Since I live in Massachusetts, any state legislation about Identity Theft is important. About 35 states have laws requiring companies to inform citizens of a data breach, but Massachusetts does not. About 25 states have laws providing their citizens with a Credit Freeze tool. Massachusetts is not on this list either. No matter where you live, you should check both lists to see how seriously your state government considers Identity theft.
Thankfully, change is underway in Massachusetts. And it is long overdue. An Identity Theft bill in Massachusetts has been passed by the state House and is under consideration by the state Senate. I haven't read the actual legislation yet. When I do, I will comment about the legislation and if it goes far enough with strong enough identity theft protections.
Some background: a Credit Freeze is a critical and powerful tool for consumers to protect against Identity theft. With a Credit Freeze, a company or a creditor cannot access a consumer's credit file unless the consumer provides consent. Today's U.S. financial system allows the national credit bureaus (and other companies) to freely share your credit information with creditors (good or bad)... even after you've placed a Fraud Alert on your credit file. As you might expect, the national credit bureaus oppose state legislation with the Credit Freeze tool.
If Massachusetts offered a Credit Freeze option, I would have used it immediately when IBM notified me of their data breach. As I mentioned in an earlier blog entry, the U.S. financial system is heavily tilted towards companies making money by freely sharing consumers' credit information, and tilted away from strong protections and notifications for consumers. In my case, IBM was a prior employer and not a retailer I'd purchased products from.
One reasons why I started this blog is to raise consumers' awareness of the identity theft problem, particularly where employers lose personal data about prior employees. And everyone has one or more prior employers. I believe we can fix this tilted system. As you might expect, the national credit bureaus view the Credit Freeze tool as a burden and oppose legislation with it at the state level. Surprisingly, there is a discussion about whether or not consumers should be notified about data breaches.
To me, consumer notification should be required of all companies, especially when that company is a prior employer who has chosen to archive personal data for an extended period. Consumer notification should be required for all data breaches. And, the Credit Freeze tool should be available to all consumers nationwide. These are two critical tools for protection against identity theft.
Next entry: a conversation with IBM (part 1)