<DOC>
[106th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:70436.wais]
THE PRIVACY COMMISSION: A COMPLETE EXAMINATION OF PRIVACY PROTECTION
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
APRIL 12, 2000
__________
Serial No. 106-192
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
----------
U.S. GOVERNMENT PRINTING OFFICE
70-436 WASHINGTON : 2001
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York
JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York
STEPHEN HORN, California PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana ELEANOR HOLMES NORTON, Washington,
MARK E. SOUDER, Indiana DC
JOE SCARBOROUGH, Florida CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South DENNIS J. KUCINICH, Ohio
Carolina ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia DANNY K. DAVIS, Illinois
DAN MILLER, Florida JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas JIM TURNER, Texas
LEE TERRY, Nebraska THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California ------
PAUL RYAN, Wisconsin BERNARD SANDERS, Vermont
HELEN CHENOWETH-HAGE, Idaho (Independent)
DAVID VITTER, Louisiana
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
David A. Kass, Deputy Counsel and Parliamentarian
Lisa Smith Arafune, Chief Clerk
Phil Schiliro, Minority Staff Director
------
Subcommittee on Government Management, Information, and Technology
STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois JIM TURNER, Texas
THOMAS M. DAVIS, Virginia PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon MAJOR R. OWENS, New York
DOUG OSE, California PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Heather Bailey, Professional Staff Member
Bryan Sisk, Clerk
Michelle Ash, Minority Counsel
C O N T E N T S
----------
Page
Hearing held on April 12, 2000................................... 1
Statement of:
Cate, Professor Fred, professor of law and Harry T. Ice
faculty fellow, Indiana University School of Law,
Bloomington; Travis Plunkett, legislative director,
Consumer Federation of America; Ari Schwartz, policy
analyst, Center for Democracy and Technology; and Sandra
Parker, esquire, director of government affairs and health
policy, Maine Hospital Association......................... 60
Twentyman, Sallie, victim of credit card theft; Robert
Douglas, private investigator; and Paul Appelbaum, M.D.,
chairman, Department of Psychiatry, director, Law and
Psychiatry Program, University of Massachusetts Medical
School..................................................... 14
Letters, statements, etc., submitted for the record by:
Appelbaum, Paul, M.D., chairman, Department of Psychiatry,
director, Law and Psychiatry Program, University of
Massachusetts Medical School, prepared statement of the
American Psychiatric Association........................... 47
Cate, Professor Fred, professor of law and Harry T. Ice
faculty fellow, Indiana University School of Law,
Bloomington, prepared statement of......................... 62
Douglas, Robert, private investigator, prepared statement of. 26
Horn, Hon. Stephen, a Representative in Congress from the
State of California, prepared statement of................. 3
Hutchinson, Hon. Asa, a Representative in Congress from the
State of Arizona, prepared statement of.................... 7
Parker, Sandra, esquire, director of government affairs and
health policy, Maine Hospital Association, prepared
statement of............................................... 106
Plunkett, Travis, legislative director, Consumer Federation
of America, prepared statement of.......................... 75
Schwartz, Ari, policy analyst, Center for Democracy and
Technology, prepared statement of.......................... 87
Turner, Hon. Jim, a Representative in Congress from the State
of Texas, prepared statement of............................ 12
Twentyman, Sallie, victim of credit card theft, prepared
statement of............................................... 17
THE PRIVACY COMMISSION: A COMPLETE EXAMINATION OF PRIVACY PROTECTION
----------
WEDNESDAY, APRIL 12, 2000
House of Representatives,
Subcommittee on Government Management, Information,
and Technology,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2247, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
Present: Representatives Horn and Turner.
Also present: Representatives Hutchinson and Moran of
Virginia.
Staff present: J. Russell George, staff director and chief
counsel; Heather Bailey, professional staff member; Bonnie
Heald, director of communications; Bryan Sisk, clerk; Ryan
McKee, staff assistant; Michael Soon, intern; Kristin Amerling,
minority deputy chief counsel; Michelle Ash and Trey Henderson,
minority counsels; and Jean Gosa, minority assistant clerk.
Mr. Horn. A quorum being present, the hearing of the
Subcommittee on Government Management, Information, and
Technology will come to order.
The first Federal Privacy Commission was established in
1977 to examine a similar issue to that being addressed today:
How can private information be protected while allowing public
access to information that can benefit society?
Today, a few keystrokes on a computer can produce a
quantity of information that was unimaginable in 1974. From e-
mail and e-commerce to e-government, technology has simplified
the way people communicate, shop, and file their income tax
returns.
Last year, for example, more than 17 million people spent
$20 billion for on-line purchases. At a subcommittee hearing on
Monday, IRS Commissioner Charles Rossotti testified that as of
March 31, nearly 21 million people had filed their tax returns
electronically this year, a 16 percent increase over the same
period last year.
The downside of these technological advances is that a vast
amount of personal information now flows over the Internet, and
all too often, citizens are being victimized. Today names,
addresses, Social Security numbers, and credit reports, as well
as other personal information, can be bought by nearly anyone
who is willing to pay the going rate.
Today the subcommittee will examine this troubling issue
and whether the time has come to establish another Federal
commission on privacy. I welcome our witnesses, and look
forward to their testimony.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED] T0436.001
Mr. Horn. Panel one will be Ms. Sally Twentyman, victim of
a credit card theft; Mr. Robert Douglas, private investigator;
Paul Appelbaum, M.D., chairman of the Department of Psychiatry,
director, Law and Psychiatry Program, University of
Massachusetts Medical School. If you will come forward.
Let me just say what the ground rules are. We swear in all
witnesses, and we would like--we have your statements, they are
all very fine, and we would like you to summarize it if you can
in 5 minutes, and certainly not more than 10 minutes. Then we
will have panel two later. If you would like to stay, we would
certainly welcome that in case you have some comments in
relationship to panel two.
So if you will stand and raise your right hands, we will
give you the oath.
[Witnesses sworn.]
Mr. Horn. The clerk will note all three witnesses affirmed
the oath.
Without objection, Mr. Moran will be a member of this
panel, and we will have Mr. Moran, the distinguished gentleman
from Virginia, to give us an opening statement then.
Mr. Moran of Virginia. Well, thank you very much, Mr.
Chairman. Chairman Horn and Mr. Turner and the distinguished
staff, I am pleased to join with Congressman Hutchinson, who
has just arrived, for this hearing on H.R. 4049, the Privacy
Commission Act.
As any Member of this House can attest, privacy is an
enormous concern to our constituents. We hear about privacy at
our town meetings, in our mail, and from so many citizens who
are utilizing the new technologies that are driving our
economy. Their concerns are valid. People know that their
medical data, which is the most personal information about any
of us, is increasingly being electronically stored and
transmitted.
As the World Wide Web has become commercialized, some
companies have developed the means to profile Web users by the
sites that they visit. While such profiling is not all that
different from what direct marketers have done for many years,
the idea of our purchases and shopping habits being profiled in
cyberspace is somehow very unsettling to many people, and
rightfully so.
Even though many Web sites have moved aggressively to self-
regulate and to display very prominent statements about their
own privacy rules, concerns among the public have not abated.
Public opinion polls are clear that this remains a major issue
for the American people.
As serious as these concerns are, however, there is a
countervailing danger of overreaction. The U.S. Internet
economy is already worth an estimated $350 billion and is a
harbinger of the potential in everything from business-to-
business transactions, to consumer retail, to financial
services across the board. It is transforming our economy. By
the end of this year, some 72 million American adults are
expected to be on line; that is 35 percent of the American
population. The Internet has flourished in the absence of
burdensome government regulations or taxation. Given the stakes
to our economy and the depth of public concern, it is clear to
us that what is needed is a thoughtful, deliberate approach to
privacy issues by this Congress.
That is exactly what the Hutchinson-Moran bill provides. It
sets up a 17-member commission appointed jointly by the
President and the Republican and Democratic leadership of the
House to examine any threats that exist to the privacy of
Americans and to report back on whether additional legislation
is necessary, and if it is, what protections it should contain.
It also directs the commission to report on nonlegislative
solutions. If self-regulation can be improved, how should
industry achieve that objective? It requires an analysis of
existing statutes and regulations on privacy, and an analysis
of the extent to which any new regulations would impose undue
costs or burdens on our economy. I would note that our
colleague in the other body, Senator Kohl of Wisconsin, has
sponsored similar legislation.
In short, this is a balanced, measured approach to a
complex issue that carries big costs to our economy. I commend
Mr. Hutchinson for his leadership on it, and I commend you,
Chairman Horn, for holding this hearing about it. It is good to
see my colleague Mr. Turner as well. We look forward to hearing
from our thoughtful witnesses as well.
Thank you, Mr. Chairman.
Mr. Horn. Well, thank you very much for that opening
statement.
Mr. Hutchinson is now with us. Without objection, he will
be a member of this panel throughout the morning, and with Mr.
Turner's consent, Mr. Hutchinson is free to give his opening
statement.
Mr. Hutchinson. Thank you, Mr. Chairman. I apologize for
walking in here a couple of minutes late. I do thank you for
conducting this hearing, and I want to thank the ranking
member, Mr. Turner, also for his interest and support of this
legislation and his participation in this important hearing. I
would like permission to submit the written statement for the
record.
Mr. Horn. Without objection, it will be inserted at this
point.
I might tell all the witnesses, the minute we introduce
you, your full statement is in the record, and then we want you
to summarize.
Mr. Hutchinson. My colleague Mr. Moran, I value his
friendship, judgment, and participation on this important
issue. He is the cosponsor with me. We are a team on this, and
I thank him, and he has really been instrumental in bringing
this issue forward.
I just wanted to talk a little bit about how this came
about. We all are familiar with the polls that show the No. 1
concern of persons as we go into the next century being that of
personal privacy. But to me, it is much more personal than
that. During December, during our break, I conducted a 16-
county district tour; went through all of the 16 counties in my
congressional district, held town meetings, and I came back and
sat down in my living room and sort of penciled in what were
the major concerns. Really, to my surprise, privacy was right
at the top.
We hear the stories of the hill country folks in Arkansas
who really believe that they ought to have privacy; many of
them moved to the hills for that reason, and they are concerned
about the invasion of that privacy. It is really an
unprecedented accumulation and transfer of personal information
that we see today in our information society.
So I came back with an intent to address that issue. I
looked at what is happening in Congress and realized that there
is a lot of different bills out there, many of them are good
bills, that address privacy concerns, but I think there are
about four different approaches to what we should do with
privacy issues. First of all, there is the attitude, let us
just do something now, regardless of what it is, let's just get
something done. The problem is that doing it right sometimes
takes more time, more thought, and I think it is more important
than doing it quick and simply as a reaction of the pressing
need to get something done. So I think that is the wrong
approach.
The second approach is let's pass legislation in a narrow
area. We have bills that deal with financial records; we have
bills that deal with medical privacy issues, and then we have
separate bills that deal with on-line privacy. I am really a
cosponsor of a number of those bills that I believe are good,
and I want to support and push those through the legislative
process. It is important that this commission not be used as a
means to stop other efforts that are going through, and that is
my intent.
But I do believe that there is much more merit, rather than
taking a sectarian approach of, you know, let's look at the
financial records issue and health care records with the
Internet, it is all-encompassing across every sector of our
society. We are really different from the European approach
that has taken a more comprehensive approach to privacy than we
have taken industry by industry, and I think this commission
would broaden it up.
The fourth approach is let's leave it to the regulators.
Excuse me, that is the third approach. Leave it to the
regulators. As a legislator, I don't think that is the best
approach. I believe there should be legislative involvement and
a legislative discussion of this.
Finally, that leads to the comprehensive commission that
Congressman Moran and I are proposing, the structure he has
outlined. It is certainly bipartisan. It is designed to conduct
hearings across the country. We have set a time limit of 18
months for a report, but it is important to note that they have
authority if they deem necessary to issue an interim report
prior to that 18 months, because there could be some need in a
particular arena to issue an interim report. So it could move
quicker than 18 months.
But clearly, I believe that it is responsible, it is
workable, and it is comprehensive; it is the right approach to
privacy concerns. We have to be realistic this year. I hope
that we can pass some other individual bills. But
realistically, I believe this is the best thing that we can do
this Congress, and the result will be greater protections of
our individual freedom.
I yield back.
Mr. Horn. Thank you very much.
[The prepared statement of Hon. Asa Hutchinson follows:]
[GRAPHIC] [TIFF OMITTED] T0436.002
[GRAPHIC] [TIFF OMITTED] T0436.003
[GRAPHIC] [TIFF OMITTED] T0436.004
[GRAPHIC] [TIFF OMITTED] T0436.005
Mr. Horn. The gentleman from Texas, the ranking member, Mr.
Turner.
Mr. Turner. Thank you, Mr. Chairman. I want to commend Mr.
Hutchinson and Mr. Moran for their work on this legislation. It
is one of the most important issues that we face. As you
mentioned, Mr. Hutchinson, the polls clearly indicate that
privacy is one of the top concerns of the American people.
I was pleased to join with you as a cosponsor of this bill
because I think the commission will create a high profile for
the issue and enable us to have a full and open discussion with
the American people about these issues so that we can resolve
them in the appropriate way.
I was very pleased to hear your comments about your intent
with regard to the commission was not to impede the progress of
other legislation that we may achieve a bipartisan consensus on
during the time that the commission is working. I think the
commission can be a sounding board for a lot of those
proposals. I know there are regulations at HHS pending on
medical privacy. I hope that the commission would not impede
those regulations, but also provide a sounding board for those
regulations, because some of these privacy issues need to be
dealt with right away. So if we find a consensus on it, and if
the agencies are finding their way to protecting our privacy as
HHS is trying to do with the medical regulations, I think the
American people deserve those protections as soon as possible.
