26–912 PDF










APRIL 4, 2006

Serial No. 109–98

Printed for the use of the Committee on the Judiciary

Available via the World Wide Web: http://judiciary.house.gov


F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
HENRY J. HYDE, Illinois
HOWARD COBLE, North Carolina
BOB INGLIS, South Carolina
MARK GREEN, Wisconsin
DARRELL ISSA, California

JOHN CONYERS, Jr., Michigan
HOWARD L. BERMAN, California
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ADAM B. SCHIFF, California
LINDA T. SÁNCHEZ, California

PHILIP G. KIKO, Chief of Staff-General Counsel
PERRY H. APELBAUM, Minority Chief Counsel

Subcommittee on Commercial and Administrative Law

CHRIS CANNON, Utah, Chairman

HOWARD COBLE, North Carolina
MARK GREEN, Wisconsin

MELVIN L. WATT, North Carolina
WILLIAM D. DELAHUNT, Massachusetts

MIKE LENN, Full Committee Counsel
STEPHANIE MOORE, Minority Counsel

Subcommittee on the Constitution

STEVE CHABOT, Ohio, Chairman

MARK GREEN, Wisconsin

JOHN CONYERS, Jr., Michigan
MELVIN L. WATT, North Carolina

PAUL B. TAYLOR, Chief Counsel
DAVID LACHMANN, Minority Professional Staff Member


APRIL 4, 2006

    The Honorable Chris Cannon, a Representative in Congress from the State of Utah, and Chairman, Subcommittee on Commercial and Administrative Law

    The Honorable Melvin L. Watt, a Representative in Congress from the State of North Carolina, and Ranking Member, Subcommittee on Commercial and Administrative Law

    The Honorable Steve Chabot, a Representative in Congress from the State of Ohio, and Chairman, Subcommittee on the Constitution

    The Honorable Jerrold Nadler, a Representative in Congress from the State of New York, and Ranking Member, Subcommittee on the Constitution


Ms. Linda D. Koontz, Director, Information Management Issues, U.S. Government Accountability Office
Oral Testimony
Prepared Statement

Ms. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department of Homeland Security
Oral Testimony
Prepared Statement

Mr. Peter Swire, William O'Neill Professor of Law, Moritz College of Law of the Ohio State University, Visiting Senior Fellow, Center for American Progress
Oral Testimony
Prepared Statement

Mr. Stuart K. Pratt, President and Chief Executive Officer, Consumer Data Industry Association
Oral Testimony
Prepared Statement


Material Submitted for the Hearing Record

    Additional Material for the Record submitted by Linda D. Koontz, Director, Information Management Issues, U.S. Government Accountability Office



House of Representatives,
Subcommittee on Commercial
and Administrative Law,
Committee on the Judiciary,
Washington, DC.

    The Subcommittees met, pursuant to call, at 12:03 p.m., in Room 2138 Rayburn House Office Building, the Honorable Chris Cannon (Chairman of the Subcommittee on Commercial and Administrative Law) presiding.

    Mr. CANNON. I think we will get started here. The hearing will be called to order.

    As many of you know, the protection of personal information in the hands of the Federal Government has long been a top priority for my Subcommittee, the Subcommittee on Commercial and Administrative Law, and Chairman Chabot's Subcommittee, the Constitution Subcommittee. Both of our Subcommittees have played a major role in respect to protecting personal privacy and civil liberties under the leadership and guidance of Jim Sensenbrenner, Chairman of the Judiciary Committee.

    In this post-September 11th world, however, it is no easy task to balance the competing goals of keeping our Nation secure while at the same time protecting the privacy of our Nation's citizens. Nevertheless, I believe that our respective Subcommittees and the Judiciary Committee are uniquely and best suited to study and resolve these issues.

    Our accomplishments to date include the establishment of the first statutorily-created Privacy Office in a Federal agency, namely the Department of Homeland Security. That office has since earned plaudits from both the public and private sectors. Based on the successes of that office, we also spearheaded the creation of a similar function in the Justice Department, which was signed into law in January of this year.

    In addition, both my Subcommittee and the Constitution Subcommittee have considered the support of legislation requiring a Federal agency to prepare a privacy impact analysis for proposed and final rules and to include this analysis in the Notice for Public Comment issued in conjunction with the publication of such rules.

    Today's hearing focuses on the respective roles that the Federal Government and information resellers have with respect to personal information collected in commercial databases. As the hearing title denotes, we approach this subject with an open mind and willingness to understand the factors and nuances concerning how Federal agencies and those in the private sector safeguard personal information that they obtain from us.

    As technological developments increasingly facilitate the collection, use, and dissemination of personally identifiable information, the potential for misuse of such information escalates. Five years ago, the GAO warned: ''our Nation has an increasing ability to accumulate, store, retrieve, cross-reference, analyze, and link vast numbers of electronic records in an ever-faster and more cost-efficient manner. These advances bring substantial Federal information benefits as well as increasing responsibilities and concerns.'' Given the largely unfettered use of Social Security numbers and the availability of other personally identifiable information, identity theft has swiftly evolved into one of the most prolific crimes in the United States. According to the Federal Trade Commission, identity theft topped the list of consumer complaints filed with the Agency in 2005. The FTC estimates that 10 million consumers were victims of some form of identity theft in 2003.

    As a result of this crime, American businesses suffered an estimated $48 billion in losses, while consumers incurred an additional $5 billion in out-of-pocket losses. Just this week, the Justice Department announced that nearly 4 million households, about 3 percent of all households in the Nation, learned that they had been identity theft victims. Just last week, I got a credit card in the mail with a little note saying that my account had been viewed as one that might be subject to identity theft, and so I have a new card with a new number. I hadn't memorized the old one, so it was not much of an inconvenience. But it is a broad problem.

    Unfortunately, we continue to receive reports from GAO finding shortcomings in how Federal agencies safeguard personal information, and the private sector's vulnerability was highlighted by the many high-profile databases that have occurred in recent years. Questions have also been posed about the accuracy of some of the data maintained in these commercial databases. It is against this complex but exceedingly interesting backdrop that we are holding this hearing today.

    I would now like to turn to my colleague Mr. Watt, the distinguished Ranking Member of my Subcommittee, and ask him if he has any opening remarks.

    Mr. WATT. Thank you, Mr. Chairman. I will be brief.

    Let me commend Chairman Sensenbrenner and Ranking Member Conyers and Mr. Chabot and Mr. Nadler for taking steps to get the GAO to conduct this investigation and produce this report. It is clear that privacy issues that confront our country as a result of extraordinary technological advances are significant and that the ramifications of how we treat the privacy of personally identifiable information is heightened in the post-9/11 world. I say this as a member of both the Financial Services and Judiciary Committees, and have heard testimony from numerous witnesses on the enhanced concerns about the Government's acquisition, maintenance, and dissemination of personal information and the opportunity for identity theft created by the massive data mining of this information.

    One of the main recommendations of the 9/11 Commission was the establishment of a Governmentwide watchdog to safeguard civil liberties. The Commission found that currently, ''there is no office within the Government whose job it is to look across the Government at the actions we are taking to protect ourselves and to ensure that liberty concerns are appropriately considered.''

    We have tried to get that recommendation passed, without any success up to this point, and I think the need for that kind of oversight body is continuing to grow and we need to do that.

    I am looking forward to the testimony of the witnesses. And with that, Mr. Chairman, I will yield back the balance of my time.

    Mr. CANNON. The gentleman yields back. Thank you.

    Now I would like to turn to my colleague Mr. Chabot, the distinguished chair of the Constitution Subcommittee, and ask him if he has any opening remarks.

    Mr. CHABOT. Yes, I do. Thank you, Mr. Chairman.

    Mr. CANNON. The gentleman is recognized for 5 minutes.

    Mr. CHABOT. First I would like to thank you for holding this hearing and thank all our witnesses for assisting us in our examination of issues related to the security and privacy of our personal information.

    Security breaches reported in the media last year involving the unauthorized access to and theft of personal information highlighted an emerging area of concern to all of us, that being the treatment of our personal information as just another commodity. Our concerns are well-founded, as recent statistics released by the Department of Justice reveal that identity theft affected 3.6 million households across the Nation and cost our economy $3.2 billion during the first half of 2004 alone.

    The security breaches also raise questions with regard to the Federal Government's reliance on and contributions to the use of personal information. Questions raised include: Are Federal agencies collecting information on us? What information is being collected? Where is the information going and where will it eventually end up? What Federal laws guide collection activities? And most importantly, how, as individuals affected by these collection activities, can we best monitor and ensure that such information is being used as was intended?

    Last spring, I, along with the Chairman and Ranking Member of the full Committee, Mr. Conyers, charged GAO with finding answers to these questions. In particular, we sought to gain a better understanding of the Federal Government's involvement and reliance on data as it relates to fulfilling our Federal Government's top priorities, such as our Nation's law enforcement and antiterrorism efforts, and performing other critical domestic functions such as effectively distributing benefits.

    Our inquiry was also prompted by the information age in which we live, where technology has allowed personal information to be universally available to anyone at any time, including to the Federal Government. The information provided by the commercial data suppliers has served an important role in supporting our Nation's law enforcement and antiterrorism efforts. It has also played an important role in assisting the Federal Government to perform other administrative responsibilities. For example, last fall, commercial data companies provided critical assistance to FEMA to assist the victims of Hurricane Katrina.

    However, with the widespread availability of information comes increased risks of privacy and security breaches, unauthorized uses, and other negative effects, to which the Federal Government is not immune.

    I hope through today's hearing we can gain a better understanding of the existing Federal laws and policies in place guiding commercial data suppliers and the Federal Government in handling personal information. Moreover, I look forward to discussing whether Federal laws such as the Privacy Act of 1974 and E-Government Act of 2002, which guide the Federal Government, and the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, which guide the commercial data industry, have been affected in addressing concerns raised by the emerging industry.

    With a better understanding of the existing framework, we can ensure that the Federal Government continues to have access to the types of information that will enable it to fulfill its responsibilities. At the same time, we can ensure that citizens know when and how their information is being collected and used by the Federal Government.

    I look forward to discussing these issues and learning whether new legislation, such as the Federal Agency Privacy Protection Act which I have introduced in the previous Congresses, would be an appropriate remedy to ensure citizens' privacy concerns over the use of their personal information by the Federal Government. The Federal Agency Privacy Protection Act would require that all Federal agencies conduct privacy impact assessments when issuing a notice regarding a new or interpretive rule relating to the collection of personally identifiable information on citizens, as well as when final rules are promulgated.

    Again, I welcome the witnesses here with us today and look forward to their testimony.

    I yield back the balance of my time.

    Mr. CANNON. Thank you, Mr. Chabot.

    Mr. Nadler, do you have an opening statement?

    Mr. NADLER. Yes. Thank you, Mr. Chairman. I will be brief because I want to get to our witnesses.

    Modern technology and security concerns have greatly threatened the privacy of the most personal information about every American. The nexus between private information resellers and Government action are especially troubling.

    How we handle these complicated issues—and they are complicated—will affect the lives of every one of our constituents. It is not simply a matter of identity theft but of the basic right to be secure in our persons, our papers, and our homes. People need to know that when they visit a doctor, go to the store, read a book, engage in the practice of their religion, they will not be subject to unwanted and uninvited prying eyes.

    The secret NSA wiretaps, some of the abuses of power by the Justice Department, some of the more extravagant claims by this Administration are warning signs. I hope this Congress looks more carefully at the question of privacy from both a technical and legal perspective. This study and this hearing are important steps in this direction.

    Of course, in one sense, this study, this hearing, everything we are doing, in one sense is irrelevant, because the Administration claimed in the NSA wiretap situation that the President has inherent power to disobey the FISA law because of inherent power under article II and under the authorization for the use of military force. And in fact, it claims inherent power to go beyond that, and we have no way of knowing what the NSA or some other agency may in fact be doing that might invade privacy. The Administration won't tell us. They won't testify to us. It is all secret. And in fact, the Administration is conducting an investigation into who revealed what we do know about the NSA wiretaps, because they think that ought to have remained secret. I disagree, obviously, but that is their position.

    And they have made it quite clear that, in fact, various Government agencies may be going far beyond what we know in wiretapping or otherwise invading the privacy of American citizens regardless of what the law says and regardless of any law we may pass, because the President has inherent power to disregard that during a war, and we are in a war on terrorism.

    So everything we say, everything we investigate, everything we hear, everything we do may in fact be irrelevant because the President claims the power to ignore it and may or may not be exercising that power in ways that are unknown to us. That is a far greater threat to our liberty than probably anything else we are talking about.

    So I thank you, Mr. Chairman, for scheduling this hearing. But I hope we realize that the ability of this Congress to deal with this is very much circumscribed by the unprecedented and tyrannical claim of power that the Administration is making.

    I thank you. I yield back.

    Mr. CANNON. Far be it from me to disagree with the gentleman, but I think it is the role of Congress to oversee any president of either party.

