CONSUMER FINANCIAL PRIVACY
THURSDAY, SEPTEMBER 18, 1997
House of Representatives,
Subcommittee on Financial Institutions and Consumer Credit,
Committee on Banking and Financial Services,
Washington, DC.
The subcommittee met, pursuant to call, at 10 a.m., in Room 2128, Rayburn House Office Building, Hon. Marge Roukema, [chairwoman of the subcommittee] presiding.
Present: Chairwoman Roukema; Representatives Bereuter, Metcalf, Kelly, Redmond, Vento, C. Maloney of New York, Barrett, Roybal-Allard, Bentsen, Kilpatrick and Weygand.
Chairwoman ROUKEMA. If the first panel would take its seat, please, and our observers and guests here today, if you will take your seats, please, I would appreciate it. I was waiting for the House to officially go into session. It now has, although it is about 5 minutes late. We will be hopeful that we are not interrupted too frequently with roll call votes, but you understand what that is all about.
I think the best thing to do is to get started as quickly as possible. If the first panel will come forward, I would like to make an opening statement and perhaps have others from my colleagues on the subcommittee.
I should begin by thanking our colleague and Ranking Member, Mr. Vento, for bringing this issue to our attention some weeks ago, and I welcome his contribution and his recommendation. It is proving to be, of course, as timely as ever. There has been so much that has happened recently that has proven the wisdom of our scheduling this hearing this September, despite the fact that we are competing with a lot of other concerns through the appropriations process, trade issues, and so forth.
But the issue is a very important one. Privacy matters have come to our attention, whether they are health issues or other privacy issues, but currently the questions of financial privacy are moving to the top of the agenda and to the consciousness of people all over the country, consumers as well as the service providers.
The computer age, I need not tell you, has revolutionized commerce and information access. The ability for us to acquire, share and store information has never been more advanced or more central to business operations. However, as we are learning rapidly, the proliferation of readily available personal information could jeopardize personal privacy and facilitate--and this is an important part of it--facilitate fraud and deception practices that none of us could even have begun to anticipate. This hearing today will initiate our inquiry and address the risks associated with the misuse and abuse of individual's financial information.
The genesis of this hearing, as I said, was Mr. Vento's request, but also it is the consequence of increasing concern about the privacy of consumer financial information. A poll published in August of this year in Money Magazine found that 83 percent of the respondents were concerned about the release of financial records like bank or brokerage account information. Banks and brokerage firms are certainly not the only commercial firms that have access to consumer financial information. Credit bureaus collect financial information about individuals from banks, credit card companies, mortgage lenders, finance companies, merchants and others. This information is used to prepare a so-called ''credit report'' that includes an individual's address, Social Security number, phone number, even mother's maiden name--that surprised me--salary, loans, credit cards, outstanding credit balances and repayment histories.
Such reports are available to sell to anyone with a ''legitimate business need.'' Is it any wonder that 83 percent of the people polled had anxiety and concerns about this?
By the way, this may come up later in our questioning. I don't know to what extent our panelists have hard information about what percentage of people feel as though they have been violated against the law, but we will bring that up in the questioning later, or in the testimony later.
But, such reports are available for sale to anyone who has a ''legitimate business need,'' as they define it. Each time a consumer uses a credit card or debit card, the company that issued the card and the merchant collect information such as the credit card number, the individual's name, and so forth, and the product purchased. Information about a consumer's finances and purchasing preferences are also collected from warranty cards and surveys. The same information can be collected from transactions over the Internet. Data on consumer finances and buying habits is used to develop consumer profiles that contain a variety of information that are used by the direct marketers.
And this, I think, is very important, and I stress it--the sale and distribution of personal identifying information by businesses is not new, but the information age has increased the great complexity not only concerning consumer awareness of the practice, but it throws a new light on the implications, not only for business but for the consumer.
Today's consumers can download mortgage application forms, fill out forms on a computer and then submit the loan application electronically. Now, in the face of it, that is all to the good, but it raises the questions that we are going to be looking at today, pro and con.
The move from traditional banking services into such other areas as database marketing, however, presents new privacy concerns for the industry. In the information age, inadequate protection of privileged financial information among banks, credit bureaus and software manufacturers, especially combined with other types of information such as those I outlined, such as demographic profiles, could have, and I think will inevitably have, implications on the individual's privacy. As banks merge and become more electronically oriented, the potential for privacy problems will increase dramatically.
In recognition of this, many participants, and I must state this and stress as a positive, many of the participants in the financial services industry have already taken voluntary steps to address privacy concerns, whether it be the American Bankers Association, Consumer Bankers Association and the Bankers Roundtable. They have taken some action, and we will hear their testimony here today, and we will be able to objectively determine whether or not they are adequate.
In addition to voluntary privacy standards that some of these industries have adopted, there are two Federal laws which govern, under present circumstances, financial privacy issues: the Fair Credit Reporting Act and the Right to Financial Privacy Act.
In addition to Federal laws, many States have laws that relate to the privacy of an individual's financial information, but again, State action in this field is extremely limited because this is, indeed, national and international communication.
Today's hearing is going to focus on who collects and disseminates consumer financial information and what type of information is actually collected, and who has access to the information. In other words, we are going to look at, hopefully, every perspective of it, and it is only going to be an initial action on our part, initial information gathering.
I feel free to confess to all of you publicly, as I have to those that are on the panel, you are going to educate me today and educate all of us today. We have to have sound information before we can draw any conclusions.
But I guess I have to make the obvious connection to a ''Brave New World.'' If you remember, in George Orwell's book, ''1984'', he predicted, and it was quite a shock to many people because it seemed like he was hitting a very raw nerve--even at the time that he wrote his book. He predicted a day when the Government would be monitoring every aspect of life. But literally George Orwell didn't get it right. ''Big Brother'' could turn out to be private industry and the computerized network for gathering information; it may or may not be the Federal Government. But there are other aspects of this that even George Orwell didn't anticipate.
I don't know whether ''Big Brother'' is already here, but that is one of our jobs today, through this series of hearings, to determine how we can keep ''Big Brother'' under control.
Thank you very much. With that, I would yield to my colleague, Mr. Vento, the Ranking Member here.
Mr. VENTO. Thank you, Madam Chairwoman. As the second oldest of eight in a family, I am a ''big brother'' in a lot of ways.
Chairwoman ROUKEMA. All right.
Mr. VENTO. In any case--
Chairwoman ROUKEMA. I won't make any political observations at this point.
Mr. VENTO. All right. I want to begin by first thanking you for the hearing and your thoughtful statement this morning, which I concur with. I have long held an interest in protecting the privacy of Americans, and in recent years have introduced legislation in this and in the previous Congress regarding privacy on the Internet, which is just place-marker legislation. But more detailed proposals have been introduced, and we plan on continuing to work in that endeavor.
I would also like to note, Madam Chairwoman, the excellent panels that you have assembled this morning, in which I concur, but there are a number of witnesses we would like to have heard from today, many in the consumer privacy advocacy organizations, who already had plans to attend an important conference and session in Brussels. And I am hopeful that we will be able to reconcile that.
In particular, I hope we can hear from the Center for Democracy and Technology, EPIC and others who are experts in the field. So even though we have a long list of panelists today, we still need to hear from consumer privacy advocates.
Privacy, of course, is a familiar word in the financial realm. However, it is often at the low end of the totem pole, topped by security in and of financial transactions. Institutions are, understandably, first interested in security and such security assurance may well come at the expense of individual consumer privacy.
The financial sector has a model in the Fair Credit Reporting Act. It is certainly not a perfect model. Privacy protection, in fact, has been a sector-by-sector initiative by law and by industries. That, in and of itself, raises problems. Yet in the end, it is the same person, the same personal privacy and the same basic information about a person that is affected by the various sectors and privacy protection laws. Because of the computer, the Internet and the electronic age, the single separate threads of consumer protection governing personal information have really become woven into a bridge. This bridge, of course, conveys all of our personal and financial information. It opens up our privacy and security to the information superhighway.
The threads of that bridge have become blurred by continued technological advances. The advent of the Internet has brought the privacy abuser basically into the comfort of our own homes. The collection of information on or about a person has become so pervasive and so inexpensive as to become the fodder for major industries based on cereal preferences or credit card shopping patterns. People's financial security and their actual identity are at risk to abusive utilization and improper actions by those who manipulate the medium and circumvent the complex laws governing personal privacy concerns and, admittedly, most of those are geared to a different era.
Congress has a duty, as do the regulators and Federal agencies that have begun the process, to explore the policy implications and proper safeguards to be accorded to American citizens encountering, as you had mentioned, Madam Chair, the brave new Internet world--electronic commerce, data collection, data sales and privacy. I know there will be a mantra repeated today by the industries, and even the Federal Trade Commission, that the Government should give the technology time to evolve and that abuses are self-correcting with market innovation and new developments. This may well result, I fear, in a loss of a public voice. Congress must assume a role in establishing benchmarks. Proposed protections for consumer privacy should not take a back seat, however, to market innovation.
My principal concern is for the consumer. Does his or her agreement constitute informed consent? Currently, a Web user faces significant threshold problems in simply trying to learn and understand the nature of the individual company's privacy policy. The issue is compounded by the difficulty of holding accountable or ascertaining whether vendor Web sites or servers are complying with their stated policies. Given such a challenge, it is not surprising that privacy concerns are discouraging consumers from use of the Internet for important transactions. Until privacy and financial concerns are equally resolved, the Internet, particularly electronic commerce, will not reach its full potential. This may be the first, but it will not be the last time today that we hear a version of this dilemma.
Yet, I fear that under a well-intentioned self-regulatory approach, which today's testimony, with predictable certainty, speaks in favor of, is a regime that can work against consumer privacy interests. We have not achieved a critical mass where the profits for greater consumer privacy protections reward and outweigh the losses from the company not being able to use the information. As a result, there is a monetary premium for information that is collected for one purpose to be employed for another purpose.
