Consumer groups rail against proposed data-breach notification law

Bill called 'flawed,' too easy on businesses

Consumer and privacy advocacy groups are up in arms over a proposed federal data-breach notification bill that today was approved by the House Financial Services Committee.

The bill, which passed by a 48-16 vote, is H.R. 3997 -- otherwise known as the Financial Data Protection Act of 2005. It is designed to give financial services companies a national standard for securing sensitive personal information and notifying consumers in the event of a data breach.

Outraged opponents of the bill say that H.R. 3997 would gut stronger state laws already in place and would give companies far too much leeway when it comes to disclosing breaches involving the compromise of sensitive data.

Today's passage of the bill "is a really devastating blow for consumers," said Susanna Montezemolo, policy analyst at advocacy group Consumers Union in Washington. "But it's not become law yet," she said.

Ed Mierzwinski, consumer program director of the U.S. Public Interest Research Group (U.S. PIRG) in Washington, called the bill "easily the worst data-breach bill ever."

In a letter addressed to members of the House Financial Services Committee, Mierzwinski and representatives from nine other consumer and privacy groups slammed the proposed bill, claiming that consumers "would be worse off under this bill than if nothing passed."

"We are concerned that a bill so fundamentally and structurally flawed may be brought up for markup," the letter said. It also called for amendments to make the legislation more consumer-friendly.

According to Mierzwinski, one major problem with the bill is that it sets a notification trigger that would give companies too much flexibility in disclosing data breaches. Unlike state laws, such as California's SB 1386, which requires companies to notify consumers whenever there is a data breach, H.R. 3997 would require companies to do so only if they think there is a reasonable risk of harm.

"This bill has such a high trigger for determining when a breach might cause harm that consumers will never receive notice," he said.

Other major issues with the bill are that it would not regulate the activities of data aggregators such as ChoicePoint Inc. and would preempt stronger state laws that are already in place, he said.

"We want to make sure the bill won't wipe out all of the good state legislations that are already in place," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego-based advocacy group.

According to Givens, industry lobbyists have pushed heavily for passage of H.R. 3997 because it "gives license to breached entities to decide whether or not to inform consumers" of breaches that affect them, she said.

Another significant problem cited in the letter is the bill would overturn state laws that allow consumers to put a security freeze on their credit reports to protect against identity theft. Under H.R. 3997, consumers would be allowed to do so only after they have become victims of identity theft.

This is not the first time that attempts to pass a national privacy law have drawn fire. Last November, a bill called the Data Accountability and Trust Act (DATA), or H.R. 4127, drew heavy criticism after it was approved in a party-line 13-8 vote by a subcommittee of the House Energy and Commerce Committee (see "Critics hit proposed data breach notification law as ineffective"). Many of the criticisms leveled against that bill were identical to those being aired against H.R. 3997.

Proponents of a national standard for breach disclosures, meanwhile, argue that a federal law is needed to reduce the complexity involved in dealing with the variety of often-conflicting state requirements. They also claim that raising the bar on notifications is crucial because current state laws are leading to a climate of overnotification with very little real justification.

Copyright © 2006 IDG Communications, Inc.

  
Shop Tech Products at Amazon