Sunday, March 19, 2006

Will Special Interests Place Business Interests over People in Breaches of Personal Data

Fraud and Identity theft have become a worldwide epidemic in the internet age. Starting with laws in California, there has been a movement to better protect the victims of these crimes. The Consumers Union has a list of laws passed nationwide to protect people from becoming a statistic.

A new Federal law, the Financial Data Protection Act of 2005 (H.R. 3997), which recently passed the House Financial Services Committee on a 48-17 vote is drawing fire from consumer groups.

Reuters, who broke the story, is reporting:

"A U.S. House panel on Wednesday started debate on legislation to protect consumers' sensitive financial information, but agreed to set what some in the financial industry see as a low standard for triggering investigations and other steps required after a data breach."

For the full story from Reuters:

US House panel weighs consumer data security bill

Consumer advocates are warning that this proposed legislation will do nothing more than water down existing State laws. In fact, according to the Consumers Union, eleven States already have a higher standard. The proposed Federal law, which essentially lets the companies decide, whether the victims of breach should be notified, is a major step backwards.

All we have to do is look at the most recent case involving debit cards. It appears (I say that because no one is confirming anything) Visa and Mastercard knew of the problem at least a month before it was made public. The story broke with Bank of America and shortly thereafter, it was disclosed that Wells Fargo and Washington Mutual were involved, also. First, we were led to believe that the breach was in Northern California, but ever so slowly it seemed to move across the entire country. Then Boing Boing (a blog) broke the story that Citibank was involved and that PIN based transactions had also been compromised.

Of course, no one is admitting to the point of compromise, but then again, it seems to point to Office Max and Sam's Club.

Are special interest groups pushing this legislation to protect business interests over the people compromised? In fact, some might even speculate that the current rush to push this bill forward (after it sat in committee for a long time) is to prevent fall-out to the corporations involved.

U.S. Pirg (Public Interest Research Group) is already calling the bill a step backwards. In fact, Ed Mierzwinski (Consumer Program Director) said:

"Today, the Financial Services Committee voted for the worst data security bill ever. Rather than voting to protect consumers, the committee made things worse. All consumers should have the right to sleep at night without worrying about identity theft. This bill takes us in the wrong direction."

Here is a link to a blog entry that states how U.S. PIRG and the Consumers Union feel about this legislation.

Susanna Montezemolo, a policy analyst with Consumers Union, told Internet News:

"It is ironic that after a year in which over 55 million Americans' identities were put at risk through preventable data breaches, the House Financial Services Committee would repeal state laws that have protected consumers from identity theft."

The financial industry needs to wake up and smell the coffee and so do our elected representatives. Many of these breaches were caused by information not being protected properly and or human error. Now, the people, who lose the information and expose millions get to decide when their victims will be notified?

The bills reeks of the "Fox watching the Hen House."

Another scary thought is the "point of compromise" premise. The latest debit card breach has proven that most of these companies aren't going to be forthcoming with any information that might implicate them. In most "identity theft" cases, the point of compromise is never discovered. This means that few disclosures will ever be "triggered" under the current form of legislation.

Failure to disclose the truth leaves people, who have been targeted to become victims vulnerable. In fact, it seems to make the crime easier to accomplish. CalPirg did a study on a law enforcement perspective on identity theft. Some of the law enforcement opinions were to make credit issuers pay for the damage they cause and require stricter controls on credit issuance.

It's interesting that those in law enforcement, who have to investigate these crimes, feel so strongly about it. They seem to display almost a disgust for how easy the "credit issuers" make it to commit these crimes.

Perhaps, the solution is for everyone, who thinks they have been breached to write the elected representatives and call for a better version of this law.

Here is a site, where you can write to them and let them know how you feel.

No comments: