Share this article on:
On January 3, 2018, Senator Adam Morfield introduced a bill that aims to improve protections for Nebraska residents whose personal information is exposed as a result of a data breach. The first round of voting has seen the bill unanimously passed by Nebraska lawmakers.
The bill was introduced in the wake of the massive data breach at Equifax in 2017 that saw the personal information of more than 145 Americans – and almost 700,000 Nebraskans – compromised as a result of a cyberattack.
The bill – Legislative Bill 757 – seeks to make changes to the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 to improve protections for state residents, both by helping to prevent data breaches and ensuring appropriate action is taken by the breached entity when a breach is experienced.
According to Sen. Morfield, his bill “ensures that the hard-earned dollars and credit of every Nebraskan is put before crediting reporting agencies like Equifax.” Sen. Morfield has made the bill his number one priority.
It was not only the scale of the Equifax breach that was galling for Se. Morfield, but the actions of Equifax following the breach. The company only provided 12 months of free credit monitoring services to breach victims, after which consumers would be charged to protect themselves. Many consumers were also forced to pay out of pocket to freeze their accounts, as those services were not provided free of charge. While free credit monitoring services were offered, chargeable credit freezes were advertised on the same site.
Nebraska Attorney General Doug Peterson also spoke out about the actions of Equifax, claiming the firm was “seemingly using its own data breach as an opportunity to sell services to breach victims.”
The bill proposes credit reporting agencies should not be permitted to charge consumers fees for placing and removing credit freezes on accounts” after a credit reporting agency experiences a security breach that exposes consumer data.
The bill originally called for such breaches to require a lifetime of free credit reporting services to be provided to breach victims, although that attracted considerable criticism from the industry and the bill was amended.
In addition to free credit reporting and credit freezes, the bill would require credit agencies to maintain “reasonable security procedures and practices,” to ensure the confidentiality of any consumer data held, and also for any third-party companies that are provided with consumer data by the agencies to also ensure they have reasonable security measures in place. The bill would give the state attorney general greater powers to pursue legal action against companies and collect damages on behalf of consumers.
While the bill is primarily concerned with protecting consumers from data breaches experienced by credit monitoring and reporting agencies, the bill requires any “individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains data that includes personal information about a resident of Nebraska,” to implement and maintain reasonable security measures to protect the data of state residents.
If a company or organization complies with federal legislation that provides the same or greater levels of protection for consumers, it would be deemed to be in compliance with the requirements of Legislative Bill 757 – For example, organizations that comply with the Gramm-Leach-Bliley Act or HIPAA.
While there was a unanimous vote in favor of the bill, some Senators were concerned about the impact such a bill would have on consumers and the credit monitoring and reporting industry. Some senators have requested further information on the bill, with Sen. Paul Schumacher of Columbus concerned that the bill may result in significant cost increases for consumers. However, despite concerns, the bill was passed 34-0.
Before the bill is written into the state legislature it is required to pass two further votes.