Credit Bureaus Fight Consumer-Ordered Freezes

Credit agencies preach that identity theft isn't as big a threat as believed.

— -- SEATTLE -- Wearing his trademark bow tie, Eric Ellman goes to work every day prepared to explain why identity theft isn't as big a threat as people think.

His logic has often found friendly ears in Washington, D.C., where Ellman, a lobbyist for the Consumer Data Industry Association (CDIA), champions the interests of the Big Three credit bureaus: Experian, Equifax and TransUnion.

The CDIA has been scrambling for two years to get federal lawmakers to defuse the onrush of state laws empowering consumers to freeze access to their credit histories to prevent identity theft. It spent a record $1.4 million on federal lobbying in 2006, nearly double what it spent in 2004, according to the Center for Responsive Politics.

But a funny thing has happened outside the nation's capital. More states have begun requiring companies to notify consumers when their personal data turn up missing -- and states are ordering the credit bureaus to make it easier for consumers to ban anyone from viewing their credit files. By the end of this year, more than 35 states will have such laws; a few years ago, barely a handful did.

When this trend began to gather steam in 2005, the CDIA deployed Ellman on a series of trips to Montana to dissuade lawmakers from adopting one of the nation's most pro-consumer credit-freeze laws. "He was here so often, I jokingly told him he should start paying state income tax," says Claudia Clifford, Montana-based lobbyist for AARP, a staunch consumer advocate for freezes.

Ultimately, Ellman failed in Montana. The lawmakers there made credit freezes cheaper and quicker to do than anywhere else in the nation. The CDIA's efforts in Big Sky country and other states reveal how the credit bureaus have been losing ground in a struggle to preserve control of consumer credit information as data theft and identity fraud escalate. The key factor: Consumer advocates have shifted the field of battle outside of Washington D.C., where power politics reign, to state capitals in places such as Helena, Mont., Salt Lake City, Carson City, Nev., and Annapolis, Md., where populist sentiments often carry the day.

"A lot of people are simply being affected by identity theft, and (consumers) want to be able to do something about it before it gets really messy," says Michelle Jun, staff attorney for Consumers Union.

CDIA President Stuart Pratt declined to allow Ellman to be interviewed. As the trade group's vice president and counsel of state and federal regulatory affairs, Ellman is one of two CDIA lobbyists who crisscross the country testifying against freezes in state legislatures. His public assertions provide a revealing glimpse of the tactics the CDIA has employed to try to limit consumers' control of their credit histories.

Best Protection

Compelled by state data-loss notification laws, companies and organizations have disclosed more than 500 incidents of personal data turning up missing since February 2005. Computers have been hacked or stolen; data tapes fall off delivery vans; insiders take files home. Scores of universities, hospitals, government agencies, merchants and financial firms continue to report such breaches. Total records reported lost: 155 million.

Meanwhile, con artists are finding new ways to use stolen data, particularly Social Security numbers, to commit fraud, especially online. A report issued in March by Gartner banking security analyst Avivah Litan estimates 15 million Americans will become victims of identity theft in 2007, up 50% from 2005. Average loss: $3,257 in 2006, up from $1,408 in 2005.

By far, the messiest form of identity theft is new-account fraud. Criminals use stolen data to create cellphone and credit card accounts, pay medical bills, even take out auto loans and mortgages. As scammers open multiple accounts and rack up unpaid balances, victims are left to unravel the mess. With their credit histories corrupted, they can end up paying higher interest rates for years.

By far the best protection against new-account fraud is a credit freeze, say credit consultants and fraud investigators. A credit freeze bars the credit bureaus from issuing your credit report -- the summary of loans and payments that forms the basis of your credit score. Because few lenders will issue credit without first seeing a credit score, identity thieves can't use stolen data to open new accounts.

"The credit freeze, out of anything else that's been conceived, has potential to be the most effective tool for preventing crooks from fraudulently using your Social Security number," says Madison Ayer, co-founder of ID Watchdog, a Denver-based identity protection firm.

However, credit freezes could also cut deeply into the credit bureaus' core business. The Big Three issue billions of credit reports each year in support of loan applications. The combined annual revenue of Experian, Equifax and TransUnion tops $4 billion, reports Hoover's.They issue yet more reports to enable lenders to target consumers with junk mail and telemarketing campaigns for new credit cards, auto loans, mortgages and student loans, says John Ulzheimer, president of education for Credit.com, a consumer credit consultancy. Ulzheimer is a former manager at Equifax and at credit scoring company Fair Isaac.

The CDIA, which has lobbied on behalf of the Big Three since the 1970s, contends that it doesn't necessarily oppose freezes. Instead, credit bureaus seek state regulations that are consistent and "operationally feasible," says Pratt.

Yet, in state after state, Ellman, 40, who directs the CDIA's state lobbying efforts, has publicly expressed disdain for freezes, which didn't exist until California's pioneering freeze law took effect in January 2003. California allows the credit bureaus to charge a $10 per bureau fee, and requires that freeze requests be made via certified mail.

