June 20, 2006 at 10:20 AM ET
That lost Veterans Administration data may end up hurting you, even if you're not a vet.
Last month, the VA announced an employee had lost a computer loaded with the identities of 26 million current and former GIs. The dramatic incident has inspired outrage from lawmakers in Washington D.C. Unfortunately, that outrage has taken the form of legislation that could make things worse for all of us.
How? It establishes nationwide standards for data security that actually eliminate some consumer rights granted at the state level.
If the Financial Data Protection Act, already passed by the House Financial Services Committee, is approved by the full House later this month, millions of consumers could lose the right to freeze their credit reports. And all those notices consumers now receive after a company loses personal data? Many of those would no longer be required.
The House is expected to vote on some data security legislation as soon as next week, with the Financial Data Protection Act one leading candidate.
Before we go on, a short history lesson is in order. Let's look back a few short years, to the time before the California state legislature passed its data leak disclosure law, when we all lived in blissful ignorance, assuming the vast majority of companies took great care with our personal data. Then the California disclosure law took effect and suddenly we knew the truth. ChoicePoint, LexisNexis, Bank of America, Citibank, Wells Fargo, the list goes on and on. All sent out notifications of data leaks, and they did so because the California law required it.
Soon after this litany of leaks, there were flourishes of legislative creativity, with dozens of states imitating California's law. But there were also hurried attempts by Congress to deal with the problem. A half-dozen federal bills were drafted, most with ill-conceived provisions that pre-empted state laws.
VA case lends urgency
Fast-forward to this year. With all the other distractions facing Washington D.C., federal data leak legislation seemed doomed, stuck on the far back-burner of Congress’ stove. But that all changed last month, when the VA data leak came to light. And suddenly, there was the age-old urge to "do something" to fix the problem. So last year's legislation suddenly found room on the front burner.
Now, HR 3997 is dangerously close to passage by the entire House.
There are two clear problems with the bill: Under its provisions, only ID theft victims would have the right to freeze their credit; and companies that lose data would only have to tell consumers if there was a "significant risk" of harm. Guess who decides if lost data poses a significant risk?
The legislation would take away the right to a security freeze from about 100 million people. Legislatures in 18 states, including California, New York, Florida, and Illinois, have passed security freeze laws in recent years. These laws allow consumers to lock up their credit files, cutting off criminals' access to instant credit in their name. Freezes aren't a silver bullet, but they are the only thing consumers can do pre-emptively to protect themselves against ID theft.
This federal legislation would limit freezes to those who've already been a victim of ID theft -- a nonsensical limitation on a tool designed as preventative medicine.
If the Financial Data Protection Act were to become the law of the land, disclosure notices also would largely vanish. Had the Financial Data Protection Act been the law for these past three years, we might never have learned about the lost laptops, backup tapes, and hacker break-ins we now know are commonplace.
A large step backward
In short, passage of the bill would be a large step backward.
Fortunately, there are alternatives. A competing House bill, the Data Accountability and Trust Act (The acronym is DATA! Clever, eh?) passed by the Energy and Commerce Committee, doesn't pre-empt consumers' freeze rights. And it has a slightly lower bar for mandating disclosure notices. There are also two bills in the Senate which preserve security freeze rights. All of these measures would ease the requirements for companies to notify consumers after data incidents -- a bad thing -- but they seem to be the lesser evils.
There is great concern that the Financial Data Protection Act, which has the support of many in the financial services industry, will win the day -- at least in the House. In light of the VA incident, there is great impetus to get something passed -- particularly with the July 4 holiday and a congressional recess looming. As one consumer advocate told me, "They want to go home to the parades and say they did something for the vets."
Well, this is one case where doing nothing would be quite a bit better than doing something. If you're concerned about the safety of your personal information or you're interested in preserving rights given to you by your state legislature, now would be a good time to speak up.