Assemblymember Chau Introduces Legislation in Response to Equifax Data Breach

Thursday, January 11, 2018

Sacramento – Assemblymember Ed Chau (D–Monterey Park), Chair of the Assembly Privacy and Consumer Protection Committee, introduced legislation in response to the Equifax data breach from last year that resulted in the loss of 145.5 million U.S. consumers’ personal information.  Assembly Bill (AB) 1859 would require Consumer Credit Reporting Agencies (CCRAs) to patch their vulnerable computer systems in a timely manner or be subject to civil penalties to individuals whose data was compromised.

“The scale and severity of the Equifax breach is simply staggering and has inflicted real personal and financial costs on millions of innocent consumers for years, if not the rest of their lives,” said Assemblymember Chau.  “The impact of this information disaster requires that we examine our laws to ensure they are sufficiently updated and robust to address negligently lax behavior by credit reporting agencies when it comes to safeguarding their systems against cybersecurity threats. That is what this bill attempts to do.” 

According to Equifax, it experienced a cybersecurity breach from mid-May through July 2017 that resulted in the loss of 145.5 million U.S. consumers’ personal information, though it did not disclose the breach until September 7, 2017. Furthermore, news outlets have reported that the U.S. Department of Homeland Security (DHS) notified Equifax and other companies of a security vulnerability in Apache Struts, software they used, as early as March 8, 2017. In other words, hackers exploited the website vulnerability well after DHS had notified Equifax to patch its network.

AB 1859 would require a CCRA conducting business in California to patch its computer system in the most expedient time possible, consistent with industry best practices, but no longer than 10 days in any case, if it is subject to a vulnerability that could compromise the security of computerized data containing personal information. If a CCRA fails to patch its system and a data breach occurs, the bill would allow a resident of California, whose information was compromised, to bring a civil action to recover damages for his or her injuries, civil penalties, and reasonable attorney’s fees and costs.

Assemblymember Ed Chau represents the 49th Assembly District, comprised of the communities of Alhambra, Arcadia, El Monte, Monterey Park, Rosemead, San Gabriel, San Marino, Temple City and portions of Montebello, and South El Monte.