An overwhelming majority of consumers understand that their privacy is at risk in the Information Age. Consumers want affirmative choices, not necessarily the negative options currently offered by the information industries, but rather affirmative choices to exercise control over the collection, distribution and use of their personal information. I will be listening closely for solutions in today's testimony in order to determine what precise actions can be taken to strike a more appropriate balance between consumer demands to control personal information and business demand to, in essence, harvest this personal information.
This hearing should be very helpful in deciding how to refine my legislation, the Consumer Internet Privacy Protection Act. A new and improved version of it will hopefully be aggregated or be put forth in the next weeks.
Why is the Banking Committee interested in this? Much of the deep data mining taking place, whether on the individual or in the aggregate, takes place in conjunction with a financial transaction. Whether it is tracking credit card purchases or catalog sales, the purchase of items creates profiles and preferences that some company, somewhere, may pay money to access and use. Although basically anonymous, even cash transactions in some stores are done in conjunction with a zip code request of the consumer.
I would note that the testimony and most of the work fails to explore the basic social behavior and dynamics that take place at the point of transaction. When we make a credit card purchase, most consumers feel vulnerable. Are we going to be rejected, denied or approved? Informational demands for Social Security numbers, phone numbers or addresses may seem more like an ultimatum at that point, as opposed to just a discretionary request.
Further, key data about a person that is more readily available than ever, has, in fact, put individuals at risk of being electronically mugged. The phenomenon of identity theft is growing and the wealth of data casually available along with lax industry standards--credit, information or elsewhere--has afforded the aggressive marketer on the legal side and worse, the wise criminal on the illegal side, with thousands upon thousands of opportunities for sales and, unfortunately, for fraud. Fraud that wreaks havoc on the lives of individual consumers.
The Internet has spawned another route for fraud and misinformation hucksters. It is not always crystal clear how far out on the thin ice these schemes can slide before they break the law. We have seen many of them that I am sure consumers feel a concern about, from junk e-mail to solicitations of pornography, credit repair schemes, kids games which ask for information about grandma and grandpa, and even the possibility of finding out juicy tidbits about anyone you desire. Let me quote from one such e-mail, Madam Chairwoman. It states: ''Now you too can learn everything about your friends, neighbors, enemies, employees or anyone else! Even your boss, even yourself.'' This can be quite dangerous, you know.
Madam Chairwoman, the pervasive nature of the Internet has been defined. Now the questions remain as to how it can be checked and, of course, as I say, I am not convinced today that self-regulation is the sole solution.
I greatly look forward to the hearing and am certain that the privacy in financial transactions represents a common ground and fertile soil for further hearings, fact-finding and possible legislative activity by our subcommittee.
Thank you, Madam Chairwoman.
Chairwoman ROUKEMA. Thank you, Mr. Vento.
If there are other opening statements.
Mr. Metcalf.
Mr. METCALF. Thank you, Madam Chairwoman.
In glancing around the room, I see again I am the oldest person in the room. I don't necessarily like that, but it is a fact of life.
I was born into a world where privacy was considered your right and respected. I am appalled by the willful collection of private information far beyond what is necessary or legitimate.
Orwell's ''1984'' arrived over a decade ago and has been far surpassed. We appreciate this hearing so that we can judge, ''surpassed by how much?''
Thank you.
Chairwoman ROUKEMA. I am sorry. I was still concerned about age. And Mr. Vento observed also, and I think it was a good observation, so I did not hear your last statement, that you are a privacy fundamentalist. I think I share that with you, if not your age. Thank you.
Mrs. Maloney.
Mrs. MALONEY. Thank you, Madam Chairwoman. I would simply like to be associated with the concern expressed by my colleagues. I would like to request that my opening remarks in total be put into the record.
First of all, I would like especially to welcome my former colleague, Leslie Byrne. It is so good to see you again.
I would just simply like to add my own concern that every day we give a little piece of ourselves. With every purchase we make, every form we fill out, every withdrawal we make, someone somewhere is collecting information about us. Sometimes we are aware of it when we fill out an application for a loan, but sometimes we are totally unaware of the information that is being gathered about us. We certainly do need to examine the laws which already exist and examine whether they are still appropriate in this ever-progressing and advancing era.
Certainly, businesses have the need to expand their marketing base. Consumers certainly have a right to protect their privacy. The area that I feel is probably the greatest problem area is when information a consumer gives to one business is then sold to another. The consumer usually has no knowledge, let alone control, over the new business which now has this personal information.
I would simply like to add that I believe that by better understanding the new relationship between technology, information and business, we will be better able to address the concerns of the consumer without harming business opportunity.
I look forward to the comments of the panels, and I ask that my remarks, in total, be put in the record. Thank you.
Chairwoman ROUKEMA. Thank you.
And we are also pleased that Congresswoman Kelly is with us today.
Mrs. KELLY. Thank you, Madam Chairwoman. I would like to thank you and Ranking Member Vento for agreeing to hold this hearing on the privacy of consumers' financial information. I don't believe we could hold a hearing on a more timely and potentially troublesome area as we move into the 21st century.
As the representative of New York's 19th District, I am fortunate to have the headquarters of IBM in my district. I mention this not only to highlight their importance to me as one of the area's largest employers, but also to thank them for helping me prepare for this hearing. In conversations I have had with the folks at IBM, I have gained much better insights into the amount of information that is available about us electronically, as well as ways by which individuals can gather information about us through seemingly unobtrusive questions, while simply conducting an on-line search. For example, if we are just looking for information about purchasing a car, without even typing a word, we are leaving a signature on each Web site we visit, detailing who we are and our e-mail address, and if the account we are using to access the page is personal or business, and, naturally, our interests. As the rate of electronic mail increases, the potential use and misuse of these lists is really alarming.
We all know the types of information that the Government and businesses use to identify us over the phone: name; address; ZIP code; Social Security number; mother's maiden name and so on. What I would like to focus on today is what information it takes to electronically identify ourselves, and therefore, for someone to falsify themselves electronically to commit fraud and steal from us.
Of course, I am focusing on electronic fraud since people are capable of perpetrating this from other countries, where our laws don't apply. I would like to submit an article for the record, Madam Chairwoman, from the April 21 edition of The Washington Times, which details a cybercrime, an electronic bank heist. It says that cybercrime averages $250,000. The headline on this article is ''Electronic Bank Robbers Flourish.'' I would like to submit that with unanimous consent for the record, please.
Chairwoman ROUKEMA. So moved, without objection.
Mrs. KELLY. Thank you.
This article details a Russian hacker's network that took untold sums from Citibank in 1994. Since then, Citibank has totally revamped its electronic security.
But I submit to this subcommittee, how much longer before foreign hackers begin to focus on individual holdings, gathering information available about us electronically, to pass themselves off as us? Ordering everything from additional credit cards to accessing our different accounts? The possibilities are really endless.
I am pleased that all of these witnesses were able to take the time to share their insights with us, and I look forward to working with all of the Members of this subcommittee as we learn about how little privacy we have for ourselves and personal financial information.
And, Jack, I want to tell you, you do have a few years on me, but I remember when privacy was a real thing, too.
Chairwoman ROUKEMA. All right. I thank my colleagues.
Now we move to our first panel of witnesses. I am very grateful that they were so willing to come and meet with our time constraints and our schedule here in the House.
The first panel, in one form or another, whether at the Federal level with our first two people, or at the State level, have a direct application to their responsibilities, not only to oversight, but implementation and enforcement of the legislation that deals with these privacy issues and the transfer of information a consumer needs here. So we are particularly hopeful that you can give us an overview, with some specificity, about how we, as a responsible Congress, can address these issues.
I also would like to make the point, and I think I neglected it in my introduction, that in that same Money Magazine article which indicated the concerns that consumers have, there was also an indication of perhaps as many as 29 percent of those surveyed felt strongly that their financial, medical or personal privacy had already been violated. I don't know whether that is consistent with your studies, your experience and your knowledge in the field, but I would be happy if you would address them.
Now, before introducing each of you individually, let me also say we have some time constraints. I would hope that you could keep your comments, your statements, to 5 minutes, and I will try to be as understanding as necessary; but we would like to conclude the hearing here in a timely manner because we will only be more and more interrupted by legislative business on the floor the longer we continue.
Mr. VENTO. Madam Chairwoman, could I just extend a special welcome to Leslie Byrne, the Director and Special Assistant to the President for the U.S. Office of Consumer Affairs. She came to my District some months ago and we held a conference, unfortunately not a well-attended conference, about privacy on the Internet. But I am grateful for her work and interest in this. I think it points out the importance of this function within the Office of Consumer Affairs and, hopefully some day it will attain the status it once had. I know she is working very hard on this issue, and we appreciate her participation here today.
Thank you, Madam Chairwoman.
Chairwoman ROUKEMA. Thank you.
Yes, I will introduce our first witness, former Congresswoman Leslie Byrne, and I stress that because she has a perspective from both sides of the desk here, both as a former Member of Congress and now as Director and Special Assistant to the President for the U.S. Office of Consumer Affairs. You give us a very practical insight into the problems.
Ms. Byrne.
STATEMENT OF LESLIE L. BYRNE, SPECIAL ASSISTANT TO THE PRESIDENT; DIRECTOR, U.S. OFFICE OF CONSUMER AFFAIRS
Ms. BYRNE. Thank you, Madam Chairwoman. It is good to be here with you and the other Members of the subcommittee today and to discuss electronic commerce and the use of personal and financial information in the marketplace. It is indeed the stuff of ''Big Brother.''
You hit the nail on the head. I guess the real question now is, what do we do with this unruly sibling?
Technology is moving so quickly that consumers sometimes feel that they are witnessing a revolution without really understanding it. Despite the enormous amounts of money invested in this new technology, the predictions about its potential will fall flat unless we remove the stumbling blocks that consumers feel are there for their participation.
For example, electronic commerce industry itself has begun to understand that the promise of this segment of the economy will succeed only when consumers trust the technology and have confidence in on-line providers of goods and services.
