H.R. 3375 – The Financial Data Security Act of 2005
Q: Why is the bill important?
- Identity theft is the fastest-growing white collar crime in the United States. The nonprofit Privacy Rights Clearinghouse says there have been 80 data breaches in the U.S. since February, involving the personal information of more than 51 million people. The Federal Trade Commission (FTC) estimates that identity theft costs consumers and businesses more than $55 billion each year. Identity theft is the most frequent complaint to the FTC from all 50 states, with the number of complaints having grown for the fourth consecutive year.
- What takes only seconds for a hacker to destroy can take weeks and months for companies and individuals to rebuild. A thief can jeopardize a person’s financial security by opening new lines of credit or procuring unsecured loans under a person’s name.
- Victims of identity theft spend on average 90 hours of their own time and $1,700 in out-of-pocket expenses in their attempts to resolve the problem.
Q: What does the bill do?
- All companies storing sensitive information on consumers must have data security policies and procedures.
- The legislation more clearly defines what a harmful breach of information is and puts in place a uniform national standard for data breach notification. Such a standard will ensure that consumers receive clear instructions and assistance when a breach of their personal information has taken place.
- If there is unauthorized access to personal identity information that is reasonably likely to result in misuse of the information, then the company has to notify the potentially affected consumers, and in some cases other entities involved in the transactions (card issuers, etc.). There is a safe harbor from lawsuits if certain mitigation services are provided (e.g., credit monitoring). These standards are uniform nationwide (i.e., preemptive), are further described in regulations to be issued by the Federal Trade Commission, Treasury, and Federal Reserve Board, and are enforced by each entity's functional regulator.
- It should be noted that this legislation is the only one out there that says it’s the breached company’s responsibility to pay for the notice — they lost the sensitive information, they need to take responsibility and make sure they are properly protecting personal financial information in the future.
Q: Would the bill preempt state laws?
- Yes, the bill would preempt state law. However, as only 13 states and one city (a New York City ordinance) have laws on the books currently, uniformity needs should outweigh preemption concerns.
Q: Why does the bill only notify consumers if it’s reasonably likely to result in the misuse of the information?
- Consumers would be inundated with alerts if notified every time their data was potentially breached. And like the boy who cried wolf, they may not then recognize when their information has been put in serious harm’s way.
Q: When can we expect Congressional consideration of H.R. 3375?
- In September, the Financial Institutions and Consumer Credit Subcommittee of the House Financial Services Committee will hold hearings on the bill. Once the Committee marks up the bill, it would be ready for consideration by the full House.