Attorney General's Bill to Ban Credit Freezes to be Heard in Rhode Island House Corporations Committee on Tuesday
Attorney General Peter F. Kilmartin today joined a bipartisan coalition of attorneys general urging Congress not to preempt state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.
In their letter, the attorneys general argue that any federal law must not diminish the important role of states in addressing data breaches and identity theft, especially in states like Rhode Island that have laws that provide greater protections than federal counterparts.
"Rhode Island has some of the strongest data breach laws in the country, and the proposed measure before Congress would only reduce protections for consumers and rollback disclosure requirements for corporations," said Attorney General Kilmartin. "We have all experienced the repercussions from the countless data breaches that have occurred over the past several years, and this proposed legislation would not help a single consumer be better protected or hold corporations accountable."
The letter urges Congress to preserve existing protections in state law, ensure that states can continue to enforce breach notification requirements under their own state laws and enact new laws to respond to new data security threats.
In part, the letter states:
"States have proven themselves to be active, agile, and experienced enforcers of their consumers' data security and privacy. With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers."
The attorneys general point out a number of concerns with the proposed Data Acquisition and Technology Accountability and Security Act, including:
Reduced transparency to consumers: The bill allows entities suffering data breaches to determine whether to notify consumers of a breach based on their own judgment. The attorneys general argue that when a data breach occurs, impacted consumers should be informed as soon as possible.
Narrow focus on large-scale data breaches: The bill fails to acknowledge that most breaches are either local or regional in nature. The bill only addresses large, national breaches affecting 5,000 or more consumers and prevents state attorneys general from learning of or addressing breaches that are smaller but still cause great harm to consumers.
Today's letter underscores earlier actions by Attorney General Kilmartin to enhance protections for those consumers who have experienced a data breach. This legislative session, Attorney General Kilmartin filed a bill that would prohibit credit bureaus from charging all Rhode Island consumers fees to place, temporarily lift, or remove security freezes on their accounts.
Under current law (RIGL 6-48), a consumer may be charged a fee of no more than ten dollars ($10.00) for any security freeze services, including, but not limited to, the placement, temporary lifting, and permanent removal of a security freeze.
The consumer may not be charged for a one-time reissue of a new personal identification number; provided, however, the consumer may be charged not more than five dollars ($5.00) for subsequent instances of loss of the personal identification number.
However, a consumer reporting agency may not charge any fee to a victim of identity theft who has submitted a copy of an incident report from, or a complaint to, a law enforcement agency or to a consumer who is of sixty-five (65) years of age or older.
The legislation (H7604), sponsored by Representative Mia Ackerman, would remove all costs for consumers to place, temporarily halt, or remove a security freeze, no matter age of consumer or if the consumer was a victim of identity theft. It is scheduled to be heard in the House Corporations Committee on Tuesday, March 20th.
Commonly referred to as a "credit freeze," a security freeze, in most cases, prohibits a consumer reporting agency from giving your credit information to a third-party creditor. A security freeze is more effective than a fraud alert in preventing unauthorized persons from obtaining credit in your name.
"It's safe to assume that at some point or another, every person's information has been compromised through a data breach or something more criminal, making it more important than ever for consumers to exert greater control over their own personal information. Credit bureaus make money from selling our personal information to third parties. They should not be able to profit off consumers who decide to take control over who has access to their personal data," said Kilmartin.
The issue of costs associated with security freezes came to light after the massive Equifax data breach, where the company initially charged consumers who were impacted by the breach to place a credit freeze with Equifax. The company quickly reversed course after pressure by attorneys general and consumers nationwide. While placing a credit freeze is currently free with Equifax for those affected by the data breach, the other credit bureaus – TransUnion and Experian – continue to charge consumers the credit freeze fees.