BOSTON — The massive cybersecurity scandal at Equifax is fueling demands on Beacon Hill for beefed up consumer protections, with lawmakers fast-tracking proposals aimed at safeguarding financial data.
One proposal that’s gaining a lot of traction would prohibit credit bureaus from charging fees to “freeze” or “thaw” the credit reports of consumers who’ve had their financial information hacked or stolen.
The legislation, co-sponsored by Sen. Barbara L’Italien, D-Andover, was given a boost Monday from Attorney General Maura Healey, who announced support for the measure and added tough new provisions, including a requirement that credit companies provide free identity theft protection for up to five years.
“This system needed reforms even before this latest breach,” Healey said. “This is a step that we can and must take to protect Massachusetts residents.”
L’Italien, chairwoman of the Legislature’s Consumer Protection Committee, said the Equifax breach showed the need for more safeguards.
“This sends a message that Massachusetts is serious about protecting consumers and their financial security,” she told reporters.
Equifax, one of the three major credit bureaus, has been under mounting scrutiny since disclosing that the personal information of as many as 143 million Americans was exposed to hackers.
The company infuriated those whose information was compromised by charging a fee to freeze their credit information and demanding that they give up their right to sue.
Last week, Healey filed a lawsuit against Equifax alleging that it failed to protect the financial information of at least 3 million Bay State consumers.
Equifax knew about vulnerabilities in its system for months, Healey alleged, but “utterly failed” to protect the data of those Massachusetts residents.
“Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again,” she said.
On Tuesday, the credit bureau’s CEO, Richard Smith, joined other senior managers who’ve resigned from the beleaguered company since it disclosed the security breach.
Meanwhile, a Senate committee grilled U.S. Securities and Exchange Commission Chairman Jay Clayton about the breach and allegations that Equifax executives made stock sales prior to the disclosure of the hack.
Sen. Mark Warner, D-Va., called it a “travesty” and said Smith’s resignation “is by no means enough.”
In effect once Baker signs
L’Italien’s plan, which went before a Beacon Hill committee on Tuesday, would allow consumers whose information was exposed to request up to three free credit reports from each of the main reporting credit bureaus — Equifax, Experian and TransUnion — with no expiration date for the reports.
Credit companies would be required to get permission from consumers to release their credit report or score, and to allow consumers to request a freeze from the top three bureaus at the same time.
Companies that possess data of 1,000 or more Massachusetts residents would be required to use encryption or other security measures.
An emergency preamble tacked onto the legislation means it would go into effect immediately, once signed by Gov. Charlie Baker. State regulations would still have to be written, but many key components of the law would take effect at once.
Despite the rhetoric in Washington, consumer advocates say prospects for strengthened consumer protections are dim in the current political climate.
President Donald Trump and the Republican-controlled Congress have been rolling back regulations that they argue are stifling business growth.
In June, the U.S. House of Representatives voted to roll back key provisions of the Dodd-Frank Act, a federal banking law created after the economic recession.
Several states, including Indiana and North Carolina, already prohibit credit bureaus from charging consumers who want to begin or remove a freeze. Consumers whose information has been exposed may freeze their credit information, making it difficult if not impossible for an imposter to open a new line of credit in their names.
Deirdre Cummings, legislative affairs director for the Massachusetts Public Interest Research Group, said consumers shouldn’t be forced to pay for protections following data breaches. Her nonprofit is one of several advocacy groups pushing for tougher state protections.
“They’re charging people and making a profit off their extreme negligence. Talk about adding insult to injury,” she said. “We should not tolerate this.”
Christian M. Wade covers the Massachusetts Statehouse for North of Boston Media Group’s newspapers and websites. Email him at email@example.com