Menendez Outlines New Legislation to Protect Consumers from Mass Data Breaches in Wake of Equifax Hack

Equifax security breach exposed personal information of 143M Americans

Senator calls for updated Commercial Privacy Bill of Rights, Senate hearings, investigations into potentially unlawful behavior at Equifax


HOBOKEN, N.J. – U.S. Senator Bob Menendez, a senior member of the Senate Banking Committee, today announced updated legislation to strengthen protections for consumers’ personal data, provide them with greater privacy rights and establish reasonable accountability measures for businesses and credit reporting agencies that fail to safeguard consumers’ personal information. 

The recent Equifax security breach exposed the vital, personal information of 143 million Americans, including Social Security numbers, addresses, phone numbers, and payment histories used to determine the creditworthiness of those applying for jobs, housing, mortgages, lines of credit, car and student loans. An additional 209,000 consumers had their credit card numbers stolen, and another 189,000 people with disputes over their credit history had that information compromised.

“Whether you’re applying for a home mortgage or a new job, leasing a car or even buying a cell phone, your credit report is the cornerstone of your financial reputation, and credit reporting agencies like Equifax are supposed to be the trusted keepers of your personal financial data,” said Sen. Menendez. “But Equifax chose not to make data security a priority, and now 143 million U.S. consumers, including four million right here in New Jersey, face a heightened risk for identity theft, financial fraud, and endless headaches. This epic breach highlights the urgent need for Congress to pass a new Commercial Privacy Bill of Rights with strengthened data security standards for credit reporting agencies and accountability measures for companies that retain vast troves of sensitive personal information online.”

Sen. Menendez explains what consumers can do to protect themselves from identity theft in the wake of the Equifax data security breach.

The Commercial Data Privacy Bill of Rights Act of 2017 is built upon legislation first introduced by Sen. Menendez in the aftermath of the 2013 Target breach, and includes new measures that heighten data security protocols at credit reporting agencies.  The bill also requires credit reporting agencies to quickly inform the public and federal regulators of major data breaches and increase assistance for consumers whose information has been compromised. 

Commercial Privacy Bill of Rights

New provisions after Equifax data breach

  • Prompt notification after breach.  In the event of a data breach at a consumer reporting agency (CRA), the CRA must promptly notify the FTC, Consumer Financial Protection Bureau (CFPB), and appropriate law enforcement and intelligence agencies. 
  • Strengthening data security at the CRAs.  Require CRAs to strengthen their data security standards and submit data security plans to the Federal Trade Commission. 
  • Interagency working group with the FTC and CFPB. Create an interagency task force between the FTC and CFPB to examine data security issues and strengthen consumer protections at CRAs.
  • Free security freezes.  In the event of a data breach at a CRA, the CRA must pay for up to ten years of credit freezes for affected individuals at all three of the major credit reporting agencies.  The CRA may not force consumers to agree to pre-dispute arbitration as a condition of utilizing the post-breach protections.
  • Assist consumers impacted by data breach. In the event of a data breach at a CRA, require the CRA to notify affected individuals and provide consumers an affirmative opportunity to dispute any inaccurate information on their credit reports following the date of the breach.

Existing provisions of bill

  • Protects individual privacy and data rights by placing limits on both the type of information an entity may collect and for how long it may retain that information.
  • Provides consumers with participation and notice rights. The bill requires the FTC to issue regulations that allow individuals to opt out of the transfer of their covered information to third parties for behavioral advertising or marketing; access and correct any personally identifiable information the entity has stored; and compel those entities to inform their customers of and allow them to exercise their rights.
  • Protects information from distribution to third parties by requiring that entities contractually protect consumer information when transferring it to a third party.
  • Avoids unduly burdening businesses by requiring an independent NGO to help companies implement the Act and tasking the Department of Commerce with organizing outside entities towards the creation of safe harbor provisions. This legislation would only apply to entities covered by the FTC that collect, use, transfer, or store certain information concerning more than 5,000 people during a 12-month period. While the bill will be enforced by State Attorneys General and the FTC, private suits based on the law would be prohibited.

Sen. Menendez outlined the bill during a news conference held at Stevens Institute of Technology in Hoboken, home of the Center for the Advancement of Secure Systems and Information Assurance, a major cybersecurity research center designated by the National Security Agency.  He was joined by Professor Giuseppe Ateniese, Stevens’ Computer Science Department chair, and Beverly Brown Ruggia of New Jersey Citizen Action.

The Senator also joined Sen. Elizabeth Warren (D-Mass.) in introducing the Freedom from Equifax Exploitation (FREE) Act, new legislation that would give consumers the ability to freeze and unfreeze their credit data at no charge.

"It is outrageous that Equifax made billions while mismanaging the most vital personal data of 143 million people, like my 22-year-old daughter, whose information Equifax says was likely compromised and now must enter the dismal and uncertain world of possible identity theft that can wreak havoc with everything from her ability to get a credit card or student loan, rent an apartment, or buy a car," said New Jersey Citizen Action's Beverly Brown Ruggia.  "Equifax and its executives must be held accountable for woefully inadequate security system and for any deliberate attempts on their part to hide the breach; Congress must pass the Freedom from Equifax Exploitation (FREE) Act introduced by Senator Menendez and others; and we need to revisit his crucial Commercial Privacy Bill of Rights. Finally, Equifax's deceptive behavior clearly exemplifies why the Consumer Financial Protection Bureau must maintain full and independent authority to take enforcement actions."

The Commercial Privacy Bill of Rights Act and FREE Act are just the latest efforts by Sen. Menendez to hold Equifax accountable since news of the massive security breach broke earlier this month. Those efforts included leading a group of Democratic senators yesterday in calling for the Federal Trade Commission (FTC) to immediately review data security not only at Equifax, but also at the other two major consumer reporting agencies, Experian and TransUnion.

"It is inexcusable that Equifax failed to undertake basic cyber and data security measures—neglecting to apply superior and readily available patches and protections—for the data of 143 million people,” said Dr. Ateniese, a cybersecurity expert.  “This leaked data could translate into stolen identities, skimmed bank accounts, and manipulated credit reports, ruining the financial lives of millions of everyday people.  While much of the damage is done, we as a society must realize that the future is one in which advanced technological solutions in cybersecurity are the only way to protect against equally massive hacking enterprises.”

Sen. Menendez led the call urging Senate Banking Committee Chairman Mike Crapo (R-Idaho) to schedule immediate hearings on the cause, scope, and implications of the data breach; pushed Equifax, along with several Democratic colleagues, to completely end its use of forced arbitration agreements that limit the ability of consumers to pursue justice in a public court of law or challenge widespread corporate wrongdoing—which Equifax eventually agreed to do amidst rising public pressure; and joined a bipartisan group of 34 Senate colleagues to request the Securities and Exchange Commission (SEC), the Department of Justice (DOJ), and the FTC to investigate the sale of nearly $2 million in Equifax securities held by high-level Equifax executives shortly after the company learned of a massive cybersecurity breach.