The following are comments submitted by VPIRG at the public hearing of the Vermont House Commerce and Economic Development Committee responding to the Equifax Data Breach and other data privacy related concerns:
Good evening. I’m Zachary Tomanelli – the Communications and Technology Director for the Vermont Public Interest Research Group, VPIRG, the state’s largest environmental and consumer advocacy organization. I offer these comments on behalf of VPIRG and our organization’s 50,000+ members and supporters.
Like many here today, across this state and across the country – we at VPIRG were dismayed by the revelation that Equifax, one of the nation’s largest credit reporting agencies, was subject to a data breach that compromised the important and sensitive information of millions of Americans.
We appreciate that this committee, along with other state leaders, is exploring what can be done here in Vermont to better protect Vermonters from these types of breaches going forward and to make sure that when these breaches do occur, consumers here have access to the appropriate recourse.
To that end – VPIRG supports several of the recommendations that have been proposed by various legislators in recent reports on this issue.
For instance, a recent article in Seven Days suggests that Sen. Michael Sirotkin is preparing to introduce legislation that would, “prohibit credit rating agencies from imposing fees on consumers to fix problems created by the agencies themselves; establish a comprehensive information security program; expand the power of the Attorney General and individual consumers to bring civil suits to recoup costs incurred due to data breaches; and establish a data security chief position in the AG’s office to coordinate state efforts on ‘enforcement, education and prevention.’”
VPIRG would support all of these reforms. More specifically and perhaps most importantly, the state should act swiftly to prohibit credit agencies from charging fees to consumers who elect to enact a security freeze on their credit history. Security freezes are perhaps the most effective tool consumers have to protect themselves after a data breach, like the one at Equifax, occurs. Yet because the credit reporting agencies can charge fees for these freezes, hacks like these can actually benefit the bottom line of these companies.
Right now in Vermont, fees on such freezes are only waived if an individual can demonstrate he or she is the victim of identity theft. However, seven states make freezes free to all consumers, whether they are identity theft victims or not. It’s time for Vermont to join these states and give our consumers access to this tool for free.
I’d also like to take a moment to discuss VPIRG’s recommendations on the related issue of data broker regulation. While the Equifax hack was incredibly alarming, at least credit reporting agencies are governed by the Fair Credit Reporting Act – which lends consumers some protection in this area. When it comes to data brokers, however, no such protections exist.
As was thoroughly noted in a comprehensive 2014 report from the Federal Trade Commission on the issue, the activities of these data brokers “remain opaque.”
VPIRG has already offered recommendations on common sense reforms that could be made in this area as part of the hearings organized by the Attorney General’s office and the Department of Financial Regulation as required by Act 66.
I’ll take just a few moments to highlight those recommendations here tonight – but will note that we look forward to the forthcoming recommendations of the Attorney General’s office and Department of Financial Regulation, and hope that their findings lead to productive action by the legislature to enact these reforms in the coming legislative session.
As it pertains to data broker regulation, VPIRG recommends reforms that would:
- Require the registration of all major data brokers collecting or selling information in the state.
- Give consumers a Fair Information Practices right to access and correct their own data broker information for free, as the FCRA allows.
- Require data brokers to disclose at some level their sources of information so that consumers are better able to determine if they need to correct their data.
- Give consumers the right to control the use of their data for secondary purposes—specifically the ability to opt out of sharing their information with data brokers.
As to the question of what constitutes a data broker – it has been VPIRG’s position that the state take caution to adopt a careful definition that captures major data brokers without “boiling the ocean” by, for example, including every tech company or every consumer-facing or intermediary firm on the Internet.
However, we hope that this committee and legislators do not let unfounded fears promoted by the data broker industry prevent you from taking necessary action. The industry has tried to promote the notion that any regulations governing data brokers would cover any business, government and non-profit that maintains information on their customers, constituents or members.
This is a scare tactic, plain and simple. Data brokers can and should be clearly and specifically defined as third-party businesses that acquire data about consumers for the purposes of packaging it and reselling it.
This industry is surprisingly powerful and thrives in the largely unregulated environment in which it now operates. We urge you to not let their fear tactics prevent you from doing the important job of protecting Vermonters’ information.
Thank you for the opportunity to comment this evening – and thank you for your work on this issue.