b"<html>\n<title> - PERSONAL INFORMATION ACQUIRED BY THE GOVERNMENT FROM INFORMATION RESELLERS: IS THERE NEED FOR IMPROVEMENT?</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n   PERSONAL INFORMATION ACQUIRED BY THE GOVERNMENT FROM INFORMATION \n               RESELLERS: IS THERE NEED FOR IMPROVEMENT?\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                   COMMERCIAL AND ADMINISTRATIVE LAW\n\n                                AND THE\n\n                    SUBCOMMITTEE ON THE CONSTITUTION\n\n                                 OF THE\n\n                       COMMITTEE ON THE JUDICIARY\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             APRIL 4, 2006\n\n                               __________\n\n                           Serial No. 109-98\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n\n      Available via the World Wide Web: http://judiciary.house.gov\n\n                                 _____\n\n                     U.S. GOVERNMENT PRINTING OFFICE\n                             WASHINGTON: 2006        \n\n26-912 PDF\n\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n\n\n                       COMMITTEE ON THE JUDICIARY\n\n            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman\nHENRY J. HYDE, Illinois              JOHN CONYERS, Jr., Michigan\nHOWARD COBLE, North Carolina         HOWARD L. 
BERMAN, California\nLAMAR SMITH, Texas                   RICK BOUCHER, Virginia\nELTON GALLEGLY, California           JERROLD NADLER, New York\nBOB GOODLATTE, Virginia              ROBERT C. SCOTT, Virginia\nSTEVE CHABOT, Ohio                   MELVIN L. WATT, North Carolina\nDANIEL E. LUNGREN, California        ZOE LOFGREN, California\nWILLIAM L. JENKINS, Tennessee        SHEILA JACKSON LEE, Texas\nCHRIS CANNON, Utah                   MAXINE WATERS, California\nSPENCER BACHUS, Alabama              MARTIN T. MEEHAN, Massachusetts\nBOB INGLIS, South Carolina           WILLIAM D. DELAHUNT, Massachusetts\nJOHN N. HOSTETTLER, Indiana          ROBERT WEXLER, Florida\nMARK GREEN, Wisconsin                ANTHONY D. WEINER, New York\nRIC KELLER, Florida                  ADAM B. SCHIFF, California\nDARRELL ISSA, California             LINDA T. SANCHEZ, California\nJEFF FLAKE, Arizona                  CHRIS VAN HOLLEN, Maryland\nMIKE PENCE, Indiana                  DEBBIE WASSERMAN SCHULTZ, Florida\nJ. RANDY FORBES, Virginia\nSTEVE KING, Iowa\nTOM FEENEY, Florida\nTRENT FRANKS, Arizona\nLOUIE GOHMERT, Texas\n\n             Philip G. Kiko, Chief of Staff-General Counsel\n               Perry H. Apelbaum, Minority Chief Counsel\n                                 ------                                \n\n           Subcommittee on Commercial and Administrative Law\n\n                      CHRIS CANNON, Utah Chairman\n\nHOWARD COBLE, North Carolina         MELVIN L. WATT, North Carolina\nTRENT FRANKS, Arizona                WILLIAM D. DELAHUNT, Massachusetts\nSTEVE CHABOT, Ohio                   CHRIS VAN HOLLEN, Maryland\nMARK GREEN, Wisconsin                JERROLD NADLER, New York\nRANDY J. FORBES, Virginia            DEBBIE WASSERMAN SCHULTZ, Florida\nLOUIE GOHMERT, Texas\n\n                  Raymond V. Smietanka, Chief Counsel\n\n                        Susan A. 
Jensen, Counsel\n\n                        Brenda Hankins, Counsel\n\n                   Mike Lenn, Full Committee Counsel\n\n                   Stephanie Moore, Minority Counsel\n                    Subcommittee on the Constitution\n\n                      STEVE CHABOT, Ohio, Chairman\nTRENT FRANKS, Arizona                JERROLD NADLER, New York\nWILLIAM L. JENKINS, Tennessee        JOHN CONYERS, Jr., Michigan\nSPENCER BACHUS, Alabama              ROBERT C. SCOTT, Virginia\nJOHN N. HOSTETTLER, Indiana          MELVIN L. WATT, North Carolina\nMARK GREEN, Wisconsin                CHRIS VAN HOLLEN, Maryland\nSTEVE KING, Iowa\nTOM FEENEY, Florida\n\n                     Paul B. Taylor, Chief Counsel\n                      E. Stewart Jeffries, Counsel\n                          Hilary Funk, Counsel\n                 Kimberly Betz, Full Committee Counsel\n           David Lachmann, Minority Professional Staff Member\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                             APRIL 4, 2006\n\n                           OPENING STATEMENT\n\n                                                                   Page\nThe Honorable Chris Cannon, a Representative in Congress from the \n  State of Utah, and Chairman, Subcommittee on Commercial and \n  Administrative Law.............................................     1\nThe Honorable Melvin L. Watt, a Representative in Congress from \n  the State of North Carolina, and Ranking Member, Subcommittee \n  on Commercial and Administrative Law...........................     2\nThe Honorable Steve Chabot, a Representative in Congress from the \n  State of Ohio, and Chairman, Subcommittee on the Constitution..     3\nThe Honorable Jerrold Nadler, a Representative in Congress from \n  the State of New York, and Ranking Member, Subcommittee on the \n  Constitution...................................................     
4\n\n                               WITNESSES\n\nMs. Linda D. Koontz, Director, Information Management Issues, \n  U.S. Government Accountability Office\n  Oral Testimony.................................................     7\n  Prepared Statement.............................................    10\nMs. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department \n  of Homeland Security\n  Oral Testimony.................................................    44\n  Prepared Statement.............................................    45\nMr. Peter Swire, William O'Neill Professor of Law, Moritz College \n  of Law of the Ohio State University, Visiting Senior Fellow, \n  Center for American Progress\n  Oral Testimony.................................................    48\n  Prepared Statement.............................................    51\nMr. Stuart K. Pratt, President and Chief Executive Officer, \n  Consumer Data Industry Association\n  Oral Testimony.................................................    61\n  Prepared Statement.............................................    63\n\n                                APPENDIX\n               Material Submitted for the Hearing Record\n\nAdditional Material for the Record submitted by Linda D. Koontz, \n  Director, Information Management Issues, U.S. Government \n  Accountability Office..........................................    
86\n\n \n   PERSONAL INFORMATION ACQUIRED BY THE GOVERNMENT FROM INFORMATION \n               RESELLERS: IS THERE NEED FOR IMPROVEMENT?\n\n                              ----------                              \n\n\n                         TUESDAY, APRIL 4, 2006\n\n                  House of Representatives,\n                         Subcommittee on Commercial\n                            and Administrative Law,\n                                Committee on the Judiciary,\n                                                    Washington, DC.\n    The Subcommittees met, pursuant to call, at 12:03 p.m., in \nRoom 2138 Rayburn House Office Building, the Honorable Chris \nCannon (Chairman of the Subcommittee on Commercial and \nAdministrative Law) presiding.\n    Mr. Cannon. I think we will get started here. The hearing \nwill be called to order.\n    As many of you know, the protection of personal information \nin the hands of the Federal Government has long been a top \npriority for my Subcommittee, the Subcommittee on Commercial \nand Administrative Law, and Chairman Chabot's Subcommittee, the \nConstitution Subcommittee. Both of our Subcommittees have \nplayed a major role in respect to protecting personal privacy \nand civil liberties under the leadership and guidance of Jim \nSensenbrenner, Chairman of the Judiciary Committee.\n    In this post-September 11th world, however, it is no easy \ntask to balance the competing goals of keeping our Nation \nsecure while at the same time protecting the privacy of our \nNation's citizens. Nevertheless, I believe that our respective \nSubcommittees and the Judiciary Committee are uniquely and best \nsuited to study and resolve these issues.\n    Our accomplishments to date include the establishment of \nthe first statutorily-created Privacy Office in a Federal \nagency, namely the Department of Homeland Security. That office \nhas since earned plaudits from both the public and private \nsectors. 
Based on the successes of that office, we also \nspearheaded the creation of a similar function in the Justice \nDepartment, which was signed into law in January of this year.\n    In addition, both my Subcommittee and the Constitution \nSubcommittee have considered the support of legislation \nrequiring a Federal agency to prepare a privacy impact analysis \nfor proposed and final rules and to include this analysis in \nthe Notice for Public Comment issued in conjunction with the \npublication of such rules.\n    Today's hearing focuses on the respective roles that the \nFederal Government and information resellers have with respect \nto personal information collected in commercial databases. As \nthe hearing title denotes, we approach this subject with an \nopen mind and willingness to understand the factors and nuances \nconcerning how Federal agencies and those in the private sector \nsafeguard personal information that they obtain from us.\n    As technological developments increasingly facilitate the \ncollection, use, and dissemination of personally identifiable \ninformation, the potential for misuse of such information \nescalates. Five years ago, the GAO warned: ``our Nation has an \nincreasing ability to accumulate, store, retrieve, cross-\nreference, analyze, and link vast numbers of electronic records \nin an ever-faster and more cost-efficient manner. These \nadvances bring substantial Federal information benefits as well \nas increasing responsibilities and concerns.'' Given the \nlargely unfettered use of Social Security numbers and the \navailability of other personally identifiable information, \nidentity theft has swiftly evolved into one of the most \nprolific crimes in the United States. According to the Federal \nTrade Commission, identity theft topped the list of consumer \ncomplaints filed with the Agency in 2005. 
The FTC estimates \nthat 10 million consumers were victims of some form of identity \ntheft in 2003.\n    As a result of this crime, American businesses suffered an \nestimated $48 billion in losses, while consumers incurred an \nadditional $5 billion in out-of-pocket losses. Just this week, \nthe Justice Department announced that nearly 4 million \nhouseholds, about 3 percent of all households in the Nation, \nlearned that they had been identity theft victims. Just last \nweek, I got a credit card in the mail with a little note saying \nthat my account had been viewed as one that might be subject to \nidentity theft, and so I have a new card with a new number. I \nhadn't memorized the old one, so it was not much of an \ninconvenience. But it is a broad problem.\n    Unfortunately, we continue to receive reports from GAO \nfinding shortcomings in how Federal agencies safeguard personal \ninformation, and the private sector's vulnerability was \nhighlighted by the many high-profile databases that have \noccurred in recent years. Questions have also been posed about \nthe accuracy of some of the data maintained in these commercial \ndatabases. It is against this complex but exceedingly \ninteresting backdrop that we are holding this hearing today.\n    I would now like to turn to my colleague Mr. Watt, the \ndistinguished Ranking Member of my Subcommittee, and ask him if \nhe has any opening remarks.\n    Mr. Watt. Thank you, Mr. Chairman. I will be brief.\n    Let me commend Chairman Sensenbrenner and Ranking Member \nConyers and Mr. Chabot and Mr. Nadler for taking steps to get \nthe GAO to conduct this investigation and produce this report. \nIt is clear that privacy issues that confront our country as a \nresult of extraordinary technological advances are significant \nand that the ramifications of how we treat the privacy of \npersonally identifiable information is heightened in the post-\n9/11 world. 
I say this as a member of both the Financial \nServices and Judiciary Committees, and have heard testimony \nfrom numerous witnesses on the enhanced concerns about the \nGovernment's acquisition, maintenance, and dissemination of \npersonal information and the opportunity for identity theft \ncreated by the massive data mining of this information.\n    One of the main recommendations of the 9/11 Commission was \nthe establishment of a Governmentwide watchdog to safeguard \ncivil liberties. The Commission found that currently, ``there \nis no office within the Government whose job it is to look \nacross the Government at the actions we are taking to protect \nourselves and to ensure that liberty concerns are appropriately \nconsidered.''\n    We have tried to get that recommendation passed, without \nany success up to this point, and I think the need for that \nkind of oversight body is continuing to grow and we need to do \nthat.\n    I am looking forward to the testimony of the witnesses. And \nwith that, Mr. Chairman, I will yield back the balance of my \ntime.\n    Mr. Cannon. The gentleman yields back. Thank you.\n    Now I would like to turn to my colleague Mr. Chabot, the \ndistinguished chair of the Constitution Subcommittee, and ask \nhim if he has any opening remarks.\n    Mr. Chabot. Yes, I do. Thank you, Mr. Chairman.\n    Mr. Cannon. The gentleman is recognized for 5 minutes.\n    Mr. Chabot. First I would like to thank you for holding \nthis hearing and thank all our witnesses for assisting us in \nour examination of issues related to the security and privacy \nof our personal information.\n    Security breaches reported in the media last year involving \nthe unauthorized access to and theft of personal information \nhighlighted an emerging area of concern to all of us, that \nbeing the treatment of our personal information as just another \ncommodity. 
Our concerns are well-founded, as recent statistics \nreleased by the Department of Justice reveal that identity \ntheft affected 3.6 million households across the Nation and \ncost our economy $3.2 billion during the first half of 2004 \nalone.\n    The security breaches also raise questions with regard to \nthe Federal Government's reliance on and contributions to the \nuse of personal information. Questions raised include: Are \nFederal agencies collecting information on us? What information \nis being collected? Where is the information going and where \nwill it eventually end up? What Federal laws guide collection \nactivities? And most importantly, how, as individuals affected \nby these collection activities, can we best monitor and ensure \nthat such information is being used as was intended?\n    Last spring, I, along with the Chairman and Ranking Member \nof the full Committee, Mr. Conyers, charged GAO with finding \nanswers to these questions. In particular, we sought to gain a \nbetter understanding of the Federal Government's involvement \nand reliance on data as it relates to fulfilling our Federal \nGovernment's top priorities, such as our Nation's law \nenforcement and antiterrorism efforts, and performing other \ncritical domestic functions such as effectively distributing \nbenefits.\n    Our inquiry was also prompted by the information age in \nwhich we live, where technology has allowed personal \ninformation to be universally available to anyone at any time, \nincluding to the Federal Government. The information provided \nby the commercial data suppliers has served an important role \nin supporting our Nation's law enforcement and antiterrorism \nefforts. It has also played an important role in assisting the \nFederal Government to perform other administrative \nresponsibilities. 
For example, last fall, commercial data \ncompanies provided critical assistance to FEMA to assist the \nvictims of Hurricane Katrina.\n    However, with the widespread availability of information \ncomes increased risks of privacy and security breaches, \nunauthorized uses, and other negative effects, to which the \nFederal Government is not immune.\n    I hope through today's hearing we can gain a better \nunderstanding of the existing Federal laws and policies in \nplace guiding commercial data suppliers and the Federal \nGovernment in handling personal information. Moreover, I look \nforward to discussing whether Federal laws such as the Privacy \nAct of 1974 and E-Government Act of 2002, which guide the \nFederal Government, and the Fair Credit Reporting Act and the \nGramm-Leach-Bliley Act, which guide the commercial data \nindustry, have been affected in addressing concerns raised by \nthe emerging industry.\n    With a better understanding of the existing framework, we \ncan ensure that the Federal Government continues to have access \nto the types of information that will enable it to fulfill its \nresponsibilities. At the same time, we can ensure that citizens \nknow when and how their information is being collected and used \nby the Federal Government.\n    I look forward to discussing these issues and learning \nwhether new legislation, such as the Federal Agency Privacy \nProtection Act which I have introduced in the previous \nCongresses, would be an appropriate remedy to ensure citizens' \nprivacy concerns over the use of their personal information by \nthe Federal Government. 
