[Congressional Record Volume 151, Number 106 (Friday, July 29, 2005)]
[Extensions of Remarks]
[Pages E1743-E1744]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                THE CREDIT CARD MESS--CONGRESS MUST ACT

                                 ______
                                 

                           HON. JULIA CARSON

                               of indiana

                    in the house of representatives

                         Friday, July 29, 2005

  Ms. CARSON. Mr. Speaker, yesterday I introduced H.R. 3501, the 
``Consumer Access Rights Defense Act (CARD) of 2005''. My bill is in 
response to the disastrous breach of credit card information and data 
privacy and continuous exposure of fraud suffered by millions of credit 
card consumers across the country.
  My CARD ACT would require any data processing, credit or debit card 
businesses or other financial institutions to notify individuals when 
there has been a security breach compromising anyone's sensitive 
personal data, including Social Security numbers, driver's license or 
state identification numbers, credit or debit cards, or other financial 
account information.
  Should any financial data be compromised, the bill will require 
notices be sent out by mail or e-mail without unreasonable delay. The 
bill will allow impose civil remedies for failure to notify; $1,000 per 
individual whose personal information was comprised or not more than 
$50,000 per day while failure to notify continues. The bill allows 
persons to sue for damages resulting from a data breach. The bill 
permits the placement of extended fraud alerts on credit reports. 
Finally, the bill will allow the Attorney General of every state to 
protect the interests of residents of their States when the federal 
government or businesses fail to notify individuals of a breach.
  The bill covers both electronic and non-electronic data as well as 
encrypted and non-encrypted data. Furthermore, the bill sets a national 
standard so that individuals across the country have the same 
protections.
  The law would be enforced by the Federal Trade Commission or other 
relevant regulator, or by a State attorney general who could file a 
civil suit. Individuals cold sue for actual damages.
  Like most Americans, I was shocked to learn that the names, bank 
account and credit card details of possibly 40 million credit card 
holders have been exposed to fraud. Forty million accounts were 
exposed, and records pertaining to at least 200,000 admittedly were 
stolen, primarily MasterCard and Visa cards. Undoubtedly many people I 
represent could be affected by this disastrous breach of what credit 
companies and banks repeatedly have assured the public is a secure 
credit card system.
  It is true that credit card holders are protected under Federal laws, 
including the Truth in Lending Act, which makes it illegal for banks to 
charge victims of credit card theft more than $50, despite the cost of 
purchases made on the card. And most banks have zero-liability 
policies, removing any financial responsibility of credit card theft 
from the cardholder. While the compromised data is said not to include 
addresses or Social Security numbers, the stolen information 
potentially can be used in turn to steal individual citizen's credit 
identify. Nearly 10 million people are victim of identity theft each 
year, costing consumers $5 billion in out-of-pocket losses and 
businesses $48 billion, according to the Federal Trade Commission. And 
that counts only the money loss. The Identity Theft Resource Center, a 
non-profit group based in San Diego, estimates the average victim 
spends about 600 hours trying to clear up credit problems after an ID 
theft.
  Within days after this massive card data theft, some of that data was 
being bought and sold brazenly on the Internet by thieves who broker 
such information worldwide operating out of Russia and other Eastern 
European nations.
  The irony of why and how the American people learned that 40 million 
of them, as well as others, had their financial privacy invaded should 
not be lost on my colleagues in this House.
  We found out about this only because the State of California has a 
law which forces credit card companies to notify consumers when such 
theft happens. The Federal government has no such law, although those 
of us concerned about consumers rights are going to do our best to see 
that one is adopted quickly. At the very least, I believe, a person 
whose credit card information has been stolen or otherwise compromised 
has a right to swift and accurate notice from the issuing company or 
bank. For consumers fast notice of such a breach is the first, and 
sometimes, the only defense they have.
  As member of the House Committee on Financial Services and of the 
Subcommittee on Financial Institutions and Consumer Credit, I am very 
much aware of the many credit information breaches that have occurred 
recently and over many months before. So many incidents like this have 
taken place, that I hope that this finally will spur the Congress to 
enact legislation to curb these frauds and protect consumers in the 
future.
  While huge in numbers, the breach disclosed at CardSystems Solutions 
Inc. in California was not the first such attack on a card processor. 
In 2003, a Nebraska company called Data Processors International Inc., 
part of TransFirst Holdings Inc. had a similar breach and as many as 8 
million account numbers were vulnerable. Earlier this month, Citigroup 
Inc. said UPS lost computer tapes with sensitive information from 3.9 
million customers of CitiFinancial, which provides loans. Other 
companies, including Bank of America Corp., DSW Shoe Warehouse and 
BJ's Wholesale Club Inc., and CVS Drug Stores have also suffered 
extensive data theft.

  While banks and credit card companies may have tighten their own 
security, they obviously have failed to force payment processors to 
meet similar high standards. Companies such as J.P. Morgan Chase & Co., 
Citigroup Inc., American Express Co. and MBNA Corp. said that they were 
not automatically alerting their customers that their information may 
have been exposed, but that they were ``more closely monitoring the 
accounts'' that may have been affected.
  That simply is not good enough.
  What happened in California has placed a needed spotlight on a little 
known, but highly sensitive part of the financial services industry; 
the hundreds of companies that process transactions between merchants 
and card issuers.
  Edmund Mierzwinski, consumer program director at U.S. Public Interest 
Research Group, says that in his opinion ``information travels through 
the credit system and stops in so many places where it could be 
illegally used

[[Page E1744]]

that consumers have no idea what a hodgepodge of a system the credit 
card companies have created.'' He pointed out that the system is mainly 
designed to extract fees from consumers and businesses, ``but very 
little of it is designed for security.''
  Even though many states are following California and adopting new 
laws, we in Congress should not drag our feet on this national issue 
anymore. We need federal protection for our people, at the very least, 
consumers have the right to know quickly when their private information 
is compromised.
  In my view, here are the basic elements any protective legislation 
should include:
  (1) Immediate notice of a breach by the card issuer to the card 
holder.
  (2) A reasonable definition of when a ``breach'' occurs.
  (3) Imposition of liability on third party card processors when at 
fault.
  (4) A simple method of immediate assistance by the card issuer to the 
affected card holder to correct the problem as quickly as possible.
  Mr. Speaker, I am assured that the CARD Act will be an important 
consumer law with teeth to rectify and strengthen consumer credit 
rights. I hope that this legislation will lessen the injurious 
liability that many of them face with no compassion from credit card 
companies, corporations, or the credit rating agencies, due to no fault 
of their own. I sincerely hope that the financial services industry 
will not oppose reasonable legislation to correct what is a very real 
and expanding national problem affecting millions of Americans.
  I know some in the industry are saying that the cost of such 
notification is too great. But that statement flies in the fact of the 
numbers. The Wall Street Journal reports that the nation's largest 
banks profit each year by more than $20 billion in transaction fees 
they charge merchants on every credit card purchase made through 
MasterCard International Inc. or Visa USA Inc.
  Surely some of that huge profit can be used for better and greater 
credit card security.

                          ____________________