Thursday, March 23, 2006

Utah Governor Signs New Credit Freeze Law

March 23, 2006 – On Monday, Utah Governor Jon Huntsman, Jr. signed 16 bills into law. Among them is a credit freeze law with a unique twist. The law was supported by major consumer groups, but they are not the only ones who are happy with the law. The bill was supported by virtually every major business group in the state; making it an anomaly among the states that have already passed or are considering credit freeze legislation.

Utah’s credit freeze law allows any citizen of the state to freeze their credit file for any reason. Individuals who have become victims of identity theft have the right to freeze their files for free. Those who are not victims of identity theft will have to pay a fee of $10 to each of the three major credit repositories. These features are fairly standard among the states that allow their citizens to place a freeze on their credit file.

What makes the Utah law unique is that citizens of the state will be able to lift a credit freeze on 15 minutes notice using a PIN number. No other state has mandated that the credit reporting agencies allow this. The systems used in other states can take up to a week for a freeze to be lifted.

The PIN requirement will mean that citizens of Utah will still have access to instant credit. No other credit freeze bill in the country provides this kind of access, which is the reason that major business groups have opposed virtually every other credit freeze proposal.

The large credit reporting agencies voiced strong objections to the PIN requirement, saying that they did not possess the technology to comply with the law. The law gives them two years to develop and deploy PIN technology that will bring them into compliance.

The new law also contains a data breach notification provision. This provision requires companies that store consumer data to notify consumers when their data has been exposed without authorization. This type of exposure can lead to identity theft.

The only two groups which engaged in active opposition to the Utah law right up until it was signed were the credit reporting agencies and data brokers. Even so, the law saw some unfortunate revisions just prior to the time it was passed by the state assembly, earlier this month. One clause that was added to the law prevents individuals from suing if their data is exposed, or if the credit freeze is violated. The responsibility for enforcement lies with the State Attorney General.

Another provision limited the scope of the credit freezes. Insurance companies and other companies that use credit reports to set rates will still be able to access them under the law. The unfortunate truth is that this single provision significantly weakens the law, and does not do enough to protect the privacy of consumers. This weakening was lobbied for heavily by the insurance industry, which uses credit reports to set insurance rates.

It should be noted that the new Utah law, along with other credit freeze laws in 13 other states and data breach laws in 23 other states, is in jeopardy. Congress is considering federal legislation that would usurp any state laws that allow credit freezes or require notification of consumers when a data breach occurs.

HB 3997, intentionally misnamed the Financial Data Protection Act, would set a weak federal standard for data breach notification. It would also allow consumers to freeze their credit file ONLY if they had already become victims of identity theft. Although there is stiff opposition to this legislation from privacy rights activists, including ACCESS, there is strong support in Congress for the bill. This is largely due to the amount of money that data brokers and the financial services industry donate to in the form of campaign contributions.

Even so, if Congress hears loud and clear from voters that they want to see the Financial Data Protection act defeated, they will listen. The best way to inform your elected representatives that you want this bad legislation defeated is to call them. When you call, a staff member will ask for your name and where you live so don’t be surprised when you are asked for this information.

You can get the phone number of your elected representatives by filling in the form below. When you press the button, the phone numbers of your Senators and your Representative in the House will be displayed immediately.

ACCESS is urging all concerned citizens to take just a couple of minutes of time and place these calls.

Technorati Tags : , , , ,













action="javascript:getReps();">

























Instant Congress Phone Number Lookup



Street number and name only:




Zip Code (5 digits):



















Tuesday, March 21, 2006

Missing Tape With Consumer Data Causes ABN AMRO To Change Data Transfer Methods, Highlights Folly of Proposed Federal Legislation

In November of 2005, ABN AMRO Mortgage lost a computer tape containing the financial information of more than 2 million residential mortgage clients. The tape was being used to transfer updated credit information to Experian; one of the three major credit reporting agencies. The tape had been shipped using DHL and disappeared while in transit. Although the tape was later recovered, the incident and its ensuing bad publicity has been enough to get ABN AMRO to change the way that it handles consumer data.

ABN shipped the tape to Experian on November 18, 2005. From that point it is unclear where it was, or who had access to it for the next month. It was discovered by DHL employees on December 19, 2005 and it was missing its air-bill.

DHL repackaged the tape and sent it back to ABN but by that time, the FBI was involved in an investigation. Once the tape was recovered, the company began notifying consumers about the data loss and recovery.

There was never any doubt that ABN AMRO Mortgage would begin notifying consumers of this mishap. The tape contained data on 201,495 California consumers. This meant that by California law, ABN had to notify those consumers that their data may have been exposed to identity thieves. ABN was left with little choice but to notify all consumers that may have been exposed, regardless of the state in which they reside.