The Federal Agency Privacy Protection \nAct would require that all Federal agencies conduct privacy \nimpact assessments when issuing a notice regarding a new or \ninterpretive rule relating to the collection of personally \nidentifiable information on citizens, as well as when final \nrules are promulgated.\n    Again, I welcome the witnesses here with us today and look \nforward to their testimony.\n    I yield back the balance of my time.\n    Mr. Cannon. Thank you, Mr. Chabot.\n    Mr. Nadler, do you have an opening statement?\n    Mr. Nadler. Yes. Thank you, Mr. Chairman. I will be brief \nbecause I want to get to our witnesses.\n    Modern technology and security concerns have greatly \nthreatened the privacy of the most personal information about \nevery American. The nexus between private information resellers \nand Government action are especially troubling.\n    How we handle these complicated issues--and they are \ncomplicated--will affect the lives of every one of our \nconstituents. It is not simply a matter of identity theft but \nof the basic right to be secure in our persons, our papers, and \nour homes. People need to know that when they visit a doctor, \ngo to the store, read a book, engage in the practice of their \nreligion, they will not be subject to unwanted and uninvited \nprying eyes.\n    The secret NSA wiretaps, some of the abuses of power by the \nJustice Department, some of the more extravagant claims by this \nAdministration are warning signs. I hope this Congress looks \nmore carefully at the question of privacy from both a technical \nand legal perspective. 
This study and this hearing are \nimportant steps in this direction.\n    Of course, in one sense, this study, this hearing, \neverything we are doing, in one sense is irrelevant, because \nthe Administration claimed in the NSA wiretap situation that \nthe President has inherent power to disobey the FISA law \nbecause of inherent power under article II and under the \nauthorization for the use of military force. And in fact, it \nclaims inherent power to go beyond that, and we have no way of \nknowing what the NSA or some other agency may in fact be doing \nthat might invade privacy. The Administration won't tell us. \nThey won't testify to us. It is all secret. And in fact, the \nAdministration is conducting an investigation into who revealed \nwhat we do know about the NSA wiretaps, because they think that \nought to have remained secret. I disagree, obviously, but that \nis their position.\n    And they have made it quite clear that, in fact, various \nGovernment agencies may be going far beyond what we know in \nwiretapping or otherwise invading the privacy of American \ncitizens regardless of what the law says and regardless of any \nlaw we may pass, because the President has inherent power to \ndisregard that during a war, and we are in a war on terrorism.\n    So everything we say, everything we investigate, everything \nwe hear, everything we do may in fact be irrelevant because the \nPresident claims the power to ignore it and may or may not be \nexercising that power in ways that are unknown to us. That is a \nfar greater threat to our liberty than probably anything else \nwe are talking about.\n    So I thank you, Mr. Chairman, for scheduling this hearing. \nBut I hope we realize that the ability of this Congress to deal \nwith this is very much circumscribed by the unprecedented and \ntyrannical claim of power that the Administration is making.\n    I thank you. I yield back.\n    Mr. Cannon. 
Far be it from me to disagree with the \ngentleman, but I think it is the role of Congress to oversee \nany president of either party.\n    Mr. Nadler. Well, I certainly agree with that.\n    Mr. Cannon. That is not the focus of this hearing, but we \ncertainly need to be doing that.\n    Mr. Nadler. Mr. Chairman, if I could just say.\n    Mr. Cannon. Certainly.\n    Mr. Nadler. You are not disagreeing with me. I certainly \nagree that we ought to be overseeing the Administration. My \npoint is that the Administration claims under the wartime power \nthat we have no power to do that.\n    Mr. Cannon. I understand that you are being very harsh \nabout the Administration. I think our objective is to transcend \nthe current status of affairs with the war on terror.\n    Without objection, the gentleman's entire statement will be \nplaced in the record. Hearing no objection, so ordered.\n    Without objection, all Members may place their statements \nin the record at this point. Hearing no objection, so ordered.\n    Without objection, the Chair will be authorized to declare \nrecesses of this hearing at any point. Hearing no objection, so \nordered.\n    I ask unanimous consent that Members have 5 legislative \ndays to submit written statements for inclusion in today's \nhearing record. Hearing no objection, so ordered.\n    I am now pleased to introduce the witnesses for today's \nhearing. Our first witness is Linda Koontz, who is the Director \nof GAO's Information and Management Issues Division. In that \ncapacity, she is responsible for issues regarding the \ncollection, use, and dissemination of Government information. \nMrs. Koontz has led GAO's investigations into the Government's \ndata mining activities as well as E-Government initiatives. In \naddition to obtaining her bachelor's degree from Michigan State \nUniversity, Ms. Koontz received certification as a Government \nfinancial manager. 
She is also a member of the Association for \nInformation and Image Management Standards Board.\n    Maureen Cooney, our next witness, is the Acting Chief \nPrivacy Officer for the Department of Homeland Security. Ms. \nCooney, we always appreciated working with your predecessor, \nNuala O'Connor Kelly, and we look forward to working with you \nas well. As I previously noted in my opening remarks, my \nSubcommittee, with the support of Chairman Jim Sensenbrenner, \nplayed a major role in establishing Ms. Cooney's office at the \nDepartment of Homeland Security. The legislation creating her \noffice not only mandated the appointment of a privacy officer, \nbut specified the officer's responsibilities. One of the \nprincipal responsibilities of the DHS Privacy Officer, as set \nout by statute, is the duty to assure that the use of \ntechnologies sustain and do not erode privacy protections \nrelating to the use, collection, and disclosure of personal \ninformation. In addition, the Privacy Officer must assure that \npersonal information is handled in full compliance with the \nPrivacy Act and assess privacy impact of the Department's \nproposed rules.\n    Before joining the DHS Privacy Office, Ms. Cooney worked on \ninternational privacy and security issues at the U.S. Federal \nTrade Commission, where she served as the principal liaison for \nthe FTC to the European Commission and article 29 Working Party \non Privacy Issues. She also played a major role on the rewrite \nof the Organization for Economic Cooperation and Development \nSecurity Guidelines for Information Systems and Networks. Prior \nto that assignment, Ms. Cooney worked on privacy and security \nissues with the Treasury Department in the Office of the \nComptroller of the Currency. We are really pleased that there \nare people that know as much about this as you do, who are here \nto help guide us.\n    Ms. 
Cooney received her bachelor's degree in American \nstudies from Georgetown University and her law degree from \nGeorgetown University Law Center.\n    Our third witness is Peter Swire, the C. William O'Neill \nProfessor in Law and Judicial Administration at the Moritz \nCollege of Law of Ohio State University. In addition to his \nacademic endeavors, Professor Swire is a consultant with the \nlaw firm Morrison & Foerster, where he provides advice on \nprivacy, cyberspace, and related matters. He is also currently \na visiting senior fellow at the Center for American Progress, a \nnonpartisan research and educational institute. Under the \nClinton administration, Professor Swire was OMB's Chief \nCounselor for Privacy.\n    Professor Swire received his undergraduate degree from \nPrinceton University and his law degree from Yale Law School. \nHe is a prolific writer, with numerous law review articles and \nother writings to his credit.\n    Our final witness is Stuart Pratt. Mr. Pratt is the \npresident and CEO of the Consumer Data Industry Association, an \ninternational trade association representing more than 250 \nconsumer information companies. Prior to his current position, \nMr. Pratt served as the association's vice president of \ngovernment relations. He is a well-known expert on the Fair \nCredit Reporting Act, identity fraud, and the issues of \nconsumer data and public record data issues. Mr. Pratt received \nhis undergraduate degree from Furman University in Greenville, \nSouth Carolina.\n    I extend to each of you my warm regards and appreciation \nfor your willingness to participate in today's hearing. In \nlight of the fact that your written statements will be included \nin the hearing record, I request that you limit your oral \nremarks to 5 minutes. 
Accordingly, please feel free to \nsummarize or highlight the salient points of your testimony.\n    You will note that we have a lighting system, which is not \nyet on but they are the two little gizmos in front of you. It \nstarts with a green light and you have 4 minutes before it \nturns yellow, and then at the 5-minute mark it turns red. It is \nmy habit to tap the gavel at 5 minutes. We will appreciate it \nif you would finish up your thoughts within that time frame. We \ndon't want to cut people off in the middle of your thinking, \nbut I find it works better if everybody realizes we have a 5-\nminute limit. I am probably going to be a little more \naggressive with questions so that we can give everybody an \nopportunity to ask questions.\n    After you have presented your remarks, the Subcommittee \nMembers, in the order they arrived, will be permitted to ask \nquestions of the witness. They will also be limited to 5 \nminutes.\n    Pursuant to the direction of the Chairman of the Judiciary \nCommittee, I ask the witnesses to please stand and raise your \nright hand to take the oath.\n    [Witnesses sworn.]\n    Mr. Cannon. Thank you. You may be seated.\n    The record should reflect that each of the witnesses \nanswered in the affirmative.\n    Ms. Koontz, would you please proceed with your testimony.\n\nTESTIMONY OF LINDA D. KOONTZ, DIRECTOR, INFORMATION MANAGEMENT \n         ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Ms. Koontz. Mr. Chairman and Members of the Subcommittees, \nI appreciate the opportunity to discuss the results of GAO's \nwork on the Federal Government's purchase of personal \ninformation from businesses known as information resellers. My \ntestimony summarizes the results of the report we did at the \nCommittee's request and that we are issuing today. 
For that \nreport we reviewed four agencies: Justice, Homeland Security, \nState, and Social Security.\n    Information is an extremely valuable resource and \ninformation resellers provide services that are important to a \nvariety of Federal agency functions. Specifically, for fiscal \nyear 2005, the four agencies we reviewed reported a combined \ntotal of approximately $30 million in obligations for the \npurchase of personal information from resellers.\n    The vast majority of this spending, about 91 percent, was \nfor law enforcement or counterterrorism. For example, the \nDepartment of Justice, the largest user among the four, used \nthe information for criminal investigations, locating witnesses \nand fugitives, and researching assets held by individuals of \ninterest. Reseller information was also used by others to \ndetect and investigate fraud, verify identities, and determine \neligibility for benefits.\n    As agreed, we also evaluated agency and reseller privacy \npolicies and practices against the Fair Information Practices, \na set of widely accepted principles for protecting the privacy \nand security of personal information. These principles, with \nvariations, are the basis of privacy laws in many countries and \nare the foundation of the Privacy Act. They are not legally \nbinding either on Federal agencies or resellers, but we believe \nthey do provide a useful framework for analyzing agency and \nreseller practices and serve as an appropriate basis for \nfurther discussion and debate.\n    Applying this framework to Federal agencies, we found some \ninconsistencies. Agencies did take steps to address the privacy \nand security of the information acquired from resellers, but \ntheir handling of this information did not always fully reflect \nthe Fair Information Practices. 
For example, although agencies \nissued privacy notices on information collections, these did \nnot always specifically state that information resellers were \namong the sources used. This is not consistent with the \nprinciple that the public should be informed about privacy \npolicies and have a ready means of learning about the use of \npersonal information. One reason for this kind of inconsistency \nis ambiguity in OMB's guidance regarding how privacy \nrequirements apply to Federal agency use of reseller \ninformation.\n    To address these inconsistencies, we made recommendations \nto OMB and to the agencies we reviewed. These agencies \ngenerally agreed with our report and reported actions they are \ntaking. In particular, the Privacy Office within Homeland \nSecurity has conducted a public workshop on the Government's \nuse of commercial data for homeland security and recently \nfinalized guidance on conducting privacy impact assessments, \nwhich includes very useful direction on the collection and use \nof commercial data.\n    Regarding resellers, they also took steps to protect \nprivacy, but these measures were not fully consistent with the \nFair Information Practices. For example, resellers generally \ninformed the public about key privacy practices and principles \nand they have recently taken steps to improve security \nsafeguards. 
However, the principles that the collection and use \nof personal information should be limited and its intended use \nspecified are largely at odds with the nature of the reseller \nbusiness, which is based on providing information to multiple \ncustomers for multiple purposes.\n    Further, resellers generally limit the extent to which \nindividuals can gain access to personal information held about \nthemselves, as well as the extent to which they can correct or \ndelete inaccurate information contained in reseller databases.\n    In response, information resellers raised concerns about \nour reliance on the Fair Information Practices and suggested it \nwould be unreasonable for them to comply with some aspects of \nthe principles that, they believe, were intended for \norganizations that collect information directly from consumers. \nNonetheless, we believe that analysis against a framework of \nthe Fair Information Practices is important as a starting point \nto frame potential issues and facilitate informed discussion, \nand we suggest that Congress consider these issues in its \ndeliberations.\n    In conclusion, privacy is ultimately about striking a \nbalance between competing interests. In this case, it is about \nbalancing the value of reseller information as to important \nGovernment functions against the privacy rights of individuals. \nI look forward to participating in the discussion on how best \nto strike that balance.\n    This concludes my statement. Thank you.\n    [The prepared statement of Ms. Koontz follows:]\n                 Prepared Statement of Linda D. 
Koontz\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Cannon. Thank you, Ms. Koontz.\n    Ms. Cooney?\n\nTESTIMONY OF MAUREEN COONEY, ACTING CHIEF PRIVACY OFFICER, U.S. \n                DEPARTMENT OF HOMELAND SECURITY\n\n    Ms. Cooney. Thank you. Chairmen Cannon and Chabot, Ranking \nMembers Watt and Nadler, and Members of the Subcommittees on \nCommercial and Administrative Law and the Constitution, it is \nan honor to testify before you today. 
Because this marks my \nvery first appearance before the Subcommittee, I would like to \noffer a few biographical background notes.\n    It is my honor to currently serve as the Acting Chief \nPrivacy Officer for the Department of Homeland Security. I come \nto this position with 20 years of Federal service experience in \nrisk management and compliance and enforcement activities as \nwell as in consumer protection on global information privacy \nand security issues post-9/11. I was recruited from the Federal \nTrade Commission to join the Department of Homeland Security \nmore than 2 years ago as Chief of Staff of the Privacy Office \nand Senior Adviser for International Privacy Policy.\n    Since that time, it has been my privilege to help build the \nDHS Privacy Office with my colleagues and under the leadership \nof former Chief Privacy Officer Nuala O'Connor Kelly and \nSecretaries Chertoff and Ridge.\n    I appreciate this opportunity to address the subject of \npersonal information acquired by the Government from \ninformation resellers. The use of commercial data for homeland \nsecurity involves complex issues that touch on privacy, program \neffectiveness, and operational efficiency. I commend the \nGovernment Accountability Office for undertaking their \nanalysis, which will positively assist in informing privacy \npolicy development.\n    As my written statement points out, internally the primary \noversight mechanism used by the Privacy Office for ensuring \nappropriate use of personal information regardless of its \nsource is the privacy impact assessment, which is required to \nbe used by section 208 of the E-Government Act of 2002 and \nsection 222 of the Homeland Security Act.\n    Privacy impact assessments, or PIAs as we call them, can be \none of the most important instruments in establishing trust \nbetween the Department's operations and the public simply \nbecause they are generally very transparent. 
