SALEM — Oregon lawmakers hope to advance a bill this week to require companies to notify consumers within 45 days after discovering a data breach of their personal information.
House Bill 4147 also would prohibit companies from charging consumers or requesting their credit or debit card numbers to redeem the companies’ offer for free credit card monitoring or a security freeze or to replace personal identification number, passwords or similar devices.
Dubbed the “Equifax bill,” the proposed regulations intersect with revelations Friday, Feb. 9, that cyber thieves last year accessed more personal information than previously reported by the Equifax. The security breach affected an estimated 145.5 million consumers in the United States, Canada and the United Kingdom.
“Oregon fared no better — over 1.7 million of Oregonians’ information was breached,” according to written testimony from Oregon Attorney General Ellen Rosenblum’s office. “As one cannot change their Social Security Numbers, this is a breach that will follow Oregonians for many years to come. Not only does the sheer size of the breach cause concern, but the Equifax story revealed many other failures and unfair practices.”
The Atlanta credit reporting agency discovered in July that hackers had stolen consumers’ names, addresses, birthdates, Social Security numbers and certain driver’s license information. But the breach wasn’t reported to consumers until September, according to media reports.
A letter to U.S. Sen. Elizabeth Warren, D-Massachusetts, of the U.S. Senate Banking Committee on Friday, Feb. 9, showed that additional consumer information was exposed, including tax identification numbers, email addresses and additional driver’s license information.
HB 4147 would require companies to reveal a breach within 45 days unless law enforcement determines doing so would impede a criminal investigation.
Data breaches less than 350,000 would require companies to notify consumers in writing, electronically or by phone. Notices of larger data breaches would require companies to post notice on their website and in statewide newspapers and television broadcasts. Companies would have to report all data breaches to the state attorney general’s office.
Oregonians reported losses of $12.8 million from cybercrimes in 2016, according to the Federal Bureau of Investigation’s Internet Crime Complaint Center. Data breaches fuel those crimes, according to the attorney general’s office.
Equifax offered free credit monitoring services to affected consumers but accepting the offer they were forced to accept arbitration and a waiver of any lawsuit connected to the breach. “They and other credit reporting agencies steered consumers away from credit freezes, and into other pay-per-month type services,” according to the attorney general’s office testimony.
Freezing credit is one of the best preventative measures a consumer can take to protect their credit from fraudulent uses, but ordering a freeze required a fee. “Making freezes free, like some other states, is the best way to help consumers use this very important tool,” according to the attorney general’s statement. The bill provides that a consumer may freeze credit for free once a year.