The recently passed Economic Growth, Regulatory Relief, and Consumer Protection Act contains provisions whereby a consumer can request any consumer reporting agency to impose a security freeze on his/her credit information. The term ‘security freeze’ means a restriction that prohibits a consumer reporting agency from disclosing the contents of a consumer report that is subject to such security freeze to any person requesting the consumer report.
Many states, including Massachusetts, had their own security freeze laws, but many of these, like Massachusetts, permitted credit reporting agencies to charge a fee, both to institute and to remove a freeze. There were reports that credit reporting agencies did not respond quickly to requests for freezes, especially Experian during a recent data breach. It is possible credit reporting agencies were not equipped (or chose not to equip themselves) to promptly institute or remove security freezes because not all states had security freeze laws and those laws were not consistent.
If so, the new federal law may have changed that because it requires credit reporting agencies to have separate webpages for consumers to institute and remove security freezes, and it is said the new national law preempts state security freeze laws. I went to the Experian webpage to institute a security freeze for myself and navigated through the prompts pretty quickly. Time will tell if this is true for everyone at all times.
Critics of the concept of a security freeze law claim that since it requires the consumer to obtain a PIN, it creates just another bit of personalized information the hackers can pilfer. This does not seem reasonable to me. If a hacker can get far enough into the credit reporting agency's system to get your security freeze PIN, why wouldn't they just pilfer your SS#?
There are exceptions to what the freeze covers, such as reports sought by current holders of your debt and persons collecting debt from you, child support obligations, state and federal authorities investigating fraud or collecting taxes, and others. U.S. PIRG criticizes the law because it also does not cover employment and insurance underwriting reports, claiming those areas are sources of identity theft, and because the new federal law makes no provision for automatic freezes. This last point seems cogent to me. Why not pass a law freezing everyone's credit reporting unless the consumer gives consent? Did the credit reporting agencies agree to set up websites for consumers to obtain freezes in return for the government refraining from mandating an automatic freeze?
It is probably the case that the security procedures credit card companies already use constitute fairly stiff protection of your credit cards from hackers. Credit card companies freeze your credit card themselves if they discover what appear to be unauthorized charges and cannot reach you to verify them. However, having the ability to freeze and unfreeze your credit reporting information gives you that much more control over something over which you once had almost no control at all.