In fact, PIAs are \nfundamental at our Department in making privacy an operational \nelement within the DHS family. Privacy impact assessments allow \nfor the examination of privacy questions concerning a program \nor an information system's collection and use of information, \nincluding commercial reseller data.\n    As mentioned in my colleague Ms. Koontz's testimony, the \nDHS Privacy Office has issued official guidance on the conduct \nof privacy impact assessments. Various sections of that \nguidance are particularly relevant to the subject matter of \nthis hearing. I refer you to my written testimony on the \ndetails of that.\n    I am a little concerned that we may run out of time, so one \nof the points that I would like to make is that in addition to \nprivacy requirements under the Privacy Act of 1974, the privacy \nimpact assessment process really augments the system of record \nnotice provisions in the Privacy Act that provide for notice to \nthe public about the types of information collected by the \nGovernment and the treatment of that information. The DHS \nPrivacy Office reviews new systems of record notices to make \nsure that the presence of commercial data is made transparent \nif data is collected as a source of information in a system, \nand we are seeking to apply this to existing sources as well.\n    The Privacy Office also has been part of a broad-based \ndialogue on the use of commercial data both within and outside \nof the Department. In September of 2005, we hosted a public \nworkshop addressing privacy and technology, exploring the use \nof commercial data for homeland security. The workshop examined \nthe policy, legal, and technology issues associated with the \nGovernment's use of commercial personally identifiable data for \nhomeland security purposes.\n    With input from the public workshop, the DHS Privacy Office \nis now in the process of drafting specific guidance for our \nDepartment on the use of commercial data. 
The guidance will \naddress three broad categories of use: comparing data in \ncommercial and Government databases, obtaining data from \ncommercial sources for use in Government systems, and use of \nGovernment analytic tools on commercial databases.\n    We will be hosting a meeting with our internal Privacy and \nData Integrity Board made up of senior Department managers on \nApril 11th to collaborate on this policy through a full and \nmeaningful discussion of an appropriate framework for using \ncommercial data.\n    The Privacy Office also has been discussing commercial data \nissues with the DHS Data Privacy and Integrity Advisory \nCommittee, our Federal advisory committee made up of U.S. \ncitizens with expertise in privacy, information technology, \ninformation security, and public policy.\n    In October of 2005 the DHS Privacy Advisory Committee \npublished a report on the use of commercial data to reduce \nfalse positives in screening programs, and the Committee's \nrecommendations will be incorporated in our policy development.\n    Thank you for inviting me, and thank you for your support \nof the DHS Privacy Office.\n    [The prepared statement of Ms. Cooney follows:]\n                  Prepared Statement of Maureen Cooney\n    Chairmen Cannon and Chabot, Ranking Members Watt and Nadler, and \nMembers of the Subcommittees on Commercial and Administrative Law and \nthe Constitution, it is an honor to testify before you today on the \nactivities of the United States Department of Homeland Security, for \nwhich I am privileged to serve as the Acting Chief Privacy Officer.\n    Thank you for inviting me to speak with you on the subject of \npersonal information acquired by the government from information \nresellers.\n    As you know, the DHS Chief Privacy Officer is the first statutorily \nrequired privacy officer in the Federal government. 
The \nresponsibilities of the DHS Chief Privacy Officer are set forth in \nSection 222 of the Homeland Security Act of 2002. They include:\n\n        (a)\n             assuring that the use of technologies sustain, and do not \n        erode, privacy protections relating to the use, collection and \n        disclosure of personal information;\n\n        (b)\n             assuring that personal information contained in Privacy \n        Act systems of records is handled in full compliance with fair \n        information practices as set out in the Privacy Act of 1974;\n\n        (c)\n             evaluating legislative and regulatory proposals involving \n        collection, use, and disclosure of personal information by the \n        Federal Government;\n\n        (d)\n             conducting a privacy impact assessment of proposed rules \n        of the Department on the privacy of personal information, \n        including the type of personal information collected and the \n        number of people affected; and\n\n        (e)\n             preparing a report to Congress on an annual basis on \n        activities of the Department that affect privacy, including \n        complaints of privacy violations, implementation of the Privacy \n        Act of 1974, internal controls and other matters.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ The Homeland Security Act of 2002, Pub. L. No. 107-296, Title \nII, Sec. 116 Stat. 2155.\n\n    It is upon this statutory authority that the Chief Privacy Officer \nand the DHS Privacy Office review and approach the use of personal \ninformation by the Department, including the use of data from \ninformation resellers.\n    The use of data from information resellers for homeland security \ninvolves complex issues that touch on privacy, program effectiveness \nand operational efficiency. There are many benefits to the government \nwhen commercial data is used responsibly. 
It can save time, it is often \nmore precise, and is updated more quickly and, therefore, in certain \ncircumstances, it could be more accurate and therefore have greater \ndata integrity than other sources. At the same time, the government's \nuse of commercial data must be transparent and appropriate. The DHS \nPrivacy Office has been part of a broad based dialogue both within and \noutside of the Department on the use of commercial data.\n    As noted by the Government Accountability Office (GAO), unless an \ninformation reseller is operating a System of Records specifically on \nbehalf of a Federal agency, it is not subject to the provisions of the \nPrivacy Act of 1974. However, the Privacy Act applies to Federal \nagencies that bring data from information resellers into a Federal \nSystem of Records. The Privacy Office exercises oversight over the way \nDepartmental components access, use and maintain data obtained from \ninformation resellers as part of our responsibility to assure that \nDepartmental systems operate in accordance with Section 222(b) of our \nauthorizing statute--that information in DHS Systems of Records is \nhandled in a manner consistent with the fair information practices \nprinciples set out in the Privacy Act.\n    The main oversight mechanism used by the Privacy Office for \ninformation systems is the Privacy Impact Assessment (PIA). PIAs are \nfundamental in making privacy an operational element within the \nDepartment. Conducting PIAs demonstrates the Department's efforts to \nassess the privacy impact of utilizing new or changing information \nsystems, including attention to mitigating privacy risks. Touching on \nthe breadth of privacy issues, PIAs allow the examination of the \nprivacy questions that may surround a program or system's collection of \ninformation, including commercial reseller data, as well as the \nsystem's overall development and deployment. 
When worked on early in \nthe development process, PIAs provide an opportunity for program \nmanagers and system owners to build privacy protections into a program \nor system in the beginning. This avoids forcing the protections in at \nthe end of the developmental cycle when remedies can be more difficult \nand costly to implement.\n    With respect to the data types that are collected and their \nhandling, the PIA process augments the Systems of Record Notice \nprovisions in the Privacy Act that provide notice to the public about \nthe types of information collected and its treatment. The PIA can be \none of the most important instruments in establishing trust between the \nDepartment's operations and the public.\n    In accordance with Section 208 of the E-Government Act of 2002 and \nOMB's implementing guidance, the Department of Homeland Security is \nrequired to perform PIAs whenever it procures new information \ntechnology systems or substantially modifies existing systems that \ncontain personal information. Although the E-Government Act allows \nexceptions from the PIA requirement for national security systems, DHS \nis implementing Section 222 of the Homeland Security Act to require \nthat all DHS systems, including national security systems, must undergo \na PIA if they contain personal information. The Privacy Office has \nstaff with security clearances that allow them to work with programs to \nassess the privacy impact of classified systems or systems that contain \nclassified information. In cases where the publication of the PIA would \nbe detrimental to national security, the PIA document may not be \npublished or may be published in redacted form.\n    Every PIA must address at least two issues:\n    1. It must address the risks and effects of collecting, maintaining \nand disseminating information in identifiable form in an electronic \ninformation system; and\n    2. 
It must evaluate the protections and alternative processes for \nhandling information to mitigate potential privacy risks.\n    The Privacy Office has issued official guidance on the conduct of \nPrivacy Impact Assessments. The most up-to-date version of the guidance \nis available at the DHS Privacy Office Web site at http://www.dhs.gov/\ndhspublic/interapp/editorial/editorial--0511.xml. However, earlier \nversions of the guidance have been available internally to DHS for \nabout two years, with initial guidance issued in February 2004.\n    Various sections of the PIA guidance are particularly relevant to \nthe subject matter of this hearing. First, the guidance states that the \nPIA requirement applies broadly to personally identifiable information \nrather than to a much narrower category of ``private'' information. If \ninformation can be connected with an individual, it is personally \nidentifiable information, whether or not the information is private or \nsecret. This is important because much of the information purchased \nfrom information resellers is either publicly available, e.g., \naddresses and telephone numbers, or is derived from public records.\n    In addition, Section 1.2.2 of the guidance directs programs that \nuse data from commercial data aggregators to state this fact and then \nto explain in Section 1.3 why data from this source is being used. \nSection 2.3.4 requires a statement about whether data obtained from \ncommercial data aggregators is assessed for quality, and if so, what \nquality measures are used.\n    Some products offered by information resellers permit users to \n``ping'' resellers' databases either to obtain new information or to \nverify information in government databases. This ability to access \ninformation without bringing it into Federal systems raises the \nquestion about when information is actually ``collected'' by a \ngovernment agency. 
It is DHS policy that any time information from an \ninformation reseller is used in a decision-making process, whether the \ndecision involves correcting existing government information or \nobtaining new information, a PIA is required.\n    In order to clarify specific issues related to the use of data from \ninformation resellers, the DHS Privacy Office is in the process of \ndrafting specific guidance on the use of commercial data to complement \nthe general PIA guidance. The guidance on the use of commercial data \nwill apply specifically to the use of data from information resellers \nand will address three broad categories of use: comparing data in \ncommercial and government databases, obtaining data from commercial \nsources for use in government systems; and use of government analytic \ntools on commercial databases. The guidance will specify when PIAs must \nbe performed and what additional requirements might apply to programs \nthat use data from commercial sources. We expect this guidance to be \nreleased as soon as it completes Departmental clearance, and would be \nhappy to discuss it with you at that time.\n    The DHS Privacy Office has been part of a broad-based national \ndialog on these issues. In September of 2005, the Privacy Office held a \npublic workshop on the use of commercial data for homeland security. \nThe objective of the workshop was to look at the policy, legal, and \ntechnology issues associated with the government's use of commercial \npersonally identifiable data in homeland security. A broad range of \nexperts, including representatives from government, academia, and \nbusiness participated in the panel discussions. 
The panels addressed \nhow government agencies are using commercial data to aid in homeland \nsecurity; the legal issues raised by the government's use of commercial \ndata, particularly the applicability of the Privacy Act; current and \ndeveloping technologies that can aid the government in data analysis; \nways in which technology can help protect individual privacy while \nenabling government agencies to analyze data; and ways to build privacy \nprotections into the government's use of commercial data. At the end of \neach panel, the audience was given an opportunity to address questions \nto the panelists. The full transcript of the Workshop is available at \nwww.dhs.gov/privacy. A report summarizing the workshop is attached.\n    The Privacy Office has also been working with the DHS Data Privacy \nand Integrity Advisory Committee (DPIAC) on issues related to the use \nof commercial data. In October 2005, the DPIAC published a report on \nthe use of commercial data to reduce false positives in screening \nprograms. The report is available on the DHS Privacy Office Web site at \nhttp://www.dhs.gov/interweb/assetlibrary/privacy--advcom--rpt--\n1streport.pdf. 
The Committee recommends that commercial data be used \nfor screening programs only when:\n\n        <bullet>  It is necessary to satisfy a defined purpose\n\n        <bullet>  The minimization principle is used\n\n        <bullet>  Data quality issues are analyzed and satisfactorily \n        resolved\n\n        <bullet>  Access to the data is tightly controlled\n\n        <bullet>  The potential harm to the individual from a false \n        positive misidentification is substantial\n\n        <bullet>  Use for secondary purposes is tightly controlled\n\n        <bullet>  Transfer to third parties is carefully managed\n\n        <bullet>  Robust security measures are employed\n\n        <bullet>  The data are retained only for the minimum necessary \n        period of time\n\n        <bullet>  Transparency and oversight are provided\n\n        <bullet>  The restrictions of the Privacy Act are applied, \n        regardless of whether an exemption may apply\n\n        <bullet>  Simple and effective redress is provided\n\n        <bullet>  Less invasive alternatives are exhausted\n\n    The Committee is now working on a broader report that addresses the \nuse of commercial data in applications beyond screening. We are using \nthe work of the DPIAC to help inform our work on guidance for the \nDepartment.\n    We are living through a time of tremendous change as more and more \npersonal information becomes electronic. In electronic form such \ninformation is more easily collected, analyzed and used for various \npurposes and serves as a basis for decision-making in personal, social, \npolitical and economic spheres. It is the goal of the DHS Privacy \nOffice to ensure that commercial information used by the Department in \nthe performance of its mission is used responsibly and with respect for \nindividuals' legitimate expectations of privacy. We look forward to \nworking with the Committee and everyone involved on these important \nissues.\n    Thank you.\n\n    Mr. 
Cannon. We are thrilled how well you all have done in \nthat office.\n    Ms. Cooney. Thank you.\n    Mr. Cannon. It has been a great model for what we have done \notherwise, what we hope to do still.\n    Professor Swire, you are recognized for 5 minutes.\n\n  TESTIMONY OF PETER SWIRE, WILLIAM O'NEILL PROFESSOR OF LAW, \n MORITZ COLLEGE OF LAW OF THE OHIO STATE UNIVERSITY, VISITING \n          SENIOR FELLOW, CENTER FOR AMERICAN PROGRESS\n\n    Mr. Swire. Thank you, Mr. Chairman, and thank you to the \nCommittee for the invitation to participate today. And I \nexpress my appreciation for the leadership this Committee has \nshown, including in creating the Chief Privacy Officer office \nthat we have just heard the impressive discussion from Ms. \nCooney.\n    In my written testimony, I give a little bit of the history \nof this topic. In 1974, when the Privacy Act was passed, the \nmost important databases were primarily Government databases, \nlike IRS or Social Security. Today, by contrast, the databases \nare dominated by private-sector databases. That is where the \nrecords are. So the big question is how do we update our laws \nand practices to this new reality.\n    The overall theme of my testimony is that we are still \nearly on the learning curve about how to incorporate private \ndatabases into public agency activities. My written testimony \ngives some comments on the GAO report and the Fair Information \nPractices, but I highlight four recommendations.\n    First, because Federal agencies make such important \ndecisions based on the data, we must have accurate data and we \nhave to have effective ways to get redress when mistakes \ninevitably do occur.\n    Second, new mechanisms of accountability are likely needed \nas agencies rely more and more on these private-sector records. 
\nThere should be expanded use of privacy impact assessments, \nperhaps along the line of Chairman Chabot's bill, and there are \nother steps that I will go into.\n    Third, greater expertise and leadership is needed in the \nexecutive branch at the highest levels on privacy issues, \nincluding policy leadership from the Executive Office of the \nPresident. The lack of such leadership on privacy, I believe, \nhas led to significant and avoidable problems.\n    Fourth, as we continue along the learning curve, it is \nimportant to merge today's discussion about privacy with the \ndiscussions about information sharing in the war on terror, and \nI suggest a National Academy of Sciences study on privacy and \ninformation sharing might be useful.\n    Let me turn to a couple of things in more detail.\n    In order to think about accuracy of data over time, I think \nit makes sense for the Government to test and audit the \naccuracy of data, at least selectively, at the time that we \npurchase the data. S. 1789, the data breach bill that has been \npassed by the Senate Judiciary Committee, calls for audits like \nthis as new Government contracts are formed. I think that might \nhelp us get a sense of where the accuracy is and isn't.\n    However accurate data is on the front end, though, we are \ngoing to have issues on the back end. We are going to have \nmistakes that get made. Many people on the Committee likely \nknow about the troubles that Senator Kennedy or Congressman \nLewis have had getting off watch lists. Last month, Senator Ted \nStevens of Alaska told the story about his wife, which I hadn't \nheard about until I was researching this. Apparently, she was \nhaving great trouble getting on airplanes. 
