[House Hearing, 106 Congress] [From the U.S. Government Publishing Office] THE PRIVACY COMMISSION: A COMPLETE EXAMINATION OF PRIVACY PROTECTION ======================================================================= HEARING before the SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, INFORMATION, AND TECHNOLOGY of the COMMITTEE ON GOVERNMENT REFORM HOUSE OF REPRESENTATIVES ONE HUNDRED SIXTH CONGRESS SECOND SESSION __________ APRIL 12, 2000 __________ Serial No. 106-192 __________ Printed for the use of the Committee on Government Reform Available via the World Wide Web: http://www.gpo.gov/congress/house http://www.house.gov/reform ---------- U.S. GOVERNMENT PRINTING OFFICE 70-436 WASHINGTON : 2001 _______________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON GOVERNMENT REFORM DAN BURTON, Indiana, Chairman BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California CONSTANCE A. MORELLA, Maryland TOM LANTOS, California CHRISTOPHER SHAYS, Connecticut ROBERT E. WISE, Jr., West Virginia ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York STEPHEN HORN, California PAUL E. KANJORSKI, Pennsylvania JOHN L. MICA, Florida PATSY T. MINK, Hawaii THOMAS M. DAVIS, Virginia CAROLYN B. MALONEY, New York DAVID M. McINTOSH, Indiana ELEANOR HOLMES NORTON, Washington, MARK E. SOUDER, Indiana DC JOE SCARBOROUGH, Florida CHAKA FATTAH, Pennsylvania STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland MARSHALL ``MARK'' SANFORD, South DENNIS J. KUCINICH, Ohio Carolina ROD R. BLAGOJEVICH, Illinois BOB BARR, Georgia DANNY K. DAVIS, Illinois DAN MILLER, Florida JOHN F. TIERNEY, Massachusetts ASA HUTCHINSON, Arkansas JIM TURNER, Texas LEE TERRY, Nebraska THOMAS H. ALLEN, Maine JUDY BIGGERT, Illinois HAROLD E. FORD, Jr., Tennessee GREG WALDEN, Oregon JANICE D. SCHAKOWSKY, Illinois DOUG OSE, California ------ PAUL RYAN, Wisconsin BERNARD SANDERS, Vermont HELEN CHENOWETH-HAGE, Idaho (Independent) DAVID VITTER, Louisiana Kevin Binger, Staff Director Daniel R. Moll, Deputy Staff Director David A. Kass, Deputy Counsel and Parliamentarian Lisa Smith Arafune, Chief Clerk Phil Schiliro, Minority Staff Director ------ Subcommittee on Government Management, Information, and Technology STEPHEN HORN, California, Chairman JUDY BIGGERT, Illinois JIM TURNER, Texas THOMAS M. DAVIS, Virginia PAUL E. KANJORSKI, Pennsylvania GREG WALDEN, Oregon MAJOR R. OWENS, New York DOUG OSE, California PATSY T. MINK, Hawaii PAUL RYAN, Wisconsin CAROLYN B. MALONEY, New York Ex Officio DAN BURTON, Indiana HENRY A. WAXMAN, California J. Russell George, Staff Director and Chief Counsel Heather Bailey, Professional Staff Member Bryan Sisk, Clerk Michelle Ash, Minority Counsel C O N T E N T S ---------- Page Hearing held on April 12, 2000................................... 1 Statement of: Cate, Professor Fred, professor of law and Harry T. Ice faculty fellow, Indiana University School of Law, Bloomington; Travis Plunkett, legislative director, Consumer Federation of America; Ari Schwartz, policy analyst, Center for Democracy and Technology; and Sandra Parker, esquire, director of government affairs and health policy, Maine Hospital Association......................... 60 Twentyman, Sallie, victim of credit card theft; Robert Douglas, private investigator; and Paul Appelbaum, M.D., chairman, Department of Psychiatry, director, Law and Psychiatry Program, University of Massachusetts Medical School..................................................... 14 Letters, statements, etc., submitted for the record by: Appelbaum, Paul, M.D., chairman, Department of Psychiatry, director, Law and Psychiatry Program, University of Massachusetts Medical School, prepared statement of the American Psychiatric Association........................... 47 Cate, Professor Fred, professor of law and Harry T. Ice faculty fellow, Indiana University School of Law, Bloomington, prepared statement of......................... 62 Douglas, Robert, private investigator, prepared statement of. 26 Horn, Hon. Stephen, a Representative in Congress from the State of California, prepared statement of................. 3 Hutchinson, Hon. Asa, a Representative in Congress from the State of Arizona, prepared statement of.................... 7 Parker, Sandra, esquire, director of government affairs and health policy, Maine Hospital Association, prepared statement of............................................... 106 Plunkett, Travis, legislative director, Consumer Federation of America, prepared statement of.......................... 75 Schwartz, Ari, policy analyst, Center for Democracy and Technology, prepared statement of.......................... 87 Turner, Hon. Jim, a Representative in Congress from the State of Texas, prepared statement of............................ 12 Twentyman, Sallie, victim of credit card theft, prepared statement of............................................... 17 THE PRIVACY COMMISSION: A COMPLETE EXAMINATION OF PRIVACY PROTECTION ---------- WEDNESDAY, APRIL 12, 2000 House of Representatives, Subcommittee on Government Management, Information, and Technology, Committee on Government Reform, Washington, DC. The subcommittee met, pursuant to notice, at 10 a.m., in room 2247, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding. Present: Representatives Horn and Turner. Also present: Representatives Hutchinson and Moran of Virginia. Staff present: J. Russell George, staff director and chief counsel; Heather Bailey, professional staff member; Bonnie Heald, director of communications; Bryan Sisk, clerk; Ryan McKee, staff assistant; Michael Soon, intern; Kristin Amerling, minority deputy chief counsel; Michelle Ash and Trey Henderson, minority counsels; and Jean Gosa, minority assistant clerk. Mr. Horn. A quorum being present, the hearing of the Subcommittee on Government Management, Information, and Technology will come to order. The first Federal Privacy Commission was established in 1977 to examine a similar issue to that being addressed today: How can private information be protected while allowing public access to information that can benefit society? Today, a few keystrokes on a computer can produce a quantity of information that was unimaginable in 1974. From e- mail and e-commerce to e-government, technology has simplified the way people communicate, shop, and file their income tax returns. Last year, for example, more than 17 million people spent $20 billion for on-line purchases. At a subcommittee hearing on Monday, IRS Commissioner Charles Rossotti testified that as of March 31, nearly 21 million people had filed their tax returns electronically this year, a 16 percent increase over the same period last year. The downside of these technological advances is that a vast amount of personal information now flows over the Internet, and all too often, citizens are being victimized. Today names, addresses, Social Security numbers, and credit reports, as well as other personal information, can be bought by nearly anyone who is willing to pay the going rate. Today the subcommittee will examine this troubling issue and whether the time has come to establish another Federal commission on privacy. I welcome our witnesses, and look forward to their testimony. [The prepared statement of Hon. Stephen Horn follows:] [GRAPHIC] [TIFF OMITTED] T0436.001 Mr. Horn. Panel one will be Ms. Sally Twentyman, victim of a credit card theft; Mr. Robert Douglas, private investigator; Paul Appelbaum, M.D., chairman of the Department of Psychiatry, director, Law and Psychiatry Program, University of Massachusetts Medical School. If you will come forward. Let me just say what the ground rules are. We swear in all witnesses, and we would like--we have your statements, they are all very fine, and we would like you to summarize it if you can in 5 minutes, and certainly not more than 10 minutes. Then we will have panel two later. If you would like to stay, we would certainly welcome that in case you have some comments in relationship to panel two. So if you will stand and raise your right hands, we will give you the oath. [Witnesses sworn.] Mr. Horn. The clerk will note all three witnesses affirmed the oath. Without objection, Mr. Moran will be a member of this panel, and we will have Mr. Moran, the distinguished gentleman from Virginia, to give us an opening statement then. Mr. Moran of Virginia. Well, thank you very much, Mr. Chairman. Chairman Horn and Mr. Turner and the distinguished staff, I am pleased to join with Congressman Hutchinson, who has just arrived, for this hearing on H.R. 4049, the Privacy Commission Act. As any Member of this House can attest, privacy is an enormous concern to our constituents. We hear about privacy at our town meetings, in our mail, and from so many citizens who are utilizing the new technologies that are driving our economy. Their concerns are valid. People know that their medical data, which is the most personal information about any of us, is increasingly being electronically stored and transmitted. As the World Wide Web has become commercialized, some companies have developed the means to profile Web users by the sites that they visit. While such profiling is not all that different from what direct marketers have done for many years, the idea of our purchases and shopping habits being profiled in cyberspace is somehow very unsettling to many people, and rightfully so. Even though many Web sites have moved aggressively to self- regulate and to display very prominent statements about their own privacy rules, concerns among the public have not abated. Public opinion polls are clear that this remains a major issue for the American people. As serious as these concerns are, however, there is a countervailing danger of overreaction. The U.S. Internet economy is already worth an estimated $350 billion and is a harbinger of the potential in everything from business-to- business transactions, to consumer retail, to financial services across the board. It is transforming our economy. By the end of this year, some 72 million American adults are expected to be on line; that is 35 percent of the American population. The Internet has flourished in the absence of burdensome government regulations or taxation. Given the stakes to our economy and the depth of public concern, it is clear to us that what is needed is a thoughtful, deliberate approach to privacy issues by this Congress. That is exactly what the Hutchinson-Moran bill provides. It sets up a 17-member commission appointed jointly by the President and the Republican and Democratic leadership of the House to examine any threats that exist to the privacy of Americans and to report back on whether additional legislation is necessary, and if it is, what protections it should contain. It also directs the commission to report on nonlegislative solutions. If self-regulation can be improved, how should industry achieve that objective? It requires an analysis of existing statutes and regulations on privacy, and an analysis of the extent to which any new regulations would impose undue costs or burdens on our economy. I would note that our colleague in the other body, Senator Kohl of Wisconsin, has sponsored similar legislation. In short, this is a balanced, measured approach to a complex issue that carries big costs to our economy. I commend Mr. Hutchinson for his leadership on it, and I commend you, Chairman Horn, for holding this hearing about it. It is good to see my colleague Mr. Turner as well. We look forward to hearing from our thoughtful witnesses as well. Thank you, Mr. Chairman. Mr. Horn. Well, thank you very much for that opening statement. Mr. Hutchinson is now with us. Without objection, he will be a member of this panel throughout the morning, and with Mr. Turner's consent, Mr. Hutchinson is free to give his opening statement. Mr. Hutchinson. Thank you, Mr. Chairman. I apologize for walking in here a couple of minutes late. I do thank you for conducting this hearing, and I want to thank the ranking member, Mr. Turner, also for his interest and support of this legislation and his participation in this important hearing. I would like permission to submit the written statement for the record. Mr. Horn. Without objection, it will be inserted at this point. I might tell all the witnesses, the minute we introduce you, your full statement is in the record, and then we want you to summarize. Mr. Hutchinson. My colleague Mr. Moran, I value his friendship, judgment, and participation on this important issue. He is the cosponsor with me. We are a team on this, and I thank him, and he has really been instrumental in bringing this issue forward. I just wanted to talk a little bit about how this came about. We all are familiar with the polls that show the No. 1 concern of persons as we go into the next century being that of personal privacy. But to me, it is much more personal than that. During December, during our break, I conducted a 16- county district tour; went through all of the 16 counties in my congressional district, held town meetings, and I came back and sat down in my living room and sort of penciled in what were the major concerns. Really, to my surprise, privacy was right at the top. We hear the stories of the hill country folks in Arkansas who really believe that they ought to have privacy; many of them moved to the hills for that reason, and they are concerned about the invasion of that privacy. It is really an unprecedented accumulation and transfer of personal information that we see today in our information society. So I came back with an intent to address that issue. I looked at what is happening in Congress and realized that there is a lot of different bills out there, many of them are good bills, that address privacy concerns, but I think there are about four different approaches to what we should do with privacy issues. First of all, there is the attitude, let us just do something now, regardless of what it is, let's just get something done. The problem is that doing it right sometimes takes more time, more thought, and I think it is more important than doing it quick and simply as a reaction of the pressing need to get something done. So I think that is the wrong approach. The second approach is let's pass legislation in a narrow area. We have bills that deal with financial records; we have bills that deal with medical privacy issues, and then we have separate bills that deal with on-line privacy. I am really a cosponsor of a number of those bills that I believe are good, and I want to support and push those through the legislative process. It is important that this commission not be used as a means to stop other efforts that are going through, and that is my intent. But I do believe that there is much more merit, rather than taking a sectarian approach of, you know, let's look at the financial records issue and health care records with the Internet, it is all-encompassing across every sector of our society. We are really different from the European approach that has taken a more comprehensive approach to privacy than we have taken industry by industry, and I think this commission would broaden it up. The fourth approach is let's leave it to the regulators. Excuse me, that is the third approach. Leave it to the regulators. As a legislator, I don't think that is the best approach. I believe there should be legislative involvement and a legislative discussion of this. Finally, that leads to the comprehensive commission that Congressman Moran and I are proposing, the structure he has outlined. It is certainly bipartisan. It is designed to conduct hearings across the country. We have set a time limit of 18 months for a report, but it is important to note that they have authority if they deem necessary to issue an interim report prior to that 18 months, because there could be some need in a particular arena to issue an interim report. So it could move quicker than 18 months. But clearly, I believe that it is responsible, it is workable, and it is comprehensive; it is the right approach to privacy concerns. We have to be realistic this year. I hope that we can pass some other individual bills. But realistically, I believe this is the best thing that we can do this Congress, and the result will be greater protections of our individual freedom. I yield back. Mr. Horn. Thank you very much. [The prepared statement of Hon. Asa Hutchinson follows:] [GRAPHIC] [TIFF OMITTED] T0436.002 [GRAPHIC] [TIFF OMITTED] T0436.003 [GRAPHIC] [TIFF OMITTED] T0436.004 [GRAPHIC] [TIFF OMITTED] T0436.005 Mr. Horn. The gentleman from Texas, the ranking member, Mr. Turner. Mr. Turner. Thank you, Mr. Chairman. I want to commend Mr. Hutchinson and Mr. Moran for their work on this legislation. It is one of the most important issues that we face. As you mentioned, Mr. Hutchinson, the polls clearly indicate that privacy is one of the top concerns of the American people. I was pleased to join with you as a cosponsor of this bill because I think the commission will create a high profile for the issue and enable us to have a full and open discussion with