HR 3997, as passed by the House Financial Services Committee, imposes a terrible uniform federal breach notification standard, whose risk test is so high that it will not result in warnings to potential victims (it's a "don't know, don't tell" standard, and if it were the law, we'd never have learned about any of the breaches that have occurred from ChoicePoint on); eliminates 18 strong state security freeze laws available to protect all 149 million residents in those states (HR 3997 says you must be a previous victim to protect yourself with the freeze: that's like saying no seatbelts until you've already been in a car crash); explicitly prohibits state attorney general enforcement of the law; fails to rein in data brokers like ChoicePoint; and sweepingly preempts all stronger state privacy and identity theft laws and prevents further state leadership.
It is important to note that we oppose HR 3997, the Financial Data Protection Act, as passed by the Financial Services Committee. Under House procedures, the bill was then referred to the Energy and Commerce Committee, which substituted HR 4127 (the DATA Act) for HR 3997. In this version of HR 3997, we oppose the italicized section, which is the original bill as passed by the Financial Services Committee (pages 2-68). The remainder of the bill, in boldface roman (pages 68-108), is the Energy and Commerce DATA bill, which is much better, but we cannot offer unqualified support due to its (much narrower than HR 3997) state law preemption. See the letter for details.