[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]





  THE PRIVACY COMMISSION: A COMPLETE EXAMINATION OF PRIVACY PROTECTION

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                      INFORMATION, AND TECHNOLOGY

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 12, 2000

                               __________

                           Serial No. 106-192

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform

                               ----------

                   U.S. GOVERNMENT PRINTING OFFICE
70-436                     WASHINGTON : 2001


_______________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Printing 
                                 Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
               Mail: Stop SSOP, Washington, DC 20402-0001


                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia            CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
JOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South     DENNIS J. KUCINICH, Ohio
    Carolina                         ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                    DANNY K. DAVIS, Illinois
DAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas             JIM TURNER, Texas
LEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                             ------
PAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont 
HELEN CHENOWETH-HAGE, Idaho              (Independent)
DAVID VITTER, Louisiana


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
           David A. Kass, Deputy Counsel and Parliamentarian
                    Lisa Smith Arafune, Chief Clerk
                 Phil Schiliro, Minority Staff Director
                                 ------                                

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois               JIM TURNER, Texas
THOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                  MAJOR R. OWENS, New York
DOUG OSE, California                 PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
               Heather Bailey, Professional Staff Member
                           Bryan Sisk, Clerk
                     Michelle Ash, Minority Counsel


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 12, 2000...................................     1
Statement of:
    Cate, Professor Fred, professor of law and Harry T. Ice 
      faculty fellow, Indiana University School of Law, 
      Bloomington; Travis Plunkett, legislative director, 
      Consumer Federation of America; Ari Schwartz, policy 
      analyst, Center for Democracy and Technology; and Sandra 
      Parker, esquire, director of government affairs and health 
      policy, Maine Hospital Association.........................    60
    Twentyman, Sallie, victim of credit card theft; Robert 
      Douglas, private investigator; and Paul Appelbaum, M.D., 
      chairman, Department of Psychiatry, director, Law and 
      Psychiatry Program, University of Massachusetts Medical 
      School.....................................................    14
Letters, statements, etc., submitted for the record by:
    Appelbaum, Paul, M.D., chairman, Department of Psychiatry, 
      director, Law and Psychiatry Program, University of 
      Massachusetts Medical School, prepared statement of the 
      American Psychiatric Association...........................    47
    Cate, Professor Fred, professor of law and Harry T. Ice 
      faculty fellow, Indiana University School of Law, 
      Bloomington, prepared statement of.........................    62
    Douglas, Robert, private investigator, prepared statement of.    26
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of.................     3
    Hutchinson, Hon. Asa, a Representative in Congress from the 
      State of Arizona, prepared statement of....................     7
    Parker, Sandra, esquire, director of government affairs and 
      health policy, Maine Hospital Association, prepared 
      statement of...............................................   106
    Plunkett, Travis, legislative director, Consumer Federation 
      of America, prepared statement of..........................    75
    Schwartz, Ari, policy analyst, Center for Democracy and 
      Technology, prepared statement of..........................    87
    Turner, Hon. Jim, a Representative in Congress from the State 
      of Texas, prepared statement of............................    12
    Twentyman, Sallie, victim of credit card theft, prepared 
      statement of...............................................    17

 
  THE PRIVACY COMMISSION: A COMPLETE EXAMINATION OF PRIVACY PROTECTION

                              ----------                              


                       WEDNESDAY, APRIL 12, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2247, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn and Turner.
    Also present: Representatives Hutchinson and Moran of 
Virginia.
    Staff present: J. Russell George, staff director and chief 
counsel; Heather Bailey, professional staff member; Bonnie 
Heald, director of communications; Bryan Sisk, clerk; Ryan 
McKee, staff assistant; Michael Soon, intern; Kristin Amerling, 
minority deputy chief counsel; Michelle Ash and Trey Henderson, 
minority counsels; and Jean Gosa, minority assistant clerk.
    Mr. Horn. A quorum being present, the hearing of the 
Subcommittee on Government Management, Information, and 
Technology will come to order.
    The first Federal Privacy Commission was established in 
1977 to examine a similar issue to that being addressed today: 
How can private information be protected while allowing public 
access to information that can benefit society?
    Today, a few keystrokes on a computer can produce a 
quantity of information that was unimaginable in 1974. From e-
mail and e-commerce to e-government, technology has simplified 
the way people communicate, shop, and file their income tax 
returns.
    Last year, for example, more than 17 million people spent 
$20 billion for on-line purchases. At a subcommittee hearing on 
Monday, IRS Commissioner Charles Rossotti testified that as of 
March 31, nearly 21 million people had filed their tax returns 
electronically this year, a 16 percent increase over the same 
period last year.
    The downside of these technological advances is that a vast 
amount of personal information now flows over the Internet, and 
all too often, citizens are being victimized. Today names, 
addresses, Social Security numbers, and credit reports, as well 
as other personal information, can be bought by nearly anyone 
who is willing to pay the going rate.
    Today the subcommittee will examine this troubling issue 
and whether the time has come to establish another Federal 
commission on privacy. I welcome our witnesses, and look 
forward to their testimony.
    [The prepared statement of Hon. Stephen Horn follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.001
    
    Mr. Horn. Panel one will be Ms. Sally Twentyman, victim of 
a credit card theft; Mr. Robert Douglas, private investigator; 
Paul Appelbaum, M.D., chairman of the Department of Psychiatry, 
director, Law and Psychiatry Program, University of 
Massachusetts Medical School. If you will come forward.
    Let me just say what the ground rules are. We swear in all 
witnesses, and we would like--we have your statements, they are 
all very fine, and we would like you to summarize it if you can 
in 5 minutes, and certainly not more than 10 minutes. Then we 
will have panel two later. If you would like to stay, we would 
certainly welcome that in case you have some comments in 
relationship to panel two.
    So if you will stand and raise your right hands, we will 
give you the oath.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note all three witnesses affirmed 
the oath.
    Without objection, Mr. Moran will be a member of this 
panel, and we will have Mr. Moran, the distinguished gentleman 
from Virginia, to give us an opening statement then.
    Mr. Moran of Virginia. Well, thank you very much, Mr. 
Chairman. Chairman Horn and Mr. Turner and the distinguished 
staff, I am pleased to join with Congressman Hutchinson, who 
has just arrived, for this hearing on H.R. 4049, the Privacy 
Commission Act.
    As any Member of this House can attest, privacy is an 
enormous concern to our constituents. We hear about privacy at 
our town meetings, in our mail, and from so many citizens who 
are utilizing the new technologies that are driving our 
economy. Their concerns are valid. People know that their 
medical data, which is the most personal information about any 
of us, is increasingly being electronically stored and 
transmitted.
    As the World Wide Web has become commercialized, some 
companies have developed the means to profile Web users by the 
sites that they visit. While such profiling is not all that 
different from what direct marketers have done for many years, 
the idea of our purchases and shopping habits being profiled in 
cyberspace is somehow very unsettling to many people, and 
rightfully so.
    Even though many Web sites have moved aggressively to self-
regulate and to display very prominent statements about their 
own privacy rules, concerns among the public have not abated. 
Public opinion polls are clear that this remains a major issue 
for the American people.
    As serious as these concerns are, however, there is a 
countervailing danger of overreaction. The U.S. Internet 
economy is already worth an estimated $350 billion and is a 
harbinger of the potential in everything from business-to-
business transactions, to consumer retail, to financial 
services across the board. It is transforming our economy. By 
the end of this year, some 72 million American adults are 
expected to be on line; that is 35 percent of the American 
population. The Internet has flourished in the absence of 
burdensome government regulations or taxation. Given the stakes 
to our economy and the depth of public concern, it is clear to 
us that what is needed is a thoughtful, deliberate approach to 
privacy issues by this Congress.
    That is exactly what the Hutchinson-Moran bill provides. It 
sets up a 17-member commission appointed jointly by the 
President and the Republican and Democratic leadership of the 
House to examine any threats that exist to the privacy of 
Americans and to report back on whether additional legislation 
is necessary, and if it is, what protections it should contain. 
It also directs the commission to report on nonlegislative 
solutions. If self-regulation can be improved, how should 
industry achieve that objective? It requires an analysis of 
existing statutes and regulations on privacy, and an analysis 
of the extent to which any new regulations would impose undue 
costs or burdens on our economy. I would note that our 
colleague in the other body, Senator Kohl of Wisconsin, has 
sponsored similar legislation.
    In short, this is a balanced, measured approach to a 
complex issue that carries big costs to our economy. I commend 
Mr. Hutchinson for his leadership on it, and I commend you, 
Chairman Horn, for holding this hearing about it. It is good to 
see my colleague Mr. Turner as well. We look forward to hearing 
from our thoughtful witnesses as well.
    Thank you, Mr. Chairman.
    Mr. Horn. Well, thank you very much for that opening 
statement.
    Mr. Hutchinson is now with us. Without objection, he will 
be a member of this panel throughout the morning, and with Mr. 
Turner's consent, Mr. Hutchinson is free to give his opening 
statement.
    Mr. Hutchinson. Thank you, Mr. Chairman. I apologize for 
walking in here a couple of minutes late. I do thank you for 
conducting this hearing, and I want to thank the ranking 
member, Mr. Turner, also for his interest and support of this 
legislation and his participation in this important hearing. I 
would like permission to submit the written statement for the 
record.
    Mr. Horn. Without objection, it will be inserted at this 
point.
    I might tell all the witnesses, the minute we introduce 
you, your full statement is in the record, and then we want you 
to summarize.
    Mr. Hutchinson. My colleague Mr. Moran, I value his 
friendship, judgment, and participation on this important 
issue. He is the cosponsor with me. We are a team on this, and 
I thank him, and he has really been instrumental in bringing 
this issue forward.
    I just wanted to talk a little bit about how this came 
about. We all are familiar with the polls that show the No. 1 
concern of persons as we go into the next century being that of 
personal privacy. But to me, it is much more personal than 
that. During December, during our break, I conducted a 16-
county district tour; went through all of the 16 counties in my 
congressional district, held town meetings, and I came back and 
sat down in my living room and sort of penciled in what were 
the major concerns. Really, to my surprise, privacy was right 
at the top.
    We hear the stories of the hill country folks in Arkansas 
who really believe that they ought to have privacy; many of 
them moved to the hills for that reason, and they are concerned 
about the invasion of that privacy. It is really an 
unprecedented accumulation and transfer of personal information 
that we see today in our information society.
    So I came back with an intent to address that issue. I 
looked at what is happening in Congress and realized that there 
is a lot of different bills out there, many of them are good 
bills, that address privacy concerns, but I think there are 
about four different approaches to what we should do with 
privacy issues. First of all, there is the attitude, let us 
just do something now, regardless of what it is, let's just get 
something done. The problem is that doing it right sometimes 
takes more time, more thought, and I think it is more important 
than doing it quick and simply as a reaction of the pressing 
need to get something done. So I think that is the wrong 
approach.
    The second approach is let's pass legislation in a narrow 
area. We have bills that deal with financial records; we have 
bills that deal with medical privacy issues, and then we have 
separate bills that deal with on-line privacy. I am really a 
cosponsor of a number of those bills that I believe are good, 
and I want to support and push those through the legislative 
process. It is important that this commission not be used as a 
means to stop other efforts that are going through, and that is 
my intent.
    But I do believe that there is much more merit, rather than 
taking a sectarian approach of, you know, let's look at the 
financial records issue and health care records with the 
Internet, it is all-encompassing across every sector of our 
society. We are really different from the European approach 
that has taken a more comprehensive approach to privacy than we 
have taken industry by industry, and I think this commission 
would broaden it up.
    The fourth approach is let's leave it to the regulators. 
Excuse me, that is the third approach. Leave it to the 
regulators. As a legislator, I don't think that is the best 
approach. I believe there should be legislative involvement and 
a legislative discussion of this.
    Finally, that leads to the comprehensive commission that 
Congressman Moran and I are proposing, the structure he has 
outlined. It is certainly bipartisan. It is designed to conduct 
hearings across the country. We have set a time limit of 18 
months for a report, but it is important to note that they have 
authority if they deem necessary to issue an interim report 
prior to that 18 months, because there could be some need in a 
particular arena to issue an interim report. So it could move 
quicker than 18 months.
    But clearly, I believe that it is responsible, it is 
workable, and it is comprehensive; it is the right approach to 
privacy concerns. We have to be realistic this year. I hope 
that we can pass some other individual bills. But 
realistically, I believe this is the best thing that we can do 
this Congress, and the result will be greater protections of 
our individual freedom.
    I yield back.
    Mr. Horn. Thank you very much.
    [The prepared statement of Hon. Asa Hutchinson follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.002
    
    [GRAPHIC] [TIFF OMITTED] T0436.003
    
    [GRAPHIC] [TIFF OMITTED] T0436.004
    
    [GRAPHIC] [TIFF OMITTED] T0436.005
    
    Mr. Horn. The gentleman from Texas, the ranking member, Mr. 
Turner.
    Mr. Turner. Thank you, Mr. Chairman. I want to commend Mr. 
Hutchinson and Mr. Moran for their work on this legislation. It 
is one of the most important issues that we face. As you 
mentioned, Mr. Hutchinson, the polls clearly indicate that 
privacy is one of the top concerns of the American people.
    I was pleased to join with you as a cosponsor of this bill 
because I think the commission will create a high profile for 
the issue and enable us to have a full and open discussion with 
the American people about these issues so that we can resolve 
them in the appropriate way.
    I was very pleased to hear your comments about your intent 
with regard to the commission was not to impede the progress of 
other legislation that we may achieve a bipartisan consensus on 
during the time that the commission is working. I think the 
commission can be a sounding board for a lot of those 
proposals. I know there are regulations at HHS pending on 
medical privacy. I hope that the commission would not impede 
those regulations, but also provide a sounding board for those 
regulations, because some of these privacy issues need to be 
dealt with right away. So if we find a consensus on it, and if 
the agencies are finding their way to protecting our privacy as 
HHS is trying to do with the medical regulations, I think the 
American people deserve those protections as soon as possible.
    The commission not only can provide a sounding board for 
the proposals that are out there and for actions that may be 
taken over the next 18 months, but at the end of the day, 
hopefully can come up with an overall recommendation in these 
various areas that represent a true consensus to protect the 
privacy of the American people.
    So I commend you, and I welcome our witnesses here today. 
We look forward to working on this bill and making it 
everything that I think the authors intend for it to be.
    Thank you, Mr. Chairman.
    Mr. Horn. Thank you very much.
    [The prepared statement of Hon. Jim Turner follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.006
    
    [GRAPHIC] [TIFF OMITTED] T0436.007
    
    Mr. Horn. We will now begin with the first panel. We will 
start with Ms. Sallie Twentyman, who is the victim of credit 
card theft. Tell us about it.

