Following Equifax Hack, AG Healey and Legislators Announce Data Breach Bill to Better Protect Massachusetts Residents
BOSTON – After bringing the nation’s first enforcement action against Equifax for its failure to protect the personal information of nearly three million Massachusetts residents, Attorney General Maura Healey announced updated legislation that will better protect consumers from data breaches.
The new legislation, An Act Removing Fees for Security Freezes and Disclosures of Consumer Credit Reports (SB 130/HB 134) will help consumers by eliminating fees and establishing a one-stop shop for placing credit freezes, mandating encryption of personal information in credit reports, and requiring that companies obtain consent before accessing or using consumer credit reports and credit scores.
The bill – introduced today at the State House – is co-sponsored by Senator Barbara L’Italien and State Representative Jennifer Benson. AG Healey’s office assisted in drafting the updated language to provide additional protections for consumers affected by a breach.
“For too long, protecting consumers has been an afterthought for Equifax and other credit reporting agencies,” said AG Healey. “This bill will give Massachusetts residents control over their personal data and help fix a system that needed reform long before the Equifax breach. I am proud to join with Senator L’Italien and Representative Benson as Massachusetts leads the charge for our country’s consumers.”
“I am proud to stand today in collaboration with the Attorney General and Rep. Jen Benson to discuss enhanced consumer protections for all residents of our Commonwealth,” said Senator L’Italien. “With the Equifax breach we learned how easy it is for our personal information to be compromised, and the urgency of ensuring additional protection for consumers and our credit and financial information.”
“I welcome the Attorney General’s support of this important legislation,” said Representative Benson, Chair of the Joint Committee on State Administration and Regulatory Oversight. “I filed this bill to protect victims of identity theft, and in collaboration with the Attorney General and Chairwoman L’Italien, we’ve made the language even stronger to provide further consumer protections.”
“For far too long, consumers have had too little control over their own personal information that is stored and sold by credit reporting agencies,” said Chi Chi Wu, National Consumer Law Center staff attorney. “I commend Attorney General Maura Healey for introducing this updated bill, which gives consumers a say in whether a business can access their credit report or score. The bill also responds to the Equifax data breach by making credit freezes free of charge.”
“Equifax’s massive security breach exposed that not only did they throw away the lock and lose the key to safeguarding our information, but when we asked them to secure it, with a credit freeze, they wanted to charge us and make a profit off of their extreme negligence,” said Deirdre Cummings, Legislative Director with MASSPIRG. “We have a terrific opportunity and obligation to pass a strong reform bill, and we should do it now.”
“AARP Massachusetts believes that consumers should not have to pay to freeze their credit, and urges Massachusetts lawmakers to enact this legislation to give residents of Massachusetts the power to control access to their credit report without cost,” said Mike Festa, state director of AARP Massachusetts.
The updated legislation helps consumers in Massachusetts in a number of ways:
- Consent: Any company seeking to obtain or use a consumer’s credit report or credit score will need the written consent of the consumer and must disclose the reason for seeking access to the information.
- Credit Freeze: The bill would allow consumers to place and lift a credit freeze on their files at any time, for free. Unlike credit monitoring (which alerts you after potential identity theft has already occurred), a credit freeze makes it harder for someone to open a new account in your name. The new legislation will require the credit reporting agencies to put in place a simple, one-stop shop for freezing and unfreezing your credit reports.
- Credit reports: The bill will require each credit reporting agency to provide extra access to free credit reports to consumers impacted by a breach. Under federal law, consumers only get access to one free credit report per year, but under the new legislation, affected consumers will be entitled to no less than three free copies from each agency after a data breach.
- Credit monitoring: If the breach occurs at a consumer reporting agency – like Equifax – the bill requires it to provide five years of free credit monitoring to affected consumers.
- Encryption: The bill will require that all agencies encrypt personal information contained in consumer credit reports to enhance the security, confidentiality and integrity of personal information.
According to Equifax, the breach reported earlier this month potentially compromised the personal information of 143 million consumers nationwide, including nearly three million Massachusetts consumers. Following the breach, AG Healey launched an immediate investigation and filed a lawsuit last week against Equifax alleging that it did not maintain the appropriate safeguards to protect consumer data in violation of Massachusetts consumer protection and data privacy laws and regulations. The AG’s Office also issued guidance for consumers in the wake of the data breach.
Equifax is a consumer reporting agency that businesses rely on to make decisions about the credit worthiness of consumers, therefore affecting whether consumers can buy a house, acquire a loan, lease a vehicle, or even get a job. Consumers have little to no control over the information about them that Equifax acquires.
AG Healey will testify before the Joint Committee on Consumer Protection and Professional Licensure tomorrow in support of the bill and ask the Committee to incorporate the additional consumer protections proposed today.