the American people about these issues so that we can resolve them in the appropriate way. I was very pleased to hear your comments about your intent with regard to the commission was not to impede the progress of other legislation that we may achieve a bipartisan consensus on during the time that the commission is working. I think the commission can be a sounding board for a lot of those proposals. I know there are regulations at HHS pending on medical privacy. I hope that the commission would not impede those regulations, but also provide a sounding board for those regulations, because some of these privacy issues need to be dealt with right away. So if we find a consensus on it, and if the agencies are finding their way to protecting our privacy as HHS is trying to do with the medical regulations, I think the American people deserve those protections as soon as possible. The commission not only can provide a sounding board for the proposals that are out there and for actions that may be taken over the next 18 months, but at the end of the day, hopefully can come up with an overall recommendation in these various areas that represent a true consensus to protect the privacy of the American people. So I commend you, and I welcome our witnesses here today. We look forward to working on this bill and making it everything that I think the authors intend for it to be. Thank you, Mr. Chairman. Mr. Horn. Thank you very much. [The prepared statement of Hon. Jim Turner follows:] [GRAPHIC] [TIFF OMITTED] T0436.006 [GRAPHIC] [TIFF OMITTED] T0436.007 Mr. Horn. We will now begin with the first panel. We will start with Ms. Sallie Twentyman, who is the victim of credit card theft. Tell us about it. STATEMENTS OF SALLIE TWENTYMAN, VICTIM OF CREDIT CARD THEFT; ROBERT DOUGLAS, PRIVATE INVESTIGATOR; AND PAUL APPELBAUM, M.D., CHAIRMAN, DEPARTMENT OF PSYCHIATRY, DIRECTOR, LAW AND PSYCHIATRY PROGRAM, UNIVERSITY OF MASSACHUSETTS MEDICAL SCHOOL Ms. Twentyman. Mr. Chairman, I do appreciate the opportunity to appear here today to tell you about my experiences. Last summer my privacy was dealt a blow from which I will never totally recover when I became a victim of identity theft. I still don't know how, when, or where it happened, or who the perpetrator was. I probably never will. But what I do know is that I never received two of my renewal credit cards in the mail, and that someone used my name and Social Security number to access these two credit card accounts and to establish several other new credit card accounts in my name, all in just a matter of a few days and all from a fraudulent address. In one account alone, this person was able to get approximately $13,000 in cash in less than a week. Over the next several months, this fraudulent activity continued, with my list of residences extending to at least five different States, even after fraud alerts were placed on my name at each of the three credit bureaus in the country. Today, I am hopeful that the activity is winding down, but I still live each day knowing that my information is in the hands of criminals. This identity theft, especially when perpetrated by a group or a crime ring, as mine probably has been, is similar to what I call financial cancer. Even if, through my efforts, I manage to stop these criminals for a while, they are likely to begin using the information again in the future when they think that I am no longer watching. As identity theft takes new forms, as it does every year or two, I will be at high risk of being a victim of these newer forms of crime. So far, I haven't been responsible for repaying any of the fraudulent balances, which I appreciate, and I haven't even had pressure put on me, which is good, because I hear a couple of years ago people did have problems with that. I haven't applied for any new loans, so I don't know how difficult it would be to buy a car or get a mortgage at this point or get a student loan to send my teenagers to college, which is coming up in a couple of years. During the past 8 months, since my identity was stolen, I face some problems and frustrations which I do appreciate being able to come here and tell you about. I faced all of these just as a citizen, a very typical citizen who knew very little about identity theft when it happened to me. First of all, the Identity Theft and Assumption Deterrence Act made identity theft a crime, and that is very good, but it seems that no one has really been made responsible and are given the manpower needed for apprehending the criminals and enforcing the law. I realize it has kind of skyrocketed, and it is hard for so few people to investigate so many cases. I was unable to get most law enforcement officials to do anything. When I was unable to get out-of-state police departments to file police reports--because the criminals were very good; they knew to do it in States where I don't live--or to investigate the addresses out of which the thieves were acting, a local police officer made many phone calls for me, but in each case she, too, was unable to get police officials in these other jurisdictions to file reports. As our country moves from a brick-and-mortar economy to an electronically based economy, law enforcement agencies will need to establish ways of dealing with new electronic forms of crimes which do not fall into specific physical jurisdictions. I need to note, too, that every governmental agency that I contacted, including the FTC, the FBI, the Secret Service, and the Postal Service, politely took my report, or voice message, or e-mail, and several sincerely wanted to help, I know that they did. However, not a single one ever followed up with me to let me know that they had really done anything with my specific case, which made me--it is very lonely, feeling like nobody is doing anything. Financial institutions and other businesses need to be made accountable for protecting customers' personal information. Maybe stiff fines and other penalties need to be established when these institutions are negligent or when they continue to open new accounts after fraud alerts have been placed in the person's name. I don't really want to have to get an attorney to do things for me. I really feel they should be made accountable in some way. My bank did not protect my personal information and helped to spread this financial cancer. In fact, they allowed someone to change my birth date and mother's maiden name in their computers, which made it really hard when I tried to access my account and have something done. All the banks which issued the fraudulent credit act as if the losses were all theirs; since they wiped my slate clean, I did not owe anything. I would like to point out that their losses were over as soon as they passed on their costs to other consumers in the form of increased service charges and higher interest rates, but my personal information has been lost forever, and I am 44 years old, and there are a lot of years ahead of me. When a victim learns of his or her identity theft, we need a faster, more effective way of reporting the crime and beginning investigations. The bank told me to start with the credit bureaus, which I did. I left fraud alerts. It was very frustrating, though, getting through voice mails. When you are in shock, when you hear press one of this, two of that, three of that, I had to hang up several times and start over. Also, it took me 2 weeks to get my credit reports, and during the 2 weeks I just wondered what had been happening, and I wish I could have gotten them sooner. Maybe they could have been faxed to me, e-mailed to me, or something. I feel we need regulations regarding the issuance of instant credit in this country. These people managed to get instant credit several times, and the bank would call me 3 days later saying, I am sorry, I see we have a fraud alert, but we had issued the credit card, and we will take care of it. But it does keep going on. We need to also look into the efficacy of establishing some national hotline or fraud reporting agency in some way. I had to report to three different credit bureaus, but not everybody has to check them. Bank accounts who aren't issuing you credit don't have to. I wish there was someplace a victim could call and just put a block on their name totally; no bank accounts, no new cars, no mortgages, nothing without calling me first. You all are aware of the Internet. I must say that I can look at--I go to Infoseekers.com now, and I see that for $65 they can buy everything about me, my Social Security number, name, address, how many kids I have, what properties I own, medical information. I really wish something could be done. I am not sure, but I will say that that is a sore point for me right now to go on line and see that. I also recently got an Internet security system and have been having hackers almost daily trying to get in. It has been something. I know that we need to protect Social Security numbers in the country. I am sure the commission would be looking at who needs it and who doesn't, and restrict it to who does. I don't feel like student IDs, driver's license, medical records, everything has to have Social Security numbers. Government officials and corporate officials need to really establish ways of authenticating electronic telephone transactions. I know they are doing it, I encourage it. Work diligently, please. Once again, I do thank you for the opportunity to share my experiences today. I deeply appreciate your efforts in helping to protect the privacy of all citizens. [The prepared statement of Ms. Twentyman follows:] [GRAPHIC] [TIFF OMITTED] T0436.008 [GRAPHIC] [TIFF OMITTED] T0436.009 [GRAPHIC] [TIFF OMITTED] T0436.010 [GRAPHIC] [TIFF OMITTED] T0436.011 Mr. Horn. Well, thank you for your story. I think it must make every one of us behind this podium and everyone in the seats out there that you just feel like you have been violated, and your whole person is in somebody else's hand and control. I am going to ask one or two questions now, and then we--we don't want to waste the talent here, and we will do all of them afterwards. But you mentioned the Secret Service. Did you go to the FBI? Ms. Twentyman. I left a message and was never called back. Mr. Horn. They never contacted you? Ms. Twentyman. I think I left two. I never heard back. The Secret Service I did hear from. They asked for some information. I faxed it, but I never heard back. I realize I could have called and really aggressively tried to get, tried harder, but I didn't. I mean, I felt like they knew. Mr. Horn. Did you contact your own Member of Congress? Ms. Twentyman. Sitting right over there, I did e-mail him about this. Mr. Horn. He is the kind of person that gets something done. Ms. Twentyman. That is right. Mr. Horn. OK. Ms. Twentyman. He catches his car thieves, too. Mr. Horn. I had a problem like that when a few Federal agencies wouldn't move, we just went right to the top, and believe me, they got a little dynamite stick under them and started moving. But that is another story. Ms. Twentyman. I think part of this is I wanted to also see the citizens--things seem to be winding down. I have been very proactive. I need to observe what is going on, because every citizen does not--I know my parents would not have been extremely assertive. I am just so thankful it is me instead of them and some people. Mr. Horn. Well, thank you. Stay with us, and we will have some more questions as we finish this panel. Mr. Robert Douglas is a private investigator. We are glad to have you here. Mr. Douglas. Thank you, Mr. Chairman. My name is Robert Douglas, and I am the founder of American Privacy Consultants. I appreciate the opportunity to appear before you in support of the creation of a privacy commission and to state my belief that a comprehensive review of current privacy law and the formulation of a privacy plan for the 21st century are important and long overdue. Prior to founding APC, I was a Washington, DC, private detective. In 1997, I began investigating the practice of information brokers selling personal financial information. I brought the results of that investigation here to Congress, and I would note in part of that testimony, which I have appended to my statement this morning, I addressed specifically the situation that happened to Ms. Twentyman where her maiden name and birth date records were changed within a financial institution, and I know the techniques that are used to do that, and it happens thousands of times a year around this country. My 1998 testimony resulted in passage of the Financial Information Privacy Act, which was incorporated in the Gramm- Leach-Bliley financial modernization law. In 1998, I informed Congress that the use of identity theft, fraud, and deception was rampant in the information broker industry and extended well beyond personal financial information. It is my hope that passage of H.R. 4049 will result in a privacy commission that can act as a small, but very important, part of a broader mandate, to investigate the use of identity theft to access and steal many other types of personal information of citizens and residents of the United States. I am often asked what personal information can be gathered by the average citizen. The truth is almost anything can be learned about anybody in the United States today. The question is how. The impact of technology on privacy today is the ability to accumulate, store, filter, cross-reference, analyze, and disseminate vast amounts of information about anyone in a fast and cost-efficient manner that was previously unavailable to a point where almost anyone can now afford to participate in the buying or selling of data of any type about anybody. Simply put, privacy in the United States is too often a concept, not a reality. For the purpose of today's hearing, I would like to focus on several particularly egregious categories of personal information that are being advertised and sold on the World Wide Web. We did have a power point presentation, but I understand it is not able to be done in this room, so if you follow through my statement, I will do the charts that I have there in order. The first example is found at a company called Docusearch.com, and it is a list of searches. From this menu, one can see that anyone's Social Security number, address, and date of birth can be purchased. These are the essential ingredients for identity theft. With this information, a criminal can impersonate anyone they choose and gain access to all of the personal information concerning the target of the identity theft and do things like happened to Ms. Twentyman. That is how you get in, that is how you change a person's information, that is how you shut off their utilities if you are a stalker or harasser, that is how you steal their finances, that is how you take over their credit history. The following Web page from Docusearch is the description of the Social Security number search. This page documents--and this is very important--this page documents the use of credit headers for selling personal, biographical information first obtained as part of a normal, ordinary, day-to-day credit transaction and then sold to private investigators and information brokers by our Nation's credit bureaus. This is a common and widespread practice that must be revisited by Congress. While there are many useful and legitimate reasons for the access of credit header information in certain legal and investigative contexts, the wholesale and unregulated access of biographical data from credit reports goes on at an alarming rate. There are hundreds of Web sites on the Internet, and I repeat hundreds of Web sites on the Internet, selling biographical information obtained from credit reports. The sale of credit headers is the starting point for many forms of identity theft as it gives the identity thief all of the biographical information necessary to impersonate the true owner of the information. This ability to then impersonate the true owner opens up access to all forms of personal information sought by the identity thief. Congress should extend the same permissible purposes test currently in place for the access to credit data under the Fair Credit Reporting Act to the biographical data included in the credit header, which is now exempted under current interpretations of the FCRA. The next chart demonstrates another company called Strategic Data Services, and again, we see the sale of Social Security numbers, employment information, dates of birth, driver's license, but added to this we see where they will sell the physical address that goes to a post office box owner, something to someone who has a civil protection order, is trying to stay away from a stalker or a harasser, is terrifying to them, because they will reach out and get and pay extra for a private P.O. box specifically to hide their physical address, and yet here we have hundreds of Web sites selling it. The P.O. box's postal regulations recognize few exceptions for obtaining the corresponding physical address, yet here we see it for sale on