[Senate Hearing 107-] [From the U.S. Government Publishing Office] S. Hrg. 107- 990 FINANCIAL PRIVACY AND CONSUMER PROTECTION ======================================================================= HEARING before the COMMITTEE ON BANKING,HOUSING,AND URBAN AFFAIRS UNITED STATES SENATE ONE HUNDRED SEVENTH CONGRESS SECOND SESSION ON THE GROWING CONCERNS OVER THE WAY CONSUMERS' PERSONAL AND FINANCIAL INFORMATION IS BEING SHARED OR SOLD BY THEIR FINANCIAL INSTITUTIONS __________ SEPTEMBER 19, 2002 __________ Printed for the use of the Committee on Banking, Housing, and Urban Affairs U.S. GOVERNMENT PRINTING OFFICE 90-808 WASHINGTON : 2003 _____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS PAUL S. SARBANES, Maryland, Chairman CHRISTOPHER J. DODD, Connecticut PHIL GRAMM, Texas TIM JOHNSON, South Dakota RICHARD C. SHELBY, Alabama JACK REED, Rhode Island ROBERT F. BENNETT, Utah CHARLES E. SCHUMER, New York WAYNE ALLARD, Colorado EVAN BAYH, Indiana MICHAEL B. ENZI, Wyoming ZELL MILLER, Georgia CHUCK HAGEL, Nebraska THOMAS R. CARPER, Delaware RICK SANTORUM, Pennsylvania DEBBIE STABENOW, Michigan JIM BUNNING, Kentucky JON S. CORZINE, New Jersey MIKE CRAPO, Idaho DANIEL K. AKAKA, Hawaii JOHN ENSIGN, Nevada Steven B. Harris, Staff Director and Chief Counsel Linda L. Lord, Republican Staff Director Dean Shahinian, Counsel Daris D. Meeks, Republican Counsel Mark F. Oesterle, Republican Counsel Sarah E. Dumont, Republican Professional Staff Joseph R. Kolinski, Chief Clerk and Computer Systems Administrator George E. Whittle, Editor (ii) C O N T E N T S ---------- THURSDAY, SEPTEMBER 19, 2002 Page Opening statement of Chairman Sarbanes........................... 1 Opening statements, comments, or prepared statements of: Senator Shelby............................................... 2 Senator Stabenow............................................. 3 Senator Akaka................................................ 26 Senator Corzine.............................................. 27 Senator Carper............................................... 41 WITNESSES William H. Sorrell, Attorney General, The State of Vermont....... 4 Prepared statement........................................... 46 Fred H. Cate, Professor of Law, Indiana University School of Law. 8 Prepared statement........................................... 53 John C. Dugan, Partner, Covington & Burling; on behalf of the Financial Services Coordinating Council........................ 11 Prepared statement........................................... 57 Mike Hatch, Attorney General, The State of Minnesota............. 14 Prepared statement........................................... 62 James M. Kasper, Member, House of Representatives, The State of North Dakota................................................... 17 Prepared statement........................................... 65 Phyllis Schlafly, President, Eagle Forum......................... 21 Prepared statement........................................... 69 Edmund Mierzwinski, Consumer Program Director, U.S. Public Interest Research Group; on behalf of: Consumer Action, Consumer Federation of America, Consumer Task Force on Automotive Issues, Consumers Union, Electronic Privacy Information Center, Identity Theft Resource Center, Junkbusters, Inc., Privacy Rights Clearinghouse, Private Citizen, Inc., and U.S. Public Interest Research Group......... 23 Prepared statement........................................... 72 (iii) FINANCIAL PRIVACY AND CONSUMER PROTECTION ---------- THURSDAY, SEPTEMBER 19, 2002 U.S. Senate, Committee on Banking, Housing, and Urban Affairs, Washington, DC. The Committee met at 10:07 a.m. in room SD-538 of the Dirksen Senate Office Building, Senator Paul S. Sarbanes (Chairman of the Committee) presiding. OPENING STATEMENT OF CHAIRMAN PAUL S. SARBANES Chairman Sarbanes. The hearing will come to order. This morning, the Committee meets to hear testimony on the issue of financial privacy and consumer protection. At the very outset, I want to acknowledge the interest and the contribution which Senator Shelby has made regarding this issue and I am pleased to be working with him on it. Senator Shelby. Thank you, Mr. Chairman. Chairman Sarbanes. During the past few years--even longer, actually--there have been growing concerns over the way consumers' personal and financial information is shared or sold by their financial institutions. In 1999, when we did the major revision of the structure of the financial industry, after considerable debate, we enacted certain Federal privacy protections, although many perceived them as not to be fully adequate to the challenge, and therefore, financial privacy remains a critical issues. The amount of sensitive personally identifiable financial information that, under current Federal law, can be circulated is vast. It includes savings and checking account balances, certificates of deposit maturity dates and balances, any check which an individual writes, any check that is deposited into a customer's account, stock and mutual fund purchases and sales, life insurance payouts, and other data. The universe of consumer data that the financial institutions can collect, warehouse, and then either share or sell is increasingly growing, some think at a very rapid pace. Modern technology makes this sharing cheaper, quicker, and easier than ever before. I think the real issue is that much of this is done without the knowledge or the approval of the customer regarding the specific information being transferred or the specific affiliated or nonaffiliated company to whom it is either being sold or shared. Financial privacy is in many respects a fundamental right that all consumers should enjoy. And obviously, if that is the case, if it is not adequately protected, we can have abuses. Recent reports and surveys indicate the public's ongoing concerns. Dr. Alan Westin of Columbia University, who heads Privacy and American Business, wrote this year: ``Both on and off the Internet, consumers are more concerned about privacy today than they have been at any point over the past 2 years.'' A survey published this year by that group and sponsored by the AICPA and Ernst & Young found that 79 percent of respondents agreed with the statement: ``Consumers have lost all control over how personal information is collected and used by companies.'' The same survey found that the number of respondents who disagreed with the statement: ``Existing laws and organizational practices provide a reasonable level of protection for consumers today.'' That was the statement, that existing laws and practices provided a reasonable level of protection. The number disagreeing with that statement has gone from 38 percent in 1999 to 62 percent in 2001. We obviously need to address the issue of whether consumers should have the right to choose whether his or her bank or other financial institution may circulate private financial information to others for purposes that the consumer may never have originally intended. At today's hearing, we will hear testimony with respect to a number of questions: Do consumers continue to be concerned about their financial privacy, the privacy of nonpublic personally identifiable data held by financial institutions? What types of concerns do consumers have about the possible uses of their financial information? Are the minimum financial privacy protections in Federal law adequate to meet the consumer's concerns? What recommendations would panelists make to the Committee regarding financial privacy protection? We have a number of very able witnesses with us this morning. In a sense, I apologize for the breadth of the panel, but we had many people that we wanted to hear from. I think what I will do, in view of that, is I will introduce each witness as we come to them, rather than introducing them all here at the outset because, by the time we get to the last witness, they may have forgotten what was said about them. [Laughter.] So before I begin the process of going to the witnesses, we thank all of you for coming today, we very much appreciate your participation, I yield to my colleagues for any opening remarks. First, I turn to Senator Shelby. STATEMENT OF SENATOR RICHARD C. SHELBY Senator Shelby. Thank you, Mr. Chairman. Thank you for calling this hearing. And I also want to thank you for your long-time interest and work in this area. We worked together on a number of initiatives dealing with financial privacy and I believe we will continue to work those issues because the more I see and talk to the American people, most of them do not realize what is going on yet. But they are learning. And hearings like this certainly help. Mr. Chairman, the subject of financial privacy is one that is very important to all of us and requires the Committee's thorough consideration, as you realize. I want to thank the witnesses for taking the time to come here to share their views and experiences with us. And I look forward to hearing from all of you. This issue of privacy is not a new one. In one way or another there has been an ongoing debate about privacy since the founding of this country. However, the issue has clearly evolved over time as a range of specific incidents and general trends have raised public concerns about new or different threats to our privacy. Where once only the Government possessed the ability to obtain and the means to exploit vast amounts of personal data, technology now makes it possible for just about anyone to collect, to store, to sell, or to do just about anything that they want to with a lot of our private items. I believe that the existence of such capabilities requires that we carefully, here in the Congress, examine the pros and cons of its use relative to the disclosure of personal information. Furthermore, as we move forward, I think it is extremely important that we continue to pay close attention to the significant role that technological capability is going to play in this debate. Consumer and industry demand for faster and more reliable information exchange is only going to increase. As technological capabilities are expanded to keep up, new and unforeseen issues concerning the use of sensitive personal financial information I believe will continuously arise. While it may not be possible to develop rules that deal with every possible scenario involving the use of confidential financial information, I believe the American people will demand that we establish some basic principles that will guide our future efforts. In order to do this I believe that it is important for this Committee, the Banking Committee, to draw from a broad range of perspectives in considering the basic questions regarding the various Federal laws touching on financial privacy. For instance: Are such laws effective? Are they targeted to consumer concerns? Do consumers even understand them? I am going to ask that again: Do consumers even understand them? Are they in sync with today's marketplace? What restrictions do they place on business activity? Additionally, in light of the fact that the States play an important role in this area, I think it is also essential for us to gain a better understanding of their efforts and to consider some basic questions about their activities. For instance: Do State officials have a greater perspective or awareness regarding the trends or concerns about financial privacy? What value is provided by preserving a State legislative role, thanks to Senator Sarbanes? What value is provided by preserving strictly a State enforcement role? How does State activity impact the financial services industry? It is my hope that this is just the first, Mr. Chairman, of what I hope are a whole series of opportunities to consider this issue. I look forward to a productive and informative dialogue here and I thank you for this hearing. Chairman Sarbanes. Thank you very much, Senator Shelby. Senator Stabenow. STATEMENT OF SENATOR DEBBIE STABENOW Senator Stabenow. Thank you, Mr. Chairman. And to you and to Senator Shelby, thank you for your leadership. I think this is one of the most important issues that we face as we move forward at this time, and I appreciate the fact that we have so many people willing to share their expertise with us today. This is a topic that, in our increasingly sophisticated world, is one that consumers are extremely concerned about, as has been indicated. We know that our financial decisions can be recorded, analyzed, shared, and sold, and consumers want to know that they have a basic level of privacy. We all want to know that we have that basic level of privacy. When we passed the privacy provisions of Gramm-Leach- Bliley, we were breaking new ground. We gave the public a certain degree of control, but not as much as many would have liked. And since the Act was passed in 1999, the regulators have had the opportunity to set standards, as we know, and financial institutions have been complying with the law. Now it is appropriate to reflect on that legislation and how it is being implemented and where we should go from here. Is it sufficient? Is it being implemented effectively? As Senator Shelby said, do consumers really understand their privacy rights? Are the annual financial privacy disclosures effective or simply thrown away with all of the other things that come in the mail? What are regulators doing to make sure that these disclosures meet the spirit of the law? I also believe it is important to look at States, as Senator Shelby was mentioning. I know there have been a number of serious debates going on in States. In particular, there has been a lot of focus on North Dakota and California. I suspect the discussions will continue, from Sacramento to my hometown of Lansing, Michigan, to Annapolis, all across the country, this will become more and more of a debate and discussion, as it should. So, Mr. Chairman, thank you again for what I think is a very important hearing. I hope this helps us lay a foundation as we move into the next Congress to focus on this issue, which I know is of deep, deep concern to the American public. Chairman Sarbanes. Thank you very much, Senator Stabenow. We will now turn to our panel. We will first hear from Attorney General William Sorrell, who has been the Attorney General of the State of Vermont since 1997. Attorney General Sorrell is the Vice President of the National Association of Attorneys General and Co-Chair of its Consumer Protection Committee. Earlier, he served as Vermont's Secretary of Administration. Mr. Attorney General, we are very pleased to have you here. STATEMENT OF WILLIAM H. SORRELL ATTORNEY GENERAL, THE STATE OF VERMONT Mr. Sorrell. Thank you very much. Chairman Sarbanes. I think if you pull that microphone close to you, it will be helpful to all of us. Mr. Sorrell. Good morning. Chairman Sarbanes. That is better, yes. Mr. Sorrell. Thank you for inviting me to speak with you today on the important issue of financial privacy. The State Attorneys General are grateful for the work of this Committee on this important consumer issue and we especially want to commend Chairman Sarbanes and Senator Shelby for working so hard to address these issues in a bipartisan fashion. As this panel of witnesses demonstrates, concerns about the privacy of consumers' financial information is neither a Democratic issue, nor a Republican issue. It is not a liberal issue, nor a conservative issue. Rather, it cuts across traditional party and philosophical lines to touch all of us who are concerned about protecting our citizens. The Chairman did indicate that I am the Vice President of the National Association of Attorneys General. But I want to make clear for the record that I am here for myself and representing my Office of Attorney General for the State of Vermont. I am not here purporting to speak for the entire National Association of Attorneys General. Chairman Sarbanes. As they say on those ads that they put in the paper when they get all those academics to sign and give their institutions, just for the purpose of identification. [Laughter.] Mr. Sorrell. Thank you very much, Mr. Chairman. [Laughter.] Along with my esteemed colleagues on this panel, I am here today to tell you that the privacy provisions of Gramm-Leach- Bliley are not working. Although this Committee worked hard to enact provisions to eliminate the abusive practices that were uncovered by the State Attorneys General in 1999, in fact, these practices are continuing largely unabated. I strongly recommend that this Committee undertake a thorough examination of the effects of Gramm-Leach-Bliley and the related regulations implemented by the Federal regulators in order to determine whether the law, as interpreted by the Federal agencies, carries out your intent. I believe you will find that it does not do so. I also believe you will want to enact strong provisions to correct problems that have arisen under Gramm-Leach-Bliley. What are some of these problems that consumers are facing? First and foremost, the unfortunate telemarketing practices that were uncovered in 1999, by Minnesota Attorney General Hatch are continuing. The U.S. Bancorp case demonstrated that major financial institutions were facilitating abusive telemarketing by selling their customers' account numbers and other nonpublic personal financial information to vendors, who then turned around and sold consumers memberships in travel clubs, gardening clubs, esoteric insurance products, often through improper use of information provided by the financial institution. This Committee wanted to put a stop to such practices, and so prohibited financial institutions from sharing account numbers. But the Federal agencies responsible for interpreting the law allow financial institutions to share or sell encrypted account numbers or other unique identifiers, thereby giving the telemarketers essentially the same access to consumers' accounts as before. So just as was the case prior to Gramm-Leach-Bliley, an eager telemarketer, paid on commission, is able to convert a consumer's ambiguous statement of interest into a purchase. The telemarketer simply informs the financial institution that a charge should be processed on that consumer's account. The telemarketer doesn't need the actual account number because the bank will convert the encrypted number or unique identifier into the account number for processing the charge. The consumer doesn't know how the charge appeared on her account since she never gave out her account number. In many instances, she doesn't even know she made a purchase. This Committee should undertake a thorough investigation of these continuing abusive telemarketing practices and afford greater protection to consumers in this regard. Gramm-Leach-Bliley is also not working because the notices required under the law are fundamentally incomprehensible to too many consumers. My written testimony fully covers the surveys and studies that demonstrate the dense writing of these notices, as well as the correspondingly high reading levels required to understand them. I thought, and with the Committee's indulgence, that I might just take a moment to read just one paragraph from one of these notices. This should serve to give the Committee a flavor of what consumers face in trying to decipher these notices and the excerpt I will read is from the American Bankers Association model, Gramm-Leach-Bliley privacy policy notice, that it sent out to its members for use in their notices. And in that notice, and I believe the average American household received roughly eight or more of these notices, under the heading, What Information We Disclose, if you get down in the body of the notice, here is what you find: We may disclose nonpublic personal information about you to the following types of ``affiliates'' (i.e., companies related to us by common control or ownership) and ``nonaffiliated third parties'' (i.e., third parties that are not members of our corporate family). Financial service providers, such as mortgage bankers, security brokers-dealers, and insurance agents. Nonfinancial companies, such as retailers, direct marketers, airlines and publishers. And others, such as nonprofit organizations. If you prefer that we not disclose nonpublic personal information about you to such nonaffiliated third parties [with respect to this loan or account], you may opt-out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt-out of disclosures to nonaffiliated third parties, you may call the following toll-free number. I hope I have made my point. It stretches credulity to think that average consumers can readily work their way through these obtuse notices and reach a basic understanding of their rights to control the sharing of financial information. And then to make informed choices in this regard. This is exactly why the Attorneys General of 44 of the States and territories recently called on the Federal regulatory agencies to create standard notices to require much simpler language so that consumers can more readily understand the notices. This Committee should give serious consideration to requiring standard privacy notices similar to the nutritional notices that are required in the Federal Nutritional Labeling and Education Act. This Committee had the wisdom to ensure that States would have the authority to go further than Gramm-Leach-Bliley to enact more protective laws governing financial privacy. We hope the Committee will continue to allow States to protect their citizens as they see the need to do so. Indeed, several States had enacted more protective laws governing financial privacy prior to the adoption of Gramm-Leach-Bliley. Because consumers continued to be very concerned about the protection of their personal financial information, States have continued to adopt laws that are more protective than Federal law. Currently, there are six States that have enacted laws that require some form of opt-in before financial information can be shared by banks, and 14 States have enacted laws that require some form of consumer consent before financial information can be shared by insurance companies. As my co-panelist, Representative Kasper, will describe, North Dakota voters recently adopted a referendum reversing the State legislature's repeal of that State's opt-in law, thereby putting that State's banking opt-in law back on the books. In addition, two California localities, San Mateo County and Daley City, have recently adopted ordinances requiring affirmative consumer consent before financial information may be shared. These State and local laws are a reaction to the problems associated with Gramm-Leach-Bliley and an effort by these governments to exercise the power given them by this Committee under Section 507, to provide consumers with protections greater than those afforded under Federal law. The sharing of financial information among corporate affiliates remains another real concern. Should a consumer who opens an account with Citibank, for example, expect that, for purposes of ``preacquired account marketing,'' her account number will be shared with Travelers Insurance or any of the other 2,761 affiliates within Citigroup? The number and the breadth of affiliates currently associated with some of the country's major financial institutions is truly astounding. In addition to the Citigroup's 2,761 affiliates, the web site of the Federal Reserve lists 1,476 corporate affiliates for Bank of America, and 871 affiliates for KeyCorp, which is considered to be a mid-size bank. A perusal of these corporate affiliate lists demonstrates that these holding companies appear to be involved in widely disparate activities, including insurance, securities, international banking, real estate holdings and development, and equipment leasing. So a consumer holding a credit card with the lead bank or an insurance policy with a major insurer in any of these affiliate groups would not expect that his or her account number would be spread throughout the corporate affiliate structure for the purpose, not of servicing the consumer better, but of marketing products to the consumer. This Committee should require that financial institutions give consumers an effective choice before nonpublic personal financial information can be shared among affiliates. Moreover, the Congress should direct that the standard financial privacy notices to be created by the Federal regulatory agencies contain a standard format for information about affiliate-sharing practices and consumers' choices to prevent such sharing. Mr. Chairman, I referred to the following documents* in my written and oral testimony. I would like to have them submitted into the record: Affiliate lists for Bank of America, Citigroup, and KeyCorp; a report from my office and our Department of Banking and Insurance; an interim report to the Vermont legislature on financial privacy; the final of such report; and the American Bankers Association sample privacy notice. I hope those and my written testimony will be accepted into the record. --------------------------------------------------------------------------- *Held in Committee files. --------------------------------------------------------------------------- Chairman Sarbanes. They will be held in Committee files. Mr. Sorrell. Thank you very much for this opportunity. Chairman Sarbanes. Thank you very much. We very much appreciate hearing from you. We will now turn to Fred Cate, Professor of Law at the Indiana University School of Law in Bloomington, Indiana, and a Senior Policy Advisor at the Hunton & Williams Center for Information Policy Leadership. Professor Cate. STATEMENT OF FRED H. CATE PROFESSOR OF LAW INDIANA UNIVERSITY SCHOOL OF LAW Dr. Cate. Thank you very much, Mr. Chairman, distinguished Members of the Committee. I appreciate the opportunity to be here. I should offer the same qualification as my distinguished colleague, which is, of course, that my comments do not reflect the views of Indiana University. One would like to think that the University would have the good sense that they would. [Laughter.] But in any event, the University would want me to clarify that they do not necessarily. There is much to say, but I will do my best to limit myself to four points and try to make those as briefly as possible. First, there is no doubt but what consumers are concerned about financial privacy. It seems like there is no room to even debate that question. I think the issue is what do we make of that concern and what would this Committee and the Congress do in response to that concern? I, for one, do not find that concern tremendously surprising. Consumers should be concerned about financial privacy. They should be concerned about privacy in many areas because, frankly, many of the most effective and, in some cases, the only effective, steps to protect an individual's privacy are individual actions. They are not protections afforded by law. They are not protections afforded by policies or technologies, but, rather, the things that an individual himself or herself will do. So given that we have just had a deluge, twice now, of more than two billion privacy notices, given the attention given this issue in the press, it would, I think, be surprising if there weren't consumer concern about this issue, and I think that concern is largely healthy. Clearly, it is not healthy to the extent that it represents lack of knowledge about either banking practices or the law, and I will return to this in my conclusion. Second, in addition, however, to looking at the presence of consumer concern, we also have to look at consumer action. And what we know is that in response to tens of thousands of financial institutions, mailing billions of privacy notices, the opt-out rates seem to be consistently less than 5 percent. Many institutions report opt-out rates of 1 percent or less. This is true, by the way, not only in financial privacy. This is true with the FCRA opt-out provisions. This is true for the DMA's opt-out provisions. This is true for many companies that report what their specific industry opt-out rates are. A low response rate is very consistent. So before encouraging the Congress to adopt new laws or more restrictive privacy laws, it seems important to first understand why consumers aren't taking advantage of the rights that they currently have under existing law. Before giving new rights, why are the current rights not being used? Third, another reason for concern about going forward with more restrictive privacy laws on either the State or Federal level is, of course, that information serves many valuable, irreplaceable functions in this economy and in the society. This point seems so obvious that I do not want to belabor it here. It has been much written about. And probably the most articulate spokespeople coming from the Federal Reserve Board. Let me just offer one quote from Governor Gramlich: ``Information about individual's needs and preferences is the cornerstone of any system that allocates goods and services within an economy.'' The more such information is available, ``the more accurately and efficiently will the economy meet those needs and preferences.'' This seems particularly true in the case of affiliate- sharing. The number of affiliates which have been referred to certainly could give one pause. But I think it is worth noting that research shows that companies do not create affiliates just for the opportunity to create affiliates, that affiliate relationships are often driven by tax or liability issues, by regulatory requirements, by any number of State licensing issues. The question then of whether affiliate-sharing of information should be permitted or restricted would necessarily, if made a legal issue, require that companies describe in detail their affiliate relationships to their customers. It is difficult to imagine how even the best-intentioned privacy notice, if required to describe those relationships in detail, could ever be comprehensible to anybody, to anybody here or to anyone likely to receive those notices. Interfering with those benefits of information flows, of course, impose costs on consumers. There are also additional costs, however, imposed by privacy laws, and I think this Committee is well aware of and I think that this is very relevant to the question of whether more restrictive privacy laws seem appropriate. We know that the cost of complying with Gramm-Leach-Bliley has been measured in the range of $2 to $5 billion a year for financial institutions, cost that are, of course, passed on, either to the customers directly or to shareholders, and indirectly to customers. These costs, however, are much greater. Experience and research in this area are consistent and, without exception, show that costs are much greater when a privacy law imposes a greater restriction on information-sharing, for example, opt- in. In fact, most of the available research on opt-in statutes in practice show that if they require contacting a consumer after the consumer has engaged in the transaction, after the consumer has opened the account, after the consumer has sought service, an opt-in statute effectively works as a ban on information flows that, in practice, the result is no consent and no opportunity to share information. I want to be clear, however. I think that those costs should be measured not only in dollars, but also would encourage the Committee and would direct the Committee's attention to the other types of costs that that can impose. And here research is particularly informative. Even a subject like informing consumers about opportunities, marketing, which seems to meet with very little support in any public forum today, nevertheless, is of obvious importance to many consumers and especially those less likely to have, for example, financial advisors, less likely to be well-endowed financially. We know, for example, that greater information restrictions disproportionately affect poor and also people located away from urban centers. This, of course, is also especially true with opt-in. I have mentioned in my written testimony and I will not belabor now a case study that economist Michael Staten and I did of just one financial institution, MBNA Corporation, and what the cost of opt-in would be on MBNA's customers. Those costs are significant and I would encourage the Committee to pay close attention to the consistent evidence of how great those costs can be, especially since, to use MBNA's numbers for the period of the case study, 2000 to 2001, fewer than one quarter of 1 percent of MBNA customers had opted out. So imposing any additional costs, given that fewer than one quarter of 1 percent had found the protection necessary, would seem dubious, at best. Remember, and I will quote here Alabama Attorney General Bill Pryor, it is customers and individuals who ultimately ``pay the price of either higher prices for what they buy or in terms of a restricted set of choices offered them in the marketplace, for restrictive privacy laws.'' Finally, I think it is important to keep in mind the larger context in which this debate is taking place. Gramm-Leach-Bliley passed in 1999 and notices were required to be mailed, the first set, by July 1, 2001. Only 14 months has passed during that time and we have seen significant changes and developments that would strike me as very positive in that time. While the issue of consumer confusion has already been noted, I think it is important here to return to the question of why notice is needed to be improved, why the developments of the past 14 months, in fact, warrant approval rather than disapproval from this Committee. Remember the law itself is very complex. If you have ever tried to explain it to anyone, you appreciate how complex the law is. The terms used, for example, in the ABA model notice that was previously read, largely came from the law and from the implementing regulations. If you want simple requirements to be explained to consumers, you will have to enact simple requirements. And in this area, that is very, very difficult. So, for example, distinctions between consumers and customers, which are so important to the law, do not make much sense to ordinary people. It is difficult to understand these. It should also be noted that clarity seems to be very much in the eye of the beholder. I had the experience on June 18, 2001, of appearing before the California General Assembly Committee on Banking and Finance, where the Committee Chairman lauded American Express for the clarity of its notice. In fact, he passed out copies to everyone in the audience, so, as he said, industry representatives could live up to the model set by American Express. Three weeks later, on July 9, 2001, USA Today cited American Express' notice as one of the least comprehensible it had read. There is much going on. There are market responses. We are seeing banks and other financial institutions offering privacy- related cards and other privacy-related services. We are seeing the quality of notices being improved, the Federal Trade Commission working to improve that quality. We are seeing new types of privacy protections, many from the States, such as do- not-call lists. In the absence of evidence of harms not being addressed by the current law, not just Gramm-Leach-Bliley, but the full range of Federal and State financial privacy laws, it seems inappropriate, or at least premature, to move forward with more restrictive privacy requirements. Thank you. Chairman Sarbanes. Thank you very much, sir. Now, we will hear from John Dugan, appearing today, I think it is fair to say, actually, representing the Financial Services Coordinating Council. I do not know that we will need a disclaimer here. Mr. Dugan. No disclaimer. Chairman Sarbanes. The Council includes the American Bankers Association, the American Council of Life Insurers, the American Insurance Association, and the Securities Industry Association. Mr. Dugan is a partner at Covington & Burling, here in town, and I must note, previously worked here on the Banking Committee staff as Minority General Counsel when Senator Garn was a Member of the Committee. We are very pleased to hear from you, Mr. Dugan. STATEMENT OF JOHN C. DUGAN PARTNER, COVINGTON & BURLING ON BEHALF OF THE FINANCIAL SERVICES COORDINATING COUNCIL Mr. Dugan. Thank you, Mr. Chairman, and Members of this Committee. It is a pleasure to be back here today. As you said, I represent the Financial Services Coordinating Council, and this organization represents thousands of large and small banks, insurance companies, and securities firms that, taken together, provide financial services to virtually every household in America. I have represented the FSCC on financial privacy issues since the organization was formed in late 1999. Every commercial privacy law strikes a balance between protecting the privacy interests of consumers and preserving the clear consumer benefits that arise from the free flow of information in the economy. While consumers expect limits on the disclosure of their information, they also expect companies to provide them with benefits that can only be obtained through information-sharing. For example, a long-time depositor in a bank wants and expects to receive a discount on a mortgage loan offered by a related mortgage company affiliate, and such ``relationship discounts'' can only be provided through information-sharing. Privacy laws try to balance these competing consumer expectations. In terms of financial privacy, we believe that Congress struck the right balance in the Gramm-Leach-Bliley Act. Financial institution consumers now must be provided notice of practices regarding information collection and disclosure, opt- out choice regarding sharing of information with nonaffiliated third parties, security in the form of mandatory policies, procedures, and controls, and enforcement of privacy protections via the financial regulatory agencies. By any measure compared to 3 years ago, consumers have much more meaningful information, choice, and security regarding their financial information. At the same time, the GLB Act appropriately allows financial institutions to share information for a variety of plainly legitimate purposes without consumer consent, for example, to carry out transactions requested by the consumer, to deter and detect fraud, to respond to regulators and judicial process, et cetera. The FSCC also continues to support Congress' decision to treat information-sharing by affiliates in the same manner as sharing within a single institution. In both cases, the opt-out requirement does not apply, as has already been stated. We think this decision reflected the fact that consumers are unlikely to distinguish between, for example, a community bank and its affiliated mortgage lending company. Instead, consumers expect that both affiliates are part of the same community banking organization where information is shared. Finally, we also continue to believe that Congress appropriately chose to provide consumers with the right to opt- out of information-sharing with third-party commercial companies. But Congress also rightly chose to reject an opt-in approach, which deprives consumers of benefits from information-sharing, as Professor Cate just described. Consumers rarely exercise opt-in consent of any kind, even those consumers who would want to receive the benefits of information-sharing if they knew about them. In essence, an opt-in creates a default rule that stops the free flow of information, and that makes financial services more expensive and inefficient. In contrast, an opt-out gives privacy- sensitive consumers just as much choice as opt-in, but without the default rule that denies consumer benefits. In terms of implementation, the Gramm-Leach-Bliley privacy provisions were enacted in 1999 and implementing regulations became effective just over a year ago. While tremendous progress has been made, this is still very much a work in progress. Nevertheless, the financial institutions and their regulators have received a minuscule number of customer complaints about the privacy provisions. For example, in response to a recent Freedom of Information Act request, the