Critics call House bill a step in erosion of consumer laws

Washington — The script has become a familiar one in Washington as
California’s consumer protections come under attack in Congress. This
time it’s the state’s law mandating strict rules for notifying
consumers when the security of their personal financial data has been
breached.

The House Financial Services Committee voted 48-17 last week for a bill
that would mandate uniform national standards for such consumer
notifications, which advocates say is a way to protect against identity
theft.

But the federal law would kill California’s new, tougher requirements
for the companies and credit reporting agencies involved in such cases.

The measure, which could come before the full House soon, follows a
House vote early this month that would gut California’s 20-year-old
trendsetting food-safety labeling law. And three years ago, Congress
passed legislation superseding the state’s law preventing institutions
from sharing customers’ financial information with most other
companies.

Industry, in case after case, has told Congress that it is unfair and
hinders consumer protection to expect them to comply with 50 different
state laws, especially when the U.S. market for services and products
is one big market, not 50 separate ones.

But consumer advocates see a disturbing trend driven by industries’
close ties to the majority Republicans in Congress, to whom big
companies have given millions of dollars in campaign contributions.

"California has been at the cutting edge of consumer protection. It rankles giant corporations," said Richard Holober, executive director of the Consumer Federation of California.

"(The corporations) have a general aggressive mood, and they have
intimate relations with this president and the Congress. These are all
laws that curb corporate greed, so they do everything they can to
overturn those laws," Holober said.

Critics of Congress and of President Bush point out that the financial
services industries have lavished millions of dollars of contributions
on the very congressmen who are supporting bids by those industries to
curb California’s laws.

The commercial banking industry has given Republican candidates $53
million since 2000, 64 percent of the industry’s total monetary
political gifts in that period.

The food and beverage manufacturing and processing industries — which
have pushed for House passage of the law that would undo California’s
food-safety law, Proposition 65 — have given Republicans about $64
million, about 70 percent of their total.

"Over the last five years, political power has been usurped from state
and local governments in a way not seen before in American history.
That may seem like just a concern for academic types, but it should
worry every American, as the power grab increasingly creeps into almost
every aspect of citizens’ economic life," wrote David Sirota, a
longtime Democratic activist who is now a Montana-based author and
blogger.

But many members of Congress point out that new federal standards —
although they reduce consumer protections for Californians — bring
greater protections for many Americans living in states with weaker
laws.

When his House Financial Services Committee held a hearing on the data
security breach problem, the panel’s chairman, Rep. Michael Oxley,
R-Ohio, took note of what was then California’s new law on the issue.
California mandated the notification of all consumers whose financial
information has been accessed by unauthorized people, whether that
accessing has caused a problem or not.

Commenting that other states were considering similar laws, Oxley said,
"It is important that this committee take a look at what is being
contemplated in the states and consider whether a national breach
notification standard would work best for American consumers."

At a subsequent subcommittee hearing, chairman Rep. Spencer Bachus,
R-Ala., said, "It is reasonable to expect that if we decide to
legislate in this area, companies should have a single uniform standard
to comply with, as opposed to dozens of inconsistent standards."

Witnesses at Bachus’ hearing included Bank of America executive Barbara
Desoer, who urged the House to take a national view. "We believe that a
national approach to information security guidelines will promote the
most consistent and efficient path to ensuring customer information
privacy is maintained," Desoer said.

She then suggested an approach mirrored by the one the committee
eventually adopted in its lopsided bipartisan vote. "Consumers should
be notified in a timely manner about any incident that could reasonably
lead to the unauthorized use of their confidential information," Desoer
said.

California consumer advocates say the two controversial words in the
committee’s bill, which is similar to a Senate version introduced by
Sen. Thomas Carper, D-Del., are "reasonably likely."

That means a company can decide when to notify consumers once it has
discovered that hackers have been at work on consumer accounts or when
data is lost, as has happened in a few incidents.

California law requires notification in all cases.

The federal bill also allows consumers to place a freeze on their
credit reports after they’ve become a victim of ID theft, not before as
the California law provides.

"Privacy is the No. 1 concern of most Americans. I don’t see how making
life easier for would-be identity thieves, as Congress seems intent on
doing, and setting the identity theft prevention efforts back five
years does anything to help people protect their privacy," state Sen.
Debra Bowen, D-Marina del Rey (Los Angeles County), said in a
statement. She is lobbying California’s congressional delegation to
oppose the proposed federal standard.

That’s what Democratic Sens. Barbara Boxer and Dianne Feinstein tried
unsuccessfully three years ago when Congress passed a law that
pre-empted the state’s crackdown on so-called affiliate sharing, the
practice by ever-growing financial conglomerates of sharing their
customers’ financial information within a family of businesses.

Congress eventually adopted, and President Bush signed, a lesser
standard that cut protections for Californians but increased them for
people in most other states.

A lawsuit eventually said that although California couldn’t regulate
information sharing among affiliated companies, the state’s residents
could refuse to give their financial institutions the right to give
their information to unrelated companies.

The food-standards legislation that would override California’s Prop.
65 faces a fight in the Senate. The House bill would override Prop.
65’s rules requiring food manufacturers to list any cancer- or
birth-defect-causing substances in their products.

The food industry has tried for almost two decades, since California
voters passed the measure in 1986, to replace Prop. 65’s rules with a
weaker uniform standard.

Opponents hope the Senate will block the legislation, in part because
37 state attorneys general of both parties have announced their
opposition. California is largely alone in the financial privacy fight,
but all other states have food labeling laws that would be changed by
the House bill.

"The Senate needs to stop this effort in its tracks," Feinstein said after House passage of the bill.

Federal vs. state

Legislation making its way through Congress could weaken some of California’s consumer protections.

Hackers: Companies would have discretion in whether to notify customers
that their accounts have been hacked into. California law requires
notification.

Food standards: California’s Prop. 65, which requires
food manufacturers to list any cancer- or birth-defect-causing
substances in their products, would be nullified.

Information sharing: Federal intervention has blocked California’s
effort to let customers stop financial conglomerates from sharing
information within a family of businesses. Customers still can block
info sharing between unrelated companies.

E-mail Edward Epstein at eepstein@sfchronicle.com.

Page A – 1

URL: https://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/03/23/MNGSDHSPK91.DTL