The commission not only can provide a sounding board for
the proposals that are out there and for actions that may be
taken over the next 18 months, but at the end of the day,
hopefully can come up with an overall recommendation in these
various areas that represent a true consensus to protect the
privacy of the American people.
So I commend you, and I welcome our witnesses here today.
We look forward to working on this bill and making it
everything that I think the authors intend for it to be.
Thank you, Mr. Chairman.
Mr. Horn. Thank you very much.
[The prepared statement of Hon. Jim Turner follows:]
[GRAPHIC] [TIFF OMITTED] T0436.006
[GRAPHIC] [TIFF OMITTED] T0436.007
Mr. Horn. We will now begin with the first panel. We will
start with Ms. Sallie Twentyman, who is the victim of credit
card theft. Tell us about it.
STATEMENTS OF SALLIE TWENTYMAN, VICTIM OF CREDIT CARD THEFT;
ROBERT DOUGLAS, PRIVATE INVESTIGATOR; AND PAUL APPELBAUM, M.D.,
CHAIRMAN, DEPARTMENT OF PSYCHIATRY, DIRECTOR, LAW AND
PSYCHIATRY PROGRAM, UNIVERSITY OF MASSACHUSETTS MEDICAL SCHOOL
Ms. Twentyman. Mr. Chairman, I do appreciate the
opportunity to appear here today to tell you about my
experiences.
Last summer my privacy was dealt a blow from which I will
never totally recover when I became a victim of identity theft.
I still don't know how, when, or where it happened, or who the
perpetrator was. I probably never will. But what I do know is
that I never received two of my renewal credit cards in the
mail, and that someone used my name and Social Security number
to access these two credit card accounts and to establish
several other new credit card accounts in my name, all in just
a matter of a few days and all from a fraudulent address. In
one account alone, this person was able to get approximately
$13,000 in cash in less than a week.
Over the next several months, this fraudulent activity
continued, with my list of residences extending to at least
five different States, even after fraud alerts were placed on
my name at each of the three credit bureaus in the country.
Today, I am hopeful that the activity is winding down, but
I still live each day knowing that my information is in the
hands of criminals. This identity theft, especially when
perpetrated by a group or a crime ring, as mine probably has
been, is similar to what I call financial cancer. Even if,
through my efforts, I manage to stop these criminals for a
while, they are likely to begin using the information again in
the future when they think that I am no longer watching. As
identity theft takes new forms, as it does every year or two, I
will be at high risk of being a victim of these newer forms of
crime.
So far, I haven't been responsible for repaying any of the
fraudulent balances, which I appreciate, and I haven't even had
pressure put on me, which is good, because I hear a couple of
years ago people did have problems with that. I haven't applied
for any new loans, so I don't know how difficult it would be to
buy a car or get a mortgage at this point or get a student loan
to send my teenagers to college, which is coming up in a couple
of years.
During the past 8 months, since my identity was stolen, I
face some problems and frustrations which I do appreciate being
able to come here and tell you about. I faced all of these just
as a citizen, a very typical citizen who knew very little about
identity theft when it happened to me.
First of all, the Identity Theft and Assumption Deterrence
Act made identity theft a crime, and that is very good, but it
seems that no one has really been made responsible and are
given the manpower needed for apprehending the criminals and
enforcing the law. I realize it has kind of skyrocketed, and it
is hard for so few people to investigate so many cases.
I was unable to get most law enforcement officials to do
anything. When I was unable to get out-of-state police
departments to file police reports--because the criminals were
very good; they knew to do it in States where I don't live--or
to investigate the addresses out of which the thieves were
acting, a local police officer made many phone calls for me,
but in each case she, too, was unable to get police officials
in these other jurisdictions to file reports.
As our country moves from a brick-and-mortar economy to an
electronically based economy, law enforcement agencies will
need to establish ways of dealing with new electronic forms of
crimes which do not fall into specific physical jurisdictions.
I need to note, too, that every governmental agency that I
contacted, including the FTC, the FBI, the Secret Service, and
the Postal Service, politely took my report, or voice message,
or e-mail, and several sincerely wanted to help, I know that
they did. However, not a single one ever followed up with me to
let me know that they had really done anything with my specific
case, which made me--it is very lonely, feeling like nobody is
doing anything.
Financial institutions and other businesses need to be made
accountable for protecting customers' personal information.
Maybe stiff fines and other penalties need to be established
when these institutions are negligent or when they continue to
open new accounts after fraud alerts have been placed in the
person's name. I don't really want to have to get an attorney
to do things for me. I really feel they should be made
accountable in some way.
My bank did not protect my personal information and helped
to spread this financial cancer. In fact, they allowed someone
to change my birth date and mother's maiden name in their
computers, which made it really hard when I tried to access my
account and have something done.
All the banks which issued the fraudulent credit act as if
the losses were all theirs; since they wiped my slate clean, I
did not owe anything. I would like to point out that their
losses were over as soon as they passed on their costs to other
consumers in the form of increased service charges and higher
interest rates, but my personal information has been lost
forever, and I am 44 years old, and there are a lot of years
ahead of me.
When a victim learns of his or her identity theft, we need
a faster, more effective way of reporting the crime and
beginning investigations. The bank told me to start with the
credit bureaus, which I did. I left fraud alerts. It was very
frustrating, though, getting through voice mails. When you are
in shock, when you hear press one of this, two of that, three
of that, I had to hang up several times and start over.
Also, it took me 2 weeks to get my credit reports, and
during the 2 weeks I just wondered what had been happening, and
I wish I could have gotten them sooner. Maybe they could have
been faxed to me, e-mailed to me, or something.
I feel we need regulations regarding the issuance of
instant credit in this country. These people managed to get
instant credit several times, and the bank would call me 3 days
later saying, I am sorry, I see we have a fraud alert, but we
had issued the credit card, and we will take care of it. But it
does keep going on.
We need to also look into the efficacy of establishing some
national hotline or fraud reporting agency in some way. I had
to report to three different credit bureaus, but not everybody
has to check them. Bank accounts who aren't issuing you credit
don't have to. I wish there was someplace a victim could call
and just put a block on their name totally; no bank accounts,
no new cars, no mortgages, nothing without calling me first.
You all are aware of the Internet. I must say that I can
look at--I go to Infoseekers.com now, and I see that for $65
they can buy everything about me, my Social Security number,
name, address, how many kids I have, what properties I own,
medical information. I really wish something could be done. I
am not sure, but I will say that that is a sore point for me
right now to go on line and see that.
I also recently got an Internet security system and have
been having hackers almost daily trying to get in. It has been
something.
I know that we need to protect Social Security numbers in
the country. I am sure the commission would be looking at who
needs it and who doesn't, and restrict it to who does. I don't
feel like student IDs, driver's license, medical records,
everything has to have Social Security numbers.
Government officials and corporate officials need to really
establish ways of authenticating electronic telephone
transactions. I know they are doing it, I encourage it. Work
diligently, please.
Once again, I do thank you for the opportunity to share my
experiences today. I deeply appreciate your efforts in helping
to protect the privacy of all citizens.
[The prepared statement of Ms. Twentyman follows:]
[GRAPHIC] [TIFF OMITTED] T0436.008
[GRAPHIC] [TIFF OMITTED] T0436.009
[GRAPHIC] [TIFF OMITTED] T0436.010
[GRAPHIC] [TIFF OMITTED] T0436.011
Mr. Horn. Well, thank you for your story. I think it must
make every one of us behind this podium and everyone in the
seats out there that you just feel like you have been violated,
and your whole person is in somebody else's hand and control.
I am going to ask one or two questions now, and then we--we
don't want to waste the talent here, and we will do all of them
afterwards. But you mentioned the Secret Service. Did you go to
the FBI?
Ms. Twentyman. I left a message and was never called back.
Mr. Horn. They never contacted you?
Ms. Twentyman. I think I left two. I never heard back. The
Secret Service I did hear from. They asked for some
information. I faxed it, but I never heard back. I realize I
could have called and really aggressively tried to get, tried
harder, but I didn't. I mean, I felt like they knew.
Mr. Horn. Did you contact your own Member of Congress?
Ms. Twentyman. Sitting right over there, I did e-mail him
about this.
Mr. Horn. He is the kind of person that gets something
done.
Ms. Twentyman. That is right.
Mr. Horn. OK.
Ms. Twentyman. He catches his car thieves, too.
Mr. Horn. I had a problem like that when a few Federal
agencies wouldn't move, we just went right to the top, and
believe me, they got a little dynamite stick under them and
started moving. But that is another story.
Ms. Twentyman. I think part of this is I wanted to also see
the citizens--things seem to be winding down. I have been very
proactive. I need to observe what is going on, because every
citizen does not--I know my parents would not have been
extremely assertive. I am just so thankful it is me instead of
them and some people.
Mr. Horn. Well, thank you. Stay with us, and we will have
some more questions as we finish this panel.
Mr. Robert Douglas is a private investigator. We are glad
to have you here.
Mr. Douglas. Thank you, Mr. Chairman. My name is Robert
Douglas, and I am the founder of American Privacy Consultants.
I appreciate the opportunity to appear before you in
support of the creation of a privacy commission and to state my
belief that a comprehensive review of current privacy law and
the formulation of a privacy plan for the 21st century are
important and long overdue.
Prior to founding APC, I was a Washington, DC, private
detective. In 1997, I began investigating the practice of
information brokers selling personal financial information. I
brought the results of that investigation here to Congress, and
I would note in part of that testimony, which I have appended
to my statement this morning, I addressed specifically the
situation that happened to Ms. Twentyman where her maiden name
and birth date records were changed within a financial
institution, and I know the techniques that are used to do
that, and it happens thousands of times a year around this
country.
My 1998 testimony resulted in passage of the Financial
Information Privacy Act, which was incorporated in the Gramm-
Leach-Bliley financial modernization law.
In 1998, I informed Congress that the use of identity
theft, fraud, and deception was rampant in the information
broker industry and extended well beyond personal financial
information. It is my hope that passage of H.R. 4049 will
result in a privacy commission that can act as a small, but
very important, part of a broader mandate, to investigate the
use of identity theft to access and steal many other types of
personal information of citizens and residents of the United
States.
I am often asked what personal information can be gathered
by the average citizen. The truth is almost anything can be
learned about anybody in the United States today. The question
is how. The impact of technology on privacy today is the
ability to accumulate, store, filter, cross-reference, analyze,
and disseminate vast amounts of information about anyone in a
fast and cost-efficient manner that was previously unavailable
to a point where almost anyone can now afford to participate in
the buying or selling of data of any type about anybody. Simply
put, privacy in the United States is too often a concept, not a
reality.
For the purpose of today's hearing, I would like to focus
on several particularly egregious categories of personal
information that are being advertised and sold on the World
Wide Web. We did have a power point presentation, but I
understand it is not able to be done in this room, so if you
follow through my statement, I will do the charts that I have
there in order.
The first example is found at a company called
Docusearch.com, and it is a list of searches. From this menu,
one can see that anyone's Social Security number, address, and
date of birth can be purchased. These are the essential
ingredients for identity theft. With this information, a
criminal can impersonate anyone they choose and gain access to
all of the personal information concerning the target of the
identity theft and do things like happened to Ms. Twentyman.
That is how you get in, that is how you change a person's
information, that is how you shut off their utilities if you
are a stalker or harasser, that is how you steal their
finances, that is how you take over their credit history.
The following Web page from Docusearch is the description
of the Social Security number search. This page documents--and
this is very important--this page documents the use of credit
headers for selling personal, biographical information first
obtained as part of a normal, ordinary, day-to-day credit
transaction and then sold to private investigators and
information brokers by our Nation's credit bureaus.
This is a common and widespread practice that must be
revisited by Congress. While there are many useful and
legitimate reasons for the access of credit header information
in certain legal and investigative contexts, the wholesale and
unregulated access of biographical data from credit reports
goes on at an alarming rate. There are hundreds of Web sites on
the Internet, and I repeat hundreds of Web sites on the
Internet, selling biographical information obtained from credit
reports.
The sale of credit headers is the starting point for many
forms of identity theft as it gives the identity thief all of
the biographical information necessary to impersonate the true
owner of the information. This ability to then impersonate the
true owner opens up access to all forms of personal information
sought by the identity thief. Congress should extend the same
permissible purposes test currently in place for the access to
credit data under the Fair Credit Reporting Act to the
biographical data included in the credit header, which is now
exempted under current interpretations of the FCRA.
The next chart demonstrates another company called
Strategic Data Services, and again, we see the sale of Social
Security numbers, employment information, dates of birth,
driver's license, but added to this we see where they will sell
the physical address that goes to a post office box owner,
something to someone who has a civil protection order, is
trying to stay away from a stalker or a harasser, is terrifying
to them, because they will reach out and get and pay extra for
a private P.O. box specifically to hide their physical address,
and yet here we have hundreds of Web sites selling it. The P.O.
box's postal regulations recognize few exceptions for obtaining
the corresponding physical address, yet here we see it for sale
on the Internet.
The next category shows the sale of driver and vehicle
searches, general doc search. Included in the list are the sale
of names and addresses associated with a license plate and the
sale of a specific driver's license number. So if I see your
license plate on your car on the street, and I want to find out
who you are and where you live, I can buy that information.
The following Web page shows the specific driver history
records by name, and I would note that many Americans believe
that the passage of the Drivers' Privacy Protection Act, which
I am aware Senator Shelby just held hearings on, I believe,
last week, looking to reinforce that act and strengthen it, but
I am afraid he missed what I am about to talk about here many
Americans believed would stop the sale of this type of
information. However, the act allowed an exemption for private
investigators. Unfortunately, although there are thousands and
thousands of very lawful and upstanding private investigators
in this country, there are a number of information brokers who
are also private investigators or who have established
relationships with private investigators that are subsequently
accessing this information and selling it to almost anyone who
submits a request on the Internet.