Federal Reserve reported that it had received only 25 privacy- related complaints out of the 4,503 complaints in total that it received in 2001, or .0056 percent of the total, with similarly low numbers reported by all the other Federal bank regulators. Having said that, the FSCC recognizes that privacy notices constitute one area in which improvements can and should be made. This is by no means as easy as it sounds, however, because the notice requirements of the Gramm-Leach-Bliley Act are, in fact, quite detailed, as we just heard. The financial institution regulators tried very hard when they issued their regulations to simplify, including through the use of sample clauses, and they told institutions that a notice complying with the GLB Act could fit on a six-page, tri-fold brochure. In their first notices, financial institutions generally took this approach. But a six-page notice is not short, and terms from the sample clauses such as ``nonaffiliated third-party'' and the other terms that were quoted earlier this morning are the types of legalese that have been sharply criticized. To address these concerns, many institutions have tried to simplify the language used in their next round of notices. In addition, both financial institutions and their regulators are exploring a simplified, short-form version of the notice that would supplement, but not replace, the longer legal notice required by the Gramm-Leach-Bliley Act. The basic idea is to use simplified terms, be much less legalistic than the longer notice, keep the length to one page, and use common language to make it easier for consumers to compare policies. The FSCC is leading one of the short-form notice projects in which we have hired a well-known language expert, and we have nearly completed the initial drafting phase. Let me now turn to the misunderstanding about the amount of State legislative action that has occurred since passage of Gramm-Leach-Bliley. During this period, no State legislature has adopted a comprehensive financial privacy statute that has exceeded the obligations of the Gramm-Leach-Bliley Act. Nearly 40 States did consider such privacy legislation in 2000, the year after the law passed, but no such statute was enacted. About half that number revisited the issue in 2001, again without final action. And this year, only California has come close to enacting a new law. But for the third time in 3 years, the legislature has chosen not to do so. We recognize the initiative in North Dakota which we will hear about and the action by regulators, but not legislatures, in New Mexico and Vermont. But taken together, these few actions simply do not constitute a groundswell of State action. The FSCC believes the States' diminished focus is due largely to an increased understanding that the Gramm-Leach- Bliley protections are real and need some time to work, and that it is more complicated than it first seems to impose new restrictions without causing major unintended consequences. In terms of new Federal privacy legislation, we believe that any action that Congress considers should be targeted to specific harms rather than take the form of sweeping data protection restrictions. For example, if the harm to consumers that people care about most is identify theft or excessive telemarketing, then legislation should remedy these problems specifically and not impose broad restrictions on information- sharing. The FSCC stands ready to work with public policymakers to address specific consumer harms. Let me emphasize, however, that the FSCC could not support any new financial privacy legislation that did not include Federal preemption to ensure a uniform national privacy standard. The FSCC also supports extending the FCRA provision that preempts State restrictions on affiliate-sharing, which would otherwise sunset by the end of 2003. Thank you. I would be happy to answer any questions. Chairman Sarbanes. Thank you, Mr. Dugan, for your testimony. We are pleased to have you back again with the Committee. Mr. Dugan. Thank you again, Senator. Chairman Sarbanes. We are now going to hear from Attorney General Mike Hatch, who has been the Attorney General of the State of Minnesota since 1998. He previously served in the 1980's as Minnesota's Commissioner of Commerce, the primary regulator, as I understand it, of banks, insurance companies, securities, and real estate firms doing business in Minnesota. Attorney General Hatch, we are pleased to have you with us. STATEMENT OF MIKE HATCH ATTORNEY GENERAL, THE STATE OF MINNESOTA Mr. Hatch. Thank you, Mr. Chairman. And I want to thank all of you for your leadership on this issue. I had the opportunity a couple of years ago to watch a hearing in the Minnesota legislature on the issue of privacy. The Wall Street Journal had covered it and pointed out that there were 58 lobbyists retained by a variety of different members of the financial industry, the telephone industry, HMO's, insurers, you name it. And they all piled in, and the pressure was immense. Both parties collapsed. They just caved in. I know that the pressure on you people is immense. I applaud you for your leadership and for your efforts here. It takes guts and courage and it is very refreshing to see that type of leadership in this country. So, I thank you very much. The question was raised about, gee, we have gotten all these notices. Why don't people understand them? I just want to point out, the first letter I received---- Chairman Sarbanes. I think if he could bring it right up here next to the table. Senator Shelby. Bring it up inside. Chairman Sarbanes. Yes. Senator Shelby. That would help. Chairman Sarbanes. Come right on around. Senator Shelby. Up near the Senator. Chairman Sarbanes. Don't block--we want Senator Stabenow to see this easel, too. Yes, that is it. Senator Shelby. Okay. Chairman Sarbanes. Now if we put the things on. Good. Senator Shelby. That is better. Chairman Sarbanes. Are you okay, Debbie, with that? Senator Stabenow. I can see it better than you. [Laughter.] Chairman Sarbanes. All right. The panel's okay. So go ahead. Mr. Hatch. Mr. Chairman, Members of the Committee, the point was raised by the financial industry here that, we have all these notices out there. People do need to understand what is going on. So what is the beef ? All of these notices were sent to me from a former Congressman, Alec Olson, from the 1970's. He is now, I am guessing, 75 to 80 years of age. He says, ``What is all this garbage? I don't understand it.'' Now if a retired Congressman doesn't understand it, how do we expect that two-thirds of our senior citizens who are the subjects of the rip-off that occurs because of this financial fraud, which is targeted to seniors, how do we expect them to be able to discern these issues? We heard the Attorney General from Vermont read that disclosure statement, and in the end, what they did not say is, listen, regardless of what you do, we are going to share this with our affiliated institutions and we are going to use it in other ways as well. Even if you did read it and understand it, you would have to be a Wall Street lawyer to figure that out. Here is a letter that I got a kick out of it because it was after Gramm-Leach-Bliley. This lady had gotten a notice from General Motors Corporation and she says: ``What is this business about an opt-out? Why do I have to notify them? And I have been in the financial industries for almost 20 years. I find this unacceptable and a bit unbelievable.'' Now what is significant, if you notice her name, she is from a leading investment bank in this country and she is in charge of their education. Look at her business card at the bottom. She did not know. And she thought it was unbelievable. Now if she doesn't know, and she is in charge of educating the members of that investment bank, how does that senior citizen know? Now if we go to the next exhibit, we will try to figure out, how do they know? This is actually before GLB. But let me assure you, the complaints in our office, we run a consumer division, the complaint load is higher than it was in the past. I do not attribute it to being higher because of GLB. I attribute it just that there is more increased abuse that goes on in a tighter--when employment gets a little rough, the economy gets cool, fraud tends to go up. It's the same thing. It hasn't changed. Two-thirds, again, still being targeted on seniors. This one is a Mr. Clinton--I do not know how to pronounce the last name--Sjosten, I guess. It is a Legal Aid lawyer writing this letter. He says that Mr. Clinton is 87 years old. He had a career as a janitor of a church. And he retired. He has been in a nursing home for 10 years. Telemarketers got that information from Montgomery Wards. They charged up $2,400 on him, an auto club membership. But he doesn't own a car. He hasn't had one for 10 years. A homeowner's warranty plan. But he doesn't own a home. He is in a nursing home. A dental plan. But he has no teeth. [Laughter.] Charged $2,400. And you ask, how can this be? How can we be so inhumane to our senior citizens that we allow this type of manipulation to go on? That is all he asks. I represented banks in private practice. I was a banking commissioner. Rural banks do not trade this information. They want it kept private. In our State, we have laws. I have represented companies. We have very strong common law, and I think it exists throughout the country, that says, listen, when you come into a bank with your business plan, if I am a business and I come in there with a business plan to get a loan, that bank cannot share it. Before Glass-Steagall in the 1920's, they would go out and distribute it. They would give it to their investment arm and then they would go steal the business, the idea, the trade secret, if you will, from the client. Well, that was shut down. The law is pretty clear. And banks know, you keep that confidential. But you know what? Under this GLB, you hear those notices that were read by the Attorney General? It said, your loan data is not public. With whom? What about the checks I write out as a business? What about the checks I receive? That is my customer list. That is a property right, for crying out loud. It is not only a liberty right, but also a property right. Somebody says, well, jeez, they won't respond in an opt-in. Yes, they will. Pay them. The financial banks--the people who are selling this stuff, our data, we are on about 300 lists each. This data is being traded around all over the place. And they sell it. They make money on it. Over 300 bucks a year, on average. Why don't they pay us a little royalty. You know how to get me to go sell my name? Give me some frequent flier miles, maybe I will do it. I do not know. Maybe some people will. But pay them. Don't hog it all for yourself. If it is a property right, why do we allow them to get away with it on an opt-out? Pay, and people will intelligently make a decision as to whether this property right will be given up. Do you know what will happen? Information will still flow. There will be companies that will sprout up that will engage in this. That is fine. That is called free enterprise. Why are we against that? Property rights. What about the personal liberty right? I go out and I give speeches and I ask them, please raise your hand if you have ever had a yeast infection, a hemorrhoid problem, filed for bankruptcy, bounced a check, had a mental illness, gone in for chemical dependency. I go through the whole routine. Please raise your hand. And there is a gasp. If you look at HIPPA, HIPPA is no better than GLB in terms of the opt-outs. Oh, we are going to have medical privacy. But then there is a little exemption that says, for telemarketing purposes, you are allowed to use it. Well, the exemption swallows the rule. All of this information is being traded. What about our right to define who we are? Thank God we did not have that type of information going when I was in my 20's. I wouldn't be sitting here at this table. [Laughter.] When you are in your 20's, you experiment with ideas, right? And thoughts. Your telephone company can sell the telephone numbers you have. What about search warrants? I, as a public official, cannot go pull your bank data without a search warrant without some probable cause because you have a reasonable expectation of privacy, right? Now, with these laws basically saying, you do not have a reasonable expectation of privacy, guaranteed there will be a day where a judge will say, because everybody else in the world can get this data, why can't the Government, too, without the search warrant? There is a very strong, compelling issue that is afoot here and it is not the bank's data. It is my data. That is the way it is in Europe. That is the way it is in other cultures. Most people think it is that way here. It is a reasonable expectation of why not--in most contracts we have in America, there is an offer and an acceptance. Where is the acceptance on an opt-out, to give up my private information? Why not just pay me for it? You would be amazed how many people will respond to a little money. That is okay. Now these are very important rights. It is a personal right. It is a property right. I applaud you for your courage in standing up on this issue and I wish you the best in getting a bill through. Thank you. Chairman Sarbanes. Thank you, Attorney General Hatch. We will now hear from Representative Jim Kasper, a Member of the North Dakota House of Representatives, who is very deeply involved in the referendum held earlier this year in North Dakota. As I understand it, I am sure that Representative Kasper will develop this, a statute had been passed that reduced the existing privacy rights under North Dakota law. It was taken to referendum by the citizens of North Dakota and overwhelmingly, the referendum was overwhelmingly passed, thereby negating the statute. Representative Kasper, we would be happy to hear from you. STATEMENT OF JAMES M. KASPER MEMBER, HOUSE OF REPRESENTATIVES THE STATE OF NORTH DAKOTA Mr. Kasper. Thank you, Chairman Sarbanes, and Members of the Committee. I want to comment before I start my testimony how much I agree with the three distinguished Senators and your opening remarks. You are right on. And the people of the United States are right on with you, as we found in North Dakota. I am a first-term representative in North Dakota. We have a part-time legislature in our State. We meet for 3 months every other year and then we go back to the real world of business. My background has been the insurance and financial securities business for my whole career. I even started that career in college as a senior to help support my newly gotten wife, who has been with me the 30-some years that we have been out of college. Little did I know when I came to the legislature of North Dakota that the bulk of my time in that freshman term would be spent battling the banks on the issue of privacy. But that is exactly what happened. North Dakota had a privacy law that was developed and enacted in 1985 at the bequest of the banks, and it allowed no affiliate and no nonaffiliate sharing of information. So private information was totally private. In 1997, our law was amended quietly at the request of the banks to allow affiliate- sharing, probably in anticipation of Gramm-Leach-Bliley. So, we had that item in North Dakota law. We also had the bank loopholes, so to speak, in North Dakota law where banks marketed and continue to market insurance in small towns. I have competed with the financial services of the banking industry my whole career in North Dakota. So, I have an idea of what they do, how they compete, and what their strategies are. It is my understanding that the banking industry is being led in their battle to defeat privacy laws like North Dakota by the organization that is represented here today and by, I think, a financial roundtable organization, are the groups that--there is a focused effort, in my opinion, to stop the privacy laws from changing. And that is what happened in North Dakota. The banking industry had their bank law introduced into our State Senate, Senate bill 2191. That, in essence, repealed North Dakota banking law and adopted the Gramm-Leach-Bliley definitions of privacy. I want to share with the Committee and read what their arguments were, why the North Dakota legislature should pass their law and throw out our very protective privacy law. Here is what they said: ``North Dakota needs to pass Senate bill 2191 to adopt Gramm-Leach-Bliley in North Dakota law so that we will be in compliance with Gramm-Leach-Bliley.'' This Committee knows that that is a joke. They knew that that was a joke, but that was one of their strategies-- confusion. ``North Dakota will experience job loss if we do not pass Senate bill 2191.'' Now, you tell me how we are going to lose jobs, but their idea was the bank calling centers will pull out of North Dakota if you do not pass 2191. ``North Dakota will experience negative economic development if we do not pass Senate bill 2191.'' Businesses will not come to North Dakota because it will be too onerous to comply with old North Dakota privacy law. There is no cost at all to comply with North Dakota privacy law. The businesses go on doing what they do and their information is protected because one thing in North Dakota law, not only do we protect consumer privacy, but we also protect all privacy. So business transactions, ag transactions, nonprofit transactions are all private. ``We do not want North Dakota to be the only State in the Nation, an island, which has different privacy laws from other States.'' Obviously, as the Attorney General from Vermont stated, there are other States that have privacy laws like North Dakota. And as the legislators of the various States begin to realize what GLB privacy is all about, we are going to see more State legislators introduce laws. I know of two States right now that are contemplating, legislators who are contemplating initiating privacy protection laws like North Dakota's in their legislature in their next session. The most funny of all, ``If we do not pass Senate bill 2191, the people of North Dakota may not be able to use their ATM's, credit cards, and their checking accounts.'' In a recent trip to California, at the invitation of Senator Jackie Speier to work with the California assembly, most of the goal was to try to convince some Republicans to support Senator Speier's bill because that has become a partisan issue, which it should not be. These were their same arguments. So this is a national strategy that I submit is being utilized and orchestrated by the banking industry to stop privacy laws from being passed and to try to repeal a North Dakota law. Anyway, these arguments convinced my colleagues in both the House and the Senate to overwhelmingly, with between a 70 and 80 percent vote, pass their bill. There were just a handful of us who attempted to stop that bill. Two of us were freshmen legislators, and you know how much credibility freshmen have any place. So the bill was passed. The law was signed by our governor, who was a former banker, and it was enacted into North Dakota law. Fortunately, that is not the end of the story because a group of citizens called Protect Our Privacy formed. Volunteers. No money. No budget. Just a goal to repeal Senate bill 2191 in North Dakota. And in the course of a few short weeks, gathered the number of signatures necessary, a little over 17,000, to repeal the law, or to refer it and put it to a vote to the people. When you consider that we only have 640,000 people, 17,000 is a big number. It is equivalent to almost 900,000 signatures in the State of California. Their initiative is going forward, as this Committee heard. And by the way, I predict that when and if their initiative is on the ballot, it will be on the ballot, unless the California legislature acts responsibly next year, that initiative is going to overwhelmingly succeed. The more money the big banks spend, the more the people get angry, and that is exactly what happened in North Dakota. The banks were well financed. Their first campaign statement showed they had $129,000 raised. We had $2,800. By the time the whole battle was done, their media blitz throughout the State of North Dakota was enormous. They attempted to persuade the people of our State that all the arguments which I shared with you earlier were needed to keep the bill. Our statement and position was very simple. Whose information is it, anyway? Do you own it? Should you have the right to control it? Or should the banks own it once they get it and be able to share it and sell it without your consent and knowledge? That was the focus. That is all we could talk about because that is the truth and the bottom line of this privacy battle--whose information should it be, as Attorney General Hatch has indicated? When the people understood, the vote was 73 percent to throw out the Senate bill 2191 and go back to North Dakota law. I submit that as more and more people in the United States become aware of what this is all about, you are going to see more and more State legislators move forward to do the same thing in their State. Unfortunately, that is time-consuming and costly and you have the might of the big banks, who will be there to try to thwart the issue every time it comes up in every State legislature. We had full-time lobbyists up there from the banking industry, three or four of them. The credit union lobbyists were involved. The big banks came in. The local bankers came in to talk to their legislators and the legislators were, frankly, somewhat misled and confused on this issue because they talk real good. But the people know better and the people of our country want their private information protected. If we do not do this, if we do not move forward with protection, because the lifeblood of this battle for financial services is the free-flowing of consumer confidential financial information, Gramm-Leach-Bliley does not foster competition. It eliminates competition. As a small business person in the financial services industry, I have a very difficult time competing with the Wells Fargos of the area. When a person comes in to get a loan and provides their tax return, their financial statement, their history, and the loan officer just goes to the insurance agent or the securities agent and says, here, here's some stuff. Look it over. Go call this guy. That happened on one occasion with my best client in Fargo, who I have served with life insurance for 20-some years. An insurance agent from Wells Fargo called on them and had all of their financial information and, in fact, showed them a sophisticated insurance proposal where they had to have gathered their incomes, their date of birth, et cetera. My client knew nothing of it, had never met the agent before, and this guy comes in and shows him the information. He called me. We looked at it. We threw it in the garbage. But the point is, why should that insurance agent have gotten that information in the first place? He shouldn't have. My mother in Beulah, my hometown, western North Dakota, just had a CD come due. The bank teller recommended that she put it into an annuity. The bank teller knows nothing about my mother's financial information and her background and her financial needs. My mother, thank goodness, said, I call my son on these things. [Laughter.] She did. And we are looking at what she should do with her CD. The point is, people are handling confidential information all over the place. It has run amuk. And I hope that this Committee will have the courage to stand up to the tremendous lobbying effort you are going to see and reverse the things in Gramm- Leach-Bliley that need to be reversed, such as no sharing of information to nonaffiliates, period. A no-opt. An opt-in sharing of information for affiliates. And the joint marketing agreement loophole, that needs to be fixed. I understand why it was introduced, to allow the small banks and credit unions to compete with the Wells Fargos of the world. That definitely needs to be fixed. Mr. Chairman, and Members of the Committee, I see my time is up. I have a lot more I could say about this issue. But I thank you very much for the opportunity to be here. Chairman Sarbanes. We thank you very much, Representative Kasper. It is a very instructive story that you tell and we really appreciate it. Before she leaves, I do want to add just one dissent to what you said. You said that the freshmen members of the legislature do not have much influence. [Laughter.] I agree with that statement generally. But I do want to underscore what a tremendous exception to that statement our freshman Member, Senator Stabenow, has been here, both in the Committee and in the Senate. Senator Stabenow. Thank you. Chairman Sarbanes. We will now turn to Phyllis Schlafly. We are very pleased that you are here with us today. As we all know, Phyllis Schlafly is the President of the Eagle Forum. She has been an outspoken advocate on a number of very important issues and has testified frequently here in Congress. She is the author/editor of numerous books and publications. Ms. Schlafly, we are delighted to have you with us today. STATEMENT OF PHYLLIS SCHLAFLY PRESIDENT, EAGLE FORUM Ms. Schlafly. Thank you, Mr. Chairman, and Senator Shelby. Totalitarian governments keep their subjects under constant surveillance by requiring that everyone carry ``papers'' that must be presented to any Government functionary on demand. This is an internal passport that everyone had to show to authorities for permission to travel within the country, to move to another city, or to apply for a new job. Having to show papers to Government functionaries was bad enough when papers meant merely what was on a piece of paper. In the computer era, personal information stored in databases can be used to determine your right to board a plane, drive a car, get a job, enter a hospital emergency room, start school, open a bank account, buy a gun, or access Government benefits such as Social Security, Medicare, or Medicaid. While each classification currently has its own set of rules, connecting all these dots would amount to the personal surveillance and monitoring that are the indicia of a police state. The Washington buzz words, ``information-sharing,'' are often put forth as the solution to 21st Century problems, but this has significant privacy implications that I am very happy you are addressing. The global economy is obsessed with gathering information. The lifestyle or profile of each consumer is a valuable commercial commodity. The checks you write and receive, the invoices you pay, and the investments you make reveal as much about you as a personal diary. Where I shop, how often I travel, when I visit my doctor, how I save for retirement are all actions known to financial institutions, which connect the dots of my life and create a valuable personal profile. This compilation of personal information is bad enough, but the sharing of it without my consent is even worse. True privacy protections encompass the principles of notice, access, correction, consent, preemption, and limiting data collection to the minimum necessary. The bill commonly known as Gramm-Leach-Bliley had the financial goal of streamlining financial services, thereby increasing affiliation and cross-company marketing. But it was conflicted with the goal of true financial privacy. Greater affiliation meant greater information-sharing. Interjecting the right of individuals to control their personal information into that streamlining equation was perceived as a threat to this big business scheme. Gramm-Leach-Bliley does not provide consumers with any opportunity to decide for themselves about the transfer of their private information among affiliates. Particularly troubling is the large number of companies marked as affiliates. For example, the Bank of America has nearly 1,500 corporate affiliates, and Citigroup has over 2,700. There is no opportunity to stop this free flow of personal information. Gramm-Leach-Bliley did include a privacy notice provision. Privacy notices should be simple documents outlining what kinds of information are collected and how the business plans to use that information. However, the notices sent to consumers as a result of Gramm-Leach-Bliley turned out to be too complicated for the public to cope with and they were always written in very fine print. Gramm-Leach-Bliley provided the right to opt-out of information-sharing but only to third parties. Figuring out how to prevent the sale of your personal financial diary, and to whom you were actually denying it, was made very difficult. Real opt-out consent depends on being able to understand what you are saying no to. In 1998, the Clinton Administration proposed a Federal regulation called Know Your Customer, which would have turned your friendly local banker into a snoop reporting to the Federal database called FinCEN any deviation from what the bank decided is your deposits/withdrawal profile. The American people and the Eagle Forum was a part of this effort, responded with 300,000 angry e-mail criticisms and the regulation was withdrawn. The department subsequently said they would no longer receive e-mail criticisms. However, the Bank Secrecy Act still requires banks to share some personal information with the Government through suspicious activity reports. The Bush Administration's proposed regulations to implement the USA PATRIOT Act's Anti-Money Laundering provisions are even more intrusion than Know Your Customer. The Wall Street Journal reported that the Treasury Department entered into an agreement with the Social Security Administration to access a database to verify the authenticity of Social Security numbers provided by customers at account opening. Congress promised us that the Social Security number would never be used for anything else when it was created, and certainly not for identification purposes. Giving financial institutions access to Social Security Administration's database contemplates using the number as a national ID number, which is a step in the wrong direction. I remember after President Nixon opened up China, The New York Times printed a large picture of a warehouse of what were called dangens. This was a manila folder containing all the personal information on every person in China. It started in school. It followed them all through life, with all of their job information. It is the computer that makes it possible to create a dangen on every American citizen, and that is not America. In conclusion, neither Government nor private business should act as if they can own, share, display, or traffic our personal information. It is a property right issue. Our personal financial data should be protected by a firewall and accessible only to those to whom the individual gives the authority. Thank you very much, Mr. Chairman. Chairman Sarbanes. Thank you very much, Ms. Schlafly. We are very pleased to have you here today. Our concluding panelist is Ed Mierzwinski, who is the Consumer Program Director of the U.S. Public Interest Research Group. He comes today testifying on behalf of a number of consumer groups, both the broader groups--Consumer Action, Consumer Federation, Consumer Union, and then a number of groups that are more specifically focused on the privacy issue--the Electronic Privacy Information Center, Identity Theft Resource Center, Privacy Rights Clearinghouse, and Private Citizen. We are very pleased to have you here, sir. STATEMENT OF EDMUND MIERZWINSKI CONSUMER PROGRAM DIRECTOR U.S. PUBLIC INTEREST RESEARCH GROUP ON BEHALF OF: CONSUMER ACTION, CONSUMER FEDERATION OF AMERICA CONSUMER TASK FORCE ON AUTOMOTIVE ISSUES CONSUMERS UNION, ELECTRONIC PRIVACY INFORMATION CENTER IDENTITY THEFT RESOURCE CENTER, JUNKBUSTERS, INC. PRIVACY RIGHTS CLEARINGHOUSE, PRIVATE CITIZEN, INC., AND U.S. PUBLIC INTEREST RESEARCH GROUP Mr. Mierzwinski. Thank you, Mr. Chairman and Members of the Committee, and in particular, I will recognize Senator Shelby, the founding Co-Chair of the bipartisan Congressional Privacy Caucus, for his leadership, as well as yours. The organizations that I am representing today believe strongly that people have a strong right to privacy and that privacy should be based on Fair Information Practices. Recognizing when it enacted the Gramm-Leach-Bliley Act, that it was increasing the potential for privacy invasions, Congress acted by establishing Title V to try to protect privacy. The basis of Title V we believe is flawed and a lot of that has already been articulated by some of the other witnesses on the pro-privacy side today. The primary basis of the Act is that it is based on notice. Notice is not enough. As we have seen from the first 2 years of examples, the notices are unclear, the notices are indecipherable, the notices are unreadable. The Privacy Rights Clearinghouse commissioned a consultant, Mark Hochhauser, on readability in 2001. He surveyed 60 of these notices and found that they were written essentially for a graduate school education. The average consumer has not been to graduate school. And I concur with General Sorrell that there should be something like a nutrition notice at the front of every privacy notice and the check-off box for voting out or voting in, whether it is an opt-out or an opt-in, and of course, we would prefer an opt-in, as I will discuss briefly. That check-out box should be on the front page, not on the 8th page of a 6-point type document with 27 to 35 word compound sentences. This year, as part of California PIRG's efforts to enact the Jackie Speier legislation, SB-773, broad consensus legislation supported by a number of privacy and consumer organizations in the State of California, California PIRG updated the Hochhauser study with a study of 10 privacy notices in August. We found that the best of the 10 got a C minus. So notice is not enough. In my testimony, I also refer to a very disturbing decision by a U.S. District Court Judge in California in an unrelated financial privacy case, but a related case to notice provisions. In that decision, Judge Zimmerman suggests that a large telephone company may have hired consultants that taught it to purposely make its privacy notices deceptive. And I cite some of those notices. How to convince people not to opt-out. How to convince people that the notice is a nonevent. There were a series of consultants actually hired by the company to teach the company how to make its notices unreadable, essentially. So, I am very concerned about that. And that is, of course, one of the reasons that we think notice is not enough. The second problem we have with the bill, of course, is that the consent provision in the bill only applies to some transactions. It applies, not to all third parties. It applies to some third parties. Let's be very clear. It is an opt-out, meaning that you have to affirmatively say no, and it does not apply to all transactions. It only applies to some third parties, essentially limited to telemarketers. Transactions between and among affiliates and joint marketing partners--and there is no exception in the law that prevents large institutions, some of them have as many as 2,761 affiliates, as we heard earlier, that prevents large institutions from also using outside joint marketing partners as well. So the fact is the bill is based on only part of the Fair Information Practices, which we believe the data-collectors should subscribe to. In recognition of the fact that there had been a major privacy scandal that had been discovered by the State of Minnesota Attorney General, Attorney General Hatch, and his office, the U.S. Bank case, the Congress included an encryption provision in Title V to try to tighten it up a little bit more. The encryption provision was included and it stated that telemarketers could not obtain the credit card numbers of consumers. The reason for that was that in the U.S. Bank case, as Attorney General Hatch has described, the consumer never gave out their credit card number to telemarketers. Their bank gave their credit card number to telemarketers. As the Attorney General has testified, and as General Sorrell has testified as well, the encryption provision has not worked. Essentially, Gramm-Leach-Bliley codified the preacquired account telemarketing programs that are in place at many of the largest banks in the country. These banks are no longer providing the credit card number directly to the telemarketer, but the telemarketer has a button that he or she pushes that allows the bank to bill the consumer. Now one of the witnesses testified that opt-out doesn't work and that opt-in would work even worse. In Attorney General Hatch's recent settlement with Fleet Bank, he sent a letter to the consumers who had been victimized--excuse me--Fleet Mortgage Company, an affiliate of Fleet Bank. You would think that this kind of tawdry telemarketing would be limited only to credit card companies, but mortgage companies are doing it, too. Attorney General Hatch sent a letter to a number of Minnesota consumers asking them whether they wanted to opt-in to his settlement and get their money back. Well, 50 percent of them responded within 2 weeks. If you write your opt-in letter well, and if you offer people something, opt-in does work. And if you are trying to get people's money back from a rip-off telemarketer who is in league with your bank, opt-in does work. So, we were very pleased to see that. The last point I want to make, of course, is that the best part of the Gramm-Leach-Bliley bill is, in fact, its States rights fail-safe, the so-called Sarbanes Amendment, that has allowed the States to experiment. As the great Justice Louis Brandeis said, ``The States are the laboratories of democracy.'' And although the industry has sent hundreds of lobbyists out to Fargo, out to Sacramento, out to Bradelborough, I have been to all these places, I have seen all the industry lobbyists, Montpelier, excuse me, in Vermont, and all the other State capitals where the State PIRG lobbyists work, the industry is trying to stop these laws, but these laws are being considered and you need to protect the right of the States to continue to try to pass stronger privacy laws. The costs of privacy have been articulated by industry as tremendous--billions and billions of notices, the loss of the free flow of information. I want to point out that there are costs to the lack of privacy as well. I would like to enter into the record a study* by independent consultant Robert Gellman which refutes a number of the industry-funded studies that the industry relies on to make its points. --------------------------------------------------------------------------- *Held in Committee files. --------------------------------------------------------------------------- The fact is the lack of adherence to Fair Information Practices leads to identity theft, which costs hundreds of thousands of consumers, hundreds of dollars a year in out-of- pocket costs, hundreds of hours in trying to clear their good names, extra costs because their credit reports are in error and they must pay extra for sub-prime credit, the costs of profiling, the cost of being targeted and the cost of being put into a box that you are a Tobacco Road consumer and not a Gucci Gulch consumer on one of these 300 lists, and you pay too much for credit and you only get offered mediocre offers. These costs are very substantial and these costs affect consumers in a very negative way. In terms of the free flow of information, industry wants to have that one both ways. Many banks are limiting their flow of information about a consumer's good credit in order to prevent that consumer from having a good credit report and a good credit score. They are gaming the credit-scoring system and Comptroller Hawke did a speech on this several years ago, and he was very concerned about it. If a consumer's credit score is affected by a limit on how much information banks share with credit bureaus, that consumer doesn't get any offers. That consumer doesn't get any opportunities. So there