Consumer groups rail against proposed data-breach notification law

Computerworld - Consumer and privacy advocacy groups are up in arms over a proposed federal data-breach notification bill that today was approved by the House Financial Services Committee.

The bill, which passed by a 48-16 vote, is H.R. 3997 -- otherwise known as the Financial Data Protection Act of 2005. It is designed to give financial services companies a national standard for securing sensitive personal information and notifying consumers in the event of a data breach.

Outraged opponents of the bill say that H.R. 3997 would gut stronger state laws already in place and would give companies far too much leeway when it comes to disclosing breaches involving the compromise of sensitive data.

Today's passage of the bill "is a really devastating blow for consumers," said Susanna Montezemolo, policy analyst at advocacy group Consumers Union in Washington. "But it's not become law yet," she said.

Ed Mierzwinski, consumer program director of the U.S. Public Interest Research Group (U.S. PIRG) in Washington, called the bill "easily the worst data-breach bill ever."

In a letter addressed to members of the House Financial Services Committee, Mierzwinski and representatives from nine other consumer and privacy groups slammed the proposed bill, claiming that consumers "would be worse off under this bill than if nothing passed."

"We are concerned that a bill so fundamentally and structurally flawed may be brought up for markup," the letter said. It also called for amendments to make the legislation more consumer-friendly.

According to Mierzwinski, one major problem with the bill is that it sets a notification trigger that would give companies too much flexibility in disclosing data breaches. Unlike state laws, such as California's SB 1386, which requires companies to notify consumers whenever there is a data breach, H.R. 3997 would require companies to do so only if they think there is a reasonable risk of harm.

"This bill has such a high trigger for determining when a breach might cause harm that consumers will never receive notice," he said.

Other major issues with the bill are that it would not regulate the activities of data aggregators such as ChoicePoint Inc. and would preempt stronger state laws that are already in place, he said.

"We want to make sure the bill won't wipe out all of the good state legislations that are already in place," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego-based advocacy group.

According to Givens, industry lobbyists have pushed heavily for passage of H.R. 3997 because it "gives license to breached entities to decide whether or not to inform consumers" of breaches that affect them, she said.