LATEST DATA BREACH CREATING STIR AROUND CONSUMER CREDIT BILL [+AUDIO]
By Michael P. Norton
STATE HOUSE NEWS SERVICE
STATE HOUSE, BOSTON, SEPT. 26, 2017....Massachusetts lawmakers appear to have found the impetus for major consumer credit protection legislation - the latest in a wave of data breaches affecting tens of millions of Americans.
On their heels in the wake of the massive Equifax data breach that has their constituents angry and frustrated, legislators are suddenly energized around a bill filed in January that would provide a suite of legally binding consumer safeguards.
The bill (H 134/S 130) eliminates fees associated with credit management, establishes a "one-stop shop" for placing freezes on credit, and requires the encryption of personal information in credit reports. It also requires companies to obtain consumer consent before accessing or using credit reports or scores.
Sen. Barbara L'Italien (right) talked with Attorney General Maura Healey Tuesday before testifying at a Consumer Protection and Professional Licensure Committee hearing. [Photo: Sam Doran/SHNS]
"We put in an emergency preamble because we can't wait," Sen. Barbara L'Italien told the Legislature's Consumer Protection Committee, which she co-chairs. "We need to set about passing this bill and passing it soon." The preamble eliminates the traditional 90-day waiting period before a signed law by the governor takes effect.
Rep. Tackey Chan, the House chair of the consumer protection committee, told the News Service he has "no plans" for the committee to vote on what he called a "relatively new proposal for us." He said the committee received Attorney General Maura Healey's recommendations for updates to the legislation on Monday.
"The AG's proposed a bill that isn't a bill exactly yet, because the bill we have really just addresses the issue of credit freezes for everyone, so the AG proposed a lot of additional stuff, which the committee will review and take a look at how it would work and how it would be implemented, so we're open to the ideas and we're going to take a look," Chan said after the hearing.
Among the issues Chan said he wanted to dive more deeply into was the security around credit freezes themselves, and how an agency would ensure that the consumer -- and not an impostor who gained access to their information -- was the one thawing a freeze.
A breach involving the personal information of 143 million Americans by the consumer credit reporting agency Equifax has drawn attention to the legislation.
"I think I can reduce my testimony to one word, which is Equifax," said Rep. Denise Provost, a Somerville Democrat who supports the bill.
Healey estimated 3 million "still reeling" Massachusetts residents are affected by the Equifax breach, which she said should provide a lesson for financial institutions that are amassing vast amounts of personal data.
"If you can't keep it safe you shouldn't be able to collect it," said Healey, who called the Equifax breach "far and away the worst that we've seen."
Massachusetts has one of the nation's strongest data security laws pertaining to disclosure of breaches, Healey said, and the pending legislation would "make a meaningful difference" on the consumer side of the equation.
Deidre Cummings, legislative director of the Massachusetts Public Interest Research Group, said the bill includes features that activists were unable to include in the 2007 data security law.
Michael Festa, a former lawmaker who works as state director of AARP, called it "offensive" that consumer credit bureaus charge consumers fees and said it was critical for consumers to be able to easily freeze and unfreeze their credit in order to prevent criminals from fraudulently opening credit lines.
Rep. Randy Hunt, a Sandwich Republican who is a certified public accountant, said he hoped to vote on the bill before the Legislature's Thanksgiving break. The bill's parameters should be expanded, Hunt said, so that consumers are able to manage their credit reports "all with no cost at any time."
"We don't have the choice of having credit files with these organizations," Hunt said, noting personal information accessed by criminals is "forever data."
The Equifax breach, he said, "certainly has driven home the reason that this bill should be dealt with in an expeditious manner."
Data breaches at Target and TJ Maxx were problematic, L'Italien said, but the Equifax breach "affects virtually everybody."
"This bill really sends a message that Massachusetts is serious about protecting consumers and their financial security," L'Italien said.
The sponsor of the House bill, Rep. Jennifer Benson, who is also the former chair of the Consumer Protection Committee, said the bill addresses one of the most important issues that the Legislature can take up.
"More and more of our lives have been digitized and held in these warehouses," Benson said.
Sarah Lashford, who handles government relations for the Consumer Data Industry Association and testifed against the bill, said credit freezes are best used as a "last resort" for someone whose identity has been stolen. Fraud alerts, which are offered freely by credit reporting agencies, are a better route for people who are generally concerned about identity theft, she said.
Healey has filed a lawsuit against Equifax and told lawmakers Tuesday that the company "needs to pay for its mistakes" and any harm suffered by consumers.
Equifax CEO Richard Smith resigned on Tuesday, effective immediately, but plans to stay on as an unpaid advisor to the Atlanta-based company.
"Serving as CEO of Equifax has been an honor, and I'm indebted to the 10,000 Equifax employees who have dedicated their lives to making this a better company," Smith said in a statement. "The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."
Sen. Elizabeth Warren issued a statement in response to Smith's resignation.
"I've called for Equifax executives to be held accountable for their role in failing to stop this data breach and hiding it from the public for forty days," Warren said. "It's not real accountability if the CEO resigns without giving back a nickel in pay and without publicly answering questions. Mr. Smith, along with the new Chairman and the new interim CEO, should all testify before the Senate Banking Committee. The American public deserves answers about what went wrong at Equifax and what the company plans to do going forward."
[Andy Metzger and Katie Lannan contributed reporting]