ID Theft Disclosure Law Worries Advocates

If your credit card information were stolen as part of a major online heist, wouldn't you want to know?

In the last few years, 19 states have enacted laws requiring credit card companies, financial institutions and other parties dealing with personal data to notify individuals when their information is breached. But advocates of full disclosure say a movement is afoot in Washington to weaken these laws by giving companies more flexibility over whether or not they have to notify customers.

"We have millions of Americans who become victims of identity theft each year, and we need to do as much as possible to lower that number," said Susanna Montezemolo, policy analyst for the Consumers Union, which is lobbying Congress for tough security and privacy standards.

"States have been innovators in regard to identity security; we want to know that the state will still be able to come out with effective solutions," Montezemolo told

Others, including congressional lawmakers and the companies and institutions affected by new disclosure laws, say more uniformity is needed in disclosure rules nationwide, as well as a balance between transparency and unduly spooking customers.

Atlanta-based information giant ChoicePoint, Inc., announced last winter that 145,000 personal records in its databases had been inadvertently handed off to a ring of crooks. Unbeknownst to many, it wasn't the first time the massive data aggregator had experienced a security breach.

In fact, five years earlier ChoicePoint had a similar security incident, but that was before 2003, when California became the first state to enact a law requiring companies like ChoicePoint to notify anyone in the state affected by such breaches. ChoicePoint's earlier breach was first revealed in March during the course of investigative reporting by The Los Angeles Times.

Prior to 2003, such incidents were largely kept quiet, say security analysts.

"[Companies] were used to keeping it close to the vest," said Jim Harper, electronic privacy expert for the libertarian think tank Cato Institute in Washington, D.C.

Since the February ChoicePoint incident, a string of other breaches has been reported by top names in the banking and credit card industry — Visa, MasterCard, Wachovia Bank and Bank of America to name a few — totaling more than 50 million customers who had their information, including loan histories, Social Security numbers and credit reports, lost or exposed.

Privacy and security analysts say the California law helped along the swift disclosure of these latest incidents because the national companies could not tell their California customers of the security breaches without notifying everyone.

Now, as more states pass laws similar to California's, a number of bills are pending in Congress that would create a federal disclosure standard, but critics say these proposals give the companies authority to decide whether full disclosure is required at all.

"Congress is trying to undercut all the great work of the states," said Edmund Mierzwinski, consumer program director for the U.S. Public Interest Research Groups, the national advocacy group for state PIRGs. "The states have the best laws forcing [companies] to disclose if information is lost."

The Who and When of Notification

All of the current major House and Senate bills dealing with consumer notification allow "triggers" for disclosure, meaning that in order to launch the notification process, the companies must find evidence that harm will come to individuals as a result of the security breach.

Most of the bills also have some language that would permit new federal measures to trump states' notification processes.

A number of lawmakers, banking industry associations and others who represent the institutions affected by disclosure standards say that not all breaches result in harm, and a balance of interests must be considered. Aside from unduly scaring customers even when a breach doesn't directly affect them, notification can heap huge expenses on businesses' pocketbooks and reputations, they say.

Among the bills up for consideration is the Financial Data Security Act, co-sponsored by Reps. Dennis Moore, D-Kan., Deborah Pryce, R-Ohio, and Mike Castle, R-Del. It includes a provision that calls for an investigation by the company first to decide if notification is necessary. This bill would also supersede state laws.

"If following the investigation, they find that the breach will reasonably result in fraud, then they are required to notify consumers," Moore told "We want to be reasonable here, and not impose an undue burden on the consumer or the business."

"We don't want a situation where consumers are inundated with potential breach alerts, and like the boy who cried 'wolf,' can't then recognize when their information has been put in serious harm's way," Pryce said.

Fritz Elmendorf, spokesman for the Consumer Bankers Association, said his group supports legislation that will pre-empt state laws on the notification issue, in part because banks should have the discretion of notifying only those customers who might have been specifically affected by a security breach.

Since banks and credit card companies use third parties to process all kinds of transactions, including credit reporting, an enormous amount of data is being exchanged, he said.

"It does get a little more complicated when third parties are involved, and banks would seek discretion to work with the affected parties, to have some flexibility," said Elmendorf.

"Banks are always going to err on the side of protecting consumers," said John Hall, spokesman for the American Bankers Association, which is also looking for flexibility and notification standards that pre-empt the state laws.

"If Congress does act in this area," he added, it is ABA's hope "that a uniform approach be taken so financial services and companies aren’t subject to a hodgepodge of laws."

On the other hand, Cato's Harper says the notification is just a "sideshow" to the real problem of security. He said states and consumers should have the ability to sue companies under the common law liability rule where harm by security breaches can be proven. Courts in New Hampshire and Michigan have already tested this, Harper said, and it would be a more effective way of putting companies on notice.

"Most likely, if this rule were adopted, then companies would be more proactive about protecting their consumers," he said.

Montezemolo said a bipartisan bill introduced by leaders in the Senate Judiciary Committee looks to be the least pre-emptive, in that it allows the federal government and state attorneys general, not just the affected company, to help determine whether notification is required.

"We just want to see something comprehensive for the consumer," she said.