NEWS

Federal Data Breach Bill Faces Opposition

Consumer advocacy groups say state laws are stronger.

By Tina Dhamija

A recently approved federal data breach notification bill has consumer advocacy groups and Congress facing off. Approved by the House Financial Services Committee in a 48-16 vote in March, the Financial Data Protection Act of 2005, or H.R. 3997, is intended to give financial services companies a national standard for securing sensitive personal information and notifying consumers in the event of a data breach. Supporters say the bill will reduce the complexity companies currently face in complying with multiple state laws. However, consumer groups vehemently oppose it, saying it trumps stronger existing state laws.

The bill amends the Fair Credit Reporting Act and expands the entities covered under it to include “consumer reporters,” a category of businesses or individuals that collect and sell information. The bill would require companies to provide reasonable security and confidentiality for the information they hold. It also calls for the Secretary of the Treasury, the Federal Reserve and the Federal Trade Commission to develop their own guidelines for the organizations the act covers.

“The bill establishes weak duties to protect confidential consumer DNA, yet grants broad discretion to ignore telling us when banks or other companies lose it,” said Ed Mierzwinski, consumer program director of the U.S. Public Interest Research Group and one of the bill’s most vocal opponents. “[H.R. 3997] threatens to destroy all the good work that the states have done to prevent identity theft, without preventing any itself.” Mierzwinski said he opposes, among other sections, a provision that gives only victims of identity theft the right to place a security freeze on their credit reports, rather than giving all consumers the right to do so.

In contrast, supporters of the bill say a federal law is necessary to reduce the complexity created by varied and frequently conflicting state requirements. Some proponents also claim changing the standard on notifications is crucial because current state laws are leading to a climate of over-notification with minimal justification.

A separate bill also is making its way through Congress, and has garnered far less ire from advocacy groups. The House Energy and Commerce Committee approved the Data Accountability and Trust Act by a unanimous vote in March. While Mierzwinski said U.S. PIRG still can’t support the bill because the group supports individual state laws, he said it does include strong standards for determining whether notices of breaches are required.

Several privacy advocacy groups issued a joint statement in support of DATA, saying they are pleased with the “trigger” language in the act regarding when businesses must notify individuals of a data breach. “Notification is critical because it provides marketplace incentive for companies to keep our information secure,” the statement said.

Both bills now are before the full House, and at press time neither was scheduled for a vote.


Entire contents copyright © 2006 James Publishing, Inc.

All Rights Reserved.