
After Equifax Data Breach, Here Are 8 Changes Lawmakers Propose

Written by Brian J. O'Connor for Symantec

The increase in the rate of identity theft in the United States—highlighted by the massive Equifax data breach earlier this year—has lawmakers at state and federal levels taking action.

Elected officials are pushing legislation to help victims and tighten regulations. The goal is to enact laws that enhance security and protection measures, as well as provide remedies for consumers affected by data breaches.

A central feature of much of the new legislation is to mandate free credit freezes and related activities for consumers whose data has been breached. Unless you’re an identity theft victim, in which case credit freezes are free, credit reporting agencies can charge up to $10 to freeze a single credit report and, possibly, another fee to unfreeze it. With three major credit reporting agencies in possession of such data, a consumer might want to pay three times for each freeze to ensure the best possible protection.

Why now? Data breaches smashing records

The number of data breaches in the U.S. is on track to hit a record high this year, according to the Identity Theft Resource Center. The center estimates the number of U.S. data breaches could reach 1,500 in 2017, a 37 percent annual increase over 2016.

The numbers for 2017 include the huge Equifax data breach, which potentially exposed the Social Security numbers and other personal information of as many as 145.5 million U.S. consumers.

In the wake of such breaches, Congressional lawmakers want to cut fees charged to consumers and tighten reporting requirements for hacked businesses, while state legislatures from Vermont to Montana are backing their own measures to beef up consumer identity protections.

“I think this is a response to the Equifax breach,” said Eva Velasquez, president and CEO of the nonprofit Identity Theft Resource Center. “Historically, what we’ve seen is that when an issue gets overwhelming enough, we start getting legislatures jumping in.”

Here are eight ways they’re trying to take the leap.

  1. Demanding more from data brokers
    In the U.S. Senate, Massachusetts Democrat Edward Markey introduced the Data Broker Accountability and Transparency Act of 2017 in September. The proposed legislation would:

    • Create accountability and transparency requirements for brokers who handle sensitive consumer information.
    • Establish privacy and security standards, as well as require brokers to give consumers reasonable notice if a breach occurs.
    • Allow consumers to review and correct information held by data brokers, and to opt out of having their information sold to marketers.

    Currently, Sen. Markey’s bill would assign federal enforcement to the Federal Trade Commission, which is one of a few agencies tasked with oversight of identity theft claims for consumers, and the bill would eliminate any discretion data firms now have when it comes to informing citizens about breaches.

    Equifax, for example, knew about the breach for more than five weeks before announcing it had happened.

    The bill also would require the FTC to write regulations, and establish a central website listing data brokers covered by the act and consumer rights information.

  2. Putting the freeze on freeze costs
    Another Massachusetts Senator, Democrat Elizabeth Warren, noted that the Equifax breach created business opportunities for the company. Along with Hawaii Democrat Brian Schatz, Warren introduced the Freedom from Equifax Exploitation (FREE) Act in September. The bill would prevent credit reporting agencies from profiting off of consumers' information during a freeze, enhance fraud alert protections, and allow consumers to receive an additional free credit report following the Equifax data breach. (Consumers are currently allowed one free credit report annually from each of the three major credit reporting agencies, available at AnnualCreditReport.com.) It also would create a uniform national process for obtaining and lifting a freeze.

    The act also would force Equifax and other credit reporting bureaus to refund what they charged for credit freezes in the wake of the Equifax data breach. Such fees vary widely from state to state, with some states requiring free freezes and others allowing charges of $3 to $10 for freezing, unfreezing and temporarily lifting a freeze. Equifax has said it will waive freeze charges through Jan. 31. Beginning on that date, it said it would introduce a mobile app allowing consumers to lock and unlock their credit for free.

    “Credit reporting agencies like Equifax make billions of dollars collecting and selling personal data about consumers without their consent, and then make consumers pay if they want to stop the sharing of their own data,” Warren said. “Our bill gives consumers more control over their own personal data and prohibits companies like Equifax from charging consumers for freezing and unfreezing access to their credit files.”