The next page shows telephone searches, and this is an area
that I am not aware that anyone in Congress has looked at to
this date. One can see from the listing that any phone number
can be traced back to its owner. Whether or not the individual
owner has taken steps to protect their privacy by again paying
extra for an unlisted or nonpublished phone number, it doesn't
matter. It doesn't protect you one iota. Again, we have a page
demonstrating exactly the sale of nonpublished phone number
information.
Again, another page demonstrating all of the other types of
phone searches on another Web page, and I will try to move
along here for you. But on that one it is very important to
note that, in addition to being able to find the ownership site
for selling the actual long-distance toll call records. In
other words, you can purchase the long-distance phone records,
including the number called, the date, time, and duration of
the call. This is actually used in economic espionage, business
espionage, on a fairly regular basis in this country.
The next page is, again, financial searches. We can see
that even though Gramm-Leach-Bliley was passed last November 12
and signed by President Clinton, that both personal and
corporate, private financial information continues to be sold
on hundreds of Web sites on the Web. I have documented the
specific bank account search here, and there is one portion in
the description that I have bolded and underlined that should
be alarming to this committee and to Congress, and that is this
individual, whose name is Daniel Cohen and operates Docusearch,
is claiming that he is accessing a Federal database. The
article from Forbes Magazine that I have appended as appendix
1, he goes further in that article and claims he is getting it
from the Federal Reserve.
As I pointed out in my speech to the FDIC about 2 weeks
ago, I believe that to be a total falsehood. There is no such
database with the Federal Reserve. But these are the types of
lies these people are telling, even on the Internet, even to
reporters like the reporter from Forbes and to our American
citizens, which are making our citizens answer the question
that Congressman Hutchinson found when he traveled to his
district, and I am sure Congressman Moran and others, into
believing that they have no longer any financial privacy in
this country. They are actually stealing this information
through impersonation, but are claiming to our citizens that
they have lawful access via Federal databases, and I would hope
that that would be of concern to this committee.
The final page is a credit card activity page. To sum that
one up, there are dozens of Web sites you can go on where I
could buy Ms. Twentyman's actual credit card activity, where
she had her dinner, what presents she bought for her family at
Christmastime, right down to the individual transactions.
The examples I have provided today demonstrate that a vast
and varied amount of personal information is available on the
Internet. These examples are just several of thousands
available. I have provided committee staff with hundreds of
other Web page examples of information being advertised and
sold on the Internet, and without saying his or her name,
because they asked me not to, I demonstrated to your staff,
Chairman Horn, the other day that with one phone call, and I
think that person could tell you that, in about 3 minutes I got
a phone call back, and I knew her Social Security number and
her address. And I have with me a complete report of that
individual that I will show them later on today.
If H.R. 4049 passes, and it should, I will do all I can to
assist the privacy commission or any committee of Congress to
understand and weed out the methods currently being used and
developed to access our fellow citizens' personal and private
information.
In conclusion, and I apologize for running so long, the
time is ripe to have a privacy commission with broad-based
authority to
examine privacy in the United States today and to take
appropriate steps to safeguard the privacy of all Americans
while ensuring that steps are not so Draconian as to impede our
booming information age economy. I thank you, Mr. Chairman.
[The prepared statement of Mr. Douglas follows:]
[GRAPHIC] [TIFF OMITTED] T0436.012
[GRAPHIC] [TIFF OMITTED] T0436.013
[GRAPHIC] [TIFF OMITTED] T0436.014
[GRAPHIC] [TIFF OMITTED] T0436.015
[GRAPHIC] [TIFF OMITTED] T0436.016
[GRAPHIC] [TIFF OMITTED] T0436.017
[GRAPHIC] [TIFF OMITTED] T0436.018
[GRAPHIC] [TIFF OMITTED] T0436.019
[GRAPHIC] [TIFF OMITTED] T0436.020
[GRAPHIC] [TIFF OMITTED] T0436.021
[GRAPHIC] [TIFF OMITTED] T0436.022
[GRAPHIC] [TIFF OMITTED] T0436.023
[GRAPHIC] [TIFF OMITTED] T0436.024
[GRAPHIC] [TIFF OMITTED] T0436.025
[GRAPHIC] [TIFF OMITTED] T0436.026
[GRAPHIC] [TIFF OMITTED] T0436.027
[GRAPHIC] [TIFF OMITTED] T0436.028
Mr. Horn. Well, we thank you a lot, because you have just
done a terrific job of taking us through how easy it is to have
this happen, and we are indebted to you in terms of the
excellent information you provided. I take it you have not ever
been filing for Social Security numbers and anything like that.
When did you get into this?
Mr. Douglas. I came across it while I was working as an
active private investigator in Washington, DC, and started to
note that more and more information brokers were advertising in
the PI trade magazines, and then relatively blatantly on the
Internet. I did attend law school. I had some sense that this
could not quite be right, some of the information that they
were selling, and I began calling literally dozens of them and
actually contracted with a few to find out what types of
information they were able to obtain.
Through the course of developing--and they will lie
blatantly even to other private investigators, reporters,
Members of Congress who have talked to them and claim all types
of--you know, it is proprietary databases that we have,
investigative sources. And there are certain key phrases that
you can find on these Web pages that I could demonstrate to the
committee or others, indicate that they are not getting the
information legally.
Any time they claim--on the page where they claim they are
getting it from a Federal database, well, gee, they are getting
it from a Federal database, but on the same page it tells them
it takes 18 days to get it. So the reason it takes 10 to 18
days is because what they are doing and what has happened to
Mrs. Twentyman is they will buy your credit information, they
will then in her case get someone in their office who is female
and approximately her age to start calling her bank and calling
whatever, the phone company, utility companies, whoever they
want to obtain information from and impersonate her, and they
now have her name, her date of birth, her address, her Social
Security number, and with that information, you can get almost
anything, including--and I demonstrated this to Chairman Leach
2 years ago in the Banking Committee. What they do, the way
they changed her date of birth and her mother's maiden name--
many banks use the mother's maiden name as the password to gain
access. I have been advising banks for several years now to
change that, and the OCC letter that was put out following my
testimony also advised them to go from the maiden name to a PIN
number.
Mr. Horn. Explain OCC.
Mr. Douglas. The Office of the Comptroller of the Currency,
one of the regulatory bodies overseeing our financial
institutions. They put out an advisory letter in the fall of
1998 following my testimony advising them to change that, for
the very reason as to what happened to Ms. Twentyman, because
here is how it is done. If I want to change your--even your
password, I call the bank, and I claim to be Mr. Horn, and I
have the biographical data, but maybe I don't have the mother's
maiden name. I say, gee, I am on the road, I need to get some
information off my checking statement. I am afraid I have a
check that is going to bounce. I am out of town. I have to take
care of this today. I don't have my checkbook with me,
sometimes they don't have the account number, can you help me.
Well, because in fairness to the banks, they are in the
customer service business--and this applies to any other
institution, not just financial institutions. They are in the
customer service business, they want to be helpful, they are
trained to be helpful. So if you have enough data, date of
birth, Social Security number, you start to sound real to them.
If you have a good enough pretext, as we call it in the
industry, falsehood, fraud, and you sound nice enough on the
phone, you start to convince them.
Now we get to the tricky question of mother's maiden name.
I will say Smith. And the person will say, well, I am sorry,
Mr. Horn, that is not what we have here on the account. And
excuse me, but the response would be, well, goddamnit, who are
you to have the wrong information? I know what my mother's
maiden name is. I want a supervisor on the phone right now, or
I am pulling my account out of this bank today. Well, hang on,
hang on, Mr. Horn, I am sure we can work this out. They
eventually convince them that somebody on their end has made a
mistake, and then they change Ms. Twentyman's information so
that now she cannot even access her own information, but I can.
That is how it is done. It is done dozens of times, if not
hundreds of times a day around this country.
Mr. Horn. Well, thank you.
Our last witness on this panel is Dr. Paul Appelbaum, the
Chairman of the Department of Psychiatry and Director of the
Law and Psychiatry program for the University of Massachusetts
Medical School. Thank you for coming.
Mr. Appelbaum. Thank you, Mr. Chairman. I am Paul
Appelbaum, M.D., vice president of the American Psychiatric
Association, a medical specialty society representing more than
40,000 psychiatric physicians nationwide. My work treating
patients, the empirical studies that I have conducted on
medical records privacy, as well as my work consulting with
State legislatures, State health agencies, and the U.S. Secret
Service have given me a broad perspective on medical privacy
issues. Thank you for the opportunity to testify today.
Just a month ago, a leading computer magazine proclaimed in
its cover story, we know everything about you. Privacy is dead.
Get used to it. I greatly appreciate Representative
Hutchinson's and Moran's efforts, as well as the subcommittee's
interest, in remedying this loss of privacy.
I focus my comments today on the importance of protecting
doctor-patient confidentiality. The level of privacy enjoyed by
patients has eroded dramatically, and physicians are often
hampered in our ability to provide the highest quality medical
care as a result. We have a 21st century health care delivery
system, but patients are forced to live with privacy
protections designed for the time of Marcus Welby, M.D.
I note for your consideration several examples of today's
health privacy crisis. A study by professors at UMass, Harvard,
and Stanford revealed over 200 cases where patients at risk for
genetic disorders had been harmed by disclosures of medical
record information. Patients often forego insurance coverage to
maintain their privacy. I treated a skilled tradesman for 2\1/2\
years who worked overtime to pay for his treatment because
he didn't want his union, which administered his insurance
plan, to know that he was receiving psychiatric care. Members
of Congress have seen highly personal disclosures about their
medical conditions, some true, some untrue. In one case, a
major daily newspaper splashed headlines about a Member's
mental health condition only days before the Member's primary.
The San Diego Tribune reported that a pharmacy inappropriately
disclosed a man's HIV status to his ex-wife, and the woman was
able to use that information in a custody dispute.
The Federal Government's appetite for identifiable patient
information continues to grow. Witness last year's efforts by
HCFA to collect highly personal information in its Oasis
program, an effort that they were ultimately compelled, at
least partially, to back down from, and how it grows the
potential for abuse of this information.
It is critically important to realize that privacy is not
only a value in and of itself, it is an essential component of
providing the highest quality medical care. Some patients
refrain from seeking medical care or drop out of treatment in
order to avoid any risk of disclosure of their records. Others
simply will not provide the full information necessary for
successful treatment, and we know this from a Louis Harris poll
that this is a widespread behavior in our society today.
Patients ask us not to include certain information in their
medical record for fear that it will be indiscriminately used
or disclosed. As a result, more patients do not receive needed
care, and the medical records data themselves that we need for
many purposes are inaccurate and tainted.
We need a high level of confidentiality protection for all
medical records so that all patients receive the privacy
necessary for high-quality care. Communicable diseases, mental
illness and substance abuse, sexual assault histories, cancer,
reproductive and women's health issues, as well as many other
conditions may be highly sensitive for patients, and
information about these conditions is unlikely to be revealed
without assurances that the privacy that exists in the doctor-
patient relationship will be maintained.
We believe that many medical privacy proposals before the
Congress as well as the regulations being proposed by the
Department of Health and Human Services, need to incorporate
additional medical privacy protections. The most significant
action that Members of this subcommittee can take today to
protect medical records privacy would be to contact HHS to
express your belief that additional privacy protections should
be included in HHS's final regulations, and to conduct hearings
on their proposal.
The American Psychiatric Association is very encouraged by
Representative Hutchinson's and Moran's privacy commission
legislation. Particularly important, in our view, is to focus
this proposal on increasing public awareness of the need for
additional actions to protect privacy, as well as the actions
that citizens can already take to protect their own privacy;
working on neglected areas of privacy policy, including the
adequacy of privacy protection for employees--many employers
have widespread access to their employees' medical records--and
on the Federal Government's use of confidential information;
and allowing the current efforts to produce greater privacy to
flourish.
We are particularly supportive of the work of the
Bipartisan Privacy Caucus led by Representatives Markey and
Barton, including legislation introduced to remedy the major
financial and medical privacy problems contained in last year's
Financial Services Modernization Act.
Last and most important, we believe that all involved
parties, whether brick or click private sector companies,
privacy experts, consumers, patients and civil libertarians,
must be fully involved in the work of a privacy commission. As
part of this consensus-oriented approach, we believe it is
essential that the membership of any commission contain a
balance among all stakeholders, including the privacy
community.
Thank you for this opportunity to testify. I look forward
to working with the committee on these important issues.
Mr. Horn. Thank you, Dr. Appelbaum.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T0436.029
[GRAPHIC] [TIFF OMITTED] T0436.030
[GRAPHIC] [TIFF OMITTED] T0436.031
[GRAPHIC] [TIFF OMITTED] T0436.032
Mr. Horn. We are now going to question this panel and we
will do it in 5-minute segments, alternating between majority
and minority.
Does Mr. Turner want to yield to Mr. Moran, or would you
like to start?
Mr. Turner. I yield to Mr. Moran of Virginia.
Mr. Moran of Virginia. Well, thank you, my friend, and
thank you, Mr. Chairman, my friend as well. This was very good
testimony, and I particularly appreciate my constituent, Ms.
Twentyman, to come forward and tell us what happened to you. I
know that it is somewhat embarrassing, but I am glad that you
have taken the initiative. As you say, I don't know that your
mother's generation would be willing to, but you have stepped
forward, and I appreciate it.
