Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws

Notification: Free Credit Monitoring

When SSNs are exposed, the FTC suggests offering at least a year of free credit monitoring. Three states - California, Delaware, and Massachusetts - require it for at least 12 months when SSNs or similar data are exposed. California was first (2015).

When Social Security numbers are compromised, the FTC suggests companies offer at least a year of free credit monitoring or identity-theft protection. Three states require it for at least 12 months when SSNs or similar data are exposed: California (first, 2015), Delaware, and Massachusetts.

Suggested vs required

The FTC's year of credit monitoring is a suggestion. Only California, Delaware, and Massachusetts make at least 12 months mandatory. Do not treat the FTC suggestion as a binding national rule.

Key terms - quick answers

What is “Credit monitoring requirement”?

A mandate in California, Delaware, and Massachusetts to provide affected individuals free credit monitoring for at least 12 months when SSNs or similar data are exposed.

← Notification: Content of the Letter Notification: Method and Substitute Notice →