  3. Boosting breach notification
    On the other side of the Capitol, House lawmakers are backing the Personal Data Notification and Protection Act of 2017 (PDNP Act), which would replace all 48 different state laws covering notification of data breaches with one uniform national standard. The act would require that consumers be notified within 30 days of a breach and that notifications be coordinated with the Federal Trade Commission.

    Introduced in September by Rhode Island Democrat Jim Langevin, the proposed legislation would require notification—by mail, telephone or, in some cases, email—of the type of information stolen.  

  4. More protection for Social Security numbers
    Also in the House, North Carolina Republican Patrick McHenry, who’s also Chief Deputy Whip, authored a bill that would ban credit bureaus from using Social Security numbers to identify consumers. Introduced in October, Rep. McHenry’s bill is called the Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017.

    The legislation also calls for the federal government to create uniform national cybersecurity standards for credit reporting agencies, ensure that the agencies are in compliance, and create a nationwide credit freeze structure.

    Because of McHenry’s standing with the Republican House leadership, his measure could have a better chance of success. The other legislation, in both the House and Senate, has all been introduced by minority-party Democrats.

  5. More consumer protections—for free
    In addition, the House’s ranking Democrat on the Committee on Financial Services reintroduced the Comprehensive Consumer Credit Reporting Reform Act. The bill, introduced in September by California Rep. Maxine Waters, would add a number of consumer protections to rules governing credit bureaus and credit reporting. These include requiring free, timely access to credit freezes for fraud victims and others, and free credit monitoring and identity theft services to vulnerable consumers.

  6. Outlawing fees for freezes statewide
    Beyond the D.C. Beltway, state legislators also have been introducing a flurry of laws. The landscape of rules regarding credit reports, freezes, charges, and other consumer rights is now a patchwork of state-by-state laws, with fees banned in several states.

    In Illinois, the state House has already approved and sent to the state Senate a bill that outlaws charging fees for credit freezes and for removing or temporarily lifting freezes. The bill would amend that state’s Consumer Fraud and Deceptive Business Practices Act.

    “When a big corporation that makes billions of dollars collecting our personal information can’t keep that information secure, it shouldn’t be on us to pay to clean up their mess,” said Democratic State Rep. Dan Beiser. “This is an important change that makes it less costly for people trying to protect their finances.”

  7. Free freezes—without a police report

    A Washington state lawmaker also is moving to make it easier and free for Washington consumers to implement credit freezes. Democratic State Rep. Mike Pellicciotti said in late October that he’ll introduce legislation allowing consumers to request free credit freezes without filing a police report.

    The law now allows victims of identity theft and seniors to freeze credit for free, but only after the victims submit a formal police report to get this protection. Pellicciotti says the police report requirement drains law enforcement resources and is a burden for fraud victims. His proposed legislation would allow fraud victims to freeze and unfreeze credit for free by simply certifying that a breach occurred.

    In Vermont, the state legislature won’t be back in session until January, but the state scheduled public hearings to gather consumer concerns and suggestions.

    “This is about giving Vermonters control,” said Attorney General T.J. Donovan. “This is about giving power back to the folks of this state.”

  8. Identity stolen—May I see your passport?
    Finally, in Minnesota, State Sen. Dave Senjem and Rep. Duane Quam have renewed efforts they started two years ago to set up a Minnesota state “identity theft passport.”

    The passport would look similar to a driver’s license and help victims prove to financial institutions, law enforcement officers and others that they’ve been the victims of ID theft and not the perpetrators of the crime. Other states, including Iowa, have similar ID theft passports available.

    “Data breaches like we have seen recently with Equifax put the identity and financial health of millions of Minnesotans at risk,” said Rep. Quam, according to Forum News Service.

Breach provides ‘wake-up call’

The attention that identity theft and data breaches are getting at state and federal levels is welcome news after the Experian breach, said Velasquez of the Identity Theft Resource Center.

“It’s been a wake-up call, not only for consumers but also the lawmakers,” Velasquez said. “I’m glad to see that we’re at least having the conversation about addressing the data security and data breach issues that we have in this country.”
