[Senate Hearing 107-]
[From the U.S. Government Publishing Office]


                                                      S. Hrg. 107- 990
 
                         FINANCIAL PRIVACY AND
                          CONSUMER PROTECTION

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                   BANKING,HOUSING,AND URBAN AFFAIRS
                          UNITED STATES SENATE

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                                   ON

  THE GROWING CONCERNS OVER THE WAY CONSUMERS' PERSONAL AND FINANCIAL 
  INFORMATION IS BEING SHARED OR SOLD BY THEIR FINANCIAL INSTITUTIONS

                               __________

                           SEPTEMBER 19, 2002

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs






                       U.S. GOVERNMENT PRINTING OFFICE
90-808                      WASHINGTON : 2003
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001






            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                  PAUL S. SARBANES, Maryland, Chairman

CHRISTOPHER J. DODD, Connecticut     PHIL GRAMM, Texas
TIM JOHNSON, South Dakota            RICHARD C. SHELBY, Alabama
JACK REED, Rhode Island              ROBERT F. BENNETT, Utah
CHARLES E. SCHUMER, New York         WAYNE ALLARD, Colorado
EVAN BAYH, Indiana                   MICHAEL B. ENZI, Wyoming
ZELL MILLER, Georgia                 CHUCK HAGEL, Nebraska
THOMAS R. CARPER, Delaware           RICK SANTORUM, Pennsylvania
DEBBIE STABENOW, Michigan            JIM BUNNING, Kentucky
JON S. CORZINE, New Jersey           MIKE CRAPO, Idaho
DANIEL K. AKAKA, Hawaii              JOHN ENSIGN, Nevada

           Steven B. Harris, Staff Director and Chief Counsel

                Linda L. Lord, Republican Staff Director

                        Dean Shahinian, Counsel

                   Daris D. Meeks, Republican Counsel

                  Mark F. Oesterle, Republican Counsel

             Sarah E. Dumont, Republican Professional Staff

   Joseph R. Kolinski, Chief Clerk and Computer Systems Administrator

                       George E. Whittle, Editor

                                  (ii)







                            C O N T E N T S

                              ----------                              

                      THURSDAY, SEPTEMBER 19, 2002

                                                                   Page

Opening statement of Chairman Sarbanes...........................     1

Opening statements, comments, or prepared statements of:
    Senator Shelby...............................................     2
    Senator Stabenow.............................................     3
    Senator Akaka................................................    26
    Senator Corzine..............................................    27
    Senator Carper...............................................    41

                               WITNESSES

William H. Sorrell, Attorney General, The State of Vermont.......     4
    Prepared statement...........................................    46
Fred H. Cate, Professor of Law, Indiana University School of Law.     8
    Prepared statement...........................................    53
John C. Dugan, Partner, Covington & Burling; on behalf of the 
  Financial Services Coordinating Council........................    11
    Prepared statement...........................................    57
Mike Hatch, Attorney General, The State of Minnesota.............    14
    Prepared statement...........................................    62
James M. Kasper, Member, House of Representatives, The State of 
  North Dakota...................................................    17
    Prepared statement...........................................    65
Phyllis Schlafly, President, Eagle Forum.........................    21
    Prepared statement...........................................    69
Edmund Mierzwinski, Consumer Program Director, U.S. Public 
  Interest Research Group; on behalf of: Consumer Action, 
  Consumer Federation of America, Consumer Task Force on 
  Automotive Issues, Consumers Union, Electronic Privacy 
  Information Center, Identity Theft Resource Center, 
  Junkbusters, Inc., Privacy Rights Clearinghouse, Private 
  Citizen, Inc., and U.S. Public Interest Research Group.........    23
    Prepared statement...........................................    72

                                 (iii)


                         FINANCIAL PRIVACY AND



                          CONSUMER PROTECTION

                              ----------                              


                      THURSDAY, SEPTEMBER 19, 2002

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.

    The Committee met at 10:07 a.m. in room SD-538 of the 
Dirksen Senate Office Building, Senator Paul S. Sarbanes 
(Chairman of the Committee) presiding.

         OPENING STATEMENT OF CHAIRMAN PAUL S. SARBANES

    Chairman Sarbanes. The hearing will come to order.
    This morning, the Committee meets to hear testimony on the 
issue of financial privacy and consumer protection. At the very 
outset, I want to acknowledge the interest and the contribution 
which Senator Shelby has made regarding this issue and I am 
pleased to be working with him on it.
    Senator Shelby. Thank you, Mr. Chairman.
    Chairman Sarbanes. During the past few years--even longer, 
actually--there have been growing concerns over the way 
consumers' personal and financial information is shared or sold 
by their financial institutions. In 1999, when we did the major 
revision of the structure of the financial industry, after 
considerable debate, we enacted certain Federal privacy 
protections, although many perceived them as not to be fully 
adequate to the challenge, and therefore, financial privacy 
remains a critical issues.
    The amount of sensitive personally identifiable financial 
information that, under current Federal law, can be circulated 
is vast. It includes savings and checking account balances, 
certificates of deposit maturity dates and balances, any check 
which an individual writes, any check that is deposited into a 
customer's account, stock and mutual fund purchases and sales, 
life insurance payouts, and other data. The universe of 
consumer data that the financial institutions can collect, 
warehouse, and then either share or sell is 
increasingly growing, some think at a very rapid pace. Modern 
technology makes this sharing cheaper, quicker, and easier than 
ever before. I think the real issue is that much of this is 
done without the knowledge or the approval of the customer 
regarding the specific information being transferred or the 
specific affiliated or nonaffiliated company to whom it is 
either being sold or shared.
    Financial privacy is in many respects a fundamental right 
that all consumers should enjoy. And obviously, if that is the 
case, if it is not adequately protected, we can have abuses.
    Recent reports and surveys indicate the public's ongoing 
concerns. Dr. Alan Westin of Columbia University, who heads 
Privacy and American Business, wrote this year: ``Both on and 
off the Internet, consumers are more concerned about privacy 
today than they have been at any point over the past 2 years.'' 
A survey published this year by that group and sponsored by the 
AICPA and Ernst & Young found that 79 percent of respondents 
agreed with the statement: ``Consumers have lost all control 
over how personal information is collected and used by 
companies.'' The same survey found that the number of 
respondents who disagreed with the statement: ``Existing laws 
and organizational practices provide a reasonable level of 
protection for consumers today.'' That was the statement, that 
existing laws and practices provided a reasonable level of 
protection. The number disagreeing with that statement has gone 
from 38 percent in 1999 to 62 percent in 2001.
    We obviously need to address the issue of whether consumers 
should have the right to choose whether his or her bank or 
other financial institution may circulate private financial 
information to others for purposes that the consumer may never 
have originally intended.
    At today's hearing, we will hear testimony with respect to 
a number of questions: Do consumers continue to be concerned 
about their financial privacy, the privacy of nonpublic 
personally identifiable data held by financial institutions? 
What types of concerns do consumers have about the possible 
uses of their financial information? Are the minimum financial 
privacy protections in Federal law adequate to meet the 
consumer's concerns? What recommendations would panelists make 
to the Committee regarding financial privacy protection?
    We have a number of very able witnesses with us this 
morning. In a sense, I apologize for the breadth of the panel, 
but we had many people that we wanted to hear from. I think 
what I will do, in view of that, is I will introduce each 
witness as we come to them, rather than introducing them all 
here at the outset because, by the time we get to the last 
witness, they may have forgotten what was said about them.
    [Laughter.]
    So before I begin the process of going to the witnesses, we 
thank all of you for coming today, we very much appreciate your 
participation, I yield to my colleagues for any opening 
remarks.
    First, I turn to Senator Shelby.

             STATEMENT OF SENATOR RICHARD C. SHELBY

    Senator Shelby. Thank you, Mr. Chairman. Thank you for 
calling this hearing. And I also want to thank you for your 
long-time interest and work in this area. We worked together on 
a number of initiatives dealing with financial privacy and I 
believe we will continue to work those issues because the more 
I see and talk to the American people, most of them do not 
realize what is going on yet. But they are learning. And 
hearings like this certainly help.
    Mr. Chairman, the subject of financial privacy is one that 
is very important to all of us and requires the Committee's 
thorough consideration, as you realize.
    I want to thank the witnesses for taking the time to come 
here to share their views and experiences with us. And I look 
forward to hearing from all of you.
    This issue of privacy is not a new one. In one way or 
another there has been an ongoing debate about privacy since 
the founding of this country. However, the issue has clearly 
evolved over time as a range of specific incidents and general 
trends have raised public concerns about new or different 
threats to our privacy. Where once only the Government 
possessed the ability to obtain and the means to exploit vast 
amounts of personal data, technology now makes it possible for 
just about anyone to collect, to store, to sell, or to do just 
about anything that they want to with a lot of our private 
items.
    I believe that the existence of such capabilities requires 
that we carefully, here in the Congress, examine the pros and 
cons of its use relative to the disclosure of personal 
information. Furthermore, as we move forward, I think it is 
extremely important that we continue to pay close attention to 
the significant role that technological capability is going to 
play in this debate. Consumer and industry demand for faster 
and more reliable information exchange is only going to 
increase. As technological capabilities are expanded to keep 
up, new and unforeseen issues concerning the use of sensitive 
personal financial information I believe will continuously 
arise.
    While it may not be possible to develop rules that deal 
with every possible scenario involving the use of confidential 
financial information, I believe the American people will 
demand that we establish some basic principles that will guide 
our future efforts.
    In order to do this I believe that it is important for this 
Committee, the Banking Committee, to draw from a broad range of 
perspectives in considering the basic questions regarding the 
various Federal laws touching on financial privacy. For 
instance: Are such laws effective? Are they targeted to 
consumer concerns? Do consumers even understand them? I am 
going to ask that again: Do consumers even understand them? Are 
they in sync with today's marketplace? What restrictions do 
they place on business activity?
    Additionally, in light of the fact that the States play an 
important role in this area, I think it is also essential for 
us to gain a better understanding of their efforts and to 
consider some basic questions about their activities. For 
instance: Do State officials have a greater perspective or 
awareness regarding the trends or concerns about financial 
privacy? What value is provided by preserving a State 
legislative role, thanks to Senator Sarbanes? What value is 
provided by preserving strictly a State enforcement role? How 
does State activity impact the financial services industry?
    It is my hope that this is just the first, Mr. Chairman, of 
what I hope are a whole series of opportunities to consider 
this issue. I look forward to a productive and informative 
dialogue here and I thank you for this hearing.
    Chairman Sarbanes. Thank you very much, Senator Shelby.
    Senator Stabenow.

              STATEMENT OF SENATOR DEBBIE STABENOW

    Senator Stabenow. Thank you, Mr. Chairman. And to you and 
to Senator Shelby, thank you for your leadership.
    I think this is one of the most important issues that we 
face as we move forward at this time, and I appreciate the fact 
that we have so many people willing to share their expertise 
with us today.
    This is a topic that, in our increasingly sophisticated 
world, is one that consumers are extremely concerned about, as 
has been indicated. We know that our financial decisions can be 
recorded, analyzed, shared, and sold, and consumers want to 
know that they have a basic level of privacy. We all want to 
know that we have that basic level of privacy.
    When we passed the privacy provisions of Gramm-Leach-
Bliley, we were breaking new ground. We gave the public a 
certain degree of control, but not as much as many would have 
liked. And since the Act was passed in 1999, the regulators 
have had the opportunity to set standards, as we know, and 
financial institutions have been complying with the law.
    Now it is appropriate to reflect on that legislation and 
how it is being implemented and where we should go from here. 
Is it sufficient? Is it being implemented effectively? As 
Senator Shelby said, do consumers really understand their 
privacy rights? Are the annual financial privacy disclosures 
effective or simply thrown away with all of the other things 
that come in the mail? What are regulators doing to make sure 
that these disclosures meet the spirit of the law?
    I also believe it is important to look at States, as 
Senator Shelby was mentioning. I know there have been a number 
of serious debates going on in States. In particular, there has 
been a lot of focus on North Dakota and California. I suspect 
the discussions will continue, from Sacramento to my hometown 
of Lansing, Michigan, to Annapolis, all across the country, 
this will become more and more of a debate and discussion, as 
it should.
    So, Mr. Chairman, thank you again for what I think is a 
very important hearing. I hope this helps us lay a foundation 
as we move into the next Congress to focus on this issue, which 
I know is of deep, deep concern to the American public.
    Chairman Sarbanes. Thank you very much, Senator Stabenow.
    We will now turn to our panel. We will first hear from 
Attorney General William Sorrell, who has been the Attorney 
General of the State of Vermont since 1997. Attorney General 
Sorrell is the Vice President of the National Association of 
Attorneys General and Co-Chair of its Consumer Protection 
Committee. Earlier, he served as Vermont's Secretary of 
Administration.
    Mr. Attorney General, we are very pleased to have you here.

                STATEMENT OF WILLIAM H. SORRELL

             ATTORNEY GENERAL, THE STATE OF VERMONT

    Mr. Sorrell. Thank you very much.
    Chairman Sarbanes. I think if you pull that microphone 
close to you, it will be helpful to all of us.
    Mr. Sorrell. Good morning.
    Chairman Sarbanes. That is better, yes.
    Mr. Sorrell. Thank you for inviting me to speak with you 
today on the important issue of financial privacy.
    The State Attorneys General are grateful for the work of 
this Committee on this important consumer issue and we 
especially want to commend Chairman Sarbanes and Senator Shelby 
for working so hard to address these issues in a bipartisan 
fashion.
    As this panel of witnesses demonstrates, concerns about the 
privacy of consumers' financial information is neither a 
Democratic issue, nor a Republican issue. It is not a liberal 
issue, nor a conservative issue. Rather, it cuts across 
traditional party and philosophical lines to touch all of us 
who are concerned about protecting our citizens.
    The Chairman did indicate that I am the Vice President of 
the National Association of Attorneys General. But I want to 
make clear for the record that I am here for myself and 
representing my Office of Attorney General for the State of 
Vermont.
    I am not here purporting to speak for the entire National 
Association of Attorneys General.
    Chairman Sarbanes. As they say on those ads that they put 
in the paper when they get all those academics to sign and give 
their institutions, just for the purpose of identification.
    [Laughter.]
    Mr. Sorrell. Thank you very much, Mr. Chairman.
    [Laughter.]
    Along with my esteemed colleagues on this panel, I am here 
today to tell you that the privacy provisions of Gramm-Leach-
Bliley are not working. Although this Committee worked hard to 
enact provisions to eliminate the abusive practices that were 
uncovered by the State Attorneys General in 1999, in fact, 
these practices are continuing largely unabated.
    I strongly recommend that this Committee undertake a 
thorough examination of the effects of Gramm-Leach-Bliley and 
the related regulations implemented by the Federal regulators 
in order to determine whether the law, as interpreted by the 
Federal agencies, carries out your intent. I believe you will 
find that it does not do so. I also believe you will want to 
enact strong provisions to correct problems that have arisen 
under Gramm-Leach-Bliley.
    What are some of these problems that consumers are facing?
    First and foremost, the unfortunate telemarketing practices 
that were uncovered in 1999, by Minnesota Attorney General 
Hatch are continuing. The U.S. Bancorp case demonstrated that 
major financial institutions were facilitating abusive 
telemarketing by selling their customers' account numbers and 
other nonpublic personal 
financial information to vendors, who then turned around and 
sold consumers memberships in travel clubs, gardening clubs, 
esoteric insurance products, often through improper use of 
information provided by the financial institution.
    This Committee wanted to put a stop to such practices, and 
so prohibited financial institutions from sharing account 
numbers. But the Federal agencies responsible for interpreting 
the law allow financial institutions to share or sell encrypted 
account numbers or other unique identifiers, thereby giving the 
telemarketers essentially the same access to consumers' 
accounts as before.
    So just as was the case prior to Gramm-Leach-Bliley, an 
eager telemarketer, paid on commission, is able to convert a 
consumer's ambiguous statement of interest into a purchase. The 
telemarketer simply informs the financial institution that a 
charge should be processed on that consumer's account. The 
telemarketer doesn't need the actual account number because the 
bank will convert the encrypted number or unique identifier 
into the account number for processing the charge. The consumer 
doesn't know how the charge appeared on her account since she 
never gave out her account number. In many instances, she 
doesn't even know she made a purchase.
    This Committee should undertake a thorough investigation of 
these continuing abusive telemarketing practices and afford 
greater protection to consumers in this regard.
    Gramm-Leach-Bliley is also not working because the notices 
required under the law are fundamentally incomprehensible to 
too many consumers. My written testimony fully covers the 
surveys and studies that demonstrate the dense writing of these 
notices, as well as the correspondingly high reading levels 
required to understand them.
    I thought, and with the Committee's indulgence, that I 
might just take a moment to read just one paragraph from one of 
these notices. This should serve to give the Committee a flavor 
of what consumers face in trying to decipher these notices and 
the excerpt I will read is from the American Bankers 
Association model, Gramm-Leach-Bliley privacy policy notice, 
that it sent out to its members for use in their notices.
    And in that notice, and I believe the average American 
household received roughly eight or more of these notices, 
under the heading, What Information We Disclose, if you get 
down in the body of the notice, here is what you find:

    We may disclose nonpublic personal information about you to 
the following types of ``affiliates'' (i.e., companies related 
to us by common control or ownership) and ``nonaffiliated third 
parties'' (i.e., third parties that are not members of our 
corporate family). Financial service providers, such as 
mortgage bankers, security brokers-dealers, and insurance 
agents. Nonfinancial companies, such as retailers, direct 
marketers, airlines and publishers. And others, such as 
nonprofit organizations.
    If you prefer that we not disclose nonpublic personal 
information about you to such nonaffiliated third parties [with 
respect to this loan or account], you may opt-out of those 
disclosures, that is, you may direct us not to make those 
disclosures (other than disclosures permitted by law). If you 
wish to opt-out of disclosures to nonaffiliated third parties, 
you may call the following toll-free number.

    I hope I have made my point.
    It stretches credulity to think that average consumers can 
readily work their way through these obtuse notices and reach a 
basic understanding of their rights to control the sharing of 
financial information. And then to make informed choices in 
this regard.
    This is exactly why the Attorneys General of 44 of the 
States and territories recently called on the Federal 
regulatory agencies to 
create standard notices to require much simpler language so 
that consumers can more readily understand the notices.
    This Committee should give serious consideration to 
requiring standard privacy notices similar to the nutritional 
notices that are required in the Federal Nutritional Labeling 
and Education Act.
    This Committee had the wisdom to ensure that States would 
have the authority to go further than Gramm-Leach-Bliley to 
enact more protective laws governing financial privacy.
    We hope the Committee will continue to allow States to 
protect their citizens as they see the need to do so. Indeed, 
several States had enacted more protective laws governing 
financial privacy prior to the adoption of Gramm-Leach-Bliley. 
Because consumers continued to be very concerned about the 
protection of their personal financial information, States have 
continued to adopt laws that are more protective than Federal 
law.
    Currently, there are six States that have enacted laws that 
require some form of opt-in before financial information can be 
shared by banks, and 14 States have enacted laws that require 
some form of consumer consent before financial information can 
be shared by insurance companies.
    As my co-panelist, Representative Kasper, will describe, 
North Dakota voters recently adopted a referendum reversing the 
State legislature's repeal of that State's opt-in law, thereby 
putting that State's banking opt-in law back on the books. In 
addition, two California localities, San Mateo County and Daley 
City, have recently adopted ordinances requiring affirmative 
consumer consent before financial information may be shared.
    These State and local laws are a reaction to the problems 
associated with Gramm-Leach-Bliley and an effort by these 
governments to exercise the power given them by this Committee 
under Section 507, to provide consumers with protections 
greater than those afforded under Federal law.
    The sharing of financial information among corporate 
affiliates remains another real concern. Should a consumer who 
opens an account with Citibank, for example, expect that, for 
purposes of ``preacquired account marketing,'' her account 
number will be shared with Travelers Insurance or any of the 
other 2,761 affiliates within Citigroup? The number and the 
breadth of affiliates currently associated with some of the 
country's major financial institutions is truly astounding.
    In addition to the Citigroup's 2,761 affiliates, the web 
site of the Federal Reserve lists 1,476 corporate affiliates 
for Bank of America, and 871 affiliates for KeyCorp, which is 
considered to be a mid-size bank.
    A perusal of these corporate affiliate lists demonstrates 
that these holding companies appear to be involved in widely 
disparate activities, including insurance, securities, 
international banking, real estate holdings and development, 
and equipment leasing.
    So a consumer holding a credit card with the lead bank or 
an insurance policy with a major insurer in any of these 
affiliate groups would not expect that his or her account 
number would be spread throughout the corporate affiliate 
structure for the purpose, not of servicing the consumer 
better, but of marketing products to the consumer.
    This Committee should require that financial institutions 
give consumers an effective choice before nonpublic personal 
financial information can be shared among affiliates.
    Moreover, the Congress should direct that the standard 
financial privacy notices to be created by the Federal 
regulatory agencies contain a standard format for information 
about affiliate-sharing practices and consumers' choices to 
prevent such sharing.
    Mr. Chairman, I referred to the following documents* in my 
written and oral testimony. I would like to have them submitted 
into the record: Affiliate lists for Bank of America, 
Citigroup, and KeyCorp; a report from my office and our 
Department of Banking and Insurance; an interim report to the 
Vermont legislature on financial privacy; the final of such 
report; and the American Bankers Association sample privacy 
notice. I hope those and my written testimony will be accepted 
into the record.
---------------------------------------------------------------------------
    *Held in Committee files.
---------------------------------------------------------------------------
    Chairman Sarbanes. They will be held in Committee files.
    Mr. Sorrell. Thank you very much for this opportunity.
    Chairman Sarbanes. Thank you very much. We very much 
appreciate hearing from you.
    We will now turn to Fred Cate, Professor of Law at the 
Indiana University School of Law in Bloomington, Indiana, and a 
Senior Policy Advisor at the Hunton & Williams Center for 
Information Policy Leadership.
    Professor Cate.

                   STATEMENT OF FRED H. CATE

                        PROFESSOR OF LAW

                INDIANA UNIVERSITY SCHOOL OF LAW

    Dr. Cate. Thank you very much, Mr. Chairman, distinguished 
Members of the Committee. I appreciate the opportunity to be 
here.
    I should offer the same qualification as my distinguished 
colleague, which is, of course, that my comments do not reflect 
the views of Indiana University.
    One would like to think that the University would have the 
good sense that they would.
    [Laughter.]
    But in any event, the University would want me to clarify 
that they do not necessarily.
    There is much to say, but I will do my best to limit myself 
to four points and try to make those as briefly as possible.
    First, there is no doubt but what consumers are concerned 
about financial privacy. It seems like there is no room to even 
debate that question. I think the issue is what do we make of 
that concern and what would this Committee and the Congress do 
in response to that concern?
    I, for one, do not find that concern tremendously 
surprising. Consumers should be concerned about financial 
privacy. They should be concerned about privacy in many areas 
because, frankly, many of the most effective and, in some 
cases, the only effective, steps to protect an individual's 
privacy are individual actions. They are not protections 
afforded by law. They are not protections afforded by policies 
or technologies, but, rather, the things that an individual 
himself or herself will do.
    So given that we have just had a deluge, twice now, of more 
than two billion privacy notices, given the attention given 
this issue in the press, it would, I think, be surprising if 
there weren't consumer concern about this issue, and I think 
that concern is largely healthy.
    Clearly, it is not healthy to the extent that it represents 
lack of knowledge about either banking practices or the law, 
and I will 
return to this in my conclusion.
    Second, in addition, however, to looking at the presence of 
consumer concern, we also have to look at consumer action. And 
what we know is that in response to tens of thousands of 
financial institutions, mailing billions of privacy notices, 
the opt-out rates seem to be consistently less than 5 percent. 
Many institutions report opt-out rates of 1 percent or less.
    This is true, by the way, not only in financial privacy. 
This is true with the FCRA opt-out provisions. This is true for 
the DMA's opt-out provisions. This is true for many companies 
that report what their specific industry opt-out rates are. A 
low response rate is very consistent.
    So before encouraging the Congress to adopt new laws or 
more restrictive privacy laws, it seems important to first 
understand why consumers aren't taking advantage of the rights 
that they currently have under existing law. Before giving new 
rights, why are the current rights not being used?
    Third, another reason for concern about going forward with 
more restrictive privacy laws on either the State or Federal 
level is, of course, that information serves many valuable, 
irreplaceable functions in this economy and in the society.
    This point seems so obvious that I do not want to belabor 
it here. It has been much written about. And probably the most 
articulate spokespeople coming from the Federal Reserve Board. 
Let me just offer one quote from Governor Gramlich: 
``Information about individual's needs and preferences is the 
cornerstone of any system that allocates goods and services 
within an economy.'' The more such information is available, 
``the more accurately and efficiently will the economy meet 
those needs and preferences.''
    This seems particularly true in the case of affiliate-
sharing. The number of affiliates which have been referred to 
certainly could give one pause. But I think it is worth noting 
that research shows that companies do not create affiliates 
just for the opportunity to create affiliates, that affiliate 
relationships are often driven by tax or liability issues, by 
regulatory requirements, by any number of State licensing 
issues.
    The question then of whether affiliate-sharing of 
information should be permitted or restricted would 
necessarily, if made a legal issue, require that companies 
describe in detail their affiliate relationships to their 
customers.
    It is difficult to imagine how even the best-intentioned 
privacy notice, if required to describe those relationships in 
detail, could ever be comprehensible to anybody, to anybody 
here or to anyone likely to receive those notices.
    Interfering with those benefits of information flows, of 
course, impose costs on consumers. There are also additional 
costs, however, imposed by privacy laws, and I think this 
Committee is well aware of and I think that this is very 
relevant to the question of whether more restrictive privacy 
laws seem appropriate.
    We know that the cost of complying with Gramm-Leach-Bliley 
has been measured in the range of $2 to $5 billion a year for 
financial institutions, cost that are, of course, passed on, 
either to the customers directly or to shareholders, and 
indirectly to customers.
    These costs, however, are much greater. Experience and 
research in this area are consistent and, without exception, 
show that costs are much greater when a privacy law imposes a 
greater restriction on information-sharing, for example, opt-
in. In fact, most of the available research on opt-in statutes 
in practice show that if they require contacting a consumer 
after the consumer has engaged in the transaction, after the 
consumer has opened the account, after the consumer has sought 
service, an opt-in statute effectively works as a ban on 
information flows that, in practice, the result is no consent 
and no opportunity to share information.
    I want to be clear, however.
    I think that those costs should be measured not only in 
dollars, but also would encourage the Committee and would 
direct the Committee's attention to the other types of costs 
that that can impose. And here research is particularly 
informative.
    Even a subject like informing consumers about 
opportunities, marketing, which seems to meet with very little 
support in any public forum today, nevertheless, is of obvious 
importance to many consumers and especially those less likely 
to have, for example, 
financial advisors, less likely to be well-endowed financially.
    We know, for example, that greater information restrictions 
disproportionately affect poor and also people located away 
from urban centers. This, of course, is also especially true 
with opt-in.
    I have mentioned in my written testimony and I will not 
belabor now a case study that economist Michael Staten and I 
did of just one financial institution, MBNA Corporation, and 
what the cost of opt-in would be on MBNA's customers. Those 
costs are significant and I would encourage the Committee to 
pay close attention to the consistent evidence of how great 
those costs can be, especially since, to use MBNA's numbers for 
the period of the case study, 2000 to 2001, fewer than one 
quarter of 1 percent of MBNA customers had opted out. So 
imposing any additional costs, given that fewer than one 
quarter of 1 percent had found the protection necessary, would 
seem dubious, at best.
    Remember, and I will quote here Alabama Attorney General 
Bill Pryor, it is customers and individuals who ultimately 
``pay the price of either higher prices for what they buy or in 
terms of a restricted set of choices offered them in the 
marketplace, for restrictive privacy laws.''
    Finally, I think it is important to keep in mind the larger 
context in which this debate is taking place.
    Gramm-Leach-Bliley passed in 1999 and notices were required 
to be mailed, the first set, by July 1, 2001. Only 14 months 
has passed during that time and we have seen significant 
changes and developments that would strike me as very positive 
in that time.
    While the issue of consumer confusion has already been 
noted, I think it is important here to return to the question 
of why notice is needed to be improved, why the developments of 
the past 14 months, in fact, warrant approval rather than 
disapproval from this Committee.
    Remember the law itself is very complex. If you have ever 
tried to explain it to anyone, you appreciate how complex the 
law is. The terms used, for example, in the ABA model notice 
that was previously read, largely came from the law and from 
the implementing regulations.
    If you want simple requirements to be explained to 
consumers, you will have to enact simple requirements. And in 
this area, that is very, very difficult. So, for example, 
distinctions between consumers and customers, which are so 
important to the law, do not make much sense to ordinary 
people. It is difficult to understand these.
    It should also be noted that clarity seems to be very much 
in the eye of the beholder.
    I had the experience on June 18, 2001, of appearing before 
the California General Assembly Committee on Banking and 
Finance, where the Committee Chairman lauded American Express 
for the clarity of its notice. In fact, he passed out copies to 
everyone in the audience, so, as he said, industry 
representatives could live up to the model set by American 
Express.
    Three weeks later, on July 9, 2001, USA Today cited 
American Express' notice as one of the least comprehensible it 
had read.
    There is much going on. There are market responses. We are 
seeing banks and other financial institutions offering privacy-
related cards and other privacy-related services. We are seeing 
the quality of notices being improved, the Federal Trade 
Commission working to improve that quality. We are seeing new 
types of privacy protections, many from the States, such as do-
not-call lists.
    In the absence of evidence of harms not being addressed by 
the current law, not just Gramm-Leach-Bliley, but the full 
range of Federal and State financial privacy laws, it seems 
inappropriate, or at least premature, to move forward with more 
restrictive privacy requirements.
    Thank you.
    Chairman Sarbanes. Thank you very much, sir.
    Now, we will hear from John Dugan, appearing today, I think 
it is fair to say, actually, representing the Financial 
Services Coordinating Council. I do not know that we will need 
a disclaimer here.
    Mr. Dugan. No disclaimer.
    Chairman Sarbanes. The Council includes the American 
Bankers Association, the American Council of Life Insurers, the 
American Insurance Association, and the Securities Industry 
Association. Mr. Dugan is a partner at Covington & Burling, 
here in town, and I must note, previously worked here on the 
Banking Committee staff as Minority General Counsel when 
Senator Garn was a Member of the Committee.
    We are very pleased to hear from you, Mr. Dugan.