    Mr. NADLER. Well, I certainly agree with that.

    Mr. CANNON. That is not the focus of this hearing, but we certainly need to be doing that.

    Mr. NADLER. Mr. Chairman, if I could just say.

    Mr. CANNON. Certainly.

    Mr. NADLER. You are not disagreeing with me. I certainly agree that we ought to be overseeing the Administration. My point is that the Administration claims under the wartime power that we have no power to do that.

    Mr. CANNON. I understand that you are being very harsh about the Administration. I think our objective is to transcend the current status of affairs with the war on terror.

    Without objection, the gentleman's entire statement will be placed in the record. Hearing no objection, so ordered.

    Without objection, all Members may place their statements in the record at this point. Hearing no objection, so ordered.

    Without objection, the Chair will be authorized to declare recesses of this hearing at any point. Hearing no objection, so ordered.

    I ask unanimous consent that Members have 5 legislative days to submit written statements for inclusion in today's hearing record. Hearing no objection, so ordered.

    I am now pleased to introduce the witnesses for today's hearing. Our first witness is Linda Koontz, who is the Director of GAO's Information and Management Issues Division. In that capacity, she is responsible for issues regarding the collection, use, and dissemination of Government information. Mrs. Koontz has led GAO's investigations into the Government's data mining activities as well as E-Government initiatives. In addition to obtaining her bachelor's degree from Michigan State University, Ms. Koontz received certification as a Government financial manager. She is also a member of the Association for Information and Image Management Standards Board.

    Maureen Cooney, our next witness, is the Acting Chief Privacy Officer for the Department of Homeland Security. Ms. Cooney, we always appreciated working with your predecessor, Nuala O'Connor Kelly, and we look forward to working with you as well. As I previously noted in my opening remarks, my Subcommittee, with the support of Chairman Jim Sensenbrenner, played a major role in establishing Ms. Cooney's office at the Department of Homeland Security. The legislation creating her office not only mandated the appointment of a privacy officer, but specified the officer's responsibilities. One of the principal responsibilities of the DHS Privacy Officer, as set out by statute, is the duty to assure that the use of technologies sustain and do not erode privacy protections relating to the use, collection, and disclosure of personal information. In addition, the Privacy Officer must assure that personal information is handled in full compliance with the Privacy Act and assess privacy impact of the Department's proposed rules.

    Before joining the DHS Privacy Office, Ms. Cooney worked on international privacy and security issues at the U.S. Federal Trade Commission, where she served as the principal liaison for the FTC to the European Commission and article 29 Working Party on Privacy Issues. She also played a major role on the rewrite of the Organization for Economic Cooperation and Development Security Guidelines for Information Systems and Networks. Prior to that assignment, Ms. Cooney worked on privacy and security issues with the Treasury Department in the Office of the Comptroller of the Currency. We are really pleased that there are people that know as much about this as you do, who are here to help guide us.

    Ms. Cooney received her bachelor's degree in American studies from Georgetown University and her law degree from Georgetown University Law Center.

    Our third witness is Peter Swire, the C. William O'Neill Professor in Law and Judicial Administration at the Moritz College of Law of Ohio State University. In addition to his academic endeavors, Professor Swire is a consultant with the law firm Morrison & Foerster, where he provides advice on privacy, cyberspace, and related matters. He is also currently a visiting senior fellow at the Center for American Progress, a nonpartisan research and educational institute. Under the Clinton administration, Professor Swire was OMB's Chief Counselor for Privacy.

    Professor Swire received his undergraduate degree from Princeton University and his law degree from Yale Law School. He is a prolific writer, with numerous law review articles and other writings to his credit.

    Our final witness is Stuart Pratt. Mr. Pratt is the president and CEO of the Consumer Data Industry Association, an international trade association representing more than 250 consumer information companies. Prior to his current position, Mr. Pratt served as the association's vice president of government relations. He is a well-known expert on the Fair Credit Reporting Act, identity fraud, and the issues of consumer data and public record data issues. Mr. Pratt received his undergraduate degree from Furman University in Greenville, South Carolina.

    I extend to each of you my warm regards and appreciation for your willingness to participate in today's hearing. In light of the fact that your written statements will be included in the hearing record, I request that you limit your oral remarks to 5 minutes. Accordingly, please feel free to summarize or highlight the salient points of your testimony.

    You will note that we have a lighting system, which is not yet on but they are the two little gizmos in front of you. It starts with a green light and you have 4 minutes before it turns yellow, and then at the 5-minute mark it turns red. It is my habit to tap the gavel at 5 minutes. We will appreciate it if you would finish up your thoughts within that time frame. We don't want to cut people off in the middle of your thinking, but I find it works better if everybody realizes we have a 5-minute limit. I am probably going to be a little more aggressive with questions so that we can give everybody an opportunity to ask questions.

    After you have presented your remarks, the Subcommittee Members, in the order they arrived, will be permitted to ask questions of the witness. They will also be limited to 5 minutes.

    Pursuant to the direction of the Chairman of the Judiciary Committee, I ask the witnesses to please stand and raise your right hand to take the oath.

    [Witnesses sworn.]

    Mr. CANNON. Thank you. You may be seated.

    The record should reflect that each of the witnesses answered in the affirmative.

    Ms. Koontz, would you please proceed with your testimony.


    Ms. KOONTZ. Mr. Chairman and Members of the Subcommittees, I appreciate the opportunity to discuss the results of GAO's work on the Federal Government's purchase of personal information from businesses known as information resellers. My testimony summarizes the results of the report we did at the Committee's request and that we are issuing today. For that report we reviewed four agencies: Justice, Homeland Security, State, and Social Security.

    Information is an extremely valuable resource and information resellers provide services that are important to a variety of Federal agency functions. Specifically, for fiscal year 2005, the four agencies we reviewed reported a combined total of approximately $30 million in obligations for the purchase of personal information from resellers.

    The vast majority of this spending, about 91 percent, was for law enforcement or counterterrorism. For example, the Department of Justice, the largest user among the four, used the information for criminal investigations, locating witnesses and fugitives, and researching assets held by individuals of interest. Reseller information was also used by others to detect and investigate fraud, verify identities, and determine eligibility for benefits.

    As agreed, we also evaluated agency and reseller privacy policies and practices against the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal information. These principles, with variations, are the basis of privacy laws in many countries and are the foundation of the Privacy Act. They are not legally binding either on Federal agencies or resellers, but we believe they do provide a useful framework for analyzing agency and reseller practices and serve as an appropriate basis for further discussion and debate.

    Applying this framework to Federal agencies, we found some inconsistencies. Agencies did take steps to address the privacy and security of the information acquired from resellers, but their handling of this information did not always fully reflect the Fair Information Practices. For example, although agencies issued privacy notices on information collections, these did not always specifically state that information resellers were among the sources used. This is not consistent with the principle that the public should be informed about privacy policies and have a ready means of learning about the use of personal information. One reason for this kind of inconsistency is ambiguity in OMB's guidance regarding how privacy requirements apply to Federal agency use of reseller information.

    To address these inconsistencies, we made recommendations to OMB and to the agencies we reviewed. These agencies generally agreed with our report and reported actions they are taking. In particular, the Privacy Office within Homeland Security has conducted a public workshop on the Government's use of commercial data for homeland security and recently finalized guidance on conducting privacy impact assessments, which includes very useful direction on the collection and use of commercial data.

    Regarding resellers, they also took steps to protect privacy, but these measures were not fully consistent with the Fair Information Practices. For example, resellers generally informed the public about key privacy practices and principles and they have recently taken steps to improve security safeguards. However, the principles that the collection and use of personal information should be limited and its intended use specified are largely at odds with the nature of the reseller business, which is based on providing information to multiple customers for multiple purposes.

    Further, resellers generally limit the extent to which individuals can gain access to personal information held about themselves, as well as the extent to which they can correct or delete inaccurate information contained in reseller databases.

    In response, information resellers raised concerns about our reliance on the Fair Information Practices and suggested it would be unreasonable for them to comply with some aspects of the principles that, they believe, were intended for organizations that collect information directly from consumers. Nonetheless, we believe that analysis against a framework of the Fair Information Practices is important as a starting point to frame potential issues and facilitate informed discussion, and we suggest that Congress consider these issues in its deliberations.

    In conclusion, privacy is ultimately about striking a balance between competing interests. In this case, it is about balancing the value of reseller information as to important Government functions against the privacy rights of individuals. I look forward to participating in the discussion on how best to strike that balance.

    This concludes my statement. Thank you.

    [The prepared statement of Ms. Koontz follows:]



    Mr. CANNON. Thank you, Ms. Koontz.

    Ms. Cooney?


    Ms. COONEY. Thank you. Chairmen Cannon and Chabot, Ranking Members Watt and Nadler, and Members of the Subcommittees on Commercial and Administrative Law and the Constitution, it is an honor to testify before you today. Because this marks my very first appearance before the Subcommittee, I would like to offer a few biographical background notes.

    It is my honor to currently serve as the Acting Chief Privacy Officer for the Department of Homeland Security. I come to this position with 20 years of Federal service experience in risk management and compliance and enforcement activities as well as in consumer protection on global information privacy and security issues post-9/11. I was recruited from the Federal Trade Commission to join the Department of Homeland Security more than 2 years ago as Chief of Staff of the Privacy Office and Senior Adviser for International Privacy Policy.

    Since that time, it has been my privilege to help build the DHS Privacy Office with my colleagues and under the leadership of former Chief Privacy Officer Nuala O'Connor Kelly and Secretaries Chertoff and Ridge.

    I appreciate this opportunity to address the subject of personal information acquired by the Government from information resellers. The use of commercial data for homeland security involves complex issues that touch on privacy, program effectiveness, and operational efficiency. I commend the Government Accountability Office for undertaking their analysis, which will positively assist in informing privacy policy development.

    As my written statement points out, internally the primary oversight mechanism used by the Privacy Office for ensuring appropriate use of personal information regardless of its source is the privacy impact assessment, which is required to be used by section 208 of the E-Government Act of 2002 and section 222 of the Homeland Security Act.

    Privacy impact assessments, or PIAs as we call them, can be one of the most important instruments in establishing trust between the Department's operations and the public simply because they are generally very transparent. In fact, PIAs are fundamental at our Department in making privacy an operational element within the DHS family. Privacy impact assessments allow for the examination of privacy questions concerning a program or an information system's collection and use of information, including commercial reseller data.

    As mentioned in my colleague Ms. Koontz's testimony, the DHS Privacy Office has issued official guidance on the conduct of privacy impact assessments. Various sections of that guidance are particularly relevant to the subject matter of this hearing. I refer you to my written testimony on the details of that.

    I am a little concerned that we may run out of time, so one of the points that I would like to make is that in addition to privacy requirements under the Privacy Act of 1974, the privacy impact assessment process really augments the system of record notice provisions in the Privacy Act that provide for notice to the public about the types of information collected by the Government and the treatment of that information. The DHS Privacy Office reviews new systems of record notices to make sure that the presence of commercial data is made transparent if data is collected as a source of information in a system, and we are seeking to apply this to existing sources as well.

    The Privacy Office also has been part of a broad-based dialogue on the use of commercial data both within and outside of the Department. In September of 2005, we hosted a public workshop addressing privacy and technology, exploring the use of commercial data for homeland security. The workshop examined the policy, legal, and technology issues associated with the Government's use of commercial personally identifiable data for homeland security purposes.

    With input from the public workshop, the DHS Privacy Office is now in the process of drafting specific guidance for our Department on the use of commercial data. The guidance will address three broad categories of use: comparing data in commercial and Government databases, obtaining data from commercial sources for use in Government systems, and use of Government analytic tools on commercial databases.

    We will be hosting a meeting with our internal Privacy and Data Integrity Board made up of senior Department managers on April 11th to collaborate on this policy through a full and meaningful discussion of an appropriate framework for using commercial data.

    The Privacy Office also has been discussing commercial data issues with the DHS Data Privacy and Integrity Advisory Committee, our Federal advisory committee made up of U.S. citizens with expertise in privacy information technology, information security, and public policy.

    In October of 2005 the DHS Privacy Advisory Committee published a report on the use of commercial data to reduce false positives in screening programs, and the Committee's recommendations will be incorporated in our policy development.

    Thank you for inviting me, and thank you for your support of the DHS Privacy Office.

    [The prepared statement of Ms. Cooney follows:]


    Chairmen Cannon and Chabot, Ranking Members Watt and Nadler, and Members of the Subcommittees on Commercial and Administrative Law and the Constitution, it is an honor to testify before you today on the activities of the United States Department of Homeland Security, for which I am privileged to serve as the Acting Chief Privacy Officer.

    Thank you for inviting me to speak with you on the subject of personal information acquired by the government from information resellers.

