ID Theft Protection Act May Not Protect So Well, Say Critics

Legislation intended to prevent identity theft may actually weaken existing laws designed to protect consumers and give more discretion to companies whose data has been breached, say critics.

The "Financial Data Protection Act of 2006" supersedes up to 20 state laws, many of which stipulate that companies must notify their customers if their identity is not 100 percent secure.  The proposed legislation, however, lets the companies decide whether or not at-risk consumers need to be notified.

"This bill has about the worst risk-based standard you could ever use," according to Ed Mierzwinski, Consumer Program Director at the U.S. Public Interest Research Group.

"About 12 states currently say that if you lose information, you have to tell the victim.  And the other states have a somewhat weaker rule, but not as weak as the one that this bill has," said Mierzwinski.

Proponents of the bill fight back, saying it will establish uniform standards for all businesses that possess personally identifiable data.

"In order for that system to work, allowing American consumers from coast to coast the ability to quickly access funds, Congress needs to pass laws that are uniform and national, eliminating what would otherwise become a ‘patchwork’ of varying state laws," said Deborah Setliff, spokeswoman for Rep. Steven LaTourette (R-OH), who sponsored the bill.

"The bill puts the burden of protecting sensitive data on the entities that hold the data, not the consumer," she added.

Some of current state laws also allow consumers to freeze their accounts for any reason — the only way to be completely secure, say critics of the new bill.

Under the new bill’s provisions, however, consumers could only suspend their accounts if they have already been a victim of identity theft.

The bill is awaiting consideration by the House Committee on Energy and Commerce.