A new report recommends the legislature take steps to better protect consumer information collected by data brokers.
There’s been heightened concern about the information gathered, aggregated and sold by third-party companies as the data collection industry has grown in the past decade.
In September, a security breach at the credit reporting agency Equifax exposed personal information about hundreds of thousands of Vermonters.
“Our consumer assistance program took over 700 calls from Vermonters in the week following that breach,” says Christopher Curtis, chief of public protection with the Attorney General’s office.
“People [were] anxious, panicked, angry; wondering what to do and how to protect themselves.”
Curtis says in the wake of the breach, Equifax charged worried consumers fees to freeze their credit reports – even though Equifax was responsible for the problem.
“The industry that causes that problem should not be able to stick a bill to Vermont consumers,” says Curtis.
The report, by a working group headed by the Attorney General’s office and Department of Financial Regulation, recommends the legislature amend Vermont law to prohibit the fees charged for freezing or unfreezing credit reports.
"These recommendations balance the twin imperatives of preserving commerce and common sense" — Chris Curtis, Vermont Attorney General's Office
Overall, Curtis says the report’s recommendations are designed to require more transparency and accountability on the part of the data brokers.
“Many of the players in the data broker industry have lost the trust of Vermonters. These recommendations balance the twin imperatives of preserving commerce and common sense,” says Curtis.
The report calls for requiring data brokers to provide information about how consumers can opt-out of having their information collected and shared.
It’s not clear if a diligent consumer could prevent all of their information from being used.
“Most of the testimony that we heard from industry suggested that many of the data brokers do offer an opt-out and that it’s a best practice. If that’s the case, the key thing is to connect up that best practice with consumers and let consumers take advantage of it,” says Curtis.
The report also recommends requiring data brokers to show they are using reasonable methods to keep information secure and to provide quick notice of breaches.
Data brokers gather information from online activity and publicly available documents, such as motor vehicle registrations, property records and court cases. The information is then sold and used for marketing, credit reporting and background checks.
The data is a tool used by banks and other businesses to assess risks or detect fraud, but it can also be compromised through security breaches, such as the one at Equifax, or used in identity theft or to target vulnerable populations.
The data can also contain errors that could affect an individual’s credit rating or the interest rates they receive.
Most consumers are unaware of how much of their personal information is being collected and used by data brokers.
“One of the challenges is, we don’t know the full scope,” says Curtis.
The report defines what a data broker is and recommends that certain businesses that collect consumer information not be considered data brokers. This includes banks, utilities, retailers and others who are not acting as third parties, and collecting information about their own customers.