    As you know, the DHS Chief Privacy Officer is the first statutorily required privacy officer in the Federal government. The responsibilities of the DHS Chief Privacy Officer are set forth in Section 222 of the Homeland Security Act of 2002. They include:

    assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection and disclosure of personal information;

    assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974;

    evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;

    conducting a privacy impact assessment of proposed rules of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected; and

    preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls and other matters.(see footnote 1)

    It is upon this statutory authority that the Chief Privacy Officer and the DHS Privacy Office review and approach the use of personal information by the Department, including the use of data from information resellers.

    The use of data from information resellers for homeland security involves complex issues that touch on privacy, program effectiveness and operational efficiency. There are many benefits to the government when commercial data is used responsibly. It can save time, it is often more precise, and is updated more quickly and, therefore, in certain circumstances, it could be more accurate and therefore have greater data integrity than other sources. At the same time, the government's use of commercial data must be transparent and appropriate. The DHS Privacy Office has been part of a broad based dialogue both within and outside of the Department on the use of commercial data.

    As noted by the Government Accountability Office (GAO), unless an information reseller is operating a System of Records specifically on behalf of a Federal agency, it is not subject to the provisions of the Privacy Act of 1974. However, the Privacy Act applies to Federal agencies that bring data from information resellers into a Federal System of Records. The Privacy Office exercises oversight over the way Departmental components access, use and maintain data obtained from information resellers as part of our responsibility to assure that Departmental systems operate in accordance with Section 222(b) of our authorizing statute—that information in DHS Systems of Records is handled in a manner consistent with the fair information practices principles set out in the Privacy Act.

    The main oversight mechanism used by the Privacy Office for information systems is the Privacy Impact Assessment (PIA). PIAs are fundamental in making privacy an operational element within the Department. Conducting PIAs demonstrates the Department's efforts to assess the privacy impact of utilizing new or changing information systems, including attention to mitigating privacy risks. Touching on the breadth of privacy issues, PIAs allow the examination of the privacy questions that may surround a program or system's collection of information, including commercial reseller data, as well as the system's overall development and deployment. When worked on early in the development process, PIAs provide an opportunity for program managers and system owners to build privacy protections into a program or system in the beginning. This avoids forcing the protections in at the end of the developmental cycle when remedies can be more difficult and costly to implement.

    With respect to the data types that are collected and their handling, the PIA process augments the Systems of Record Notice provisions in the Privacy Act that provide notice to the public about the types of information collected and its treatment. The PIA can be one of the most important instruments in establishing trust between the Department's operations and the public.

    In accordance with Section 208 of the E-Government Act of 2002 and OMB's implementing guidance, the Department of Homeland Security is required to perform PIAs whenever it procures new information technology systems or substantially modifies existing systems that contain personal information. Although the E-Government Act allows exceptions from the PIA requirement for national security systems, DHS is implementing Section 222 of the Homeland Security Act to require that all DHS systems, including national security systems, must undergo a PIA if they contain personal information. The Privacy Office has staff with security clearances that allow them to work with programs to assess the privacy impact of classified systems or systems that contain classified information. In cases where the publication of the PIA would be detrimental to national security, the PIA document may not be published or may be published in redacted form.

    Every PIA must address at least two issues:

    1. It must address the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and

    2. It must evaluate the protections and alternative processes for handling information to mitigate potential privacy risks.

    The Privacy Office has issued official guidance on the conduct of Privacy Impact Assessments. The most up-to-date version of the guidance is available at the DHS Privacy Office Web site at http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0511.xml. However, earlier versions of the guidance have been available internally to DHS for about two years, with initial guidance issued in February 2004.

    Various sections of the PIA guidance are particularly relevant to the subject matter of this hearing. First, the guidance states that the PIA requirement applies broadly to personally identifiable information rather than to a much narrower category of ''private'' information. If information can be connected with an individual, it is personally identifiable information, whether or not the information is private or secret. This is important because much of the information purchased from information resellers is either publicly available, e.g., addresses and telephone numbers, or is derived from public records.

    In addition, Section 1.2.2 of the guidance directs programs that use data from commercial data aggregators to state this fact and then to explain in Section 1.3 why data from this source is being used. Section 2.3.4 requires a statement about whether data obtained from commercial data aggregators is assessed for quality, and if so, what quality measures are used.

    Some products offered by information resellers permit users to ''ping'' resellers' databases either to obtain new information or to verify information in government databases. This ability to access information without bringing it into Federal systems raises the question about when information is actually ''collected'' by a government agency. It is DHS policy that any time information from an information reseller is used in a decision-making process, whether the decision involves correcting existing government information or obtaining new information, a PIA is required.

    In order to clarify specific issues related to the use of data from information resellers, the DHS Privacy Office is in the process of drafting specific guidance on the use of commercial data to complement the general PIA guidance. The guidance on the use of commercial data will apply specifically to the use of data from information resellers and will address three broad categories of use: comparing data in commercial and government databases, obtaining data from commercial sources for use in government systems; and use of government analytic tools on commercial databases. The guidance will specify when PIAs must be performed and what additional requirements might apply to programs that use data from commercial sources. We expect this guidance to be released as soon as it completes Departmental clearance, and would be happy to discuss it with you at that time.

    The DHS Privacy Office has been part of a broad-based national dialog on these issues. In September of 2005, the Privacy Office held a public workshop on the use of commercial data for homeland security. The objective of the workshop was to look at the policy, legal, and technology issues associated with the government's use of commercial personally identifiable data in homeland security. A broad range of experts, including representatives from government, academia, and business participated in the panel discussions. The panels addressed how government agencies are using commercial data to aid in homeland security; the legal issues raised by the government's use of commercial data, particularly the applicability of the Privacy Act; current and developing technologies that can aid the government in data analysis; ways in which technology can help protect individual privacy while enabling government agencies to analyze data; and ways to build privacy protections into the government's use of commercial data. At the end of each panel, the audience was given an opportunity to address questions to the panelists. The full transcript of the Workshop is available at www.dhs.gov/privacy. A report summarizing the workshop is attached.

    The Privacy Office has also been working with the DHS Data Privacy and Integrity Advisory Committee (DPIAC) on issues related to the use of commercial data. In October 2005, the DPIAC published a report on the use of commercial data to reduce false positives in screening programs. The report is available on the DHS Privacy Office Web site at http://www.dhs.gov/interweb/assetlibrary/privacy_advcom_rpt_1streport.pdf. The Committee recommends that commercial data be used for screening programs only when:

 It is necessary to satisfy a defined purpose

 The minimization principle is used

 Data quality issues are analyzed and satisfactorily resolved

 Access to the data is tightly controlled

 The potential harm to the individual from a false positive misidentification is substantial

 Use for secondary purposes is tightly controlled

 Transfer to third parties is carefully managed

 Robust security measures are employed

 The data are retained only for the minimum necessary period of time

 Transparency and oversight are provided

 The restrictions of the Privacy Act are applied, regardless of whether an exemption may apply

 Simple and effective redress is provided

 Less invasive alternatives are exhausted

    The Committee is now working on a broader report that addresses the use of commercial data in applications beyond screening. We are using the work of the DPIAC to help inform our work on guidance for the Department.

    We are living through a time of tremendous change as more and more personal information becomes electronic. In electronic form such information is more easily collected, analyzed and used for various purposes and serves as a basis for decision-making in personal, social, political and economic spheres. It is the goal of the DHS Privacy Office to ensure that commercial information used by the Department in the performance of its mission is used responsibly and with respect for individuals' legitimate expectations of privacy. We look forward to working with the Committee and everyone involved on these important issues.

    Thank you.

    Mr. CANNON. We are thrilled how well you all have done in that office.

    Ms. COONEY. Thank you.

    Mr. CANNON. It has been a great model for what we have done otherwise, what we hope to do still.

    Professor Swire, you are recognized for 5 minutes.


    Mr. SWIRE. Thank you, Mr. Chairman, and thank you to the Committee for the invitation to participate today. And I express my appreciation for the leadership this Committee has shown, including in creating the Chief Privacy Officer office that we have just heard the impressive discussion from Ms. Cooney.

    In my written testimony, I give a little bit of the history of this topic. In 1974, when the Privacy Act was passed, the most important databases were primarily Government databases, like IRS or Social Security. Today, by contrast, the databases are dominated by private-sector databases. That is where the records are. So the big question is how do we update our laws and practices to this new reality.

    The overall theme of my testimony is that we are still early on the learning curve about how to incorporate private databases into public agency activities. My written testimony gives some comments on the GAO report and the Fair Information Practices, but I highlight four recommendations.

    First, because Federal agencies make such important decisions based on the data, we must have accurate data and we have to have effective ways to get redress when mistakes inevitably do occur.

    Second, new mechanisms of accountability are likely needed as agencies rely more and more on these private-sector records. There should be expanded use of privacy impact assessments, perhaps along the line of Chairman Chabot's bill, and there are other steps that I will go into.

    Third, greater expertise and leadership is needed in the executive branch at the highest levels on privacy issues, including policy leadership from the Executive Office of the President. The lack of such leadership on privacy, I believe, has led to significant and avoidable problems.

    Fourth, as we continue along the learning curve, it is important to merge today's discussion about privacy with the discussions about information sharing in the war on terror, and I suggest a National Academy of Sciences study on privacy and information sharing might be useful.

    Let me turn to a couple of things in more detail.

    In order to think about accuracy of data over time, I think it makes sense for the Government to test and audit the accuracy of data, at least selectively, at the time that we purchase the data. S. 1789, the data breach bill that has been passed by the Senate Judiciary Committee, calls for audits like this as new Government contracts are formed. I think that might help us get a sense of where the accuracy is and isn't.

    However accurate data is on the front end, though, we are going to have issues on the back end. We are going to have mistakes that get made. Many people on the Committee likely know about the troubles that Senator Kennedy or Congressman Lewis have had getting off watch lists. Last month, Senator Ted Stevens of Alaska told the story about his wife, which I hadn't heard about until I was researching this. Apparently, she was having great trouble getting on airplanes. Her first name is Catherine, the nickname for that is ''Cat,'' and they had her down as Cat Stevens and she was having trouble getting on airplanes.

    Now, if it is tough for Senators, including quite powerful Senators, to get their family members off of watch lists, it suggests there are issues for all 300 million Americans. So how we do redress is something to really think about going forward.

    In the testimony I discuss some of the other accountability mechanisms—privacy impact assessments and the rest—that I think can be considered and cites to legislation that does some of this.

    I would like to turn to the question of the structure of privacy protection in the executive branch. Step one has been creation by your Committee of the Chief Privacy Officer in Homeland Security and now elsewhere, and I was pleased to get to testify on that in 2002 before your Committee when that was set up. In 2004, Congress created the Privacy and Civil Liberties Board for intelligence activities only. But the gap is for the rest, which is where a lot of commercial data is used. There is no White House leadership, there is no policy official who is on the job there. One recent example, I think, illustrates the need to have a policy official looking at these issues up front and correcting problems.

    You might have seen press reports about 2 weeks ago that the IRS has a proposed rule now to allow tax preparation companies, for the first time, to sell people's tax records or even to give them away to people with no limits on how they then get resold or redisclosed. It would be legal under this, if I sign my name for my company, to put my tax records up on the Internet. It is supposed to be done with consent, but, you know, when you sign your tax forms, you sign in about 27 places and maybe you missed this one. And suddenly you have consented to sale of your tax records.

    Now, when I worked at OMB, my office reviewed proposals such as this. We got it before it became policy. I think we would have noticed the lack of limits on redisclosure and resale. And I don't think the rule would have gone forward the way it did. If such a mistake had happened, I think we would have moved to correct it. But now this rule may be going final, and without a White House ability currently to spot and correct such mistakes, privacy problems, I think, turn out to be worse than they ought to be. So I think continued steps toward leadership on privacy in the executive branch are called for.

    The last point I want to make in my testimony is we have hearings on information sharing, how we have to use the data to fight terrorism, and we have hearings on privacy, how we have to stop uses of data that might lead to identity theft and the rest. I think we probably need to bring those two things together. One way to do that might be a National Academy of Sciences study on the two that would involve commercial databases but also how to do privacy and information sharing. I have been working on this in my own research. I think it is a big issue that a lot of people should come together to examine. So I suggest that as one possible thing for your Committee to consider.

    Thank you, and I look forward to questions.

    [The prepared statement of Mr. Swire follows:]


[Note: Image(s) not available in this format. See PDF version of this file.]

    Mr. CANNON. Thank you, Professor.

    Mr. Pratt?


    Mr. PRATT. Chairmen Cannon and Chabot, Ranking Members Watt and Nadler, Members of the Committees, thank you for this opportunity to appear before you today.

    We are here to discuss the GAO's report regarding Government uses of data and some concerns that we do have with regard to that report, that we hope will inform your thinking here as the Committee.

    First, while the report does survey governmental uses of our members' systems, it does not discuss the value and effectiveness of them. Government agencies are faced with extraordinary challenges in accomplishing their missions. Consider just a few examples of those: preventing money laundering and terrorist financing, enforcing child support orders, locating missing and exploited children, researching fugitives, researching assets held by individuals of interest, witness location, entitlement fraud, background screening for national security investigations, and disaster assistance, as was mentioned.