Her first name is \nCatherine, the nickname for that is ``Cat,'' and they had her \ndown as Cat Stevens and she was having trouble getting on \nairplanes.\n    Now, if it is tough for Senators, including quite powerful \nSenators, to get their family members off of watch lists, it \nsuggests there are issues for all 300 million Americans. So how \nwe do redress is something to really think about going forward.\n    In the testimony I discuss some of the other accountability \nmechanisms--privacy impact assessments and the rest--that I \nthink can be considered and cites to legislation that does some \nof this.\n    I would like to turn to the question of the structure of \nprivacy protection in the executive branch. Step one has been \ncreation by your Committee of the Chief Privacy Officer in \nHomeland Security and now elsewhere, and I was pleased to get \nto testify on that in 2002 before your Committee when that was \nset up. In 2004, Congress created the Privacy and Civil \nLiberties Board for intelligence activities only. But the gap \nis for the rest, which is where a lot of commercial data is \nused. There is no White House leadership, there is no policy \nofficial who is on the job there. One recent example, I think, \nillustrates the need to have a policy official looking at these \nissues up front and correcting problems.\n    You might have seen press reports about 2 weeks ago that \nthe IRS has a proposed rule now to allow tax preparation \ncompanies, for the first time, to sell people's tax records or \neven to give them away to people with no limits on how they \nthen get resold or redisclosed. It would be legal under this, \nif I sign my name for my company, to put my tax records up on \nthe Internet. It is supposed to be done with consent, but, you \nknow, when you sign your tax forms, you sign in about 27 places \nand maybe you missed this one. 
And suddenly you have consented \nto sale of your tax records.\n    Now, when I worked at OMB, my office reviewed proposals \nsuch as this. We got it before it became policy. I think we \nwould have noticed the lack of limits on redisclosure and \nresale. And I don't think the rule would have gone forward the \nway it did. If such a mistake had happened, I think we would \nhave moved to correct it. But now this rule may be going final, \nand without a White House ability currently to spot and correct \nsuch mistakes, privacy problems, I think, turn out to be worse \nthan they ought to be. So I think continued steps toward \nleadership on privacy in the executive branch are called for.\n    The last point I want to make in my testimony is we have \nhearings on information sharing, how we have to use the data to \nfight terrorism, and we have hearings on privacy, how we have \nto stop uses of data that might lead to identity theft and the \nrest. I think we probably need to bring those two things \ntogether. One way to do that might be a National Academy of \nSciences study on the two that would involve commercial \ndatabases but also how to do privacy and information sharing. I \nhave been working on this in my own research. I think it is a \nbig issue that a lot of people should come together to examine. \nSo I suggest that as one possible thing for your Committee to \nconsider.\n    Thank you, and I look forward to questions.\n    [The prepared statement of Mr. 
Swire follows:]\n                   Prepared Statement of Peter Swire\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Cannon. Thank you, Professor.\n    Mr. Pratt?\n\n   TESTIMONY OF STUART PRATT, PRESIDENT AND CHIEF EXECUTIVE \n          OFFICER, CONSUMER DATA INDUSTRY ASSOCIATION\n\n    Mr. Pratt. Chairmen Cannon and Chabot, Ranking Members Watt \nand Nadler, Members of the Committees, thank you for this \nopportunity to appear before you today.\n    We are here to discuss the GAO's report regarding \nGovernment uses of data and some concerns that we do have with \nregard to that report, that we hope will inform your thinking \nhere as the Committee.\n    First, while the report does survey governmental uses of \nour members' systems, it does not discuss the value and \neffectiveness of them. Government agencies are faced with \nextraordinary challenges in accomplishing their missions. \nConsider just a few examples of those: preventing money \nlaundering and terrorist financing, enforcing child support \norders, locating missing and exploited children, researching \nfugitives, researching assets held by individuals of interest, \nwitness location, entitlement fraud, background screening for \nnational security investigations, and disaster assistance, as \nwas mentioned.\n    A real-world example of how these systems work, a public \nrecord provider can provide for as little as $25 a search of \n100 million criminal records in order for that to be done. 
\nOtherwise, you would have to spend approximately $48,000 and it \nwould take days, if not weeks, to accomplish the same search.\n    These are just one of a number of examples we include in \nour written testimony of the direct value of data products that \nour members produce.\n    We do have other concerns with the report beyond its lack \nof an adequate description of the value of our members' \nservices. First, the report does not help the reader understand \nthe breadth of the application of Federal laws to data products \nused by Government agencies today. The report lists laws, but \nit relegates an incomplete discussion of their requirements to \nan appendix. Chairman Chabot mentioned several of these laws. \nThere is one that is not acknowledged directly in the report, \nand that is that the FTC Act, section 5, also applies to data \npractices and it does include enforcement actions relative to \nprivacy notices as well as to the security of sensitive \npersonal information.\n    One such law, the Fair Credit Reporting Act, applies to the \npublic sector equally as it does to the private sector, and \nthus all decisions where there is a determination of a \nconsumer's eligibility such as approval or denial are made, \nextensive rights are accorded to that consumer under this \nstatute. This is just one of many Federal statutes that need to \nbe considered in the context of this discussion today.\n    The GAO report does commingle a variety of different \nbusiness models under a single uniform ``information reseller'' \nterm and then attempts to monolithically apply the OECD privacy \nguidelines across every business model and every product. In \ndoing so, we think they make a mistake in thinking that Fair \nInformation Practices frameworks can operate as a one-size-\nfits-all yardstick. We disagree, and the guidelines themselves \ncaution against such an approach. 
In fact, they state that the \napplication of the guidelines should be considered in the \ncontext of different categories of personal information, \ndifferent protective measures to be applied, depending on their \nnature and the context in which they are collected, stored, \nprocessed, and disseminated. We don't think that the GAO fully \nadhered to this OECD guidance itself, and there are certainly \nother privacy guidelines that are more contemporary than those \nof the OECD that were produced back in 1980.\n    Again, the implication of the GAO's report is that \ncongressional oversight was also incomplete and that its review \nof the industry sector's uses of personal information was \ninsufficient. We disagree. The GAO does not properly account \nfor the system, for example, of public records in this country \nand the inapplicability of many of the privacy principles to \nsuch public records.\n    Just a couple of examples of how the actual privacy \nprinciples would or wouldn't apply.\n    Consumer consent. If consumers had the ability to consent \nor to control data that would go into a fraud prevention tool, \ncriminals could simply prohibit the kind of information we use \nto stop identity theft.\n    Data quality. If a consumer could--if we applied data \nquality to the principle of public records in the way that we \nwould under the way that we would under the Fair Credit \nReporting Act, we probably couldn't aggregate a system of \ncriminal histories in this country the way that we do today.\n    Use limitations. How would you apply a use limitation \nconcept to criminal histories or other types of public \nrecords--records of eviction, professional licensing--used for \nbackground screening in the way that we do today?\n    Access and correction. 
If we allow all types of databases \nto be tied to an access and correction standard, then we are \nallowing a fraudster to have access to a fraud prevention \nsystem, and not only to do so but then to correct the \ninformation that is used to prevent the very fraud which they \nare going to attempt to commit.\n    The GAO report states in its conclusion that, Given that \nreseller data may be used for many purposes that could affect \nan individual's livelihood and rights, ensuring that \nindividuals have appropriate degrees of control or influence \nover the way in which their personal information is obtained \nand used--as envisioned in the Fair Information Practices--is \ncritical.\n    I don't know that we disagree with that, but we disagree \nwith the application of the principles, as we have discussed in \nour testimony. A one-size-fits-all approach simply can't work \nfor all types of data systems that we have discussed. We also \ndon't think that the OECD guidelines should be used as an \noverlay for all of the Federal laws that do today regulate \nvarious aspects of personal information that are used in our \nsociety today.\n    With that, we thank you for this opportunity to testify and \nwe welcome your questions.\n    [The prepared statement of Mr. Pratt follows:]\n                 Prepared Statement of Stuart K. Pratt\n    Chairmen Cannon and Chabot, Ranking members Watt and Nadler, and \nmembers of the committees, thank you for this opportunity to appear \nbefore you today. 
For the record, my name is Stuart Pratt and I am \npresident and CEO of the Consumer Data Industry Association.\\1\\ Our \nmembers appreciate this opportunity to discuss our serious concerns \nwith basic premises which underlie and methodologies employed in \ndrafting the report written by the General Accountability Office (GAO) \nregarding the government's use of data provided by consumer data \ncompanies.\\2\\\n---------------------------------------------------------------------------\n    \\1\\ CDIA, as we are commonly known, is the international trade \nassociation representing over 300 consumer data companies that provide \nfraud prevention and risk management products, credit and mortgage \nreports, tenant and employment screening services, check fraud and \nverification services, systems for insurance underwriting and also \ncollection services.\n    \\2\\ The GAO employs the term information reseller and we have \nconcerns with the use of the term which will be discussed later in this \ntestimony. For example we do not believe that the term ``consumer \nreporting agency'' as defined by the Fair Credit Reporting Act should \nbe commingled with other data products due to the specificity of law \nwhich regulates this product. The GAO fails to draw this distinction in \nits draft report.\n---------------------------------------------------------------------------\n             the recognized value of cdia members' systems\n    CDIA's members are the leading companies producing consumer data \nproducts and services for both the private and public sector markets. \nThe GAO report surveys governmental uses of our members' systems, but \nleaves the reader with a less than complete perspective on the value \nand effectiveness of such services. 
Consider the following examples of \ngovernmental uses of our members' products and services:\n\n        <bullet>  Preventing money laundering and terrorist financing \n        through investigative tools.\n\n        <bullet>  Enforcing child support orders through the use of \n        sophisticated location tools.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ In 2004 there were 5.5 million location searches conducted by \nchild support enforcement agencies to enforce court orders.\n---------------------------------------------------------------------------\n\n        <bullet>  Assisting law enforcement and private agencies which \n        locate missing and exploited children through location tools.\n\n        <bullet>  Researching fugitives, assets held by individuals of \n        interest through the use of investigative tools which allow law \n        enforcement agencies to tie together disparate data on given \n        individuals and thus to effectively target manpower resources.\n\n        <bullet>  Witness location through use of location tools.\n\n        <bullet>  Entitlement fraud prevention, eligibility \n        determinations, and identity verification through fraud \n        prevention data matching and analytical products.\n\n        <bullet>  Background screening for employment and security \n        clearances.\n\n        <bullet>  Disaster assistance.\n\n    Homeland security, law enforcement and entitlement program \nmanagement are all faced with extraordinary challenges in accomplishing \ntheir missions. The GAO's report does not properly set the stage for \nunderstanding how difficult it is to accomplish their missions. \nConsider the facts regarding simply identity verification:\nPersonal identifiers change:\n    While it probably doesn't occur to most of us, the identifiers we \nuse in everyday life do change and more often than most might think. \nFor example, data from the U.S. 
Postal Service and the U.S. Census \nconfirm that over 40 million addresses change every year. More than \nthree million last names change due to marriage and divorce. While \ntrends in naming conventions are changing, this fact is still far more \noften true for women than men.\nWe use our identifiers inconsistently:\n    It is a fact that we use our identifiers inconsistently for a wide \nvariety of reasons. First, many citizens choose to use nicknames rather \nthan a given name. However, there are times where, in official \ntransactions, a full name is required. Some consumers, when hurried, \nuse an initial coupled with a last name, rather than their full name or \nnickname. Consumers are also inconsistent in the use of generational \ndesignations (e.g., III, or Sr.). Finally, there are times where \nconsumers themselves do make mistakes when completing applications, \nsuch as transposing a digit in an SSN. Thus, a consumer's identifiers \nmay be presented in different ways in different databases and, in some \ncases, the data may be partially incorrect.\nPersonal identifiers are not always unique:\n    We think of our names as a very personal part of who we are. \nHowever, our names are less uncommon and unique than we might think. \nFor example, families carry forward family naming conventions leading \nto some consumers sharing entirely the same name. Further, U.S. Census \ndata shows that both first and last names are, in some cases, amazingly \ncommon. Fully 2.5 million consumers share the last name Smith. Another \n3 million share the name Jones and more than thirteen million consumers \nhave one of ten common last names. First names are also used very \ncommonly, leading to common naming combinations. Eight million males \nhave either the name James or John and a total of 57 million males have \none of ten common first names. An additional 26 million females have \none of ten common first names. 
Common naming conventions make it more \ndifficult and in some cases impossible to depend on name alone to \nproperly match consumer data.\nIdentifiers are shared:\n    Our birthday is a unique day in our lives, but it is, nonetheless, \na date shared with hundreds of thousands of others. Date of birth alone \nis not an effective identifier. Family members who live together end up \nsharing addresses and per our discussion above, where consumers share \nthe same name due to family traditions and the address at which they \nlive, distinguishing one consumer from another is complex.\nData entry errors do happen:\n    Hundreds of millions of applications for credit, insurance, \ncellular phone services, and more are processed every year. There is no \ndoubt that in the process of entering a consumer's identifying \ninformation errors can be made which carry forward into databases and \ninto the reporting of data to consumer reporting agencies.\nWe do not always update our records:\n    Consumers don't always remember to update records when they move or \nwhen portions of their personal identifying information change. For \nexample, consumers are permitted to change their social security number \nunder certain circumstances in addition to officially changing their \nnames and while the percentages of consumers who take these steps is \nsmall relative to the U.S. population, such changes do affect data \nmatching systems. It is important to know that some consumers try to \nseparate themselves from their records on purpose and apply with the \nSSA for employer ID numbers (EINs) to use in lieu of their SSNs.\\4\\ A \nnon-custodial parent who does not want to pay child support might \nemploy such tactics in order to avoid being located and forced to \nfulfill a court order. A consumer who does not want to take \nresponsibility for their mismanagement of credit and hopes that by \nusing new identifying information to separate himself/herself from a \ncredit report is another example. 
Clearly fugitives are another example of a type of \nperson who will employ tactics to try and separate themselves from \ntheir histories.\n---------------------------------------------------------------------------\n    \\4\\ The FTC investigates ``file segregation'' schemes. Here's what \nthey say on their website about this activity: ``You're promised a \nchance to hide unfavorable credit information by establishing a new \ncredit identity. The problem: File segregation is illegal. If you use \nit, you could face fines or even a prison sentence.''\n---------------------------------------------------------------------------\n    These facts about our identifying information demonstrate how \nchallenging it is to match records with individuals and why the \nproducts, tools and services of our members are in such high demand.\n    Let's now consider what government representatives themselves have \nsaid about the value they derive from the use of consumer reporting \nagencies and other consumer data companies. On September 8, 2005, the \nDepartment of Homeland Security held a workshop which explored its use \nof commercial data. This public meeting brought forward important input \nwhich informs the record of this hearing.\n    Regarding identity verification, Grace Mastalli, Principal Deputy \nDirector for the Information Sharing and Collaboration Program in DHS \nstated the following regarding the value of CDIA member services: \n``There are people without prescriptions, without driver's licenses, \nand it is the commercial data sources, in many instances right now, that \nare facilitating not just placing people, but verifying their \nidentities to the claims . . 