 STATEMENTS OF SALLIE TWENTYMAN, VICTIM OF CREDIT CARD THEFT; 
ROBERT DOUGLAS, PRIVATE INVESTIGATOR; AND PAUL APPELBAUM, M.D., 
     CHAIRMAN, DEPARTMENT OF PSYCHIATRY, DIRECTOR, LAW AND 
 PSYCHIATRY PROGRAM, UNIVERSITY OF MASSACHUSETTS MEDICAL SCHOOL

    Ms. Twentyman. Mr. Chairman, I do appreciate the 
opportunity to appear here today to tell you about my 
experiences.
    Last summer my privacy was dealt a blow from which I will 
never totally recover when I became a victim of identity theft. 
I still don't know how, when, or where it happened, or who the 
perpetrator was. I probably never will. But what I do know is 
that I never received two of my renewal credit cards in the 
mail, and that someone used my name and Social Security number 
to access these two credit card accounts and to establish 
several other new credit card accounts in my name, all in just 
a matter of a few days and all from a fraudulent address. In 
one account alone, this person was able to get approximately 
$13,000 in cash in less than a week.
    Over the next several months, this fraudulent activity 
continued, with my list of residences extending to at least 
five different States, even after fraud alerts were placed on 
my name at each of the three credit bureaus in the country.
    Today, I am hopeful that the activity is winding down, but 
I still live each day knowing that my information is in the 
hands of criminals. This identity theft, especially when 
perpetrated by a group or a crime ring, as mine probably has 
been, is similar to what I call financial cancer. Even if, 
through my efforts, I manage to stop these criminals for a 
while, they are likely to begin using the information again in 
the future when they think that I am no longer watching. As 
identity theft takes new forms, as it does every year or two, I 
will be at high risk of being a victim of these newer forms of 
crime.
    So far, I haven't been responsible for repaying any of the 
fraudulent balances, which I appreciate, and I haven't even had 
pressure put on me, which is good, because I hear a couple of 
years ago people did have problems with that. I haven't applied 
for any new loans, so I don't know how difficult it would be to 
buy a car or get a mortgage at this point or get a student loan 
to send my teenagers to college, which is coming up in a couple 
of years.
    During the past 8 months, since my identity was stolen, I 
face some problems and frustrations which I do appreciate being 
able to come here and tell you about. I faced all of these just 
as a citizen, a very typical citizen who knew very little about 
identity theft when it happened to me.
    First of all, the Identity Theft and Assumption Deterrence 
Act made identity theft a crime, and that is very good, but it 
seems that no one has really been made responsible and are 
given the manpower needed for apprehending the criminals and 
enforcing the law. I realize it has kind of skyrocketed, and it 
is hard for so few people to investigate so many cases.
    I was unable to get most law enforcement officials to do 
anything. When I was unable to get out-of-state police 
departments to file police reports--because the criminals were 
very good; they knew to do it in States where I don't live--or 
to investigate the addresses out of which the thieves were 
acting, a local police officer made many phone calls for me, 
but in each case she, too, was unable to get police officials 
in these other jurisdictions to file reports.
    As our country moves from a brick-and-mortar economy to an 
electronically based economy, law enforcement agencies will 
need to establish ways of dealing with new electronic forms of 
crimes which do not fall into specific physical jurisdictions.
    I need to note, too, that every governmental agency that I 
contacted, including the FTC, the FBI, the Secret Service, and 
the Postal Service, politely took my report, or voice message, 
or e-mail, and several sincerely wanted to help, I know that 
they did. However, not a single one ever followed up with me to 
let me know that they had really done anything with my specific 
case, which made me--it is very lonely, feeling like nobody is 
doing anything.
    Financial institutions and other businesses need to be made 
accountable for protecting customers' personal information. 
Maybe stiff fines and other penalties need to be established 
when these institutions are negligent or when they continue to 
open new accounts after fraud alerts have been placed in the 
person's name. I don't really want to have to get an attorney 
to do things for me. I really feel they should be made 
accountable in some way.
    My bank did not protect my personal information and helped 
to spread this financial cancer. In fact, they allowed someone 
to change my birth date and mother's maiden name in their 
computers, which made it really hard when I tried to access my 
account and have something done.
    All the banks which issued the fraudulent credit act as if 
the losses were all theirs; since they wiped my slate clean, I 
did not owe anything. I would like to point out that their 
losses were over as soon as they passed on their costs to other 
consumers in the form of increased service charges and higher 
interest rates, but my personal information has been lost 
forever, and I am 44 years old, and there are a lot of years 
ahead of me.
    When a victim learns of his or her identity theft, we need 
a faster, more effective way of reporting the crime and 
beginning investigations. The bank told me to start with the 
credit bureaus, which I did. I left fraud alerts. It was very 
frustrating, though, getting through voice mails. When you are 
in shock, when you hear press one of this, two of that, three 
of that, I had to hang up several times and start over.
    Also, it took me 2 weeks to get my credit reports, and 
during the 2 weeks I just wondered what had been happening, and 
I wish I could have gotten them sooner. Maybe they could have 
been faxed to me, e-mailed to me, or something.
    I feel we need regulations regarding the issuance of 
instant credit in this country. These people managed to get 
instant credit several times, and the bank would call me 3 days 
later saying, I am sorry, I see we have a fraud alert, but we 
had issued the credit card, and we will take care of it. But it 
does keep going on.
    We need to also look into the efficacy of establishing some 
national hotline or fraud reporting agency in some way. I had 
to report to three different credit bureaus, but not everybody 
has to check them. Bank accounts who aren't issuing you credit 
don't have to. I wish there was someplace a victim could call 
and just put a block on their name totally; no bank accounts, 
no new cars, no mortgages, nothing without calling me first.
    You all are aware of the Internet. I must say that I can 
look at--I go to Infoseekers.com now, and I see that for $65 
they can buy everything about me, my Social Security number, 
name, address, how many kids I have, what properties I own, 
medical information. I really wish something could be done. I 
am not sure, but I will say that that is a sore point for me 
right now to go on line and see that.
    I also recently got an Internet security system and have 
been having hackers almost daily trying to get in. It has been 
something.
    I know that we need to protect Social Security numbers in 
the country. I am sure the commission would be looking at who 
needs it and who doesn't, and restrict it to who does. I don't 
feel like student IDs, driver's license, medical records, 
everything has to have Social Security numbers.
    Government officials and corporate officials need to really 
establish ways of authenticating electronic telephone 
transactions. I know they are doing it, I encourage it. Work 
diligently, please.
    Once again, I do thank you for the opportunity to share my 
experiences today. I deeply appreciate your efforts in helping 
to protect the privacy of all citizens.
    [The prepared statement of Ms. Twentyman follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.008
    
    [GRAPHIC] [TIFF OMITTED] T0436.009
    
    [GRAPHIC] [TIFF OMITTED] T0436.010
    
    [GRAPHIC] [TIFF OMITTED] T0436.011
    
    Mr. Horn. Well, thank you for your story. I think it must 
make every one of us behind this podium and everyone in the 
seats out there that you just feel like you have been violated, 
and your whole person is in somebody else's hand and control.
    I am going to ask one or two questions now, and then we--we 
don't want to waste the talent here, and we will do all of them 
afterwards. But you mentioned the Secret Service. Did you go to 
the FBI?
    Ms. Twentyman. I left a message and was never called back.
    Mr. Horn. They never contacted you?
    Ms. Twentyman. I think I left two. I never heard back. The 
Secret Service I did hear from. They asked for some 
information. I faxed it, but I never heard back. I realize I 
could have called and really aggressively tried to get, tried 
harder, but I didn't. I mean, I felt like they knew.
    Mr. Horn. Did you contact your own Member of Congress?
    Ms. Twentyman. Sitting right over there, I did e-mail him 
about this.
    Mr. Horn. He is the kind of person that gets something 
done.
    Ms. Twentyman. That is right.
    Mr. Horn. OK.
    Ms. Twentyman. He catches his car thieves, too.
    Mr. Horn. I had a problem like that when a few Federal 
agencies wouldn't move, we just went right to the top, and 
believe me, they got a little dynamite stick under them and 
started moving. But that is another story.
    Ms. Twentyman. I think part of this is I wanted to also see 
the citizens--things seem to be winding down. I have been very 
proactive. I need to observe what is going on, because every 
citizen does not--I know my parents would not have been 
extremely assertive. I am just so thankful it is me instead of 
them and some people.
    Mr. Horn. Well, thank you. Stay with us, and we will have 
some more questions as we finish this panel.
    Mr. Robert Douglas is a private investigator. We are glad 
to have you here.
    Mr. Douglas. Thank you, Mr. Chairman. My name is Robert 
Douglas, and I am the founder of American Privacy Consultants.
    I appreciate the opportunity to appear before you in 
support of the creation of a privacy commission and to state my 
belief that a comprehensive review of current privacy law and 
the formulation of a privacy plan for the 21st century are 
important and long overdue.
    Prior to founding APC, I was a Washington, DC, private 
detective. In 1997, I began investigating the practice of 
information brokers selling personal financial information. I 
brought the results of that investigation here to Congress, and 
I would note in part of that testimony, which I have appended 
to my statement this morning, I addressed specifically the 
situation that happened to Ms. Twentyman where her maiden name 
and birth date records were changed within a financial 
institution, and I know the techniques that are used to do 
that, and it happens thousands of times a year around this 
country.
    My 1998 testimony resulted in passage of the Financial 
Information Privacy Act, which was incorporated in the Gramm-
Leach-Bliley financial modernization law.
    In 1998, I informed Congress that the use of identity 
theft, fraud, and deception was rampant in the information 
broker industry and extended well beyond personal financial 
information. It is my hope that passage of H.R. 4049 will 
result in a privacy commission that can act as a small, but 
very important, part of a broader mandate, to investigate the 
use of identity theft to access and steal many other types of 
personal information of citizens and residents of the United 
States.
    I am often asked what personal information can be gathered 
by the average citizen. The truth is almost anything can be 
learned about anybody in the United States today. The question 
is how. The impact of technology on privacy today is the 
ability to accumulate, store, filter, cross-reference, analyze, 
and disseminate vast amounts of information about anyone in a 
fast and cost-efficient manner that was previously unavailable 
to a point where almost anyone can now afford to participate in 
the buying or selling of data of any type about anybody. Simply 
put, privacy in the United States is too often a concept, not a 
reality.
    For the purpose of today's hearing, I would like to focus 
on several particularly egregious categories of personal 
information that are being advertised and sold on the World 
Wide Web. We did have a power point presentation, but I 
understand it is not able to be done in this room, so if you 
follow through my statement, I will do the charts that I have 
there in order.
    The first example is found at a company called 
Docusearch.com, and it is a list of searches. From this menu, 
one can see that anyone's Social Security number, address, and 
date of birth can be purchased. These are the essential 
ingredients for identity theft. With this information, a 
criminal can impersonate anyone they choose and gain access to 
all of the personal information concerning the target of the 
identity theft and do things like happened to Ms. Twentyman. 
That is how you get in, that is how you change a person's 
information, that is how you shut off their utilities if you 
are a stalker or harasser, that is how you steal their 
finances, that is how you take over their credit history.
    The following Web page from Docusearch is the description 
of the Social Security number search. This page documents--and 
this is very important--this page documents the use of credit 
headers for selling personal, biographical information first 
obtained as part of a normal, ordinary, day-to-day credit 
transaction and then sold to private investigators and 
information brokers by our Nation's credit bureaus.
    This is a common and widespread practice that must be 
revisited by Congress. While there are many useful and 
legitimate reasons for the access of credit header information 
in certain legal and investigative contexts, the wholesale and 
unregulated access of biographical data from credit reports 
goes on at an alarming rate. There are hundreds of Web sites on 
the Internet, and I repeat hundreds of Web sites on the 
Internet, selling biographical information obtained from credit 
reports.
    The sale of credit headers is the starting point for many 
forms of identity theft as it gives the identity thief all of 
the biographical information necessary to impersonate the true 
owner of the information. This ability to then impersonate the 
true owner opens up access to all forms of personal information 
sought by the identity thief. Congress should extend the same 
permissible purposes test currently in place for the access to 
credit data under the Fair Credit Reporting Act to the 
biographical data included in the credit header, which is now 
exempted under current interpretations of the FCRA.
    The next chart demonstrates another company called 
Strategic Data Services, and again, we see the sale of Social 
Security numbers, employment information, dates of birth, 
driver's license, but added to this we see where they will sell 
the physical address that goes to a post office box owner, 
something to someone who has a civil protection order, is 
trying to stay away from a stalker or a harasser, is terrifying 
to them, because they will reach out and get and pay extra for 
a private P.O. box specifically to hide their physical address, 
and yet here we have hundreds of Web sites selling it. The P.O. 
box's postal regulations recognize few exceptions for obtaining 
the corresponding physical address, yet here we see it for sale 
on the Internet.
    The next category shows the sale of driver and vehicle 
searches, general doc search. Included in the list are the sale 
of names and addresses associated with a license plate and the 
sale of a specific driver's license number. So if I see your 
license plate on your car on the street, and I want to find out 
who you are and where you live, I can buy that information.
    The following Web page shows the specific driver history 
records by name, and I would note that many Americans believe 
that the passage of the Drivers' Privacy Protection Act, which 
I am aware Senator Shelby just held hearings on, I believe, 
last week, looking to reinforce that act and strengthen it, but 
I am afraid he missed what I am about to talk about here many 
Americans believed would stop the sale of this type of 
information. However, the act allowed an exemption for private 
investigators. Unfortunately, although there are thousands and 
thousands of very lawful and upstanding private investigators 
in this country, there are a number of information brokers who 
are also private investigators or who have established 
relationships with private investigators that are subsequently 
accessing this information and selling it to almost anyone who 
submits a request on the Internet.
    The next page shows telephone searches, and this is an area 
that I am not aware that anyone in Congress has looked at to 
this date. One can see from the listing that any phone number 
can be traced back to its owner. Whether or not the individual 
owner has taken steps to protect their privacy by again paying 
extra for an unlisted or nonpublished phone number, it doesn't 
matter. It doesn't protect you one iota. Again, we have a page 
demonstrating exactly the sale of nonpublished phone number 
information.
    Again, another page demonstrating all of the other types of 
phone searches on another Web page, and I will try to move 
along here for you. But on that one it is very important to 
note that, in addition to being able to find the ownership site 
for selling the actual long-distance toll call records. In 
other words, you can purchase the long-distance phone records, 
including the number called, the date, time, and duration of 
the call. This is actually used in economic espionage, business 
espionage, on a fairly regular basis in this country.
    The next page is, again, financial searches. We can see 
that even though Gramm-Leach-Bliley was passed last November 12 
and signed by President Clinton, that both personal and 
corporate, private financial information continues to be sold 
on hundreds of Web sites on the Web. I have documented the 
specific bank account search here, and there is one portion in 
the description that I have bolded and underlined that should 
be alarming to this committee and to Congress, and that is this 
individual, whose name is Daniel Cohen and operates Docusearch, 
is claiming that he is accessing a Federal database. The 
article from Forbes Magazine that I have appended as appendix 
1, he goes further in that article and claims he is getting it 
from the Federal Reserve.
    As I pointed out in my speech to the FDIC about 2 weeks 
ago, I believe that to be a total falsehood. There is no such 
database with the Federal Reserve. But these are the types of 
lies these people are telling, even on the Internet, even to 
reporters like the reporter from Forbes and to our American 
citizens, which are making our citizens answer the question 
that Congressman Hutchinson found when he traveled to his 
district, and I am sure Congressman Moran and others, into 
believing that they have no longer any financial privacy in 
this country. They are actually stealing this information 
through impersonation, but are claiming to our citizens that 
they have lawful access via Federal databases, and I would hope 
that that would be of concern to this committee.
    The final page is a credit card activity page. To sum that 
one up, there are dozens of Web sites you can go on where I 
could buy Ms. Twentyman's actual credit card activity, where 
she had her dinner, what presents she bought for her family at 
Christmastime, right down to the individual transactions.
    The examples I have provided today demonstrate that a vast 
and varied amount of personal information is available on the 
Internet. These examples are just several of thousands 
available. I have provided committee staff with hundreds of 
other Web page examples of information being advertised and 
sold on the Internet, and without saying his or her name, 
because they asked me not to, I demonstrated to your staff, 
Chairman Horn, the other day that with one phone call, and I 
think that person could tell you that, in about 3 minutes I got 
a phone call back, and I knew her Social Security number and 
her address. And I have with me a complete report of that 
individual that I will show them later on today.
    If H.R. 4049 passes, and it should, I will do all I can to 
assist the privacy commission or any committee of Congress to 
understand and weed out the methods currently being used and 
developed to access our fellow citizens' personal and private 
information.
    In conclusion, and I apologize for running so long, the 
time is ripe to have a privacy commission with broad-based 
authority to
examine privacy in the United States today and to take 
appropriate steps to safeguard the privacy of all Americans 
while ensuring that steps are not so Draconian as to impede our 
booming information age economy. I thank you, Mr. Chairman.
    [The prepared statement of Mr. Douglas follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.012
    