are some very serious costs to a lack of privacy and identify theft is one. Profiling is another. The cost of paying too much for credit because banks are gaming the system is another. Stalking is even a problem of the costs of lack of privacy, as the case of Amy Boyer several years ago. I want to conclude briefly by saying that the State PIRG's and the other consumer and privacy groups that are signed on to our testimony today very much appreciate that you held this hearing. We will continue to work in the States on privacy, financial privacy issues, identity theft issues, credit-scoring reform, and other aspects of financial privacy. We are disappointed that some industry groups have tried to suggest that financial privacy prevents them from helping Director Ridge from fighting the terrorists as one of the excuses they make to try to roll back the State privacy laws. We are disappointed also that they say you won't be able to use your ATM card if we pass strong financial privacy laws. But that is life in the big city and we will continue to fight and we appreciate you fighting with us. Thank you very much. Chairman Sarbanes. Thank you all very much. This has been a very, very helpful panel. We have been joined since the panel began by two of our colleagues and I am going to turn to them now to see if they want to make an opening statement before we start directing questions to the panel. Senator Akaka. COMMENTS OF SENATOR DANIEL K. AKAKA Senator Akaka. Thank you very much, Mr. Chairman. It is good to hear witnesses from around the country on the issue of financial privacy. The sharing of consumers' financial information needs to be regulated to reduce frustrations and the likelihood of the misuse of that information. Financial institutions are required to provide their customers with information regarding their privacy policies on an annual basis. Financial institutions are prohibited from sharing nonpublic personally identifiable customer information with nonaffiliated third parties, unless customers are provided with an opportunity to opt-out. My constituents in Hawaii have contacted me to express their frustrations with the opt-out process. The opt-out process is time-consuming for many individuals and in some cases, privacy notices are too difficult to understand. I agree that the notices are not enough and are difficult to understand. Financial privacy is one of many areas in which consumers' financial literacy needs to be increased. Consumers need to be fully aware of their opportunities to exercise financial privacy restrictions and how to do so. In addition to education, a complete examination of the current laws intended to protect personal financial information is needed to ensure that consumers are protected. Again, Mr. Chairman, I thank you for conducting this hearing. Chairman Sarbanes. Thank you, Senator Akaka. Senator Corzine. COMMENTS OF SENATOR JON S. CORZINE Senator Corzine. Thank you, Mr. Chairman. I can only tell you that there is almost nothing that Senator Akaka said that I would disagree with or preparing myself for this, knowing the concerns of both the Chairman and Ranking Member with regard to this privacy issue, that I want to very much identify with, needs to be cleaned up. I hear about this all of the time as I visit with constituents around the State, a growing, growing concern about invasion of one's personal information, the integration of the marketing aspects of information collected by those that have access to financial transactions and so on. I am anxious to be a consistent and full participant in this process, and I will emphasize this financial literacy issue. I can tell you that I have read a lot of these statements myself. I usually go to sleep before I get to the end of them, and know where you are supposed to sign off. [Laughter.] I think it is a ruse on the public with regard to this opting-out process. So, I look forward to working with you and the other Members of the Committee in this area. Chairman Sarbanes. Thank you very much, Senator Corzine. Both Senator Corzine and Senator Akaka have been very, very active on the financial literacy issue and we certainly appreciate their concern. Professor Cate, I want to ask you a question right off the bat. The Financial Services Coordinating Council, who Mr. Dugan is representing here, issued a booklet, not too long ago on what they call the drawbacks of an opt-in regime. And you were the author of that booklet. You recall that, I presume. Dr. Cate. I do. I think it was 2 years ago. But, yes, sir. Chairman Sarbanes. All right. Now in that, you are arguing against the use of opt-in. And I do not want to address the opt-in issue for the moment. In the argument you make against opt-in, you say: ``Lawmakers should resist the mounting pressure to expand the use of opt-in, for eight compelling reasons.'' And the first reason you give is, ``Opt-in and opt-out both give consumers the exact same level of control over how information about them is used. Under either system, it is the customer alone who makes the final and binding determination about data use.'' Now, of course, we have heard some criticisms about how the opt-out system works. But let me ask you this question. Am I to take from this statement that you support requiring opt-out for the sharing of any financial information? Dr. Cate. I think that would not be accurate to say that I support opt-out for the sharing of any financial information. Chairman Sarbanes. I see. Well, you make the point here that opt-out gives--under both, the consumer has exactly the same level of control and therefore, you should use it. The alternative to opt-out is opt-in. And then you are very critical of opt-in. But you say, with opt-out, they can control their information. Is that correct? Dr. Cate. Yes, sir, Mr. Chairman. Chairman Sarbanes. Should we have opt-out at least as a starting point or as a minimum for the sharing of financial information? Dr. Cate. I would not support that across the board. Chairman Sarbanes. Would not? Dr. Cate. I would not, sir. Chairman Sarbanes. How does that square with your statement here? Dr. Cate. It squares in this way. If there are areas or uses of information that the Congress believes that consumers should have control over, I think the opt-out is a better and certainly less expensive system for allowing consumers to exercise that control. I personally do not believe that under the First Amendment that the Congress has the Constitutional authority to extend to consumers the right to exercise control over all uses of their financial information. Chairman Sarbanes. You do not think the information belongs to the consumer? Dr. Cate. I think the question of who it belongs to is more or less irrelevant. Under the Constitution, I do not believe Congress has the authority to use the power of the courts or to use regulators to enforce that restraint on the flow of information. Chairman Sarbanes. To opt-out as well as to opt-in? Dr. Cate. Yes, sir, although I believe the opt-in restraint is more severe, and so the First Amendment impediment would be greater. Chairman Sarbanes. So if I am a consumer and I give this information to a financial institution, it is then gone. They can do what they wish with it? Dr. Cate. There are many uses of information, which, if they do not present a risk of harm or--many uses of information, most uses of information, which I think in this country we presume---- Chairman Sarbanes. Should I make that judgment as the one who provided the information? Or do you get the information from me for a limited specific purpose, and then once you have it, can you then--you being the financial institution--turn around and do with it what you will? Dr. Cate. Well, Mr. Chairman, I believe it is a matter of law. If, in fact, information is obtained under an express condition that it will not be used elsewhere I think that restraint should be enforced, as the Federal Trade Commission has repeatedly done online and elsewhere. But the Constitution I think limits the power of the Government to create an impediment at the start to all uses of financial information or other forms of information, absent some form of substantial or compelling governmental interest. Chairman Sarbanes. That is interesting. What do you think of that, Ms. Schlafly? Do you think that we are precluded from placing some restraint on the use of that information? Ms. Schlafly. I am amazed. Chairman Sarbanes. I am stunned. Ms. Schlafly. I think the information about what I do and what I buy is my property. I do not think it belongs to somebody else. If there is anything the United States stands for, it is individual property rights. Chairman Sarbanes. Attorney General Hatch, what is your reaction to that? Mr. Hatch. Mr. Chairman, there is $15 to $20 billion of telemarketing fraud in this country each year. As I said, two- thirds of it is targeted to senior citizens, who I do think we have some responsibility to guard. We know that most of this is done through what is called preacquired accounts, meaning that they have the information from a bank or a credit card company. They never have to ask for that information from the consumer because they already have it. It has already been obtained from the bank. That is a compelling State interest right there. I just don't understand. If opt-out and opt-in are the same, why would it make any difference as to which information is being protected? The point you were making, I do not know if we received an answer. Chairman Sarbanes. My concern with this statement is, the argument that is made against opt-in, which would be an up- front permission from the provider of the information, or how it is used, the argument that is made is that the consumer can protect himself because he has opt-out. Now there is a big difference between the two, but opt-out at least means that if the consumer initiates it, he can then say that I do not want that information provided. The other way, with opt-in, they have to get the permission to begin with. Professor Cate uses the argument in this pamphlet that you should not have opt-in because you have opt-out. So, I just asked him, well, does he then apply opt-out to all aspects of providing information? I am told, no, he doesn't. I am now told that, amongst other things, he thinks there is a Constitutional impediment to doing this, which I do not agree with. But, in any event, even as a policy matter--that is our problem. Here we have--it is a disingenuous argument to say, we do not need opt-in, because they have opt-out. Then you ask, well, would you apply opt-out to all aspects of the sharing of financial information? Then it is, no, no, we wouldn't do that. So there is our problem. Yes, ma'am. Ms. Schlafly. Senator, it seems to me that the difference between opt-in and opt-out is the default. Those of us who use computers know how valuable it is what the computer defaults to when you do not make an affirmative choice. With opt-in and opt-out, one way the default goes to the bank and the other way it comes to you. I think that that is an extraordinary difference. Chairman Sarbanes. I think that is a very important point and I said at the outset, I wanted to be careful. Because there is a very strong argument that opt-out is not adequate, the one you just made. Therefore, you should have to get an affirmative decision. But I cannot even get Professor Cate to give me opt-out on the sharing of the financial information. That would be a beginning here. At least we would begin to parse this thing out and see if we could not make some advance. I am told, no, no. Well, I have used my time. If my colleagues will indulge me, I want to ask Mr. Dugan one more question. Mr. Dugan, you cited that these States were trying to pass these statutes now under the fact that under Gramm-Leach- Bliley, it is specifically stated that the States' action in this field, that it is not preempted, that they can move ahead. And so, people go out and they fight these battles out in the State legislatures. As I understand it, you yourself have been in a number of State legislatures on this fight. Mr. Dugan. That is correct. Chairman Sarbanes. And you make the point that it has not yet passed, I think you said, in any State legislature. Is that right? Mr. Dugan. That is right. Any comprehensive statute. Chairman Sarbanes. I thought you said you drew from that the conclusion that this issue was a fading or a passing issue across the country, and that this was demonstrated that the public doesn't really care about this issue and that it is going to go away. Is that your view? Mr. Dugan. I do not think I quite said that. What I was trying to get at---- Chairman Sarbanes. You came close to it. But, anyhow. Mr. Dugan. What I was trying to get at was this. Senator Shelby. You did not say it. You were hoping it. [Laughter.] Mr. Dugan. I think there is a perception, every State or many States in the country, that the trend has been for State legislatures to take this up and pass financial privacy legislation that goes beyond Gramm-Leach-Bliley. And all I was trying to say was, in our experience, the trend has been in the other direction, with the notable exception of California. Chairman Sarbanes. And North Dakota, by direct action of the people rather than the legislature. Mr. Dugan. That is right, but that was a restoring of a law that was previously on the books. My point is that the year after Gramm-Leach-Bliley passed, there was a huge set of bills introduced that went way beyond Gramm-Leach-Bliley in many States and debated in many States. None of them passed. Then the second year, it was about half that number. And in the third year, it had dwindled to a relatively few number of States that were doing it. I am not trying to say that there is no interest in it. There obviously is. There was intense interest in California. I am just saying that if you take and look at the country as a whole, and what legislatures have done, I think that there has been a repeated set of circumstances in which legislators have decided that it has not been as easy to pass something like this in a way that works that doesn't create unintended consequences. There is also a notion that this new Federal scheme has gone into effect, and we should give it a chance to work before we decide to layer on inconsistent privacy statutes across the country, which the FSCC thinks would be a disaster. Chairman Sarbanes. So, you think it is going to go away? Mr. Dugan. No, I did not say that. I think we have work to do. I think there has been a problem with the notices. They do have to get better. Chairman Sarbanes. Where are you going to be if California passes an initiative on this issue? The California legislature came close this year, as I understand it, very close. But where are you going to be if they pass an initiative in California? Mr. Dugan. Senator, that is a hypothetical situation. Chairman Sarbanes. Do you think an initiative would pass in California on the basis of the North Dakota experience? Mr. Dugan. I certainly would hope not. Chairman Sarbanes. Mr. Kasper, you wanted to add to that? Mr. Kasper. Yes, thank you, Mr. Chairman. Just an observation. If the other States in the last 2 to 3 years were bombarded by the banking lobbyists as North Dakota legislators were, when they were confused and misled by the bank arguments, which I laid out earlier, I can understand why no legislation passed in those other States. We were different in the fact that we had a law to protect and the people decided to refer it. And when the people made connection with the truth, the people spoke loudly and clearly. That is what I believe is the sentiment all across the United States, as you have heard from your colleagues here on the panel and from the panel members themselves. This is a national strategy, I believe, by the financial services industry, led by the banking industry, to confuse the issue and kill any type of legislation that is attempted in North Dakota. I wish they could come to North Dakota now and talk to some of my legislative colleagues who went through this media battle and now understand the issue, who are very angry at the way that our legislators were misled by the lobbying efforts of the banking institutions. So you confuse. You mislead. Sometimes you out and out lie. And the legislators, with that type of pressure, are going to go along with no change because they may think that is what is in the best interest of their State, which it is not. Chairman Sarbanes. Yes, Attorney General Hatch. Mr. Hatch. Mr. Chairman, I would like to point out for Minnesota, that at least the lobbying effort that occurred did not diminish the issue. It is coming back and it will continue to come back until something passes. But I do want to point out, it wasn't just the banks. There is a lot of different interests involved in this. You have the telemarketing companies. You have, as I mentioned, insurers, HMO's. And frankly, if I took a poll of the banks in Minnesota, you would find probably a majority in favor of privacy, but they would be the smaller ones. They do not want this information out there. They do not want this information being taken by a Citibank or whoever, and then stealing their clients. It is not the small ones who are doing it. So do not give too bad a rap here to the banks of America. A lot of the small ones are not interested in this issue at all. They have operated very well with an opt-in system because they do not want to do it. As I mentioned before, a First Amendment right to disseminate, does this mean that an employee of mine--I have companies that represent companies, an employee can take the customer list? They have a First Amendment right to disseminate it? Does the bank have a right to take the bank deposits of my clients and go disseminate it to their competitors, their customer list? I do not think so. There has been very strong privacy rights by common law in this country with regard to property assets. I would hope that GLB did not touch that. But you know what? I suppose one could interpret it to have done so. What a tragedy? Chairman Sarbanes. I am going to yield now to Senator Shelby. Did you want to say something? Mr. Dugan. Mr. Chairman, I want to respond on the point about smaller banks. I think the fact is that smaller banks have to share information with other financial institutions to offer the range of competitive products that diversified financial institutions can provide. And we are very strong supporters of that kind of sharing, which is precisely what was recognized in Gramm-Leach-Bliley, and which was precisely what was recognized even in the California bill that almost passed. Chairman Sarbanes. Well, but should the consumer have a say in that? Shouldn't he have a say? That's all. That's all. I do not think there is any approach that would rule it out absolutely. It would just put the decisionmaking authority in the person who provides the information. It is personal information about them, and they should have, it seems to me, should be able to control where it goes and what is done with it. But I have strayed over my time. I yield to Senator Shelby. Senator Shelby. Thank you, Mr. Chairman. Again, I want to thank you for calling this hearing. I also want to commend Senator Sarbanes, that in the conference, we were all on it with the House, dealing with Gramm-Leach-Bliley, Senator Sarbanes had the foresight to offer the amendment to protect the States' ability to deal in this area over and above. I think that is so important to Senator Sarbanes. I have been involved with you and I have worked with you and I have worked with a lot of people on this. I believe myself that the people ultimately are going to prevail here. The people are going to win this battle, no matter how much money is spent against it because this is an important right of the people, as Ms. Schlafly talks about. Mr. Kasper, I have a few observations and some questions. One, I want to commend you for getting involved and what the people of South Dakota did. That was not isolated--of North Dakota, excuse me. Made a mistake. Mr. Kasper. That is all right. Senator Shelby. But what they did, they understood the issue. And if the people understand the issue, they are not going to give their privacy away. I believe that. Not many of them, and so forth. I do want to also take a few seconds and commend both the Attorneys General here. They have been outspoken. Somebody has to speak up for the people, and they do this. Ms. Schlafly, we have worked together on a number of issues, and this privacy issue cuts across all political philosophy, and all parties, Democrats, Republicans, and so forth. I have worked with Mr. Mierzwinski on a number of occasions. I wish my State of Alabama had a referendum proposition, a proposition where you could bypass the legislature, if you had so many people. A lot of the States do. And that goes back to the Sarbanes Amendment. That is going to be the linchpin to this, I believe. Now, I want to direct this to Mr. Dugan and Professor Cate. I would like to know from you, if you can, to the extent that you can provide the details here, what happens to, and I will just use myself here, my personal information when I open a checking account, get a credit card, and that kind of thing. Just say I were to go down the street here and open up a checking and savings account. What happens to that information? Let me just run down a list of questions. What information are they required to obtained from me? How does the bank use it? Do they share it? And yes, what do they actually share, and who with? Why do they share it? Well, I think we know that. Who do they share it with? Affiliates? Third parties? Partners in joint marketing agreements? You can create those. That is so easy. Do they sell it? What effort does the bank or financial institution make to ensure its security? Or how can it be secure once it is gone? What about affiliates and third parties who may gain access to the information? Do they undertake efforts to protect it? Who do they protect it from if they are using it? All these questions I think need to be answers because people in America, across all party lines, are going to be asking. They are beginning to. And hearings like this help. Can you help me there? Mr. Dugan. Well, let me start and there is quite a long list. Senator Shelby. Sure. Mr. Dugan. If there are other things, we would be happy to furnish it for the record as well. Professor Cate can jump in as well. Senator Shelby. Sure. Mr. Dugan. I think in the first instance, when information is collected from consumers, there are two kinds of information. The first is information that is used to make a judgment about making a loan to you or underwriting insurance for you. That kind of information is covered by the Fair Credit Reporting Act. And because that information can be used to make an important decision, it can have a very important effect on the consumer, the restrictions on that information under Federal law are stricter than they otherwise would be. In fact, that kind of information cannot be shared with third parties except under very specific circumstances such as sharing with the credit-reporting agencies. It can only be shared with affiliates subject to an opt-out. If the information doesn't relate to that kind of information, then the Gramm-Leach-Bliley system kicks in and the information can be shared to carry out things that I think everybody would say it should be shared for it. It obviously has to be shared with third parties when you write a check and the check goes through the clearing system to other banks to carry out your transaction. It has to be shared with third parties in order to do the very thing you have asked for. And nobody quibbles with that, and I am sure you do not, either, Senator. But I think you then get to the question of, is it shared for marketing purposes? I think institutions use it to--they would want to know, for example, if you were a good customer of the bank and you had a large deposit, that would be a customer that they would want to make sure was treated well with respect to other kinds of products. If you were a long-time customer of the bank, that kind of information, they would want to know that. And so, the information would be shared inside the bank in order to make decisions to cross-market products, and it would be shared with affiliates as necessary if they thought that would be useful to provide products and services to you. Now, if it gets to third parties, that is where Congress drew the line and said, if it goes to a nonaffiliated third- party, then they have to give you the right to opt-out of that type of sharing. Senator Shelby. But you can create an affiliate fast, can't you? You can create a joint marketing agreement so fast. Mr. Dugan. We think affiliates---- Senator Shelby. There are a thousand ways to get around. Mr. Dugan. We do not think it is getting around. We think an affiliate is all part of the same organization. If you have Citibank and Citibank Mortgage Lender, that is really the same thing to the consumer. It is all part of one organization. The line comes when the information is shared outside the commonly controlled organization, particularly to commercial companies or nonfinancial companies. And there, Congress drew the line and said, that is a place where the consumer should have some control and that is where they established the opt- out. We think that is appropriate. Senator Shelby. You used the word scheme earlier. A lot of people believe this was a scheme. That is, the opt-out was a scheme to hijack people's personal information, knowing that with all the trouble and all the notices and not understanding what was going on, that most people wouldn't know the real issue. The notices were meant not to let them know, but to let them throw it away. Mr. Dugan. Well---- Senator Shelby. Whereas--wait a minute--whereas, if you go with the premise that this is your information that you send that belongs to your checking account, your savings account, and all this, and it is your property right, as Ms. Schlafly talks about, which I believe, it belongs to you, and you have a confidential relationship, or should have--most people think they do--with their financial institution. Gosh, how can you justifying selling that, using that without the permission of the customer, the expressed permission? How can you do it? I think Attorney General Hatch made a good point. Mr. Dugan. From our point of view, I do not believe---- Senator Shelby. And your point of view is the point of view of the people you represent, right? Mr. Dugan. It is the people who have to serve their customers every day, and it is an industry that is built on maintaining the trust of their customers. Senator Shelby. This is a way to break it down, isn't it? Mr. Dugan. Well, that is where we disagree. Senator Shelby. I think that is under attack all over America. Mr. Dugan. With all due respect, Senator, we think the information-sharing that goes on helps consumers, helps provide---- Senator Shelby. How does it help them? I want to hear that. Mr. Dugan. I will give you an example. Let's say you had an opt-in scheme and at the beginning of a customer relationship--from our point of view, many consumers do not either opt-in or opt-out. They are less sensitive to this concern. If you have an opt-in scheme and they do not opt-in to some information-sharing, they just do not pay attention to it and they do not opt-in, then they do not get to hear about some of the benefits that would otherwise apply. For example, if someone has a deposit with a bank, it is a common practice for the bank to give a discount on a mortgage provided by an affiliated company. Or it may be the case that someone has a high-rate credit card loan and the institution knows that he or she has a high-rate credit card loan and also knows that that customer could qualify for a much lower interest rate home equity loan from an affiliated company. If an opt-in restriction were in place, as in one of the California bills, you have a situation where someone would be punished for calling up and trying to tell the customer that he qualified for something that was of real benefit to him, because he did not opt-in at the beginning of this relationship. Senator Shelby. Mr. Kasper. Mr. Kasper. Thank you, Senator Shelby. That begs the question. We are here talking about banking products. What about insurance and securities products. An inducement to purchase an insurance product is called a rebate and it is illegal under almost all State insurance laws. What about the small independent business people across the United States who are in the insurance and securities business as independent entrepreneurs trying to make a living competing with this inside information that is being passed around by the banks to their insurance organization to their securities organization? It wipes out competition. It wipes out small business. Our Nation is built on competition. This is anticompetition and the basis, the lifeblood of it is the free-flowing of this confidential information inside the financial conglomerates. Where we are heading with this is thousands and thousands of businesses being out of business because we cannot compete. Senator Shelby. And fewer choices for the consumer. Mr. Kasper. Absolutely fewer choices, Senator. Absolutely. The ones that benefit are the big institutions, not the consumer. Senator Shelby. Attorney General Hatch. Mr. Hatch. Mr. Chairman, Senator Shelby, I believe the question was about the industry, are they reflecting the needs of their customers? Exhibit A, what I filed, is a customer sheet. This is from Fleet Mortgage. These are their customer service reps and what they told the officers of Fleet Mortgage. I just briefly have a couple of comments. ``Ninety-five percent of my calls pertain to people wanting to cancel their policies. I think we should have to get a signature.'' Another one says, ``They feel it is a fraud, it is a scam, they never wanted the insurance.'' Another one is, ``I think it is more hassle than it is worth.'' Another one is, ``I apologize for the inconvenience.'' Another one is, ``Customers should have to sign up for the products. Don't just add them to accounts.'' And by the way, this is the company. This is an affiliate of the company. The best one from an employee of Fleet Mortgage to its officers. Chairman Sarbanes. So these are some internal comments of the company. Mr. Hatch. Oh, yes, internal. Chairman Sarbanes. Internal. Mr. Hatch. I am hopefully not breaking too many laws here. [Laughter.] Chairman Sarbanes. No, no, no. But I mean this is what they are saying to one another. It is like these stock analysts who tell people to buy the stock. And meanwhile, they are sending e-mails to one another saying what a turkey the company is. Mr. Hatch. Correct. The best one is--this is from an analyst to the supervisor--I hope that Fleet Mortgage makes enough revenue from optional insurance to justify all the calls on our 800 line from customers trying to cancel. Now is that an industry that is really representing its customers? I do not think so. In fact, I cannot find one comment--and this is their whole list--there is not one of them that is positive about what they are doing. They are all complaining. Senator Shelby. Mr. Chairman, I hope that as we go along with hearings, that we will get deeper into this and I hope that we can get some inside information like that. I also want to mention, Mr. Chairman, that I saw--and I haven't talked with him--where Congressman John Dingell had initiated a probe into the tying of loans. In other words, I will loan you the money if you buy insurance or if you do so and so. I think that is something--because that is illegal. And that is something that I hope under your Chairmanship, that we will look into, also, because that does destroy competition in a big way. Ms. Schlafly, do you have any comments on this? Ms. Schlafly. I do think that we should consider this a property rights issue. Senator Shelby. Absolutely. Ms. Schlafly. I mean, I believe I own the information about how I am spending my money and what I am planning to do. Senator Shelby. In other words, who does the information belong to? Ms. Schlafly. Right. Senator Shelby. Do you give it away? Is it gone? Gosh, if it does, the American people are going to be in for a shock, aren't they, a big, big shock. One last question, Mr. Chairman. You have been very indulgent. How many signatures does it take to get a proposition on the ballot in California? Mr. Mierzwinski. Senator, I actually do not know the exact number, but I can tell you that our organization has been involved in a number of them. It is a significant number, 1 percent or something of the people who voted in the last gubernatorial election across all of the counties. We have been involved in a number of these and we are part of a group that is, along with I believe the California Office of Consumers Union, Consumer Action, a California-based group, Privacy Rights Clearinghouse, we are seriously considering going directly to the ballot. And by the way, the industry is split on this. There is one Internet bank that is a pro-privacy bank that is supporting the initiative, e-Loan Bank. So, we are looking forward to working with an industry that actually believes that privacy is something that they can market. Senator Shelby. Mr. Kasper. Mr. Kasper. Thank you, Senator Shelby. When I was in California, I had the pleasure to meet Mr. Chris Larson, who is the Chairman of e-Loan.com, the bank that Ed Mierzwinski referred to. The amount of signatures that they will need in California is between 700,000 and 900,000. He is so serious about this issue, that he has personally put up a million dollars of his own money to help get those signatures on the ballot. I understand the way the California initiatives work, you can actually hire people to get your signatures. So it is between 700,000 and 900,000. Senator Shelby. Mr. Chairman, thank you for your indulgence. Chairman Sarbanes. Thank you, Senator Shelby. Senator Akaka. Senator Akaka. Thank you very much, Mr. Chairman. Mr. Chairman, we seem to be listening to a choir that is singing the same song about a huge problem out there in America. Chairman Sarbanes. Well, there is some dissonant notes in this choir, I add. [Laughter.] Dr. Cate. Thank you, Mr. Chairman. [Laughter.] Senator Akaka. There is a huge problem out there in America having to do with the privacy notices. I just happened to have a few here that I have been looking at. I have been reading and rereading the notices. The notices are very complex and difficult to understand. What kinds of changes can be made to privacy notices to make them easier to understand? Also, what do the privacy notices fail to include that consumers should know? If we can get feedback on these questions, that may help us in our quest to craft language that can help. Mr. Dugan. I would be happy to respond, Senator. We agree with you that the privacy notices are more complicated than they should be. And as I said in my testimony, I think a real fundamental part of the problem is that there is always a tension with privacy notices about trying to give enough information to consumers to make an informed judgment, but not giving too much information so that people are confused and end up not reading the notices. I think the regulators tried very hard to come out with things that simplified the requirements of the statute. But in the end, it turned out that what they proposed, and some of the sample clauses that they proposed and some of the legal terminology that they used was very, very complicated. Indeed, some of the language that the Attorney General from Vermont quoted earlier was taken right out of these sample clauses. Regulators recognize this, as does the industry. But the industry is in a bit of a Catch-22 because when they see what the regulators have put out and what they put in these sample clauses, they have to hew pretty closely to it because, if they do not, they fear exposure to legal liability. And so, there is a question and there is, to be honest, some conservatism the first time out to go and do the letter of what was being prescribed, and in some cases, that came out sounding very legalistic and confusing. I think since then, there has been very much an effort to try to deviate somewhat and keep within the spirit of the law. But more importantly, there have been projects that the regulators have encouraged and the industry is now engaging in to try to come up with something that is simple, one page, that has common language terms, that language experts look at, that makes things easy to understand, to make the opt-out easy to understand and easy to exercise, and that people could use to compare among institutions. That is not an easy process. It is going to take some time to try to develop and there are several different efforts underway. But we believe that is an important direction to try to explore, and that is what we would see as the way to go about trying to improve the notices because we do believe that that is a legitimate issue. Senator Akaka. Mr. Kasper. Mr. Kasper. Thank you, Senator. I just jotted something down for your consideration. If the question and the notice said something like this: Federal law allows us to share and sell your personal financial information for marketing purposes and marketing products. If you do not tell us not to, question, yes or no? Do you want us to be able to share or to sell your information without your written permission in advance? Yes or no. That would be simple. Senator Akaka. Yes. Mr. Kasper. Bold letters, easy to understand. The consumer understands. Ms. Schlafly. How about a box to check? Mr. Kasper. That is right. Yes or no. Check the box. That is exactly what I meant. Check the box, yes or no. Senator Akaka. Mr. Hatch. Mr. Hatch. Mr. Chairman, Senator Akaka, I think that you get a very simple notice. People aren't going to respond to an opt-out. People do not read these things. There is no inducement for it. In this country, we are used to an offer and an acceptance being an agreement. You have to have an affirmative act on both sides. What we have done here is deviated from hundreds of years of commerce by saying that we are going to go to an opt-out. If the law was simply changed to saying, you cannot trade the information without permission, other than to serve the actual transactions involved, I guarantee you the bank, the credit card company, everybody, it would be very simple. It would be very clear, and they would offer something. And the consumer would respond to that offer. It might be frequent flier miles. It might be--if, indeed, about $300 is made off the sale of information on myself and on everybody else here in a year, and if 20 percent of it, if they offered that, some consumers are going to respond. Yes, I do want my magazine subscriptions to be disclosed. No, I do not want my checks to be disclosed to other people. But give me the choice. It is my property. It is a personal liberty right. If you have an opt-in, people will respond. There will be disclosure of information. It is just simply that people will pay for it. We are going to find out that it is a free enterprise system. It is a capitalist system, it should be. Let's let it work. They will make real clear disclosures. It will be clear. And they will even offer something for it. Mr. Sorrell. I agree with General Hatch, that if opt-in was the standard, the industry that is struggling now to come up with simpler and more comprehensible privacy notices would find a way quickly to say clearly what the right is and make the case that it should be granted, that it wouldn't be eight pages into the notice and it wouldn't be using this language that somebody mentioned, you have to be a lawyer to understand it. This lawyer does not understand it. So if opt-in was the standard, the industry would find a way, using its expertise, to make the most compelling case, to convince the consumer why it is in the consumer's best interest to give this permission. We have, as I think was said before, only minuscule privacy- related complaints post-Gramm-Leach-Bliley. The reason for that is because the average consumer doesn't understand the notices, doesn't understand what the industry is doing in terms of the sharing of information right now. These battles are not over in the State capitals. It is literally just beginning. Efforts by this Committee and comparable committees in State capitals around the country, this thing is just starting. Mr. Mierzwinski. Senator, I agree with the two Attorneys General that opt-in is the right way to go. Without opt-in, you need to improve the notices by going to something like an express statutory language that appears in a box, as General Sorrell suggested earlier, similar to the nutrition box on the front of the notice. Because the only right you have is the limited right to say no to some of the sharing. But most of the notices put that at the end of the eight pages. The right has to be moved forward and then needs to be marketed by the agencies. And the legal gobbledygook and doublespeak needs to be eliminated. Senator Akaka. Yes, Dr. Cate. Dr. Cate. Senator, two responses, if I may. First, I think we have to distinguish the setting in which you are talking about consent being obtained. If we are talking about the opt-in or opt-out or whatever the choice is being on the document that opens the account or you apply for the loan, clarity of the notice will I think undoubtedly come and getting consumers to respond is comparatively easy because they have to respond. They have to do something to move on. What Gramm-Leach-Bliley did and what I think is of greater concern, is to apply a requirement to data that has already been collected, so consumers who are not coming to an institution looking for service, but rather, requiring the institution to go out to the consumer. We know that it is very difficult and enormously intrusive to the consumer to actually reach them. There are many studies, there is testimony before the Federal Communications Commission, there have been court cases on this about the number of phone calls it takes, the number of letters it takes, and the fact that adding money to the offer makes absolutely no difference statistically. For example, the Post Office tells us that unsolicited commercial mail, not first-class mail, but unsolicited commercial mail, that half, 52 percent of those are thrown away without being opened. So it won't matter how many $5 bills you stuff in the envelope. If they are thrown away without being opened, it is going to be very difficult to get consent, no matter what the consent system is. The first point is that it is critical to keep in mind here the difference between the settings in which we might ask for consent. The second point is the question of liability related to notice. It would be much easier to write standardized notices, which I think were suggested earlier and are a terrific idea, notices you could compare across institutions like food labeling. The problem right now is that all of the information you have to explain to comply with the law, and if you explain inaccurately in any degree, you are liable. It is a strict liability standard. So if you say, ``no, we do not share your information with third parties,'' but it turns out you actually have a processing service that does work for you under contract, even though it cannot do anything with the information other than process it, that violates the terms of the notice. Then you get these complicated statements--``we do not share information with third parties, other than for processing purposes''--and these lengthy explanations. If we move to a common sense regulatory system, if the FTC, for example, were empowered to develop a system of basic questions that consumers would find the answers useful to--``Do you share information with third parties for marketing? Yes or no?'' That would be a question that I think all of us would understand the answer to, and I think frankly that is what many of us care about. We are not actually interested in who processes your payroll or who processes your checks. We want to know, ``Are you sharing the information so that I am going to be getting mail.'' That type of notice offers tremendous opportunities because it also allows for real customization. You can say, not only ``Do you want to hear from us or not,'' but also you can say, ``Do you want to hear from us by e-mail? Do you want to hear from us by mail?'' We can actually allow a tremendous amount of consumer choice. But we are going to have to back away from this very complex strict liability regime to make that work. Senator Akaka. Mr. Kasper, did you have a comment? Mr. Kasper. I did, Senator. Thank you. I just wanted to be sure the record reflected, in responding to your question about what the notice should say. That does not mean that I agree that that is what the notice should be. I support no-opt for affiliate-sharing and opt-in for nonaffiliate-sharing. The comments from the industry spokesmen begs to ask, are you assuming, then, that the people of the United States are sitting at home breathlessly waiting for their telephone to ring so that they can buy something from you on the telephone that they neither want, nor need? I happen to believe that the answer is no. People will buy when they want, from whom they want, and what they want, if they are left alone. This bombardment by the telemarketing organizations and the banking organizations assumes that the people want the stuff. They do not want it. They do not want to be intruded upon. They want to be left alone. Senator Akaka. Mr. Chairman, I know that my time is up. I just want to mention that next year, we may be considering the Fair Credit Reporting Act. We will need to look at possible changes in the legislation to ensure that consumers have the necessary privacy protections. Thank you very much, Mr. Chairman. Chairman Sarbanes. Thank you very much, Senator Akaka. Senator Carper. COMMENTS OF SENATOR THOMAS R. CARPER Senator Carper. Thank you, Mr. Chairman. To our witnesses, welcome. We thank you for your testimony today and for your response to the questions that are being posed. When Congress was debating and finally passing Gramm-Leach- Bliley, I was back in Delaware trying to govern the State as their Chief Executive and I did not participate in the debate here or in the conference. I do not know if any of you are comfortable in taking us back a couple of years to the time when that debate was ongoing and the compromise was worked out, which is now part of the law of the land. And just take a minute and tell this old governor, how did we end up with the compromise that we now have? Mr. Dugan. Well, I was involved at the time representing financial institutions. I think--and this is just one person's view of how this came about--that there was, in fact, tremendous concern about imposing an opt-in regime and that, on the other hand, I think there was true concern about when information is shared outside a corporate family, and it led to the notion that something should be done to provide consumers with control when information gets shared outside of a corporate family. That is where the debate first started about providing-- some people wanted to go further and some people thought that we did not need anything. But that is where Congress struck the balance and said, we should allow consumers the right, make institutions give consumers the right, to opt-out for sharing outside of the corporate family. On the other hand, smaller financial institutions came in and said, that is not quite fair because for us to compete and offer a range of financial services, there are relationships that we have to enter into, joint marketing relationships with other financial institutions--not just any company, but other financial institutions--in order to survive, and we have to be put on the same footing, the same playing field as affiliates. That is what caused the creation of the joint marketing exception for the sharing of information with other financial institutions. Congress also imposed strict limits on the redisclosure and reuse of information, however it was shared. There was also tremendous debate--when this thing got started, everybody thought it was simple, but there were many, many kinds of information that needed to be shared, and not just to carry out a transaction. The law recognized a whole host of exceptions from the opt-out restriction, these exceptions were very suspiciously viewed at the time, but turned out to be very wisely put in and have not been controversial since then. For example, sharing information with regulators, for judicial process, to detect fraud, to share with credit bureaus, etc. That was the basic structure that was put in place. The notion also was, you had to have notices because opt-out only works if you have meaningful notices, and you had to have a regulatory scheme to enforce it and actually write detailed regulations about it. What has happened since then is that this is the first time that the Government has written such detailed privacy regulations. In a sense, the financial services industry has been something of a guinea pig in that you have very detailed regulations being written for the first time where people had to struggle on how these kinds of things were sorted out and a number of decisions were made. I think a lot of progress was made, but, obviously, as I mentioned in context with the notices, there are more improvements that could be made. Senator Carper. General Hatch. Mr. Hatch. Mr. Chairman, Senator Carper, this is my recollection and it is from the hinterland. So, I could be totally wrong and I am sure the Chairman has a much better recollection of how this privacy provision got into play. But in the hinterland, in June, I sued a bank, U.S. Bank, and alleged that they had taken a million depositors and sold 22 pieces of information to telemarketers, making a lot of money on this thing. The day before, the OCC Chairman Hawke had given a speech in San Francisco, and he had been harping about this for years, saying, banks, you have to clean up your act. They are all denying it. So the day afterwards--they all denied it--we filed the suit. Very clearly, we were in communication with the OCC on this issue. We filed the suit, and I will never forget it. On Wednesday, all the banks said, oh, we are not doing this. Just U.S. Bank. By Thursday, all of them were saying, I guess we are doing it. We are not going to do it any more, because we were basically saying, it was consumer fraud because they had said that there was a right to privacy in their literature. We were also alleging a common law right to privacy with regard to financial data. They were disclosing, for instance, your high balance, your low balance, all sorts of information from whence, you know, a telemarketer will know when to hit you, which day of the month, how much disposable income you have, what your age is. And, as I mentioned earlier, two-thirds of this is targeted to the senior citizens. We were plowing through on this suit, and the bank came in and we started doing some negotiation. We had an opt-in agreed. But then, I get a call and I am told that the GLB, Gramm- Leach-Bliley, is going through, which had nothing to do, to my knowledge, with privacy. The Chairman would know better than I. But my understanding was that it did not have anything to do with privacy at that time. There was a grand debate over Glass-Steagall that was passed in 1933, and the Douglas Amendment that was passed in 1956 with regard to what banks, what business they could get into. And next thing I know, all these banks are plowing into Minnesota, or at least these lobbyists plowing in, all these threats and no, you cannot settle this thing with an opt-in. Congress is going to preempt everything. But for the Chairman's amendment, everything we were involved with then would be worthless. I do not think this was any great thought-out privacy act. But for the efforts to hold it off and allow the States to do something, it was just simply a way to get around killing the right to privacy as it relates to banks. Maybe I am wrong. Chairman Sarbanes. Well, for the sake of full and of fair disclosure---- [Laughter.] --we should register that the position of the industry at the time was that there should be no privacy protection. That was their basic position. Now, what we ended up with in the bill was, there was an effort made to try to deal with the privacy issue and we got what I regard as some minimal provisions. But also, in light of the fact that they were so minimal, we were able to get a provision in, an explicit provision, that the States could go beyond the Federal. My own view is that if we had not gotten that provision in, that we would still not have preempted. But it would have left open the argument to be made, which I am sure the industry would have made, that simply putting the standard, the minimal standards, in constituted a preemption, even though the legislation might not have said that there was a preemption. In any event, we were able to avoid all of that by getting the explicit provision that the States can go beyond, and therefore, I think, saving the Attorneys General a lot of litigation that otherwise would have occurred, asserting that the minimal standards in Gramm-Leach-Bliley constituted a preemption. But to put all of this into perspective, the industry's position at the time that we were considering this legislation was that there should be no privacy protections. Mr. Dugan, I have to say to you and your clients here today that this issue has not reached a point of equilibrium or a point of repose, in my judgment. In other words, I do not think that the current provisions about privacy protection are perceived by most people as being adequate. Therefore, I think this issue is going to remain on the agenda. And it seems to me that it behooves those that are interested in it to start thinking in a positive and constructive way about what the system could be that would provide the extent of protection that most people would conclude is appropriate, that puts the issue to rest and might well encompass within it accommodations for some of the administrative things that the industry is concerned about. At least that should be examined and considered. Otherwise, it is my prediction that if we continue along in the current path, there will be the equivalent of Enron and Worldcom one of these days in the privacy field, and you may well end up with a regime which you say, oh, how did we ever get to this point? And the answer is going to be, you got there because you weren't trying to work through to a positive and rational solution. Now, I want to commend the Attorneys General for the interest they have taken. It is extremely important. And I know the two of you are only reflective of many others in other States across the country who have interested themselves in this issue. Mr. Kasper, certainly you contributed immeasurably by coming here today and telling us the North Dakota experience. Of course, Mr. Mierzwinski has been working on this issue. Ms. Schlafly, I have to say, you added this property dimension issue, property rights dimension. It is a very interesting dimension. I had not really thought about it as much as I probably should have until you started speaking here today. It is very interesting. If it means so much economically to these institutions to get this information and use it, obviously it has some kind of property value. It starts out coming from the consumer. That value should be protected or at least compensated for, perhaps. It raises a very interesting question, over and above the basic privacy issues. Anything else, Senator Carper? Senator Carper. Just one last thing, if I could. I am going to ask if maybe Mr. Dugan would just reply for the record and not here today because the hour is late. My wife is from North Carolina. A member of her family's identity was stolen, a victim of identity theft. Probably everybody here knows someone personally who has gone through what she has gone through. It has not been fun. And just in the last week, I get a weekly report from a person on my staff in Delaware who heads up constituent services for me. We are beginning to see a growing number of people who call our office because they too are victims of identity theft. The question I am going to ask, perhaps, for Mr. Dugan--I do not mean to pick on you, but just for the record, if you could let me know what steps you are aware of that the financial services industry is taking to help combat this problem. Mr. Dugan. I would be happy to do that, Senator. And I do just want to say, very briefly, that you raise a very good point. That is precisely the kind of thing, we do think that that is a real issue. And it is that kind of issue that, if there is a need, should be addressed, that there is legislation that needs to be done to take some steps in that direction. That is something, a targeted kind of harm where there is a problem. Then we should try to come up with things that go right at that, as opposed to something very nebulous and broad-based about information-sharing generally, to try to get at the same thing. But we would be happy to respond. Senator Carper. Thank you. Mr. Mierzwinski. Senator, if I could add briefly. From the consumer groups' perspective, identity theft results largely from a failure of the big banks, the credit card companies, and the credit bureaus to adhere to all of the Fair Information Practices and take care of our information. It is too easy for a thief to represent themselves as me. All they need is my Social Security number, a very poor unique identifier, and my name. And then they apply in my name. The credit bureau gives the bank a copy of a credit report that says, he passes, and then the credit card is mailed to the wrong guy. That is how easy it is. We consider this debate over opt-in and opt-out sometimes covers up all of the other issues related to privacy. But how the institutions take care of information is just as important. Senator Carper. Thanks, Mr. Chairman. Chairman Sarbanes. I may note as we draw to a close that the European Union has developed privacy protections well beyond anything that we have here. American companies are trying to meet an adequacy standard. They have not been able to do that yet. They may have to go to Safe Harbor, which they do not want to do because they would have to elevate the protections they provide. But I am increasingly concerned about this. The EU is a growing economic force, and its size, both in terms of population and gross national product compares with the United States. If we are not careful, many of the advantages that we have had as the economic leader, and I think, suppose the EU moves ahead with better privacy protections. They seem to be moving ahead with better accounting standards, although we may now be able to remedy that situation. But they have this accountability--we used to say to them, you have to do American-style accounting because that is the best in the world, the most transparent. We have the best integrity of the markets. And now they are saying to us, what? [Laughter.] They are out there trying to compete with us because we are falling short. These issues have far-ranging implications, I think. And this does not strike me as the issue that you are either here or you are there. There is obviously a whole area in which we can work to try to reach a reasonable solution. But I do think if we are going to do that, we have to move significantly back in the direction that our starting point is that this information belongs to the individual who provides the information. And then you go from there in terms of what uses can be made of it and the individual's involvement in making that judgment. We want to thank all of you for coming. This has been an extremely helpful panel. We appreciate the time and the effort that each of our witnesses gave in preparing for it. The hearing stands adjourned. [Whereupon, at 12:35 p.m., the hearing was adjourned.] [Prepared statements and additional material supplied for the record follow:] PREPARED STATEMENT OF WILLIAM H. SORRELL Attorney General, State of Vermont September 19, 2002 Good morning, and thank you for inviting me to speak with you today on the important issue of financial privacy. I would like at the outset to recognize and express my gratitude for the critical role played by this Committee in the protection of consumers' financial privacy. Unfortunately, the Gramm-Leach-Bliley Act (GLB) \1\ does not protect consumers' financial privacy as intended by this Committee. I recommend that this Committee take further action to ensure that its previous good work results in real protections for consumers. --------------------------------------------------------------------------- \1\ Pub. L. No. 106 -102 (1999). --------------------------------------------------------------------------- In these comments I address the following topics: 1. The inability of GLB, as currently construed by Federal regulators, to stop the abusive telemarketing practices that gave rise to the financial privacy provisions of GLB in the first instance. 2. The inability of consumers to exercise their rights under GLB because industry notices are incomprehensible. 3. The problems associated with sharing of financial information among corporate affiliates. 4. The need to allow States to continue to address problems associated with sharing of financial information both among affiliates and nonaffiliated third parties. 5. Recommendations for Congressional action in these areas. GLB Does Not Protect Consumers From Harms Associated With Sharing Nonpublic Financial Information Congress intended Title V of GLB to protect consumers from abuses associated with sharing of nonpublic personal financial information. As a result of enforcement actions brought by State Attorneys General against information-sharing practices of major banking institutions, Congress created Title V to protect consumers with respect to such sharing of their financial information. However, the provisions of Title V are insufficient to protect consumers from the harms associated with these practices, and pose considerable risks to consumers. The provisions that allow financial institutions to share encrypted account numbers and other forms of billing information for marketing purposes are particularly troublesome. Moreover, the notices issued by financial institutions under GLB have been dense and require a high reading level to comprehend, resulting in consumer confusion and inability to exercise informed choice. Congress should act to correct these problems, thus ensuring Title V's capacity to protect consumers in the area of financial privacy. GLB Does Not Protect Consumers From Fraudulent Telemarketing The information held by financial institutions about their customers is highly valuable. While financial institutions might not disclose this highly valuable information to their competitors, they do disclose this information to marketing partners and to third parties for the purpose of jointly marketing products and services unrelated to the customers' current service selection, and even unrelated to the particular type of services performed by the financial institution itself. The harm to a consumer resulting from this type of information- sharing stems from the tactics sometimes used in marketing new products to the consumer, who usually does not realize that the marketer already has the consumer's credit card number, or access to the credit card account through an encrypted number or other unique means of identification. Indeed, it was well known in 1999 that practices of sharing customer financial information by major banking institutions facilitated these telemarketing abuses. In the spring of 1999, the Minnesota Attorney General announced a settlement with U.S. Bancorp, resolving allegations that U.S. Bancorp misrepresented its practice of selling highly personal and confidential financial information regarding its customers to telemarketers. One year later, thirty-nine additional States and the District of Columbia entered into a similar settlement.\2\ The States' investigation focused on the bank's sale of customer information--including names, addresses, telephone numbers, account numbers, and other sensitive financial data--to marketers. Based on this confidential information, the marketers made telemarketing calls and sent mail solicitations to the bank's customers in an effort to get them to buy the marketers' products and services, including dental and health coverage, travel benefits, credit card protection, and a variety of discount membership programs. Buyers were billed for these products and services by charges placed on their U.S. Bancorp credit card. In return for providing confidential information about its customers, U.S. Bancorp received a commission of 22 percent of net revenue on sales with a guaranteed minimum payment of $3.75 million. --------------------------------------------------------------------------- \2\ The basis for the States' action was their charge that U.S. Bancorp misrepresented its privacy policy to its customers. In some account agreements provided to its customers, the bank listed the circumstances under which information would be disclosed, but failed to include any reference to the bank's practice of providing such information to vendors for direct marketing purposes. --------------------------------------------------------------------------- As a result of the evidence uncovered through the U.S. Bancorp case, Congress intended to limit the ability of financial services companies to sell or give their customers' nonpublic personal information to third-party telemarketers. Congress intended to forestall these abusive telemarketing practices by specifically prohibiting financial institutions from sharing an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer with any nonaffiliated third-party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.\3\ --------------------------------------------------------------------------- \3\ Gramm-Leach-Bliley Act, Pub. L. 106 -102, Nov. 12, 1999, 113 Stat. 1338, Section 502(d). --------------------------------------------------------------------------- However, the regulations adopted to implement GLB allow financial institutions to sell or to share encrypted credit card numbers or other unique identifiers, which enables the telemarketing abuses that were at the heart of Congressional concern to continue unabated. The Federal agencies' rules implementing this section on sharing of account numbers sets forth two ``examples,'' the first one of which states: Account number. An account number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the bank does not provide the recipient with a means to decode the number or code. CFR Sec. 40.12(c) [emphasis added]. Thus, a telemarketer or other recipient of an encrypted account number or unique identifier is able to notify a financial institution that a particular consumer indicated a desire to purchase an item, thus causing the consumer's account to be charged, without ever asking the consumer for permission to charge the account. The financial institution then uses its decode mechanism, which it never shares with an unaffiliated party, to determine which account to charge. This type of marketing is known as ``preacquired account'' telemarketing. The possibility of unauthorized charges and fraudulent practices in such circumstances is greatly increased over situations where the consumer must affirmatively give a credit card number for the account to be charged. Preacquired account telemarketing is inherently unfair and susceptible to causing deception and abuse, especially with elderly and vulnerable consumers. Preacquired account telemarketing turns on its head the normal procedures for obtaining consumer consent. Other than a cash purchase, providing a signature or an account number is a readily recognizable means for a consumer to signal assent to a deal. Preacquired account telemarketing removes these shorthand methods of consumer control. The telemarketer not only establishes the method by which the consumer will provide consent, but also decides whether the consumer actually consented. The Federal Trade Commission, in its recent Notice of Proposed Rulemaking regarding the Telemarketing Sales Rule, has proposed prohibiting ``preacquired account'' telemarketing.\4\ Forty-nine States, the District of Columbia, and three Territories recently filed comments with the Federal Trade Commission that strongly support this proposal.\5\ In their comments, these States, Territories, and the District of Columbia noted that the consequence of this fundamentally unfair selling method is clear: Consumers are assessed charges for products they did not want, and did not understand they were purchasing. --------------------------------------------------------------------------- \4\ 67 Fed. Reg. 4491. \5\ Comments of 52 Attorneys General, the District of Columbia Corporation Counsel, and the Hawaii Office of Consumer Protection Regarding Proposed Amendments to the Telemarketing Sales Rule, April 12, 2002, available at www.naag.org. Fleet Mortgage Corporation, for instance, entered into contracts in which it agreed to charge its customer-homeowners for membership programs and insurance policies sold using preacquired account information. If the telemarketer told Fleet that the homeowner had consented to the deal, Fleet added the payment to the homeowner's mortgage account. Angry homeowners who discovered the hidden charges on their mortgage account called Fleet in large numbers.\6\ . . . Approximately one-fifth of all calls by Fleet customers were about these preacquired account ``sales.'' Customers overwhelmingly told Fleet that they did not sign up for the product, and wanted to know how it was added to their mortgage accounts without their approval, consent, or signature.\7\ --------------------------------------------------------------------------- \6\ The mortgage statements issued by Fleet hid the charges under the rubic ``opt.prod.'' at the very bottom of the bill in small print, such that it was extremely difficult to discover the charge or discern the purpose of the charge. For consumers on auto-draft from their checking or other bank account, Fleet gave no written notice of the charge. \7\ Comments of 52 Attorneys General, the District of Columbia Corporation Counsel, and the Hawaii Office of Consumer Protection Regarding Proposed Amendments to the Telemarketing Sales Rule, supra note 5. This Committee should take the lead in protecting consumers from such abusive telemarketing practices by prohibiting the use of encrypted numbers, unique identifiers, and other means for accessing a consumer's account. Moreover, it seems likely that, as information-sharing increases, the risk of misuse or misappropriation of such information increases as well. It may well be that the greater the quantity and level of detail of confidential information, and the more entities that possess such information, the higher the chance that the information will be stolen or misappropriated, or used for other inappropriate purposes, such as the improper denial of credit, insurance, or employment. I therefore urge this Committee to look beyond the known risks of telemarketing abuses to identify and evaluate less obvious risks, including potential identity theft. GLB Notices are Inadequate to Advise Consumers of Their Rights With Respect to Information Sharing The notices to consumers that are required under GLB \8\ are woefully inadequate. Consumers have been greatly confused by the dense information in the notices, which require a high education level to comprehend. As a result, consumers have not been adequately informed about their rights to opt-out of information-sharing with third parties. --------------------------------------------------------------------------- \8\ 15 U.S.C. Sec. 6802(b)(1)(A). --------------------------------------------------------------------------- The opt-out notices provided by financial institutions in their effort to comply with GLB have not been ``clear and conspicuous,'' as those terms are commonly understood. Opt-out notices mailed by many financial institutions have been unintelligible and couched in language several grade levels above the reading capacity of the majority of Americans.\9\ Experts have highlighted the inadequacy of such statements. Mark Hochhauser, Ph.D., a readability expert, reviewed sixty GLB opt-out notices. Dr. Hochhauser determined that these notices were written at an average third or fourth year college reading level, rather than the junior high level comprehensible to the general public.\10\ For example, the notice sent to customers by one financial institution stated: --------------------------------------------------------------------------- \9\ See Robert O'Harrow, Jr., ``Getting a Handle on Privacy's Fine Print: Financial Firms' Policy Notices Aren't Always `Clear and Conspicuous,' as Law Requires,'' The Washington Post, June 17, 2001, at H-01. \10\ Mark Hochhauser, Ph.D., ``Lost in the Fine Print: Readability of Financial Privacy Notices,'' http://www.privacyrights.org/ar/GLB- Reading.htm (2001). If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties, you may opt-out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law).\11\ --------------------------------------------------------------------------- \11\ See Hochhauser, supra n. 10. Recent surveys demonstrate that consumers either never see and read such complicated opt-out notices, or they do not understand them. A survey conducted by the American Bankers Association \12\ found that 41 percent of consumers did not recall receiving their opt-out notices, 22 percent recalled receiving them but did not read them, and only 36 percent reported reading the notice. Another survey, conducted by Harris Interactive for the Privacy Leadership Initiative, announced its results in early December 2001.\13\ The Harris Survey indicated that only 12 percent of consumers carefully read GLB privacy notices most of the time, whereas 58 percent did not read the notices at all or only glanced at them. The Harris Survey further indicated that lack of time or interest and difficulty in understanding or reading the notices top the list of the reasons why consumers do not spend more time reading them. --------------------------------------------------------------------------- \12\ Available at http://www.aba.com/Press+Room/bankfee060701.htm. \13\ Available at http://www.ftc.gov/bcp/workshops/glb (hereinafter ``Harris Survey''). --------------------------------------------------------------------------- Those consumers that do read the GLB notices have voiced numerous complaints, raising concerns that the financial institutions' unintelligible notices are an attempt to mislead them.\14\ The opt-out approach promulgated under GLB has proven so problematic that the Federal agencies that administer the regulations under GLB convened an Interagency Public Workshop to address the concerns that have been raised ``about clarity and effectiveness of some of the privacy notices'' sent out under GLB.\15\ The agencies noted that consumers have complained that ``the notices are confusing and/or misleading and that the opt-out disclosures are hard to find.'' \16\ --------------------------------------------------------------------------- \14\ Harris Survey, supra n. 13. \15\ Interagency Public Workshop, ``Get Noticed: Effective Financial Privacy Notices,'' http://www.ftc.gov/bcp/workshops/glb/; see also Press Release, ``Workshop Planned to Discuss Strategies for Providing Effective Financial Privacy Notices,'' http://www.ftc.gov/ opa/2001/09/glbwkshop.htm (September 24, 2001). \16\ See Joint Notice Announcing Public Workshop and Requesting Public Comment, ``Public Workshop on Financial Privacy Notices,'' at 3. --------------------------------------------------------------------------- Where the vast majority of consumers do not even read opt-out notices, and those who read the notices cannot understand them, it cannot be said that they are able to understand their rights and exercise their choices intelligently. As a result, the Attorneys General of forty-two States, the District of Columbia, and two Territories called on the FTC and other Federal regulatory agencies to create standard notices and require much simpler language so that consumers can understand them.\17\ --------------------------------------------------------------------------- \17\ See Comments of 44 Attorneys General to Federal Trade Commission Regarding GLB Notices, dated February 15, 2002, available at www.naag.org. --------------------------------------------------------------------------- Congress should step in and require the Federal agencies to create standard notice forms for use by the financial services industry under GLB. Standard notices for financial privacy could be modeled on the nutritional labeling required by the Congress under the Nutritional Labeling and Education Act. Use of such standard notices would enable consumers to much more easily understand their rights, and to exercise their choices allowed under Federal law. The FCRA Does Not Adequately Protect Consumers From Abuses Associated With Sharing of Nonpublic Personal Financial Information Among Affiliates The concerns with respect to sharing of information with unaffiliated third parties --abusive telemarketing practices and incomprehensible notices--apply with equal force with respect to sharing of nonpublic personal financial information among corporate affiliates. The breadth and number of affiliates of some financial institutions is breathtaking, yet most consumers remain unaware of the existence or identity of their financial institutions' affiliates. Consumers should be better protected from the harms associated with affiliate-sharing by giving consumers an effective choice before credit-related information can be shared throughout a vast corporate complex. Under the FCRA, consumers have no choice as to whether their transaction and experience information will be shared with their financial institution's corporate affiliates. Moreover, once they are given a notice and opportunity to opt-out, all other information can also be shared with the corporate affiliate group. Thus information about the consumer's income, employment history, credit score, marital status, and medical history can be shared with ease among corporate affiliates. GLB greatly expanded the activities that were permissible under one corporate umbrella, as it allowed insurance, securities, and banking institutions to affiliate with each other. Even prior to enactment of GLB, financial institutions were allowed to affiliate with a broad spectrum of companies. The list of activities that are identified by the Federal Reserve Board in its rulemaking as ``financial'' in nature or closely related to financial activities, and therefore permissible for inclusion within a financial holding company, goes well beyond traditional financial activities, and includes the following:Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State. Providing financial, investment, or economic advisory services, including advising an investment company (as defined in Section 3 of the Investment Company Act of 1940). Issuing or selling instruments representing interests in pools of assets permissible for a bank to hold directly. Underwriting, dealing in, or making a market in securities. Leasing real or personal property (or acting as agent, broker, or advisor in such leasing) without operating, maintaining, or repairing the property. Appraising real or personal property. Check guaranty, collection agency, credit bureau, real estate settlement services. Providing financial or investment advisory activities including tax planning, tax preparation, and instruction on individual financial management. Management consulting and counseling activities (including providing financial career counseling). Courier services for banking instruments. Printing and selling checks and related documents. Community development or advisory activities. Providing financial data processing and transmission services, facilities (including hardware, software, documentation, or operating personnel), databases, advice, or access to these by technological means. Leasing real or personal property (or acting as agent, broker, or advisor in such leasing) where the lease is functionally equivalent to an extension of credit. Providing investment, financial, or economic advisory services. Operating a travel agency in connection with financial services.