Identity v Credit ... and States v Feds

Financial institutions are lobbying Congress in support of HR 3997, the Financial Data Protection Act of 2006, which would preempt state efforts to protect consumer identity. Currently 18 states allow consumers to initiate a freeze on their credit account -- prohibiting any new credit from being issued without their permission. HR 3997 would set one federal standard, which advocates say is more institution-friendly than consumer-friendly.

The federal law would allow consumers to freeze their credit reports only after proof of identity theft. According to the Seattle Times, in the past 1.5 years, there have been at least 90 million individual records containing personal information put at risk in 100 known data breaches.

Moreover, the federal law would undercut state efforts because it requires institutions to notify individuals "of a data breach only if the breach is 'reasonably likely' to result in identity theft." States allow the freeze if an individual's private information has been compromised.

And how are these data being "lost"? Employees taking home laptops with sensitive data - unencrypted - and losing the laptop. Ditto info on USB (thumb) drives. Companies selling surplus computers on eBay without erasing hard drives. Major institutions -- including state and federal goverments, financial institutions and universities -- have been implicated.

An alternative bill, HR 4127, the Data Accountability and Trust Act, was reported by the Energy and Commerce Committee in May. It would "require that each time a security breach of personal security is detected the intended target or victim of the breach be notified by the responsible party."

It's not too late to contact your representative on this issue. HR 3997 overview. Bill text (pdf) as well as House Committee Reports (1 - pdf, 2-pdf)

Also, see Congress must pass strongest protection of consumer data, Don't let credit bureaus sell your personal data, My identity laid bare