Technology can offer us many benefits, including cost savings and faster service and more choices. As it stands today, it also has some drawbacks. One of the most serious is the potential loss of privacy. The lack of control over how our personal information is used is of deep concern to most of us. It becomes even more pressing when face-to-face transactions are replaced by automated ones. In a face-to-face transaction, a consumer can rely on a number of clues to verify the legitimacy of that transaction and that vendor.
For example, Madam Chairwoman, if I buy a ''Rolex'' off a guy on the street, I have a pretty good idea it's a fake. If that watch stops the next day, I know I am out of luck. On the other hand, if I go cybershopping and click onto the home page of what appears to be a legitimate jewelry store that offers me that same ''Rolex,'' I cannot tell if it is that same street vendor dressed up in cyberclothes, or it is the real thing?
As recent media accounts about America Online's experiences with fraudulent efforts to collect credit card numbers of subscribers show, in cyberspace it can be very hard to tell legitimate operators from con artists.
In addition, in the real world, the individual can also exercise choices about how to complete transactions. For example, payment can be made with cash, check, either credit or debit card. In the electronic marketplace, a credit or debit card is usually required. While I believe consumers understand that credit and debit card purchases leave a trail in the form of an itemized bill, I don't believe that the majority of consumers understand that when they shop on-line, they are leaving an electronic trail that can be followed by those who know what Web sites they have visited. This is called a ''click stream,'' Madam Chairwoman. And this ''click stream'' of visits is used to detail a profile about that individual's interests, their buying habits and their personal lives.
Both on-line and off-line, identity theft is the fastest growing segment of the estimated $10 billion in credit card fraud a year. A con artist uses the identity of an unsuspecting consumer to acquire credit in that consumer's name. By the time the consumer has found out about the fraud, his or her credit is often ruined. It can take years to clear this up.
On the subject of debit cards specifically, it has been noted in news stories that banks are increasingly sending consumers dual-use cards; the card is an ATM card and a debit card. While most people don't understand how they can use these cards, it is often overlooked and misunderstood how the use for an ATM is a debit card, often draining their checking accounts before that misunderstanding is cleared up. As a result of these kinds of identity thefts, the drain on these accounts can be severe.
In addition, because debit cards look like credit cards, some consumers have assumed that protections and, particularly, liability for theft or misuse is the same. Fortunately, to their credit, MasterCard, Visa and the Bank of America just announced voluntarily that they were going to equalize the amount of liability for debit cards to that of credit cards, which is $50.
Information about consumers offers a competitive advantage, Madam Chairwoman. This information is now viewed as a commodity in and of itself. It has turned the normal buyer/seller transaction relationship on its head. You may buy something from a store, but that store wants more than payment for goods and services. It wants the facts about you that make you who you are. Recent articles about data mining suggest that the common industry view is to collect as much information as possible about consumers and figure out how to use it later.
Madam Chairwoman, we believe that there are some basic privacy principles that we have included in our testimony that we submit for the record. We want to work with you in having those implemented, and I say this with some sense of irony because, Madam Chairwoman, as the only Federal agency that deals as the consumer advocate for privacy in the Federal Government, we have been zeroed out by the House and Senate Appropriations Committees.
So, I hope that we are here to help you in your deliberations. And the fact is that when business privacy is in question, we call it piracy. When we talk about intellectual property, we put in a lot of effort. We had hearings here in this building yesterday about intellectual property. If we look at individual information as stringently as we look at business information and ask for the same kind of protections, I think we will make great gains on this subject for the American people.
Thank you, Madam Chairwoman.
Chairwoman ROUKEMA. Thank you, Ms. Byrne. Excuse me, you indicated that you were zeroed out where?
Ms. BYRNE. In the House and Senate Appropriations Committees.
Chairwoman ROUKEMA. In both?
Ms. BYRNE. Yes.
Chairwoman ROUKEMA. All right. By the way, you referenced debit cards. In our hearing next week, we will address that aspect of the question.
Mr. Medine, I don't want to shortchange you in your testimony. I think this is the best time for us to adjourn for maybe 10 to 15 minutes and then come back so that we can really concentrate on your testimony.
Thank you. There is a vote on the floor of the House.
Excuse me. The lights did not show. I don't know whether they are deficient or what the problem is, but there are evidently two votes in sequence, so it will be at least a 15 minute adjournment. Thank you.
[Recess.]
Chairwoman ROUKEMA. Will the hearing come to order, please? We will want to move this along before we get interrupted again. We have been alerted that there may be some, what I call ''fun and games'' on the floor today. So hopefully those who are speculating are wrong.
I won't repeat what Mr. Vento just whispered.
Mr. Medine, David Medine--I did pronounce that correctly?
Mr. MEDINE. Yes, you did. Thank you.
Chairwoman ROUKEMA. Mr. Medine is our next witness. And he is Associate Director of the Credit Practices Division for the Federal Trade Commission and is certainly well-known for his extensive background and knowledge on financial privacy matters.
And I believe, Mr. Medine, you have a direct responsibility, do you not, for enforcement of legislation?
Mr. MEDINE. Yes, we do.
Chairwoman ROUKEMA. The existing legislation?
Mr. MEDINE. Yes.
Chairwoman ROUKEMA. I thank you very much for being with us here today, and we will turn the microphone over to you.
STATEMENT OF DAVID MEDINE, ASSOCIATE DIRECTOR OF CREDIT PRACTICES DIVISION, FEDERAL TRADE COMMISSION
Mr. MEDINE. Thank you, Chairwoman Roukema and Members of the subcommittee. I am pleased to appear on behalf of the Federal Trade Commission at this extremely timely hearing on the implications of emerging electronic payment systems on an individual's privacy.
Changes in electronic payment systems will facilitate a marketing revolution in which consumers may be making purchases on interactive television, or their computer, or through payment devices not yet even invented. Great demands will be put on new payment systems to make sure they provide consumers with both convenience and security. Privacy and consumer protection issues will present an overarching policy question: What is the appropriate role of Government in the development and deployment of new electronic payment systems?
On the one hand, it can be argued that without effective Government regulation, there will not be sufficient public confidence in the security, effectiveness and fairness of these new electronic payment systems to permit their development. On the other hand, premature Government regulation could chill or prevent the market from developing optimal solutions. Particularly at the early stages of new technologies, where new issues will take shape gradually over time, there is a good case for Government restraint. For now, Government should continue to monitor the development of the marketplace for electronic payment systems to ensure that consumers are getting the information they need to make informed choices about protecting the privacy of their financial transactions.
In order to become a part of consumers' everyday lives, however, electronic money must be widely accepted, convenient and secure. Our consumer protection experience has shown that payment systems will be accepted by consumers only when they are confident that those systems offer a sufficient level of privacy and security. Electronic money presents a wide array of consumer protection issues, including liability for unauthorized use and dispute resolution procedures. While the focus of this hearing is on privacy, we should not forget the need to address these important consumer protection concerns. In fact, in some situations, there may even be a tradeoff between consumer protection and privacy, and each must be fully understood to evaluate potential tradeoffs.
In the developing electronic marketplace, consumers may not know the potential exists to monitor not just their ultimate purchases, but the whole on-line shopping process that led to the purchases. In the on-line environment, it will be possible for merchants not only to know what a consumer purchased, but also what other items he or she examined, for how long, and at what point this took place during the store visit. There are currently few, if any, controls on the use to which this consumer transaction information is put. Merchants are generally free to gather and use such information for their own purposes and to sell or rent it to third parties without notice to consumers. This information can then be combined with demographic information and data from other merchants to create detailed profiles of individual consumers, which can enable merchants to more successfully market their goods or services. The Commission has learned through its privacy workshops that some consumers might not care whether this information is captured, especially if it results in their getting better service or individually tailored offers in the future. On the other hand, others might be highly offended. Shopping for some products, books, magazines, videos may raise even more sensitivity to privacy concerns.
The Commission expects privacy to be relevant to consumers' willingness to use electronic money in making payments, whether on the Internet or at the corner drugstore. Consumers' privacy can be protected in two major ways when using electronic payment systems: First, electronic transactions can be anonymous, so that no personal information about the consumer is gathered. Anonymity protects consumers' privacy, but it also has drawbacks. It is important to recognize that the dominant method of payment in this country, both in terms of transactions and dollar amount transacted, is paper currency--cash and checks. Cash, of course, is a fully anonymous payment system. There is no way to tie information about a transaction to a particular consumer if cash is used, which offers substantial benefits and detriments to consumers. On the benefits side, consumers can purchase items they may not want others to know they have purchased, either due to the sensitivity of the item or a general desire not to be observed when making purchases. A major detriment, however, is that cash payments may inhibit consumers' ability to take advantage of certain consumer protections such as those provided for credit or debit cards. The greater concern is that if cash is lost, it cannot be replaced. The same risk would apply to electronic payment systems that do not offer an audit trail. If those payment systems are lost, so is the value of payment stored on them. On the one hand, one important benefit of anonymity is that it could significantly reduce the incidence of identity theft. Identity theft involves a criminal takeover of a consumer's existing credit accounts or the opening of new accounts in a consumer's name. Clearly it is much harder to assume someone's identity when their payment identity is anonymous.
If confronted by this dichotomy of anonymity versus accountability, the market should decide which approach is preferable. In fact, the marketplace approach to this issue could well mean that both systems could thrive. The key to making this marketplace work is consumer education and disclosure of important terms and information about electronic products. Only when consumers have been armed with this basic information can they intelligently decide what degree of privacy they will seek for their transactions.
Consumers will need to understand that with credit cards they get certain protections; debit cards, other protections; and that some stored-value cards may offer no protections at all. At some point, there may be a need to mandate uniform disclosure so that consumers can quickly and easily compare payment products and determine which product suits their needs best.
One Federal statutory scheme governing the use of consumers' transaction information can be found in the Fair Credit Reporting Act--
Can I have your indulgence for another minute to complete my statement?
Chairwoman ROUKEMA. Yes. I would be happy to extend that.
