A U.S. House panel’s effort to write a national data breach disclosure law is
running into fierce opposition from consumer groups, who are calling the
legislation the “worst data security bill ever.”
Passed out of the House Financial Services Committee on a 48-17 vote late
Thursday afternoon, the Financial Data Protection Act of 2005 (H.R. 3997)
allows data brokers and other companies to conduct an investigation of a
breach and determine if notification to consumers is necessary.
The bill also allows companies that choose to protect their data with
encryption to take that into consideration when determining if consumer
notification is necessary in the aftermath of a breach.
“We think consumers should be notified in case of a breach and it shouldn’t
be left to the companies to decide,” Susanna Montezemolo, a policy analyst
with Consumers Union, told internetnews.com.
The legislation also preempts any state laws mandating breach disclosures
to consumers. According to Consumers Union, 11 states currently have
stricter notification standards than H.R. 3997, including the California law
that forced data broker ChoicePoint to disclose its breach of 145,000
consumer records.
The furor over the ChoicePoint breach prompted Congress to begin considering
a national breach notification law.
“It is ironic that after a year in which over 55 million Americans’
identities were put at risk through preventable data breaches, the House
Financial Services Committee would repeal state laws that have protected
consumers from identity theft,” Montezemolo said.
Under the bill, if a company conducts a “reasonable” investigation after a
breach and determines that no “harm” to consumers occurred, the company is
not obligated to inform consumers of the breach.
The bill defines harm as “material financial loss to or civil or criminal
penalties imposed on the consumer or the need for the consumer to expend
significant time and effort to correct erroneous information relating to the
consumer.”
“Today, the Financial Services Committee voted for the worst data security
bill ever,” Ed Mierzwinski of the U.S. Public Interest Research Group said
in a statement.
“Rather than voting to protect consumers, the committee made
things worse. All consumers should have the right to sleep at night without
worrying about identity theft. This bill takes us in the wrong direction.”
In an e-mail statement to internetnews.com, bill sponsor Steven LaTourette of Ohio said: “We have crafted a balanced bill that makes sure companies safeguard their sensitive information and ensures that consumers are fully protected if data is breached.”
A LaTourette spokesman added in an interview, “The bill did pass in
committee overwhelmingly on a bipartisan vote.”
Mierzwinski said if LaTourette’s bill had been in place at the time of
ChoicePoint’s data breach, consumers would have never heard about it.
Montezemolo said her organization much prefers the Personal Data Privacy and
Security Act of 2005 (S. 1789) passed by the Senate Judiciary Committee in
November.
That legislation also allows companies to avoid notifying consumers of
breaches if there is no significant risk of identity theft. However, the
bill mandates that if a company decides there is no risk to consumers, the
company must file a written report with the U.S. Secret Service, which can
conduct its own investigation.
“What we like is that there is a process and something gets put in writing,”
Montezemolo said.