Hannah Levintova reports that Elizabeth Warren has introduced legislation in response to the Equifax hack:
The bill, titled the Freedom from Equifax Exploitation (FREE) Act, would require credit reporting agencies to offer customers free options to impose or lift a “credit freeze” that stops the sharing and selling of personal credit information to third parties. Currently, there is no federal rule requiring that credit reporting agencies offer any sort of freeze option, and agencies that do, charge between $2-$10 each time a freeze is imposed or lifted.
….The bill—also sponsored by Sen. Brian Schatz (D-Hawaii)—would also offer consumers better fraud alert protections in the wake of the breach, requiring credit reporting agencies to offer up to seven years of renewable fraud alert protections.
As happy as I am to see Warren responding to this—even if there’s precious little chance of Republicans offering their support—I’m surprised that her bill is so weak. It should be stronger and less complicated.
A “credit freeze” is a simple thing: it means that if you apply for credit and someone asks for a credit report, Equifax¹ has to contact you first to make sure that it was really you who applied for credit. That’s it. This should be the default. No hassles, no loopholes. Your personal financial information never gets shared with anyone else until you give explicit permission.
In some cases this would delay getting credit. But these days, it would be a minor imposition for most people. Think about what happens when you forget a password and have to change it. You get an email or a text within seconds and then you click a Confirm button. Done. It could work the same way for credit. There should be a single central clearinghouse that links Social Security numbers with email addresses and phone numbers, and credit reporting agencies would all use that clearinghouse to contact credit applicants for confirmation.
Note that this would be kept entirely separate from the credit report itself. This means that if a hacker does somehow get hold of your credit report, they still don’t know your email address or phone number, so they can’t use the information in the report to go on a credit application spree.
Is this perfect? No, but nothing is perfect. It means you have to keep your contact information up to date if it changes. If you forget, it could result in a long delay getting credit approved. And what if you don’t have email or a smartphone? Then the credit reporting agency would have to contact you via phone, or maybe even postal mail. If that’s too much of a hassle for you, you could apply to have your account permanently accessible to anyone who wants to see it—i.e., permanently unfrozen. Needless to say, if you did that you’d be responsible for any credit hacking or identity theft.
These days, a simple text/email confirmation would be easy for 95+ percent of us, with that number increasing every year. It’s a better solution than Warren’s.
Could more be done? Probably. If the credit reporting agencies were made statutorily responsible for identity theft, I’ll bet they’d think of a few more ideas. So how about it, Senator Warren? Why not a bill that requires identity confirmation in all cases and makes credit reporting agencies responsible for identity theft? It’s simple, easy, and effective. It would make the credit reporting agencies unhappy, and it would drive up their costs, but I think I can live with that.
¹And TransUnion and Experian and anyone else who sells credit reports.