[M]ANCHESTER — Vermonters spoke of mounting concern over online data breaches and a feeling of helplessness in the face of internet attacks during a legislative hearing Tuesday in Manchester.
The afternoon session before members of the House Commerce and Economic Development Committee drew about two dozen area residents. It was the third of four sessions held around the state in the wake of the Equifax security breach in September that exposed personal information on some 150 million Americans, including an estimated 240,000 Vermonters.
Committee Chairman Bill Botzow, D-Pownal, said the information-gathering sessions, which concluded Tuesday evening in Burlington, were requested by House Speaker Mitzi Johnson, D-South Hero, after the massive breach at one of three major credit reporting agencies.
Botzow said the committee’s goals were to listen to the experiences and concerns of Vermonters and gather information that might inform legislation in the coming session.
Business owners described constant threats to company and personal information and attempts at fraud, which increasingly involved the use of stolen or carelessly guarded personal information.
One woman described an internet attack a few years ago at a firm where she worked in payroll. Today, she said, her practice is to avoid using an internet connection for business or personal financial reasons whenever possible.
“I try not to use a (connected) computer,” she said, later adding, “Just be careful; it’s all over the world.”
A motel owner said she now handles credit card transactions offline via telephone to protect against the theft of data about her business or her customers. But she acknowledged “it would be very difficult to run our business if we didn’t have the internet” and noted that large hotels could not handle their transactions offline.
A similar issue that committee members and residents raised was telephone “spoofing” calls, in which a phone number familiar to the person being called appears in the caller ID, possibly making the person more trusting and open to some type of fraud. Most of those attending the Manchester session said they were familiar with calls involving a form of identity theft.
Botzow said he and others in the area have recently received calls appearing to come from a number located at Southwestern Vermont Medical Center.
Spoof calls come in to her motel on a daily basis, the owner said, but each must be answered to determine whether it sounds legitimate or is a fraud attempt.
The woman added that she’s also “very concerned” about her elderly parents and their vulnerability because they are from a more trusting era and “don’t think they have a problem” requiring safeguarding of their financial information.
Botzow said legislative ideas under consideration include provisions to better protect both elders and young people. In light of the information that can easily be obtained through social media and public records, he said fraud attempts are often tailored to the person who is being targeted, prompting an instant but unwarranted trusting response and the release of more personal data.
Rep. Jean O’Sullivan, D-Burlington, said the panel has heard the same complaint at each of the hearings. She stressed the importance of residents’ input to make the Legislature aware of their concerns as it takes up related bills in the 2018 session.
“We need to show that this is a problem,” she said, later adding that when a similar bill was considered this year, it quickly faced “a wall of reaction” from opponents.
“This is incredibly important to us as decision-makers,” Botzow said, “because everyone is going to ask us what we heard from Vermonters.”
One woman noted that “new tactics” involving game-playing posts on social media, asking questions about birthdays or pets’ names, can give thieves what they need to extrapolate passwords a person might choose.
“I don’t think that registers with some young folks, the people that rely totally on their computers,” she said.
Another woman said she’d like to see a portion of any fines companies pay concerning data breaches go into a fund to assist victims.
Several speakers asked the committee to address the fees credit reporting agencies charge people to freeze and later unfreeze the release of their information. While the data is frozen to thwart thieves, it also can’t be released to banks or businesses when someone is seeking a loan or credit card or making another financial transaction.
Some states don’t allow such fees, Botzow said, adding that fee-related changes are among those likely to be considered.
One man said he would like to see a system for freezing credit information that requires a single phone call, rather than having to contact all three major credit agencies. “There should be a simple way to do this,” he said.
Botzow said other states, such as Massachusetts, have provisions requiring businesses to meet security protocols and hold financial entities more responsible for protecting customer information. He said that state’s laws are “considered the gold standard” for such consumer legislation.
David Hall, an attorney with the Office of the Legislative Council, attended the session. He said residents can get further information about fraud alerts and issues like the Equifax data breach on the attorney general’s website and its Consumer Assistance Program site.
The House committee has asked the Legislative Council to research state and federal law regarding information and security in anticipation of new legislation.
The effort comes as some in Washington take up the issue of data security as well.
U.S. Sen. Patrick Leahy, D-Vt., introduced legislation Tuesday that would require corporations to take steps to secure consumer data, including Social Security numbers, financial account information and biometrics.
The legislation, which has five co-sponsors, all Democrats, would also mandate that firms notify customers in a timely manner when there is a breach.
Leahy mentioned his plans to introduce the legislation at a hearing with former Equifax chief Richard Smith in October.
Botzow addressed the scope of the problem so far, noting during the hearing that an estimated 1.9 billion usernames and passwords are being traded on the black market and billions of internet accounts were targeted by internet phishing attempts.
“I think that part of our goal here is to raise of level of knowledge of Vermonters, including businesses,” he said.
Christopher Curtis, chief of the Public Protection Division of the attorney general’s Office, said the office responded quickly to notify Vermonters of the Equifax breach. He said about 15,000 people were contacted immediately because they had signed up to receive an emergency fraud email, text or phone alerts through the AG’s website.
Jason Duquette-Hoffman, of the AG’s Consumer Assistance Program, said people can learn how to respond to the Equifax breach or others through its website. In addition, he recommended that residents contact their financial institution to learn of any available security protections.
He and others also recommended continued vigilance, as thieves know that many credit freezes will last for a year, and they could be waiting to take advantage of lapses in monitoring.
Gavin Boyles, of the Vermont Department of Financial Regulation, told people to become aware of all the ways their personal information could be accessed as they use computers, tablets, phones or other devices connected to the internet, and to take steps to limit what might be revealed to data thieves.
(VTDigger’s Elizabeth Hewitt contributed reporting from Washington.)
