Letter to Congress Re: the Financial Services Data “Security” Bill

Today, we enjoy a de facto national standard in which companies notify individuals nationally based on the strongest state laws when their personal information has been lost or stolen. H.R. 3997 overturns existing state notice of breach laws and weakens this de facto national standard. It requires individual notification only after the company experiencing the breach decides that the breach is “reasonably likely” to result in actual ID theft or account fraud. We call this a “don’t know, don’t tell” policy because if a company doesn’t know whether consumers will be victimized, it does not have to notify them.