Louisiana followed with a similar law. Several states then passed laws restricting freezes to identity theft victims who could document the crime. Washington, Texas and Hawaii have since rescinded that victims-only restriction, says Gail Hillebrand, an attorney at Consumers Union.

Testifying before a Louisiana legislative committee in 2004, Ellman called credit freezes "the most dramatic and draconian alteration" ever to hit the credit-reporting system. He later traveled to Washington, Nevada and Massachusetts to assert that the CDIA did not support credit freezes in any form.

"It has not been proven to be a viable identity-theft tool," he testified in Massachusetts. "Ultimately, it's our hope that legislatures will see that file freezing isn't the silver bullet that people think it is."

'Expensive Burden'

Ellman arrived in Montana prepared to argue that if Montana was bent on adopting a freeze law, it should be based on the California standard, with its $10 fee and other restrictions, says AARP's Clifford, who debated him on several occasions.

Testifying before the Montana Senate's Committee on Business, Labor and Economic Affairs on Jan. 19 this year, Ellman characterized credit freezes as "an expensive burden to bear" for credit bureaus. "We're being asked to build a system that so far nobody is using," he said. "We think $10 is not a barrier to entry. It is merely an administrative fee to recoup the costs of an investment that no one is using."

But Montana's lawmakers didn't buy those arguments. Consumer advocates pointed out that the $10 fee translated into $30 for an individual to freeze reports at all three bureaus. Montana adopted a $3 per bureau fee -- the nation's lowest -- and a streamlined request process.

Lawmakers went a step further, making Montana the first state to require the credit bureaus to freeze a consumer's credit report within 24 hours if the request came from someone who could prove he or she was the victim of ID theft. Otherwise, the bureaus had up to five days to honor freeze requests.

Ellman asked Montana Gov. Brian Schweitzer to veto the entire law. In a March 29 letter to the governor, Ellman argued that protections in federal laws for identity theft victims were more than adequate, and warned that a 24-hour freeze requirement would create undue hardships for the credit bureaus, possibly even disrupt the national economy:

"The mandate of placement of a freeze within 24 hours may compromise the accuracy and integrity of consumer reporting files, the very files banks, credit unions and other businesses rely upon to ensure safe and sound lending decisions. In short, the foundation of the credit economy is the credit bureaus. Rattle the foundation of the credit bureaus, and you rattle the foundation of the credit economy."

Schweitzer asked Attorney General Mike McGrath for an opinion. Assistant Attorney General Pamela Bucy, who marshaled the proposal through the legislative process, argued successfully for Schweitzer to sign the bill as delivered to him by the Legislature.

"We told him that the 24-hour provision did more proactively to help the victims of identity theft than anything else you can do," says Bucy. "It absolutely locks the door to someone's credit."

Quick Thaws

Ellman moved on. In Maryland, his home state, Ellman again called for the California standard. Again, he fell short. Maryland passed a freeze bill last spring allowing the bureaus to charge $5 per bureau, half of California's fee.

As more states adopted freeze laws, auto dealers and retailers began clamoring for a way to let consumers easily unfreeze their credit files, says state Sen. Jean Berkey, D-Everett, Wash., who sponsored the state's recently revamped freeze law.

Freeze laws to this point required consumers to wait three days after unfreezing their files to apply for a loan. The auto dealers and merchants worried that impulse buying of big-ticket items, driven by instant access to credit, might sharply decline, Berkey says.

The answer: a "quick thaw." Washington, Maryland, Montana, New Jersey, Utah and Delaware ordered the credit bureaus to provide consumers with a four-digit personal identification number they could use to unfreeze their histories within 15 minutes.

"It became very evident we couldn't have a straight across-the-board freeze unless we had a 15-minute thaw," says Berkey. "It just wouldn't work for the retailers and auto dealers."

Ellman argued that quick thaws required study before the credit bureaus could implement them, and could not possibly be readied before July 2009. Again, he fell short. Most states ordering quick thaws imposed a September 2008 implementation deadline.

As increasingly pro-consumer freeze laws spread across the country, the CDIA regrouped in Washington D.C.

An industry-backed proposal died in a House committee debate last summer. It would have established a federal law restricting freezes to ID theft victims, pre-empting all state laws.

In April, Sen. Mark Pryor, D-Ark., introduced a national credit-freeze bill, based on the California standard -- a $10 per bureau fee and certified mail application. Pryor's bill was folded into a broader data-security bill co-sponsored by Sens. Daniel Inouye, D-Hawaii, and Ted Stevens, R-Alaska.

Consumers Union attorney Jun says one concern is that a federal law could reduce the authority of state attorneys general to enforce local freeze laws. Jun and other consumer and privacy advocates argue that federal regulations must not undermine any of the hard-won state laws.

"We don't want a federal law unless it is stronger than state laws," says Susanna Montezemolo, senior legislative representative for AARP. "I cannot imagine Congress will move on a weak, pre-emptive credit-freeze bill given the number of high-profile data breaches."

Acohido reported from Seattle, Swartz from San Francisco.