[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]





   PERSONAL INFORMATION ACQUIRED BY THE GOVERNMENT FROM INFORMATION 
               RESELLERS: IS THERE NEED FOR IMPROVEMENT?

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                   COMMERCIAL AND ADMINISTRATIVE LAW

                                AND THE

                    SUBCOMMITTEE ON THE CONSTITUTION

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 4, 2006

                               __________

                           Serial No. 109-98

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov

                                 _____

                     U.S. GOVERNMENT PRINTING OFFICE
                             WASHINGTON: 2006        

26-912 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001



                       COMMITTEE ON THE JUDICIARY

            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
HENRY J. HYDE, Illinois              JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina         HOWARD L. BERMAN, California
LAMAR SMITH, Texas                   RICK BOUCHER, Virginia
ELTON GALLEGLY, California           JERROLD NADLER, New York
BOB GOODLATTE, Virginia              ROBERT C. SCOTT, Virginia
STEVE CHABOT, Ohio                   MELVIN L. WATT, North Carolina
DANIEL E. LUNGREN, California        ZOE LOFGREN, California
WILLIAM L. JENKINS, Tennessee        SHEILA JACKSON LEE, Texas
CHRIS CANNON, Utah                   MAXINE WATERS, California
SPENCER BACHUS, Alabama              MARTIN T. MEEHAN, Massachusetts
BOB INGLIS, South Carolina           WILLIAM D. DELAHUNT, Massachusetts
JOHN N. HOSTETTLER, Indiana          ROBERT WEXLER, Florida
MARK GREEN, Wisconsin                ANTHONY D. WEINER, New York
RIC KELLER, Florida                  ADAM B. SCHIFF, California
DARRELL ISSA, California             LINDA T. SANCHEZ, California
JEFF FLAKE, Arizona                  CHRIS VAN HOLLEN, Maryland
MIKE PENCE, Indiana                  DEBBIE WASSERMAN SCHULTZ, Florida
J. RANDY FORBES, Virginia
STEVE KING, Iowa
TOM FEENEY, Florida
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas

             Philip G. Kiko, Chief of Staff-General Counsel
               Perry H. Apelbaum, Minority Chief Counsel
                                 ------                                

           Subcommittee on Commercial and Administrative Law

                      CHRIS CANNON, Utah Chairman

HOWARD COBLE, North Carolina         MELVIN L. WATT, North Carolina
TRENT FRANKS, Arizona                WILLIAM D. DELAHUNT, Massachusetts
STEVE CHABOT, Ohio                   CHRIS VAN HOLLEN, Maryland
MARK GREEN, Wisconsin                JERROLD NADLER, New York
RANDY J. FORBES, Virginia            DEBBIE WASSERMAN SCHULTZ, Florida
LOUIE GOHMERT, Texas

                  Raymond V. Smietanka, Chief Counsel

                        Susan A. Jensen, Counsel

                        Brenda Hankins, Counsel

                   Mike Lenn, Full Committee Counsel

                   Stephanie Moore, Minority Counsel
                    Subcommittee on the Constitution

                      STEVE CHABOT, Ohio, Chairman
TRENT FRANKS, Arizona                JERROLD NADLER, New York
WILLIAM L. JENKINS, Tennessee        JOHN CONYERS, Jr., Michigan
SPENCER BACHUS, Alabama              ROBERT C. SCOTT, Virginia
JOHN N. HOSTETTLER, Indiana          MELVIN L. WATT, North Carolina
MARK GREEN, Wisconsin                CHRIS VAN HOLLEN, Maryland
STEVE KING, Iowa
TOM FEENEY, Florida

                     Paul B. Taylor, Chief Counsel
                      E. Stewart Jeffries, Counsel
                          Hilary Funk, Counsel
                 Kimberly Betz, Full Committee Counsel
           David Lachmann, Minority Professional Staff Member



                            C O N T E N T S

                              ----------                              

                             APRIL 4, 2006

                           OPENING STATEMENT

                                                                   Page
The Honorable Chris Cannon, a Representative in Congress from the 
  State of Utah, and Chairman, Subcommittee on Commercial and 
  Administrative Law.............................................     1
The Honorable Melvin L. Watt, a Representative in Congress from 
  the State of North Carolina, and Ranking Member, Subcommittee 
  on Commercial and Administrative Law...........................     2
The Honorable Steve Chabot, a Representative in Congress from the 
  State of Ohio, and Chairman, Subcommittee on the Constitution..     3
The Honorable Jerrold Nadler, a Representative in Congress from 
  the State of New York, and Ranking Member, Subcommittee on the 
  Constitution...................................................     4

                               WITNESSES

Ms. Linda D. Koontz, Director, Information Management Issues, 
  U.S. Government Accountability Office
  Oral Testimony.................................................     7
  Prepared Statement.............................................    10
Ms. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department 
  of Homeland Security
  Oral Testimony.................................................    44
  Prepared Statement.............................................    45
Mr. Peter Swire, William O'Neill Professor of Law, Moritz College 
  of Law of the Ohio State University, Visiting Senior Fellow, 
  Center for American Progress
  Oral Testimony.................................................    48
  Prepared Statement.............................................    51
Mr. Stuart K. Pratt, President and Chief Executive Officer, 
  Consumer Data Industry Association
  Oral Testimony.................................................    61
  Prepared Statement.............................................    63

                                APPENDIX
               Material Submitted for the Hearing Record

Additional Material for the Record submitted by Linda D. Koontz, 
  Director, Information Management Issues, U.S. Government 
  Accountability Office..........................................    86

 
   PERSONAL INFORMATION ACQUIRED BY THE GOVERNMENT FROM INFORMATION 
               RESELLERS: IS THERE NEED FOR IMPROVEMENT?

                              ----------                              


                         TUESDAY, APRIL 4, 2006

                  House of Representatives,
                         Subcommittee on Commercial
                            and Administrative Law,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Subcommittees met, pursuant to call, at 12:03 p.m., in 
Room 2138 Rayburn House Office Building, the Honorable Chris 
Cannon (Chairman of the Subcommittee on Commercial and 
Administrative Law) presiding.
    Mr. Cannon. I think we will get started here. The hearing 
will be called to order.
    As many of you know, the protection of personal information 
in the hands of the Federal Government has long been a top 
priority for my Subcommittee, the Subcommittee on Commercial 
and Administrative Law, and Chairman Chabot's Subcommittee, the 
Constitution Subcommittee. Both of our Subcommittees have 
played a major role in respect to protecting personal privacy 
and civil liberties under the leadership and guidance of Jim 
Sensenbrenner, Chairman of the Judiciary Committee.
    In this post-September 11th world, however, it is no easy 
task to balance the competing goals of keeping our Nation 
secure while at the same time protecting the privacy of our 
Nation's citizens. Nevertheless, I believe that our respective 
Subcommittees and the Judiciary Committee are uniquely and best 
suited to study and resolve these issues.
    Our accomplishments to date include the establishment of 
the first statutorily-created Privacy Office in a Federal 
agency, namely the Department of Homeland Security. That office 
has since earned plaudits from both the public and private 
sectors. Based on the successes of that office, we also 
spearheaded the creation of a similar function in the Justice 
Department, which was signed into law in January of this year.
    In addition, both my Subcommittee and the Constitution 
Subcommittee have considered the support of legislation 
requiring a Federal agency to prepare a privacy impact analysis 
for proposed and final rules and to include this analysis in 
the Notice for Public Comment issued in conjunction with the 
publication of such rules.
    Today's hearing focuses on the respective roles that the 
Federal Government and information resellers have with respect 
to personal information collected in commercial databases. As 
the hearing title denotes, we approach this subject with an 
open mind and willingness to understand the factors and nuances 
concerning how Federal agencies and those in the private sector 
safeguard personal information that they obtain from us.
    As technological developments increasingly facilitate the 
collection, use, and dissemination of personally identifiable 
information, the potential for misuse of such information 
escalates. Five years ago, the GAO warned: ``our Nation has an 
increasing ability to accumulate, store, retrieve, cross-
reference, analyze, and link vast numbers of electronic records 
in an ever-faster and more cost-efficient manner. These 
advances bring substantial Federal information benefits as well 
as increasing responsibilities and concerns.'' Given the 
largely unfettered use of Social Security numbers and the 
availability of other personally identifiable information, 
identity theft has swiftly evolved into one of the most 
prolific crimes in the United States. According to the Federal 
Trade Commission, identity theft topped the list of consumer 
complaints filed with the Agency in 2005. The FTC estimates 
that 10 million consumers were victims of some form of identity 
theft in 2003.
    As a result of this crime, American businesses suffered an 
estimated $48 billion in losses, while consumers incurred an 
additional $5 billion in out-of-pocket losses. Just this week, 
the Justice Department announced that nearly 4 million 
households, about 3 percent of all households in the Nation, 
learned that they had been identity theft victims. Just last 
week, I got a credit card in the mail with a little note saying 
that my account had been viewed as one that might be subject to 
identity theft, and so I have a new card with a new number. I 
hadn't memorized the old one, so it was not much of an 
inconvenience. But it is a broad problem.
    Unfortunately, we continue to receive reports from GAO 
finding shortcomings in how Federal agencies safeguard personal 
information, and the private sector's vulnerability was 
highlighted by the many high-profile databases that have 
occurred in recent years. Questions have also been posed about 
the accuracy of some of the data maintained in these commercial 
databases. It is against this complex but exceedingly 
interesting backdrop that we are holding this hearing today.
    I would now like to turn to my colleague Mr. Watt, the 
distinguished Ranking Member of my Subcommittee, and ask him if 
he has any opening remarks.
    Mr. Watt. Thank you, Mr. Chairman. I will be brief.
    Let me commend Chairman Sensenbrenner and Ranking Member 
Conyers and Mr. Chabot and Mr. Nadler for taking steps to get 
the GAO to conduct this investigation and produce this report. 
It is clear that privacy issues that confront our country as a 
result of extraordinary technological advances are significant 
and that the ramifications of how we treat the privacy of 
personally identifiable information is heightened in the post-
9/11 world. I say this as a member of both the Financial 
Services and Judiciary Committees, and have heard testimony 
from numerous witnesses on the enhanced concerns about the 
Government's acquisition, maintenance, and dissemination of 
personal information and the opportunity for identity theft 
created by the massive data mining of this information.
    One of the main recommendations of the 9/11 Commission was 
the establishment of a Governmentwide watchdog to safeguard 
civil liberties. The Commission found that currently, ``there 
is no office within the Government whose job it is to look 
across the Government at the actions we are taking to protect 
ourselves and to ensure that liberty concerns are appropriately 
considered.''
    We have tried to get that recommendation passed, without 
any success up to this point, and I think the need for that 
kind of oversight body is continuing to grow and we need to do 
that.
    I am looking forward to the testimony of the witnesses. And 
with that, Mr. Chairman, I will yield back the balance of my 
time.
    Mr. Cannon. The gentleman yields back. Thank you.
    Now I would like to turn to my colleague Mr. Chabot, the 
distinguished chair of the Constitution Subcommittee, and ask 
him if he has any opening remarks.
    Mr. Chabot. Yes, I do. Thank you, Mr. Chairman.
    Mr. Cannon. The gentleman is recognized for 5 minutes.
    Mr. Chabot. First I would like to thank you for holding 
this hearing and thank all our witnesses for assisting us in 
our examination of issues related to the security and privacy 
of our personal information.
    Security breaches reported in the media last year involving 
the unauthorized access to and theft of personal information 
highlighted an emerging area of concern to all of us, that 
being the treatment of our personal information as just another 
commodity. Our concerns are well-founded, as recent statistics 
released by the Department of Justice reveal that identity 
theft affected 3.6 million households across the Nation and 
cost our economy $3.2 billion during the first half of 2004 
alone.
    The security breaches also raise questions with regard to 
the Federal Government's reliance on and contributions to the 
use of personal information. Questions raised include: Are 
Federal agencies collecting information on us? What information 
is being collected? Where is the information going and where 
will it eventually end up? What Federal laws guide collection 
activities? And most importantly, how, as individuals affected 
by these collection activities, can we best monitor and ensure 
that such information is being used as was intended?
    Last spring, I, along with the Chairman and Ranking Member 
of the full Committee, Mr. Conyers, charged GAO with finding 
answers to these questions. In particular, we sought to gain a 
better understanding of the Federal Government's involvement 
and reliance on data as it relates to fulfilling our Federal 
Government's top priorities, such as our Nation's law 
enforcement and antiterrorism efforts, and performing other 
critical domestic functions such as effectively distributing 
benefits.
    Our inquiry was also prompted by the information age in 
which we live, where technology has allowed personal 
information to be universally available to anyone at any time, 
including to the Federal Government. The information provided 
by the commercial data suppliers has served an important role 
in supporting our Nation's law enforcement and antiterrorism 
efforts. It has also played an important role in assisting the 
Federal Government to perform other administrative 
responsibilities. For example, last fall, commercial data 
companies provided critical assistance to FEMA to assist the 
victims of Hurricane Katrina.
    However, with the widespread availability of information 
comes increased risks of privacy and security breaches, 
unauthorized uses, and other negative effects, to which the 
Federal Government is not immune.
    I hope through today's hearing we can gain a better 
understanding of the existing Federal laws and policies in 
place guiding commercial data suppliers and the Federal 
Government in handling personal information. Moreover, I look 
forward to discussing whether Federal laws such as the Privacy 
Act of 1974 and E-Government Act of 2002, which guide the 
Federal Government, and the Fair Credit Reporting Act and the 
Gramm-Leach-Bliley Act, which guide the commercial data 
industry, have been affected in addressing concerns raised by 
the emerging industry.
    With a better understanding of the existing framework, we 
can ensure that the Federal Government continues to have access 
to the types of information that will enable it to fulfill its 
responsibilities. At the same time, we can ensure that citizens 
know when and how their information is being collected and used 
by the Federal Government.
    I look forward to discussing these issues and learning 
whether new legislation, such as the Federal Agency Privacy 
Protection Act which I have introduced in the previous 
Congresses, would be an appropriate remedy to ensure citizens' 
privacy concerns over the use of their personal information by 
the Federal Government. The Federal Agency Privacy Protection 
Act would require that all Federal agencies conduct privacy 
impact assessments when issuing a notice regarding a new or 
interpretive rule relating to the collection of personally 
identifiable information on citizens, as well as when final 
rules are promulgated.
    Again, I welcome the witnesses here with us today and look 
forward to their testimony.
    I yield back the balance of my time.
    Mr. Cannon. Thank you, Mr. Chabot.
    Mr. Nadler, do you have an opening statement?
    Mr. Nadler. Yes. Thank you, Mr. Chairman. I will be brief 
because I want to get to our witnesses.
    Modern technology and security concerns have greatly 
threatened the privacy of the most personal information about 
every American. The nexus between private information resellers 
and Government action are especially troubling.
    How we handle these complicated issues--and they are 
complicated--will affect the lives of every one of our 
constituents. It is not simply a matter of identity theft but 
of the basic right to be secure in our persons, our papers, and 
our homes. People need to know that when they visit a doctor, 
go to the store, read a book, engage in the practice of their 
religion, they will not be subject to unwanted and uninvited 
prying eyes.
    The secret NSA wiretaps, some of the abuses of power by the 
Justice Department, some of the more extravagant claims by this 
Administration are warning signs. I hope this Congress looks 
more carefully at the question of privacy from both a technical 
and legal perspective. This study and this hearing are 
important steps in this direction.
    Of course, in one sense, this study, this hearing, 
everything we are doing, in one sense is irrelevant, because 
the Administration claimed in the NSA wiretap situation that 
the President has inherent power to disobey the FISA law 
because of inherent power under article II and under the 
authorization for the use of military force. And in fact, it 
claims inherent power to go beyond that, and we have no way of 
knowing what the NSA or some other agency may in fact be doing 
that might invade privacy. The Administration won't tell us. 
They won't testify to us. It is all secret. And in fact, the 
Administration is conducting an investigation into who revealed 
what we do know about the NSA wiretaps, because they think that 
ought to have remained secret. I disagree, obviously, but that 
is their position.
    And they have made it quite clear that, in fact, various 
Government agencies may be going far beyond what we know in 
wiretapping or otherwise invading the privacy of American 
citizens regardless of what the law says and regardless of any 
law we may pass, because the President has inherent power to 
disregard that during a war, and we are in a war on terrorism.
    So everything we say, everything we investigate, everything 
we hear, everything we do may in fact be irrelevant because the 
President claims the power to ignore it and may or may not be 
exercising that power in ways that are unknown to us. That is a 
far greater threat to our liberty than probably anything else 
we are talking about.
    So I thank you, Mr. Chairman, for scheduling this hearing. 
But I hope we realize that the ability of this Congress to deal 
with this is very much circumscribed by the unprecedented and 
tyrannical claim of power that the Administration is making.
    I thank you. I yield back.
    Mr. Cannon. Far be it from me to disagree with the 
gentleman, but I think it is the role of Congress to oversee 
any president of either party.
    Mr. Nadler. Well, I certainly agree with that.
    Mr. Cannon. That is not the focus of this hearing, but we 
certainly need to be doing that.
    Mr. Nadler. Mr. Chairman, if I could just say.
    Mr. Cannon. Certainly.
    Mr. Nadler. You are not disagreeing with me. I certainly 
agree that we ought to be overseeing the Administration. My 
point is that the Administration claims under the wartime power 
that we have no power to do that.
    Mr. Cannon. I understand that you are being very harsh 
about the Administration. I think our objective is to transcend 
the current status of affairs with the war on terror.
    Without objection, the gentleman's entire statement will be 
placed in the record. Hearing no objection, so ordered.
    Without objection, all Members may place their statements 
in the record at this point. Hearing no objection, so ordered.
    Without objection, the Chair will be authorized to declare 
recesses of this hearing at any point. Hearing no objection, so 
ordered.
    I ask unanimous consent that Members have 5 legislative 
days to submit written statements for inclusion in today's 
hearing record. Hearing no objection, so ordered.
    I am now pleased to introduce the witnesses for today's 
hearing. Our first witness is Linda Koontz, who is the Director 
of GAO's Information and Management Issues Division. In that 
capacity, she is responsible for issues regarding the 
collection, use, and dissemination of Government information. 
Mrs. Koontz has led GAO's investigations into the Government's 
data mining activities as well as E-Government initiatives. In 
addition to obtaining her bachelor's degree from Michigan State 
University, Ms. Koontz received certification as a Government 
financial manager. She is also a member of the Association for 
Information and Image Management Standards Board.
    Maureen Cooney, our next witness, is the Acting Chief 
Privacy Officer for the Department of Homeland Security. Ms. 
Cooney, we always appreciated working with your predecessor, 
Nuala O'Connor Kelly, and we look forward to working with you 
as well. As I previously noted in my opening remarks, my 
Subcommittee, with the support of Chairman Jim Sensenbrenner, 
played a major role in establishing Ms. Cooney's office at the 
Department of Homeland Security. The legislation creating her 
office not only mandated the appointment of a privacy officer, 
but specified the officer's responsibilities. One of the 
principal responsibilities of the DHS Privacy Officer, as set 
out by statute, is the duty to assure that the use of 
technologies sustain and do not erode privacy protections 
relating to the use, collection, and disclosure of personal 
information. In addition, the Privacy Officer must assure that 
personal information is handled in full compliance with the 
Privacy Act and assess privacy impact of the Department's 
proposed rules.
    Before joining the DHS Privacy Office, Ms. Cooney worked on 
international privacy and security issues at the U.S. Federal 
Trade Commission, where she served as the principal liaison for 
the FTC to the European Commission and article 29 Working Party 
on Privacy Issues. She also played a major role on the rewrite 
of the Organization for Economic Cooperation and Development 
Security Guidelines for Information Systems and Networks. Prior 
to that assignment, Ms. Cooney worked on privacy and security 
issues with the Treasury Department in the Office of the 
Comptroller of the Currency. We are really pleased that there 
are people that know as much about this as you do, who are here 
to help guide us.
    Ms. Cooney received her bachelor's degree in American 
studies from Georgetown University and her law degree from 
Georgetown University Law Center.
    Our third witness is Peter Swire, the C. William O'Neill 
Professor in Law and Judicial Administration at the Moritz 
College of Law of Ohio State University. In addition to his 
academic endeavors, Professor Swire is a consultant with the 
law firm Morrison & Foerster, where he provides advice on 
privacy, cyberspace, and related matters. He is also currently 
a visiting senior fellow at the Center for American Progress, a 
nonpartisan research and educational institute. Under the 
Clinton administration, Professor Swire was OMB's Chief 
Counselor for Privacy.
    Professor Swire received his undergraduate degree from 
Princeton University and his law degree from Yale Law School. 
He is a prolific writer, with numerous law review articles and 
other writings to his credit.
    Our final witness is Stuart Pratt. Mr. Pratt is the 
president and CEO of the Consumer Data Industry Association, an 
international trade association representing more than 250 
consumer information companies. Prior to his current position, 
Mr. Pratt served as the association's vice president of 
government relations. He is a well-known expert on the Fair 
Credit Reporting Act, identity fraud, and the issues of 
consumer data and public record data issues. Mr. Pratt received 
his undergraduate degree from Furman University in Greenville, 
South Carolina.
    I extend to each of you my warm regards and appreciation 
for your willingness to participate in today's hearing. In 
light of the fact that your written statements will be included 
in the hearing record, I request that you limit your oral 
remarks to 5 minutes. Accordingly, please feel free to 
summarize or highlight the salient points of your testimony.
    You will note that we have a lighting system, which is not 
yet on but they are the two little gizmos in front of you. It 
starts with a green light and you have 4 minutes before it 
turns yellow, and then at the 5-minute mark it turns red. It is 
my habit to tap the gavel at 5 minutes. We will appreciate it 
if you would finish up your thoughts within that time frame. We 
don't want to cut people off in the middle of your thinking, 
but I find it works better if everybody realizes we have a 5-
minute limit. I am probably going to be a little more 
aggressive with questions so that we can give everybody an 
opportunity to ask questions.
    After you have presented your remarks, the Subcommittee 
Members, in the order they arrived, will be permitted to ask 
questions of the witness. They will also be limited to 5 
minutes.
    Pursuant to the direction of the Chairman of the Judiciary 
Committee, I ask the witnesses to please stand and raise your 
right hand to take the oath.
    [Witnesses sworn.]
    Mr. Cannon. Thank you. You may be seated.
    The record should reflect that each of the witnesses 
answered in the affirmative.
    Ms. Koontz, would you please proceed with your testimony.