    [GRAPHIC] [TIFF OMITTED] T0436.013
    
    [GRAPHIC] [TIFF OMITTED] T0436.014
    
    [GRAPHIC] [TIFF OMITTED] T0436.015
    
    [GRAPHIC] [TIFF OMITTED] T0436.016
    
    [GRAPHIC] [TIFF OMITTED] T0436.017
    
    [GRAPHIC] [TIFF OMITTED] T0436.018
    
    [GRAPHIC] [TIFF OMITTED] T0436.019
    
    [GRAPHIC] [TIFF OMITTED] T0436.020
    
    [GRAPHIC] [TIFF OMITTED] T0436.021
    
    [GRAPHIC] [TIFF OMITTED] T0436.022
    
    [GRAPHIC] [TIFF OMITTED] T0436.023
    
    [GRAPHIC] [TIFF OMITTED] T0436.024
    
    [GRAPHIC] [TIFF OMITTED] T0436.025
    
    [GRAPHIC] [TIFF OMITTED] T0436.026
    
    [GRAPHIC] [TIFF OMITTED] T0436.027
    
    [GRAPHIC] [TIFF OMITTED] T0436.028
    
    Mr. Horn. Well, we thank you a lot, because you have just 
done a terrific job of taking us through how easy it is to have 
this happen, and we are indebted to you in terms of the 
excellent information you provided. I take it you have not ever 
been filing for Social Security numbers and anything like that. 
When did you get into this?
    Mr. Douglas. I came across it while I was working as an 
active private investigator in Washington, DC, and started to 
note that more and more information brokers were advertising in 
the PI trade magazines, and then relatively blatantly on the 
Internet. I did attend law school. I had some sense that this 
could not quite be right, some of the information that they 
were selling, and I began calling literally dozens of them and 
actually contracted with a few to find out what types of 
information they were able to obtain.
    Through the course of developing--and they will lie 
blatantly even to other private investigators, reporters, 
Members of Congress who have talked to them and claim all types 
of--you know, it is proprietary databases that we have, 
investigative sources. And there are certain key phrases that 
you can find on these Web pages that I could demonstrate to the 
committee or others, indicate that they are not getting the 
information legally.
    Any time they claim--on the page where they claim they are 
getting it from a Federal database, well, gee, they are getting 
it from a Federal database, but on the same page it tells them 
it takes 18 days to get it. So the reason it takes 10 to 18 
days is because what they are doing and what has happened to 
Mrs. Twentyman is they will buy your credit information, they 
will then in her case get someone in their office who is female 
and approximately her age to start calling her bank and calling 
whatever, the phone company, utility companies, whoever they 
want to obtain information from and impersonate her, and they 
now have her name, her date of birth, her address, her Social 
Security number, and with that information, you can get almost 
anything, including--and I demonstrated this to Chairman Leach 
2 years ago in the Banking Committee. What they do, the way 
they changed her date of birth and her mother's maiden name--
many banks use the mother's maiden name as the password to gain 
access. I have been advising banks for several years now to 
change that, and the OCC letter that was put out following my 
testimony also advised them to go from the maiden name to a PIN 
number.
    Mr. Horn. Explain OCC.
    Mr. Douglas. The Office of the Comptroller of the Currency, 
one of the regulatory bodies overseeing our financial 
institutions. They put out an advisory letter in the fall of 
1998 following my testimony advising them to change that, for 
the very reason as to what happened to Ms. Twentyman, because 
here is how it is done. If I want to change your--even your 
password, I call the bank, and I claim to be Mr. Horn, and I 
have the biographical data, but maybe I don't have the mother's 
maiden name. I say, gee, I am on the road, I need to get some 
information off my checking statement. I am afraid I have a 
check that is going to bounce. I am out of town. I have to take 
care of this today. I don't have my checkbook with me, 
sometimes they don't have the account number, can you help me.
    Well, because in fairness to the banks, they are in the 
customer service business--and this applies to any other 
institution, not just financial institutions. They are in the 
customer service business, they want to be helpful, they are 
trained to be helpful. So if you have enough data, date of 
birth, Social Security number, you start to sound real to them. 
If you have a good enough pretext, as we call it in the 
industry, falsehood, fraud, and you sound nice enough on the 
phone, you start to convince them.
    Now we get to the tricky question of mother's maiden name. 
I will say Smith. And the person will say, well, I am sorry, 
Mr. Horn, that is not what we have here on the account. And 
excuse me, but the response would be, well, goddamnit, who are 
you to have the wrong information? I know what my mother's 
maiden name is. I want a supervisor on the phone right now, or 
I am pulling my account out of this bank today. Well, hang on, 
hang on, Mr. Horn, I am sure we can work this out. They 
eventually convince them that somebody on their end has made a 
mistake, and then they change Ms. Twentyman's information so 
that now she cannot even access her own information, but I can.
    That is how it is done. It is done dozens of times, if not 
hundreds of times a day around this country.
    Mr. Horn. Well, thank you.
    Our last witness on this panel is Dr. Paul Appelbaum, the 
Chairman of the Department of Psychiatry and Director of the 
Law and Psychiatry program for the University of Massachusetts 
Medical School. Thank you for coming.
    Mr. Appelbaum. Thank you, Mr. Chairman. I am Paul 
Appelbaum, M.D., vice president of the American Psychiatric 
Association, a medical specialty society representing more than 
40,000 psychiatric physicians nationwide. My work treating 
patients, the empirical studies that I have conducted on 
medical records privacy, as well as my work consulting with 
State legislatures, State health agencies, and the U.S. Secret 
Service have given me a broad perspective on medical privacy 
issues. Thank you for the opportunity to testify today.
    Just a month ago, a leading computer magazine proclaimed in 
its cover story, we know everything about you. Privacy is dead. 
Get used to it. I greatly appreciate Representative 
Hutchinson's and Moran's efforts, as well as the subcommittee's 
interest, in remedying this loss of privacy.
    I focus my comments today on the importance of protecting 
doctor-patient confidentiality. The level of privacy enjoyed by 
patients has eroded dramatically, and physicians are often 
hampered in our ability to provide the highest quality medical 
care as a result. We have a 21st century health care delivery 
system, but patients are forced to live with privacy 
protections designed for the time of Marcus Welby, M.D.
    I note for your consideration several examples of today's 
health privacy crisis. A study by professors at UMass, Harvard, 
and Stanford revealed over 200 cases where patients at risk for 
genetic disorders had been harmed by disclosures of medical 
record information. Patients often forego insurance coverage to 
maintain their privacy. I treated a skilled tradesman for 2\1/2\ 
years who worked overtime to pay for his treatment because 
he didn't want his union, which administered his insurance 
plan, to know that he was receiving psychiatric care. Members 
of Congress have seen highly personal disclosures about their 
medical conditions, some true, some untrue. In one case, a 
major daily newspaper splashed headlines about a Member's 
mental health condition only days before the Member's primary. 
The San Diego Tribune reported that a pharmacy inappropriately 
disclosed a man's HIV status to his ex-wife, and the woman was 
able to use that information in a custody dispute.
    The Federal Government's appetite for identifiable patient 
information continues to grow. Witness last year's efforts by 
HCFA to collect highly personal information in its Oasis 
program, an effort that they were ultimately compelled, at 
least partially, to back down from, and how it grows the 
potential for abuse of this information.
    It is critically important to realize that privacy is not 
only a value in and of itself, it is an essential component of 
providing the highest quality medical care. Some patients 
refrain from seeking medical care or drop out of treatment in 
order to avoid any risk of disclosure of their records. Others 
simply will not provide the full information necessary for 
successful treatment, and we know this from a Louis Harris poll 
that this is a widespread behavior in our society today.
    Patients ask us not to include certain information in their 
medical record for fear that it will be indiscriminately used 
or disclosed. As a result, more patients do not receive needed 
care, and the medical records data themselves that we need for 
many purposes are inaccurate and tainted.
    We need a high level of confidentiality protection for all 
medical records so that all patients receive the privacy 
necessary for high-quality care. Communicable diseases, mental 
illness and substance abuse, sexual assault histories, cancer, 
reproductive and women's health issues, as well as many other 
conditions may be highly sensitive for patients, and 
information about these conditions is unlikely to be revealed 
without assurances that the privacy that exists in the doctor-
patient relationship will be maintained.
    We believe that many medical privacy proposals before the 
Congress as well as the regulations being proposed by the 
Department of Health and Human Services, need to incorporate 
additional medical privacy protections. The most significant 
action that Members of this subcommittee can take today to 
protect medical records privacy would be to contact HHS to 
express your belief that additional privacy protections should 
be included in HHS's final regulations, and to conduct hearings 
on their proposal.
    The American Psychiatric Association is very encouraged by 
Representative Hutchinson's and Moran's privacy commission 
legislation. Particularly important, in our view, is to focus 
this proposal on increasing public awareness of the need for 
additional actions to protect privacy, as well as the actions 
that citizens can already take to protect their own privacy; 
working on neglected areas of privacy policy, including the 
adequacy of privacy protection for employees--many employers 
have widespread access to their employees' medical records--and 
on the Federal Government's use of confidential information; 
and allowing the current efforts to produce greater privacy to 
flourish.
    We are particularly supportive of the work of the 
Bipartisan Privacy Caucus led by Representatives Markey and 
Barton, including legislation introduced to remedy the major 
financial and medical privacy problems contained in last year's 
Financial Services Modernization Act.
    Last and most important, we believe that all involved 
parties, whether brick or click private sector companies, 
privacy experts, consumers, patients and civil libertarians, 
must be fully involved in the work of a privacy commission. As 
part of this consensus-oriented approach, we believe it is 
essential that the membership of any commission contain a 
balance among all stakeholders, including the privacy 
community.
    Thank you for this opportunity to testify. I look forward 
to working with the committee on these important issues.
    Mr. Horn. Thank you, Dr. Appelbaum.
    [The information referred to follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.029
    
