HR 3997 would have weakened laws regulating consumer data breaches by replacing strong laws in 34 states with a very weak federal standard. Under the standard that is contained in the bill, companies would be given a choice of whether or not to notify consumers when their data was exposed without authorization. Most consumer groups agree that very few, if any, notifications would take place.
California was the first state to pass a data breach notification law, in 2002. The law became known nationally in 2005 when ChoicePoint, one of the country’s largest data brokers, exposed the names and other personal financial information of 145,000 consumers to identity thieves.
Since the ChoicePoint breach, roughly 18 months ago, 33 more states have passed data breach notification laws. These laws have forced companies to admit to exposing more than 90 million personal records, involving tens of millions of people, within the same time period. Needless to say, admissions such as these can be both embarrassing and bad for business. So the financial services industry has been lobbying hard to institute a single federal law that would gut state data breach laws.
Today, House leaders put off a vote on HR 3997 until after the summer recess with little explanation. This could just be a tactic to try to get consumer groups focused on other things. The bill has received an extensive amount of bad press. Even so, for reasons largely associated with campaign donations, the bill refuses to die.
The bill is one of several moving through Congress that deal with issues related to identity theft. It is one of the least consumer-friendly bills on the issue.
Although ACCESS is opposed to any federal bill that will usurp state regulatory rights, it is quite likely that Congress will pass some form of law dealing with both data breaches and credit freezes prior to the mid-term elections in November. In that event, a much better law is also under consideration: HR 4127 – the Data Accountability and Trust Act (DATA).
While this law could potentially weaken data breach notification laws in the states with the strongest language, its negative impact would be minimal. Overall, it should strengthen consumer protections on a nationwide basis.
Here is a comparison of key issues addressed by the two bills: