Three months after Equifax revealed a massive data breach, the credit rating agency still has not notified millions of consumers that their personal financial information may be in the hands of criminals. 

Because of a hodge-podge of state laws, Equifax has contacted relatively few of the 145 million Americans affected by the breach. As a result, millions of consumers remain unaware that their sensitive financial data may have been stolen.

That has prompted consumer advocates and some members of Congress to call for federal legislation requiring companies to alert consumers when there is a data breach.  

Right now, only about 20 states and U.S. territories have specific provisions about how consumers must be notified and what information must be contained in that message. These states also differ sharply on how strict their rules are.


In Utah, posting a notice in a general circulation newspaper is sufficient, but California requires broader media notification and sending an email message to those people who may have been affected.

The uneven reporting requirements help explain why 71 million U.S. adults (more than 30 percent of the population) haven’t heard anything at all about the Equifax breach, according to a recent study from CreditCards.com.

“If I didn’t watch the news as much as I do, I would have never known about it,” Danielle Michaud, a 32-year-old mother of three from Volusia County, Fla., told Consumer Reports. 

Michaud says she hasn’t gotten any letters or emails from Equifax informing her about the breach.

“Inconsistent state laws mean that not all consumers have adequate protections in the event of a data breach,” says Maureen Mahoney, policy analyst at Consumers Union, the policy and mobilization division of Consumer Reports.

During a Senate hearing on Wednesday, Equifax’s interim CEO Paulino do Rego Barros was asked whether Equifax had proactively reached out to all 145 million consumers who may have been affected by the breach, even in states that don’t demand that the company do so. His response was that the company was contacting consumers as mandated by law.

Equifax says it has mailed notices to about 391,000 consumers, posted two press releases about the breach, and created a website to inform consumers about the incident. In his testimony, Barros said that 30 million individuals have used the website. 

Consumer advocates say that is far from enough. “While Equifax may be following the law, ‘doing enough’ doesn’t just mean meeting the bare minimum state requirements,” Mahoney says.

Other advocates say Equifax puts the burden on consumers to find out about the breach.

“Equifax makes you proactively check the site,” says Chi Chi Wu, staff attorney at the National Consumer Law Center. “The burden should be on them to proactively inform the consumer.”

Like some lawmakers at the hearing, Consumers Union and other consumer advocates want to see Congress pass a strong federal data-breach notification law that includes, at a minimum, strong civil penalties for violating data-breach notification laws, and enforcement by state attorneys general.

Mahoney says a federal law should provide a baseline for state-level protections to build on.

Steps to Take Now

Consumers still need to take steps to protect themselves. Of those people who told CreditCards.com that they knew a lot about the Equifax breach, 22 percent said they haven’t bothered to check their credit within the past 12 months. 

Credit safety experts say that whether your information was hacked or not, the best way to protect your personal data is to institute a credit freeze with all three credit bureaus: Equifax, Experian, and TransUnion.

Equifax is providing free credit freezes until Jan. 31, 2018. The other two big agencies are charging up to $10 each for a freeze, depending on which state you live in. If you later need to unfreeze your credit—say, because you want to apply for a new credit card—you may have to pay to do that, too, again depending on where you live.

“The truth is that you’re better off assuming the worst and taking steps to protect yourself,” says Matt Schulz, a senior industry analyst for CreditCards.com. “This cyberattack was so big, and it contained so much highly sensitive information, that it’s going to linger for a long time,” he says.