TESTIMONY OF LINDA D. KOONTZ, DIRECTOR, INFORMATION MANAGEMENT 
         ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Ms. Koontz. Mr. Chairman and Members of the Subcommittees, 
I appreciate the opportunity to discuss the results of GAO's 
work on the Federal Government's purchase of personal 
information from businesses known as information resellers. My 
testimony summarizes the results of the report we did at the 
Committee's request and that we are issuing today. For that 
report we reviewed four agencies: Justice, Homeland Security, 
State, and Social Security.
    Information is an extremely valuable resource and 
information resellers provide services that are important to a 
variety of Federal agency functions. Specifically, for fiscal 
year 2005, the four agencies we reviewed reported a combined 
total of approximately $30 million in obligations for the 
purchase of personal information from resellers.
    The vast majority of this spending, about 91 percent, was 
for law enforcement or counterterrorism. For example, the 
Department of Justice, the largest user among the four, used 
the information for criminal investigations, locating witnesses 
and fugitives, and researching assets held by individuals of 
interest. Reseller information was also used by others to 
detect and investigate fraud, verify identities, and determine 
eligibility for benefits.
    As agreed, we also evaluated agency and reseller privacy 
policies and practices against the Fair Information Practices, 
a set of widely accepted principles for protecting the privacy 
and security of personal information. These principles, with 
variations, are the basis of privacy laws in many countries and 
are the foundation of the Privacy Act. They are not legally 
binding either on Federal agencies or resellers, but we believe 
they do provide a useful framework for analyzing agency and 
reseller practices and serve as an appropriate basis for 
further discussion and debate.
    Applying this framework to Federal agencies, we found some 
inconsistencies. Agencies did take steps to address the privacy 
and security of the information acquired from resellers, but 
their handling of this information did not always fully reflect 
the Fair Information Practices. For example, although agencies 
issued privacy notices on information collections, these did 
not always specifically state that information resellers were 
among the sources used. This is not consistent with the 
principle that the public should be informed about privacy 
policies and have a ready means of learning about the use of 
personal information. One reason for this kind of inconsistency 
is ambiguity in OMB's guidance regarding how privacy 
requirements apply to Federal agency use of reseller 
information.
    To address these inconsistencies, we made recommendations 
to OMB and to the agencies we reviewed. These agencies 
generally agreed with our report and reported actions they are 
taking. In particular, the Privacy Office within Homeland 
Security has conducted a public workshop on the Government's 
use of commercial data for homeland security and recently 
finalized guidance on conducting privacy impact assessments, 
which includes very useful direction on the collection and use 
of commercial data.
    Regarding resellers, they also took steps to protect 
privacy, but these measures were not fully consistent with the 
Fair Information Practices. For example, resellers generally 
informed the public about key privacy practices and principles 
and they have recently taken steps to improve security 
safeguards. However, the principles that the collection and use 
of personal information should be limited and its intended use 
specified are largely at odds with the nature of the reseller 
business, which is based on providing information to multiple 
customers for multiple purposes.
    Further, resellers generally limit the extent to which 
individuals can gain access to personal information held about 
themselves, as well as the extent to which they can correct or 
delete inaccurate information contained in reseller databases.
    In response, information resellers raised concerns about 
our reliance on the Fair Information Practices and suggested it 
would be unreasonable for them to comply with some aspects of 
the principles that, they believe, were intended for 
organizations that collect information directly from consumers. 
Nonetheless, we believe that analysis against a framework of 
the Fair Information Practices is important as a starting point 
to frame potential issues and facilitate informed discussion, 
and we suggest that Congress consider these issues in its 
deliberations.
    In conclusion, privacy is ultimately about striking a 
balance between competing interests. In this case, it is about 
balancing the value of reseller information as to important 
Government functions against the privacy rights of individuals. 
I look forward to participating in the discussion on how best 
to strike that balance.
    This concludes my statement. Thank you.
    [The prepared statement of Ms. Koontz follows:]
                 Prepared Statement of Linda D. Koontz




































































    Mr. Cannon. Thank you, Ms. Koontz.
    Ms. Cooney?

TESTIMONY OF MAUREEN COONEY, ACTING CHIEF PRIVACY OFFICER, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Ms. Cooney. Thank you. Chairmen Cannon and Chabot, Ranking 
Members Watt and Nadler, and Members of the Subcommittees on 
Commercial and Administrative Law and the Constitution, it is 
an honor to testify before you today. Because this marks my 
very first appearance before the Subcommittee, I would like to 
offer a few biographical background notes.
    It is my honor to currently serve as the Acting Chief 
Privacy Officer for the Department of Homeland Security. I come 
to this position with 20 years of Federal service experience in 
risk management and compliance and enforcement activities as 
well as in consumer protection on global information privacy 
and security issues post-9/11. I was recruited from the Federal 
Trade Commission to join the Department of Homeland Security 
more than 2 years ago as Chief of Staff of the Privacy Office 
and Senior Adviser for International Privacy Policy.
    Since that time, it has been my privilege to help build the 
DHS Privacy Office with my colleagues and under the leadership 
of former Chief Privacy Officer Nuala O'Connor Kelly and 
Secretaries Chertoff and Ridge.
    I appreciate this opportunity to address the subject of 
personal information acquired by the Government from 
information resellers. The use of commercial data for homeland 
security involves complex issues that touch on privacy, program 
effectiveness, and operational efficiency. I commend the 
Government Accountability Office for undertaking their 
analysis, which will positively assist in informing privacy 
policy development.
    As my written statement points out, internally the primary 
oversight mechanism used by the Privacy Office for ensuring 
appropriate use of personal information regardless of its 
source is the privacy impact assessment, which is required to 
be used by section 208 of the E-Government Act of 2002 and 
section 222 of the Homeland Security Act.
    Privacy impact assessments, or PIAs as we call them, can be 
one of the most important instruments in establishing trust 
between the Department's operations and the public simply 
because they are generally very transparent. In fact, PIAs are 
fundamental at our Department in making privacy an operational 
element within the DHS family. Privacy impact assessments allow 
for the examination of privacy questions concerning a program 
or an information system's collection and use of information, 
including commercial reseller data.
    As mentioned in my colleague Ms. Koontz's testimony, the 
DHS Privacy Office has issued official guidance on the conduct 
of privacy impact assessments. Various sections of that 
guidance are particularly relevant to the subject matter of 
this hearing. I refer you to my written testimony on the 
details of that.
    I am a little concerned that we may run out of time, so one 
of the points that I would like to make is that in addition to 
privacy requirements under the Privacy Act of 1974, the privacy 
impact assessment process really augments the system of record 
notice provisions in the Privacy Act that provide for notice to 
the public about the types of information collected by the 
Government and the treatment of that information. The DHS 
Privacy Office reviews new systems of record notices to make 
sure that the presence of commercial data is made transparent 
if data is collected as a source of information in a system, 
and we are seeking to apply this to existing sources as well.
    The Privacy Office also has been part of a broad-based 
dialogue on the use of commercial data both within and outside 
of the Department. In September of 2005, we hosted a public 
workshop addressing privacy and technology, exploring the use 
of commercial data for homeland security. The workshop examined 
the policy, legal, and technology issues associated with the 
Government's use of commercial personally identifiable data for 
homeland security purposes.
    With input from the public workshop, the DHS Privacy Office 
is now in the process of drafting specific guidance for our 
Department on the use of commercial data. The guidance will 
address three broad categories of use: comparing data in 
commercial and Government databases, obtaining data from 
commercial sources for use in Government systems, and use of 
Government analytic tools on commercial databases.
    We will be hosting a meeting with our internal Privacy and 
Data Integrity Board made up of senior Department managers on 
April 11th to collaborate on this policy through a full and 
meaningful discussion of an appropriate framework for using 
commercial data.
    The Privacy Office also has been discussing commercial data 
issues with the DHS Data Privacy and Integrity Advisory 
Committee, our Federal advisory committee made up of U.S. 
citizens with expertise in privacy information technology, 
information security, and public policy.
    In October of 2005 the DHS Privacy Advisory Committee 
published a report on the use of commercial data to reduce 
false positives in screening programs, and the Committee's 
recommendations will be incorporated in our policy development.
    Thank you for inviting me, and thank you for your support 
of the DHS Privacy Office.
    [The prepared statement of Ms. Cooney follows:]
                  Prepared Statement of Maureen Cooney
    Chairmen Cannon and Chabot, Ranking Members Watt and Nadler, and 
Members of the Subcommittees on Commercial and Administrative Law and 
the Constitution, it is an honor to testify before you today on the 
activities of the United States Department of Homeland Security, for 
which I am privileged to served as the Acting Chief Privacy Officer.
    Thank you for inviting me to speak with you on the subject of 
personal information acquired by the government from information 
resellers.
    As you know, the DHS Chief Privacy Officer is the first statutorily 
required privacy officer in the Federal government. The 
responsibilities of the DHS Chief Privacy Officer are set forth in 
Section 222 of the Homeland Security Act of 2002. They include:

