To: The United States House of Representatives and The United States Senate
Mandate companies provide consumers with basic identity fraud protections following data breaches
Companies should default to protecting consumers immediately after a breach and make it easy for them to extend these protections going forward. The current requirement for a data breach victim to wait until they are also a victim of identity theft before offering these basic protections for free is archaic. It results in lost US worker productivity (time and billions of dollars) cleaning up the mess left after an identity theft event.
Why is this important?
I would not expect McDonald's to offer me a year of free hamburgers (converting into a paid subscription for suspect hamburgers the following year) as compensation if they served me a hamburger that gave me a lifelong bacterial infection. Yet apparently this is essentially what Experian and Equifax have offered us in recent massive data breaches. A HUGE conflict of interest! It is time we demand Congress to act on our behalf for sensible data breach regulations:
Within the first week after a notification of a data breach, a fraud alert should automatically be enabled on behalf of all affected customers. If the breach involves credit or core personal information (SSN, drivers license, financial, or health information), the option to enable an indefinite fraud alert should be offered for free without the requirement of waiting for an identity theft event.
Any breach that involves core personal information entitles victims to complimentary credit freezes and thaws from all vendors indefinitely, without the requirement of waiting for an identity theft event. If there are processing costs associated with enabling these features at other companies, the company responsible for the breach shall be held liable.
Any data breach involving core personal information requires a minimum of [10 years] of free ID and credit monitoring service chosen by the consumer from a marketplace. If the consumer was previously the victim of a data breach, an additional [10 years] of complimentary monitoring services will be added to their existing service.
Build upon the Fair and Accurate Credit Transactions Act and redesign annualcreditreport.com to handle adding, removing, and thawing credit freezes and fraud alerts across all credit bureaus (Experian, Equifax, TransUnion, ChexSystems, Innovis, etc.).
http://www.lessismoreorless.com/2015/11/19/applying-common-sense-to-data-breach-response/
https://medium.com/@lessismoreorless/stop-drop-freeze-rinse-repeat-the-equifax-edition-ea201e8ef0fa
http://www.lessismoreorless.com/2015/11/18/stop-drop-and-freeze-part-2/