.we get to make sure that entitlements go \nto individuals who deserve them.''\n    Regarding how our members' systems contribute to the accuracy of \ngovernmental systems, Mastalli indicated that ``we have sometimes used \ncommercial data, not just to support identity authentication, but to \nassure the integrity of government data, and the accuracy of government \ndata. Unfortunately, in many respects, the commercial enterprises have \ndone better jobs of organizing and, what I call `cleaning' data to \neliminate errors in data.''\n    Mr. Jeff Ross, senior advisor in the area of money laundering and \nterrorist financing, in the Office of Terrorist Financing and Financial \nCrime at the Department of Treasury, also participated in this DHS \nworkshop. He pointed out that many crimes have a financial aspect to \nthem including narcotics trafficking, public corruption, terrorist \nfinancing, and organized crime in general. His comments help explain \nthe investigative research value of CDIA member tools where he states \n``so commercial data bases are very important to us in law enforcement \narea to be used proactively . . . we have targets and need information, \nwhere you are trying, also, to find a specific individual or entity \nthat should be involved . . . who could also be potential witnesses in \na case.''\n    Mastalli provided a very concrete example of how the sophistication \nof private-sector data matching tools contributes to efficient use of \ngovernmental law enforcement agents. She noted that ``. . . 
commercial \ndatabase providers provide accurate data--often more accurate than some \nthat we have, because they spend the time cleaning it and verifying it \nand have matching capabilities that we in government have not yet \ninvested in to eliminate the 17 instances of an individual who has a \nphonetically spelled name being recorded as 17 people instead of one.''\n    She goes on to explain that government cannot always anticipate \nwhat data might be of value to a particular investigation. Mastalli \nprovided the following scenario: ``One extremely well-known law \nenforcement intelligence example from immediately post 9/11 was when \nthere was a now well-publicized threat . . . that there might be cells \nof terrorists training for scuba diving underwater bombing, similar to \nthose that trained for 9/11 to fly--but not land--planes. How does the \ngovernment best acquire that? The FBI applied the standard shoe-leather \napproach--spent millions of dollars sending out every agent in every \noffice in the country to identify certified scuba training schools. The \nalternative could and should have been for the Federal government to be \nable to buy that data for a couple of hundred dollars from a commercial \nprovider, and to use that baseline and law enforcement resources, \nstarting with the commercial baseline. One of the issues here is that, \nother than the name of the owner or manager of scuba diving schools, \nthere was no personally identifiable data.''\n    To further the point regarding the value of commercial data our \nmembers supply, consider the following two examples:\nExample 1:\n    In this example we learn how the aggregation of public records \ncreates low-cost research efficiencies that ensure that ``shoe \nleather'' investigations conducted by highly trained personnel are \ntruly targeted and results-focused. 
One commercial database \nprovider charges just $25 for an instant comprehensive search of \nmultiple criminal record sources, including fugitive files, state and \ncounty criminal record repositories, proprietary criminal record \ninformation, and prison, parole and release files, representing more \nthan 100 million criminal records across the United States.\\5\\ In \ncontrast, an in-person, local search of one local courthouse for felony \nand misdemeanor records takes 3 business days and costs $16 plus \ncourthouse fees.\\6\\ An in-person search of every county courthouse \nwould cost $48,544 (3,034 county governments times $16). Similarly, a \nstate sexual offender search costs just $9 and includes states that do \nnot provide online registries of sexual offenders. An in-person search \nof sexual offender records in all 50 states would cost $800.\\7\\\n---------------------------------------------------------------------------\n    \\5\\ http://www.choicetrust.com/servlet/\ncom.kx.cs.servlets.CsServlet?channel=home&product=bgcheck&subproduct=def\nault&anchor=#. All RVI providers recommend that employers should \nsupplement `no criminal record found' results with a local county \nrecords search before making a hiring decision as any national criminal \ndatabase will not contain all current criminal records since \ncourthouses add new records daily.\n    \\6\\ Id.\n    \\7\\ Assuming each in-person search costs $16, the same as an in-\nperson county courthouse search.\n---------------------------------------------------------------------------\nExample 2:\n    While this next example is drawn from the private sector, it helps \nillustrate how fraud prevention and identity verification services \nreduce fraud and is analogous to the value of such systems when used by \nthe government, as well. A national credit card issuer reports that \nthey approve more than 19 million applications for credit every year. 
\nIn fact they process more than 90,000 applications every day, with an \napproval rate of approximately sixty percent. This creditor reports \nthat they identify one fraudulent account for every 1,613 applications \napproved. This means that the tools our members provided were \npreventing fraud in more than 99.9 percent of the transactions \nprocessed.\n    The GAO paper should have done more to speak to the value of the \ncommercially available data and analytical tools our members provide \nand not merely to provide an accounting of governmental uses. We hope \nthat the above discussion will inform this hearing record and set a \nmore complete context for these committees' future deliberations.\n                       concerns with gao's report\n    Now having an appropriate context for truly understanding the value \nthat our members' services bring to both the public and private \nsectors, I would like to discuss serious concerns we have with the \nGAO's presentation of current Federal laws and how they regulate our \nmembers' practices as well as their attempt to apply the 1980 \nOrganization for Economic Development (OECD) privacy guidelines to the \npractices of ``information resellers.'' We believe that a thorough \nunderstanding of the decades of congressional oversight and action is \nessential to today's hearing.\nThe State of Current Federal Laws\n    The United States is on the forefront of establishing sector-\nspecific and enforceable laws regulating uses of personal information \nof many types. The GAO does provide an accounting of some of these Acts \non page 18 of their draft report. Their accounting includes the Fair \nCredit Reporting Act (15 U.S.C. 1681 et seq.),\\8\\ the Gramm-Leach-\nBliley Act (Pub. L. 106-102, Title V), the Health Insurance Portability \nand Accountability Act (Pub. L. 104-191), and the Drivers Privacy \nProtection Act (18 U.S.C. 
2721 et seq.).\n---------------------------------------------------------------------------\n    \\8\\ The GAO also lists the Fair and Accurate Credit Transactions \nAct of 2003 (Pub. L. cite), however this act is in fact a series of \namendments to the FCRA.\n---------------------------------------------------------------------------\n    While the GAO relegates their discussion of statutory requirements \nto Appendix II of the draft report, we believe that such a discussion \nis essential and that it should have been included in the body of the \nreport. In doing so, the GAO would have provided readers with a better \none-to-one understanding of the operation of current laws in contrast \nwith their views of the application of OECD guidelines to US information \npractices.\\9\\ For example, it is important to note that, predating the \nPrivacy Act of 1974 (and OMB implementing guidelines therein), the OECD \nGuidelines of 1980 and the Gramm-Leach-Bliley Act of 1999 (and \nimplementing regulations therein), the E-Government Act of 2002 and the \nFederal Information Security Management Act of 2002, was enactment of \nthe Fair Credit Reporting Act in 1970. Equally important is \nunderstanding the breadth of the application of this law in particular \nand thus why a discussion of consumer data companies in general should \nnot be commingled with a discussion of the practices of consumer \nreporting agencies.\n---------------------------------------------------------------------------\n    \\9\\ CDIA has serious concerns about the attempt by the GAO to \nmeasure the acceptability of the practices of US consumer data \ncompanies, which are in fact regulated by US laws today. This concern \nwill be discussed more fully later in this testimony.\n---------------------------------------------------------------------------\n    The FCRA applies to both the private and public sectors and thus is \nextremely relevant to today's discussion. 
It has been the focus of \ncareful oversight by the Congress resulting in significant changes in \nboth 1996 \\10\\ and again in 2003.\\11\\ There is no other law that is so \ncurrent in ensuring consumer rights and protections are adequate.\\12\\\n---------------------------------------------------------------------------\n    \\10\\ See Pub. L. 104-208, Title II, Subtitle D, Chapter 1.\n    \\11\\ See FACT Act Amendments (Pub. L. 108-159).\n    \\12\\ It is also true that the Gramm-Leach-Bliley Act, Title V \nprovisions regulating the use of nonpublic personal information are \ncurrent due to the extensive role that federal banking regulators and \nthe Federal Trade Commission play in drafting regulations, issuing \nguidance and enforcing the law.\n---------------------------------------------------------------------------\n    Key to understanding the role of the FCRA is the fact that it \nregulates any use of personal information (whether obtained from a \npublic or private source) defined as a consumer report. A consumer \nreport is defined as data which is gathered and shared with a third \nparty for a determination of a consumer's eligibility for enumerated \npermissible purposes.\n    This concept of an eligibility test is a key to understanding how \nFederal laws regulate personal information. The United States has a law \nwhich makes clear that any third-party supplied data that is used to \naccept or deny, for example, my application for a government \nentitlement, employment,\\13\\ credit (e.g., student loans), insurance, \nand any other transaction initiated by the consumer where there is a \nlegitimate business need. The breadth of the application of the FCRA to \nhow data is used to include or exclude a consumer is enormous. 
Again, \nthis law applies equally to governmental uses and not merely to the \nprivate sector.\n---------------------------------------------------------------------------\n    \\13\\ This includes national security investigations, background \nchecks for security clearances, basic employment screening processes \nfor new hires, review processes for promotions, and more.\n---------------------------------------------------------------------------\n    Because personal information about consumers is used for decisions \nto accept or deny access to a consumer, they have fundamental rights \nwhich the GAO report does not discuss in any depth and which \ndemonstrate why it is inappropriate to attempt to overlay a discussion \nof OECD privacy guidelines with this statute. Consider the following:\n\n        <bullet>  The right of access--consumers may request at any \n        time a disclosure of all information in their file at the time \n        of the request. This right is enhanced by requirements that the \n        cost of such disclosure must be free under a variety of \n        circumstances including where there is suspected fraud, where a \n        consumer is unemployed and seeking employment, or where a \n        consumer is receiving public assistance and thus would not have \n        the means to pay. Note that the right of access is absolute \n        since the term file is defined in the FCRA and it includes the \n        base information from which a consumer report is produced.\n\n        <bullet>  The right of correction--a consumer may dispute any \n        information in the file. 
The right of dispute is absolute and \n        no fee may be charged.\n\n        <bullet>  The right to know who has seen or reviewed \n        information in the consumer's file--as part of the right of \n        access, a consumer must see all ``inquiries'' made to the file \n        and these inquiries include the trade name of the consumer and \n        upon request, a disclosure of contact information, if \n        available, for any inquirer to the consumer's file.\n\n        <bullet>  The right to deny use of the file except for \n        transactions initiated by the consumer--consumers have the \n        right to opt out of non-initiated transactions, such as a \n        mailed offer for a new credit card.\n\n        <bullet>  The right to be notified when a consumer report has \n        been used to take an adverse action--This right ensures that I \n        can act on all of the other rights enumerated above.\n\n        <bullet>  Beyond the rights discussed above, with every \n        disclosure of a file, consumers receive a notice providing a \n        complete listing of all consumer rights. A separate GAO report \n        produced as a result of the FACT Act indicated that in a single \n        year, perhaps 50 million consumers see their files and receive \n        these notices.\n\n        <bullet>  Finally, all such products are regulated for accuracy \n        with a ``reasonable procedures to ensure maximum possible \n        accuracy'' standard. Further, all sources which provide data to \n        consumer reporting agencies must also adhere to a standard of \n        accuracy which, as a result of the FACT Act, now includes new \n        rulemaking powers for the FTC and functional bank regulators.\n\n    The GAO report does not attempt to describe the delivery of \nproducts regulated under the FCRA and thus fails to properly inform the \nreader of the concomitant rights accorded in all of these cases. 
Every \nCDIA member mentioned in this report is operating, in part and \nsometimes solely as a consumer reporting agency. Therefore, in every \ncase where products sold to governmental agencies were used for a \ndetermination of a consumer's eligibility, they were regulated by the \nFCRA with all of the rights discussed above. The GAO's report should \nhave acknowledged this fact and discussed uses of consumer reports \nseparately from other data products.\n    Not all consumer data products are used for eligibility \ndeterminations regulated by the FCRA. Congress has applied different \nstandards of protection that are appropriate to the use, the \nsensitivity of the data, etc. Our members produce and sell a range of \nfraud prevention and location products which are governed by other laws \nsuch as GLB.\n    Fraud prevention systems deploy a diversity of strategies. In 2004 \nalone, businesses conducted more than 2.6 billion searches to check for \nfraudulent transactions. As the fraud problem has grown, industry has \nbeen forced to increase the complexity and sophistication of the fraud \ndetection tools they use.\n    Fraud detection tools are also known as Reference, Verification and \nInformation services or RVI services. RVI services are used not only to \nidentify fraud, but also to locate and verify information for public \nand private sector uses. While fraud detection tools may differ, there \nare four key models used.\n\n        <bullet>  Fraud databases--check for possible suspicious \n        elements of customer information. 
These databases include past \n        identities and records that have been used in known frauds or \n        are on terrorist watch lists, suspect phone numbers or \n        addresses, and records of inconsistent issue dates of SSNs and \n        the given birth years.\n\n        <bullet>  Identity verification products--crosscheck for \n        consistency in identifying information supplied by the consumer \n        by utilizing other sources of known data about the consumer. \n        Identity thieves must change pieces of information in their \n        victim's files to avoid alerting others of their presence. \n        Inconsistencies in name, address, or SSN associated with a name \n        raise suspicions of possible fraud.\n\n        <bullet>  Quantitative fraud prediction models--calculate fraud \n        scores that predict the likelihood an application or proposed \n        transaction is fraudulent. The power of these models is their \n        ability to assess the cumulative significance of small \n        inconsistencies or problems that may appear insignificant in \n        isolation.\n\n        <bullet>  Identity element approaches--use the analysis of \n        pooled applications and other data to detect anomalies in \n        typical business activity to identify potential fraudulent \n        activity. These tools generally use anonymous consumer \n        information to create macro-models of applications or credit \n        card usage that deviates from normal information or spending \n        patterns, as well as a series of applications with a common \n        work number or address but under different names, or even the \n        identification and further attention to geographical areas \n        where there are spikes in what may be fraudulent activity.\nWho uses Fraud Detection Tools?\n    The largest users of fraud detection tools are financial \nbusinesses, accounting for approximately 78 percent of all users. 
\nHowever, there are many non-financial business uses for fraud detection \ntools. Users include:\n\n        <bullet>  Governmental agencies--Fraud detection tools are used \n        by the IRS to locate assets of tax evaders, state agencies to \n        find individuals who owe child support, law enforcement to \n        assist in investigations, and by various federal and state \n        agencies for employment background checks.\n\n        <bullet>  Private use--Journalists use fraud detection services \n        to locate sources, attorneys to find witnesses, and individuals \n        use them to do background checks on childcare providers.\nLocation services and products\n    CDIA's members are also the leading location services providers in \nthe United States. These services, which help locate individuals, are a \nkey business-to-business tool that creates great value for consumers \nand business alike. Locator services depend on a variety of matching \nelements, but again, a key is the SSN. Consider the following examples \nof location service uses:\n\n        <bullet>  There were 5.5 million location searches conducted by \n        child support enforcement agencies to enforce court orders. \n        Access to SSNs dramatically increases the ability of child \n        support enforcement agencies to locate non-custodial, \n        delinquent parents (often reported in the news with the moniker \n        ``deadbeat dads''). 