        (a)
             assuring that the use of technologies sustain, and do not 
        erode, privacy protections relating to the use, collection and 
        disclosure of personal information;

        (b)
             assuring that personal information contained in Privacy 
        Act systems of records is handled in full compliance with fair 
        information practices as set out in the Privacy Act of 1974;

        (c)
             evaluating legislative and regulatory proposals involving 
        collection, use, and disclosure of personal information by the 
        Federal Government;

        (d)
             conducting a privacy impact assessment of proposed rules 
        of the Department on the privacy of personal information, 
        including the type of personal information collected and the 
        number of people affected; and

        (e)
             preparing a report to Congress on an annual basis on 
        activities of the Department that affect privacy, including 
        complaints of privacy violations, implementation of the Privacy 
        Act of 1974, internal controls and other matters.\1\
---------------------------------------------------------------------------
    \1\ The Homeland Security Act of 2002, Pub. L. No. 107-296, Title 
II, Sec. 116 Stat. 2155.

    It is upon this statutory authority that the Chief Privacy Officer 
and the DHS Privacy Office review and approach the use of personal 
information by the Department, including the use of data from 
information resellers.
    The use of data from information resellers for homeland security 
involves complex issues that touch on privacy, program effectiveness 
and operational efficiency. There are many benefits to the government 
when commercial data is used responsibly. It can save time, it is often 
more precise, and is updated more quickly and, therefore, in certain 
circumstances, it could be more accurate and therefore have greater 
data integrity than other sources. At the same time, the government's 
use of commercial data must be transparent and appropriate. The DHS 
Privacy Office has been part of a broad based dialogue both within and 
outside of the Department on the use of commercial data.
    As noted by the Government Accountability Office (GAO), unless an 
information reseller is operating a System of Records specifically on 
behalf of a Federal agency, it is not subject to the provisions of the 
Privacy Act of 1974. However, the Privacy Act applies to Federal 
agencies that bring data from information resellers into a Federal 
System of Records. The Privacy Office exercises oversight over the way 
Departmental components access, use and maintain data obtained from 
information resellers as part of our responsibility to assure that 
Departmental systems operate in accordance with Section 222(b) of our 
authorizing statute--that information in DHS Systems of Records is 
handled in a manner consistent with the fair information practices 
principles set out in the Privacy Act.
    The main oversight mechanism used by the Privacy Office for 
information systems is the Privacy Impact Assessment (PIA). PIAs are 
fundamental in making privacy an operational element within the 
Department. Conducting PIAs demonstrates the Department's efforts to 
assess the privacy impact of utilizing new or changing information 
systems, including attention to mitigating privacy risks. Touching on 
the breadth of privacy issues, PIAs allow the examination of the 
privacy questions that may surround a program or system's collection of 
information, including commercial reseller data, as well as the 
system's overall development and deployment. When worked on early in 
the development process, PIAs provide an opportunity for program 
managers and system owners to build privacy protections into a program 
or system in the beginning. This avoids forcing the protections in at 
the end of the developmental cycle when remedies can be more difficult 
and costly to implement.
    With respect to the data types that are collected and their 
handling, the PIA process augments the Systems of Record Notice 
provisions in the Privacy Act that provide notice to the public about 
the types of information collected and its treatment. The PIA can be 
one of the most important instruments in establishing trust between the 
Department's operations and the public.
    In accordance with Section 208 of the E-Government Act of 2002 and 
OMB's implementing guidance, the Department of Homeland Security is 
required to perform PIAs whenever it procures new information 
technology systems or substantially modifies existing systems that 
contain personal information. Although the E-Government Act allows 
exceptions from the PIA requirement for national security systems, DHS 
is implementing Section 222 of the Homeland Security Act to require 
that all DHS systems, including national security systems, must undergo 
a PIA if they contain personal information. The Privacy Office has 
staff with security clearances that allow them to work with programs to 
assess the privacy impact of classified systems or systems that contain 
classified information. In cases where the publication of the PIA would 
be detrimental to national security, the PIA document may not be 
published or may be published in redacted form.
    Every PIA must address at least two issues:
    1. It must address the risks and effects of collecting, maintaining 
and disseminating information in identifiable form in an electronic 
information system; and
    2. It must evaluate the protections and alternative processes for 
handling information to mitigate potential privacy risks.
    The Privacy Office has issued official guidance on the conduct of 
Privacy Impact Assessments. The most up-to-date version of the guidance 
is available at the DHS Privacy Office Web site at http://www.dhs.gov/
dhspublic/interapp/editorial/editorial--0511.xml. However, earlier 
versions of the guidance have been available internally to DHS for 
about two years, with initial guidance issued in February 2004.
    Various sections of the PIA guidance are particularly relevant to 
the subject matter of this hearing. First, the guidance states that the 
PIA requirement applies broadly to personally identifiable information 
rather than to a much narrower category of ``private'' information. If 
information can be connected with an individual, it is personally 
identifiable information, whether or not the information is private or 
secret. This is important because much of the information purchased 
from information resellers is either publicly available, e.g., 
addresses and telephone numbers, or is derived from public records.
    In addition, Section 1.2.2 of the guidance directs programs that 
use data from commercial data aggregators to state this fact and then 
to explain in Section 1.3 why data from this source is being used. 
Section 2.3.4 requires a statement about whether data obtained from 
commercial data aggregators is assessed for quality, and if so, what 
quality measures are used.
    Some products offered by information resellers permit users to 
``ping'' resellers' databases either to obtain new information or to 
verify information in government databases. This ability to access 
information without bringing it into Federal systems raises the 
question about when information is actually ``collected'' by a 
government agency. It is DHS policy that any time information from an 
information reseller is used in a decision-making process, whether the 
decision involves correcting existing government information or 
obtaining new information, a PIA is required.
    In order to clarify specific issues related to the use of data from 
information resellers, the DHS Privacy Office is in the process of 
drafting specific guidance on the use of commercial data to complement 
the general PIA guidance. The guidance on the use of commercial data 
will apply specifically to the use of data from information resellers 
and will address three broad categories of use: comparing data in 
commercial and government databases, obtaining data from commercial 
sources for use in government systems; and use of government analytic 
tools on commercial databases. The guidance will specify when PIAs must 
be performed and what additional requirements might apply to programs 
that use data from commercial sources. We expect this guidance to be 
released as soon as it completes Departmental clearance, and would be 
happy to discuss it with you at that time.
    The DHS Privacy Office has been part of a broad-based national 
dialog on these issues. In September of 2005, the Privacy Office held a 
public workshop on the use of commercial data for homeland security. 
The objective of the workshop was to look at the policy, legal, and 
technology issues associated with the government's use of commercial 
personally identifiable data in homeland security. A broad range of 
experts, including representatives from government, academia, and 
business participated in the panel discussions. The panels addressed 
how government agencies are using commercial data to aid in homeland 
security; the legal issues raised by the government's use of commercial 
data, particularly the applicability of the Privacy Act; current and 
developing technologies that can aid the government in data analysis; 
ways in which technology can help protect individual privacy while 
enabling government agencies to analyze data; and ways to build privacy 
protections into the government's use of commercial data. At the end of 
each panel, the audience was given an opportunity to address questions 
to the panelists. The full transcript of the Workshop is available at 
www.dhs.gov/privacy. A report summarizing the workshop is attached.
    The Privacy Office has also been working with the DHS Data Privacy 
and Integrity Advisory Committee (DPIAC) on issues related to the use 
of commercial data. In October 2005, the DPIAC published a report on 
the use of commercial data to reduce false positives in screening 
programs. The report is available on the DHS Privacy Office Web site at 
http://www.dhs.gov/interweb/assetlibrary/privacy--advcom--rpt--
1streport.pdf. The Committee recommends that commercial data be used 
for screening programs only when:

          It is necessary to satisfy a defined purpose

          The minimization principle is used

          Data quality issues are analyzed and satisfactorily 
        resolved

          Access to the data is tightly controlled

          The potential harm to the individual from a false 
        positive misidentification is substantial

          Use for secondary purposes is tightly controlled

          Transfer to third parties is carefully managed

          Robust security measures are employed

          The data are retained only for the minimum necessary 
        period of time

          Transparency and oversight are provided

          The restrictions of the Privacy Act are applied, 
        regardless of whether an exemption may apply

          Simple and effective redress is provided

          Less invasive alternatives are exhausted

    The Committee is now working on a broader report that addresses the 
use of commercial data in applications beyond screening. We are using 
the work of the DPIAC to help inform our work on guidance for the 
Department.
    We are living through a time of tremendous change as more and more 
personal information becomes electronic. In electronic form such 
information is more easily collected, analyzed and used for various 
purposes and serves as a basis for decision-making in personal, social, 
political and economic spheres. It is the goal of the DHS Privacy 
Office to ensure that commercial information used by the Department in 
the performance of its mission is used responsibly and with respect for 
individuals' legitimate expectations of privacy. We look forward to 
working with the Committee and everyone involved on these important 
issues.
    Thank you.

    Mr. Cannon. We are thrilled how well you all have done in 
that office.
    Ms. Cooney. Thank you.
    Mr. Cannon. It has been a great model for what we have done 
otherwise, what we hope to do still.
    Professor Swire, you are recognized for 5 minutes.

  TESTIMONY OF PETER SWIRE, WILLIAM O'NEILL PROFESSOR OF LAW, 
 MORITZ COLLEGE OF LAW OF THE OHIO STATE UNIVERSITY, VISITING 
          SENIOR FELLOW, CENTER FOR AMERICAN PROGRESS

    Mr. Swire. Thank you, Mr. Chairman, and thank you to the 
Committee for the invitation to participate today. And I 
express my appreciation for the leadership this Committee has 
shown, including in creating the Chief Privacy Officer office 
that we have just heard the impressive discussion from Ms. 
Cooney.
    In my written testimony, I give a little bit of the history 
of this topic. In 1974, when the Privacy Act was passed, the 
most important databases were primarily Government databases, 
like IRS or Social Security. Today, by contrast, the databases 
are dominated by private-sector databases. That is where the 
records are. So the big question is how do we update our laws 
and practices to this new reality.
    The overall theme of my testimony is that we are still 
early on the learning curve about how to incorporate private 
databases into public agency activities. My written testimony 
gives some comments on the GAO report and the Fair Information 
Practices, but I highlight four recommendations.
    First, because Federal agencies make such important 
decisions based on the data, we must have accurate data and we 
have to have effective ways to get redress when mistakes 
inevitably do occur.
    Second, new mechanisms of accountability are likely needed 
as agencies rely more and more on these private-sector records. 
There should be expanded use of privacy impact assessments, 
perhaps along the line of Chairman Chabot's bill, and there are 
other steps that I will go into.
    Third, greater expertise and leadership is needed in the 
executive branch at the highest levels on privacy issues, 
including policy leadership from the Executive Office of the 
President. The lack of such leadership on privacy, I believe, 
has led to significant and avoidable problems.
    Fourth, as we continue along the learning curve, it is 
important to merge today's discussion about privacy with the 
discussions about information sharing in the war on terror, and 
I suggest a National Academy of Sciences study on privacy and 
information sharing might be useful.
    Let me turn to a couple of things in more detail.
    In order to think about accuracy of data over time, I think 
it makes sense for the Government to test and audit the 
accuracy of data, at least selectively, at the time that we 
purchase the data. S. 1789, the data breach bill that has been 
passed by the Senate Judiciary Committee, calls for audits like 
this as new Government contracts are formed. I think that might 
help us get a sense of where the accuracy is and isn't.
    However accurate data is on the front end, though, we are 
going to have issues on the back end. We are going to have 
mistakes that get made. Many people on the Committee likely 
know about the troubles that Senator Kennedy or Congressman 
Lewis have had getting off watch lists. Last month, Senator Ted 
Stevens of Alaska told the story about his wife, which I hadn't 
heard about until I was researching this. Apparently, she was 
having great trouble getting on airplanes. Her first name is 
Catherine, the nickname for that is ``Cat,'' and they had her 
down as Cat Stevens and she was having trouble getting on 
airplanes.
    Now, if it is tough for Senators, including quite powerful 
Senators, to get their family members off of watch lists, it 
suggests there are issues for all 300 million Americans. So how 
we do redress is something to really think about going forward.
    In the testimony I discuss some of the other accountability 
mechanisms--privacy impact assessments and the rest--that I 
think can be considered and cites to legislation that does some 
of this.
    I would like to turn to the question of the structure of 
privacy protection in the executive branch. Step one has been 
creation by your Committee of the Chief Privacy Officer in 
Homeland Security and now elsewhere, and I was pleased to get 
to testify on that in 2002 before your Committee when that was 
set up. In 2004, Congress created the Privacy and Civil 
Liberties Board for intelligence activities only. But the gap 
is for the rest, which is where a lot of commercial data is 
used. There is no White House leadership, there is no policy 
official who is on the job there. One recent example, I think, 
illustrates the need to have a policy official looking at these 
issues up front and correcting problems.
    You might have seen press reports about 2 weeks ago that 
the IRS has a proposed rule now to allow tax preparation 
companies, for the first time, to sell people's tax records or 
even to give them away to people with no limits on how they 
then get resold or redisclosed. It would be legal under this, 
if I sign my name for my company, to put my tax records up on 
the Internet. It is supposed to be done with consent, but, you 
know, when you sign your tax forms, you sign in about 27 places 
and maybe you missed this one. And suddenly you have consented 
to sale of your tax records.
    Now, when I worked at OMB, my office reviewed proposals 
such as this. We got it before it became policy. I think we 
would have noticed the lack of limits on redisclosure and 
resale. And I don't think the rule would have gone forward the 
way it did. If such a mistake had happened, I think we would 
have moved to correct it. But now this rule may be going final, 
and without a White House ability currently to spot and correct 
such mistakes, privacy problems, I think, turn out to be worse 
than they ought to be. So I think continued steps toward 
leadership on privacy in the executive branch are called for.
    The last point I want to make in my testimony is we have 
hearings on information sharing, how we have to use the data to 
fight terrorism, and we have hearings on privacy, how we have 
to stop uses of data that might lead to identity theft and the 
rest. I think we probably need to bring those two things 
together. One way to do that might be a National Academy of 
Sciences study on the two that would involve commercial 
databases but also how to do privacy and information sharing. I 
have been working on this in my own research. I think it is a 
big issue that a lot of people should come together to examine. 
So I suggest that as one possible thing for your Committee to 
consider.
    Thank you, and I look forward to questions.
    [The prepared statement of Mr. Swire follows:]
                   Prepared Statement of Peter Swire




















    Mr. Cannon. Thank you, Professor.
    Mr. Pratt?

