A credit freeze requires the reporting agency to get direct authorization from the consumer before opening another account or releasing information to someone else. In addition to allowing credit freezes, the new Minnesota law requires businesses to disclose any breaches in unprotected databases of personal information.
Ari Schwartz, deputy director for the Center for the Internet and Technology in Washington, D.C., says Minnesota is one of several states responding to increasing concerns over reports of stolen laptop computers or missing hard drives that contain thousands of people's personal information.
"The state laws were passed---in the beginning it was almost an experiment to see if people could freeze their credit and it was very successful in several states," he says. "And so we're starting to see several states pick up the same kind of laws."
The worry is savvy crooks can strip personal information from large databases and use it fraudulently to get money or merchandise. Schwartz, and other consumer protection groups, praise laws like Minnesota's that require notification for shining a light on potential security breaks that previously went unnoticed.
"Identity theft is the fastest growing crime in the United States right now. We are seeing the breach laws--laws giving people information about the breaches--have really informed us quite a bit that there are so many of these going on. People feel really at risk and this is about putting peoples' credit reports back in their own hands," he says.
But Schwartz and others are closely watching national efforts to limit laws like Minnesota's.
"The financial service companies are pushing very hard right now to get Congress to pre-empt the state and pass a law at a lower standard than what Minnesota has."
Bills before Congress go in two general directions. One sets a national standard similar to Minnesota's in terms of notification and consumer credit control. The other allows agencies to determine whether lost or breached data can be readily misused. The American Bankers Association is among those pushing for what it calls more focused consumer protections. Association spokeswoman Laura Fisher says Congress should not set national policy based on exaggerated security concerns.
"What we'd like to see is a system where people are notified when there's real risk. We don't want to cause consumers undue alarm when there's not a possibility there will be an identity theft," she says.
Fisher says Banks especially have strict privacy rules to protect customers.
"Banks already have very strong regulators in place. The banking system is heavily regulated. It's very strong and sound. Because of that we don't need to add another level of regulation to banks."
Fisher points out actual identity theft is rare. She says more people are worried about account fraud, in which a thief illegally uses another person's credit card number. That's a crime for which people already have adequate legal and financial protections.
Still, the thought of personal information lost or compromised is something Harris, Minnesota resident Karen Francis would rather know about.
Francis' husband is currently deployed in Iraq. His personal information was on computer tapes lost by BankAmerica last year. And this year, he was notified his information was on the laptop stolen from the Veterans Administration employee in May. Francis says, as difficult as it is, she'd rather know when potentially damaging information is lost. "It's my social security number, it's my money, it's my date of birth, it's my place of birth. If it's going to take an extra five minutes when I open a loan or want to open a new credit card that's my problem. I don't understand why the banks get so upset about it."
Neither privacy rights groups nor financial services advocates can predict when Congress might act on the consumer information bills.