EDITOR'S NOTE: The name of this newsletter will change next month to "Security Strategies," reflecting its strategic approach. To complement it, Network World will also offer the "Security in Practice" semi-monthly newsletter, written by Mike Rothman. To sign up, go to our subscription page today.

Last week, the House Committee on Financial Services (HCFS) approved a proposal called the Financial Data Protection Act (FDPA) of 2005. Supporters of the bill enthusiastically point to the establishment of uniform federal rules to supersede the hodge-podge of state laws that currently mandate disclosure of privacy breaches involving consumer data.

The official summary describes the FDPA as follows: "Declares that each consumer reporter shall have an affirmative obligation to implement policies and procedures to protect the security and confidentiality of any consumer's sensitive financial personal information maintained, serviced, or communicated by or on the reporter's behalf against any unauthorized use reasonably likely to result in substantial harm or inconvenience to the consumer."

The summary goes on to define a "consumer reporter" in essence as any commercial organization that sells consumer information.

The Credit Union National Association (CUNA) wrote in its Feb. 3 letter to the HCFS that "CUNA supports the uniform, national standards in H.R. 3997, the Financial Data Protection Act of 2005, to impose data security safeguards and notification requirements on a wide range of entities engaged in the business of collecting or handling sensitive personal financial information. Currently, the privacy and security requirements of the Gramm-Leach-Bliley Act (GLBA) only apply to financial institutions." In addition, CUNA wrote, it supports "the proposed standard of 'substantial harm or inconvenience' for triggering the notice requirement."

The most problematic issue in the legislation may be that it gives the consumer reporters the unrestricted freedom to determine what constitutes "substantial harm or inconvenience" to their data subjects. A consortium of 12 privacy advocates (including the Consumers Union, the Consumer Federation of America, the National Consumer Law Center and the Privacy Rights Clearinghouse) wrote to the HCFS complaining that "The 'trigger' for notification would leave consumers uninformed in many instances when personal information has been breached."

Their letter continued: "The bill features what we could call a 'don't know, don't tell' trigger, meaning that when a company doesn't know whether there is a risk of harm, individuals are not notified. This gives companies an incentive not to conduct thorough investigations… Had H.R. 3997 been in place, we doubt we would have heard about any of the data breaches that came to light in 2005, which affected tens of millions of Americans. We believe individuals need to know whenever their sensitive personal information has been breached. If there is an exception at all, it should be limited to cases when there is no reasonable risk of harm."

Other criticisms articulated and discussed by the privacy advocates:

* The bill stops consumers from putting a security freeze on their financial accounts until they have become victims of identity theft.
* It preempts stricter state laws designed to reduce identity theft and financial fraud.
* It may start us on the slippery slope to weakening privacy elements of the Gramm-Leach-Bliley Act.
* Enforcement provisions are weak.
* Provisions for limiting firms' liability may reduce consumer protection.

I urge security specialists whose organizations are affected by this legislation to study this bill carefully and to work with corporate counsel to understand its implications. I urge all U.S. citizens to do the same from their personal perspective and to communicate with their senators.