                   STATEMENT OF JOHN C. DUGAN

                  PARTNER, COVINGTON & BURLING

                        ON BEHALF OF THE

            FINANCIAL SERVICES COORDINATING COUNCIL

    Mr. Dugan. Thank you, Mr. Chairman, and Members of this 
Committee. It is a pleasure to be back here today.
    As you said, I represent the Financial Services 
Coordinating Council, and this organization represents 
thousands of large and small banks, insurance companies, and 
securities firms that, taken together, provide financial 
services to virtually every household in America. I have 
represented the FSCC on financial privacy issues since the 
organization was formed in late 1999.
    Every commercial privacy law strikes a balance between 
protecting the privacy interests of consumers and preserving 
the clear consumer benefits that arise from the free flow of 
information in the economy. While consumers expect limits on 
the disclosure of their information, they also expect companies 
to provide them with benefits that can only be obtained through 
information-sharing. For example, a long-time depositor in a 
bank wants and expects to receive a discount on a mortgage loan 
offered by a related mortgage company affiliate, and such 
``relationship discounts'' can only be provided through 
information-sharing. Privacy laws try to balance these 
competing consumer expectations.
    In terms of financial privacy, we believe that Congress 
struck the right balance in the Gramm-Leach-Bliley Act. 
Financial institution consumers now must be provided notice of 
practices regarding information collection and disclosure, opt-
out choice regarding sharing of information with nonaffiliated 
third parties, security in the form of mandatory policies, 
procedures, and controls, and enforcement of privacy 
protections via the financial regulatory agencies.
    By any measure compared to 3 years ago, consumers have much 
more meaningful information, choice, and security regarding 
their financial information.
    At the same time, the GLB Act appropriately allows 
financial institutions to share information for a variety of 
plainly legitimate purposes without consumer consent, for 
example, to carry out transactions requested by the consumer, 
to deter and detect fraud, to respond to regulators and 
judicial process, et cetera.
    The FSCC also continues to support Congress' decision to 
treat information-sharing by affiliates in the same manner as 
sharing within a single institution. In both cases, the opt-out 
requirement does not apply, as has already been stated. We 
think this decision reflected the fact that consumers are 
unlikely to distinguish between, for example, a community bank 
and its affiliated mortgage lending company. Instead, consumers 
expect that both affiliates are part of the same community 
banking organization where information is shared.
    Finally, we also continue to believe that Congress 
appropriately chose to provide consumers with the right to opt-
out of information-sharing with third-party commercial 
companies.
    But Congress also rightly chose to reject an opt-in 
approach, which deprives consumers of benefits from 
information-sharing, as Professor Cate just described. 
Consumers rarely exercise opt-in consent of any kind, even 
those consumers who would want to receive the benefits of 
information-sharing if they knew about them. In essence, an 
opt-in creates a default rule that stops the free flow of 
information, and that makes financial services more expensive 
and inefficient. In contrast, an opt-out gives privacy-
sensitive consumers just as much choice as opt-in, but without 
the default rule that denies consumer benefits.
    In terms of implementation, the Gramm-Leach-Bliley privacy 
provisions were enacted in 1999 and implementing regulations 
became effective just over a year ago. While tremendous 
progress has been made, this is still very much a work in 
progress.
    Nevertheless, the financial institutions and their 
regulators have received a minuscule number of customer 
complaints about the privacy provisions. For example, in 
response to a recent Freedom of Information Act request, the 
Federal Reserve reported that it had received only 25 privacy-
related complaints out of the 4,503 complaints in total that it 
received in 2001, or .0056 percent of the total, with similarly 
low numbers reported by all the other Federal bank regulators.
    Having said that, the FSCC recognizes that privacy notices 
constitute one area in which improvements can and should be 
made. This is by no means as easy as it sounds, however, 
because the notice requirements of the Gramm-Leach-Bliley Act 
are, in fact, quite detailed, as we just heard. The financial 
institution regulators tried very hard when they issued their 
regulations to simplify, including through the use of sample 
clauses, and they told institutions that a notice complying 
with the GLB Act could fit on a six-page, tri-fold brochure. In 
their first notices, financial institutions generally took this 
approach. But a six-page notice is not short, and terms from 
the sample clauses such as ``nonaffiliated third-party'' and 
the other terms that were quoted earlier this morning are the 
types of legalese that have been sharply criticized.
    To address these concerns, many institutions have tried to 
simplify the language used in their next round of notices. In 
addition, both financial institutions and their regulators are 
exploring a simplified, short-form version of the notice that 
would supplement, but not replace, the longer legal notice 
required by the Gramm-Leach-Bliley Act. The basic idea is to 
use simplified terms, be much less legalistic than the longer 
notice, keep the length to one page, and use common language to 
make it easier for consumers to compare policies.
    The FSCC is leading one of the short-form notice projects 
in which we have hired a well-known language expert, and we 
have nearly completed the initial drafting phase.
    Let me now turn to the misunderstanding about the amount of 
State legislative action that has occurred since passage of 
Gramm-Leach-Bliley.
    During this period, no State legislature has adopted a 
comprehensive financial privacy statute that has exceeded the 
obligations of the Gramm-Leach-Bliley Act. Nearly 40 States did 
consider such privacy legislation in 2000, the year after the 
law passed, but no such statute was enacted. About half that 
number revisited the issue in 2001, again without final action. 
And this year, only California has come close to enacting a new 
law. But for the third time in 3 years, the legislature has 
chosen not to do so.
    We recognize the initiative in North Dakota which we will 
hear about and the action by regulators, but not legislatures, 
in New Mexico and Vermont. But taken together, these few 
actions simply do not constitute a groundswell of State action.
    The FSCC believes the States' diminished focus is due 
largely to an increased understanding that the Gramm-Leach-
Bliley protections are real and need some time to work, and 
that it is more complicated than it first seems to impose new 
restrictions without causing major unintended consequences.
    In terms of new Federal privacy legislation, we believe 
that any action that Congress considers should be targeted to 
specific harms rather than take the form of sweeping data 
protection restrictions. For example, if the harm to consumers 
that people care about most is identify theft or excessive 
telemarketing, then legislation should remedy these problems 
specifically and not impose broad restrictions on information-
sharing. The FSCC stands ready to work with public policymakers 
to address specific consumer harms.
    Let me emphasize, however, that the FSCC could not support 
any new financial privacy legislation that did not include 
Federal preemption to ensure a uniform national privacy 
standard. The FSCC also supports extending the FCRA provision 
that preempts State restrictions on affiliate-sharing, which 
would otherwise sunset by the end of 2003.
    Thank you. I would be happy to answer any questions.
    Chairman Sarbanes. Thank you, Mr. Dugan, for your 
testimony. We are pleased to have you back again with the 
Committee.
    Mr. Dugan. Thank you again, Senator.
    Chairman Sarbanes. We are now going to hear from Attorney 
General Mike Hatch, who has been the Attorney General of the 
State of Minnesota since 1998. He previously served in the 
1980's as Minnesota's Commissioner of Commerce, the primary 
regulator, as I understand it, of banks, insurance companies, 
securities, and real estate firms doing business in Minnesota.
    Attorney General Hatch, we are pleased to have you with us.

                    STATEMENT OF MIKE HATCH

            ATTORNEY GENERAL, THE STATE OF MINNESOTA

    Mr. Hatch. Thank you, Mr. Chairman. And I want to thank all 
of you for your leadership on this issue.
    I had the opportunity a couple of years ago to watch a 
hearing in the Minnesota legislature on the issue of privacy. 
The Wall Street Journal had covered it and pointed out that 
there were 58 lobbyists retained by a variety of different 
members of the financial industry, the telephone industry, 
HMO's, insurers, you name it. And they all piled in, and the 
pressure was immense. Both parties collapsed. They just caved 
in.
    I know that the pressure on you people is immense. I 
applaud you for your leadership and for your efforts here. It 
takes guts and courage and it is very refreshing to see that 
type of leadership in this country.
    So, I thank you very much.
    The question was raised about, gee, we have gotten all 
these notices. Why don't people understand them?
    I just want to point out, the first letter I received----
    Chairman Sarbanes. I think if he could bring it right up 
here next to the table.
    Senator Shelby. Bring it up inside.
    Chairman Sarbanes. Yes.
    Senator Shelby. That would help.
    Chairman Sarbanes. Come right on around.
    Senator Shelby. Up near the Senator.
    Chairman Sarbanes. Don't block--we want Senator Stabenow to 
see this easel, too.
    Yes, that is it.
    Senator Shelby. Okay.
    Chairman Sarbanes. Now if we put the things on. Good.
    Senator Shelby. That is better.
    Chairman Sarbanes. Are you okay, Debbie, with that?
    Senator Stabenow. I can see it better than you.
    [Laughter.]
    Chairman Sarbanes. All right. The panel's okay. So go 
ahead.
    Mr. Hatch. Mr. Chairman, Members of the Committee, the 
point was raised by the financial industry here that, we have 
all these notices out there. People do need to understand what 
is going on.
    So what is the beef ?
    All of these notices were sent to me from a former 
Congressman, Alec Olson, from the 1970's. He is now, I am 
guessing, 75 to 80 years of age. He says, ``What is all this 
garbage? I don't understand it.'' Now if a retired Congressman 
doesn't understand it, how do we expect that two-thirds of our 
senior citizens who are the subjects of the rip-off that occurs 
because of this financial fraud, which is targeted to seniors, 
how do we expect them to be able to discern these issues?
    We heard the Attorney General from Vermont read that 
disclosure statement, and in the end, what they did not say is, 
listen, regardless of what you do, we are going to share this 
with our affiliated institutions and we are going to use it in 
other ways as well. Even if you did read it and understand it, 
you would have to be a Wall Street lawyer to figure that out.
    Here is a letter that I got a kick out of it because it was 
after Gramm-Leach-Bliley. This lady had gotten a notice from 
General Motors Corporation and she says: ``What is this 
business about an opt-out? Why do I have to notify them? And I 
have been in the financial industries for almost 20 years. I 
find this unacceptable and a bit unbelievable.''
    Now what is significant, if you notice her name, she is 
from a leading investment bank in this country and she is in 
charge of their education. Look at her business card at the 
bottom. She did not know. And she thought it was unbelievable. 
Now if she doesn't know, and she is in charge of educating the 
members of that investment bank, how does that senior citizen 
know?
    Now if we go to the next exhibit, we will try to figure 
out, how do they know?
    This is actually before GLB. But let me assure you, the 
complaints in our office, we run a consumer division, the 
complaint load is higher than it was in the past. I do not 
attribute it to being higher because of GLB. I attribute it 
just that there is more increased abuse that goes on in a 
tighter--when employment gets a little rough, the economy gets 
cool, fraud tends to go up. It's the same thing. It hasn't 
changed.
    Two-thirds, again, still being targeted on seniors.
    This one is a Mr. Clinton--I do not know how to pronounce 
the last name--Sjosten, I guess. It is a Legal Aid lawyer 
writing this letter. He says that Mr. Clinton is 87 years old. 
He had a career as a janitor of a church. And he retired. He 
has been in a nursing home for 10 years. Telemarketers got that 
information from Montgomery Wards. They charged up $2,400 on 
him, an auto club membership. But he doesn't own a car. He 
hasn't had one for 10 years. A homeowner's warranty plan. But 
he doesn't own a home. He is in a nursing home. A dental plan. 
But he has no teeth.
    [Laughter.]
    Charged $2,400. And you ask, how can this be? How can we be 
so inhumane to our senior citizens that we allow this type of 
manipulation to go on? That is all he asks. I represented banks 
in private practice. I was a banking commissioner. Rural banks 
do not trade this information. They want it kept private. In 
our State, we have laws. I have represented companies. We have 
very strong common law, and I think it exists throughout the 
country, that says, listen, when you come into a bank with your 
business plan, if I am a business and I come in there with a 
business plan to get a loan, that bank cannot share it.
    Before Glass-Steagall in the 1920's, they would go out and 
distribute it. They would give it to their investment arm and 
then they would go steal the business, the idea, the trade 
secret, if you will, from the client. Well, that was shut down. 
The law is pretty clear. And banks know, you keep that 
confidential.
    But you know what? Under this GLB, you hear those notices 
that were read by the Attorney General? It said, your loan data 
is not public. With whom? What about the checks I write out as 
a business? What about the checks I receive? That is my 
customer list. That is a property right, for crying out loud. 
It is not only a liberty right, but also a property right.
    Somebody says, well, jeez, they won't respond in an opt-in. 
Yes, they will. Pay them.
    The financial banks--the people who are selling this stuff, 
our data, we are on about 300 lists each. This data is being 
traded around all over the place. And they sell it. They make 
money on it. Over 300 bucks a year, on average.
    Why don't they pay us a little royalty. You know how to get 
me to go sell my name? Give me some frequent flier miles, maybe 
I will do it. I do not know. Maybe some people will. But pay 
them. Don't hog it all for yourself.
    If it is a property right, why do we allow them to get away 
with it on an opt-out? Pay, and people will intelligently make 
a decision as to whether this property right will be given up.
    Do you know what will happen? Information will still flow. 
There will be companies that will sprout up that will engage in 
this. That is fine. That is called free enterprise. Why are we 
against that?
    Property rights. What about the personal liberty right? I 
go out and I give speeches and I ask them, please raise your 
hand if you have ever had a yeast infection, a hemorrhoid 
problem, filed for bankruptcy, bounced a check, had a mental 
illness, gone in for chemical dependency. I go through the 
whole routine. Please raise your hand. And there is a gasp.
    If you look at HIPPA, HIPPA is no better than GLB in terms 
of the opt-outs. Oh, we are going to have medical privacy. But 
then there is a little exemption that says, for telemarketing 
purposes, you are allowed to use it. Well, the exemption 
swallows the rule.
    All of this information is being traded. What about our 
right to define who we are? Thank God we did not have that type 
of information going when I was in my 20's. I wouldn't be 
sitting here at this table.
    [Laughter.]
    When you are in your 20's, you experiment with ideas, 
right? And thoughts. Your telephone company can sell the 
telephone numbers you have.
    What about search warrants?
    I, as a public official, cannot go pull your bank data 
without a search warrant without some probable cause because 
you have a reasonable expectation of privacy, right?
    Now, with these laws basically saying, you do not have a 
reasonable expectation of privacy, guaranteed there will be a 
day where a judge will say, because everybody else in the world 
can get this data, why can't the Government, too, without the 
search warrant?
    There is a very strong, compelling issue that is afoot here 
and it is not the bank's data. It is my data. That is the way 
it is in Europe. That is the way it is in other cultures. Most 
people think it is that way here. It is a reasonable 
expectation of why not--in most contracts we have in America, 
there is an offer and an acceptance. Where is the acceptance on 
an opt-out, to give up my private information? Why not just pay 
me for it? You would be amazed how many people will respond to 
a little money. That is okay.
    Now these are very important rights. It is a personal 
right. It is a property right. I applaud you for your courage 
in standing up on this issue and I wish you the best in getting 
a bill through.
    Thank you.
    Chairman Sarbanes. Thank you, Attorney General Hatch.
    We will now hear from Representative Jim Kasper, a Member 
of the North Dakota House of Representatives, who is very 
deeply involved in the referendum held earlier this year in 
North Dakota.
    As I understand it, I am sure that Representative Kasper 
will develop this, a statute had been passed that reduced the 
existing privacy rights under North Dakota law. It was taken to 
referendum by the citizens of North Dakota and overwhelmingly, 
the referendum was overwhelmingly passed, thereby negating the 
statute.
    Representative Kasper, we would be happy to hear from you.

                  STATEMENT OF JAMES M. KASPER

                MEMBER, HOUSE OF REPRESENTATIVES

                   THE STATE OF NORTH DAKOTA

    Mr. Kasper. Thank you, Chairman Sarbanes, and Members of 
the Committee.
    I want to comment before I start my testimony how much I 
agree with the three distinguished Senators and your opening 
remarks. You are right on. And the people of the United States 
are right on with you, as we found in North Dakota.
    I am a first-term representative in North Dakota. We have a 
part-time legislature in our State. We meet for 3 months every 
other year and then we go back to the real world of business.
    My background has been the insurance and financial 
securities business for my whole career. I even started that 
career in college as a senior to help support my newly gotten 
wife, who has been with me the 30-some years that we have been 
out of college.
    Little did I know when I came to the legislature of North 
Dakota that the bulk of my time in that freshman term would be 
spent battling the banks on the issue of privacy. But that is 
exactly what happened.
    North Dakota had a privacy law that was developed and 
enacted in 1985 at the bequest of the banks, and it allowed no 
affiliate and no nonaffiliate sharing of information. So 
private information was totally private. In 1997, our law was 
amended quietly at the request of the banks to allow affiliate-
sharing, probably in anticipation of Gramm-Leach-Bliley. So, we 
had that item in North Dakota law. We also had the bank 
loopholes, so to speak, in North Dakota law where banks 
marketed and continue to market insurance in small towns.
    I have competed with the financial services of the banking 
industry my whole career in North Dakota. So, I have an idea of 
what they do, how they compete, and what their strategies are.
    It is my understanding that the banking industry is being 
led in their battle to defeat privacy laws like North Dakota by 
the organization that is represented here today and by, I 
think, a financial roundtable organization, are the groups 
that--there is a focused 
effort, in my opinion, to stop the privacy laws from changing. 
And that is what happened in North Dakota.
    The banking industry had their bank law introduced into our 
State Senate, Senate bill 2191. That, in essence, repealed 
North Dakota banking law and adopted the Gramm-Leach-Bliley 
definitions of privacy.
    I want to share with the Committee and read what their 
arguments were, why the North Dakota legislature should pass 
their law and throw out our very protective privacy law. Here 
is what they said: ``North Dakota needs to pass Senate bill 
2191 to adopt Gramm-Leach-Bliley in North Dakota law so that we 
will be in compliance with Gramm-Leach-Bliley.''
    This Committee knows that that is a joke. They knew that 
that was a joke, but that was one of their strategies--
confusion.
    ``North Dakota will experience job loss if we do not pass 
Senate bill 2191.'' Now, you tell me how we are going to lose 
jobs, but their idea was the bank calling centers will pull out 
of North Dakota if you do not pass 2191. ``North Dakota will 
experience negative economic development if we do not pass 
Senate bill 2191.'' Businesses will not come to North Dakota 
because it will be too onerous to comply with old North Dakota 
privacy law.
    There is no cost at all to comply with North Dakota privacy 
law. The businesses go on doing what they do and their 
information is protected because one thing in North Dakota law, 
not only do we protect consumer privacy, but we also protect 
all privacy.
    So business transactions, ag transactions, nonprofit 
transactions are all private.
    ``We do not want North Dakota to be the only State in the 
Nation, an island, which has different privacy laws from other 
States.'' Obviously, as the Attorney General from Vermont 
stated, there are other States that have privacy laws like 
North Dakota. And as the legislators of the various States 
begin to realize what GLB privacy is all about, we are going to 
see more State legislators introduce laws. I know of two States 
right now that are contemplating, legislators who are 
contemplating initiating privacy protection laws like North 
Dakota's in their legislature in their next session.
    The most funny of all, ``If we do not pass Senate bill 
2191, the people of North Dakota may not be able to use their 
ATM's, credit cards, and their checking accounts.''
    In a recent trip to California, at the invitation of 
Senator Jackie Speier to work with the California assembly, 
most of the goal was to try to convince some Republicans to 
support Senator Speier's bill because that has become a 
partisan issue, which it should not be. These were their same 
arguments.
    So this is a national strategy that I submit is being 
utilized and orchestrated by the banking industry to stop 
privacy laws from being passed and to try to repeal a North 
Dakota law.
    Anyway, these arguments convinced my colleagues in both the 
House and the Senate to overwhelmingly, with between a 70 and 
80 percent vote, pass their bill. There were just a handful of 
us who attempted to stop that bill. Two of us were freshmen 
legislators, and you know how much credibility freshmen have 
any place. So the bill was passed. The law was signed by our 
governor, who was a former banker, and it was enacted into 
North Dakota law.
    Fortunately, that is not the end of the story because a 
group of citizens called Protect Our Privacy formed. 
Volunteers. No money. No budget. Just a goal to repeal Senate 
bill 2191 in North Dakota. And in the course of a few short 
weeks, gathered the number of signatures necessary, a little 
over 17,000, to repeal the law, or to refer it and put it to a 
vote to the people.
    When you consider that we only have 640,000 people, 17,000 
is a big number. It is equivalent to almost 900,000 signatures 
in the State of California.
    Their initiative is going forward, as this Committee heard. 
And by the way, I predict that when and if their initiative is 
on the ballot, it will be on the ballot, unless the California 
legislature acts responsibly next year, that initiative is 
going to overwhelmingly succeed.
    The more money the big banks spend, the more the people get 
angry, and that is exactly what happened in North Dakota. The 
banks were well financed. Their first campaign statement showed 
they had $129,000 raised. We had $2,800. By the time the whole 
battle was done, their media blitz throughout the State of 
North Dakota was enormous. They attempted to persuade the 
people of our State that all the arguments which I shared with 
you earlier were needed to keep the bill.
    Our statement and position was very simple. Whose 
information is it, anyway? Do you own it? Should you have the 
right to control it? Or should the banks own it once they get 
it and be able to share it and sell it without your consent and 
knowledge? That was the focus. That is all we could talk about 
because that is the truth and the bottom line of this privacy 
battle--whose information should it be, as Attorney General 
Hatch has indicated?
    When the people understood, the vote was 73 percent to 
throw out the Senate bill 2191 and go back to North Dakota law. 
I submit that as more and more people in the United States 
become aware of what this is all about, you are going to see 
more and more State legislators move forward to do the same 
thing in their State.
    Unfortunately, that is time-consuming and costly and you 
have the might of the big banks, who will be there to try to 
thwart the issue every time it comes up in every State 
legislature. We had full-time lobbyists up there from the 
banking industry, three or four of them. The credit union 
lobbyists were involved. The big banks came in. The local 
bankers came in to talk to their legislators and the 
legislators were, frankly, somewhat misled and confused on this 
issue because they talk real good. But the people know better 
and the people of our country want their private information 
protected.
    If we do not do this, if we do not move forward with 
protection, because the lifeblood of this battle for financial 
services is the free-flowing of consumer confidential financial 
information, Gramm-Leach-Bliley does not foster competition. It 
eliminates competition.
    As a small business person in the financial services 
industry, I have a very difficult time competing with the Wells 
Fargos of the area. When a person comes in to get a loan and 
provides their tax return, their financial statement, their 
history, and the loan officer just goes to the insurance agent 
or the securities agent and says, here, here's some stuff. Look 
it over. Go call this guy.
    That happened on one occasion with my best client in Fargo, 
who I have served with life insurance for 20-some years. An 
insurance agent from Wells Fargo called on them and had all of 
their financial information and, in fact, showed them a 
sophisticated insurance proposal where they had to have 
gathered their incomes, their date of birth, et cetera. My 
client knew nothing of it, had never met the agent before, and 
this guy comes in and shows him the information. He called me. 
We looked at it. We threw it in the garbage. But the point is, 
why should that insurance agent have gotten that information in 
the first place? He shouldn't have.
    My mother in Beulah, my hometown, western North Dakota, 
just had a CD come due. The bank teller recommended that she 
put it into an annuity. The bank teller knows nothing about my 
mother's financial information and her background and her 
financial needs.
    My mother, thank goodness, said, I call my son on these 
things.
    [Laughter.]
    She did. And we are looking at what she should do with her 
CD.
    The point is, people are handling confidential information 
all over the place. It has run amuk. And I hope that this 
Committee will have the courage to stand up to the tremendous 
lobbying 
effort you are going to see and reverse the things in Gramm-
Leach-Bliley that need to be reversed, such as no sharing of 
information to nonaffiliates, period. A no-opt.
    An opt-in sharing of information for affiliates. And the 
joint marketing agreement loophole, that needs to be fixed. I 
understand why it was introduced, to allow the small banks and 
credit unions to compete with the Wells Fargos of the world. 
That definitely needs to be fixed.
    Mr. Chairman, and Members of the Committee, I see my time 
is up. I have a lot more I could say about this issue. But I 
thank you very much for the opportunity to be here.
    Chairman Sarbanes. We thank you very much, Representative 
Kasper. It is a very instructive story that you tell and we 
really appreciate it.
    Before she leaves, I do want to add just one dissent to 
what you said. You said that the freshmen members of the 
legislature do not have much influence.
    [Laughter.]
    I agree with that statement generally. But I do want to 
underscore what a tremendous exception to that statement our 
freshman Member, Senator Stabenow, has been here, both in the 
Committee and in the Senate.
    Senator Stabenow. Thank you.
    Chairman Sarbanes. We will now turn to Phyllis Schlafly. We 
are very pleased that you are here with us today. As we all 
know, Phyllis Schlafly is the President of the Eagle Forum. She 
has been an outspoken advocate on a number of very important 
issues and has testified frequently here in Congress. She is 
the author/editor of numerous books and publications. Ms. 
Schlafly, we are delighted to have you with us today.

                 STATEMENT OF PHYLLIS SCHLAFLY

                     PRESIDENT, EAGLE FORUM

    Ms. Schlafly. Thank you, Mr. Chairman, and Senator Shelby.
    Totalitarian governments keep their subjects under constant 
surveillance by requiring that everyone carry ``papers'' that 
must be 
presented to any Government functionary on demand. This is an 
internal passport that everyone had to show to authorities for 
permission to travel within the country, to move to another 
city, or to apply for a new job.
    Having to show papers to Government functionaries was bad 
enough when papers meant merely what was on a piece of paper. 
In the computer era, personal information stored in databases 
can be used to determine your right to board a plane, drive a 
car, get a job, enter a hospital emergency room, start school, 
open a bank account, buy a gun, or access Government benefits 
such as Social Security, Medicare, or Medicaid.
    While each classification currently has its own set of 
rules, connecting all these dots would amount to the personal 
surveillance and monitoring that are the indicia of a police 
state. The Washington buzz words, ``information-sharing,'' are 
often put forth as the solution to 21st Century problems, but 
this has significant privacy implications that I am very happy 
you are addressing.
    The global economy is obsessed with gathering information. 
The lifestyle or profile of each consumer is a valuable 
commercial commodity. The checks you write and receive, the 
invoices you pay, and the investments you make reveal as much 
about you as a personal diary. Where I shop, how often I 
travel, when I visit my doctor, how I save for retirement are 
all actions known to financial institutions, which connect the 
dots of my life and create a valuable personal profile. This 
compilation of personal information is bad enough, but the 
sharing of it without my consent is even worse.
    True privacy protections encompass the principles of 
notice, access, correction, consent, preemption, and limiting 
data collection to the minimum necessary.
    The bill commonly known as Gramm-Leach-Bliley had the 
financial goal of streamlining financial services, thereby 
increasing affiliation and cross-company marketing. But it was 
conflicted with the goal of true financial privacy. Greater 
affiliation meant greater information-sharing. Interjecting the 
right of individuals to control their personal information into 
that streamlining equation was perceived as a threat to this 
big business scheme.
    Gramm-Leach-Bliley does not provide consumers with any 
opportunity to decide for themselves about the transfer of 
their private information among affiliates. Particularly 
troubling is the large number of companies marked as 
affiliates. For example, the Bank of America has nearly 1,500 
corporate affiliates, and Citigroup has over 2,700. There is no 
opportunity to stop this free flow of personal information.
    Gramm-Leach-Bliley did include a privacy notice provision. 
Privacy notices should be simple documents outlining what kinds 
of information are collected and how the business plans to use 
that information. However, the notices sent to consumers as a 
result of Gramm-Leach-Bliley turned out to be too complicated 
for the public to cope with and they were always written in 
very fine print.
    Gramm-Leach-Bliley provided the right to opt-out of 
information-sharing but only to third parties. Figuring out how 
to prevent the sale of your personal financial diary, and to 
whom you were actually denying it, was made very difficult. 
Real opt-out consent depends on being able to understand what 
you are saying no to.
    In 1998, the Clinton Administration proposed a Federal 
regulation called Know Your Customer, which would have turned 
your friendly local banker into a snoop reporting to the 
Federal database called FinCEN any deviation from what the bank 
decided is your deposits/withdrawal profile. The American 
people and the Eagle Forum was a part of this effort, responded 
with 300,000 angry e-mail criticisms and the regulation was 
withdrawn. The department subsequently said they would no 
longer receive e-mail criticisms. However, the Bank Secrecy Act 
still requires banks to share some personal information with 
the Government through suspicious activity reports.
    The Bush Administration's proposed regulations to implement 
the USA PATRIOT Act's Anti-Money Laundering provisions are even 
more intrusion than Know Your Customer. The Wall Street Journal 
reported that the Treasury Department entered into an agreement 
with the Social Security Administration to access a database to 
verify the authenticity of Social Security numbers provided by 
customers at account opening.
    Congress promised us that the Social Security number would 
never be used for anything else when it was created, and 
certainly not for identification purposes. Giving financial 
institutions access to Social Security Administration's 
database contemplates using the number as a national ID number, 
which is a step in the wrong direction.
    I remember after President Nixon opened up China, The New 
York Times printed a large picture of a warehouse of what were 
called dangens. This was a manila folder containing all the 
personal information on every person in China. It started in 
school. It followed them all through life, with all of their 
job information.
    It is the computer that makes it possible to create a 
dangen on every American citizen, and that is not America.
    In conclusion, neither Government nor private business 
should act as if they can own, share, display, or traffic our 
personal information. It is a property right issue. Our 
personal financial data should be protected by a firewall and 
accessible only to those to whom the individual gives the 
authority.
    Thank you very much, Mr. Chairman.
    Chairman Sarbanes. Thank you very much, Ms. Schlafly. We 
are very pleased to have you here today.
    Our concluding panelist is Ed Mierzwinski, who is the 
Consumer Program Director of the U.S. Public Interest Research 
Group. He comes today testifying on behalf of a number of 
consumer groups, both the broader groups--Consumer Action, 
Consumer Federation, Consumer Union, and then a number of 
groups that are more specifically focused on the privacy 
issue--the Electronic Privacy Information Center, Identity 
Theft Resource Center, Privacy Rights Clearinghouse, and 
Private Citizen.
    We are very pleased to have you here, sir.

                STATEMENT OF EDMUND MIERZWINSKI

                   CONSUMER PROGRAM DIRECTOR

              U.S. PUBLIC INTEREST RESEARCH GROUP

                             ON BEHALF OF:

            CONSUMER ACTION, CONSUMER FEDERATION OF AMERICA

                CONSUMER TASK FORCE ON AUTOMOTIVE ISSUES

         CONSUMERS UNION, ELECTRONIC PRIVACY INFORMATION CENTER

           IDENTITY THEFT RESOURCE CENTER, JUNKBUSTERS, INC.

        PRIVACY RIGHTS CLEARINGHOUSE, PRIVATE CITIZEN, INC., AND

                  U.S. PUBLIC INTEREST RESEARCH GROUP

    Mr. Mierzwinski. Thank you, Mr. Chairman and Members of the 
Committee, and in particular, I will recognize Senator Shelby, 
the founding Co-Chair of the bipartisan Congressional Privacy 
Caucus, for his leadership, as well as yours.
    The organizations that I am representing today believe 
strongly that people have a strong right to privacy and that 
privacy should be based on Fair Information Practices.
    Recognizing when it enacted the Gramm-Leach-Bliley Act, 
that it was increasing the potential for privacy invasions, 
Congress acted by establishing Title V to try to protect 
privacy. The basis of Title V we believe is flawed and a lot of 
that has already been articulated by some of the other 
witnesses on the pro-privacy side today.
    The primary basis of the Act is that it is based on notice. 
Notice is not enough. As we have seen from the first 2 years of 
examples, the notices are unclear, the notices are 
indecipherable, the notices are unreadable.
    The Privacy Rights Clearinghouse commissioned a consultant, 
Mark Hochhauser, on readability in 2001. He surveyed 60 of 
these notices and found that they were written essentially for 
a graduate school education.
    The average consumer has not been to graduate school. And I 
concur with General Sorrell that there should be something like 
a nutrition notice at the front of every privacy notice and the 
check-off box for voting out or voting in, whether it is an 
opt-out or an opt-in, and of course, we would prefer an opt-in, 
as I will discuss briefly. That check-out box should be on the 
front page, not on the 8th page of a 6-point type document with 
27 to 35 word compound sentences.
    This year, as part of California PIRG's efforts to enact 
the Jackie Speier legislation, SB-773, broad consensus 
legislation supported by a number of privacy and consumer 
organizations in the State of California, California PIRG 
updated the Hochhauser study with a study of 10 privacy notices 
in August. We found that the best of the 10 got a C minus. So 
notice is not enough.
    In my testimony, I also refer to a very disturbing decision 
by a U.S. District Court Judge in California in an unrelated 
financial privacy case, but a related case to notice 
provisions. In that decision, Judge Zimmerman suggests that a 
large telephone company may have hired consultants that taught 
it to purposely make its privacy notices deceptive. And I cite 
some of those notices. How to convince people not to opt-out. 
How to convince people that the notice is a nonevent.
    There were a series of consultants actually hired by the 
company to teach the company how to make its notices 
unreadable, essentially. So, I am very concerned about that. 
And that is, of course, one of the reasons that we think notice 
is not enough.
    The second problem we have with the bill, of course, is 
that the consent provision in the bill only applies to some 
transactions. It applies, not to all third parties. It applies 
to some third parties.
    Let's be very clear. It is an opt-out, meaning that you 
have to affirmatively say no, and it does not apply to all 
transactions. It only applies to some third parties, 
essentially limited to telemarketers.
    Transactions between and among affiliates and joint 
marketing partners--and there is no exception in the law that 
prevents large institutions, some of them have as many as 2,761 
affiliates, as we heard earlier, that prevents large 
institutions from also using outside joint marketing partners 
as well.
    So the fact is the bill is based on only part of the Fair 
Information Practices, which we believe the data-collectors 
should subscribe to.
    In recognition of the fact that there had been a major 
privacy scandal that had been discovered by the State of 
Minnesota Attorney General, Attorney General Hatch, and his 
office, the U.S. Bank case, the Congress included an encryption 
provision in Title V to try to tighten it up a little bit more. 
The encryption provision was included and it stated that 
telemarketers could not obtain the credit card numbers of 
consumers.
    The reason for that was that in the U.S. Bank case, as 
Attorney General Hatch has described, the consumer never gave 
out their credit card number to telemarketers. Their bank gave 
their credit card number to telemarketers.
    As the Attorney General has testified, and as General 
Sorrell has testified as well, the encryption provision has not 
worked.
    Essentially, Gramm-Leach-Bliley codified the preacquired 
account telemarketing programs that are in place at many of the 
largest banks in the country. These banks are no longer 
providing the credit card number directly to the telemarketer, 
but the telemarketer has a button that he or she pushes that 
allows the bank to bill the consumer.
    Now one of the witnesses testified that opt-out doesn't 
work and that opt-in would work even worse.
    In Attorney General Hatch's recent settlement with Fleet 
Bank, he sent a letter to the consumers who had been 
victimized--excuse me--Fleet Mortgage Company, an affiliate of 
Fleet Bank. You would think that this kind of tawdry 
telemarketing would be limited only to credit card companies, 
but mortgage companies are doing it, too.
    Attorney General Hatch sent a letter to a number of 
Minnesota consumers asking them whether they wanted to opt-in 
to his settlement and get their money back. Well, 50 percent of 
them responded within 2 weeks.
    If you write your opt-in letter well, and if you offer 
people something, opt-in does work. And if you are trying to 
get people's money back from a rip-off telemarketer who is in 
league with your bank, opt-in does work.
    So, we were very pleased to see that.
    The last point I want to make, of course, is that the best 
part of the Gramm-Leach-Bliley bill is, in fact, its States 
rights fail-safe, the so-called Sarbanes Amendment, that has 
allowed the States to experiment. As the great Justice Louis 
Brandeis said, ``The States are the laboratories of 
democracy.'' And although the industry has sent hundreds of 
lobbyists out to Fargo, out to Sacramento, out to 
Bradelborough, I have been to all these places, I have seen all 
the industry lobbyists, Montpelier, excuse me, in Vermont, and 
all the other State capitals where the State PIRG lobbyists 
work, the industry is trying to stop these laws, but these laws 
are being considered and you need to protect the right of the 
States to continue to try to pass stronger privacy laws.
    The costs of privacy have been articulated by industry as 
tremendous--billions and billions of notices, the loss of the 
free flow of 
information.
    I want to point out that there are costs to the lack of 
privacy as well. I would like to enter into the record a study* 
by independent consultant Robert Gellman which refutes a number 
of the industry-funded studies that the industry relies on to 
make its points.
---------------------------------------------------------------------------
    *Held in Committee files.
---------------------------------------------------------------------------
    The fact is the lack of adherence to Fair Information 
Practices leads to identity theft, which costs hundreds of 
thousands of consumers, hundreds of dollars a year in out-of-
pocket costs, hundreds of hours in trying to clear their good 
names, extra costs because their credit reports are in error 
and they must pay extra for sub-prime credit, the costs of 
profiling, the cost of being targeted and the cost of being put 
into a box that you are a Tobacco Road consumer and not a Gucci 
Gulch consumer on one of these 300 lists, and you pay too much 
for credit and you only get offered mediocre offers. These 
costs are very substantial and these costs affect consumers in 
a very negative way.
    In terms of the free flow of information, industry wants to 
have that one both ways. Many banks are limiting their flow of 
information about a consumer's good credit in order to prevent 
that consumer from having a good credit report and a good 
credit score.
    They are gaming the credit-scoring system and Comptroller 
Hawke did a speech on this several years ago, and he was very 
concerned about it. If a consumer's credit score is affected by 
a limit on how much information banks share with credit 
bureaus, that consumer doesn't get any offers. That consumer 
doesn't get any 
opportunities.
    So there are some very serious costs to a lack of privacy 
and identify theft is one. Profiling is another. The cost of 
paying too much for credit because banks are gaming the system 
is another.
    Stalking is even a problem of the costs of lack of privacy, 
as the case of Amy Boyer several years ago.
    I want to conclude briefly by saying that the State PIRG's 
and the other consumer and privacy groups that are signed on to 
our testimony today very much appreciate that you held this 
hearing. We will continue to work in the States on privacy, 
financial privacy issues, identity theft issues, credit-scoring 
reform, and other aspects of financial privacy.
    We are disappointed that some industry groups have tried to 
suggest that financial privacy prevents them from helping 
Director Ridge from fighting the terrorists as one of the 
excuses they make to try to roll back the State privacy laws.
    We are disappointed also that they say you won't be able to 
use your ATM card if we pass strong financial privacy laws. But 
that is life in the big city and we will continue to fight and 
we appreciate you fighting with us.
    Thank you very much.
    Chairman Sarbanes. Thank you all very much. This has been a 
very, very helpful panel.
    We have been joined since the panel began by two of our 
colleagues and I am going to turn to them now to see if they 
want to make an opening statement before we start directing 
questions to the panel.
    Senator Akaka.