    A real-world example of how these systems work, a public record provider can provide for as little as $25 a search of 100 million criminal records in order for that to be done. Otherwise, you would have to spend approximately $48,000 and it would take days, if not weeks, to accomplish the same search.

    These are just one of a number of examples we include in our written testimony of the direct value of data products that our members produce.

    We do have other concerns with the report beyond its lack of an adequate description of the value of our members' services. First, the report does not help the reader understand the breadth of the application of Federal laws to data products used by Government agencies today. The report lists laws, but it relegates an incomplete discussion of their requirements to an appendix. Chairman Chabot mentioned several of these laws. There is one that is not acknowledged directly in the report, and that is that the FTC Act, section 5, also applies to data practices and it does include enforcement actions relative to privacy notices as well as to the security of sensitive personal information.

    One such law, the Fair Credit Reporting Act, applies to the public sector equally as it does to the private sector, and thus all decisions where there is a determination of a consumer's eligibility such as approval or denial are made, extensive rights are accorded to that consumer under this statute. This is just one of many Federal statutes that need to be considered in the context of this discussion today.

    The GAO report does commingle a variety of different business models under a single uniform ''information reseller'' term and then attempts to monolithically apply the OECD privacy guidelines across every business model and every product. In doing so, we think they make a mistake in thinking that Fair Information Practices frameworks can operate as a one-size-fits-all yardstick. We disagree, and the guidelines themselves caution against such an approach. In fact, they state that the application of the guidelines should be considered in the context of different categories of personal information, different protective measures to be applied, depending on their nature and the context in which they are collected, stored, processed, and disseminated. We don't think that the GAO fully adhered to this OECD guidance itself, and there are certainly other privacy guidelines that are more contemporary than those of the OECD that were produced back in 1980.

    Again, the implication of the GAO's report is that congressional oversight was also incomplete and that its review of the industry sector's uses of personal information was insufficient. We disagree. The GAO does not properly account for the system, for example, of public records in this country and the inapplicability of many of the privacy principles to such public records.

    Just a couple of examples of how the actual privacy principles would or wouldn't apply.

    Consumer consent. If consumers had the ability to consent or to control data that would go into a fraud prevention tool, criminals could simply prohibit the kind of information we use to stop identity theft.

    Data quality. If a consumer could—if we applied data quality to the principle of public records in the way that we would under the Fair Credit Reporting Act, we probably couldn't aggregate a system of criminal histories in this country the way that we do today.

    Use limitations. How would you apply a use limitation concept to criminal histories or other types of public records—records of eviction, professional licensing—used for background screening in the way that we do today?

    Access and correction. If we allow all types of databases to be tied to an access and correction standard, then we are allowing a fraudster to have access to a fraud prevention system, and not only to do so but then to correct the information that is used to prevent the very fraud which they are going to attempt to commit.

    The GAO report states in its conclusion that, Given that reseller data may be used for many purposes that could affect an individual's livelihood and rights, ensuring that individuals have appropriate degrees of control or influence over the way in which their personal information is obtained and used—as envisioned in the Fair Information Practices—is critical.

    I don't know that we disagree with that, but we disagree with the application of the principles, as we have discussed in our testimony. A one-size-fits-all approach simply can't work for all types of data systems that we have discussed. We also don't think that the OECD guidelines should be used as an overlay for all of the Federal laws that do today regulate various aspects of personal information that are used in our society today.

    With that, we thank you for this opportunity to testify and we welcome your questions.

    [The prepared statement of Mr. Pratt follows:]


    Chairmen Cannon and Chabot, Ranking members Watt and Nadler, and members of the committees, thank you for this opportunity to appear before you today. For the record, my name is Stuart Pratt and I am president and CEO of the Consumer Data Industry Association.(see footnote 2) Our members appreciate this opportunity to discuss our serious concerns with basic premises which underlie and methodologies employed in drafting the report written by the General Accountability Office (GAO) regarding the government's use of data provided by consumer data companies.(see footnote 3)


    CDIA's members are the leading companies producing consumer data products and services for both the private and public sector markets. The GAO report surveys governmental uses of our members' systems, but leaves the reader with a less than complete perspective on the value and effectiveness of such services. Consider the following examples of governmental uses of our members' products and services:

 Preventing money laundering and terrorist financing through investigative tools.

 Enforcing child support orders through the use of sophisticated location tools.(see footnote 4)

 Assisting law enforcement and private agencies which locate missing and exploited children through location tools.

 Researching fugitives, assets held by individuals of interest through the use of investigative tools which allow law enforcement agencies to tie together disparate data on given individuals and thus to effectively target manpower resources.

 Witness location through use of location tools.

 Entitlement fraud prevention, eligibility determinations, and identity verification through fraud prevention data matching and analytical products.

 Background screening for employment and security clearances.

 Disaster assistance.

    Homeland security, law enforcement and entitlement program management are all faced with extraordinary challenges in accomplishing their missions. The GAO's report does not properly set the stage for understanding how difficult it is to accomplish their missions. Consider the facts regarding simply identity verification:

Personal identifiers change:

    While it probably doesn't occur to most of us, the identifiers we use in everyday life do change and more often than most might think. For example, data from the U.S. Postal Service and the U.S. Census confirm that over 40 million addresses change every year. More than three million last names change due to marriage and divorce. While trends in naming conventions are changing, this fact is still far more often true for women than men.

We use our identifiers inconsistently:

    It is a fact that we use our identifiers inconsistently for a wide variety of reasons. First, many citizens choose to use nicknames rather than a given name. However, there are times where, in official transactions, a full name is required. Some consumers, when hurried, use an initial coupled with a last name, rather than their full name or nickname. Consumers are also inconsistent in the use of generational designations (e.g., III, or Sr.). Finally, there are times where consumers themselves do make mistakes when completing applications, such as transposing a digit in an SSN. Thus, a consumer's identifiers may be presented in different ways in different databases and, in some cases, the data may be partially incorrect.

Personal identifiers are not always unique:

    We think of our names as a very personal part of who we are. However, our names are less uncommon and unique than we might think. For example, families carry forward family naming conventions leading to some consumers sharing entirely the same name. Further, U.S. Census data shows that both first and last names are, in some cases, amazingly common. Fully 2.5 million consumers share the last name Smith. Another 3 million share the name Jones and more than thirteen million consumers have one of ten common last names. First names are also used very commonly leading to common naming combinations. Eight million males have either the name James or John and a total of 57 million males have one of ten common first names. An additional 26 million females have one of ten common first names. Common naming conventions make it more difficult and in some cases impossible to depend on name alone to properly match consumer data.

Identifiers are shared:

    Our birthday is a unique day in our lives, but it is, nonetheless, a date shared with hundreds of thousands of others. Date of birth alone is not an effective identifier. Family members who live together end up sharing addresses and per our discussion above, where consumers share the same name due to family traditions and the address at which they live, distinguishing one consumer from another is complex.

Data entry errors do happen:

    Hundreds of millions of applications for credit, insurance, cellular phone services, and more are processed every year. There is no doubt that in the process of entering a consumer's identifying information errors can be made which carry forward into databases and into the reporting of data to consumer reporting agencies.

We do not always update our records:

    Consumers don't always remember to update records when they move or when portions of their personal identifying information change. For example, consumers are permitted to change their social security number under certain circumstances in addition to officially changing their names and while the percentage of consumers who take these steps is small relative to the U.S. population, such changes do affect data matching systems. It is important to know that some consumers try to separate themselves from their records on purpose and apply with the SSA for employer ID numbers (EINs) to use in lieu of their SSNs.(see footnote 5) A non-custodial parent who does not want to pay child support might employ such tactics in order to avoid being located and forced to fulfill a court order. A consumer who does not want to take responsibility for their mismanagement of credit and hopes, by using new identifying information, to separate himself/herself from a credit report is another example. Clearly fugitives are another example of a type of person who will employ tactics to try and separate themselves from their histories.

    These facts about our identifying information demonstrate how challenging it is to match records with individuals and why the products, tools and services of our members are in such high demand.

    Let's now consider what government representatives themselves have said about the value they derive from the use of consumer reporting agencies and other consumer data companies. On September 8, 2005, the Department of Homeland Security held a workshop which explored its use of commercial data. This public meeting brought forward important input which informs the record of this hearing.

    Regarding identity verification, Grace Mastalli, Principal Deputy Director for the Information Sharing and Collaboration Program in DHS stated the following regarding the value of CDIA member services: ''There are people without prescriptions, without driver's licenses, and it the commercial data sources, in many instances right now, that are facilitating not just placing people, but verifying their identities to the claims . . .we get to make sure that entitlements go to individuals who deserve them.''

    Regarding how our members' systems contribute to the accuracy of governmental systems, Mastalli indicated that ''we have sometimes used commercial data, not just to support identity authentication, but to assure the integrity of government data, and the accuracy of government data. Unfortunately, in many respects, the commercial enterprises have done better jobs of organizing and, what I call 'cleaning' data to eliminate errors in data.''

    Mr. Jeff Ross, senior advisor in the area of money laundering and terrorist financing, in the Office of Terrorist Financing and Financial Crime at the Department of Treasury, also participated in this DHS workshop. He pointed out that many crimes have a financial aspect to them including narcotics trafficking, public corruption, terrorist financing, and organized crime in general. His comments help explain the investigative research value of CDIA member tools where he states ''so commercial data bases are very important to us in law enforcement area to be used proactively . . . we have targets and need information, where you are trying, also, to find a specific individual or entity that should be involved . . . who could also be potential witnesses in a case.''

    Mastalli provided a very concrete example of how the sophistication of private-sector data matching tools contributes to efficient use of governmental law enforcement agents. She noted that ''. . . commercial database providers provide accurate data—often more accurate than some that we have, because they spend the time cleaning it and verifying it and have matching capabilities that we in government have not yet invested in to eliminate the 17 instances of an individual who has a phonetically spelled name being recorded as 17 people instead of one.''

    She goes on to explain that government cannot always anticipate what data might be of value to a particular investigation. Mastalli provided the following scenario: ''One extremely well-known law enforcement intelligence example from immediately post 9/11 was when there was a now well-publicized threat . . . that there might be cells of terrorists training for scuba diving underwater bombing, similar to those that trained for 9/11 to fly—but not land—planes. How does the government best acquire that? The FBI applied the standard shoe-leather approach—spent millions of dollars sending out every agent in every office in the country to identify certified scuba training schools. The alternative could and should have been for the Federal government to be able to buy that data for a couple of hundred dollars from a commercial provider, and to use that baseline and law enforcement resources, starting with the commercial baseline. One of the issues here is that, other than the name of the owner or manager of scuba diving schools, there was no personally identifiable data.''

    To further the point regarding the value of commercial data our members supply, consider the following two examples:

Example 1:

    In this example we learn how the aggregation of public records creates low-cost research efficiencies that ensure that ''shoe leather'' investigations conducted by highly trained personnel are truly targeted and results-focused. One commercial database provider charges just $25 for an instant comprehensive search of multiple criminal record sources, including fugitive files, state and county criminal record repositories, proprietary criminal record information, and prison, parole and release files, representing more than 100 million criminal records across the United States.(see footnote 6) In contrast, an in-person, local search of one local courthouse for felony and misdemeanor records takes 3 business days and costs $16 plus courthouse fees.(see footnote 7) An in-person search of every county courthouse would cost $48,544 (3,034 county governments times $16). Similarly, a state sexual offender search costs just $9 and includes states that do not provide online registries of sexual offenders. An in-person search of sexual offender records in all 50 states would cost $800.(see footnote 8)

Example 2:

    While this next example is drawn from the private sector, it helps illustrate how fraud prevention and identity verification services reduce fraud and is analogous to the value of such systems when used by the government, as well. A national credit card issuer reports that they approve more than 19 million applications for credit every year. In fact they process more than 90,000 applications every day, with an approval rate of approximately sixty percent. This creditor reports that they identify one fraudulent account for every 1,613 applications approved. This means that the tools our members provided were preventing fraud in more than 99.9 percent of the transactions processed.

    The GAO paper should have done more to speak to the value of the commercially available data and analytical tools our members provide and not merely to provide an accounting of governmental uses. We hope that the above discussion will inform this hearing record and set a more complete context for these committees' future deliberations.


    Now having an appropriate context for truly understanding the value that our members' services bring to both the public and private sectors, I would like to discuss serious concerns we have with the GAO's presentation of current Federal laws and how they regulate our members' practices as well as their attempt to apply the 1980 Organization for Economic Development (OECD) privacy guidelines to the practices of ''information resellers.'' We believe that a thorough understanding of the decades of congressional oversight and action is essential to today's hearing.

