When Equifax announced hackers had stolen the personal information — names, Social Security numbers, birth dates and addresses — of 145.5 million Americans, it marked one of the most significant data breaches to date, not only because it affects over half of U.S. adults, but also because the stolen information is the key to obtaining credit. While the Equifax breach has shown the need for the federal government to replace outdated and overused Social Security numbers with a modern digital equivalent, it has also highlighted the failure of state laws to protect consumers, as state laws on obtaining a security freeze on credit reports too often put the interests of the credit agencies ahead of consumers.
While a credit freeze will do nothing to protect consumers against fraud on existing accounts, it is one of the most effective tools to prevent criminals from opening new ones. A credit freeze works by restricting access to a consumer’s credit report. Without seeing a credit report, most creditors will not open a new account, and thus a credit freeze keeps consumers safe from identity theft.
Unfortunately, many existing state laws on credit freezes make this fraud prevention method impractical for most consumers. Credit bureaus can charge consumers fees, ranging from $5 to $10, for applying for a credit freeze, and again every time they need to lift it. Moreover, since consumers do not always know which of the three main U.S. credit bureaus a creditor will check, they may have to do this for all three credit bureaus. Complicating the situation further, each credit bureau has its own process to make this request, and credit bureaus can take a few days to “thaw” a credit report. These costs and delays make credit freezes a poor solution for most consumers.
Ideally, the federal government should address this situation. Just as consumers have benefited from a federal law allowing them to get a free copy of their credit report once per year from all three credit bureaus through a single website, they would similarly benefit from a one-stop shop to freeze and unfreeze their credit reports at no cost.
But in the absence of federal action, states can and should address this problem. First, they should pass a law requiring credit bureaus to allow all consumers to freeze and unfreeze their credit at no cost. Maine, for example, already requires this of the credit bureaus for all of its residents. Many states allow consumers to freeze their credit at no cost if they are victims of identity theft, but obtaining the “proof” can be more cumbersome than simply paying the fees. Moreover, it makes no sense to only extend this protection to people who have already been victimized rather than trying to stop fraud before it happens. Following the Equifax data breach, states should expand this service to everyone.
Second, states should impose strict time limits on how long credit bureaus can take to unlock credit reports. States like New York have required credit bureaus to lift credit freezes within 15 minutes when the request is made by phone or online. These time limits are necessary to ensure that credit freezes do not interfere with legitimate inquiries when consumers need to open new accounts. If consumers cannot unfreeze their credit quickly and easily, they will not take this step to protect their credit.
Finally, policymakers should consider whether consumer credit reports should be frozen by default, rather than the reverse, and whether consumers should have real-time access to their credit reports online, rather than only receiving them once per year. After all, most consumers are not regularly applying for more credit, and regular monitoring would be more effective at detecting fraud than annual reviews.
Given the rising levels of identity theft, it is time to rethink some of these policies. While states may not be able to stop all data breaches, they can at least take steps to protect consumers from the fallout of such incidents.
Daniel Castro is the vice president of the Information Technology and Innovation Foundation (ITIF) and director of the Center for Data Innovation. Before joining ITIF, he worked at the Government Accountability Office where he audited IT security and management controls.