(a) With respect to individuals found under this subpart by the Secretary to be subject to a reasonable risk for the potential misuse of any sensitive personal information under this subpart, the Secretary may offer one or more of the following as warranted based on considerations specified in paragraph (b) of this section:

(1) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;

(2) Data breach analysis;

(3) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; and/or

(4) One year of identity theft insurance with $20,000.00 coverage at $0 deductible.

(b) Consistent with the requirements of the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) as interpreted and applied by the Federal Trade Commission, the notice to the individual offering other credit protection services will explain how the individual may obtain the services, including the information required to be submitted by the individual to obtain the services, and the time period within which the individual must act to take advantage of the credit protection services offered.

(c) In determining whether any or all of the credit protection services specified in paragraph (a) of this section will be offered to individuals subject to a data breach, the Secretary will consider the following:

(1) The data elements involved;

(2) The number of individuals affected or potentially affected;

(3) The likelihood the sensitive personal information will be or has been made accessible to and usable by unauthorized persons;

(4) The risk of potential harm to the affected individuals; and

(5) The ability to mitigate the risk of harm.

(c) The Secretary will take action to obtain data mining and data breach analyses services, as appropriate, to obtain information relevant for making determinations under this subpart.

(Authority: 38 U.S.C. § 501, 5724, 5727)