From the office of Rep. Randy Hunt (R-Sandwich)...
BOSTON – The House and Senate have finalized legislation to give Massachusetts residents more control over the use of their personal credit information, along with enhanced protections in the event their information is compromised.
State Representative Randy Hunt, R-Sandwich, voted to support House Bill 4806, An Act Relative to Consumer Protection from Security Breaches, which passed the House and Senate unanimously on July 25. The bill represents a compromise agreed to by a six-member conference committee, on which Rep. Hunt served, that worked to reconcile the differences between two earlier versions of the bill previously approved by the two branches.
From May through July 2017, Equifax was the target of a data hack in which the personal information of 148 million Americans was stolen. That works out to upwards of 75% of our adult population who rely on credit transactions.
Equifax failed to install a software security patch that was made available to it two months before the cyber theft began. After discovering the hack on July 29, 2017, Equifax kept the breach a secret from the public for five weeks, during which time its chief financial officer and two other high-level employees sold company stock, pocketing more than $1 million in capital gains. Those insider trading cases are currently being investigated by the Securities and Exchange Commission.
After announcing the security breach on September 7, the company advised consumers to freeze their credit reports and offered one year of credit monitoring for free. Initially, Equifax required consumers to waive their legal rights in exchange for the free credit monitoring but then retracted that requirement in light of heavy consumer outrage.
“At the time,” recounted Rep. Hunt, “Equifax and the other major credit reporting agencies (CRAs), TransUnion and Experian, charged consumers $5 to activate a credit freeze and another $5 to release it. If only 10 percent of the 148 million consumers affected by the data breach opted to follow Equifax’ advice, the three CRAs would have enjoyed nearly a quarter of a billion dollars in fees, all because of Equifax’ inability to keep consumer data protected. A windfall for screwing up.”
House Bill 4806 eliminates any charge for applying or removing a credit account freeze and requires CRAs to point consumers to this free service when explaining their paid service options. The bill also prevents unauthorized access to credit reports by requiring written, verbal or electronic consent from the consumer before their personal information can be accessed. Anyone attempting to access a consumer’s credit report must also disclose their reason for doing so to the consumer.
More stringent requirements have been put in place on business entities and credit reporting agencies that experience a data breach. Businesses will now be required to provide a minimum of 18 months of free credit monitoring services to consumers following a breach, while credit reporting agencies will be required to provide these services free of charge for at least 3½ years. In addition, breached entities must immediately notify the Attorney General and the Director of the Office of Consumer Affairs whenever a breach occurs and provide details on the extent of the breach and the steps being taken to address it.
The bill is now on Governor Charlie Baker’s desk for his review. He has until August 4 to sign it into law.