Workgroup, Motivated by Equifax, Explores Data Breach Laws

Published Thursday, October 26, 2017

The data breach at Equifax, which happened in late spring and early summer and became known to the public in September, has heightened interest in legislation and regulation to protect consumers from computer hacks that expose private financial information. In Oregon, Senator Floyd Prozanski (D-Eugene) is chairing a workgroup that held its first meeting Wednesday, October 25.

The hack at Equifax, one of the nation's leading credit reporting agencies, has created an understandable desire among consumer advocates to increase protection of financial data. However, past efforts - such as HB 2581, which failed during the 2017 Legislative Session in Oregon - have shown that it is difficult to create laws and regulations that protect consumer data without placing unreasonable burdens on businesses that were not responsible for the breach, particularly retailers.

Betsy Earls is representing OBI's retailers on the newly formed workgroup to ensure that retailers' concerns are heard and considered.

Here are some of the ideas that the workgroup is expected to discuss:

Reduce or eliminate the fee to freeze credit. Currently, Oregon caps at $10 the fee that can be charged for each placement or lift of a security freeze. At least seven states have eliminated such fees since the Equifax breach, and many others cap them below $10. The Oregon Department of Justice (DOJ) recently joined 36 other states in a letter to Equifax and the other credit reporting agencies asking them to waive the fees in light of the wave of legislation since the breach.

Improve consumer notification. The months-long lag between the Equifax hack and public notification has sparked calls for stronger laws on when breaches must be reported. Current Oregon law requires notification "in the most expeditious manner possible, without unreasonable delay, consistent with the legitimate needs of law enforcement." Other states have adopted, or are considering, laws that require notification within a set period after a business discovers that a breach has occurred.

End the practice of "upselling." After a data breach, it has become standard industry practice to provide free credit monitoring to affected consumers. It is also relatively common for credit reporting agencies to "upsell" at the same time, offering additional services for a fee alongside the free service. One policy solution under consideration is to require that only free credit monitoring be offered at the time of a breach.

Allow private suits for negligent protection or notification. Under existing law, only the Attorney General can pursue a cause of action alleging a violation of either the notice provisions or the data protection provisions. Allowing a private right of action would expose businesses, including some not at fault for the breach, to greater risk of lawsuits.

Expand data breach law. This proposal would expand Oregon's existing data breach law, specifically by broadening the definition of personal information to cover all consumer information, not just the financial information, government identification, biometrics, and medical information the statute currently protects. It would also update the technical, administrative, and physical safeguards contained in the existing language. This is another proposal with the potential to expose businesses that were not responsible for the breach to legal risk. Oregon DOJ has acknowledged that "this proposal would impact a wide array of stakeholders beyond credit reporting agencies, which may make the proposal inappropriate for a short session."