    [GRAPHIC] [TIFF OMITTED] T0436.030
    
    [GRAPHIC] [TIFF OMITTED] T0436.031
    
    [GRAPHIC] [TIFF OMITTED] T0436.032
    
    Mr. Horn. We are now going to question this panel and we 
will do it in 5-minute segments, alternating between majority 
and minority.
    Does Mr. Turner want to yield to Mr. Moran, or would you 
like to start?
    Mr. Turner. I yield to Mr. Moran of Virginia.
    Mr. Moran of Virginia. Well, thank you, my friend, and 
thank you, Mr. Chairman, my friend as well. This was very good 
testimony, and I particularly appreciate my constituent, Ms. 
Twentyman, to come forward and tell us what happened to you. I 
know that it is somewhat embarrassing, but I am glad that you 
have taken the initiative. As you say, I don't know that your 
mother's generation would be willing to, but you have stepped 
forward, and I appreciate it.
    It is just such a constituent that initiated the Driver's 
Privacy Protection Act. It was a woman who went to a health 
center to get advice, she had just had a miscarriage, and by 
the time she got home, she drove home, she lived in northern 
Virginia, there was a group picketing on her front lawn because 
they assumed that she had had an abortion, because that health 
clinic had also offered a full range of services to women. In 
addition to being--the irony of it and being distraught, she 
just couldn't imagine how they had known where she lived, and 
we found out that what they had done was simply write down the 
license numbers of the cars and the tag numbers and went to the 
State Division of Motor Vehicles that was in Alexandria and got 
the addresses, the names of everyone that had parked in that 
lot, and that just didn't seem right.
    The State was collecting $5 for every individual piece of 
information, direct marketing organizations, of course, were 
paying more. We found out that there were a number of 
organizations that were determined to continue that practice 
because they made a lot of money off of it, and most protective 
of that practice was the States. They were making millions, as 
Mr. Douglas has indicated. But the detectives particularly 
wanted to be exempted. We exempted them, and I know the 
newspapers and publishers' associations want to be exempted. I 
don't think the conference report finally exempted them, but 
they thought it was also a great idea to be able to access this 
information.
    So we are vulnerable. But it would seem, and I know Asa 
feels just as strongly, and I suspect my friend Mr. Horn and 
Mr. Turner do as well, that we should not try to impose a type 
of cookie cutter approach from the public sector if there is a 
way that the private sector can regulate itself. There does 
seem to be a number of initiatives being attempted that would 
enable you to do that.
    I guess I would like to solicit from the three of you, if 
you have seen ways in which your situation, Ms. Twentyman, 
could have been avoided, or you could have been protected. Mr. 
Douglas, this information you give us is just astounding, the 
access that people can get to our information, and then can 
shut us off from even getting our own information. Dr. 
Appelbaum, you have obviously explored this very extensively as 
well.
    Do you see efforts in the private sector developing that 
are able to self-regulate, or at least give people an option to 
keep their information private? What we did with the Driver's 
License Privacy Protection Act was to require that a box be on 
the license application that you can't miss if you don't want 
that information shared, you just check it, and then it is 
against the law to give out any information on that person's 
data without that person's permission.
    Let me see whether any of the three of you have come across 
ways that have already developed, nongovernmental ways that 
might have protected you. Dr. Appelbaum.
    Mr. Appelbaum. The medical information developments in the 
last several years have resulted in a widespread use of 
computerized medical records and aggregated databases in ever-
growing HMOs and hospital systems. Some of these systems are 
beginning to pay attention to these issues. For example, I can 
tell you that at the University of Michigan's Medical Center in 
Ann Arbor in the last year, having implemented an electronic 
medical record, they have simultaneously carved out and placed 
behind a firewall the psychiatric portion of those records, 
with limited access only to people in the Department of 
Psychiatry. So such efforts are, indeed, possible.
    The problem, I think from my perspective, is that the 
incentives all push in the other direction in terms of doing 
things easily, using information for marketing purposes and 
mining it for additional revenues. The private sector has every 
incentive not to pay attention to these issues. And though 
direct regulation may be a last resort, at the very least, I 
would think that some sort of balancing incentives should be 
given to these organizations so that they receive some 
encouragement to take privacy seriously.
    Mr. Douglas. I think you hit exactly on what is the main 
discussion or argument taking place in the business community 
today, and that is fair information practices and key phrases 
like opt-in versus opt-out. Currently, the burden is on the 
consumer, people like Ms. Twentyman, to safeguard their own 
information. If you were to sit down with a pen and paper and 
list all of the different places that you have private data, 
private information, you would still be writing at 5 p.m. So 
the burden is currently on you as the consumer, as an American 
citizen, to go out and find all of those places and tell them, 
if they will even listen to you, that you want to opt out, that 
you don't want your information being shared.
    The discussion today, I know the discussion within the 
financial community and certainly as we sit here today, the 
regulators are proposing regulations under Gramm-Leach-Bliley 
dealing with third party affiliates, opt-in versus opt-out, and 
it is very cumbersome. The average American consumer is not 
going to understand it. What many are arguing for today is that 
it should be opt in. As far as information practices, if I give 
you--and let me just use the example of the credit agencies, we 
all have to participate, almost all of us, in credit 
transactions on a daily basis. But we believe when we fill out 
a credit application, a mortgage application, a rental 
application, a department store application, that that 
information is between us, the credit bureau and the person 
making the decision as to whether they will grant that credit, 
but that is not the truth of the matter. The truth of the 
matter is, through the credit headers and the recompilation in 
the vast databases, a lot of that statistical information is 
being resold. Every day your and my information is running up 
millions of dollars for American business and the States, as 
you noted.
    As just one afterthought, you had mentioned the Newspaper 
Guild or somebody's resistance to the DPPA. Deep within the 
article that I have attached as appendix I from Forbes is a 
story of a company called Touchtone Services out of Colorado 
that I am very familiar with, because they are one of the few 
successful prosecutions of an information broker in this 
country, and Mr. Rap, who is the owner of that company, I think 
just got out of jail within the last week or two after serving, 
what, 70 days.
    Let me tell you what he did as part of the allegations. He 
was selling information on the Cosby family to the tabloids. We 
often wonder how the newspapers and the TV stations show up on 
our doorstep when there is a tragedy, like an aircraft crash or 
something like that, faster than even the police, because they 
go to these information brokers. They have one on contract, 
private investigators who know how to use these techniques of 
how to impersonate people. The Jon-Benet Ramsay, he 
impersonated Mr. Ramsay and was able to obtain his banking 
information. He was able to obtain where the Colorado 
detectives were secreting witnesses and in what hotels.
    In the Monica Lewinsky investigation, it was his firm that 
obtained Kathleen Willey from Richmond's phone records and sold 
it to a Montgomery County private investigator who turned it 
over to the attorney of a very prominent Democrat who is still 
under investigation in an Alexandria grand jury.
    Perhaps most egregious of all, and I went over this with 
your staff the other day, Mr. Horn, he was able to get the 
pager numbers of undercover LAPD police officers that were 
working on a very important investigation with the Israeli 
Mafia and they were able to clone those pagers, a little 
technical, but there is a way to do that, so that they, the bad 
guys, were getting the same pages that the undercover officers 
were getting, and they were then able to figure out who the 
secret witnesses were in the investigation and get the home 
addresses of the undercover police officers who, in one case, 
showed up on the doorstep while the officer was away and 
intimidated the wife of the officer.
    So we are not talking kid's play here. There are very 
serious things that are going on out there, and it all leads 
back to how our information is being bought, sold and packaged 
every day in this country.
    Mr. Moran of Virginia. Troubling. Thank you, Mr. Douglas.
    Mr. Horn. The gentleman from Arkansas, Mr. Hutchinson.
    Mr. Hutchinson. Thank you, Mr. Chairman. I want to join in 
the thanks to each of the panelists for your extraordinary 
testimony today. I want to focus with Mr. Douglas for just a 
moment. I really do appreciate your expertise. We need to have 
more people that have a background in the darker, sinister 
world.
    Mr. Douglas. My mother would be so happy to hear that.
    Mr. Hutchinson. I want to focus on Social Security numbers 
for just a second. We all have our stories of going into a 
business and cashing a check and they ask for your Social 
Security number, sometimes you don't even give them a check, 
you pay cash for it and they want to know your address and they 
want to know information.
    Mr. Douglas. Radio Shack, yes.
    Mr. Hutchinson. Your natural inclination, in the South we 
are particularly friendly, we just give them what they ask, we 
are accommodating. Of course, the dissemination of that 
information is a concern.
    But in reference to Social Security numbers, clearly, they 
are being used far beyond what was originally intended. What 
impact does that have on the dissemination of personal 
information?
    Mr. Douglas. It is the single biggest impact. It has become 
the national identifier, although the American people were told 
it would not be, and I think that is one of the reasons you see 
cynicism around the country and the concerns with privacy 
around the country that you talked about in your opening 
statement this morning when you were back in your district. 
Because people are aware of this, and they do know that--they 
are told on the one hand, don't provide that, you don't need to 
provide that, yet at last count I think 23 of the States in 
this Nation for the driver's license number use the Social 
Security number.
    So even if you provide your driver's license number, and we 
have all done this, especially if we live locally, Virginia has 
it, although again you can opt out of that process, but again 
how many do; the District uses it, that the clerk will record 
that on the back of the check.
    Many people, such as Ms. Twentyman, who end up as identity 
theft victims, need to remember there are 400,000 cases a year 
by the Secret Service's statistics, not some privacy whacko 
group; the Federal Government, recognizes 400,000 cases a year 
of identity theft in this country, that begin in just such a 
fashion, with information that is put down for purposes that is 
of questionable use. But yet, if you go in there, Mr. 
Hutchinson, and tell them well, no, I have been taught that I 
don't need to give that, in many cases they won't complete the 
transaction with you, even though that is not necessary for the 
transaction by any stretch of the imagination.
    So the Social Security number problem is the most frequent 
question I get when I talk to people on the Hill, and it is a 
very complex one, because it is so ingrained in so many systems 
around the country, and because it has become the default 
national identifier to tomorrow, say, well, for Congress to 
outlaw it, that somehow tomorrow it would crash the economy of 
this country.
    Mr. Hutchinson. You are saying that if we outlawed the use 
of Social Security numbers beyond the original intent, which is 
I guess you give it to your employer so that you can make sure 
you get credit for your FICA taxes that are paid.
    Mr. Douglas. Correct.
    Mr. Hutchinson. If we outlawed it beyond that limited use, 
what impact would that have?
    Mr. Douglas. I am sure you would hear loud and clear from 
the business communities that so many are using that as the 
national identifier, how will they now identify individual 
transactions that go through. That has become the national 
identifier. Every business in America that keeps information on 
our citizens and, you know, very valid reasons, whether it be 
medical records, financial records, the things that make our 
economy hum, to identify us use the Social Security number.
    Mr. Hutchinson. There is benefit to consumers for that as 
well.
    Mr. Douglas. Absolutely. That is one thing, and I touch on 
it a little bit more in my full statement. We need to be very 
careful, and that is why I wholly support this approach that is 
presented here today, because the piecemeal approach of 
legislation could be very dangerous.
    I think there needs to be--we need to take a deep breath. 
Gramm-Leach-Bliley just passed, the DPPA is just starting to 
kick in; I am not as familiar with the medical area, but it is 
just starting to kick in. We need to step back and take this 
18-month look at, first of all, how do some of those provisions 
that are out there kick in, what effects do they have, and to 
find a comprehensive way to deal with that. Because to just 
take a rash approach tomorrow because of concerns I think would 
have a serious impact on the business community.
    Mr. Hutchinson. Thank you. Do I have any time left, or is 
it gone?
    Mr. Horn. Sure.
    Mr. Douglas. My fault. I am so long-winded.
    Mr. Hutchinson. Let me just ask one more question if I 
might which follows up on that.
    Dr. Appelbaum, you mentioned that one thing the commission 
could do is to increase public awareness. If you would just 
sort of elaborate on that a little bit, particularly in the 
area of medical records. We have a limited amount of protection 
now, but there are some things that consumers can do to protect 
to a greater extent their own information; is that correct?
    Mr. Appelbaum. There is, yes. There are a number of such 
steps that they can take, of which most people are unaware. An 
increasing number of States, for example, give patients the 
right to access their own medical records and to make 
corrections to those records if errors are found, before the 
records are widely disseminated, potentially, to their 
disadvantage. Most people don't know that. There are 
institutions such as the Medical Information Bureau in my home 
State of Massachusetts which collects medical-related 
information for the insurance industry, and similarly will 
allow individuals to find out, not easily, but to find out the 
information that is being kept in their files, and correct it, 
and most people are unaware of that as well.
    Mr. Hutchinson. Let me interrupt, because I want to yield 
back my time, but the commission I think is important, that if 
you conduct hearings across the country, you engage in getting 
information of the problems that are out there, but also 
educating the public as to things that they can do themselves 
to protect privacy, and I think that is very important.
    Mr. Chairman, thank you for your leniency, and I yield 
back.
    Mr. Horn. I thank the gentleman and I now yield to the 
ranking member, Mr. Turner, the gentleman from Texas.
    Mr. Turner. Thank you, Mr. Chairman.
    Ms. Twentyman, I want to thank you for your testimony. It 
has been very enlightening to understand what you have gone 
through. I notice you mentioned in one part of your testimony 
that you had $13,000, I believe it was, in one credit card 
account alone that was taken?
    Ms. Twentyman. Just in 3 or 4 days.
    Mr. Turner. In 3 or 4 days.
    Ms. Twentyman. Right.
    Mr. Turner. You mentioned, I think, later in your testimony 
that you haven't personally been held accountable for any of 
these balances. These credit card companies, do they have some 
kind of protection for you as a credit card holder that ensures 
that you don't have to pay when somebody steals from your 
credit card account?
    Ms. Twentyman. I don't know whether it is insurance or 
what, but all of them have, as soon as I report it, they take 
it off my account and tell me I am no longer responsible for 
it. I am not sure with their bookkeeping what they do with that 
money, but fortunately I haven't had to repay any of it.
    Mr. Turner. Mr. Douglas, have you had any experience with 
that? Do these credit card companies just routinely insure 
against theft?
    Mr. Douglas. Yes, sir. The consumer is only liable in 
theory for $50, if they make prompt notification, to the credit 
card company and most credit card companies will even waive 
that $50 on behalf of the customer in order to hold on to the 
customer.
    The thing that should be noted on this, although the 
customer is not losing out, the business is. And they are not 
necessarily insured, they are self-insured in this area. 
Current statistics show that on Internet transactions, and only 
1 percent currently over the last Christmas season, only 1 
percent of purchases were made by the Internet, 25 to 35 
percent of credit card transactions currently made on the 
Internet are fraudulent, and the people picking up the tab on 
that are the Internet companies. They lose out. They end up 
biting the bullet on that. So again, if that area is not 
addressed, it will be a strain on the advance of the Internet 
economy.
    Mr. Turner. What kind of enforcement ability do we have to 
control this? It seems to me law enforcement is totally ill-
equipped to deal with any of this.
    Mr. Douglas. I think currently they are. I think they are 
scrambling quickly to catch up. I know the Washington Post has 
documented just within the last week some efforts on behalf of 
the FBI to get up to speed in some of these areas, but as in 
many areas of crime, the thieves are often far ahead. It should 
be noted, an awful lot of that, especially in the Internet 
transaction area, is occurring overseas where we have no 
enforcement jurisdiction. So many of the software packages that 
are being developed for Internet businesses, I-businesses, in 
order to preclude fraudulent transactions are totally ruling 
out any transaction from overseas.
    Mr. Turner. When you said 25 percent of the e-commerce 
transactions are fraudulent, you are talking about purchases?
    Mr. Douglas. That is correct.
    Mr. Turner. With use of a credit card?
    Mr. Douglas. Right. Somebody claiming to be Mr. Turner to 
buy a pair of Nikes is not Mr. Turner, but somebody else. We 
have all seen when you have gone to a Web site and ordered that 
you can have it delivered to another address. That is what they 
will do, they will put in the credit card information and have 
it delivered to another address, which is often a vacant home 
or they are in cahoots with somebody else.
    Mr. Turner. What is the source of that 25 percent figure? 
Who compiles that kind of information?
    Mr. Douglas. You will see that in almost any of the 
Internet commerce magazines that are tracking this information.
    Mr. Turner. What is the track record with regard to theft 
from bank accounts? Of course I don't mean just Internet 
banking, but theft from bank accounts of individuals? Do we 
have any compilation of totals or is that a very common thing?
    Mr. Douglas. I don't have any compilations of totals. When 
you deal with the identity theft that I have talked about, 
which is pretext, it is very hard to track, because often it is 
done and the person doesn't know how it is done; just as Ms. 
Twentyman said, they never have caught the person. So a lot of 
people don't report, a lot of people are embarrassed about it, 
and I am sorry to say that our most fragile and under protected 
citizenry in this country is senior citizens who this happens 
to quite regularly.
    A lot of this is done over the phone. I have talked about 
methods that are used to get it from the actual institutions, 
the same methods are used to defraud our citizens by phone, and 
senior citizens are the most vulnerable because they grew up in 
a generation that was polite and didn't just hang up the phone 
on somebody.
    Mr. Turner. Is there any source of compilation of theft 
from bank accounts using any of these methods, or is this the 
kind of information banks wouldn't like to talk about too much?
    Mr. Douglas. Well, let me give you an example. There was an 
information broker by the name, a company called Source One, 
run by one individual by the name of Peter Easton out of New 
York. The State of Massachusetts has been the most aggressive 
in this area. They civilly prosecuted, I think, 10 companies, 
and he was the only one that went to trial, and they found 
thousands of cases in just his situation alone. Touchtone that 
I talked about before from Colorado is currently under a 
proceeding in the FTC and they also, when they saw his records, 
found thousands of these cases. Docusearch employs 18 people, 
Touchtone employed 12 or 18 people, and these are just one of 
hundreds or dozens of companies around the country.
    So you could work the statistics backward that way from the 
few successful prosecutions and know that this is happening 
thousands of times a day around the country, if that is 
helpful.
    Mr. Turner. Thank you, Mr. Chairman.
    Mr. Horn. We thank you. Let me ask just a few questions to 
the panel. I might say for my colleagues, if you pick out your 
voting card, which is your identity card, the Social Security 
number you have is printed on the card. So be careful.
    Anyhow, how about the chance to look at H.R. 4049, the 
Hutchinson-Moran bill. Do you have any suggestions on it? There 
is the markup of the commission and their purposes and so forth 
rather well set out. Dr. Appelbaum, do you have any thoughts on 
it?
    Mr. Appelbaum. Yes, I do, Mr. Horn. The composition of the 
group is laid out in terms of its bipartisan nature. But I 
think for the purposes of achieving true privacy protection, it 
would be important to build into this legislation some balance 
among the various actors in this area, since interests are 
genuinely conflicting and everyone should be represented. The 
National Committee on Vital and Health Statistics, which is 
similarly charged to explore this area, has on it, although it 
was balanced from a partisan perspective, no consumer 
representatives, no patient representatives, no privacy 
advocates, and one practicing physician, and it is that kind of 
imbalance that we would hope would not occur with this new and 
very promising privacy commission proposal.
    Mr. Horn. So you are saying in the appointments by the 
majority leader, minority leader, Speaker, and President, there 
ought to be, the kind of person they pick would have some major 
concern, maybe, on this particular matter. I don't know how the 
gentleman who authored this feels.
    Mr. Hutchinson. Well, first of all, I agree completely that 
this commission should be composed of people that represent a 
broad range of the stakeholders in this issue, and second, that 
they are openminded to this issue. But the reason that was 
not--when we thought about specifically delineating different 
representatives on it that sure enough we will leave somebody 
out, for one thing, and the balance of it, and I felt like, and 
we have talked about this with Congressman Moran, that the 
political process would work; in other words, these 
stakeholders are going to be asking and putting pressure on the 
appointing people to make sure they are represented on it. I am 
certainly open, if we need, and we can do that fairly, to 
delineate that, but that was the thinking, anyway.
    Mr. Horn. You mentioned, Mr. Douglas, in your testimony 
about the Colorado case, and you also mentioned what went on in 
Virginia. Now, what are the penalties the States have? Have you 
sort of taken a look at those? I want to tell the staff on both 
sides that the American Law Division will be asked to give us a 
paper on the penalties. But I wondered what your experience is; 
just for this hearing.
    Mr. Douglas. When it comes to the use of pretext and other 
means of fraud and deception to gain information, most of the 
States have nothing specifically on point. In fact, the Federal 
Government didn't, until the Financial Information Privacy Act 
under Gramm-Leach-Bliley, and that is specific to a very narrow 
range of pretext methods used against financial institutions.
    As I noted in my written statement, most of the information 
brokers have figured out, or are either ignoring it or have 
gone underground, unfortunately, that is quite a few of them, 
or figured out other techniques that I am aware of to get 
around it. Gramm-Leach-Bliley's enactment brought the first 
Federal criminal provisions ranging from 5 to 10 years, 
depending upon the dollar amount involved, or the size of the 
company. But most of the States have nothing. There had been 
really no prosecutions.
    There is some argument that Federal or State wire fraud 
laws might apply. Perhaps the identity theft law that Congress 
passed a year or two ago might apply, but we have seen 
relatively few criminal prosecutions at all. In fact, only 1 
State criminal prosecution, no Federal criminal prosecutions, 
and about 12 civil prosecutions under Deceptive Trade Practices 
Act types of legislation the State mirrored on the FDC's 
regulations, if that is helpful.
    Mr. Horn. Have you had a chance to look at the Secretary of 
Health and Human Service's temporary regulations in this area 
and what the penalties are?
    Mr. Douglas. I have not.
    Mr. Horn. Have you had a chance to, Dr. Appelbaum?
    Mr. Appelbaum. Yes, we have looked at them extensively.
    Mr. Horn. Well, if you would like to file a statement for 
the record, that is fine. We will do it at this point. Because 
I realize sometimes in a hearing situation you don't have a 
chance to really see the language and all the rest of it, so we 
would welcome the thoughts from you, and your colleagues.
    Mr. Appelbaum. We will do that.
    Mr. Horn. To all of you I would ask, what is the extent of 
the problem with the law enforcement agencies and how easy is 
it to, let's be charitable and say provide incentives to them 
to give some of this information, which I guess you could also 
say are bribes. What has been your experience, Mr. Douglas, 
with these cases?
    Mr. Douglas. I am sorry, I misunderstood the question.
    Mr. Horn. Well, the question is, when your friendly local 
law enforcement agency has a lot of information and you, as a 
private detective, what are your feelings about what your 
colleagues do and maybe you do to gain information?
    Mr. Douglas. I am with you now. The purchase or bribing of 
information kept in Federal databases, including law 
enforcement, that area has actually subsided quite a bit with a 
round of prosecutions that took place around 10 years ago. It 
was quite common in the private investigative industry to have 
a friend in law enforcement, or many PIs are ex-law enforcement 
who would obtain NCIC information, which is arrest and 
prosecution records maintained in a Federal database. That has 
really come to a close, because a number of people have been 
prosecuted for it, so you don't see quite as much of that going 
on today.
    Mr. Horn. How about with insurance companies? Can they be 
subjected to sort of getting information out of them to people 
that maybe shouldn't have it?
    Mr. Douglas. Absolutely, and their Web sites, I didn't 
include any in my presentation today, but where I could go and 
find out what your life insurance policy is valued at; any of 
your insurance areas. I also didn't include in these charts 
stocks, bonds, mutual funds. Any position that you can think 
of, I can tell you a way to get it.
    Mr. Horn. Well, we thank you. We have to get to the next 
panel if we are going to adjourn at 12, so thank you very much. 
We really appreciate the time you have taken and the wisdom you 
have provided. I know, Ms. Twentyman, that it is really 
something like a stalker that is out somewhere.
    Our next panel consists of Professor Fred Cate, professor 
of law and Harry T. Ice faculty fellow at the Indiana 
University School of Law in Bloomington; Mr. Travis Plunkett, 
legislative director, Consumer Federation of America; Mr. Ari 
Schwartz, policy analyst, Center for Democracy and Technology; 
and Sandra Parker, esquire, director of Government Affairs and 
Health Policy, Maine Hospital Association.
    [Witnesses sworn.]
    Mr. Horn. All four, the clerk will note, have accepted the 
oath.
    So we will start with Professor Fred Cate, professor of law 
and Harry T. Ice faculty fellow at the Indiana University 
School of Law in Bloomington. Now, they have a school of law 
also in Indianapolis, don't they?
    Mr. Cate. Yes, Mr. Chairman, they do.
    Mr. Horn. But is the main one at Bloomington?
    Mr. Cate. They would resent the definition of ``main'' as 
being in Bloomington; there are two separate law schools.
    Mr. Horn. Well, you have a beautiful campus there in 
Bloomington. I was a fellow there for a week, 30 years ago, and 
it is impressive, what you are doing at Indiana.
    Mr. Cate. Thank you, Mr. Chairman.
    Mr. Horn. Please proceed.

