In the wake of the Equifax data breach, a number of strong, meaningful bills have been introduced to provide for free credit freezes (e.g., Senators Warren/Schatz, Senator Wyden, Representative Lujan) or to more broadly reform the credit reporting industry (Congresswoman Waters and Senator Schatz). However, one bill sticks out for the wrong reasons. Senator David Perdue, who hails from Equifax’s home state of Georgia, has introduced S.1982, a weak bill to provide for a “national standard” for credit freezes. S. 1982, the PROTECT Act of 2017, would permit the credit bureaus to charge $5 for each freeze and thaw, or $15 for all three credit bureaus. The exceptions would be minors, consumers over 65 years old, and active duty servicemembers. Notably, there is no right to a free credit freeze for data breach victims, including those victimized by a credit bureau’s own negligence.
All 50 states already have laws that give consumers a right to a security freeze (interactive map of state free laws). Four states provide initial freezes for free, three states and the District of Columbia provide for free “thaws” (i.e., free temporary lifting of the freeze), and four states provide both the initial freezes and subsequent thaws for free. And freezes and/or thaws are cheaper in four other states including, ironically, Georgia! Thus, Senator Perdue’s bill, S.1982, would not add to the rights of the vast majority of adult Americans, including many of the 145.5 million consumers impacted by the Equifax hack, and the bill would be weaker than existing laws in 15 states and the District of Columbia.
Another problem is the potential preemption of these stronger state laws. S.1982 would amend 1681c of the FCRA, which is a provision that could be argued to preempt equivalent state laws.* While such an argument could be challenged, it seems unconscionable to expose state laws that provide for free freezes to the risk of being preempted.
Also troubling: S.1982 bans the credit bureaus from using Social Security Numbers as identifiers or for any other purpose. While the United States absolutely needs to stop relying on SSNs as a verifier of identity (i.e. using it to confirm that Consumer X is actually the real Consumer X and not a fraudster), it cannot stop relying on the SSN as an unique identifier unless it is replaced at the same time. Without a unique number to distinguish consumers with similar names and addresses, there will be more of the worst type of credit reporting error – mixed file cases, where an innocent consumer’s credit report is mixed up with someone else who has a bad credit record. There are already too many mixed files because the credit bureaus match data based on only 7 out of 9 digits of the SSN. Without SSNs, consumers with common names – like former Equifax CEO “Richard Smith” – are at much greater risk of this devastating type of credit reporting error.
American consumers deserve real, meaningful responses to the Equifax breach. Mouthing outrage at Equifax while introducing milquetoast bills or doing nothing is the kind of response that makes ordinary Americans angry and distrustful of our legislative process. Congress must do better; it must pass bills to provide free freezes and reform the credit reporting system.
*If you want the gory details: The FCRA, 15 U.S.C. § 1681t(b)(1)(E), provides that “No Requirement or prohibition may be imposed under the laws of any state—(1) with respect to any subject matter regulated under—-(E) Section 1681c of this title, relating to information contained in consumer reports…”
— Chi Chi Wu
Chi Chi Wu has been a staff attorney at NCLC for over a decade. She is co-author of the legal manuals Fair Credit Reporting Act and Collection Actions, and a contributing author to Consumer Credit Regulation and Truth in Lending.