The State of Current Federal Laws

    The United States is on the forefront of establishing sector-specific and enforceable laws regulating uses of personal information of many types. The GAO does provide an accounting of some of these Acts on page 18 of their draft report. Their accounting includes the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.),(see footnote 9) the Gramm-Leach-Bliley Act (Pub. L. 106–102, Title V), the Health Insurance Portability and Accountability Act (Pub. L. 104–191), and the Drivers Privacy Protection Act (18 U.S.C. 2721 et seq.).

    While the GAO relegates their discussion of statutory requirements to Appendix II of the draft report, we believe that such a discussion is essential and that it should have been included in the body of the report. In doing so, the GAO would have provided readers with a better one-to-one understanding of the operation of current laws in contrast with their views of the application of OECD guidelines to US information practices.(see footnote 10) For example, it is important to note that, predating the Privacy Act of 1974 (and OMB implementing guidelines therein), the OECD Guidelines of 1980 and the Gramm-Leach-Bliley Act of 1999 (and implementing regulations therein), the E-Government Act of 2002 and the Federal Information Security Management Act of 2002, was enactment of the Fair Credit Reporting Act in 1970. Equally important is understanding the breadth of the application of this law in particular and thus why a discussion of consumer data companies in general should not be commingled with a discussion of the practices of consumer reporting agencies.

    The FCRA applies to both the private and public sectors and thus is extremely relevant to today's discussion. It has been the focus of careful oversight by the Congress resulting in significant changes in both 1996(see footnote 11) and again in 2003.(see footnote 12) There is no other law that is so current in ensuring consumer rights and protections are adequate.(see footnote 13)

    Key to understanding the role of the FCRA is the fact that it regulates any use of personal information (whether obtained from a public or private source) defined as a consumer report. A consumer report is defined as data which is gathered and shared with a third party for a determination of a consumer's eligibility for enumerated permissible purposes.

    This concept of an eligibility test is a key to understanding how Federal laws regulate personal information. The United States has a law which makes clear that any third-party supplied data that is used to accept or deny, for example, my application for a government entitlement, employment,(see footnote 14) credit (e.g., student loans), insurance, and any other transaction initiated by the consumer where there is a legitimate business need. The breadth of the application of the FCRA to how data is used to include or exclude a consumer is enormous. Again, this law applies equally to governmental uses and not merely to the private sector.

    Because personal information about consumers is used for decisions to accept or deny access to a consumer, they have fundamental rights which the GAO report does not discuss in any depth and which demonstrate why it is inappropriate to attempt to overlay a discussion of OECD privacy guidelines with this statute. Consider the following:

 The right of access—consumers may request at any time a disclosure of all information in their file at the time of the request. This right is enhanced by requirements that the cost of such disclosure must be free under a variety of circumstances including where there is suspected fraud, where a consumer is unemployed and seeking employment, or where a consumer is receiving public assistance and thus would not have the means to pay. Note that the right of access is absolute since the term file is defined in the FCRA and it includes the base information from which a consumer report is produced.

 The right of correction—a consumer may dispute any information in the file. The right of dispute is absolute and no fee may be charged.

 The right to know who has seen or reviewed information in the consumer's file—as part of the right of access, a consumer must see all ''inquiries'' made to the file and these inquiries include the trade name of the consumer and upon request, a disclosure of contact information, if available, for any inquirer to the consumer's file.

 The right to deny use of the file except for transactions initiated by the consumer—consumers have the right to opt out of non-initiated transactions, such as a mailed offer for a new credit card.

 The right to be notified when a consumer report has been used to take an adverse action—This right ensures that I can act on all of the other rights enumerated above.

 Beyond the rights discussed above, with every disclosure of a file, consumers receive a notice providing a complete listing of all consumer rights. A separate GAO report produced as a result of the FACT Act indicated that in a single year, perhaps 50 million consumers see their files and receive these notices.

 Finally, all such products are regulated for accuracy with a ''reasonable procedures to ensure maximum possible accuracy'' standard. Further all sources which provide data to consumer reporting agencies must also adhere to a standard of accuracy which, as a result of the FACT Act, now includes new rulemaking powers for the FTC and functional bank regulators.

    The GAO report does not attempt to describe the delivery of products regulated under the FCRA and thus fails to properly inform the reader of the concomitant rights accorded in all of these cases. Every CDIA member mentioned in this report is operating, in part and sometimes solely as a consumer reporting agency. Therefore, in every case where products sold to governmental agencies were used for a determination of a consumer's eligibility, they were regulated by the FCRA with all of the rights discussed above. The GAO's report should have acknowledged this fact and discussed uses of consumer reports separately from other data products.

    Not all consumer data products are used for eligibility determinations regulated by the FCRA. Congress has applied different standards of protection that are appropriate to the use, the sensitivity of the data, etc. Our members produce and sell a range of fraud prevention and location products which are governed by other laws such as GLB.

    Fraud prevention systems deploy a diversity of strategies. In 2004 alone, businesses conducted more than 2.6 billion searches to check for fraudulent transactions. As the fraud problem has grown, industry has been forced to increase the complexity and sophistication of the fraud detection tools they use.

    Fraud detection tools are also known as Reference, Verification and Information services or RVI services. RVI services are used not only to identify fraud, but also to locate and verify information for public and private sector uses. While fraud detection tools may differ, there are four key models used.

 Fraud databases—check for possible suspicious elements of customer information. These databases include past identities and records that have been used in known frauds or are on terrorist watch lists, suspect phone numbers or addresses, and records of inconsistent issue dates of SSNs and the given birth years.

 Identity verification products—crosscheck for consistency in identifying information supplied by the consumer by utilizing other sources of known data about the consumer. Identity thieves must change pieces of information in their victim's files to avoid alerting others of their presence. Inconsistencies in name, address, or SSN associated with a name raise suspicions of possible fraud.

 Quantitative fraud prediction models—calculate fraud scores that predict the likelihood an application or proposed transaction is fraudulent. The power of these models is their ability to assess the cumulative significance of small inconsistencies or problems that may appear insignificant in isolation.

 Identity element approaches—use the analysis of pooled applications and other data to detect anomalies in typical business activity to identify potential fraudulent activity. These tools generally use anonymous consumer information to create macro-models of applications or credit card usage that deviates from normal information or spending patterns, as well as a series of applications with a common work number or address but under different names, or even the identification and further attention to geographical areas where there are spikes in what may be fraudulent activity.

Who uses Fraud Detection Tools?

    The largest users of fraud detection tools are financial businesses, accounting for approximately 78 percent of all users. However, there are many non-financial business uses for fraud detection tools. Users include:

 Governmental agencies—Fraud detection tools are used by the IRS to locate assets of tax evaders, state agencies to find individuals who owe child support, law enforcement to assist in investigations, and by various federal and state agencies for employment background checks.

 Private use—Journalists use fraud detection services to locate sources, attorneys to find witnesses, and individuals use them to do background checks on childcare providers.

Location services and products

    CDIA's members are also the leading location services providers in the United States. These services, which help locate individuals, are a key business-to-business tool that creates great value for consumers and business alike. Locator services depend on a variety of matching elements, but again, a key is the SSN. Consider the following examples of location service uses:

 There were 5.5 million location searches conducted by child support enforcement agencies to enforce court orders. Access to SSNs dramatically increases the ability of child support enforcement agencies to locate non-custodial, delinquent parents (often reported in the news with the moniker ''deadbeat dads''). For example, the Financial Institution Data Match program required by the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (PL 104–193) led to the location of 700,000 delinquent individuals being linked to accounts worth nearly $2.5 billion.

 There were 378 million location searches used to enforce contractual obligations to pay debts.

 Tens of millions of searches were conducted by pension funds (location of beneficiaries), lawyers (witness location), blood donors organizations, as well as by organizations focused on missing and exploited children.

    Clearly location services bring great benefit to consumers, governmental agencies and to businesses of all sizes.


    As discussed above, part of our concern with the GAO's report is that it commingles a variety of different business models under a single term ''information reseller'' and in doing so the report also commingles data products which are regulated under different Federal laws. For example, CDIA's members which are operating as consumer reporting agencies should not be discussed in the report as though they are not in fact highly regulated businesses. Similarly, CDIA's members which are defined as ''financial institutions'' under GLB are also highly regulated with regard to how information is to be used (see Section 502(e)) as well as through extensive federal agency rules prescribing how such information should be secured.

    By employing the term ''information reseller'' readers are left with the wrong impression that such a term may exist in law or that it is possible to consider the multiplicity of different business models (and products produced therein) that make up the consumer data industry as a single type of entity and one that, in the eyes of the GAO, is not highly regulated. It is exceedingly difficult, if not impossible, to make meaningful statements which have the breadth of those often made in the draft report regarding the practices of many different types of business models delivering different products and services. Finally, we also strongly disagree with the paper's attempt to simplify a discussion of our members' businesses which are in fact highly regulated under a variety of sector-specific laws by attempting to apply a set of OECD guidelines as though there are not laws which were thoroughly debated by the Congress over the years and which are mature and protective of consumers today.


    Let me amplify on our concerns regarding how the GAO has attempted to apply the 1980 OECD privacy guidelines as a scorecard against which to evaluate the practices of CDIA members. Due to the GAO's mistaken assumptions about the breadth of the application of current laws, the GAO also makes the mistake of thinking that a fair information practices framework can operate as a one-size-fits-all yardstick. We disagree for a variety of reasons.

    First, we are concerned about how the GAO attempted to make use of the guidelines. Let us consider what the OECD said about their own guidelines:

These Guidelines should not be interpreted as preventing:

a) the application, to different categories of personal data, of different protective measures depending upon their nature and the context in which they are collected, stored, processed or disseminated;

    Further to the question of how privacy guidelines are to be used, in the 1977 Report of the U.S. Privacy Protection Commission it was noted that ''[P]rivacy, both as a societal value and as an individual interest, does not and cannot exist in a vacuum. . . . [T]he privacy protections afforded [to societal relationships] must be balanced against other significant values and interests.'' It is very common to find such statements associated with guidelines because they are not considered to be definitive rules with equal applicability to all data flows. We do not believe that the GAO's report adheres to this guidance provided by the authors of the OECD guidelines themselves or fully accounts for the U.S. Privacy Commission's admonition regarding how to apply guidelines.

    Second, the GAO suggests, not purposefully, of course, but by omission that there is a single global opinion regarding which set of guiding principles is preeminent. To the contrary, consider the following:

 The 1973 HEW Report contains 5 principles.

 The 1980 OECD Guidelines contain 8 principles.

 The 1995 EU Data Protection Directive contains 11 principles.

 The 2000 FTC Report on Online Privacy contains 4 principles; and

 The 2004 APEC Privacy Framework contains 9 principles.

    Each framework has to be applied with care and not monolithically across all data uses however different they may be in terms of risk, use, content and so on. The GAO does not explain why a particular set of principles was chosen and as previously stated, we believe that the GAO's methodology by which the OECD principles were applied is flawed.

    Third, as discussed above, there is an extraordinarily thorough record of congressional oversight of various industry sectors' uses of personal information. The U.S. has chosen a sector-specific structure to consumer data laws which ensures regulatory structures which are both appropriate to the data and which can be effectively enforced. Sector-specific laws and regulations exist today because of such oversight and due to the expertise of different committees overseeing different aspects of American business. The GAO, by implication and likely unintentionally, implies to the reader that all such oversight was incomplete and that a single evaluative standard is the right approach to analyzing our members' business models and products. This, however, is a very fundamental flaw in the GAO's approach. Sector specific laws ensure that they are tailored to the industries, to the uses of data and to the risks involved. How healthcare data (i.e., HIPAA) is regulated is inevitably different than how one might regulate a telephone number (i.e., Do Not Call). Ultimately, tailored laws and regulations ensure that consumers are protected, but also are empowered by the data about them.

    Fourth, the GAO's one-size-fits-all approach to applying the OECD guidelines ignores a fundamental bifurcation that exists with regard to information use and that is the difference between consumer data products used for eligibility determinations and those which are not. A fraud prevention product, for example does not end a transaction, but provides a user with a ''caution flag'' which encourages the user to take additional steps to further authenticate a person's identity. As discussed above, where data is provided by our members for eligibility determinations such as employment or credit, the FCRA already provides a robust set of rights and protections for consumers. Regulation of consumer data where it is used for eligibility determinations is different than regulating consumer data used for fraud prevention or investigative location tool used by law enforcement. By not accounting for this essential bifurcation in uses, application of the OECD guidelines leaves readers with the wrong impression about how good data protection laws should operate.

    Fifth, the GAO does not properly account for the system of public records which exists in our country and which has been considered a key pillar in the success of our democracy. Unlike other nations, our government cannot withhold information about us from us. Governmental transparency is achieved through open records and freedom of information acts at the state and federal levels. The application of many aspects of any one of a number of principles works against a system that has been in place since the early days of our country's existence. The GAO's report does readers a disservice by not discussing the unique nature of public records and by attempting to apply the OECD guidelines to this system of records.

