Commentary: Protecting consumers from data breach
This violation of Vermonters' trust was the subject of four recent House Commerce and Economic Development Committee hearings held in Manchester and Barton and in Springfield and Burlington during the first two weeks in November. The hearings gave Vermonters the opportunity to share their personal experiences about such breaches and learn how to better protect their personal information in the future.
Key members of the offices of the Attorney General, Department of Financial Regulation and Vermont's Consumer Assistance Protection Program also participated in the hearings. They informed the public about the steps their offices have taken to reduce the damage done by security breaches and how Vermonters can protect their personal information henceforth.
Brattleboro native and current Commissioner of DFR Michael Pieciak and Deputy State's Attorney Chris Curtis discussed the steps the public can take to protect their information and address security breaches. Our Committee's Legislative Council, David Hall, who helps lawmakers write statutes, described the plethora of federal and state statutes that currently protect consumer information, and the complicated legal framework that regulates the collection, use, disclosure, disposal and security of personal and financial information.
Multiple layers of federal and state law regulate consumer protection and data security in different ways and contexts. Enforcement falls under the jurisdiction of many different federal and state entities, including the Consumer Financial Protection Bureau, the Federal Trade Commission, the federal regulators for various financial institutions, the Federal Reserve Board and insurance regulators.
Overarching the host of federal laws is the Federal Trade Commission Act, which prohibits unfair methods of competition and unfair or deceptive acts or practices that affect commerce. In addition to the FTC Act, the Fair Credit Reporting Act applies to consumer reporting agencies, consumer reports and people who use or furnish credit information.
The second group of statutes, the Financial Services Modernization Act, also referred to as the Gramm-Leach-Bliley Act, applies broadly to financial institutions and other businesses significantly engaged in providing financial products or services.
In addition to these laws, states generally have authority to impose additional requirements, which, in many cases, are more stringent than federal law. Thirteen states have laws applicable to businesses that have access to consumer personal information. These states' statutes require such businesses to implement a data security program similar to the GLB Act. Most states, including Vermont, have a data breach notification law that requires notice to consumers when a data breach occurs.
Like many states, Vermont has scores of state laws across most legal subset areas that seek to limit the disclosure of personal or confidential information by government-related actives. Specific Vermont laws mandate the protection of and limit the use and disclosure of social security numbers; require businesses to take reasonable steps to destroy records with personal information and limit a consumer's liability for unauthorized use of a credit card; and make identity theft a crime.
Vermont law goes beyond the requirements of federal law in many areas. With respect to financial institutions, insurance companies and securities professionals, Vermont not only requires regular notices of privacy policies, but also requires Vermont consumers to "opt in" to allow those companies to disclose personal information to non-affiliated third parties.
With respect to credit reports and credit reporting agencies, Vermont limits the use of credit information for employment purposes, and with limited exceptions, requires written consent from the consumer before a person or entity can obtain his or her credit report. Like many states, Vermont allows a consumer to place a "security freeze" on his or her credit file; imposes certain state-specific notice requirements for consumers; caps the amount and applicability of certain fees; and mandates a free annual credit report from each consumer reporting agency.
If you were affected by the Equifax breach, here is how you can protect your personal information
Contact Vermont's Consumer Assistance Program. The website for this joint venture between the Vermont Attorney General's office and the University of Vermont is consumer.vermont.gov. There is no "www" and the website is user-friendly. It also has links to the three major credit bureaus. If you would rather speak with someone, call 800-649-2424.
Monitor your credit carefully. Regularly check any credit card statements (paper and online) to ensure there are no erroneous or suspicious charges. In addition, obtain a copy of your credit report; it's free. Then, make sure it accurately represents your credit and that no new accounts have been opened in your name without your consent.
If your data was affected, you may put a "security freeze" on your credit information by contacting the three credit bureaus: Equifax, TransUnion and Experian. This does not freeze your existing credit cards or other credit tools; it merely locks down your information.
If you are applying for new credit (auto loans, mortgages, credit cards, insurance or apartment leases), you will have the ability to authorize a company to access your credit for a short time. Beware: only Equifax is currently waiving its "security freeze fees." TransUnion and Experian are not. There also is a fee for lifting your credit freeze.
File your annual federal and state income tax returns as early as possible. A known scam is for hackers to file people's tax returns before they do in order to get any refund that may be due.
Clearly, the burden of thwarting the potential damage associated with such breaches should not land on Vermonters who have had their personal information illegally compromised.
I was one of the first members of the General Assembly to propose a bill that will address such violations. My bill would remove the onus for mitigating the potential damage done by such breaches from innocent individuals and place the responsibility for securing Vermonters' personal information on the businesses that have access to such information.
My two-pronged approach would strengthen our state's framework for mitigating, following up on and prohibiting breaches; free consumers from the fees associated with breaches; and place responsibility on the entities that have access to our personal information to protect and notify other entities of breaches.
The bill would make it illegal for credit agencies to charge fees for freezing consumers' personal information and give Vermonters access to and permit them to correct their personal information for free. My bill also calls for strengthening Vermont's cybersecurity laws.
During the upcoming session, I will work with my colleagues on the House Commerce Committee to craft legislation that will better protect Vermonters against security breaches. My goal is to ensure that the cost and responsibility for such breaches will be shouldered by the entities that have access to Vermonters' personal information henceforth.
State Rep. Valerie A. Stuart has served in the Vermont State Legislature for seven years. She represents the residents of West Brattleboro, District 2-1. She welcomes you to contact her with your concerns at firstname.lastname@example.org or 802-257-0249. The opinions expressed by columnists do not necessarily reflect the views of the Brattleboro Reformer.