   TESTIMONY OF STUART PRATT, PRESIDENT AND CHIEF EXECUTIVE 
          OFFICER, CONSUMER DATA INDUSTRY ASSOCIATION

    Mr. Pratt. Chairmen Cannon and Chabot, Ranking Members Watt 
and Nadler, Members of the Committees, thank you for this 
opportunity to appear before you today.
    We are here to discuss the GAO's report regarding 
Government uses of data and some concerns that we do have with 
regard to that report, that we hope will inform your thinking 
here as the Committee.
    First, while the report does survey governmental uses of 
our members' systems, it does not discuss the value and 
effectiveness of them. Government agencies are faced with 
extraordinary challenges in accomplishing their missions. 
Consider just a few examples of those: preventing money 
laundering and terrorist financing, enforcing child support 
orders, locating missing and exploited children, researching 
fugitives, researching assets held by individuals of interest, 
witness location, entitlement fraud, background screening for 
national security investigations, and disaster assistance, as 
was mentioned.
    A real-world example of how these systems work, a public 
record provider can provide for as little as $25 a search of 
100 million criminal records in order for that to be done. 
Otherwise, you would have to spend approximately $48,000 and it 
would take days, if not weeks, to accomplish the same search.
    These are just one of a number of examples we include in 
our written testimony of the direct value of data products that 
our members produce.
    We do have other concerns with the report beyond its lack 
of an adequate description of the value of our members' 
services. First, the report does not help the reader understand 
the breadth of the application of Federal laws to data products 
used by Government agencies today. The report lists laws, but 
it relegates an incomplete discussion of their requirements to 
an appendix. Chairman Chabot mentioned several of these laws. 
There is one that is not acknowledged directly in the report, 
and that is that the FTC Act, section 5, also applies to data 
practices and it does include enforcement actions relative to 
privacy notices as well as to the security of sensitive 
personal information.
    One such law, the Fair Credit Reporting Act, applies to the 
public sector equally as it does to the private sector, and 
thus all decisions where there is a determination of a 
consumer's eligibility such as approval or denial are made, 
extensive rights are accorded to that consumer under this 
statute. This is just one of many Federal statutes that need to 
be considered in the context of this discussion today.
    The GAO report does commingle a variety of different 
business models under a single uniform ``information reseller'' 
term and then attempts to monolithically apply the OECD privacy 
guidelines across every business model and every product. In 
doing so, we think they make a mistake in thinking that Fair 
Information Practices frameworks can operate as a one-size-
fits-all yardstick. We disagree, and the guidelines themselves 
caution against such an approach. In fact, they state that the 
application of the guidelines should be considered in the 
context of different categories of personal information, 
different protective measures to be applied, depending on their 
nature and the context in which they are collected, stored, 
processed, and disseminated. We don't think that the GAO fully 
adhered to this OECD guidance itself, and there are certainly 
other privacy guidelines that are more contemporary than those 
of the OECD that were produced back in 1980.
    Again, the implication of the GAO's report is that 
congressional oversight was also incomplete and that its review 
of the industry sector's uses of personal information was 
insufficient. We disagree. The GAO does not properly account 
for the system, for example, of public records in this country 
and the inapplicability of many of the privacy principles to 
such public records.
    Just a couple of examples of how the actual privacy 
principles would or wouldn't apply.
    Consumer consent. If consumers had the ability to consent 
or to control data that would go into a fraud prevention tool, 
criminals could simply prohibit the kind of information we use 
to stop identity theft.
    Data quality. If a consumer could--if we applied data 
quality to the principle of public records in the way that we 
would under the way that we would under the Fair Credit 
Reporting Act, we probably couldn't aggregate a system of 
criminal histories in this country the way that we do today.
    Use limitations. How would you apply a use limitation 
concept to criminal histories or other types of public 
records--records of eviction, professional licensing--used for 
background screening in the way that we do today?
    Access and correction. If we allow all types of databases 
to be tied to an access and correction standard, then we are 
allowing a fraudster to have access to a fraud prevention 
system, and not only to do so but then to correct the 
information that is used to prevent the very fraud which they 
are going to attempt to commit.
    The GAO report states in its conclusion that, Given that 
reseller data may be used for many purposes that could affect 
an individual's livelihood and rights, ensuring that 
individuals have appropriate degrees of control or influence 
over the way in which their personal information is obtained 
and used--as envisioned in the Fair Information Practices--is 
critical.
    I don't know that we disagree with that, but we disagree 
with the application of the principles, as we have discussed in 
our testimony. A one-size-fits-all approach simply can't work 
for all types of data systems that we have discussed. We also 
don't think that the OECD guidelines should be used as an 
overlay for all of the Federal laws that do today regulate 
various aspects of personal information that are used in our 
society today.
    With that, we thank you for this opportunity to testify and 
we welcome your questions.
    [The prepared statement of Mr. Pratt follows:]
                 Prepared Statement of Stuart K. Pratt
    Chairmen Cannon and Chabot, Ranking members Watt and Nadler, and 
members of the committees, thank you for this opportunity to appear 
before you today. For the record, my name is Stuart Pratt and I am 
president and CEO of the Consumer Data Industry Association.\1\ Our 
members appreciate this opportunity to discuss our serious concerns 
with basic premises which underlie and methodologies employed in 
drafting the report written by the General Accountability Office (GAO) 
regarding the government's use of data provided by consumer data 
companies.\2\
---------------------------------------------------------------------------
    \1\ CDIA, as we are commonly known, is the international trade 
association representing over 300 consumer data companies that provide 
fraud prevention and risk management products, credit and mortgage 
reports, tenant and employment screening services, check fraud and 
verification services, systems for insurance underwriting and also 
collection services.
    \2\ The GAO employs the term information reseller and we have 
concerns with the use of the term which will be discussed later in this 
testimony. For example we do not believe that the term ``consumer 
reporting agency'' as defined by the Fair Credit Reporting Act should 
be commingled with other data products due to the specificity of law 
which regulates this product. The GAO fails to draw this distinction in 
its draft report.
---------------------------------------------------------------------------
             the recognized value of cdia members' systems
    CDIA's members are the leading companies producing consumer data 
products and services for both the private and public sector markets. 
The GAO report surveys governmental uses of our members' systems, but 
leaves the reader with a less than complete perspective on the value 
and effectiveness of such services. Consider the following examples of 
governmental uses of our members products and services:

          Preventing money laundering and terrorist financing 
        through investigative tools.

          Enforcing child support orders through the use of 
        sophisticated location tools.\3\
---------------------------------------------------------------------------
    \3\ In 2004 there were 5.5 million location searches conducted by 
child support enforcement agencies to enforce court orders.

          Assisting law enforcement and private agencies which 
---------------------------------------------------------------------------
        locate missing and exploited children through location tools.

          Researching fugitives, assets held by individuals of 
        interest through the use of investigative tools which allow law 
        enforcement agencies tie together disparate data on given 
        individuals and thus to effectively target manpower resources.

          Witness location through use of location tools.

          Entitlement fraud prevention, eligibility 
        determinations, and identity verification through fraud 
        prevention data matching and analytical products.

          Background screening for employment and security 
        clearances.

          Disaster assistance.