    To amplify on our general concern about the GAO's approach to applying OECD guidelines, let's now consider some specific illustrative examples.

Consumer Consent

    The report states that ''[r]esellers generally do not adhere to the principle that, where appropriate, information should be collected with the knowledge and consent of the individual.''(see footnote 15) The reader is left with the wrong impression regarding the practices of our members, the laws which currently regulate them and the appropriate application of a consent standard. For example, the GAO does not attempt to apply a consent-based standard on a product specific basis or even a business-model-specific basis, which is an inherent flaw in their methodology. If one were to apply such a standard to, for example, consumer credit reports, then the result would be to give consumers the ability to pick and choose which creditors' data would be reported to a credit bureau. Consumers could allow creditors they intend to pay on time to report and could prohibit from reporting those that they don't intend to pay on time or at all. The result would be to turn the nation's credit reporting system on its head and to affect the fundamental safety and soundness principle upon which our banking system has operated since the days of the Great Depression. In 1970, Congress recognized the inapplicability of this fair information practices concept since it would essentially work against the fundamental premise of data acting as an independent affirmation of a consumer's own willingness to pay, or otherwise qualify for a benefit. In a second example, of what value would an identity verification tool be if consumers who intend to commit fraud can decide which data will or won't be used? A third example involves public records. How does one apply a consent standard to records which are in the public domain? Through these examples, it is clear that consent is not a universal concept which can be applied to all data flows.

Data Quality

    The title of the data quality discussion is ''Information Resellers Do Not Ensure the Accuracy of Personal Information They Provide.'' This is misleading. As discussed above, CDIA's members are committed to the quality of information they collect. Further, in all cases where the data is used to produce a consumer report used for an eligibility decision, the standard for accuracy is found in the FCRA.(see footnote 16) It is a standard that has been in place since 1970 (and amended extensively in both 1996 and again in 2003) and which applies to eligibility decisions such as applications for insurance, employment, government entitlements or credit. The GAO report does not properly acknowledge this fact or the breadth of the application of FCRA to consumer data transactions involving consumer reporting agencies. However, applying an accuracy standard to an investigative product used to locate individuals makes little sense. These location services are predicated on possible connections between addresses, names, etc., which are then followed up with direct contacts by law enforcement agents or collection agencies, for example. Location services are certainly high quality services and often are very precise, but since these products are not used to make an eligibility determination (e.g., job, credit) they are not regulated in the same way. This said, the quotes included in this testimony regarding the high quality of consumer data products purchased by law enforcement or counterterrorism agencies (81% of users according to the GAO) speak for themselves. Like consumer consent, the concept of data quality cannot be applied in the same manner to each consumer data product as is implied by the GAO's methodology.

Use Limitations

    The GAO report states that ''[r]esellers do not generally limit the use of information beyond those limitations required by law.'' It is not clear what the GAO intends by this, but in fact both Title V of GLB and Section 604 of the FCRA do, for example, impose significant limitations on the use of nonpublic personal information and consumer reports respectively. The GAO's report does not acknowledge these use limitations in the context of their discussion. Further, the GAO does not state that use limitations cannot apply to public records which are not gathered for purposes under the FCRA, since such records are generally available to the general public directly from Federal, state and local agencies and courts. This said, the Driver's Privacy Protection Act does impose use limitations on records coming from state motor vehicle agencies. The draft report also states that ''[w]ithout limiting use to predefined purposes, resellers cannot provide individuals with assurance that their information will only be accessed and used for identified purposes.'' This criticism of the system of laws and contract is without basis. We have discussed the extent of the laws which impose a variety of use limitations, and, as evidenced by the GLB's service provider requirements (in effect since 2001) and HIPAA's business associate requirements (in effect since 2003), the concept of using contracts to limit use is an entirely appropriate system for consumer data companies. In fact many laws which restrict uses of information also require that certifications through contracts be obtained.

Access and Correction

    CDIA's members when operating as consumer reporting agencies provide full access and a right of correction for all consumer reports. Consumer reports are used for eligibility determinations and thus our members fully agree with the application of this principle. However the application of an access and correction principle applied to a fraud prevention and location data base would result in empowering criminals to delete information that is used for pattern analysis and other analytics which help in linking suspects or key pieces of information necessary to stop fraud or to solve a case. The GAO's report does not properly describe the harmful application of an access and correction regime to location, investigative and fraud prevention systems which are not used to stop a transaction or prevent a consumer's access to a service or benefit (eligibility). In fact FTC Chairman Majoras stated in a letter responding to questions about the imposition of an access and correction obligation on information resellers:

''Before extending this approach to additional databases [beyond FCRA], however, it is necessary to consider carefully the impact of such extension. For example, requiring data merchants to provide consumers with access to sensitive information may itself present a significant security issue—in some cases it may be difficult for the data merchant to verify the identity of someone who claims to be a particular consumer demanding to see his or her file. Similarly, for databases that are used to prevent fraud or other criminal activities, providing correction rights could pose serious problems; those trying to perpetrate the fraud may take advantage of the right to 'correct' data to hide it from those they are trying to defraud.''

    The GAO report states in its conclusion that ''[g]iven that reseller data may be used for many purposes that could affect an individuals livelihood and rights, ensuring that individuals have an appropriate degree of control or influence over the way in which their personal information is obtained and used—as envisioned by the Fair Information Principles—is critical.'' For all of the reasons discussed above, the GAO has failed to support this claim because:

 Their analysis does not properly account for the severe regulation of consumer reporting agencies, and the breadth of the FCRA's application to all eligibility transactions which apply to all governmental transactions and uses.

 In taking a one-size-fits-all approach, the analysis does not properly account for the destructive consequences of applying various principles in the same way to all business models and products which make up the consumer data industry.

 In making this claim, the GAO often ignores or undercuts decades of congressional oversight, legislative enactments (FCRA, GLB, HIPAA, DPPA, etc.), federal regulatory activities and law enforcement actions.


    In conclusion, the members of the CDIA believe that the GAO's report is methodologically flawed and often misleads readers through the attempt to apply a one-size-fits-all analysis of a set of privacy guidelines. The consumer data industry does not consist of a single entity called an ''information reseller.'' It is an industry with a diversity of business models focused on the production of consumer reports, fraud prevention tools, location and investigative products, analytics services and more. CDIA's members create incredible value for the government agencies which use their services. The consumer data industry is a significantly regulated industry through sector-specific laws which tailor the component information use principles to the types of data, risks and uses involved. Our nation remains at the forefront of enacting enforceable laws and regulations with which our members commit themselves to complying each and every day.

    We appreciate this opportunity to testify and we welcome your questions.

    Mr. CANNON. Thank you, Mr. Pratt. We appreciate your testimony.

    Now the gentleman from Ohio is recognized for 5 minutes.

    Mr. CHABOT. Thank you very much, Mr. Chairman.

    Ms. Cooney, I will begin with you, if I can. Would you elaborate on why privacy impact assessments are important, what they are good for, and how you have seen them work in action?

    Ms. COONEY. Certainly, I would be happy to. At the Department of Homeland Security it has been a very important tool, on the front end of any mission program that uses an information system to collect personal information, to really determine on the front end why are we collecting the information, what information do we really need, how long will we keep it, how accurate is the information from the sources that we are taking it in from, how will we handle it, how do we plan to share it internally or with other Federal agencies or even State and local first responders, and what are the possible redress mechanisms?

    So with a mission as critical as ours is to protect the homeland and security of the American people, we believe that it is also very critical that at each step, from the very beginning of a program through the entire lifecycle development of the technologies that we use to collect and store information, that we look critically at what we are doing and use some basic planning as we do those programs. To us, like in the private sector, it is important information management and it is good ethical Government behavior.

    We have met with cooperation, really, throughout the Department in making that operationalized across business lines and it has been a very satisfactory experience.

    Mr. CHABOT. Thank you very much.

    Ms. Koontz, let me turn to you, if I can. What did the GAO find in terms of the security of personnel information in the GAO report? I know that you have already talked about it to some degree, but could you elaborate a little on that?

    Ms. KOONTZ. Sure. We found that the four Federal agencies that we reviewed had put security protections in place to deal with reseller information. For example, all four of them told us that they had instituted passwords and other access controls to make sure that there wasn't unauthorized access to reseller information. Some of the agencies also had restricted access to very sensitive reseller information only to those personnel who have a need to use that kind of thing.

    Some of the law enforcement agencies as well use something known as cloaked logging. That is a procedure that actually masks the searches that law enforcement personnel do against reseller data so that even the vendor doesn't know what kind of searches are being done. And this is a way of protecting the integrity of the investigations and making sure that subjects of investigations cannot be tipped off as to the existence of them.

    That being said, I think Federal agencies realize that the security is an important component. We did not do a test of security controls at the four agencies we reviewed so we can't make an assessment of the efficacy of the controls that they have in place. And work that we have done Government-wide on security indicates that we found security weaknesses in almost every area in the 24 major agencies, including the four agencies that we reviewed.

    Mr. CHABOT. Thank you very much.

    Mr. Swire, do the same security concerns exist with Federal Government's maintenance of personal information as exist among commercial data companies?

    Mr. SWIRE. Well, many of the challenges are the same. The Government uses overwhelmingly commercial software now, and they are using platforms and vendors that are very, very similar.

    The Federal Government has some special challenges, though. There are classified systems for some systems, and that is a much harder standard to live up to. And also the Government probably has lagged, despite FISMA and GISRA and these security statutes, it has probably lagged the private-sector best practices. It has been hard sometimes to get the personnel in place, it has been hard to get the resources. So it has been a very big challenge and the scorecards haven't always been satisfactory.

    Mr. CHABOT. Thank you.

    And finally, Mr. Pratt, I would like to turn to you. What security policies are in place to ensure that citizens' information is not easily accessible by identity thieves or computer hackers?

    Mr. PRATT. Well, I think the best baseline that we can see in guidance and law and regulation would be those that we find in the safeguards rules under Gramm-Leach-Bliley Act, which apply not—really are applied across the board in many of our member companies today. So that includes technical safeguards, strategies that you would use simplistically—firewalls, if you have online or offline systems. It includes employee training, it includes employee background screening, it includes the types of strategies discussed by the GAO in terms of, you know, password access, how quickly passwords are changed and cycled through, for example.

    It includes even physical safeguards—who has access to a data center, who can in fact get in and potentially walk out with a hard drive that might contain sensitive personal information.

    So when you have the technical, the physical, as well as the employee-based safeguards, you have, really, three legs of a key stool which we need to ensure is applied to really all kinds of sensitive personal information.

    Mr. CHABOT. Thank you very much. My time has expired, Mr. Chairman.

    Mr. CANNON. The gentleman yields back.

    Mr. Nadler. The gentleman from New York, the Ranking Member of the Constitution Subcommittee, is recognized for 5 minutes.

    Mr. NADLER. Thank you, Mr. Chairman.

    I would like to ask all the panelists, given the importance of privacy impact assessments, as Ms. Cooney stated, do you support a broader requirement that agencies prepare privacy impact assessments for rules involving the collection of personally identifiable information in all Government agencies?

    Start with Ms. Cooney, then everybody else.

    Ms. COONEY. Thank you. I would say that certainly under Section 222 of the Homeland Security Act we read the requirement by Congress to really require DHS to undertake those types of privacy——

    Mr. NADLER. No, no, clearly my question is do you think that Congress should extend that to other agencies?

    Ms. COONEY. We found it helpful at DHS. I am not sure what the Administration view is, but I can tell you from our experience it has been a very helpful process.

    Mr. NADLER. So you would think it a good idea to extend it to other agencies?

    Ms. COONEY. It may be.

    Mr. NADLER. Okay. Ms. Koontz?

    Ms. KOONTZ. What we found in our work is that the privacy impact assessments were not being done consistently from agency to agency. And that was something that concerned us very much. And as Ms. Cooney said very articulately, the privacy impact assessments are a very powerful tool before you start building an information system, before you start collecting information, in order to assess what the privacy implications are and then to put the controls in place up front. And to the extent that they are made publicly available, I think they contributed to——

    Mr. NADLER. Are you suggesting—this is for new rules. Is it your suggestion that we need better enforcement of them?

    Ms. KOONTZ. I think we need better implementation of the existing requirements and I think that we saw that what Homeland Security put in their guidance to be a model that could be expanded to other agencies.

    Mr. NADLER. Thank you.

    Professor Swire?

    Mr. SWIRE. I do support broadening the PIA's application to rules. I think we have used that they are a useful tool. There is an issue about scope. You don't want to have it for things that only have a tangential relationship to a couple of people's data. But in terms of enforcement, I think that goes back to having OMB or the White House have a privacy office to make sure agencies aren't falling down on the job. So you spread it to the rules and then you have some coordination across agencies.

    Mr. NADLER. Thank you.

    Mr. Pratt?