 STATEMENTS OF PROFESSOR FRED CATE, PROFESSOR OF LAW AND HARRY 
   T. ICE FACULTY FELLOW, INDIANA UNIVERSITY SCHOOL OF LAW, 
 BLOOMINGTON; TRAVIS PLUNKETT, LEGISLATIVE DIRECTOR, CONSUMER 
FEDERATION OF AMERICA; ARI SCHWARTZ, POLICY ANALYST, CENTER FOR 
DEMOCRACY AND TECHNOLOGY; AND SANDRA PARKER, ESQUIRE, DIRECTOR 
    OF GOVERNMENT AFFAIRS AND HEALTH POLICY, MAINE HOSPITAL 
                          ASSOCIATION

    Mr. Cate. Thank you very much.
    Mr. Horn. As you know, your statements are in the record; 
summarize it so we have time for questions.
    Mr. Cate. I will do so. Let me say for the record, I 
specialize in privacy and information law-related issues. I am 
testifying today not only as somebody who specializes in that 
area, but also on behalf of the Financial Services Coordinating 
Council, which, as I believe you know, is an alliance of the 
principal national trade organizations in each of the financial 
services sectors that deal with issues that cut across those 
sectors, including privacy.
    I think, as the prior panel showed, and something which I 
believe all of the members of this committee certainly already 
knew, the issue of privacy is not only incredibly urgent, it is 
also enormously complex. It arises in many different contexts, 
it involves many different types of information, it involves 
use of information by many different people. As a result, 
efforts to deal with privacy issues, whether those efforts are 
regulatory or legislative or technological, are themselves also 
inevitably quite complex, and there are a great variety of 
them. It is precisely because of this complexity and variety 
that the comprehensiveness of the proposal for a privacy study 
commission is certainly laudable. The idea of bringing together 
in one place a focus on a wide range of issues is certainly 
laudable.
    Let me be very specific, however, and offer two comments 
about the proposal itself.
    One is the issue of what do you do about financial 
information? Congress has just in the past year passed the 
Gramm-Leach-Bliley Financial Services Modernization Act, that 
has not even yet been implemented, regulations are currently 
pending, and that bill itself calls for a study to be conducted 
by the Department of the Treasury. The risk of duplicating that 
effort or of rewriting one set of regulations before an 
existing set even comes into play is a very great one and is 
something that I think this bill and the Congress in 
considering this bill will need to deal with explicitly. What 
is to be done about the fact that this is an area in which we 
have already recently undergone extensive regulation.
    I might also note in relation to the prior panel, financial 
services is an area that is already subject to considerable 
regulation. It has Federal regulators, it has State regulators. 
This is not an area without a framework of law that already 
exists and it is one that Congress has recently taken 
considerable steps to strengthen.
    The second point that I would like to make is the one which 
I believe was also made clearly on the last panel and that is 
really the key need that if there is a privacy study 
commission--the importance that its charge be broad, that it 
not be limited only to looking at the urgent need for privacy 
protection, but also at the cost of privacy protection, at the 
cost of inappropriate privacy protection, and at the 
alternatives to using laws or further regulation for privacy 
protection.
    Now, I think that is clearly captured within the pending 
legislation. I am not in any way suggesting that change to the 
bill as I read it, but rather highlighting the importance that 
if this commission is to engage in what Representative Moran 
called the ``thoughtful, deliberative'' process, it needs to 
have that broad charge and to consider the value of information 
flows, as well as some of the risk posed by those information 
flows.
    Let me stop there and allow for questions later.
    [The prepared statement of Mr. Cate follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.033
    
