High-profile data leaks at information warehouse companies such as ChoicePoint and Lexis-Nexis are keeping the U.S. postal service busy, with well over 1 million bad-news letters telling consumers they are now vulnerable to identity theft.
People who receive the letters have one immediate question: What do I do now? Generally, the answer has been vague and unsatisfying: watch your credit report and hope for the best.
But state legislators around the country think they have found a better answer: a credit report "security freeze." Put simply, a freeze would lock down a consumer's credit report, preventing anyone -- including the legitimate consumer -- from instantly opening new credit cards or taking out loans.
Until recently, only Californians had the right to implement a security freeze, but the idea has spread like wildfire across statehouses in recent months. About 20 states now have pending legislation which would force credit bureaus to give consumers the right to freeze their accounts.
"The ChoicePoint issue and all the subsequent breaches are drawing consumers' attention and policy makers' attention," said Kerry Smith, senior consumer attorney with the Public Interest Research Group. The agency penned model security freeze legislation that has been adopted by many state lawmakers.
"Right now, consumers don't have enough tools to protect themselves," Smith said.
'Bad advice,' says industry
A credit freeze would be the essential identity theft prevention tool, consumer advocates say. With a freeze in place, credit files cannot be accessed, and instant credit -- such as retail credit cards or on-the-spot car loans -- cannot be granted.
Only after a consumer provides additional evidence they are who they say they are, a process known as "thawing," can credit be granted. Thawing can take up to three days, and generally can't be done at the point of sale, such as that critical moment when consumers find themselves unexpectedly across a table from a car salesman. But freezes also prevent identity thieves from making high-speed credit purchases and opening new accounts.
"This puts the consumer in the driver's seat over their personal information," Smith said.
The retail industry and the nation's credit bureaus are less enthused. The industry argues that consumers like the convenience of instant credit and those who lock down their credit files will miss out on good deals. No impulse buys at the car dealership, no 10 percent discount for signing up for the store credit card.
"Ultimately (telling someone to use a credit freeze) is bad advice," said Stuart Pratt, CEO of the Consumer Data Industry Association, which lobbies for the credit bureaus. "It's a little like telling consumers to brick up their windows and doors to prevent burglary, but then you can't get out of house when you need to."
Consumers who implement freezes will be frustrated the first time they try to get new credit, the industry claims.
"It completely eliminates any point of sale type of credit transaction. If credit files were frozen, certainly that source of income for retailers would stop," said Experian spokeswoman Susan Henson. "We feel there are other tools consumer can take advantage of that are a little less draconian."
"Identity theft solutions have to be effective and practical. We really do want to engage in commerce," Pratt said. "A freeze really is not practical."
State lawmakers take up the case
Neither is the current state of affairs, said Gail Hillebrand, senior attorney at Consumers Union, which is lobbying on behalf of the state credit freeze bills. Nearly 10 million people are hit with identity theft every year, and there is currently nothing consumers can do ahead of time to prevent it, she said.
"Consumers can do everything right, shred all their mail, read all their statements, but still be a victim," Hillebrand said. "You can't stop someone from stealing your personal information from someone else."
The high-profile thefts at ChoicePoint and other firms highlight this helplessness, said Utah state Sen. Carlene M. Walker, chief sponsor of Utah's credit freeze law. Even after consumers find out their data has been stolen, there's little a consumer can do until after an identity theft has occurred, she said.
The Salt Lake City Republican said she spent the better part of the last year fighting to get her bill passed after she learned of a particularly brutal ID theft case in her hometown district.
"Consumers don't have a preventative, proactive tool," she said. "A credit freeze would let consumers be proactive. I just feel like we owe it to the consumer."
Walker's bill died before it reached a floor vote, killed largely by the auto dealer lobby, she said. A similar bill has already been dropped by the Indiana legislature.
But despite lobbying efforts by the credit bureaus and retail industry, momentum for security freezes continues to build.
In Illinois, a freeze bill was passed by the state's lower house unanimously on March 17. The state senate is scheduled to take up the measure in April. A similar bill was passed out of committee on Tuesday in Connecticut, and has the support of the state Attorney General Richard Blumenthal. According to the Public Internet Research Group, consumer advocates have active lobbying efforts in 12 other states.
