[B]ENNINGTON — State legislation that followed in the wake of the massive Equifax data breach last year is the first of its kind in the nation.
Vermont Attorney General TJ Donovan says the law, which Gov. Phil Scott allowed to take effect without his signature, “slashes fees, helps stop fraudsters, and promotes transparency.”
“Vermonters care about their privacy,” Donovan said in a statement. “This bill not only saves them money, but it gives them information and tools to help them keep their personal information secure.”
The legislation, H.764, was drafted for the recent session and followed a fall 2017 listening tour of several Vermont communities involving House Committee on Commerce and Economic Development members and other lawmakers, along with representatives from the AG’s office and other state departments.
Rep. Bill Botzow, D-Pownal, chair of House Commerce, said the bill was a priority this session. Lawmakers worked with the consumer protection division of the AG’s office and the Senate Economic Development Committee “to come up with light touch regulation that protects Vermonters and saves them money,” Botzow said.
“No one has defined in law a third-party data broker before and required them to come forward, let us know who they are and how they operate,” Botzow said. “These companies buy and sell your and my information, sometimes to our detriment, and we have had no way to say ‘hey, wait a minute. That’s my life you’re selling. I want to know what’s going on and I want a say in if I like what you’re up to.’”
The bill “protects consumers from credit freeze fees, fraudulent acquisition of Vermonters’ data, and establishes a registry and security standards for the ‘data broker’ industry,” Donovan said.
Donovan said H.764 immediately eliminates fees credit firms charge to freeze access to credit reports and subsequent fees to lift a freeze. It costs $10 to initiate a freeze and $5 to lift one.
A registry with the Vermont Secretary of State’s office is expected to be established by Jan. 1, according to the legislation, allowing consumers and regulators to search information concerning entities acting as third-party brokers of credit or other data, and providing information on whether brokers have opt-out or other policies consumers might want to utilize.
Christopher Curtis, chief of the attorney general’s public protection office, said the bill also clarifies data security requirements for commercial entities that buy or sell personal information. That includes Equifax and two other major national credit rating entities, Experian and TransUnion, which may be unknown to consumers, who have no direct commercial or other relationship with them.
The law also specifically makes it illegal to acquire data for fraudulent purposes or for purposes of stalking, harassment, identification theft, or to discriminate.
Unique bill ‘thoroughly vetted’
Curtis said there may be legal challenges from the industry over some of the bill’s provisions, but he said the AG’s office, along with the Department of Financial Regulation, other state departments and lawmakers, worked for about two years on what became the finished piece of legislation. That included visits by officials and lawmakers last fall to several communities, including Manchester, to solicit input from residents after the Equifax data breach, which exposed personal information of some 146 million consumers.
“We had a ton of inquiries after Equifax,” Curtis said of the AG’s office. “More than 700 people called for information on freezing credit reports. Many were very upset at having to pay a fee.”
The bill’s registration component will reveal which data-broker entities are operating in the state, whether there are others beyond the large rating services, and their activities, Curtis said. With required annual reports from third-party broker each, a record of activities and practices will become available for consumers, regulators and lawmakers, he said.
He said those involved in crafting the bill sought “a balance between commerce and common sense,” allowing residents to receive credit services while also providing greater protection of personal information.
“This was very carefully crafted and thoroughly vetted over about two years,” he said, and involved input from industry stakeholders as well.
Subsequent reports to the Legislature from the Attorney General or Secretary of State’s office are expected to recommend on further changes or updates to the regulatory program.
Describing the legislation as “a big deal,” Botzow said he recently received a call from a Washington state legislator, “who was so excited we got a bill passed as she had been working on the issue over several sessions.”
California also tried to pass a similar regulatory bill concerning what is a growing industry, “but couldn’t get it done,” he said.
Governor’s response
In a memo on his decision not to sign the bill, Scott said he supports provisions prohibiting data brokers from charging fees to freeze or unfreeze credit reports and regulating third-party data brokers through a state-maintained registry, requiring annual reporting.
But the governor disagreed with the definition of data broker in the bill, which he said “is unusual in that it is both over-broad and under-inclusive.”
“It treats responsible corporate citizens which collect and sell publicly-available personal information as part of their business services, such as for data analysis and marketing, the same as it treats irresponsible actors brokering data in away which may jeopardize the interests of Vermonters,” Scott worte.
Vermont businesses listed in a state directory, he said, “could be perceived negatively both inside and outside the state. And at a time when the national dialogue has turned to the use and misuse of data by large companies such as Facebook, this law exempts those companies from its scope, thus giving Vermonters a false sense of security.”
And the governor questioned whether some of the provisions could be effectively enforced.
Scott said he sees the legislation as “a worthy first step to provide Vermonters with a tool to at least identify a few of the unrelated third parties who may hold their personal information, but as this bill moved through the process, constitutional issues were raised. I have concerns this provision may expose the state to litigation risk and expense.”
He said he urged the Legislature during the 2019 session to refine the data bill and “to make the changes necessary to clarify this bill only applies to data broker businesses registered to do business in Vermont.”
