New Report: How Massachusetts Can Protect Consumers 1 Year After Equifax Breach



A year ago, Equifax announced that hackers had breached its system and accessed the data of nearly 150 million U.S. consumers. To mark the anniversary of that notorious announcement, MASSPIRG called on state lawmakers to pass the pending Security Breach Bill, H4806, and released a new report containing suggestions on how lawmakers, regulators, and consumers can safeguard personal information.

“One year after announcing the worst data breach in history weeks after it knew about it, Equifax has yet to pay a price or provide consumers with the information and tools they need to adequately protect themselves,” said Deirdre Cummings, MASSPIRG’s Legislative Director. “This may not have been the biggest breach ever, but it’s the worst, because Equifax’s carelessness made it easier for bad guys to steal the identities of nearly 150 million consumers.”

The Act Relative to Consumer Protection from Security Breaches, HB 4806, passed both the Massachusetts House and Senate with unanimous bi-partisan support in July and is currently pending a final re-enactment vote before it can become law. Instead of signing the bill, Governor Baker sent it back to the legislature with relatively minor changes. As a result, the legislature must “re-enact” the bill before the end of the year for it to become law.

“The legislature should be commended for acting quickly and passing this important consumer protection bill,” said Cummings. “But the bill still needs a final vote to become law.  We hope the legislature will see to it that the bill makes it over the finish line to protect Massachusetts consumers.”  

If passed, the bill will provide consumers with important consumer protections:

Free Credit Freeze: The law will allow consumers to freeze and thaw their credit files at any time, for free.

Free Credit Monitoring: If a security breach involving a Social Security number occurs at a consumer reporting agency – such as Equifax – the bill requires credit reporting agencies to provide at least 3.5 years of free monitoring to affected consumers.  Other entities that suffer a breach must offer consumers at least 1.5 years of free monitoring.

Prohibits binding arbitration clause in credit monitoring products:  No one should have to give up their right to sue for redress just to receive credit monitoring after a breach.

Additional Consumer Information: The new law would better inform consumers about security breaches and their rights.

Consent: In some limited instances, companies or individuals seeking to obtain or use a consumer’s credit report will need the permission of the consumer and must disclose the reason for seeking access to the information.

The report, Equifax Breach: 1 Year Later – How to Protect Yourself Against ID Theft & Hold Equifax Accountable, includes the following features:

  • A recap of the main governmental and civil actions against Equifax over the last year (which have so far failed to hold the company accountable).
  • New materials, including charts and checklists, to help consumers understand how to best protect themselves against the very real threats of identity theft for the rest of their lives.
  • A case for why we need both oversight and financial consequences to prevent future large-scale breaches.

The report also recommends requiring companies that have been hacked to clearly explain to consumers how they can protect themselves against most types of identity theft.

The report contains charts, checklists and other tips to help consumers prevent and detect the types of identity theft and fraud made possible by the Equifax breach:

  • Existing Account Fraud: Check your monthly credit card and bank statements.
  • New Account Fraud (including cell phone, credit card, loan, and utilities): Get credit freezes at all three nationwide credit bureaus: Equifax, Experian, and TransUnion. A new federal law will eliminate fees for those credit freezes for consumers on September 21st, 2018 – the pending state bill will codify this into state law.
  • Tax Refund Fraud: File your taxes as soon as possible, before thieves do. Also, if you qualify, get an Identity Protection (IP) PIN.
  • Health Care Services / Medical Benefits Fraud: Sign up for online accounts with your health care and insurance providers to periodically check for any fraudulent services on your statements.
  • Other Fraudulent Activity: Check your free annual consumer reports with companies that specialize in collecting information often misused by criminals.
  • Phishing Scams: Ignore unsolicited requests for personal information by email, links, phone calls, pop-up windows, or text messages.

The report also highlights the need for both penalties against and new oversight of Equifax to compensate the victims and prevent future breaches of this scale.

“Ultimately, we are not the customers of Equifax or the other credit bureaus. We are their product. We did not ask or give them permission to collect or sell our personal information,” said Cummings. “At the very least, breached companies should be held accountable for failing to safeguard our personal information and the legislature should act without delay in passing the security breach bill.”



MASSPIRG Education Fund is an independent, non-partisan group that works for consumers and the public interest. Through research, public education and outreach, we serve as counterweights to the influence of powerful special interests that threaten our health, safety, or well-being.