BOSTON — Consumer advocates are urging Gov. Charlie Baker to sign off on a proposal to guard against breaches of financial data and other personal information.
The bipartisan legislation, co-sponsored by former state Sen. Barbara L’Italien, D-Andover, was approved last year by the House and Senate in response to the 2017 cybersecurity breach at Equifax, which compromised the data of more than 143 million people.
Baker put on the brakes on the legislation in July, saying it shields too much and could have had “unintended consequences” for courts and agencies that rely on access to that information, such as for child support investigations. He sent the bill back to lawmakers with a requested amendment that, among other changes, would allow that access.
Lawmakers approved a final version of the bill with Baker’s recommended changes Dec. 31 and sent it back to him for consideration.
A Baker spokesman said on Friday that the bill is still under review. He has 10 days from Dec. 31 to approve or veto the bill, but he cannot make any changes.
“Identity theft is a growing problem and this proposal includes tools that will allow consumers to better protect their personal information,” said Deidre Cummings, legislative director for the Massachusetts Public Interest Research Group. “These are important protections, and we hope Governor Baker will approve them.”
Cummings said there have been numerous other breaches since the Equifax hack, including one involving Marriott International. The hotel company recently revealed that as many as 383 million records — including customers’ debit and credit card numbers and passport information — were stolen by hackers.
“This wouldn’t crack down on the industry, but it does provide consumers with some simple resources to protect themselves from identity theft,” she said.
Mike Festa, state director for the Massachusetts chapter of the American Association of Retired Persons, is also pressuring Baker to sign the legislation.
“With more access to credit, due to their longer careers and higher incomes, older adults are the most common targets of identity theft nationwide,” he said.
The proposal unanimously approved by lawmakers would allow consumers whose information is hacked to request up to 3 1/2 years of free credit monitoring from the main reporting bureaus — Equifax, Experian and TransUnion — depending on the type of information stolen.
Credit bureaus would be required to “freeze” a person’s credit within five business days of a request to do so. “Freezing” one’s credit, which essentially instructs the credit bureaus not to issue credit reports for a person, is a widely recommended strategy for consumers to ensure that identity thieves don’t use their stolen information to open new lines of credit.
The bureaus also would be prohibited from charging consumers who want to “freeze” or “thaw” their credit information.
They would be prohibited from requiring consumers to waive their legal rights to sue if their data are compromised.
Georgia-based Equifax disclosed last year that the personal information of as many as 143 million people was exposed when its computers were compromised.
Its disclosure caused an uproar because the company waited weeks to reveal the breach, then charged consumers who wanted to freeze their credit information while demanding that they give up their legal rights to sue. Equifax CEO Richard Smith stepped down amid the uproar.
Massachusetts Attorney General Maura Healey sued Equifax, accusing it of failing to protect the information of at least three million Bay State consumers.
Twelve states, including Indiana and Arizona, have passed laws prohibiting credit bureaus from charging consumers who want to begin or remove a freeze.
Christian M. Wade covers the Massachusetts Statehouse for North of Boston Media Group’s newspapers and websites.