Many Americans are learning the words “security freeze” recently, courtesy of Equifax. Really, they should be thanking their state lawmakers and a tireless group of consumer advocates.
More important, it should give people new appreciation for the disaster that is the legal maneuvering called “state pre-emption,” and why consumers should hate it. Let me explain with a little history lesson.
It’s the turn of the century, and identity theft is just entering public consciousness. There’s crazy stories about people being jailed as a result of ID theft; accused of murder on live TV because of ID theft; told their application for employment was denied because another person using their SSN was already working there. And there’s an endless stream of fake credit cards and checking accounts causing pain all around the country.
Somehow, more than 15 years ago, California state legislators had the foresight to see the best solution to this raging problem: the security freeze. Here’s the text of SB 168, which took effect in 2003.
“The bill would also require .. .consumer credit reporting agency to place a security freeze, as defined, on a consumer credit report within 5 business days of receiving a request to do so in writing by certified mail, and would prohibit the release of information from a consumer credit report while the freeze is in place,” the bill read.
Within three years, two dozen states had passed similar security freeze laws, giving their residents a state-law-mandated right to protect themselves against ID theft. Not long after, essentially every state had done so.
Here’s the rub: Credit bureaus never wanted to offer security freezes. They are entirely a construct of state laws, pushed forward by attorneys general and other consumer advocates. Local victim advocates kept hearing from consumers suffering through these Kafka-esque nightmares because of ID theft. What worse, many victims would be re-victimized — once their data was out there, it was out there. The simplest way to stop this re-victimization was to literally disable a consumers’ credit report.
Enter state legislatures. Starting in California, lawmakers in statehouses forced the concept and mechanics of freezes onto the credit reporting agencies.
Initially, freezes were designed to help victims in an active identity exploitation situation. But eventually it became clear that freezes were useful whenever a consumer was at high risk — say, after their data was stolen. They were useful to others who had reason to be concerned, such as victims of domestic abuse.
Security freezes are a victory, more than a decade in the making, of good, locally-based consumer protection law. It seems they are a victory for the credit bureaus, too, who now include a version of a freeze in commercial products they offer.
So, about pre-emption.
Large corporations hate state laws. With issue after issue, you’ll hear them complain it’s unfair that they should have to comply with 50 (plus DC!) separate sets of rules when they do business. Federal laws should pre-empt state laws, they say, because that’s the only sane way for a large company to do business.
And they have a point.
If you look at the ridiculous list of state laws governing freezes, and the small variations in each, you can certainly get some sympathy for the tangled mess of compliance with state regulations. Further, it seems downright crazy to the economics-friendly business reporter side of my brain that a government should issue such detailed instructions to the inner workings of a corporation. It does make me uncomfortable.
The only thing worse is the alternative. Letting the free market work its magic. JUST KIDDING. As you know, citizens are the product of credit bureaus, not consumer of their product. Citizen-friendly provisions would never arise from market forces in that situation.
No, the alternative would have been convincing Congress to pass a federal law requiring security freezes. You might as well wait for Congress to do something simpler, like pass health care reform. In fact, there still is no federal data breach notification law, an idea that is more than a decade old. The only reason we hear about any of these data is leaks is….you guessed it…state law that requires it. (Thanks California, again, for being the first).
Corporations prefer federal to state laws for lots of reasons. One: Congress is usually easier to manipulate than a bunch of statehouses. Two: It saves them legal hassle. Three: A single, federal law tends to atrophy towards the least-common-denominator.
In this case, thank goodness states’ rights prevailed. It’s not always that way.
So as you decide what to do about the Equifax hack, hug a state legislator. They tend to be closer to constituents, and they also tend to listen to state attorneys general, who are nearly always the first to hear about important consumer issues. So when you hear about a state Student Borrower Bill of Rights, or “Right to Know” privacy bills making their way through statehouses, cheer them on.
And the next time you hear a corporation lament a requirement that it abide by a “patchwork of 50 state laws,” you’ll know better. You’ll think about security freezes.