For example, the Financial Institution Data \n        Match program required by the Personal Responsibility and Work \n        Opportunity Reconciliation Act of 1996 (PL 104-193) led to the \n        location of 700,000 delinquent individuals being linked to \n        accounts worth nearly $2.5 billion.\n\n        <bullet>  There were 378 million location searches used to \n        enforce contractual obligations to pay debts.\n\n        <bullet>  Tens of millions of searches were conducted by \n        pension funds (location of beneficiaries), lawyers (witness \n        location), blood donor organizations, as well as by \n        organizations focused on missing and exploited children.\n\n    Clearly location services bring great benefit to consumers, \ngovernmental agencies and to businesses of all sizes.\n     cdia concerns with the gao's use of term information reseller\n    As discussed above, part of our concern with the GAO's report is that \nit commingles a variety of different business models under a single \nterm ``information reseller'' and in doing so the report also \ncommingles data products which are regulated under different Federal \nlaws. For example, CDIA's members which are operating as consumer \nreporting agencies should not be discussed in the report as though they \nare not in fact highly regulated businesses. 
Similarly, CDIA's members \nwhich are defined as ``financial institutions'' under GLB are also \nhighly regulated with regard to how information is to be used (see \nSection 502(e)) as well as through extensive federal agency rules \nprescribing how such information should be secured.\n    By employing the term ``information reseller'' readers are left \nwith the wrong impression that such a term may exist in law or that it \nis possible to consider the multiplicity of different business models \n(and products produced therein) that make up the consumer data industry \nas a single type of entity and one that, in the eyes of the GAO, is not \nhighly regulated. It is exceedingly difficult, if not impossible, to \nmake meaningful statements which have the breadth of those often made \nin the draft report regarding the practices of many different types of \nbusiness models delivering different products and services. Finally, we \nalso strongly disagree with the paper's attempt to simplify a discussion of \nour members' businesses which are in fact highly regulated under a \nvariety of sector-specific laws by attempting to apply a set of OECD \nguidelines as though there are not laws which were thoroughly debated \nby the Congress over the years and which are mature and protective of \nconsumers today.\n           cdia concerns with gao oecd guideline application\n    Let me amplify on our concerns regarding how the GAO has attempted \nto apply the 1980 OECD privacy guidelines as a scorecard against which \nto evaluate the practices of CDIA members. Due to the GAO's mistaken \nassumptions about the breadth of the application of current laws, the \nGAO also makes the mistake of thinking that a fair information \npractices framework can operate as a one-size-fits-all yardstick. We \ndisagree for a variety of reasons.\n    First, we are concerned about how the GAO attempted to make use of \nthe guidelines. 
Let us consider what the OECD said about their own \nguidelines:\n\n        These Guidelines should not be interpreted as preventing:\n\n        a) the application, to different categories of personal data, \n        of different protective measures depending upon their nature \n        and the context in which they are collected, stored, processed \n        or disseminated;\n\n    Further to the question of how privacy guidelines are to be used, \nin the 1977 Report of the U.S. Privacy Protection Commission it was \nnoted that ``[P]rivacy, both as a societal value and as an individual \ninterest, does not and cannot exist in a vacuum. . . . [T]he privacy \nprotections afforded [to societal relationships] must be balanced \nagainst other significant values and interests.'' It is very common to \nfind such statements associated with guidelines because they are not \nconsidered to be definitive rules with equal applicability to all data \nflows. We do not believe that the GAO's report adheres to this guidance \nprovided by the authors of the OECD guidelines themselves or fully \naccounts for the U.S. Privacy Commission's admonition regarding how to \napply guidelines.\n    Second, the GAO suggests, not purposefully, of course, but by \nomission that there is a single global opinion regarding which set of \nguiding principles is preeminent. To the contrary, consider the \nfollowing:\n\n        <bullet>  The 1973 HEW Report contains 5 principles.\n\n        <bullet>  The 1980 OECD Guidelines contain 8 principles.\n\n        <bullet>  The 1995 EU Data Protection Directive contains 11 \n        principles.\n\n        <bullet>  The 2000 FTC Report on Online Privacy contains 4 \n        principles; and\n\n        <bullet>  The 2004 APEC Privacy Framework contains 9 \n        principles.\n\n    Each framework has to be applied with care and not monolithically \nacross all data uses however different they may be in terms of risk, \nuse, content and so on. 
The GAO does not explain why a particular set \nof principles was chosen and, as previously stated, we believe that the \nGAO's methodology by which the OECD principles were applied is flawed.\n    Third, as discussed above, there is an extraordinarily thorough \nrecord of congressional oversight of various industry sectors' uses of \npersonal information. The U.S. has chosen a sector-specific structure \nto consumer data laws which ensures regulatory structures which are \nboth appropriate to the data and which can be effectively enforced. \nSector-specific laws and regulations exist today because of such \noversight and due to the expertise of different committees overseeing \ndifferent aspects of American business. The GAO, by implication and \nlikely unintentionally, implies to the reader that all such oversight \nwas incomplete and that a single evaluative standard is the right \napproach to analyzing our members' business models and products. This, \nhowever, is a very fundamental flaw in the GAO's approach. Sector \nspecific laws ensure that they are tailored to the industries, to the \nuses of data and to the risks involved. How healthcare data (i.e., \nHIPAA) is regulated is inevitably different than how one might regulate \na telephone number (i.e., Do Not Call). Ultimately, tailored laws and \nregulations ensure that consumers are protected, but also are empowered \nby the data about them.\n    Fourth, the GAO's one-size-fits-all approach to applying the OECD \nguidelines ignores a fundamental bifurcation that exists with regard to \ninformation use and that is the difference between consumer data \nproducts used for eligibility determinations and those which are not. A \nfraud prevention product, for example, does not end a transaction, but \nprovides a user with a ``caution flag'' which encourages the user to \ntake additional steps to further authenticate a person's identity. 
As \ndiscussed above, where data is provided by our members for eligibility \ndeterminations such as employment or credit, the FCRA already provides \na robust set of rights and protections for consumers. Regulation of \nconsumer data where it is used for eligibility determinations is \ndifferent than regulating consumer data used for fraud prevention or \ninvestigative location tools used by law enforcement. By not accounting \nfor this essential bifurcation in uses, application of the OECD \nguidelines leaves readers with the wrong impression about how good data \nprotection laws should operate.\n    Fifth, the GAO does not properly account for the system of public \nrecords which exists in our country and which has been considered a key \npillar in the success of our democracy. Unlike other nations, our \ngovernment cannot withhold information about us from us. Governmental \ntransparency is achieved through open records and freedom of \ninformation acts at the state and federal levels. The application of \nmany aspects of any one of a number of principles works against a \nsystem that has been in place since the early days of our country's \nexistence. The GAO's report does readers a disservice by not discussing \nthe unique nature of public records and by attempting to apply the OECD \nguidelines to this system of records.\n    To amplify on our general concern about the GAO's approach to \napplying OECD guidelines, let's now consider some specific illustrative \nexamples.\nConsumer Consent\n    The report states that ``[r]esellers generally do not adhere to the \nprinciple that, where appropriate, information should be collected with \nthe knowledge and consent of the individual.'' \\14\\ The reader is left \nwith the wrong impression regarding the practices of our members, the \nlaws which currently regulate them and the appropriate application of a \nconsent standard. 
For example, the GAO does not attempt to apply a \nconsent-based standard on a product specific basis or even a business-\nmodel-specific basis, which is an inherent flaw in their methodology. \nIf one were to apply such a standard to, for example, consumer credit \nreports, then the result would be to give consumers the ability to pick \nand choose which creditors' data would be reported to a credit bureau. \nConsumers could allow creditors they intend to pay on time to report \nand could prohibit from reporting those that they don't intend to pay \non time or at all. The result would be to turn the nation's credit \nreporting system on its head and to affect the fundamental safety and \nsoundness principle upon which our banking system has operated since \nthe days of the great depression. In 1970, Congress recognized the \ninapplicability of this fair information practices concept since it \nwould essentially work against the fundamental premise of data acting \nas an independent affirmation of a consumer's own willingness to pay, \nor otherwise qualify for a benefit. In a second example, of what value \nwould an identity verification tool be if consumers who intend to \ncommit fraud can decide which data will or won't be used? A third \nexample involves public records. How does one apply a consent standard \nto records which are in the public domain? Through these examples, it \nis clear that consent is not a universal concept which can be applied \nto all data flows.\n---------------------------------------------------------------------------\n    \\14\\ Page 44, Draft Report.\n---------------------------------------------------------------------------\nData Quality\n    The title of the data quality discussion is ``Information Resellers \nDo Not Ensure the Accuracy of Personal Information They Provide.'' This \nis misleading. As discussed above, CDIA's members are committed to the \nquality of information they collect. 
Further, in all cases where the \ndata is used to produce a consumer report used for an eligibility \ndecision, the standard for accuracy is found in the FCRA.\\15\\ It is a \nstandard that has been in place since 1970 (and amended extensively in \nboth 1996 and again in 2003) and which applies to eligibility decisions \nsuch as applications for insurance, employment, government entitlements \nor credit. The GAO report does not properly acknowledge this fact or \nthe breadth of the application of FCRA to consumer data transactions \ninvolving consumer reporting agencies. However, applying an accuracy \nstandard to an investigative product used to locate individuals makes \nlittle sense. These location services are predicated on possible \nconnections between addresses, names, etc., which are then followed up \nwith direct contacts by law enforcement agents or collection agencies, \nfor example. Location services are certainly high quality services and \noften are very precise, but since these products are not used to make \nan eligibility determination (e.g., job, credit) they are not regulated \nin the same way. This said, the quotes included in this testimony \nregarding the high quality of consumer data products purchased by law \nenforcement or counterterrorism agencies (81% of users according to the \nGAO) speak for themselves. Like consumer consent, the concept of data \nquality cannot be applied in the same manner to each consumer data \nproduct as is implied by the GAO's methodology.\n---------------------------------------------------------------------------\n    \\15\\ The standard of accuracy in FCRA can be found at Sec. 607(a). 
\nA consumer reporting agency must use reasonable procedures to assure \nthe maximum possible accuracy of the information in the report.\n---------------------------------------------------------------------------\nUse Limitations\n    The GAO report states that ``[r]esellers do not generally limit the \nuse of information beyond those limitations required by law.'' It is \nnot clear what the GAO intends by this, but in fact both Title V of GLB \nand Section 604 of the FCRA do, for example, impose significant \nlimitations on the use of nonpublic personal information and consumer \nreports respectively. The GAO's report does not acknowledge these use \nlimitations in the context of their discussion. Further the GAO does \nnot state that use limitations cannot apply to public records which are \nnot gathered for purposes under the FCRA since such records are \ngenerally available to the general public directly from Federal, state \nand local agencies and courts. This said, the Driver's Privacy \nProtection Act does impose use limitations on records coming from state \nmotor vehicle agencies. The draft report also states that ``[w]ithout \nlimiting use to predefined purposes, resellers cannot provide \nindividuals with assurance that their information will only be accessed \nand used for identified purposes.'' This criticism of the system of \nlaws and contract is without basis. We have discussed the extent of the \nlaws which impose a variety of use limitations, and, as evidenced by \nGLB's service provider requirements (in effect since 2001) and HIPAA's \nbusiness associate requirements (in effect since 2003), the concept \nof using contracts to limit use is an entirely appropriate system for \nconsumer data companies. 
In fact many laws which restrict uses of \ninformation, also require that certifications through contracts be \nobtained.\nAccess and Correction\n    CDIA's members when operating as consumer reporting agencies \nprovide full access and a right of correction for all consumer reports. \nConsumer reports are used for eligibility determinations and thus our \nmembers fully agree with the application of this principle. However the \napplication of an access and correction principle applied to a fraud \nprevention and location database would result in empowering criminals \nto delete information that is used for pattern analysis and other \nanalytics which help in linking suspects or key pieces of information \nnecessary to stop fraud or to solve a case. The GAO's report does not \nproperly describe the harmful application of an access and correction \nregime to location, investigative and fraud prevention systems which \nare not used to stop a transaction or prevent a consumer's access to a \nservice or benefit (eligibility). In fact, FTC Chairman Majoras stated \nin a letter responding to questions about the imposition of an access \nand correction obligation on information resellers:\n\n        ``Before extending this approach to additional databases \n        [beyond FCRA], however, it is necessary to consider carefully \n        the impact of such extension. For example, requiring data \n        merchants to provide consumers with access to sensitive \n        information may itself present a significant security issue--in \n        some cases it may be difficult for the data merchant to verify \n        the identity of someone who claims to be a particular consumer \n        demanding to see his or her file. 
Similarly, for databases that \n        are used to prevent fraud or other criminal activities, \n        providing correction rights could pose serious problems; those \n        trying to perpetrate the fraud may take advantage of the right \n        to `correct' data to hide it from those they are trying to \n        defraud.''\n\n    The GAO report states in its conclusion that ``[g]iven that \nreseller data may be used for many purposes that could affect an \nindividual's livelihood and rights, ensuring that individuals have an \nappropriate degree of control or influence over the way in which their \npersonal information is obtained and used--as envisioned by the Fair \nInformation Principles--is critical.'' For all of the reasons discussed \nabove, the GAO has failed to support this claim because:\n\n        <bullet>  Their analysis does not properly account for the \n        severe regulation of consumer reporting agencies, and the \n        breadth of the FCRA's application to all eligibility \n        transactions which apply to all governmental transactions and \n        uses.\n\n        <bullet>  In taking a one-size-fits-all approach, the analysis \n        does not properly account for the destructive consequences of \n        applying various principles in the same way to all business \n        models and products which make up the consumer data industry.\n\n        <bullet>  In making this claim, the GAO often ignores or \n        undercuts decades of congressional oversight, legislative \n        enactments (FCRA, GLB, HIPAA, DPPA, etc.), federal regulatory \n        activities and law enforcement actions.\n                               conclusion\n    In conclusion, the members of the CDIA believe that the GAO's \nreport is methodologically flawed and often misleads readers through \nthe attempt to apply a one-size-fits-all analysis of a set of privacy \nguidelines. 
The consumer data industry does not consist of a single \nentity called an ``information reseller.'' It is an industry with a \ndiversity of business models focused on the production of consumer \nreports, fraud prevention tools, location and investigative products, \nanalytics services and more. CDIA's members create incredible value for \nthe government agencies which use their services. The consumer data \nindustry is a significantly regulated industry through sector-specific \nlaws which tailor the component information use principles to the types \nof data, risks and uses involved. Our nation remains at the forefront \nof enacting enforceable laws and regulations with which our members \ncommit themselves to complying each and every day.\n    We appreciate this opportunity to testify and we welcome your \nquestions.\n\n    Mr. Cannon. Thank you, Mr. Pratt. We appreciate your \ntestimony.\n    Now the gentleman from Ohio is recognized for 5 minutes.\n    Mr. Chabot. Thank you very much, Mr. Chairman.\n    Ms. Cooney, I will begin with you, if I can. Would you \nelaborate on why privacy impact assessments are important, what \nthey are good for, and how you have seen them work in action?\n    Ms. Cooney. Certainly, I would be happy to. 