    Homeland security, law enforcement and entitlement program 
management are all faced with extraordinary challenges in accomplishing 
their missions. The GAO's report does not properly set the stage for 
understanding how difficult it is to accomplish their missions. 
Consider the facts regarding simply identity verification:
Personal identifiers change:
    While it probably doesn't occur to most of us, the identifiers we 
use in everyday life do change and more often than most might think. 
For example, data from the U.S. Postal Service and the U.S. Census 
confirm that over 40 million addresses change every year. More than 
three million last names change due to marriage and divorce. While 
trends in naming conventions are changing, this fact is still far more 
often true for women than men.
We use our identifiers inconsistently:
    It is a fact that we use our identifiers inconsistently for a wide 
variety of reasons. First, many citizens choose to use nicknames rather 
than a given name. However, there are times where, in official 
transactions, a full name is required, Some consumers, when hurried, 
use an initial coupled with a last name, rather than their full name or 
nickname. Consumers are also inconsistent in the use of generational 
designations (e.g., III, or Sr.). Finally, there are times where 
consumers themselves do make mistakes when completing applications, 
such as transposing a digit in an SSN. Thus, a consumer's identifiers 
may be presented in different ways in different databases and, in some 
cases, the data may be partially incorrect.
Personal identifiers are not always unique:
    We think of our names as a very personal part of who we are. 
However, our names are less uncommon and unique than we might think. 
For example, families carry forward family naming conventions leading 
to some consumers sharing entirely the same name. Further, U.S. Census 
data shows that both first and last names are, in some cases amazingly 
common. Fully 2.5 million consumers share the last name Smith. Another 
3 million share the name Jones and more than thirteen million consumers 
have one of ten common last names. First names are also used very 
commonly leading to common naming combinations. Eight million males 
have either the name James or John and a total of 57 million males have 
one of ten common first names. An additional 26 million females have 
one of ten common first names. Common naming conventions make it more 
difficult and in some cases impossible to depend on name alone to 
properly match consumer data.
Identifiers are shared:
    Our birthday is a unique day in our lives, but it is, nonetheless, 
a date shared with hundreds of thousands of others. Date of birth alone 
is not an effective identifier. Family members who live together end up 
sharing addresses and per our discussion above, where consumers share 
the same name due to family traditions and the address at which they 
live, distinguishing one consumer from another is complex.
Data entry errors do happen:
    Hundreds of millions of applications for credit, insurance, 
cellular phone services, and more are processed every year. There is no 
doubt that in the process of entering a consumer's identifying 
information errors can be made which carry forward into databases and 
into the reporting of data to consumer reporting agencies.
We do not always update our records:
    Consumers don't always remember to update records when they move or 
when portions of their personal identifying information change. For 
example, consumers are permitted to change their social security number 
under certain circumstances in addition to officially changing their 
names and while the percentages of consumers who take these steps is 
small relative to the U.S. population, such changes do affect data 
matching systems. It is important to know that some consumers try to 
separate themselves from their records on purpose and apply with the 
SSA for employer ID numbers (EINs) to use in lieu of their SSNs.\4\ A 
non-custodial parent who does not want to pay child support might 
employ such tactics in order to avoid being located and forced to 
fulfill a court order. A consumer who does not want to take 
responsibility for their mismanagement of credit and hopes that by 
using new identifying to separate himself/herself from a credit report 
is another example. Clearly fugitives are another example of a type of 
person who will employ tactics to try and separate themselves from 
their histories.
---------------------------------------------------------------------------
    \4\ The FTC investigates ``file segregation'' schemes. Here's what 
they say on their website about this activity: ``You're promised a 
chance to hide unfavorable credit information by establishing a new 
credit identity. The problem: File segregation is illegal. If you use 
it, you could face fines or even a prison sentence.''
---------------------------------------------------------------------------
    These facts about our identifying information demonstrate how 
challenging it is to match records with individuals and why the 
products, tools and services of our members are in such high demand.
    Let's now consider what government representatives themselves have 
said about the value they derive from the use of consumer reporting 
agencies and other consumer data companies. On September 8, 2005, the 
Department of Homeland Security held a workshop which explored its use 
of commercial data. This public meeting brought forward important input 
which informs the record of this hearing.
    Regarding identity verification, Grace Mastalli, Principle Deputy 
Director for the Information Sharing and Collaboration Program in DHS 
stated the following regarding the value of CDIA member services: 
``There are people without prescriptions, without driver's licenses, 
and it the commercial data sources, in many instances right now, that 
are facilitating not just placing people, but verifying their 
identities to the claims . . .we get to make sure that entitlements go 
to individuals who deserve them.''
    Regarding how our members' systems contribute to the accuracy of 
governmental systems, Mastalli indicated that ``we have sometimes used 
commercial data, not just to support identity authentication, but to 
assure the integrity of government data, and the accuracy of government 
data. Unfortunately, in many respects, the commercial enterprises have 
done better jobs of organizing and, what I call `cleaning' data to 
eliminate errors in data.''
    Mr. Jeff Ross, senior advisor in the area of money laundering and 
terrorist financing, in the Office of Terrorist Financing and Financial 
Crime at the Department of Treasury, also participated in this DHS 
workshop. He pointed out that many crimes have a financial aspect to 
them including narcotics trafficking, public corruption, terrorist 
financing, and organized crime in general. His comments help explain 
the investigative research value of CDIA member tools where he states 
``so commercial data bases are very important to us in law enforcement 
area to be used proactively . . . we have targets and need information, 
where you are trying, also, to find a specific individual or entity 
that should be involved . . . who could also be potential witnesses in 
a case.''
    Mastalli provided a very concrete example of how the sophistication 
of private-sector data matching tools contributes to efficient use of 
governmental law enforcement agents. She noted that ``. . . commercial 
database providers provide accurate data--often more accurate than some 
that we have, because they spend the time cleaning it and verifying it 
and have matching capabilities that we in government have not yet 
invested in to eliminate the 17 instances of an individual who has a 
phonetically spelled name being recorded as 17 people instead of one.''
    She goes on to explain that government cannot always anticipate 
what data might be of value to a particular investigation. Mastalli 
provided the following scenario: ``One extremely well-known law 
enforcement intelligence example from immediately post 9/11 was when 
there was a now well-publicized threat . . . that there might be cells 
of terrorists training for scuba diving underwater bombing, similar to 
those that trained for 9/11 to fly--but not land--planes. How does the 
government best acquire that? The FBI applied the standard shoe-leather 
approach--spent millions of dollars sending out every agent in every 
office in the country to identify certified scuba training schools. The 
alternative could and should have been for the Federal government to be 
able to buy that data for a couple of hundred dollars from a commercial 
provider, and to use that baseline and law enforcement resources, 
starting with the commercial baseline. One of the issues here is that, 
other than the name of the owner or manager of scuba diving schools, 
there was no personally identifiable data.''
    To further the point regarding the value of commercial data our 
members supply, consider the following two examples:
Example 1:
    In this example we learn how the aggregation of public records 
creates low-cost research efficiencies that ensure that ``shoe 
leather'' investigations conducted by highly trained personnel are 
truly are targeted and results-focused. One commercial database 
provider charges just $25 for an instant comprehensive search of 
multiple criminal record sources, including fugitive files, state and 
county criminal record repositories, proprietary criminal record 
information, and prison, parole and release files, representing more 
than 100 million criminal records across the United States.\5\ In 
contrast, an in-person, local search of one local courthouse for felony 
and misdemeanor records takes 3 business days and costs $16 plus 
courthouse fees.\6\ An in-person search of every county courthouse 
would cost $48,544 (3,034 county governments times $16). Similarly, a 
state sexual offender search costs just $9 and includes states that do 
not provide online registries of sexual offenders. An in-person search 
of sexual offender records in all 50 states would cost $800.\7\
---------------------------------------------------------------------------
    \5\ http://www.choicetrust.com/servlet/
com.kx.cs.servlets.CsServlet?channel=home&product=bgcheck&subproduct=def
ault&anchor=#. All RVI providers recommend that employers should 
supplement `no criminal record found' results with a local county 
records search before making a hiring decision as any national criminal 
database will not contain all current criminal records since 
courthouses add new records daily.
    \6\ Id.
    \7\ Assuming each in-person search costs $16, the same as an in-
person county courthouse search.
---------------------------------------------------------------------------
Example 2:
    While this next example is drawn from the private sector, it helps 
illustrate how fraud prevention and identity verification services 
reduce fraud and is analogous to the value of such systems when used by 
the government, as well. A national credit card issuer reports that 
they approve more than 19 million applications for credit every year. 
In fact they process more than 90,000 applications every day, with an 
approval rate of approximately sixty percent. This creditor reports 
that they identify one fraudulent account for every 1,613 applications 
approved. This means that the tools our members provided were 
preventing fraud in more than 99.9 percent of the transactions 
processed.
    The GAO paper should have done more to speak to the value of the 
commercially available data and analytical tools our members provide 
and not merely to provide an accounting of governmental uses. We hope 
that the above discussion will inform the this hearing record and set a 
more complete context for these committees' future deliberations.
                       concerns with gao's report
    Now having an appropriate context for truly understanding the value 
that our members' services bring to both the public and private 
sectors, I would like to discuss serious concerns we have with the 
GAO's presentation of current Federal laws and how they regulate our 
members' practices as well as their attempt to apply the 1980 
Organization for Economic Development (OECD) privacy guidelines to the 
practices of ``information resellers.'' We believe that a thorough 
understanding of the decades of congressional oversight and action is 
essential to today's hearing.
The State of Current Federal Laws
    The United States is on the forefront of establishing sector-
specific and enforceable laws regulating uses of personal information 
of many types. The GAO does provide an accounting of some of these Acts 
on page 18 of their draft report. Their accounting includes the Fair 
Credit Reporting Act (15 U.S.C. 1681 et seq.),\8\ The Gramm-Leach-
Bliley Act (Pub. L. 106-102, Title V),the Health Insurance Portability 
and Accountability Act (Pub. L. 104-191), and the Drivers Privacy 
Protection Act (18 U.S.C. 2721 et seq.).
---------------------------------------------------------------------------
    \8\ The GAO also lists the Fair and Accurate Credit Transactions 
Act of 2003 (Pub. L. cite), however this act is in fact a series of 
amendments to the FCRA.
---------------------------------------------------------------------------
    While the GAO relegates their discussion of statutory requirements 
to Appendix II of the draft report, we believe that such a discussion 
is essential and that it should have been included in the body of the 
report. In doing so, the GAO would have provided readers with a better 
one-to-one understanding of the operation of current laws in contrast 
with their views of the application of OECD guidelines US information 
practices.\9\ For example, it is important to note that, predating the 
Privacy Act of 1974 (and OMB implementing guidelines therein), the OECD 
Guidelines of 1980 and the Gramm-Leach-Bliley Act of 1999 (and 
implementing regulations therein), the E-Government Act of 2002 and the 
Federal Information Security Management Act of 2002, was enactment of 
the Fair Credit Reporting Act in 1970. Equally important is 
understanding the breadth of the application of this law in particular 
and thus why a discussion of consumer data companies in general should 
not be commingled with a discussion of the practices of consumer 
reporting agencies.
---------------------------------------------------------------------------
    \9\ CDIA has serious concerns about the attempt by the GAO to 
measure the acceptability of the practices of US consumer data 
companies, which are in fact regulated by US laws today. This concern 
will be discussed more fully later in this testimony.
---------------------------------------------------------------------------
    The FCRA applies to both the private and public sectors and thus is 
extremely relevant to today's discussion. It has been the focus of 
careful oversight by the Congress resulting in significant changes in 
both 1996 \10\ and again in 2003.\11\ There is no other law that is so 
current in ensuring consumer rights and protections are adequate.\12\
---------------------------------------------------------------------------
    \10\ See Pub. L. 104-208, Title II, Subtitle D, Chapter 1).
    \11\ See FACT Act Amendments (Pub. L. 108-159).
    \12\ It is also true that the Gramm-Leach-Bliley Act, Title V 
provisions regulating the use of nonpublic personal information is 
current due to the extensive role that federal banking regulators and 
the Federal Trade Commission play in drafting regulations, issuing 
guidance and enforcing the law.
---------------------------------------------------------------------------
    Key to understanding the role of the FCRA is the fact that it 
regulates any use of personal information (whether obtained from a 
public or private source) defined as a consumer report. A consumer 
report is defined as data which is gathered and shared with a third 
party for a determination of a consumer's eligibility for enumerated 
permissible purposes.
    This concept of an eligibility test is a key to understanding how 
Federal laws regulate personal information. The United States has a law 
which makes clear that any third-party supplied data that is used to 
accept or deny, for example, my application for a government 
entitlement, employment,\13\ credit (e.g., student loans), insurance, 
and any other transaction initiated by the consumer where there is a 
legitimate business need. The breadth of the application of the FCRA to 
how data is used to include or exclude a consumer is enormous. Again, 
this law applies equally to governmental uses and not merely to the 
private sector.
---------------------------------------------------------------------------
    \13\ This includes national security investigations, background 
checks for security clearances, basic employment screening processes 
for new hires, review processes for promotions, and more.
---------------------------------------------------------------------------
    Because personal information about consumers is used for decisions 
to accept or deny access to a consumer, they have fundamental rights 
which the GAO report does not discuss in any depth and which 
demonstrate why it is inappropriate to attempt to overlay a discussion 
of OECD privacy guidelines with this statute. Consider the following:

          The right of access--consumers may request at any 
        time a disclosure of all information in their file at the time 
        of the request. This right is enhanced by requirements that the 
        cost of such disclosure must be free under a variety of 
        circumstances including where there is suspected fraud, where a 
        consumer is unemployed and seeking employment, or where a 
        consumer is receiving public assistance and thus would not have 
        the means to pay. Note that the right of access is absolute 
        since the term file is defined in the FCRA and it includes the 
        base information from which a consumer report is produced.

          The right of correction--a consumer may dispute any 
        information in the file. The right of dispute is absolute and 
        no fee may be charged.

          The right to know who has seen or reviewed 
        information in the consumer's file--as part of the right of 
        access, a consumer must see all ``inquiries'' made to the file 
        and these inquiries include the trade name of the consumer and 
        upon request, a disclosure of contact information, if 
        available, for any inquirer to the consumer's file.

          The right to deny use of the file except for 
        transactions initiated by the consumer--consumers have the 
        right to opt out of non-initiated transactions, such as a 
        mailed offer for a new credit card.

          The right to be notified when a consumer report has 
        been used to take an adverse action--This right, ensures that I 
        can act on all of the other rights enumerated above.

          Beyond the rights discussed above, with every 
        disclosure of a file, consumers receive a notice providing a 
        complete listing all consumer rights. A separate GAO report 
        produced as a result of the FACT Act indicated that in a single 
        year, perhaps 50 million consumers see their files and receive 
        these notices.

          Finally, all such products are regulated for accuracy 
        with a ``reasonable procedures to ensure maximum possible 
        accuracy'' standard. Further all sources which provide data to 
        consumer reporting agencies must also adhere to a standard of 
        accuracy which, as a result of the FACT Act, now includes new 
        rulemaking powers for the FTC and functional bank regulators.

    The GAO report does not attempt to describe the delivery of 
products regulated under the FCRA and thus fails to properly inform the 
reader of the concomitant rights accorded in all of these cases. Every 
CDIA member mentioned in this report is operating, in part and 
sometimes solely as a consumer reporting agency. Therefore, in every 
case where products sold to governmental agencies were used for a 
determination of a consumer's eligibility, they were regulated by the 
FCRA with all of the rights discussed above. The GAO's report should 
have acknowledged this fact and discussed uses of consumer reports 
separately from other data products.
    Not all consumer data products are used for eligibility 
determinations regulated by the FCRA. Congress has applied different 
standards of protection that are appropriate to the use, the 
sensitivity of the data, etc. Our members produce and sell a range of 
fraud prevention and location products which are governed by other laws 
such as GLB.
    Fraud prevention systems deploy a diversity of strategies. In 2004 
alone, businesses conducted more than 2.6 billion searches to check for 
fraudulent transactions. As the fraud problem has grown, industry has 
been forced to increase the complexity and sophistication of the fraud 
detection tools they use.
    Fraud detection tools are also known as Reference, Verification and 
Information services or RVI services. RVI services are used not only to 
identify fraud, but also to locate and verify information for public 
and private sector uses. While fraud detection tools may differ, there 
are four key models used.

          Fraud databases--check for possible suspicious 
        elements of customer information. These databases include past 
        identities and records that have been used in known frauds or 
        are on terrorist watch lists, suspect phone numbers or 
        addresses, and records of inconsistent issue dates of SSNs and 
        the given birth years.

          Identity verification products--crosscheck for 
        consistency in identifying information supplied by the consumer 
        by utilizing other sources of known data about the consumer. 
        Identity thieves must change pieces of information in their 
        victim's files to avoid alerting others of their presence. 
        Inconsistencies in name, address, or SSN associated with a name 
        raise suspicions of possible fraud.

          Quantitative fraud prediction models--calculate fraud 
        scores that predict the likelihood an application or proposed 
        transaction is fraudulent. The power of these models is their 
        ability to assess the cumulative significance of small 
        inconsistencies or problems that may appear insignificant in 
        isolation.

          Identity element approaches--use the analysis of 
        pooled applications and other data to detect anomalies in 
        typical business activity to identify potential fraudulent 
        activity. These tools generally use anonymous consumer 
        information to create macro-models of applications or credit 
        card usage that deviates from normal information or spending 
        patterns, as well as a series of applications with a common 
        work number or address but under different names, or even the 
        identification and further attention to geographical areas 
        where there are spikes in what may be fraudulent activity.
Who uses Fraud Detection Tools?
    The largest users of fraud detection tools are financial 
businesses, accounting for approximately 78 percent of all users. 
However, there are many non-financial business uses for fraud detection 
tools. Users include:

          Governmental agencies--Fraud detection tools are used 
        by the IRS to locate assets of tax evaders, state agencies to 
        find individuals who owe child support, law enforcement to 
        assist in investigations, and by various federal and state 
        agencies for employment background checks.

          Private use--Journalists use fraud detection services 
        to locate sources, attorneys to find witnesses, and individuals 
        use them to do background checks on childcare providers.
Location services and products
    CDIA's members are also the leading location services providers in 
the United States. These services, which help locate individuals, are a 
key business-to-business tool that creates great value for consumers 
and business alike. Locator services depend on a variety of matching 
elements, but again, a key is the SSN. Consider the following examples 
of location service uses:

          There were 5.5 million location searches conducted by 
        child support enforcement agencies to enforce court orders. 
        Access to SSNs dramatically increases the ability of child 
        support enforcement agencies to locate non-custodial, 
        delinquent parents (often reported in the news with the moniker 
        ``deadbeat dads''). For example, the Financial Institution Data 
        Match program required by the Personal Responsibility and Work 
        Opportunity Reconciliation Act of 1996 (PL 104-193) led to the 
        location of 700,000 delinquent individuals being linked to 
        accounts worth nearly $2.5 billion.

          There were 378 million location searches used to 
        enforce contractual obligations to pay debts.

          Tens of millions of searches were conducted by 
        pension funds (location of beneficiaries), lawyers (witness 
        location), blood donors organizations, as well as by 
        organizations focused on missing and exploited children.

