Lawmakers hear residents on data breaches

MANCHESTER — Mounting concern over online data breaches and a feeling of helplessness in the face of internet attacks were expressed Tuesday during a legislative hearing at the Manchester Community Library.

The afternoon session before members of the House Commerce and Economic Development Committee, which drew about two dozen area residents, was the third of four held around the state in the wake of the Equifax security breech in September that exposed personal information on about 150 million Americans, including an estimated 240,000 Vermonters.

Committee Chairman Bill Botzow, D-Pownal/Woodford, said the information-gathering sessions, which concluded Tuesday evening in Burlington, were requested by House Speaker Mitzi Johnson after the massive breach at one of three major credit reporting agencies.

Botzow said the committee's goals were to listen to the experiences and concerns of Vermonters and to gather information that might inform new state legislation in the coming session.

Business owners described constant threats to company and personal information and attempted fraud, which increasingly involved the use of stolen or carelessly guarded personal information.

One woman described an internet attack a few years ago at a firm where she worked in payroll. Today, she said, her practice is to avoid using an internet connection for business or personal financial reasons whenever possible.

"I try not to use a [connected] computer," she said, later adding, "Just be careful; it's all over the world."

A motel owner said she now handles credit card transactions off-line via telephone to protect against the theft of data about her business or her customers. But she acknowledged "it would be very difficult to run our business if we didn't have the internet," and noted that large hotels could not handle their transactions off-line.

A similar issue raised by committee members and local residents was telephone "spoofing" calls, in which a phone number familiar to the person being called appears in the phone's caller ID, possibly making the person more trusting and open to some type of fraud. Most of those attending the Manchester session said they were familiar with calls involving a form of identity theft.

Botzow said he and others in the area have recently received calls from a number located at Southwestern Vermont Medical Center.

Spoof calls come into her motel on a daily basis, the owner said, but each must be answered to determine whether it sounds legitimate or is an attempted fraud.

The woman added that she's also "very concerned" about her elderly parents and their vulnerability because they are from a more trusting era and "don't think they have a problem" requiring safeguarding their financial information.

Botzow said that among legislative ideas under consideration are provisions to better protect both seniors and young people. In light of the information that can easily be obtained through social media posts and public records, he said frauds are often tailored to the person who is being targeted, prompting an instant but unwarranted trusting response and the release of more personal data.

Committee member Rep. Jean O'Sullivan, D-Burlington, said the panel has heard the same complaint at each of the hearings. She stressed the importance of residents' input to make the Legislature aware of their concerns as it takes up related bills in the 2018 session.

"We need to show that this is a problem," she said, later adding that when a similar bill was considered this year, it quickly faced "a wall of reaction" from opponents.

"This is incredibly important to us as decision-makers," Botzow said, "because everyone is going to ask us what we heard from Vermonters."

One woman noted that "new tactics" involving game-playing posts on social media, asking questions about birthdays or pet names, can give thieves what they need to extrapolate passwords a person might choose.

"I don't think that registers with some young folks, the people that rely totally on their computers," she said.

Another woman commented that she'd like to see a portion of any fines companies pay concerning data breaches go into a pool of funds to assist the victims who've been harmed by the release of personal information.

Several speakers asked the committee to address the fees credit-reporting agencies charge people to freeze and later unfreeze the release of their information. While the data is frozen to thwart thieves, it also can't be released to banks or businesses when someone is seeking a loan, a new credit card or making another financial transaction.

Some states don't allow such fees, Botzow said, adding that fee-related changes are among those likely to be considered.

A man who commented said he would like to see a system for freezing credit information that requires just a single phone call, rather than having to contact all three major credit agencies.

"There should be a simple way to do this," he said.

Botzow said other states, such as Massachusetts, have provisions requiring businesses to meet security protocols and hold financial entities more responsible for protecting customer information. He said that state's laws are "considered the gold standard" for such consumer legislation.

He urged Vermonters to become informed about these issues and about each new security problem, and to take steps to protect their personal information. If there is no progress on new legislation, Botzow said, residents should contact their state representatives to seek answers.

Also attending the session was David Hall, an attorney with the Office of the Legislative Council. He said residents can get further information about fraud alerts and issues like the Equifax data breach on the Attorney General's website and its Consumer Assistance Program site.

The Legislative Council has been asked by the House committee to research state and federal law regarding information and security in anticipation of new legislation.

Botzow noted during the session that an estimated 1.9 billion user names and passwords are being traded on the black market and billions of internet accounts were targeted by internet phishing attempts.

"I think that part of our goal here is to raise of level of knowledge of Vermonters, including businesses," he said.

Christopher Curtis, chief of the Public Protection Division of the Attorney General's Office, said the office responded quickly to notify Vermonters of the Equifax breach. He said about 15,000 people were contacted immediately because they had signed up to receive an emergency fraud email, text or phone alerts through the AG's website.

Information about that breach and other consumer issues is updated constantly on the AG's site, at, he said.

Jason Duquette-Hoffman, of the AG's Consumer Assistance Program, said individuals can learn how to respond to the Equifax breach or others through the website, at

In addition, he recommended that residents contact their financial institution to learn if there are security protections they can take advantage of through the institution.

He and others also recommended continued vigilance, as thieves know that many credit freezes will last for a year, and they could be waiting to take advantage of future lapses in monitoring by the individual or business.

Gavin Boyles, of the Vermont Department of Financial Regulation, advised people to become aware of all the ways their personal information could be accessed as they use computers, tablets, phones or other devices connected to the internet, and to take steps to limit what might be revealed to data thieves.

Jim Therrien writes for New England Newspapers in Southern Vermont and @BB_therrien on Twitter.


If you'd like to leave a comment (or a tip or a question) about this story with the editors, please email us. We also welcome letters to the editor for publication; you can do that by filling out our letters form and submitting it to the newsroom.

Powered by Creative Circle Media Solutions