BOSTON — Last week marked the one-year anniversary of credit reporting company Equifax’s announcement that hackers had breached its system, exposing the data of nearly 150 million Americans.
A consumer watchdog group is observing the occasion with a call for the state Legislature to take the final steps to write new data protections into law.
The 2017 Equifax breach shined a new light on the issue of data security in Massachusetts, and lawmakers on July 25 sent Gov. Charlie Baker compromise legislation that requires companies to seek consumers’ consent before using or obtaining their credit reports, and provides for free credit monitoring to affected consumers after a breach.
Baker returned the bill with amendments on Aug. 3. The House referred his message to its Committee on Bills on Third Reading, chaired by Rep. Ted Speliotis of Danvers, on Aug. 6, and it has not surfaced for further action since then.
“The Legislature should be commended for acting quickly and passing this important consumer protection bill,” MASSPIRG legislative director Deirdre Cummings. “But the bill still needs a final vote to become law. We hope the Legislature will see to it that the bill makes it over the finish line to protect Massachusetts consumers.”
The bill took a winding path to Baker’s desk.
Rep. Jennifer Benson and Sen. Barbara L’Italien filed their original versions when the legislative session began in January 2017, then last fall, worked with Attorney General Maura Healey to develop new language responding to the Equifax hack.
L’Italien and Rep. Tackey Chan, the co-chairs of the Consumer Protection and Professional Licensure Committee, were unable to agree on the legislation by a February deadline, so the House that month passed one version of the bill and the Senate approved its own in April.
A conference committee led by L’Italien and Chan produced a compromise bill on July 24, and lawmakers shipped it to Baker’s desk the following day.
While expressing approval of many of the bill’s provisions, Baker when he returned the bill recommended language he said would allow state agencies charged with ensuring child support payment and “protecting the credit history of children under State care” to continue their work despite the bill’s new restrictions on accessing consumer credit reports.
MASSPIRG characterized Baker’s amendments as “relatively minor changes” and at the time urged lawmakers to quickly accept them so the bill could be signed into law.
Equifax announced on Sept. 6, 2017 that hackers had gained access to their files for a several-week period earlier in that year, originally reporting that the personal information of 143 million people had been potentially compromised and later updating that figure to nearly 148 million.
MASSPIRG last week released a report reflecting on the anniversary of the Equifax breach, knocking the company for not fixing a security vulnerability identified months before the hack, waiting to notify the public after discovering the hack and other elements of its response.
“One year after announcing the worst data breach in history weeks after it knew about it, Equifax has yet to pay a price or provide consumers with the information and tools they need to adequately protect themselves,” Cummings said. “This may not have been the biggest breach ever, but it’s the worst, because Equifax’s carelessness made it easier for bad guys to steal the identities of nearly 150 million consumers.”
In its report, MASSPIRG recommended that consumers protect themselves from identity theft and fraud by checking monthly credit card and bank statements, freezing their credit at all three bureaus, and ignoring unsolicited requests for personal information, among other measures.
A federal law taking effect on Sept. 21 will make it free to place or lift a credit security freeze, a service for which companies can currently charge fees.