    [GRAPHIC] [TIFF OMITTED] T0436.034
    
    [GRAPHIC] [TIFF OMITTED] T0436.035
    
    [GRAPHIC] [TIFF OMITTED] T0436.036
    
    [GRAPHIC] [TIFF OMITTED] T0436.037
    
    [GRAPHIC] [TIFF OMITTED] T0436.038
    
    [GRAPHIC] [TIFF OMITTED] T0436.039
    
    [GRAPHIC] [TIFF OMITTED] T0436.040
    
    [GRAPHIC] [TIFF OMITTED] T0436.041
    
    [GRAPHIC] [TIFF OMITTED] T0436.042
    
    Mr. Horn. Well, thank you very much, Mr. Cate. We will go 
to Mr. Plunkett. Mr. Plunkett is the legislative director for 
the Consumer Federation of America.
    Mr. Plunkett. Good morning. Thank you very much for the 
opportunity to offer our comments today, Chairman Horn, and Mr. 
Turner. We commend the subcommittee for examining this 
important issue.
    We agree with everything we have heard so far on the 
significance and urgency of further action on privacy 
protection for Americans. I am going to commend Representative 
Hutchinson, because we have talked, I have talked with his 
staff and with him about our concern here. It is not that we 
don't see a need for action with the commission and on privacy, 
it is just a question for us of what is the most effective and 
timely course of action.
    I too will focus my comments on financial privacy and on 
that issue in particular, we believe that a commission may 
actually be harmful, not because of your desire to look at the 
issue and address concerns, but because momentum is building 
right now at the State and the Federal level to take action 
soon. Our fear is that it will stall if a commission is 
enacted.
    Like it or not, if Congress establishes a commission to 
examine privacy issues, many will urge, and we have already 
heard it to some extent this morning, that all major privacy 
proposals be stuck in a deep freeze for 18 months or more. The 
commission has an ambitious schedule and they might run a 
little over while the commission is operating.
    We do very much welcome the fact that the sponsors of this 
bill, Mr. Hutchinson in particular, see a need for further 
Federal action on privacy, and I commend Mr. Hutchinson for 
highlighting the need for more comprehensive Federal 
approaches. The American people clearly want it. The Wall 
Street Journal surveyed its subscribers about the most serious 
issue facing America in the 21st century, and the top concern 
was not the economy, education, or illegal drugs, it was the 
loss of personal privacy.
    On financial privacy, there is a great deal of research 
about what Americans want, very specific research, including a 
1999 survey by AARP, that found that 81 percent of its members 
oppose the internal sharing of their personal and financial 
information with affiliates, a key issue I will get to in a 
minute, and 92 percent oppose companies selling their personal 
information.
    The erosion of privacy, which we are all aware of and 
grappling with, leads not only to annoyances, and I put phone 
calls from pushy people at dinnertime in that category, it can 
be harmful. You have already heard a great deal about identity 
theft, which I would call the signature crime of the 
Information Age and the anecdotal evidence you have heard this 
morning is backed up by research. Law enforcement officials 
report a sudden sharp increase in identity theft.
    Another example regarding financial privacy, how this 
causes real harm, a bank in California's San Fernando Valley 
sold 3.7 million credit card numbers to a felon who then 
allegedly bilked card holders out of more than $45 million in 
charges worldwide.
    I would point out that consumers and businesses suffer when 
Americans are worried about their personal privacy. This is an 
issue that I think is very important to keep in mind. FTC 
Chairman Pitofsky recently noted that concerns about privacy 
are a major reason why Americans who do use the Internet don't 
make purchases. He also noted that consumers who do not use the 
Internet rank concerns about privacy as their top reason for 
not going on line.
    Now, the continuing gaps in financial privacy protection 
are particularly serious, and we take really a much different 
position than the previous speaker on this issue. Under Federal 
law, even the new Financial Services Modernization Act, the 
Gramm-Leach-Bliley Act, even our video rental records are 
better protected than confidential experience and transaction 
information held by financial institutions, in particular, held 
by those institutions and shared with their affiliates. 
Affiliate information-sharing is a very significant issue. We 
all expect that under the Gramm-Leach-Bliley Act, we are going 
to see the largest consolidation of the financial services 
industry in American history. That means that we, in terms of 
information-sharing and abuses and intrusions, what we have 
seen is the tip of the iceberg. It is going to happen. Most 
players in the market are honest, they are honest brokers, but 
we are going to see more intrusion and we are going to see more 
abuses.
    One of the worst information-sharing abuses on record did 
not involve the selling of information to outside third 
parties; it involved an affiliate. This is the NationsBank/
NationsSecurities case, which resulted in a total of $7 million 
in civil penalties. It was an inside affiliate-sharing 
agreement. NationsBank shared detailed customer information 
about maturing certificate of deposit holders with a 
NationsSecurities affiliate, which then switched, urged the CD 
holders to switch to a risky derivative fund. Many of these 
customers who did this lost portions of their life savings.
    Legislation to improve financial privacy protections has 
been introduced in at least 20 States and in both Houses of 
Congress. The bills in Congress are bipartisan, they are 
bicameral. Senator Shelby and Representative Markey are leading 
the charge and they have also set up, as many of you know, a 
Privacy Caucus. Several folks here are members, including 
Representative Hutchinson. Virtually all of these proposals 
would provide that information could not be shared with either 
an affiliate or a third party without informed consent.
    Once again, I would dispute what you have just heard. This 
isn't an issue that hasn't been studied, it isn't an issue that 
hasn't been debated extensively. It is the unfinished business 
of the Gramm-Leach-Bliley Act and the fact that so many States 
are looking at this issue, and several are moving these bills, 
they are not just introducing bills, and most of these bills 
deal with the same topic. Affiliate information-sharing shows 
me that it is a good idea to act soon and not wait for a good 
deal of time.
    I would note, even though I won't talk too much about this, 
you are going to hear more about this in a minute, that 
considerable progress has been made in terms of studying, 
debating various proposals on health privacy and Internet 
privacy as well. The Department of Health and Human Services, 
for instance, has received 60,000 comments on proposed health 
privacy regulations. The FTC has undergone numerous rulemaking 
proceedings on Internet privacy and has supervised or actually 
implemented several surveys as well.
    So in closing, let me just say that to his credit, 
Representative Hutchinson has clearly indicated that he doesn't 
want to delay progress of important privacy legislation with 
this commission. Our recommendation, and we have some modest 
recommendations which I won't go into regarding the language of 
the bill, but our broad recommendation is that the mandate of 
the commission be narrowed to address very specific issues in 
need of greater study.
    I think you are going to hear in a minute of issues that 
could be studied at greater length. We would urge those who do 
support the bill to make it clear repeatedly and on the record 
that the intent of the study is not to delay needed legislative 
action on financial privacy and health privacy and Internet 
privacy. Thank you.
    [The prepared statement of Mr. Plunkett follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.043
    
    [GRAPHIC] [TIFF OMITTED] T0436.044
    
    [GRAPHIC] [TIFF OMITTED] T0436.045
    
    [GRAPHIC] [TIFF OMITTED] T0436.046
    
    [GRAPHIC] [TIFF OMITTED] T0436.047
    
    [GRAPHIC] [TIFF OMITTED] T0436.048
    
    [GRAPHIC] [TIFF OMITTED] T0436.049
    
    [GRAPHIC] [TIFF OMITTED] T0436.050
    
    [GRAPHIC] [TIFF OMITTED] T0436.051
    
    [GRAPHIC] [TIFF OMITTED] T0436.052
    
    Mr. Horn. Thank you. We now have Mr. Ari Schwartz, policy 
analyst for the Center for Democracy and Technology. You might 
tell us a little bit about that institution.
    Mr. Schwartz. Sure. Thank you, Chairman Horn and members of 
the panel. Thank you for inviting me to testify on the Privacy 
Commission Act.
    CDT believes that the focused privacy commission could help 
build privacy protections, but as Representative Hutchinson 
mentioned earlier, it should not be used to derail the current 
process on important legislative proposals already in front of 
Congress.
    Before going into detail about how such a commission might 
work, I would first like to explain CDT's view of the current 
state of consumer privacy. As some of you know, the Center for 
Democracy and Technology is committed to protecting privacy on 
the Internet. Recent studies have shown that individuals are 
growing more concerned about their loss of privacy, both on and 
off line.
    These growing concerns are well-founded. Stories of privacy 
invasions and security gaps in both the private and public 
sector are becoming almost daily occurrences. CDT believes that 
work in three areas, three legs of a stool if you will, are 
needed to help reverse this trend and build privacy protections 
for the future.
    First, CDT is working with many responsible companies, 
privacy experts and technologists on privacy-enhancing 
technologies which are necessary to build privacy into the 
infrastructure of communications technology such as the 
Internet and reverse the trend that we have been seeing so much 
of with privacy-invasive technologies. For example, we are 
working on a standard with the World Wide Web Consortium called 
the Platform for Privacy Preferences, or ``P3P'', which would 
make privacy notices easier to read.
    Many companies are beginning to build P3P into their 
Internet products. For example, last week Microsoft announced 
that it has plans to implement P3P in its upcoming consumer 
software products. Self-regulatory efforts by industry are also 
important to ensure enforcement on the Internet. As the economy 
becomes more global and decentralized, responsible practices 
become an increasingly important tool.
    Last, we believe that there is a role for Congress. 
Legislative approaches are needed. Without the means to imbed 
fair, predictable results, better encourage self-regulation, or 
go after bad actors in law, CDT fears that the actions of a 
single company could cause the public to question the motives 
of an entire industry. For the reasons that we have heard 
today, this is especially important in the financial, health 
and Internet areas.
    Congress must move forward in these areas in particular.
    A commission such as the one proposed could help learn how 
to protect privacy. In fact, over the past 30 years, we have 
seen various kinds of commissions at the U.S. Federal level. I 
have detailed those in my written testimony in the appendix. 
However, while the theoretical work of these commissions and 
panels have pushed privacy forward worldwide, the U.S. 
consumers have very little to show for it. Therefore, we urge 
you not to duplicate the work of those past committees and 
panels, but to move forward and focus the panel on issues that 
have not been studied.
    Some of the areas of special interest to this subcommittee 
may be: revising the Privacy Act of 1974. As early as 1977, a 
congressional commission found that the Privacy Act, which 
protects personal information within the Federal Government, 
was not as effective as it should be. The act should be 
examined again and recommendations should be made in light of 
the advent of government's use of the Internet and the spread 
of the Social Security number which we have already heard a 
little bit about today.
    Public records such as driver's license information and 
court records and other information that Mr. Douglas brought 
forward would also be a useful area to study. We need to 
reexamine how the government information is made available to 
the public. The claim that a government document is hard to 
find can no longer be used as an excuse to keep personally 
identifiable information available to anyone to sell or use as 
they wish.
    Similarly, government at all levels should be encouraged to 
post more public information to the Internet. With jurisdiction 
over both the Freedom of Information Act and the Privacy Act, 
the two great government accountability and openness acts of 
the past century, this discussion should be of great interest 
to this subcommittee in particular.
    On access and security issues, the commission could help 
Congress use the findings of the FTC advisory committee which 
is just finishing its work on these subjects.
    Last, a commission could examine the effectiveness of an 
individual's private right of action under privacy laws. While 
the private right of action should remain an integral part of 
privacy laws, we have seen time and time again that when this 
is the only option for Americans, they receive no redress. 
Again, this concern is most clear in the application of the 
Privacy Act of 1974.
    Creating a commission focused on these areas would allow 
its members to build on the work done in the past. While 
focusing the commission would better help use taxpayer dollars 
and allow us to further learn about privacy, the most vital 
concern facing the creation of a new congressional commission 
is a political one, as we have heard from Mr. Plunkett and Mr. 
Hutchinson. The commission must not be used to delay or deter 
from the discussion or progress of medical, financial or 
Internet bills that have already been mapped or studies.
    I thank you again for having me and look forward to your 
questions.
    [The prepared statement of Mr. Schwartz follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.053
    
