Senate tightens security rules with 'Equifax bill'
SALEM — The Oregon Senate has unanimously passed a bill to protect consumers when hackers steal their information from credit reporting bureaus and other companies.
The bill, which will now make its way to the House of Representatives, requires companies to notify consumers within 45 days after discovering a data breach of their personal information and prohibits companies from charging consumers for a security freeze. A security freeze is one of the best ways to secure a breached account and stop identity theft, according to the Oregon Department of Justice.
Under Senate Bill 1551, consumers would be entitled to place a credit freeze with each credit reporting agency without charge at any time for any reason. Companies also would be prohibited from charging for removal of a freeze, or a temporary lifting of a freeze.
"Consumers protecting themselves when their personal data is compromised should be as easy and inexpensive as possible," said state Sen. Floyd Prozanski (D-Eugene), who carried the bill on the Senate floor Feb. 21. "When there is a data breach, credit freezes should be granted right away, at no cost, to help people protect themselves from financial hardship due to identity theft."
Revealing a breach
Dubbed the "Equifax bill," the legislation — along with a nearly identical bill in the House — responds to a mass cyber theft at the Atlanta-based credit reporting agency in September. The data breach compromised private information, such as Social Security and driver's license numbers, of 145 million consumers in the United States, Canada and the United Kingdom. About 1.7 million Social Security numbers were jeopardized in Oregon alone, according to DOJ.
Atlanta's Equifax discovered in July that cyber thieves had accessed consumers' names, addresses, birthdates, Social Security numbers and driver's license information, but the breach wasn't reported to consumers until September, according to media reports. A Feb. 9 letter to U.S. Sen. Elizabeth Warren (D-Massachusetts) of the U.S. Senate Banking Committee showed that additional consumer information was exposed, including tax identification numbers, email addresses and additional driver's license information.
Like the House bill, the proposal passed by the Senate would require companies to reveal a breach within 45 days unless law enforcement determines doing so would impede a criminal investigation. Prozanski and Rep. Paul Holvey, another Democrat from Eugene, co-sponsored both pieces of legislation in the Senate and House.
Companies would have to report all data breaches to the state DOJ as well.
Ensuring adequate protection
Oregonians reported losses of $12.8 million from cybercrimes in 2016, according to the FBI's Internet Crime Complaint Center. Data breaches fuel most of those crimes, according to the state DOJ.
Equifax offered free credit monitoring services to affected consumers, but by accepting the offer they were forced to accept arbitration and a waiver of any lawsuit connected to the breach.
"They and other credit reporting agencies steered consumers away from credit freezes, and into other pay-per-month type services," according to testimony from the state DOJ.
Freezing credit is one of the best preventative measures a consumer can take to protect their credit from fraudulent uses, but ordering a freeze required a fee.
"No company should be able to make money by helping someone protect themselves because that company didn't adequately protect the consumer's data," Prozanski said. "This bill will ensure consumers have adequate tools and protections in place in the unfortunate circumstance that this type of massive breach happens again."
Oregon has had its own share of data breaches.
In January, the State Accident Insurance Fund (SAIF) reported that it may have inadvertently exposed confidential information of more than 1,750 people.
The information, including the individuals' names and Social Security numbers, was compromised on Nov. 3 when a hacker gained access to a SAIF auditor's email account.
That account contained emails that included personal information on employees of six companies that get their workers' compensation insurance through the quasi-public agency. Among those affected are some substitute teachers and school classified workers in the Portland area.