March 10, 2006

House panel to consider data security bill

By Kristin Roberts

WASHINGTON (Reuters) - A U.S. House panel next week will
consider legislation aimed at protecting consumers' sensitive
financial data after a string of high-profile breaches reported
by banks and credit card issuers.

The House Financial Services Committee said it would hold a
mark-up, where committee members debate various provisions of
the proposed legislation, on Wednesday at 10 a.m.

The bill lays out requirements for companies to investigate
data breaches and notify consumers. It could pre-empt state
data security laws, easing compliance for banks.

The effort on Capitol Hill to tighten data security rules
comes as consumer groups voice concerns about identity theft
following a series of reports in recent years from banks, card
issuers and retailers of compromised or stolen data involving
thousands of accounts.

Most recently, Citigroup Inc., the largest U.S. bank, said
money had been illegally withdrawn from customer accounts on
debit cards used in Canada, the United Kingdom and Russia.

Bank of America Corp. and Washington Mutual Inc. recently
blocked and reissued some credit cards to protect customers
after Visa USA, the credit card association, reported a data
security breach at a U.S. merchant.

Merchants and credit card processors are not allowed to
store a host of sensitive data, according to Visa and

That includes personal identification numbers, or PINs,
used to withdraw cash, the three-digit code on the signature
panel, and data on the magnetic stripe on the back of credit

A Visa spokeswoman would not comment on recent data
breaches because of continuing investigations, but she pointed
to inappropriate data storage as a cause of criminal activity.

"I can tell you generally that one of the biggest causes of
criminal activity is from the inappropriate storage of this
card information," said Rosetta Jones, a Visa spokeswoman.

Committees in both the House and Senate are considering
separate financial data security legislation that would require
companies to implement tougher security standards and to notify
customers, law enforcement and credit-reporting agencies
whenever there is a breach.

Senate Banking Committee Chairman Richard Shelby, an
Alabama Republican, has called data security a priority for
2006, and said it should be designed to complement existing
protections in the Gramm-Leach-Bliley Act of 1999 and the Fair
Credit Reporting Act.

A U.S. bank regulator, Comptroller of the Currency John
Dugan, recently said Congress should look to a national data
security standard that would pre-empt states' laws as long as
rulemaking and enforcement are left in the hands of financial
regulatory agencies.

He said non-bank financial institutions and other companies
should either be subject to existing bank security provisions
of the Gramm-Leach-Bliley Act or subject to a new national
security standard that applies to both bank and non-bank

He said multiple standards or rules that vary from state to
state would be costly and may be ineffective.