    [GRAPHIC] [TIFF OMITTED] T0436.054
    
    [GRAPHIC] [TIFF OMITTED] T0436.055
    
    [GRAPHIC] [TIFF OMITTED] T0436.056
    
    [GRAPHIC] [TIFF OMITTED] T0436.057
    
    [GRAPHIC] [TIFF OMITTED] T0436.058
    
    [GRAPHIC] [TIFF OMITTED] T0436.059
    
    [GRAPHIC] [TIFF OMITTED] T0436.060
    
    [GRAPHIC] [TIFF OMITTED] T0436.061
    
    [GRAPHIC] [TIFF OMITTED] T0436.062
    
    [GRAPHIC] [TIFF OMITTED] T0436.063
    
    [GRAPHIC] [TIFF OMITTED] T0436.064
    
    [GRAPHIC] [TIFF OMITTED] T0436.065
    
    [GRAPHIC] [TIFF OMITTED] T0436.066
    
    [GRAPHIC] [TIFF OMITTED] T0436.067
    
    [GRAPHIC] [TIFF OMITTED] T0436.068
    
    Mr. Horn. Thank you very much. We will get back to 
questions.
    Our last panelist on panel two is Sandra Parker, esquire, 
Director of Government Affairs and Health Policy, the Maine 
Hospital Association. Thank you for coming down.
    Ms. Parker. Thank you for having me, Chairman Horn. We 
represent 38 main hospitals and their affiliated entities. I am 
here today to tell you about Maine's experiences in 
legislatively protecting the confidentiality of health care 
information, a small subset of the information referenced in 
H.R. 4049, but one that is particularly near and dear to us.
    Our members, and I think everyone in this room firmly 
believes that health care information is very private and it 
needs to be protected against inappropriate disclosures. Dr. 
Appelbaum did a fine job explaining the reasons and concerns 
people have, and I am not going to reiterate any of them, but I 
will tell you in recognition of those concerns, our hospitals 
have always had policies in place to protect the information, 
because we think it is important, and we will continue to have 
the policies, no matter what happens in Augusta, ME or 
Washington, DC.
    The Maine Legislature agreed with us. In fact, they wanted 
to see every health care practitioner have those practice and 
policies in places to protect the information, and they felt 
that the Maine citizens would benefit from a statewide 
consistent privacy standard in applying to everyone. So they 
began.
    In January 1997, they took up the very difficult task of 
translating those protective ideals into legislative language. 
Their initiative would apply only to health care providers in 
an effort to protect health care information at its source. 
Respecting the complexity of the task before them, they worked 
with a professional facilitator and met every 2 weeks with 
interested parties and a facilitator to exhaustively study the 
issue and try to anticipate all of the concerns. They worked 
through the spring, they worked through the summer, they worked 
through the fall and into the next year. Our dedicated 
legislators worked for 2 years to develop a bill just on health 
care information and studied it extensively.
    Still, consensus was hard to find, and it wasn't until the 
final hours of the session in the 1998 session that a 
compromise bill was quickly passed through the House and 
Senate. It was to be effective January 1, 1999.
    As we reviewed the bill and prepared to help our members 
comply with the anticipated new law, we began to uncover some 
unintended and troublesome consequences, despite their extreme 
hard work.
    I would like to just briefly illustrate a couple of those, 
nowhere near what is in my written statement, but just a quick 
illustration. To do that, I need to tell you three provisions 
of the law. First, health care information is defined very 
broadly and intentionally so. They didn't want any health care 
information to fall through the cracks. So they defined it as 
any information that identifies an individual directly and 
relates to their physical, mental, behavioral condition, 
medical treatment, personal or family history. It sounds like a 
terrific definition. We still stand by it, but it caused us 
some problems.
    The second piece I would like you to know is that with 
certain exceptions, the law required written authorization from 
the patient or their legally appointed representative before 
any disclosures could be made. Again, that sounds terrific, and 
again, it gave us some problems I would like to tell you about.
    The third piece you need to know is that written 
authorization is a defined term in our statute. They 
specifically denote the elements of a valid authorization and 
nothing else will do. It must be written and it must have those 
elements.
    Well, nowhere in the law did they reference directory 
information, and what I mean by that is if you find out that 
your good friend Sandra Parker is in the hospital and you call 
the medical center and ask how I am doing they tell you that I 
am in room 222 and in satisfactory condition. Our law never 
mentioned directory information, but confirmation that I am in 
the hospital and saying that I am in satisfactory condition 
relates to my medical treatment and physical well-being and, 
therefore, falls within the definition of health care 
information, therefore requires written authorization from me 
specifically in order to release it. So, that is what we did. 
There were delays, however, and when people were in the 
emergency room and they hadn't gotten to their routine 
paperwork yet and they said to their care giver could you go 
out and get so and so from the waiting room, we would have to 
say, well, no, we can't, because we can't tell them you are 
here until we get to the paperwork and sign the forms. They 
could not tell us. Oral authorization was not enough, it had to 
be written. Unless and until that paperwork was done, visitors 
couldn't be directed, clergy couldn't be called, phone calls 
couldn't be transferred, flowers couldn't even be accepted.
    It sounds like a good idea, but in practice we received 
many, many complaints about it.
    The idea that oral authorizations were not allowed was a 
problem for us. Maine residents often spend the harsh winter 
months in more temperate climes and would like to call their 
physicians or hospitals and get their medical records 
transferred and that option was completely removed from their 
control. They now had to get a special form with statutorily 
required elements, fill it out, sign it, date it, send it back 
to their provider before the provider could direct the records 
to the right place.
    The other major problem that we had was that the 
authorization of disclosure was given only to the patient and 
their legally appointed representative. That was also done 
intentionally, for good reason. We don't want anyone else to 
have control of that information. However, many, many people 
don't have legally appointed representatives, and by that I 
mean a guardian, a court-appointed guardian, someone with power 
of attorney, someone under an advanced directive statute. What 
we found was that when people didn't have a representative, a 
legally appointed representative and were unable to sign their 
paperwork, because they were too ill, they were medicated, they 
had a stroke, whatever it was, we had nowhere to go. We could 
release no information to anybody under any circumstances.
    So despite great effort, there were some problems. We 
approached the sponsor of the bill and we worked with her to 
amend it, and we submitted a bill, but before the legislature 
could reach our bill, the law went into effect on January 1, as 
scheduled, and the day it went into effect, the legislators' 
constituents began to call, and they called, and called and 
called and complained, so much so, so adamantly so, that the 
legislature suspended the law after it was in effect for just 2 
weeks and went back to the drawing board. There was extensive 
discussions about maybe not going forward at all, maybe we 
should wait for a Federal law, maybe we didn't need it, maybe 
it was an impossible task. But it was so important, so, so very 
important that the legislators, to their credit, gave it 
another try. They worked on it for 6 more months and amended 
the law.
    The amended law went into effect February 1, just a couple 
of months ago. So far, it seems to be effectively protecting 
information without provoking consumer outrage. Perhaps we will 
have more to do. We are still learning our lessons. But it is 
something that everyone in Maine believes in, and we will keep 
trying. It is that important.
    Thanks.
    [The prepared statement of Ms. Parker follows:]

