BOSTON — Credit bureaus would be prohibited from charging consumers who want to "freeze" or "thaw" their credit reports if their financial information is hacked or stolen under a proposal approved by the state Senate on Thursday.
The legislation, co-sponsored by Sen. Barbara L'Italien, D-Andover, would allow consumers whose financial data is breached to request two to five years of free credit monitoring from the main reporting bureaus — Equifax, Experian and TransUnion — depending on the type of information stolen.
The credit companies would be required to “freeze” a person's credit report within three days of a mailed request, and one day for requests made by telephone or email. “Freezing” a credit report is one way that consumers can ensure that identity thieves don’t use stolen information to open a new line of credit.
L'Italien, chairwoman of the Legislature's Consumer Protection Committee, said the massive Equifax data breach showed the need for more safeguards.
"Equifax is known for helping people protect their credit reports but instead ignored clear cybersecurity threats and failed to safeguard our information," she said ahead of the vote Thursday. "Millions of Americans don't know who might have access to their personal information and what they might do with it."
Georgia-based Equifax disclosed last year that the personal information of as many as 147 million Americans was exposed.
The company infuriated those who were compromised by waiting weeks to reveal the breach, then charging those who wanted to freeze their credit information while demanding that they give up their legal rights to sue. Equifax CEO Richard Smith stepped down amid the uproar.
Attorney General Maura Healey sued Equifax, accusing it of failing to protect the information of at least three million Bay State consumers.
Under L'Italien's bill, anyone who wants to access someone else’s personal financial information on a credit report would first have to get written permission.
"Consumers have to be empowered to know who is requesting their data and why," she said.
Credit reporting agencies would also be prohibited from requiring consumers to waive their legal rights if their personal data is compromised.
Backers of the bill dropped a provision that would have required any business that holds the personal financial information of more than 1,000 Massachusetts consumers to use encryption systems but it does require companies to "certify, under penalty of perjury" that they have an adequate cybersecurity program.
The state House of Representatives passed a similar bill in February. Differences between the two versions will be worked out by a conference committee.
An emergency preamble has been added to the legislation, which means it would go into effect right away once signed by Gov. Charlie Baker.
State regulations would still have to be written but many key components of the law would take effect immediately.
Several amendments were tacked onto the bill Thursday, including one offered by Senate Minority Leader Bruce Tarr that would require national credit agencies to share information about consumers who request a freeze so that information could be frozen by other reporting agencies.
Twelve states, including Indiana and Arizona, have passed laws prohibiting credit bureaus from charging consumers who want to begin or remove a freeze.
On a national level, consumer advocates say prospects for strengthened consumer protections are dim in the current political climate.
More than $16 billion was stolen from Americans last year as a result of identity theft — a 16 percent jump from the previous year, consumer advocates say.
“This is a marketplace that is broken," said Deidre Cummings, legislative director for the Massachusetts Public Interest Research Group. "This bill will offer all Massachusetts residents much-needed, long-overdue, common-sense consumer protection against identity theft and the sloppy, dangerous practices by the big three credit reporting agencies."
Christian M. Wade covers the Massachusetts Statehouse for North of Boston Media Group’s newspapers and websites.