New data breach protections closer to law
SALEM — Oregon's House on Thursday passed a bill to enhance protections for consumers when hackers steal their information from credit reporting bureaus and other companies.
The 58-1 vote in the House follows unanimous passage of the bill in the Senate in February. The bill now needs Gov. Kate Brown's signature to become law.
The legislation requires companies to notify consumers within 45 days after discovering a data breach of their personal information and prohibits companies from charging consumers for a security freeze. A security freeze is one of the best ways to secure a breached account and stop identity theft, according to the Oregon Department of Justice.
"Let's hope that this bill will help these sorts of issues from devastating consumers in the future, especially in Oregon, as we know this is a very difficult thing for consumers to deal with that can be time-consuming and sometimes expensive," said Rep. Paul Holvey, D-Eugene, who presented the bill on the House floor Thursday, March 1.
Under Senate Bill 1551, consumers would be entitled to place a credit freeze with each credit reporting agency without charge at any time for any reason. Companies also would be prohibited from charging for removal of a freeze, or a temporary lifting of a freeze.
Dubbed the "Equifax bill," the legislation responds to a mass cyber theft at the Atlanta-based credit reporting agency last September. The data breach compromised private information, such as Social Security and driver's license numbers, of 145 million consumers in the United States, Canada and the United Kingdom. About 1.7 million Social Security numbers were jeopardized in Oregon alone, according to DOJ.
Atlanta's Equifax discovered in July that cyber thieves had accessed consumers' names, addresses, birthdates, Social Security numbers and driver's license information, but the breach wasn't reported to consumers until September, according to media reports. A Feb. 9 letter to U.S. Sen. Elizabeth Warren, D-Massachusetts, of the U.S. Senate Banking Committee, showed that additional consumer information was exposed, including tax identification numbers, email addresses and additional driver's license information.
"The Equifax data breach was a shocking reminder of how vulnerable we all are to having our sensitive information compromised and falling victim to identity theft," said Maureen Mahoney, policy analyst for Consumers Union, a division of Consumer Reports. "Identity thieves can ruin a consumer's credit record by opening fraudulent accounts in their names and running up big bills that go unpaid. By making the security freeze free, Oregon is providing consumers with a powerful safeguard that prevents crooks from doing serious financial damage that can take years to repair."
The bill would require companies to reveal a breach within 45 days unless law enforcement determines doing so would impede a criminal investigation. Holvey and Sen. Floyd Prozanski, another Democrat from Eugene, co-sponsored the legislation.
Companies would have to report all data breaches to the state DOJ.
Oregonians reported losses of $12.8 million from cybercrimes in 2016, according to the Federal Bureau of Investigation's Internet Crime Complaint Center. Data breaches fuel those crimes, according to the state DOJ.
Equifax offered free credit monitoring services to affected consumers, but by accepting the offer they were forced to accept arbitration and a waiver of any lawsuit connected to the breach. "They and other credit reporting agencies steered consumers away from credit freezes, and into other pay-per-month type services," according to testimony from the state DOJ.
A security freeze gives consumers the choice to "freeze" or block access to their credit file against identity thieves trying to open up a new account or a new line of credit in their name. Under existing state law, most consumers must pay $10 to each of the three major credit bureaus to place, temporarily lift or remove a credit freeze.
A security freeze at all three major credit bureaus prevents an identity thief from opening a new account because the potential creditor or seller of services cannot check the credit file. The consumer can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.
If SB 1551 becomes law, Oregon will join four other states that enable consumers to place, temporarily lift, and remove security freeze protection free-of-charge: Indiana, Maine, North Carolina and South Carolina. Four other states enable consumers to place a security freeze for free, but they can be charged to temporarily lift or remove a freeze: Colorado, Maryland, New Jersey and New York, according to Consumers Union.