RE: Serious Concerns with H.R. 3997, “Financial Data Protection Act”

13 March 2006

Dear Member of the House Financial Services Committee:

On behalf of our millions of members and supporters, the undersigned consumer and privacy protection organizations are writing to express our grave concerns over H.R. 3997, the “Financial Data Protection Act of 2005,” which we understand may be marked up this week. The bill would put in place a weak federal system and overturn many stronger state laws. Consumers today would be worse off under this bill than if nothing passed.

We are concerned that a bill so fundamentally and structurally flawed may be brought up for markup. We urge you to support amendments that offer stronger consumer protections and privacy rights, and to oppose reporting it out of Committee unless it is significantly improved.

Since last February’s revelation that ChoicePoint had sold 163,000 detailed consumer dossiers to identity thieves, over 100 breaches – at banks, their third-party processors, retailers, and state agencies – affecting over 55 million Americans have been reported. We only know about these breaches because of a strong, pioneering California breach notice law that companies have been complying with nationwide.

Some of the major problems with the latest draft of H.R. 3997 are:

(1) The “trigger” for notification would leave consumers uninformed in many instances when personal information has been breached.

Notification is critical, because it provides a marketplace incentive for companies to put in place strong protections against breaches. In addition, when people know they personally are at increased risk of harm because of a breach, they can take sensible steps to avoid becoming a victim (such as placing a fraud alert or freeze on their credit file, monitoring their credit, etc.).

The bill features what we could call a “don’t know, don’t tell” trigger, meaning that when a company doesn’t know whether there is a risk of harm, individuals are not notified. This gives companies an incentive not to conduct thorough investigations. Moreover, under the bill, notice is only required if there has been or is reasonably likely to be misuse “in a manner causing” “substantial harm or inconvenience against the consumer to whom such information relates.” Substantial harm or inconvenience exists only where there is “material financial loss,” “civil or criminal penalties” or the “need to expend significant time and effort in order to avoid material financial loss or civil or criminal penalties.”

Had H.R. 3997 been in place, we doubt we would have heard about any of the data breaches that came to light in 2005, which affected tens of millions of Americans.

We believe individuals need to know whenever their sensitive personal information has been breached. If there is an exception at all, it should be limited to cases when there is no reasonable risk of harm.

(2) The freeze applies to victims only, yet the bill overturns state laws that give everyone the right to place a freeze.

A security freeze is the single most effective tool for consumers to prevent the financial harms that result from identity theft. A freeze works because it keeps identity thieves from opening new accounts in their victims’ names; it actually stops the granting of credit, unlike a fraud alert, which merely conditions the granting of credit. Because a freeze is a strong prevention tool, only allowing victims of identity theft the right to place a freeze, particularly while preempting state laws that give everyone the right to place a freeze, makes for bad public policy.

For example, under this bill, consumers who received a letter that their Social Security numbers had been breached would not be able to take the simple preventative step of placing a security freeze on their credit files before the Social Security number was misused by an identity thief. They would have to wait until their information had been misused in order to be considered victims and be able to place a freeze.

Any federal freeze law should easy-to-use, convenient, low-cost, and available to all consumers. For example, the New Jersey allows any consumer to place a freeze for free, caps temporary lifts at $5, and includes a regulatory mechanism that requires companies eventually to allow consumers to lift a freeze in just fifteen minutes. Some states are considering similar proposals.

(3) The bill’s weak standards are combined with sweeping preemption, making us worse off than we are today under many state laws.

This preemption applies to safeguards, duty to investigate breaches, notice of breach, and all state laws to mitigate any loss or harm resulting from the breach. Under the safeguards preemption, states couldn’t require mandatory employee bonding or screening for purposes of information protection for persons working with groups that are at particularly high risk of identity theft and financial fraud, such as seniors. Similarly, the bill would overturn a state law requiring notice of a security breach to the state Attorney General or to the local police department. The notice preemption also would preempt all other non-notice state remedies for a security breach. In fact, the latest draft makes the preemption worse.

(4) The bill sets the stage to weaken the privacy provisions of the Gramm-Leach-Bliley Act (GLBA).

The bill directs regulatory agencies that have existing regulations under GLBA to “harmonize” the requirements of those regulations with this statute. As a practical matter, this bill opens the door for federal regulators to weaken already-insufficient notice requirements to match the weaker standards in the bill. For example, the bank regulators, which currently require institutions to notify individuals when it is “reasonably possible” that information will be misused, could change the regulations so that such institutions would only have to notify when there was “substantial harm or inconvenience.”

(5) The enforcement provisions are weak.

Even if the bill had more consumer protections, there is a very weak mechanism for enforcement, with only federal agencies having the power to enforce. Enforcement is critical, for it is the “stick” that provides companies with an incentive to follow the law. Without the threat of strong enforcement, we are likely to see more data breaches and more consumer harm.

This bill limits enforcement to federal regulators. It does not provide for a private right of action or even for enforcement by state Attorneys General (AGs), even though it has been shoehorned into the Fair Credit Reporting Act (FCRA), a law that provides for both these enforcement mechanisms.

(6) The bill’s credit monitoring provision could actually hurt, rather than help, consumers.

Under the provision, a company’s liability can be automatically limited if it simply offers six months of credit monitoring, even though a breach may not result in an immediate identity theft incident and it sometimes takes victims years to find out about identity theft. Worse, nothing in the bill would prevent the “free” credit monitoring from converting, on a so-called “free-to-pay” basis, to an over-priced subscription-based credit monitoring service for $120-$150/year or more.

In addition, we understand that there may be an amendment to the Credit Repair Organization Act (CROA) to excuse credit monitoring activities from coverage under that Act. The proposed language that we have seen would undermine existing consumer protections. Credit monitoring providers have been the subject of numerous state and federal investigations for their deceptive and illegal activities.

We also are concerned that there is no assistance for non-English speaking individuals who have difficulty gaining access to their credit report. The inability of Latinos and other immigrants to access their credit report in languages they can understand means that they will be unable to file complaints and fraud alerts, and monitor their credit report for identity theft purposes. The bill does nothing to ensure that credit bureaus are required by law to provide the free report in Spanish and to create processes for non-English speaking consumers to exercise other federal rights, including fraud alerts, blocking, and disputing and correcting inaccuracies.

We are very concerned with this deeply flawed bill. These and numerous other problems with the bill could be ameliorated by instead using H.R. 3140, the “Consumer Data Security and Notification Act,” as a base text (although our organizations may have strengthening amendments to that bill as well). For example, H.R. 3140 addresses the problem of unregulated data brokers, including ChoicePoint, the company whose malfeasance started us down the road toward new legislation. H.R. 3140’s general statutory scheme for safeguarding information and requiring breach notification is much more logical and straightforward and less prone to litigation over intent than is the convoluted language of H.R. 3997, which, for example, uses variants of the word “reasonable” at least 31 times.

We look forward to working with the committee on meaningful legislation to improve the way companies protect personal information from misuse and prevent identity theft. Please contact Susanna Montezemolo with Consumers Union at (202) 462-6262 if you have any questions.

Sincerely,

Susanna Montezemolo – Consumers Union
Ed Mierzwinski – U.S. PIRG
Travis Plunkett – Consumer Federation of America
Linda Sherry – Consumer Action
Margot Saunders – National Consumer Law Center
Monica Gonzalez – National Community Reinvestment Coalition
Beth Givens – Privacy Rights Clearinghouse
Pam Dixon – World Privacy Forum
Beatriz Ibarra – National Council of La Raza
Mari Frank – Privacy Attorney
Dian Black – Calegislation
Abigail Caplovitz – New Jersey PIRG