Part of the huge settlement announced Monday by Equifax over its massive 2017 data breach includes lots of free credit reports for consumers.
Just don't count on it being a way to prevent criminals from accessing your file.
The settlement — which could reach more than $650 million and must still be approved by the courts — includes Equifax paying $300 million to a fund that would provide affected consumers with credit-monitoring services, along with compensating those who paid for such services as a result of the 2017 data breach.
The agreement calls for Equifax to provide consumers with six free credit reports each year for seven years beginning in January 2020, according to the Federal Trade Commission's announcement of the resolution. That would be in addition to the one free annual report that consumers are entitled to from each of the nationwide credit-reporting firms.
"None of this changes the strategy that consumers should deploy to protect themselves," said John Ulzheimer, a credit experts and president of the The Ulzheimer Group in Atlanta.
"Free credit reports are fantastic, but I don't think pulling your report from time to time is a good strategy to protect your identity, because it's reactive," Ulzheimer said.
In other words, if you spot a problem, fraud may already have happened.
In contrast, Ulzheimer said, being proactive would mean freezing your credit report, which generally blocks outside access to your file. This means a scammer can't use your personal information to get a loan or establish credit, because the potential lender can't check your report to approve the application.
"A freeze is by far the most important thing to do to protect your score and your reports," Ulzheimer said.
Last September, a federal law went into effect that prohibits credit-reporting firms from charging consumers for a credit freeze (or to lift a freeze). However, you must alert the firms — Equifax, Experian and TransUnion are the biggest — to freeze your report at each of them.
You also can use a short-term fraud alert, which lasts one year. These alerts are different from freezes: Under a fraud alert, a lender seeking to approve an application must first contact you to verify the request is not from an imposter.
You only need to contact one credit reporting firm to initiate a fraud alert, which in turn is legally obligated to share your notice with others. It also is free.
Ulzheimer said he uses both a freeze and a fraud alert.
More from Personal Finance:
This is how much income tax you're paying to your state
Best way to save for retirement may include this underused plan
Avoiding costly Medicare mistakes when retiring after age 65
"I double up," he said. "I have to thaw [unfreeze] my report to give a lender access to it, but then the lender also has to take reasonable steps to make sure I'm the one who applied when they see the fraud alert."
While the cyberattack at Equifax wasn't the first major breach at a U.S. company, it was different in that the revealed data included far more identifying information — and consumers did not willingly share any of it with the company. Like other credit reporting firms, Equifax collects and compiles consumers' personal data from various sources to create credit reports and calculate credit scores.
Several months after the 2017 breach, Equifax disclosed that the personal data of at least 143 million consumers — including their names, birthdates and Social Security numbers — had been exposed to criminals in a cyberattack against the company. By March 2018, the number of consumers affected was revised upward to 148 million.
The settlement announced Monday would resolve consumer class-action litigation, as well as investigations by the FTC, the Consumer Financial Protect Bureau, and most states, along with Washington, D.C., and Puerto Rico, according to the Equifax announcement.
The consumer fund that's part of the settlement "reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter," said Equifax CEO Mark Begor in a statement.