Mr. MEDINE. --Which bears on the privacy protections afforded such information. The subcommittee may want to examine the impact of technological developments on the degree of protection the Fair Credit Reporting Act will afford financial information in the future. The FCRA is premised on the notion that financial information will be pooled into large databases such as those operated by the major credit bureaus. However, developments in cyberbanking and computer networking technology suggest that the past efficiencies of large databases may not be nearly as great in the future. In the event that large numbers of individual merchants choose to report information on their transactions with consumers directly to other merchants, it will be possible to create detailed financial profiles on consumers that escape any protection under the Fair Credit Reporting Act.
In addition, in last year's amendments to the Fair Credit Reporting Act, Congress permitted affiliated companies to share information, even credit reports, free from most of the FCRA's restrictions. The subcommittee may wish to examine whether these lessened protections for affiliated companies sharing information raise special concerns in the cyberbanking or electronic payments context, where detailed and sometimes sensitive information about consumers is gathered.
In considering whether to regulate electronic money, it makes sense to err on the side of under-, rather than over-regulation. Market-created solutions, voluntary self-regulation, and technological fixes may be sufficient. However, if private solutions prove inadequate, Government should be ready to act. The utility of efficient, decentralized marketing on interactive television, the Internet and future technologies is too valuable to be allowed to evaporate because an effective payment system does not develop.
Thank you.
Chairwoman ROUKEMA. I thank you.
We now have the final member of this first panel, Dan Greenwood, who will be here to give us an additional perspective. Mr. Greenwood is Deputy General Counsel for the Information Technology Division, the Commonwealth of Massachusetts, so he gives us a State perspective.
STATEMENT OF DANIEL J. GREENWOOD, DEPUTY GENERAL COUNSEL, INFORMATION TECHNOLOGY DIVISION, COMMONWEALTH OF MASSACHUSETTS
Mr. GREENWOOD. Thank you very much.
Chairwoman ROUKEMA. Welcome, Mr. Greenwood.
Mr. GREENWOOD. I guess I win the title, or I win the race for the longest title. I would really like to, on behalf of the Commonwealth, thank you very much for inviting us to testify today. I think it is important that State perspectives are brought to bear on this issue, because it does cut across areas of law and jurisdiction.
I think it is safe to say in the Commonwealth of Massachusetts that we have taken a leadership position with electronic commerce policy at a State level, but also with consumer protection laws more generally and certainly those relating to banking and financial services. I am pleased to say that many of the remarks that I had submitted for the record have already been echoed by my colleagues here, and so in the interest of time, also, why don't I just quickly skip across the top of the waves? I would like to emphasize a couple of things that haven't been mentioned from a State perspective.
First of all, States are really in the electronic commerce game as users. In Massachusetts, for instance, now you can renew a vehicle registration, you can pay traffic citations, even order vanity license plates over our Web site. We accept credit cards--and that is with encrypted data, between the browser and the server.
We are also permitting banks in our jurisdiction, and other financial institutions, to do some filings with our division of banks, and that is being secured and also authenticated by use of so-called ''digital certificates,'' which are public key cryptography-based instruments which perhaps we can get into later. But I think, as a technology, that is going to end up playing very heavily indeed into how it is we look at security and privacy issues in terms of the technical reality, developing implementations, and that that probably ought to guide some policy development too.
Also, vendors can now get solicitations on the Web. We have discovered from a user's perspective that this has been very useful for our business and it has also been extremely useful for businesses in our jurisdiction. We are the home of a lot of so-called ''cyberindustries,'' and banks in Massachusetts, like elsewhere, are beginning to use this technology; and increasingly they are looking to us to set policy and implement laws where there have been some perceived obstacles.
In terms of privacy, to the extent you start to look at the potential need for congressional action in this area, I would again just really encourage you to take a close look at the relationship between that action and existing bodies of State law. To the extent that that action would preempt State law, particularly in areas that involve electronic commerce, electronic transactions, we are starting to discover that there can be implications that really are non-obvious at the start of the drafting process.
We have 239-some-odd specific provisions in the Massachusetts General Laws, for instance, that deal, head on, with privacy or confidentiality of information; and this morning, before coming out, I did another search for ''shall not disclose,'' or ''may not disclose,'' or ''disclose only if''; and then I got hundreds more, which dealt with every different area of the economy, public and private sector, and depending on how legislation was drafted, could have effects beyond, you know--that we ought to talk about.
We have been also at the State level, I think, out ahead of the Federal Government in the area of electronic contracts and so-called ''electronic signature'' legislation, and to the extent that that involves electronic records, privacy issues have been implicated. I think now there are some 12 or 13 States that have enacted such legislation. Massachusetts has some on the drawing board.
The National Conference of Commissioners on Uniform State Law is now looking at a Uniform Electronic Transactions Act which has, in part, modeled State rules for electronic records and, certainly, for records in the hands of the Government, and I think they are going to have to look at the questions of privacy.
In terms of banking, the committee did ask, what is the relationship between, for instance, the Fair Credit Reporting Act and State law in Massachusetts? I am going to submit for the record a short analysis piece that we have, but the amended Fair Credit Reporting Act specifically exempts from the preemption--from parts of the preemption--an area of Massachusetts General Law where our privacy requirements actually exceed those of the Fair Credit Reporting Act. I believe Vermont and California law were similarly--or parts of it--were similarly exempted from that preemption.
And so, again, I would like to suggest that, as you move forward, that we continue some sort of communication or dialogue, either through inclusion--certainly the National Governors Association has been a good focal point for communications, and other forums where we can make sure that we are synching up law and policy at the State level, where I foresee we will continue to exercise our traditional jurisdictions in areas like contracts and privacy law, signature law, electronic commerce, Uniform Commercial Code to the extent that implicates electronic commerce.
And I think we are going to--I can tell you for a fact that we are very concerned that we not only do this uniformly at a State level, but that we continue communications to make sure that it makes sense in a national structure and fits in well with what you have in mind at the Federal level.
If I could just close by--well, I guess for the record, I am going to submit a couple of things that the National Governors Association are doing with something called the United States Innovation Partnership, a partnership between the NGA and the White House Office of Technology Policy, where we are attempting to find another forum to specifically sync up technology policy between the States and the Federal Government. We have been very active in Massachusetts in the electronic commerce portion of that. Certainly the banking and financial payments area is an important part, and that is another forum where we are looking to create communication.
In the future, we would like to make ourselves available to continue the dialogue about coming up with a consistent legal and policy infrastructure to support electronic commerce at the State and the Federal level.
So with that, I would like to conclude my remarks.
Chairwoman ROUKEMA. I thank you very much.
I have a couple of questions with respect to your last statement, Mr. Greenwood, and perhaps it is included in that portion that you want included in the record, that report that you want included in the record; but if you could submit for the record, with more specificity perhaps, your concerns on how we can coordinate both the State and the Federal, you know, it would seem to me that inevitably there is a tremendous conflict here--maybe not--but I would like to have more information on that.
I don't think we have time to go into it in any great detail right at this moment, but--unless you have a very brief statement to make.
Mr. GREENWOOD. Very briefly.
Chairwoman ROUKEMA. Yes.
Mr. GREENWOOD. Like I say, I brought with me to submit for the record, some materials from the National Conference of Commissioners on Uniform State Law that has a Federal liaison committee, and also a statement from the National Governors Association, where the governors specifically call for consultative forums, and they have some ideas on that which we support in Massachusetts. I will submit that.
Chairwoman ROUKEMA. That would be very helpful. I thank you for that.
Now, for our other two members, and you as well, Mr. Greenwood, if you want to contribute, but I am very concerned, because I didn't get quite the clear insight that I hoped I would hear, and it may have been because of the disruption here in terms of the vote that we had.
And I did hear Mr. Medine refer to market solutions and, as a good Republican, I always like to think of market solutions. However, I am not quite sure what your experience has been--based on what your experience has been, if you wouldn't give us some precise understanding of how the Fair Credit Reporting Act might be improved.
I guess you made one reference to it, that is, the information-sharing provision of the Fair Credit Reporting Act. I think you see that as a problem, and I am not quite understanding of that.
But aside from that, is there a specific way that we could improve the legislation, aside from the monitoring that you are talking about, based on your experience, before this becomes a horrendous problem; and before that sibling that Ms. Byrne referred to, ''Big Brother'' sibling, is any further unruly and out of control?
Can you give us one specific example, or would you say that need is not yet proven? I will start with Mr. Medine and then Ms. Byrne.
Mr. MEDINE. As regards the Fair Credit Reporting Act, I think there are two areas that would be worth the subcommittee focusing on. One is, in the last session, there were amendments passed to the Fair Credit Reporting Act which allowed affiliated companies to share very sensitive information about consumers, including credit reports, without the substantial protections that are otherwise accorded that kind of financial information.
The idea was to increase the efficiency of operations within companies in terms of affiliates sharing information; and there's nothing wrong with that. But those protections that consumers value in terms of access to the information, the ability to correct it and the responsibility for accuracy, were lost in that process. And I think it might well be worth reexamining, in the privacy context, whether too much was given in terms of the facilitating of sharing, which can benefit consumers in terms of increasing offers and the ability of consumers to do more business with affiliated companies, without losing those protections at the same time.
The second question down the road is, credit bureaus exist really because of the efficiency of sharing large amounts of data in one place. With networked computers and the Internet, it is not clear that that is really going to be the way companies communicate in the future. They may communicate directly with each other and create electronic profiles through the network, essentially, and avoid the large databases. If that happens, the Fair Credit Reporting Act won't apply at all to the gathering and distribution of that information; and so, in terms of the amendments that were passed last year, which in many ways improved privacy and accuracy, they didn't focus on the future exchange of information in the form of electronic commerce and electronic payments. And there may be some substantial losses to consumers there.
Chairwoman ROUKEMA. Is there a reason why we should try to protect the credit dissemination, or should we just accept the fact that it is an anachronism under existing law?
Mr. MEDINE. Well, we would urge you to consider ways of protecting it while still balancing the ability for a free flow of information, but protect consumers from profiles being created about them which may cause them to lose jobs, lose the opportunity to get credit or insurance or other valuable benefits based on incorrect information that they have no right to see.
So the question is, can you balance the protections of privacy in terms of accuracy and correction with the free flow of information in the marketplace?