\18\ --------------------------------------------------------------------------- \18\ Examples 1- 4 are from 12 U.S.C. Sec. 4(k); examples 5 -13 are from 12 CFR Sec. 225.28; and examples 14 -16 are from 12 CFR Sec. 211.5(d). Thus the types of businesses with which traditional financial institutions may now affiliate themselves, in addition to banking, --------------------------------------------------------------------------- insurance, and securities brokerage, include: mortgage lenders; ``pay day'' lenders; finance companies; mortgage brokers; account servicers; check cashiers; wire transferors; travel agencies operated in connection with financial services; collection agencies; credit counselors and other financial advisors; tax preparation firms; non-Federally insured credit unions; and investment advisors that are not required to register with the Securities and Exchange Commission.\19\ --------------------------------------------------------------------------- \19\ 16 CFR Sec. 313.1 (b). Also included among the list of permissible affiliates are institutions that are ``significantly engaged in financial --------------------------------------------------------------------------- activities,'' such as: A retailer that extends credit by issuing its own credit card directly to consumers. A personal property or real estate appraiser. An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days. A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization or individuals who are currently employed by or seeking placement with the finance, accounting or audit department of any company. A business that prints or sells checks for consumers, either as its sole business or as one of its product lines. An accountant or other tax preparation service that is in the business of completing income tax returns. An entity that provides real estate settlement services.\20\ --------------------------------------------------------------------------- \20\ 16 CFR Sec. 313.3 (k)(2). The number and breadth of affiliates currently associated with some of the country's major financial institutions is astounding. Submitted with these comments for the Committee's official record are the corporate affiliate lists for Bank of America Corporation, Citigroup, Inc., and KeyCorp,\21\ which serve as three examples of the level of affiliation at large- and mid-sized banking institutions in this country. Bank of America lists 1,476 corporate affiliates; Citigroup lists 2,761 corporate affiliates; and KeyCorp lists 871. A perusal of these corporate affiliate lists demonstrates that these holding companies appear to be involved in widely disparate activities, including insurance, securities, international banking, real estate holdings, and development, and equipment leasing. Some of these affiliate operations may, in the normal course of their business, gather highly personal health information about consumers. A consumer holding a credit card with the lead bank or a property and casualty insurance policy with a major insurer in any of these affiliate groups would not expect that his or her transaction and experience information would be spread throughout the corporate affiliate structure for the purpose not of servicing the consumer better, but of marketing products to the consumer. --------------------------------------------------------------------------- \21\ These lists, and other corporate affiliate lists for bank holding companies can be obtained at http://132.200.33.161/nicSearch/ servlet/NICServlet?$GRP$=INSTHIST&REQ=MERGEDIN &MODE=SEARCH. --------------------------------------------------------------------------- The only appropriate mechanism for giving consumers control over sharing of information within such broad affiliate groups is to require that consumers be given effective notice and choice before their information may be shared with affiliates. Unfortunately, current notices to consumers about their rights under the FCRA with respect to sharing of nonpublic personal financial information with affiliates are highly inadequate, just like the notices about consumers' rights under GLB. Indeed, both GLB and the FCRA require that notices about information-sharing practices and information about how consumers can exercise their opt-out rights must be written in a ``clear and conspicuous'' manner.\22\ The Federal regulatory agencies have not yet issued any guidance on how these two notice requirements work together. Many financial institutions have incorporated their affiliate-sharing notices required under the FCRA within their notices about the sharing of information with unaffiliated third parties required under GLB. Consumers have experienced the same problems outlined previously, with respect to affiliate-sharing notices as they have experienced with notices about sharing of information with unaffiliated third parties. --------------------------------------------------------------------------- \22\ 15 U.S.C. Sec. 6802(b)(1)(A); 15 U.S.C. Sec. 1681a(d)(2)(A)(iii). --------------------------------------------------------------------------- Accordingly, Congress should require financial institutions to give consumers an effective choice before nonpublic personal financial information can be shared among affiliates. Moreover, Congress should direct that the standard financial privacy notices to be created by the Federal regulatory agencies contain a standard format for information about affiliate-sharing practices and consumers' choices to control such sharing. Congress Should Continue to Allow States to Enact More Protective Laws With Respect to Financial Privacy Prior to GLB, States had enacted provisions relating to financial privacy that were more protective than the provisions of Federal law. This Committee ensured the ability of States to continue to protect their citizenry by enacting Section 507 of GLB, which allows States to adopt financial privacy laws relating to sharing with unaffiliated third parties that are more protective than Title V. Due to the inadequacies of GLB discussed above, States and localities have been exercising this authority to ensure that their consumers' financial information is protected. Moreover, under the FCRA, the current preemption of more protective State laws relating to affiliate-sharing is due to sunset on December 31, 2003. This Committee should ensure that States continue to be entitled to enact more protective laws with respect to sharing of financial information with third parties and affiliates. State Law on Information Sharing With Unaffiliated Third Parties Recognizing that many of the problems inherent with GLB stem from the Federal law's acceptance of consumer ``opt-out'' as an appropriate means of registering consumer choice, States and local governments have been actively adopting laws that require consumers to opt-in before their information can be shared. There are currently six States that have enacted laws that require some form of opt-in before financial information can be shared by banks.\23\ Fourteen States have enacted laws or regulations that require some form of consumer consent before financial information can be shared by insurance companies.\24\ In addition, North Dakota voters recently adopted a referendum reversing the State legislature's repeal of that State's opt-in law, putting that State's banking opt-in law back on the books. Two California localities--San Mateo County and Daly City--also have recently adopted ordinances requiring affirmative consumer consent before financial information can be shared. These laws are a reaction by State and local governments to the problems associated with GLB, and an effort by these governments to provide consumers with protections greater than those afforded under Federal law. --------------------------------------------------------------------------- \23\ Alaska (Alaska Stat. Sec. 06.05.175); Connecticut (Conn. Gen. Stat. Ann. Sec. 36a- 42); Illinois (205 Ill. Comp. Stat. Ann. 5/48.1); Maryland (Md. Code Ann., Financial Institutions Sec. 1-302); North Dakota (N.D. Cent. Code Sec. 6-08.1-04); and Vermont (VT. Stat. Ann. tit. 8, Sec. 10201 and BISHCA Regulation B-2001-01). \24\ Arizona (Ariz. Rev. Stat. Ann. Sec. 20-2113); California (Cal. Ins. Code Sec. 791.13); Connecticut (Conn. Gen. Stat. Ann. Sec. 38a- 988); Georgia (Ga. Code Ann. Sec. 33-39-14); Maine (Me. Rev. Stat. Ann. tit. 24-A, Sec. 2215); Massachusetts (Mass. Gen. Laws Ann. ch. 175I, Sec. 13); Minnesota (Minn. Stat. Ann. Sec. 72A.502); Montana (Mont. Code Ann. Sec. 33-19-306); Nevada (Nev. Admin. Code ch. 679B Sec. Sec. 679B.560 - 679B.750); New Jersey (N.J. Stat. Ann. Sec. 17:23A-13); New Mexico (N.M. Admin. Code tit. 13, Sec. Sec. 13.1.3.1 -13.1.1.28); North Carolina (N.C. Gen. Stat. Sec. 58 -39 -75); Ohio (Ohio Rev. Code Ann. Sec. 3904.13); Oregon (Or. Rev. Stat. Sec. 746.665); and Vermont (VT. BISHCA Regulation IH-2001- 01). --------------------------------------------------------------------------- Some States have adopted laws or regulations that are designed to address some of the specific problems consumers face under Federal law. For example, Vermont's new financial privacy regulations specifically prohibit banks, insurance companies, and securities firms from sharing encrypted account numbers or other unique identifiers that would allow telemarketers and others to access a consumer's account. See, that is, Vermont Department of Banking, Insurance, Securities, and Health Care Administration Regulation B-2001-01, Section 13 (available at http:// www. state.vt.us/atg/Banking%20Adopted%20Rule.pdf ). Congress should ensure that States can continue to be allowed to protect their consumers with respect to sharing of financial information with third parties by enacting laws that are more protective than GLB's Title V. State Law on Affiliate Sharing Similarly, Congress should ensure that States can adopt laws that are more protective than the FCRA with respect to affiliate-sharing. The FCRA prohibits States from enacting or enforcing provisions with respect to sharing of information among affiliates until January 1, 2004.\25\ Congress should allow this preemption provision to sunset, as scheduled, on January 1, 2004. After that date, States will be allowed to enact laws with respect to affiliate-sharing if two conditions are met: --------------------------------------------------------------------------- \25\ See 15 U.S.C. Sec. Sec. 1681t(b)(2) and (d). The State provision explicitly states that it is intended to --------------------------------------------------------------------------- supplement the Federal FCRA. The State provision gives greater protection to consumers than is provided under the Federal FCRA.\26\ --------------------------------------------------------------------------- \26\ 15 U.S.C. Sec. 1681t(d). Currently, Vermont is the only State that has a law directly regulating affiliate-sharing. Vermont law, like Federal law, allows affiliates to share transaction and experience information without any notice to a consumer and without any way for a consumer to prevent the sharing. However, before financial institutions can share credit reporting information about Vermont consumers with their affiliates under Vermont law, the institutions must obtain affirmative consent--or opt-in--from the consumer. Because Vermont was the only State to have addressed the issue of affiliate-sharing at the time of the 1996 revisions to the FCRA, Congress specifically exempted Vermont's State consent provision from FCRA preemption ``with respect to the exchange of information among persons affiliated by common ownership or common corporate control.'' \27\ Congress should allow other States to address concerns with respect to affiliate-sharing by allowing the preemption of such State laws to sunset as scheduled. --------------------------------------------------------------------------- \27\ 15 U.S.C. Sec. 1681t(b)(2). --------------------------------------------------------------------------- Recommendations for Congressional Action In sum, I recommend the following as appropriate steps for this Committee to take to ensure that consumers' financial privacy is protected: 1. To prevent abusive telemarketing practices of the type that led to enactment of Title V in the first instance, prohibit financial institutions from using encrypted account numbers, unique identifiers, or other means to access a consumer's account without explicit authorization from the consumer. 2. To ensure that consumers understand their rights under Federal law with respect to financial privacy, require the Federal Agencies responsible for GLB regulation to develop standard financial privacy notices similar to the nutritional labels developed by the Food and Drug Administration under the Nutritional Labeling and Education Act. 3. Ensure that consumers have effective notice and choice with respect to affiliate-sharing. 4. Continue to allow States to enact more protective provisions with respect to sharing of financial information among unaffiliated third parties. 5. Allow the preemption of more protective State laws governing affiliate-sharing to sunset as scheduled on December 31, 2003. PREPARED STATEMENT OF FRED H. CATE Professor of Law, Indiana University School of Law September 19, 2002 My name is Fred Cate, and I am a Professor of Law and Ira C. Batman Faculty Fellow at the Indiana University School of Law in Bloomington, and a Senior Policy Advisor at the Hunton & Williams Center for Information Policy Leadership. For the past 13 years, I have researched, written, and taught about information laws issues generally, and privacy law issues specifically. I directed the Electronic Information Privacy and Commerce Study for the Brookings Institution, served as a Member of the Federal Trade Commission's Advisory Committee on Online Access and Security, and currently am a Visiting Fellow, addressing privacy issues, at the American Enterprise Institute. I appreciate the opportunity to testify today, and I am doing so on my own behalf. My views should not be attributed to Indiana University or to any other institution or person. The Importance of Consumer Concern The polling data, newspaper editorial pages, this summer's referendum in North Dakota, and anecdotal evidence all suggest that consumers are concerned about personal financial information and how it is accessed and used both by the Government and private industry. It is important to view this concern in context. The concern is not surprising, given the amount of press and political attention given privacy issues, the increased focus on privacy issues and the dramatic growth in privacy-related products and services by financial institutions, and the deluge of a billion or more privacy notices that financial institutions are required by Federal law to mail to their customers annually. When viewed in this context, I believe the existence of consumer concern is not only predictable but largely healthy: It tells us that consumers are paying more attention to important privacy issues, and are interested in how their privacy can be better protected. Given that many of the most effective privacy protections--especially to guard against identity theft--are the steps that individuals alone can each take individually, this new interest is critical. The Absence of Consumer Action It is also important not to lose sight of the context of consumer action--as opposed merely to polls. Under the requirements of Gramm- Leach-Bliley, by July 1, 2001, tens of thousands of financial institutions had mailed approximately 1 billion notices. If ever consumers would respond, this would appear to be the occasion: The notices came in an avalanche that seems likely to have attracted consumer attention, the press carried a wave of stories about the notices and about State efforts to supplement Gramm-Leach-Bliley's privacy provisions, privacy advocates lauded the opt-out opportunity and offered online services that would write opt-out requests for consumers, and the information at issue--financial information--is among the most sensitive and personal to most individuals. Yet the response rate was negligible. The available published information indicates that fewer than 5 percent of consumers responded to the deluge of notices by opting out of having their financial information shared with third parties. For many financial institutions, the response rate was lower than 1 percent. And this appears to be consistent with response rates to other privacy-related opt-out opportunities, such as the Fair Credit Reporting Act's opt-out provisions applicable to prescreening and sharing credit reports with affiliates; the Direct Marketing Association's mail, telephone, and e- mail opt-out lists; and other company-specific lists. Before considering the adoption of new privacy laws, I would urge Congress to first consider why consumers do not take advantage of existing opportunities to restrict the sharing or use of information. The Interference with Competing Desires Consumers' concern about privacy protection must also be examined in the context of other consumer issues. Consumers want not only more privacy, but also lower rates on mortgages and loans, higher returns on CD's and investments, and faster and more personalized service. Privacy laws can interfere with these other objectives, both by restricting the flow of information on which they depend, and by imposing high transaction costs on consumers and financial institutions alike. Restricting the Benefits of Open Information Flows Consider just a few of the many examples of the consumer benefits that depend on accessible information and that are threatened by more restrictive privacy laws. Businesses and other organizations use personal information to identify and meet customer needs. According to Federal Reserve Board Governor Edward Gramlich: ``Information about individuals' needs and preferences is the cornerstone of any system that allocates goods and services within an economy.'' The more such information is available, ``the more accurately and efficiently will the economy meet those needs and preferences.'' \1\ --------------------------------------------------------------------------- \1\ Financial Privacy, Hearings before the Subcommittee on Financial Institutions and Consumer Credit of the House Committee on Banking and Financial Services, July 21, 1999 (statement of Edward M. Gramlich). --------------------------------------------------------------------------- Information-sharing allows financial institutions to ``deliver the right products and services to the right customers, at the right time, more effectively and at lower cost,'' Fred Smith, Founder and President of the Competitive Enterprise Institute, has written.\2\ The use of personal information to recognize and respond to individual customer needs is the definition of good customer service. Personalized service--epitomized by George Bailey, small-town banker played by Jimmy Stewart in ``It's a Wonderful Life''--is what many consumers want. The Los Angeles Times reported in December 1999, about customers who are understandably ``irritated if the bank fails to inform them that they could save money by switching to a different type of checking account.'' But, of course, as the newspaper noted, ``to reach such a conclusion, the bank must analyze the customer's transactions. . . .'' \3\ --------------------------------------------------------------------------- \2\ Fred L. Smith, Jr., Better to Share Information, Desert News (Salt Lake City, UT), October 14, 1999, at A22. \3\ Edmund Sanders, Your Bank Wants to Know You, The Los Angeles Times, December 23, 1999, at A1. --------------------------------------------------------------------------- By having a complete picture of its customers' financial situations, banks can offer them bundled services at a single lower price than if provided on an a la carte basis. Customers benefit in two ways: First, they are offered a range of diversified services that are most appropriate for their individual financial situations. Second, they get those services at a lower price. For example, a consumer may choose to link her mortgage loan with a checking or savings account at the lender's affiliate, and thereby avoid minimum balance requirements for the checking or savings account, and enjoy the convenience of being able to arrange for direct deductions from a bank account to make the monthly mortgage payment. A financial services institution can aggregate all of a customer's accounts to satisfy minimum balance requirements. It can make an instant decision whether to increase a credit line, based on its total relationship with the customer. Washington attorney L. Richard Fischer writes: ``Information-sharing also enables financial institutions to offer consumers popular products such as `affinity' or `co-brand' credit card accounts. Such programs provide frequent flyer miles, grocery, or gasoline rebates, and other benefits to credit cardholders. Other such programs permit universities and other not-for-profit organizations to benefit from cardholder use of their accounts.'' \4\ --------------------------------------------------------------------------- \4\ Financial Privacy Hearings, supra (statement of L. Richard Fischer). --------------------------------------------------------------------------- To provide all of these and other opportunities, access to data is essential. Laws restricting affiliate-sharing or requiring opt-in consent make the provision of these services untenable. How could an affinity program work if the card issuer and unaffiliated partner could not share customer data? How could a lender accurately and rapidly judge the risk of increasing a customer's credit line if it could not look at all of her accounts with affiliated companies? How would a financial services institution identify appropriate candidates for debt consolidation, if it could not examine both the range of outstanding debts and homeownership or other relevant criteria? Information-sharing is especially critical for new and smaller businesses. By restricting the availability of information about their customers, privacy laws help to protect established businesses from competition. Laws designed to protect privacy act as barriers to that information-sharing, and therefore, writes Robert E. Litan, Director of the Economic Studies Program and Vice President of the Brookings Institution, ``raise barriers to entry by smaller, and often more innovative, firms and organizations.'' \5\ --------------------------------------------------------------------------- \5\ Robert E. Litan, Balancing Costs and Benefits of New Privacy Mandates, Working Paper 99 -3, AEI-Brookings Joint Center for Regulatory Studies (1999). --------------------------------------------------------------------------- The Cost of Regulation There is also a financial cost to privacy regulation. We have already seen that a major component of that cost is caused by the interference of privacy laws with open information flows. Another source of that cost is the burden of complying with privacy laws. Crafting, printing, and mailing the billion or more disclosure notices required by Gramm-Leach-Bliley, for example, is estimated to have cost $2-$5 billion. Much of that cost will be repeatedly annually. More burdensome opt-in laws, as discussed below, would prove even more costly. During its opt-in test, U.S. West found that to obtain permission to use information about its customer's calling patterns to market services to them cost between $21 and $34 per customer, depending on the method employed.\6\ --------------------------------------------------------------------------- \6\ Brief for Petitioner and Interveners at 15-16, U.S. West, Inc. v. FCC, 182 F.3d 1224, 1239 (10th Cir. 1999) (No. 98 -9518), cert. denied 528 U.S. 1188 (2000). --------------------------------------------------------------------------- A 2000 Ernst & Young study of financial institutions representing 30 percent of financial services industry revenues, found that financial services companies would send out three to six times more direct marketing material if they could not use shared personal information to target their mailings, at an additional cost of about $1 billion per year.\7\ --------------------------------------------------------------------------- \7\ Ernst & Young LLP, Customer Benefits from Current Information Sharing by Financial Services Companies 16 (December 2000). --------------------------------------------------------------------------- The study concluded that the total annual cost to consumers of opt- in's restriction on existing information flows--precisely because of the difficulty of reaching customers--was $17 billion for the companies studied, or $56 billion if extrapolated to include the customers of all financial institutions. Those figures do not include the costs resulting from the reduced availability of personal information to reduce fraud, increase the availability and lower the cost of credit, provide co-branded credit cards and nationwide automated teller machine networks, and develop future innovative services and products. These costs do not include the increased burden to consumers of additional letters, telephone calls, and e-mails seeking consent: U.S. West had to call its customers an average of 4.8 times per household just to find an adult who could consent. The Special Problem of Opt-In The burden of privacy laws is even greater when they forbid the use of information without affirmative, opt-in consent. While both opt-in and opt-out give consumers the same legal control about how their information is used, the two systems differ in the consequences they impose when consumers fail to act. The U.S. Post Office reports that 52 percent of unsolicited mail in this country is discarded without ever being read. It will not matter how great the potential benefit resulting from the information use, if the request is not read or heard, it cannot be acted on. Corporate trials of consent-based privacy systems demonstrate that no matter how good the offer or how easy the opt-in or the opt-out method, customers rarely respond. Under opt-out, consumers like those under Gramm-Leach-Bliley who failed to read or respond to a privacy notice, still received services. Under opt-in, consumers who did not respond could not have their information used. By virtue of not responding--whatever the reason-- those subject to opt-in are excluded from receiving information- dependent services. Opt-in is more costly to consumers precisely because it fails to harness the efficiency of having them reveal their own preferences as opposed to having to explicitly ask them. For a practical, specific example of the impact of opt-in on consumers, Michael Staten, an economist, Distinguished Professor, and Director of the Credit Research Center at Georgetown University's McDonough School of Business, and I conducted a case study of MBNA Corporation, a diversified, multinational financial institution. Incorporated in 1981, and publicly-traded since 1991, by the end of 2000, the company has experienced 40 consecutive quarters of growth, provided credit cards and other loan products to 51 million consumers, had $89 billion of loans outstanding and serviced 15 percent of all Visa/MasterCard credit card balances outstanding in the United States.\8\ --------------------------------------------------------------------------- \8\ Michael E. Staten & Fred H. Cate, ``The Impact of Opt-In Privacy Rules on Retail Credit Markets: A Case Study of MBNA,''_Duke Law Journal_(forthcoming 2002). --------------------------------------------------------------------------- The case study examined the impact of three forms of opt-in: (1) Opt-in for sharing personal information with third parties; (2) Opt-in for sharing personal information with affiliates; and (3) Opt-in for any use (other than statutorily excluded uses) of personal information. The study found that any form of opt-in would have significant economic effects on MBNA and its customers, because of the company's extensive use of direct marketing to attract customers and its heavy reliance on personal information to identify out of the 1 billion prospect names the company receives annually from its more than 4,700 affinity groups for which MBNA issues credit cards the 400 million names of people who are likely to be both qualified for and interested in a credit card solicitation. Given the low response rates to opt-in requests universally reflected by organizations that seek consent other than at time of service or in response to a communication initiated by the customer, the case study concludes that even the least restrictive opt-in regime--for third-party information-sharing--would result in the MBNA's marketing materials being 27 percent less well targeted. As a result, 109 million people would receive solicitations who should not have. This translates into an 18 percent lower response rate and a 22 percent increase in direct mail costs per account booked. There would also be an additional 8 percent reduction in net income because of increased defaults and reduced account activity, resulting from less qualified people receiving credit card solicitations. The broader opt-in regimes would result in more significant losses to MBNA and its customers, largely in three areas. First, MBNA's affiliates would be unable to cross-sell services to existing customers or provide one-stop customer service, because of the restriction of sharing information across affiliates. Second, MBNA's corporate structure, which currently includes affiliates because of tax and regulatory reasons, would be less efficient and more expensive because centralized service units would no longer be able to provide services for all of the affiliates. Third, opt-in would interfere with fraud detection and prevention efforts which depend on information-sharing across affiliates and among companies. These costs would be incurred despite the fact that as of the end of 2000, only about 130,000 customers (one-quarter of 1 percent of MBNA's customer base) had exercised their legal right to opt-out of having their credit report information transferred across MBNA affiliates, and approximately 1 million customers (less than 2 percent) had taken advantage of MBNA's voluntary opt-out from receiving any type of direct mail marketing offers. The important point is not simply that complying with privacy laws is expensive, but rather that it imposes costs on consumers. Privacy polls rarely if ever ask consumers whether they are ready to bear that cost. But ultimately, it is consumers and individuals, in the words of Alabama Attorney General Bill Pryor, who ``pay the price in terms of either higher prices for what they buy, or in terms of a restricted set of choices offered them in the marketplace.'' \9\ --------------------------------------------------------------------------- \9\ Bill Pryor, Protecting Privacy: Some First Principles, Remarks at the American Council of Life Insurers Privacy Symposium, July 11, 2000, Washington, DC, at 4. --------------------------------------------------------------------------- The Bigger Context It is also important to evaluate consumer concerns about financial privacy in a broader context. Gramm-Leach-Bliley was passed in 1999 and the first notices were required to be mailed by July 1, 2001. Only 14 months has passed since that date, examinations of financial institutions under the new requirements are only now beginning, and enforcement has been limited. It is simply too early to judge meaningfully how well the new system is working. Despite the short time, however, financial institutions have been busy working with Federal regulators, consumer advocates, and others attempting to improve their privacy notices and increase the effectiveness of consumer education. There was considerable criticism of the first round of Gramm-Leach-Bliley privacy notices, a key element of the law. While some of that criticism may be justified, the complexity of privacy notices seems in large part to have reflected the complexity of the law and regulations requiring them. Title V uses many terms that consumers would likely find confusing and that must be used precisely to make sense of the law's requirements. For example, the law makes a significant distinction between ``consumers'' and ``customers,'' and this distinction was necessarily reflected in many notices, even though many people use the terms interchangeably. It should also be noted that clarity may be in the eye of the beholder. On June 18, 2001, at a hearing on financial privacy of the California General Assembly's Committee on Banking and Finance, the Committee Chairman challenged the financial services industry representatives in the audience to live up to the standard set by American Express' privacy notice. In fact, he distributed to every person attending the hearing a copy of the American Express notice so that they could, in the Chairman's words, use it as a ``model.'' Two weeks later, on July 9, 2001, USA Today editorialized in favor of clearer privacy notices, citing American Express' notice--the same notice lauded only 2 weeks earlier--at its first example of a difficult to comprehend notice.\10\ --------------------------------------------------------------------------- \10\ ``Confusing Privacy Notices Leave Consumers Exposed,'' USA Today, July 9, 2001, at 13A. --------------------------------------------------------------------------- As Federal Trade Commission Chairman Timothy Muris has noted, we are still learning: The recent experience with Gramm-Leach-Bliley privacy notices should give everyone pause about whether we know enough to implement effectively broad-based legislation based on notices. Acres of trees died to produce a blizzard of barely comprehensible privacy notices. Indeed, this is a statute that only lawyers could love--until they found out it applied to them.