              COMMENTS OF SENATOR DANIEL K. AKAKA

    Senator Akaka. Thank you very much, Mr. Chairman.
    It is good to hear witnesses from around the country on the 
issue of financial privacy.
    The sharing of consumers' financial information needs to be 
regulated to reduce frustrations and the likelihood of the 
misuse of that information. Financial institutions are required 
to provide their customers with information regarding their 
privacy policies on an annual basis. Financial institutions are 
prohibited from sharing nonpublic personally identifiable 
customer information with nonaffiliated third parties, unless 
customers are provided with an opportunity to opt-out.
    My constituents in Hawaii have contacted me to express 
their frustrations with the opt-out process. The opt-out 
process is time-consuming for many individuals and in some 
cases, privacy notices are too difficult to understand. I agree 
that the notices are not enough and are difficult to 
understand.
    Financial privacy is one of many areas in which consumers' 
financial literacy needs to be increased. Consumers need to be 
fully aware of their opportunities to exercise financial 
privacy restrictions and how to do so.
    In addition to education, a complete examination of the 
current laws intended to protect personal financial information 
is needed to ensure that consumers are protected.
    Again, Mr. Chairman, I thank you for conducting this 
hearing.
    Chairman Sarbanes. Thank you, Senator Akaka.
    Senator Corzine.

               COMMENTS OF SENATOR JON S. CORZINE

    Senator Corzine. Thank you, Mr. Chairman.
    I can only tell you that there is almost nothing that 
Senator Akaka said that I would disagree with or preparing 
myself for this, knowing the concerns of both the Chairman and 
Ranking Member with regard to this privacy issue, that I want 
to very much identify with, needs to be cleaned up.
    I hear about this all of the time as I visit with 
constituents around the State, a growing, growing concern about 
invasion of one's personal information, the integration of the 
marketing aspects of information collected by those that have 
access to financial transactions and so on.
    I am anxious to be a consistent and full participant in 
this process, and I will emphasize this financial literacy 
issue.
    I can tell you that I have read a lot of these statements 
myself. I usually go to sleep before I get to the end of them, 
and know where you are supposed to sign off.
    [Laughter.]
    I think it is a ruse on the public with regard to this 
opting-out process.
    So, I look forward to working with you and the other 
Members of the Committee in this area.
    Chairman Sarbanes. Thank you very much, Senator Corzine.
    Both Senator Corzine and Senator Akaka have been very, very 
active on the financial literacy issue and we certainly 
appreciate their concern.
    Professor Cate, I want to ask you a question right off the 
bat.
    The Financial Services Coordinating Council, who Mr. Dugan 
is representing here, issued a booklet, not too long ago on 
what they call the drawbacks of an opt-in regime. And you were 
the author of that booklet. You recall that, I presume.
    Dr. Cate. I do. I think it was 2 years ago. But, yes, sir.
    Chairman Sarbanes. All right. Now in that, you are arguing 
against the use of opt-in. And I do not want to address the 
opt-in issue for the moment.
    In the argument you make against opt-in, you say: 
``Lawmakers should resist the mounting pressure to expand the 
use of opt-in, for eight compelling reasons.'' And the first 
reason you give is, ``Opt-in and opt-out both give consumers 
the exact same level of control over how information about them 
is used. Under either system, it is the customer alone who 
makes the final and binding determination about data use.'' 
Now, of course, we have heard some criticisms about how the 
opt-out system works. But let me ask you this question. Am I to 
take from this statement that you support requiring opt-out for 
the sharing of any financial information?
    Dr. Cate. I think that would not be accurate to say that I 
support opt-out for the sharing of any financial information.
    Chairman Sarbanes. I see. Well, you make the point here 
that opt-out gives--under both, the consumer has exactly the 
same level of control and therefore, you should use it. The 
alternative to opt-out is opt-in. And then you are very 
critical of opt-in. But you say, with opt-out, they can control 
their information. Is that correct?
    Dr. Cate. Yes, sir, Mr. Chairman.
    Chairman Sarbanes. Should we have opt-out at least as a 
starting point or as a minimum for the sharing of financial 
information?
    Dr. Cate. I would not support that across the board.
    Chairman Sarbanes. Would not?
    Dr. Cate. I would not, sir.
    Chairman Sarbanes. How does that square with your statement 
here?
    Dr. Cate. It squares in this way. If there are areas or 
uses of information that the Congress believes that consumers 
should have control over, I think the opt-out is a better and 
certainly less expensive system for allowing consumers to 
exercise that control.
    I personally do not believe that under the First Amendment 
that the Congress has the Constitutional authority to extend to 
consumers the right to exercise control over all uses of their 
financial information.
    Chairman Sarbanes. You do not think the information belongs 
to the consumer?
    Dr. Cate. I think the question of who it belongs to is more 
or less irrelevant. Under the Constitution, I do not believe 
Congress has the authority to use the power of the courts or to 
use regulators to enforce that restraint on the flow of 
information.
    Chairman Sarbanes. To opt-out as well as to opt-in?
    Dr. Cate. Yes, sir, although I believe the opt-in restraint 
is more severe, and so the First Amendment impediment would be 
greater.
    Chairman Sarbanes. So if I am a consumer and I give this 
information to a financial institution, it is then gone. They 
can do what they wish with it?
    Dr. Cate. There are many uses of information, which, if 
they do not present a risk of harm or--many uses of 
information, most uses of information, which I think in this 
country we presume----
    Chairman Sarbanes. Should I make that judgment as the one 
who provided the information? Or do you get the information 
from me for a limited specific purpose, and then once you have 
it, can you then--you being the financial institution--turn 
around and do with it what you will?
    Dr. Cate. Well, Mr. Chairman, I believe it is a matter of 
law.
    If, in fact, information is obtained under an express 
condition that it will not be used elsewhere I think that 
restraint should be enforced, as the Federal Trade Commission 
has repeatedly done online and elsewhere.
    But the Constitution I think limits the power of the 
Government to create an impediment at the start to all uses of 
financial information or other forms of information, absent 
some form of substantial or compelling governmental interest.
    Chairman Sarbanes. That is interesting. What do you think 
of that, Ms. Schlafly? Do you think that we are precluded from 
placing some restraint on the use of that information?
    Ms. Schlafly. I am amazed.
    Chairman Sarbanes. I am stunned.
    Ms. Schlafly. I think the information about what I do and 
what I buy is my property. I do not think it belongs to 
somebody else. If there is anything the United States stands 
for, it is individual property rights.
    Chairman Sarbanes. Attorney General Hatch, what is your 
reaction to that?
    Mr. Hatch. Mr. Chairman, there is $15 to $20 billion of 
telemarketing fraud in this country each year. As I said, two-
thirds of it is targeted to senior citizens, who I do think we 
have some responsibility to guard.
    We know that most of this is done through what is called 
preacquired accounts, meaning that they have the information 
from a bank or a credit card company. They never have to ask 
for that information from the consumer because they already 
have it. It has already been obtained from the bank.
    That is a compelling State interest right there.
    I just don't understand. If opt-out and opt-in are the 
same, why would it make any difference as to which information 
is being protected? The point you were making, I do not know if 
we received an answer.
    Chairman Sarbanes. My concern with this statement is, the 
argument that is made against opt-in, which would be an up-
front permission from the provider of the information, or how 
it is used, the argument that is made is that the consumer can 
protect himself because he has opt-out.
    Now there is a big difference between the two, but opt-out 
at least means that if the consumer initiates it, he can then 
say that I do not want that information provided. The other 
way, with opt-in, they have to get the permission to begin 
with.
    Professor Cate uses the argument in this pamphlet that you 
should not have opt-in because you have opt-out. So, I just 
asked him, well, does he then apply opt-out to all aspects of 
providing information? I am told, no, he doesn't.
    I am now told that, amongst other things, he thinks there 
is a Constitutional impediment to doing this, which I do not 
agree with. But, in any event, even as a policy matter--that is 
our problem.
    Here we have--it is a disingenuous argument to say, we do 
not need opt-in, because they have opt-out.
    Then you ask, well, would you apply opt-out to all aspects 
of the sharing of financial information? Then it is, no, no, we 
wouldn't do that. So there is our problem.
    Yes, ma'am.
    Ms. Schlafly. Senator, it seems to me that the difference 
between opt-in and opt-out is the default. Those of us who use 
computers know how valuable it is what the computer defaults to 
when you do not make an affirmative choice.
    With opt-in and opt-out, one way the default goes to the 
bank and the other way it comes to you. I think that that is an 
extraordinary difference.
    Chairman Sarbanes. I think that is a very important point 
and I said at the outset, I wanted to be careful. Because there 
is a very strong argument that opt-out is not adequate, the one 
you just made. Therefore, you should have to get an affirmative 
decision.
    But I cannot even get Professor Cate to give me opt-out on 
the sharing of the financial information. That would be a 
beginning here. At least we would begin to parse this thing out 
and see if we could not make some advance.
    I am told, no, no.
    Well, I have used my time. If my colleagues will indulge 
me, I want to ask Mr. Dugan one more question.
    Mr. Dugan, you cited that these States were trying to pass 
these statutes now under the fact that under Gramm-Leach-
Bliley, it is specifically stated that the States' action in 
this field, that it is not preempted, that they can move ahead. 
And so, people go out and they fight these battles out in the 
State legislatures. As I understand it, you yourself have been 
in a number of State legislatures on this fight.
    Mr. Dugan. That is correct.
    Chairman Sarbanes. And you make the point that it has not 
yet passed, I think you said, in any State legislature. Is that 
right?
    Mr. Dugan. That is right. Any comprehensive statute.
    Chairman Sarbanes. I thought you said you drew from that 
the conclusion that this issue was a fading or a passing issue 
across the country, and that this was demonstrated that the 
public doesn't really care about this issue and that it is 
going to go away. Is that your view?
    Mr. Dugan. I do not think I quite said that. What I was 
trying to get at----
    Chairman Sarbanes. You came close to it. But, anyhow.
    Mr. Dugan. What I was trying to get at was this.
    Senator Shelby. You did not say it. You were hoping it.
    [Laughter.]
    Mr. Dugan. I think there is a perception, every State or 
many States in the country, that the trend has been for State 
legislatures to take this up and pass financial privacy 
legislation that goes beyond Gramm-Leach-Bliley. And all I was 
trying to say was, in our experience, the trend has been in the 
other direction, with the notable exception of California.
    Chairman Sarbanes. And North Dakota, by direct action of 
the people rather than the legislature.
    Mr. Dugan. That is right, but that was a restoring of a law 
that was previously on the books. My point is that the year 
after Gramm-Leach-Bliley passed, there was a huge set of bills 
introduced that went way beyond Gramm-Leach-Bliley in many 
States and debated in many States. None of them passed. Then 
the second year, it was about half that number. And in the 
third year, it had dwindled to a relatively few number of 
States that were doing it.
    I am not trying to say that there is no interest in it. 
There obviously is. There was intense interest in California.
    I am just saying that if you take and look at the country 
as a whole, and what legislatures have done, I think that there 
has been a repeated set of circumstances in which legislators 
have decided that it has not been as easy to pass something 
like this in a way that works that doesn't create unintended 
consequences.
    There is also a notion that this new Federal scheme has 
gone into effect, and we should give it a chance to work before 
we decide to layer on inconsistent privacy statutes across the 
country, which the FSCC thinks would be a disaster.
    Chairman Sarbanes. So, you think it is going to go away?
    Mr. Dugan. No, I did not say that. I think we have work to 
do. I think there has been a problem with the notices. They do 
have to get better.
    Chairman Sarbanes. Where are you going to be if California 
passes an initiative on this issue? The California legislature 
came close this year, as I understand it, very close. But where 
are you going to be if they pass an initiative in California?
    Mr. Dugan. Senator, that is a hypothetical situation.
    Chairman Sarbanes. Do you think an initiative would pass in 
California on the basis of the North Dakota experience?
    Mr. Dugan. I certainly would hope not.
    Chairman Sarbanes. Mr. Kasper, you wanted to add to that?
    Mr. Kasper. Yes, thank you, Mr. Chairman.
    Just an observation. If the other States in the last 2 to 3 
years were bombarded by the banking lobbyists as North Dakota 
legislators were, when they were confused and misled by the 
bank arguments, which I laid out earlier, I can understand why 
no legislation passed in those other States.
    We were different in the fact that we had a law to protect 
and the people decided to refer it. And when the people made 
connection with the truth, the people spoke loudly and clearly. 
That is what I believe is the sentiment all across the United 
States, as you have heard from your colleagues here on the 
panel and from the panel members themselves.
    This is a national strategy, I believe, by the financial 
services 
industry, led by the banking industry, to confuse the issue and 
kill any type of legislation that is attempted in North Dakota.
    I wish they could come to North Dakota now and talk to some 
of my legislative colleagues who went through this media battle 
and now understand the issue, who are very angry at the way 
that our legislators were misled by the lobbying efforts of the 
banking institutions.
    So you confuse. You mislead. Sometimes you out and out lie. 
And the legislators, with that type of pressure, are going to 
go along with no change because they may think that is what is 
in the best interest of their State, which it is not.
    Chairman Sarbanes. Yes, Attorney General Hatch.
    Mr. Hatch. Mr. Chairman, I would like to point out for 
Minnesota, that at least the lobbying effort that occurred did 
not diminish the issue. It is coming back and it will continue 
to come back until something passes.
    But I do want to point out, it wasn't just the banks. There 
is a lot of different interests involved in this. You have the 
telemarketing companies. You have, as I mentioned, insurers, 
HMO's.
    And frankly, if I took a poll of the banks in Minnesota, 
you would find probably a majority in favor of privacy, but 
they would be the smaller ones. They do not want this 
information out there. They do not want this information being 
taken by a Citibank or whoever, and then stealing their 
clients. It is not the small ones who are doing it.
    So do not give too bad a rap here to the banks of America. 
A lot of the small ones are not interested in this issue at 
all. They have operated very well with an opt-in system because 
they do not want to do it.
    As I mentioned before, a First Amendment right to 
disseminate, does this mean that an employee of mine--I have 
companies that represent companies, an employee can take the 
customer list? They have a First Amendment right to disseminate 
it? Does the bank have a right to take the bank deposits of my 
clients and go disseminate it to their competitors, their 
customer list? I do not think so.
    There has been very strong privacy rights by common law in 
this country with regard to property assets. I would hope that 
GLB did not touch that. But you know what? I suppose one could 
interpret it to have done so. What a tragedy?
    Chairman Sarbanes. I am going to yield now to Senator 
Shelby. Did you want to say something?
    Mr. Dugan. Mr. Chairman, I want to respond on the point 
about smaller banks.
    I think the fact is that smaller banks have to share 
information with other financial institutions to offer the 
range of competitive products that diversified financial 
institutions can provide. And we are very strong supporters of 
that kind of sharing, which is precisely what was recognized in 
Gramm-Leach-Bliley, and which was precisely what was recognized 
even in the California bill that almost passed.
    Chairman Sarbanes. Well, but should the consumer have a say 
in that? Shouldn't he have a say?
    That's all. That's all. I do not think there is any 
approach that would rule it out absolutely. It would just put 
the decisionmaking authority in the person who provides the 
information. It is personal information about them, and they 
should have, it seems to me, should be able to control where it 
goes and what is done with it.
    But I have strayed over my time. I yield to Senator Shelby.
    Senator Shelby. Thank you, Mr. Chairman. Again, I want to 
thank you for calling this hearing. I also want to commend 
Senator Sarbanes, that in the conference, we were all on it 
with the House, dealing with Gramm-Leach-Bliley, Senator 
Sarbanes had the foresight to offer the amendment to protect 
the States' ability to deal in this area over and above.
    I think that is so important to Senator Sarbanes. I have 
been involved with you and I have worked with you and I have 
worked with a lot of people on this. I believe myself that the 
people ultimately are going to prevail here. The people are 
going to win this battle, no matter how much money is spent 
against it because this is an important right of the people, as 
Ms. Schlafly talks about.
    Mr. Kasper, I have a few observations and some questions.
    One, I want to commend you for getting involved and what 
the people of South Dakota did. That was not isolated--of North 
Dakota, excuse me. Made a mistake.
    Mr. Kasper. That is all right.
    Senator Shelby. But what they did, they understood the 
issue. And if the people understand the issue, they are not 
going to give their privacy away. I believe that. Not many of 
them, and so forth.
    I do want to also take a few seconds and commend both the 
Attorneys General here. They have been outspoken. Somebody has 
to speak up for the people, and they do this.
    Ms. Schlafly, we have worked together on a number of 
issues, and this privacy issue cuts across all political 
philosophy, and all parties, Democrats, Republicans, and so 
forth.
    I have worked with Mr. Mierzwinski on a number of 
occasions.
    I wish my State of Alabama had a referendum proposition, a 
proposition where you could bypass the legislature, if you had 
so many people. A lot of the States do. And that goes back to 
the 
Sarbanes Amendment. That is going to be the linchpin to this, I 
believe.
    Now, I want to direct this to Mr. Dugan and Professor Cate.
    I would like to know from you, if you can, to the extent 
that you can provide the details here, what happens to, and I 
will just use myself here, my personal information when I open 
a checking account, get a credit card, and that kind of thing. 
Just say I were to go down the street here and open up a 
checking and savings account. What happens to that information? 
Let me just run down a list of questions.
    What information are they required to obtained from me? How 
does the bank use it? Do they share it? And yes, what do they 
actually share, and who with? Why do they share it? Well, I 
think we know that. Who do they share it with? Affiliates? 
Third parties? Partners in joint marketing agreements? You can 
create those. That is so easy.
    Do they sell it? What effort does the bank or financial 
institution make to ensure its security? Or how can it be 
secure once it is gone? What about affiliates and third parties 
who may gain access to the information? Do they undertake 
efforts to protect it? Who do they protect it from if they are 
using it?
    All these questions I think need to be answers because 
people in America, across all party lines, are going to be 
asking. They are beginning to. And hearings like this help. Can 
you help me there?
    Mr. Dugan. Well, let me start and there is quite a long 
list.
    Senator Shelby. Sure.
    Mr. Dugan. If there are other things, we would be happy to 
furnish it for the record as well. Professor Cate can jump in 
as well.
    Senator Shelby. Sure.
    Mr. Dugan. I think in the first instance, when information 
is collected from consumers, there are two kinds of 
information. The first is information that is used to make a 
judgment about making a loan to you or underwriting insurance 
for you. That kind of information is covered by the Fair Credit 
Reporting Act.
    And because that information can be used to make an 
important decision, it can have a very important effect on the 
consumer, the restrictions on that information under Federal 
law are stricter than they otherwise would be. In fact, that 
kind of information cannot be shared with third parties except 
under very specific circumstances such as sharing with the 
credit-reporting agencies. It can only be shared with 
affiliates subject to an opt-out.
    If the information doesn't relate to that kind of 
information, then the Gramm-Leach-Bliley system kicks in and 
the information can be shared to carry out things that I think 
everybody would say it should be shared for it. It obviously 
has to be shared with third parties when you write a check and 
the check goes through the clearing system to other banks to 
carry out your transaction. It has to be shared with third 
parties in order to do the very thing you have asked for. And 
nobody quibbles with that, and I am sure you do not, either, 
Senator. But I think you then get to the question of, is it 
shared for marketing purposes?
    I think institutions use it to--they would want to know, 
for example, if you were a good customer of the bank and you 
had a large deposit, that would be a customer that they would 
want to make sure was treated well with respect to other kinds 
of products. If you were a long-time customer of the bank, that 
kind of information, they would want to know that.
    And so, the information would be shared inside the bank in 
order to make decisions to cross-market products, and it would 
be shared with affiliates as necessary if they thought that 
would be useful to provide products and services to you.
    Now, if it gets to third parties, that is where Congress 
drew the line and said, if it goes to a nonaffiliated third-
party, then they have to give you the right to opt-out of that 
type of sharing.
    Senator Shelby. But you can create an affiliate fast, can't 
you? You can create a joint marketing agreement so fast.
    Mr. Dugan. We think affiliates----
    Senator Shelby. There are a thousand ways to get around.
    Mr. Dugan. We do not think it is getting around. We think 
an affiliate is all part of the same organization. If you have 
Citibank and Citibank Mortgage Lender, that is really the same 
thing to the consumer. It is all part of one organization.
    The line comes when the information is shared outside the 
commonly controlled organization, particularly to commercial 
companies or nonfinancial companies. And there, Congress drew 
the line and said, that is a place where the consumer should 
have some control and that is where they established the opt-
out.
    We think that is appropriate.
    Senator Shelby. You used the word scheme earlier. A lot of 
people believe this was a scheme. That is, the opt-out was a 
scheme to hijack people's personal information, knowing that 
with all the trouble and all the notices and not understanding 
what was going on, that most people wouldn't know the real 
issue. The notices were meant not to let them know, but to let 
them throw it away.
    Mr. Dugan. Well----
    Senator Shelby. Whereas--wait a minute--whereas, if you go 
with the premise that this is your information that you send 
that belongs to your checking account, your savings account, 
and all this, and it is your property right, as Ms. Schlafly 
talks about, which I believe, it belongs to you, and you have a 
confidential relationship, or should have--most people think 
they do--with their financial institution.
    Gosh, how can you justifying selling that, using that 
without the permission of the customer, the expressed 
permission? How can you do it?
    I think Attorney General Hatch made a good point.
    Mr. Dugan. From our point of view, I do not believe----
    Senator Shelby. And your point of view is the point of view 
of the people you represent, right?
    Mr. Dugan. It is the people who have to serve their 
customers every day, and it is an industry that is built on 
maintaining the trust of their customers.
    Senator Shelby. This is a way to break it down, isn't it?
    Mr. Dugan. Well, that is where we disagree.
    Senator Shelby. I think that is under attack all over 
America.
    Mr. Dugan. With all due respect, Senator, we think the 
information-sharing that goes on helps consumers, helps 
provide----
    Senator Shelby. How does it help them? I want to hear that.
    Mr. Dugan. I will give you an example.
    Let's say you had an opt-in scheme and at the beginning of 
a customer relationship--from our point of view, many consumers 
do not either opt-in or opt-out. They are less sensitive to 
this concern.
    If you have an opt-in scheme and they do not opt-in to some 
information-sharing, they just do not pay attention to it and 
they do not opt-in, then they do not get to hear about some of 
the benefits that would otherwise apply. For example, if 
someone has a deposit with a bank, it is a common practice for 
the bank to give a discount on a mortgage provided by an 
affiliated company. Or it may be the case that someone has a 
high-rate credit card loan and the institution knows that he or 
she has a high-rate credit card loan and also knows that that 
customer could qualify for a much lower interest rate home 
equity loan from an affiliated company.
    If an opt-in restriction were in place, as in one of the 
California bills, you have a situation where someone would be 
punished for calling up and trying to tell the customer that he 
qualified for something that was of real benefit to him, 
because he did not opt-in at the beginning of this 
relationship.
    Senator Shelby. Mr. Kasper.
    Mr. Kasper. Thank you, Senator Shelby.
    That begs the question. We are here talking about banking 
products. What about insurance and securities products. An 
inducement to purchase an insurance product is called a rebate 
and it is illegal under almost all State insurance laws.
    What about the small independent business people across the 
United States who are in the insurance and securities business 
as independent entrepreneurs trying to make a living competing 
with this inside information that is being passed around by the 
banks to their insurance organization to their securities 
organization?
    It wipes out competition. It wipes out small business.
    Our Nation is built on competition. This is anticompetition 
and the basis, the lifeblood of it is the free-flowing of this 
confidential information inside the financial conglomerates.
    Where we are heading with this is thousands and thousands 
of businesses being out of business because we cannot compete.
    Senator Shelby. And fewer choices for the consumer.
    Mr. Kasper. Absolutely fewer choices, Senator. Absolutely. 
The ones that benefit are the big institutions, not the 
consumer.
    Senator Shelby. Attorney General Hatch.
    Mr. Hatch. Mr. Chairman, Senator Shelby, I believe the 
question was about the industry, are they reflecting the needs 
of their customers?
    Exhibit A, what I filed, is a customer sheet. This is from 
Fleet Mortgage. These are their customer service reps and what 
they told the officers of Fleet Mortgage.
    I just briefly have a couple of comments.
    ``Ninety-five percent of my calls pertain to people wanting 
to cancel their policies. I think we should have to get a 
signature.''
    Another one says, ``They feel it is a fraud, it is a scam, 
they never wanted the insurance.''
    Another one is, ``I think it is more hassle than it is 
worth.''
    Another one is, ``I apologize for the inconvenience.''
    Another one is, ``Customers should have to sign up for the 
products. Don't just add them to accounts.''
    And by the way, this is the company. This is an affiliate 
of the company.
    The best one from an employee of Fleet Mortgage to its 
officers.
    Chairman Sarbanes. So these are some internal comments of 
the company.
    Mr. Hatch. Oh, yes, internal.
    Chairman Sarbanes. Internal.
    Mr. Hatch. I am hopefully not breaking too many laws here.
    [Laughter.]
    Chairman Sarbanes. No, no, no. But I mean this is what they 
are saying to one another. It is like these stock analysts who 
tell people to buy the stock. And meanwhile, they are sending 
e-mails to one another saying what a turkey the company is.
    Mr. Hatch. Correct. The best one is--this is from an 
analyst to the supervisor--I hope that Fleet Mortgage makes 
enough revenue from optional insurance to justify all the calls 
on our 800 line from customers trying to cancel.
    Now is that an industry that is really representing its 
customers? I do not think so. In fact, I cannot find one 
comment--and this is their whole list--there is not one of them 
that is positive about what they are doing. They are all 
complaining.
    Senator Shelby. Mr. Chairman, I hope that as we go along 
with hearings, that we will get deeper into this and I hope 
that we can get some inside information like that.
    I also want to mention, Mr. Chairman, that I saw--and I 
haven't talked with him--where Congressman John Dingell had 
initiated a probe into the tying of loans. In other words, I 
will loan you the money if you buy insurance or if you do so 
and so. I think that is something--because that is illegal. And 
that is something that I hope under your Chairmanship, that we 
will look into, also, because that does destroy competition in 
a big way.
    Ms. Schlafly, do you have any comments on this?
    Ms. Schlafly. I do think that we should consider this a 
property rights issue.
    Senator Shelby. Absolutely.
    Ms. Schlafly. I mean, I believe I own the information about 
how I am spending my money and what I am planning to do.
    Senator Shelby. In other words, who does the information 
belong to?
    Ms. Schlafly. Right.
    Senator Shelby. Do you give it away? Is it gone? Gosh, if 
it does, the American people are going to be in for a shock, 
aren't they, a big, big shock.
    One last question, Mr. Chairman. You have been very 
indulgent. How many signatures does it take to get a 
proposition on the ballot in California?
    Mr. Mierzwinski. Senator, I actually do not know the exact 
number, but I can tell you that our organization has been 
involved in a number of them. It is a significant number, 1 
percent or something of the people who voted in the last 
gubernatorial election across all of the counties.
    We have been involved in a number of these and we are part 
of a group that is, along with I believe the California Office 
of Consumers Union, Consumer Action, a California-based group, 
Privacy Rights Clearinghouse, we are seriously considering 
going directly to the ballot. And by the way, the industry is 
split on this. There is one Internet bank that is a pro-privacy 
bank that is supporting the initiative, e-Loan Bank.
    So, we are looking forward to working with an industry that 

