Committee Advances Stringent Data Security Measure
March 22, 2006
The House Committee on Financial Services, chaired by Rep. Michael G. Oxley (OH), approved the following bill in a full Committee markup yesterday:
H.R. 3997, the Financial Data Protection Act
Introduced by Rep. Steven C. LaTourette (OH), Rep. Darlene Hooley (OR), Rep. Michael N. Castle (DE), Domestic and International Monetary Policy Subcommittee Chairman Deborah Pryce (OH), and Rep. Dennis Moore (KS) on October 6, 2005, H.R. 3997 would expand the data safeguards requirements of the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) to establish uniform standards for all businesses that possess or maintain sensitive financial account or identity information about consumers.
House Financial Services Committee Chairman Michael G. Oxley (OH) said, “I commend my colleagues, Reps. LaTourette, Hooley, Castle, Pryce, and Moore, who have been hard at work on this initiative to protect consumers’ sensitive information from being misused. The bill would ensure that consumers receive prompt and effective notice when sensitive information has been compromised and puts them at risk of identity theft or account fraud. This legislation is a bold next step in protecting consumers from identity thieves, computer hackers, and other criminals who will always be searching for ways to steal Social Security numbers and other personal information. It is critical that consumers have the information and the tools they need to fight identity thieves and to repair their credit histories after identity attacks.”
The Financial Data Protection Act of 2005 would: prevent data breaches by mandating a strong national standard for the protection of sensitive consumer information; require institutions to notify consumers that their information has been compromised and could be used by identity thieves; and require that institutions provide consumers with a free six-month nationwide credit monitoring service upon notification of a breach related to sensitive identity information.
Rep. LaTourette (OH) said, “The Committee’s action sends a clear message that Congress is serious about confronting the string of data security breaches that have exposed millions of consumers to harm. I’m proud to have worked with Chairman Oxley, Chairman Bachus, Ranking Member Frank and my partners throughout this process – Ms. Hooley, Mr. Castle, Ms. Pryce, and Mr. Moore. We have crafted a balanced bill that makes sure companies safeguard their sensitive information and ensures that consumers are fully protected if data is breached. I am looking forward to moving this bill to consideration by the full House in the near future.”
Recently, there have been a number of high-profile cases of compromised data files at well-known companies that are not currently under any federal data security requirements. With more and more sensitive information becoming part of the everyday exchange of records among businesses, consumers are increasingly concerned about companies’ data security policies and post-breach procedures.
Rep. Darlene Hooley said, “Since drafting my first identity theft bill with Rep. LaTourette in 2000, the number of incidents reported to the FTC has increased eight-fold. Reversing this trend requires Congress and the private sector to work together to safeguard sensitive personal information and to ensure consumers get timely, uniform information when their personal financial data is placed at risk by a security breach. Our free-credit-report law has helped consumers spot fraud; this new legislation will help stop fraud.”
Congress has passed laws establishing data security requirements for specific types of information, such as health insurance records and credit reports, and for certain industries, but has not yet established comprehensive data security requirements that apply uniformly to all companies for all sensitive personal information that could be used to commit financial fraud.
Several of the most high-profile data security breaches last year involved large data brokers that compile files from financial companies and other sources containing personal information on millions of consumers, but who are not subject to current federal data security requirements. While these data brokers provide services that assist law-enforcement efforts and create a more efficient and reliable financial services marketplace, most of the witnesses at the Committee’s data security hearings expressed concerns about the lack of a uniform national standard governing such services and highlighted the role of retailers and third-party processors in the information chain.
Rep. Castle said, "We live in a society where the flow of information is important -- this data also helps consumers every day with access to credit, price competition and even with issues related to public safety. And as businesses of all sorts invest in computer technology and the price of that technology becomes affordable, more sensitive consumer data is being collected and, therefore, needs to be held more securely. We believe this legislation is a strong step in the right direction."
The Federal Trade Commission (FTC) estimates that 10 million Americans fall victim to identity theft each year, costing consumers and businesses more than $55 billion per year. Identity theft is the most frequent complaint to the FTC from all 50 states with the number of complaints having grown for the fourth consecutive year.
Rep. Pryce (OH) said, “Our personal information needs to be more secure and this legislation takes an important step to ensuring its protection. As data breaches continue to occur at an alarming rate, it is Congress’ responsibility to set up safeguards to protect consumer data and to create a national uniform process by which companies must notify customers after a data breach has occurred.”
The Committee held four hearings in the 109th Congress to assess the need for stronger data security protections governing businesses’ sensitive personal financial information on consumers. In 2005 alone, there were over 100 data security breaches involving sensitive information on over 50 million consumers. As of March 5, 2006, another 29 breaches had been reported.
Rep. Moore said, “I’m pleased that this legislation is moving forward. Identity theft and the misuse of personal data are extremely serious problems in our society. Congress should be doing all we can to protect consumers from data breaches and create a uniform national standard to establish a level of certainty for both consumers and national businesses.”
Key provisions in the legislation include:
- Data Protection: All businesses are required to maintain reasonable policies and procedures to protect the security and confidentiality of their sensitive financial personal information relating to any consumer.
- Investigation: Businesses are required to immediately investigate any information reasonably indicating that a data security breach may have occurred.
- Notification: If the potential breach of data security may result in harm or inconvenience to any consumer, then the business is required to notify law enforcement, appropriate regulator(s), and other businesses in the transaction chain. If the potential breach may result in financial fraud against consumers causing harm or inconvenience, then the consumers must be notified through a uniform mailing.
- Financial Fraud Mitigation: Consumer notification involving sensitive financial identity information must include an offer of free credit-file monitoring for
- Uniformity: The legislation extends data protection standards across all business sectors.
Source: House Financial Services Comm.