    Clearly location services bring great benefit to consumers, 
governmental agencies and to businesses of all sizes.
     cdia concerns with the gao's use of term information reseller
    As discussed above, part our concern with the GAO's report is that 
it commingles a variety of different business models under a single 
term ``information reseller'' and in doing so the report also 
commingles data products which are regulated under different Federal 
laws. For example, CDIA's members which are operating as consumer 
reporting agencies should not be discussed in the report as though they 
are not in fact highly regulated businesses. Similarly, CDIA's members 
which are defined as ``financial institutions'' under GLB are also 
highly regulated with regard to how information is to be used (see 
Section 502(e)) as well as though extensive federal agency rules 
prescribing how such information should be secured.
    By employing the term ``information reseller'' readers are left 
with the wrong impression that such a term may exist in law or that it 
is possible to consider the multiplicity of different business models 
(and products produced therein) that make up the consumer data industry 
as a single type of entity and one that, in the eyes of the GAO, is not 
highly regulated. It is exceedingly difficult, if not impossible, to 
make meaningful statements which have the breadth of those often made 
in the draft report regarding the practices of many different types of 
business models delivering different products and services. Finally, we 
also strongly disagree with paper's attempt to simplify a discussion of 
our members' businesses which are in fact highly regulated under a 
variety of sector-specific laws by attempting to apply a set of OECD 
guidelines as though there are not laws which were thoroughly debated 
by the congress over the years and which are mature and protective of 
consumer's today.
           cdia concerns with gao oecd guideline application
    Let me amplify on our concerns regarding how the GAO has attempted 
to apply the 1980 OECD privacy guidelines as a scorecard against which 
to evaluate the practices of CDIA members. Due to the GAO's mistaken 
assumptions about the breadth of the application of current laws, the 
GAO also makes the mistake of thinking that a fair information 
practices framework can operate as a one-size-fits-all yardstick. We 
disagree for a variety of reasons.
    First, we are concerned about how the GAO attempted to make use of 
the guidelines. Let us consider what the OECD said about their own 
guidelines:

        These Guidelines should not be interpreted as preventing:

        a) the application, to different categories of personal data, 
        of different protective measures depending upon their nature 
        and the context in which they are collected, stored, processed 
        or disseminated;

    Further to the question of how privacy guidelines are to be used, 
in the 1977 Report of the U.S. Privacy Protection Commission it was 
noted that ``[P]rivacy, both as a societal value and as an individual 
interest, does not and cannot exist in a vacuum. . . . [T]he privacy 
protections afforded [to societal relationships] must be balanced 
against other significant values and interests. It is very common to 
find such statements associated with guidelines because they are not 
considered to be definitive rules with equal applicability to all data 
flows. We do not believe that the GAO's report adheres to this guidance 
provided by the authors of the OECD guidelines themselves or fully 
accounts for the U.S. Privacy Commission's admonition regarding how to 
apply guidelines.
    Second, the GAO suggests, not purposefully, of course, but by 
omission that there is a single global opinion regarding which set of 
guiding principals is preeminent. To the contrary, consider the 
following:

          The 1973 HEW Report contains 5 principles.

          The 1980 OECD Guidelines contain 8 principles.

          The 1995 EU Data Protection Directive contains 11 
        principles.

          The 2000 FTC Report on Online Privacy contains 4 
        principles; and

          The 2004 APEC Privacy Framework contains 9 
        principles.

    Each framework has to be applied with care and not monolithically 
across all data uses however different they may be in terms of risk, 
use, content and so on. The GAO does not explain why a particular set 
of principles was chose and as previously stated, we believe that the 
GAO's methodology by which the OECD principles was applied is flawed.
    Third, as discussed above, there is an extraordinarily thorough 
record of congressional oversight of various industry sectors' uses of 
personal information. The U.S. has chosen a sector-specific structure 
to consumer data laws which ensures regulatory structures which are 
both appropriate to the data and which can be effectively enforced. 
Sector-specific laws and regulations exist today because of such 
oversight and due to the expertise of different committees overseeing 
different aspects of American business. The GAO, by implication and 
likely unintentionally, implies to the reader that all such oversight 
was incomplete and that a single evaluative standard is the right 
approach to analyzing our members business models and products. This, 
however, is a very fundamental flaw in the GAO's approach. Sector 
specific laws ensure that they are tailored to the industries, to the 
uses of data and to the risks involved. How healthcare data (i.e., 
HIPAA) is regulated is inevitably different than how one might regulate 
a telephone number (i.e., Do Not Call). Ultimately, tailored laws and 
regulations ensure that consumers are protected, but also are empowered 
by the data about them.
    Fourth, the GAO's one-size-fits-all approach to applying the OECD 
guidelines ignores a fundamental bifurcation that exists with regard to 
information use and that is the difference between consumer data 
products used for eligibility determinations and those which are not. A 
fraud prevention product, for example does not end a transaction, but 
provides a user with a ``caution flag'' which encourages the user to 
take additional steps to further authenticate a person's identity. As 
discussed above, where data is provided by our members for eligibility 
determinations such as employment or credit, the FCRA already provides 
a robust set of rights and protections for consumers. Regulation of 
consumer data where it is used for eligibility determinations is 
different than regulating consumer data used for fraud prevention or 
investigative location tool used by law enforcement. By not accounting 
for this essential bifurcation in uses, application of the OECD 
guidelines leaves readers with the wrong impression about how good data 
protection laws should operate.
    Fifth, the GAO does not properly account for the system of public 
records which exists in our country and which has been considered a key 
pillar in the success of our democracy. Unlike other nations, our 
government cannot withhold information about us from us. Governmental 
transparency is achieved through open records and freedom of 
information acts at the state and federal levels. The application of 
many aspects of any one of a number of principles works against a 
system that has been in place since the early days of our country's 
existence. The GAO's report does readers a disservice by not discussing 
the unique nature of public records and by attempting to apply the OECD 
guidelines to this system of records.
    To amplify on our general concern about the GAO's approach to 
applying OECD guidelines, let's now consider some specific illustrative 
examples.
Consumer Consent
    The report states that ``[r]esellers generally do not adhere to the 
principle that, where appropriate, information should be collected with 
the knowledge and consent of the individual.'' \14\ The reader is left 
with the wrong impression regarding the practices of our members, the 
laws which currently regulate them and the appropriate application of a 
consent standard. For example, the GAO does not attempt to apply a 
consent-based standard on a product specific basis or even a business-
model-specific basis, which is an inherent flaw in their methodology. 
If one were to apply such a standard to, for example, consumer credit 
reports, then the result would be to give consumers the ability to pick 
and choose which creditors' data would be reported to a credit bureau. 
Consumers could allow creditors they intend to pay on time to report 
and could prohibit from reporting those that they don't intend to pay 
on time or at all. The result would be to turn the nation's credit 
reporting system on its head and to affect the fundamental safety and 
soundness principle upon which our banking system has operated since 
the days of the great depression. In 1970, Congress recognized the 
inapplicability of this fair information practices concept since it 
would essentially work against the fundamental premise of data acting 
as an independent affirmation of a consumer's own willingness to pay, 
or otherwise qualify for a benefit. In a second example, of what value 
would an identity verification tool be if consumers who intend to 
commit fraud can decide which data will or won't be used? A third 
example involves public records. How does one apply a consent standard 
to records which are in the public domain? Through these examples, it 
is clear that consent is not a universal concept which can be applied 
to all data flows.
---------------------------------------------------------------------------
    \14\ Page 44, Draft Report.
---------------------------------------------------------------------------
Data Quality
    The title of the data quality discussion is ``Information Resellers 
Do Not Ensure the Accuracy of Personal Information They Provide.'' This 
is misleading. As discussed above, CDIA's members are committed to the 
quality of information they collect. Further, in all cases where the 
data is used to produce a consumer report used for an eligibility 
decision, the standard for accuracy is found in the FCRA.\15\ It is a 
standard that has been in place since 1970 (and amended extensively in 
both 1996 and again in 2003) and which applies to eligibility decisions 
such as applications for insurance, employment, government entitlements 
or credit. The GAO report does not properly acknowledge this fact or 
the breadth of the application of FCRA to consumer data transactions 
involving consumer reporting agencies. However, applying an accuracy 
standard to an investigative product used to locate individuals makes 
little sense. These location services are predicated on possible 
connections between addresses, names, etc., which are then followed up 
with direct contacts by law enforcement agents or collection agencies, 
for example. Location services are certainly high quality services and 
often are very precise, but since these products are not used to make 
an eligibility determination (e.g., job, credit) they are not regulated 
in the same way. This said, the quotes drawn included in this testimony 
regarding the high quality of consumer data products purchased by law 
enforcement or counterterrorism agencies (81% of users according to the 
GAO) speak for themselves. Like consumer consent, the concept of data 
quality cannot be applied in the same manner to each consumer data 
product as is implied by the GAO's methodology.
---------------------------------------------------------------------------
    \15\ The standard of accuracy in FCRA can be found at Sec. 607(a). 
A consumer reporting agency must use reasonable procedures to assure 
the maximum possible accuracy of the information in the report.
---------------------------------------------------------------------------
Use Limitations
    The GAO report states that ``[r]esellers do not generally limit the 
use of information beyond those limitations required by law.'' It is 
not clear what the GAO intends by this, but in fact both Title V of GLB 
and Section 604 of the FCRA do, for example, impose significant 
limitations on the use of nonpublic personal information and consumer 
reports respectively. The GAO's report does not acknowledge these use 
limitations in the context of their discussion. Further the GAO does 
not state that use limitations cannot apply to public records which are 
not gathered for purposes under the FCRA since such records are 
generally available to the general public directly from Federal, state 
and local agencies and courts. This said, the Drivers Privacy 
Protection Act does impose use limitations on records coming from state 
motor vehicle agencies. The draft report also states that ``[w]ithout 
limiting use to predefined purposes, resellers cannot provide 
individuals with assurance that their information will only be accessed 
and used for identified purposes.'' This criticism of the system of 
laws and contract is without basis. We have discussed the extent of the 
laws which impose a variety of use limitations and as evidenced by the 
GLB's service provider requirements (in effect since 2001), HIPAA's 
business associate requirements (in effect since 2003), and the concept 
of using contracts to limit use is an entirely appropriate system for 
consumer data companies. In fact many laws which restrict uses of 
information, also require that certifications through contracts be 
obtained.
Access and Correction
    CDIA's members when operating as consumer reporting agencies 
provide full access and a right of correction for all consumer reports. 
Consumer reports are used for eligibility determinations and thus our 
members fully agree with the application of this principle. However the 
application of an access and correction principle applied to a fraud 
prevention and location data base would result in empowering criminals 
to delete information that is used for pattern analysis and other 
analytics which help in linking suspects or key pieces of information 
necessary to stop fraud or to solve a case. The GAO's report does not 
properly describe the harmful application of an access and correction 
regime to location, investigative and fraud prevention systems which 
are not used to stop a transaction or prevent a consumer's access to a 
service or benefit (eligibility). In fact FTC Chairman Majoras stated 
in a letter responding to questions about the imposition of an access 
and correction obligation on information resellers:

        ``Before extending this approach to additional databases 
        [beyond FCRA], however, it is necessary to consider carefully 
        the impact of such extension. For example, requiring data 
        merchants to provide consumers with access to sensitive 
        information may itself present a significant security issue--in 
        some cases it may be difficult for the data merchant to verify 
        the identity of someone who claims to be a particular consumer 
        demanding to see his or her file. Similarly, for databases that 
        are used to prevent fraud or other criminal activities, 
        providing correction rights could pose serious problems; those 
        trying to perpetrate the fraud may take advantage of the right 
        to `correct' data to hide it from those they are trying to 
        defraud.''

    The GAO report states in its conclusion that ``[g]iven that 
reseller data may be used for many purposes that could affect an 
individuals livelihood and rights, ensuring that individuals have an 
appropriate degree of control or influence over the way in which their 
personal information is obtained and used--as envisioned by the Fair 
Information Principles--is critical.'' For all of the reasons discussed 
above, the GAO has failed to support this claim because:

          Their analysis does not properly account for the 
        severe regulation of consumer reporting agencies, and the 
        breadth of the FCRA's application to all eligibility 
        transactions which apply to all governmental transactions and 
        uses.

          In taking a one-size-fits-all approach, the analysis 
        does not properly account for the destructive consequences of 
        applying various principles in the same way to all business 
        models and product which make up the consumer data industry.

          In making this claim, the GAO often ignores or 
        undercuts decades of congressional oversight, legislative 
        enactments (FCRA, GLB, HIPAA, DPPA, etc.), federal regulatory 
        activities and law enforcement actions.
                               conclusion
    In conclusion, the members of the CDIA believe that the GAO's 
report is methodologically flawed and often misleads readers through 
the attempt to apply a once-size-fits-all analysis of a set of privacy 
guidelines. The consumer data industry does not consist of a single 
entity called an ``information reseller.'' It is an industry with a 
diversity of business models focused on the production of consumer 
reports, fraud prevention tools, location and investigative products, 
analytics services and more. CDIA's members create incredible value for 
the government agencies which use their services. The consumer data 
industry is a significantly regulated industry through sector-specific 
laws which tailor the component information use principles to the types 
of data, risks and uses involved. Our nation remains at the forefront 
of enacting enforceable laws and regulations with which our members 
commit themselves to complying each and every day.
    We appreciate this opportunity to testify and we welcome your 
questions.