the Internet. The next category shows the sale of driver and vehicle searches, general doc search. Included in the list are the sale of names and addresses associated with a license plate and the sale of a specific driver's license number. So if I see your license plate on your car on the street, and I want to find out who you are and where you live, I can buy that information. The following Web page shows the specific driver history records by name, and I would note that many Americans believe that the passage of the Drivers' Privacy Protection Act, which I am aware Senator Shelby just held hearings on, I believe, last week, looking to reinforce that act and strengthen it, but I am afraid he missed what I am about to talk about here many Americans believed would stop the sale of this type of information. However, the act allowed an exemption for private investigators. Unfortunately, although there are thousands and thousands of very lawful and upstanding private investigators in this country, there are a number of information brokers who are also private investigators or who have established relationships with private investigators that are subsequently accessing this information and selling it to almost anyone who submits a request on the Internet. The next page shows telephone searches, and this is an area that I am not aware that anyone in Congress has looked at to this date. One can see from the listing that any phone number can be traced back to its owner. Whether or not the individual owner has taken steps to protect their privacy by again paying extra for an unlisted or nonpublished phone number, it doesn't matter. It doesn't protect you one iota. Again, we have a page demonstrating exactly the sale of nonpublished phone number information. Again, another page demonstrating all of the other types of phone searches on another Web page, and I will try to move along here for you. But on that one it is very important to note that, in addition to being able to find the ownership site for selling the actual long-distance toll call records. In other words, you can purchase the long-distance phone records, including the number called, the date, time, and duration of the call. This is actually used in economic espionage, business espionage, on a fairly regular basis in this country. The next page is, again, financial searches. We can see that even though Gramm-Leach-Bliley was passed last November 12 and signed by President Clinton, that both personal and corporate, private financial information continues to be sold on hundreds of Web sites on the Web. I have documented the specific bank account search here, and there is one portion in the description that I have bolded and underlined that should be alarming to this committee and to Congress, and that is this individual, whose name is Daniel Cohen and operates Docusearch, is claiming that he is accessing a Federal database. The article from Forbes Magazine that I have appended as appendix 1, he goes further in that article and claims he is getting it from the Federal Reserve. As I pointed out in my speech to the FDIC about 2 weeks ago, I believe that to be a total falsehood. There is no such database with the Federal Reserve. But these are the types of lies these people are telling, even on the Internet, even to reporters like the reporter from Forbes and to our American citizens, which are making our citizens answer the question that Congressman Hutchinson found when he traveled to his district, and I am sure Congressman Moran and others, into believing that they have no longer any financial privacy in this country. They are actually stealing this information through impersonation, but are claiming to our citizens that they have lawful access via Federal databases, and I would hope that that would be of concern to this committee. The final page is a credit card activity page. To sum that one up, there are dozens of Web sites you can go on where I could buy Ms. Twentyman's actual credit card activity, where she had her dinner, what presents she bought for her family at Christmastime, right down to the individual transactions. The examples I have provided today demonstrate that a vast and varied amount of personal information is available on the Internet. These examples are just several of thousands available. I have provided committee staff with hundreds of other Web page examples of information being advertised and sold on the Internet, and without saying his or her name, because they asked me not to, I demonstrated to your staff, Chairman Horn, the other day that with one phone call, and I think that person could tell you that, in about 3 minutes I got a phone call back, and I knew her Social Security number and her address. And I have with me a complete report of that individual that I will show them later on today. If H.R. 4049 passes, and it should, I will do all I can to assist the privacy commission or any committee of Congress to understand and weed out the methods currently being used and developed to access our fellow citizens' personal and private information. In conclusion, and I apologize for running so long, the time is ripe to have a privacy commission with broad-based authority to examine privacy in the United States today and to take appropriate steps to safeguard the privacy of all Americans while ensuring that steps are not so Draconian as to impede our booming information age economy. I thank you, Mr. Chairman. [The prepared statement of Mr. Douglas follows:] [GRAPHIC] [TIFF OMITTED] T0436.012 [GRAPHIC] [TIFF OMITTED] T0436.013 [GRAPHIC] [TIFF OMITTED] T0436.014 [GRAPHIC] [TIFF OMITTED] T0436.015 [GRAPHIC] [TIFF OMITTED] T0436.016 [GRAPHIC] [TIFF OMITTED] T0436.017 [GRAPHIC] [TIFF OMITTED] T0436.018 [GRAPHIC] [TIFF OMITTED] T0436.019 [GRAPHIC] [TIFF OMITTED] T0436.020 [GRAPHIC] [TIFF OMITTED] T0436.021 [GRAPHIC] [TIFF OMITTED] T0436.022 [GRAPHIC] [TIFF OMITTED] T0436.023 [GRAPHIC] [TIFF OMITTED] T0436.024 [GRAPHIC] [TIFF OMITTED] T0436.025 [GRAPHIC] [TIFF OMITTED] T0436.026 [GRAPHIC] [TIFF OMITTED] T0436.027 [GRAPHIC] [TIFF OMITTED] T0436.028 Mr. Horn. Well, we thank you a lot, because you have just done a terrific job of taking us through how easy it is to have this happen, and we are indebted to you in terms of the excellent information you provided. I take it you have not ever been filing for Social Security numbers and anything like that. When did you get into this? Mr. Douglas. I came across it while I was working as an active private investigator in Washington, DC, and started to note that more and more information brokers were advertising in the PI trade magazines, and then relatively blatantly on the Internet. I did attend law school. I had some sense that this could not quite be right, some of the information that they were selling, and I began calling literally dozens of them and actually contracted with a few to find out what types of information they were able to obtain. Through the course of developing--and they will lie blatantly even to other private investigators, reporters, Members of Congress who have talked to them and claim all types of--you know, it is proprietary databases that we have, investigative sources. And there are certain key phrases that you can find on these Web pages that I could demonstrate to the committee or others, indicate that they are not getting the information legally. Any time they claim--on the page where they claim they are getting it from a Federal database, well, gee, they are getting it from a Federal database, but on the same page it tells them it takes 18 days to get it. So the reason it takes 10 to 18 days is because what they are doing and what has happened to Mrs. Twentyman is they will buy your credit information, they will then in her case get someone in their office who is female and approximately her age to start calling her bank and calling whatever, the phone company, utility companies, whoever they want to obtain information from and impersonate her, and they now have her name, her date of birth, her address, her Social Security number, and with that information, you can get almost anything, including--and I demonstrated this to Chairman Leach 2 years ago in the Banking Committee. What they do, the way they changed her date of birth and her mother's maiden name-- many banks use the mother's maiden name as the password to gain access. I have been advising banks for several years now to change that, and the OCC letter that was put out following my testimony also advised them to go from the maiden name to a PIN number. Mr. Horn. Explain OCC. Mr. Douglas. The Office of the Comptroller of the Currency, one of the regulatory bodies overseeing our financial institutions. They put out an advisory letter in the fall of 1998 following my testimony advising them to change that, for the very reason as to what happened to Ms. Twentyman, because here is how it is done. If I want to change your--even your password, I call the bank, and I claim to be Mr. Horn, and I have the biographical data, but maybe I don't have the mother's maiden name. I say, gee, I am on the road, I need to get some information off my checking statement. I am afraid I have a check that is going to bounce. I am out of town. I have to take care of this today. I don't have my checkbook with me, sometimes they don't have the account number, can you help me. Well, because in fairness to the banks, they are in the customer service business--and this applies to any other institution, not just financial institutions. They are in the customer service business, they want to be helpful, they are trained to be helpful. So if you have enough data, date of birth, Social Security number, you start to sound real to them. If you have a good enough pretext, as we call it in the industry, falsehood, fraud, and you sound nice enough on the phone, you start to convince them. Now we get to the tricky question of mother's maiden name. I will say Smith. And the person will say, well, I am sorry, Mr. Horn, that is not what we have here on the account. And excuse me, but the response would be, well, goddamnit, who are you to have the wrong information? I know what my mother's maiden name is. I want a supervisor on the phone right now, or I am pulling my account out of this bank today. Well, hang on, hang on, Mr. Horn, I am sure we can work this out. They eventually convince them that somebody on their end has made a mistake, and then they change Ms. Twentyman's information so that now she cannot even access her own information, but I can. That is how it is done. It is done dozens of times, if not hundreds of times a day around this country. Mr. Horn. Well, thank you. Our last witness on this panel is Dr. Paul Appelbaum, the Chairman of the Department of Psychiatry and Director of the Law and Psychiatry program for the University of Massachusetts Medical School. Thank you for coming. Mr. Appelbaum. Thank you, Mr. Chairman. I am Paul Appelbaum, M.D., vice president of the American Psychiatric Association, a medical specialty society representing more than 40,000 psychiatric physicians nationwide. My work treating patients, the empirical studies that I have conducted on medical records privacy, as well as my work consulting with State legislatures, State health agencies, and the U.S. Secret Service have given me a broad perspective on medical privacy issues. Thank you for the opportunity to testify today. Just a month ago, a leading computer magazine proclaimed in its cover story, we know everything about you. Privacy is dead. Get used to it. I greatly appreciate Representative Hutchinson's and Moran's efforts, as well as the subcommittee's interest, in remedying this loss of privacy. I focus my comments today on the importance of protecting doctor-patient confidentiality. The level of privacy enjoyed by patients has eroded dramatically, and physicians are often hampered in our ability to provide the highest quality medical care as a result. We have a 21st century health care delivery system, but patients are forced to live with privacy protections designed for the time of Marcus Welby, M.D. I note for your consideration several examples of today's health privacy crisis. A study by professors at UMass, Harvard, and Stanford revealed over 200 cases where patients at risk for genetic disorders had been harmed by disclosures of medical record information. Patients often forego insurance coverage to maintain their privacy. I treated a skilled tradesman for 2\1/2\ years who worked overtime to pay for his treatment because he didn't want his union, which administered his insurance plan, to know that he was receiving psychiatric care. Members of Congress have seen highly personal disclosures about their medical conditions, some true, some untrue. In one case, a major daily newspaper splashed headlines about a Member's mental health condition only days before the Member's primary. The San Diego Tribune reported that a pharmacy inappropriately disclosed a man's HIV status to his ex-wife, and the woman was able to use that information in a custody dispute. The Federal Government's appetite for identifiable patient information continues to grow. Witness last year's efforts by HCFA to collect highly personal information in its Oasis program, an effort that they were ultimately compelled, at least partially, to back down from, and how it grows the potential for abuse of this information. It is critically important to realize that privacy is not only a value in and of itself, it is an essential component of providing the highest quality medical care. Some patients refrain from seeking medical care or drop out of treatment in order to avoid any risk of disclosure of their records. Others simply will not provide the full information necessary for successful treatment, and we know this from a Louis Harris poll that this is a widespread behavior in our society today. Patients ask us not to include certain information in their medical record for fear that it will be indiscriminately used or disclosed. As a result, more patients do not receive needed care, and the medical records data themselves that we need for many purposes are inaccurate and tainted. We need a high level of confidentiality protection for all medical records so that all patients receive the privacy necessary for high-quality care. Communicable diseases, mental illness and substance abuse, sexual assault histories, cancer, reproductive and women's health issues, as well as many other conditions may be highly sensitive for patients, and information about these conditions is unlikely to be revealed without assurances that the privacy that exists in the doctor- patient relationship will be maintained. We believe that many medical privacy proposals before the Congress as well as the regulations being proposed by the Department of Health and Human Services, need to incorporate additional medical privacy protections. The most significant action that Members of this subcommittee can take today to protect medical records privacy would be to contact HHS to express your belief that additional privacy protections should be included in HHS's final regulations, and to conduct hearings on their proposal. The American Psychiatric Association is very encouraged by Representative Hutchinson's and Moran's privacy commission legislation. Particularly important, in our view, is to focus this proposal on increasing public awareness of the need for additional actions to protect privacy, as well as the actions that citizens can already take to protect their own privacy; working on neglected areas of privacy policy, including the adequacy of privacy protection for employees--many employers have widespread access to their employees' medical records--and on the Federal Government's use of confidential information; and allowing the current efforts to produce greater privacy to flourish. We are particularly supportive of the work of the Bipartisan Privacy Caucus led by Representatives Markey and Barton, including legislation introduced to remedy the major financial and medical privacy problems contained in last year's Financial Services Modernization Act. Last and most important, we believe that all involved parties, whether brick or click private sector companies, privacy experts, consumers, patients and civil libertarians, must be fully involved in the work of a privacy commission. As part of this consensus-oriented approach, we believe it is essential that the membership of any commission contain a balance among all stakeholders, including the privacy community. Thank you for this opportunity to testify. I look forward to working with the committee on these important issues. Mr. Horn. Thank you, Dr. Appelbaum. [The information referred to follows:] [GRAPHIC] [TIFF OMITTED] T0436.029 [GRAPHIC] [TIFF OMITTED] T0436.030 [GRAPHIC] [TIFF OMITTED] T0436.031 [GRAPHIC] [TIFF OMITTED] T0436.032 Mr. Horn. We are now going to question this panel and we will do it in 5-minute segments, alternating between majority and minority. Does Mr. Turner want to yield to