Colorado lawmakers look to protect personal information under 3 new bills
Author: Marianne Goodland - January 22, 2018 - Updated: January 22, 2018
Finding out your identity and your personal information are under attack is a nightmare. And it’s one that Republican state Rep. Cole Wist of Centennial has experienced — twice.
A couple of years ago, Wist found out someone was trying to file false tax returns using his Social Security number, and false returns using his wife’s number and his children’s.
It wasn’t the breach at Equifax, the national credit reporting agency, that caused problems for Wist. It was through a health insurance company, an experience he called both frightening and daunting.
Wist said his experience, and a second one where his Social Security number was stolen by a meth ring, points to the need for greater protection for consumers in Colorado. Wist and Democratic Rep. Jeff Bridges of Greenwood Village teamed up with the attorney general’s office to come up with a measure, House Bill 1128, that will provide more protection for consumers.
The measure takes aim at more than just credit reporting agencies like Equifax, which reported last September that hackers had obtained the personal information of 143 million Americans, the largest such breach in U.S. history. Any company that uses personal information – insurance or credit card companies or companies that do background checks, for example, or even governments – would be impacted by the bill.
The Wist/Bridges measure has three provisions: that companies that use personal information delete it as soon as it’s no longer needed; that the information be secure; and to notify consumers in a timely manner when breaches occur, through phone, email and/or snail mail.
Information covered under the bill includes first name or initial, last name, Social Security number, driver’s license or identification card number; account numbers, such as from credit or debit cards; health insurance and medical information, user names, passwords and security questions and answers.
The timeliness of notification is critical, Wist said Monday. “If you do business in the state of Colorado, we will take steps to protect” that information.
The bill requires the company or government to notify the Attorney General within 7 days of a breach; for consumers, it’s 45 days. The disclosure would include a description of the information that was revealed, the date of the breach; toll-free numbers, addresses and websites for consumer reporting agencies and the Federal Trade Commission; and information on how the consumer can contact the entity that was breached.
Bridges pointed out that the Equifax breach was handled badly. The website looked “spammy,” he said, and the company even tweeted a fake phishing site to consumers for several days after the breach was discovered.
Bridges noted Attorney General Cynthia Coffman has been interested in the data issue before the Equifax breach took place, and gave her kudos for keeping the issue in the forefront.
He also acknowledged that this measure may be an additional burden on companies, but anyone who holds that kind of information has an obligation to protect it, he said.
“Everyone knows this is a problem, but when it happens to you, it’s a nightmare,” Wist said.
Two other measures, both introduced last week, also seek to protect consumers in the wake of the Equifax breach, and the two measures are almost identical.
The first is sponsored by Republican Rep. Polly Lawrence of Roxborough Park, and it would allow a parent or guardian to put a security freeze on the consumer report of a minor, under the age of 18. A bill sponsored by Speaker of the House Crisanta Duran of Denver and Republican Rep. Kim Ransom of Littleton would make a security freeze mandatory for those under the age of 18.
There are now four bills dealing with the Equifax breach awaiting House action, including an opt-out bill from Republican Rep. Dave Williams of Colorado Springs. All have been assigned to the House State, Veterans and Military Affairs Committee, which in this issue is not expected to act as a “kill” committee. The Wist/Bridges and Lawrence bills are scheduled for a Feb. 7 hearing.