With more than 4 million consumer records breached in the first three months of 2018, Connecticut lawmakers are crafting legislation to hold credit companies more accountable even as Congress pursues its own action.
More than 1.5 million Connecticut residents were affected in the massive breach of Equifax’s databases last year, which occurred over several weeks during which identity thieves were able to download names, Social Security numbers and other information. The Atlanta-based company did not notify consumers immediately when it discovered the intrusion, costing Richard Smith his job as CEO of Equifax, with Smith a former executive with Norwalk-based GE Capital.
Fred Camillo, R-Greenwich, and other legislators want Connecticut to follow the example of several other states and prohibit fees charged by Equifax, Experian and TransUnion to freeze credit reports, issued when credit card companies and other financial firms process requests for new accounts. Consumers would be able to file a single request to freeze reports at all three ratings companies, and the legislation would double to two years the amount of time companies must offer free credit monitoring in breaches that expose Social Security numbers.
The Connecticut General Assembly is considering the bill even as Congress weighs creating national standards for how companies should respond to data breaches, and penalties if they fail to do so. To date this year through March 20, more than 4 million consumer records were tapped in 228 new breaches, as tracked by the Identity Theft Resource Center whose backers include the credit ratings agencies and lenders like Stamford-based Synchrony Financial.
Testifying this month in Hartford in support of fee-free credit freezes, Connecticut Attorney General George Jepsen said his office received more than 700 notifications of data breaches, a rough rate of 60 a month.
“We know firsthand how disappointed, frustrated and overwhelmed consumers are when they learn a company they trusted to protect their personal information has suffered a breach,” Jepsen said before the banking committee of the Connecticut General Assembly. “A security freeze is one of the most potent defenses against identity theft. … In essence, the security freeze and ‘unfreeze’ is like the key that controls the lock on the consumer’s financial home.”
In contrary arguments offered by the Consumer Data Industry Association, which lobbies on behalf of credit agencies like Experian, CDIA stated its members do not make profits on those fees, which cover administrative costs and which are kept intentionally low. CDIA added a credit freeze should only be used as a tool of last resort, maintaining consumers who suspect identity theft should first place a fraud alert on their credit files. Already offered for free and lasting 90 days with the option to extend, a fraud alert forces lenders to contact a consumer or otherwise take extra steps to verify an identity prior to issuing credit.