A U.S. House panel effort to write a national data breach disclosure law is running into fierce opposition by consumer groups calling the legislation the "worst data security bill ever."

Passed out of the House Financial Services Committee on a 48-17 vote late last Thursday afternoon, the Financial Data Protection Act of 2005 (H.R. 3997) allows data brokers and other companies to conduct an investigation of a breach and determine if notification to consumers is necessary.

The bill also allows companies that choose to protect their data with encryption to take that into consideration when determining if consumer notification is necessary in the aftermath of a breach.

"We think consumers should be notified in case of a breach and it shouldn't be left to the companies to decide," Susanna Montezemolo, a policy analyst with Consumers Union, told internetnews.com.

The legislation also preempts any state laws mandating breach disclosures to consumers. According to Consumers Union, 11 states currently have stricter notification standards than H.R. 3997, including a California law that resulted in data broker ChoicePoint being forced into disclosing the breach of 145,000 consumer records.

The furor over the ChoicePoint breach prompted Congress to begin considering a national breach notification law.

"It is ironic that after a year in which over 55 million Americans' identities were put at risk through preventable data breaches, the House Financial Services Committee would repeal state laws that have protected consumers from identity theft," Montezemolo said.

Under the bill, if a company conducts a "reasonable" investigation after a breach and determines no "harm" to consumers occurred, the company is not obligated to inform consumers of the breach.

The bill defines harm as "material financial loss to or civil or criminal penalties imposed on the consumer or the need for the consumer to expend significant time and effort to correct erroneous information relating to the consumer."

"Today, the Financial Services Committee voted for the worst data security bill ever," Ed Mierzwinski of the U.S. Public Interest Research Group said in a statement.

This article was first published on InternetNews.com.