Chairwoman ROUKEMA. And some legitimate needs for credit information if a sound business judgment is to be made.
But you have got to help us find that definition.
Mr. MEDINE. We would be happy to help you.
Chairwoman ROUKEMA. Will you do that?
Ms. Byrne, please.
Ms. BYRNE. I echo Mr. Medine's comments. And just to give you an example of what this affiliate sharing means, that a card issuer can share with an affiliate travel agency, who can share with an affiliate publisher, who can share with an affiliate list compiler; and that is how this information goes through the system. So the Fair Credit Reporting Act enabled all of these affiliates to start passing this information around without the ability, once it has left the credit bureau or the credit card issuer, to correct false information; and it can end up anyplace.
The other thing that I would point out to you, Madam Chairwoman, is that while card companies and banks make good-faith efforts to highlight their privacy policies--and they are going to tell you about that later this afternoon, I am sure. I brought a couple of samples that came across my mailbox.
This is my credit card from Nordstrom's, and it says, under all of this verbiage: Number 15, Sharing Information: Nordstrom's may share information about its experiences and transactions relating to me with its affiliates and other parties.
That is your notification.
Chairwoman ROUKEMA. ''And other parties.''
Ms. BYRNE. ''And other parties.''
Chairwoman ROUKEMA. Will you submit that for the record?
Ms. BYRNE. I will indeed.
Chairwoman ROUKEMA. Thank you.
Ms. BYRNE. American Express does a much more comprehensive job, but it also goes on to say, ''For mailing lists, we may use information you have provided to us on your initial application; in surveys; information derived from how you use the card and information from external sources, including consumer reports, for marketing activities, including mailing lists, by us and our affiliates.''
And then it goes through a process on both of these that at some point you can call a 1-800 number, if you can get through, to tell them that, ''No, I don't want this.''
So you have to dig through all of this information to find out what the privacy policy is, and then it is up to the individual to carry forward to say, ''Now, take me off your list.'' It is very difficult, when you look at these real-time examples, to find this information.
Chairwoman ROUKEMA. Thank you.
Mr. BEREUTER. Madam Chairwoman.
Chairwoman ROUKEMA. Yes. I yield to Congressman Bereuter.
Mr. BEREUTER. I think we ought to make sure the record is correct here. The sharing between affiliates is authorized by law. The sharing with other parties, as the first of those examples indicated, is not sanctioned by law, and that could be disputed.
And I did want to point out what our former colleague just pointed out, that there is an opt-out arrangement that must be there, but that is for affiliate sharing and there is no authorization for sharing it beyond that under Federal statute. And I do want to point out that the gentleman's statement on page 18 gives the implication that Congress did not consider this ''not subject to hearing.''
Those provisions were in the legislation when first introduced. They were subject to debate and consideration, and I do not like the incorrect information that you are conveying on page 18.
Mr. MEDINE. Sorry. I didn't intend to convey that although it was not subject to hearings, it was a discussion in markups and subsequent debate.
Mr. BEREUTER. But the legislation was subject to hearings. It was in the legislation from the beginning. It did not come as an amendment.
Mr. VENTO. If the gentlelady would yield.
Chairwoman ROUKEMA. I would be happy to yield.
Mr. VENTO. I don't know that there is any disagreement about the statement from Nordstrom's, because they can share. The only thing they cannot share is the credit rating and the credit rating information. They can share preferences and purchase patterns and so forth. And, of course, not only can they, but, I mean, under the Fair Credit Reporting, as Mr. Medine has pointed out on page 17, that the Fair Credit Reporting has a significant exclusion; information about entities, direct transactions with the consumer can be transmitted to anyone without making the source--you know, without making the source a consumer reporting agency or credit bureau.
I agree with the gentleman from Nebraska that there was debate on the affiliate issue. In fact, it passed in one Congress on the House floor. It was a matter of a vote there. And then in the next Congress, perhaps it didn't have, as a process a pure type of path, but it was debated in terms of what went on with regard to the affiliate sharing.
Madam Chairwoman, maybe you should recognize me on my own time.
Chairwoman ROUKEMA. This is a good example of why we are having a hearing, in view of the experience of the legislation we have now, that this particular issue should come up for a thorough analysis and review. It is not a black-and-white issue necessarily, but we have to base our judgments now on the experience of the last few years.
I certainly would say that many of us, given the extraordinary advancements of technology, perhaps did not understand the full implications of affiliate sharing and how it is working out.
We don't yet have evidence of necessarily serious legal or personal violations here, but that is something that we do have to look into.
I will yield now to our colleague.
Mr. VENTO. Thanks, Madam Chairwoman.
Chairwoman ROUKEMA. Ranking Member.
Mr. VENTO. Understanding I have had some time, but let me just say, I think this is a good point, this affiliate sharing, and I think it just is one more law where even though there was this sharing--I mean, most of us voted for it, understanding what it did and the implications of the electronic age and so forth. That is the least of our problems.
The problem today is that each of these laws have loose ends, including Fair Credit Reporting, which is rather more closely regulated than some. If you look at other financial institution laws--and I just want to call to my colleague from Nebraska's attention that most of them have no prohibition or limitation on sharing of the information. The fact that they don't share information is because it is proprietary, and it is to their advantage to keep it.
But the question today is where most of that information was accumulated, it was benign, because it was sitting out there in an unorganized mass of paper and other details that could not be woven together. It is like a blind man trying to describe an elephant; you know, we have all heard the analogy so I need not go through it.
But today you get a--not just a horizontal or a vertical, but a three-dimensional picture. You get the entire profile of everything that is taking place. So now, what was benign information that Nordstrom's was passing around to whomever they could do it, all of a sudden becomes a means of completing a complete click trail. It might be from the computer; it might be from a retail store; it may be from American Express; it could be from a bank.
But now we have to understand that, you know, what is the deal? And I think the issue is, here, yes, consumers have a responsibility. The question is: Do they have the tools and the ability to control it? I think that is what Mr. Metcalf is concerned about when he talks about our rights to privacy: Do we have the tools to control that?
I would suggest that, beyond even implied consent, are the tools there if you want to do it?
The question is: What is the responsibility of those affiliates or what is the responsibility of Nordstrom's in terms of, yes, they can accumulate this data, but what is their responsibility on how it is put forward? Do they have any responsibility?
I would think, yes, they have some responsibility to make certain that this is used in a bona fide way.
We talk about--and I have nothing against self-regulation--do all Web sites now have a consumer policy with regard to sharing of information, Consumer Advocate Byrne?
Ms. BYRNE. Unfortunately, many Web sites do not show what their privacy policy is on the Web sites. It is becoming more and more common that their providers are requesting that information be put up. Again, it is in the industry's best interest that they start addressing the issue of privacy head on, because if they don't, Mr. Vento, the fact is that people are going to run away from electronic commerce. They don't trust it and they want to know how this information is going to be used.
You are going to hear people talk about ''click streams'' and ''cookies'' and be able to trace people from place to place on the Web, and I am not a technocrat, so I will let others explain all of that to you.
Mr. VENTO. This is a new type of Cookie Monster.
Ms. BYRNE. A bad Cookie Monster. But the fact is that those who aren't explaining their privacy policies are going to, I believe, suffer the consequences of not doing that, and that is, people won't participate.
We also need to understand that to have solutions, we need a context, and if this subcommittee can do anything in having self-regulation work, it can give goals and context to those self-regulatory efforts, because right now it is kind of spread across the horizon.
Mr. VENTO. Well, we need to play our role here. I think it is going to be key.
Mr. Medine, there is no standard agreed upon--when I get to one Web site, I may have one particular policy. When I get to another, I may have another. There is no commonality. So it is a task; in terms of trying to rationalize this, it may be extremely difficult for those of us that would be or could be, if it were required, if there were some standards and so forth here, but we need to set some sort of a basic foundation.
I want to point out that I believe in the free enterprise system. I don't believe that legislation should be such that we would structure it to change the entire dynamic of our economy. It has to work.
As a matter of fact, whether we like it or not, we are all going to be part of this electronic age. Just ask those 10 million people that don't have checking accounts right now at banks that are going to have their payments directed to financial institutions. They are going to have to become part of that system, a piece of it. And so it is sort of involuntary, as a matter of fact, and Congress has voted to make it to some extent involuntary.
So I think we need to stay engaged and hopefully we can find some common ground.
There is much more I would like to ask, but I respect the fact that many of our colleagues are here, Madam Chairwoman, and I am going to yield back.
Chairwoman ROUKEMA. Thank you. Thank you.
Congressman Bereuter.
Mr. BEREUTER. Thank you very much.
Thank you, Madam Chairwoman.
Mr. Greenwood, I have a couple of questions for you, and perhaps it is in your written material which you supplemented, but I have not had a chance to read it in its entirety. I am wondering--I noticed, for example, that you are discussing the National Governors Association and others, including the Secretary of Commerce and the White House, involved in the United States Innovative Partnership, looking at the national technology policy.
Beyond that, is there an attempt ongoing to develop some kind of a unified, or at least coordinated, State position on consumer privacy issues as they relate to the issues we are talking about here today? Are the States coming up with a common set of guidelines for enacting legislation?
Mr. GREENWOOD. I would have to say that there is not currently a mature effort to do that. However, there are a number of efforts that are afoot now among the CIOs of the States, the comptrollers, the purchasing officers and other sort of high-staff-level people involved in electronic commerce policy, to coordinate our efforts generally. And consumer issues, privacy issues, our own information practices issues, are often on those agendas. But I don't know that we have taken this square on on its own merits at this time.
Mr. BEREUTER. All right. We are told that you are a leader in Massachusetts, the Commonwealth, in experimenting with on-line technology. Could you briefly describe security measures being used in this system and explain whether or not they are applicable to protecting sensitive information which would be transferred over the Internet?
Mr. GREENWOOD. Yes. Very briefly, I would say we are attempting to use the same tools available in the private electronic commerce marketplace to make it easier, we hope, for citizens and businesses. Encryption is one of the best tools available at this time, that we have come across. For credit card numbers, we are using a protocol known as SSL 2, Secure Sockets Layer 2.0, which allows for a point-to-point encrypted session between a browser and a server. So the data, in this case, credit card data for our registered motor vehicle pilots, is encrypted. If it were intercepted over the Internet, one couldn't read it.