Mr. Moran, or would you like to start? Mr. Turner. I yield to Mr. Moran of Virginia. Mr. Moran of Virginia. Well, thank you, my friend, and thank you, Mr. Chairman, my friend as well. This was very good testimony, and I particularly appreciate my constituent, Ms. Twentyman, to come forward and tell us what happened to you. I know that it is somewhat embarrassing, but I am glad that you have taken the initiative. As you say, I don't know that your mother's generation would be willing to, but you have stepped forward, and I appreciate it. It is just such a constituent that initiated the Driver's Privacy Protection Act. It was a woman who went to a health center to get advice, she had just had a miscarriage, and by the time she got home, she drove home, she lived in northern Virginia, there was a group picketing on her front lawn because they assumed that she had had an abortion, because that health clinic had also offered a full range of services to women. In addition to being--the irony of it and being distraught, she just couldn't imagine how they had known where she lived, and we found out that what they had done was simply write down the license numbers of the cars and the tag numbers and went to the State Division of Motor Vehicles that was in Alexandria and got the addresses, the names of everyone that had parked in that lot, and that just didn't seem right. The State was collecting $5 for every individual piece of information, direct marketing organizations, of course, were paying more. We found out that there were a number of organizations that were determined to continue that practice because they made a lot of money off of it, and most protective of that practice was the States. They were making millions, as Mr. Douglas has indicated. But the detectives particularly wanted to be exempted. We exempted them, and I know the newspapers and publishers' associations want to be exempted. I don't think the conference report finally exempted them, but they thought it was also a great idea to be able to access this information. So we are vulnerable. But it would seem, and I know Asa feels just as strongly, and I suspect my friend Mr. Horn and Mr. Turner do as well, that we should not try to impose a type of cookie cutter approach from the public sector if there is a way that the private sector can regulate itself. There does seem to be a number of initiatives being attempted that would enable you to do that. I guess I would like to solicit from the three of you, if you have seen ways in which your situation, Ms. Twentyman, could have been avoided, or you could have been protected. Mr. Douglas, this information you give us is just astounding, the access that people can get to our information, and then can shut us off from even getting our own information. Dr. Appelbaum, you have obviously explored this very extensively as well. Do you see efforts in the private sector developing that are able to self-regulate, or at least give people an option to keep their information private? What we did with the Driver's License Privacy Protection Act was to require that a box be on the license application that you can't miss if you don't want that information shared, you just check it, and then it is against the law to give out any information on that person's data without that person's permission. Let me see whether any of the three of you have come across ways that have already developed, nongovernmental ways that might have protected you. Dr. Appelbaum. Mr. Appelbaum. The medical information developments in the last several years have resulted in a widespread use of computerized medical records and aggregated databases in ever- growing HMOs and hospital systems. Some of these systems are beginning to pay attention to these issues. For example, I can tell you that at the University of Michigan's Medical Center in Ann Arbor in the last year, having implemented an electronic medical record, they have simultaneously carved out and placed behind a firewall the psychiatric portion of those records, with limited access only to people in the Department of Psychiatry. So such efforts are, indeed, possible. The problem, I think from my perspective, is that the incentives all push in the other direction in terms of doing things easily, using information for marketing purposes and mining it for additional revenues. The private sector has every incentive not to pay attention to these issues. And though direct regulation may be a last resort, at the very least, I would think that some sort of balancing incentives should be given to these organizations so that they receive some encouragement to take privacy seriously. Mr. Douglas. I think you hit exactly on what is the main discussion or argument taking place in the business community today, and that is fair information practices and key phrases like opt-in versus opt-out. Currently, the burden is on the consumer, people like Ms. Twentyman, to safeguard their own information. If you were to sit down with a pen and paper and list all of the different places that you have private data, private information, you would still be writing at 5 p.m. So the burden is currently on you as the consumer, as an American citizen, to go out and find all of those places and tell them, if they will even listen to you, that you want to opt out, that you don't want your information being shared. The discussion today, I know the discussion within the financial community and certainly as we sit here today, the regulators are proposing regulations under Gramm-Leach-Bliley dealing with third party affiliates, opt-in versus opt-out, and it is very cumbersome. The average American consumer is not going to understand it. What many are arguing for today is that it should be opt in. As far as information practices, if I give you--and let me just use the example of the credit agencies, we all have to participate, almost all of us, in credit transactions on a daily basis. But we believe when we fill out a credit application, a mortgage application, a rental application, a department store application, that that information is between us, the credit bureau and the person making the decision as to whether they will grant that credit, but that is not the truth of the matter. The truth of the matter is, through the credit headers and the recompilation in the vast databases, a lot of that statistical information is being resold. Every day your and my information is running up millions of dollars for American business and the States, as you noted. As just one afterthought, you had mentioned the Newspaper Guild or somebody's resistance to the DPPA. Deep within the article that I have attached as appendix I from Forbes is a story of a company called Touchtone Services out of Colorado that I am very familiar with, because they are one of the few successful prosecutions of an information broker in this country, and Mr. Rap, who is the owner of that company, I think just got out of jail within the last week or two after serving, what, 70 days. Let me tell you what he did as part of the allegations. He was selling information on the Cosby family to the tabloids. We often wonder how the newspapers and the TV stations show up on our doorstep when there is a tragedy, like an aircraft crash or something like that, faster than even the police, because they go to these information brokers. They have one on contract, private investigators who know how to use these techniques of how to impersonate people. The Jon-Benet Ramsay, he impersonated Mr. Ramsay and was able to obtain his banking information. He was able to obtain where the Colorado detectives were secreting witnesses and in what hotels. In the Monica Lewinsky investigation, it was his firm that obtained Kathleen Willey from Richmond's phone records and sold it to a Montgomery County private investigator who turned it over to the attorney of a very prominent Democrat who is still under investigation in an Alexandria grand jury. Perhaps most egregious of all, and I went over this with your staff the other day, Mr. Horn, he was able to get the pager numbers of undercover LAPD police officers that were working on a very important investigation with the Israeli Mafia and they were able to clone those pagers, a little technical, but there is a way to do that, so that they, the bad guys, were getting the same pages that the undercover officers were getting, and they were then able to figure out who the secret witnesses were in the investigation and get the home addresses of the undercover police officers who, in one case, showed up on the doorstep while the officer was away and intimidated the wife of the officer. So we are not talking kid's play here. There are very serious things that are going on out there, and it all leads back to how our information is being bought, sold and packaged every day in this country. Mr. Moran of Virginia. Troubling. Thank you, Mr. Douglas. Mr. Horn. The gentleman from Arkansas, Mr. Hutchinson. Mr. Hutchinson. Thank you, Mr. Chairman. I want to join in the thanks to each of the panelists for your extraordinary testimony today. I want to focus with Mr. Douglas for just a moment. I really do appreciate your expertise. We need to have more people that have a background in the darker, sinister world. Mr. Douglas. My mother would be so happy to hear that. Mr. Hutchinson. I want to focus on Social Security numbers for just a second. We all have our stories of going into a business and cashing a check and they ask for your Social Security number, sometimes you don't even give them a check, you pay cash for it and they want to know your address and they want to know information. Mr. Douglas. Radio Shack, yes. Mr. Hutchinson. Your natural inclination, in the South we are particularly friendly, we just give them what they ask, we are accommodating. Of course, the dissemination of that information is a concern. But in reference to Social Security numbers, clearly, they are being used far beyond what was originally intended. What impact does that have on the dissemination of personal information? Mr. Douglas. It is the single biggest impact. It has become the national identifier, although the American people were told it would not be, and I think that is one of the reasons you see cynicism around the country and the concerns with privacy around the country that you talked about in your opening statement this morning when you were back in your district. Because people are aware of this, and they do know that--they are told on the one hand, don't provide that, you don't need to provide that, yet at last count I think 23 of the States in this Nation for the driver's license number use the Social Security number. So even if you provide your driver's license number, and we have all done this, especially if we live locally, Virginia has it, although again you can opt out of that process, but again how many do; the District uses it, that the clerk will record that on the back of the check. Many people, such as Ms. Twentyman, who end up as identity theft victims, need to remember there are 400,000 cases a year by the Secret Service's statistics, not some privacy whacko group; the Federal Government, recognizes 400,000 cases a year of identity theft in this country, that begin in just such a fashion, with information that is put down for purposes that is of questionable use. But yet, if you go in there, Mr. Hutchinson, and tell them well, no, I have been taught that I don't need to give that, in many cases they won't complete the transaction with you, even though that is not necessary for the transaction by any stretch of the imagination. So the Social Security number problem is the most frequent question I get when I talk to people on the Hill, and it is a very complex one, because it is so ingrained in so many systems around the country, and because it has become the default national identifier to tomorrow, say, well, for Congress to outlaw it, that somehow tomorrow it would crash the economy of this country. Mr. Hutchinson. You are saying that if we outlawed the use of Social Security numbers beyond the original intent, which is I guess you give it to your employer so that you can make sure you get credit for your FICA taxes that are paid. Mr. Douglas. Correct. Mr. Hutchinson. If we outlawed it beyond that limited use, what impact would that have? Mr. Douglas. I am sure you would hear loud and clear from the business communities that so many are using that as the national identifier, how will they now identify individual transactions that go through. That has become the national identifier. Every business in America that keeps information on our citizens and, you know, very valid reasons, whether it be medical records, financial records, the things that make our economy hum, to identify us use the Social Security number. Mr. Hutchinson. There is benefit to consumers for that as well. Mr. Douglas. Absolutely. That is one thing, and I touch on it a little bit more in my full statement. We need to be very careful, and that is why I wholly support this approach that is presented here today, because the piecemeal approach of legislation could be very dangerous. I think there needs to be--we need to take a deep breath. Gramm-Leach-Bliley just passed, the DPPA is just starting to kick in; I am not as familiar with the medical area, but it is just starting to kick in. We need to step back and take this 18-month look at, first of all, how do some of those provisions that are out there kick in, what effects do they have, and to find a comprehensive way to deal with that. Because to just take a rash approach tomorrow because of concerns I think would have a serious impact on the business community. Mr. Hutchinson. Thank you. Do I have any time left, or is it gone? Mr. Horn. Sure. Mr. Douglas. My fault. I am so long-winded. Mr. Hutchinson. Let me just ask one more question if I might which follows up on that. Dr. Appelbaum, you mentioned that one thing the commission could do is to increase public awareness. If you would just sort of elaborate on that a little bit, particularly in the area of medical records. We have a limited amount of protection now, but there are some things that consumers can do to protect to a greater extent their own information; is that correct? Mr. Appelbaum. There is, yes. There are a number of such steps that they can take, of which most people are unaware. An increasing number of States, for example, give patients the right to access their own medical records and to make corrections to those records if errors are found, before the records are widely disseminated, potentially, to their disadvantage. Most people don't know that. There are institutions such as the Medical Information Bureau in my home State of Massachusetts which collects medical-related information for the insurance industry, and similarly will allow individuals to find out, not easily, but to find out the information that is being kept in their files, and correct it, and most people are unaware of that as well. Mr. Hutchinson. Let me interrupt, because I want to yield back my time, but the commission I think is important, that if you conduct hearings across the country, you engage in getting information of the problems that are out there, but also educating the public as to things that they can do themselves to protect privacy, and I think that is very important. Mr. Chairman, thank you for your leniency, and I yield back. Mr. Horn. I thank the gentleman and I now yield to the ranking member, Mr. Turner, the gentleman from Texas. Mr. Turner. Thank you, Mr. Chairman. Ms. Twentyman, I want to thank you for your testimony. It has been very enlightening to understand what you have gone through. I notice you mentioned in one part of your testimony that you had $13,000, I believe it was, in one credit card account alone that was taken? Ms. Twentyman. Just in 3 or 4 days. Mr. Turner. In 3 or 4 days. Ms. Twentyman. Right. Mr. Turner. You mentioned, I think, later in your testimony that you haven't personally been held accountable for any of these balances. These credit card companies, do they have some kind of protection for you as a credit card holder that ensures that you don't have to pay when somebody steals from your credit card account? Ms. Twentyman. I don't know whether it is insurance or what, but all of them have, as soon as I report it, they take it off my account and tell me I am no longer responsible for it. I am not sure with their bookkeeping what they do with that money, but fortunately I haven't had to repay any of it. Mr. Turner. Mr. Douglas, have you had any experience with that? Do these credit card companies just routinely insure against theft? Mr. Douglas. Yes, sir. The consumer is only liable in theory for $50, if they make prompt notification, to the credit card company and most credit card companies will even waive that $50 on behalf of the customer in order to hold on to the customer. The thing that should be noted on this, although the customer is not losing out, the business is. And they are not