It is just such a constituent that initiated the Driver's
Privacy Protection Act. It was a woman who went to a health
center to get advice, she had just had a miscarriage, and by
the time she got home, she drove home, she lived in northern
Virginia, there was a group picketing on her front lawn because
they assumed that she had had an abortion, because that health
clinic had also offered a full range of services to women. In
addition to being--the irony of it and being distraught, she
just couldn't imagine how they had known where she lived, and
we found out that what they had done was simply write down the
license numbers of the cars and the tag numbers and went to the
State Division of Motor Vehicles that was in Alexandria and got
the addresses, the names of everyone that had parked in that
lot, and that just didn't seem right.
The State was collecting $5 for every individual piece of
information, direct marketing organizations, of course, were
paying more. We found out that there were a number of
organizations that were determined to continue that practice
because they made a lot of money off of it, and most protective
of that practice was the States. They were making millions, as
Mr. Douglas has indicated. But the detectives particularly
wanted to be exempted. We exempted them, and I know the
newspapers and publishers' associations want to be exempted. I
don't think the conference report finally exempted them, but
they thought it was also a great idea to be able to access this
information.
So we are vulnerable. But it would seem, and I know Asa
feels just as strongly, and I suspect my friend Mr. Horn and
Mr. Turner do as well, that we should not try to impose a type
of cookie cutter approach from the public sector if there is a
way that the private sector can regulate itself. There does
seem to be a number of initiatives being attempted that would
enable you to do that.
I guess I would like to solicit from the three of you, if
you have seen ways in which your situation, Ms. Twentyman,
could have been avoided, or you could have been protected. Mr.
Douglas, this information you give us is just astounding, the
access that people can get to our information, and then can
shut us off from even getting our own information. Dr.
Appelbaum, you have obviously explored this very extensively as
well.
Do you see efforts in the private sector developing that
are able to self-regulate, or at least give people an option to
keep their information private? What we did with the Driver's
License Privacy Protection Act was to require that a box be on
the license application that you can't miss if you don't want
that information shared, you just check it, and then it is
against the law to give out any information on that person's
data without that person's permission.
Let me see whether any of the three of you have come across
ways that have already developed, nongovernmental ways that
might have protected you. Dr. Appelbaum.
Mr. Appelbaum. The medical information developments in the
last several years have resulted in a widespread use of
computerized medical records and aggregated databases in ever-
growing HMOs and hospital systems. Some of these systems are
beginning to pay attention to these issues. For example, I can
tell you that at the University of Michigan's Medical Center in
Ann Arbor in the last year, having implemented an electronic
medical record, they have simultaneously carved out and placed
behind a firewall the psychiatric portion of those records,
with limited access only to people in the Department of
Psychiatry. So such efforts are, indeed, possible.
The problem, I think from my perspective, is that the
incentives all push in the other direction in terms of doing
things easily, using information for marketing purposes and
mining it for additional revenues. The private sector has every
incentive not to pay attention to these issues. And though
direct regulation may be a last resort, at the very least, I
would think that some sort of balancing incentives should be
given to these organizations so that they receive some
encouragement to take privacy seriously.
Mr. Douglas. I think you hit exactly on what is the main
discussion or argument taking place in the business community
today, and that is fair information practices and key phrases
like opt-in versus opt-out. Currently, the burden is on the
consumer, people like Ms. Twentyman, to safeguard their own
information. If you were to sit down with a pen and paper and
list all of the different places that you have private data,
private information, you would still be writing at 5 p.m. So
the burden is currently on you as the consumer, as an American
citizen, to go out and find all of those places and tell them,
if they will even listen to you, that you want to opt out, that
you don't want your information being shared.
The discussion today, I know the discussion within the
financial community and certainly as we sit here today, the
regulators are proposing regulations under Gramm-Leach-Bliley
dealing with third party affiliates, opt-in versus opt-out, and
it is very cumbersome. The average American consumer is not
going to understand it. What many are arguing for today is that
it should be opt in. As far as information practices, if I give
you--and let me just use the example of the credit agencies, we
all have to participate, almost all of us, in credit
transactions on a daily basis. But we believe when we fill out
a credit application, a mortgage application, a rental
application, a department store application, that that
information is between us, the credit bureau and the person
making the decision as to whether they will grant that credit,
but that is not the truth of the matter. The truth of the
matter is, through the credit headers and the recompilation in
the vast databases, a lot of that statistical information is
being resold. Every day your and my information is running up
millions of dollars for American business and the States, as
you noted.
As just one afterthought, you had mentioned the Newspaper
Guild or somebody's resistance to the DPPA. Deep within the
article that I have attached as appendix I from Forbes is a
story of a company called Touchtone Services out of Colorado
that I am very familiar with, because they are one of the few
successful prosecutions of an information broker in this
country, and Mr. Rap, who is the owner of that company, I think
just got out of jail within the last week or two after serving,
what, 70 days.
Let me tell you what he did as part of the allegations. He
was selling information on the Cosby family to the tabloids. We
often wonder how the newspapers and the TV stations show up on
our doorstep when there is a tragedy, like an aircraft crash or
something like that, faster than even the police, because they
go to these information brokers. They have one on contract,
private investigators who know how to use these techniques of
how to impersonate people. The Jon-Benet Ramsay, he
impersonated Mr. Ramsay and was able to obtain his banking
information. He was able to obtain where the Colorado
detectives were secreting witnesses and in what hotels.
In the Monica Lewinsky investigation, it was his firm that
obtained Kathleen Willey from Richmond's phone records and sold
it to a Montgomery County private investigator who turned it
over to the attorney of a very prominent Democrat who is still
under investigation in an Alexandria grand jury.
Perhaps most egregious of all, and I went over this with
your staff the other day, Mr. Horn, he was able to get the
pager numbers of undercover LAPD police officers that were
working on a very important investigation with the Israeli
Mafia and they were able to clone those pagers, a little
technical, but there is a way to do that, so that they, the bad
guys, were getting the same pages that the undercover officers
were getting, and they were then able to figure out who the
secret witnesses were in the investigation and get the home
addresses of the undercover police officers who, in one case,
showed up on the doorstep while the officer was away and
intimidated the wife of the officer.
So we are not talking kid's play here. There are very
serious things that are going on out there, and it all leads
back to how our information is being bought, sold and packaged
every day in this country.
Mr. Moran of Virginia. Troubling. Thank you, Mr. Douglas.
Mr. Horn. The gentleman from Arkansas, Mr. Hutchinson.
Mr. Hutchinson. Thank you, Mr. Chairman. I want to join in
the thanks to each of the panelists for your extraordinary
testimony today. I want to focus with Mr. Douglas for just a
moment. I really do appreciate your expertise. We need to have
more people that have a background in the darker, sinister
world.
Mr. Douglas. My mother would be so happy to hear that.
Mr. Hutchinson. I want to focus on Social Security numbers
for just a second. We all have our stories of going into a
business and cashing a check and they ask for your Social
Security number, sometimes you don't even give them a check,
you pay cash for it and they want to know your address and they
want to know information.
Mr. Douglas. Radio Shack, yes.
Mr. Hutchinson. Your natural inclination, in the South we
are particularly friendly, we just give them what they ask, we
are accommodating. Of course, the dissemination of that
information is a concern.
But in reference to Social Security numbers, clearly, they
are being used far beyond what was originally intended. What
impact does that have on the dissemination of personal
information?
Mr. Douglas. It is the single biggest impact. It has become
the national identifier, although the American people were told
it would not be, and I think that is one of the reasons you see
cynicism around the country and the concerns with privacy
around the country that you talked about in your opening
statement this morning when you were back in your district.
Because people are aware of this, and they do know that--they
are told on the one hand, don't provide that, you don't need to
provide that, yet at last count I think 23 of the States in
this Nation for the driver's license number use the Social
Security number.
So even if you provide your driver's license number, and we
have all done this, especially if we live locally, Virginia has
it, although again you can opt out of that process, but again
how many do; the District uses it, that the clerk will record
that on the back of the check.
Many people, such as Ms. Twentyman, who end up as identity
theft victims, need to remember there are 400,000 cases a year
by the Secret Service's statistics, not some privacy whacko
group; the Federal Government, recognizes 400,000 cases a year
of identity theft in this country, that begin in just such a
fashion, with information that is put down for purposes that is
of questionable use. But yet, if you go in there, Mr.
Hutchinson, and tell them well, no, I have been taught that I
don't need to give that, in many cases they won't complete the
transaction with you, even though that is not necessary for the
transaction by any stretch of the imagination.
So the Social Security number problem is the most frequent
question I get when I talk to people on the Hill, and it is a
very complex one, because it is so ingrained in so many systems
around the country, and because it has become the default
national identifier to tomorrow, say, well, for Congress to
outlaw it, that somehow tomorrow it would crash the economy of
this country.
Mr. Hutchinson. You are saying that if we outlawed the use
of Social Security numbers beyond the original intent, which is
I guess you give it to your employer so that you can make sure
you get credit for your FICA taxes that are paid.
Mr. Douglas. Correct.
Mr. Hutchinson. If we outlawed it beyond that limited use,
what impact would that have?
Mr. Douglas. I am sure you would hear loud and clear from
the business communities that so many are using that as the
national identifier, how will they now identify individual
transactions that go through. That has become the national
identifier. Every business in America that keeps information on
our citizens and, you know, very valid reasons, whether it be
medical records, financial records, the things that make our
economy hum, to identify us use the Social Security number.
Mr. Hutchinson. There is benefit to consumers for that as
well.
Mr. Douglas. Absolutely. That is one thing, and I touch on
it a little bit more in my full statement. We need to be very
careful, and that is why I wholly support this approach that is
presented here today, because the piecemeal approach of
legislation could be very dangerous.
I think there needs to be--we need to take a deep breath.
Gramm-Leach-Bliley just passed, the DPPA is just starting to
kick in; I am not as familiar with the medical area, but it is
just starting to kick in. We need to step back and take this
18-month look at, first of all, how do some of those provisions
that are out there kick in, what effects do they have, and to
find a comprehensive way to deal with that. Because to just
take a rash approach tomorrow because of concerns I think would
have a serious impact on the business community.
Mr. Hutchinson. Thank you. Do I have any time left, or is
it gone?
Mr. Horn. Sure.
Mr. Douglas. My fault. I am so long-winded.
Mr. Hutchinson. Let me just ask one more question if I
might which follows up on that.
Dr. Appelbaum, you mentioned that one thing the commission
could do is to increase public awareness. If you would just
sort of elaborate on that a little bit, particularly in the
area of medical records. We have a limited amount of protection
now, but there are some things that consumers can do to protect
to a greater extent their own information; is that correct?
Mr. Appelbaum. There is, yes. There are a number of such
steps that they can take, of which most people are unaware. An
increasing number of States, for example, give patients the
right to access their own medical records and to make
corrections to those records if errors are found, before the
records are widely disseminated, potentially, to their
disadvantage. Most people don't know that. There are
institutions such as the Medical Information Bureau in my home
State of Massachusetts which collects medical-related
information for the insurance industry, and similarly will
allow individuals to find out, not easily, but to find out the
information that is being kept in their files, and correct it,
and most people are unaware of that as well.
Mr. Hutchinson. Let me interrupt, because I want to yield
back my time, but the commission I think is important, that if
you conduct hearings across the country, you engage in getting
information of the problems that are out there, but also
educating the public as to things that they can do themselves
to protect privacy, and I think that is very important.
Mr. Chairman, thank you for your leniency, and I yield
back.
Mr. Horn. I thank the gentleman and I now yield to the
ranking member, Mr. Turner, the gentleman from Texas.
Mr. Turner. Thank you, Mr. Chairman.
Ms. Twentyman, I want to thank you for your testimony. It
has been very enlightening to understand what you have gone
through. I notice you mentioned in one part of your testimony
that you had $13,000, I believe it was, in one credit card
account alone that was taken?
Ms. Twentyman. Just in 3 or 4 days.
Mr. Turner. In 3 or 4 days.
Ms. Twentyman. Right.
Mr. Turner. You mentioned, I think, later in your testimony
that you haven't personally been held accountable for any of
these balances. These credit card companies, do they have some
kind of protection for you as a credit card holder that ensures
that you don't have to pay when somebody steals from your
credit card account?
Ms. Twentyman. I don't know whether it is insurance or
what, but all of them have, as soon as I report it, they take
it off my account and tell me I am no longer responsible for
it. I am not sure with their bookkeeping what they do with that
money, but fortunately I haven't had to repay any of it.
Mr. Turner. Mr. Douglas, have you had any experience with
that? Do these credit card companies just routinely insure
against theft?
Mr. Douglas. Yes, sir. The consumer is only liable in
theory for $50, if they make prompt notification, to the credit
card company and most credit card companies will even waive
that $50 on behalf of the customer in order to hold on to the
customer.
The thing that should be noted on this, although the
customer is not losing out, the business is. And they are not
necessarily insured, they are self-insured in this area.
Current statistics show that on Internet transactions, and only
1 percent currently over the last Christmas season, only 1
percent of purchases were made by the Internet, 25 to 35
percent of credit card transactions currently made on the
Internet are fraudulent, and the people picking up the tab on
that are the Internet companies. They lose out. They end up
biting the bullet on that. So again, if that area is not
addressed, it will be a strain on the advance of the Internet
economy.
Mr. Turner. What kind of enforcement ability do we have to
control this? It seems to me law enforcement is totally ill-
equipped to deal with any of this.
Mr. Douglas. I think currently they are. I think they are
scrambling quickly to catch up. I know the Washington Post has
documented just within the last week some efforts on behalf of
the FBI to get up to speed in some of these areas, but as in
many areas of crime, the thieves are often far ahead. It should
be noted, an awful lot of that, especially in the Internet
transaction area, is occurring overseas where we have no
enforcement jurisdiction. So many of the software packages that
are being developed for Internet businesses, I-businesses, in
order to preclude fraudulent transactions are totally ruling
out any transaction from overseas.