At the \nDepartment of Homeland Security it has been a very important \ntool, on the front end of any mission program that uses an \ninformation system to collect personal information, to really \ndetermine on the front end why are we collecting the \ninformation, what information do we really need, how long will \nwe keep it, how accurate is the information from the sources \nthat we are taking it in from, how will we handle it, how do we \nplan to share it internally or with other Federal agencies or \neven State and local first responders, and what are the \npossible redress mechanisms?\n    So with a mission as critical as ours is to protect the \nhomeland and security of the American people, we believe that \nit is also very critical that at each step, from the very \nbeginning of a program through the entire lifecycle development \nof the technologies that we use to collect and store \ninformation, that we look critically at what we are doing and \nuse some basic planning as we do those programs. To us, like in \nthe private sector, it is important information management and \nit is good ethical Government behavior.\n    We have met with cooperation, really, throughout the \nDepartment in making that operationalized across business lines \nand it has been a very satisfactory experience.\n    Mr. Chabot. Thank you very much.\n    Ms. Koontz, let me turn to you, if I can. What did the GAO \nfind in terms of the security of personnel information in the \nGAO report? I know that you have already talked about it to \nsome degree, but could you elaborate a little on that?\n    Ms. Koontz. Sure. We found that the four Federal agencies \nthat we reviewed had put security protections in place to deal \nwith reseller information. For example, all four of them told \nus that they had instituted passwords and other access controls \nto make sure that there wasn't unauthorized access to reseller \ninformation. 
Some of the agencies also had restricted access to \nvery sensitive reseller information only to those personnel who \nhave a need to use that kind of thing.\n    Some of the law enforcement agencies as well use something \nknown as cloaked logging. That is a procedure that actually \nmasks the searches that law enforcement personnel do against \nreseller data so that even the vendor doesn't know what kind of \nsearches are being done. And this is a way of protecting the \nintegrity of the investigations and making sure that subjects \nof investigations cannot be tipped off as to the existence of \nthem.\n    That being said, I think Federal agencies realize that the \nsecurity is an important component. We did not do a test of \nsecurity controls at the four agencies we reviewed so we can't \nmake an assessment of the efficacy of the controls that they \nhave in place. And work that we have done Government-wide on \nsecurity indicates that we found security weaknesses in almost \nevery area in the 24 major agencies, including the four \nagencies that we reviewed.\n    Mr. Chabot. Thank you very much.\n    Mr. Swire, do the same security concerns exist with Federal \nGovernment's maintenance of personal information as exist among \ncommercial data companies?\n    Mr. Swire. Well, many of the challenges are the same. The \nGovernment uses overwhelmingly commercial software now, and \nthey are using platforms and vendors that are very, very \nsimilar.\n    The Federal Government has some special challenges, though. \nThere are classified systems for some systems, and that is a \nmuch harder standard to live up to. And also the Government \nprobably has lagged, despite FISMA and GISRA and these security \nstatutes, it has probably lagged the private-sector best \npractices. It has been hard sometimes to get the personnel in \nplace, it has been hard to get the resources. 
So it has been a \nvery big challenge and the scorecards haven't always been \nsatisfactory.\n    Mr. Chabot. Thank you.\n    And finally, Mr. Pratt, I would like to turn to you. What \nsecurity policies are in place to ensure that citizens' \ninformation is not easily accessible by identity thieves or \ncomputer hackers?\n    Mr. Pratt. Well, I think the best baseline that we can see \nin guidance and law and regulation would be those that we find \nin the safeguards rules under Gramm-Leach-Bliley Act, which \napply not--really are applied across the board in many of our \nmember companies today. So that includes technical safeguards, \nstrategies that you would use simplistically--firewalls, if you \nhave online or offline systems. It includes employee training, \nit includes employee background screening, it includes the \ntypes of strategies discussed by the GAO in terms of, you know, \npassword access, how quickly passwords are changed and cycled \nthrough, for example.\n    It includes even physical safeguards--who has access to a \ndata center, who can in fact get in and potentially walk out \nwith a hard drive that might contain sensitive personal \ninformation.\n    So when you have the technical, the physical, as well as \nthe employee-based safeguards, you have, really, three legs of \na key stool which we need to ensure is applied to really all \nkinds of sensitive personal information.\n    Mr. Chabot. Thank you very much. My time has expired, Mr. \nChairman.\n    Mr. Cannon. The gentleman yields back.\n    Mr. Nadler. The gentleman from New York, the Ranking Member \nof the Constitution Subcommittee, is recognized for 5 minutes.\n    Mr. Nadler. Thank you, Mr. Chairman.\n    I would like to ask all the panelists, given the importance \nof privacy impact assessments, as Ms. 
Cooney stated, do you \nsupport a broader requirement that agencies prepare privacy \nimpact assessments for rules involving the collection of \npersonally identifiable information in all Government agencies?\n    Start with Ms. Cooney, then everybody else.\n    Ms. Cooney. Thank you. I would say that certainly under \nSection 222 of the Homeland Security Act we read the \nrequirement by Congress to really require DHS to undertake \nthose types of privacy----\n    Mr. Nadler. No, no, clearly my question is do you think \nthat Congress should extend that to other agencies?\n    Ms. Cooney. We found it helpful at DHS. I am not sure what \nthe Administration view is, but I can tell you from our \nexperience it has been a very helpful process.\n    Mr. Nadler. So you would think it a good idea to extend it \nto other agencies?\n    Ms. Cooney. It may be.\n    Mr. Nadler. Okay. Ms. Koontz?\n    Ms. Koontz. What we found in our work is that the privacy \nimpact assessments were not being done consistently from agency \nto agency. And that was something that concerned us very much. \nAnd as Ms. Cooney said very articulately, the privacy impact \nassessments are a very powerful tool before you start building \nan information system, before you start collecting information, \nin order to assess what the privacy implications are and then \nto put the controls in place up front. And to the extent that \nthey are made publicly available, I think they contributed to--\n--\n    Mr. Nadler. Are you suggesting--this is for new rules. Is \nit your suggestion that we need better enforcement of them?\n    Ms. Koontz. I think we need better implementation of the \nexisting requirements and I think that we saw that what \nHomeland Security put in their guidance to be a model that \ncould be expanded to other agencies.\n    Mr. Nadler. Thank you.\n    Professor Swire?\n    Mr. Swire. I do support broadening the PIA's application to \nrules. 
I think we have used that they are a useful tool. There \nis an issue about scope. You don't want to have it for things \nthat only have a tangential relationship to a couple of \npeople's data. But in terms of enforcement, I think that goes \nback to having OMB or the White House have a privacy office to \nmake sure agencies aren't falling down on the job. So you \nspread it to the rules and then you have some coordination \nacross agencies.\n    Mr. Nadler. Thank you.\n    Mr. Pratt?\n    Mr. Pratt. I think from our perspective, really, you have \nat DHS a good model for how an agency should oversee the uses \nof private-sector information as well as data that would be \ngathered under the aegis of the public agency. So to the extent \nthat you are suggesting other agencies that may use sensitive \npersonal information might need a similar infrastructure of \nknowledgeable and highly trained individuals, that makes sense \nto us. Certainly in the private sector we have chief \ninformation privacy officers, we have the same types of reviews \nin the financial services industry that go on with regard to \nhow information is used and protected and so on. So I don't \nthink that we ever have a problem with agencies understanding \nhow to protect and secure and use responsibly information they \nobtain.\n    Mr. Nadler. I thank you.\n    Professor, do you think we could benefit from agency \nprivacy ombudsmen in other parts of the Government?\n    Mr. Swire. Well, there have been efforts to spread it. I \nthink there may be up to three or four different executive \norders or executive statements that say agencies are supposed \nto have privacy offices, but implementation has really been \nuneven over time.\n    So there are a number of agencies that haven't been nearly \nas institutionalized as Homeland Security and haven't been as \nsystematic in----\n    Mr. Nadler. 
See, so again, as in your answer to the \nprevious question, if we had an office in the White House or \nsomewhere to make sure that all the agencies were complying \nwith privacy impact statements or with having the ombudsman \nfunction properly, or the agency offices, whatever we want to \ncall them, function properly.\n    Mr. Swire. I can offer some perspective from having been in \nthat seat. It gives you one person to criticize by name. And \nthat has a very powerful effect, seeing your name in the \nnewspaper as a bad guy, and it leads you to try to get other \npeople to cooperate and make it all work a little bit better.\n    Mr. Nadler. It gives you a motive.\n    Mr. Swire. Yeah.\n    Mr. Nadler. Thank you.\n    Again, Professor Swire, to the extent that data processing \noperations might move overseas, what protections do we have or \nought we have that we don't have to extend our protections for \nthat eventuality?\n    Mr. Swire. Well, this issue of overseas has been a powerful \nissue that people are looking at. I must say, I have a slightly \ndifferent perspective because the United States complained very \nmuch when Europe tried to do that to us. And Europe had in a \nprivacy directive rules that they wouldn't let data go to the \nUnited States, and we wanted to make sure that American \ncompanies could use that data responsibly.\n    I am a step more cautious. I think it is always good to \nhave the contractors under very good controls and make sure \nthose controls work. I am not personally as sure that we should \nmake a big line about overseas or not.\n    Mr. Nadler. Could I just ask if anybody else would want to \ncomment on that question? Ms. Cooney?\n    Ms. Cooney. Thank you, Mr. Nadler. 
I would like to tell you \nthat there is work presently going on that the Federal \nGovernment is very involved in, and we are included in that \nwork in the DHS Privacy Office, both in the Organization for \nEconomic Cooperation and Development and in the APEC forum in \nworking on cross-border enforcement on privacy issues. There \nhas been some work already accomplished in certain areas, such \nas combatting spam, and that has been fairly effective.\n    What we have found so far is that it is not done solely by \nprivacy practitioners or privacy enforcement officers, but it \nmight be done by consumer protection folks in certain areas, \ncriminal law enforcement in others, privacy professionals \nworking together.\n    So I would want you to know that that is an active part of \nthe agenda that we are working on as Federal partners in that.\n    Mr. Nadler. Thank you. Anybody else?\n    Thank you, Mr. Chairman.\n    Mr. Cannon. The gentleman yields back.\n    Mr. Franks, the gentleman from Arizona, is recognized for 5 \nminutes.\n    Mr. Franks. Well, thank you, Mr. Chairman.\n    I want to direct this to anyone at the--in fact, I would \nlike, maybe, for everyone to take a shot at it. I am wondering, \nin terms of what really are the challenges that we face to keep \npeople's data secret and accurate, is it more of a policy issue \nthat needs to be changed here from Congress, or is it more of a \nmechanical issue of just the reality that, with the expansion \nof computer technology and all of the different things that \nhappen today, is it more of a technology challenge or is it \nmore of a policy challenge?\n    Mr. Pratt. I will take a first stab at this. First of all, \nI do think that in this country we need to protect, under the \nrule of law, sensitive personal information no matter who \ngathers it. 
Some of the different laws that we have discussed
in our testimony, which are also accounted for in the GAO
report, do deal with sectors of business in this country where
we have to secure and protect that information. The Gramm-
Leach-Bliley Act information safeguards rules are a good
example.
    Certainly our membership has testified before several
different Committees saying that information safeguards
standards should apply to anybody who is going to gather
sensitive personal information such as my name and my address
and my Social Security number in that combination.
    I think there are several effects to that, by the way.
First of all, fewer folks will gather that information. They
will think about it first. And that is good, because they
should. And if they are going to gather it, they should protect
it under that three-legged stool we have discussed. And I think
in doing so, it does create an enforcement mechanism also,
where there is failure in the marketplace. We think those are
all good outcomes that could result from the enactment of law
that would do that. There are several Committees that are
focused on that now that I think would move forward with an
effective program for protecting sensitive personal
information.
    It is also education, though. And I would say within the
last 5 years, certainly the last decade, what we know and think
about as information security is very different than it was 10
years ago. And certainly the velocity of change with technology
makes it very challenging.
    Mr. Swire. I think it is very much a policy issue where the
hard things come in. There is a lot of consensus on data
security. You can get pretty much everyone to agree on the
list. But which data is the right data to use? And this IRS
example from my testimony is one example. Should your tax
preparation agency be able to resell your data or not?
They can
have perfect security, it is just a question of whether that
company should be reselling it or not. That is a policy
decision. That is where I think a lot of the work has to
happen.
    Mr. Franks. Ms. Cooney?
    Ms. Cooney. Thank you. I think the point that I would like
to make is that the process of data security and information
security practices is not one-size-fits-all and it is not a
one-step process. It is an iterative process. I think Mr.
Pratt's reference to the GLBA safeguards rule is very important
and that those general guidelines can be used across Government
systems as well as in the private sector, keeping in mind, as
they require it, that it is an iterative process and you need
to keep looking at your process both from a technology
standpoint, from a personnel standpoint, and from a policy
standpoint in terms of why do you need to keep this data and is
it the right data to keep.
    On the accuracy issues, and it somewhat answers your
question, in terms of the application of the Fair Information
Practices principles to data accuracy in the private sector for
commercial resellers, whether all those principles should apply
or would easily apply is something that could be discussed. But
certainly a focus on allowing individuals some access to their
information to correct the information really should be looked
at, because originally that information would have been
collected for very different purposes. Many citizens may not
even know that a data aggregator has their information. And it
is a matter of fairness as well as carefulness with the
information.
    Mr. Franks. So just to expand on your thought there, much
like the credit data that we access, you are convinced that
something along those lines for generalized data, that the
consumer would always have the right to ascertain what that
was, or at least in nonsecurity issues?
    Ms. Cooney. Right.
In many circumstances, when it doesn't
touch law enforcement or national security in particular,
although even in our case we need to be very concerned on our
end in the Federal Government to check on data accuracy.
    Mr. Franks. My time is almost gone. Mr. Pratt, let me skip
quickly to you, sir. With the proliferation of ID theft, a lot
of times you can identify a particular culprit. Is this escape
of data happening mostly in Government databases or is it
private databases? Is there any one--is it just generalized or
is there some kind of particular area where we are
hemorrhaging?
    Mr. Pratt. It is difficult to pin it down. Certainly, for
example, it could be as simple as somebody driving down the
street at the right time of the month to pick up your mail, so
you have something as simple as mailbox fraud. We saw last year
about 50 percent of all the media coverage focused on
universities that were losing sensitive personal information, I
think probably because they were at that time using Social
Security numbers as student ID. I think a lot of universities
have begun to change that practice.
    So no, sir, I don't think there is any one place you can
go.
    To your point, by the way, about the Fair Credit Reporting
Act and having access, let me just say it this way. The Fair
Credit Reporting Act is a terrible title for the law because,
in fact, the law applies to any kind of eligibility decision.
So any time data is used to deny me something, I can't get it,
I have a right of access. I have a right to correct it. I have
a right to expect that it was accurate in the first place. I
have private rights to enforce, I expect the Federal Trade
Commission to enforce, State attorneys general to enforce.
    So I think it is very important.
That was one of the issues
we had with the way the report was structured, is you might
walk away from that thinking that there was not this very, very
broad-based law that said whether it is my employment
application, my application to purchase a home, my application
to get a cellular phone account, my application to obtain a
utility--no matter how and where a consumer report is used, not
a credit report but a consumer report--I have all of those
rights that we have just begun to discuss. So I do think we
have a law on the books that is quite a bit broader than maybe
the title would imply.
    Mr. Franks. Thank you.
    Thank you, Mr. Chairman.
    Mr. Cannon. The gentleman yields back.
    Mr. Scott.
    Mr. Scott. Thank you, Mr. Chairman.
    I guess my first question is a little more basic. Who are
we talking about? Who are these resellers?
    Ms. Koontz. I assume you mean the names of the companies?
    Mr. Scott. Well, if you want to leave the names out, just
describe them.
    Ms. Koontz. For our study, we defined information resellers
as being businesses that collect and aggregate information,
personal information about individuals and make them available
to consumers. So it is rather broad.
    Mr. Scott. To consumers or to businesses?