actually believes that privacy is something that they can 
market.
    Senator Shelby. Mr. Kasper.
    Mr. Kasper. Thank you, Senator Shelby.
    When I was in California, I had the pleasure to meet Mr. 
Chris Larson, who is the Chairman of e-Loan.com, the bank that 
Ed Mierzwinski referred to.
    The amount of signatures that they will need in California 
is between 700,000 and 900,000. He is so serious about this 
issue, that he has personally put up a million dollars of his 
own money to help get those signatures on the ballot. I 
understand the way the California initiatives work, you can 
actually hire people to get your signatures. So it is between 
700,000 and 900,000.
    Senator Shelby. Mr. Chairman, thank you for your 
indulgence.
    Chairman Sarbanes. Thank you, Senator Shelby.
    Senator Akaka.
    Senator Akaka. Thank you very much, Mr. Chairman.
    Mr. Chairman, we seem to be listening to a choir that is 
singing the same song about a huge problem out there in 
America.
    Chairman Sarbanes. Well, there is some dissonant notes in 
this choir, I add.
    [Laughter.]
    Dr. Cate. Thank you, Mr. Chairman.
    [Laughter.]
    Senator Akaka. There is a huge problem out there in America 
having to do with the privacy notices. I just happened to have 
a few here that I have been looking at. I have been reading and 
rereading the notices. The notices are very complex and 
difficult to understand. What kinds of changes can be made to 
privacy notices to make them easier to understand? Also, what 
do the privacy notices fail to include that consumers should 
know?
    If we can get feedback on these questions, that may help us 
in our quest to craft language that can help.
    Mr. Dugan. I would be happy to respond, Senator.
    We agree with you that the privacy notices are more 
complicated than they should be. And as I said in my testimony, 
I think a real fundamental part of the problem is that there is 
always a tension with privacy notices about trying to give 
enough information to consumers to make an informed judgment, 
but not giving too much information so that people are confused 
and end up not reading the notices.
    I think the regulators tried very hard to come out with 
things that simplified the requirements of the statute. But in 
the end, it turned out that what they proposed, and some of the 
sample clauses that they proposed and some of the legal 
terminology that they used was very, very complicated. Indeed, 
some of the language that the Attorney General from Vermont 
quoted earlier was taken right out of these sample clauses.
    Regulators recognize this, as does the industry. But the 
industry is in a bit of a Catch-22 because when they see what 
the regulators have put out and what they put in these sample 
clauses, they have to hew pretty closely to it because, if they 
do not, they fear exposure to legal liability.
    And so, there is a question and there is, to be honest, 
some conservatism the first time out to go and do the letter of 
what was being prescribed, and in some cases, that came out 
sounding very legalistic and confusing.
    I think since then, there has been very much an effort to 
try to deviate somewhat and keep within the spirit of the law.
    But more importantly, there have been projects that the 
regulators have encouraged and the industry is now engaging in 
to try to come up with something that is simple, one page, that 
has common language terms, that language experts look at, that 
makes things easy to understand, to make the opt-out easy to 
understand and easy to exercise, and that people could use to 
compare among institutions.
    That is not an easy process. It is going to take some time 
to try to develop and there are several different efforts 
underway. But we believe that is an important direction to try 
to explore, and that is what we would see as the way to go 
about trying to improve the notices because we do believe that 
that is a legitimate issue.
    Senator Akaka. Mr. Kasper.
    Mr. Kasper. Thank you, Senator. I just jotted something 
down for your consideration.
    If the question and the notice said something like this: 
Federal law allows us to share and sell your personal financial 
information for marketing purposes and marketing products. If 
you do not tell us not to, question, yes or no? Do you want us 
to be able to share or to sell your information without your 
written permission in advance? Yes or no. That would be simple.
    Senator Akaka. Yes.
    Mr. Kasper. Bold letters, easy to understand. The consumer 
understands.
    Ms. Schlafly. How about a box to check?
    Mr. Kasper. That is right. Yes or no. Check the box. That 
is exactly what I meant. Check the box, yes or no.
    Senator Akaka. Mr. Hatch.
    Mr. Hatch. Mr. Chairman, Senator Akaka, I think that you 
get a very simple notice. People aren't going to respond to an 
opt-out. People do not read these things. There is no 
inducement for it.
    In this country, we are used to an offer and an acceptance 
being an agreement. You have to have an affirmative act on both 
sides.
    What we have done here is deviated from hundreds of years 
of commerce by saying that we are going to go to an opt-out. If 
the law was simply changed to saying, you cannot trade the 
information without permission, other than to serve the actual 
transactions involved, I guarantee you the bank, the credit 
card company, everybody, it would be very simple. It would be 
very clear, and they would offer something. And the consumer 
would respond to that offer. It might be frequent flier miles. 
It might be--if, indeed, about $300 is made off the sale of 
information on myself and on everybody else here in a year, and 
if 20 percent of it, if they offered that, some consumers are 
going to respond.
    Yes, I do want my magazine subscriptions to be disclosed. 
No, I do not want my checks to be disclosed to other people. 
But give me the choice. It is my property. It is a personal 
liberty right.
    If you have an opt-in, people will respond. There will be 
disclosure of information. It is just simply that people will 
pay for it. We are going to find out that it is a free 
enterprise system. It is a capitalist system, it should be. 
Let's let it work. They will make real clear disclosures. It 
will be clear. And they will even offer something for it.
    Mr. Sorrell. I agree with General Hatch, that if opt-in was 
the standard, the industry that is struggling now to come up 
with simpler and more comprehensible privacy notices would find 
a way quickly to say clearly what the right is and make the 
case that it should be granted, that it wouldn't be eight pages 
into the notice and it wouldn't be using this language that 
somebody mentioned, you have to be a lawyer to understand it. 
This lawyer does not understand it.
    So if opt-in was the standard, the industry would find a 
way, using its expertise, to make the most compelling case, to 
convince the consumer why it is in the consumer's best interest 
to give this permission.
    We have, as I think was said before, only minuscule 
privacy- 
related complaints post-Gramm-Leach-Bliley. The reason for that 
is because the average consumer doesn't understand the notices, 
doesn't understand what the industry is doing in terms of the 
sharing of information right now.
    These battles are not over in the State capitals. It is 
literally just beginning. Efforts by this Committee and 
comparable committees in State capitals around the country, 
this thing is just starting.
    Mr. Mierzwinski. Senator, I agree with the two Attorneys 
General that opt-in is the right way to go. Without opt-in, you 
need to improve the notices by going to something like an 
express statutory language that appears in a box, as General 
Sorrell suggested earlier, similar to the nutrition box on the 
front of the notice. Because the only right you have is the 
limited right to say no to some of the sharing. But most of the 
notices put that at the end of the eight pages. The right has 
to be moved forward and then needs to be marketed by the 
agencies. And the legal gobbledygook and doublespeak needs to 
be eliminated.
    Senator Akaka. Yes, Dr. Cate.
    Dr. Cate. Senator, two responses, if I may.
    First, I think we have to distinguish the setting in which 
you are talking about consent being obtained.
    If we are talking about the opt-in or opt-out or whatever 
the choice is being on the document that opens the account or 
you apply for the loan, clarity of the notice will I think 
undoubtedly come and getting consumers to respond is 
comparatively easy because they have to respond. They have to 
do something to move on.
    What Gramm-Leach-Bliley did and what I think is of greater 
concern, is to apply a requirement to data that has already 
been collected, so consumers who are not coming to an 
institution looking for service, but rather, requiring the 
institution to go out to the consumer. We know that it is very 
difficult and enormously intrusive to the consumer to actually 
reach them.
    There are many studies, there is testimony before the 
Federal Communications Commission, there have been court cases 
on this about the number of phone calls it takes, the number of 
letters it takes, and the fact that adding money to the offer 
makes absolutely no difference statistically. For example, the 
Post Office tells us that unsolicited commercial mail, not 
first-class mail, but unsolicited commercial mail, that half, 
52 percent of those are thrown away without being opened. So it 
won't matter how many $5 bills you stuff in the envelope. If 
they are thrown away without being opened, it is going to be 
very difficult to get consent, no matter what the consent 
system is.
    The first point is that it is critical to keep in mind here 
the difference between the settings in which we might ask for 
consent. The second point is the question of liability related 
to notice.
    It would be much easier to write standardized notices, 
which I think were suggested earlier and are a terrific idea, 
notices you could compare across institutions like food 
labeling.
    The problem right now is that all of the information you 
have to explain to comply with the law, and if you explain 
inaccurately in any degree, you are liable. It is a strict 
liability standard.
    So if you say, ``no, we do not share your information with 
third parties,'' but it turns out you actually have a 
processing service that does work for you under contract, even 
though it cannot do anything with the information other than 
process it, that violates the terms of the notice.
    Then you get these complicated statements--``we do not 
share information with third parties, other than for processing 
purposes''--and these lengthy explanations.
    If we move to a common sense regulatory system, if the FTC, 
for example, were empowered to develop a system of basic 
questions that consumers would find the answers useful to--``Do 
you share information with third parties for marketing? Yes or 
no?'' That would be a question that I think all of us would 
understand the answer to, and I think frankly that is what many 
of us care about.
    We are not actually interested in who processes your 
payroll or who processes your checks. We want to know, ``Are 
you sharing the information so that I am going to be getting 
mail.''
    That type of notice offers tremendous opportunities because 
it also allows for real customization. You can say, not only 
``Do you want to hear from us or not,'' but also you can say, 
``Do you want to hear from us by e-mail? Do you want to hear 
from us by mail?''
    We can actually allow a tremendous amount of consumer 
choice. But we are going to have to back away from this very 
complex strict liability regime to make that work.
    Senator Akaka. Mr. Kasper, did you have a comment?
    Mr. Kasper. I did, Senator. Thank you.
    I just wanted to be sure the record reflected, in 
responding to your question about what the notice should say. 
That does not mean that I agree that that is what the notice 
should be. I support no-opt for affiliate-sharing and opt-in 
for nonaffiliate-sharing.
    The comments from the industry spokesmen begs to ask, are 
you assuming, then, that the people of the United States are 
sitting at home breathlessly waiting for their telephone to 
ring so that they can buy something from you on the telephone 
that they neither want, nor need?
    I happen to believe that the answer is no. People will buy 
when they want, from whom they want, and what they want, if 
they are left alone. This bombardment by the telemarketing 
organizations and the banking organizations assumes that the 
people want the stuff. They do not want it. They do not want to 
be intruded upon. They want to be left alone.
    Senator Akaka. Mr. Chairman, I know that my time is up. I 
just want to mention that next year, we may be considering the 
Fair Credit Reporting Act. We will need to look at possible 
changes in the legislation to ensure that consumers have the 
necessary privacy protections.
    Thank you very much, Mr. Chairman.
    Chairman Sarbanes. Thank you very much, Senator Akaka.
    Senator Carper.

              COMMENTS OF SENATOR THOMAS R. CARPER

    Senator Carper. Thank you, Mr. Chairman.
    To our witnesses, welcome. We thank you for your testimony 
today and for your response to the questions that are being 
posed.
    When Congress was debating and finally passing Gramm-Leach-
Bliley, I was back in Delaware trying to govern the State as 
their Chief Executive and I did not participate in the debate 
here or in the conference.
    I do not know if any of you are comfortable in taking us 
back a couple of years to the time when that debate was ongoing 
and the compromise was worked out, which is now part of the law 
of the land. And just take a minute and tell this old governor, 
how did we end up with the compromise that we now have?
    Mr. Dugan. Well, I was involved at the time representing 
financial institutions.
    I think--and this is just one person's view of how this 
came about--that there was, in fact, tremendous concern about 
imposing an opt-in regime and that, on the other hand, I think 
there was true concern about when information is shared outside 
a corporate family, and it led to the notion that something 
should be done to provide consumers with control when 
information gets shared outside of a corporate family.
    That is where the debate first started about providing--
some people wanted to go further and some people thought that 
we did not need anything. But that is where Congress struck the 
balance and said, we should allow consumers the right, make 
institutions give consumers the right, to opt-out for sharing 
outside of the corporate family.
    On the other hand, smaller financial institutions came in 
and said, that is not quite fair because for us to compete and 
offer a range of financial services, there are relationships 
that we have to enter into, joint marketing relationships with 
other financial institutions--not just any company, but other 
financial institutions--in order to survive, and we have to be 
put on the same footing, the same playing field as affiliates. 
That is what caused the creation of the joint marketing 
exception for the sharing of information with other financial 
institutions.
    Congress also imposed strict limits on the redisclosure and 
reuse of information, however it was shared. There was also 
tremendous debate--when this thing got started, everybody 
thought it was simple, but there were many, many kinds of 
information that needed to be shared, and not just to carry out 
a transaction. The law recognized a whole host of exceptions 
from the opt-out restriction, these exceptions were very 
suspiciously viewed at the time, but turned out to be very 
wisely put in and have not been controversial since then. For 
example, sharing information with regulators, for judicial 
process, to detect fraud, to share with credit bureaus, etc.
    That was the basic structure that was put in place. The 
notion also was, you had to have notices because opt-out only 
works if you have meaningful notices, and you had to have a 
regulatory scheme to enforce it and actually write detailed 
regulations about it.
    What has happened since then is that this is the first time 
that the Government has written such detailed privacy 
regulations. In a sense, the financial services industry has 
been something of a guinea pig in that you have very detailed 
regulations being written for the first time where people had 
to struggle on how these kinds of things were sorted out and a 
number of decisions were made.
    I think a lot of progress was made, but, obviously, as I 
mentioned in context with the notices, there are more 
improvements that could be made.
    Senator Carper. General Hatch.
    Mr. Hatch. Mr. Chairman, Senator Carper, this is my 
recollection and it is from the hinterland. So, I could be 
totally wrong and I am sure the Chairman has a much better 
recollection of how this privacy provision got into play. But 
in the hinterland, in June, I sued a bank, U.S. Bank, and 
alleged that they had taken a million depositors and sold 22 
pieces of information to telemarketers, making a lot of money 
on this thing.
    The day before, the OCC Chairman Hawke had given a speech 
in San Francisco, and he had been harping about this for years, 
saying, banks, you have to clean up your act.
    They are all denying it.
    So the day afterwards--they all denied it--we filed the 
suit. Very clearly, we were in communication with the OCC on 
this issue. We filed the suit, and I will never forget it. On 
Wednesday, all the banks said, oh, we are not doing this. Just 
U.S. Bank.
    By Thursday, all of them were saying, I guess we are doing 
it. We are not going to do it any more, because we were 
basically saying, it was consumer fraud because they had said 
that there was a right to privacy in their literature. We were 
also alleging a common law right to privacy with regard to 
financial data.
    They were disclosing, for instance, your high balance, your 
low balance, all sorts of information from whence, you know, a 
telemarketer will know when to hit you, which day of the month, 
how much disposable income you have, what your age is. And, as 
I mentioned earlier, two-thirds of this is targeted to the 
senior citizens.
    We were plowing through on this suit, and the bank came in 
and we started doing some negotiation. We had an opt-in agreed.
    But then, I get a call and I am told that the GLB, Gramm-
Leach-Bliley, is going through, which had nothing to do, to my 
knowledge, with privacy. The Chairman would know better than I. 
But my understanding was that it did not have anything to do 
with privacy at that time.
    There was a grand debate over Glass-Steagall that was 
passed in 1933, and the Douglas Amendment that was passed in 
1956 with regard to what banks, what business they could get 
into.
    And next thing I know, all these banks are plowing into 
Minnesota, or at least these lobbyists plowing in, all these 
threats and no, you cannot settle this thing with an opt-in. 
Congress is going to preempt everything.
    But for the Chairman's amendment, everything we were 
involved with then would be worthless.
    I do not think this was any great thought-out privacy act. 
But for the efforts to hold it off and allow the States to do 
something, it was just simply a way to get around killing the 
right to privacy as it relates to banks. Maybe I am wrong.
    Chairman Sarbanes. Well, for the sake of full and of fair 
disclosure----
    [Laughter.]
    --we should register that the position of the industry at 
the time was that there should be no privacy protection. That 
was their basic position.
    Now, what we ended up with in the bill was, there was an 
effort made to try to deal with the privacy issue and we got 
what I regard as some minimal provisions. But also, in light of 
the fact that they were so minimal, we were able to get a 
provision in, an explicit provision, that the States could go 
beyond the Federal.
    My own view is that if we had not gotten that provision in, 
that we would still not have preempted. But it would have left 
open the argument to be made, which I am sure the industry 
would have made, that simply putting the standard, the minimal 
standards, in constituted a preemption, even though the 
legislation might not have said that there was a preemption.
    In any event, we were able to avoid all of that by getting 
the 
explicit provision that the States can go beyond, and 
therefore, I think, saving the Attorneys General a lot of 
litigation that otherwise would have occurred, asserting that 
the minimal standards in Gramm-Leach-Bliley constituted a 
preemption.
    But to put all of this into perspective, the industry's 
position at the time that we were considering this legislation 
was that there should be no privacy protections.
    Mr. Dugan, I have to say to you and your clients here today 
that this issue has not reached a point of equilibrium or a 
point of repose, in my judgment. In other words, I do not think 
that the current provisions about privacy protection are 
perceived by most people as being adequate.
    Therefore, I think this issue is going to remain on the 
agenda. And it seems to me that it behooves those that are 
interested in it to start thinking in a positive and 
constructive way about what the system could be that would 
provide the extent of protection that most people would 
conclude is appropriate, that puts the issue to rest and might 
well encompass within it accommodations for some of the 
administrative things that the industry is concerned about. At 
least that should be examined and considered.
    Otherwise, it is my prediction that if we continue along in 
the current path, there will be the equivalent of Enron and 
Worldcom one of these days in the privacy field, and you may 
well end up with a regime which you say, oh, how did we ever 
get to this point? And the answer is going to be, you got there 
because you weren't trying to work through to a positive and 
rational solution.
    Now, I want to commend the Attorneys General for the 
interest they have taken. It is extremely important. And I know 
the two of you are only reflective of many others in other 
States across the country who have interested themselves in 
this issue.
    Mr. Kasper, certainly you contributed immeasurably by 
coming here today and telling us the North Dakota experience. 
Of course, Mr. Mierzwinski has been working on this issue.
    Ms. Schlafly, I have to say, you added this property 
dimension issue, property rights dimension. It is a very 
interesting dimension. I had not really thought about it as 
much as I probably should have until you started speaking here 
today. It is very interesting.
    If it means so much economically to these institutions to 
get this information and use it, obviously it has some kind of 
property value. It starts out coming from the consumer. That 
value should be protected or at least compensated for, perhaps. 
It raises a very interesting question, over and above the basic 
privacy issues.
    Anything else, Senator Carper?
    Senator Carper. Just one last thing, if I could. I am going 
to ask if maybe Mr. Dugan would just reply for the record and 
not here today because the hour is late.
    My wife is from North Carolina. A member of her family's 
identity was stolen, a victim of identity theft. Probably 
everybody here knows someone personally who has gone through 
what she has gone through. It has not been fun.
    And just in the last week, I get a weekly report from a 
person on my staff in Delaware who heads up constituent 
services for me. We are beginning to see a growing number of 
people who call our office because they too are victims of 
identity theft.
    The question I am going to ask, perhaps, for Mr. Dugan--I 
do not mean to pick on you, but just for the record, if you 
could let me know what steps you are aware of that the 
financial services industry is taking to help combat this 
problem.
    Mr. Dugan. I would be happy to do that, Senator. And I do 
just want to say, very briefly, that you raise a very good 
point.
    That is precisely the kind of thing, we do think that that 
is a real issue. And it is that kind of issue that, if there is 
a need, should be addressed, that there is legislation that 
needs to be done to take some steps in that direction. That is 
something, a targeted kind of harm where there is a problem. 
Then we should try to come up with things that go right at 
that, as opposed to something very nebulous and broad-based 
about information-sharing generally, to try to get at the same 
thing.
    But we would be happy to respond.
    Senator Carper. Thank you.
    Mr. Mierzwinski. Senator, if I could add briefly. From the 
consumer groups' perspective, identity theft results largely 
from a failure of the big banks, the credit card companies, and 
the credit 
bureaus to adhere to all of the Fair Information Practices and 
take care of our information.
    It is too easy for a thief to represent themselves as me. 
All they need is my Social Security number, a very poor unique 
identifier, and my name. And then they apply in my name. The 
credit bureau gives the bank a copy of a credit report that 
says, he passes, and then the credit card is mailed to the 
wrong guy.
    That is how easy it is.
    We consider this debate over opt-in and opt-out sometimes 
covers up all of the other issues related to privacy. But how 
the institutions take care of information is just as important.
    Senator Carper. Thanks, Mr. Chairman.
    Chairman Sarbanes. I may note as we draw to a close that 
the European Union has developed privacy protections well 
beyond anything that we have here.
    American companies are trying to meet an adequacy standard. 
They have not been able to do that yet. They may have to go to 
Safe Harbor, which they do not want to do because they would 
have to elevate the protections they provide. But I am 
increasingly concerned about this. The EU is a growing economic 
force, and its size, both in terms of population and gross 
national product compares with the United States.
    If we are not careful, many of the advantages that we have 
had as the economic leader, and I think, suppose the EU moves 
ahead with better privacy protections. They seem to be moving 
ahead with better accounting standards, although we may now be 
able to remedy that situation.
    But they have this accountability--we used to say to them, 
you have to do American-style accounting because that is the 
best in the world, the most transparent. We have the best 
integrity of the markets. And now they are saying to us, what?
    [Laughter.]
    They are out there trying to compete with us because we are 
falling short. These issues have far-ranging implications, I 
think. And this does not strike me as the issue that you are 
either here or you are there.
    There is obviously a whole area in which we can work to try 
to reach a reasonable solution. But I do think if we are going 
to do that, we have to move significantly back in the direction 
that our starting point is that this information belongs to the 
individual who provides the information. And then you go from 
there in terms of what uses can be made of it and the 
individual's involvement in making that judgment.
    We want to thank all of you for coming. This has been an 
extremely helpful panel. We appreciate the time and the effort 
that each of our witnesses gave in preparing for it.
    The hearing stands adjourned.
    [Whereupon, at 12:35 p.m., the hearing was adjourned.]
    [Prepared statements and additional material supplied for 
the record follow:]
                PREPARED STATEMENT OF WILLIAM H. SORRELL
                   Attorney General, State of Vermont
                           September 19, 2002
    Good morning, and thank you for inviting me to speak with you today 
on the important issue of financial privacy. I would like at the outset 
to recognize and express my gratitude for the critical role played by 
this Committee in the protection of consumers' financial privacy. 
Unfortunately, the Gramm-Leach-Bliley Act (GLB) \1\ does not protect 
consumers' financial privacy as intended by this Committee. I recommend 
that this Committee take further action to ensure that its previous 
good work results in real protections for consumers.
---------------------------------------------------------------------------
    \1\ Pub. L. No. 106 -102 (1999).
---------------------------------------------------------------------------
    In these comments I address the following topics:

    1. The inability of GLB, as currently construed by Federal 
regulators, to stop the abusive telemarketing practices that gave rise 
to the financial privacy provisions of GLB in the first instance.
    2. The inability of consumers to exercise their rights under GLB 
because industry notices are incomprehensible.
    3. The problems associated with sharing of financial information 
among corporate affiliates.
    4. The need to allow States to continue to address problems 
associated with sharing of financial information both among affiliates 
and nonaffiliated third parties.
    5. Recommendations for Congressional action in these areas.
GLB Does Not Protect Consumers From Harms Associated With Sharing
Nonpublic Financial Information
    Congress intended Title V of GLB to protect consumers from abuses 
associated with sharing of nonpublic personal financial information. As 
a result of enforcement actions brought by State Attorneys General 
against information-sharing practices of major banking institutions, 
Congress created Title V to protect consumers with respect to such 
sharing of their financial information. However, the provisions of 
Title V are insufficient to protect consumers from the harms associated 
with these practices, and pose considerable risks to consumers. The 
provisions that allow financial institutions to share encrypted account 
numbers and other forms of billing information for marketing purposes 
are particularly troublesome. Moreover, the notices issued by financial 
institutions under GLB have been dense and require a high reading level 
to comprehend, resulting in consumer confusion and inability to 
exercise informed choice. Congress should act to correct these 
problems, thus ensuring Title V's capacity to protect consumers in the 
area of financial privacy.
GLB Does Not Protect Consumers From Fraudulent Telemarketing
    The information held by financial institutions about their 
customers is highly valuable. While financial institutions might not 
disclose this highly valuable information to their competitors, they do 
disclose this information to marketing partners and to third parties 
for the purpose of jointly marketing products and services unrelated to 
the customers' current service selection, and even unrelated to the 
particular type of services performed by the financial institution 
itself. The harm to a consumer resulting from this type of information-
sharing stems from the tactics sometimes used in marketing new products 
to the consumer, who usually does not realize that the marketer already 
has the consumer's credit card number, or access to the credit card 
account through an encrypted number or other unique means of 
identification.
    Indeed, it was well known in 1999 that practices of sharing 
customer financial information by major banking institutions 
facilitated these telemarketing abuses. In the spring of 1999, the 
Minnesota Attorney General announced a settlement with U.S. Bancorp, 
resolving allegations that U.S. Bancorp misrepresented its practice 
of selling highly personal and confidential financial information 
regarding its 
customers to telemarketers. One year later, thirty-nine additional 
States and the District of Columbia entered into a similar 
settlement.\2\ The States' investigation focused on the bank's sale of 
customer information--including names, addresses, telephone numbers, 
account numbers, and other sensitive financial data--to marketers. 
Based on this confidential information, the marketers made 
telemarketing calls and sent mail solicitations to the bank's customers 
in an effort to get them to buy the marketers' products and services, 
including dental and health coverage, travel benefits, credit card 
protection, and a variety of discount membership programs. Buyers were 
billed for these products and services by charges placed on their U.S. 
Bancorp credit card. In return for providing confidential information 
about its customers, U.S. Bancorp received a commission of 22 percent 
of net revenue on sales with a guaranteed minimum payment of $3.75 
million.
---------------------------------------------------------------------------
    \2\ The basis for the States' action was their charge that U.S. 
Bancorp misrepresented its privacy policy to its customers. In some 
account agreements provided to its customers, the bank listed the 
circumstances under which information would be disclosed, but failed to 
include any 
reference to the bank's practice of providing such information to 
vendors for direct marketing purposes.
---------------------------------------------------------------------------
    As a result of the evidence uncovered through the U.S. Bancorp 
case, Congress intended to limit the ability of financial services 
companies to sell or give their customers' nonpublic personal 
information to third-party telemarketers. Congress intended to 
forestall these abusive telemarketing practices by specifically 
prohibiting financial institutions from sharing an account number or 
similar form of access number or access code for a credit card account, 
deposit account, or transaction account of a consumer with any 
nonaffiliated third-party for use in telemarketing, direct mail 
marketing, or other marketing through electronic mail to the 
consumer.\3\
---------------------------------------------------------------------------
    \3\ Gramm-Leach-Bliley Act, Pub. L. 106 -102, Nov. 12, 1999, 113 
Stat. 1338, Section 502(d).
---------------------------------------------------------------------------
    However, the regulations adopted to implement GLB allow financial 
institutions to sell or to share encrypted credit card numbers or other 
unique identifiers, which enables the telemarketing abuses that were at 
the heart of Congressional concern to continue unabated. The Federal 
agencies' rules implementing this section on sharing of account numbers 
sets forth two ``examples,'' the first one of which states:

          Account number. An account number, or similar form of access 
        number or access code, does not include a number or code in an 
        encrypted form, as long as the bank does not provide the 
        recipient with a means to decode the number or code. CFR 
        Sec. 40.12(c) [emphasis added].

    Thus, a telemarketer or other recipient of an encrypted account 
number or unique identifier is able to notify a financial institution 
that a particular consumer indicated a desire to purchase an item, thus 
causing the consumer's account to be charged, without ever asking the 
consumer for permission to charge the account. The financial 
institution then uses its decode mechanism, which it never shares with 
an unaffiliated party, to determine which account to charge. This type 
of marketing is known as ``preacquired account'' telemarketing. The 
possibility of unauthorized charges and fraudulent practices in such 
circumstances is greatly increased over situations where the consumer 
must affirmatively give a credit card number for the account to be 
charged.
    Preacquired account telemarketing is inherently unfair and 
susceptible to causing deception and abuse, especially with elderly and 
vulnerable consumers. Preacquired account telemarketing turns on its 
head the normal procedures for obtaining consumer consent. Other than a 
cash purchase, providing a signature or an account number is a readily 
recognizable means for a consumer to signal assent to a deal. 
Preacquired account telemarketing removes these shorthand methods of 
consumer control. The telemarketer not only establishes the method by 
which the consumer will provide consent, but also decides whether the 
consumer actually consented.
    The Federal Trade Commission, in its recent Notice of Proposed 
Rulemaking 
regarding the Telemarketing Sales Rule, has proposed prohibiting 
``preacquired account'' telemarketing.\4\ Forty-nine States, the 
District of Columbia, and three Territories recently filed comments 
with the Federal Trade Commission that strongly support this 
proposal.\5\ In their comments, these States, Territories, and the 
District of Columbia noted that the consequence of this fundamentally 
unfair selling method is clear: Consumers are assessed charges for 
products they did not want, and did not understand they were 
purchasing.
---------------------------------------------------------------------------
    \4\ 67 Fed. Reg. 4491.
    \5\ Comments of 52 Attorneys General, the District of Columbia 
Corporation Counsel, and the Hawaii Office of Consumer Protection 
Regarding Proposed Amendments to the Telemarketing Sales Rule, April 
12, 2002, available at www.naag.org.

          Fleet Mortgage Corporation, for instance, entered into 
        contracts in which it agreed to charge its customer-homeowners 
        for membership programs and insurance policies sold using 
        preacquired account information. If the telemarketer told Fleet 
        that the homeowner had consented to the deal, Fleet added the 
        payment to the homeowner's mortgage account. Angry homeowners 
        who discovered the hidden charges on their mortgage account 
        called Fleet in large numbers.\6\ . . . Approximately one-fifth 
        of all calls by Fleet customers were about these preacquired 
        account ``sales.'' Customers overwhelmingly told Fleet that 
        they did not sign up for the product, and wanted to know how it 
        was added to their mortgage accounts without their approval, 
        consent, or signature.\7\
---------------------------------------------------------------------------
    \6\ The mortgage statements issued by Fleet hid the charges under 
the rubic ``opt.prod.'' at the very bottom of the bill in small print, 
such that it was extremely difficult to discover the charge or discern 
the purpose of the charge. For consumers on auto-draft from their 
checking or other bank account, Fleet gave no written notice of the 
charge.
    \7\ Comments of 52 Attorneys General, the District of Columbia 
Corporation Counsel, and the Hawaii Office of Consumer Protection 
Regarding Proposed Amendments to the Telemarketing Sales Rule, supra 
note 5.

    This Committee should take the lead in protecting consumers from 
such abusive telemarketing practices by prohibiting the use of 
encrypted numbers, unique identifiers, and other means for accessing a 
consumer's account.
    Moreover, it seems likely that, as information-sharing increases, 
the risk of misuse or misappropriation of such information increases as 
well. It may well be that the greater the quantity and level of detail 
of confidential information, and the more entities that possess such 
information, the higher the chance that the information will be stolen 
or misappropriated, or used for other inappropriate purposes, such as 
the improper denial of credit, insurance, or employment. I therefore 
urge this Committee to look beyond the known risks of telemarketing 
abuses to identify and evaluate less obvious risks, including potential 
identity theft.
GLB Notices are Inadequate to Advise Consumers of Their Rights With
Respect to Information Sharing
    The notices to consumers that are required under GLB \8\ are 
woefully inadequate. Consumers have been greatly confused by the dense 
information in the notices, which require a high education level to 
comprehend. As a result, consumers have not been adequately informed 
about their rights to opt-out of information-sharing with third 
parties.
---------------------------------------------------------------------------
    \8\ 15 U.S.C. Sec. 6802(b)(1)(A).
---------------------------------------------------------------------------
    The opt-out notices provided by financial institutions in their 
effort to comply with GLB have not been ``clear and conspicuous,'' as 
those terms are commonly understood. Opt-out notices mailed by many 
financial institutions have been unintelligible and couched in language 
several grade levels above the reading capacity of the majority of 
Americans.\9\ Experts have highlighted the inadequacy of such 
statements. Mark Hochhauser, Ph.D., a readability expert, reviewed 
sixty GLB opt-out notices. Dr. Hochhauser determined that these notices 
were written at an average third or fourth year college reading level, 
rather than the junior high level comprehensible to the general 
public.\10\ For example, the notice sent to customers by one financial 
institution stated:
---------------------------------------------------------------------------
    \9\ See Robert O'Harrow, Jr., ``Getting a Handle on Privacy's Fine 
Print: Financial Firms' Policy Notices Aren't Always `Clear and 
Conspicuous,' as Law Requires,'' The Washington Post, June 17, 2001, at 
H-01.
    \10\ Mark Hochhauser, Ph.D., ``Lost in the Fine Print: Readability 
of Financial Privacy Notices,'' http://www.privacyrights.org/ar/GLB-
Reading.htm (2001).

          If you prefer that we not disclose nonpublic personal 
        information about you to nonaffiliated third parties, you may 
        opt-out of those disclosures, that is, you may direct us not to 
        make those disclosures (other than disclosures permitted by 
        law).\11\
---------------------------------------------------------------------------
    \11\ See Hochhauser, supra n. 10.

    Recent surveys demonstrate that consumers either never see and read 
such complicated opt-out notices, or they do not understand them. A 
survey conducted by the American Bankers Association \12\ found that 41 
percent of consumers did not recall receiving their opt-out notices, 22 
percent recalled receiving them but did not read them, and only 36 
percent reported reading the notice. Another survey, conducted by 
Harris Interactive for the Privacy Leadership Initiative, announced its 
results in early December 2001.\13\ The Harris Survey indicated that 
only 12 percent of consumers carefully read GLB privacy notices most of 
the time, whereas 58 percent did not read the notices at all or only 
glanced at them. The Harris Survey further 
indicated that lack of time or interest and difficulty in understanding 
or reading the notices top the list of the reasons why consumers do not 
spend more time reading them.
---------------------------------------------------------------------------
    \12\ Available at http://www.aba.com/Press+Room/bankfee060701.htm.
    \13\ Available at http://www.ftc.gov/bcp/workshops/glb (hereinafter 
``Harris Survey'').
---------------------------------------------------------------------------
    Those consumers that do read the GLB notices have voiced numerous 
complaints, raising concerns that the financial institutions' 
unintelligible notices are an attempt to mislead them.\14\ The opt-out 
approach promulgated under GLB has proven so problematic that the 
Federal agencies that administer the regulations under GLB convened an 
Interagency Public Workshop to address the concerns that have been 
raised ``about clarity and effectiveness of some of the privacy 
notices'' sent out under GLB.\15\ The agencies noted that consumers 
have complained that ``the notices are confusing and/or misleading and 
that the opt-out disclosures are hard to find.'' \16\
---------------------------------------------------------------------------
    \14\ Harris Survey, supra n. 13.
    \15\ Interagency Public Workshop, ``Get Noticed: Effective 
Financial Privacy Notices,'' http://www.ftc.gov/bcp/workshops/glb/; see 
also Press Release, ``Workshop Planned to Discuss Strategies for 
Providing Effective Financial Privacy Notices,'' http://www.ftc.gov/
opa/2001/09/glbwkshop.htm (September 24, 2001).
    \16\ See Joint Notice Announcing Public Workshop and Requesting 
Public Comment, ``Public Workshop on Financial Privacy Notices,'' at 3.
---------------------------------------------------------------------------
    Where the vast majority of consumers do not even read opt-out 
notices, and those who read the notices cannot understand them, it 
cannot be said that they are able to understand their rights and 
exercise their choices intelligently. As a result, the Attorneys 
General of forty-two States, the District of Columbia, and two 
Territories called on the FTC and other Federal regulatory agencies to 
create standard notices and require much simpler language so that 
consumers can understand them.\17\
---------------------------------------------------------------------------
    \17\ See Comments of 44 Attorneys General to Federal Trade 
Commission Regarding GLB Notices, dated February 15, 2002, available at 
www.naag.org.
---------------------------------------------------------------------------
    Congress should step in and require the Federal agencies to create 
standard notice forms for use by the financial services industry under 
GLB. Standard notices for financial privacy could be modeled on the 
nutritional labeling required by the Congress under the Nutritional 
Labeling and Education Act. Use of such standard notices would enable 
consumers to much more easily understand their rights, and to exercise 
their choices allowed under Federal law.
The FCRA Does Not Adequately Protect Consumers From Abuses
Associated With Sharing of Nonpublic Personal Financial
Information Among Affiliates
    The concerns with respect to sharing of information with 
unaffiliated third parties --abusive telemarketing practices and 
incomprehensible notices--apply with equal force with respect to 
sharing of nonpublic personal financial information among corporate 
affiliates. The breadth and number of affiliates of some financial 
institutions is breathtaking, yet most consumers remain unaware of the 
existence or identity of their financial institutions' affiliates. 
Consumers should be better protected from the harms associated with 
affiliate-sharing by giving consumers an effective choice before 
credit-related information can be shared throughout a vast corporate 
complex.
    Under the FCRA, consumers have no choice as to whether their 
transaction and experience information will be shared with their 
financial institution's corporate affiliates. Moreover, once they are 
given a notice and opportunity to opt-out, all other information can 
also be shared with the corporate affiliate group. Thus information 
about the consumer's income, employment history, credit score, marital 
status, and medical history can be shared with ease among corporate 
affiliates.
    GLB greatly expanded the activities that were permissible under one 
corporate umbrella, as it allowed insurance, securities, and banking 
institutions to affiliate with each other. Even prior to enactment of 
GLB, financial institutions were allowed to affiliate with a broad 
spectrum of companies. The list of activities that are identified by 
the Federal Reserve Board in its rulemaking as ``financial'' in nature 
or closely related to financial activities, and therefore permissible 
for inclusion within a financial holding company, goes well beyond 
traditional financial activities, and includes the following:

 Insuring, guaranteeing, or indemnifying against loss, harm, 
    damage, illness, disability, or death, or providing and issuing 
    annuities, and acting as principal, agent, or broker for purposes 
    of the foregoing, in any State.

 Providing financial, investment, or economic advisory 
    services, including advising an investment company (as defined in 
    Section 3 of the Investment Company Act of 1940).

 Issuing or selling instruments representing interests in pools 
    of assets permissible for a bank to hold directly.

 Underwriting, dealing in, or making a market in securities.

 Leasing real or personal property (or acting as agent, broker, 
    or advisor in such leasing) without operating, maintaining, or 
    repairing the property.