    Mr. Cannon. Thank you, Mr. Pratt. We appreciate your 
testimony.
    Now the gentleman from Ohio is recognized for 5 minutes.
    Mr. Chabot. Thank you very much, Mr. Chairman.
    Ms. Cooney, I will begin with you, if I can. Would you 
elaborate on why privacy impact assessments are important, what 
they are good for, and how you have seen them work in action?
    Ms. Cooney. Certainly, I would be happy to. At the 
Department of Homeland Security it has been a very important 
tool, on the front end of any mission program that uses an 
information system to collect personal information, to really 
determine on the front end why are we collecting the 
information, what information do we really need, how long will 
we keep it, how accurate is the information from the sources 
that we are taking it in from, how will we handle it, how do we 
plan to share it internally or with other Federal agencies or 
even State and local first responders, and what are the 
possible redress mechanisms?
    So with a mission as critical as ours is to protect the 
homeland and security of the American people, we believe that 
it is also very critical that at each step, from the very 
beginning of a program through the entire lifecycle development 
of the technologies that we use to collect and store 
information, that we look critically at what we are doing and 
use some basic planning as we do those programs. To us, like in 
the private sector, it is important information management and 
it is good ethical Government behavior.
    We have met with cooperation, really, throughout the 
Department in making that operationalized across business lines 
and it has been a very satisfactory experience.
    Mr. Chabot. Thank you very much.
    Ms. Koontz, let me turn to you, if I can. What did the GAO 
find in terms of the security of personnel information in the 
GAO report? I know that you have already talked about it to 
some degree, but could you elaborate a little on that?
    Ms. Koontz. Sure. We found that the four Federal agencies 
that we reviewed had put security protections in place to deal 
with reseller information. For example, all four of them told 
us that they had instituted passwords and other access controls 
to make sure that there wasn't unauthorized access to reseller 
information. Some of the agencies also had restricted access to 
very sensitive reseller information only to those personnel who 
have a need to use that kind of thing.
    Some of the law enforcement agencies as well use something 
known as cloaked logging. That is a procedure that actually 
masks the searches that law enforcement personnel do against 
reseller data so that even the vendor doesn't know what kind of 
searchers are being done. And this is a way of protecting the 
integrity of the investigations and making sure that subjects 
of investigations cannot be tipped off as to the existence of 
them.
    That being said, I think Federal agencies realize that the 
security is an important component. We did not do a test of 
security controls at the four agencies we reviewed so we can't 
make an assessment of the efficacy of the controls that they 
have in place. And work that we have done Government-wide on 
security indicates that we found security weaknesses in almost 
every area in the 24 major agencies, including the four 
agencies that we reviewed.
    Mr. Chabot. Thank you very much.
    Mr. Swire, do the same security concerns exist with Federal 
Government's maintenance of personal information as exist among 
commercial data companies?
    Mr. Swire. Well, many of the challenges are the same. The 
Government uses overwhelmingly commercial software now, and 
they are using platforms and vendors that are very, very 
similar.
    The Federal Government has some special challenges, though. 
There are classified systems for some systems, and that is a 
much harder standard to live up to. And also the Government 
probably has lagged, despite FISMA and GISRA and these security 
statutes, it has probably lagged the private-sector best 
practices. It has been hard sometimes to get the personnel in 
place, it has been hard to get the resources. So it has been a 
very big challenge and the scorecards haven't always been 
satisfactory.
    Mr. Chabot. Thank you.
    And finally, Mr. Pratt, I would like to turn to you. What 
security policies are in place to ensure that citizens' 
information is not easily accessible by identity thieves or 
computer hackers?
    Mr. Pratt. Well, I think the best baseline that we can see 
in guidance and law and regulation would be those that we find 
in the safeguards rules under Gramm-Leach-Bliley Act, which 
apply not--really are applied across the board in many of our 
member companies today. So that includes technical safeguards, 
strategies that you would use simplistically--firewalls, if you 
have online or offline systems. It includes employee training, 
it includes employee background screening, it includes the 
types of strategies discussed by the GAO in terms of, you know, 
password access, how quickly passwords are changed and cycled 
through, for example.
    It includes even physical safeguards--who has access to a 
data center, who can in fact get in and potentially walk out 
with a hard drive that might contain sensitive personal 
information.
    So when you have the technical, the physical, as well as 
the employee-based safeguards, you have, really, three legs of 
a key stool which we need to ensure is applied to really all 
kinds of sensitive personal information.
    Mr. Chabot. Thank you very much. My time has expired, Mr. 
Chairman.
    Mr. Cannon. The gentleman yields back.
    Mr. Nadler. The gentleman from New York, the Ranking Member 
of the Constitution Subcommittee, is recognized for 5 minutes.
    Mr. Nadler. Thank you, Mr. Chairman.
    I would like to ask all the panelists, given the importance 
of privacy impact assessments, as Ms. Cooney stated, do you 
support a broader requirement that agencies prepare privacy 
impact assessments for rules involving the collection of 
personally identifiable information in all Government agencies?
    Start with Ms. Cooney, then everybody else.
    Ms. Cooney. Thank you. I would say that certainly under 
Security 222 of the Homeland Security Act we read the 
requirement by Congress to really require DHS to undertake 
those types of privacy----
    Mr. Nadler. No, no, clearly my question is do you think 
that Congress should extend that to other agencies?
    Ms. Cooney. We found it helpful at DHS. I am not sure what 
the Administration view is, but I can tell you from our 
experience it has been a very helpful process.
    Mr. Nadler. So you would think it a good idea to extend it 
to other agencies?
    Ms. Cooney. It may be.
    Mr. Nadler. Okay. Ms. Koontz?
    Ms. Koontz. What we found in our work is that the privacy 
impact assessments were not being done consistently from agency 
to agency. And that was something that concerned us very much. 
And as Ms. Cooney said very articulately, the privacy impact 
assessments are a very powerful tool before you start building 
an information system, before you start collecting information, 
in order to assess what the privacy implications are and then 
to put the controls in place up front. And to the extent that 
they are made publicly available, I think they contributed to--
--
    Mr. Nadler. Are you suggesting--this is for new rules. Is 
it your suggestion that we need better enforcement of them?
    Ms. Koontz. I think we need better implementation of the 
existing requirements and I think that we saw that what 
Homeland Security put in their guidance to be a model that 
could be expanded to other agencies.
    Mr. Nadler. Thank you.
    Professor Swire?
    Mr. Swire. I do support broadening the PIA's application to 
rules. I think we have used that they are a useful tool. There 
is an issue about scope. You don't want to have it for things 
that only have a tangential relationship to a couple of 
people's data. But in terms of enforcement, I think that goes 
back to having OMB or the White House have a privacy office to 
make sure agencies aren't falling down on the job. So you 
spread it to the rules and then you have some coordination 
across agencies.
    Mr. Nadler. Thank you.
    Mr. Pratt?
    Mr. Pratt. I think from our perspective, really, you have 
at DHS a good model for how an agency should oversee the uses 
of private-sector information as well as data that would be 
gathered under the aegis of the public agency. So to the extent 
that you are suggesting other agencies that may use sensitive 
personal information might need a similar infrastructure of 
knowledgeable and highly trained individuals, that makes sense 
to us. Certainly in the private sector we have chief 
information privacy officers, we have the same types of reviews 
in the financial services industry that go on with regard to 
how information is used and protected and so on. So I don't 
think that we ever have a problem with agencies understanding 
how to protect and secure and use responsibly information they 
obtain.
    Mr. Nadler. I thank you.
    Professor, do you think we could benefit from agency 
privacy ombudsmen in other parts of the Government?
    Mr. Swire. Well, there have been efforts to spread it. I 
think there may be up to three or four different executive 
orders or executive statements that say agencies are supposed 
to have privacy offices, but implementation has really been 
uneven over time.
    So there are a number of agencies that haven't been nearly 
as institutionalized as Homeland Security and haven't been as 
systematic in----
    Mr. Nadler. See, so again, as in your answer to the 
previous question, if we had an office in the White House or 
somewhere to make sure that all the agencies were complying 
with privacy impact statements or with having the ombudsman 
function properly, or the agency offices, whatever we want to 
call them, function properly.
    Mr. Swire. I can offer some perspective from having been in 
that seat. It gives you one person to criticize by name. And 
that has a very powerful effect, seeing your name in the 
newspaper as a bad guy, and it leads you to try to get other 
people to cooperate and make it all work a little bit better.
    Mr. Nadler. It gives you a motive.
    Mr. Swire. Yeah.
    Mr. Nadler. Thank you.
    Again, Professor Swire, to the extent that data processing 
operations might move overseas, what protections do we have or 
ought we have that we don't have to extend our protections for 
that eventuality?
    Mr. Swire. Well, this issue of overseas has been a powerful 
issue that people are looking at. I must say, I have a slightly 
different perspective because the United States complained very 
much when Europe tried to do that to us. And Europe had in a 
privacy directive rules that they wouldn't let data go to the 
United States, and we wanted to make sure that American 
companies could use that data responsibly.
    I am a step more cautious. I think it is always good to 
have the contractors under very good controls and make sure 
those controls work. I am not personally as sure that we should 
make a big line about overseas or not.
    Mr. Nadler. Could I just ask if anybody else would want to 
comment on that question? Ms. Cooney?
    Ms. Cooney. Thank you, Mr. Nadler. I would like to tell you 
that there is work presently going on that the Federal 
Government is very involved in, and we are included in that 
work in the DHS Privacy Office, both in the Organization for 
Economic Cooperation and Development and in the APEC forum in 
working on cross-border enforcement on privacy issues. There 
has been some work already accomplished in certain areas, such 
as combatting spam, and that has been fairly effective.
    What we have found so far is that it is not done solely by 
privacy practitioners or privacy enforcement officers, but it 
might be done by consumer protection folks in certain areas, 
criminal law enforcement in others, privacy professionals 
working together.
    So I would want you to know that that is an active part of 
the agenda that we are working on as Federal partners in that.
    Mr. Nadler. Thank you. Anybody else?
    Thank you, Mr. Chairman.
    Mr. Cannon. The gentleman yields back.
    Mr. Franks, the gentleman from Arizona, is recognized for 5 
minutes.
    Mr. Franks. Well, Thank you, Mr. Chairman.
    I want to direct this to anyone at the--in fact, I would 
like, maybe, for everyone to take a shot at it. I am wondering, 
in terms of what really are the challenges that we face to keep 
people's data secret and accurate, is it more of a policy issue 
that needs to be changed here from Congress, or is it more of a 
mechanical issue of just the reality that, with the expansion 
of computer technology and all of the different things that 
happen today, is it more of a technology challenge or is it 
more of a policy challenge?
    Mr. Pratt. I will take a first stab at this. First of all, 
I do think that in this country we need to protect, under the 
rule of law, sensitive personal information no matter who 
gathers it. Some of the different laws that we have discussed 
in our testimony, which are also accounted for in the GAO 
report, do deal with sectors of business in this country where 
we have to secure and protect that information. The Gramm-
Leach-Bliley Act information safeguards rules are a good 
example.
    Certainly our membership has testified before several 
different Committees saying that information safeguards 
standards should apply to anybody who is going to gather 
sensitive personal information such as my name and my address 
and my Social Security number in that combination.
    I think there are several effects to that, by the way. 
First of all, fewer folks will gather that information. They 
will think about it first. And that is good, because they 
should. And if they are going to gather it, they should protect 
it under that three-legged stool we have discussed. And I think 
in doing so, it does create an enforcement mechanism also, 
where there is failure in the marketplace. We think those are 
all good outcomes that could result from the enactment of law 
that would do that. There are several Committees that are 
focused on that now that I think would move forward with an 
effective program for protecting sensitive personal 
information.
    It is also education, though. And I would say within the 
last 5 years, certainly the last decade, what we know and think 
about as information security is very different than it was 10 
years ago. And certainly the velocity of change with technology 
makes it very challenging.
    Mr. Swire. I think it is very much a policy issue where the 
hard things come in. There is a lot of consensus on data 
security. You can get pretty much everyone to agree on the 
list. But which data is the right data to use? And this IRS 
example from my testimony is one example. Should your tax 
preparation agency be able to resell your data or not? They can 
have perfect security, it is just a question of whether that 
company should be reselling it or not. That is a policy 
decision. That is where I think a lot of the work has to 
happen.
    Mr. Franks. Ms. Cooney?
    Ms. Cooney. Thank you. I think the point that I would like 
to make is that the process of data security and information 
security practices is not one-size-fits-all and it is not a 
one-step process. It is an iterative process. I think Mr. 
Pratt's reference to the GLBA safeguards rule is very important 
and that those general guidelines can be used across Government 
systems as well as in the private sector, keeping in mind, as 
they require it, that it is an iterative process and you need 
to keep looking at your process both from a technology 
standpoint, from a personnel standpoint, and from a policy 
standpoint in terms of why do you need to keep this data and is 
it the right data to keep.
    On the accuracy issues, and it somewhat answers your 
question, in terms of the application of the Fair Information 
Practices principles to data accuracy in the private sector for 
commercial resellers, whether all those principles should apply 
or would easily apply is something that could be discussed. But 
certainly a focus on allowing individuals some access to their 
information to correct the information really should be looked 
at, because originally that information would have been 
collected for very different purposes. Many citizens may not 
even know that a data aggregator has their information. And it 
is a matter of fairness as well as carefulness with the 
information.
    Mr. Franks. So just to expand on your thought there, much 
like the credit data that we access, you are convinced that 
something along those lines for generalized data, that the 
consumer would always have the right to ascertain what that 
was, or at least in nonsecurity issues?
    Ms. Cooney. Right. In many circumstances, when it doesn't 
touch law enforcement or national security in particular, 
although even in our case we need to be very concerned on our 
end in the Federal Government to check on data accuracy.
    Mr. Franks. My time is almost gone. Mr. Pratt, let me skip 
quickly to you, sir. With the proliferation of ID theft, a lot 
of times you can identify a particular culprit. Is this escape 
of data happening mostly in Government databases or is it 
private databases? Is there any one--is it just generalized or 
is there some kind of particular area where we are 
hemorrhaging?
    Mr. Pratt. It is difficult to pin it down. Certainly, for 
example, it could be as simple as somebody driving down the 
street at the right time of the month to pick up your mail, so 
you have something as simple as mailbox fraud. We saw last year 
about 50 percent of all the media coverage focused on 
universities that were losing sensitive personal information, I 
think probably because they were at that time using Social 
Security numbers as student ID. I think a lot of universities 
have begun to change that practice.
    So no, sir, I don't think there is any one place you can 
go.
    To your point, by the way, about the Fair Credit Reporting 
Act and having access, let me just say it this way. The Fair 
Credit Reporting Act is a terrible title for the law because, 
in fact, the law applies to any kind of eligibility decision. 
So any time data is used to deny me something, I can't get it, 
I have a right of access. I have a right to correct it. I have 
a right to expect that it was accurate in the first place. I 
have private rights to enforce, I expect the Federal Trade 
Commission to enforce, State attorneys general to enforce.
    So I think it is very important. That was one of the issues 
we had with the way the report was structured, is you might 
walk away from that thinking that there was not this very, very 
broad-based law that said whether it is my employment 
application, my application to purchase a home, my application 
to get a cellular phone account, my application to obtain a 
utility--no matter how and where a consumer report is used, not 
a credit report but a consumer report--I have all of those 
rights that we have just begun to discuss. So I do think we 
have a law on the books that is quite a bit broader than maybe 
the title would imply.
    Mr. Franks. Thank you.
    Thank you, Mr. Chairman.
    Mr. Cannon. The gentleman yields back.
    Mr. Scott.
    Mr. Scott. Thank you, Mr. Chairman.
    I guess my first question is a little more basic. Who are 
we talking about? Who are these resellers?
    Ms. Koontz. I assume you mean the names of the companies?
    Mr. Scott. Well, if you want to leave the names out, just 