\11\ --------------------------------------------------------------------------- \11\ Timothy J. Muris, Protecting Consumers' Privacy: 2002 and Beyond, 2001 Conference, Cleveland, OH, October 4, 2001. Today, regulators, industry, and consumers are learning from the emerging experience with Gramm-Leach-Bliley, and are collectively improving the quality and variety of available privacy protections. The Hunton & Williams Center for Information Policy Leadership, for example, hosts a project in which leading financial institutions are trying to develop layered notices--an approach that would make privacy disclosures easier to understand and compare. The Federal Trade Commission has hosted a workshop on effective financial privacy notices, and is working with industry and privacy rights advocates to improve notices. The Commission is also pushing forward related privacy initiatives, including a national do-not-call list and increased privacy enforcement. Many financial services companies have also responded with privacy- related products and services, or options for individuals to control the use of their information beyond what is required by law. Many financial services companies report today that they do not share personal nonpublic financial information about their customers with third parties. Some provide opportunities for customers to opt-out of information-sharing that is expressly permitted by Gramm-Leach-Bliley. Citicorp, Capital One, Visa, and American Express all advertise credit cards offering privacy- and security-related enhancements. Bank of America and other banks are openly competing for consumer business based on how privacy protective they are. Companies are developing best practices for a variety of privacy protections; for example, Citigroup has released telemarketing best practices developed with State attorneys general. None of these developments is likely to prove a panacea for privacy protection, but their variety and the speed with which they are being developed suggest that they will afford consumers a greater choice of privacy alternatives than any law is likely to. Most importantly, there is virtually no evidence of tangible harms to consumers that are not already covered by Gramm-Leach-Bliley, the Fair Credit Reporting Act, or some other financial privacy law. Consumers have understandable concerns about their privacy, and some adjustments to Federal financial privacy law may eventually prove necessary. But in the absence of evidence consumers being physically or financially harmed by unregulated uses of their personal financial information, the Congress has the time to wait to see how existing laws are working and to allow market responses to more fully mature. ---------- PREPARED STATEMENT OF JOHN C. DUGAN Partner, Covington & Burling on behalf of the Financial Services Coordinating Council September 19, 2002 My name is John Dugan, and I am a Partner with the law firm of Covington & Burling. I am testifying today on behalf of the Financial Services Coordinating Council (FSCC), whose members include the American Bankers Association, American Council of Life Insurers, American Insurance Association, and Securities Industry Association. These organizations represent thousands of large and small banks, insurance companies, and securities firms that, taken together, provide financial services to virtually every household in America. I have represented the FSCC on financial privacy issues since the organization was formed in late 1999, and in that capacity I have advised on implementation issues involving the privacy provisions of the Gramm- Leach-Bliley Act (GLB Act) and related regulations; participated in the Federal Trade Commission's interagency task force on notices; helped coordinate our task force devoted to improvements in privacy notices; and testified on a number of occasions before the Congress and State legislatures on GLB Act issues and various financial privacy legislative proposals. The FSCC appreciates the opportunity to testify before this Committee on the status of financial privacy regulation, in our case from the perspective of the financial services industry. Our testimony focuses on: (1) the balance Congress struck in the Gramm-Leach-Bliley Act (GLB Act); (2) our experience with implementing the Act, including the reaction of our customers; (3) our views on the appropriate relationship between Federal and State privacy laws; and (4) some thoughts going forward. The Balance Struck in the GLB Act Every commercial privacy law strikes a balance between protecting the privacy interests of consumers and preserving the clear consumer benefits that arise from the free flow of information in the economy. While consumers expect limits on the disclosure of their information, they also expect companies to provide them with benefits that can only be provided through information-sharing. For example, a loyal, long-time depositor in a bank wants and expects to receive a discount on a mortgage loan offered by a related mortgage company affiliate, and such ``relationship discounts'' can only be provided through information- sharing. Privacy laws try to balance these competing consumer expectations. In terms of financial privacy, we believe that Congress struck the right balance in 1999 when it adopted the privacy provisions of the GLB Act against the backdrop of the preexisting privacy protections provided by the Fair Credit Reporting Act and other Federal and State statutes. Through exceptionally broad definitions, the GLB Act's protections apply to virtually all personal information held about the individual consumers of more than 40,000 financial institutions in this country--including less traditional ``financial institutions'' such as check cashers, information aggregators, and financial software providers. Coupled with protections mandated by the Fair Credit Reporting Act (FCRA), these consumers now must be provided: Notice of the institution's practices regarding information collection and disclosure, which must be clear, conspicuous, and updated each year. Opt-Out Choice regarding the institution's sharing of information with nonaffiliated third parties, and in certain instances, with affiliates. Security in the form of mandatory policies, procedures, systems, and controls to ensure that personal information remains confidential. Protection against inappropriate redisclosure or reuse of personal information that is shared with third parties. Enforcement of privacy protections via the full panoply of enforcement powers of the agencies that regulate financial institutions, for example, the Federal bank regulators, the Securities and Exchange Commission, State insurance authorities, and the Federal Trade Commission. In addition to these protections, customers of financial institutions that handle personal health information, for example, insurance companies, receive the extensive privacy protections of Federal and State medical privacy laws. Taken together, the FSCC believes that this set of provisions forms the most comprehensive set of privacy protections that has yet been implemented in the United States. We recognize that these protections are not as restrictive as some would have wanted, including some of the witnesses on today's panel. But by any measure, compared to 3 years ago consumers have much more meaningful information, choice, and security regarding the way that financial institutions handle their personal information. At the same time, the GLB Act appropriately allows financial institutions to share information with others for a variety of plainly legitimate purposes without separate consumer consent, that is, to carry out transactions requested by the consumer, to deter and detect fraud, to respond to regulators and judicial process, etc. While many of these ``doing business'' exceptions were viewed suspiciously by critics at the time the Act was passed, they have proven to be sensible and noncontroversial provisions covering sharing for which consumer consent is simply inappropriate. The FSCC also continues to support Congress' decision to treat information-sharing by companies under common control in the same manner as sharing within a single institution; both are situations in which the GLB Act's opt-out requirement does not apply. The fact is that many financial institutions operate through affiliated financial entities, often with very similar names, rather than through divisions of a single institution. For purposes of the opt-out, Congress sensibly elected to ignore such artificial separations and treat affiliates as part of a single organization rather than as entirely distinct entities. This decision reflected the fact that consumers are unlikely to distinguish between, for example, a community bank and the community bank's affiliated mortgage lending company. Instead, consumers are likely to expect that both affiliates are part of a single community banking organization where information is shared within that corporate family. The decision also reflected the fact that the sharing of sensitive credit and insurance application information with affiliates is already subject to an opt- out requirement under the Fair Credit Reporting Act. Finally, we also continue to believe that Congress made the right choice in requiring that a financial institution provide its consumers with the right to opt-out of the financial institution's sharing of the consumers' personal information with third-party commercial companies. This decision reflected the view that the sharing of personal information with such nonaffiliated third parties (other than for the exceptions described above) is different in nature than sharing information with companies within a corporate family or with financial institution marketing partners--and that it is sufficiently different from consumer expectations that a consumer should be given the choice to opt-out of such sharing. In making this choice, however, Congress rightly rejected an opt-in approach, because there is a fundamental flaw with the way such requirements work. Opt-in provisions deprive consumers of benefits from information- sharing (such as the depositor's relationship discount on a mortgage loan described above), because consumers rarely exercise opt-in consent of any kind-- even those consumers who would want to receive the benefits of information- sharing if they knew about them. In essence, an opt-in creates a ``default rule'' that stops the free flow of information. This in turn makes the provision of financial services more expensive and reduces the products and services that can be offered, which actually frustrates consumer expectations. In contrast, an opt-out gives privacy-sensitive consumers just as much choice as an opt-in, but without setting the default rule to deny benefits to consumers who are less privacy-sensitive. Implementation of the GLB Act The privacy provisions of Gramm-Leach-Bliley were enacted in 1999, and financial institution regulators subsequently issued detailed privacy regulations that became effective just over a year ago. This appears to be the first time that the Federal Government has implemented such a comprehensive commercial privacy regulatory regime affecting such an important sector of the Nation's economy. In a sense, financial institutions have been the ``guinea pigs'' for this process, and much has been learned by both the regulators and our industry. The implementation process has been massive, involving eight Federal regulators, 51 State insurance regulators, and over 40,000 financial institutions. Companies have conducted detailed auditing of their information practices; developed and issued over 2.5 billion privacy notices; established new compliance systems; trained personnel; and reconfigured systems to handle and monitor consumer opt-outs. Financial institutions have also upgraded their already extensive security policies, procedures, and systems to comply with the security mandates of the Act. For example, company employees with access to confidential customer information are often required to adhere to many different types of procedures designed to protect the physical security of that information, including disclosing information to other employees only on a ``need to know'' basis; locking confidential files and clearing desks before going home; and using special passwords to access information. In addition, some companies control access through use of security systems and computing platforms, where users are authenticated by means of logon identifications and/or secret passwords. In some cases digital certificates are also used for purposes of authentication and nonrepudiation; access control lists limit levels of access based on job employee functions; and formal data classification schemes ensure that sensitive data is stored only on secure platforms. These are just a sample of the many steps that firms are taking in the security area. In short, while tremendous progress has been made, GLB implementation is still very much a work in progress, and financial institutions continue to learn, adjust, and improve their privacy and security practices over time. One thing is certain, however: As the result of the Gramm-Leach-Bliley's notice, choice, and security requirements, financial institution customers are far more privacy and security-protected than they were 3 years ago, and far more protected than the customers of most other types of companies. We believe that consumers have responded favorably by continuing to put their trust in the companies that handle their financial assets and their financial needs. Indeed, despite generic polls showing that consumers remain concerned about their privacy, financial institutions have received a minuscule number of customer complaints about the GLB Act procedures or other privacy concerns. The same is true of financial regulators. For example, in response to a Freedom of Information Act request regarding all financial institution complaints received in 2001, the Federal Reserve reported that it had received only 25 privacy-related complaints out of the 4,503 complaints it received, or .0056 percent of the total, with similarly low numbers reported by the Office of Thrift Supervision (6 of 4,921, or .0012 percent), Federal Deposit Insurance Corporation (137 of 6,849, or .02 percent), and Office of the Comptroller of the Currency (368 of 17,228, or .0214 percent). In addition, most financial institutions do not share information with third parties, such as commercial companies, in a way that triggers the need for the GLB Act opt-out requirement. For example, roughly 89 percent of a recent sample of approximately 400 banks conducted by the American Bankers Association did not share information in this way. For those institutions that do share with third parties in a way that requires providing the opt-out to consumers, the opt-out rates have generally been low, and in nearly all cases under 10 percent. The FSCC strongly disagrees with those who suggest that low opt-out rates mean that the GLB process is not working. To the contrary, our members believe that the low rates show that consumers trust their financial institutions to share their information in an appropriate manner, or that they are less sensitive to privacy concerns than has been suggested. Based on initial implementation experience, the FSCC recognizes that the privacy notices constitute one area in which improvements can be made. This is by no means as easy as it sounds, however, because the notice requirements of the GLB Act are quite detailed. The financial institution regulators tried hard to simplify these requirements in their implementing regulations, including through the use of sample clauses, and they told institutions that a notice complying with the GLB Act could fit on a six-page, ``tri-fold'' brochure. In their first round of notices, financial institutions generally took this approach and used the sample clauses, while at the same time carefully scrubbing the language to ensure compliance will all requirements of the statute and regulations. Proceeding this way was absolutely necessary to ensure that the notices satisfied the regulators' ``clear and conspicuous'' requirement and minimized exposure to legal liability. Indeed, the regulators have challenged very few privacy notices as failing to comply. Nevertheless, a six-page notice is not short, and language from the sample clauses such as ``nonaffiliated third-party'' and ``nonpublic personal information'' are obviously the type of ``legalese'' that some consumers and critics have found difficult to understand. Unfortunately, financial institutions now find themselves in a bit of a ``Catch-22.'' They spent hundreds of millions of dollars to carefully develop the first round of compliant notices and mail them to consumers, and financial institution consumers received more information about company privacy practices than consumers of virtually any other industry in the country. Yet these very same notices, because of their length and use of legalistic terms suggested by the regulations, have received a great deal of negative attention in the media. To address these concerns, the financial services industry is proceeding down two paths simultaneously. First, a number of institutions have simplified the language used in their second round of annual privacy notices, though carefully so as not to stray from the requirements of the regulation. We believe the second round of notices will be more ``user friendly'' than the initial notices. Second, both financial institutions and their regulators have focused on the idea of exploring a simplified ``short-form'' version of the notice that would supplement, but not replace, the longer ``legal notice'' required by the GLB Act and regulations. The FTC convened an interagency and industry workshop to discuss this and other notice issues, and industry efforts are underway to examine the short-form concept more carefully. The basic idea of the short-form notice is to use simplified terms, be much less legalistic than the longer notice, keep the length to one page, and use common language that would make it easier for consumers to compare institution privacy policies over time. The FSCC is leading a project on the short-form notice. We have convened a task force representing a cross-section of institutions from the banking, insurance, and securities industries; hired a well-known language expert to advise on short-form issues; and have nearly completed the initial drafting phase of several possible alternatives. While we believe this project is promising, it is by no means simple, as I mentioned previously. There is no true ``one-size-fits- all'' solution, because institutions have different privacy practices that call for different types of disclosures. Relation Between Federal and State Privacy Laws There seems to be a great deal of misunderstanding about Gramm- Leach-Bliley's effect on State privacy laws, as well as on the amount of State legislative action that has occurred on financial privacy issues generally. On the first point, Section 507 of the GLB Act makes clear that its privacy provisions would not preempt any State law in effect simply because the State law affords greater privacy protections to consumers than the Act's provisions. Of course, this provision by its terms does nothing to limit the preemptive effect of any other Federal statute, specifically including the Fair Credit Reporting Act's preemption provision that applies to State law restrictions on affiliate information-sharing. Some State legislators seemed to interpret Section 507 as an affirmative invitation by the Federal Government to the States to adopt more restrictive financial privacy laws than Gramm-Leach-Bliley. This interpretation spawned a great deal of State legislative interest in new financial privacy laws immediately after passage of the GLB Act in 1999. The FSCC and numerous other representatives disagreed with that interpretation and testified to that effect before a number of State legislatures. Our position consistently has been that there was no such Federal invitation for States to act in Gramm-Leach-Bliley; that States should not rush to act before the GLB Act has been fully implemented and given a chance to work; and that a patchwork, uneven body of differing State privacy regulation would be extremely costly and counterproductive. In short, we believe that a single uniform standard in Federal law is the most appropriate method for regulating financial privacy. This leads me to the second point of confusion. While there has been a flurry of activity and debate at the State level in the wake of passage of the GLB Act in 1999, during this period no State legislature has adopted a comprehensive financial privacy statute that has exceeded the obligations of the GLB Act. Nearly 40 States considered such privacy legislation in 2000, but no such statute was enacted. About half that number revisited the issue in 2001, again without final action. And this year, only California has come close to enacting a new privacy law, but for the third time in 3 years, the legislature has chosen not to act. We recognize that North Dakota first chose to conform a preexisting bank privacy opt-in law to the limits of Gramm-Leach-Bliley, only to have an initiative restore the preexisting law. In addition, regulators (but not legislatures) in New Mexico and Vermont have issued additional financial privacy regulations (though the Vermont legislature had earlier rejected an effort to increase financial privacy restrictions, and a lawsuit has been filed to challenge the Vermont regulation as beyond the scope of Vermont statutory authority). But taken together, these few actions simply do not constitute a groundswell of State action to impose more restrictive financial privacy regulation. To the contrary, with the notable exception of California, the State focus on financial privacy legislation has diminished considerably over time since the GLB Act was enacted. The FSCC believes this is due in large part to an increased understanding that: (1) The Gramm-Leach-Bliley protections are substantial and need to be given a chance to work before States decide to act further; and (2) it is not nearly as easy as it seems at first blush to adopt financial privacy restrictions without causing unintended consequences that increase costs and deprive consumers of real benefits. Actions in the Future The Gramm-Leach-Bliley's privacy protections are real, and the implementation, adjustment, and enforcement process is ongoing. This is not to say that improvements cannot be made, however. In particular, the FSCC believes that the process for improving privacy notices is well worthwhile, and we plan to pursue that process actively in the coming months, both within the industry and with our regulators. In terms of Federal legislation, we believe that any additional action that Congress considers with respect to privacy issues should be targeted to specific harms rather than take the form of sweeping data protection restrictions. If the harm to consumers is identity theft, then the focus of legislation should be on deterring and remedying that problem specifically. Similarly, if consumers are most concerned about excessive telemarketing calls resulting from information-sharing, then we believe that solutions should address that issue specifically. To do otherwise by imposing broad restrictions on information use and sharing: (1) May do little to solve the specific harms at issue; and (2) may have very negative unintended consequences. Accordingly, the FSCC stands ready to work with this Committee and other public policymakers to address specific consumer harms. In this regard, however, the FSCC could not support any new financial privacy legislation that did not include Federal preemption to ensure a uniform national privacy standard. The FSCC has similar concerns with respect to the FCRA provision that preempts State restrictions on affiliate-sharing, but is scheduled to sunset by the end of 2003. The FSCC supports extending the sunset, as we believe that the uniform national affiliate-sharing provision has allowed financial institutions to serve their customers in the most efficient manner possible. Thank you for allowing me to present the views of the FSCC today. I would be happy to answer any questions. PREPARED STATEMENT OF MIKE HATCH* --------------------------------------------------------------------------- *All Exhibits held in Committee files. --------------------------------------------------------------------------- Attorney General, State of Minnesota September 19, 2002 I appreciate the opportunity to address the Senate Committee on Banking, Housing, and Urban Affairs on the critical issue of protecting the privacy of our citizens' financial information. This Committee has taken a leading role in the challenge to protect consumer financial privacy. I commend the bipartisan efforts of Senators Sarbanes and Shelby in addressing these issues. Unfortunately, Title V of the Gramm-Leach-Bliley Act (GLBA) is not working to protect consumers from the misuse of their financial information. The Act has confused consumers, provided a green light to the unauthorized sharing of personal financial data as part of misleading telemarketing campaigns, and is riddled with loopholes that exempt many business practices from any control. I will focus my remarks on three aspects of GLBA: (1) The opt-out provisions in Section 502(b); (2) the limitations on sharing of account numbers in Section 502(d); and (3) the favorable preemption standard in the Sarbanes Amendment, Section 507. While the alleged consumer ``protections'' in Section 502 have proven of limited value in protecting consumers, Section 507 is an important part of GLBA that may ultimately provide various State models for how to more fairly balance the needs of business with the privacy rights of consumers. Opt-Out Is Ineffective To Protect Consumers The opt-out system is not an effective means of protecting consumer financial privacy. It puts the burden on consumers to look for the privacy notices, read and attempt to understand them, and then take affirmative action to halt the sharing of their nonpublic personal information with nonaffiliated third parties, such as telemarketers. This system is contrary to how consumers act in the marketplace and what consumers expect from Government efforts to remedy the imbalance of power in the marketplace. Businesses that want to share personal financial information should do no more and no less than is required in any consumer transaction--obtain prior express consent of the consumer; in other words, opt-in to the deal. The current system does more to confuse than to assist consumers. The opt-out notices flooding consumers' mailboxes have been a boon for the printing and postal industry, but they have not meant much for the typical consumer. The notices are dense and impenetrable. Even the most educated and persistent of consumers would have a hard time deciphering statements such as ``we may disclose [information to] . . . carefully selected business partners (that is, so they can alert you to valuable products and services)'' \1\ to mean the financial institution will allow telemarketers to charge your credit card account without obtaining a signature or account number from you. The ineffectiveness of the notice and opt-out procedure has been thoroughly documented.\2\ --------------------------------------------------------------------------- \1\ See http://www.capitalone.com/indexn.nhp. \2\ See Mark Hochhauser, Ph.D., Lost in Fine Print II: Readability of Financial Privacy Notices, Privacy Rights Clearinghouse, May 2001, available at http://www.privacyrights.org/ar/GLB-Reading.htm. The eight Federal agencies that issued regulations implementing GLBA held a workshop in December 2001, that also documented consumer misunderstanding and noncomprehension of the notices. See http:// www.ftc.gov/bcp/workshops/glb/index.html. --------------------------------------------------------------------------- GLBA Limitations On Account Number Sharing Have Had No Meaningful Impact On Preacquired Account Telemarketing Abuses Each year, American consumers experience millions of dollars of unauthorized charges on bank, credit card, mortgage, and other accounts as a direct result of financial institutions sharing personal financial data. Despite an attempt at appearing to address this concern, GLBA has had no effect on the problem. In fact, GLBA may have inadvertently acted to legitimize financial institutions' participation in data- sharing practices that result in deceptive telemarketing practices. Preacquired Account Telemarketing Abuses Financial institutions sell to telemarketers the names, phone numbers, and other information about their customers along with the right to charge the accounts of those customers. Telemarketers use this charging authority to call consumers with a ``free trial'' or ``no risk'' offer for services like travel membership clubs and credit card protection insurance. The telemarketer, because it has the ability to directly charge the account, never obtains an account number, a signature, or any other traditional evidence of consent from the customer. This sales practice, known as preacquired account telemarketing, has led to a constant and heavy flow of complaints to Attorneys General and other consumer protection agencies. Preacquired account telemarketing is inherently unfair and causes deception and abuse, especially with elderly and vulnerable consumers. This sales practice turns on its head the normal procedures for obtaining consumer consent. Other than for a cash purchase, providing a signature or an account number is a readily recognizable means for a consumer to signal assent to a deal. Decades of consumer education have made many consumers aware that disclosing their account number may result in unexpected charges. The corollary to this is that many consumers believe that as long as they do not disclose their account number, no charge can be made on the account. Preacquired account telemarketing exploits this belief. When financial institutions share with the telemarketer the information needed to directly charge a customer's account, it removes these short-hand methods of consumer control over consent to a purchase. Preacquired account telemarketing strips the consumer of control over the transaction and exploits the belief that being careful about disclosing an account number provides protection. The telemarketer not only establishes the method by which the consumer will provide consent, but also decides whether the consumer actually consented. Our Office has brought a series of cases exposing this practice.\3\ Fleet Mortgage Corporation, for instance, entered into contracts in which it agreed to charge its customer-homeowners for membership programs and insurance policies sold using preacquired account information. If the telemarketer told Fleet that the homeowner had consented to the deal, Fleet added the payment to the homeowner's mortgage account. Angry homeowners who discovered the hidden charges on their mortgage account called Fleet in large numbers.\4\ A survey taken by Fleet of its customer service representatives is attached as Exhibit A. It showed that customers overwhelmingly told Fleet that they did not sign up for the product, and wanted to know how it was added to their mortgage accounts without their approval, consent, or signature. Fleet's employees shared the resentment of these consumers, with comments such as ``unethical for Fleet to add [optional insurance] without my permission;'' ``[homeowner] knows they are being slammed w/ ins they never authorized (and) thinks unethical & bad business by us . . . I agree with the customer;'' and ``they feel this is fraud. . . . It is a scam.'' \5\ --------------------------------------------------------------------------- \3\ State of Minnesota v. U.S. Bancorp, Inc., Case No. 99-872 (Consent Judgment, D. Minn. 1999); In The Matter of Damark International, Inc., Case No. C8-99-1038 (Assurance of Discontinuance, Damsey Cty. Ct. 1999); State of Minnesota v. Memberworks, Inc., Case No. MC99-010056 (Consent Judgment, Hennepin Cty. Dis. Ct. 2000); State of Minnesota v. Fleet Mortgage Corporation, 158 F.Supp.2d 962 and 181 F.Supp.2d 995 (D. Minn. 2001) (Consent Judgment, D. Minn. 2002). \4\ Approximately one-fifth of all calls by Fleet customers were about these preacquired account charges. The mortgage statements issued by Fleet hid the charges under the rubric ``opt.prod.'' (optional product) at the very bottom of the bill in small print, such that it was extremely difficult to discover the charge or discern the purpose of the charge. For consumers on auto-draft from their checking or other bank account, Fleet gave no written notice of the charge. \5\ As a result of a settlement of our Office's case against Fleet Mortgage Corporation, its customers were given the opportunity to request a refund of charges for membership programs sold through preacquired account telemarketing. Over 72 percent of the customers currently being charged for such a program returned a form requiring a refund of charges, stated that they did not authorize the charge, and asked to have the program cancelled. --------------------------------------------------------------------------- The number of financial institution customers affected by this sales practice is staggering. An investigation of a subsidiary of one of the Nation's largest banks revealed an extraordinary number of complaints of unauthorized charges. During a 13 month period, this bank processed 173,543 cancellations of membership clubs and insurance policies sold by preacquired account sellers. Of this number of cancellations, 95,573, or 55 percent, of the consumers stated ``unauthorized bill'' as the reason for the request to remove the charge.\6\ --------------------------------------------------------------------------- \6\ The other primary reason given for cancelling (by 56,794 customers, or 32 percent of the total) was a general ``request to cancel'' code that may have also included many consumers claiming unauthorized charges. --------------------------------------------------------------------------- The frail elderly, consumers who speak English as a second language, and other vulnerable groups are especially at risk with preacquired account telemarketers. A review of randomly selected sales of one preacquired account telemarketer investigated by our Office showed 58 percent of customers whose accounts were charged were over 60. Sellers continually use preacquired account telemarketing to sell elderly consumers membership clubs, magazines, and other products for which they have no possible use. Examples from our Office's investigations of telemarketers using preacquired billing information include the following: Charges to the credit card of an 85-year old man with Alzheimer's; charges to the credit card of a 90-year old woman who asked to ``quit this'' and said ``sounds like a scam to me;'' charges to the credit card account of an Hispanic man who says ``no se es'' in response to a telemarketer's question; and charges to the bank checking account of an impaired 90-year old man who did not believe he consented to the charge. Attached as Exhibit B is a letter from a Legal Aid attorney listing a variety of useless and expensive membership clubs charged to the credit card of a retired church janitor in his late 80's. The janitor was charged for a home protection plan even though he lived in a nursing home; an auto club membership even though he had no car; a dental plan even though he already had coverage; and a credit card security plan even though Federal law already protected him from theft of a credit card. These are just a few of the substantial number of consumer complaints our Offices have received about this sales practice. In fact, this Office receives as many complaints about these practices post-GLB as it did before enactment of the law. GLBA Has Had No Impact On Preacquired Account Telemarketing Abuses GLBA has not changed the involvement of financial institutions in preacquired account telemarketing, and the abuses continue to occur. All 50 State Attorneys General recently filed comments with the Federal Trade Commission (FTC) stating that consumer complaints and State consumer protection enforcement actions against preacquired account telemarketers have continued without significant change after passage of the GLBA. The reason is not hard to discern. GLBA, in Section 502(d), prohibits a financial institution from disclosing, ``other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third-party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.'' Thus, Section 502(d) prohibits the practice by financial institutions of providing the credit card numbers of its customers to nonaffiliated third-party telemarketers. When sellers of magazines, membership clubs, insurance programs, and other services solicited the financial institutions' customers via telemarketing calls, the customers were never asked to recite their credit card numbers because the sellers already had the numbers on hand with the capability to send through a charge. After Section 502(d) of GLBA was enacted, however, the Federal banking agencies promulgated rules that permitted financial institutions to continue sharing account numbers with third-party sellers as long as they were in encrypted form. As a result of this Rule, the practices of financial institutions and their third-party sellers have remained the same. Financial institutions may share encrypted or randomly generated reference numbers for their customer's accounts with third-party sellers. These sellers can still send through charges to consumers' accounts without consumers giving their credit card numbers. The encrypted numbers are simply decrypted by the financial institution and the charges are put directly on the consumer's account. This allows preacquired account telemarketing process to continue--legally and unimpeded. Unscrupulous telemarketers can still cause a charge to a consumer's account even when a consumer says ``no'' to the sale, or simply believes he or she is trying out a free trial offer. The essential characteristic of preacquired account telemarketing is the ability of the telemarketer to charge the consumer's account without traditional forms of consent--for example, paying cash, providing a signature, or providing a credit card or bank account number. The key is how the agreement between a company controlling access to a consumer's account and the telemarketer who preacquires the ability to charge a consumer's account affects the bargaining power between that telemarketer and the consumer. GLBA, as interpreted in implementing regulations, does not address this relationship. GLBA's Favorable Preemption Language Is Critical To Future Consumer Privacy Protections Although Title V of GLBA has done little to address the privacy needs of financial institution customers, the Sarbanes Amendment, Section 507, offers the best hope to secure protections for consumers. It is imperative that GLBA retain favorable preemption standards for State legislation. State legislatures have taken or considered a variety of approaches to protecting consumer information. North Dakota voters recently reinstated an opt-in approach to consumer financial information that had previously been in effect. California's legislature has alternately passed and seriously considered various consumer privacy initiatives. The Minnesota Senate has passed an opt-in financial privacy bill. State privacy initiatives have been the subject of enormous industry legislative pressure. In an article entitled, ``Lobbyists Swarm to Stop Tough Privacy Bills in States,'' The Wall Street Journal reported on the ``regimented lobbying forces of the Old Economy'' that have opposed such measure.