Breach of trust

How Vermonters should protect identities and personal information in the aftermath of the Equifax crisis

WEST BRATTLEBORO — One hundred forty-six million U.S. residents had their personal information hacked or stolen as part of the recent Equifax security breach. Here in Vermont, one out of every two adults, or 240,000 Vermonters, had their privacy invaded and their trust shattered by such breaches.

This violation of Vermonters' trust was the subject of four recent House Commerce and Economic Development Committee hearings that gave a wide cross-section of Vermonters the opportunity to share their personal experiences with being breached and learn how to protect their privacy in the future.

The House Commerce and Economic Development Committee, on which I am serving my second term, will make statutory changes during the upcoming session that address the current shortcomings of Vermont law regarding breaches.

Key members of the Office of the Attorney General (AG), the Department of Financial Regulation (DFR), and Vermont's Consumer Assistance Protection Program also participated in the hearings.

Among those who spoke at the hearings was Brattleboro native and current Commissioner of DFR Michael Pieciak. He and Deputy State's Attorney Chris Curtis discussed the steps the public can take to protect their personal information.

* * *

Our committee's legislative counsel, David Hall, described the plethora of federal and state statutes that protect consumer information and the complicated legal framework that regulates the collection, use, disclosure, disposal, and security of personal and financial information.

Multiple layers of federal and state law regulate consumer protection and data security in different ways and contexts. Enforcement falls under the jurisdiction of many federal and state entities.

States generally have authority to impose additional requirements, which, in many cases, are more stringent than federal law. For example, 13 states have laws applicable to businesses that have access to consumer personal information. These states' statutes require such businesses to implement a data security program similar to the federal Gramm-Leach-Bliley (GLB) Act.

Most states, including Vermont, have a data breach notification law, which requires notice to consumers (and often to the state attorney general) when a data breach occurs.

* * *

Like many states, Vermont has scores of laws across most legal subset areas that seek to limit the disclosure of personal or confidential information by government-related activities.

Vermont law goes beyond the requirements of federal law in many areas. For example, with respect to financial institutions, insurance companies and securities professionals, Vermont requires not only regular notices of privacy policies, but also that consumers explicitly allow those companies to disclose personal information to nonaffiliated third parties. Vermont also requires these entities to provide an information security program similar to the GLB Act.

Like many states, Vermont allows consumers to place a “security freeze” on their credit file; imposes certain state-specific notice requirements for consumers; caps the amount and applicability of certain fees; and mandates a free annual credit report from each consumer reporting agency.

* * *

How can you protect your personal information?

1. Contact Vermont's Consumer Assistance Program (consumer.vermont.gov, no “www”), a joint venture between the Vermont Attorney General's office and the University of Vermont. The user-friendly site also has links to the three major credit bureaus, Equifax, TransUnion, and Experian. Or you can call 800-649-2424.

2. Monitor your credit carefully. Regularly check any credit-card statements (paper and online) to ensure there are no suspicious charges.

In addition, obtain a copy of your credit report; it's free. Then, make sure it accurately represents your credit and that no new accounts have been opened in your name without your consent.

3. If your data was affected, you may put a “security freeze” on your credit information by contacting the three credit bureaus. Doing so does not freeze your existing credit cards or other credit tools; it merely locks down your information.

If you are applying for new credit (auto loans, mortgages, credit cards, or insurance or apartment leases), you can authorize a company to access your credit for a short time. Be aware, though, that only Equifax is currently waiving its security-freeze fees. All three impose a fee for lifting your credit freeze.

4. File your annual federal and state income-tax returns as early as possible. A known scam is for hackers to file people's tax returns before they do in order to get any refund.

* * *

Clearly, the burden of thwarting the potential damage associated with such breaches should not land on Vermonters who - through no fault of their own - had their personal information, ranging from Social Security numbers to income-tax and credit information, illegally compromised.

In response to the Equifax security breach, I have proposed a bill that will address such violations. It would place the responsibility for securing Vermonters' personal information on the businesses that have access to such private information.

My two-pronged approach would strengthen our state government's framework for mitigating, following up on, and prohibiting such breaches; free consumers from the associated fees; and place responsibility on the entities that have access to our personal information to protect and announce breaches to other entities that do business in this arena.

The bill would make it illegal for credit agencies to charge fees for freezing consumers' personal information and give Vermonters access to and permit them to correct their personal information for free.

Consumers also would gain the right to control the use of their data for secondary purposes.

In addition, data brokers would be required to register with the state. Credit agencies also would have to establish written protocols on how security breaches would be handled and train their employees to implement them. In addition, credit agencies would have to report annually on the number of security breaches and the steps they took to remedy them.

My bill also calls for thoroughly reviewing and strengthening Vermont's cybersecurity laws.

During the upcoming session, I look forward to working with my colleagues on the Commerce Committee to craft legislation that will better protect Vermonters against such breaches.