Mr. Turner. When you said 25 percent of the e-commerce
transactions are fraudulent, you are talking about purchases?
Mr. Douglas. That is correct.
Mr. Turner. With use of a credit card?
Mr. Douglas. Right. Somebody claiming to be Mr. Turner to
buy a pair of Nikes is not Mr. Turner, but somebody else. We
have all seen when you have gone to a Web site and ordered that
you can have it delivered to another address. That is what they
will do, they will put in the credit card information and have
it delivered to another address, which is often a vacant home
or they are in cahoots with somebody else.
Mr. Turner. What is the source of that 25 percent figure?
Who compiles that kind of information?
Mr. Douglas. You will see that in almost any of the
Internet commerce magazines that are tracking this information.
Mr. Turner. What is the track record with regard to theft
from bank accounts? Of course I don't mean just Internet
banking, but theft from bank accounts of individuals? Do we
have any compilation of totals or is that a very common thing?
Mr. Douglas. I don't have any compilations of totals. When
you deal with the identity theft that I have talked about,
which is pretext, it is very hard to track, because often it is
done and the person doesn't know how it is done; just as Ms.
Twentyman said, they never have caught the person. So a lot of
people don't report, a lot of people are embarrassed about it,
and I am sorry to say that our most fragile and under protected
citizenry in this country is senior citizens who this happens
to quite regularly.
A lot of this is done over the phone. I have talked about
methods that are used to get it from the actual institutions,
the same methods are used to defraud our citizens by phone, and
senior citizens are the most vulnerable because they grew up in
a generation that was polite and didn't just hang up the phone
on somebody.
Mr. Turner. Is there any source of compilation of theft
from bank accounts using any of these methods, or is this the
kind of information banks wouldn't like to talk about too much?
Mr. Douglas. Well, let me give you an example. There was an
information broker by the name, a company called Source One,
run by one individual by the name of Peter Easton out of New
York. The State of Massachusetts has been the most aggressive
in this area. They civilly prosecuted, I think, 10 companies,
and he was the only one that went to trial, and they found
thousands of cases in just his situation alone. Touchtone that
I talked about before from Colorado is currently under a
proceeding in the FTC and they also, when they saw his records,
found thousands of these cases. Docusearch employs 18 people,
Touchtone employed 12 or 18 people, and these are just one of
hundreds or dozens of companies around the country.
So you could work the statistics backward that way from the
few successful prosecutions and know that this is happening
thousands of times a day around the country, if that is
helpful.
Mr. Turner. Thank you, Mr. Chairman.
Mr. Horn. We thank you. Let me ask just a few questions to
the panel. I might say for my colleagues, if you pick out your
voting card, which is your identity card, the Social Security
number you have is printed on the card. So be careful.
Anyhow, how about the chance to look at H.R. 4049, the
Hutchinson-Moran bill. Do you have any suggestions on it? There
is the markup of the commission and their purposes and so forth
rather well set out. Dr. Appelbaum, do you have any thoughts on
it?
Mr. Appelbaum. Yes, I do, Mr. Horn. The composition of the
group is laid out in terms of its bipartisan nature. But I
think for the purposes of achieving true privacy protection, it
would be important to build into this legislation some balance
among the various actors in this area, since interests are
genuinely conflicting and everyone should be represented. The
National Committee on Vital and Health Statistics, which is
similarly charged to explore this area, has on it, although it
was balanced from a partisan perspective, no consumer
representatives, no patient representatives, no privacy
advocates, and one practicing physician, and it is that kind of
imbalance that we would hope would not occur with this new and
very promising privacy commission proposal.
Mr. Horn. So you are saying in the appointments by the
majority leader, minority leader, Speaker, and President, there
ought to be, the kind of person they pick would have some major
concern, maybe, on this particular matter. I don't know how the
gentleman who authored this feels.
Mr. Hutchinson. Well, first of all, I agree completely that
this commission should be composed of people that represent a
broad range of the stakeholders in this issue, and second, that
they are openminded to this issue. But the reason that was
not--when we thought about specifically delineating different
representatives on it that sure enough we will leave somebody
out, for one thing, and the balance of it, and I felt like, and
we have talked about this with Congressman Moran, that the
political process would work; in other words, these
stakeholders are going to be asking and putting pressure on the
appointing people to make sure they are represented on it. I am
certainly open, if we need, and we can do that fairly, to
delineate that, but that was the thinking, anyway.
Mr. Horn. You mentioned, Mr. Douglas, in your testimony
about the Colorado case, and you also mentioned what went on in
Virginia. Now, what are the penalties the States have? Have you
sort of taken a look at those? I want to tell the staff on both
sides that the American Law Division will be asked to give us a
paper on the penalties. But I wondered what your experience is;
just for this hearing.
Mr. Douglas. When it comes to the use of pretext and other
means of fraud and deception to gain information, most of the
States have nothing specifically on point. In fact, the Federal
Government didn't, until the Financial Information Privacy Act
under Gramm-Leach-Bliley, and that is specific to a very narrow
range of pretext methods used against financial institutions.
As I noted in my written statement, most of the information
brokers have figured out, or are either ignoring it or have
gone underground, unfortunately, that is quite a few of them,
or figured out other techniques that I am aware of to get
around it. Gramm-Leach-Bliley's enactment brought the first
Federal criminal provisions ranging from 5 to 10 years,
depending upon the dollar amount involved, or the size of the
company. But most of the States have nothing. There had been
really no prosecutions.
There is some argument that Federal or State wire fraud
laws might apply. Perhaps the identity theft law that Congress
passed a year or two ago might apply, but we have seen
relatively few criminal prosecutions at all. In fact, only 1
State criminal prosecution, no Federal criminal prosecutions,
and about 12 civil prosecutions under Deceptive Trade Practices
Act types of legislation the State mirrored on the FDC's
regulations, if that is helpful.
Mr. Horn. Have you had a chance to look at the Secretary of
Health and Human Service's temporary regulations in this area
and what the penalties are?
Mr. Douglas. I have not.
Mr. Horn. Have you had a chance to, Dr. Appelbaum?
Mr. Appelbaum. Yes, we have looked at them extensively.
Mr. Horn. Well, if you would like to file a statement for
the record, that is fine. We will do it at this point. Because
I realize sometimes in a hearing situation you don't have a
chance to really see the language and all the rest of it, so we
would welcome the thoughts from you, and your colleagues.
Mr. Appelbaum. We will do that.
Mr. Horn. To all of you I would ask, what is the extent of
the problem with the law enforcement agencies and how easy is
it to, let's be charitable and say provide incentives to them
to give some of this information, which I guess you could also
say are bribes. What has been your experience, Mr. Douglas,
with these cases?
Mr. Douglas. I am sorry, I misunderstood the question.
Mr. Horn. Well, the question is, when your friendly local
law enforcement agency has a lot of information and you, as a
private detective, what are your feelings about what your
colleagues do and maybe you do to gain information?
Mr. Douglas. I am with you now. The purchase or bribing of
information kept in Federal databases, including law
enforcement, that area has actually subsided quite a bit with a
round of prosecutions that took place around 10 years ago. It
was quite common in the private investigative industry to have
a friend in law enforcement, or many PIs are ex-law enforcement
who would obtain NCIC information, which is arrest and
prosecution records maintained in a Federal database. That has
really come to a close, because a number of people have been
prosecuted for it, so you don't see quite as much of that going
on today.
Mr. Horn. How about with insurance companies? Can they be
subjected to sort of getting information out of them to people
that maybe shouldn't have it?
Mr. Douglas. Absolutely, and their Web sites, I didn't
include any in my presentation today, but where I could go and
find out what your life insurance policy is valued at; any of
your insurance areas. I also didn't include in these charts
stocks, bonds, mutual funds. Any position that you can think
of, I can tell you a way to get it.
Mr. Horn. Well, we thank you. We have to get to the next
panel if we are going to adjourn at 12, so thank you very much.
We really appreciate the time you have taken and the wisdom you
have provided. I know, Ms. Twentyman, that it is really
something like a stalker that is out somewhere.
Our next panel consists of Professor Fred Cate, professor
of law and Harry T. Ice faculty fellow at the Indiana
University School of Law in Bloomington; Mr. Travis Plunkett,
legislative director, Consumer Federation of America; Mr. Ari
Schwartz, policy analyst, Center for Democracy and Technology;
and Sandra Parker, esquire, director of Government Affairs and
Health Policy, Maine Hospital Association.
[Witnesses sworn.]
Mr. Horn. All four, the clerk will note, have accepted the
oath.
So we will start with Professor Fred Cate, professor of law
and Harry T. Ice faculty fellow at the Indiana University
School of Law in Bloomington. Now, they have a school of law
also in Indianapolis, don't they?
Mr. Cate. Yes, Mr. Chairman, they do.
Mr. Horn. But is the main one at Bloomington?
Mr. Cate. They would resent the definition of ``main'' as
being in Bloomington; there are two separate law schools.
Mr. Horn. Well, you have a beautiful campus there in
Bloomington. I was a fellow there for a week, 30 years ago, and
it is impressive, what you are doing at Indiana.
Mr. Cate. Thank you, Mr. Chairman.
Mr. Horn. Please proceed.
STATEMENTS OF PROFESSOR FRED CATE, PROFESSOR OF LAW AND HARRY
T. ICE FACULTY FELLOW, INDIANA UNIVERSITY SCHOOL OF LAW,
BLOOMINGTON; TRAVIS PLUNKETT, LEGISLATIVE DIRECTOR, CONSUMER
FEDERATION OF AMERICA; ARI SCHWARTZ, POLICY ANALYST, CENTER FOR
DEMOCRACY AND TECHNOLOGY; AND SANDRA PARKER, ESQUIRE, DIRECTOR
OF GOVERNMENT AFFAIRS AND HEALTH POLICY, MAINE HOSPITAL
ASSOCIATION
Mr. Cate. Thank you very much.
Mr. Horn. As you know, your statements are in the record;
summarize it so we have time for questions.
Mr. Cate. I will do so. Let me say for the record, I
specialize in privacy and information law-related issues. I am
testifying today not only as somebody who specializes in that
area, but also on behalf of the Financial Services Coordinating
Council, which, as I believe you know, is an alliance of the
principal national trade organizations in each of the financial
services sectors that deal with issues that cut across those
sectors, including privacy.
I think, as the prior panel showed, and something which I
believe all of the members of this committee certainly already
knew, the issue of privacy is not only incredibly urgent, it is
also enormously complex. It arises in many different contexts,
it involves many different types of information, it involves
use of information by many different people. As a result,
efforts to deal with privacy issues, whether those efforts are
regulatory or legislative or technological, are themselves also
inevitably quite complex, and there are a great variety of
them. It is precisely because of this complexity and variety
that the comprehensiveness of the proposal for a privacy study
commission is certainly laudable. The idea of bringing together
in one place a focus on a wide range of issues is certainly
laudable.
Let me be very specific, however, and offer two comments
about the proposal itself.
One is the issue of what do you do about financial
information? Congress has just in the past year passed the
Gramm-Leach-Bliley Financial Services Modernization Act, that
has not even yet been implemented, regulations are currently
pending, and that bill itself calls for a study to be conducted
by the Department of the Treasury. The risk of duplicating that
effort or of rewriting one set of regulations before an
existing set even comes into play is a very great one and is
something that I think this bill and the Congress in
considering this bill will need to deal with explicitly. What
is to be done about the fact that this is an area in which we
have already recently undergone extensive regulation.
I might also note in relation to the prior panel, financial
services is an area that is already subject to considerable
regulation. It has Federal regulators, it has State regulators.
This is not an area without a framework of law that already
exists and it is one that Congress has recently taken
considerable steps to strengthen.
The second point that I would like to make is the one which
I believe was also made clearly on the last panel and that is
really the key need that if there is a privacy study
commission--the importance that its charge be broad, that it
not be limited only to looking at the urgent need for privacy
protection, but also at the cost of privacy protection, at the
cost of inappropriate privacy protection, and at the
alternatives to using laws or further regulation for privacy
protection.
Now, I think that is clearly captured within the pending
legislation. I am not in any way suggesting that change to the
bill as I read it, but rather highlighting the importance that
if this commission is to engage in what Representative Moran
called the ``thoughtful, deliberative'' process, it needs to
have that broad charge and to consider the value of information
flows, as well as some of the risk posed by those information
flows.
Let me stop there and allow for questions later.
[The prepared statement of Mr. Cate follows:]
[GRAPHIC] [TIFF OMITTED] T0436.033
[GRAPHIC] [TIFF OMITTED] T0436.034
[GRAPHIC] [TIFF OMITTED] T0436.035
[GRAPHIC] [TIFF OMITTED] T0436.036
[GRAPHIC] [TIFF OMITTED] T0436.037
[GRAPHIC] [TIFF OMITTED] T0436.038
[GRAPHIC] [TIFF OMITTED] T0436.039
[GRAPHIC] [TIFF OMITTED] T0436.040
[GRAPHIC] [TIFF OMITTED] T0436.041
[GRAPHIC] [TIFF OMITTED] T0436.042
Mr. Horn. Well, thank you very much, Mr. Cate. We will go
to Mr. Plunkett. Mr. Plunkett is the legislative director for
the Consumer Federation of America.
Mr. Plunkett. Good morning. Thank you very much for the
opportunity to offer our comments today, Chairman Horn, and Mr.
Turner. We commend the subcommittee for examining this
important issue.
We agree with everything we have heard so far on the
significance and urgency of further action on privacy
protection for Americans. I am going to commend Representative
Hutchinson, because we have talked, I have talked with his
staff and with him about our concern here. It is not that we
don't see a need for action with the commission and on privacy,
it is just a question for us of what is the most effective and
timely course of action.