We are also using cryptography in another way to get at another dimension of information security, which is the authentication piece. How do you know who you are dealing with on the other side of a transaction, whether it is the merchant side or the consumer side? And, unfortunately, I can't describe that briefly, but I will tell you the moniker is something called public key cryptography and we are using digital certificates.
We have relationships with so-called certificate authorities, and we are in a multistate effort now. I was in Washington again just this past Monday with representatives from a number of other States where we are now working with NACHA, a clearinghouse association, to come up with national standards for how we will deal with certificate authorities and how we will have digital signature standards more generally. That is going to be an area that I think is going to have to be looked at very closely because it does raise policy issues.
Mr. BEREUTER. Thank you very much.
Director Byrne, you have indicated in the last few paragraphs of your testimony the five common-sense principles which you identify for us, that you think should be used, that are relevant today to protect the privacy of personal information. Is the Office of Consumer Affairs prepared to begin to work with us on moving any necessary changes to implement those common-sense principles into statute and then into regulation?
Ms. BYRNE. Mr. Bereuter, we have been proponents of these principles since 1989 and we are trying our best to educate the consumers that these are what they should be looking for. We are prepared to go forward, again, as I mentioned, as long as we are in business, to help this subcommittee and others make these principles a reality. You will hear several of our industry friends here today talk about how they are trying to enforce very similar principles, and the question really comes down to implementation.
I don't think there is any disagreement among industry or consumer advocates about these principles. What we need is some kind of implementation mechanism.
Mr. BEREUTER. Have you reached a conclusion whether or not the implementation of these principles will require Federal action? Or can we rely on the private sector to adequately implement them to protect the consumer?
Ms. BYRNE. Again, it is trying to see, when we look at the privacy disclosures and the things that I read, the great differences. And to have some kind of context that is a legislative standardization of these principles, I think would be wise from the industry's point of view, because it saves them trouble, and from the consumer point of view, because they know exactly what they are looking for, and you and I can go ahead and educate them how to look for it.
Mr. BEREUTER. Thank you.
Thank you, Madam Chairwoman.
Chairwoman ROUKEMA. I thank you, Mr. Bereuter.
Mr.--I am sorry, Ms. Kilpatrick. I am taking Members in the order of their arrival. Ms. Kilpatrick.
Ms. KILPATRICK. Thank you, Madam Chairwoman. I think my first question will be to Ms. Byrne.
Some mention was made about the affiliates exchanging information within their own institutions. I am aware of several times when lists are sold, and that seems to be one of the major concerns of constituents around my district and probably across America. How is their information "sold," in fact, when the law does allow that within affiliates it can be "shared," I would rather say; and many times, in many instances, they found that their name is sold on a list?
Is that not against the law? And what protections are there for those consumers?
Ms. BYRNE. Well, you have to recognize all of the sources for this information. One of the greatest sources of information that is sold comes from our State governments in selling their records, and so they sell records to list compilers. We have records coming in from credit sources, and this, what I call in my testimony "data mining," is where all of this compiled together. And the availability for sales is across all spectrums.
Now, affiliates can share; they can trade. I can--if I am an affiliate of a card issuer and I am a travel agency, I can trade my travel agency customers with the card issuer customers. So whether you call it trading or selling, it is still done.
Ms. KILPATRICK. Isn't that unethical?
Ms. BYRNE. Not under the law.
Ms. KILPATRICK. Does the law need to be changed or do you think it is OK that consumers would be used in this way?
Ms. BYRNE. I think the information sharing among affiliates has a great potential for mischief.
Ms. KILPATRICK. Are you recommending that Congress do something about it? I come from a State legislature, and you are right, many times the States are the biggest faulters of what we are discussing at the moment. Should some regulation--or really, can it be manipulated so that the consumer is better protected?
Ms. BYRNE. Well, the previous Congress took a good step in passing the Moran-Boxer Bill, which outlined for States how they were going to handle information on DMV records, on driver motor vehicle records. That was a positive way to address how States handle information. I think you would look to that model for how other information is used.
Ms. KILPATRICK. Thank you.
Another question, if I might, Madam Chairwoman, to Mr. Medine. Given that, that we just discussed and as the FTC looks at it and those of us who represent consumers across America, I too believe that consumers must be educated so that we know exactly how our information is used when we apply. What tools might we use, as Congresspeople, as FTC regulators, to better educate consumers to deal with what is happening to them to protect them in their creditworthiness?
Mr. MEDINE. Well, I think that you have touched on one of the most critical issues, which is consumers' understanding of information practices, because without understanding how their information is going to be used, consumers cannot make an intelligent choice about whether to enter into a transaction or deal with a particular merchant. And there are a number of ways that can be done.
The FTC has held a number of public workshops to try to highlight to consumers how information is being gathered and used. We have also encouraged companies to disclose their privacy policies; and in fact, in a letter to Congress in July, we indicated that next March we are going to be surfing the Net and counting how many Web sites, at least on a statistical basis, are disclosing privacy policies and report back to Congress the following June, about our findings. Our hope and expectation would be that a substantial majority of Web sites are posting privacy policies that indicate how consumers' information will be used that is gathered through the Internet, so again consumers can have some choice in this area. And we hope to find that and we think that will be industry's self-regulatory response.
If we don't find that, we will also, of course, report back to Congress that there is a failing in this area and that maybe greater attention needs to be given to informing consumers about information practices.
Ms. KILPATRICK. We certainly look for that information. And I think, finally, with this global world that we live in, it is almost going to be impossible even that we want to do these things and protect our constituents as well as consumers across America. But with the technology that is available, that is advancing every day, we are almost, you know, good to have it in one instance, but there are some downsides to it as well. And I count on the FTC, as well as the President's representatives and all of us, to look out for the people whom we represent.
Mr. MEDINE. Well, technology is a double-edged sword in that it can provide an opportunity to invade consumers' privacy as well as protect it, especially, as you point out, in the international arena where our laws only go to our borders; and this information is now being exchanged internationally. Sometimes technological solutions that limit the flow of information or put it into consumers' control may have a greater force than even the law in this area.
Chairwoman ROUKEMA. Mr. Medine, that was an interesting response to Ms. Kilpatrick's question. What did you say on the posting privacy policies on the Web site? There is a study being done by your commission and a survey or a study with recommendations that are coming forward when?
Mr. MEDINE. We responded to letters from Senator McCain and Chairman Bliley after we held some privacy workshops in June about where the FTC was going on privacy issues. And what we reported back in that letter, we would be happy to make a copy of that letter a part of the record if that would be helpful.
Chairwoman ROUKEMA. Yes, please.
Mr. MEDINE. We will do a survey of Web sites in March of 1998, and what we hope to find is a substantial majority of Web sites hosting privacy policies; and we will report back to the Congress in June of 1998 about the state of on-line privacy generally, but in particular, what we find in our survey.
Chairwoman ROUKEMA. All right. Thank you very much. I appreciate that.
Mr. Barrett.
Mr. BARRETT. Thank you, Madam Chairwoman.
When we talk about self-regulation or security guidelines, isn't there a problem with that if not all marketing organizations adhere to the guidelines and consumers are left with the risk?
Mr. Medine, if you could address that?
Mr. MEDINE. That is a challenge of self-regulation. It is not enough for the good members of the industry to come forward and adopt good policies. They have to adopt policies and procedures that protect consumers across the board. And, clearly, that is the challenge the industry faces in this area.
They have made it clear, because the technology moves so quickly, sometimes Government regulation may impede the development of the marketplace. I think the challenge for Government staying its hand is an adequate response to protect consumers across the board through technologies that protect consumers, or through policies where consumers know not to shop at a certain Web site, because they don't have a privacy policy, and shop at the ones that do, because they have committed to protect consumers' privacy.
Mr. BARRETT. But it sounds like you are still advocating for us to take a reactive, rather than a proactive, approach to this. I think consumers are left holding the bag then.
Mr. MEDINE. Well, I think we are, fortunately, at an early stage of electronic commerce, where we have a chance for the technologies to develop and industry to be monitored to see if it is providing adequate protections and to intervene in situations where there are not adequate protections for consumers.
Mr. BARRETT. The other question I have deals with enforcement.
If you have a situation now where a provider of some sort tells you what they are going to use the information for--once it gets out into the World Wide Web and it is overseas or wherever it goes, where does our enforcement ability stop? How do we deal with that problem?
Mr. MEDINE. Well, I think there are legal challenges and practical challenges that we face in that area. In terms of our legal enforcement powers, there is no question we have jurisdiction over commerce that affects this country, even if the commerce comes from abroad. But there may be practical enforcement questions.
One example that recently came up, we were asked our opinion about a Web site that was based in Australia that we believed to be deceptive; and we might have had jurisdiction over it in this country, but as a practical matter, the site was based in Australia. What we did in that instance was to contact the Australian equivalent of the FTC and ask them to take a look at the Web site. And they were fully ready to jump in and they are investigating that Web site, because they recognized that even though relatively few Australians were victimized, it is now in everybody's interest to pursue fraudulent activities on the Internet.
So we are going to see far greater cooperation among the law enforcement agencies around the world, because we recognize it is in all of our interest to address these concerns.
Mr. BARRETT. OK. And I would like to welcome back my old classmate Leslie Byrne. It is good to see you. You look relaxed after Congress.
I didn't catch your oral testimony. But as I was looking through your written testimony, I saw your reference to an industry that is a hot spot issue to me, and that is debit cards. Earlier this year, I found out I had a debit card after I mistakenly used it to charge $300 over the phone. Thank God I had $300 in my checking account at the time.
But I had received it unsolicited, thinking that it was simply a replacement ATM card. And then when I learned that I was, in essence, carrying around signed blank checks because of the provisions that are in effect right now, I introduced a bill that has Congressman Schumer to deal with this.
