Identity theft is the name given to theft or fraud involving appropriation of personal data, such as Social Security numbers, to borrow money or buy goods on credit in another person's name.
The universal use of computer databases and portable data storage devices, coupled with the existence of a lawful nationwide market in personal information, makes identity theft easier to commit on a wider scale than ever before. When you think of identity theft, you may have a mental image of a restaurant waiter filching a copy of your credit card slip or a stranger finding an ATM receipt with your PIN written on it. These things still happen; but in the past two years there have been more than 500 incidents of personal data lost in bulk, involving a total of 155,000,000 consumer records. Negligent mishandling of data exposes vast numbers of records to the risk of being transferred to criminals and organized crime rings that turn them into easy money.
According to security analysts, by far the costliest form of identity theft is new-account fraud. And the gatekeepers to new accounts are credit reporting agencies (CRAs), especially the “big three” national firms, Equifax, Experian, and TransUnion. Virtually no extender of credit will consider opening an account for a new customer without inputting his or her date of birth and Social Security number to run a credit check. Accordingly, measures to address identity theft must involve the CRAs.
In 2003 Congress passed a law known as the Fair and Accurate Credit Transactions Act. FACTA was not overwhelmingly pro-consumer legislation; to the contrary, the main reason it got passed was to preempt states from passing more protective laws. But it took an early stab at trying to minimize the harmful effects of identity theft on credit reports.
FACTA provides for three varieties of “alerts” that consumers may add to their files maintained by CRAs. The effect of an alert is to notify creditors that you do not authorize new credit to be opened in your name, except to extend an existing credit card account. An extender of credit should not allow a credit transaction to take place in your name without taking reasonable steps to establish that it is actually you, such as calling you at the phone number you provide. When one agency receives such an alert, it is required to refer it to the other nationwide agencies. This is known as a “one call” system.
First, consumers who believe that they have been or may be victimized by identity fraud may place a “fraud alert” on their CRA files. An agency receiving such a notice must make a notation of it in the consumer's file and, each time the CRA generates the consumer's credit report for a user, it must include the notation that the consumer has reported fraud. The user is then supposed to demand verification of identity of anyone trying to get credit in your name and contact you before opening a new account.
But this kind of alert stays active for only 90 days.
A consumer may also obtain an “extended fraud alert” by submitting an identity theft report that includes a sworn statement to a law enforcement authority. This kind of report stays active for seven years and generates more extensive precautions on the part of the CRA. For example, the consumer must be excluded from prescreening lists (mass mailings that attract the addressee to sign up for more credit cards).
Third, a consumer who is on active military duty (including a reservist stationed away from home) may add his or her status to the CRA's file.
Thus under FACTA, a consumer seeking to slow the exchange of information between CRAs and potential granters of credit (except a member of the armed forces) must first have experienced theft or fraud. Victims and activists began asking: Why do I have to be victimized first? Shouldn't I be able to control the trafficking of my personal information? Why can't I just freeze the dissemination of my credit report? According to those who study the issue, the credit freeze is the best way to prevent having a new account opened by an imposter.
Laws authorizing a “credit freeze” began in California in 2003. Their details vary: how do you make your request, how much do you have to pay for it, how fast must the credit bureaus act on it, and how long does it take to “thaw” your data if you actually do want to apply for new credit.
Just this month Massachusetts became the 36th state to enact legislation providing for credit freezes. The law caps the fees to place, lift and remove the freeze at $5. There is no fee for victims of identity theft. The law also allows a victim of identity theft to get a copy of the police report from any law enforcement office, even if the crime did not occur in that jurisdiction. Victims need a copy of their police report to clean up the financial mess resulting from identity theft and to qualify for the free security freeze. The consumer organization MassPIRG fought for this legislation over many years.
In response to this blooming of state consumer protection initiatives, the credit reporting industry is fighting back. A recent article in USA Today details its million-dollar lobbying campaign designed to prevent or weaken state initiatives empowering consumers to freeze their information.
http://www.usatoday.com/money/perfi/credit/2007-06-25-credit-freeze-usat_N.htm
CRAs make billions of dollars a year by issuing credit reports, not just in response to actual applications for credit, but also to blitz us with solicitations to apply. Widespread “freezing” of credit reports would cut significantly into their business. Perhaps even more threatening, the push for consumer-activated credit freezes calls into question the legitimacy of the premise of their entire business: that our personal information is a commodity to be owned and traded by businesses for commercial purposes.