SALEM — The state Senate has unanimously passed a bill to protect consumers when hackers steal their personal information from credit reporting bureaus and other companies.
The legislation requires companies to notify consumers within 45 days after discovering a data breach of their personal information and prohibits companies from charging consumers for a security freeze. A security freeze is one of the best ways to secure a breached account and stop identity theft, according to the Oregon Department of Justice.
Under Senate Bill 1551, consumers would be entitled to place a credit freeze with each credit reporting agency free-of-charge at any time for any reason. Companies also would be prohibited from charging for removal of a freeze, or a temporary lifting of a freeze.
“Consumers protecting themselves when their personal data is compromised should be as easy and inexpensive as possible,” said state Sen. Floyd Prozanski, D-Eugene, who carried the bill on the Senate floor Wednesday. “When there is a data breach, credit freezes should be granted right away, at no cost, to help people protect themselves from financial hardship due to identity theft.”
Dubbed the “Equifax bill,” the legislation — along with a nearly identical proposal in the state House — responds to a mass cyber theft at the Atlanta-based credit reporting agency last September. The data breach compromised private information, such as Social Security and driver’s license numbers, of 145 million consumers in the United States, Canada and the United Kingdom. About 1.7 million Social Security numbers were jeopardized in Oregon alone, according to the Department of Justice.
Equifax discovered in July that cyber thieves had accessed consumers’ names, addresses, birthdates, Social Security numbers and driver license information, but the breach wasn’t reported to consumers until September, according to media reports. A letter this month to U.S. Sen. Elizabeth Warren, D-Massachusetts, of the U.S. Senate Banking, Housing and Urban Affairs Committee, showed that additional consumer information was exposed, including tax identification numbers, email addresses and additional driver’s license information.
Like the House bill, the proposal passed by the Senate Wednesday would require companies to reveal a breach within 45 days unless law enforcement determines doing so would impede a criminal investigation. Prozanski and Rep. Paul Holvey, another Democrat from Eugene, co-sponsored both pieces of legislation.
Companies would have to report all data breaches to the state Department of Justice.
Oregonians reported losses of $12.8 million from cybercrimes in 2016, according to the FBI’s Internet Crime Complaint Center. Data breaches fuel those crimes, according to the state.
Equifax offered free credit monitoring services to affected consumers but by accepting the offer they were forced to accept arbitration and a waiver of any lawsuit connected to the breach. “They and other credit reporting agencies steered consumers away from credit freezes, and into other pay-per-month type services,” according to testimony from the state Department of Justice.
Freezing credit is one of the best preventative measures a consumer can take to protect their credit from fraudulent uses, but ordering a freeze required a fee.
“No company should be able to make money by helping someone protect themselves because that company didn’t adequately protect the consumer’s data,” Prozanski said. “This bill will ensure consumers have adequate tools and protections in place in the unfortunate circumstance that this type of massive breach happens again.”
Oregon has had its own share of data breaches.
In January, Oregon’s State Accident Insurance Fund Corp. revealed that it may have inadvertently exposed confidential information of more than 1,750 people.
The information, including the individuals’ names and Social Security numbers, was compromised in November when a hacker gained access to a SAIF auditor’s email account. That account contained emails which included personal information on employees for six companies who get their workers’ compensation insurance through the quasi-public agency. Among those affected are some substitute teachers and school classified workers in the Portland area.
The bill now heads to the House for consideration.
The Capital Bureau is a collaboration between EO Media Group and Pamplin Media Group.