By Martin H. Bosworth

March 16, 2006
A new identity theft prevention bill in Congress is drawing such heavy criticism that a number of influential consumer groups have united against it, with some calling it the "worst data bill ever."

House Resolution (H.R.) 3997, the "Financial Data Protection Act," is coming under fire from the U.S. Public Interest Research Group (PIRG), the Consumer Federation of America (CFA), the Privacy Rights Clearinghouse, and many other groups, for preempting strong state fraud prevention laws with weaker federal laws.

Critics say the bill opens loopholes that would enable companies to avoid notifying customers if data breaches occur.

The bill is currently up for vote by the House of Representatives' Financial Services Committee. PIRG's Ed Mierzwinski issued a statement urging committee members to reject the bill, saying "We believe consumers today would be worse off under this bill than if nothing passed."

The resolution amends the Fair Credit Reporting Act (FCRA) to mandate protections for consumer information in order to prevent an identity breach.

Under the Data Protection Act, if a company engages in a "reasonable" investigation and determines a possibility that stolen information can harm consumers, they can then notify them "without unreasonable delay."

The bill also limits consumer notification of data breaches to cases where "substantial harm" has occurred, defined as "material financial loss to or civil or criminal penalties imposed on the consumer or the need for the consumer to expend significant time and effort to correct erroneous information relating to the consumer."

Mierzwinski said that if H.R. 3997 had been in place when ChoicePoint lost the records of 145,000 people to a Nigerian identity theft ring, the public never would have heard about it.

"We believe individuals need to know whenever their sensitive personal information has been breached," he said.

The bill's sponsor, Rep. Steve LaTourette (R-OH), ironically bemoaned the slow pace of notification of data breaches in a Dec. 2005 press release urging passage of his resolution.

LaTourette cited the loss of customer data belonging to the ABN AMRO mortgage group, and said "The company is taking a good step by notifying customers, but it's bothersome to me that the tape has been missing nearly a month and the public and Congress are just learning about it."

Sweeping Preemptions

The bill also preempts virtually all state law enforcement power over identity theft and data breaches, remanding investigative power exclusively under federal agencies such as the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and other federal agencies.

The bill also mandates that any company affected by a data breach offer its customers six months of free credit monitoring, but only after the customers have been directly affected by identity theft or fraud.

Many corporations already offer free credit monitoring for one or two years in case of breaches, even without direct evidence that every involved customer or employee was affected, as in the case of Verizon losing a laptop containing employee data to theft.

The bill does enable consumers to "freeze" their credit records to prevent thieves from opening new accounts in their name, but only once their information was actually misused. In other words, they would have to wait for an identity crime to occur in order to prevent it.

Mierzwinski hammered the bill for what he called "locking the door after the horse has already left the barn."

"All consumers should have the right to sleep at night without worrying about identity theft, by placing a freeze on their accounts. It's the only proven way to stop identity theft before it starts," he said.