necessarily insured, they are self-insured in this area. Current statistics show that on Internet transactions, and only 1 percent currently over the last Christmas season, only 1 percent of purchases were made by the Internet, 25 to 35 percent of credit card transactions currently made on the Internet are fraudulent, and the people picking up the tab on that are the Internet companies. They lose out. They end up biting the bullet on that. So again, if that area is not addressed, it will be a strain on the advance of the Internet economy. Mr. Turner. What kind of enforcement ability do we have to control this? It seems to me law enforcement is totally ill- equipped to deal with any of this. Mr. Douglas. I think currently they are. I think they are scrambling quickly to catch up. I know the Washington Post has documented just within the last week some efforts on behalf of the FBI to get up to speed in some of these areas, but as in many areas of crime, the thieves are often far ahead. It should be noted, an awful lot of that, especially in the Internet transaction area, is occurring overseas where we have no enforcement jurisdiction. So many of the software packages that are being developed for Internet businesses, I-businesses, in order to preclude fraudulent transactions are totally ruling out any transaction from overseas. Mr. Turner. When you said 25 percent of the e-commerce transactions are fraudulent, you are talking about purchases? Mr. Douglas. That is correct. Mr. Turner. With use of a credit card? Mr. Douglas. Right. Somebody claiming to be Mr. Turner to buy a pair of Nikes is not Mr. Turner, but somebody else. We have all seen when you have gone to a Web site and ordered that you can have it delivered to another address. That is what they will do, they will put in the credit card information and have it delivered to another address, which is often a vacant home or they are in cahoots with somebody else. Mr. Turner. What is the source of that 25 percent figure? Who compiles that kind of information? Mr. Douglas. You will see that in almost any of the Internet commerce magazines that are tracking this information. Mr. Turner. What is the track record with regard to theft from bank accounts? Of course I don't mean just Internet banking, but theft from bank accounts of individuals? Do we have any compilation of totals or is that a very common thing? Mr. Douglas. I don't have any compilations of totals. When you deal with the identity theft that I have talked about, which is pretext, it is very hard to track, because often it is done and the person doesn't know how it is done; just as Ms. Twentyman said, they never have caught the person. So a lot of people don't report, a lot of people are embarrassed about it, and I am sorry to say that our most fragile and under protected citizenry in this country is senior citizens who this happens to quite regularly. A lot of this is done over the phone. I have talked about methods that are used to get it from the actual institutions, the same methods are used to defraud our citizens by phone, and senior citizens are the most vulnerable because they grew up in a generation that was polite and didn't just hang up the phone on somebody. Mr. Turner. Is there any source of compilation of theft from bank accounts using any of these methods, or is this the kind of information banks wouldn't like to talk about too much? Mr. Douglas. Well, let me give you an example. There was an information broker by the name, a company called Source One, run by one individual by the name of Peter Easton out of New York. The State of Massachusetts has been the most aggressive in this area. They civilly prosecuted, I think, 10 companies, and he was the only one that went to trial, and they found thousands of cases in just his situation alone. Touchtone that I talked about before from Colorado is currently under a proceeding in the FTC and they also, when they saw his records, found thousands of these cases. Docusearch employs 18 people, Touchtone employed 12 or 18 people, and these are just one of hundreds or dozens of companies around the country. So you could work the statistics backward that way from the few successful prosecutions and know that this is happening thousands of times a day around the country, if that is helpful. Mr. Turner. Thank you, Mr. Chairman. Mr. Horn. We thank you. Let me ask just a few questions to the panel. I might say for my colleagues, if you pick out your voting card, which is your identity card, the Social Security number you have is printed on the card. So be careful. Anyhow, how about the chance to look at H.R. 4049, the Hutchinson-Moran bill. Do you have any suggestions on it? There is the markup of the commission and their purposes and so forth rather well set out. Dr. Appelbaum, do you have any thoughts on it? Mr. Appelbaum. Yes, I do, Mr. Horn. The composition of the group is laid out in terms of its bipartisan nature. But I think for the purposes of achieving true privacy protection, it would be important to build into this legislation some balance among the various actors in this area, since interests are genuinely conflicting and everyone should be represented. The National Committee on Vital and Health Statistics, which is similarly charged to explore this area, has on it, although it was balanced from a partisan perspective, no consumer representatives, no patient representatives, no privacy advocates, and one practicing physician, and it is that kind of imbalance that we would hope would not occur with this new and very promising privacy commission proposal. Mr. Horn. So you are saying in the appointments by the majority leader, minority leader, Speaker, and President, there ought to be, the kind of person they pick would have some major concern, maybe, on this particular matter. I don't know how the gentleman who authored this feels. Mr. Hutchinson. Well, first of all, I agree completely that this commission should be composed of people that represent a broad range of the stakeholders in this issue, and second, that they are openminded to this issue. But the reason that was not--when we thought about specifically delineating different representatives on it that sure enough we will leave somebody out, for one thing, and the balance of it, and I felt like, and we have talked about this with Congressman Moran, that the political process would work; in other words, these stakeholders are going to be asking and putting pressure on the appointing people to make sure they are represented on it. I am certainly open, if we need, and we can do that fairly, to delineate that, but that was the thinking, anyway. Mr. Horn. You mentioned, Mr. Douglas, in your testimony about the Colorado case, and you also mentioned what went on in Virginia. Now, what are the penalties the States have? Have you sort of taken a look at those? I want to tell the staff on both sides that the American Law Division will be asked to give us a paper on the penalties. But I wondered what your experience is; just for this hearing. Mr. Douglas. When it comes to the use of pretext and other means of fraud and deception to gain information, most of the States have nothing specifically on point. In fact, the Federal Government didn't, until the Financial Information Privacy Act under Gramm-Leach-Bliley, and that is specific to a very narrow range of pretext methods used against financial institutions. As I noted in my written statement, most of the information brokers have figured out, or are either ignoring it or have gone underground, unfortunately, that is quite a few of them, or figured out other techniques that I am aware of to get around it. Gramm-Leach-Bliley's enactment brought the first Federal criminal provisions ranging from 5 to 10 years, depending upon the dollar amount involved, or the size of the company. But most of the States have nothing. There had been really no prosecutions. There is some argument that Federal or State wire fraud laws might apply. Perhaps the identity theft law that Congress passed a year or two ago might apply, but we have seen relatively few criminal prosecutions at all. In fact, only 1 State criminal prosecution, no Federal criminal prosecutions, and about 12 civil prosecutions under Deceptive Trade Practices Act types of legislation the State mirrored on the FDC's regulations, if that is helpful. Mr. Horn. Have you had a chance to look at the Secretary of Health and Human Service's temporary regulations in this area and what the penalties are? Mr. Douglas. I have not. Mr. Horn. Have you had a chance to, Dr. Appelbaum? Mr. Appelbaum. Yes, we have looked at them extensively. Mr. Horn. Well, if you would like to file a statement for the record, that is fine. We will do it at this point. Because I realize sometimes in a hearing situation you don't have a chance to really see the language and all the rest of it, so we would welcome the thoughts from you, and your colleagues. Mr. Appelbaum. We will do that. Mr. Horn. To all of you I would ask, what is the extent of the problem with the law enforcement agencies and how easy is it to, let's be charitable and say provide incentives to them to give some of this information, which I guess you could also say are bribes. What has been your experience, Mr. Douglas, with these cases? Mr. Douglas. I am sorry, I misunderstood the question. Mr. Horn. Well, the question is, when your friendly local law enforcement agency has a lot of information and you, as a private detective, what are your feelings about what your colleagues do and maybe you do to gain information? Mr. Douglas. I am with you now. The purchase or bribing of information kept in Federal databases, including law enforcement, that area has actually subsided quite a bit with a round of prosecutions that took place around 10 years ago. It was quite common in the private investigative industry to have a friend in law enforcement, or many PIs are ex-law enforcement who would obtain NCIC information, which is arrest and prosecution records maintained in a Federal database. That has really come to a close, because a number of people have been prosecuted for it, so you don't see quite as much of that going on today. Mr. Horn. How about with insurance companies? Can they be subjected to sort of getting information out of them to people that maybe shouldn't have it? Mr. Douglas. Absolutely, and their Web sites, I didn't include any in my presentation today, but where I could go and find out what your life insurance policy is valued at; any of your insurance areas. I also didn't include in these charts stocks, bonds, mutual funds. Any position that you can think of, I can tell you a way to get it. Mr. Horn. Well, we thank you. We have to get to the next panel if we are going to adjourn at 12, so thank you very much. We really appreciate the time you have taken and the wisdom you have provided. I know, Ms. Twentyman, that it is really something like a stalker that is out somewhere. Our next panel consists of Professor Fred Cate, professor of law and Harry T. Ice faculty fellow at the Indiana University School of Law in Bloomington; Mr. Travis Plunkett, legislative director, Consumer Federation of America; Mr. Ari Schwartz, policy analyst, Center for Democracy and Technology; and Sandra Parker, esquire, director of Government Affairs and Health Policy, Maine Hospital Association. [Witnesses sworn.] Mr. Horn. All four, the clerk will note, have accepted the oath. So we will start with Professor Fred Cate, professor of law and Harry T. Ice faculty fellow at the Indiana University School of Law in Bloomington. Now, they have a school of law also in Indianapolis, don't they? Mr. Cate. Yes, Mr. Chairman, they do. Mr. Horn. But is the main one at Bloomington? Mr. Cate. They would resent the definition of ``main'' as being in Bloomington; there are two separate law schools. Mr. Horn. Well, you have a beautiful campus there in Bloomington. I was a fellow there for a week, 30 years ago, and it is impressive, what you are doing at Indiana. Mr. Cate. Thank you, Mr. Chairman. Mr. Horn. Please proceed. STATEMENTS OF PROFESSOR FRED CATE, PROFESSOR OF LAW AND HARRY T. ICE FACULTY FELLOW, INDIANA UNIVERSITY SCHOOL OF LAW, BLOOMINGTON; TRAVIS PLUNKETT, LEGISLATIVE DIRECTOR, CONSUMER FEDERATION OF AMERICA; ARI SCHWARTZ, POLICY ANALYST, CENTER FOR DEMOCRACY AND TECHNOLOGY; AND SANDRA PARKER, ESQUIRE, DIRECTOR OF GOVERNMENT AFFAIRS AND HEALTH POLICY, MAINE HOSPITAL ASSOCIATION Mr. Cate. Thank you very much. Mr. Horn. As you know, your statements are in the record; summarize it so we have time for questions. Mr. Cate. I will do so. Let me say for the record, I specialize in privacy and information law-related issues. I am testifying today not only as somebody who specializes in that area, but also on behalf of the Financial Services Coordinating Council, which, as I believe you know, is an alliance of the principal national trade organizations in each of the financial services sectors that deal with issues that cut across those sectors, including privacy. I think, as the prior panel showed, and something which I believe all of the members of this committee certainly already knew, the issue of privacy is not only incredibly urgent, it is also enormously complex. It arises in many different contexts, it involves many different types of information, it involves use of information by many different people. As a result, efforts to deal with privacy issues, whether those efforts are regulatory or legislative or technological, are themselves also inevitably quite complex, and there are a great variety of them. It is precisely because of this complexity and variety that the comprehensiveness of the proposal for a privacy study commission is certainly laudable. The idea of bringing together in one place a focus on a wide range of issues is certainly laudable. Let me be very specific, however, and offer two comments about the proposal itself. One is the issue of what do you do about financial information? Congress has just in the past year passed the Gramm-Leach-Bliley Financial Services Modernization Act, that has not even yet been implemented, regulations are currently pending, and that bill itself calls for a study to be conducted by the Department of the Treasury. The risk of duplicating that effort or of rewriting one set of regulations before an existing set even comes into play is a very great one and is something that I think this bill and the Congress in considering this bill will need to deal with explicitly. What is to be done about the fact that this is an area in which we have already recently undergone extensive regulation. I might also note in relation to the prior panel, financial services is an area that is already subject to considerable regulation. It has Federal regulators, it has State regulators. This is not an area without a framework of law that already exists and it is one that Congress has recently taken considerable steps to strengthen. The second point that I would like to make is the one which I believe was also made clearly on the last panel and that is really the key need that if there is a privacy study commission--the importance that its charge be broad, that it not be limited only to looking at the urgent need for privacy protection, but also at the cost of privacy protection, at the cost of inappropriate privacy protection, and at the alternatives to using laws or further regulation for privacy protection. Now, I think that is clearly captured within the pending legislation. I am not in any way suggesting that change to the bill as I read it, but rather highlighting the importance that if this commission is to engage in what Representative Moran called the ``thoughtful, deliberative'' process, it needs to have that broad charge and to consider the value of information flows, as well as some of the risk posed by those information flows. Let me stop there and allow for questions later. [The prepared statement of Mr. Cate follows:] [GRAPHIC] [TIFF OMITTED] T0436.033 [GRAPHIC] [TIFF OMITTED] T0436.034 [GRAPHIC] [TIFF OMITTED] T0436.035 [GRAPHIC] [TIFF OMITTED] T0436.036 [GRAPHIC] [TIFF OMITTED] T0436.037 [GRAPHIC] [TIFF OMITTED] T0436.038 [GRAPHIC] [TIFF OMITTED] T0436.039 [GRAPHIC] [TIFF OMITTED] T0436.040 [GRAPHIC] [TIFF OMITTED] T0436.041 [GRAPHIC] [TIFF OMITTED] T0436.042 Mr. Horn. Well, thank you very much, Mr. Cate. We will go to Mr. Plunkett. Mr. Plunkett is the legislative director for the Consumer Federation of America. Mr. Plunkett. Good morning. Thank you very much for the opportunity to offer our comments today, Chairman Horn, and Mr. Turner. We commend the subcommittee for examining this important issue. We agree with everything we have heard so far on the significance and urgency of further action on privacy protection for Americans. I am going to commend Representative Hutchinson, because we have talked, I have talked with his staff and with him about our concern here. It is not that we don't see a need for action with the commission and on privacy, it is just a question for