House Passes Legislation to Enhance Consumer Protections Following Data Breaches

BOSTON – Representative Jennifer Benson joined her colleagues in the House this week to pass legislation providing added protections and resources for consumers in the event of a data security breach that impacts a credit agency or other business.

Under this legislation, credit freezes, lifts or removals must be provided to consumers without a charge. Credit agencies or businesses must provide one year of free credit monitoring after any breach.

“This legislation includes many powerful consumer protection tools that also modernize the way we do business,” House Speaker Robert A. DeLeo said. “I thank Chairman Chan for his exhaustive study into this complex problem and Chairwoman Benson for her ongoing commitment.”

“As an advocate for consumer protection, I filed legislation to make it easier for consumers to freeze their credit reports so that victims of identity theft and fraud could more quickly regain control of their credit,” said Representative Jennifer Benson (D-Lunenburg). “In the wake of the Equifax breach last year, I worked with the Attorney General and advocates to strengthen the bill with additional language offering further protections. I’m proud of my colleagues in the House for coming together to pass this important legislation to protect and empower Massachusetts consumers.”

The legislation updates the framework for the implementation of a freeze and related communication including:

  • Modernizes the current law by allowing consumers to request credit freezes electronically or by telephone.
  • Requires clear and accurate disclosure to consumers of basic information about credit freezes.
  • In the event of a security breach, mandates credit agencies place a security freeze on a consumer report within one day of an electronic or telephone request, and within three days of receipt of a written request.
  • Credit agencies must send confirmation of the security freeze within three days.
  • Credit agencies must lift a security freeze within three days of a written request and 15 minutes of an electronic/ phone request.
  • When a consumer requests a freeze, national credit reporting agencies must inform consumers of other reporting agencies that may have files on the consumer. They must also inform consumers of appropriate websites, toll-free numbers and mailing addresses that would permit the consumer to place additional freezes.

For the first time in Massachusetts, this legislation establishes specific guidelines for parents and guardians to freeze accounts of children under the age of 16 and incapacitated individuals.

The legislation also updates notification guidelines for breached entities and third party affiliates.

  • Breached entities must provide consumers with immediate notice and timely updates.
  • Upon receiving notice of a breach, the Office of Consumer Affairs and Business Regulation must post notice online within 24 hours.

Additionally, the Attorney General must provide information online to consumers regarding the breach. This bill also updates current law to require companies and organizations to obtain consent before running a credit report.