And the Chairlady has been very receptive to looking at this issue, and I appreciate that. So I wanted to thank you for your interest in that area. And if you have any recommendations, we certainly would be open to those.
Ms. BYRNE. Well, your legislation, I think, would address a lot of the concerns that we have been hearing about from consumers who have had experiences just like yours.
I would like to take just one second to talk about the international picture because, in this global economy, it is important to understand that there are things going on across the globe to address privacy.
The European Union has come out with an EU directive on privacy that is much more strict and has a much more regulatory aspect to it than U.S. policy. One of the questions really is, can our companies compete overseas if they don't do better on privacy? Are they going to have self-imposed trade barriers when they try to do business overseas, because they have not addressed privacy that the EU directive demands? So that is a real question about how we are coming to grips with this in this worldwide marketplace.
Chairwoman ROUKEMA. Congressman Barrett, I might point out, or remind everyone, that next Wednesday we will have additional hearings on the debit card question that will be specific to the subject.
Mr. BARRETT. Thank you. I appreciate that very much. That is all, Madam Chairwoman.
Chairwoman ROUKEMA. Ms. Mahoney.
Mrs. MALONEY OF NEW YORK. It is Maloney.
Chairwoman ROUKEMA. I am sorry. I know better than that. I am sorry, Congresswoman.
Mrs. MALONEY OF NEW YORK. Mr. Greenwood, what kinds of information does a State gather about a person which can be accessed by a third party?
Mr. GREENWOOD. First of all, States do gather a dizzying array of information about people through various filings, certainly--you know, tax records, medical records through public hospitals, and so forth.
In terms of access by third-party detention, as I think was anticipated a little bit by prior comments, between the public records laws, our equivalent to FOI, and privacy interests, every State has some version of a public records law.
Let me speak to Massachusetts. Our public records law presumptively makes every record in the hands of our Government a public record unless it falls into one of several relatively narrowly crafted exceptions. Medical records and so forth are included in those exceptions.
And we are also one of the States that has a so-called Fair Information Practices Act, which gives people a right to prevent disclosure of information of a private nature. In my practice, I have come across times when I have been able to prevent disclosure of records, such as personnel files, based on that.
But I have to say that I characterize that as a constant twilight battle between fending off requests for public records based on privacy concerns and looking for adequate hooks in law to get to that result. And we do continually amend our public records law in Massachusetts to keep pace with the electronic realities of the data that we keep.
Mrs. MALONEY OF NEW YORK. Well, could you just elaborate a little bit more on the types of problems that have surfaced because of third-party access to these volumes of information that you are gathering in Massachusetts?
Mr. GREENWOOD. Just, for instance, we have a lot of data on our employees. Much of that data, I think for good policy reasons, is available. People want to know how we are spending our money, how we are managing the public affairs.
There were--actually I am not sure exactly what precipitated this, but recently there was an amendment to our public records law that exempted out the employee data, the name, the home address, and so forth for prosecutors, law enforcement officials, judges and so forth, which prior to that was public record.
I had to deal with a public records request as that amendment was going through for every solitary employee of the Commonwealth, and this is for direct marketing purposes; and we were able to arrange to exempt out some of those records. But that will be one example.
Mrs. MALONEY OF NEW YORK. OK. Thank you.
Chairwoman ROUKEMA. I thank you. I thank this panel. This has been very instructive, very helpful for us; and we will go over your testimony in detail and certainly compare--
Mr. VENTO. Can we submit written questions? I realize we would like to move along, but I would like to submit written questions.
Chairwoman ROUKEMA. Oh, absolutely. All Members would be permitted with unanimous consent to submit questions to you for the official record. And we appreciate your cooperation.
Thank you very much. We certainly will be interested in comparing your testimony with that now of the private sector, the second panel that will be before us.
If this panel number two will come forward, please.
Thank you very much. I appreciate your patience and your willingness to come before us today to give us of your wisdom, based on the practical experience you have.
I am going to introduce you in the order in which you are seated, and it will be in that order that you will give testimony.
First, I welcome Dr. Alan Westin, who is Professor Emeritus of Public Law and Government at Columbia University, with a long history of teaching there for many years. Dr. Westin not only has a law degree from Harvard University, but also has a Ph.D. in Political Science.
Dr. Westin, I understand you are the author of 26 books.
Dr. WESTIN. Yes, I am.
Chairwoman ROUKEMA. And publisher of Privacy and American Business. We appreciate that. And of course your most notable claim to fame is that you are a resident of New Jersey.
Dr. WESTIN. Absolutely. Yes I am.
Chairwoman ROUKEMA. Thank you. Dr. Westin
STATEMENT OF DR. ALAN F. WESTIN, PROFESSOR EMERITUS OF PUBLIC LAW AND GOVERNMENT, COLUMBIA UNIVERSITY, PUBLISHER, "PRIVACY AND AMERICAN BUSINESS"
Dr. WESTIN. Thank you, Madam Chairwoman and Members of the subcommittee. As a privacy expert who has been looking at these issues now for 4 decades, I want to underscore how important I think it is that your subcommittee is holding these hearings, because unlike the European countries that have national regulatory commissions that cover the private sector, our tradition has been very much one of sector legislation and a mixture of market forces, private lawsuits, and sector legislation.
But when you have rapidly changing technology and some of the trends in financial applications of new information technology that I describe in my testimony, it becomes very important for committees of Congress to look hard at whether the existing structure of law and the existing practices in industry are adequate. And it is in that spirit that I think your gathering of information from a wide variety of sources is extremely appropriate.
What I have tried to do in my written testimony is to provide you with some survey material, some actual experience and then some judgments about what the directions are for voluntary activity, and also a judgment as to whether legislation would be appropriate at this moment.
Let me start quickly by summarizing some of the survey data. I have been the academic advisor on 24 national public opinion surveys on privacy since 1978 with both Louis Harris & Associates and Opinion Research Corporation in New Jersey.
Just this past May, Privacy and American Business sponsored, with Louis Harris, the first representative national survey of computer users in America, about 100 million persons who use computers today, and that included 44 million persons who were on the Internet.
In my testimony, I lay out the highlights of what we found. And also, as an appendix to my testimony, there is an issue of Privacy and American Business, which details all of these, and I would like to submit that for the record.
Chairwoman ROUKEMA. Yes, that will be in the record. Thank you.
Dr. WESTIN. Among the major survey findings are that, first, as many people know, consumers rank financial information along with medical information as the two most privacy-sensitive types of information collected about them.
Traditionally, the public has had high trust in banks and financial institutions to collect and use their financial information appropriately. But a number of trends in data mining and warehousing and target marketing and affiliate sharing and the breakdown of industry lines and the connection of the banks, insurance companies, and securities firms have begun to shake public confidence that the traditional trust in banks is merited.
And so we find much lower confidence today in credit card companies, on-line and Internet service providers, credit reporting agencies and others, a feeling, in other words, that consumers have not yet seen a set of policies and a set of practices enunciated and communicated to them that keeps pace with the much more rapid circulation of consumer information within these financial service communities.
The surveys also show that, in general, the American public is quite strong in favoring voluntary safeguards and voluntary policies over Government regulation if the private sector adopts such good policies and if they are widely supported.
A final highlight I would like to mention from the survey data is that consumers clearly differ in how they define privacy and their willingness to provide personal information in return for consumer opportunities. And that is why a one-size-fits-all concept of legislative intervention is pretty dangerous in this area. Much more important is a concept of notice and choice and variety, because that reflects much better what the survey data tells us about the differences people have about how comfortable they are to share information.
In the second section of my testimony, I describe what I think are the core voluntary principles that have emerged from various hearings and efficacy and industry sources. There are seven of these that are listed, and they range from no surreptitious or secret gathering of personally identified data and notice at the outset, provisions of choice, effective techniques to screen out unwanted commercial or other solicitations, a provision of inspection and correction opportunities, verification mechanisms and workable systems that challenge, and public education and response.
And many leading companies in the United States making use of the Internet have appreciated this. And so, in my testimony, I give examples on the home pages of companies like IBM, Equifax, Bell Atlantic and Time Warner, which all, as examples, state on their home pages what they collect, how they will use it, and often offer opt-out provisions to visitors as to how their information would be used.
Knowing that I was asked to testify, my center, the Center for Social and Legal Research, last week did a pilot survey of 50 banks and 22 investment firms with Web sites to see how widely those models of what the IBMs and the Equifaxes have done are being followed in the banking area.
And I should say that in all of these sites, personal information is being collected from consumers, either in requests for information forums, on-line banking, financial analysis models, signing up for various services, and so on.
And our findings are that no bank or investment firm Web site of all those we surveyed has on its homepage a privacy notice that tells individuals how their information is going to be used. And only three of the banks of the 39 that collected personal information offered an opt-out at the point at which they were collecting sensitive personal information from their customers.
Now, my sense is that the reason for this is that senior management in the banks have not yet stepped forward to tell their marketing people and the Web site developers that this is, indeed, what consumers expect and what good public policy and good industry policy ought to be.
And I know because it happens that one bank that popped up in our sample, PNC Bank, in fact has a major privacy policy which they are about to put up on their Web site. So I know there is progress that is going on, even though that is the way they happened to hit in our survey.
My own sense, in other words, is this is not out of willfulness or a sense of disregard. But it does seem to me that your subcommittee has to measure the actual progress in this voluntary safeguard concept against what actually is being done.
In general, as I say in my testimony, I think that this is a period in which a tremendous amount of ferment is going on in the technology community, the industry community, the public interest community, and that many things are being done that are the models for what will be good practice. The problem is to make sure that these are followed, that they become the norms, and that they have remedies and enforcement mechanisms that are important.
Let me close by saying that I have, over 40 years, been a strong advocate of privacy legislation in particular sectors when the time was right. I was a lead witness for the Fair Credit Reporting Act in 1969 when it was passed in Congress, and I have supported privacy legislation in the health and medical area, digital communications, and a wide variety of other sectors. But I don't believe the time is right yet for legislation in the Internet and on-line area.