Although the loss of the tape was inconvenient for consumers, the publicity surrounding it has had some positive impact on ABN. At the time of the loss, ACCESS publicly questioned the wisdom of shipping consumer data via a messenger service. Electronic data transfer is significantly more secure when it is done correctly. Well, apparently ABN agrees. Following the loss of the tape, ABN suspended all future physical data tape transfers. The company has now switched to electronic data transfer.

The ABN incident is noteworthy for a couple of reasons.

First, state laws in California, and 19 other states at the time of the incident, forced ABN to notify the public of the data loss. These notifications allowed consumers to take additional action to protect their identities’. In the states that allow it, consumers were even free to freeze their credit file; making identity theft nearly impossible.

Second, the incident points out that when you shine the light of day on data breaches, companies will change their business practices. These changes benefit the public but they are expensive and embarrassing to the businesses that are forced to make them.

Over the past few days ACCESS has been talking about a bill that is moving through Congress; HR 3997. If that bill had been law at the time that DHL lost ABN’s tape, no consumer notifications would have been required. Furthermore, it is highly doubtful that ABN would have made any changes to their business practices.

Among other things, HR 3997 overrides state notification laws in favor of a weak national standard. Under that standard, businesses are allowed to determine on their own if a data loss could lead to identity theft. If their determination is that the risk is minimal, no notification is required.

The bill also overrides any state laws that allow consumers to freeze their credit file. Under HR 3997 only those who have already become victims of identity theft will be given this privilege.

And finally, HR 3997 takes away the power of State’s Attorney General to enforce the law. All regulatory authority is given to the FTC. The FTC is currently in charge of identity theft matters at the federal level, and has already proven that it is incapable of controlling it.

HR 3997 is backed by the banking industry, insurance companies and data brokers. All of these industries have lobbied hard to win passage of this bill, which has a nearly identical counterpart moving through the Senate. If you would like your congressional representatives to oppose this bill, you can let them know how you feel by clicking here and submitting a letter to them.

Technorati Tags : , , ,

Monday, March 20, 2006

Federal Government Declares War on Financial Privacy

Has the federal government declared war financial privacy? The question is more than rhetorical. A variety of actions on the part of the federal government indicate that financial privacy is the last thing that it believes anyone has a right to. The latest indicator of this is a proposed IRS rule change that will allow your tax preparer to sell you tax data – all of your tax data – to the highest bidder and leave millions exposed to identity theft.

Under the new rule, your tax preparer would be aloud to ask you to sign a permission slip, allowing the sale of your data. While consumers would have the right to refuse, the change would open up a Pandora’s Box of abuse opportunities.

The data that would be sold could prove to be quite valuable to marketers, data brokers and identity thieves. Once signed, consumers would have absolutely no control over whom their tax preparer was selling their data to. And all of the data contained in a tax return could be included. This information includes Social Security Numbers, dates of birth and current contact information. For many taxpayers that file long returns, additional information such as brokerage accounts and bank account numbers are also included.

The opportunities for consumer abuse may be too large for some to resist. The rules change would make it simple for a tax preparer to "slip" the consumer consent form into a tax return. Consumers commonly hear the phrase "sign here" from their accountant and don’t think twice about signing.

It would only be a matter of time before this kind of behavior became the norm.

And if history is any indicator – and it usually is – other abuses would almost certainly occur. Among these would be forged permission slips; some by dishonest tax preparers and others by those filing a tax return using a stolen identity. Either of these could prove disastrous for unsuspecting victims because once the data is released, it can’t be recalled.

The proposal comes at a time that Congress is seriously considering weakening state laws on privacy and identity theft.

Last week HR 3997 erroneously named the Financial Data Protection Act passed out of the House Financial Services Committee for consideration by the full House on a 42 to 17 vote. The bill, which is commonly referred by privacy advocates as the "worst data breach notification law ever" has a nearly identical counterpart in the Senate.

In a nutshell, HR 3997 will set an extremely weak federal standard for corporate notification of consumers when their data is stolen. It will override stronger notification laws currently in place in 23 states. The law would also end all state laws that allow consumers to freeze their credit files. This is the only known way to prevent identity theft.

The most likely buyers of consumer data from tax preparers are the large data brokers. If the rule change takes place, it could actually happen at exactly the same time that HR 3997 becomes law; weakening the regulation of these same data brokers. The end result of such a rule change would inevitably be invasions of privacy, financial fraud and identity theft.

It should be pointed out that a wide variety of studies have shown that more than 9 out of ten consumers want stronger privacy laws.

The IRS will hold a hearing on the proposed change on April 4th in Washington, DC.

Technorati Tags : , , , , , , , , , , , , , , , , , ,