Attorney General George Jepsen (Kyle Constable / file photo)

Updated Friday at 3:15 p.m. with Jepsen’s letter to Equifax and congressional proposals. Updated Monday at 9 a.m. with other groups exempt from freeze fees.

Consumers looking to protect themselves from identity theft after a massive data breach of credit report provider Equifax could face fees, thanks to a decade-old state law that has similar counterparts in many states.

Connecticut Attorney General George Jepsen, who is co-leading an investigation by state attorneys general into the data breach, said residents proactively ordering freezes to protect themselves shouldn’t be on the hook for these fees — Equifax should.

Equifax has agreed not to charge for freezes temporarily, but other bureaus may still charge, and presumably anyone freezing credit now might want to unfreeze it in the future, beyond the grace period.

Equifax disclosed Sept. 7 that a breach of private information affected about 143 million people in the United States. Jepsen’s office told The Mirror Thursday that Equifax estimated 1.5 million Connecticut residents were affected by the breach. The firm believes the breach happened in mid-May, and they learned of it in late July, waiting until last week to notify the public.

One of the defensive measures a number of consumer watchdogs recommend is to consider placing a security freeze on your credit reports. This prevents people — you, but also criminals pretending to be you with stolen information — from opening up credit cards or other lines of credit in your name.

The “freeze” part is when you — or a crook — apply for a line of credit and the lender asks the credit bureau for your credit history. The freeze prevents the bureau from giving out your information, and the bank knows not to issue the credit. If you want to take out a loan, you’ll need to unfreeze your credit report first, so the bank can pull it.

A state law that went into effect in 2006 requiring credit bureaus to offer freezes also allows the bureaus to charge for them — $10 to freeze or un-freeze your credit, and $12 if you want to let a specific party pull your credit report but otherwise keep the freeze in place. That cost varies from state to state. Maine, for instance, doesn’t allow the fees at all.

It’s not just a $10, one-time fee. Each bureau can charge the allowed fees.

Consumer watchdogs recommend freezing your credit at three or four credit bureaus — Experian, Equifax, TransUnion, and some also include Innovis. Equifax has waived its freeze fee temporarily, but it normally charges $10. Experian and TransUnion also charge the $10 in Connecticut. We could not confirm Thursday whether Innovis charges.

In response to consumer feedback, Equifax will waive all Security Freeze fees for the next 30 days. -Tim

— Equifax Inc. (@Equifax) September 11, 2017

But, there’s an exception in Connecticut, and in many other states, that allows identity theft victims to order freezes without being charged. Also exempt from credit freeze fees in Connecticut are people aged 62 or older, under 18, domestic violence victims and anyone with a court-appointed guardian or conservator.

Asked if all Connecticut residents can count themselves as victims, and qualify for a fee waiver, a spokesperson for Jepsen said, “Determining whether someone is an identity theft victim is a legal determination that the attorney general is not yet in a position to make. That said, Attorney General Jepsen believes that consumers, who are at no fault in this situation, should not have to pay anyone to freeze their credit, if that is what the consumer feels is the correct course of action for them. If the other credit bureaus continue to apply fees for security freezes, as Connecticut law does allow, Attorney General Jepsen believes that Equifax should reimburse consumers for the costs that they incur.”

For now that means keep your receipts if you’re paying to freeze your credit.

Equifax did not immediately respond to The Mirror’s request for comment Thursday.

Jepsen’s statement added that lawmakers might want to rethink whether consumers should face these fees at all: “The attorney general feels that the General Assembly should look very seriously at the issue of changing Connecticut law to prohibit these fees going forward.”

Another lax security practice by Equifax came to light this week, and there’s a question as to whether it could be a violation of Connecticut’s law.

The law says that when freezes are put in place, the credit bureau has to issue a secure code to use to unfreeze the account later on. The law describes the code as a “unique personal identification number or password to be used by the consumer when providing authorization for the release of such consumer’s report to a third party or for a period of time.”

However, rather than a more secure, randomly generated PIN, consumers noticed Equifax was simply using the date and time in a 10-digit format.

Asked whether using this deterministic timestamp, which is not “unique,” violates the law, Jepsen’s office said the question “pertains to matters that will likely be subject to that investigation and, as such, we are unable to comment while the investigation is pending.”
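
An added illustration of the PIN issue described above (not code from Equifax or The Mirror): it contrasts a clock-derived 10-digit PIN with one drawn from a cryptographic random source, and includes a check an issuer could run to spot timestamp-shaped PINs. The MMDDYYHHMM layout, the sample request times and all function names are assumptions; the article says only that the PIN was the date and time in a 10-digit format.

```python
import math
import secrets
from collections import Counter
from datetime import datetime

def timestamp_pin(moment):
    """Clock-derived PIN. The MMDDYYHHMM layout is an assumption."""
    return moment.strftime("%m%d%y%H%M")

def random_pin(digits=10):
    """PIN drawn uniformly from the OS CSPRNG, leading zeros kept."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"

def looks_like_timestamp(pin):
    """Audit check: True if the PIN is a valid MMDDYYHHMM date and time."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    mm, dd, yy, hh, mi = (int(pin[i:i + 2]) for i in range(0, 10, 2))
    try:
        datetime(2000 + yy, mm, dd, hh, mi)
    except ValueError:
        return False
    return True

def shared_pins(pins):
    """PINs handed to more than one consumer, with how many received each."""
    return {pin: n for pin, n in Counter(pins).items() if n > 1}

def keyspace_bits(candidates):
    """Bits of uncertainty when every candidate is equally likely."""
    return math.log2(candidates)

# Constructed sample: five freeze requests arriving within two minutes.
REQUESTS = [datetime(2017, 9, 8, 14, 30, s) for s in (2, 17, 41)] + \
           [datetime(2017, 9, 8, 14, 31, s) for s in (5, 50)]

if __name__ == "__main__":
    clock_pins = [timestamp_pin(t) for t in REQUESTS]
    print("clock PINs shared:", shared_pins(clock_pins))
    print("flagged by audit:", sum(map(looks_like_timestamp, clock_pins)), "of 5")
    print("bits, one year of minutes:", round(keyspace_bits(365 * 24 * 60), 1))
    print("bits, random 10 digits:  ", round(keyspace_bits(10 ** 10), 1))
    print("CSPRNG PIN example:", random_pin())
```

Only about half a percent of uniformly random 10-digit values happen to form a valid date and time in this layout, so the audit check is meaningful over a batch of issued PINs rather than a single one.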

In a letter Friday, Jepsen and other state attorneys general asked Equifax to reimburse customers who proactively sign up for credit freezes and incur costs. The letter also rebuked the credit bureau for promoting fee-based credit monitoring services in addition to the services it said would be free after the breach.

“We believe continuing to offer consumers a fee-based service in addition to Equifax’s free monitoring services will serve to only confuse consumers who are already struggling to make decisions on how to best protect themselves in the wake of this massive breach. We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims,” the attorneys general wrote.

In the letter, the attorneys general also scolded Equifax for initially seeming to require people enrolling in credit monitoring to waive their right to sue Equifax, before that language was removed from their terms of service, and called for extending until Jan. 31 the Nov. 21 deadline to sign up for a free credit freeze.

A number of lawmakers in Congress, including U.S. Rep. Jim Himes, D-4th, and U.S. Sen. Richard Blumenthal and Mass. Sen. Elizabeth Warren, have promoted legislation that would curb or prohibit credit-freeze related fees.

Himes introduced an amendment to the Fair Credit Reporting Act that would require free proactive credit freezes at credit bureaus that had been breached, but it would not require bureaus to reimburse consumers for fees at other bureaus, and it would only include lifetime fee waivers for consumers whose data was identified as being stolen. Blumenthal joined Warren and other senators on legislation that would simply make credit freezes free.

Equifax did not immediately respond to another request by The Mirror for comment Friday.

Jake was Data Editor at CT Mirror. He is a former managing editor of The Ridgefield Press, a Hersam Acorn newspaper. He worked for the community newspaper chain as a reporter and editor for five years before joining the Mirror staff. He studied professional writing at Western Connecticut State University and is a graduate student in software engineering at Harvard Extension School.