 Appraising real or personal property.

 Check guaranty, collection agency, credit bureau, real estate 
    settlement services.

 Providing financial or investment advisory activities 
    including tax planning, tax preparation, and instruction on 
    individual financial management.

 Management consulting and counseling activities (including 
    providing financial career counseling).

 Courier services for banking instruments.

 Printing and selling checks and related documents.

 Community development or advisory activities.

 Providing financial data processing and transmission services, 
    facilities (including hardware, software, documentation, or 
    operating personnel), databases, advice, or access to these by 
    technological means.

 Leasing real or personal property (or acting as agent, broker, 
    or advisor in such leasing) where the lease is functionally 
    equivalent to an extension of credit.

 Providing investment, financial, or economic advisory 
    services.

 Operating a travel agency in connection with financial 
    services.\18\
---------------------------------------------------------------------------
    \18\ Examples 1- 4 are from 12 U.S.C. Sec. 4(k); examples 5 -13 are 
from 12 CFR Sec. 225.28; and examples 14 -16 are from 12 CFR 
Sec. 211.5(d).

    Thus the types of businesses with which traditional financial 
institutions may now affiliate themselves, in addition to banking, 
---------------------------------------------------------------------------
insurance, and securities brokerage, include:

 mortgage lenders;

 ``pay day'' lenders;

 finance companies;

 mortgage brokers;

 account servicers;

 check cashiers;

 wire transferors;

 travel agencies operated in connection with financial 
    services;

 collection agencies;

 credit counselors and other financial advisors;

 tax preparation firms;

 non-Federally insured credit unions; and

 investment advisors that are not required to register with the 
    Securities and Exchange Commission.\19\
---------------------------------------------------------------------------
    \19\ 16 CFR Sec. 313.1 (b).

    Also included among the list of permissible affiliates are 
institutions that are ``significantly engaged in financial 
---------------------------------------------------------------------------
activities,'' such as:

 A retailer that extends credit by issuing its own credit card 
    directly to consumers.

 A personal property or real estate appraiser.

 An automobile dealership that, as a usual part of its 
    business, leases automobiles on a nonoperating basis for longer 
    than 90 days.

 A career counselor that specializes in providing career 
    counseling services to individuals currently employed by or 
    recently displaced from a financial organization, individuals who 
    are seeking employment with a financial organization or individuals 
    who are currently employed by or seeking placement with the 
    finance, accounting or audit department of any company.

 A business that prints or sells checks for consumers, either 
    as its sole business or as one of its product lines.

 An accountant or other tax preparation service that is in the 
    business of completing income tax returns.

 An entity that provides real estate settlement services.\20\
---------------------------------------------------------------------------
    \20\ 16 CFR Sec. 313.3 (k)(2).

    The number and breadth of affiliates currently associated with some 
of the country's major financial institutions is astounding. Submitted 
with these comments for the Committee's official record are the 
corporate affiliate lists for Bank of America Corporation, Citigroup, 
Inc., and KeyCorp,\21\ which serve as three examples of the level of 
affiliation at large- and mid-sized banking institutions in this 
country. Bank of America lists 1,476 corporate affiliates; Citigroup 
lists 2,761 corporate affiliates; and KeyCorp lists 871. A perusal of 
these corporate affiliate lists demonstrates that these holding 
companies appear to be involved in widely disparate activities, 
including insurance, securities, international banking, real estate 
holdings, and development, and equipment leasing. Some of these 
affiliate operations may, in the normal course of their business, 
gather highly personal health information about consumers. A consumer 
holding a credit card with the lead bank or a property and casualty 
insurance policy with a major insurer in any of these affiliate groups 
would not expect that his or her transaction and experience information 
would be spread throughout the corporate affiliate structure for the 
purpose not of servicing the consumer better, but of marketing products 
to the consumer.
---------------------------------------------------------------------------
    \21\ These lists, and other corporate affiliate lists for bank 
holding companies can be obtained at http://132.200.33.161/nicSearch/
servlet/NICServlet?$GRP$=INSTHIST&REQ=MERGEDIN &MODE=SEARCH.
---------------------------------------------------------------------------
    The only appropriate mechanism for giving consumers control over 
sharing of information within such broad affiliate groups is to require 
that consumers be given effective notice and choice before their 
information may be shared with affiliates.
    Unfortunately, current notices to consumers about their rights 
under the FCRA with respect to sharing of nonpublic personal financial 
information with affiliates are highly inadequate, just like the 
notices about consumers' rights under GLB. Indeed, both GLB and the 
FCRA require that notices about information-sharing practices and 
information about how consumers can exercise their opt-out rights must 
be written in a ``clear and conspicuous'' manner.\22\ The Federal 
regulatory agencies have not yet issued any guidance on how these two 
notice requirements work together. Many financial institutions have 
incorporated their affiliate-sharing notices required under the FCRA 
within their notices about the sharing of information with unaffiliated 
third parties required under GLB. Consumers have experienced the same 
problems outlined previously, with respect to affiliate-sharing notices 
as they have experienced with notices about sharing of information with 
unaffiliated third parties.
---------------------------------------------------------------------------
    \22\ 15 U.S.C. Sec. 6802(b)(1)(A); 15 U.S.C. 
Sec. 1681a(d)(2)(A)(iii).
---------------------------------------------------------------------------
    Accordingly, Congress should require financial institutions to give 
consumers an effective choice before nonpublic personal financial 
information can be shared among affiliates. Moreover, Congress should 
direct that the standard financial privacy notices to be created by the 
Federal regulatory agencies contain a standard format for information 
about affiliate-sharing practices and consumers' choices to control 
such sharing.

Congress Should Continue to Allow States to Enact More Protective
Laws With Respect to Financial Privacy

    Prior to GLB, States had enacted provisions relating to financial 
privacy that were more protective than the provisions of Federal law. 
This Committee ensured the ability of States to continue to protect 
their citizenry by enacting Section 507 of GLB, which allows States to 
adopt financial privacy laws relating to sharing with unaffiliated 
third parties that are more protective than Title V. Due to the 
inadequacies of GLB discussed above, States and localities have been 
exercising this authority to ensure that their consumers' financial 
information is protected. Moreover, under the FCRA, the current 
preemption of more protective State laws relating to affiliate-sharing 
is due to sunset on December 31, 2003.
    This Committee should ensure that States continue to be entitled to 
enact more protective laws with respect to sharing of financial 
information with third parties and affiliates.

State Law on Information Sharing With Unaffiliated Third Parties

    Recognizing that many of the problems inherent with GLB stem from 
the Federal law's acceptance of consumer ``opt-out'' as an appropriate 
means of registering consumer choice, States and local governments have 
been actively adopting laws that require consumers to opt-in before 
their information can be shared. There are currently six States that 
have enacted laws that require some form of opt-in before 
financial information can be shared by banks.\23\ Fourteen States have 
enacted laws or regulations that require some form of consumer consent 
before financial information can be shared by insurance companies.\24\ 
In addition, North Dakota voters recently adopted a referendum 
reversing the State legislature's repeal of that State's opt-in law, 
putting that State's banking opt-in law back on the books. Two 
California localities--San Mateo County and Daly City--also have 
recently adopted ordinances requiring affirmative consumer consent 
before financial information can be shared. These laws are a reaction 
by State and local governments to the problems associated with GLB, and 
an effort by these governments to provide consumers with protections 
greater than those afforded under Federal law.
---------------------------------------------------------------------------
    \23\ Alaska (Alaska Stat. Sec. 06.05.175); Connecticut (Conn. Gen. 
Stat. Ann. Sec. 36a- 42); Illinois (205 Ill. Comp. Stat. Ann. 5/48.1); 
Maryland (Md. Code Ann., Financial Institutions Sec. 1-302); North 
Dakota (N.D. Cent. Code Sec. 6-08.1-04); and Vermont (VT. Stat. Ann. 
tit. 8, Sec. 10201 and BISHCA Regulation B-2001-01).
    \24\ Arizona (Ariz. Rev. Stat. Ann. Sec. 20-2113); California (Cal. 
Ins. Code Sec. 791.13); Connecticut (Conn. Gen. Stat. Ann. Sec. 38a-
988); Georgia (Ga. Code Ann. Sec. 33-39-14); Maine (Me. Rev. Stat. Ann. 
tit. 24-A, Sec. 2215); Massachusetts (Mass. Gen. Laws Ann. ch. 175I, 
Sec. 13); Minnesota (Minn. Stat. Ann. Sec. 72A.502); Montana (Mont. 
Code Ann. Sec. 33-19-306); Nevada (Nev. Admin. Code ch. 679B 
Sec. Sec. 679B.560 - 679B.750); New Jersey (N.J. Stat. Ann. 
Sec. 17:23A-13); New Mexico (N.M. Admin. Code tit. 13, 
Sec. Sec. 13.1.3.1 -13.1.1.28); North Carolina (N.C. Gen. Stat. 
Sec. 58 -39 -75); Ohio (Ohio Rev. Code Ann. Sec. 3904.13); Oregon (Or. 
Rev. Stat. Sec. 746.665); and Vermont (VT. BISHCA Regulation IH-2001-
01).
---------------------------------------------------------------------------
    Some States have adopted laws or regulations that are designed to 
address some of the specific problems consumers face under Federal law. 
For example, Vermont's new financial privacy regulations specifically 
prohibit banks, insurance companies, and securities firms from sharing 
encrypted account numbers or other unique identifiers that would allow 
telemarketers and others to access a consumer's account. See, that is, 
Vermont Department of Banking, Insurance, Securities, and Health Care 
Administration Regulation B-2001-01, Section 13 (available at http://
www. state.vt.us/atg/Banking%20Adopted%20Rule.pdf ).
    Congress should ensure that States can continue to be allowed to 
protect their consumers with respect to sharing of financial 
information with third parties by enacting laws that are more 
protective than GLB's Title V.

State Law on Affiliate Sharing

    Similarly, Congress should ensure that States can adopt laws that 
are more protective than the FCRA with respect to affiliate-sharing. 
The FCRA prohibits States from enacting or enforcing provisions with 
respect to sharing of information among affiliates until January 1, 
2004.\25\ Congress should allow this preemption provision to sunset, as 
scheduled, on January 1, 2004. After that date, States will be allowed 
to enact laws with respect to affiliate-sharing if two conditions are 
met:
---------------------------------------------------------------------------
    \25\ See 15 U.S.C. Sec. Sec. 1681t(b)(2) and (d).

 The State provision explicitly states that it is intended to 
---------------------------------------------------------------------------
    supplement the Federal FCRA.

 The State provision gives greater protection to consumers than 
    is provided under the Federal FCRA.\26\
---------------------------------------------------------------------------
    \26\ 15 U.S.C. Sec. 1681t(d).

    Currently, Vermont is the only State that has a law directly 
regulating affiliate-sharing. Vermont law, like Federal law, allows 
affiliates to share transaction and experience information without any 
notice to a consumer and without any way for a consumer to prevent the 
sharing. However, before financial institutions can share credit 
reporting information about Vermont consumers with their affiliates 
under Vermont law, the institutions must obtain affirmative consent--or 
opt-in--from the consumer.
    Because Vermont was the only State to have addressed the issue of 
affiliate-sharing at the time of the 1996 revisions to the FCRA, 
Congress specifically exempted Vermont's State consent provision from 
FCRA preemption ``with respect to the exchange of information among 
persons affiliated by common ownership or common corporate control.'' 
\27\ Congress should allow other States to address concerns with 
respect to affiliate-sharing by allowing the preemption of such State 
laws to sunset as scheduled.
---------------------------------------------------------------------------
    \27\ 15 U.S.C. Sec. 1681t(b)(2).
---------------------------------------------------------------------------
Recommendations for Congressional Action
    In sum, I recommend the following as appropriate steps for this 
Committee to take to ensure that consumers' financial privacy is 
protected:

    1. To prevent abusive telemarketing practices of the type that led 
to enactment of Title V in the first instance, prohibit financial 
institutions from using encrypted account numbers, unique identifiers, 
or other means to access a consumer's account without explicit 
authorization from the consumer.

    2. To ensure that consumers understand their rights under Federal 
law with respect to financial privacy, require the Federal Agencies 
responsible for GLB regulation to develop standard financial privacy 
notices similar to the nutritional labels developed by the Food and 
Drug Administration under the Nutritional Labeling and Education Act.

    3. Ensure that consumers have effective notice and choice with 
respect to affiliate-sharing.

    4. Continue to allow States to enact more protective provisions 
with respect to sharing of financial information among unaffiliated 
third parties.

    5. Allow the preemption of more protective State laws governing 
affiliate-sharing to sunset as scheduled on December 31, 2003.
                   PREPARED STATEMENT OF FRED H. CATE
           Professor of Law, Indiana University School of Law
                           September 19, 2002
    My name is Fred Cate, and I am a Professor of Law and Ira C. Batman 
Faculty Fellow at the Indiana University School of Law in Bloomington, 
and a Senior Policy Advisor at the Hunton & Williams Center for 
Information Policy Leadership. For the past 13 years, I have 
researched, written, and taught about information laws issues 
generally, and privacy law issues specifically. I directed the 
Electronic Information Privacy and Commerce Study for the Brookings 
Institution, served as a Member of the Federal Trade Commission's 
Advisory Committee on Online Access and Security, and currently am a 
Visiting Fellow, addressing privacy issues, at the American Enterprise 
Institute.
    I appreciate the opportunity to testify today, and I am doing so on 
my own behalf. My views should not be attributed to Indiana University 
or to any other institution or person.
The Importance of Consumer Concern
    The polling data, newspaper editorial pages, this summer's 
referendum in North Dakota, and anecdotal evidence all suggest that 
consumers are concerned about personal financial information and how it 
is accessed and used both by the Government and private industry. It is 
important to view this concern in context.
    The concern is not surprising, given the amount of press and 
political attention given privacy issues, the increased focus on 
privacy issues and the dramatic growth in privacy-related products and 
services by financial institutions, and the deluge of a billion or more 
privacy notices that financial institutions are required by Federal law 
to mail to their customers annually.
    When viewed in this context, I believe the existence of consumer 
concern is not only predictable but largely healthy: It tells us that 
consumers are paying more attention to important privacy issues, and 
are interested in how their privacy can be better protected. Given that 
many of the most effective privacy protections--especially to guard 
against identity theft--are the steps that individuals alone can each 
take individually, this new interest is critical.
The Absence of Consumer Action
    It is also important not to lose sight of the context of consumer 
action--as opposed merely to polls. Under the requirements of Gramm-
Leach-Bliley, by July 1, 2001, tens of thousands of financial 
institutions had mailed approximately 1 billion notices. If ever 
consumers would respond, this would appear to be the occasion: The 
notices came in an avalanche that seems likely to have attracted 
consumer attention, the press carried a wave of stories about the 
notices and about State efforts to supplement Gramm-Leach-Bliley's 
privacy provisions, privacy advocates lauded the opt-out opportunity 
and offered online services that would write opt-out requests for 
consumers, and the information at issue--financial information--is 
among the most sensitive and personal to most individuals.
    Yet the response rate was negligible. The available published 
information indicates that fewer than 5 percent of consumers responded 
to the deluge of notices by opting out of having their financial 
information shared with third parties. For many financial institutions, 
the response rate was lower than 1 percent. And this appears to be 
consistent with response rates to other privacy-related opt-out 
opportunities, such as the Fair Credit Reporting Act's opt-out 
provisions applicable to prescreening and sharing credit reports with 
affiliates; the Direct Marketing Association's mail, telephone, and e-
mail opt-out lists; and other company-specific lists.
    Before considering the adoption of new privacy laws, I would urge 
Congress to first consider why consumers do not take advantage of 
existing opportunities to restrict the sharing or use of information.
The Interference with Competing Desires
    Consumers' concern about privacy protection must also be examined 
in the context of other consumer issues. Consumers want not only more 
privacy, but also lower rates on mortgages and loans, higher returns on 
CD's and investments, and faster and more personalized service. Privacy 
laws can interfere with these other objectives, both by restricting the 
flow of information on which they depend, and by imposing high 
transaction costs on consumers and financial institutions alike.
Restricting the Benefits of Open Information Flows
    Consider just a few of the many examples of the consumer benefits 
that depend on accessible information and that are threatened by more 
restrictive privacy laws. Businesses and other organizations use 
personal information to identify and meet customer needs. According to 
Federal Reserve Board Governor Edward Gramlich: ``Information about 
individuals' needs and preferences is the cornerstone of any system 
that allocates goods and services within an economy.'' The more such 
information is available, ``the more accurately and efficiently will 
the economy meet those needs and preferences.'' \1\
---------------------------------------------------------------------------
    \1\ Financial Privacy, Hearings before the Subcommittee on 
Financial Institutions and Consumer Credit of the House Committee on 
Banking and Financial Services, July 21, 1999 (statement of Edward M. 
Gramlich).
---------------------------------------------------------------------------
    Information-sharing allows financial institutions to ``deliver the 
right products and services to the right customers, at the right time, 
more effectively and at lower cost,'' Fred Smith, Founder and President 
of the Competitive Enterprise Institute, has written.\2\ The use of 
personal information to recognize and respond to individual customer 
needs is the definition of good customer service. Personalized 
service--epitomized by George Bailey, small-town banker played by Jimmy 
Stewart in ``It's a Wonderful Life''--is what many consumers want. The 
Los Angeles Times reported in December 1999, about customers who are 
understandably ``irritated if the bank fails to inform them that they 
could save money by switching to a different type of checking 
account.'' But, of course, as the newspaper noted, ``to reach such a 
conclusion, the bank must analyze the customer's transactions. . . .'' 
\3\
---------------------------------------------------------------------------
    \2\ Fred L. Smith, Jr., Better to Share Information, Desert News 
(Salt Lake City, UT), October 14, 1999, at A22.
    \3\ Edmund Sanders, Your Bank Wants to Know You, The Los Angeles 
Times, December 23, 1999, at A1.
---------------------------------------------------------------------------
    By having a complete picture of its customers' financial 
situations, banks can offer them bundled services at a single lower 
price than if provided on an a la carte basis. Customers benefit in two 
ways: First, they are offered a range of diversified services that are 
most appropriate for their individual financial situations. Second, 
they get those services at a lower price.
    For example, a consumer may choose to link her mortgage loan with a 
checking or savings account at the lender's affiliate, and thereby 
avoid minimum balance requirements for the checking or savings account, 
and enjoy the convenience of being able to arrange for direct 
deductions from a bank account to make the monthly mortgage payment. A 
financial services institution can aggregate all of a customer's 
accounts to satisfy minimum balance requirements. It can make an 
instant decision whether to increase a credit line, based on its total 
relationship with the customer. Washington attorney L. Richard Fischer 
writes: ``Information-sharing also enables financial institutions to 
offer consumers popular products such as `affinity' or `co-brand' 
credit card accounts. Such programs provide frequent flyer miles, 
grocery, or gasoline rebates, and other benefits to credit cardholders. 
Other such programs permit universities and other not-for-profit 
organizations to benefit from cardholder use of their accounts.'' \4\
---------------------------------------------------------------------------
    \4\ Financial Privacy Hearings, supra (statement of L. Richard 
Fischer).
---------------------------------------------------------------------------
    To provide all of these and other opportunities, access to data is 
essential. Laws restricting affiliate-sharing or requiring opt-in 
consent make the provision of these services untenable. How could an 
affinity program work if the card issuer and unaffiliated partner could 
not share customer data? How could a lender accurately and rapidly 
judge the risk of increasing a customer's credit line if it could not 
look at all of her accounts with affiliated companies? How would a 
financial services institution identify appropriate candidates for debt 
consolidation, if it could not examine both the range of outstanding 
debts and homeownership or other relevant criteria?
    Information-sharing is especially critical for new and smaller 
businesses. By restricting the availability of information about their 
customers, privacy laws help to protect established businesses from 
competition. Laws designed to protect privacy act as barriers to that 
information-sharing, and therefore, writes Robert E. Litan, Director of 
the Economic Studies Program and Vice President of the Brookings 
Institution, ``raise barriers to entry by smaller, and often more 
innovative, firms and organizations.'' \5\
---------------------------------------------------------------------------
    \5\ Robert E. Litan, Balancing Costs and Benefits of New Privacy 
Mandates, Working Paper 99 -3, AEI-Brookings Joint Center for 
Regulatory Studies (1999).
---------------------------------------------------------------------------
The Cost of Regulation
    There is also a financial cost to privacy regulation. We have 
already seen that a major component of that cost is caused by the 
interference of privacy laws with open information flows. Another 
source of that cost is the burden of complying with privacy laws. 
Crafting, printing, and mailing the billion or more disclosure notices 
required by Gramm-Leach-Bliley, for example, is estimated to have cost 
$2-$5 billion. Much of that cost will be repeatedly annually.
    More burdensome opt-in laws, as discussed below, would prove even 
more costly. During its opt-in test, U.S. West found that to obtain 
permission to use information about its customer's calling patterns to 
market services to them cost between $21 and $34 per customer, 
depending on the method employed.\6\
---------------------------------------------------------------------------
    \6\ Brief for Petitioner and Interveners at 15-16, U.S. West, Inc. 
v. FCC, 182 F.3d 1224, 1239 (10th Cir. 1999) (No. 98 -9518), cert. 
denied 528 U.S. 1188 (2000).
---------------------------------------------------------------------------
    A 2000 Ernst & Young study of financial institutions representing 
30 percent of financial services industry revenues, found that 
financial services companies would send out three to six times more 
direct marketing material if they could not use shared personal 
information to target their mailings, at an additional cost of about $1 
billion per year.\7\
---------------------------------------------------------------------------
    \7\ Ernst & Young LLP, Customer Benefits from Current Information 
Sharing by Financial Services Companies 16 (December 2000).
---------------------------------------------------------------------------
    The study concluded that the total annual cost to consumers of opt-
in's restriction on existing information flows--precisely because of 
the difficulty of reaching customers--was $17 billion for the companies 
studied, or $56 billion if extrapolated to include the customers of all 
financial institutions. Those figures do not include the costs 
resulting from the reduced availability of personal information to 
reduce fraud, increase the availability and lower the cost of credit, 
provide co-branded credit cards and nationwide automated teller machine 
networks, and develop future innovative services and products.
    These costs do not include the increased burden to consumers of 
additional letters, telephone calls, and e-mails seeking consent: U.S. 
West had to call its customers an average of 4.8 times per household 
just to find an adult who could consent.
The Special Problem of Opt-In
    The burden of privacy laws is even greater when they forbid the use 
of information without affirmative, opt-in consent. While both opt-in 
and opt-out give consumers the same legal control about how their 
information is used, the two systems differ in the consequences they 
impose when consumers fail to act.
    The U.S. Post Office reports that 52 percent of unsolicited mail in 
this country is discarded without ever being read. It will not matter 
how great the potential benefit resulting from the information use, if 
the request is not read or heard, it cannot be acted on. Corporate 
trials of consent-based privacy systems demonstrate that no matter how 
good the offer or how easy the opt-in or the opt-out method, customers 
rarely respond.
    Under opt-out, consumers like those under Gramm-Leach-Bliley who 
failed to read or respond to a privacy notice, still received services. 
Under opt-in, consumers who did not respond could not have their 
information used. By virtue of not responding--whatever the reason--
those subject to opt-in are excluded from receiving information-
dependent services. Opt-in is more costly to consumers precisely 
because it fails to harness the efficiency of having them reveal their 
own preferences as opposed to having to explicitly ask them.
    For a practical, specific example of the impact of opt-in on 
consumers, Michael Staten, an economist, Distinguished Professor, and 
Director of the Credit Research Center at Georgetown University's 
McDonough School of Business, and I conducted a case study of MBNA 
Corporation, a diversified, multinational financial institution. 
Incorporated in 1981, and publicly-traded since 1991, by the end of 
2000, the company has experienced 40 consecutive quarters of growth, 
provided credit cards and other loan products to 51 million consumers, 
had $89 billion of loans outstanding and serviced 15 percent of all 
Visa/MasterCard credit card balances outstanding in the United 
States.\8\
---------------------------------------------------------------------------
    \8\ Michael E. Staten & Fred H. Cate, ``The Impact of Opt-In 
Privacy Rules on Retail Credit Markets: A Case Study of MBNA,''_Duke 
Law Journal_(forthcoming 2002).
---------------------------------------------------------------------------
    The case study examined the impact of three forms of opt-in: (1) 
Opt-in for sharing personal information with third parties; (2) Opt-in 
for sharing personal information with affiliates; and (3) Opt-in for 
any use (other than statutorily excluded uses) of personal information.
    The study found that any form of opt-in would have significant 
economic effects on MBNA and its customers, because of the company's 
extensive use of direct marketing to attract customers and its heavy 
reliance on personal information to identify out of the 1 billion 
prospect names the company receives annually from its more than 4,700 
affinity groups for which MBNA issues credit cards the 400 million 
names of people who are likely to be both qualified for and interested 
in a credit card solicitation.
    Given the low response rates to opt-in requests universally 
reflected by organizations that seek consent other than at time of 
service or in response to a communication initiated by the customer, 
the case study concludes that even the least restrictive opt-in 
regime--for third-party information-sharing--would result in the MBNA's 
marketing materials being 27 percent less well targeted. As a result, 
109 million people would receive solicitations who should not have. 
This translates into an 18 percent lower response rate and a 22 percent 
increase in direct mail costs per account booked. There would also be 
an additional 8 percent reduction in net income because of increased 
defaults and reduced account activity, resulting from less qualified 
people receiving credit card solicitations.
    The broader opt-in regimes would result in more significant losses 
to MBNA and its customers, largely in three areas. First, MBNA's 
affiliates would be unable to cross-sell services to existing customers 
or provide one-stop customer service, because of the restriction of 
sharing information across affiliates. Second, MBNA's corporate 
structure, which currently includes affiliates because of tax and 
regulatory reasons, would be less efficient and more expensive because 
centralized service units would no longer be able to provide services 
for all of the affiliates. Third, opt-in would interfere with fraud 
detection and prevention efforts which depend on information-sharing 
across affiliates and among companies.
    These costs would be incurred despite the fact that as of the end 
of 2000, only about 130,000 customers (one-quarter of 1 percent of 
MBNA's customer base) had exercised their legal right to opt-out of 
having their credit report information transferred across MBNA 
affiliates, and approximately 1 million customers (less than 2 percent) 
had taken advantage of MBNA's voluntary opt-out from receiving any type 
of direct mail marketing offers.
    The important point is not simply that complying with privacy laws 
is expensive, but rather that it imposes costs on consumers. Privacy 
polls rarely if ever ask consumers whether they are ready to bear that 
cost. But ultimately, it is consumers and individuals, in the words of 
Alabama Attorney General Bill Pryor, who ``pay the price in terms of 
either higher prices for what they buy, or in terms of a restricted set 
of choices offered them in the marketplace.'' \9\
---------------------------------------------------------------------------
    \9\ Bill Pryor, Protecting Privacy: Some First Principles, Remarks 
at the American Council of Life Insurers Privacy Symposium, July 11, 
2000, Washington, DC, at 4.
---------------------------------------------------------------------------
The Bigger Context
    It is also important to evaluate consumer concerns about financial 
privacy in a broader context. Gramm-Leach-Bliley was passed in 1999 and 
the first notices were required to be mailed by July 1, 2001. Only 14 
months has passed since that date, examinations of financial 
institutions under the new requirements are only now beginning, and 
enforcement has been limited. It is simply too early to judge 
meaningfully how well the new system is working.
    Despite the short time, however, financial institutions have been 
busy working with Federal regulators, consumer advocates, and others 
attempting to improve their privacy notices and increase the 
effectiveness of consumer education. There was considerable criticism 
of the first round of Gramm-Leach-Bliley privacy notices, a key element 
of the law. While some of that criticism may be justified, the 
complexity of privacy notices seems in large part to have reflected the 
complexity of the law and regulations requiring them. Title V uses many 
terms that consumers would likely find confusing and that must be used 
precisely to make sense of the law's requirements. For example, the law 
makes a significant distinction between ``consumers'' and 
``customers,'' and this distinction was necessarily reflected in many 
notices, even though many people use the terms interchangeably.
    It should also be noted that clarity may be in the eye of the 
beholder. On June 18, 2001, at a hearing on financial privacy of the 
California General Assembly's Committee on Banking and Finance, the 
Committee Chairman challenged the financial services industry 
representatives in the audience to live up to the standard set by 
American Express' privacy notice. In fact, he distributed to every 
person attending the hearing a copy of the American Express notice so 
that they could, in the Chairman's words, use it as a ``model.'' Two 
weeks later, on July 9, 2001, USA Today editorialized in favor of 
clearer privacy notices, citing American Express' notice--the same 
notice lauded only 2 weeks earlier--at its first example of a difficult 
to comprehend notice.\10\
---------------------------------------------------------------------------
    \10\ ``Confusing Privacy Notices Leave Consumers Exposed,'' USA 
Today, July 9, 2001, at 13A.
---------------------------------------------------------------------------
    As Federal Trade Commission Chairman Timothy Muris has noted, we 
are still learning:

          The recent experience with Gramm-Leach-Bliley privacy notices 
        should give everyone pause about whether we know enough to 
        implement effectively broad-based legislation based on notices. 
        Acres of trees died to produce a blizzard of barely 
        comprehensible privacy notices. Indeed, this is a statute that 
        only lawyers could love--until they found out it applied to 
        them.\11\
---------------------------------------------------------------------------
    \11\ Timothy J. Muris, Protecting Consumers' Privacy: 2002 and 
Beyond, 2001 Conference, Cleveland, OH, October 4, 2001.

    Today, regulators, industry, and consumers are learning from the 
emerging experience with Gramm-Leach-Bliley, and are collectively 
improving the quality and 
variety of available privacy protections. The Hunton & Williams Center 
for Information Policy Leadership, for example, hosts a project in 
which leading financial institutions are trying to develop layered 
notices--an approach that would make privacy disclosures easier to 
understand and compare. The Federal Trade Commission has hosted a 
workshop on effective financial privacy notices, and is working with 
industry and privacy rights advocates to improve notices. The 
Commission is also pushing forward related privacy initiatives, 
including a national do-not-call list and increased privacy 
enforcement.
    Many financial services companies have also responded with privacy-
related products and services, or options for individuals to control 
the use of their information beyond what is required by law. Many 
financial services companies report today that they do not share 
personal nonpublic financial information about their customers with 
third parties. Some provide opportunities for customers to opt-out of 
information-sharing that is expressly permitted by Gramm-Leach-Bliley. 
Citicorp, Capital One, Visa, and American Express all advertise credit 
cards offering privacy- and security-related enhancements. Bank of 
America and other banks are openly competing for consumer business 
based on how privacy protective they are. Companies are developing best 
practices for a variety of privacy protections; for example, Citigroup 
has released telemarketing best practices developed with State 
attorneys general.
    None of these developments is likely to prove a panacea for privacy 
protection, but their variety and the speed with which they are being 
developed suggest that they will afford consumers a greater choice of 
privacy alternatives than any law is likely to. Most importantly, there 
is virtually no evidence of tangible harms to consumers that are not 
already covered by Gramm-Leach-Bliley, the Fair Credit Reporting Act, 
or some other financial privacy law.
    Consumers have understandable concerns about their privacy, and 
some adjustments to Federal financial privacy law may eventually prove 
necessary. But in the absence of evidence consumers being physically or 
financially harmed by unregulated uses of their personal financial 
information, the Congress has the time to wait to see how existing laws 
are working and to allow market responses to more fully mature.
                               ----------
                  PREPARED STATEMENT OF JOHN C. DUGAN
                      Partner, Covington & Burling
                            on behalf of the
                Financial Services Coordinating Council
                           September 19, 2002
    My name is John Dugan, and I am a Partner with the law firm of 
Covington & Burling. I am testifying today on behalf of the Financial 
Services Coordinating Council (FSCC), whose members include the 
American Bankers Association, American Council of Life Insurers, 
American Insurance Association, and Securities Industry Association. 
These organizations represent thousands of large and small banks, 
insurance companies, and securities firms that, taken together, provide 
financial services to virtually every household in America. I have 
represented the FSCC on financial privacy issues since the organization 
was formed in late 1999, and in that capacity I have advised on 
implementation issues involving the privacy provisions of the Gramm-
Leach-Bliley Act (GLB Act) and related regulations; participated in the 
Federal Trade Commission's interagency task force on notices; helped 
coordinate our task force devoted to improvements in privacy notices; 
and testified on a number of occasions before the Congress and State 
legislatures on GLB Act issues and various financial privacy 
legislative proposals.
    The FSCC appreciates the opportunity to testify before this 
Committee on the status of financial privacy regulation, in our case 
from the perspective of the financial services industry. Our testimony 
focuses on: (1) the balance Congress struck in the Gramm-Leach-Bliley 
Act (GLB Act); (2) our experience with implementing the Act, including 
the reaction of our customers; (3) our views on the appropriate 
relationship between Federal and State privacy laws; and (4) some 
thoughts going forward.
The Balance Struck in the GLB Act
    Every commercial privacy law strikes a balance between protecting 
the privacy 
interests of consumers and preserving the clear consumer benefits that 
arise from the free flow of information in the economy. While consumers 
expect limits on the disclosure of their information, they also expect 
companies to provide them with benefits that can only be provided 
through information-sharing. For example, a loyal, long-time depositor 
in a bank wants and expects to receive a discount on a mortgage loan 
offered by a related mortgage company affiliate, and such 
``relationship discounts'' can only be provided through information-
sharing. Privacy laws try to balance these competing consumer 
expectations.
    In terms of financial privacy, we believe that Congress struck the 
right balance in 1999 when it adopted the privacy provisions of the GLB 
Act against the backdrop of the preexisting privacy protections 
provided by the Fair Credit Reporting Act and other Federal and State 
statutes. Through exceptionally broad definitions, the GLB Act's 
protections apply to virtually all personal information held about the 
individual consumers of more than 40,000 financial institutions in this 
country--including less traditional ``financial institutions'' such as 
check cashers, information aggregators, and financial software 
providers. Coupled with protections mandated by the Fair Credit 
Reporting Act (FCRA), these consumers now must be provided:

 Notice of the institution's practices regarding information 
    collection and disclosure, which must be clear, conspicuous, and 
    updated each year.