    [GRAPHIC] [TIFF OMITTED] T0436.069
    
    [GRAPHIC] [TIFF OMITTED] T0436.070
    
    [GRAPHIC] [TIFF OMITTED] T0436.071
    
    [GRAPHIC] [TIFF OMITTED] T0436.072
    
    Mr. Horn. Well, that is very helpful experience.
    Let me ask you, what is the most important privacy issue 
you have confronted, either with the clientele you represent, 
or just your own experience? So let's just go down the line, 
Professor Cate.
    Mr. Cate. I guess I would say the single most important 
privacy issue is trying to find a solution to problems that are 
not clearly defined. So we talk about opt in and opt out, and 
things like this. In other words, we have a lot of terms on one 
side of the equation, tools for protecting privacy, without 
being clear about what it is we are trying to accomplish. I 
think that was exactly the issue Congress faced with Gramm-
Leach-Bliley.
    Mr. Horn. Mr. Plunkett.
    Mr. Plunkett. Well, I will stick with our theme since it is 
our focus on financial privacy. One of the things I didn't 
mention which has been touched on by a lot of the speakers and 
is in our testimony is that the standards, the principles, the 
building blocks, if you will, for strong privacy protection are 
fairly well-known. In fact, they are reflected in the 1974 
Privacy Act. They are called fair information practices. One of 
the most important is that the information that you provide 
should not be used for a secondary purpose. That obviously 
means for a purpose other than for which it was given.
    Our concern, once again, with financial institutions is 
that if you open a bank account, you may not know that your 
bank is affiliated or soon will be affiliated with an insurance 
company, and there are abuses that can occur there, and I think 
the NationsBank/NationsSecurities example I gave illustrates 
that. But there are also problems when cross marketing occurs, 
because that insurance company, in our opinion, shouldn't have 
your account transaction and experience information, because 
that is not the purpose for which you gave them the 
information.
    So to answer your question, I think applying the fair 
information practices to all of these issues, it can get 
complicated when you are dealing with the details, no doubt. 
But the hardest thing for us is to ask people to back up and 
say, well, don't forget the principles. They are fairly well 
established, they are fairly well-known, accepted, and please 
use them.
    Mr. Horn. Mr. Schwartz.
    Mr. Schwartz. I would say I have three areas. First, 
children's privacy is very important, because they--it has been 
shown that they are not really sure what they are consenting to 
when they actually do consent to something, medical privacy, 
because the information is so vital, and last information that 
is held by the government, because there are so many vital 
services that are needed when you turn over that type of 
information.
    So those three areas are really in terms of if you are 
going to do a tiered approach, those three areas would be the 
first place to focus in our minds.
    Mr. Horn. Ms. Parker.
    Ms. Parker. At least from our experience, the most 
difficult piece of protecting this information was the balance, 
the balance between necessary and desirable communication and 
the balance against the time that it took to get written 
authorizations to release the information.
    Mr. Horn. Well, I thank you for those answers. I noticed in 
one of the papers here, I believe it was Mr. Schwartz' one, 
where you noted the updating of the Privacy Act of 1974, and 
you made a point here that the quote, to make matters worse, 
the Office of Management and Budget has not updated its Privacy 
Act guidance since a year after the act was passed.
    What do you feel is the reason for that, and what do you 
think they ought to do in updating?
    Mr. Schwartz. Well, it has only been a year since the OMB 
has gotten a Chief Counsel for Privacy, so hopefully we are 
moving down that path. This past year we also had all of the 
agencies right there on Privacy Act implementation, where they 
stand on the reports, and the OMB and the Chief Counsel for 
Privacy in particular will be handing out a final report based 
on those to the Congress.
    Also, GAO is looking into privacy-owned government Web 
sites, another important issue that should be covered by the 
Privacy Act more than it is, but as I said in my written 
statement, the Internet--the Privacy Act wasn't designed with 
the Internet in mind. So we really do need to reexamine the 
Privacy Act. I think this kind of commission would be a perfect 
venue to do that, and it certainly would be great to have more 
oversight hearings on the Privacy Act when OMB's report moves 
forward.
    Mr. Horn. Mr. Plunkett, is there legitimate need to 
exchange information between the banks and third-party 
affiliates, specifically for the various life needs, like check 
printing and credit billing in small community banks, and 
wouldn't you agree that these need to be known before laws are 
enacted which could have unintended consequences, which could 
cripple entities such as the small community banks?
    That is a question that Mr. Hutchinson has left for me to 
ask, because he had to go to another meeting.
    Mr. Plunkett. That is a good question. The legislation that 
Mr. Markey and Mr. Barton have introduced allows for explicit 
approval for the financial institutions to share information 
when it is for the intended purpose; that is, if you are 
opening up a checking account, they can certainly share your 
checking account information to those that are printing your 
checks. That is a fairly, I think a fairly easy problem to fix 
and absolutely there is a legitimate reason in that 
circumstance to share information.
    Mr. Horn. Any other comments on that by anybody? Professor 
Cate.
    Mr. Cate. If I may just say, Mr. Chairman, I think the 
difficulty here is that there are a lot of uses that we might 
consider valuable that aren't that immediately obvious. For 
example, fraud prevention or detection, monitoring accounts to 
determine if there are charges out of the ordinary, monitoring 
an account to determine whether that customer is speaking to a 
balance in a noninterest-bearing account--these are all things 
which we could debate on whether it is within the purpose for 
which the person originally disclosed the information. I think 
we would also all consider them to be valuable uses. I think 
this really sort of highlights the complexity here.
    I obviously disagree that this issue has been thoroughly 
and well studied and we now know what to do and should do it. I 
think the fact that you have 22 States that have introduced 22 
different bills, none of them agree on what to do and how to do 
it, and in fact a large part of that is that we have so little 
sense, I think exactly what the Maine experience showed. It was 
easy to focus on the privacy side; it was very hard to focus on 
what are all the valuable, useful things we do with useful 
information every day that we don't want to put a stop to.
    Mr. Horn. Thank you. Well, thank you. I just have one 
question before I yield to Mrs. Maloney.
    Some of you have had experience on the privacy laws abroad, 
and I am curious what your thinking is on the European 
Community's privacy laws. You will recall the European 
Community asked all of their Member States to put together a 
privacy law about 2 years ago, and then they put it off for a 
while, and there were real concerns in this country in terms of 
the free flow of data between corporations of the United States 
subsidiaries in Europe and European subsidiaries in the United 
States, and that was one of the reasons they put it off.
    I just wondered what your thinking is there, and would that 
have made a major impact on the economy. Again, they wanted, I 
guess even a census date that the individual signed the form, 
which sounded a little much. But go ahead.
    Mr. Cate. Well, Mr. Chairman, thank you. I think the answer 
is absolutely it would have made an enormous impact on not only 
the economy of international trade between the United States 
and Europe, but also within Europe, which is probably why 
Europe has really not implemented the directive. Half of the 
countries haven't implemented it at all, they have not even 
made the pretense of implementing it. The others have 
implemented laws which we are told by data protection 
commissioners in Europe are not being enforced currently.
    So, for example, if you read the law, what is the law today 
in England, Greece, or Portugal, it would tell you that the law 
is opt in affirmative consent. You must get consent, for 
example, from every employee in writing before you process 
their data. What we know is that is not taking place in any of 
those countries, that in fact they are simply using a slightly 
different mechanism than we use. We tend to write exceptions 
into law; they are simply putting those exceptions into 
practice.
    Mr. Horn. Any comments on that, Mr. Plunkett?
    Mr. Plunkett. I would note that in the so-called safe 
harbor negotiations, many of the same entities, financial 
institutions in particular, that talk about the expense of 
complying with meaningful privacy protections, and by that I 
mean privacy protections that extend to affiliates which I 
spoke about earlier and information-sharing to affiliates, many 
of the same companies that are objecting there are willing to 
go along with an agreement that is close to being consummated, 
the so-called safe harbor agreement, that will provide European 
customers of American institutions with greater privacy 
protection than with American customers.
    Mr. Horn. Now I yield to the gentlewoman from New York. It 
is good to see her here, a former ranking member.
    Mrs. Maloney. Great to see you, Mr. Horn, and thank you for 
calling this important hearing. I would like to request that my 
opening statement be put in the record.
    Mr. Horn. Without objection, it will be put where all the 
opening statements were, as if read.
    Mrs. Maloney. Thank you. Then I would like to just ask a 
few questions. I am not against this bill, but I hope that the 
intent is not to stop other protections from going forward, and 
the protections that we already have in place.
    Last year, as a member of the Banking Committee, I had an 
opportunity to participate in the conference on the Gramm-
Leach-Bliley Financial Services Reform Act where we had a 
considerable debate over issues related to the privacy of 
financial institutions and passed some privacy protections for 
consumers of financial institutions. These regulations have not 
even been in place yet. Shortly over 2 billion consumers will 
be receiving privacy notices in the mail, and my question is, 
would this commission in any way halt or hinder this work that 
we have already done? This commission?
    Mr. Cate. Well, if I can speak to that, I would say 
certainly, you know, our view is that it should not.
    Mrs. Maloney. So it would not. Is that clear in the bill?
    Mr. Cate. I believe there is no language in the bill that 
would suggest it has the power to stop the implementation or 
that it is the intent of Congress to stop the implementation of 
any existing law. You might even argue further, I mean this 
would suggest to me why, if the commission goes forward, you 
would probably want people on it, some of the members of it, to 
be involved in the implementation of that law, to bring the 
experience of that process to the commission.
    Mrs. Maloney. I would like to mention----
    Mr. Plunkett. Could I respond as well?
    Mrs. Maloney. Sure. Anybody can comment.
    Mr. Plunkett. I would agree that the intent of the act is 
not to inhibit implementation of the Gramm-Leach-Bliley act. I 
would note, though, that the regulations that are ongoing don't 
deal with the significant flaw in the act that these State 
bills and the Federal bills have identified, which is the 
affiliate-sharing loophole.
    Mrs. Maloney. But a number of States are going forward with 
their initiatives, as I understand it, is that correct?
    Mr. Plunkett. Well, they are moving through the process, 
including in New York, from what I understand.
    Mrs. Maloney. Now, I would like to ask about another issue. 
We actually had several hearings on this particular matter, the 
Health Insurance Portability Act, a 1996 act. It provided that 
if Congress was not able to reach consensus and enact 
legislation on medical privacy by August 1999, the Secretary of 
Health and Human Services would come forward with medical 
privacy regulations to ensure that Federal medical privacy 
protections are in place. Since Congress failed to meet the 
August 1999 deadline, the Secretary is now, as we sit here, in 
the process of finalizing medical confidentiality regulations.
    I would just like to ask the members of the panel, do you 
believe that if a privacy commission were created, the 
administration should delay moving forward with these 
regulations until after the commission completed its report? I 
would like to really--you know, in other words, the question I 
am asking is one that--would this in any way hinder work that 
is already in place from going forward or stop other 
protections from going forward?
    I don't know if the proper person to ask is the panel or 
Mr. Hutchinson himself, but you know, the fact that we have 
been working in this committee actually since 1996 and that 
these are supposed to come forward, I believe, shortly, would 
this in any way hinder that from going forward in?
    Mr. Hutchinson. If the gentlewoman would yield.
    Mrs. Maloney. Absolutely.
    Mr. Hutchinson. The answer is no. There was some discussion 
and some urging to put in the commission bill a moratorium on 
other regulations and legislation moving forward until the 
commission did its work, and we specifically rejected that, 
because again, I view this commission and this legislation as 
complementary and not as a substitute. So there would not be a 
prohibition there. In fact, I think many of those will be 
adopted this year, won't they?
    Mrs. Maloney. Well, yes, they are supposed to come forward, 
and as we mentioned while you were not in the room, the 
financial services bill, the bipartisan Leach-Bliley bill had 
privacy for the financial institutions, and they are in the 
process of coming forward with them, and as I mentioned, 
roughly 2 billion consumers will be getting notices. This will 
not in any way hinder the work of the Banking Committee on the 
privacy issue?
    Mr. Hutchinson. The answer is it will absolutely not 
interfere.
    Mrs. Maloney. Now, obviously, who is on this commission is 
going to have a lot to do with how well it operates. I 
understand from reading it that there is no criteria for the 
commission's membership.
    I would just like to ask Mr. Cate, Mr. Plunkett, and Mr. 
Schwartz, what are your ideas of criteria for membership on 
this, and what do you think would be the appropriate criteria 
for membership on the commission?
    Mr. Schwartz. I will address that, partly because I 
addressed it in my written testimony and was not able to 
address it orally.
    Mrs. Maloney. I am sorry. I missed it then.
    Mr. Schwartz. We think that it is very important that 
consumer groups, privacy advocates, and the other--along with 
many of the other groups that would be affected in the 
financial health industries be represented on the panel. We 
have specific concerns that the schedule for the panel, 20 
meetings in 18 months, is really quite a heavy load for--
particularly for consumers groups and civil liberties groups, 
because even the time constraints on limited staff resources 
can be very difficult, so we hope that that can be addressed as 
well.
    Mr. Cate. If I may also respond and wholly join in that 
comment, I think one of the assumptions is that if a commission 
goes forward, it has a tremendous amount of deliberation to do, 
that it is not so much unearthing new information, it is 
working out ways of working with existing information. I think 
one of the things that would be of concern in the bill is the 
requirement for 20 hearings in five different locations in 18 
months, that it would be preferable to have this commission be 
able to spend a greater amount of its time in deliberation as 
to how to reconcile these issues as opposed to engage quite so 
much as a fact-finding body.
    If I may also just add one point: in addition to the 
representation along types of groups, consumer groups, industry 
groups and so forth, I too would reiterate the point that I 
think it is important that the experiences that the members 
bring to the table, whether those are experiences from business 
or industry or consumer groups or academia, it makes no 
difference, that those experiences reflect a broad range of 
interests and approaches to privacy; that what you don't want 
is a group of people who are all focused on privacy, but just 
from different points of view, since we have clearly I think 
come to understand that these privacy issues touch on, as the 
Maine experience shows, so many other realms of our lives that 
you would want that well represented.
    Mrs. Maloney. Just as a followup, Mr. Cate, in reading your 
testimony, you stated that the commission's work might 
duplicate the Treasury study on Gramm-Leach-Bliley on financial 
privacy. Do you think that the commission is unnecessary as a 
whole, or just unnecessary with regards to the financial 
services industry? Could you sort of clarify your thoughts on 
that?
    Mr. Cate. Yes. Unfortunately, I can only make them as clear 
as they are, and you may find that they are somewhat befuddled 
to start with. I think it is very important that the commission 
not duplicate existing work, and I think there is a real risk 
with the Treasury study under way currently that you would not 
want the commission to do the same type of study.
    Mrs. Maloney. When is the Treasury supposed to complete 
their study, do you know exactly?
    Mr. Cate. I believe they have another full year to complete 
it. So there would be some overlap potentially between the 
commission and the Treasury study. That is true in other areas 
as well. I mean there are certainly other studies and other 
studies done in the past. I don't think you want any of those 
duplicated.
    I think that doesn't put an end to the question, though. 
The question is, if there is a commission, how can it build on 
the work that the Treasury is doing. There would be a variety 
of ways. I mean one way would be to exclude financial 
information, to say look, the Treasury has been dealing with 
that, we are going to leave that out. Another way would be to 
say include financial services information, but with particular 
attention to not sort of going through the same types of 
hearings, the same types of deliberation, but rather to draw on 
what the Treasury and other financial regulators are doing. I 
am sure there are many other ways of doing that. That is 
instruction it seems to me Congress would want to give either 
through legislative history or the legislation.
    Mrs. Maloney. Is my time up, Mr. Chairman?
    Mr. Horn. Go ahead.
    Mrs. Maloney. Thank you, Mr. Chairman.
    You made a statement about the valuable--useful use of 
information, and I think one of the most startling things in 
our country now, and really in our economy and in our life, is 
just the fast-changing pace of the so-called information age. 
We have had hearings on many of the things that may be driving 
these tremendous, or one component, the tremendous success of 
our economy is this whole information age that is allowing so 
much to happen so quickly.
    Would you elaborate in your statement on really not wanting 
to curtail the use of information and being able to grow on 
this new phenomena, but also to protect privacy and some of the 
valuable, useful uses of information that we don't want to 
hinder in the growth of possibilities for individuals and 
really growth of our country?
    Mr. Cate. Well, yes. Thank you. Let me offer two responses. 
One is I think it is critically important that we do a better 
job, and by we I mean all of us. Certainly academia bears a 
shared responsibility, for not having engaged in the type of 
research as to how we use information. We really know very 
little about that. We know a lot about privacy, we know very 
little about, if you will, the infrastructure uses of 
information. How does a business, how does Congress use 
information about individuals and in what ways does it benefit 
our lives? What are ways in which--public records is a good 
example that was raised earlier. In the financial services 
context, I think that type of an investigation has really first 
begun.
    I did a study which was published just a month ago now 
which was just the tip of the iceberg in looking at the types 
of beneficial uses that come out of allowing relatively 
unhindered access to basic personal information. Who has an 
account, where, what do they use it for, etc. The best example 
of that is probably fraud prevention, that if we can look 
across accounts, you see patterns of consumer behavior, which 
then when you see anomalies, may alert the bank or the credit 
card issuer or whomever to the fact that there is something 
here that that consumer may need to be notified about or there 
may need to be further inquiry.
    As we heard on the first panel, given that it is the 
businesses and then ultimately consumers that sustain those 
losses, that cover those losses where there is fraud, for 
example, allowing that type of use seems important. But I think 
the second response was more the process response. I think that 
is why if there is to be a commission, or if there is not to be 
a commission, it is important that we all be engaged more in 
the process of figuring out what are the other uses of this 
type of information. They may be as pedestrian as confirming 
where to make a flower delivery for a patient in the hospital, 
but that really matters to real people who are in distress.
    Mr. Plunkett. Could I just jump in and say that nothing in 
any of the financial privacy proposals that we or I believe 
anybody supports would prevent fraud prevention or inhibit 
fraud prevention. It is important also to note the increasing, 
again, uneasiness that Americans have about erosion of their 
privacy. I do not want anybody to get into this situation where 
they are putting privacy at odds with economic interests. As I 
mentioned before, when it comes to, for instance, being at ease 
with electronic commerce, privacy protection may actually be 
the best thing for more people using the World Wide Web and the 
Internet, and taking advantage of electronic commerce because 
they won't worry that their privacy is being violated.
    Mrs. Maloney. Well, I appreciate your testimony. My time is 
up. I would just appreciate, Mr. Hutchinson, if in the, I don't 
know, intent or some place in the bill you would let it be 
clear that you in no way want to hinder the work going forward 
from the 1996 Health Insurance Portability Act on privacy and 
also the work of the Banking Committee on the Gramm-Leach-
Bliley, so that it doesn't hinder this work going forward.
    Mr. Horn. We are going to have a markup on this. That might 
come up there. I will tell you, if this commission doesn't 
pass, there won't be much passed, because they have had 
numerous privacy bills in the Senate, in the House; they have 
gone nowhere, except the one on the banking and the human 
services regulations issued by the Secretary. So I look on it 
the other way, that this is the way to get a privacy law on the 
book, is get that commission moving.
    I thank the gentlewoman for being here.
    The last word I will give to the prime author of the 
legislation, Mr. Hutchinson. I want to say that both the 
Democratic side and the Republican side will be forwarding you 
and the first panel some questions that we haven't been able to 
get to. We hope you will write the answers and they will go in 
this part of the record.
    In addition, we will keep the record open to any citizen 
for the next 2 weeks, roughly 14 days.
    So please send it to the staff. It is B-373, I believe. The 
chief counsel and staff director, Mr. George, is over there, 
and we will work it out with everybody as to the questions and 
they will go into the official record.
    So I now yield for the last word on this subject for 5 
minutes to the gentleman from Arkansas.
    Mr. Hutchinson. I thank the Chairman. Again, I want to 
express my appreciation for this hearing, your willingness to 
schedule a markup on this legislation. I just want to make a 
couple of comments. First, I want to thank Ms. Parker for being 
here and testifying on this and giving us the experience from 
Maine. I think that is very instructive and helpful as we look 
at this in Congress and our responsibility.
    There has been some questions about the criteria for 
membership, and I would emphasize that, you know, this can be 
changed; obviously, that is what the markup is for, and if 
wisdom prevails that we ought to specify different criteria for 
involvement in this commission, then I am certainly open to 
that. But the reason that was not included is, as I stated 
before, there is always a fear of leaving someone out. I can 
just see itemizing who should belong to this commission and 
someone coming up and saying, well, how about our group, or how 
about this particular stakeholder. So you start down a risky 
path.
    The other reason is that it is consistent with other 
commissions in the past that you leave the particular makeup of 
the commission to the appointing officials and allowing a 
bipartisan consensus to develop on it. So I would expect that 
all of the important stakeholders should be and will be 
represented on the commission. But again, if we need to be more 
specific than that, then that might be an option.
    The second issue, and I want to talk to Mr. Plunkett for a 
moment, and I very much appreciate your testimony today, and I 
specifically wanted you on this panel because I knew you 
disagreed with the commission. I think it is important as you 
consider legislation that you hear from both sides. I 
appreciate your work on privacy. You and I can get together and 
we can push some of these bills through and we can get some 
passed this session, but there are a lot of other players out 
there, and I think in fact because it could be a short 
legislative session, it is going to be difficult, as the 
chairman said, to develop a consensus on an individual bill. 
But it is very important that this not be used as an excuse not 
to continue passing some privacy regulations or some privacy 
initiatives.
    I see this as complementary. If you passed everything on 
your wish list, Mr. Plunkett, this year, I still think we need 
a privacy commission, because you still have on-line privacy 
issues, you have developing technology, you have got new 
criminals out there that create new methods of invading 
someone's privacy. So I think that we need to see how the laws 
that we passed are going to work, we need to see how the FTC 
and the other regulations that are being considered on 
financial privacy, how they are working out there, and that is 
part of the function of this commission, to see what 
supplementary we need to do.
    For example, Mr. Plunkett, I mean there is the opt-in, opt-
out question right now, am I correct?
    Mr. Plunkett. Oh, yes.
    Mr. Hutchinson. And so if there is not--I mean the 
regulations that are going to be adopted are going to be under 
the--where you have to specifically opt out, is that correct?
    Mr. Plunkett. In some cases. In other cases it won't be 
allowed, yes.
    Mr. Hutchinson. So if you want to change that, unless we 
pass some legislation, the commission would have to look at 
that.
    Now, I think the debate was whether we should even look at 
that at all, because it is already under consideration by an 
ongoing regulatory body, and I think that is a fair 
consideration we need to talk about some more. But regardless 
of what we pass, I see the need for a commission to look at the 
new challenges in the future, and to look at it comprehensively 
rather than just sectorially, what are we doing in financial 
privacy, what are we doing in health care records and what are 
we doing with on-line. It intersects and cross-sections each 
other. So that was the purpose of it.
    I know that was a little bit of a speech----
    Mr. Plunkett. After my speech, you have a right.
    Mr. Hutchinson. So thank you again, Ms. Parker and 
gentlemen, for your testimony today. I yield back, Mr. 
Chairman.
    Mr. Horn. I thank the gentleman very much. I hear the 
gentlewoman from New York has one question.
    Mrs. Maloney. Mr. Chairman, I have another item that really 
came out of the Banking Committee and I would like to ask Mr. 
Hutchinson for clarification. I would like to see it in this 
bill, and I am waiting to see the final language, but I am not 
against this bill and will probably support it.
    But one thing that we were very concerned about is that 
each State is different in their financial services, very 
different. So States wanted the freedom to come forward with 
stricter provisions and insurance or privacy or banking or 
their own special needs, and in your bill, do you see that this 
would not in any way hinder the ability for States to go 
forward with stricter provisions?
    Mr. Hutchinson. No. The commission will have to look at 
what the States have done, consider their approach, and 
consider whether you want to have a comprehensive Federal 
approach, or where you have a Federal floor which is 
supplemented by the States.
    Mrs. Maloney. That is what we supported in Banking.
    Mr. Hutchinson. And that would certainly be my inclination, 
but that is something that the commission would have to debate.
    Mrs. Maloney. Thank you.
    Mr. Horn. I thank the gentlewoman. I would like to thank 
the staff on both sides. Let me just go down the line. The 
staff director, chief counsel for the House Subcommittee on 
Government Management is Russell George; the counsel next to me 
for this particular hearing is Ms. Bailey; Bonnie Heald, 
director of communications back there; and Bryan Sisk, clerk; 
and Ryan McKee, staff assistant; Michael Soon, intern; and Mr. 
Turner's counsel is Trey Henderson, counsel; and Jean Gosa, 
minority clerk; and Julie Bryan is our faithful court reporter. 
So thank you very much for being with us.
    With that, we are adjourned.
    [Whereupon, at 12:20 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T0436.073

[GRAPHIC] [TIFF OMITTED] T0436.074

[GRAPHIC] [TIFF OMITTED] T0436.075

[GRAPHIC] [TIFF OMITTED] T0436.076

[GRAPHIC] [TIFF OMITTED] T0436.077

[GRAPHIC] [TIFF OMITTED] T0436.078

