The state of Maryland has entered into multiple settlements with Experian over data breaches. The Maryland Attorney General's office along with those in 39 other states announced two separate settlements with Experian and a subsidiary recently over the companies' handling of personal information. Experian failed to notify customers regarding data breaches in 2010 and 2015. As part of the settlement, Experian has paid penalties and agreed to improve its data handling and security. To ensure those new methods are effective, Maryland Attorney General Brian Frosh says Experian will hire outside firms to audit its data practices.
"There will be monitors in place whom they will hire to look over their shoulders who will be looking at how they're doing and what they're doing."
Experian did not respond to our request for comment.
A few states have enacted comprehensive data privacy laws. Maryland's Personal Information Protection Act isn't comprehensive but has been strengthened since it was implemented in 2008. Now the law mandates data aggregators such as Experian notify customers about data breaches within 10 days of discovery. When asked if Congress and state legislatures should enact more strict data protection and privacy laws, Frosh said yes and pointed to biometric data.
"You can now get your DNA tested. It goes into a database somewhere. It may be sold to other entities. We think that should be included among the things that are protected within the scope of the personal information that people need to take special care of."
The settlement requires Experian to offer affected consumers 5 years of free credit monitoring services. For more info on data privacy and security, in addition to other services for consumers, visit the Attorney General's Identity Theft Unit website at marylandattorneygeneral.gov.