us of what is the most effective and timely course of action. I too will focus my comments on financial privacy and on that issue in particular, we believe that a commission may actually be harmful, not because of your desire to look at the issue and address concerns, but because momentum is building right now at the State and the Federal level to take action soon. Our fear is that it will stall if a commission is enacted. Like it or not, if Congress establishes a commission to examine privacy issues, many will urge, and we have already heard it to some extent this morning, that all major privacy proposals be stuck in a deep freeze for 18 months or more. The commission has an ambitious schedule and they might run a little over while the commission is operating. We do very much welcome the fact that the sponsors of this bill, Mr. Hutchinson in particular, see a need for further Federal action on privacy, and I commend Mr. Hutchinson for highlighting the need for more comprehensive Federal approaches. The American people clearly want it. The Wall Street Journal surveyed its subscribers about the most serious issue facing America in the 21st century, and the top concern was not the economy, education, or illegal drugs, it was the loss of personal privacy. On financial privacy, there is a great deal of research about what Americans want, very specific research, including a 1999 survey by AARP, that found that 81 percent of its members oppose the internal sharing of their personal and financial information with affiliates, a key issue I will get to in a minute, and 92 percent oppose companies selling their personal information. The erosion of privacy, which we are all aware of and grappling with, leads not only to annoyances, and I put phone calls from pushy people at dinnertime in that category, it can be harmful. You have already heard a great deal about identity theft, which I would call the signature crime of the Information Age and the anecdotal evidence you have heard this morning is backed up by research. Law enforcement officials report a sudden sharp increase in identity theft. Another example regarding financial privacy, how this causes real harm, a bank in California's San Fernando Valley sold 3.7 million credit card numbers to a felon who then allegedly bilked card holders out of more than $45 million in charges worldwide. I would point out that consumers and businesses suffer when Americans are worried about their personal privacy. This is an issue that I think is very important to keep in mind. FTC Chairman Pitofsky recently noted that concerns about privacy are a major reason why Americans who do use the Internet don't make purchases. He also noted that consumers who do not use the Internet rank concerns about privacy as their top reason for not going on line. Now, the continuing gaps in financial privacy protection are particularly serious, and we take really a much different position than the previous speaker on this issue. Under Federal law, even the new Financial Services Modernization Act, the Gramm-Leach-Bliley Act, even our video rental records are better protected than confidential experience and transaction information held by financial institutions, in particular, held by those institutions and shared with their affiliates. Affiliate information-sharing is a very significant issue. We all expect that under the Gramm-Leach-Bliley Act, we are going to see the largest consolidation of the financial services industry in American history. That means that we, in terms of information-sharing and abuses and intrusions, what we have seen is the tip of the iceberg. It is going to happen. Most players in the market are honest, they are honest brokers, but we are going to see more intrusion and we are going to see more abuses. One of the worst information-sharing abuses on record did not involve the selling of information to outside third parties; it involved an affiliate. This is the NationsBank/ NationsSecurities case, which resulted in a total of $7 million in civil penalties. It was an inside affiliate-sharing agreement. NationsBank shared detailed customer information about maturing certificate of deposit holders with a NationsSecurities affiliate, which then switched, urged the CD holders to switch to a risky derivative fund. Many of these customers who did this lost portions of their life savings. Legislation to improve financial privacy protections has been introduced in at least 20 States and in both Houses of Congress. The bills in Congress are bipartisan, they are bicameral. Senator Shelby and Representative Markey are leading the charge and they have also set up, as many of you know, a Privacy Caucus. Several folks here are members, including Representative Hutchinson. Virtually all of these proposals would provide that information could not be shared with either an affiliate or a third party without informed consent. Once again, I would dispute what you have just heard. This isn't an issue that hasn't been studied, it isn't an issue that hasn't been debated extensively. It is the unfinished business of the Gramm-Leach-Bliley Act and the fact that so many States are looking at this issue, and several are moving these bills, they are not just introducing bills, and most of these bills deal with the same topic. Affiliate information-sharing shows me that it is a good idea to act soon and not wait for a good deal of time. I would note, even though I won't talk too much about this, you are going to hear more about this in a minute, that considerable progress has been made in terms of studying, debating various proposals on health privacy and Internet privacy as well. The Department of Health and Human Services, for instance, has received 60,000 comments on proposed health privacy regulations. The FTC has undergone numerous rulemaking proceedings on Internet privacy and has supervised or actually implemented several surveys as well. So in closing, let me just say that to his credit, Representative Hutchinson has clearly indicated that he doesn't want to delay progress of important privacy legislation with this commission. Our recommendation, and we have some modest recommendations which I won't go into regarding the language of the bill, but our broad recommendation is that the mandate of the commission be narrowed to address very specific issues in need of greater study. I think you are going to hear in a minute of issues that could be studied at greater length. We would urge those who do support the bill to make it clear repeatedly and on the record that the intent of the study is not to delay needed legislative action on financial privacy and health privacy and Internet privacy. Thank you. [The prepared statement of Mr. Plunkett follows:] [GRAPHIC] [TIFF OMITTED] T0436.043 [GRAPHIC] [TIFF OMITTED] T0436.044 [GRAPHIC] [TIFF OMITTED] T0436.045 [GRAPHIC] [TIFF OMITTED] T0436.046 [GRAPHIC] [TIFF OMITTED] T0436.047 [GRAPHIC] [TIFF OMITTED] T0436.048 [GRAPHIC] [TIFF OMITTED] T0436.049 [GRAPHIC] [TIFF OMITTED] T0436.050 [GRAPHIC] [TIFF OMITTED] T0436.051 [GRAPHIC] [TIFF OMITTED] T0436.052 Mr. Horn. Thank you. We now have Mr. Ari Schwartz, policy analyst for the Center for Democracy and Technology. You might tell us a little bit about that institution. Mr. Schwartz. Sure. Thank you, Chairman Horn and members of the panel. Thank you for inviting me to testify on the Privacy Commission Act. CDT believes that the focused privacy commission could help build privacy protections, but as Representative Hutchinson mentioned earlier, it should not be used to derail the current process on important legislative proposals already in front of Congress. Before going into detail about how such a commission might work, I would first like to explain CDT's view of the current state of consumer privacy. As some of you know, the Center for Democracy and Technology is committed to protecting privacy on the Internet. Recent studies have shown that individuals are growing more concerned about their loss of privacy, both on and off line. These growing concerns are well-founded. Stories of privacy invasions and security gaps in both the private and public sector are becoming almost daily occurrences. CDT believes that work in three areas, three legs of a stool if you will, are needed to help reverse this trend and build privacy protections for the future. First, CDT is working with many responsible companies, privacy experts and technologists on privacy-enhancing technologies which are necessary to build privacy into the infrastructure of communications technology such as the Internet and reverse the trend that we have been seeing so much of with privacy-invasive technologies. For example, we are working on a standard with the World Wide Web Consortium called the Platform for Privacy Preferences, or ``P3P'', which would make privacy notices easier to read. Many companies are beginning to build P3P into their Internet products. For example, last week Microsoft announced that it has plans to implement P3P in its upcoming consumer software products. Self-regulatory efforts by industry are also important to ensure enforcement on the Internet. As the economy becomes more global and decentralized, responsible practices become an increasingly important tool. Last, we believe that there is a role for Congress. Legislative approaches are needed. Without the means to imbed fair, predictable results, better encourage self-regulation, or go after bad actors in law, CDT fears that the actions of a single company could cause the public to question the motives of an entire industry. For the reasons that we have heard today, this is especially important in the financial, health and Internet areas. Congress must move forward in these areas in particular. A commission such as the one proposed could help learn how to protect privacy. In fact, over the past 30 years, we have seen various kinds of commissions at the U.S. Federal level. I have detailed those in my written testimony in the appendix. However, while the theoretical work of these commissions and panels have pushed privacy forward worldwide, the U.S. consumers have very little to show for it. Therefore, we urge you not to duplicate the work of those past committees and panels, but to move forward and focus the panel on issues that have not been studied. Some of the areas of special interest to this subcommittee may be: revising the Privacy Act of 1974. As early as 1977, a congressional commission found that the Privacy Act, which protects personal information within the Federal Government, was not as effective as it should be. The act should be examined again and recommendations should be made in light of the advent of government's use of the Internet and the spread of the Social Security number which we have already heard a little bit about today. Public records such as driver's license information and court records and other information that Mr. Douglas brought forward would also be a useful area to study. We need to reexamine how the government information is made available to the public. The claim that a government document is hard to find can no longer be used as an excuse to keep personally identifiable information available to anyone to sell or use as they wish. Similarly, government at all levels should be encouraged to post more public information to the Internet. With jurisdiction over both the Freedom of Information Act and the Privacy Act, the two great government accountability and openness acts of the past century, this discussion should be of great interest to this subcommittee in particular. On access and security issues, the commission could help Congress use the findings of the FTC advisory committee which is just finishing its work on these subjects. Last, a commission could examine the effectiveness of an individual's private right of action under privacy laws. While the private right of action should remain an integral part of privacy laws, we have seen time and time again that when this is the only option for Americans, they receive no redress. Again, this concern is most clear in the application of the Privacy Act of 1974. Creating a commission focused on these areas would allow its members to build on the work done in the past. While focusing the commission would better help use taxpayer dollars and allow us to further learn about privacy, the most vital concern facing the creation of a new congressional commission is a political one, as we have heard from Mr. Plunkett and Mr. Hutchinson. The commission must not be used to delay or deter from the discussion or progress of medical, financial or Internet bills that have already been mapped or studies. I thank you again for having me and look forward to your questions. [The prepared statement of Mr. Schwartz follows:] [GRAPHIC] [TIFF OMITTED] T0436.053 [GRAPHIC] [TIFF OMITTED] T0436.054 [GRAPHIC] [TIFF OMITTED] T0436.055 [GRAPHIC] [TIFF OMITTED] T0436.056 [GRAPHIC] [TIFF OMITTED] T0436.057 [GRAPHIC] [TIFF OMITTED] T0436.058 [GRAPHIC] [TIFF OMITTED] T0436.059 [GRAPHIC] [TIFF OMITTED] T0436.060 [GRAPHIC] [TIFF OMITTED] T0436.061 [GRAPHIC] [TIFF OMITTED] T0436.062 [GRAPHIC] [TIFF OMITTED] T0436.063 [GRAPHIC] [TIFF OMITTED] T0436.064 [GRAPHIC] [TIFF OMITTED] T0436.065 [GRAPHIC] [TIFF OMITTED] T0436.066 [GRAPHIC] [TIFF OMITTED] T0436.067 [GRAPHIC] [TIFF OMITTED] T0436.068 Mr. Horn. Thank you very much. We will get back to questions. Our last panelist on panel two is Sandra Parker, esquire, Director of Government Affairs and Health Policy, the Maine Hospital Association. Thank you for coming down. Ms. Parker. Thank you for having me, Chairman Horn. We represent 38 main hospitals and their affiliated entities. I am here today to tell you about Maine's experiences in legislatively protecting the confidentiality of health care information, a small subset of the information referenced in H.R. 4049, but one that is particularly near and dear to us. Our members, and I think everyone in this room firmly believes that health care information is very private and it needs to be protected against inappropriate disclosures. Dr. Appelbaum did a fine job explaining the reasons and concerns people have, and I am not going to reiterate any of them, but I will tell you in recognition of those concerns, our hospitals have always had policies in place to protect the information, because we think it is important, and we will continue to have the policies, no matter what happens in Augusta, ME or Washington, DC. The Maine Legislature agreed with us. In fact, they wanted to see every health care practitioner have those practice and policies in places to protect the information, and they felt that the Maine citizens would benefit from a statewide consistent privacy standard in applying to everyone. So they began. In January 1997, they took up the very difficult task of translating those protective ideals into legislative language. Their initiative would apply only to health care providers in an effort to protect health care information at its source. Respecting the complexity of the task before them, they worked with a professional facilitator and met every 2 weeks with interested parties and a facilitator to exhaustively study the issue and try to anticipate all of the concerns. They worked through the spring, they worked through the summer, they worked through the fall and into the next year. Our dedicated legislators worked for 2 years to develop a bill just on health care information and studied it extensively. Still, consensus was hard to find, and it wasn't until the final hours of the session in the 1998 session that a compromise bill was quickly passed through the House and Senate. It was to be effective January 1, 1999. As we reviewed the bill and prepared to help our members comply with the anticipated new law, we began to uncover some unintended and troublesome consequences, despite their extreme hard work. I would like to just briefly illustrate a couple of those, nowhere near what is in my written statement, but just a quick illustration. To do that, I need to tell you three provisions of the law. First, health care information is defined very broadly and intentionally so. They didn't want any health care information to fall through the cracks. So they defined it as any information that identifies an individual directly and relates to their physical, mental, behavioral condition, medical treatment, personal or family history. It sounds like a terrific definition. We still stand by it, but it caused us some problems. The second piece I would like you to know is that with certain exceptions, the law required written authorization from the patient or their legally appointed representative before any disclosures could be made. Again, that sounds terrific, and again, it gave us some problems I would like to tell you about. The third piece you need to know is that written authorization is a defined term in our statute. They specifically denote the elements of a valid authorization and nothing else will do. It must be written and it must have those elements. Well, nowhere