Our survey found, for example, when we asked a sample of people using the Internet and using on-line services, "Do you believe that your privacy has been invaded in your use of the on-line and Internet survey process?", only 5 percent of Internet users and 7 percent of on-line service subscribers reported that they had ever experienced any invasion of privacy while on-line and using the Internet.
And since we know that about that percentage of people believe Martians have come down in their backyard and taken away their young, I don't think that a 5 percent or 7 percent figure really ought to be seen as evidence of a tremendous, actually experienced invasion of privacy.
Therefore, I would argue that what a subcommittee like this needs to look at is, are there abuses and malpractices that have been documented that need to be addressed? Is there clear evidence of the failure of good voluntary efforts and practices to unfold in sufficient volume? And, finally, are there regulatory approaches that have a high likelihood of resolving problems effectively without creating even more serious problems in the regulatory effort?
Measured by those standards, I would suggest that the next two years or so is a wonderful time to watch and wait, but that the effort to frame legislation this year or next year, it seems to me, to be anticipative in the wrong sense and would not be a significant contribution to the process of development that is taking place in this area.
Chairwoman ROUKEMA. Thank you, Dr. Westin.
Marcia Z. Sullivan. We welcome you here today. Ms. Sullivan is Director of Government Relations for the Consumer Bankers Association, and one of the architects of the banking industry, as I understand it, your best practice is use of customer information. Do you accept credit for that?
Ms. SULLIVAN. I would love to be an architect.
Chairwoman ROUKEMA. Do you accept credit for that? In any case, you have considerable practical experience in this area, and if you will begin your testimony. Thank you.
STATEMENT OF MARCIA Z. SULLIVAN, VICE PRESIDENT AND DIRECTOR, GOVERNMENT RELATIONS, CONSUMER BANKERS ASSOCIATION
Ms. SULLIVAN. You are welcome, Chairwoman Roukema, thank you for the kind introduction. I appreciate the opportunity to appear today to talk about the ongoing efforts at CBA.
I would also like to say that I like the watch-and-wait philosophy of Dr. Westin to my left. I think all of us here would agree, having lived through working with you and your staff on the Fair Credit Reporting Act over the past -- people say 7; I seem to remember 10 years -- but, nonetheless, we think it is a good law, and we would like to talk about it some later.
As we heard today, electronic technologies have provided consumers with unparalleled choice and opportunities. We are also aware, however, that these new information technologies have raised concerns about the collection and the use of personal information. As a result, we know that it is clear that a balance must be struck between protecting individual privacy and the fair use of information.
I want to talk about a couple of things today. First, the principle of customer information or customer confidentiality on which banks operate today, is one on which they have operated for decades. Second, the development of industry-wide privacy principles such as those endorsed by CBA, ABA, The Bankers Roundtable, and BITS are very important; and I want to talk a little bit about our part in the development of that. And last, the current law and substantial oversight in Federal Government today in the area of privacy, which we welcome and we think has been -- and is -- quite substantial.
Banks have traditionally protected personal financial information. This has led to strong safeguards, ensuring the confidentiality and proper use of customer information. As a result, we believe that banks are well prepared to protect customer or consumer privacy in the electronic commerce age. Although the form and quantity of information may have changed, it is a change of degree and not in kind.
Protecting customer privacy is important to the very success of a financial institution.
Few consumers would patronize a bank that would fail to provide an adequate level of privacy. It is really easy for a dissatisfied customer to find another bank. In addition, the establishment of bank industry privacy principles strongly encourages banks to provide consumers with consistent assurance about the confidentiality of personal information.
Within the banking industry, we were at the forefront in developing these privacy principles or best practices guidelines. We responded to a growing concern over the use of customer information and its importance to the banking industry, and our board adopted guidelines to serve as a blueprint for institutions developing their own.
In order to help the banks implement the policy, we had a workshop a year ago and are doing another one very shortly with Morrison & Foerster -- a firm that many of you have worked with on the Fair Credit Reporting Act -- in order to help banks implement their policies.
This is a very difficult area. I have worked on it with the banks for years. Many of them are on the cusp of actually making their policies public; as Dr. Westin mentioned, PNC is one of them. But that is not an easy thing to do, and we are hoping that we can help them in the process, as will ABA and The Bankers Roundtable and BITS.
We also believe that the marketplace, with the support of existing Government oversight, is the best regulator of electronic commerce at this time. One example is the recently amended, and we certainly talked about it, the Fair Credit Reporting Act, FCRA.
FCRA puts consumers in the driver's seat by providing them with notice and the ability to opt-out of information-sharing arrangements among affiliates. September 30, however, is the date this law does become effective. So I do think that we will see a correction of the problems that Dr. Westin was referring to on the 30th when that law does go into effect.
Moreover, and I want to state this again, it is important to note that FCRA amendments allow only affiliated companies to share information. If a bank were to share with an unaffiliated third party, the bank would become a consumer reporting agency and subject to the very burdensome requirements of the FCRA.
The rationale of that was to allow banks to share information because the law required that they be in a bank holding company structure. As such, they weren't allowed to share information they could share, were they just one company.
Other laws, like the Electronic Funds Transfer Act, require that consumers also be informed that banks share information. Finally, as discussed, a number of States govern their disclosure.
At the same time, Government is playing an integral oversight role in the development of electronic commerce. As financial institutions develop new products, they have done so in very close contact with their bank regulators.
We have heard about the FTC. We have heard what Ms. Byrne's work is. The Department of Commerce has also been extraordinarily active. Its role is due in part to the American companies and their concern with the privacy initiatives, especially the European directive abroad.
We believe, and we would like to agree with the FTC discussion today, that the Government could play an even larger role in educating consumers about the benefits of the use of privacy and its implications -- the use of customer information and its implication to their privacy. We would welcome working with you and the regulators on this very important task.
Once again, I thank you very much. I would like to submit for the record, because I think the press is playing a very important role in educating customers, an article in Time Magazine on August 25 and an article in The Washington Post from September 7, both advising customers on what to do and how to protect their privacy. Thank you.
Chairwoman ROUKEMA. Very good. Without exception, we will have those included in the record.
Now, we have a vote going on, currently in progress, and we expect it to be followed by a second 5 minute vote, so we will be in recess for at least 15 minutes. And, hopefully, my colleagues will return promptly, and we will try to begin right after this second vote. Thank you for your patience.
[Recess.]
Chairwoman ROUKEMA. I would hope that we could bring the panel to the front and continue the hearing.
Again, I thank Ms. Sullivan for her testimony. We concluded that.
Now we have a window of opportunity here. We don't anticipate other votes, at least not within the next hour, so we would hope that we can conclude matters here. And at least the rest of this panel can be assured that they will have our undivided attention.
The next panelist is John Byrne, and he is representing the American Bankers Association and I believe has particular focus on financial privacy matters. Mr. Byrne serves, as I understand it, as Senior Federal Counsel for the American Bankers Association.
We welcome you here today.
STATEMENT OF JOHN J. BYRNE, SENIOR COUNSEL AND COMPLIANCE MANAGER, AMERICAN BANKERS ASSOCIATION
Mr. BYRNE. Thank you, Madam Chairwoman and Congressman Vento. I am pleased to be here today to discuss the issue of privacy. I want to summarize some of the issues that we have included in our written statement; and also some of the same things that Marcia has talked about, I will leave for our written statement.
The banking industry is acutely aware of the increased focus on consumer privacy due to the rapid emergence of electronic commerce. But as Dr. Westin said and Marcia said, we do believe that, overall, banks do more to protect customer confidentiality than any other industry. Whether by law or by policy, the watchword for our industry is trust. And we realize that without it, consumers can lose confidence in their financial institutions.
Basically speaking, when we talk about privacy law in the United States, we are talking about a series of Federal and State laws, as well as case law, dealing with privacy. So some of the discussions about the European Union and how those are stronger laws, I take a little bit of issue with because while it is more difficult to discern financial privacy restrictions in our country, you simply need to go to several different sources to figure out what they are.
We have the Right to Financial Privacy Act, the Fair Credit Act you talked about earlier, and the Electronic Communications Privacy Act. As I said before, you also have State law and an array of case law that you need to look at to determine what banks' obligations are. These laws and court decisions make it clear that our industry has unique challenges.
ABA believes that information is critical to the daily business of our members, and issues such as unauthorized access and disclosure are carefully addressed in bank policies and procedures. Before talking about those issues, I would like to briefly mention the work of the ABA payment system task force.
The task force came together two years ago and concluded at the end of September 1996, among other things, the necessity of creating a privacy working group. We put that group together earlier this year, and one of the results of that group was the creation of industry privacy guidelines which, as Marcia has pointed out, were based in part on what the Consumer Bankers Association had done in an excellent fashion, in the year prior to the ABA development. Our task force concluded that industry guidelines should be drafted and made available to all industry parties.
In June of this year, the ABA's board of directors approved privacy principles. And since that time, ABA, the CBA, The Bankers Roundtable, as well as the Independent Bankers Association, have all agreed on a uniform set of industry principles so that banks in the United States would have just one set of principles to use in order to enhance, supplement, or create their own individual policies.
In July of this year, our association responded to a series of privacy policy options addressed in the White House report, "A Framework for Global Electronic Commerce." The overall position taken in the report is to support private-sector efforts to implement, "meaningful, consumer-friendly, self-regulatory privacy regimes." The report emphasizes that failure to produce appropriate models will result in Government pressure to play a more direct role in industry privacy responses.
The banking industry willingly accepts this challenge, and we will continue to develop appropriate models to address customer concerns. Our industry, therefore, should be free to develop our own privacy response to emerging technologies because we are in the best position to address compliance with the various laws. We believe that our efforts to address privacy issues within the industry will pass muster under any reasonable objective analysis of banking privacy policies.
Another option being discussed within the framework of that study, that we could support, concerns the creation of an advisory body without regulatory authority. Our industry has a track record of working with several governmental advisory groups whose mission is information-sharing and coordination.
For example, ABA has participated with NSTAC, the National Security Telecommunications Advisory Committee, in a public-private sector advisory group created to draft recommendations on important infrastructure and compute