PRC's Privacy Update No. 4, Iss. 3

In this issue . . .

[1] Congressional Update: Bad ID Theft Bill Will be Considered This Week

[2] Message to New Subscribers


[1] Congressional Update: Bad ID Theft Bill Will be Considered This Week

Ten days ago we alerted subscribers of this newsletter to a bad bill making its way through Congress, H.R. 3997, the so-called ìFinancial Data Protection Act.î We have just learned from our colleagues at Consumers Union in D.C. that a vote on the floor of the House of Representatives is expected this coming week (sometime July 24-27).

Although the worst of its provisions on credit freezes has been removed (details below), the bill is still a harmful one for consumer protection. We urge you to contact your

Congressional Representative with a message to oppose H.R. 3997 and instead to bring H.R. 4127 to the floor for a vote. That bill is the ìData Accountability and Trust Act.î

To find the fax and e-mail addresses for your Representative, visit this web site: But do NOT send a letter by postal mail. Letters are delayed while inspected for anthrax.

Or you can call the Capitol Switchboard at this number, (202) 224-3121, and ask to be connected to the office of your Representative.

Here's why we continue to consider H.R. 3997 to be bad for consumers. At least 34 states have passed laws requiring companies that experience data breaches to notify individuals that their sensitive personal information has been compromised. This enables consumers to take steps to prevent identity theft, such as placing fraud alerts on their three credit reports. The strongest of those state laws, including California 's, require that the breached organizations notify individuals in each instance.

H.R. 3997 allows companies to decide whether or not they think the breach will result in harm to individuals before deciding to notify individuals. This is called ìtrigger language.î We believe this provision will result in many breaches not being disclosed to the affected individuals at all. We don't think companies that experience breaches, especially when SSNs are involved, can foretell the future, at least not at this time.

To make matters worse, this bill would pre-empt all of the breach notice laws passed by states, thus wiping out strong consumer protection provisions across the country.

The trigger language in H.R. 4127 provides consumers much better protection in the event of a security breach. It requires that companies notify individuals of a breach unless it can show otherwise that there is no reasonable risk of harm ñ a much stronger trigger standard than in 3997.

And the pre-emption clause in H.R. 4127 is also much narrower. Whereas 3997 would eliminate a broad array of state laws, 4127 only targets state laws that deal with data security practices covered by this bill.

Of course, our strong preference is for NO pre-emption of state laws at all. State legislatures are much better positioned to pass laws that protect consumers' interests. Unfortunately, this is not realistic in the current Congress.

H.R. 4127 contains an additional provision that is especially valuable for consumers. It gives individuals new rights to review and dispute information held by the large data brokers such as ChoicePoint and Lexis-Nexis. This industry is unregulated at this time. Yet the data warehouses of information brokers contain detailed profiles on virtually every American adult. It's long overdue for consumers to have access to their data files and to make sure the information is correct.

The only good thing to report about H.R. 3997 is that the security freeze provision has been removed. In our previous newsletter , we explained that this bill would only allow victims of identity theft to freeze their credit reports ñ AFTER the harm has been done. We strongly believe that ALL consumers should have the ability to freeze their credit reports ñ the ultimate identity theft prevention strategy that individuals have.

For more detailed information on these bills, visit the web sites of our colleagues at Consumers Union and U.S. PIRG:


[2] Message to New Subscribers

Many of you are reading this newsletter for the first time, even though you may have subscribed months ago. We discovered a glitch in the mailing list management service that we use, and recent subscribers were not registered until earlier this week. We apologize!

This newsletter usually alerts you to new privacy guides on our web site, fraud schemes to watch out for, and from time to time -- like this issue -- activity in Congress that we think you would be interested in. especially when Congress is poised to reduce the kinds of consumer protections that we believe all individuals should be entitled to.


  To subscribe to our free email newsletter, go to