I too will focus my comments on financial privacy and on
that issue in particular, we believe that a commission may
actually be harmful, not because of your desire to look at the
issue and address concerns, but because momentum is building
right now at the State and the Federal level to take action
soon. Our fear is that it will stall if a commission is
enacted.
Like it or not, if Congress establishes a commission to
examine privacy issues, many will urge, and we have already
heard it to some extent this morning, that all major privacy
proposals be stuck in a deep freeze for 18 months or more. The
commission has an ambitious schedule and they might run a
little over while the commission is operating.
We do very much welcome the fact that the sponsors of this
bill, Mr. Hutchinson in particular, see a need for further
Federal action on privacy, and I commend Mr. Hutchinson for
highlighting the need for more comprehensive Federal
approaches. The American people clearly want it. The Wall
Street Journal surveyed its subscribers about the most serious
issue facing America in the 21st century, and the top concern
was not the economy, education, or illegal drugs, it was the
loss of personal privacy.
On financial privacy, there is a great deal of research
about what Americans want, very specific research, including a
1999 survey by AARP, that found that 81 percent of its members
oppose the internal sharing of their personal and financial
information with affiliates, a key issue I will get to in a
minute, and 92 percent oppose companies selling their personal
information.
The erosion of privacy, which we are all aware of and
grappling with, leads not only to annoyances, and I put phone
calls from pushy people at dinnertime in that category, it can
be harmful. You have already heard a great deal about identity
theft, which I would call the signature crime of the
Information Age and the anecdotal evidence you have heard this
morning is backed up by research. Law enforcement officials
report a sudden sharp increase in identity theft.
Another example regarding financial privacy, how this
causes real harm, a bank in California's San Fernando Valley
sold 3.7 million credit card numbers to a felon who then
allegedly bilked card holders out of more than $45 million in
charges worldwide.
I would point out that consumers and businesses suffer when
Americans are worried about their personal privacy. This is an
issue that I think is very important to keep in mind. FTC
Chairman Pitofsky recently noted that concerns about privacy
are a major reason why Americans who do use the Internet don't
make purchases. He also noted that consumers who do not use the
Internet rank concerns about privacy as their top reason for
not going on line.
Now, the continuing gaps in financial privacy protection
are particularly serious, and we take really a much different
position than the previous speaker on this issue. Under Federal
law, even the new Financial Services Modernization Act, the
Gramm-Leach-Bliley Act, even our video rental records are
better protected than confidential experience and transaction
information held by financial institutions, in particular, held
by those institutions and shared with their affiliates.
Affiliate information-sharing is a very significant issue. We
all expect that under the Gramm-Leach-Bliley Act, we are going
to see the largest consolidation of the financial services
industry in American history. That means that we, in terms of
information-sharing and abuses and intrusions, what we have
seen is the tip of the iceberg. It is going to happen. Most
players in the market are honest, they are honest brokers, but
we are going to see more intrusion and we are going to see more
abuses.
One of the worst information-sharing abuses on record did
not involve the selling of information to outside third
parties; it involved an affiliate. This is the NationsBank/
NationsSecurities case, which resulted in a total of $7 million
in civil penalties. It was an inside affiliate-sharing
agreement. NationsBank shared detailed customer information
about maturing certificate of deposit holders with a
NationsSecurities affiliate, which then switched, urged the CD
holders to switch to a risky derivative fund. Many of these
customers who did this lost portions of their life savings.
Legislation to improve financial privacy protections has
been introduced in at least 20 States and in both Houses of
Congress. The bills in Congress are bipartisan, they are
bicameral. Senator Shelby and Representative Markey are leading
the charge and they have also set up, as many of you know, a
Privacy Caucus. Several folks here are members, including
Representative Hutchinson. Virtually all of these proposals
would provide that information could not be shared with either
an affiliate or a third party without informed consent.
Once again, I would dispute what you have just heard. This
isn't an issue that hasn't been studied, it isn't an issue that
hasn't been debated extensively. It is the unfinished business
of the Gramm-Leach-Bliley Act and the fact that so many States
are looking at this issue, and several are moving these bills,
they are not just introducing bills, and most of these bills
deal with the same topic. Affiliate information-sharing shows
me that it is a good idea to act soon and not wait for a good
deal of time.
I would note, even though I won't talk too much about this,
you are going to hear more about this in a minute, that
considerable progress has been made in terms of studying,
debating various proposals on health privacy and Internet
privacy as well. The Department of Health and Human Services,
for instance, has received 60,000 comments on proposed health
privacy regulations. The FTC has undergone numerous rulemaking
proceedings on Internet privacy and has supervised or actually
implemented several surveys as well.
So in closing, let me just say that to his credit,
Representative Hutchinson has clearly indicated that he doesn't
want to delay progress of important privacy legislation with
this commission. Our recommendation, and we have some modest
recommendations which I won't go into regarding the language of
the bill, but our broad recommendation is that the mandate of
the commission be narrowed to address very specific issues in
need of greater study.
I think you are going to hear in a minute of issues that
could be studied at greater length. We would urge those who do
support the bill to make it clear repeatedly and on the record
that the intent of the study is not to delay needed legislative
action on financial privacy and health privacy and Internet
privacy. Thank you.
[The prepared statement of Mr. Plunkett follows:]
[GRAPHIC] [TIFF OMITTED] T0436.043
[GRAPHIC] [TIFF OMITTED] T0436.044
[GRAPHIC] [TIFF OMITTED] T0436.045
[GRAPHIC] [TIFF OMITTED] T0436.046
[GRAPHIC] [TIFF OMITTED] T0436.047
[GRAPHIC] [TIFF OMITTED] T0436.048
[GRAPHIC] [TIFF OMITTED] T0436.049
[GRAPHIC] [TIFF OMITTED] T0436.050
[GRAPHIC] [TIFF OMITTED] T0436.051
[GRAPHIC] [TIFF OMITTED] T0436.052
Mr. Horn. Thank you. We now have Mr. Ari Schwartz, policy
analyst for the Center for Democracy and Technology. You might
tell us a little bit about that institution.
Mr. Schwartz. Sure. Thank you, Chairman Horn and members of
the panel. Thank you for inviting me to testify on the Privacy
Commission Act.
CDT believes that the focused privacy commission could help
build privacy protections, but as Representative Hutchinson
mentioned earlier, it should not be used to derail the current
process on important legislative proposals already in front of
Congress.
Before going into detail about how such a commission might
work, I would first like to explain CDT's view of the current
state of consumer privacy. As some of you know, the Center for
Democracy and Technology is committed to protecting privacy on
the Internet. Recent studies have shown that individuals are
growing more concerned about their loss of privacy, both on and
off line.
These growing concerns are well-founded. Stories of privacy
invasions and security gaps in both the private and public
sector are becoming almost daily occurrences. CDT believes that
work in three areas, three legs of a stool if you will, are
needed to help reverse this trend and build privacy protections
for the future.
First, CDT is working with many responsible companies,
privacy experts and technologists on privacy-enhancing
technologies which are necessary to build privacy into the
infrastructure of communications technology such as the
Internet and reverse the trend that we have been seeing so much
of with privacy-invasive technologies. For example, we are
working on a standard with the World Wide Web Consortium called
the Platform for Privacy Preferences, or ``P3P'', which would
make privacy notices easier to read.
Many companies are beginning to build P3P into their
Internet products. For example, last week Microsoft announced
that it has plans to implement P3P in its upcoming consumer
software products. Self-regulatory efforts by industry are also
important to ensure enforcement on the Internet. As the economy
becomes more global and decentralized, responsible practices
become an increasingly important tool.
Last, we believe that there is a role for Congress.
Legislative approaches are needed. Without the means to imbed
fair, predictable results, better encourage self-regulation, or
go after bad actors in law, CDT fears that the actions of a
single company could cause the public to question the motives
of an entire industry. For the reasons that we have heard
today, this is especially important in the financial, health
and Internet areas.
Congress must move forward in these areas in particular.
A commission such as the one proposed could help learn how
to protect privacy. In fact, over the past 30 years, we have
seen various kinds of commissions at the U.S. Federal level. I
have detailed those in my written testimony in the appendix.
However, while the theoretical work of these commissions and
panels have pushed privacy forward worldwide, the U.S.
consumers have very little to show for it. Therefore, we urge
you not to duplicate the work of those past committees and
panels, but to move forward and focus the panel on issues that
have not been studied.
Some of the areas of special interest to this subcommittee
may be: revising the Privacy Act of 1974. As early as 1977, a
congressional commission found that the Privacy Act, which
protects personal information within the Federal Government,
was not as effective as it should be. The act should be
examined again and recommendations should be made in light of
the advent of government's use of the Internet and the spread
of the Social Security number which we have already heard a
little bit about today.
Public records such as driver's license information and
court records and other information that Mr. Douglas brought
forward would also be a useful area to study. We need to
reexamine how the government information is made available to
the public. The claim that a government document is hard to
find can no longer be used as an excuse to keep personally
identifiable information available to anyone to sell or use as
they wish.
Similarly, government at all levels should be encouraged to
post more public information to the Internet. With jurisdiction
over both the Freedom of Information Act and the Privacy Act,
the two great government accountability and openness acts of
the past century, this discussion should be of great interest
to this subcommittee in particular.
On access and security issues, the commission could help
Congress use the findings of the FTC advisory committee which
is just finishing its work on these subjects.
Last, a commission could examine the effectiveness of an
individual's private right of action under privacy laws. While
the private right of action should remain an integral part of
privacy laws, we have seen time and time again that when this
is the only option for Americans, they receive no redress.
Again, this concern is most clear in the application of the
Privacy Act of 1974.
Creating a commission focused on these areas would allow
its members to build on the work done in the past. While
focusing the commission would better help use taxpayer dollars
and allow us to further learn about privacy, the most vital
concern facing the creation of a new congressional commission
is a political one, as we have heard from Mr. Plunkett and Mr.
Hutchinson. The commission must not be used to delay or deter
from the discussion or progress of medical, financial or
Internet bills that have already been mapped or studies.
I thank you again for having me and look forward to your
questions.
[The prepared statement of Mr. Schwartz follows:]
[GRAPHIC] [TIFF OMITTED] T0436.053
[GRAPHIC] [TIFF OMITTED] T0436.054
[GRAPHIC] [TIFF OMITTED] T0436.055
[GRAPHIC] [TIFF OMITTED] T0436.056
[GRAPHIC] [TIFF OMITTED] T0436.057
[GRAPHIC] [TIFF OMITTED] T0436.058
[GRAPHIC] [TIFF OMITTED] T0436.059
[GRAPHIC] [TIFF OMITTED] T0436.060
[GRAPHIC] [TIFF OMITTED] T0436.061
[GRAPHIC] [TIFF OMITTED] T0436.062
[GRAPHIC] [TIFF OMITTED] T0436.063
[GRAPHIC] [TIFF OMITTED] T0436.064
[GRAPHIC] [TIFF OMITTED] T0436.065
[GRAPHIC] [TIFF OMITTED] T0436.066
[GRAPHIC] [TIFF OMITTED] T0436.067
[GRAPHIC] [TIFF OMITTED] T0436.068
Mr. Horn. Thank you very much. We will get back to
questions.
Our last panelist on panel two is Sandra Parker, esquire,
Director of Government Affairs and Health Policy, the Maine
Hospital Association. Thank you for coming down.
Ms. Parker. Thank you for having me, Chairman Horn. We
represent 38 main hospitals and their affiliated entities. I am
here today to tell you about Maine's experiences in
legislatively protecting the confidentiality of health care
information, a small subset of the information referenced in
H.R. 4049, but one that is particularly near and dear to us.
Our members, and I think everyone in this room firmly
believes that health care information is very private and it
needs to be protected against inappropriate disclosures. Dr.
Appelbaum did a fine job explaining the reasons and concerns
people have, and I am not going to reiterate any of them, but I
will tell you in recognition of those concerns, our hospitals
have always had policies in place to protect the information,
because we think it is important, and we will continue to have
the policies, no matter what happens in Augusta, ME or
Washington, DC.
The Maine Legislature agreed with us. In fact, they wanted
to see every health care practitioner have those practice and
policies in places to protect the information, and they felt
that the Maine citizens would benefit from a statewide
consistent privacy standard in applying to everyone. So they
began.
In January 1997, they took up the very difficult task of
translating those protective ideals into legislative language.
Their initiative would apply only to health care providers in
an effort to protect health care information at its source.
Respecting the complexity of the task before them, they worked
with a professional facilitator and met every 2 weeks with
interested parties and a facilitator to exhaustively study the
issue and try to anticipate all of the concerns. They worked
through the spring, they worked through the summer, they worked
through the fall and into the next year. Our dedicated
legislators worked for 2 years to develop a bill just on health
care information and studied it extensively.
Still, consensus was hard to find, and it wasn't until the
final hours of the session in the 1998 session that a
compromise bill was quickly passed through the House and
Senate. It was to be effective January 1, 1999.
As we reviewed the bill and prepared to help our members
comply with the anticipated new law, we began to uncover some
unintended and troublesome consequences, despite their extreme
hard work.
I would like to just briefly illustrate a couple of those,
nowhere near what is in my written statement, but just a quick
illustration. To do that, I need to tell you three provisions
of the law. First, health care information is defined very
broadly and intentionally so. They didn't want any health care
information to fall through the cracks. So they defined it as
any information that identifies an individual directly and
relates to their physical, mental, behavioral condition,
medical treatment, personal or family history. It sounds like a
terrific definition. We still stand by it, but it caused us
some problems.