    Mr. PRATT. I think from our perspective, really, you have at DHS a good model for how an agency should oversee the uses of private-sector information as well as data that would be gathered under the aegis of the public agency. So to the extent that you are suggesting other agencies that may use sensitive personal information might need a similar infrastructure of knowledgeable and highly trained individuals, that makes sense to us. Certainly in the private sector we have chief information privacy officers, we have the same types of reviews in the financial services industry that go on with regard to how information is used and protected and so on. So I don't think that we ever have a problem with agencies understanding how to protect and secure and use responsibly information they obtain.

    Mr. NADLER. I thank you.

    Professor, do you think we could benefit from agency privacy ombudsmen in other parts of the Government?

    Mr. SWIRE. Well, there have been efforts to spread it. I think there may be up to three or four different executive orders or executive statements that say agencies are supposed to have privacy offices, but implementation has really been uneven over time.

    So there are a number of agencies that haven't been nearly as institutionalized as Homeland Security and haven't been as systematic in——

    Mr. NADLER. See, so again, as in your answer to the previous question, if we had an office in the White House or somewhere to make sure that all the agencies were complying with privacy impact statements or with having the ombudsman function properly, or the agency offices, whatever we want to call them, function properly.

    Mr. SWIRE. I can offer some perspective from having been in that seat. It gives you one person to criticize by name. And that has a very powerful effect, seeing your name in the newspaper as a bad guy, and it leads you to try to get other people to cooperate and make it all work a little bit better.

    Mr. NADLER. It gives you a motive.

    Mr. SWIRE. Yeah.

    Mr. NADLER. Thank you.

    Again, Professor Swire, to the extent that data processing operations might move overseas, what protections do we have or ought we have that we don't have to extend our protections for that eventuality?

    Mr. SWIRE. Well, this issue of overseas has been a powerful issue that people are looking at. I must say, I have a slightly different perspective because the United States complained very much when Europe tried to do that to us. And Europe had in a privacy directive rules that they wouldn't let data go to the United States, and we wanted to make sure that American companies could use that data responsibly.

    I am a step more cautious. I think it is always good to have the contractors under very good controls and make sure those controls work. I am not personally as sure that we should make a big line about overseas or not.

    Mr. NADLER. Could I just ask if anybody else would want to comment on that question? Ms. Cooney?

    Ms. COONEY. Thank you, Mr. Nadler. I would like to tell you that there is work presently going on that the Federal Government is very involved in, and we are included in that work in the DHS Privacy Office, both in the Organization for Economic Cooperation and Development and in the APEC forum in working on cross-border enforcement on privacy issues. There has been some work already accomplished in certain areas, such as combatting spam, and that has been fairly effective.

    What we have found so far is that it is not done solely by privacy practitioners or privacy enforcement officers, but it might be done by consumer protection folks in certain areas, criminal law enforcement in others, privacy professionals working together.

    So I would want you to know that that is an active part of the agenda that we are working on as Federal partners in that.

    Mr. NADLER. Thank you. Anybody else?

    Thank you, Mr. Chairman.

    Mr. CANNON. The gentleman yields back.

    Mr. Franks, the gentleman from Arizona, is recognized for 5 minutes.

    Mr. FRANKS. Well, thank you, Mr. Chairman.

    I want to direct this to anyone at the—in fact, I would like, maybe, for everyone to take a shot at it. I am wondering, in terms of what really are the challenges that we face to keep people's data secret and accurate, is it more of a policy issue that needs to be changed here from Congress, or is it more of a mechanical issue of just the reality that, with the expansion of computer technology and all of the different things that happen today, is it more of a technology challenge or is it more of a policy challenge?

    Mr. PRATT. I will take a first stab at this. First of all, I do think that in this country we need to protect, under the rule of law, sensitive personal information no matter who gathers it. Some of the different laws that we have discussed in our testimony, which are also accounted for in the GAO report, do deal with sectors of business in this country where we have to secure and protect that information. The Gramm-Leach-Bliley Act information safeguards rules are a good example.

    Certainly our membership has testified before several different Committees saying that information safeguards standards should apply to anybody who is going to gather sensitive personal information such as my name and my address and my Social Security number in that combination.

    I think there are several effects to that, by the way. First of all, fewer folks will gather that information. They will think about it first. And that is good, because they should. And if they are going to gather it, they should protect it under that three-legged stool we have discussed. And I think in doing so, it does create an enforcement mechanism also, where there is failure in the marketplace. We think those are all good outcomes that could result from the enactment of law that would do that. There are several Committees that are focused on that now that I think would move forward with an effective program for protecting sensitive personal information.

    It is also education, though. And I would say within the last 5 years, certainly the last decade, what we know and think about as information security is very different than it was 10 years ago. And certainly the velocity of change with technology makes it very challenging.

    Mr. SWIRE. I think it is very much a policy issue where the hard things come in. There is a lot of consensus on data security. You can get pretty much everyone to agree on the list. But which data is the right data to use? And this IRS example from my testimony is one example. Should your tax preparation agency be able to resell your data or not? They can have perfect security, it is just a question of whether that company should be reselling it or not. That is a policy decision. That is where I think a lot of the work has to happen.

    Mr. FRANKS. Ms. Cooney?

    Ms. COONEY. Thank you. I think the point that I would like to make is that the process of data security and information security practices is not one-size-fits-all and it is not a one-step process. It is an iterative process. I think Mr. Pratt's reference to the GLBA safeguards rule is very important and that those general guidelines can be used across Government systems as well as in the private sector, keeping in mind, as they require it, that it is an iterative process and you need to keep looking at your process both from a technology standpoint, from a personnel standpoint, and from a policy standpoint in terms of why do you need to keep this data and is it the right data to keep.

    On the accuracy issues, and it somewhat answers your question, in terms of the application of the Fair Information Practices principles to data accuracy in the private sector for commercial resellers, whether all those principles should apply or would easily apply is something that could be discussed. But certainly a focus on allowing individuals some access to their information to correct the information really should be looked at, because originally that information would have been collected for very different purposes. Many citizens may not even know that a data aggregator has their information. And it is a matter of fairness as well as carefulness with the information.

    Mr. FRANKS. So just to expand on your thought there, much like the credit data that we access, you are convinced that something along those lines for generalized data, that the consumer would always have the right to ascertain what that was, or at least in nonsecurity issues?

    Ms. COONEY. Right. In many circumstances, when it doesn't touch law enforcement or national security in particular, although even in our case we need to be very concerned on our end in the Federal Government to check on data accuracy.

    Mr. FRANKS. My time is almost gone. Mr. Pratt, let me skip quickly to you, sir. With the proliferation of ID theft, a lot of times you can identify a particular culprit. Is this escape of data happening mostly in Government databases or is it private databases? Is there any one—is it just generalized or is there some kind of particular area where we are hemorrhaging?

    Mr. PRATT. It is difficult to pin it down. Certainly, for example, it could be as simple as somebody driving down the street at the right time of the month to pick up your mail, so you have something as simple as mailbox fraud. We saw last year about 50 percent of all the media coverage focused on universities that were losing sensitive personal information, I think probably because they were at that time using Social Security numbers as student ID. I think a lot of universities have begun to change that practice.

    So no, sir, I don't think there is any one place you can go.

    To your point, by the way, about the Fair Credit Reporting Act and having access, let me just say it this way. The Fair Credit Reporting Act is a terrible title for the law because, in fact, the law applies to any kind of eligibility decision. So any time data is used to deny me something, I can't get it, I have a right of access. I have a right to correct it. I have a right to expect that it was accurate in the first place. I have private rights to enforce, I expect the Federal Trade Commission to enforce, State attorneys general to enforce.

    So I think it is very important. That was one of the issues we had with the way the report was structured, is you might walk away from that thinking that there was not this very, very broad-based law that said whether it is my employment application, my application to purchase a home, my application to get a cellular phone account, my application to obtain a utility—no matter how and where a consumer report is used, not a credit report but a consumer report—I have all of those rights that we have just begun to discuss. So I do think we have a law on the books that is quite a bit broader than maybe the title would imply.

    Mr. FRANKS. Thank you.

    Thank you, Mr. Chairman.

    Mr. CANNON. The gentleman yields back.

    Mr. Scott.

    Mr. SCOTT. Thank you, Mr. Chairman.

    I guess my first question is a little more basic. Who are we talking about? Who are these resellers?

    Ms. KOONTZ. I assume you mean the names of the companies?

    Mr. SCOTT. Well, if you want to leave the names out, just describe them.

    Ms. KOONTZ. For our study, we defined information resellers as being businesses that collect and aggregate information, personal information about individuals and make them available to consumers. So it is rather broad.

    Mr. SCOTT. To consumers or to businesses?

    Ms. KOONTZ. And to businesses, yes. To their customers.

    Mr. SCOTT. The purpose for which you are gathering the data can vary depending on what it is going to be used for. You could be just compiling a mailing list. Is that what you are talking about?

    Ms. KOONTZ. I think we are talking about information resellers who then collect this information and then they convert it into information products, some of which are used for marketing, some of which are used for other purposes.

    Mr. SCOTT. Well, if you are using it for marketing you can get a list that would be interested—where a certain product would be interested in marketing to that group of people.

    Ms. KOONTZ. Mm-hm.

    Mr. SCOTT. Could be 80 percent accurate, but that is good enough for mass mailing. Because it is better than kind of saturation mailing. You knocked off 75 percent of the people you don't want to mail to. Are we talking about that, too?

    Ms. KOONTZ. Well, that is some of it. Some of it is for marketing purposes. But I think you have hit on a key point that we talked about in our report, is that the privacy principles basically talk about accuracy for a specific purpose. And the specific purpose in this case is often determined by the user. So it is difficult for the reseller to assure the degree of accuracy for a particular purpose because they are not the ones that are determining that purpose.

    Mr. SCOTT. Well, you don't care whether it is accurate or not if all they are going to do is just mass mail. If the Government gets hold of it, it is going to take some adverse action based on this kind of superficial dragnet where you come in and gather up a lot of names, most of which would be in the category you are aiming at, where the person gathering the data didn't have any interest in accuracy. So what do you do in that case? Is that the information we are talking about?

    Ms. KOONTZ. That is part of the information that we are talking about. There are all kinds of information products that are offered by resellers. And I think it does put more of a, shall we say, an obligation, too. In this case we are talking about the use of these data products by Federal agencies and it puts, I think, an obligation on the part of the Federal agency to determine that the accuracy is appropriate for the use that they are using it for. Which is, for example, the reason that law enforcement corroborates this information with other sources before they take any action against an individual.

    Mr. SCOTT. Is the information subject to the Freedom of Information?

    Ms. KOONTZ. I don't know.

    Mr. SWIRE. There is a privacy exception to the Freedom of Information Act and it often would prevent a Freedom of Information Act request from going through.

    Mr. SCOTT. To get the whole list?

    Mr. SWIRE. Yes.

    Mr. SCOTT. If you are doing law enforcement activities, do I understand that the Levi Guidelines are no longer in effect, where you had to actually be investigating a crime before you started gathering information on people? Professor?

    Mr. SWIRE. Yes, that is correct. They were changed very substantially after 9/11.

    Mr. SCOTT. Before 9/11, before you started gathering information on people and setting up dossiers, you had to actually be investigating a crime, not just gathering information. Is that right?

    Mr. SWIRE. There were detailed predicates for each stage as the investigation went further, yes.

    Mr. SCOTT. And that is no longer in effect, so the Government is now just gathering information?

    Mr. SWIRE. There are guidelines that Attorney General Ashcroft issued. I have read them, but I don't have them clearly in my head. They are quite a bit more permissive, because the idea is share data and use data more intensively.

    Mr. SCOTT. Professor, did I understand you to say there is some idea that you could actually sell tax records?

    Mr. SWIRE. Well, this was actually a subject of a public hearing today somewhere else in town. But H&R Block or any other tax preparer, under the proposed rule, would be allowed to sell tax records or databases of tax records for the first time to outside parties.

    Mr. SCOTT. That is records that they prepared?

    Mr. SWIRE. That they prepared for you as the taxpayer. If you signed off, as one of your signatures to them, they would then be able to resell that.

    It got quite a press hit a couple of weeks ago, when people found out about it. And deserves to.

    Mr. SCOTT. Thank you, Mr. Chairman.

    Mr. CANNON. The gentleman yields back.

    Ms. Wasserman Schultz, did you have questions?

    Good. Thank you. The Ranking Member is recognized for 5 minutes. Mr. Watt?

    Mr. WATT. Thank you, Mr. Chairman.

    Ms. Koontz, I know you all did the study and you are not doing policy, but I particularly wanted to hear from you and Mr. Pratt about whether you thought that Professor Swire's suggestion that we reinstitute a privacy officer in the White House that has kind of umbrella authority from agency to agency, whether you think that is a good idea, whether there are particular good pros to doing that or particular bad cons to doing that.

    I will ask that question of you, if you can address it from a policy perspective. And I would like to get Mr. Pratt's view on it, too.

