« iBill Says Stolen Data Does Not Belong to Them | Main | GuardMyCreditFile rips feds over looming privacy crisis »

Data breach bill creates firestorm of controversy

There’s been a lot of noise about HR 3997, also called the Financial Data Protection Act. I'm a few days behind on this.

The CALPIRG blog (Ed Mierzwinski) writes about this bill here first and then about a later draft here the same day, calling it “easily the most problematic, preemptive, loop-hole-ridden and industry friendly proposal that has a chance to move in the Congress.” Frankly, I don’t care if it’s “industry friendly.” That doesn’t make any bill instantly a bad thing in my mind. But what I do care about is if the bill might be a compromise that is harmful to people without substantial benefit to us as a whole. CALPIRG also says, “Had H.R. 3997 been in place, we doubt we would have heard about any of the data breaches that came to light in 2005, which affected tens of millions of Americans.”

Why? Because according to this letter by a group of consumer advocates and experts, the data breach notifications are terribly weak:

The bill features what we could call a “don’t know, don’t tell” trigger, meaning that when a company doesn’t know whether there is a risk of harm, individuals are not notified. This gives companies an incentive not to conduct thorough investigations. Moreover, under the bill, notice is only required if there has been or is reasonably likely to be misuse “in a manner causing” “substantial harm or inconvenience against the consumer to whom such information relates.” Substantial harm or inconvenience exists only where there is “material financial loss,” “civil or criminal penalties” or the “need to expend significant time and effort in order to avoid material financial loss or civil or criminal penalties.”

Ed, in his blog, goes on to write about another problem: “The latest draft of HR 3997 includes a new section that preempts stronger state freeze laws and implements a weak "victims with police reports" only federal freeze.” What this means is that the bill would take away the right that some states (12, I believe) have granted: the ability to freeze your credit file at any time, with or without a police report. I agree: rolling back these rights in favor of a weak federal law is nuts. Now you may be wondering about the terms “credit freeze” versus “fraud alerts.” The bottom line is that fraud alerts on your credit files are very weak, but a credit freeze blocks all access to new fraudulent credit granted in your name via a credit bureau. CALPIRG explains:

Giving the right to a security freeze only to ID theft victims is locking the door after the horse has already left the barn. All consumers should have the right to sleep at night without worrying about identity theft, by placing a freeze on their accounts. It's the only proven way to stop identity theft before it starts. This important right should not merely be provided after you've already become a victim. In fact, granting the right to a freeze only to victims runs counter to industry's basic lobbying claim that existing fraud alert rights are already adequate protection to victims against repeat occurrences. (By the way, they're not: (1) fraud alerts are only available to some consumers and (2) they don't absolutely stop credit granting. Presence of a fraud alert merely subjects the creditor to potential liability if it doesn't do certain things.)

The consumer advocates attacking HR 3997 also claim these additional problems: (a) the bill has baked in a large swath of preemptions, nullifying a number of state laws which protect consumers; (b) the bill sets the stage to weaken the privacy provisions of the Gramm-Leach-Bliley Act; (c) the enforcement provisions are weak; and (d) the bill’s credit monitoring provision could actually hurt, rather than help, consumers.

Wow, some very powerful arguments against this bill. Well, read the letter and decide for yourself. Consumers Union, one of the signees of the letter, also has a web site about this at http://www.financialprivacynow.org.

Computerworld wrote this article and points out that backers of the bill,

argue that a federal law is needed to reduce the complexity involved in dealing with the variety of often-conflicting state requirements. They also claim that raising the bar on notifications is crucial because current state laws are leading to a climate of overnotification with very little real justification.

Computerworld failed to mention who the backers of the bill are. It’s groups within the banking, financial services, and insurance industries. I will try to post opposing opinions here, so you get both sides. More to come.

Comments

Even ChoicePoint has issues with HR 3997! CreditBloggers.com has an exclusive interview with a ChoicePoint insider about consumer privacy and identity theft online today - http://www.creditbloggers.com/2006/04/12_questions_fo.html

We have moved to www.mytruston.com/blog




Creative Commons License
This work is licensed under a Creative Commons Attribution 2.5 License.