The second piece I would like you to know is that with
certain exceptions, the law required written authorization from
the patient or their legally appointed representative before
any disclosures could be made. Again, that sounds terrific, and
again, it gave us some problems I would like to tell you about.
The third piece you need to know is that written
authorization is a defined term in our statute. They
specifically denote the elements of a valid authorization and
nothing else will do. It must be written and it must have those
elements.
Well, nowhere in the law did they reference directory
information, and what I mean by that is if you find out that
your good friend Sandra Parker is in the hospital and you call
the medical center and ask how I am doing they tell you that I
am in room 222 and in satisfactory condition. Our law never
mentioned directory information, but confirmation that I am in
the hospital and saying that I am in satisfactory condition
relates to my medical treatment and physical well-being and,
therefore, falls within the definition of health care
information, therefore requires written authorization from me
specifically in order to release it. So, that is what we did.
There were delays, however, and when people were in the
emergency room and they hadn't gotten to their routine
paperwork yet and they said to their care giver could you go
out and get so and so from the waiting room, we would have to
say, well, no, we can't, because we can't tell them you are
here until we get to the paperwork and sign the forms. They
could not tell us. Oral authorization was not enough, it had to
be written. Unless and until that paperwork was done, visitors
couldn't be directed, clergy couldn't be called, phone calls
couldn't be transferred, flowers couldn't even be accepted.
It sounds like a good idea, but in practice we received
many, many complaints about it.
The idea that oral authorizations were not allowed was a
problem for us. Maine residents often spend the harsh winter
months in more temperate climes and would like to call their
physicians or hospitals and get their medical records
transferred and that option was completely removed from their
control. They now had to get a special form with statutorily
required elements, fill it out, sign it, date it, send it back
to their provider before the provider could direct the records
to the right place.
The other major problem that we had was that the
authorization of disclosure was given only to the patient and
their legally appointed representative. That was also done
intentionally, for good reason. We don't want anyone else to
have control of that information. However, many, many people
don't have legally appointed representatives, and by that I
mean a guardian, a court-appointed guardian, someone with power
of attorney, someone under an advanced directive statute. What
we found was that when people didn't have a representative, a
legally appointed representative and were unable to sign their
paperwork, because they were too ill, they were medicated, they
had a stroke, whatever it was, we had nowhere to go. We could
release no information to anybody under any circumstances.
So despite great effort, there were some problems. We
approached the sponsor of the bill and we worked with her to
amend it, and we submitted a bill, but before the legislature
could reach our bill, the law went into effect on January 1, as
scheduled, and the day it went into effect, the legislators'
constituents began to call, and they called, and called and
called and complained, so much so, so adamantly so, that the
legislature suspended the law after it was in effect for just 2
weeks and went back to the drawing board. There was extensive
discussions about maybe not going forward at all, maybe we
should wait for a Federal law, maybe we didn't need it, maybe
it was an impossible task. But it was so important, so, so very
important that the legislators, to their credit, gave it
another try. They worked on it for 6 more months and amended
the law.
The amended law went into effect February 1, just a couple
of months ago. So far, it seems to be effectively protecting
information without provoking consumer outrage. Perhaps we will
have more to do. We are still learning our lessons. But it is
something that everyone in Maine believes in, and we will keep
trying. It is that important.
Thanks.
[The prepared statement of Ms. Parker follows:]
[GRAPHIC] [TIFF OMITTED] T0436.069
[GRAPHIC] [TIFF OMITTED] T0436.070
[GRAPHIC] [TIFF OMITTED] T0436.071
[GRAPHIC] [TIFF OMITTED] T0436.072
Mr. Horn. Well, that is very helpful experience.
Let me ask you, what is the most important privacy issue
you have confronted, either with the clientele you represent,
or just your own experience? So let's just go down the line,
Professor Cate.
Mr. Cate. I guess I would say the single most important
privacy issue is trying to find a solution to problems that are
not clearly defined. So we talk about opt in and opt out, and
things like this. In other words, we have a lot of terms on one
side of the equation, tools for protecting privacy, without
being clear about what it is we are trying to accomplish. I
think that was exactly the issue Congress faced with Gramm-
Leach-Bliley.
Mr. Horn. Mr. Plunkett.
Mr. Plunkett. Well, I will stick with our theme since it is
our focus on financial privacy. One of the things I didn't
mention which has been touched on by a lot of the speakers and
is in our testimony is that the standards, the principles, the
building blocks, if you will, for strong privacy protection are
fairly well-known. In fact, they are reflected in the 1974
Privacy Act. They are called fair information practices. One of
the most important is that the information that you provide
should not be used for a secondary purpose. That obviously
means for a purpose other than for which it was given.
Our concern, once again, with financial institutions is
that if you open a bank account, you may not know that your
bank is affiliated or soon will be affiliated with an insurance
company, and there are abuses that can occur there, and I think
the NationsBank/NationsSecurities example I gave illustrates
that. But there are also problems when cross marketing occurs,
because that insurance company, in our opinion, shouldn't have
your account transaction and experience information, because
that is not the purpose for which you gave them the
information.
So to answer your question, I think applying the fair
information practices to all of these issues, it can get
complicated when you are dealing with the details, no doubt.
But the hardest thing for us is to ask people to back up and
say, well, don't forget the principles. They are fairly well
established, they are fairly well-known, accepted, and please
use them.
Mr. Horn. Mr. Schwartz.
Mr. Schwartz. I would say I have three areas. First,
children's privacy is very important, because they--it has been
shown that they are not really sure what they are consenting to
when they actually do consent to something, medical privacy,
because the information is so vital, and last information that
is held by the government, because there are so many vital
services that are needed when you turn over that type of
information.
So those three areas are really in terms of if you are
going to do a tiered approach, those three areas would be the
first place to focus in our minds.
Mr. Horn. Ms. Parker.
Ms. Parker. At least from our experience, the most
difficult piece of protecting this information was the balance,
the balance between necessary and desirable communication and
the balance against the time that it took to get written
authorizations to release the information.
Mr. Horn. Well, I thank you for those answers. I noticed in
one of the papers here, I believe it was Mr. Schwartz' one,
where you noted the updating of the Privacy Act of 1974, and
you made a point here that the quote, to make matters worse,
the Office of Management and Budget has not updated its Privacy
Act guidance since a year after the act was passed.
What do you feel is the reason for that, and what do you
think they ought to do in updating?
Mr. Schwartz. Well, it has only been a year since the OMB
has gotten a Chief Counsel for Privacy, so hopefully we are
moving down that path. This past year we also had all of the
agencies right there on Privacy Act implementation, where they
stand on the reports, and the OMB and the Chief Counsel for
Privacy in particular will be handing out a final report based
on those to the Congress.
Also, GAO is looking into privacy-owned government Web
sites, another important issue that should be covered by the
Privacy Act more than it is, but as I said in my written
statement, the Internet--the Privacy Act wasn't designed with
the Internet in mind. So we really do need to reexamine the
Privacy Act. I think this kind of commission would be a perfect
venue to do that, and it certainly would be great to have more
oversight hearings on the Privacy Act when OMB's report moves
forward.
Mr. Horn. Mr. Plunkett, is there legitimate need to
exchange information between the banks and third-party
affiliates, specifically for the various life needs, like check
printing and credit billing in small community banks, and
wouldn't you agree that these need to be known before laws are
enacted which could have unintended consequences, which could
cripple entities such as the small community banks?
That is a question that Mr. Hutchinson has left for me to
ask, because he had to go to another meeting.
Mr. Plunkett. That is a good question. The legislation that
Mr. Markey and Mr. Barton have introduced allows for explicit
approval for the financial institutions to share information
when it is for the intended purpose; that is, if you are
opening up a checking account, they can certainly share your
checking account information to those that are printing your
checks. That is a fairly, I think a fairly easy problem to fix
and absolutely there is a legitimate reason in that
circumstance to share information.
Mr. Horn. Any other comments on that by anybody? Professor
Cate.
Mr. Cate. If I may just say, Mr. Chairman, I think the
difficulty here is that there are a lot of uses that we might
consider valuable that aren't that immediately obvious. For
example, fraud prevention or detection, monitoring accounts to
determine if there are charges out of the ordinary, monitoring
an account to determine whether that customer is speaking to a
balance in a noninterest-bearing account--these are all things
which we could debate on whether it is within the purpose for
which the person originally disclosed the information. I think
we would also all consider them to be valuable uses. I think
this really sort of highlights the complexity here.
I obviously disagree that this issue has been thoroughly
and well studied and we now know what to do and should do it. I
think the fact that you have 22 States that have introduced 22
different bills, none of them agree on what to do and how to do
it, and in fact a large part of that is that we have so little
sense, I think exactly what the Maine experience showed. It was
easy to focus on the privacy side; it was very hard to focus on
what are all the valuable, useful things we do with useful
information every day that we don't want to put a stop to.
Mr. Horn. Thank you. Well, thank you. I just have one
question before I yield to Mrs. Maloney.
Some of you have had experience on the privacy laws abroad,
and I am curious what your thinking is on the European
Community's privacy laws. You will recall the European
Community asked all of their Member States to put together a
privacy law about 2 years ago, and then they put it off for a
while, and there were real concerns in this country in terms of
the free flow of data between corporations of the United States
subsidiaries in Europe and European subsidiaries in the United
States, and that was one of the reasons they put it off.
I just wondered what your thinking is there, and would that
have made a major impact on the economy. Again, they wanted, I
guess even a census date that the individual signed the form,
which sounded a little much. But go ahead.
Mr. Cate. Well, Mr. Chairman, thank you. I think the answer
is absolutely it would have made an enormous impact on not only
the economy of international trade between the United States
and Europe, but also within Europe, which is probably why
Europe has really not implemented the directive. Half of the
countries haven't implemented it at all, they have not even
made the pretense of implementing it. The others have
implemented laws which we are told by data protection
commissioners in Europe are not being enforced currently.
So, for example, if you read the law, what is the law today
in England, Greece, or Portugal, it would tell you that the law
is opt in affirmative consent. You must get consent, for
example, from every employee in writing before you process
their data. What we know is that is not taking place in any of
those countries, that in fact they are simply using a slightly
different mechanism than we use. We tend to write exceptions
into law; they are simply putting those exceptions into
practice.
Mr. Horn. Any comments on that, Mr. Plunkett?
Mr. Plunkett. I would note that in the so-called safe
harbor negotiations, many of the same entities, financial
institutions in particular, that talk about the expense of
complying with meaningful privacy protections, and by that I
mean privacy protections that extend to affiliates which I
spoke about earlier and information-sharing to affiliates, many
of the same companies that are objecting there are willing to
go along with an agreement that is close to being consummated,
the so-called safe harbor agreement, that will provide European
customers of American institutions with greater privacy
protection than with American customers.
Mr. Horn. Now I yield to the gentlewoman from New York. It
is good to see her here, a former ranking member.
Mrs. Maloney. Great to see you, Mr. Horn, and thank you for
calling this important hearing. I would like to request that my
opening statement be put in the record.
Mr. Horn. Without objection, it will be put where all the
opening statements were, as if read.
Mrs. Maloney. Thank you. Then I would like to just ask a
few questions. I am not against this bill, but I hope that the
intent is not to stop other protections from going forward, and
the protections that we already have in place.
Last year, as a member of the Banking Committee, I had an
opportunity to participate in the conference on the Gramm-
Leach-Bliley Financial Services Reform Act where we had a
considerable debate over issues related to the privacy of
financial institutions and passed some privacy protections for
consumers of financial institutions. These regulations have not
even been in place yet. Shortly over 2 billion consumers will
be receiving privacy notices in the mail, and my question is,
would this commission in any way halt or hinder this work that
we have already done? This commission?
Mr. Cate. Well, if I can speak to that, I would say
certainly, you know, our view is that it should not.
Mrs. Maloney. So it would not. Is that clear in the bill?
Mr. Cate. I believe there is no language in the bill that
would suggest it has the power to stop the implementation or
that it is the intent of Congress to stop the implementation of
any existing law. You might even argue further, I mean this
would suggest to me why, if the commission goes forward, you
would probably want people on it, some of the members of it, to
be involved in the implementation of that law, to bring the
experience of that process to the commission.
Mrs. Maloney. I would like to mention----
Mr. Plunkett. Could I respond as well?
Mrs. Maloney. Sure. Anybody can comment.
Mr. Plunkett. I would agree that the intent of the act is
not to inhibit implementation of the Gramm-Leach-Bliley act. I
would note, though, that the regulations that are ongoing don't
deal with the significant flaw in the act that these State
bills and the Federal bills have identified, which is the
affiliate-sharing loophole.
Mrs. Maloney. But a number of States are going forward with
their initiatives, as I understand it, is that correct?
Mr. Plunkett. Well, they are moving through the process,
including in New York, from what I understand.
Mrs. Maloney. Now, I would like to ask about another issue.
We actually had several hearings on this particular matter, the
Health Insurance Portability Act, a 1996 act. It provided that
if Congress was not able to reach consensus and enact
legislation on medical privacy by August 1999, the Secretary of
Health and Human Services would come forward with medical
privacy regulations to ensure that Federal medical privacy
protections are in place. Since Congress failed to meet the
August 1999 deadline, the Secretary is now, as we sit here, in
the process of finalizing medical confidentiality regulations.
I would just like to ask the members of the panel, do you
believe that if a privacy commission were created, the
administration should delay moving forward with these
regulations until after the commission completed its report? I
would like to really--you know, in other words, the question I
am asking is one that--would this in any way hinder work that
is already in place from going forward or stop other
protections from going forward?
I don't know if the proper person to ask is the panel or
Mr. Hutchinson himself, but you know, the fact that we have
been working in this committee actually since 1996 and that
these are supposed to come forward, I believe, shortly, would
this in any way hinder that from going forward in?