in the law did they reference directory information, and what I mean by that is if you find out that your good friend Sandra Parker is in the hospital and you call the medical center and ask how I am doing they tell you that I am in room 222 and in satisfactory condition. Our law never mentioned directory information, but confirmation that I am in the hospital and saying that I am in satisfactory condition relates to my medical treatment and physical well-being and, therefore, falls within the definition of health care information, therefore requires written authorization from me specifically in order to release it. So, that is what we did. There were delays, however, and when people were in the emergency room and they hadn't gotten to their routine paperwork yet and they said to their care giver could you go out and get so and so from the waiting room, we would have to say, well, no, we can't, because we can't tell them you are here until we get to the paperwork and sign the forms. They could not tell us. Oral authorization was not enough, it had to be written. Unless and until that paperwork was done, visitors couldn't be directed, clergy couldn't be called, phone calls couldn't be transferred, flowers couldn't even be accepted. It sounds like a good idea, but in practice we received many, many complaints about it. The idea that oral authorizations were not allowed was a problem for us. Maine residents often spend the harsh winter months in more temperate climes and would like to call their physicians or hospitals and get their medical records transferred and that option was completely removed from their control. They now had to get a special form with statutorily required elements, fill it out, sign it, date it, send it back to their provider before the provider could direct the records to the right place. The other major problem that we had was that the authorization of disclosure was given only to the patient and their legally appointed representative. That was also done intentionally, for good reason. We don't want anyone else to have control of that information. However, many, many people don't have legally appointed representatives, and by that I mean a guardian, a court-appointed guardian, someone with power of attorney, someone under an advanced directive statute. What we found was that when people didn't have a representative, a legally appointed representative and were unable to sign their paperwork, because they were too ill, they were medicated, they had a stroke, whatever it was, we had nowhere to go. We could release no information to anybody under any circumstances. So despite great effort, there were some problems. We approached the sponsor of the bill and we worked with her to amend it, and we submitted a bill, but before the legislature could reach our bill, the law went into effect on January 1, as scheduled, and the day it went into effect, the legislators' constituents began to call, and they called, and called and called and complained, so much so, so adamantly so, that the legislature suspended the law after it was in effect for just 2 weeks and went back to the drawing board. There was extensive discussions about maybe not going forward at all, maybe we should wait for a Federal law, maybe we didn't need it, maybe it was an impossible task. But it was so important, so, so very important that the legislators, to their credit, gave it another try. They worked on it for 6 more months and amended the law. The amended law went into effect February 1, just a couple of months ago. So far, it seems to be effectively protecting information without provoking consumer outrage. Perhaps we will have more to do. We are still learning our lessons. But it is something that everyone in Maine believes in, and we will keep trying. It is that important. Thanks. [The prepared statement of Ms. Parker follows:] [GRAPHIC] [TIFF OMITTED] T0436.069 [GRAPHIC] [TIFF OMITTED] T0436.070 [GRAPHIC] [TIFF OMITTED] T0436.071 [GRAPHIC] [TIFF OMITTED] T0436.072 Mr. Horn. Well, that is very helpful experience. Let me ask you, what is the most important privacy issue you have confronted, either with the clientele you represent, or just your own experience? So let's just go down the line, Professor Cate. Mr. Cate. I guess I would say the single most important privacy issue is trying to find a solution to problems that are not clearly defined. So we talk about opt in and opt out, and things like this. In other words, we have a lot of terms on one side of the equation, tools for protecting privacy, without being clear about what it is we are trying to accomplish. I think that was exactly the issue Congress faced with Gramm- Leach-Bliley. Mr. Horn. Mr. Plunkett. Mr. Plunkett. Well, I will stick with our theme since it is our focus on financial privacy. One of the things I didn't mention which has been touched on by a lot of the speakers and is in our testimony is that the standards, the principles, the building blocks, if you will, for strong privacy protection are fairly well-known. In fact, they are reflected in the 1974 Privacy Act. They are called fair information practices. One of the most important is that the information that you provide should not be used for a secondary purpose. That obviously means for a purpose other than for which it was given. Our concern, once again, with financial institutions is that if you open a bank account, you may not know that your bank is affiliated or soon will be affiliated with an insurance company, and there are abuses that can occur there, and I think the NationsBank/NationsSecurities example I gave illustrates that. But there are also problems when cross marketing occurs, because that insurance company, in our opinion, shouldn't have your account transaction and experience information, because that is not the purpose for which you gave them the information. So to answer your question, I think applying the fair information practices to all of these issues, it can get complicated when you are dealing with the details, no doubt. But the hardest thing for us is to ask people to back up and say, well, don't forget the principles. They are fairly well established, they are fairly well-known, accepted, and please use them. Mr. Horn. Mr. Schwartz. Mr. Schwartz. I would say I have three areas. First, children's privacy is very important, because they--it has been shown that they are not really sure what they are consenting to when they actually do consent to something, medical privacy, because the information is so vital, and last information that is held by the government, because there are so many vital services that are needed when you turn over that type of information. So those three areas are really in terms of if you are going to do a tiered approach, those three areas would be the first place to focus in our minds. Mr. Horn. Ms. Parker. Ms. Parker. At least from our experience, the most difficult piece of protecting this information was the balance, the balance between necessary and desirable communication and the balance against the time that it took to get written authorizations to release the information. Mr. Horn. Well, I thank you for those answers. I noticed in one of the papers here, I believe it was Mr. Schwartz' one, where you noted the updating of the Privacy Act of 1974, and you made a point here that the quote, to make matters worse, the Office of Management and Budget has not updated its Privacy Act guidance since a year after the act was passed. What do you feel is the reason for that, and what do you think they ought to do in updating? Mr. Schwartz. Well, it has only been a year since the OMB has gotten a Chief Counsel for Privacy, so hopefully we are moving down that path. This past year we also had all of the agencies right there on Privacy Act implementation, where they stand on the reports, and the OMB and the Chief Counsel for Privacy in particular will be handing out a final report based on those to the Congress. Also, GAO is looking into privacy-owned government Web sites, another important issue that should be covered by the Privacy Act more than it is, but as I said in my written statement, the Internet--the Privacy Act wasn't designed with the Internet in mind. So we really do need to reexamine the Privacy Act. I think this kind of commission would be a perfect venue to do that, and it certainly would be great to have more oversight hearings on the Privacy Act when OMB's report moves forward. Mr. Horn. Mr. Plunkett, is there legitimate need to exchange information between the banks and third-party affiliates, specifically for the various life needs, like check printing and credit billing in small community banks, and wouldn't you agree that these need to be known before laws are enacted which could have unintended consequences, which could cripple entities such as the small community banks? That is a question that Mr. Hutchinson has left for me to ask, because he had to go to another meeting. Mr. Plunkett. That is a good question. The legislation that Mr. Markey and Mr. Barton have introduced allows for explicit approval for the financial institutions to share information when it is for the intended purpose; that is, if you are opening up a checking account, they can certainly share your checking account information to those that are printing your checks. That is a fairly, I think a fairly easy problem to fix and absolutely there is a legitimate reason in that circumstance to share information. Mr. Horn. Any other comments on that by anybody? Professor Cate. Mr. Cate. If I may just say, Mr. Chairman, I think the difficulty here is that there are a lot of uses that we might consider valuable that aren't that immediately obvious. For example, fraud prevention or detection, monitoring accounts to determine if there are charges out of the ordinary, monitoring an account to determine whether that customer is speaking to a balance in a noninterest-bearing account--these are all things which we could debate on whether it is within the purpose for which the person originally disclosed the information. I think we would also all consider them to be valuable uses. I think this really sort of highlights the complexity here. I obviously disagree that this issue has been thoroughly and well studied and we now know what to do and should do it. I think the fact that you have 22 States that have introduced 22 different bills, none of them agree on what to do and how to do it, and in fact a large part of that is that we have so little sense, I think exactly what the Maine experience showed. It was easy to focus on the privacy side; it was very hard to focus on what are all the valuable, useful things we do with useful information every day that we don't want to put a stop to. Mr. Horn. Thank you. Well, thank you. I just have one question before I yield to Mrs. Maloney. Some of you have had experience on the privacy laws abroad, and I am curious what your thinking is on the European Community's privacy laws. You will recall the European Community asked all of their Member States to put together a privacy law about 2 years ago, and then they put it off for a while, and there were real concerns in this country in terms of the free flow of data between corporations of the United States subsidiaries in Europe and European subsidiaries in the United States, and that was one of the reasons they put it off. I just wondered what your thinking is there, and would that have made a major impact on the economy. Again, they wanted, I guess even a census date that the individual signed the form, which sounded a little much. But go ahead. Mr. Cate. Well, Mr. Chairman, thank you. I think the answer is absolutely it would have made an enormous impact on not only the economy of international trade between the United States and Europe, but also within Europe, which is probably why Europe has really not implemented the directive. Half of the countries haven't implemented it at all, they have not even made the pretense of implementing it. The others have implemented laws which we are told by data protection commissioners in Europe are not being enforced currently. So, for example, if you read the law, what is the law today in England, Greece, or Portugal, it would tell you that the law is opt in affirmative consent. You must get consent, for example, from every employee in writing before you process their data. What we know is that is not taking place in any of those countries, that in fact they are simply using a slightly different mechanism than we use. We tend to write exceptions into law; they are simply putting those exceptions into practice. Mr. Horn. Any comments on that, Mr. Plunkett? Mr. Plunkett. I would note that in the so-called safe harbor negotiations, many of the same entities, financial institutions in particular, that talk about the expense of complying with meaningful privacy protections, and by that I mean privacy protections that extend to affiliates which I spoke about earlier and information-sharing to affiliates, many of the same companies that are objecting there are willing to go along with an agreement that is close to being consummated, the so-called safe harbor agreement, that will provide European customers of American institutions with greater privacy protection than with American customers. Mr. Horn. Now I yield to the gentlewoman from New York. It is good to see her here, a former ranking member. Mrs. Maloney. Great to see you, Mr. Horn, and thank you for calling this important hearing. I would like to request that my opening statement be put in the record. Mr. Horn. Without objection, it will be put where all the opening statements were, as if read. Mrs. Maloney. Thank you. Then I would like to just ask a few questions. I am not against this bill, but I hope that the intent is not to stop other protections from going forward, and the protections that we already have in place. Last year, as a member of the Banking Committee, I had an opportunity to participate in the conference on the Gramm- Leach-Bliley Financial Services Reform Act where we had a considerable debate over issues related to the privacy of financial institutions and passed some privacy protections for consumers of financial institutions. These regulations have not even been in place yet. Shortly over 2 billion consumers will be receiving privacy notices in the mail, and my question is, would this commission in any way halt or hinder this work that we have already done? This commission? Mr. Cate. Well, if I can speak to that, I would say certainly, you know, our view is that it should not. Mrs. Maloney. So it would not. Is that clear in the bill? Mr. Cate. I believe there is no language in the bill that would suggest it has the power to stop the implementation or that it is the intent of Congress to stop the implementation of any existing law. You might even argue further, I mean this would suggest to me why, if the commission goes forward, you would probably want people on it, some of the members of it, to be involved in the implementation of that law, to bring the experience of that process to the commission. Mrs. Maloney. I would like to mention---- Mr. Plunkett. Could I respond as well? Mrs. Maloney. Sure. Anybody can comment. Mr. Plunkett. I would agree that the intent of the act is not to inhibit implementation of the Gramm-Leach-Bliley act. I would note, though, that the regulations that are ongoing don't deal with the significant flaw in the act that these State bills and the Federal bills have identified, which is the affiliate-sharing loophole. Mrs. Maloney. But a number of States are going forward with their initiatives, as I understand it, is that correct? Mr. Plunkett. Well, they are moving through the process, including in New York, from what I understand. Mrs. Maloney. Now, I would like to ask about another issue. We actually had several hearings on this particular matter, the Health Insurance Portability Act, a 1996 act. It provided that if Congress was not able to reach consensus and enact legislation on medical privacy by August 1999, the Secretary of Health and Human Services would come forward with medical privacy regulations to ensure that Federal medical privacy protections are in place. Since Congress failed to meet the August 1999 deadline, the Secretary is now, as we sit here, in the process of finalizing medical confidentiality regulations. I would just like to ask the members of the panel, do you believe that if a privacy commission were created, the administration should delay moving forward with these regulations until after the commission completed its report? I would like to really--you know, in other words, the question I am asking is one that--would this in any way hinder work that is already in place from going forward or stop other protections from going forward? I don't know if the proper person to ask is the panel or Mr. Hutchinson himself, but you know, the fact that we have been working in this committee actually since 1996 and that these are supposed to come forward, I