 Opt-Out Choice regarding the institution's sharing of 
    information with nonaffiliated third parties, and in certain 
    instances, with affiliates.

 Security in the form of mandatory policies, procedures, 
    systems, and controls to ensure that personal information remains 
    confidential.

 Protection against inappropriate redisclosure or reuse of 
    personal information that is shared with third parties.

 Enforcement of privacy protections via the full panoply of 
    enforcement powers of the agencies that regulate financial 
    institutions, for example, the Federal bank regulators, the 
    Securities and Exchange Commission, State insurance authorities, 
    and the Federal Trade Commission.

    In addition to these protections, customers of financial 
institutions that handle personal health information, for example, 
insurance companies, receive the extensive privacy protections of 
Federal and State medical privacy laws. Taken together, the FSCC 
believes that this set of provisions forms the most comprehensive set 
of privacy protections that has yet been implemented in the United 
States.
    We recognize that these protections are not as restrictive as some 
would have wanted, including some of the witnesses on today's panel. 
But by any measure, compared to 3 years ago consumers have much more 
meaningful information, choice, and security regarding the way that 
financial institutions handle their personal information.
    At the same time, the GLB Act appropriately allows financial 
institutions to share information with others for a variety of plainly 
legitimate purposes without separate consumer consent, that is, to 
carry out transactions requested by the consumer, to deter and detect 
fraud, to respond to regulators and judicial process, etc. While many 
of these ``doing business'' exceptions were viewed suspiciously by 
critics at the time the Act was passed, they have proven to be sensible 
and noncontroversial provisions covering sharing for which consumer 
consent is simply inappropriate.
    The FSCC also continues to support Congress' decision to treat 
information-sharing by companies under common control in the same 
manner as sharing within a single institution; both are situations in 
which the GLB Act's opt-out requirement does not apply. The fact is 
that many financial institutions operate through affiliated financial 
entities, often with very similar names, rather than through divisions 
of a single institution. For purposes of the opt-out, Congress sensibly 
elected to ignore such artificial separations and treat affiliates as 
part of a single organization rather than as entirely distinct 
entities. This decision reflected the fact that consumers are unlikely 
to distinguish between, for example, a community bank and the community 
bank's affiliated mortgage lending company. Instead, consumers are 
likely to expect that both affiliates are part of a single community 
banking organization where information is shared within that corporate 
family. The decision also 
reflected the fact that the sharing of sensitive credit and insurance 
application information with affiliates is already subject to an opt-
out requirement under the Fair Credit Reporting Act.
    Finally, we also continue to believe that Congress made the right 
choice in requiring that a financial institution provide its consumers 
with the right to opt-out of the financial institution's sharing of the 
consumers' personal information with third-party commercial companies. 
This decision reflected the view that the sharing of personal 
information with such nonaffiliated third parties (other than for the 
exceptions described above) is different in nature than sharing 
information with companies within a corporate family or with financial 
institution marketing partners--and that it is sufficiently different 
from consumer expectations that a consumer should be given the choice 
to opt-out of such sharing.
    In making this choice, however, Congress rightly rejected an opt-in 
approach, 
because there is a fundamental flaw with the way such requirements 
work. Opt-in provisions deprive consumers of benefits from information-
sharing (such as the 
depositor's relationship discount on a mortgage loan described above), 
because consumers rarely exercise opt-in consent of any kind-- even 
those consumers who would want to receive the benefits of information-
sharing if they knew about them. In essence, an opt-in creates a 
``default rule'' that stops the free flow of information. This in turn 
makes the provision of financial services more expensive and reduces 
the products and services that can be offered, which actually 
frustrates consumer expectations. In contrast, an opt-out gives 
privacy-sensitive consumers just as much choice as an opt-in, but 
without setting the default rule to deny benefits to consumers who are 
less privacy-sensitive.
Implementation of the GLB Act
    The privacy provisions of Gramm-Leach-Bliley were enacted in 1999, 
and financial institution regulators subsequently issued detailed 
privacy regulations that became effective just over a year ago. This 
appears to be the first time that the Federal Government has 
implemented such a comprehensive commercial privacy regulatory 
regime affecting such an important sector of the Nation's economy. In a 
sense, financial institutions have been the ``guinea pigs'' for this 
process, and much has been learned by both the regulators and our 
industry.
    The implementation process has been massive, involving eight 
Federal regulators, 51 State insurance regulators, and over 40,000 
financial institutions. Companies have conducted detailed auditing of 
their information practices; developed and issued over 2.5 billion 
privacy notices; established new compliance systems; trained personnel; 
and reconfigured systems to handle and monitor consumer opt-outs.
    Financial institutions have also upgraded their already extensive 
security policies, procedures, and systems to comply with the security 
mandates of the Act. For example, company employees with access to 
confidential customer information are often required to adhere to many 
different types of procedures designed to protect the physical security 
of that information, including disclosing information to other 
employees only on a ``need to know'' basis; locking confidential files 
and clearing desks before going home; and using special passwords to 
access information. In addition, some companies control access through 
use of security systems and computing platforms, where users are 
authenticated by means of logon identifications and/or secret 
passwords. In some cases digital certificates are also used for 
purposes of authentication and nonrepudiation; access control lists 
limit levels of access based on job employee functions; and formal data 
classification schemes ensure that sensitive data is stored only on 
secure platforms. These are just a sample of the many steps that firms 
are taking in the security area.
    In short, while tremendous progress has been made, GLB 
implementation is still very much a work in progress, and financial 
institutions continue to learn, adjust, and improve their privacy and 
security practices over time. One thing is certain, however: As the 
result of the Gramm-Leach-Bliley's notice, choice, and security 
requirements, financial institution customers are far more privacy and 
security-protected than they were 3 years ago, and far more protected 
than the customers of most other types of companies. We believe that 
consumers have responded favorably by continuing to put their trust in 
the companies that handle their financial assets and their financial 
needs.
    Indeed, despite generic polls showing that consumers remain 
concerned about their privacy, financial institutions have received a 
minuscule number of customer complaints about the GLB Act procedures or 
other privacy concerns. The same is true of financial regulators. For 
example, in response to a Freedom of Information Act request regarding 
all financial institution complaints received in 2001, the Federal 
Reserve reported that it had received only 25 privacy-related 
complaints out of the 4,503 complaints it received, or .0056 percent of 
the total, with similarly low numbers reported by the Office of Thrift 
Supervision (6 of 4,921, or .0012 percent), Federal Deposit Insurance 
Corporation (137 of 6,849, or .02 percent), and Office of the 
Comptroller of the Currency (368 of 17,228, or .0214 percent).
    In addition, most financial institutions do not share information 
with third parties, such as commercial companies, in a way that 
triggers the need for the GLB Act opt-out requirement. For example, 
roughly 89 percent of a recent sample of approximately 400 banks 
conducted by the American Bankers Association did not share information 
in this way. For those institutions that do share with third parties in 
a way that requires providing the opt-out to consumers, the opt-out 
rates have generally been low, and in nearly all cases under 10 
percent. The FSCC strongly disagrees with those who suggest that low 
opt-out rates mean that the GLB process is not working. To the 
contrary, our members believe that the low rates show that consumers 
trust their financial institutions to share their information in an 
appropriate manner, or that they are less sensitive to privacy concerns 
than has been suggested.
    Based on initial implementation experience, the FSCC recognizes 
that the privacy notices constitute one area in which improvements can 
be made. This is by no means as easy as it sounds, however, because the 
notice requirements of the GLB Act are quite detailed. The financial 
institution regulators tried hard to simplify these requirements in 
their implementing regulations, including through the use of sample 
clauses, and they told institutions that a notice complying with the 
GLB Act could fit on a six-page, ``tri-fold'' brochure. In their first 
round of notices, financial institutions generally took this approach 
and used the sample clauses, while at the same time carefully scrubbing 
the language to ensure compliance will all requirements of the statute 
and regulations.
    Proceeding this way was absolutely necessary to ensure that the 
notices satisfied the regulators' ``clear and conspicuous'' requirement 
and minimized exposure to legal liability. Indeed, the regulators have 
challenged very few privacy notices as failing to comply. Nevertheless, 
a six-page notice is not short, and language from the sample clauses 
such as ``nonaffiliated third-party'' and ``nonpublic personal 
information'' are obviously the type of ``legalese'' that some 
consumers and critics have found difficult to understand.
    Unfortunately, financial institutions now find themselves in a bit 
of a ``Catch-22.'' They spent hundreds of millions of dollars to 
carefully develop the first round of compliant notices and mail them to 
consumers, and financial institution consumers received more 
information about company privacy practices than consumers of virtually 
any other industry in the country. Yet these very same notices, because 
of their length and use of legalistic terms suggested by the 
regulations, have received a great deal of negative attention in the 
media.
    To address these concerns, the financial services industry is 
proceeding down two paths simultaneously. First, a number of 
institutions have simplified the language used in their second round of 
annual privacy notices, though carefully so as not to stray from the 
requirements of the regulation. We believe the second round of notices 
will be more ``user friendly'' than the initial notices.
    Second, both financial institutions and their regulators have 
focused on the idea of exploring a simplified ``short-form'' version of 
the notice that would supplement, but not replace, the longer ``legal 
notice'' required by the GLB Act and regulations. The FTC convened an 
interagency and industry workshop to discuss this and other notice 
issues, and industry efforts are underway to examine the short-form 
concept more carefully. The basic idea of the short-form notice is to 
use simplified terms, be much less legalistic than the longer notice, 
keep the length to one page, and use common language that would make it 
easier for consumers to compare institution privacy policies over time.
    The FSCC is leading a project on the short-form notice. We have 
convened a task force representing a cross-section of institutions from 
the banking, insurance, and securities industries; hired a well-known 
language expert to advise on short-form issues; and have nearly 
completed the initial drafting phase of several possible 
alternatives.
    While we believe this project is promising, it is by no means 
simple, as I mentioned previously. There is no true ``one-size-fits-
all'' solution, because institutions have different privacy practices 
that call for different types of disclosures.
Relation Between Federal and State Privacy Laws
    There seems to be a great deal of misunderstanding about Gramm-
Leach-Bliley's effect on State privacy laws, as well as on the amount 
of State legislative action that has occurred on financial privacy 
issues generally. On the first point, Section 507 of the GLB Act makes 
clear that its privacy provisions would not preempt any State law in 
effect simply because the State law affords greater privacy protections 
to consumers than the Act's provisions. Of course, this provision by 
its terms does nothing to limit the preemptive effect of any other 
Federal statute, specifically including the Fair Credit Reporting Act's 
preemption provision that applies to State law restrictions on 
affiliate information-sharing.
    Some State legislators seemed to interpret Section 507 as an 
affirmative invitation by the Federal Government to the States to adopt 
more restrictive financial privacy laws than Gramm-Leach-Bliley. This 
interpretation spawned a great deal of State legislative interest in 
new financial privacy laws immediately after passage of the GLB Act in 
1999. The FSCC and numerous other representatives disagreed with that 
interpretation and testified to that effect before a number of State 
legislatures. Our position consistently has been that there was no such 
Federal invitation for States to act in Gramm-Leach-Bliley; that States 
should not rush to act before the GLB Act has been fully implemented 
and given a chance to work; and that a patchwork, uneven body of 
differing State privacy regulation would be extremely costly and 
counterproductive. In short, we believe that a single uniform standard 
in Federal law is the most appropriate method for regulating financial 
privacy.
    This leads me to the second point of confusion. While there has 
been a flurry of activity and debate at the State level in the wake of 
passage of the GLB Act in 1999, during this period no State legislature 
has adopted a comprehensive financial privacy statute that has exceeded 
the obligations of the GLB Act. Nearly 40 States considered such 
privacy legislation in 2000, but no such statute was enacted. About 
half that number revisited the issue in 2001, again without final 
action. And this year, only California has come close to enacting a new 
privacy law, but for the third time in 3 years, the legislature has 
chosen not to act.
    We recognize that North Dakota first chose to conform a preexisting 
bank privacy opt-in law to the limits of Gramm-Leach-Bliley, only to 
have an initiative restore the preexisting law. In addition, regulators 
(but not legislatures) in New Mexico and Vermont have issued additional 
financial privacy regulations (though the Vermont legislature had 
earlier rejected an effort to increase financial privacy restrictions, 
and a lawsuit has been filed to challenge the Vermont regulation as 
beyond the scope of Vermont statutory authority). But taken together, 
these few actions simply do not constitute a groundswell of State 
action to impose more restrictive financial privacy regulation.
    To the contrary, with the notable exception of California, the 
State focus on financial privacy legislation has diminished 
considerably over time since the GLB Act was enacted. The FSCC believes 
this is due in large part to an increased understanding that: (1) The 
Gramm-Leach-Bliley protections are substantial and need to be given a 
chance to work before States decide to act further; and (2) it is not 
nearly as easy as it seems at first blush to adopt financial privacy 
restrictions without causing unintended consequences that increase 
costs and deprive consumers of real benefits.
Actions in the Future
    The Gramm-Leach-Bliley's privacy protections are real, and the 
implementation, adjustment, and enforcement process is ongoing. This is 
not to say that improvements cannot be made, however. In particular, 
the FSCC believes that the process for improving privacy notices is 
well worthwhile, and we plan to pursue that process actively in the 
coming months, both within the industry and with our regulators.
    In terms of Federal legislation, we believe that any additional 
action that Congress considers with respect to privacy issues should be 
targeted to specific harms rather than take the form of sweeping data 
protection restrictions. If the harm to consumers is identity theft, 
then the focus of legislation should be on deterring and remedying that 
problem specifically. Similarly, if consumers are most concerned about 
excessive telemarketing calls resulting from information-sharing, then 
we believe that solutions should address that issue specifically. To do 
otherwise by imposing broad restrictions on information use and 
sharing: (1) May do little to solve the specific harms at issue; and 
(2) may have very negative unintended consequences. Accordingly, the 
FSCC stands ready to work with this Committee and other public 
policymakers to address specific consumer harms.
    In this regard, however, the FSCC could not support any new 
financial privacy legislation that did not include Federal preemption 
to ensure a uniform national privacy standard. The FSCC has similar 
concerns with respect to the FCRA provision that preempts State 
restrictions on affiliate-sharing, but is scheduled to sunset by the 
end of 2003. The FSCC supports extending the sunset, as we believe that 
the uniform national affiliate-sharing provision has allowed financial 
institutions to serve their customers in the most efficient manner 
possible.
    Thank you for allowing me to present the views of the FSCC today. I 
would be happy to answer any questions.
                   PREPARED STATEMENT OF MIKE HATCH*
---------------------------------------------------------------------------
    *All Exhibits held in Committee files.
---------------------------------------------------------------------------
                  Attorney General, State of Minnesota
                           September 19, 2002
    I appreciate the opportunity to address the Senate Committee on 
Banking, Housing, and Urban Affairs on the critical issue of protecting 
the privacy of our citizens' financial information. This Committee has 
taken a leading role in the challenge to protect consumer financial 
privacy. I commend the bipartisan efforts of Senators Sarbanes and 
Shelby in addressing these issues.
    Unfortunately, Title V of the Gramm-Leach-Bliley Act (GLBA) is not 
working to protect consumers from the misuse of their financial 
information. The Act has confused consumers, provided a green light to 
the unauthorized sharing of personal 
financial data as part of misleading telemarketing campaigns, and is 
riddled with loopholes that exempt many business practices from any 
control. I will focus my 
remarks on three aspects of GLBA: (1) The opt-out provisions in Section 
502(b); (2) the limitations on sharing of account numbers in Section 
502(d); and (3) the favorable preemption standard in the Sarbanes 
Amendment, Section 507. While the alleged consumer ``protections'' in 
Section 502 have proven of limited value in protecting consumers, 
Section 507 is an important part of GLBA that may ultimately provide 
various State models for how to more fairly balance the needs of 
business with the privacy rights of consumers.
Opt-Out Is Ineffective To Protect Consumers
    The opt-out system is not an effective means of protecting consumer 
financial privacy. It puts the burden on consumers to look for the 
privacy notices, read and attempt to understand them, and then take 
affirmative action to halt the sharing of their nonpublic personal 
information with nonaffiliated third parties, such as telemarketers. 
This system is contrary to how consumers act in the marketplace and 
what consumers expect from Government efforts to remedy the imbalance 
of power in the marketplace. Businesses that want to share personal 
financial information should do no more and no less than is required in 
any consumer transaction--obtain prior express consent of the consumer; 
in other words, opt-in to the deal.
    The current system does more to confuse than to assist consumers. 
The opt-out notices flooding consumers' mailboxes have been a boon for 
the printing and postal industry, but they have not meant much for the 
typical consumer. The notices are dense and impenetrable. Even the most 
educated and persistent of consumers would have a hard time deciphering 
statements such as ``we may disclose [information to] . . . carefully 
selected business partners (that is, so they can alert you to valuable 
products and services)'' \1\ to mean the financial institution will 
allow telemarketers to charge your credit card account without 
obtaining a signature or account number from you. The ineffectiveness 
of the notice and opt-out procedure has been thoroughly documented.\2\
---------------------------------------------------------------------------
    \1\ See http://www.capitalone.com/indexn.nhp.
    \2\ See Mark Hochhauser, Ph.D., Lost in Fine Print II: Readability 
of Financial Privacy Notices, Privacy Rights Clearinghouse, May 2001, 
available at http://www.privacyrights.org/ar/GLB-Reading.htm. The eight 
Federal agencies that issued regulations implementing GLBA held a 
workshop in December 2001, that also documented consumer 
misunderstanding and noncomprehension of the notices. See http://
www.ftc.gov/bcp/workshops/glb/index.html.
---------------------------------------------------------------------------
GLBA Limitations On Account Number Sharing Have Had No
Meaningful Impact On Preacquired Account Telemarketing Abuses
    Each year, American consumers experience millions of dollars of 
unauthorized charges on bank, credit card, mortgage, and other accounts 
as a direct result of financial institutions sharing personal financial 
data. Despite an attempt at appearing to address this concern, GLBA has 
had no effect on the problem. In fact, GLBA may have inadvertently 
acted to legitimize financial institutions' participation in data-
sharing practices that result in deceptive telemarketing practices.
Preacquired Account Telemarketing Abuses
    Financial institutions sell to telemarketers the names, phone 
numbers, and other information about their customers along with the 
right to charge the accounts of those customers. Telemarketers use this 
charging authority to call consumers with a ``free trial'' or ``no 
risk'' offer for services like travel membership clubs and credit card 
protection insurance. The telemarketer, because it has the ability to 
directly charge the account, never obtains an account number, a 
signature, or any other 
traditional evidence of consent from the customer. This sales practice, 
known as preacquired account telemarketing, has led to a constant and 
heavy flow of complaints to Attorneys General and other consumer 
protection agencies.
    Preacquired account telemarketing is inherently unfair and causes 
deception and abuse, especially with elderly and vulnerable consumers. 
This sales practice turns on its head the normal procedures for 
obtaining consumer consent. Other than for a cash purchase, providing a 
signature or an account number is a readily recognizable means for a 
consumer to signal assent to a deal. Decades of consumer education have 
made many consumers aware that disclosing their account number may 
result in unexpected charges. The corollary to this is that many 
consumers believe that as long as they do not disclose their account 
number, no charge can be made on the account. Preacquired account 
telemarketing exploits this belief.
    When financial institutions share with the telemarketer the 
information needed to directly charge a customer's account, it removes 
these short-hand methods of consumer control over consent to a 
purchase. Preacquired account telemarketing strips the consumer of 
control over the transaction and exploits the belief that being careful 
about disclosing an account number provides protection. The 
telemarketer not only establishes the method by which the consumer will 
provide consent, but also decides whether the consumer actually 
consented.
    Our Office has brought a series of cases exposing this practice.\3\ 
Fleet Mortgage Corporation, for instance, entered into contracts in 
which it agreed to charge its customer-homeowners for membership 
programs and insurance policies sold using preacquired account 
information. If the telemarketer told Fleet that the homeowner had 
consented to the deal, Fleet added the payment to the homeowner's 
mortgage account. Angry homeowners who discovered the hidden charges on 
their mortgage account called Fleet in large numbers.\4\ A survey taken 
by Fleet of its customer service representatives is attached as Exhibit 
A. It showed that customers overwhelmingly told Fleet that they did not 
sign up for the product, and wanted to know how it was added to their 
mortgage accounts without their approval, consent, or signature. 
Fleet's employees shared the resentment of these consumers, with 
comments such as ``unethical for Fleet to add [optional insurance] 
without my permission;'' ``[homeowner] knows they are being slammed w/ 
ins they never authorized (and) thinks unethical & bad business by us . 
. . I agree with the customer;'' and ``they feel this is fraud. . . . 
It is a scam.'' \5\
---------------------------------------------------------------------------
    \3\ State of Minnesota v. U.S. Bancorp, Inc., Case No. 99-872 
(Consent Judgment, D. Minn. 1999); In The Matter of Damark 
International, Inc., Case No. C8-99-1038 (Assurance of Discontinuance, 
Damsey Cty. Ct. 1999); State of Minnesota v. Memberworks, Inc., Case 
No. MC99-010056 (Consent Judgment, Hennepin Cty. Dis. Ct. 2000); State 
of Minnesota v. Fleet Mortgage Corporation, 158 F.Supp.2d 962 and 181 
F.Supp.2d 995 (D. Minn. 2001) (Consent Judgment, D. Minn. 2002).
    \4\ Approximately one-fifth of all calls by Fleet customers were 
about these preacquired account charges. The mortgage statements issued 
by Fleet hid the charges under the rubric ``opt.prod.'' (optional 
product) at the very bottom of the bill in small print, such that it 
was extremely difficult to discover the charge or discern the purpose 
of the charge. For consumers on auto-draft from their checking or other 
bank account, Fleet gave no written notice of the charge.
    \5\ As a result of a settlement of our Office's case against Fleet 
Mortgage Corporation, its customers were given the opportunity to 
request a refund of charges for membership programs sold through 
preacquired account telemarketing. Over 72 percent of the customers 
currently being charged for such a program returned a form requiring a 
refund of charges, stated that they did not authorize the charge, and 
asked to have the program cancelled.
---------------------------------------------------------------------------
    The number of financial institution customers affected by this 
sales practice is staggering. An investigation of a subsidiary of one 
of the Nation's largest banks revealed an extraordinary number of 
complaints of unauthorized charges. During a 13 month period, this bank 
processed 173,543 cancellations of membership clubs and insurance 
policies sold by preacquired account sellers. Of this number of 
cancellations, 95,573, or 55 percent, of the consumers stated 
``unauthorized bill'' as the reason for the request to remove the 
charge.\6\
---------------------------------------------------------------------------
    \6\ The other primary reason given for cancelling (by 56,794 
customers, or 32 percent of the total) was a general ``request to 
cancel'' code that may have also included many consumers claiming 
unauthorized charges.
---------------------------------------------------------------------------
    The frail elderly, consumers who speak English as a second 
language, and other vulnerable groups are especially at risk with 
preacquired account telemarketers. A review of randomly selected sales 
of one preacquired account telemarketer investigated by our Office 
showed 58 percent of customers whose accounts were charged were over 
60. Sellers continually use preacquired account telemarketing to sell 
elderly consumers membership clubs, magazines, and other products for 
which they have no possible use. Examples from our Office's 
investigations of telemarketers using preacquired billing information 
include the following: Charges to the credit card of an 85-year old man 
with Alzheimer's; charges to the credit card of a 90-year old woman who 
asked to ``quit this'' and said ``sounds like a scam to me;'' charges 
to the credit card account of an Hispanic man who says ``no se es'' in 
response to a telemarketer's question; and charges to the bank checking 
account of an impaired 90-year old man who did not believe he consented 
to the charge. Attached as Exhibit B is a letter from a Legal Aid 
attorney listing a variety of useless and expensive membership clubs 
charged to the credit card of a retired church janitor in his late 
80's. The janitor was charged for a home protection plan even though he 
lived in a nursing home; an auto club membership even though he had no 
car; a dental plan even though he already had coverage; and a credit 
card security plan even though Federal law already protected him from 
theft of a credit card.
    These are just a few of the substantial number of consumer 
complaints our Offices have received about this sales practice. In 
fact, this Office receives as many complaints about these practices 
post-GLB as it did before enactment of the law.
GLBA Has Had No Impact On Preacquired Account Telemarketing Abuses
    GLBA has not changed the involvement of financial institutions in 
preacquired 
account telemarketing, and the abuses continue to occur. All 50 State 
Attorneys 
General recently filed comments with the Federal Trade Commission (FTC) 
stating that consumer complaints and State consumer protection 
enforcement actions against preacquired account telemarketers have 
continued without significant change after passage of the GLBA. The 
reason is not hard to discern.
    GLBA, in Section 502(d), prohibits a financial institution from 
disclosing, ``other than to a consumer reporting agency, an account 
number or similar form of access number or access code for a credit 
card account, deposit account, or transaction account of a consumer to 
any nonaffiliated third-party for use in telemarketing, direct mail 
marketing, or other marketing through electronic mail to the 
consumer.'' Thus, Section 502(d) prohibits the practice by financial 
institutions of providing the credit card numbers of its customers to 
nonaffiliated third-party telemarketers. When sellers of magazines, 
membership clubs, insurance programs, and other services solicited the 
financial institutions' customers via telemarketing calls, the 
customers were never asked to recite their credit card numbers because 
the sellers already had the numbers on hand with the capability to send 
through a charge.
    After Section 502(d) of GLBA was enacted, however, the Federal 
banking agencies promulgated rules that permitted financial 
institutions to continue sharing account numbers with third-party 
sellers as long as they were in encrypted form. As a result of this 
Rule, the practices of financial institutions and their third-party 
sellers have remained the same. Financial institutions may share 
encrypted or randomly generated reference numbers for their customer's 
accounts with third-party sellers. These sellers can still send through 
charges to consumers' accounts without consumers giving their credit 
card numbers. The encrypted numbers are simply decrypted by the 
financial institution and the charges are put directly on the 
consumer's account. This allows preacquired account telemarketing 
process to continue--legally and unimpeded. Unscrupulous telemarketers 
can still cause a charge to a consumer's account even when a consumer 
says ``no'' to the sale, or simply believes he or she is trying out a 
free trial offer.
    The essential characteristic of preacquired account telemarketing 
is the ability of the telemarketer to charge the consumer's account 
without traditional forms of consent--for example, paying cash, 
providing a signature, or providing a credit card or bank account 
number. The key is how the agreement between a company controlling 
access to a consumer's account and the telemarketer who preacquires the 
ability to charge a consumer's account affects the bargaining power 
between that telemarketer and the consumer. GLBA, as interpreted in 
implementing regulations, does not address this relationship.
GLBA's Favorable Preemption Language Is Critical To Future
Consumer Privacy Protections
    Although Title V of GLBA has done little to address the privacy 
needs of financial institution customers, the Sarbanes Amendment, 
Section 507, offers the best hope to secure protections for consumers. 
It is imperative that GLBA retain favorable preemption standards for 
State legislation.
    State legislatures have taken or considered a variety of approaches 
to protecting consumer information. North Dakota voters recently 
reinstated an opt-in approach to consumer financial information that 
had previously been in effect. California's legislature has alternately 
passed and seriously considered various consumer privacy initiatives. 
The Minnesota Senate has passed an opt-in financial privacy bill.
    State privacy initiatives have been the subject of enormous 
industry legislative pressure. In an article entitled, ``Lobbyists 
Swarm to Stop Tough Privacy Bills in States,'' The Wall Street Journal 
reported on the ``regimented lobbying forces of the Old Economy'' that 
have opposed such measure.\7\ Despite this intense effort, State 
privacy bills continue to advance in State legislatures. Proposed 
revisions to GLBA that would preempt such State action would be the 
death knell for meaningful reforms to protect consumers against misuse 
of their personal financial information.
---------------------------------------------------------------------------
    \7\ Zimmerman, R. and Simpson, G., ``Lobbyists Swarm to Stop Tough 
Privacy Bills in States,'' The Wall Street Journal (April 21, 2000).
---------------------------------------------------------------------------
Conclusion
    I thank the Committee for its consideration. Consumer protection 
efforts in the area of financial privacy are in a beginning stage of 
development. Title V of GLBA has not adequately protected the privacy 
of the average citizen. I hope that the Congress will support the 
continuation of State legislative efforts at meaningful reform of our 
privacy laws.
                               ----------
                 PREPARED STATEMENT OF JAMES M. KASPER
          Representative North Dakota House of Representatives
                           September 19, 2002
    Chairman Sarbanes and Members of the Senate Committee on Banking, 
Housing, and Urban Affairs. Thank you for the opportunity to share my 
views on financial privacy and consumer protection.
Background
    I am a first term member of the North Dakota House of 
Representatives and I am considered a conservative in my State of North 
Dakota. I have been active in political affairs for over 20 years in 
North Dakota. I believe I bring a unique perspective to the financial 
privacy issues as my business career is in the financial services 
industry. I am an independent licensed insurance and securities broker, 
and my practice is in the area of employee benefits plans and business 
insurance planning. My entire career has been spent in Fargo, North 
Dakota, with the exception of 1 year in Minneapolis, Minnesota. Because 
North Dakota law has allowed banks to sell insurance for many years, I 
have competed with banks this entire time, and have a very good 
understanding of how they compete and what their marketing practices 
are.
My First Legislative Term--2001
    Little did I realize that in my first Legislative session, 
beginning in January of 2001, a great deal of my time would be spent 
attempting to stop North Dakota banks from changing the very protective 
financial privacy law that North Dakota has had in effect since 1985. 
North Dakota privacy law protects not only consumer transactions, but 
all business and commercial transactions as well. Our bank privacy law, 
enacted in 1985, prohibited the sharing and sale of consumer 
information to anyone, affiliates and nonaffiliates, for any reason. In 
today's vernacular, we had a No-Opt for affiliates and a No-Opt for 
nonaffiliates. In 1997, the banking lobbyists quietly amended ND law to 
allow affiliate-sharing of information, so the banks in ND could 
legally share confidential information with their affiliates, without 
consent. Many citizens feel this needs to be addressed in our 2003 
Legislative Session.
National Strategy of Banking Industry
    As you know, the Gramm-Leach-Bliley Act (GLB) was passed by the 
Congress, with an implementation date for Title V of GLB of July 1, 
2001. GLB deregulated the financial services industry and allows banks, 
insurance companies, and securities companies to have common ownership 
and to market each other's products. It is my understanding that two 
organizations, the Financial Roundtable and the Financial Services 
Coordinating Council, have targeted all States that have a more 
protective privacy law than the minimum requirements of GLB, to 
eliminate those States' privacy laws. They seem to be determined to 
stop any State Legislature from enacting any privacy laws that are more 
protective of consumer privacy than GLB and also to repeal any State 
privacy laws that are more protective than GLB.
ND Banks Work to Repeal ND Privacy Law in 2001 Legislative Session
    To accomplish the bankers national goals required the repeal of our 
1985 North Dakota privacy law. Therefore, the North Dakota Bankers 
Association, the North Dakota Independent Bankers Association and the 
North Dakota Credit Union Association had Senate Bill 2191 (SB 2191) 
introduced in the North Dakota Senate. This bill's intent was to repeal 
our 1985 North Dakota privacy law, and replace it with the GLB 
definitions of privacy, thus reducing ND citizen's privacy protections.
    Senate Bill 2191 passed the ND Senate, in February 2001, and was 
assigned to the House of Representatives Industry, Business, and Labor 
Committee, of which I am a member. When I became aware of the intent of 
SB 2191, I made the decision to work to kill the bill. For 30 years, I 
have competed against the banks in ND and I have seen how they use 
credit leverage to obtain sales and to eliminate competition. I had 
also learned how people's personal and confidential financial 
information is being gathered all over the country, fed into huge 
computer data bases, and how consumer profiles of the citizens of our 
Nation are developed and sold to telemarketing companies. I believe 
these practices need to be stopped. I also believe they may be 
unconstitutional.
    The banks focused all of their power in the ND House to pass SB 
2191. They had 3 full-time lobbyists at the capitol for about 6 
consecutive weeks. The Credit Unions had two full-time lobbyists. 
Additionally, representatives of Wells Fargo, U.S. Bank, and other 
large banks, made numerous visits to most of the Legislators and almost 
every one of the Legislators had personal visits from their local 
bankers. All of these lobbyists were urging the Legislators to support 
SB 2191. Their reasons were quite interesting:
The Banks and Credit Unions Used the Following Arguments in Support of
SB 2191 in North Dakota:
 ``North Dakota needs to pass SB 2191 to adopt GLB in North 
    Dakota law, so we will be in compliance with GLB.'' We know this is 
    not correct, because GLB is the law in all States, but does 
    specifically allow State privacy law to supercede GLB, if the State 
    law provides greater privacy protection for consumers than GLB.

 ``North Dakota will experience job loss, if we do not pass SB 
    2191.'' Many of us believe the opposite is true. Because ND privacy 
    law provides protection for all financial transactions, including 
    businesses, ND could actually attract business and gain jobs, due 
    to our privacy laws.

 ``North Dakota will experience negative economic development 
    if we do not pass SB 2191. Businesses won't want to come to ND if 
    we do not have the GLB privacy definitions in our law. It will be 
    too expensive and too onerous to do business in ND.'' Again, this 
    argument was not correct. If a business does not have to waste its 
    time to Opt-Out, business expenses are reduced. With a No-Opt law, 
    a business will not need to use any of its resources to track its 
    privacy records, because there are none to track.

