Bankruptcy “Reform” without Other Reform, Part 1: Data Protection and Credit-Freeze Bills Are Bogged Down
When Bankruptcy “Reform” was enacted in April, many of us believed that the financial services industry’s promises to get a handle on the personal data it holds and to allow legislation helping consumers protect that data were empty. We also doubted the Congressmen and Senators who told us they would get around to meaningful credit and lending reform.
The cynicism appears to have been justified. Nothing significant has happened on either front, and barring an unexpected breakthrough, it looks like nothing will happen before the end of the year.
First, The Wall Street Journal (requires subscription) reported on November 26 that data protection and credit-freeze legislation is in suspended animation:
Identity-Theft Bills Stall in Congress
Despite a rash of highly publicized security lapses this year that had consumer advocates and business lobbyists clamoring for legislation, Congress is finding it difficult to agree on ways to reduce identity theft and to protect the privacy of consumers.
Consumer groups are pushing for credit protections that financial institutions oppose. Small banks are arguing with larger ones about who picks up the “reissuing costs” when credit or debit cards must be replaced. And everyone with a stake in the issue is debating the “notification trigger,” specifying what breaches require alerting customers.
The discord has derailed the prospect of legislation this year, and without some consensus, the outlook remains dim for next year as well.
This new reality is far removed from how things looked in February, when data broker ChoicePoint Inc. disclosed it had mistakenly sold sensitive information on 145,000 people to criminals posing as legitimate businessmen.
….. A flurry of bills was introduced, and six different committees seized on proposed solutions. Among them were the Senate Banking and House Energy and Commerce committees, run by influential Republicans who co-founded the bipartisan Congressional Privacy Caucus.
Then, in June, word came that hackers had “infiltrated” payments processor CardSystems Solutions Inc., compromising the security of 40 million credit-card accounts. The enormity of the breach sent shock waves through the financial industry and seemed to ensure a quick federal response.
….. But while everyone agreed that consumers need to know when a security breach puts them at risk for identity theft, writing the new law has proven difficult.
Many privacy advocates, casting a suspicious eye on companies that fail to secure personal information, want legislative language in federal legislation similar to the seminal California law that requires disclosure of security lapses regardless of the potential for harm. Businesses say that poses too big a cost burden for them and say notification should be limited to breaches that threaten a “significant risk” of identity theft.
Companies say notification is expensive — and so is replacing debit and credit cards. America’s Community Bankers, a trade association representing community banks, told a House panel this month that legislation should require those responsible for a data breach to pick up the tab for notifying customers and reissuing cards. It figured that reissuing debit or credit cards can cost as much as $15 each.
The debate over notifying consumers has muddied the waters so much that the Senate Judiciary Committee has approved one bill with an industry-friendly notification standard and marked up another with a tougher notification requirement. It is uncertain which one — if either — will come up before the full Senate.
It is “curiouser and curiouser,” says Ed Mierzwinski, a consumer-program director for the Washington-based advocacy group U.S. PIRG who is leading a coalition of privacy advocates. “I’m still trying to figure it out.”
The conflict over consumer notification isn’t the only one stalling legislation. Three Senate committees are divided over a provision in a bill approved by the Commerce Committee during the summer that would let consumers “freeze” their credit reports, blocking access and preventing criminals from opening new accounts under their names.
Several states already allow consumers to do just that, and proponents view the freeze as a main weapon in the fight against identity theft. But credit bureaus, banks and other financial institutions argue that freezes slow down electronic commerce and hurt consumers when they really do need credit.
….. At the end of the day, congressional inaction may be a bigger problem for business groups than for consumers. Already, half of the states have passed security-breach notification laws, and credit-freeze laws will soon take effect in another seven states. Because many of the new state laws take a more aggressive, consumer-friendly line than business lobbyists prefer, businesses have been increasingly pushing for federal legislation that would pre-empt state measures and provide a single standard to follow.
So it looks like a lot of sound and fury, signifying nothing. I don’t want to hear the financial-services and credit-reporting industries moan about having to deal with 50 different sets of rules and regulations and 50 types of credit freezes, which is where I think things are heading if meaningful federal legislation does not get through. It will be their own fault if we come to that point, and what they gained from the bankruptcy “reform” law will still far outweigh their extra compliance costs.