\7\ Despite this intense effort, State privacy bills continue to advance in State legislatures. Proposed revisions to GLBA that would preempt such State action would be the death knell for meaningful reforms to protect consumers against misuse of their personal financial information. --------------------------------------------------------------------------- \7\ Zimmerman, R. and Simpson, G., ``Lobbyists Swarm to Stop Tough Privacy Bills in States,'' The Wall Street Journal (April 21, 2000). --------------------------------------------------------------------------- Conclusion I thank the Committee for its consideration. Consumer protection efforts in the area of financial privacy are in a beginning stage of development. Title V of GLBA has not adequately protected the privacy of the average citizen. I hope that the Congress will support the continuation of State legislative efforts at meaningful reform of our privacy laws. ---------- PREPARED STATEMENT OF JAMES M. KASPER Representative North Dakota House of Representatives September 19, 2002 Chairman Sarbanes and Members of the Senate Committee on Banking, Housing, and Urban Affairs. Thank you for the opportunity to share my views on financial privacy and consumer protection. Background I am a first term member of the North Dakota House of Representatives and I am considered a conservative in my State of North Dakota. I have been active in political affairs for over 20 years in North Dakota. I believe I bring a unique perspective to the financial privacy issues as my business career is in the financial services industry. I am an independent licensed insurance and securities broker, and my practice is in the area of employee benefits plans and business insurance planning. My entire career has been spent in Fargo, North Dakota, with the exception of 1 year in Minneapolis, Minnesota. Because North Dakota law has allowed banks to sell insurance for many years, I have competed with banks this entire time, and have a very good understanding of how they compete and what their marketing practices are. My First Legislative Term--2001 Little did I realize that in my first Legislative session, beginning in January of 2001, a great deal of my time would be spent attempting to stop North Dakota banks from changing the very protective financial privacy law that North Dakota has had in effect since 1985. North Dakota privacy law protects not only consumer transactions, but all business and commercial transactions as well. Our bank privacy law, enacted in 1985, prohibited the sharing and sale of consumer information to anyone, affiliates and nonaffiliates, for any reason. In today's vernacular, we had a No-Opt for affiliates and a No-Opt for nonaffiliates. In 1997, the banking lobbyists quietly amended ND law to allow affiliate-sharing of information, so the banks in ND could legally share confidential information with their affiliates, without consent. Many citizens feel this needs to be addressed in our 2003 Legislative Session. National Strategy of Banking Industry As you know, the Gramm-Leach-Bliley Act (GLB) was passed by the Congress, with an implementation date for Title V of GLB of July 1, 2001. GLB deregulated the financial services industry and allows banks, insurance companies, and securities companies to have common ownership and to market each other's products. It is my understanding that two organizations, the Financial Roundtable and the Financial Services Coordinating Council, have targeted all States that have a more protective privacy law than the minimum requirements of GLB, to eliminate those States' privacy laws. They seem to be determined to stop any State Legislature from enacting any privacy laws that are more protective of consumer privacy than GLB and also to repeal any State privacy laws that are more protective than GLB. ND Banks Work to Repeal ND Privacy Law in 2001 Legislative Session To accomplish the bankers national goals required the repeal of our 1985 North Dakota privacy law. Therefore, the North Dakota Bankers Association, the North Dakota Independent Bankers Association and the North Dakota Credit Union Association had Senate Bill 2191 (SB 2191) introduced in the North Dakota Senate. This bill's intent was to repeal our 1985 North Dakota privacy law, and replace it with the GLB definitions of privacy, thus reducing ND citizen's privacy protections. Senate Bill 2191 passed the ND Senate, in February 2001, and was assigned to the House of Representatives Industry, Business, and Labor Committee, of which I am a member. When I became aware of the intent of SB 2191, I made the decision to work to kill the bill. For 30 years, I have competed against the banks in ND and I have seen how they use credit leverage to obtain sales and to eliminate competition. I had also learned how people's personal and confidential financial information is being gathered all over the country, fed into huge computer data bases, and how consumer profiles of the citizens of our Nation are developed and sold to telemarketing companies. I believe these practices need to be stopped. I also believe they may be unconstitutional. The banks focused all of their power in the ND House to pass SB 2191. They had 3 full-time lobbyists at the capitol for about 6 consecutive weeks. The Credit Unions had two full-time lobbyists. Additionally, representatives of Wells Fargo, U.S. Bank, and other large banks, made numerous visits to most of the Legislators and almost every one of the Legislators had personal visits from their local bankers. All of these lobbyists were urging the Legislators to support SB 2191. Their reasons were quite interesting: The Banks and Credit Unions Used the Following Arguments in Support of SB 2191 in North Dakota: ``North Dakota needs to pass SB 2191 to adopt GLB in North Dakota law, so we will be in compliance with GLB.'' We know this is not correct, because GLB is the law in all States, but does specifically allow State privacy law to supercede GLB, if the State law provides greater privacy protection for consumers than GLB. ``North Dakota will experience job loss, if we do not pass SB 2191.'' Many of us believe the opposite is true. Because ND privacy law provides protection for all financial transactions, including businesses, ND could actually attract business and gain jobs, due to our privacy laws. ``North Dakota will experience negative economic development if we do not pass SB 2191. Businesses won't want to come to ND if we do not have the GLB privacy definitions in our law. It will be too expensive and too onerous to do business in ND.'' Again, this argument was not correct. If a business does not have to waste its time to Opt-Out, business expenses are reduced. With a No-Opt law, a business will not need to use any of its resources to track its privacy records, because there are none to track. ``We do not want North Dakota to be the only State in the Nation, an `island,' which has different privacy laws than the other States.'' Again, an untrue argument. I believe there are 5 States that have more protective privacy laws than GLB; Alaska, Connecticut, Illinois, Maryland, and Vermont. ``If we do not pass SB 2191, the people of North Dakota may not be able to use their ATM, credit cards, and their checking accounts.'' Since June 11, 2002, when the people of ND repealed SB 2191, our ATM's, credit cards, and checking accounts are working just fine, as they have since 1985, when we first passed our privacy law. All of these scare tactics and more were part of a carefully orchestrated campaign by the ND banks, in conjunction with their national associations, to confuse the issues at best, and out and out lie to the Legislators at worst, about the truth of SB 2191. There were just a handful of Legislators that worked to stop this onslaught by the Bankers and Credit Unions. The final vote in the ND House, was 77 to 20 to pass SB 2191. The ND Senate voted by 34 to 12 to pass SB 2191. The Governor, a former banker, signed the bill and it became North Dakota law on July 1, 2001. The Referral of SB 2191--The People of North Dakota Speak Fortunately, this was not the end of the story. In early July 2001, a small group of ordinary citizens formed a group to repeal SB 2191. They called themselves ``Protect Our Privacy.'' In North Dakota, the people are allowed to refer any act of the Legislature by gathering the minimum amount of signatures on petitions. In about 6 weeks volunteers gathered over 17,000 signatures, about 2.5 percent of our States population, far exceeding the minimum needed to refer SB 2191. The people of ND would now vote on the referral on June 11, 2002, to decide if they wanted to repeal SB 2191. That meant we had about 10 months before the referral vote. During this time the banks organized, hired an advertising agency, and raised big money to fight the referral. They even hired two incumbent North Dakota Legislators to be the co-chairs of their committee, which they ironically named ``Citizens for North Dakota's Future.'' Grass Roots Organization: ``Protect Our Privacy'' to Repeal SB 2191 The grass roots organization against SB 2191 ``Protect Our Privacy,'' had no money and no paid staff. All we had was a small group of committed volunteers, who like Winston Churchill, were determined we would ``Never, Never, Never, Never Give Up.'' To counter the power and money of the big banks, we wrote letters to the editor, appeared as guests on radio talk shows, held press conferences, and made appearances before civic groups. About 2 weeks before the vote on June 11, 2002, we obtained a contribution of $25,000 from the National ACLU, which allowed some radio spots to be run the last 10 days before the vote. Prairie Public Television also hosted a half hour debate about 2 weeks before the vote. Other than this, the campaign to repeal SB 2191 was by word of mouth, truly grass roots. Mr. Chairman, I would like to provide the Committee with copies of relevant documents for the record, concerning these matters. Big Bank Media Campaign to Keep SB 2191 Backfires All of this was small in comparison to the huge amounts of money the big banks spent on their advertising. Their media campaign was overwhelming in ND. Radio, TV, newspapers, talk shows, and civic presentations, began statewide. They obtained endorsement from our State Chamber of Commerce, from our former popular Governor, and most of the local Chambers of Commerce in our major cities. They even pirated the ``Protect Our Privacy'' group's name, adopting and registering the slogan, ``Protect Your Privacy'' and used it on their literature to further attempt to confuse ND voters. The various banks and credit unions placed pamphlets and brochures in their customers checking and savings statements and they placed signs in many lobbies, encouraging a yes vote on SB 2191. In their most memorable TV ad, they actually showed a wall being built around North Dakota, stating that we would become an island if SB 2191 was repealed. The one thing the bankers would not talk about, however, was the truth about SB 2191. The banks want unlimited access to and the ability to sell and share their customers' personal and confidential financial information, without the customers' consent or knowledge. The Opt-Out notices required by GLB, which are supposed to be privacy notices and are supposed to provide consumers with an opportunity to stop the banks from sharing information, are a joke. Statistics indicate that over 95 percent of the people of our country throw these notices away because they: (1) Do not understand them; (2) do not realize their importance; and (3) do not know the ramifications of not sending them back to the financial institution. The Vote in North Dakota-- June 11, 2002 The people of North Dakota spoke loudly and clearly on June 11, 2002, when by a 73 percent vote, they threw out and repealed SB 2191 and thus returned North Dakota privacy law to our very protective privacy statutes. Despite being out-spent 10 to 1, despite the bankers deliberate attempt to confuse the issues with their media campaign and despite the power of the banks and their hired staff, the people of ND saw through the charade of SB 2191. Their message is a national message for the Congress as well. The Message to the Congress from the People of ND by Their June 11, 2002 Vote on Privacy is: Give us back and protect our privacy. Our financial and personal information is ours. It does not belong to the banks and other financial service companies, or anyone else for that matter. It is not for sale. If we want to purchase a financial product, we are very capable of initiating the call or contact ourselves. We are not waiting breathlessly at home for our phone to ring, to be solicited by someone with the latest, greatest product, financial or otherwise, that we just cannot do without. We want our identity protected. Our financial and personal information is a property right we believe is protected under the U.S. Constitution. A bank should have no more right to sell my information than it does to enter my property, steal my car and sell it without my consent. Why Do Banks Need Unlimited Access to People's Financial and Personal Information? It is all about market share, profit, and corporate greed, just like what our Nation has recently experienced with the Enron scandal, wherein too many corporate executives will do anything to make profits and gain market share. The lifeblood needed to increase market share by the Financial Services companies is the free flowing and easy access to consumers' personal and confidential financial information. The GLB Act does not result in fair, open and more competition in the financial services industries. It results in the elimination of competition, wherein the big get bigger and small businesses by the thousands and hundreds of thousands will eventually be driven out of business, because they cannot compete with the financial might of the Citicorps and other mega financial conglomerates. GLB will have a long-term negative impact on rural America, as well. In ND, our State Legislature spends millions of dollars to attract new businesses to relocate to our State and our rural areas. Yet, we have a Federal Law, GLB, which places small businesses at a tremendous competitive disadvantage. When jobs disappear, the people leave. We are already experiencing this result all over America today. Example of How Banks Share Information My best client is a small business in Fargo, North Dakota. I have handled their insurance needs for almost 20 years. When they have an insurance need they call me. Recently, one of the principals called and asked me to come to his office to look at a life insurance proposal they had just received from their big bank insurance agent. This agent had been given their corporate and personal financial information, including salaries, ownership percentages, ages, tax bracket, Social Security numbers, dates of birth, and additional confidential information, without their consent or knowledge. They had never met or heard of the insurance agent and they had not asked for any insurance proposals. My clients were astonished and upset that the bank gave this insurance agent their information without their consent or knowledge. My Mother's Financial Needs My mother, who is a 79-year-old widow, just had a CD come due at her local bank, worth about $14,500. When discussing the CD renewal with the bank teller, she was told she should look at transferring the CD to an annuity. We learned later the bank teller was not licensed to sell annuities and did not know a thing about the rest of my mother's financial affairs. She just advised her to buy an annuity from the bank. The bank teller had no knowledge of my mother's financial needs, other than the fact she had a CD due. Despite this fact, a financial recommendation was made to purchase an insurance product from someone who was not licensed and had no idea what the impact would be on my mother's overall needs. These are two examples of what goes on literally thousands of times every day. A California Trip in July 2002--Bank Tactics the Same Everywhere Senator Jackie Speier, (D) California, invited me to come to Sacramento to help move forward her privacy bill, which was in trouble in the California Assembly (House of Representatives). I spent 4 days in CA in early July 2002, a few weeks after the repeal of the SB 2191 in North Dakota. I found the big banks were using the identical tactics in CA as they had in ND. One of their tactics was to confuse the issues. They also used intense lobbying pressure from banking representatives. Unfortunately, their tactics worked, as Senator Speier's bill was just recently defeated by a few votes. As I stated earlier, there appears to be a national strategy by the Banking Industry, to kill all attempts by State Legislatures to enact any State Legislation that is more protective than the GLB privacy rules. It worked again in California. Where Should Congress and the Senate Banking Committee Go from Here It is imperative, in my opinion, that this Committee draft amendments to Title V of GLB, to do the following: For nonaffiliate transactions, enact a No-Opt provision, prohibiting the sharing and selling of personal and financial information to nonaffiliated third parties for any reason, with the exception of data processing for customer requested transactions such as ATM's etc., and for transactions required by law to comply with Federal and State statutes. Amend GLB to provide for an Opt-In method of privacy protection for all affiliates-sharing and selling of information. The people of our Nation should have the right to stop their information from being passed around, to affiliated companies, and it should only be allowed with their advanced written consent and knowledge. Repeal the Joint Marketing loophole. This charade of an exemption makes a mockery of the already weak privacy protections in current GLB, as almost any transaction can be designed by the banks to be exempt under this part of GLB. Enact Legislation to provide privacy protections for all financial transactions from all sources, including business, agriculture, and nonprofit financial transactions. Under GLB these types of entities have no privacy protection whatsoever. They should have the same privacy protections that consumers do. What Will Happen if Congress Fails to Amend GLB? The people of the United States and the Legislators of the State Legislatures are beginning to realize the damage that has been done to the people of our country over the past number of years, due to the free flowing and public availability of their private and confidential information. I know of three States where Legislators are currently working on State Legislation to override the GLB privacy rules and to enact State Legislation similar to North Dakota's recently restored privacy law. I believe this is just the beginning of what will become a national ground swell, wherein the State Legislatures will enact real privacy protection for their citizens. Congress should act immediately to correct the mistakes made in GLB and change its privacy provisions, as suggested in this testimony. California Initiative--2004 Vote Due to the failure of the CA Legislature to pass Senator Speier's privacy law in California, an initiated measure has begun, headed by Chris Larsen, Chairman and CEO of e-Loan.com an Internet mortgage loan company. I predict it will be overwhelmingly successful in 2004, regardless of how much money the big banks spend to defeat it. In fact, the more they spend, the larger the vote will be to pass the privacy law in CA, because the banks cannot address the truth about how they use people's private and confidential information. It is their dirty little secret, their Achilles heal. They want to be able to sell it and share it without the people's knowledge or consent, but they cannot talk about it truthfully and openly, because they know their customers are overwhelmingly against this practice. The Real Tragedy Perpetrated on the American People I believe that the Congress needs to realize the damage and danger they have perpetrated on the American people by failing to pass real privacy protection. What has been done under GLB and its sister law, the Fair Credit Reporting Act, is to make people's private information a public commodity, available to all those who have the money to buy it. By allowing the privacy protections of the people of our Nation to continually be eroded, traded, and sold as just another commodity, the very fabric of our Republic is threatened. When our citizens no longer feel safe and secure in their homes and in the workplace, because their most personal and private information is no longer personal and private, we face the very real possibility that our citizens will lose confidence in our financial services industries. If that occurs, we will be in tremendous trouble. If you do not think it can happen today, all you need do is look back to 1929 and what occurred in our Nation then. Those who do not remember history are bound to repeat it. Strong and meaningful amendments are necessary now to strengthen the Federal privacy law in GLB. I urge this Committee to courageously move forward to do so. Thank you, Mr. Chairman, and all of the Committee Members, for the opportunity to share my experiences and viewpoints with you today. It has been an honor. ---------- PREPARED STATEMENT OF PHYLLIS SCHLAFLY President, Eagle Forum September 19, 2002 Totalitarian governments keep their subjects under constant surveillance by requiring everyone to carry ``papers'' that must be presented to any Government functionary on demand. This is an internal passport that everyone must show to authorities for permission to travel within the country, to move to another city, or to apply for a new job. Having to show ``papers'' to Government functionaries was bad enough in the era when ``papers'' meant merely what was on a piece of paper. In the computer era, personal information stored in databases can be used to determine your right to board a plane, drive a car, get a job, enter a hospital emergency room, start school, open a bank account, buy a gun, or access Government benefits such as Social Security, Medicare, or Medicaid. While each classification currently has its own set of rules, connecting all these dots would amount to the personal surveillance and monitoring that are the indicia of a police state. The Washington buzz words ``information-sharing'' are often put forth as the solution to 21st Century problems, but this has significant privacy implications that must be addressed. Invasions of privacy are no longer limited to Government. Big business has become nearly as powerful in demanding, collecting, sharing, and selling our personal information. Information-gathering and sharing by Big Brother and Big Business raise varying levels of concern, and both are privacy invaders. Government and business often commingle and corroborate their information-sharing in the name of catching deadbeat dads, terrorists, money launderers, drug peddlers, and criminals. The global economy is obsessed with gathering information. The lifestyle or profile of each consumer is a valuable commercial commodity. The checks you write and receive, the invoices you pay, and the investments you make reveal as much about you as a personal diary. Where I shop, how often I travel, when I visit my doctor, how I save for retirement are all actions known to financial institutions, which connect the dots of my life and create a valuable personal profile. This compilation of personal information is bad enough, but the sharing of it without my consent is even worse. Thus far, big business has largely been unwilling to exercise self- restraint to respect the privacy of consumers. The bottom-line dollar is viewed as more important. Financial institutions do not want to seek prior express permission to share customer profiles because they know that most people will not sign-up. True privacy protections encompass the principles of notice, access, correction, consent, preemption, and limiting data collection to the minimum necessary. These form the core of the Fair Information Practices (FIP) first codified in the 1974 Privacy Act, and they should serve as the model for every classification or compilation of personal information. Three years ago, Congress had the opportunity to dramatically change how financial institutions treat personal information by embracing these core principles, but the resulting law was only a slight improvement over no protections at all. On November 12, 1999, President Clinton signed into law the Financial Services Modernization bill, known more commonly as Gramm- Leach-Bliley (GLB). This Act included several sections aimed at protecting sensitive personal information obtained and maintained by financial institutions, but in practice, these meager provisions are proving inadequate. Achieving true financial privacy was conflicted by the underlying goal of GLB, which was to streamline financial services, thereby increasing affiliation and cross-company marketing once affiliated. Greater affiliation meant greater information-sharing. Interjecting the right of individuals to control their personal information into that streamlining equation was perceived as a threat to this big business scheme. As a result, the GLB sections on privacy were severely watered down. Instead of personal information being kept confidential, financial institutions collect, repackage, and share the data. In some instances personal information is shared with the Government, and in other instances, it is shared with hundreds of other ``affiliated'' companies. Even under GLB, it is still legal. GLB failed to recognize that consumers are the rightful owners of their personal information. Your financial diary should be your property, not the bank's. GLB does not provide consumers with any opportunity to decide for themselves about the transfer of their private information among affiliates. Particularly troubling is the large number of companies marked as affiliates. For instance, Bank of America has nearly 1,500 corporate affiliates, and Citigroup has over 2,700. There is no opportunity to stop this free flow of personal information. GLB did include a privacy notice provision. Privacy notices should be simple documents outlining what kinds of information are collected and how the business uses that information. However, the notices sent to consumers as a result of GLB turned out to be too complicated for the public to cope with. When GLB was set to go in effect, few consumers understood their rights. Notices began reaching consumers, and we began receiving questions about them through our website. Making the situation even more confusing, a mass e-mail was sent out by an unknown source claiming that anyone could opt-out of all information-sharing of banking, credit, and other financial records by calling the credit reporting companies. We tried to provide clarification and assistance through a special alert on our website, but financial institutions failed to explain the companies' privacy policies in simple terms. GLB also provided the right to opt-out of information-sharing but only to third parties. With all the confusion in the notices, figuring out how to prevent the sale of your personal financial diary, and to whom you were actually denying it, was yet another significant obstacle. Opt-out consent depends on being able to understand what you are saying no to. This is a misplaced burden, especially when combined with complex, unintelligible privacy notices. Again, the design of GLB failed to begin with answering the essential property rights question. The individual was burdened with seeking further explanation of his options and consent rights to ensure protection of his financial diary. If financial institutions want to offer such a range of popular services, they should have no problem simply explaining those services and letting individuals decide whether they want to sign-up for such offers. The burden should be on the financial institutions to be honest, to better market their products, and to respect the best interests of the customer. This would contribute to more confidence and trust in the customer-business relationship. One redeeming factor of GLB was in the area of preemption. To the financial institutions' chagrin, GLB set a floor of protections rather than ceiling. Stronger State privacy laws can be placed on top of GLB's limited protections. Some States have already taken action and more are likely to do so. For instance, when the question was put to the people of North Dakota, information-sharing without consent lost by 73 percent. A financial privacy bill in California was narrowly defeated this year, but State legislators are expected to revisit the issue. The problems with the GLB privacy provisions are clear. Exceptions, such as sharing among affiliates, make notices very complex. Typically buried in small print, the limited opt-out consent burdens individuals, insufficiently protects nonpublic data, and minimizes the confidence in financial institutions' practices. The banking lobby is working hard to defeat greater financial privacy, but they should embrace better business practices that put their customers' interests first. It is also important to mention a disturbing trend in Government exchange and reliance on private collections of information, such as through financial institutions. The post-9/11 atmosphere encourages more information-sharing and verification of identity, but any actions should be done cautiously so as to not impact law-abiding citizens. In 1998, the Clinton Administration proposed a Federal regulation called Know Your Customer, which would have turned your friendly local banker into a snoop reporting to the Federal database called FinCEN any deviation from what the bank decided is your deposits/withdrawal profile. The American people responded with 300,000 angry e-mail criticisms and the regulation was withdrawn. However, the Bank Secrecy Act still requires banks to share personal information with the Government through suspicious activity reports. The Bush Administration's proposed regulations announced on July 17 to implement the USA PATRIOT Act's Anti-Money Laundering provisions call for identity verification, but they are even more intrusive than Know Your Customer. On that very same day, The Wall Street Journal reported that the Treasury Department entered into an agreement with the Social Security Administration (SSA) ``to develop and implement a system by which financial institutions may access a database to verify the authenticity of Social Security numbers provided by customers at account opening.'' Congress promised us that the SSN would never be used for anything else when it was created, and certainly not for identification purposes. Giving financial institutions access to SSA's database embraces the SSN as a national ID number, which is a step in the wrong direction. Such so-called antimoney laundering provisions are threats to the privacy of law-abiding citizens. Is access to our personal records housed in the Internal Revenue Service the next step? In conclusion, neither Government nor private business should act as if they can own, share, display, or traffic our personal information without our consent. Our personal financial data should be protected by a firewall and accessible only to those who have authority. Financial institutions are in a unique position of housing our financial diaries that often contain all the dots of life. Extra caution and care should be taken by these corporations to ensure protection not only from fraud but also from misuse and overuse within the companies. Unless financial institutions are willing to raise their privacy standards independently, Congress should revisit GLB to raise the floor of privacy protection for our financial diaries. PREPARED STATEMENT OF EDMUND MIERZWINSKI Consumer Program Director U.S. Public Interest Research Group (U.S. PIRG) on behalf of Consumer Action, Consumer Federation of America Consumer Task Force on Automotive Issues and Remar Sutton, President Consumers Union, Electronic Privacy Information Center Identity Theft Resource Center, Junkbusters, Inc. Privacy Rights Clearinghouse, Private Citizen, Inc., U.S. PIRG September 19, 2002 Chairman Sarbanes and Members of the Committee, thank you for the opportunity to testify before you today. As you know, U.S. PIRG \1\ serves as the national lobbying office for State Public Interest Research Groups, which are independent, nonprofit, nonpartisan research and advocacy groups with members around the country. Our testimony is also on behalf of Consumer Action, Consumer Federation of America, Consumer Task Force on Automotive Issues and Remar Sutton, President, Consumers Union, Electronic Privacy Information Center, Identity Theft Resource Center, Junkbusters, Inc., Privacy Rights Clearinghouse, Private Citizen, Inc.\2\ Many of these groups participating are members of the Privacy Coalition.\3\ --------------------------------------------------------------------------- \1\ U.S. PIRG, www.uspirg.org is the national lobbying office for the State Public Interest Research Groups, www.pirg.org. State PIRG's are nonprofit, nonpartisan public interest advocacy groups. \2\ Consumer Action, www.consumer-action.org founded in 1971, is active on privacy issues both in California and on the national level working through its network of more than 6,500 community-based organizations. Consumer Federation of America, www.consumerfed.org is a coalition of 240 national, State, and local consumer groups around the country. Consumer Advocate Remar Sutton is President of the Consumer Task Force on Automotive Issues, http://www.auto issues.org/. He and the Task Force are founding members of www.privacyrightsnow.com. Consumers Union, www.consumer.org is the nonprofit, nonpartisan, noncommercial publisher of Consumers Report magazine and maintains advocacy offices in California, Washington, DC, and Texas. The Electronic Privacy Information Center (EPIC), www.epic.org was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and Constitutional values. The Identity Theft Resource Center, http://www. idtheftcenter.org is a nationwide nonprofit organization dedicated to developing and implementing a comprehensive program against identity theft. Junkbusters, Inc., www.junkbusters. com offers free software and other tools to fight junk mail, spam, cookies, and other forms of privacy invasion. The Privacy Rights Clearinghouse, www.privacyrights.org is a nonprofit consumer information and advocacy program. Private Citizen, Inc., http://www.private-citizen.com is nationally known and respected as America's foremost consumer organization fighting against the direct marketing industrys privacy- abusive practices. \3\ The Privacy Coalition was established in 2001 by a broad range of consumer, privacy, civil liberties, family-based, and conservative organizations that share strong views about the right to privacy. The groups had previously worked together on a more informal basis in opposition to the intrusive Know-Your-Customer rules and in support of financial privacy proposals offered in the 106th Congress by Members of the bi-partisan Congressional Privacy Caucus, Co-Chaired by Senate Banking Committee Members Richard Shelby and Christopher Dodd and House Energy and Commerce Committee Members Joe Barton and Ed Markey. Groups endorsing the coalition's legislative candidate Privacy Pledge are listed at www.privacypledge.org. --------------------------------------------------------------------------- Summary The Congress knew that the 1999 Gramm-Leach Bliley Financial Services Modernization Act \4\ (GLBA)--a law long-sought by the financial industry to encourage the creation of integrated financial services firms--would exacerbate already-identified financial privacy threats. So Congress incorporated Title V to protect financial privacy, which included the following five key provisions. The most important and most successful is the last: The fail-safe States' rights provision allowing States to enact stronger financial privacy laws. --------------------------------------------------------------------------- \4\ Public Law 106 -102, 15 U.S.C. Sec. 6801, et seq. enacted November 12, 1999. (1) Title V defined certain confidential information as ``nonpublic --------------------------------------------------------------------------- personal information'' subject to strong privacy protection. Status: An important recent decision by the DC Circuit U.S. Court of Appeals upholding the GLBA financial privacy regulations has effectively closed the so-called credit header loophole exploited by Internet information brokers to obtain Social Security Numbers from credit bureaus without consumer consent. Creating a strict definition of protected information is an important and successful result of GLBA. (2) Title V required covered firms to provide, by July 2001, annual notice of their information-sharing practices with both affiliated and nonaffiliated third parties. Status: The core of the GLBA privacy scheme is limited to notice. Industry lobbyists will falsely portray their distribution of billions of privacy notices as successful privacy protection. Notice is not enough to protect privacy. Data collectors should adhere to a broader set of Fair Information Practices (discussed below). Worse, the first year's privacy notices were unreadable; this year's no better. Although notice is not enough to protect privacy, covered firms should do a better job of providing notice and regulators should penalize those that do not. (3) Title V required covered firms to provide in that notice an extremely limited statutory consumer right to opt-out (affirmatively act to say no) to the sharing of information with some, but not all, nonaffiliated third parties. Transactions between affiliates and also with many nonaffiliated third parties engaged in joint marketing contracts with an affiliate could continue regardless of whether or not a customer had chosen to ``opt-out.'' Status: Notice is not enough, nor is the limited opt-out, to satisfy the Fair Information Practices. The vast majority of all information-sharing with both affiliates and many third parties is only covering by notice, not by this limited opt-out ``right.'' The provision is inadequate and fails to even rein in the practices of the telemarketers it is narrowly targeted at (see (4) ). The partial opt- out should be replaced by an across-the-board affirmative consent (opt- in) provision for all affiliate and third-party information-sharing. The failure of the GLBA to require any form of consumer consent for the vast majority of information-sharing transactions affected is one example of how the GLBA fails to meet the Fair Information Practices (discussed below). (4) Title V attempted, through an encryption provision, to restrict the tawdry practice of nonaffiliated telemarketers obtaining credit card numbers from banks, then signing consumers up for expensive ``membership clubs'' and billing them when the consumer failed to affirmatively cancel within 30 days. Status: As Attorneys General Hatch of Minnesota and Sorrell of Vermont have testified today, telemarketers continue to find loopholes enabling them to bill consumers for products the consumer never ordered, using credit card numbers provided by the consumer's bank, not by the consumer. Consumers do not think they ordered anything, when they do not hand over cash, a check, or a credit card number. Unfortunately, the encryption provision has codified, instead of stopped, the growing epidemic of anticonsumer, controversial ``preacquired account telemarketing.'' (5) Finally, recognizing that it hadn't really completed the job of protecting privacy adequately, the Congress--in an extremely rare departure from its normal policy of preempting State action--explicitly included a fail-safe provision allowing States to enforce existing and to enact new stronger financial privacy laws. Status: The States' rights fail-safe is the most important, and most successful, privacy protection in GLBA. We commend the Chairman for his sponsorship of the provision added in conference committee known as the ``Sarbanes Amendment.'' States have been very active and although not all have yet been successful, we believe that there is a good chance that passage of strong new privacy laws in a few more States will provide Congress with the encouragement it needs to raise the bar nationally. Financial Privacy and the Gramm-Leach-Bliley Act The 1999 Gramm-Leach-Bliley Financial Services Modernization Act was enacted to respond to changes in the marketplace. Banks, insurance companies, and securities firms were more and more selling products that looked alike. The firms wanted the privilege of and synergies derived from selling them all under one roof. Yet, the Gramm-Leach- Bliley Act was also enacted against a backdrop of financial privacy invasions, and members wanted to ensure that the new law wouldn't make things worse. Consumer and privacy groups argued that if the Congress was going to create one-stop financial supermarkets, then privacy protections should extend to all information-sharing, whether with affiliates or with third parties. At the time, two examples were given of the need for stronger privacy laws. First, NationsBank (now Bank of America) had recently paid civil penalties totaling $7 million to the Securities and Exchange Commission and other agencies, plus millions more in private class action settlements, over its sharing of confidential bank accountholder information with an affiliated securities firm. ``Registered representatives also received other NationsBank customer information, such as financial statements and account balances.'' \5\ In this case, conservative investors who held maturing certificates of deposits (CD's) were switched into risky financial derivative products. Some lost large parts of their life savings. --------------------------------------------------------------------------- \5\ See the SEC's NationBank Consent Order, http://www.sec.gov/ litigation/admin/337532.txt. Second, Minnesota Attorney General Mike Hatch had recently sued U.S. Bank and its holding company, accusing them of having ``sold their customers' private, confidential information to MemberWorks, Inc., a telemarketing company, for $4 million dollars plus commissions of 22 percent of net revenue on sales made by MemberWorks.'' \6\ As General Hatch has testified today in detail, MemberWorks and other nonaffiliated third-party telemarketers sign credit card customers up for add-on ``membership club'' products and bill their credit cards as much as $89 or more if they do not cancel within 30 days. The catch? The consumer never gave the telemarketer her credit card number; her bank did, in a scheme known as preacquired account telemarketing. General Hatch has settled with both U.S. Bank and MemberWorks. --------------------------------------------------------------------------- \6\ See the complaint filed by the State of Minnesota against U.S. Bank, http://www.ag.state. mn.us/consumer/privacy/pr/ pr%5Fusbank%5F06091999.html. Industry has argued that these ``aberrations'' occurred before the enactment of GLBA. Yet, as General Hatch has also testified today, however, he has also recently settled a post-GLBA lawsuit with Fleet Mortgage Company over similar practices in the post-GLBA environment.\7\ He and numerous other Attorneys General have filed comments with the U.S. Treasury Department and the Federal Trade Commission seeking stronger laws restricting ``preacquired account telemarketing'' transactions involving banks and membership clubs run by telemarketers. --------------------------------------------------------------------------- \7\ See the complaint filed by the State of Minnesota against Fleet Mortgage, 28 December 2000, http://www.ag.state.mn.us/consumer/news/pr/ Comp_Fleet_122800.html. --------------------------------------------------------------------------- In response to these documented concerns about the risks to financial privacy, Congress included a specific financial privacy title in the Gramm-Leach-Bliley Act. Basic Structure of the GLBA Financial Privacy Scheme and Its Limitations The principal privacy protection in GLBA is an annual notice requirement. GLBA defines nonpublic personal information that must be protected. GLBA then requires covered entities to disclose their information-sharing policies with both affiliated companies (companies under the same corporate umbrella and ``common control'') and with nonaffiliated third parties. GLBA then requires firms to grant customers a limited right to opt-out of a small number of transactions with some nonaffiliated third parties (primarily telemarketers). The opt-out applies to neither affiliates nor any nonaffiliated third parties in a joint marketing relationship with the bank or other covered entity. The rationale for treating marketing partners as affiliates was ostensibly to create a level playing field for smaller institutions that might not have in-house affiliates selling every possible product larger firms might sell.