Thursday, Sept. 14, 2006 | Among the bills Congress may take up this month, if national security and immigration issues don’t overwhelm the entire agenda, is an alarming measure that would pre-empt state consumer laws designed to protect personal and financial data from identity thieves.
H.R. 3997 is euphemistically called the Financial Data Protection Act, which sounds like your personal information is going to be locked in a vault somewhere. But if lawmakers were more forthright, it would be called the Protect Banks and Data Brokers from Pesky State Privacy Laws Act.
That’s not to say that the bill’s sponsor, Steve LaTourette (R-OH), set out to give favors to the financial services industry or that he’s not well-intentioned. In fact, LaTourette pushed for the law that now entitles you to a free copy of your credit reports each year. And, overall, the bill is intended to create data security standards that prevent breaches in the first place, which is important. Hurrah LaTourette!
I also don’t mean to suggest that it wouldn’t be great for consumers and businesses to have a national standard for data security and consumer credit protection. But that standard should be as strong as, or stronger than, the best state protections out there. It isn’t.
The bill pre-empts state laws that are better. For example, California law states that residents may place a permanent “security freeze” on their credit reports to prevent anyone from obtaining credit in their name. (You can’t apply for credit without a credit history and you can’t get that without access to credit reports.) The freeze can be temporarily lifted within three days when you need to apply for credit. The process is easy and inexpensive in California, involving nothing more than a short letter to each of the credit bureaus along with $10 each. Vermont took this concept a step further by entitling all Vermont residents to activate security freezes free of charge.
LaTourette’s bill, as reported by the House Committee on Financial Services, would only allow victims of identity theft to freeze their credit reports, which makes no sense at all considering all the data we now have on how long it takes to repair credit damaged by identity theft. It shouldn’t surprise anyone that the organizations supporting this measure are the same people who traffic in your personal data, such as the banks that extend credit and have an interest in your ability to get it quickly.
The list of the bill’s supporters includes the U.S. Chamber of Commerce, Mortgage Bankers Association, American Financial Services Association and the Financial Services Coordinating Council, which represents banks, insurance companies and securities firms. Oliver Ireland, an attorney representing the Council, told the House Subcommittee on Financial Institutions and Consumer Credit last November that establishing a national right to security freezes “could significantly disrupt the credit-granting process by preventing consumers from obtaining credit without going through time-consuming procedures to remove or temporarily lift security freezes.”
Translation: it will be harder for us to sell consumers on our instant credit and pre-approved offers if they get a chance to think about whether they really need the money. Correct me if you’ve ever experienced a desperate emergency need for credit, but I’m not aware of any credit needs that can’t wait the three days it takes to lift a security freeze.
I love how all these financial services industry advocates always couch their arguments in concern for consumers. A separate provision of the bill winning praise from credit lenders and data collectors states that these entities must notify consumers whenever there has been a security breach that may cause them harm or inconvenience. By comparison, California, which has the toughest law on this subject, requires notification every time a breach occurs whether or not the breach involved encrypted data or appears likely to be used for identity theft. Statements made by the financial services industry in support of the bill paint a worrisome portrait of confused, desensitized or hapless consumers being inundated with too much unsolicited mail. The fact that these are the same organizations that mail unsolicited credit card offers to consumers day after day after day is apparently lost on them.
I don’t know whether it’s necessary to be notified every time my personal information is compromised because I assume it’s compromised anyway. And I’ve never received a single security breach notification despite having lived in California since the law was passed in 2003, so I doubt anyone is seriously being overwhelmed with mail. But if Congress is going to give industry room to decide whether harm or inconvenience are likely to occur, they need to define the terms very specifically.
Meanwhile, LaTourette is reconsidering the security freeze provision in response to Vermont’s recent changes, according to spokeswoman Debbie Setliff. LaTourette now believes that anyone should be able to freeze their credit report regardless of their status as a victim of ID theft, and maybe, that they should be able to do so free of charge, she said. A separate version of the same bill reported by the House Committee on Energy and Commerce eliminates the freeze language altogether. Which bill actually makes it to the House floor or whether some hybrid emerges is up to the House leadership.
The bill may also be amended on the House floor, so write to your representatives now to demand that consumers in all states be given the right to a security freeze regardless of whether they’ve been victims of ID theft. In a world where data collection and sharing is its own industry, a security freeze is the best protection you’ll ever have.