    Ms. Koontz. And to businesses, yes. To their customers.
    Mr. Scott. The purpose for which you are gathering the data
can vary depending on what it is going to be used for. You
could be just compiling a mailing list. Is that what you are
talking about?
    Ms. Koontz. I think we are talking about information
resellers who then collect this information and then they
convert it into information products, some of which are used
for marketing, some of which are used for other purposes.
    Mr. Scott.
Well, if you are using it for marketing you can
get a list that would be interested--where a certain product
would be interested in marketing to that group of people.
    Ms. Koontz. Mm-hm.
    Mr. Scott. Could be 80 percent accurate, but that is good
enough for mass mailing. Because it is better than kind of
saturation mailing. You knocked off 75 percent of the people
you don't want to mail to. Are we talking about that, too?
    Ms. Koontz. Well, that is some of it. Some of it is for
marketing purposes. But I think you have hit on a key point
that we talked about in our report, is that the privacy
principles basically talk about accuracy for a specific
purpose. And the specific purpose in this case is often
determined by the user. So it is difficult for the reseller to
assure the degree of accuracy for a particular purpose because
they are not the ones that are determining that purpose.
    Mr. Scott. Well, you don't care whether it is accurate or
not if all they are going to do is just mass mail. If the
Government gets hold of it, it is going to take some adverse
action based on this kind of superficial dragnet where you come
in and gather up a lot of names, most of which would be in the
category you are aiming at, where the person gathering the data
didn't have any interest in accuracy. So what do you do in that
case? Is that the information we are talking about?
    Ms. Koontz. That is part of the information that we are
talking about. There are all kinds of information products that
are offered by resellers. And I think it does put more of a,
shall we say, an obligation, too. In this case we are talking
about the use of these data products by Federal agencies and it
puts, I think, an obligation on the part of the Federal agency
to determine that the accuracy is appropriate for the use that
they are using it for.
Which is, for example, the reason that
law enforcement corroborates this information with other
sources before they take any action against an individual.
    Mr. Scott. Is the information subject to the Freedom of
Information?
    Ms. Koontz. I don't know.
    Mr. Swire. There is a privacy exception to the Freedom of
Information Act and it often would prevent a Freedom of
Information Act request from going through.
    Mr. Scott. To get the whole list?
    Mr. Swire. Yes.
    Mr. Scott. If you are doing law enforcement activities, do
I understand that the Levi Guidelines are no longer in effect,
where you had to actually be investigating a crime before you
started gathering information on people? Professor?
    Mr. Swire. Yes, that is correct. They were changed very
substantially after 9/11.
    Mr. Scott. Before 9/11, before you started gathering
information on people and setting up dossiers, you had to
actually be investigating a crime, not just gathering
information. Is that right?
    Mr. Swire. There were detailed predicates for each stage as
the investigation went further, yes.
    Mr. Scott. And that is no longer in effect, so the
Government is now just gathering information?
    Mr. Swire. There are guidelines that Attorney General
Ashcroft issued. I have read them, but I don't have them
clearly in my head. They are quite a bit more permissive,
because the idea is share data and use data more intensively.
    Mr. Scott. Professor, did I understand you to say there is
some idea that you could actually sell tax records?
    Mr. Swire. Well, this was actually a subject of a public
hearing today somewhere else in town. But H&R Block or any
other tax preparer, under the proposed rule, would be allowed
to sell tax records or databases of tax records for the first
time to outside parties.
    Mr. Scott. That is records that they prepared?
    Mr. Swire. That they prepared for you as the taxpayer.
If
you signed off, as one of your signatures to them, they would
then be able to resell that.
    It got quite a press hit a couple of weeks ago, when people
found out about it. And deserves to.
    Mr. Scott. Thank you, Mr. Chairman.
    Mr. Cannon. The gentleman yields back.
    Ms. Wasserman Schultz, did you have questions?
    Good. Thank you. The Ranking Member is recognized for 5
minutes. Mr. Watt?
    Mr. Watt. Thank you, Mr. Chairman.
    Ms. Koontz, I know you all did the study and you are not
doing policy, but I particularly wanted to hear from you and
Mr. Pratt about whether you thought that Professor Swire's
suggestion that we reinstitute a privacy officer in the White
House that has kind of umbrella authority from agency to
agency, whether you think that is a good idea, whether there
are particular good pros to doing that or particular bad cons
to doing that.
    I will ask that question of you, if you can address it from
a policy perspective. And I would like to get Mr. Pratt's view
on it, too.
    Ms. Koontz. We haven't studied the question of the need for
a privacy officer in OMB or in the Executive Office of the
President. I can see, though, that the idea probably has some
merit, in terms of further discussion, as a way of having a
focal point for privacy issues and the Federal Government. I
mean, I think we have seen some benefits from, for example,
within the Department of Homeland Security, where you have a
highly placed official who has a broad privacy responsibility,
and that seems to be something that is useful in terms of
looking at these policy issues.
    Mr. Watt. Mr. Pratt?
    Mr. Pratt. Our association hasn't actually studied that
same question any more--so I suspect--than the GAO. My first
reaction is that sometimes centralization can be a red flag,
because you start to remove the expertise and the knowledge you
might need.
So the knowledge you might need in HHS might be
different than the knowledge you might need in DHS.
    So I don't know if a--just off the top of my head, I don't
know if a central office would make things better or if it is
just simply important to make sure that there are knowledgeable
professionals who are thinking about data use issues on an
agency-by-agency basis.
    And of course Federal Trade Commission has established its
new division, which does focus on information use and identity
theft issues as well as----
    Mr. Watt. Who is that? I am sorry.
    Mr. Pratt. The Federal Trade Commission has established a
new division under the Bureau of Consumer Protection, which
focuses specifically on information protection and identity
theft. So there is an office there that focuses on data flows
in that regard.
    Mr. Watt. Under what authority is it doing that, and is
that----
    Mr. Pratt. It is not the same principle. It isn't the same
principle as an omnibus individual, if you will, at the level
of the White House. They really oversee--their scope of
authority would be no broader than the FTC's scope of authority
generally in the marketplace.
    Mr. Watt. Do you concede that despite the concerns, the
potential on the downside that maybe having a more consistent
set of principles across the Government would be facilitated by
this suggestion?
    Mr. Pratt. I don't know yet because, again, one of the
difficulties we have even had with the GAO report, and we
certainly appreciate the hard work that the researchers did in
putting it together, it demonstrates one of the difficulties,
and that is we feel that the GAO took the principles and
applied them too monolithically across something called an
information reseller. And really, to Mr. Scott's question, I
suppose information resellers are consumer reporting agencies.
\nThey may be financial institutions under the Gramm-Leach-Bliley \nAct, consumer reporting agencies under the Fair Credit \nReporting Act. So I don't know if centralizing expertise works \nbetter than just simply making sure that you have knowledgeable \nindividuals operating at an agency level.\n    Again, I think also I am probably not in the best position \nto discuss the effectiveness of the current operation of the \nPrivacy Act or the OMB guidelines that implement that. It is \nprobably the domain of Professor Swire.\n    Mr. Watt. Professor Swire, there was a lot of debate about, \nwhen this Privacy and Civil Liberties Oversight Board was set \nup, about whether it should have subpoena power. I know that \nthe Agency just got structured in February--I mean the people \nwho were appointed. But can you just give us kind of the pros \nand cons of--or maybe better, even, what are the real problems \nwith not having subpoena power?\n    Mr. Swire. Well, there are various jobs the Privacy and \nCivil Liberties Board could do. One of them is to be inside the \nexecutive branch during clearance, when they are trying to \nfigure out how do you do a new program. And I don't think \nsubpoena power is needed for that. That is talking to the \npeople, being in the room, building confidence that the board \ncan help.\n    When it comes to finding out if there are problems out \nthere in the agencies, there is a question of how you find that \nout. One way is to go to the IGs, right. We have Inspectors \nGeneral, and especially if we have some good whistleblower \nprotections so the people are allowed to talk to the IGs, then \nthat may be one way to do the investigation.\n    If you think that is not working, then you look around, who \nelse might do it? It could be the Department of Justice, but \nyou have to have a good step toward a criminal investigation. 
\nIf you don't have that, then maybe somebody else, like this \nboard, with subpoena power might be your best chance to find \nproblems in the agencies and do something about it.\n    It really has to do with whether the IG system is working, \nbecause they were supposed to be the ones to subpoena, and \nwhether you need a second look with some expertise.\n    Mr. Watt. Can I just ask one more question, Mr. Chairman?\n    Ms. Cooney, how is your office going to coordinate with \nthis Privacy and Civil Liberties Oversight Board? How do you \nsee these two things meshing together, Homeland Security and \nthis oversight board?\n    Ms. Cooney. Sure. Under the oversight board there actually \nis a Privacy and Civil Liberties Officer for the DNI. We \ncoordinate with that Privacy and Civil Liberties Officer now, \nAlex Joel, in a very cooperative way. As he is setting up his \noperation, he has come to DHS to ask us what our experience has \nbeen, for advice on the startup. And we are working very \nclosely right now, along with others, including the new Privacy \nand Civil Liberties Officer and DOJ and others, on building in \na privacy architecture for the information sharing environment \nacross the Federal Government.\n    So I think it is going to be a very collaborative process \nand it has been very positive so far.\n    Mr. Watt. Thank you, Mr. Chairman.\n    Mr. Cannon. I would like, before I ask a couple of \nquestions here, I would like to thank the panel for being here \ntoday. It think this report is very, very helpful, Ms. Koontz, \nand you have done a remarkable job in helping us to understand \nit.\n    Ms. Cooney, we appreciate what you have done. Can I just \nask, are you coordinating with the people at Justice that are \nsetting up the same process that you are doing? Could you \ncomment on that briefly?\n    Ms. Cooney. Yes, we are. 
Actually, before the appointment
of the Privacy and Civil Liberties Officer there, we worked,
really, for several months before that in providing advice in
terms of our experience, our budget, the type of personnel that
we have hired, which is quite multi-disciplinary. And as Mr.
Pratt noted, it takes expertise along a wide range of areas. We
have technology experts, we have policy experts, we coordinate
closely with our Office of the General Counsel on legal issues.
And I am very proud to say we have a Chief Counsel to the
Privacy Office, who is embedded with us, reporting to our
General Counsel, so that is very cooperative.
    We have a compliance team that has a private-sector
background. We have folks who had enforcement and compliance
experience in the Government realm. We have international. All
of those things are really needed if your agency does work
across a wide scope and has a lot of different dynamic
programs.
    We have shared that type of information with the Department
of Justice. And since Jane Horvath has joined the Department of
Justice, we have met several times, e-mail, talk about issues.
And I think that is the way it should be, and we are happy to
do that.
    Mr. Cannon. Well, I--you know, if you look at DHS, which is
hard to do because it is so big--it takes the Almighty to
comprehend it, and I am not sure it would take the Almighty,
but it is beyond my capacity to understand the Department of
Justice. It seems to me that the idea, and I guess it goes to
your comment, Mr. Pratt, that having a decentralized process
may be helpful.
    But Professor Swire, we appreciate your comments and look
forward to working with you on what a of a--how we would sort
of oversee this whole process. I think it is vitally important
that we take these huge, monstrous organizations and get them
thinking about what they do, and then cumulate activity rather
than mandating it.
But at some point, you have to have some
kind of overarching oversight of that. So we will revisit that.
    Mr. Pratt, can I ask a couple of questions of you? The GAO
has reported that information resellers generally allow
individuals limited access to correct their personal
information. Why can't individuals get data about themselves
corrected when it is wrong? And if the consumer reporting
agencies are able to accommodate such corrections, as they are
required by the Fair Credit Reporting Act, why can't
information resellers do likewise?
    Mr. Pratt. Really, it depends. Again, it is just taking
that Fair Information Practice, and then we have to walk
through the various products that it might apply to. So as you
say, consumer reports, absolutely. Those reports are used to
deny me access to a benefit or service. And that is one of the
basic fair information principles we are working off of. If I
can't get something because information has told the user that
I should not get the credit, I should not drive off the car lot
with the car, then that makes sense to us and we understand
that.
    A fraud prevention product is another type of data product
that is used. A fraud prevention product, were we to disclose
it, would mean we are disclosing the recipe, because we would
be disclosing the various data elements which are cross-matched
which raise a yellow flag.
    Now, a fraud prevention product doesn't deny me access, but
it probably slows me down. Somebody is going to ask me more
questions. You know, Congressman Cannon, are you really who you
say you are; can I have another item of identification from you
to make sure that you are who you say you are.
    And I think that is also true of some of the investigative
tools that we have, location tools. In other words, a location
tool really just--and I have seen some about me, where it will
show where I have lived previously.
And so it is not really--it
just says you lived in Houston, Texas, for a period of time,
one of your friends now lives in Los Angeles. It really just
shows an investigator how they might candidly conduct a
national security investigation were I applying for a national
security level of clearance. So that is a different kind of
tool.
    So accuracy and how you apply accuracy really pivots, I
think, off of that.
    In terms of correction, though, public records are a
particular challenge. Because if you have a court record and
you have simply taken that same image data and put it into a
national database, the real key to correcting that is to make
sure the consumer knows how to get back to the court in order
to correct the information in the first place. Because if you
don't correct it at the courthouse, it is still publicly
available, there is still a Web site from which you can
obtain it, and in fact all you have done is fix the
intermediate source.
    And by the way, that principle was corrected in the Fair
Credit Reporting Act to ensure that a reseller in the context
of a consumer reporting agency, where access and correction do
apply, that the consumer would be referred back to the data
source in order to correct it at the source rather than to try
to correct it at the mid level.
    Mr. Cannon. Let me just get one more question before my
time expires.
    When a data breach occurs, shouldn't an information
reseller be required to notify those whose information was
compromised? And if so, how should notification take place?
What follow-ups, if any, should be required of information
resellers to monitor compromised information?
    Mr. Pratt. Well, I don't know that we think about it in
terms of information resellers.
There are several different
bills that have been worked on by various Committees, and the
fundamental question is, when you have a certain type of
information that we tend to think of as sensitive personal
information--if I have secured it in the first place, of
course, I have done the right thing. If for some reason my
security protocols have failed, yes, we think that there is a
risk of identity theft, a significant risk of identity theft.
Absolutely.
    The reason we make that distinction, Mr. Chairman, is
because there are cases where a laptop is stolen, but when you
do the forensics on the laptop, you determine that it was
really stolen in order to just simply fence the laptop. And in
fact it was never opened, it was never started back up again,
nobody ever looked at the data, the hard drive wasn't tampered
with. So notifying a thousand consumers that their data was on
a hard drive of a laptop that was stolen that was never dealt
with from a technology perspective probably creates false
positives which move consumers away from really being
proactive.
    So we think the key to good notices is the trigger--when
should I do it so that you and I as consumers really can act on
other rights that we should have.
    Mr. Cannon. Of course the question does occur, who makes
that judgment?
    Mr. Pratt. It is a difficult one, yes, sir.
    Mr. Cannon. Thank you.
    We appreciate your being here today. Since we don't have, I
don't think, any further questions, we will now stand
adjourned.
    [Whereupon, at 1:21 p.m., the Subcommittees adjourned.]
                            A P P E N D I X

                              ----------


               Material Submitted for the Hearing Record

   Additional Material for the Record submitted by Linda D. Koontz,
Director, Information Management Issues, U.S.
Government Accountability
                                 Office

</pre></body></html>