New data breach protections closer to law
SALEM — Oregon's House of Representatives on Thursday passed a bill to enhance protections for consumers when hackers steal their information from credit reporting bureaus and other companies.
The 58-1 vote follows unanimous passage of the bill in the Senate in February. The bill now needs Gov. Kate Brown's signature to become law.
The legislation requires companies to notify consumers within 45 days after discovering a data breach of their personal information and prohibits companies from charging consumers for a security freeze. A security freeze is one of the best ways to secure a breached account and stop identity theft, according to the Oregon Department of Justice.
"Let's hope that this bill will help these sorts of issues from devastating consumers in the future, especially in Oregon, as we know this is a very difficult thing for consumers to deal with that can be time-consuming and sometimes expensive," said Rep. Paul Holvey, D-Eugene, who presented the bill on the House floor Thursday, March 1.
Under Senate Bill 1551, consumers would be entitled to place a credit freeze with each credit reporting agency without charge at any time for any reason. Companies also would be prohibited from charging for removal of a freeze, or a temporary lifting of a freeze.
Revealing a breach
Dubbed the "Equifax bill," the legislation responds to a mass cyber theft at the Atlanta-based credit reporting agency last September. The data breach compromised private information, such as Social Security and driver's license numbers, of 145 million consumers in the United States, Canada and the United Kingdom. About 1.7 million Social Security numbers were jeopardized in Oregon alone, according to DOJ.
Atlanta's Equifax discovered in July that cyber thieves had accessed consumers' names, addresses, birthdates, Social Security numbers and driver license information, but the breach wasn't reported to consumers until September, according to media reports.
A Feb. 9 letter to U.S. Sen. Elizabeth Warren, D-Massachusetts, of the U.S. Senate Banking Committee, showed that additional consumer information was exposed, including tax identification numbers, email addresses and additional driver's license information.
"The Equifax data breach was a shocking reminder of how vulnerable we all are to having our sensitive information compromised and falling victim to identity theft," said Maureen Mahoney, policy analyst for Consumers Union, a division of Consumer Reports. "Identity thieves can ruin a consumer's credit record by opening fraudulent accounts in their names and running up big bills that go unpaid. By making the security freeze free, Oregon is providing consumers with a powerful safeguard that prevents crooks from doing serious financial damage that can take years to repair."
The bill would require companies to reveal a breach within 45 days unless law enforcement determines doing so would impede a criminal investigation. Holvey and Sen. Floyd Prozanski, another Democrat from Eugene, co-sponsored the legislation.
Companies would have to report all data breaches to the state DOJ.