By Martin H. Bosworth

June 14, 2006
Even as more states pass laws protecting their residents from identity theft and giving them more options to control their credit, a bill that could override all state laws for data breaches is slithering through Congress.

The House of Representatives may vote as early as this week on the "Financial Data and Security Act" (H.R. 3997), sponsored by Rep. Steve LaTourette (R-OH).

The bill, dubbed the "worst data bill ever" by Public Interest Research Group's Ed Mierzwinski, would preempt existing state laws that allow consumers to "freeze" their credit and prevent accounts from being opened in their name without permission.

The bill also preempts states from exerting any authority to investigate data breaches, and would only mandate companies notify customers of a data breach or fraud alert after they have performed a "reasonable" investigation themselves.

InfoWorld columnist Ed Foster said that the weakness of H.R. 3997 was due to the effects of heavy lobbying by banks, credit bureaus, and other members of the financial industry on Congress. "So we're talking about a lot of big companies with a lot of influence -- i.e., money -- that they can spread around our nation's capital."

Upstart credit protection company TrustedID has been aggressively campaigning against overturning any state laws. The company recently launched, a "consumer information" site designed to educate readers about the weaknesses of H.R. 3997.

"The credit bureaus -- and their Washington lobbyists -- are pushing a plan in Congress that will overturn more than a dozen state laws that now offer tens of millions of consumers crucial protections against identity theft and financial fraud," according to the site's mission statement.

If the "Financial Data and Security Act" becomes law, companies like TrustedID would not be able to market its credit freeze and monitoring products in any state. As it is, the company can only offer credit freezes in states that have passed laws allowing the practice.

The debate over H.R. 3997 comes at a time when many more states are passing laws that grant consumers stronger preemptive protection against identity theft. New York governor George Pataki recently signed a "credit freeze" bill into law for the state, as well as stronger rules for how businesses dispose of data they collect.

The state of Washington recently enabled veterans and active-duty military personnel who may have been affected by the theft of 26.5 Veterans Administration (VA) data records to put freezes on their credit reports.

Colorado passed a law enabling credit freezes that takes effect on July 1st. In discussing the law, Rocky Mountain News columnist Rex Nesmith noted that it doesn't protect victims of data breaches by government agencies.

"There was a loophole in the law that did not cover the banks or government, such as universities and state colleges," Nesmith said.

"The experience with [the Veterans Administration data breach] demonstrates thatlawmakers need to close that loophole and mandate notice whenever an unauthorized person has gained access to sensitive information about consumers - no matter what the institution."

Ironically, Rep. LaTourette invoked the spectre of the VA data breach when he claimed one of his constituents, a 33-year-old disabled veteran from Ashtabula, OH, might have been affected, as someone may have opened a bank account in his name.

When VA Secretary Jim Nicholson testified before Congress on the breach, LaTourette told him that the story was the "first instance" he had heard of veterans being affected by the breach.