describe them.
    Ms. Koontz. For our study, we defined information resellers 
as being businesses that collect and aggregate information, 
personal information about individuals and make them available 
to consumers. So it is rather broad.
    Mr. Scott. To consumers or to businesses?
    Ms. Koontz. And to businesses, yes. To their customers.
    Mr. Scott. The purpose for which you are gathering the data 
can vary depending on what it is going to be used for. You 
could be just compiling a mailing list. Is that what you are 
talking about?
    Ms. Koontz. I think we are talking about information 
resellers who then collect this information and then they 
convert it into information products, some of which are used 
for marketing, some of which are used for other purposes.
    Mr. Scott. Well, if you are using it for marketing you can 
get a list that would be interested--where a certain product 
would be interested in marketing to that group of people.
    Ms. Koontz. Mm-hm.
    Mr. Scott. Could be 80 percent accurate, but that is good 
enough for mass mailing. Because it is better than kind of 
saturation mailing. You knocked off 75 percent of the people 
you don't want to mail to. Are we talking about that, too?
    Ms. Koontz. Well, that is some of it. Some of it is for 
marketing purposes. But I think you have hit on a key point 
that we talked about in our report, is that the privacy 
principles basically talk about accuracy for a specific 
purpose. And the specific purpose in this case is often 
determined by the user. So it is difficult for the reseller to 
assure the degree of accuracy for a particular purpose because 
they are not the ones that are determining that purpose.
    Mr. Scott. Well, you don't care whether it is accurate or 
not if all they are going to do is just mass mail. If the 
Government gets hold of it, it is going to take some adverse 
action based on this kind of superficial dragnet where you come 
in and gather up a lot of names, most of which would be in the 
category you are aiming at, where the person gathering the data 
didn't have any interest in accuracy. So what do you do in that 
case? Is that the information we are talking about?
    Ms. Koontz. That is part of the information that we are 
talking about. There are all kinds of information products that 
are offered by resellers. And I think it does put more of a, 
shall we say, an obligation, too. In this case we are talking 
about the use of these data products by Federal agencies and it 
puts, I think, an obligation on the part of the Federal agency 
to determine that the accuracy is appropriate for the use that 
they are using it for. Which is, for example, the reason that 
law enforcement corroborates this information with other 
sources before they take any action against an individual.
    Mr. Scott. Is the information subject to the Freedom of 
Information?
    Ms. Koontz. I don't know.
    Mr. Swire. There is a privacy exception to the Freedom of 
Information Act and it often would prevent a Freedom of 
Information Act request from going through.
    Mr. Scott. To get the whole list?
    Mr. Swire. Yes.
    Mr. Scott. If you are doing law enforcement activities, do 
I understand that the Levy Guidelines are no longer in effect, 
where you had to actually be investigating a crime before you 
started gathering information on people? Professor?
    Mr. Swire. Yes, that is correct. They were changed very 
substantially after 9/11.
    Mr. Scott. Before 9/11, before you started gathering 
information on people and setting up dossiers, you had to 
actually be investigating a crime, not just gathering 
information. Is that right?
    Mr. Swire. There were detailed predicates for each stage as 
the investigation went further, yes.
    Mr. Scott. And that is no longer in effect, so the 
Government is now just gathering information?
    Mr. Swire. There are guidelines that Attorney General 
Ashcroft issued. I have read them, but I don't have them 
clearly in my head. They are quite a bit more permissive, 
because the idea is share data and use data more intensively.
    Mr. Scott. Professor, did I understand you to say there is 
some idea that you could actually sell tax records?
    Mr. Swire. Well, this was actually a subject of a public 
hearing today somewhere else in town. But H&R Block or any 
other tax preparer, under the proposed rule, would be allowed 
to sell tax records or databases of tax records for the first 
time to outside parties.
    Mr. Scott. That is records that they prepared?
    Mr. Swire. That they prepared for you as the taxpayer. If 
you signed off, as one of your signatures to them, they would 
then be able to resell that.
    It got quite a press hit a couple of weeks ago, when people 
found out about it. And deserves to.
    Mr. Scott. Thank you, Mr. Chairman.
    Mr. Cannon. The gentleman yields back.
    Ms. Wasserman Schultz, did you have questions?
    Good. Thank you. The Ranking Member is recognized for 5 
minutes. Mr. Watt?
    Mr. Watt. Thank you, Mr. Chairman.
    Ms. Koontz, I know you all did the study and you are not 
doing policy, but I particularly wanted to hear from you and 
Mr. Pratt about whether you thought that Professor Swire's 
suggestion that we reinstitute a privacy officer in the White 
House that has kind of umbrella authority from agency to 
agency, whether you think that is a good idea, whether there 
are particular good pros to doing that or particular bad cons 
to doing that.
    I will ask that question of you, if you can address it from 
a policy perspective. And I would like to get Mr. Pratt's view 
on it, too.
    Ms. Koontz. We haven't studied the question of the need for 
a privacy officer in OMB or in the Executive Office of the 
President. I can see, though, that the idea probably has some 
merit, in terms of further discussion, as a way of having a 
focal point for privacy issues and the Federal Government. I 
mean, I think we have seen some benefits from, for example, 
within the Department of Homeland Security, where you have a 
highly placed official who has a broad privacy responsibility, 
and that seems to be something that is useful in terms of 
looking at these policy issues.
    Mr. Watt. Mr. Pratt?
    Mr. Pratt. Our association hasn't actually studied that 
same question any more--so I suspect--than the GAO. My first 
reaction is that sometimes centralization can be a red flag, 
because you start to remove the expertise and the knowledge you 
might need. So the knowledge you might need in HHS might be 
different than the knowledge you might need in DHS.
    So I don't know if a--just off the top of my head, I don't 
know if a central office would make things better or if it is 
just simply important to make sure that there are knowledgeable 
professionals who are thinking about data use issues on an 
agency-by-agency basis.
    And of course Federal Trade Commission has established its 
new division, which does focus on information use and identity 
theft issues as well as----
    Mr. Watt. Who is that? I am sorry.
    Mr. Pratt. The Federal Trade Commission has established a 
new division under the Bureau of Consumer Protection, which 
focuses specifically on information protection and identity 
theft. So there is an office there that focuses on data flows 
in that regard.
    Mr. Watt. Under what authority is it doing that, and is 
that----
    Mr. Pratt. It is not the same principle. It isn't the same 
principle as an omnibus individual, if you will, at the level 
of the White House. They really oversee--their scope of 
authority would be no broader than the FTC's scope of authority 
generally in the marketplace.
    Mr. Watt. Do you concede that despite the concerns, the 
potential on the downside that maybe having a more consistent 
set of principles across the Government would be facilitated by 
this suggestion?
    Mr. Pratt. I don't know yet because, again, one of the 
difficulties we have even had with the GAO report, and we 
certainly appreciate the hard work that the researchers did in 
putting it together, it demonstrates one of the difficulties, 
and that is we feel that the GAO took the principles and 
applied them too monolithically across something called an 
information reseller. And really, to Mr. Scott's question, I 
suppose information resellers are consumer reporting agencies. 
They may be financial institutions under the Gramm-Leach-Bliley 
Act, consumer reporting agencies under the Fair Credit 
Reporting Act. So I don't know if centralizing expertise works 
better than just simply making sure that you have knowledgeable 
individuals operating at an agency level.
    Again, I think also I am probably not in the best position 
to discuss the effectiveness of the current operation of the 
Privacy Act or the OMB guidelines that implement that. It is 
probably the domain of Professor Swire.
    Mr. Watt. Professor Swire, there was a lot of debate about, 
when this Privacy and Civil Liberties Oversight Board was set 
up, about whether it should have subpoena power. I know that 
the Agency just got structured in February--I mean the people 
who were appointed. But can you just give us kind of the pros 
and cons of--or maybe better, even, what are the real problems 
with not having subpoena power?
    Mr. Swire. Well, there are various jobs the Privacy and 
Civil Liberties Board could do. One of them is to be inside the 
executive branch during clearance, when they are trying to 
figure out how do you do a new program. And I don't think 
subpoena power is needed for that. That is talking to the 
people, being in the room, building confidence that the board 
can help.
    When it comes to finding out if there are problems out 
there in the agencies, there is a question of how you find that 
out. One way is to go to the IGs, right. We have Inspectors 
General, and especially if we have some good whistleblower 
protections so the people are allowed to talk to the IGs, then 
that may be one way to do the investigation.
    If you think that is not working, then you look around, who 
else might do it? It could be the Department of Justice, but 
you have to have a good step toward a criminal investigation. 
If you don't have that, then maybe somebody else, like this 
board, with subpoena power might be your best chance to find 
problems in the agencies and do something about it.
    It really has to do with whether the IG system is working, 
because they were supposed to be the ones to subpoena, and 
whether you need a second look with some expertise.
    Mr. Watt. Can I just ask one more question, Mr. Chairman?
    Ms. Cooney, how is your office going to coordinate with 
this Privacy and Civil Liberties Oversight Board? How do you 
see these two things meshing together, Homeland Security and 
this oversight board?
    Ms. Cooney. Sure. Under the oversight board there actually 
is a Privacy and Civil Liberties Officer for the DNI. We 
coordinate with that Privacy and Civil Liberties Officer now, 
Alex Joel, in a very cooperative way. As he is setting up his 
operation, he has come to DHS to ask us what our experience has 
been, for advice on the startup. And we are working very 
closely right now, along with others, including the new Privacy 
and Civil Liberties Officer and DOJ and others, on building in 
a privacy architecture for the information sharing environment 
across the Federal Government.
    So I think it is going to be a very collaborative process 
and it has been very positive so far.
    Mr. Watt. Thank you, Mr. Chairman.
    Mr. Cannon. I would like, before I ask a couple of 
questions here, I would like to thank the panel for being here 
today. It think this report is very, very helpful, Ms. Koontz, 
and you have done a remarkable job in helping us to understand 
it.
    Ms. Cooney, we appreciate what you have done. Can I just 
ask, are you coordinating with the people at Justice that are 
setting up the same process that you are doing? Could you 
comment on that briefly?
    Ms. Cooney. Yes, we are. Actually, before the appointment 
of the Privacy and Civil Liberties Officer there, we worked, 
really, for several months before that in providing advice in 
terms of our experience, our budget, the type of personnel that 
we have hired, which is quite multi-disciplinary. And as Mr. 
Pratt noted, it takes expertise along a wide range of areas. We 
have technology experts, we have policy experts, we coordinate 
closely with our Office of the General Counsel on legal issues. 
And I am very proud to say we have a Chief Counsel to the 
Privacy Office, who is embedded with us, reporting to our 
General Counsel, so that is very cooperative.
    We have a compliance team that has a private-sector 
background. We have folks who had enforcement and compliance 
experience in the Government realm. We have international. All 
of those things are really needed if your agency does work 
across a wide scope and has a lot of different dynamic 
programs.
    We have shared that type of information with the Department 
of Justice. And since Jane Horvath has joined the Department of 
Justice, we have met several times, e-mail, talk about issues. 
And I think that is the way it should be, and we are happy to 
do that.
    Mr. Cannon. Well, I--you know, if you look at DHS, which is 
hard to do because it is so big--it takes the Almighty to 
comprehend it, and I am not sure it would take the Almighty, 
but it is beyond my capacity to understand the Department of 
Justice. It seems to me that the idea, and I guess it goes to 
your comment, Mr. Pratt, that having a decentralized process 
may be helpful.
    But Professor Swire, we appreciate your comments and look 
forward to working with you on what a of a--how we would sort 
of oversee this whole process. I think it is vitally important 
that we take these huge, monstrous organizations and get them 
thinking about what they do, and then cumulate activity rather 
than mandating it. But at some point, you have to have some 
kind of overarching oversight of that. So we will revisit that.
    Mr. Pratt, can I ask a couple of questions of you? The GAO 
has reported that information resellers generally allow 
individuals limited access to correct their personal 
information. Why can't individuals get data about themselves 
corrected when it is wrong? And if the consumer reporting 
agencies are able to accommodate such corrections, as they are 
required by the Fair Credit Reporting Act, why can't 
information resellers do likewise?
    Mr. Pratt. Really, it depends. Again, it is just taking 
that Fair Information Practice, and then we have to walk 
through the various products that it might apply to. So as you 
say, consumer reports, absolutely. Those reports are used to 
deny me access to a benefit or service. And that is one of the 
basic fair information principles we are working off of. If I 
can't get something because information has told the user that 
I should not get the credit, I should not drive off the car lot 
with the car, then that makes sense to us and we understand 
that.
    A fraud prevention product is another type of data product 
that is used. A fraud prevention product, were we to disclose 
it, would mean we are disclosing the recipe, because we would 
be disclosing the various data elements which are cross-matched 
which raise a yellow flag.
    Now, a fraud prevention product doesn't deny me access, but 
it probably slows me down. Somebody is going to ask me more 
questions. You know, Congressman Cannon, are you really who you 
say you are; can I have another item of identification from you 
to make sure that you are who you say you are.
    And I think that is also true of some of the investigative 
tools that we have, location tools. In other words, a location 
tool really just--and I have seen some about me, where it will 
show where I have lived previously. And so it is not really--it 
just says you lived in Houston, Texas, for a period of time, 
one of your friends now lives in Los Angeles. It really just 
shows an investigator how they might candidly conduct a 
national security investigation were I applying for a national 
security level of clearance. So that is a different kind of 
tool.
    So accuracy and how you apply accuracy really pivots, I 
think, off of that.
    In terms of correction, though, public records are a 
particular challenge. Because if you have a court record and 
you have simply taken that same image data and put it into a 
national database, the real key to correcting that is to make 
sure the consumer knows how to get back to the court in order 
to correct the information in the first place. Because if you 
don't correct it at the courthouse, it is still publicly 
available, there are is still a Web site from which you can 
obtain it, and in fact all you have done is fix the 
intermediate source.
    And by the way, that principle was corrected in the Fair 
Credit Reporting Act to ensure that a reseller in the context 
of a consumer reporting agency, where access and correction do 
apply, that the consumer would be referred back to the data 
source in order to correct it at the source rather than to try 
to correct it at the mid level.
    Mr. Cannon. Let me just get one more question before my 
time expires.
    When a data breach occurs, shouldn't an information 
reseller be required to notify those whose information was 
compromised? And if so, how should notification take place? 
What follow-ups, if any, should be required of information 
resellers to monitor compromised information?
    Mr. Pratt. Well, I don't know that we think about it in 
terms of information resellers. There are several different 
bills that have been worked on by various Committees, and the 
fundamental question is, when you have a certain type of 
information that we tend to think of as sensitive personal 
information--If I have secured it in the first place, of 
course, I have done the right thing. If for some reason my 
security protocols have failed, yes, we think that there is a 
risk of identity theft, a significant risk of identity theft. 
Absolutely.
    The reason we make that distinction, Mr. Chairman, is 
because there are cases where a laptop is stolen, but when you 
do the forensics on the laptop, you determine that it was 
really stolen in order to just simply fence the laptop. And in 
fact it was never opened, it was never started back up again, 
nobody ever looked at the data, the hard drive wasn't tampered 
with. So notifying a thousand consumers that their data was on 
a hard drive of a laptop that was stolen that was never dealt 
with from a technology perspective probably creates false 
positives which move consumers away from really being 
proactive.
    So we think the key to good notices is the trigger--when 
should I do it so that you and I as consumers really can act on 
other rights that we should have.
    Mr. Cannon. Of course the question does occur, who makes 
that judgment?
    Mr. Pratt. It is a difficult one, yes, sir.
    Mr. Cannon. Thank you.
    We appreciate your being here today. Since we don't have, I 
don't think, any further questions, we will now stand 
adjourned.
    [Whereupon, at 1:21 p.m., the Subcommittees adjourned.]
                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

   Additional Material for the Record submitted by Linda D. Koontz, 
Director, Information Management Issues, U.S. Government Accountability 
                                 Office


























































































































































































                                 