believe, shortly, would this in any way hinder that from going forward in? Mr. Hutchinson. If the gentlewoman would yield. Mrs. Maloney. Absolutely. Mr. Hutchinson. The answer is no. There was some discussion and some urging to put in the commission bill a moratorium on other regulations and legislation moving forward until the commission did its work, and we specifically rejected that, because again, I view this commission and this legislation as complementary and not as a substitute. So there would not be a prohibition there. In fact, I think many of those will be adopted this year, won't they? Mrs. Maloney. Well, yes, they are supposed to come forward, and as we mentioned while you were not in the room, the financial services bill, the bipartisan Leach-Bliley bill had privacy for the financial institutions, and they are in the process of coming forward with them, and as I mentioned, roughly 2 billion consumers will be getting notices. This will not in any way hinder the work of the Banking Committee on the privacy issue? Mr. Hutchinson. The answer is it will absolutely not interfere. Mrs. Maloney. Now, obviously, who is on this commission is going to have a lot to do with how well it operates. I understand from reading it that there is no criteria for the commission's membership. I would just like to ask Mr. Cate, Mr. Plunkett, and Mr. Schwartz, what are your ideas of criteria for membership on this, and what do you think would be the appropriate criteria for membership on the commission? Mr. Schwartz. I will address that, partly because I addressed it in my written testimony and was not able to address it orally. Mrs. Maloney. I am sorry. I missed it then. Mr. Schwartz. We think that it is very important that consumer groups, privacy advocates, and the other--along with many of the other groups that would be affected in the financial health industries be represented on the panel. We have specific concerns that the schedule for the panel, 20 meetings in 18 months, is really quite a heavy load for-- particularly for consumers groups and civil liberties groups, because even the time constraints on limited staff resources can be very difficult, so we hope that that can be addressed as well. Mr. Cate. If I may also respond and wholly join in that comment, I think one of the assumptions is that if a commission goes forward, it has a tremendous amount of deliberation to do, that it is not so much unearthing new information, it is working out ways of working with existing information. I think one of the things that would be of concern in the bill is the requirement for 20 hearings in five different locations in 18 months, that it would be preferable to have this commission be able to spend a greater amount of its time in deliberation as to how to reconcile these issues as opposed to engage quite so much as a fact-finding body. If I may also just add one point: in addition to the representation along types of groups, consumer groups, industry groups and so forth, I too would reiterate the point that I think it is important that the experiences that the members bring to the table, whether those are experiences from business or industry or consumer groups or academia, it makes no difference, that those experiences reflect a broad range of interests and approaches to privacy; that what you don't want is a group of people who are all focused on privacy, but just from different points of view, since we have clearly I think come to understand that these privacy issues touch on, as the Maine experience shows, so many other realms of our lives that you would want that well represented. Mrs. Maloney. Just as a followup, Mr. Cate, in reading your testimony, you stated that the commission's work might duplicate the Treasury study on Gramm-Leach-Bliley on financial privacy. Do you think that the commission is unnecessary as a whole, or just unnecessary with regards to the financial services industry? Could you sort of clarify your thoughts on that? Mr. Cate. Yes. Unfortunately, I can only make them as clear as they are, and you may find that they are somewhat befuddled to start with. I think it is very important that the commission not duplicate existing work, and I think there is a real risk with the Treasury study under way currently that you would not want the commission to do the same type of study. Mrs. Maloney. When is the Treasury supposed to complete their study, do you know exactly? Mr. Cate. I believe they have another full year to complete it. So there would be some overlap potentially between the commission and the Treasury study. That is true in other areas as well. I mean there are certainly other studies and other studies done in the past. I don't think you want any of those duplicated. I think that doesn't put an end to the question, though. The question is, if there is a commission, how can it build on the work that the Treasury is doing. There would be a variety of ways. I mean one way would be to exclude financial information, to say look, the Treasury has been dealing with that, we are going to leave that out. Another way would be to say include financial services information, but with particular attention to not sort of going through the same types of hearings, the same types of deliberation, but rather to draw on what the Treasury and other financial regulators are doing. I am sure there are many other ways of doing that. That is instruction it seems to me Congress would want to give either through legislative history or the legislation. Mrs. Maloney. Is my time up, Mr. Chairman? Mr. Horn. Go ahead. Mrs. Maloney. Thank you, Mr. Chairman. You made a statement about the valuable--useful use of information, and I think one of the most startling things in our country now, and really in our economy and in our life, is just the fast-changing pace of the so-called information age. We have had hearings on many of the things that may be driving these tremendous, or one component, the tremendous success of our economy is this whole information age that is allowing so much to happen so quickly. Would you elaborate in your statement on really not wanting to curtail the use of information and being able to grow on this new phenomena, but also to protect privacy and some of the valuable, useful uses of information that we don't want to hinder in the growth of possibilities for individuals and really growth of our country? Mr. Cate. Well, yes. Thank you. Let me offer two responses. One is I think it is critically important that we do a better job, and by we I mean all of us. Certainly academia bears a shared responsibility, for not having engaged in the type of research as to how we use information. We really know very little about that. We know a lot about privacy, we know very little about, if you will, the infrastructure uses of information. How does a business, how does Congress use information about individuals and in what ways does it benefit our lives? What are ways in which--public records is a good example that was raised earlier. In the financial services context, I think that type of an investigation has really first begun. I did a study which was published just a month ago now which was just the tip of the iceberg in looking at the types of beneficial uses that come out of allowing relatively unhindered access to basic personal information. Who has an account, where, what do they use it for, etc. The best example of that is probably fraud prevention, that if we can look across accounts, you see patterns of consumer behavior, which then when you see anomalies, may alert the bank or the credit card issuer or whomever to the fact that there is something here that that consumer may need to be notified about or there may need to be further inquiry. As we heard on the first panel, given that it is the businesses and then ultimately consumers that sustain those losses, that cover those losses where there is fraud, for example, allowing that type of use seems important. But I think the second response was more the process response. I think that is why if there is to be a commission, or if there is not to be a commission, it is important that we all be engaged more in the process of figuring out what are the other uses of this type of information. They may be as pedestrian as confirming where to make a flower delivery for a patient in the hospital, but that really matters to real people who are in distress. Mr. Plunkett. Could I just jump in and say that nothing in any of the financial privacy proposals that we or I believe anybody supports would prevent fraud prevention or inhibit fraud prevention. It is important also to note the increasing, again, uneasiness that Americans have about erosion of their privacy. I do not want anybody to get into this situation where they are putting privacy at odds with economic interests. As I mentioned before, when it comes to, for instance, being at ease with electronic commerce, privacy protection may actually be the best thing for more people using the World Wide Web and the Internet, and taking advantage of electronic commerce because they won't worry that their privacy is being violated. Mrs. Maloney. Well, I appreciate your testimony. My time is up. I would just appreciate, Mr. Hutchinson, if in the, I don't know, intent or some place in the bill you would let it be clear that you in no way want to hinder the work going forward from the 1996 Health Insurance Portability Act on privacy and also the work of the Banking Committee on the Gramm-Leach- Bliley, so that it doesn't hinder this work going forward. Mr. Horn. We are going to have a markup on this. That might come up there. I will tell you, if this commission doesn't pass, there won't be much passed, because they have had numerous privacy bills in the Senate, in the House; they have gone nowhere, except the one on the banking and the human services regulations issued by the Secretary. So I look on it the other way, that this is the way to get a privacy law on the book, is get that commission moving. I thank the gentlewoman for being here. The last word I will give to the prime author of the legislation, Mr. Hutchinson. I want to say that both the Democratic side and the Republican side will be forwarding you and the first panel some questions that we haven't been able to get to. We hope you will write the answers and they will go in this part of the record. In addition, we will keep the record open to any citizen for the next 2 weeks, roughly 14 days. So please send it to the staff. It is B-373, I believe. The chief counsel and staff director, Mr. George, is over there, and we will work it out with everybody as to the questions and they will go into the official record. So I now yield for the last word on this subject for 5 minutes to the gentleman from Arkansas. Mr. Hutchinson. I thank the Chairman. Again, I want to express my appreciation for this hearing, your willingness to schedule a markup on this legislation. I just want to make a couple of comments. First, I want to thank Ms. Parker for being here and testifying on this and giving us the experience from Maine. I think that is very instructive and helpful as we look at this in Congress and our responsibility. There has been some questions about the criteria for membership, and I would emphasize that, you know, this can be changed; obviously, that is what the markup is for, and if wisdom prevails that we ought to specify different criteria for involvement in this commission, then I am certainly open to that. But the reason that was not included is, as I stated before, there is always a fear of leaving someone out. I can just see itemizing who should belong to this commission and someone coming up and saying, well, how about our group, or how about this particular stakeholder. So you start down a risky path. The other reason is that it is consistent with other commissions in the past that you leave the particular makeup of the commission to the appointing officials and allowing a bipartisan consensus to develop on it. So I would expect that all of the important stakeholders should be and will be represented on the commission. But again, if we need to be more specific than that, then that might be an option. The second issue, and I want to talk to Mr. Plunkett for a moment, and I very much appreciate your testimony today, and I specifically wanted you on this panel because I knew you disagreed with the commission. I think it is important as you consider legislation that you hear from both sides. I appreciate your work on privacy. You and I can get together and we can push some of these bills through and we can get some passed this session, but there are a lot of other players out there, and I think in fact because it could be a short legislative session, it is going to be difficult, as the chairman said, to develop a consensus on an individual bill. But it is very important that this not be used as an excuse not to continue passing some privacy regulations or some privacy initiatives. I see this as complementary. If you passed everything on your wish list, Mr. Plunkett, this year, I still think we need a privacy commission, because you still have on-line privacy issues, you have developing technology, you have got new criminals out there that create new methods of invading someone's privacy. So I think that we need to see how the laws that we passed are going to work, we need to see how the FTC and the other regulations that are being considered on financial privacy, how they are working out there, and that is part of the function of this commission, to see what supplementary we need to do. For example, Mr. Plunkett, I mean there is the opt-in, opt- out question right now, am I correct? Mr. Plunkett. Oh, yes. Mr. Hutchinson. And so if there is not--I mean the regulations that are going to be adopted are going to be under the--where you have to specifically opt out, is that correct? Mr. Plunkett. In some cases. In other cases it won't be allowed, yes. Mr. Hutchinson. So if you want to change that, unless we pass some legislation, the commission would have to look at that. Now, I think the debate was whether we should even look at that at all, because it is already under consideration by an ongoing regulatory body, and I think that is a fair consideration we need to talk about some more. But regardless of what we pass, I see the need for a commission to look at the new challenges in the future, and to look at it comprehensively rather than just sectorially, what are we doing in financial privacy, what are we doing in health care records and what are we doing with on-line. It intersects and cross-sections each other. So that was the purpose of it. I know that was a little bit of a speech---- Mr. Plunkett. After my speech, you have a right. Mr. Hutchinson. So thank you again, Ms. Parker and gentlemen, for your testimony today. I yield back, Mr. Chairman. Mr. Horn. I thank the gentleman very much. I hear the gentlewoman from New York has one question. Mrs. Maloney. Mr. Chairman, I have another item that really came out of the Banking Committee and I would like to ask Mr. Hutchinson for clarification. I would like to see it in this bill, and I am waiting to see the final language, but I am not against this bill and will probably support it. But one thing that we were very concerned about is that each State is different in their financial services, very different. So States wanted the freedom to come forward with stricter provisions and insurance or privacy or banking or their own special needs, and in your bill, do you see that this would not in any way hinder the ability for States to go forward with stricter provisions? Mr. Hutchinson. No. The commission will have to look at what the States have done, consider their approach, and consider whether you want to have a comprehensive Federal approach, or where you have a Federal floor which is supplemented by the States. Mrs. Maloney. That is what we supported in Banking. Mr. Hutchinson. And that would certainly be my inclination, but that is something that the commission would have to debate. Mrs. Maloney. Thank you. Mr. Horn. I thank the gentlewoman. I would like to thank the staff on both sides. Let me just go down the line. The staff director, chief counsel for the House Subcommittee on Government Management is Russell George; the counsel next to me for this particular hearing is Ms. Bailey; Bonnie Heald, director of communications back there; and Bryan Sisk, clerk; and Ryan McKee, staff assistant; Michael Soon, intern; and Mr. Turner's counsel is Trey Henderson, counsel; and Jean Gosa, minority clerk; and Julie Bryan is our faithful court reporter. So thank you very much for being with us. With that, we are adjourned. [Whereupon, at 12:20 p.m., the subcommittee was adjourned.] [Additional information submitted for the hearing record follows:] [GRAPHIC] [TIFF OMITTED] T0436.073 [GRAPHIC] [TIFF OMITTED] T0436.074 [GRAPHIC] [TIFF OMITTED] T0436.075 [GRAPHIC] [TIFF OMITTED] T0436.076 [GRAPHIC] [TIFF OMITTED] T0436.077 [GRAPHIC] [TIFF OMITTED] T0436.078