Mr. Hutchinson. If the gentlewoman would yield.
Mrs. Maloney. Absolutely.
Mr. Hutchinson. The answer is no. There was some discussion
and some urging to put in the commission bill a moratorium on
other regulations and legislation moving forward until the
commission did its work, and we specifically rejected that,
because again, I view this commission and this legislation as
complementary and not as a substitute. So there would not be a
prohibition there. In fact, I think many of those will be
adopted this year, won't they?
Mrs. Maloney. Well, yes, they are supposed to come forward,
and as we mentioned while you were not in the room, the
financial services bill, the bipartisan Leach-Bliley bill had
privacy for the financial institutions, and they are in the
process of coming forward with them, and as I mentioned,
roughly 2 billion consumers will be getting notices. This will
not in any way hinder the work of the Banking Committee on the
privacy issue?
Mr. Hutchinson. The answer is it will absolutely not
interfere.
Mrs. Maloney. Now, obviously, who is on this commission is
going to have a lot to do with how well it operates. I
understand from reading it that there is no criteria for the
commission's membership.
I would just like to ask Mr. Cate, Mr. Plunkett, and Mr.
Schwartz, what are your ideas of criteria for membership on
this, and what do you think would be the appropriate criteria
for membership on the commission?
Mr. Schwartz. I will address that, partly because I
addressed it in my written testimony and was not able to
address it orally.
Mrs. Maloney. I am sorry. I missed it then.
Mr. Schwartz. We think that it is very important that
consumer groups, privacy advocates, and the other--along with
many of the other groups that would be affected in the
financial health industries be represented on the panel. We
have specific concerns that the schedule for the panel, 20
meetings in 18 months, is really quite a heavy load for--
particularly for consumers groups and civil liberties groups,
because even the time constraints on limited staff resources
can be very difficult, so we hope that that can be addressed as
well.
Mr. Cate. If I may also respond and wholly join in that
comment, I think one of the assumptions is that if a commission
goes forward, it has a tremendous amount of deliberation to do,
that it is not so much unearthing new information, it is
working out ways of working with existing information. I think
one of the things that would be of concern in the bill is the
requirement for 20 hearings in five different locations in 18
months, that it would be preferable to have this commission be
able to spend a greater amount of its time in deliberation as
to how to reconcile these issues as opposed to engage quite so
much as a fact-finding body.
If I may also just add one point: in addition to the
representation along types of groups, consumer groups, industry
groups and so forth, I too would reiterate the point that I
think it is important that the experiences that the members
bring to the table, whether those are experiences from business
or industry or consumer groups or academia, it makes no
difference, that those experiences reflect a broad range of
interests and approaches to privacy; that what you don't want
is a group of people who are all focused on privacy, but just
from different points of view, since we have clearly I think
come to understand that these privacy issues touch on, as the
Maine experience shows, so many other realms of our lives that
you would want that well represented.
Mrs. Maloney. Just as a followup, Mr. Cate, in reading your
testimony, you stated that the commission's work might
duplicate the Treasury study on Gramm-Leach-Bliley on financial
privacy. Do you think that the commission is unnecessary as a
whole, or just unnecessary with regards to the financial
services industry? Could you sort of clarify your thoughts on
that?
Mr. Cate. Yes. Unfortunately, I can only make them as clear
as they are, and you may find that they are somewhat befuddled
to start with. I think it is very important that the commission
not duplicate existing work, and I think there is a real risk
with the Treasury study under way currently that you would not
want the commission to do the same type of study.
Mrs. Maloney. When is the Treasury supposed to complete
their study, do you know exactly?
Mr. Cate. I believe they have another full year to complete
it. So there would be some overlap potentially between the
commission and the Treasury study. That is true in other areas
as well. I mean there are certainly other studies and other
studies done in the past. I don't think you want any of those
duplicated.
I think that doesn't put an end to the question, though.
The question is, if there is a commission, how can it build on
the work that the Treasury is doing. There would be a variety
of ways. I mean one way would be to exclude financial
information, to say look, the Treasury has been dealing with
that, we are going to leave that out. Another way would be to
say include financial services information, but with particular
attention to not sort of going through the same types of
hearings, the same types of deliberation, but rather to draw on
what the Treasury and other financial regulators are doing. I
am sure there are many other ways of doing that. That is
instruction it seems to me Congress would want to give either
through legislative history or the legislation.
Mrs. Maloney. Is my time up, Mr. Chairman?
Mr. Horn. Go ahead.
Mrs. Maloney. Thank you, Mr. Chairman.
You made a statement about the valuable--useful use of
information, and I think one of the most startling things in
our country now, and really in our economy and in our life, is
just the fast-changing pace of the so-called information age.
We have had hearings on many of the things that may be driving
these tremendous, or one component, the tremendous success of
our economy is this whole information age that is allowing so
much to happen so quickly.
Would you elaborate in your statement on really not wanting
to curtail the use of information and being able to grow on
this new phenomena, but also to protect privacy and some of the
valuable, useful uses of information that we don't want to
hinder in the growth of possibilities for individuals and
really growth of our country?
Mr. Cate. Well, yes. Thank you. Let me offer two responses.
One is I think it is critically important that we do a better
job, and by we I mean all of us. Certainly academia bears a
shared responsibility, for not having engaged in the type of
research as to how we use information. We really know very
little about that. We know a lot about privacy, we know very
little about, if you will, the infrastructure uses of
information. How does a business, how does Congress use
information about individuals and in what ways does it benefit
our lives? What are ways in which--public records is a good
example that was raised earlier. In the financial services
context, I think that type of an investigation has really first
begun.
I did a study which was published just a month ago now
which was just the tip of the iceberg in looking at the types
of beneficial uses that come out of allowing relatively
unhindered access to basic personal information. Who has an
account, where, what do they use it for, etc. The best example
of that is probably fraud prevention, that if we can look
across accounts, you see patterns of consumer behavior, which
then when you see anomalies, may alert the bank or the credit
card issuer or whomever to the fact that there is something
here that that consumer may need to be notified about or there
may need to be further inquiry.
As we heard on the first panel, given that it is the
businesses and then ultimately consumers that sustain those
losses, that cover those losses where there is fraud, for
example, allowing that type of use seems important. But I think
the second response was more the process response. I think that
is why if there is to be a commission, or if there is not to be
a commission, it is important that we all be engaged more in
the process of figuring out what are the other uses of this
type of information. They may be as pedestrian as confirming
where to make a flower delivery for a patient in the hospital,
but that really matters to real people who are in distress.
Mr. Plunkett. Could I just jump in and say that nothing in
any of the financial privacy proposals that we or I believe
anybody supports would prevent fraud prevention or inhibit
fraud prevention. It is important also to note the increasing,
again, uneasiness that Americans have about erosion of their
privacy. I do not want anybody to get into this situation where
they are putting privacy at odds with economic interests. As I
mentioned before, when it comes to, for instance, being at ease
with electronic commerce, privacy protection may actually be
the best thing for more people using the World Wide Web and the
Internet, and taking advantage of electronic commerce because
they won't worry that their privacy is being violated.
Mrs. Maloney. Well, I appreciate your testimony. My time is
up. I would just appreciate, Mr. Hutchinson, if in the, I don't
know, intent or some place in the bill you would let it be
clear that you in no way want to hinder the work going forward
from the 1996 Health Insurance Portability Act on privacy and
also the work of the Banking Committee on the Gramm-Leach-
Bliley, so that it doesn't hinder this work going forward.
Mr. Horn. We are going to have a markup on this. That might
come up there. I will tell you, if this commission doesn't
pass, there won't be much passed, because they have had
numerous privacy bills in the Senate, in the House; they have
gone nowhere, except the one on the banking and the human
services regulations issued by the Secretary. So I look on it
the other way, that this is the way to get a privacy law on the
book, is get that commission moving.
I thank the gentlewoman for being here.
The last word I will give to the prime author of the
legislation, Mr. Hutchinson. I want to say that both the
Democratic side and the Republican side will be forwarding you
and the first panel some questions that we haven't been able to
get to. We hope you will write the answers and they will go in
this part of the record.
In addition, we will keep the record open to any citizen
for the next 2 weeks, roughly 14 days.
So please send it to the staff. It is B-373, I believe. The
chief counsel and staff director, Mr. George, is over there,
and we will work it out with everybody as to the questions and
they will go into the official record.
So I now yield for the last word on this subject for 5
minutes to the gentleman from Arkansas.
Mr. Hutchinson. I thank the Chairman. Again, I want to
express my appreciation for this hearing, your willingness to
schedule a markup on this legislation. I just want to make a
couple of comments. First, I want to thank Ms. Parker for being
here and testifying on this and giving us the experience from
Maine. I think that is very instructive and helpful as we look
at this in Congress and our responsibility.
There has been some questions about the criteria for
membership, and I would emphasize that, you know, this can be
changed; obviously, that is what the markup is for, and if
wisdom prevails that we ought to specify different criteria for
involvement in this commission, then I am certainly open to
that. But the reason that was not included is, as I stated
before, there is always a fear of leaving someone out. I can
just see itemizing who should belong to this commission and
someone coming up and saying, well, how about our group, or how
about this particular stakeholder. So you start down a risky
path.
The other reason is that it is consistent with other
commissions in the past that you leave the particular makeup of
the commission to the appointing officials and allowing a
bipartisan consensus to develop on it. So I would expect that
all of the important stakeholders should be and will be
represented on the commission. But again, if we need to be more
specific than that, then that might be an option.
The second issue, and I want to talk to Mr. Plunkett for a
moment, and I very much appreciate your testimony today, and I
specifically wanted you on this panel because I knew you
disagreed with the commission. I think it is important as you
consider legislation that you hear from both sides. I
appreciate your work on privacy. You and I can get together and
we can push some of these bills through and we can get some
passed this session, but there are a lot of other players out
there, and I think in fact because it could be a short
legislative session, it is going to be difficult, as the
chairman said, to develop a consensus on an individual bill.
But it is very important that this not be used as an excuse not
to continue passing some privacy regulations or some privacy
initiatives.
I see this as complementary. If you passed everything on
your wish list, Mr. Plunkett, this year, I still think we need
a privacy commission, because you still have on-line privacy
issues, you have developing technology, you have got new
criminals out there that create new methods of invading
someone's privacy. So I think that we need to see how the laws
that we passed are going to work, we need to see how the FTC
and the other regulations that are being considered on
financial privacy, how they are working out there, and that is
part of the function of this commission, to see what
supplementary we need to do.
For example, Mr. Plunkett, I mean there is the opt-in, opt-
out question right now, am I correct?
Mr. Plunkett. Oh, yes.
Mr. Hutchinson. And so if there is not--I mean the
regulations that are going to be adopted are going to be under
the--where you have to specifically opt out, is that correct?
Mr. Plunkett. In some cases. In other cases it won't be
allowed, yes.
Mr. Hutchinson. So if you want to change that, unless we
pass some legislation, the commission would have to look at
that.
Now, I think the debate was whether we should even look at
that at all, because it is already under consideration by an
ongoing regulatory body, and I think that is a fair
consideration we need to talk about some more. But regardless
of what we pass, I see the need for a commission to look at the
new challenges in the future, and to look at it comprehensively
rather than just sectorially, what are we doing in financial
privacy, what are we doing in health care records and what are
we doing with on-line. It intersects and cross-sections each
other. So that was the purpose of it.
I know that was a little bit of a speech----
Mr. Plunkett. After my speech, you have a right.
Mr. Hutchinson. So thank you again, Ms. Parker and
gentlemen, for your testimony today. I yield back, Mr.
Chairman.
Mr. Horn. I thank the gentleman very much. I hear the
gentlewoman from New York has one question.
Mrs. Maloney. Mr. Chairman, I have another item that really
came out of the Banking Committee and I would like to ask Mr.
Hutchinson for clarification. I would like to see it in this
bill, and I am waiting to see the final language, but I am not
against this bill and will probably support it.
But one thing that we were very concerned about is that
each State is different in their financial services, very
different. So States wanted the freedom to come forward with
stricter provisions and insurance or privacy or banking or
their own special needs, and in your bill, do you see that this
would not in any way hinder the ability for States to go
forward with stricter provisions?
Mr. Hutchinson. No. The commission will have to look at
what the States have done, consider their approach, and
consider whether you want to have a comprehensive Federal
approach, or where you have a Federal floor which is
supplemented by the States.
Mrs. Maloney. That is what we supported in Banking.
Mr. Hutchinson. And that would certainly be my inclination,
but that is something that the commission would have to debate.
Mrs. Maloney. Thank you.
Mr. Horn. I thank the gentlewoman. I would like to thank
the staff on both sides. Let me just go down the line. The
staff director, chief counsel for the House Subcommittee on
Government Management is Russell George; the counsel next to me
for this particular hearing is Ms. Bailey; Bonnie Heald,
director of communications back there; and Bryan Sisk, clerk;
and Ryan McKee, staff assistant; Michael Soon, intern; and Mr.
Turner's counsel is Trey Henderson, counsel; and Jean Gosa,
minority clerk; and Julie Bryan is our faithful court reporter.
So thank you very much for being with us.
With that, we are adjourned.
[Whereupon, at 12:20 p.m., the subcommittee was adjourned.]
[Additional information submitted for the hearing record
follows:]
[GRAPHIC] [TIFF OMITTED] T0436.073
[GRAPHIC] [TIFF OMITTED] T0436.074
[GRAPHIC] [TIFF OMITTED] T0436.075
[GRAPHIC] [TIFF OMITTED] T0436.076
[GRAPHIC] [TIFF OMITTED] T0436.077
[GRAPHIC] [TIFF OMITTED] T0436.078