 ``We do not want North Dakota to be the only State in the 
    Nation, an `island,' which has different privacy laws than the 
    other States.'' Again, an untrue argument. I believe there are 5 
    States that have more protective privacy laws than GLB; Alaska, 
    Connecticut, Illinois, Maryland, and Vermont.

 ``If we do not pass SB 2191, the people of North Dakota may 
    not be able to use their ATM, credit cards, and their checking 
    accounts.'' Since June 11, 2002, when the people of ND repealed SB 
    2191, our ATM's, credit cards, and checking accounts are working 
    just fine, as they have since 1985, when we first passed our 
    privacy law.

    All of these scare tactics and more were part of a carefully 
orchestrated campaign by the ND banks, in conjunction with their 
national associations, to confuse the issues at best, and out and out 
lie to the Legislators at worst, about the truth of SB 2191.
    There were just a handful of Legislators that worked to stop this 
onslaught by the Bankers and Credit Unions. The final vote in the ND 
House, was 77 to 20 to pass SB 2191. The ND Senate voted by 34 to 12 to 
pass SB 2191. The Governor, a former banker, signed the bill and it 
became North Dakota law on July 1, 2001.
The Referral of SB 2191--The People of North Dakota Speak
    Fortunately, this was not the end of the story. In early July 2001, 
a small group of ordinary citizens formed a group to repeal SB 2191. 
They called themselves ``Protect Our Privacy.'' In North Dakota, the 
people are allowed to refer any act of the Legislature by gathering the 
minimum amount of signatures on petitions. In about 6 weeks volunteers 
gathered over 17,000 signatures, about 2.5 percent of our States 
population, far exceeding the minimum needed to refer SB 2191. The 
people of ND would now vote on the referral on June 11, 2002, to decide 
if they wanted to repeal SB 2191. That meant we had about 10 months 
before the referral vote. During this time the banks organized, hired 
an advertising agency, and raised big money to fight the referral. They 
even hired two incumbent North Dakota Legislators to be the co-chairs 
of their committee, which they ironically named ``Citizens for North 
Dakota's Future.''
Grass Roots Organization: ``Protect Our Privacy'' to Repeal SB 2191
    The grass roots organization against SB 2191 ``Protect Our 
Privacy,'' had no money and no paid staff. All we had was a small group 
of committed volunteers, who like Winston Churchill, were determined we 
would ``Never, Never, Never, Never Give Up.''
    To counter the power and money of the big banks, we wrote letters 
to the editor, appeared as guests on radio talk shows, held press 
conferences, and made appearances before civic groups. About 2 weeks 
before the vote on June 11, 2002, we obtained a contribution of $25,000 
from the National ACLU, which allowed some radio spots to be run the 
last 10 days before the vote. Prairie Public Television also hosted a 
half hour debate about 2 weeks before the vote. Other than this, the 
campaign to repeal SB 2191 was by word of mouth, truly grass roots. Mr. 
Chairman, I would like to provide the Committee with copies of relevant 
documents for the record, concerning these matters.
Big Bank Media Campaign to Keep SB 2191 Backfires
    All of this was small in comparison to the huge amounts of money 
the big banks spent on their advertising. Their media campaign was 
overwhelming in ND. Radio, TV, newspapers, talk shows, and civic 
presentations, began statewide. They obtained endorsement from our 
State Chamber of Commerce, from our former popular Governor, and most 
of the local Chambers of Commerce in our major cities. They even 
pirated the ``Protect Our Privacy'' group's name, adopting and 
registering the slogan, ``Protect Your Privacy'' and used it on their 
literature to further attempt to confuse ND voters. The various banks 
and credit unions placed pamphlets and brochures in their customers 
checking and savings statements and they placed signs in many lobbies, 
encouraging a yes vote on SB 2191.
    In their most memorable TV ad, they actually showed a wall being 
built around North Dakota, stating that we would become an island if SB 
2191 was repealed. The one thing the bankers would not talk about, 
however, was the truth about SB 2191. The banks want unlimited access 
to and the ability to sell and share their customers' personal and 
confidential financial information, without the customers' consent or 
knowledge. The Opt-Out notices required by GLB, which are supposed to 
be privacy notices and are supposed to provide consumers with an 
opportunity to stop the banks from sharing information, are a joke. 
Statistics indicate that over 95 percent of the people of our country 
throw these notices away because they: (1) Do not understand them; (2) 
do not realize their importance; and (3) do not know the ramifications 
of not sending them back to the financial institution.
The Vote in North Dakota-- June 11, 2002
    The people of North Dakota spoke loudly and clearly on June 11, 
2002, when by a 73 percent vote, they threw out and repealed SB 2191 
and thus returned North Dakota privacy law to our very protective 
privacy statutes. Despite being out-spent 10 to 1, despite the bankers 
deliberate attempt to confuse the issues with their media campaign and 
despite the power of the banks and their hired staff, the people of ND 
saw through the charade of SB 2191. Their message is a national message 
for the Congress as well.
The Message to the Congress from the People of ND by Their June 11, 
        2002
Vote on Privacy is:

 Give us back and protect our privacy.

 Our financial and personal information is ours. It does not 
    belong to the banks and other financial service companies, or 
    anyone else for that matter. It is not for sale.

 If we want to purchase a financial product, we are very 
    capable of initiating the call or contact ourselves.

 We are not waiting breathlessly at home for our phone to ring, 
    to be solicited by someone with the latest, greatest product, 
    financial or otherwise, that we just cannot do without.

 We want our identity protected.

 Our financial and personal information is a property right we 
    believe is protected under the U.S. Constitution.

 A bank should have no more right to sell my information than 
    it does to enter my property, steal my car and sell it without my 
    consent.
Why Do Banks Need Unlimited Access to People's Financial and
Personal Information?
    It is all about market share, profit, and corporate greed, just 
like what our Nation has recently experienced with the Enron scandal, 
wherein too many corporate executives will do anything to make profits 
and gain market share.
    The lifeblood needed to increase market share by the Financial 
Services companies is the free flowing and easy access to consumers' 
personal and confidential financial information. The GLB Act does not 
result in fair, open and more competition in the financial services 
industries. It results in the elimination of competition, wherein the 
big get bigger and small businesses by the thousands and hundreds of 
thousands will eventually be driven out of business, because they 
cannot compete with the financial might of the Citicorps and other mega 
financial conglomerates. GLB will have a long-term negative impact on 
rural America, as well. In ND, our State Legislature spends millions of 
dollars to attract new businesses to relocate to our State and our 
rural areas. Yet, we have a Federal Law, GLB, which places small 
businesses at a tremendous competitive disadvantage. When jobs 
disappear, the people leave. We are already experiencing this result 
all over America today.
Example of How Banks Share Information
    My best client is a small business in Fargo, North Dakota. I have 
handled their insurance needs for almost 20 years. When they have an 
insurance need they call me. Recently, one of the principals called and 
asked me to come to his office to look at a life insurance proposal 
they had just received from their big bank insurance agent. This agent 
had been given their corporate and personal financial information, 
including salaries, ownership percentages, ages, tax bracket, Social 
Security numbers, dates of birth, and additional confidential 
information, without their consent or knowledge. They had never met or 
heard of the insurance agent and they had not asked for any insurance 
proposals. My clients were astonished and upset that the bank gave this 
insurance agent their information without their consent or knowledge.
My Mother's Financial Needs
    My mother, who is a 79-year-old widow, just had a CD come due at 
her local bank, worth about $14,500. When discussing the CD renewal 
with the bank teller, she was told she should look at transferring the 
CD to an annuity. We learned later the bank teller was not licensed to 
sell annuities and did not know a thing about the rest of my mother's 
financial affairs. She just advised her to buy an annuity from the 
bank.
    The bank teller had no knowledge of my mother's financial needs, 
other than the fact she had a CD due. Despite this fact, a financial 
recommendation was made to purchase an insurance product from someone 
who was not licensed and had no idea what the impact would be on my 
mother's overall needs.
    These are two examples of what goes on literally thousands of times 
every day.
A California Trip in July 2002--Bank Tactics the Same Everywhere
    Senator Jackie Speier, (D) California, invited me to come to 
Sacramento to help move forward her privacy bill, which was in trouble 
in the California Assembly (House of Representatives). I spent 4 days 
in CA in early July 2002, a few weeks after the repeal of the SB 2191 
in North Dakota. I found the big banks were using the identical tactics 
in CA as they had in ND. One of their tactics was to confuse the 
issues. They also used intense lobbying pressure from banking 
representatives. Unfortunately, their tactics worked, as Senator 
Speier's bill was just recently defeated by a few votes. As I stated 
earlier, there appears to be a national strategy by the Banking 
Industry, to kill all attempts by State Legislatures to enact any State 
Legislation that is more protective than the GLB privacy rules. It 
worked again in California.
Where Should Congress and the Senate Banking Committee Go from Here
    It is imperative, in my opinion, that this Committee draft 
amendments to Title V of GLB, to do the following:
    For nonaffiliate transactions, enact a No-Opt provision, 
prohibiting the sharing and selling of personal and financial 
information to nonaffiliated third parties for any reason, with the 
exception of data processing for customer requested transactions such 
as ATM's etc., and for transactions required by law to comply with 
Federal and State statutes.
    Amend GLB to provide for an Opt-In method of privacy protection for 
all affiliates-sharing and selling of information. The people of our 
Nation should have the right to stop their information from being 
passed around, to affiliated companies, and it should only be allowed 
with their advanced written consent and knowledge.
    Repeal the Joint Marketing loophole. This charade of an exemption 
makes a mockery of the already weak privacy protections in current GLB, 
as almost any transaction can be designed by the banks to be exempt 
under this part of GLB.
    Enact Legislation to provide privacy protections for all financial 
transactions from all sources, including business, agriculture, and 
nonprofit financial transactions. Under GLB these types of entities 
have no privacy protection whatsoever. They should have the same 
privacy protections that consumers do.
What Will Happen if Congress Fails to Amend GLB?
    The people of the United States and the Legislators of the State 
Legislatures are beginning to realize the damage that has been done to 
the people of our country over the past number of years, due to the 
free flowing and public availability of their private and confidential 
information. I know of three States where Legislators are currently 
working on State Legislation to override the GLB privacy rules and to 
enact State Legislation similar to North Dakota's recently restored 
privacy law. I believe this is just the beginning of what will become a 
national ground swell, wherein the State Legislatures will enact real 
privacy protection for their citizens. Congress should act immediately 
to correct the mistakes made in GLB and change its privacy provisions, 
as suggested in this testimony.
California Initiative--2004 Vote
    Due to the failure of the CA Legislature to pass Senator Speier's 
privacy law in California, an initiated measure has begun, headed by 
Chris Larsen, Chairman and CEO of e-Loan.com an Internet mortgage loan 
company. I predict it will be overwhelmingly successful in 2004, 
regardless of how much money the big banks spend to defeat it. In fact, 
the more they spend, the larger the vote will be to pass the privacy 
law in CA, because the banks cannot address the truth about how they 
use people's private and confidential information. It is their dirty 
little secret, their Achilles heal. They want to be able to sell it and 
share it without the people's knowledge or consent, but they cannot 
talk about it truthfully and openly, because they know their customers 
are overwhelmingly against this practice.
The Real Tragedy Perpetrated on the American People
    I believe that the Congress needs to realize the damage and danger 
they have perpetrated on the American people by failing to pass real 
privacy protection. What has been done under GLB and its sister law, 
the Fair Credit Reporting Act, is to make people's private information 
a public commodity, available to all those who have the money to buy 
it. By allowing the privacy protections of the people of our Nation to 
continually be eroded, traded, and sold as just another commodity, the 
very fabric of our Republic is threatened. When our citizens no longer 
feel safe and secure in their homes and in the workplace, because their 
most personal and private information is no longer personal and 
private, we face the very real possibility that our citizens will lose 
confidence in our financial services industries. If that occurs, we 
will be in tremendous trouble. If you do not think it can happen today, 
all you need do is look back to 1929 and what occurred in our Nation 
then. Those who do not remember history are bound to repeat it.
    Strong and meaningful amendments are necessary now to strengthen 
the Federal privacy law in GLB. I urge this Committee to courageously 
move forward to do so.
    Thank you, Mr. Chairman, and all of the Committee Members, for the 
opportunity to share my experiences and viewpoints with you today. It 
has been an honor.
                               ----------
                 PREPARED STATEMENT OF PHYLLIS SCHLAFLY
                         President, Eagle Forum
                           September 19, 2002
    Totalitarian governments keep their subjects under constant 
surveillance by 
requiring everyone to carry ``papers'' that must be presented to any 
Government functionary on demand. This is an internal passport that 
everyone must show to authorities for permission to travel within the 
country, to move to another city, or to apply for a new job.
    Having to show ``papers'' to Government functionaries was bad 
enough in the era when ``papers'' meant merely what was on a piece of 
paper. In the computer era, personal information stored in databases 
can be used to determine your right to board a plane, drive a car, get 
a job, enter a hospital emergency room, start school, open a bank 
account, buy a gun, or access Government benefits such as Social 
Security, Medicare, or Medicaid.
    While each classification currently has its own set of rules, 
connecting all these dots would amount to the personal surveillance and 
monitoring that are the indicia of a police state. The Washington buzz 
words ``information-sharing'' are often put forth as the solution to 
21st Century problems, but this has significant privacy implications 
that must be addressed.
    Invasions of privacy are no longer limited to Government. Big 
business has become nearly as powerful in demanding, collecting, 
sharing, and selling our personal information. Information-gathering 
and sharing by Big Brother and Big Business raise varying levels of 
concern, and both are privacy invaders. Government and business often 
commingle and corroborate their information-sharing in the name of 
catching deadbeat dads, terrorists, money launderers, drug peddlers, 
and criminals.
    The global economy is obsessed with gathering information. The 
lifestyle or profile of each consumer is a valuable commercial 
commodity. The checks you write and receive, the invoices you pay, and 
the investments you make reveal as much about you as a personal diary. 
Where I shop, how often I travel, when I visit my doctor, how I save 
for retirement are all actions known to financial institutions, which 
connect the dots of my life and create a valuable personal profile. 
This compilation of personal information is bad enough, but the sharing 
of it without my consent is even worse.
    Thus far, big business has largely been unwilling to exercise self-
restraint to respect the privacy of consumers. The bottom-line dollar 
is viewed as more important. Financial institutions do not want to seek 
prior express permission to share customer profiles because they know 
that most people will not sign-up.
    True privacy protections encompass the principles of notice, 
access, correction, consent, preemption, and limiting data collection 
to the minimum necessary. These form the core of the Fair Information 
Practices (FIP) first codified in the 1974 Privacy Act, and they should 
serve as the model for every classification or compilation of personal 
information.
    Three years ago, Congress had the opportunity to dramatically 
change how financial institutions treat personal information by 
embracing these core principles, but the resulting law was only a 
slight improvement over no protections at all.
    On November 12, 1999, President Clinton signed into law the 
Financial Services Modernization bill, known more commonly as Gramm-
Leach-Bliley (GLB). This Act included several sections aimed at 
protecting sensitive personal information obtained and maintained by 
financial institutions, but in practice, these meager provisions are 
proving inadequate.
    Achieving true financial privacy was conflicted by the underlying 
goal of GLB, which was to streamline financial services, thereby 
increasing affiliation and cross-company marketing once affiliated. 
Greater affiliation meant greater information-sharing. Interjecting the 
right of individuals to control their personal information into that 
streamlining equation was perceived as a threat to this big business 
scheme.
    As a result, the GLB sections on privacy were severely watered 
down. Instead of personal information being kept confidential, 
financial institutions collect, repackage, and share the data. In some 
instances personal information is shared with the Government, and in 
other instances, it is shared with hundreds of other ``affiliated'' 
companies. Even under GLB, it is still legal. GLB failed to recognize 
that consumers are the rightful owners of their personal information. 
Your financial diary should be your property, not the bank's.
    GLB does not provide consumers with any opportunity to decide for 
themselves about the transfer of their private information among 
affiliates. Particularly troubling is the large number of companies 
marked as affiliates. For instance, Bank of America has nearly 1,500 
corporate affiliates, and Citigroup has over 2,700. There is no 
opportunity to stop this free flow of personal information.
    GLB did include a privacy notice provision. Privacy notices should 
be simple documents outlining what kinds of information are collected 
and how the business uses that information. However, the notices sent 
to consumers as a result of GLB turned out to be too complicated for 
the public to cope with.
    When GLB was set to go in effect, few consumers understood their 
rights. Notices began reaching consumers, and we began receiving 
questions about them through our website. Making the situation even 
more confusing, a mass e-mail was sent out by an unknown source 
claiming that anyone could opt-out of all information-sharing of 
banking, credit, and other financial records by calling the credit 
reporting companies. We tried to provide clarification and assistance 
through a special alert on our website, but financial institutions 
failed to explain the companies' privacy policies in simple terms.
    GLB also provided the right to opt-out of information-sharing but 
only to third parties. With all the confusion in the notices, figuring 
out how to prevent the sale of your personal financial diary, and to 
whom you were actually denying it, was yet another significant 
obstacle. Opt-out consent depends on being able to understand what you 
are saying no to. This is a misplaced burden, especially when combined 
with complex, unintelligible privacy notices. Again, the design of GLB 
failed to begin with answering the essential property rights question. 
The individual was burdened with seeking further explanation of his 
options and consent rights to ensure protection of his financial diary.
    If financial institutions want to offer such a range of popular 
services, they should have no problem simply explaining those services 
and letting individuals decide whether they want to sign-up for such 
offers. The burden should be on the financial institutions to be 
honest, to better market their products, and to respect the best 
interests of the customer. This would contribute to more confidence and 
trust in the customer-business relationship.
    One redeeming factor of GLB was in the area of preemption. To the 
financial institutions' chagrin, GLB set a floor of protections rather 
than ceiling. Stronger State privacy laws can be placed on top of GLB's 
limited protections. Some States have already taken action and more are 
likely to do so. For instance, when the question was put to the people 
of North Dakota, information-sharing without consent lost by 73 
percent. A financial privacy bill in California was narrowly defeated 
this year, but State legislators are expected to revisit the issue.
    The problems with the GLB privacy provisions are clear. Exceptions, 
such as sharing among affiliates, make notices very complex. Typically 
buried in small print, the limited opt-out consent burdens individuals, 
insufficiently protects nonpublic data, and minimizes the confidence in 
financial institutions' practices. The banking lobby is working hard to 
defeat greater financial privacy, but they should embrace better 
business practices that put their customers' interests first.
    It is also important to mention a disturbing trend in Government 
exchange and reliance on private collections of information, such as 
through financial institutions. The post-9/11 atmosphere encourages 
more information-sharing and verification of identity, but any actions 
should be done cautiously so as to not impact law-abiding citizens.
    In 1998, the Clinton Administration proposed a Federal regulation 
called Know Your Customer, which would have turned your friendly local 
banker into a snoop reporting to the Federal database called FinCEN any 
deviation from what the bank decided is your deposits/withdrawal 
profile. The American people responded with 300,000 angry e-mail 
criticisms and the regulation was withdrawn. However, the Bank Secrecy 
Act still requires banks to share personal information with the 
Government through suspicious activity reports.
    The Bush Administration's proposed regulations announced on July 17 
to implement the USA PATRIOT Act's Anti-Money Laundering provisions 
call for identity verification, but they are even more intrusive than 
Know Your Customer. On that very same day, The Wall Street Journal 
reported that the Treasury Department entered into an agreement with 
the Social Security Administration (SSA) ``to develop and implement a 
system by which financial institutions may access a database to verify 
the authenticity of Social Security numbers provided by customers at 
account opening.''
    Congress promised us that the SSN would never be used for anything 
else when it was created, and certainly not for identification 
purposes. Giving financial institutions access to SSA's database 
embraces the SSN as a national ID number, which is a step in the wrong 
direction. Such so-called antimoney laundering provisions are threats 
to the privacy of law-abiding citizens. Is access to our personal 
records housed in the Internal Revenue Service the next step?
    In conclusion, neither Government nor private business should act 
as if they can own, share, display, or traffic our personal information 
without our consent. Our personal financial data should be protected by 
a firewall and accessible only to those who have authority. Financial 
institutions are in a unique position of housing our financial diaries 
that often contain all the dots of life. Extra caution and care should 
be taken by these corporations to ensure protection not only from fraud 
but also from misuse and overuse within the companies. Unless financial 
institutions are willing to raise their privacy standards 
independently, Congress should revisit GLB to raise the floor of 
privacy protection for our financial diaries.
                PREPARED STATEMENT OF EDMUND MIERZWINSKI
                       Consumer Program Director
            U.S. Public Interest Research Group (U.S. PIRG)
                              on behalf of
            Consumer Action, Consumer Federation of America
  Consumer Task Force on Automotive Issues and Remar Sutton, President
         Consumers Union, Electronic Privacy Information Center
           Identity Theft Resource Center, Junkbusters, Inc.
     Privacy Rights Clearinghouse, Private Citizen, Inc., U.S. PIRG
                           September 19, 2002
    Chairman Sarbanes and Members of the Committee, thank you for the 
opportunity to testify before you today. As you know, U.S. PIRG \1\ 
serves as the national lobbying office for State Public Interest 
Research Groups, which are independent, nonprofit, nonpartisan research 
and advocacy groups with members around the country. Our testimony is 
also on behalf of Consumer Action, Consumer Federation of America, 
Consumer Task Force on Automotive Issues and Remar Sutton, President, 
Consumers Union, Electronic Privacy Information Center, Identity Theft 
Resource Center, Junkbusters, Inc., Privacy Rights Clearinghouse, 
Private Citizen, Inc.\2\ Many of these groups participating are members 
of the Privacy Coalition.\3\
---------------------------------------------------------------------------
    \1\ U.S. PIRG, www.uspirg.org is the national lobbying office for 
the State Public Interest Research Groups, www.pirg.org. State PIRG's 
are nonprofit, nonpartisan public interest advocacy groups.
    \2\ Consumer Action, www.consumer-action.org founded in 1971, is 
active on privacy issues both in California and on the national level 
working through its network of more than 6,500 community-based 
organizations. Consumer Federation of America, www.consumerfed.org is a 
coalition of 240 national, State, and local consumer groups around the 
country. Consumer Advocate Remar Sutton is President of the Consumer 
Task Force on Automotive Issues, http://www.auto issues.org/. He and 
the Task Force are founding members of www.privacyrightsnow.com. 
Consumers Union, www.consumer.org is the nonprofit, nonpartisan, 
noncommercial publisher of Consumers Report magazine and maintains 
advocacy offices in California, Washington, DC, and Texas. The 
Electronic Privacy Information Center (EPIC), www.epic.org was 
established in 1994 to focus public attention on emerging civil 
liberties issues and to protect privacy, the First Amendment, and 
Constitutional values. The Identity Theft Resource Center, http://www. 
idtheftcenter.org is a nationwide nonprofit organization dedicated to 
developing and implementing a comprehensive program against identity 
theft. Junkbusters, Inc., www.junkbusters. com offers free software and 
other tools to fight junk mail, spam, cookies, and other forms of 
privacy invasion. The Privacy Rights Clearinghouse, 
www.privacyrights.org is a nonprofit consumer information and advocacy 
program. Private Citizen, Inc., http://www.private-citizen.com is 
nationally known and respected as America's foremost consumer 
organization fighting against the direct marketing industrys privacy-
abusive practices.
    \3\ The Privacy Coalition was established in 2001 by a broad range 
of consumer, privacy, civil liberties, family-based, and conservative 
organizations that share strong views about the right to privacy. The 
groups had previously worked together on a more informal basis in 
opposition to the intrusive Know-Your-Customer rules and in support of 
financial privacy proposals offered in the 106th Congress by Members of 
the bi-partisan Congressional Privacy Caucus, Co-Chaired by Senate 
Banking Committee Members Richard Shelby and Christopher Dodd and House 

Energy and Commerce Committee Members Joe Barton and Ed Markey. Groups 
endorsing the 
coalition's legislative candidate Privacy Pledge are listed at 
www.privacypledge.org.
---------------------------------------------------------------------------
Summary
    The Congress knew that the 1999 Gramm-Leach Bliley Financial 
Services Modernization Act \4\ (GLBA)--a law long-sought by the 
financial industry to encourage the creation of integrated financial 
services firms--would exacerbate already-identified financial privacy 
threats. So Congress incorporated Title V to protect financial privacy, 
which included the following five key provisions. The most important 
and most successful is the last: The fail-safe States' rights provision 
allowing States to enact stronger financial privacy laws.
---------------------------------------------------------------------------
    \4\ Public Law 106 -102, 15 U.S.C. Sec. 6801, et seq. enacted 
November 12, 1999.

    (1) Title V defined certain confidential information as ``nonpublic 
---------------------------------------------------------------------------
personal information'' subject to strong privacy protection.

    Status: An important recent decision by the DC Circuit U.S. Court 
of Appeals upholding the GLBA financial privacy regulations has 
effectively closed the so-called credit header loophole exploited by 
Internet information brokers to obtain Social Security Numbers from 
credit bureaus without consumer consent. Creating a strict definition 
of protected information is an important and successful result of GLBA.

    (2) Title V required covered firms to provide, by July 2001, annual 
notice of their information-sharing practices with both affiliated and 
nonaffiliated third parties.

    Status: The core of the GLBA privacy scheme is limited to notice. 
Industry lobbyists will falsely portray their distribution of billions 
of privacy notices as successful privacy protection. Notice is not 
enough to protect privacy. Data collectors should adhere to a broader 
set of Fair Information Practices (discussed below). Worse, the first 
year's privacy notices were unreadable; this year's no better. Although 
notice is not enough to protect privacy, covered firms should do a 
better job of providing notice and regulators should penalize those 
that do not.

    (3) Title V required covered firms to provide in that notice an 
extremely limited statutory consumer right to opt-out (affirmatively 
act to say no) to the sharing of information with some, but not all, 
nonaffiliated third parties. Transactions between affiliates and also 
with many nonaffiliated third parties engaged in joint marketing 
contracts with an affiliate could continue regardless of whether or not 
a customer had chosen to ``opt-out.''

    Status: Notice is not enough, nor is the limited opt-out, to 
satisfy the Fair Information Practices. The vast majority of all 
information-sharing with both affiliates and many third parties is only 
covering by notice, not by this limited opt-out ``right.'' The 
provision is inadequate and fails to even rein in the practices of the 
telemarketers it is narrowly targeted at (see (4) ). The partial opt-
out should be replaced by an across-the-board affirmative consent (opt-
in) provision for all affiliate and third-party information-sharing. 
The failure of the GLBA to require any form of consumer consent for the 
vast majority of information-sharing transactions affected is one 
example of how the GLBA fails to meet the Fair Information Practices 
(discussed below).

    (4) Title V attempted, through an encryption provision, to restrict 
the tawdry practice of nonaffiliated telemarketers obtaining credit 
card numbers from banks, then signing consumers up for expensive 
``membership clubs'' and billing them when the consumer failed to 
affirmatively cancel within 30 days.

    Status: As Attorneys General Hatch of Minnesota and Sorrell of 
Vermont have testified today, telemarketers continue to find loopholes 
enabling them to bill consumers for products the consumer never 
ordered, using credit card numbers provided by the consumer's bank, not 
by the consumer. Consumers do not think they ordered anything, when 
they do not hand over cash, a check, or a credit card number. 
Unfortunately, the encryption provision has codified, instead of 
stopped, the growing epidemic of anticonsumer, controversial 
``preacquired account telemarketing.''

    (5) Finally, recognizing that it hadn't really completed the job of 
protecting privacy adequately, the Congress--in an extremely rare 
departure from its normal policy of preempting State action--explicitly 
included a fail-safe provision allowing States to enforce existing and 
to enact new stronger financial privacy laws.

    Status: The States' rights fail-safe is the most important, and 
most successful, privacy protection in GLBA. We commend the Chairman 
for his sponsorship of the provision added in conference committee 
known as the ``Sarbanes Amendment.'' States have been very active and 
although not all have yet been successful, we believe that there is a 
good chance that passage of strong new privacy laws in a few more 
States will provide Congress with the encouragement it needs to raise 
the bar nationally.
Financial Privacy and the Gramm-Leach-Bliley Act
    The 1999 Gramm-Leach-Bliley Financial Services Modernization Act 
was enacted to respond to changes in the marketplace. Banks, insurance 
companies, and securities firms were more and more selling products 
that looked alike. The firms wanted the privilege of and synergies 
derived from selling them all under one roof. Yet, the Gramm-Leach-
Bliley Act was also enacted against a backdrop of financial privacy 
invasions, and members wanted to ensure that the new law wouldn't make 
things worse. Consumer and privacy groups argued that if the Congress 
was going to create one-stop financial supermarkets, then privacy 
protections should extend to all information-sharing, whether with 
affiliates or with third parties. At the time, two examples were given 
of the need for stronger privacy laws.

 First, NationsBank (now Bank of America) had recently paid 
    civil penalties totaling $7 million to the Securities and Exchange 
    Commission and other agencies, plus millions more in private class 
    action settlements, over its sharing of confidential bank 
    accountholder information with an affiliated securities firm. 
    ``Registered representatives also received other NationsBank 
    customer information, such as financial statements and account 
    balances.'' \5\ In this case, conservative investors who held 
    maturing certificates of deposits (CD's) were switched into risky 
    financial derivative products. Some lost large parts of their life 
    savings.
---------------------------------------------------------------------------
    \5\ See the SEC's NationBank Consent Order, http://www.sec.gov/
litigation/admin/337532.txt.

 Second, Minnesota Attorney General Mike Hatch had recently 
    sued U.S. Bank and its holding company, accusing them of having 
    ``sold their customers' private, confidential information to 
    MemberWorks, Inc., a telemarketing company, for $4 million dollars 
    plus commissions of 22 percent of net revenue on sales made by 
    MemberWorks.'' \6\ As General Hatch has testified today in detail, 
    MemberWorks and other nonaffiliated third-party telemarketers sign 
    credit card customers up for add-on ``membership club'' products 
    and bill their credit cards as much as $89 or more if they do not 
    cancel within 30 days. The catch? The consumer never gave the 
    telemarketer her credit card number; her bank did, in a scheme 
    known as preacquired account telemarketing. General Hatch has 
    settled with both U.S. Bank and MemberWorks.
---------------------------------------------------------------------------
    \6\ See the complaint filed by the State of Minnesota against U.S. 
Bank, http://www.ag.state. mn.us/consumer/privacy/pr/
pr%5Fusbank%5F06091999.html.

    Industry has argued that these ``aberrations'' occurred before the 
enactment of GLBA. Yet, as General Hatch has also testified today, 
however, he has also recently settled a post-GLBA lawsuit with Fleet 
Mortgage Company over similar practices in the post-GLBA 
environment.\7\ He and numerous other Attorneys General have filed 
comments with the U.S. Treasury Department and the Federal Trade 
Commission seeking stronger laws restricting ``preacquired account 
telemarketing'' transactions involving banks and membership clubs run 
by telemarketers.
---------------------------------------------------------------------------
    \7\ See the complaint filed by the State of Minnesota against Fleet 
Mortgage, 28 December 2000, http://www.ag.state.mn.us/consumer/news/pr/
Comp_Fleet_122800.html.
---------------------------------------------------------------------------
    In response to these documented concerns about the risks to 
financial privacy, Congress included a specific financial privacy title 
in the Gramm-Leach-Bliley Act.
Basic Structure of the GLBA Financial Privacy Scheme and Its 
        Limitations
    The principal privacy protection in GLBA is an annual notice 
requirement. GLBA defines nonpublic personal information that must be 
protected. GLBA then requires covered entities to disclose their 
information-sharing policies with both affiliated companies (companies 
under the same corporate umbrella and ``common control'') and with 
nonaffiliated third parties. GLBA then requires firms to grant 
customers a limited right to opt-out of a small number of transactions 
with some nonaffiliated third parties (primarily telemarketers).
    The opt-out applies to neither affiliates nor any nonaffiliated 
third parties in a joint marketing relationship with the bank or other 
covered entity. The rationale for treating marketing partners as 
affiliates was ostensibly to create a level playing field for smaller 
institutions that might not have in-house affiliates selling every 
possible product larger firms might sell.\8\ Of course, large firms use 
joint marketing partners, too.
---------------------------------------------------------------------------
    \8\ The GLBA also includes numerous other exceptions to opt-out 
protections, including sharing for Government or law enforcement 
purposes and sharing for purposes related to completing a consumer 
transaction (such as a credit card purchase or ATM withdrawal).
---------------------------------------------------------------------------
    The result of this scheme is that most information-sharing is only 
``protected'' by notice. Sharing of confidential consumer information 
with either affiliates or joint marketing partners continues regardless 
of a consumer's privacy preference. Although we have no way of knowing 
how many joint marketing partners a company may have, we do know how 
many affiliates some of the largest financial services holding 
companies and bank holding companies have. For their recent joint 
comments to the Treasury Department on GLBA, State Attorneys General 
accessed the Federal Financial Institutions Examination Council and 
Federal Reserve websites and counted affiliates for Citibank (2,761), 
Key Bank (871), and Bank of America (1,476).\9\
---------------------------------------------------------------------------
    \9\ See 1 May 2002 Attorneys General Comments, http://
www.ots.treas.gov/docs/r.cfm?95421. pdf or http://www.epic.org/privacy/
financial/ag_glb_comments.html on the GLBA Information Sharing Study 
(Federal Register: February 15, 2002 (Volume 67, Number 32) ).
---------------------------------------------------------------------------
    The GLBA has failed to provide adequate protections for consumer 
privacy in modern financial services. Individuals face a multitude of 
potential risks through unrestricted and undisclosed information-
sharing of personal financial data information under the GLBA. 
Unfettered affiliate and nonaffiliate sharing permits comprehensive 
profiling, which results in aggressive target marketing techniques, 
identity theft, profiling, and fraud. Consumers have not been 
adequately informed or been given effective choice to evaluate the 
benefits of information-sharing against the potential harms causes by 
unrestricted information-sharing.
    The inherent weaknesses of the GLBA notwithstanding, the July 2002 
decision by the Court of Appeals upholding GLBA's regulations is 
nevertheless an important decision upholding the Constitutionality of a 
broad Government privacy regulation.\10\ Government has an important 
interest in protecting privacy and regulating the activities of 
companies that share and sell confidential consumer information. 
Financial privacy is not merely an issue of a few ``nuisance'' phone 
calls, as industry would like to portray it. When data collectors do 
not adhere to Fair Information Practices (discussed below) consumers 
face numerous privacy risks:
---------------------------------------------------------------------------
    \10\ See http://pacer.cadc.uscourts.gov/common/opinions/200207/01-
5202a.txt.