\8\ Of course, large firms use joint marketing partners, too. --------------------------------------------------------------------------- \8\ The GLBA also includes numerous other exceptions to opt-out protections, including sharing for Government or law enforcement purposes and sharing for purposes related to completing a consumer transaction (such as a credit card purchase or ATM withdrawal). --------------------------------------------------------------------------- The result of this scheme is that most information-sharing is only ``protected'' by notice. Sharing of confidential consumer information with either affiliates or joint marketing partners continues regardless of a consumer's privacy preference. Although we have no way of knowing how many joint marketing partners a company may have, we do know how many affiliates some of the largest financial services holding companies and bank holding companies have. For their recent joint comments to the Treasury Department on GLBA, State Attorneys General accessed the Federal Financial Institutions Examination Council and Federal Reserve websites and counted affiliates for Citibank (2,761), Key Bank (871), and Bank of America (1,476).\9\ --------------------------------------------------------------------------- \9\ See 1 May 2002 Attorneys General Comments, http:// www.ots.treas.gov/docs/r.cfm?95421. pdf or http://www.epic.org/privacy/ financial/ag_glb_comments.html on the GLBA Information Sharing Study (Federal Register: February 15, 2002 (Volume 67, Number 32) ). --------------------------------------------------------------------------- The GLBA has failed to provide adequate protections for consumer privacy in modern financial services. Individuals face a multitude of potential risks through unrestricted and undisclosed information- sharing of personal financial data information under the GLBA. Unfettered affiliate and nonaffiliate sharing permits comprehensive profiling, which results in aggressive target marketing techniques, identity theft, profiling, and fraud. Consumers have not been adequately informed or been given effective choice to evaluate the benefits of information-sharing against the potential harms causes by unrestricted information-sharing. The inherent weaknesses of the GLBA notwithstanding, the July 2002 decision by the Court of Appeals upholding GLBA's regulations is nevertheless an important decision upholding the Constitutionality of a broad Government privacy regulation.\10\ Government has an important interest in protecting privacy and regulating the activities of companies that share and sell confidential consumer information. Financial privacy is not merely an issue of a few ``nuisance'' phone calls, as industry would like to portray it. When data collectors do not adhere to Fair Information Practices (discussed below) consumers face numerous privacy risks: --------------------------------------------------------------------------- \10\ See http://pacer.cadc.uscourts.gov/common/opinions/200207/01- 5202a.txt. Consumers pay a much higher price than dinner interruptions from telemarketers. Many unsuspecting constituents of yours may be paying $89/year or more for essentially worthless membership club --------------------------------------------------------------------------- products they did not want and did not order. Easy access to confidential consumer identifying information leads to identity theft. Identity theft may affect 500,000-700,000 consumers each year. Identity theft victims in a recent PIRG/ Privacy Rights Clearinghouse survey faced average out-of-pocket costs of $808 and average lost time of 175 hours over a period of 1- 4 years clearing an average $17,000 of fraudulent credit off their credit reports. It is difficult to measure the costs of higher credit these consumers pay, let alone attempt to quantify the emotional trauma caused by the stigma of having their good names ruined by a thief who was aided and abetted by their bank and credit bureau's sloppy information practices.\11\ --------------------------------------------------------------------------- \11\ See ``Nowhere To Turn: A Survey of Identity Theft Victims, May 2000, CALPIRG and Privacy Rights Clearinghouse, http://calpirg.org/ CA.asp?id2=3683&id3=CA&. Reliance on the Social Security Number as a unique identifier in the private sector has proliferated. Easy access to Social Security Numbers by Internet information brokers and others also --------------------------------------------------------------------------- leads to stalking. The failure to safeguard information and maintain its accuracy leads to mistakes in credit reports and consequently consumers pay higher costs for credit or are even denied opportunities. Although the industry witnesses will testify to a vast ``free flow of information'' driving our economy that should not be constrained, more and more firms are choosing to stifle the flow of information themselves--to maintain their current customers as captive customers. When a bank intentionally fails to report a consumer's complete credit report information to a credit bureau, that consumer is unable to shop around for the best prices and other sellers are unable to market better prices to that consumer.\12\ --------------------------------------------------------------------------- \12\ See speech by Comptroller of the Currency John Hawke at http:/ /www.occ.treas.gov/ftp/release/99-51.txt 7 June 1999: ``Some lenders appear to have stopped reporting information about subprime borrowers to protect against their best customers being picked off by competitors. Many of those borrowers were lured into high-rate loans as a way to repair credit histories.'' According to U.S. PIRG's sources in the lending industry, this practice continues. The unlimited collection and sharing of personal data poses profiling threats. Profiles can be used to determine the amount one pays for financial services and products obtained from within the ``financial supermarket'' structure. As just one example, information about health condition or lifestyle can be used to determine interest rates for a credit card or mortgage. Even with a history of spotless credit, an individual, profiled on undisclosed factors, can end up paying too much for a financial service or product. Because there are no limits on the sharing of personal data among corporate affiliates, a customer profile can be developed by a financial affiliate of the company and sold or shared with an affiliate that does not fall within the broad definition of ``financial institution.'' A bank, for instance, that has an affiliation with a travel company could share a customer profile resulting in the bank's customer receiving unwanted telephone calls and unsolicited direct mail for offers of memberships in travel clubs or the like that the individual never wanted or requested.\13\ --------------------------------------------------------------------------- \13\ For additional discussion of the profiling issue, and related privacy threats posed by information-sharing, see 1 May 2002 comments of EPIC, U.S. PIRG, Consumers Union, and Privacy Rights Clearinghouse on the GLBA Information Sharing Study (Federal Register: February 15, 2002 (Volume 67, Number 32) ) available at http://www.epic.org/privacy/ financial/glb_ comments.pdf. We will now discuss the success or failure of the five key privacy --------------------------------------------------------------------------- provisions summarized above in greater detail. (1) Title V defined certain confidential information as ``nonpublic personal information'' subject to strong privacy protection. Status: An important recent decision by the DC Circuit, U.S. Court of Appeals upholding the GLBA financial privacy regulations has effectively closed the so-called credit header loophole exploited by Internet information brokers to obtain Social Security Numbers from credit bureaus without consumer consent. Creating a strict definition of protected information is an important and successful result of GLBA. The GLBA created a category of protected ``nonpublic personal information.'' The final GLBA financial privacy rules issued by 7 Federal financial agencies defined Social Security Numbers as nonpublic personal information (NPPI). A key provision is that the transfer of Social Security Numbers from financial institutions to credit bureaus is only allowed for regulated Fair Credit Reporting Act purposes (e.g., for use in a credit report) but not for unregulated purposes, where the credit bureau would be considered a nonaffiliated third-party. The agencies correctly interpreted the law to prevent the sharing of Social Security Numbers unless consumers are given notice of the practice and a right to opt-out. In 1993, the Federal Trade Commission had (improperly in our view) granted an exemption to the definition of credit report when it modified a consent decree with TRW (now Experian). The FTC said that certain information would not be regulated under the Fair Credit Reporting Act (FCRA). The so-called credit header loophole allowed credit bureaus to separate a consumer's so-called header or identifying information from the balance of an otherwise strictly regulated credit report and sell it to anyone for any purpose. Credit headers included information ostensibly not bearing on creditworthiness and therefore not part of the information collected or sold as a consumer credit report. The sale of credit headers involves stripping a consumer's name, address, Social Security Number, and date of birth \14\ from the remainder of his credit report and selling it outside of the FCRA's consumer protections. Although the information, marketing and locater industries contend that header information is derived from numerous other sources, in reality, the primary source of credit header data is likely financial institution information. --------------------------------------------------------------------------- \14\ In a separate 2001 decision by the DC Circuit, U.S. Court of Appeals (No. 00-1141, 13 April 2001, cert denied, 10 June 2002 by Supreme Court), Trans Union I vs. FTC, http://laws.findlaw.com/dc/ 001141a.html, the FTC's order against Trans Union, http://www.ftc.gov/ os/2000/03/transunionopinionofthecommission.pdf prohibiting Trans Union from selling actual credit information for illegal marketing purposes was upheld. This decision also removed dates of birth from credit headers, since age is a determinant of credit scores and therefore has a bearing on creditworthiness. --------------------------------------------------------------------------- In their unsuccessful arguments to the courts, the credit bureau Trans Union and a number of companies that sell information, organized into the now-apparently-defunct Individual References Services Group, argued that the GLBA included a Fair Credit Reporting Act savings clause and therefore their sale of Social Security Numbers was legal. As the FTC explains in the preamble to its Gramm-Leach-Bliley Financial Privacy Rule: The Commission recognizes that Sec. 313.15(a)(5) permits the continuation of the traditional consumer reporting business, whereby financial institutions report information about their consumers to the consumer reporting agencies and the consumer reporting agencies, in turn, disclose that information in the form of consumer reports to those who have a permissible purpose to obtain them. Despite a contrary position expressed by some commenters, this exception does not allow consumer reporting agencies to redisclose the nonpublic personal information it receives from financial institutions other than in the form of a consumer report. Therefore, the exception does not operate to allow the disclosure of credit header information to individual reference services, direct marketers, or any other party that does not have a permissible purpose to obtain that information as part of a consumer report. Disclosure by a consumer reporting agency of the nonpublic personal information it receives from a financial institution pursuant to the exception, other than in the form of a consumer report, is governed by the limitations on reuse and redisclosure in Sec. 313.11, discussed above in ``Limits on reuse.'' Those limitations do not permit consumer reporting agencies to disclose credit header information that they received from financial institutions to nonaffiliated third parties. . . . If consumer reporting agencies receive credit header information from financial institutions outside of an exception, the limitations on reuse and redisclosure may allow them to continue to sell that information. This could occur if the originating financial institutions disclose in their privacy policies that they share consumers' nonpublic personal information with consumer reporting agencies, and provide consumers with the opportunity to opt-out. [Emphasis added, Footnotes omitted.] \15\ --------------------------------------------------------------------------- \15\ Excerpted from pages 80-83, Federal Trade Commission, 16 CFR Part 313, Privacy Of Consumer Financial Information, Final Rule, http:/ /www.ftc.gov/os/2000/05/glb000512.pdf. There is a slight chance that credit bureaus will eventually convince financial institutions to provide notice of their sharing of Social Security Numbers, triggering the right to share Social Security Numbers for consumers who do not opt-out. So, the Congress should act to close the credit header loophole completely. Several House bills and a Senate bill, S. 1014, sponsored by Senator Bunning of the Banking Committee (although the bill has been referred to the Finance Committee) would completely close the credit header loophole and take other steps to improve Social Security Number privacy. In the 106th Congress, legislation named for the first-known victim of an Internet stalker was defeated after it was seen that the proposal actually was a Trojan Horse that expanded the availability of Social Security Numbers to customers of the Individual References Services Group (IRSG). IRSG member companies included credit companies and other information firms engaged in the sale of nonpublic personal information to information brokers, private detectives, and others.\16\ The IRSG was established as a supposed self-regulatory organization and received a tacit endorsement from the Federal Trade Commission \17\ for its efforts to police its industry. The association reportedly has dissolved following its unsuccessful attempts to overturn the GLBA regulations. --------------------------------------------------------------------------- \16\ See the U.S. PIRG Fact Sheet, ``Why The Amy Boyer Law Is A Trojan Horse'' at http://www.pirg.org/consumer/trojanhorseboyer.pdf. \17\ See for example, Testimony of FTC Commissioner Mozelle Thompson before the House Banking Committee, 28 July 1998, http:// www.ftc.gov/os/1998/9807/pretexttes.htm. (2) Title V required covered firms to provide, by July 2001, annual notice of their information-sharing practices with both affiliated and --------------------------------------------------------------------------- nonaffiliated third parties. Status: The core of the GLBA privacy scheme is limited to notice. Industry lobbyists will falsely portray their distribution of billions of privacy notices as successful privacy protection. Notice is not enough to protect privacy. Data collectors should adhere to a broader set of Fair Information Practices (discussed below). Worse, the first year's privacy notices were unreadable; this year's no better. Although notice is not enough to protect privacy, covered firms should do a better job of providing notice and regulators should penalize those that do not. The notices provided by banks, securities firms, and other covered institutions have been widely panned by a variety of experts for their inscrutable, dense language. While the banks and others have complained that the law required such detail, we respectfully disagree that the law required banks to confuse customers. Mark Hochhauser, readability consultant to the Privacy Rights Clearinghouse, analyzed dozens of the initial notices: ``Readability analyses of 60 financial privacy notices found that they are written at a 3rd- 4th year college reading level, instead of the junior high school level that is recommended for materials written for the general public.'' \18\ --------------------------------------------------------------------------- \18\ See ``Lost in the Fine Print: Readability of Financial Privacy Notices'' by Mark Hochhauser at http://www.privacyrights.org/ar/GLB- Reading.htm. --------------------------------------------------------------------------- In response, a number of consumer and privacy groups formed a coalition to petition the financial regulatory agencies to strengthen the notices using existing authority. Apparently in response to the petition of 26 July 2001 and other complaints, the agencies held a workshop in December 2001. We are unaware of significant improvement to the notices in 2002. According to the petition filed by the consortium of consumer and privacy groups: In passing Sec. Sec. 501-510 of the GLBA, Congress gave consumers the right to prevent financial institutions from transferring their personal financial information to third parties. To that end, the Act requires the institutions to notify customers of the right to opt-out and to provide convenient means of exercising it. However, in notices mailed out thus far, most financial institutions have employed dense, misleading statements and confusing, cumbersome procedures to prevent consumers from opting out. Such notices evince a clear failure of the Act's implementing regulations to effectuate Congressional intent. Accordingly, we ask the Agencies to revise the regulations and require that financial institutions provide understandable notices and convenient opt-out mechanisms.\19\ --------------------------------------------------------------------------- \19\ The petition is available at http://www.privacyrightsnow.com/ glbpetition.pdf. See the website http://www.privacyrightsnow.com for additional information about the coalition. --------------------------------------------------------------------------- According to a smaller August 2002 California PIRG survey \20\ of 10 bank privacy notices issued in the second year, 2002: ``Most banks received a failing grade and the best received a ``C-.'' --------------------------------------------------------------------------- \20\ See the CALPIRG report Privacy Denied: A Survey Of Bank Privacy Policies, 15 August 2002, http://calpirg.org/ CA.asp?id2=7606&id3=CA&. --------------------------------------------------------------------------- As for the notion that no company would seek to make notices confusing on purpose, so consumers would fail to take advantage of an opt-out right, we would encourage the Committee to review a recent Federal court decision. The U.S. District court decision in the case Darcy Ting et al vs. AT&T describes how the long-distance carrier AT&T may have used consultants to help it write legal notices to its customers in such a way that the consumers would view an amendment to their customer service agreement (CSA) as a ``nonevent'' and not either ``opt-out'' of the change or, worse, ``defect'' to another carrier. The key provision reduced legal remedies (by requiring mandatory arbitration). From the district court ruling: 22. AT&T conducted market research to assist it in developing the contract documents. One part of AT&T's research, the Quantitative Study, included the following key findings and recommendations: In the letter it should be made clear that this agreement is being sent for informational purposes only. The fact that no action is required on the part of the customer needs to be made. (sic) . . . 23. Another part of AT&T's research, the Qualitative Study, concluded that after reading the bolded text in the cover letter which States ``[p]lease be assured that your AT&T service or billing will not change under the AT&T Consumer Services Agreement; there is nothing you need to do,'' ``[a]t this point most would stop reading and discard the letter.'' [Emphasis in original.] . . . . . . 24. . . . While presenting the CSA as a nonevent may have helped AT&T retain its customers, it also made customers less alert to the fact that they were being asked to give up important legal rights and remedies. (U.S. District court decision, Darcy Ting et al vs. AT&T \21\) --------------------------------------------------------------------------- \21\ See especially paragraphs 21-24 of U.S. District Judge Bernard Zimmerman's 15 January 2002 opinion in Darcy Ting et al vs. AT&T (Case 01-02969BZ, Northern District of California). Now on appeal to the 9th Circuit Court of Appeals. (3) Title V required covered firms to provide in that notice an extremely limited statutory consumer right to opt-out (affirmatively act to say no) to the sharing of information with some, but not all, nonaffiliated third parties. Transactions between affiliates and also with many nonaffiliated third parties engaged in joint marketing contracts with an affiliate could continue regardless of whether or not --------------------------------------------------------------------------- a customer had chosen to ``opt-out.'' Status: Notice is not enough, nor is the limited opt-out, to satisfy the Fair Information Practices. The vast majority of all information-sharing with both affiliates and many third parties is only covering by notice, not by this limited opt-out ``right.'' The provision is inadequate and fails to even rein in the practices of the telemarketers it is narrowly targeted at (see (4) below). The partial opt-out should be replaced by an across-the-board affirmative consent (opt-in) provision for all affiliate and third-party information- sharing. The failure of the GLBA to require any form of consumer consent for the vast majority of information-sharing transactions affected is one example of how GLBA fails to meet the Fair Information Practices. Ideally, consumer groups believe that all privacy legislation enacted by either the States or the Congress should be based on Fair Information Practices, which were originally proposed by a Health, Education, and Welfare (HEW) task force and then embodied into the 1974 Privacy Act and into the 1980 Organization for Economic Cooperation and Development (OECD) guidelines. The 1974 Privacy Act applies to Government uses of information.\22\ Consumer and privacy groups generally view the following as among the key elements of Fair Information Practices: --------------------------------------------------------------------------- \22\ As originally outlined by a Health, Education, and Welfare (HEW) task force in 1973, then codified in U.S. statutory law in the 1974 Privacy Act and articulated internationally in the 1980 Organization of Economic Cooperation and Development (OECD) Guidelines, information use should be subject to Fair Information Practices. Noted privacy expert Beth Givens of the Privacy Rights Clearinghouse has compiled an excellent review of the development of FIP's, ``A Review of the Fair Information Principles: The Foundation of Privacy Public Policy.'' October 1997. http://www.privacyrights.org/AR/fairinfo.html. The document cites the version of FIP's in the original HEW guidelines, as well as other versions. 1) Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or --------------------------------------------------------------------------- consent of the data subject. 2) Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete. and kept up-to-date. 3) Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. 4) Use Limitation Principle: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except: a) with the consent of the data subject; or b) by the authority of law. 5) Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data. 6) Openness Principle: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. 7) Individual Participation Principle: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended. 8) Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.\23\ --------------------------------------------------------------------------- \23\ Organization for Economic Cooperation and Development, Council Recommendations Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 20 I.L.M. 422 (1981), O.E.C.D. Doc. C (80) 58 (Final) (October 1, 1980), at http:// www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM as quoted in Gellman, ``Privacy, Consumers, and Costs: How The Lack of Privacy Costs Consumers and Why Business Studies of Privacy Costs are Biased and Incomplete,'' March 2002, http://www.epic.org/reports/dmfprivacy.html or http://www.cdt.org/publications/dmfprivacy.pdf. Consumer groups disagree with industry organizations over whether certain self-regulatory or statutory schemes are adequately based on Fair Information Practices. Industry groups often seek to block legislation or offer substitute legislation intended to ``dumb-down'' --------------------------------------------------------------------------- the Fair Information Practices, as they were able to do with the GLBA. First, industry groups seek to substitute a weaker opt-out choice, instead of providing opt-in consent before secondary uses, Second, industry groups claim that notice is enough. They claim that the right of review and correction are unnecessary. Third, they contend that either agency enforcement or self- regulation is an adequate substitute for a consumer private right of action (also missing from GLBA). Privacy advocates and other consumer groups believe that consumers should provide consent for all information-sharing circumstances--by and among both affiliates and third parties. Second, that protection should be on an opt-in basis since it gives consumers control. How The Gramm-Leach-Bliley Act Falls Short of the Fair Information Practices: First, it fails to require any form of consent (either opt-in or opt-out) for most forms of information-sharing for secondary purposes, including experience and transaction information shared between and among either affiliates or affiliated third parties. Second, while consumers generally have access to and dispute rights over their account statements, they have no knowledge of, let alone rights to review or dispute, the development of detailed profiles on them created by financial institutions. The Act does provide for disclosure of privacy policies, although a review of a sample of privacy policies suggests that companies are not following the spirit of GLBA. See (3). None are fully explaining all their uses of information, including the development of consumer profiles for marketing purposes. None are listing all the types of affiliates that they might share information with. None are describing the specific products, most of which are of minimal or even negative value to consumers, that third-party telemarketers might offer for sale to consumers who fail to opt-out. Yet all the privacy policies make a point of describing how consumers who elect to opt-out will give up ``beneficial'' opportunities. (4) Title V attempted, through an encryption provision, to restrict the tawdry practice of nonaffiliated telemarketers obtaining credit card numbers from banks, then signing consumers up for expensive ``membership clubs'' and billing them when the consumer failed to affirmatively cancel within 30 days. Status: As Attorneys General Hatch of Minnesota and Sorrell of Vermont have testified today, the telemarketers continue to find loopholes enabling them to bill consumers for products the consumer never ordered, using credit card numbers provided by the consumer's bank, not by the consumer. Consumers do not think they ordered anything, when they do not hand over cash, a check, or a credit card number. Unfortunately, the encryption provision has codified, instead of stopped, the growing epidemic of anticonsumer, controversial ``preacquired account telemarketing.'' In December 2000, the Minnesota Attorney General filed a new suit against Fleet Mortgage, an affiliate of FleetBoston, for substantially the same types of violations as U.S. Bank engaged in. That complaint was settled in June. The State's complaint explains the problem with sharing confidential account information with third-party telemarketers. The complaint states that when companies obtain a credit card number in advance, consumers lose control over the deal: Other than a cash purchase, providing a signed instrument or a credit card account number is a readily recognizable means for a consumer to signal assent to a telemarketing deal. Preacquired account telemarketing removes these short-hand methods for the consumer to control when he or she has agreed to a purchase. The telemarketer with a preacquired account turns this process on its head. Fleet not only provides its telemarketing partners with the ability to charge the Fleet customer's mortgage account, but also Fleet allows the telemarketing partner to decide whether the consumer actually consented. For many consumers, withholding their credit card account number or signature from the telemarketer is their ultimate defense against unwanted charges from telemarketing calls. Fleet's sales practices remove this defense.\24\ --------------------------------------------------------------------------- \24\ 28 December 2000, Complaint of State of Minnesota vs. Fleet Mortgage, see http://www. ag.state.mn.us/consumer/news/pr/ Comp_Fleet_122800.html. This complaint alleged that the company was providing account numbers to the telemarketer. In our view, either Gramm-Leach-Bliley or the FTC Telemarketing Sales Rule needs to be amended so that telemarketers cannot initiate the billing of a consumer who has not affirmatively provided his or her credit card or other account number. Whether this case stems from pre-Gramm-Leach-Bliley acquisition of full account numbers, or post-Gramm-Leach-Bliley encrypted numbers or authorization codes, is not the question. In either case, consumers have lost control over their accounts. How do the credit card companies and the telemarketers respond to consumer complaints? Data from consumer complaints to U.S. PIRG and to the FTC and the legal complaints and accompanying materials of the State of Minnesota all show the following pattern: Consumers who call their credit card company to complain about their bills are transferred to the telemarketer, whose agents were trained to continue to try to confuse the consumer. The telemarketer then claims that the consumer assented to the confusing trial offer by giving their ``date of birth'' or some other piece of information (but not, of course, a credit card number, let alone an ``expiration date.''). Sometimes the telemarketer would play a piece of recorded tape from the call where the consumer had provided a date of birth--arguing that providing your date of birth was proof that the consumer had agreed to the transaction. This response to complaints made about unauthorized charges was designed to convince consumers to ``eat'' the charge. Providing a date of birth in response to a trick question is not providing a credit card number to order a product. Preacquired account telemarketing should be banned. We are encouraged that the proposed FTC amendments to the Telemarketing Sales Rule would ban preacquired account telemarketing.\25\ --------------------------------------------------------------------------- \25\ See 67 FR 4492 available at http://www.ftc.gov/os/2002/01/ 16cfr310.pdf. --------------------------------------------------------------------------- No bank--indeed, no firm--should be allowed to earn commissions from companies (whether affiliated, joint marketing partners, or third- party telemarketers) that bill consumers for products they do not want and have not ordered, through the scheme known as ``preacquired account telemarketing,'' which eliminates a consumer's fundamental control over her purchase decisions by allowing the consumer's bank to make purchase decisions for her and bill her credit card without her knowledge or consent. (5) Finally, recognizing that it hadn't really completed the job of protecting privacy adequately, the Congress--in an extremely rare departure from its normal policy of preempting State action--explicitly included a fail-safe provision allowing States to enforce existing and enact new stronger financial privacy laws. Status: The States' rights fail-safe is the most important, and most successful, privacy protection in GLBA. We commend the Chairman for his sponsorship of the provision added in conference committee known as the ``Sarbanes Amendment.'' States have been very active and although not all have yet been successful, we believe that there is a good chance that passage of strong new privacy laws in a few more States will provide Congress with the encouragement it needs to raise the bar nationally. Our organizations and others, including, as State Representative Jim Kasper reports today, the grassroots-based Protect Our Privacy coalition in North Dakota, have fought to enact stronger privacy protections in State law. While we have faced significant opposition from vested financial interests, we strongly believe that the fail-safe States' rights' provision of Title V is its most important provision. Five States have some form of ``opt-in'' financial privacy provisions: Alaska, Connecticut, Illinois, Maryland, and Vermont. Each has laws applying to different aspects of financial information. In three States, legislative repeals of stronger pre-GLBA legislation occurred in 2000-2001: North Dakota, Maine, and Florida. However, in June 2002, North Dakota citizens reversed that State's repeal action on a 73 percent-27 percent ballot referendum vote.\26\ The result of the referendum was reinstatement of the previous opt-in based law. Vermont is the only State that has a law that specifically regulates affiliate- sharing.\27\ The State of Vermont is also vigorously defending a lawsuit by insurance associations seeking to overturn its financial privacy laws. --------------------------------------------------------------------------- \26\ See the website of the North Dakota grassroots group that beat the banks 73 percent-27 percent in a June referendum on financial privacy at http://www.protectourprivacy.net. \27\ Comments of 44 Attorneys General to Federal Trade Commission Regarding GLB Notices. February 15, 2002 (available at www.naag.org). --------------------------------------------------------------------------- Consumers Union, Privacy Rights Clearinghouse, California PIRG, and other groups have been strong supporters of proposed California legislation by State Senator Jackie Speier. As originally introduced, SB 773 \28\ would have required that all information-sharing, whether by and between affiliates or with third parties, would require opt-in consent. In its final form, although still defeated in the State assembly last month, the bill would have required an opt-out for all sharing between either affiliates or nonaffiliated joint marketing partners (no consent protection under Federal law) and required an opt-in for sharing with other third parties (opt-out under current Federal law). --------------------------------------------------------------------------- \28\ See legislative history of SB 773 at http:// www.leginfo.ca.gov/cgi-bin/postquery?bill_ number=sb_773&sess=CUR&house=B&author=speier. --------------------------------------------------------------------------- Passage of SB 773, even in its weakened form, would have granted California consumers vastly improved financial privacy rights over current law. In our view, passage of such a strong bill in such a large State would have had a very good chance to lead to similar Federal legislation, vindicating the fail-safe States' rights model adopted by GLBA. The success of the citizens of North Dakota and the near success of the California legislature in enacting the Speier bill, despite an overwhelming campaign by the industry, strongly suggest that the States' rights provision of Title V has been successful and should be continued. We are also encouraged that extant preemption provisions in the Fair Credit Reporting Act (15 USC 1681 et seq.) expire on 1 January 2004. At that time, States will be free to experiment with strengthening both of the core laws protecting their financial privacy--FCRA and GLBA. Uncertainty over the relationship between the FCRA's preemption provisions and GLBA's FCRA savings clause regarding affiliate sharing has helped the financial industry to successfully oppose State laws seeking to further regulate financial privacy. When that FCRA preemption provision expires, there will be greater clarity for legislators about States' rights to regulate affiliated transactions. Recommendations (1) Strengthen GLBA Gramm-Leach-Bliley Act should be strengthened. Consumers should be granted an affirmative informed consent right (opt-in) before nonpublic personal information is shared with either affiliates or third parties. Providing informed consent and providing notice are only two of a set of Fair Information Practices that give consumers control over the use of their confidential information. Protection of privacy requires data collectors to adhere to all of the Fair Information Practices. Efforts by industry groups to ``dumb-down'' the Fair Information Practices should be resisted. (2) Resist Efforts to Eliminate States' Right to Enact Stronger Laws Congress should resist efforts by industry lobbies to eliminate the right of States to pass stronger financial privacy laws. Congress should also reject proposed Federal legislation (H.R. 3068) and similar amendments to place a moratorium on stronger financial privacy laws. In addition, Congress should reject the specious claims of some financial industry lobbyists that strong State privacy laws deter homeland security. According to a February 2002, Associated Press story: The banking industry is reaching out to Homeland Security Director Tom Ridge and lawmakers in search of Federal help to block State consumer privacy laws that bankers argue will hinder their efforts to spot terrorists. Industry lobbyists have been arguing that State laws that prohibit banks from sharing consumer information without permission might preclude them from alerting law enforcement to potential crimes. ``We would have trouble communicating with law enforcement . . . and it would be extremely chaotic. We need a uniform privacy standard,'' said David Liddle of the Financial Services Roundtable, an industry lobby. . . .'' \29\ --------------------------------------------------------------------------- \29\ See ``Banks Seek to Block State Privacy Laws,'' 19 February 2002, Sharon Thiemer, Associated Press. As far as we know, Director Tom Ridge has not dignified these requests with any comment. (3) Reject Claims That Costs of Privacy Are Too High We urge the Congress to reject industry claims that privacy's costs are too high and its benefits too low. We have reviewed a number of presumably industry-funded studies purporting to make this claim and find their methodology lacking. We refer the Committee to an alternate study, by an independent consultant, which critiques the industry studies and points out numerous benefits of privacy as well as the costs of insufficient privacy protection. As Robert Gellman points out: The cost of privacy is a legitimate issue, but the studies and the conclusions drawn from them have serious flaws. . . . In fact, the costs incurred by both business and individuals due to incomplete or insufficient privacy protections reach tens of billions of dollars every year. [Emphasis added.] \30\ --------------------------------------------------------------------------- \30\ See Gellman, ``Privacy, Consumers, and Costs: How The Lack of Privacy Costs Consumers and Why Business Studies of Privacy Costs are Biased and Incomplete,'' March 2002, http://www.epic.org/reports/ dmfprivacy.html or http://www.cdt.org/publications/dmfprivacy.pdf. --------------------------------------------------------------------------- Conclusion Thank you for the opportunity to provide our views before the Committee today on the important matter of financial privacy. You, Mr. Chairman, and other Committee Members, especially Senator Shelby and Senator Dodd, Senate Co-Chairs of the Bi-Partisan Congressional Privacy Caucus, should be commended for your leadership on financial privacy. We look forward to working with you to strengthen consumer privacy rights.