If you build it, will they come?
While lawmakers and privacy advocates may like security freezes, will consumers actually use them? The credit bureaus say no, pointing to the evidence in the two states where they already have the option.
In California, which passed a freeze law in 2003, only about 4,000 consumers have taken the option, according to Experian. In Texas, where the option is only available to identity theft victims, only 133 consumers have filed for a freeze.
Consumer advocates respond that few consumers in either state are aware of the freeze option.
Joanne McNabb, who runs California's Office of Privacy Protection, said phone inquires about freezes have skyrocketed in recent weeks as consumers responded to the rash of high-profile data thefts. Last July, only 1 percent of phone inquires to the office concerned credit freezes. So far this month, 15 percent of callers are asking about freezes, she said.
Few disagree that the current system for using a security freeze is complicated. At the moment, files are unlocked by PIN numbers that consumers must remember and provide to the credit bureaus before they apply for credit. Consumers could easily forget these rarely-used PINS, or fail to realize that they need to unlock their files at all three credit bureaus before applying for a home mortgage, the credit trade group's Pratt said.
There will be other unexpected frustrations, too, said Experian's Henson.
"Consumers don't think about the fact that if they lose their cell phone, and they need a new one, the cell phone company will need access to their credit report to do that," Henson said. "And with a freeze, it just takes time."
It can also be pricey. In California, freezes are free to ID theft victims, but others must pay about $10 to each credit bureau each time the freeze is turned on or off. That can add up quickly for a household with two or more adults who apply for credit a couple of times each year. And delays caused by credit freezes could also cost consumers a chance at a home in a fast-moving market, the bureaus say.
Consumer advocates reply that the bureaus could develop a system which allowed instant on-off toggling of credit freezes, since so many other credit decisions are made at light speed.
Even if some consumers might be frustrated, locking up credit reports has become a necessary evil, given the proliferation of identity theft, said Beth Givens, director of the Privacy Rights Clearinghouse.
"Someone who has been the victim of an aggressive identity thief will find comfort in establishing a freeze, and put up with the inconvenience," Givens said.
Fraud alerts pushed as alternative
Pratt said consumers already have the tool they need. Anyone concerned about identity theft can have a fraud alert placed on their files with the credit bureaus at no charge. With such an alert in place, retailers who pull a credit report are given a warning to take additional steps to verify the identity of the consumer.
This system, however, relies on the retailers to verify the consumer's identity and privacy advocates criticize it as ineffective. Unlike freezes, retailers are still able to access credit reports, just with fraud alerts attached.
The alert system was improved by the latest update to the Fair Credit Reporting Act, called the FACT Act, passed by Congress at the end of 2003, and those measures should be given a chance, Pratt said.
"We need to give the FACT Act a chance to be effective," he said. "We are concerned about any new initiative, we have so much in the pipeline right now that is going to be an effective deterrent to identity theft."
Fraud alerts have already been tried and failed, said McNabb of the California privacy office.
"The reason (credit freezes) passed here was frustration with ineffectiveness of fraud alerts," she said. "We had a parade of identity theft victims who placed fraud alerts on their files and credit was issued anyway."
The alerts have another characteristic that dooms them to ineffectiveness, Givens said -- they generally expire after 90 days. Con artists know this, so often they simply steal data and wait for a few months before attempting fraud. ChoicePoint victims, for example, were told to place fraud alerts on their accounts when they received their letters in February. But that protection will expire at the end of May unless they request a new alert.
"I know a man puts a note on his calendar and refiles for a fraud alert every 90 days," Givens said. "Fraud alerts just aren't working. It's really a shame we have to go this far, but we do."
On a more fundamental level, Hillebrand argued that even if freezes ultimately aren't popular with consumers, the option to lock up personal files is an important consumer right.
"Every consumer in America should be able to do this," she said. "In light of ChoicePoint and the other incidents, people are beginning to understand that other people have their personal information and have an interest in selling it. And that interest is very different from your interest in protecting it.
"There will always be hackers, and information about us will always be stolen. A freeze is the one thing that gives consumers control over who can look at their files for granting credit. We as individuals need one way to close the door."
Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic