The Identity Theft Protection Act is the short title of legislation in the United States passed in most states in response to the growing incidence of computer fraud, privacy violations, and identity theft. Based on model legislation developed by the Public Interest Research Group (PIRG) and the Consumers' Union (CU), the act gives consumers the right to file a police report if they become the victims of identity theft, and to freeze their credit files at their own discretion, preventing the unauthorized issuance of new credit. The act also imposes higher standards of security for companies' use of consumers' personal data, including social security numbers, and requires companies to destroy files containing personal information when no longer needed.
When identity theft surfaced as a significant problem for American consumers, it also posed a serious problem to law enforcement. For various reasons, many law enforcement agencies declined even to issue a police report when citizens complained, claiming that they couldn't be certain that a crime had actually been committed, and if it had, that it had taken place within their jurisdiction. Credit card issuers, however, refused to take any action in the absence of a police report, and the companies that maintain credit reports likewise refused to acknowledge that a theft had occurred without a police report. Consumers, victimized by identity thieves who raided their banking and credit accounts, were unable to seek satisfaction because they couldn't get a police report, despite documented proof of the theft on their account statements. The Identity Theft Protection Act eliminated that problem.
Credit freezes are another important component of the Identity Theft Protection Act. Before extending credit, lenders review an applicant's data with one or more of the three credit reporting agencies in the US, generally extending credit if the report is favorable. Using stolen personal data, identity thieves file fraudulent credit applications and then use the credit established to steal. Creditors expected the victims of the identity theft to pay the bills incurred by the thieves. A credit freeze prohibits the credit reporting agencies from revealing anything at all about a consumer, thus providing absolute protection for potential victims. Credit freezes can be lifted temporarily when a consumer legitimately applies for credit.
Companies whose databases contained files on literally millions of consumers, meanwhile, continually experienced security breaches, losing sensitive consumer data to theft or incompetence. Security measures to safeguard such data were often minimal or non-existent; some sensitive files were lost when laptops containing the data were left in taxicabs and on restaurant tables. Some companies also treated their customers' confidential data as an asset to be exploited, making profit by selling it to third parties or sharing it with affiliates. Identity thieves posing as merchants were sometimes able to purchase customer files from large companies, often with sufficient information for them to make fraudulent credit applications.
Attempts by the US Congress to deal with identity theft were mostly ineffective, in part because of questions of jurisdiction, and in part because of opposition from banking and credit interests. Federal identity theft protection law essentially gives consumers access to free copies of their credit reports and the right to ask the credit reporting agencies to flag their credit files. These flags are supposed to alert potential creditors to require direct contact with the consumer and positive identification before extending credit, but are frequently ignored by creditors.
To address the perceived deficiencies of federal legislation, PIRG and the CU developed the Identity Theft Protection Act, formally titled the State Clean Credit and Identity Theft Protection Act. Model legislation like this is often written as a guideline for the various states when they share common objectives on issues that don't fall under federal jurisdiction, and facilitate operations of businesses operating in multiple states because they don't have to contend with a host of different and sometimes contradictory regulations.