Whose Credit Report is it, Anyway? It's Time for States to Pass Credit Freeze Laws that Give Consumers Control Over their Credit Profiles

By ANITA RAMASASTRY
Monday, Feb. 06, 2006

In late January, the Federal Trade Commission (FTC) announced that data broker ChoicePoint will pay $10 million to the Commission, and $5 million to redress consumer harms caused by a large data breach. It is reportedly the largest civil penalty in FTC history.

According to the FTC, ChoicePoint sold records of at least 163,000 individuals to a criminal ring of identity thieves - and thereby violated federal consumer protection laws. It did so, the FTC says, by failing to maintain reasonable procedures to protect consumer data, and also by falsely advertising that it adequately shielded personal information from fraud and misuse.

Thus far, ChoicePoint's sale of personal data to thieves has caused at least 800 consumers to fall prey to identity theft. It can take months or years to repair one's credit history once this happens.

What, if anything, can consumers do to protect themselves from such breaches -- which are only becoming more commonplace? Recently, state legislatures have begun to examine an important new protective measure - credit report "freezes."

In this column, I'll explain how the freezes work, and argue that the right to freeze one's credit ought to be legally guaranteed nationwide.

The Status Quo: No Good Remedy, or Response, to Identity Theft

Identity theft is a growing problem. When impostors assume the identity of innocent consumers -- by gaining access, from companies, to sensitive consumer data such as Social Security numbers, dates of birth, mother's maiden names, bank account numbers, and more -- they can make purchases on credit, and potentially destroy the consumer's credit history.

Thus far, remedies have proved largely ineffective. Victims are told to try to shield their personal information from loss or theft - but how can they, when they must give certain identifying information to companies with which they deal? Also, while criminal penalties for identity theft have been heightened, impostors still may evade detection, and even if they are caught, their victim's credit history is still destroyed.

Warning victims and jailing impostors - if they are caught - is not enough. It's time to focus on the companies that hold data, and those that maintain credit reports, too.

For instance, some critics of the current system point out that if merchants and credit-granting institutions weren't so lax in granting credit in the first place, then impostors would find it much more difficult to succeed.

The pressures of market competition seem to be to blame for the ease of getting credit, even fraudulently: If one company has strict credit practices, another company with laxer practices will beat the first company in the market. Yet the market as a whole would benefit from stricter practices, for companies currently must write off the sums impostors steal.

The Virtues of the Right to "Freeze" One's Credit Report

Other critics - such as privacy advocate Chris Hoofnagle - argue that customers ought to be able to command companies to "freeze" their credit reports with the major credit reporting bureaus.

This right to freeze one's credit history, it is argued, ought to be triggered as soon as suspicious activity occurs - such as the theft of a purse, of mail from a financial company, or of a credit card - before identity theft can occur. The result of the freeze would be simple: Identity thieves would not be able to open new credit accounts or obtain credit easily.

After the freeze, advocates explain, a consumer could "thaw" his or her file, but only partially, specifying to whom, when, or in what circumstances information should be released.

More Than Half the States Now Have Passed, Or Are Considering, Credit Freeze Laws

In the beginning of 2005, only four states had credit freeze laws on the books: California and Louisiana, for all consumers; and Texas and Vermont, for identity theft victims only.

At the start of 2006, 12 states in total had such legislation. Now, however, 27 states are considering security freeze bills -- including California and Texas, which have filed bills to expand their existing security freeze laws.

Such laws typically have the following definitions, and features:

A consumer must request a freeze in writing and must provide a valid police report showing either identity theft, or the kind of theft (as of a purse or credit card) that leads to identity theft. A "freeze" consists of a notice placed on that person's credit report, at the person's request. It prohibits consumer-reporting agencies from releasing the credit report without express authorization by the consumer.

Normally, the freeze remains in effect until the consumer asks for it to be removed. But the freeze can be lifted if the consumer materially misrepresents the relevant facts.

As noted above, some states extend the right to freeze a credit report to all consumers, including those who only suspect they will soon be identity theft victims. But others extend the right only to actual identity theft victims. (For instance, Washington State defines an identity theft victim, for these purposes, as one whose identification or other personal information has been used with the intent to commit, or to aid or abet, any crime.)

Most of the laws apply to "credit reports," but a few states have enacted provisions applying more broadly to "consumer reports" - encompassing virtually any report that could be utilized by insurers for underwriting and fraud prevention, including insurance claims histories.

The Criticisms of "Credit Freeze" Laws - and Why They Are Unpersuasive

Critics of "credit freeze" laws complain that it will take too long to lift a credit freeze -- from several, to as many as twelve, days in some cases. They fear that freezes, especially if they linger too long, could lead to reduced consumer sales (especially on credit) and an overall economic downturn. It's for this reason many businesses have joined forces with credit granting institutions, spending millions of dollars on lobbying against credit freeze legislation.

Consumers, too, may be affected if freezes take too long to lift - especially if they need to, for instance, purchase auto insurance or a major appliance (on credit) right away. But these delays aren't, in my view, a reason to junk credit freeze laws: They're simply a reason to expedite the lifting of freezes.

For instance, in Utah, one proposed bill would allow the consumer to lift a credit freeze for a merchant of their choosing on only fifteen minutes' notice - simply by calling the credit bureau, and providing some personal information and a PIN number.

The fact that states - which doubtless will experiment with different approaches - are still working out the kinks in figuring out how freezes can be expeditiously lifted, does not mean that freeze laws are a bad idea. Remember, both consumers and businesses lose when freezes are not possible - for consumers are victimized by identity theft that can take years to correct, and businesses typically must cover the thefts out of their own pockets.

A Goal For 2006: A Credit Freeze Law for Every State, Perhaps with a Federal Minimum Standard

Of course, a credit freeze law can only prevent fraud if consumers use it. And they will only use it, if it is designed to be user-friendly: free of charge, easy to initiate, quick to take effect, and easy to lift.

It's best if the various states fulfill their role as "laboratories" when it comes to the laws in this area. Perhaps Congress should state the minimum a state must do - for instance, that it must legally allow a credit freeze once identity theft has been proven. But states should be able to figure out what they think is the best solution - looking to each other's laws as possible models.

The alternative is giving up - and giving in to the identity thieves. Surely, there's a better solution.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, and other legal issues for this site, which contains an archive of her columns.