Congress Considers Bill to Help Keep Your Financial Data Safe

WASHINGTON -- If your credit card information is stolen and used to make large purchases unlike those you've made in the past, it only makes sense that you would want your creditor to notify you. But what if you used a temporary credit card and a hacker obtained that information? Would you really care if someone had access to expired account numbers or other such information that won't compromise your safety and financial security?

Business professionals on Capitol Hill Wednesday said no and told lawmakers yesterday that the lack of distinction between critical and inconsequential data is one of the major flaws in a data security bill moving through the House.

The bipartisan proposal, HR 3997, the Financial Data Protection Act, which is now before the House Financial Services Committee, would protect private consumer data kept by businesses in credit reports and require businesses to notify consumers when data was accessed if, according to a release from Congress, "it could possibly be misused in any way."

"Many consumers get these notifications and they raise more questions than they answer," said Evan Hendricks in an interview. Hendricks, who publishes Privacy Times, a newsletter covering information law and policy, was one of those testifying in the hearing held by the House subcommittee on Financial Institutes and Consumer Credit. Hendricks says the legislation would merely water down the accountability of businesses.

"[The bill] fails to . . . [create] a right to freeze disclosure of one's own credit report," Hendricks said in written testimony submitted to the committee. "If interpreted in a draconian fashion, it would conceivably pre-empt some 12 state laws allowing consumers to 'freeze' disclosure of their credit reports."

Twenty-two states have laws designed to inform consumers of security breaches, according to Hendricks.

Julie Brill, assistant attorney general for Vermont, testified that state attorneys general believe that if Congress doesn't pass a stronger security breach standard than that proposed in the legislation, it should leave the matter solely to the discretion of the states.

"The benefit of the doubt [for this legislation] should be given to the consumer and identification," Brill said.

Brill calls the measure "not an ugly child, but one that's failing in class and is in need of help," and Hendricks labels it "The Titanic Chair Reorganization Act."

Rep. Jeb Hensarling, R-Texas, questions whether businesses have incentives to avoid security breaches or, if they occur, to disclose them. But Karl Kaufmann, speaking on behalf of the Chamber of Commerce, says publicity surrounding security breaches is a strong incentive.

"People in the marketplace pay attention," Kaufmann replied. "[If you get breached], your business's name goes on the front page, and the stock drops."