Ultrino, House Approve Bill to Enhance Consumer Protection Following Data Breaches

BOSTON – Representative Steve Ultrino joined his colleagues in the House to pass legislation providing added protections and resources for consumers in the event of a data security breach that impacts a credit agency or other business.  

“This legislation is about protecting millions of people from massive data breaches at companies like Equifax,” said Representative Ultrino. “When hackers gain access to vast amounts of personal consumer information, we need to know that the financial institutions involved will provide working families with the access, information and resources they need to protect themselves from financial threats and identify theft.”

Under this legislation, credit freezes, lifts or removals must be provided to consumers without a charge. Credit agencies or businesses must provide one year of free credit monitoring after any breach.

“This legislation includes many powerful consumer protection tools that also modernize the way we do business,” House Speaker Robert A. DeLeo said. “I thank Chairman Chan for his exhaustive study into this complex problem and Chairwoman Benson for her ongoing commitment.”

“I am proud to see the House of Representatives vote today to protect Massachusetts residents from data breaches and modernize our current laws,” said Representative Tackey Chan (D-Quincy), House Chair of the Committee on Consumer Protection and Professional Licensure. “Particularly following numerous high profile breaches over the last year, this legislation is urgently needed to ensure that consumers have more control over their credit protections. This is an issue that impacts every individual, organization and business in the Commonwealth, and I am grateful for the valuable input from so many stakeholders, committee members, and colleagues throughout this process to ensure that we produced the best possible policy for our residents.”

“As an advocate for consumer protection, I filed legislation to make it easier for consumers to freeze their credit reports so that victims of identity theft and fraud could more quickly regain control of their credit,” said Representative Jennifer Benson (D-Lunenburg). “In the wake of the Equifax hack last year, I worked with the Attorney General and advocates to strengthen the bill with additional language offering further protections. I’m proud of my colleagues in the House for coming together to pass this important legislation to protect and empower Massachusetts consumers.”

The legislation updates the framework for the implementation of a freeze and related communication including:

  • Modernizes the current law by allowing consumers to request credit freezes electronically or by telephone.

  • Requires clear and accurate disclosure to consumers of basic information about credit freezes.

  • In the event of a security breach, mandates credit agencies place a security freeze on a consumer report within one day of an electronic or telephone request, and within three days of receipt of a written request.

  • Credit agencies must send confirmation of the security freeze within three days.

  • Credit agencies must lift a security freeze within three days of a written request and 15 minutes of an electronic/ phone request.

  • When a consumer requests a freeze, national credit reporting agencies must inform consumers of other reporting agencies that may have files on the consumer. They must also inform consumers of appropriate websites, toll-free numbers and mailing addresses that would permit the consumer to place additional freezes.

For the first time in Massachusetts, this legislation establishes specific guidelines for parents and guardians to freeze accounts of children under the age of 16 and incapacitated individuals.  

The legislation also updates notification guidelines for breached entities and third party affiliates.

    • Breached entities must provide consumers with immediate notice and timely updates.

    • Upon receiving notice of a breach, the Office of Consumer Affairs and Business Regulation must post notice online within 24 hours.

Additionally, the Attorney General must provide information online to consumers regarding the breach.

This bill also updates current law to require companies and organizations to obtain consent before running a credit report.