While it appears unlikely our Congress is going to do anything about immigration, gas prices, or the deficit anytime soon, as early as this week it might very well take action on another sore point for many Americans: privacy and identity theft. But, wouldn't you just know it, the approach our elected representatives seem most attached to is one that -- instead of strengthening privacy protection -- will actually deprive consumers of the most effective privacy protections we now have.
With last Friday's disclosure of a long unreported Department of Energy data leak coming so soon after the massive Veterans Affairs security breach, the pressure on Congress now to do something about privacy and data theft will surely be irresistible. A wide array of bills have been kicking around in the Senate and the House for months, including some we discussed earlier that would replace strong laws in California and other states requiring that consumers be notified of security breaches involving their personal information. Instead, most of these bills would pre-empt the state laws with a much weaker disclosure requirement that would leave it up to the organization that exposed your data to decide if the risk of identity theft is great enough to bother notifying you.
As if that's not bad enough, observers expect a different bill that goes even further in weakening effective state privacy laws could be voted on by the House as early as this week. H.R. 3997, the Financial Data Protection Act of 2006, will deliver a new level of protection all right, but it is protection for the financial institutions whose security failures put us at risk for identity theft.
The really odd thing is that the House would consider H.R. 3997 a response to the VA case, as that theft is a good example of how the law's loopholes would let companies avoid notifying their customers of serious data breaches involving their data. "Under H.R. 3997, if a company does not know whether the theft puts individuals at risk for identity theft, it does not have to notify them," says Gail Hillebrand, senior attorney for Consumers Union. "Since the identity and purposes of the thief who took the VA laptop are unknown, the loopholes in 3997 would let a private company in a similar situation say they don't know if consumers are at risk, so they don't have to tell."
What's even worse, though, is that the law would also deprive citizens of some states of an effective countermeasure they can now take when they suspect they are a victim of identity theft. Seventeen states have already enacted security freeze laws that allow all consumers to put a freeze on their credit report files, thus stopping identity thieves from opening fraudulent accounts with the information they've stolen. It's one of the first things privacy experts suggest you do when you suspect your personal information has been exposed.
The Financial Data Protection Act specifically pre-empts these security freeze laws, instead limiting credit freezes to consumers who are already known victims of identity theft. That makes almost no sense as a way of protecting consumers, because the security freeze is a preventive measure that's best used before stolen information is abused. If 3997 were the law of the land right now, the 26 million veterans whose social security numbers were lost would not have the right to put a security freeze on their credit files. They would have to wait until they were victims -- what kind of "financial data protection" is that?
Now, if you're a little confused as to why Congress would be so attracted to the idea of replacing effective state laws on identity theft with weak federal ones, then you just haven't been paying much attention to how your government works. It is of course the banks, databrokers, and other financial institutions whose indifferent security practices keep exposing our personal information that don't want to have to notify us when it happens. And it is of course the credit bureaus, credit card companies, etc. who don't want us to be able to freeze our credit files just because identity thieves might have our information. So we're talking about a lot of big companies with a lot of influence -- i.e., money -- that they can spread around our nation's capital.
H.R. 3997 has a number of other problems that make it by far the worst of the bills Congress is considering. You can read more about what Consumers Union thinks of the different bills -- and how you can express your concerns to your federal and state representatives -- at CU's FinancialPrivacyNow.org website. You might also want to consider visiting their privacy campaign's donation page, just in case you'd like to provide a bit of counterweight to the financial institutions' lobbying dollars.
While Consumers Union believes that some of the bills before Congress might be close enough to make for a reasonable compromise with the tougher state laws, I personally hope that the feds will simply not pass any new laws. Our state privacy laws are already working pretty well, and they're getting more effective as more states catch on. So let's hope that Congress simply does nothing. Fortunately, along with sticking their palms out, doing nothing seems to be the one thing at which all our Congresspersons excel.
Read and post comments about this story here.
10:00:47 AM 
|