 Consumers pay a much higher price than dinner interruptions 
    from telemarketers. Many unsuspecting constituents of yours may be 
    paying $89/year or more for essentially worthless membership club 
---------------------------------------------------------------------------
    products they did not want and did not order.

 Easy access to confidential consumer identifying information 
    leads to identity theft. Identity theft may affect 500,000-700,000 
    consumers each year. Identity theft victims in a recent PIRG/
    Privacy Rights Clearinghouse survey faced average out-of-pocket 
    costs of $808 and average lost time of 175 hours over a period of 
    1- 4 years clearing an average $17,000 of fraudulent credit off 
    their credit reports. It is difficult to measure the costs of 
    higher credit these consumers pay, let alone attempt to quantify 
    the emotional trauma caused by the stigma of having their good 
    names ruined by a thief who was aided and abetted by their bank and 
    credit bureau's sloppy information practices.\11\
---------------------------------------------------------------------------
    \11\ See ``Nowhere To Turn: A Survey of Identity Theft Victims, May 
2000, CALPIRG and Privacy Rights Clearinghouse, http://calpirg.org/
CA.asp?id2=3683&id3=CA&.

 Reliance on the Social Security Number as a unique identifier 
    in the private sector has proliferated. Easy access to Social 
    Security Numbers by Internet information brokers and others also 
---------------------------------------------------------------------------
    leads to stalking.

 The failure to safeguard information and maintain its accuracy 
    leads to mistakes in credit reports and consequently consumers pay 
    higher costs for credit or are even denied opportunities.

 Although the industry witnesses will testify to a vast ``free 
    flow of information'' driving our economy that should not be 
    constrained, more and more firms are choosing to stifle the flow of 
    information themselves--to maintain their current customers as 
    captive customers. When a bank intentionally fails to report a 
    consumer's complete credit report information to a credit bureau, 
    that consumer is unable to shop around for the best prices and 
    other sellers are unable to market better prices to that 
    consumer.\12\
---------------------------------------------------------------------------
    \12\ See speech by Comptroller of the Currency John Hawke at http:/
/www.occ.treas.gov/ftp/release/99-51.txt 7 June 1999: ``Some lenders 
appear to have stopped reporting information about subprime borrowers 
to protect against their best customers being picked off by 
competitors. Many of those borrowers were lured into high-rate loans as 
a way to repair credit histories.'' According to U.S. PIRG's sources in 
the lending industry, this practice continues.

 The unlimited collection and sharing of personal data poses 
    profiling threats. Profiles can be used to determine the amount one 
    pays for financial services and products obtained from within the 
    ``financial supermarket'' structure. As just one example, 
    information about health condition or lifestyle can be used to 
    determine interest rates for a credit card or mortgage. Even with a 
    history of spotless credit, an individual, profiled on undisclosed 
    factors, can end up paying too much for a financial service or 
    product. Because there are no limits on the sharing of personal 
    data among corporate affiliates, a customer profile can be 
    developed by a financial affiliate of the company and sold or 
    shared with an affiliate that does not fall within the broad 
    definition of ``financial institution.'' A bank, for instance, that 
    has an affiliation with a travel company could share a customer 
    profile resulting in the bank's customer receiving unwanted 
    telephone calls and unsolicited direct mail for offers of 
    memberships in travel clubs or the like that the individual never 
    wanted or requested.\13\
---------------------------------------------------------------------------
    \13\ For additional discussion of the profiling issue, and related 
privacy threats posed by information-sharing, see 1 May 2002 comments 
of EPIC, U.S. PIRG, Consumers Union, and Privacy Rights Clearinghouse 
on the GLBA Information Sharing Study (Federal Register: February 15, 
2002 (Volume 67, Number 32) ) available at http://www.epic.org/privacy/
financial/glb_ 
comments.pdf.

    We will now discuss the success or failure of the five key privacy 
---------------------------------------------------------------------------
provisions summarized above in greater detail.

    (1) Title V defined certain confidential information as ``nonpublic 
personal information'' subject to strong privacy protection.

    Status: An important recent decision by the DC Circuit, U.S. Court 
of Appeals upholding the GLBA financial privacy regulations has 
effectively closed the so-called credit header loophole exploited by 
Internet information brokers to obtain Social Security Numbers from 
credit bureaus without consumer consent. Creating a strict definition 
of protected information is an important and successful result of GLBA.
    The GLBA created a category of protected ``nonpublic personal 
information.'' The final GLBA financial privacy rules issued by 7 
Federal financial agencies defined Social Security Numbers as nonpublic 
personal information (NPPI). A key provision is that the transfer of 
Social Security Numbers from financial institutions to credit bureaus 
is only allowed for regulated Fair Credit Reporting Act purposes (e.g., 
for use in a credit report) but not for unregulated purposes, where the 
credit bureau would be considered a nonaffiliated third-party. The 
agencies correctly interpreted the law to prevent the sharing of Social 
Security Numbers unless consumers are given notice of the practice and 
a right to opt-out.
    In 1993, the Federal Trade Commission had (improperly in our view) 
granted an exemption to the definition of credit report when it 
modified a consent decree with TRW (now Experian). The FTC said that 
certain information would not be regulated under the Fair Credit 
Reporting Act (FCRA). The so-called credit header loophole allowed 
credit bureaus to separate a consumer's so-called header or identifying 
information from the balance of an otherwise strictly regulated credit 
report and sell it to anyone for any purpose. Credit headers included 
information ostensibly not bearing on creditworthiness and therefore 
not part of the information collected or sold as a consumer credit 
report. The sale of credit headers involves stripping a consumer's 
name, address, Social Security Number, and date of birth \14\ from the 
remainder of his credit report and selling it outside of the FCRA's 
consumer protections. Although the information, marketing and locater 
industries contend that header information is derived from numerous 
other sources, in reality, the primary source of credit header data is 
likely financial institution information.
---------------------------------------------------------------------------
    \14\ In a separate 2001 decision by the DC Circuit, U.S. Court of 
Appeals (No. 00-1141, 13 April 2001, cert denied, 10 June 2002 by 
Supreme Court), Trans Union I vs. FTC, http://laws.findlaw.com/dc/
001141a.html, the FTC's order against Trans Union, http://www.ftc.gov/
os/2000/03/transunionopinionofthecommission.pdf prohibiting Trans Union 
from selling actual credit information for illegal marketing purposes 
was upheld. This decision also removed dates of birth from credit 
headers, since age is a determinant of credit scores and therefore has 
a bearing on creditworthiness.
---------------------------------------------------------------------------
    In their unsuccessful arguments to the courts, the credit bureau 
Trans Union and a number of companies that sell information, organized 
into the now-apparently-defunct Individual References Services Group, 
argued that the GLBA included a Fair Credit Reporting Act savings 
clause and therefore their sale of Social Security Numbers was legal. 
As the FTC explains in the preamble to its Gramm-Leach-Bliley Financial 
Privacy Rule:

          The Commission recognizes that Sec. 313.15(a)(5) permits the 
        continuation of the traditional consumer reporting business, 
        whereby financial institutions report information about their 
        consumers to the consumer reporting agencies and the consumer 
        reporting agencies, in turn, disclose that information in the 
        form of consumer reports to those who have a permissible 
        purpose to obtain them. Despite a contrary position expressed 
        by some commenters, this exception does not allow consumer 
        reporting agencies to redisclose the nonpublic personal 
        information it receives from financial institutions other than 
        in the form of a consumer report. Therefore, the exception does 
        not operate to allow the disclosure of credit header 
        information to individual reference services, direct marketers, 
        or any other party that does not have a permissible purpose to 
        obtain that information as part of a consumer report. 
        Disclosure by a consumer reporting agency of the nonpublic 
        personal information it receives from a financial institution 
        pursuant to the exception, other than in the form of a consumer 
        report, is governed by the limitations on reuse and 
        redisclosure in Sec. 313.11, discussed above in ``Limits on 
        reuse.'' Those limitations do not permit consumer reporting 
        agencies to disclose credit header information that they 
        received from financial institutions to nonaffiliated third 
        parties. . . . If consumer reporting agencies 
        receive credit header information from financial institutions 
        outside of an 
        exception, the limitations on reuse and redisclosure may allow 
        them to continue to sell that information. This could occur if 
        the originating financial institutions disclose in their 
        privacy policies that they share consumers' nonpublic personal 
        information with consumer reporting agencies, and provide 
        consumers with the opportunity to opt-out. [Emphasis added, 
        Footnotes omitted.] \15\
---------------------------------------------------------------------------
    \15\ Excerpted from pages 80-83, Federal Trade Commission, 16 CFR 
Part 313, Privacy Of Consumer Financial Information, Final Rule, http:/
/www.ftc.gov/os/2000/05/glb000512.pdf.

    There is a slight chance that credit bureaus will eventually 
convince financial institutions to provide notice of their sharing of 
Social Security Numbers, triggering the right to share Social Security 
Numbers for consumers who do not opt-out. So, the Congress should act 
to close the credit header loophole completely. Several House bills and 
a Senate bill, S. 1014, sponsored by Senator Bunning of the Banking 
Committee (although the bill has been referred to the Finance 
Committee) would completely close the credit header loophole and take 
other steps to improve Social Security Number privacy.
    In the 106th Congress, legislation named for the first-known victim 
of an Internet stalker was defeated after it was seen that the proposal 
actually was a Trojan Horse that expanded the availability of Social 
Security Numbers to customers of the Individual References Services 
Group (IRSG). IRSG member companies included credit companies and other 
information firms engaged in the sale of nonpublic personal information 
to information brokers, private detectives, and others.\16\ The IRSG 
was established as a supposed self-regulatory organization and received 
a tacit endorsement from the Federal Trade Commission \17\ for its 
efforts to police its industry. The association reportedly has 
dissolved following its unsuccessful attempts to overturn the GLBA 
regulations.
---------------------------------------------------------------------------
    \16\ See the U.S. PIRG Fact Sheet, ``Why The Amy Boyer Law Is A 
Trojan Horse'' at http://www.pirg.org/consumer/trojanhorseboyer.pdf.
    \17\ See for example, Testimony of FTC Commissioner Mozelle 
Thompson before the House Banking Committee, 28 July 1998, http://
www.ftc.gov/os/1998/9807/pretexttes.htm.

    (2) Title V required covered firms to provide, by July 2001, annual 
notice of their information-sharing practices with both affiliated and 
---------------------------------------------------------------------------
nonaffiliated third parties.

    Status: The core of the GLBA privacy scheme is limited to notice. 
Industry lobbyists will falsely portray their distribution of billions 
of privacy notices as successful privacy protection. Notice is not 
enough to protect privacy. Data collectors should adhere to a broader 
set of Fair Information Practices (discussed below). Worse, the first 
year's privacy notices were unreadable; this year's no better. Although 
notice is not enough to protect privacy, covered firms should do a 
better job of providing notice and regulators should penalize those 
that do not.
    The notices provided by banks, securities firms, and other covered 
institutions have been widely panned by a variety of experts for their 
inscrutable, dense language. While the banks and others have complained 
that the law required such detail, we respectfully disagree that the 
law required banks to confuse customers. Mark Hochhauser, readability 
consultant to the Privacy Rights Clearinghouse, analyzed dozens of the 
initial notices: ``Readability analyses of 60 financial privacy notices 
found that they are written at a 3rd- 4th year college reading level, 
instead of the junior high school level that is recommended for 
materials written for the general public.'' \18\
---------------------------------------------------------------------------
    \18\ See ``Lost in the Fine Print: Readability of Financial Privacy 
Notices'' by Mark Hochhauser at http://www.privacyrights.org/ar/GLB-
Reading.htm.
---------------------------------------------------------------------------
    In response, a number of consumer and privacy groups formed a 
coalition to petition the financial regulatory agencies to strengthen 
the notices using existing authority. Apparently in response to the 
petition of 26 July 2001 and other complaints, the agencies held a 
workshop in December 2001. We are unaware of significant improvement to 
the notices in 2002. According to the petition filed by the consortium 
of consumer and privacy groups:

          In passing Sec. Sec. 501-510 of the GLBA, Congress gave 
        consumers the right to prevent financial institutions from 
        transferring their personal financial information to third 
        parties. To that end, the Act requires the institutions to 
        notify customers of the right to opt-out and to provide 
        convenient means of exercising it. However, in notices mailed 
        out thus far, most financial institutions have employed dense, 
        misleading statements and confusing, cumbersome procedures to 
        prevent consumers from opting out. Such notices evince a clear 
        failure of the Act's implementing regulations to effectuate 
        Congressional intent. Accordingly, we ask the Agencies to 
        revise the regulations and require that financial institutions 
        provide understandable notices and convenient opt-out 
        mechanisms.\19\
---------------------------------------------------------------------------
    \19\ The petition is available at http://www.privacyrightsnow.com/
glbpetition.pdf. See the website http://www.privacyrightsnow.com for 
additional information about the coalition.
---------------------------------------------------------------------------
    According to a smaller August 2002 California PIRG survey \20\ of 
10 bank privacy notices issued in the second year, 2002: ``Most banks 
received a failing grade and the best received a ``C-.''
---------------------------------------------------------------------------
    \20\ See the CALPIRG report Privacy Denied: A Survey Of Bank 
Privacy Policies, 15 August 2002, http://calpirg.org/
CA.asp?id2=7606&id3=CA&.
---------------------------------------------------------------------------
    As for the notion that no company would seek to make notices 
confusing on purpose, so consumers would fail to take advantage of an 
opt-out right, we would encourage the Committee to review a recent 
Federal court decision. The U.S. District court decision in the case 
Darcy Ting et al vs. AT&T describes how the long-distance carrier AT&T 
may have used consultants to help it write legal notices to its 
customers in such a way that the consumers would view an amendment to 
their customer service agreement (CSA) as a ``nonevent'' and not either 
``opt-out'' of the change or, worse, ``defect'' to another carrier. The 
key provision reduced legal remedies (by requiring mandatory 
arbitration). From the district court ruling:

          22. AT&T conducted market research to assist it in developing 
        the contract documents. One part of AT&T's research, the 
        Quantitative Study, included the following key findings and 
        recommendations: In the letter it should be made clear that 
        this agreement is being sent for informational purposes only. 
        The fact that no action is required on the part of the customer 
        needs to be made. (sic) . . .

          23. Another part of AT&T's research, the Qualitative Study, 
        concluded that after reading the bolded text in the cover 
        letter which States ``[p]lease be assured that your AT&T 
        service or billing will not change under the AT&T Consumer 
        Services Agreement; there is nothing you need to do,'' ``[a]t 
        this point most would stop reading and discard the letter.'' 
        [Emphasis in original.] . . .

        . . . 24. . . . While presenting the CSA as a nonevent may have 
        helped AT&T retain its customers, it also made customers less 
        alert to the fact that they were being asked to give up 
        important legal rights and remedies.

                   (U.S. District court decision, Darcy Ting et al vs. 
AT&T \21\)
---------------------------------------------------------------------------
    \21\ See especially paragraphs 21-24 of U.S. District Judge Bernard 
Zimmerman's 15 January 2002 opinion in Darcy Ting et al vs. AT&T (Case 
01-02969BZ, Northern District of California). Now on appeal to the 9th 
Circuit Court of Appeals.

    (3) Title V required covered firms to provide in that notice an 
extremely limited statutory consumer right to opt-out (affirmatively 
act to say no) to the sharing of information with some, but not all, 
nonaffiliated third parties. Transactions between affiliates and also 
with many nonaffiliated third parties engaged in joint marketing 
contracts with an affiliate could continue regardless of whether or not 
---------------------------------------------------------------------------
a customer had chosen to ``opt-out.''

    Status: Notice is not enough, nor is the limited opt-out, to 
satisfy the Fair Information Practices. The vast majority of all 
information-sharing with both affiliates and many third parties is only 
covering by notice, not by this limited opt-out ``right.'' The 
provision is inadequate and fails to even rein in the practices of the 
telemarketers it is narrowly targeted at (see (4) below). The partial 
opt-out should be replaced by an across-the-board affirmative consent 
(opt-in) provision for all affiliate and third-party information-
sharing.
    The failure of the GLBA to require any form of consumer consent for 
the vast majority of information-sharing transactions affected is one 
example of how GLBA fails to meet the Fair Information Practices.
    Ideally, consumer groups believe that all privacy legislation 
enacted by either the States or the Congress should be based on Fair 
Information Practices, which were originally proposed by a Health, 
Education, and Welfare (HEW) task force and then embodied into the 1974 
Privacy Act and into the 1980 Organization for Economic Cooperation and 
Development (OECD) guidelines. The 1974 Privacy Act applies to 
Government uses of information.\22\ Consumer and privacy groups 
generally view the following as among the key elements of Fair 
Information Practices:
---------------------------------------------------------------------------
    \22\ As originally outlined by a Health, Education, and Welfare 
(HEW) task force in 1973, then codified in U.S. statutory law in the 
1974 Privacy Act and articulated internationally in the 1980 
Organization of Economic Cooperation and Development (OECD) Guidelines, 
information use should be subject to Fair Information Practices. Noted 
privacy expert Beth Givens of the Privacy Rights Clearinghouse has 
compiled an excellent review of the development of FIP's, ``A Review of 
the Fair Information Principles: The Foundation of Privacy Public 
Policy.'' October 1997. http://www.privacyrights.org/AR/fairinfo.html. 
The document cites the version of FIP's in the original HEW guidelines, 
as well as other versions.

    1) Collection Limitation Principle: There should be limits to the 
collection of personal data and any such data should be obtained by 
lawful and fair means and, where appropriate, with the knowledge or 
---------------------------------------------------------------------------
consent of the data subject.

    2) Data Quality Principle: Personal data should be relevant to the 
purposes for which they are to be used, and, to the extent necessary 
for those purposes, should be accurate, complete. and kept up-to-date.

    3) Purpose Specification Principle: The purposes for which personal 
data are collected should be specified not later than at the time of 
data collection and the subsequent use limited to the fulfillment of 
those purposes or such others as are not incompatible with those 
purposes and as are specified on each occasion of change of purpose.

    4) Use Limitation Principle: Personal data should not be disclosed, 
made available, or otherwise used for purposes other than those 
specified in accordance with the Purpose Specification Principle 
except: a) with the consent of the data subject; or b) by the authority 
of law.

    5) Security Safeguards Principle: Personal data should be protected 
by reasonable security safeguards against such risks as loss or 
unauthorized access, destruction, use, modification, or disclosure of 
data.

    6) Openness Principle: There should be a general policy of openness 
about developments, practices, and policies with respect to personal 
data. Means should be readily available of establishing the existence 
and nature of personal data, and the main purposes of their use, as 
well as the identity and usual residence of the data controller.

    7) Individual Participation Principle: An individual should have 
the right: a) to obtain from a data controller, or otherwise, 
confirmation of whether or not the data controller has data relating to 
him; b) to have communicated to him, data relating to him within a 
reasonable time; at a charge, if any, that is not excessive; in a 
reasonable manner; and in a form that is readily intelligible to him; 
c) to be given reasons if a request made under subparagraphs (a) and 
(b) is denied, and to be able to challenge such denial; and d) to 
challenge data relating to him and, if the challenge is successful to 
have the data erased, rectified, completed or amended.

    8) Accountability Principle: A data controller should be 
accountable for complying with measures which give effect to the 
principles stated above.\23\
---------------------------------------------------------------------------
    \23\ Organization for Economic Cooperation and Development, Council 
Recommendations Concerning Guidelines Governing the Protection of 
Privacy and Transborder Flows of Personal Data, 20 I.L.M. 422 (1981), 
O.E.C.D. Doc. C (80) 58 (Final) (October 1, 1980), at http://
www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM as quoted in Gellman, 
``Privacy, Consumers, and Costs: How The Lack of Privacy Costs 
Consumers and Why Business Studies of Privacy Costs are Biased and 
Incomplete,'' March 2002, http://www.epic.org/reports/dmfprivacy.html 
or http://www.cdt.org/publications/dmfprivacy.pdf.

    Consumer groups disagree with industry organizations over whether 
certain self-regulatory or statutory schemes are adequately based on 
Fair Information Practices. Industry groups often seek to block 
legislation or offer substitute legislation intended to ``dumb-down'' 
---------------------------------------------------------------------------
the Fair Information Practices, as they were able to do with the GLBA.

 First, industry groups seek to substitute a weaker opt-out 
    choice, instead of providing opt-in consent before secondary uses,

 Second, industry groups claim that notice is enough. They 
    claim that the right of review and correction are unnecessary.

 Third, they contend that either agency enforcement or self-
    regulation is an adequate substitute for a consumer private right 
    of action (also missing from GLBA).

    Privacy advocates and other consumer groups believe that consumers 
should provide consent for all information-sharing circumstances--by 
and among both affiliates and third parties. Second, that protection 
should be on an opt-in basis since it gives consumers control.
How The Gramm-Leach-Bliley Act Falls Short of the
Fair Information Practices:
    First, it fails to require any form of consent (either opt-in or 
opt-out) for most forms of information-sharing for secondary purposes, 
including experience and transaction information shared between and 
among either affiliates or affiliated third parties.
    Second, while consumers generally have access to and dispute rights 
over their account statements, they have no knowledge of, let alone 
rights to review or dispute, the development of detailed profiles on 
them created by financial institutions.
    The Act does provide for disclosure of privacy policies, although a 
review of a sample of privacy policies suggests that companies are not 
following the spirit of GLBA. See (3). None are fully explaining all 
their uses of information, including the development of consumer 
profiles for marketing purposes. None are listing all the types of 
affiliates that they might share information with. None are describing 
the specific products, most of which are of minimal or even negative 
value to consumers, that third-party telemarketers might offer for sale 
to consumers who fail to opt-out. Yet all the privacy policies make a 
point of describing how consumers who elect to opt-out will give up 
``beneficial'' opportunities.

    (4) Title V attempted, through an encryption provision, to restrict 
the tawdry practice of nonaffiliated telemarketers obtaining credit 
card numbers from banks, then signing consumers up for expensive 
``membership clubs'' and billing them when the consumer failed to 
affirmatively cancel within 30 days.

    Status: As Attorneys General Hatch of Minnesota and Sorrell of 
Vermont have testified today, the telemarketers continue to find 
loopholes enabling them to bill 
consumers for products the consumer never ordered, using credit card 
numbers 
provided by the consumer's bank, not by the consumer. Consumers do not 
think 
they ordered anything, when they do not hand over cash, a check, or a 
credit card 
number. Unfortunately, the encryption provision has codified, instead 
of stopped, 
the growing epidemic of anticonsumer, controversial ``preacquired 
account telemarketing.''
    In December 2000, the Minnesota Attorney General filed a new suit 
against Fleet Mortgage, an affiliate of FleetBoston, for substantially 
the same types of violations as U.S. Bank engaged in. That complaint 
was settled in June. The State's complaint explains the problem with 
sharing confidential account information with third-party 
telemarketers. The complaint states that when companies obtain a credit 
card number in advance, consumers lose control over the deal:

          Other than a cash purchase, providing a signed instrument or 
        a credit card account number is a readily recognizable means 
        for a consumer to signal assent to a telemarketing deal. 
        Preacquired account telemarketing removes these short-hand 
        methods for the consumer to control when he or she has agreed 
        to a purchase. The telemarketer with a preacquired account 
        turns this process on its head. Fleet not only provides its 
        telemarketing partners with the ability to charge the Fleet 
        customer's mortgage account, but also Fleet allows the 
        telemarketing partner to decide whether the consumer actually 
        consented. For many consumers, withholding their credit card 
        account number or signature from the telemarketer is their 
        ultimate defense against unwanted charges from telemarketing 
        calls. Fleet's sales practices remove this defense.\24\
---------------------------------------------------------------------------
    \24\ 28 December 2000, Complaint of State of Minnesota vs. Fleet 
Mortgage, see http://www. ag.state.mn.us/consumer/news/pr/
Comp_Fleet_122800.html.

    This complaint alleged that the company was providing account 
numbers to the telemarketer. In our view, either Gramm-Leach-Bliley or 
the FTC Telemarketing Sales Rule needs to be amended so that 
telemarketers cannot initiate the billing of a consumer who has not 
affirmatively provided his or her credit card or other account number. 
Whether this case stems from pre-Gramm-Leach-Bliley acquisition of full 
account numbers, or post-Gramm-Leach-Bliley encrypted numbers or 
authorization codes, is not the question. In either case, consumers 
have lost control over their accounts.
    How do the credit card companies and the telemarketers respond to 
consumer complaints? Data from consumer complaints to U.S. PIRG and to 
the FTC and the legal complaints and accompanying materials of the 
State of Minnesota all show the following pattern: Consumers who call 
their credit card company to complain about their bills are transferred 
to the telemarketer, whose agents were trained to continue to try to 
confuse the consumer. The telemarketer then claims that the consumer 
assented to the confusing trial offer by giving their ``date of birth'' 
or some other piece of information (but not, of course, a credit card 
number, let alone an ``expiration date.''). Sometimes the telemarketer 
would play a piece of recorded tape from the call where the consumer 
had provided a date of birth--arguing that providing your date of birth 
was proof that the consumer had agreed to the transaction. This 
response to complaints made about unauthorized charges was designed to 
convince consumers to ``eat'' the charge.
    Providing a date of birth in response to a trick question is not 
providing a credit card number to order a product. Preacquired account 
telemarketing should be banned. We are encouraged that the proposed FTC 
amendments to the Telemarketing Sales Rule would ban preacquired 
account telemarketing.\25\
---------------------------------------------------------------------------
    \25\ See 67 FR 4492 available at http://www.ftc.gov/os/2002/01/
16cfr310.pdf.
---------------------------------------------------------------------------
    No bank--indeed, no firm--should be allowed to earn commissions 
from companies (whether affiliated, joint marketing partners, or third-
party telemarketers) that bill consumers for products they do not want 
and have not ordered, through the scheme known as ``preacquired account 
telemarketing,'' which eliminates a consumer's fundamental control over 
her purchase decisions by allowing the consumer's bank to make purchase 
decisions for her and bill her credit card without her knowledge or 
consent.

    (5) Finally, recognizing that it hadn't really completed the job of 
protecting privacy adequately, the Congress--in an extremely rare 
departure from its normal policy of preempting State action--explicitly 
included a fail-safe provision allowing States to enforce existing and 
enact new stronger financial privacy laws.

    Status: The States' rights fail-safe is the most important, and 
most successful, privacy protection in GLBA. We commend the Chairman 
for his sponsorship of the provision added in conference committee 
known as the ``Sarbanes Amendment.'' States have been very active and 
although not all have yet been successful, we believe that there is a 
good chance that passage of strong new privacy laws in a few more 
States will provide Congress with the encouragement it needs to raise 
the bar nationally.
    Our organizations and others, including, as State Representative 
Jim Kasper reports today, the grassroots-based Protect Our Privacy 
coalition in North Dakota, have fought to enact stronger privacy 
protections in State law. While we have faced significant opposition 
from vested financial interests, we strongly believe that the fail-safe 
States' rights' provision of Title V is its most important provision.
    Five States have some form of ``opt-in'' financial privacy 
provisions: Alaska, Connecticut, Illinois, Maryland, and Vermont. Each 
has laws applying to different aspects of financial information. In 
three States, legislative repeals of stronger pre-GLBA legislation 
occurred in 2000-2001: North Dakota, Maine, and Florida. However, in 
June 2002, North Dakota citizens reversed that State's repeal action on 
a 73 percent-27 percent ballot referendum vote.\26\ The result of the 
referendum was reinstatement of the previous opt-in based law. Vermont 
is the only State that has a law that specifically regulates affiliate-
sharing.\27\ The State of Vermont is also vigorously defending a 
lawsuit by insurance associations seeking to overturn its financial 
privacy laws.
---------------------------------------------------------------------------
    \26\ See the website of the North Dakota grassroots group that beat 
the banks 73 percent-27 percent in a June referendum on financial 
privacy at http://www.protectourprivacy.net.
    \27\ Comments of 44 Attorneys General to Federal Trade Commission 
Regarding GLB Notices. February 15, 2002 (available at www.naag.org).
---------------------------------------------------------------------------
    Consumers Union, Privacy Rights Clearinghouse, California PIRG, and 
other groups have been strong supporters of proposed California 
legislation by State Senator Jackie Speier. As originally introduced, 
SB 773 \28\ would have required that all information-sharing, whether 
by and between affiliates or with third parties, would require opt-in 
consent. In its final form, although still defeated in the State 
assembly last month, the bill would have required an opt-out for all 
sharing between 
either affiliates or nonaffiliated joint marketing partners (no consent 
protection under Federal law) and required an opt-in for sharing with 
other third parties (opt-out under current Federal law).
---------------------------------------------------------------------------
    \28\ See legislative history of SB 773 at http://
www.leginfo.ca.gov/cgi-bin/postquery?bill_ 
number=sb_773&sess=CUR&house=B&author=speier.
---------------------------------------------------------------------------
    Passage of SB 773, even in its weakened form, would have granted 
California consumers vastly improved financial privacy rights over 
current law.
    In our view, passage of such a strong bill in such a large State 
would have had a very good chance to lead to similar Federal 
legislation, vindicating the fail-safe States' rights model adopted by 
GLBA. The success of the citizens of North Dakota and the near success 
of the California legislature in enacting the Speier bill, despite an 
overwhelming campaign by the industry, strongly suggest that the 
States' rights provision of Title V has been successful and should be 
continued.
    We are also encouraged that extant preemption provisions in the 
Fair Credit Reporting Act (15 USC 1681 et seq.) expire on 1 January 
2004. At that time, States will be free to experiment with 
strengthening both of the core laws protecting their financial 
privacy--FCRA and GLBA. Uncertainty over the relationship between the 
FCRA's preemption provisions and GLBA's FCRA savings clause regarding 
affiliate sharing has helped the financial industry to successfully 
oppose State laws seeking to further regulate financial privacy. When 
that FCRA preemption provision expires, there will be greater clarity 
for legislators about States' rights to regulate affiliated 
transactions.
Recommendations
(1) Strengthen GLBA
    Gramm-Leach-Bliley Act should be strengthened. Consumers should be 
granted an affirmative informed consent right (opt-in) before nonpublic 
personal information is shared with either affiliates or third parties.
    Providing informed consent and providing notice are only two of a 
set of Fair Information Practices that give consumers control over the 
use of their confidential information. Protection of privacy requires 
data collectors to adhere to all of the Fair Information Practices. 
Efforts by industry groups to ``dumb-down'' the Fair Information 
Practices should be resisted.
(2) Resist Efforts to Eliminate States' Right to Enact Stronger Laws
    Congress should resist efforts by industry lobbies to eliminate the 
right of States to pass stronger financial privacy laws. Congress 
should also reject proposed Federal legislation (H.R. 3068) and similar 
amendments to place a moratorium on stronger financial privacy laws.
    In addition, Congress should reject the specious claims of some 
financial industry lobbyists that strong State privacy laws deter 
homeland security. According to a February 2002, Associated Press 
story:

          The banking industry is reaching out to Homeland Security 
        Director Tom Ridge and lawmakers in search of Federal help to 
        block State consumer privacy laws that bankers argue will 
        hinder their efforts to spot terrorists. Industry lobbyists 
        have been arguing that State laws that prohibit banks from 
        sharing consumer information without permission might preclude 
        them from alerting law enforcement to potential crimes. ``We 
        would have trouble communicating with law enforcement . . . and 
        it would be extremely chaotic. We need a uniform privacy 
        standard,'' said David Liddle of the Financial Services 
        Roundtable, an industry lobby. . . .'' \29\
---------------------------------------------------------------------------
    \29\ See ``Banks Seek to Block State Privacy Laws,'' 19 February 
2002, Sharon Thiemer, Associated Press.

    As far as we know, Director Tom Ridge has not dignified these 
requests with any comment.
(3) Reject Claims That Costs of Privacy Are Too High
    We urge the Congress to reject industry claims that privacy's costs 
are too high and its benefits too low. We have reviewed a number of 
presumably industry-funded studies purporting to make this claim and 
find their methodology lacking. We refer the Committee to an alternate 
study, by an independent consultant, which critiques the industry 
studies and points out numerous benefits of privacy as well as the 
costs of insufficient privacy protection. As Robert Gellman points out:

          The cost of privacy is a legitimate issue, but the studies 
        and the conclusions drawn from them have serious flaws. . . . 
        In fact, the costs incurred by both business and individuals 
        due to incomplete or insufficient privacy protections reach 
        tens of billions of dollars every year. [Emphasis added.] \30\
---------------------------------------------------------------------------
    \30\ See Gellman, ``Privacy, Consumers, and Costs: How The Lack of 
Privacy Costs Consumers and Why Business Studies of Privacy Costs are 
Biased and Incomplete,'' March 2002, http://www.epic.org/reports/
dmfprivacy.html or http://www.cdt.org/publications/dmfprivacy.pdf.
---------------------------------------------------------------------------
Conclusion
    Thank you for the opportunity to provide our views before the 
Committee today on the important matter of financial privacy. You, Mr. 
Chairman, and other Committee Members, especially Senator Shelby and 
Senator Dodd, Senate Co-Chairs of the Bi-Partisan Congressional Privacy 
Caucus, should be commended for your leadership on financial privacy. 
We look forward to working with you to strengthen consumer privacy 
rights.