    Ms. KOONTZ. We haven't studied the question of the need for a privacy officer in OMB or in the Executive Office of the President. I can see, though, that the idea probably has some merit, in terms of further discussion, as a way of having a focal point for privacy issues and the Federal Government. I mean, I think we have seen some benefits from, for example, within the Department of Homeland Security, where you have a highly placed official who has a broad privacy responsibility, and that seems to be something that is useful in terms of looking at these policy issues.

    Mr. WATT. Mr. Pratt?

    Mr. PRATT. Our association hasn't actually studied that same question any more—so I suspect—than the GAO. My first reaction is that sometimes centralization can be a red flag, because you start to remove the expertise and the knowledge you might need. So the knowledge you might need in HHS might be different than the knowledge you might need in DHS.

    So I don't know if a—just off the top of my head, I don't know if a central office would make things better or if it is just simply important to make sure that there are knowledgeable professionals who are thinking about data use issues on an agency-by-agency basis.

    And of course Federal Trade Commission has established its new division, which does focus on information use and identity theft issues as well as——

    Mr. WATT. Who is that? I am sorry.

    Mr. PRATT. The Federal Trade Commission has established a new division under the Bureau of Consumer Protection, which focuses specifically on information protection and identity theft. So there is an office there that focuses on data flows in that regard.

    Mr. WATT. Under what authority is it doing that, and is that——

    Mr. PRATT. It is not the same principle. It isn't the same principle as an omnibus individual, if you will, at the level of the White House. They really oversee—their scope of authority would be no broader than the FTC's scope of authority generally in the marketplace.

    Mr. WATT. Do you concede that despite the concerns, the potential on the downside that maybe having a more consistent set of principles across the Government would be facilitated by this suggestion?

    Mr. PRATT. I don't know yet because, again, one of the difficulties we have even had with the GAO report, and we certainly appreciate the hard work that the researchers did in putting it together, it demonstrates one of the difficulties, and that is we feel that the GAO took the principles and applied them too monolithically across something called an information reseller. And really, to Mr. Scott's question, I suppose information resellers are consumer reporting agencies. They may be financial institutions under the Gramm-Leach-Bliley Act, consumer reporting agencies under the Fair Credit Reporting Act. So I don't know if centralizing expertise works better than just simply making sure that you have knowledgeable individuals operating at an agency level.

    Again, I think also I am probably not in the best position to discuss the effectiveness of the current operation of the Privacy Act or the OMB guidelines that implement that. It is probably the domain of Professor Swire.

    Mr. WATT. Professor Swire, there was a lot of debate about, when this Privacy and Civil Liberties Oversight Board was set up, about whether it should have subpoena power. I know that the Agency just got structured in February—I mean the people who were appointed. But can you just give us kind of the pros and cons of—or maybe better, even, what are the real problems with not having subpoena power?

    Mr. SWIRE. Well, there are various jobs the Privacy and Civil Liberties Board could do. One of them is to be inside the executive branch during clearance, when they are trying to figure out how do you do a new program. And I don't think subpoena power is needed for that. That is talking to the people, being in the room, building confidence that the board can help.

    When it comes to finding out if there are problems out there in the agencies, there is a question of how you find that out. One way is to go to the IGs, right. We have Inspectors General, and especially if we have some good whistleblower protections so the people are allowed to talk to the IGs, then that may be one way to do the investigation.

    If you think that is not working, then you look around, who else might do it? It could be the Department of Justice, but you have to have a good step toward a criminal investigation. If you don't have that, then maybe somebody else, like this board, with subpoena power might be your best chance to find problems in the agencies and do something about it.

    It really has to do with whether the IG system is working, because they were supposed to be the ones to subpoena, and whether you need a second look with some expertise.

    Mr. WATT. Can I just ask one more question, Mr. Chairman?

    Ms. Cooney, how is your office going to coordinate with this Privacy and Civil Liberties Oversight Board? How do you see these two things meshing together, Homeland Security and this oversight board?

    Ms. COONEY. Sure. Under the oversight board there actually is a Privacy and Civil Liberties Officer for the DNI. We coordinate with that Privacy and Civil Liberties Officer now, Alex Joel, in a very cooperative way. As he is setting up his operation, he has come to DHS to ask us what our experience has been, for advice on the startup. And we are working very closely right now, along with others, including the new Privacy and Civil Liberties Officer and DOJ and others, on building in a privacy architecture for the information sharing environment across the Federal Government.

    So I think it is going to be a very collaborative process and it has been very positive so far.

    Mr. WATT. Thank you, Mr. Chairman.

    Mr. CANNON. I would like, before I ask a couple of questions here, I would like to thank the panel for being here today. I think this report is very, very helpful, Ms. Koontz, and you have done a remarkable job in helping us to understand it.

    Ms. Cooney, we appreciate what you have done. Can I just ask, are you coordinating with the people at Justice that are setting up the same process that you are doing? Could you comment on that briefly?

    Ms. COONEY. Yes, we are. Actually, before the appointment of the Privacy and Civil Liberties Officer there, we worked, really, for several months before that in providing advice in terms of our experience, our budget, the type of personnel that we have hired, which is quite multi-disciplinary. And as Mr. Pratt noted, it takes expertise along a wide range of areas. We have technology experts, we have policy experts, we coordinate closely with our Office of the General Counsel on legal issues. And I am very proud to say we have a Chief Counsel to the Privacy Office, who is embedded with us, reporting to our General Counsel, so that is very cooperative.

    We have a compliance team that has a private-sector background. We have folks who had enforcement and compliance experience in the Government realm. We have international. All of those things are really needed if your agency does work across a wide scope and has a lot of different dynamic programs.

    We have shared that type of information with the Department of Justice. And since Jane Horvath has joined the Department of Justice, we have met several times, e-mail, talk about issues. And I think that is the way it should be, and we are happy to do that.

    Mr. CANNON. Well, I—you know, if you look at DHS, which is hard to do because it is so big—it takes the Almighty to comprehend it, and I am not sure it would take the Almighty, but it is beyond my capacity to understand the Department of Justice. It seems to me that the idea, and I guess it goes to your comment, Mr. Pratt, that having a decentralized process may be helpful.

    But Professor Swire, we appreciate your comments and look forward to working with you on what a of a—how we would sort of oversee this whole process. I think it is vitally important that we take these huge, monstrous organizations and get them thinking about what they do, and then cumulate activity rather than mandating it. But at some point, you have to have some kind of overarching oversight of that. So we will revisit that.

    Mr. Pratt, can I ask a couple of questions of you? The GAO has reported that information resellers generally allow individuals limited access to correct their personal information. Why can't individuals get data about themselves corrected when it is wrong? And if the consumer reporting agencies are able to accommodate such corrections, as they are required by the Fair Credit Reporting Act, why can't information resellers do likewise?

    Mr. PRATT. Really, it depends. Again, it is just taking that Fair Information Practice, and then we have to walk through the various products that it might apply to. So as you say, consumer reports, absolutely. Those reports are used to deny me access to a benefit or service. And that is one of the basic fair information principles we are working off of. If I can't get something because information has told the user that I should not get the credit, I should not drive off the car lot with the car, then that makes sense to us and we understand that.

    A fraud prevention product is another type of data product that is used. A fraud prevention product, were we to disclose it, would mean we are disclosing the recipe, because we would be disclosing the various data elements which are cross-matched which raise a yellow flag.

    Now, a fraud prevention product doesn't deny me access, but it probably slows me down. Somebody is going to ask me more questions. You know, Congressman Cannon, are you really who you say you are; can I have another item of identification from you to make sure that you are who you say you are.

    And I think that is also true of some of the investigative tools that we have, location tools. In other words, a location tool really just—and I have seen some about me, where it will show where I have lived previously. And so it is not really—it just says you lived in Houston, Texas, for a period of time, one of your friends now lives in Los Angeles. It really just shows an investigator how they might candidly conduct a national security investigation were I applying for a national security level of clearance. So that is a different kind of tool.

    So accuracy and how you apply accuracy really pivots, I think, off of that.

    In terms of correction, though, public records are a particular challenge. Because if you have a court record and you have simply taken that same image data and put it into a national database, the real key to correcting that is to make sure the consumer knows how to get back to the court in order to correct the information in the first place. Because if you don't correct it at the courthouse, it is still publicly available, there is still a Web site from which you can obtain it, and in fact all you have done is fix the intermediate source.

    And by the way, that principle was corrected in the Fair Credit Reporting Act to ensure that a reseller in the context of a consumer reporting agency, where access and correction do apply, that the consumer would be referred back to the data source in order to correct it at the source rather than to try to correct it at the mid level.

    Mr. CANNON. Let me just get one more question before my time expires.

    When a data breach occurs, shouldn't an information reseller be required to notify those whose information was compromised? And if so, how should notification take place? What follow-ups, if any, should be required of information resellers to monitor compromised information?

    Mr. PRATT. Well, I don't know that we think about it in terms of information resellers. There are several different bills that have been worked on by various Committees, and the fundamental question is, when you have a certain type of information that we tend to think of as sensitive personal information—If I have secured it in the first place, of course, I have done the right thing. If for some reason my security protocols have failed, yes, we think that there is a risk of identity theft, a significant risk of identity theft. Absolutely.

    The reason we make that distinction, Mr. Chairman, is because there are cases where a laptop is stolen, but when you do the forensics on the laptop, you determine that it was really stolen in order to just simply fence the laptop. And in fact it was never opened, it was never started back up again, nobody ever looked at the data, the hard drive wasn't tampered with. So notifying a thousand consumers that their data was on a hard drive of a laptop that was stolen that was never dealt with from a technology perspective probably creates false positives which move consumers away from really being proactive.

    So we think the key to good notices is the trigger—when should I do it so that you and I as consumers really can act on other rights that we should have.

    Mr. CANNON. Of course the question does occur, who makes that judgment?

    Mr. PRATT. It is a difficult one, yes, sir.

    Mr. CANNON. Thank you.

    We appreciate your being here today. Since we don't have, I don't think, any further questions, we will now stand adjourned.

    [Whereupon, at 1:21 p.m., the Subcommittees adjourned.]


Material Submitted for the Hearing Record


[Note: Image(s) not available in this format. See PDF version of this file.]

(Footnote 1 return)
The Homeland Security Act of 2002, Pub. L. No. 107–296, Title II, §116 Stat. 2155.

(Footnote 2 return)
CDIA, as we are commonly known, is the international trade association representing over 300 consumer data companies that provide fraud prevention and risk management products, credit and mortgage reports, tenant and employment screening services, check fraud and verification services, systems for insurance underwriting and also collection services.

(Footnote 3 return)
The GAO employs the term information reseller and we have concerns with the use of the term which will be discussed later in this testimony. For example we do not believe that the term "consumer reporting agency" as defined by the Fair Credit Reporting Act should be commingled with other data products due to the specificity of law which regulates this product. The GAO fails to draw this distinction in its draft report.

(Footnote 4 return)
In 2004 there were 5.5 million location searches conducted by child support enforcement agencies to enforce court orders.

(Footnote 5 return)
The FTC investigates "file segregation" schemes. Here's what they say on their website about this activity: "You're promised a chance to hide unfavorable credit information by establishing a new credit identity. The problem: File segregation is illegal. If you use it, you could face fines or even a prison sentence."

(Footnote 6 return)
http://www.choicetrust.com/servlet/com.kx.cs.servlets.CsServlet?channel=home&product=bgcheck&subproduct=default&anchor=#. All RVI providers recommend that employers should supplement 'no criminal record found' results with a local county records search before making a hiring decision as any national criminal database will not contain all current criminal records since courthouses add new records daily.

(Footnote 7 return)

(Footnote 8 return)
Assuming each in-person search costs $16, the same as an in-person county courthouse search.

(Footnote 9 return)
The GAO also lists the Fair and Accurate Credit Transactions Act of 2003 (Pub. L. cite), however this act is in fact a series of amendments to the FCRA.

(Footnote 10 return)
CDIA has serious concerns about the attempt by the GAO to measure the acceptability of the practices of US consumer data companies, which are in fact regulated by US laws today. This concern will be discussed more fully later in this testimony.

(Footnote 11 return)
See Pub. L. 104–208, Title II, Subtitle D, Chapter 1.

(Footnote 12 return)
See FACT Act Amendments (Pub. L. 108–159).

(Footnote 13 return)
It is also true that the Gramm-Leach-Bliley Act, Title V provisions regulating the use of nonpublic personal information is current due to the extensive role that federal banking regulators and the Federal Trade Commission play in drafting regulations, issuing guidance and enforcing the law.

(Footnote 14 return)
This includes national security investigations, background checks for security clearances, basic employment screening processes for new hires, review processes for promotions, and more.

(Footnote 15 return)
Page 44, Draft Report.

(Footnote 16 return)
The standard of accuracy in FCRA can be found at Sec. 607(a). A consumer reporting agency must use reasonable procedures to assure the maximum possible accuracy of the information in the report.