[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
                  PRIVACY IN THE COMMERCIAL
                         WORLD II
_____________________________________________________________________

                     HEARING

                   BEFORE THE

      SUBCOMMITTEE ON COMMERCE, TRADE,

           AND CONSUMER PROTECTION

                      OF THE

          COMMITTEE ON ENERGY AND
                   COMMERCE
         HOUSE OF REPRESENTATIVES

        ONE HUNDRED NINTH CONGRESS
           SECOND SESSION

                    ________

                 JUNE 20, 2006
                    ________

              Serial No. 109-99

                    ________

   Printed for the use of the Committee on Energy and Commerce




 Available via the World Wide Web: http://www.access.gpo.gov/
                                      congress/house

                    ________


                 U.S. GOVERNMENT PRINTING OFFICE

29-729 PDF              WASHINGTON : 2006
_________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government 
Printing  Office Internet: bookstore.gpo.gov  Phone: toll free 
(866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail:
Stop SSOP, Washington, DC 20402-0001








                      COMMITTEE ON ENERGY AND COMMERCE
                         Joe Barton, Texas, Chairman                  
Ralph M. Hall, Texas                         John D. Dingell, Michigan
Michael Bilirakis, Florida                    Ranking Member
  Vice Chairman                              Henry A. Waxman, California
Fred Upton, Michigan                         Edward J. Markey, Massachusetts
Cliff Stearns, Florida                       Rick Boucher, Virginia
Paul E. Gillmor, Ohio                        Edolphus Towns, New York
Nathan Deal, Georgia                         Frank Pallone, Jr., New Jersey
Ed Whitfield, Kentucky                       Sherrod Brown, Ohio
Charlie Norwood, Georgia                     Bart Gordon, Tennessee
Barbara Cubin, Wyoming                       Bobby L. Rush, Illinois
John Shimkus, Illinois                       Anna G. Eshoo, California
Heather Wilson, New Mexico                   Bart Stupak, Michigan
John B. Shadegg, Arizona                     Eliot L. Engel, New York
Charles W. "Chip" Pickering,  Mississippi    Albert R. Wynn, Maryland
  Vice Chairman                              Gene Green, Texas
Vito Fossella, New York                      Ted Strickland, Ohio
Roy Blunt, Missouri                          Diana DeGette, Colorado
Steve Buyer, Indiana                         Lois Capps, California
George Radanovich, California                Mike Doyle, Pennsylvania
Charles F. Bass, New Hampshire               Tom Allen, Maine
Joseph R. Pitts, Pennsylvania                Jim Davis, Florida
Mary Bono, California                        Jan Schakowsky, Illinois
Greg Walden, Oregon                          Hilda L. Solis, California
Lee Terry, Nebraska                          Charles A. Gonzalez, Texas
Mike Ferguson, New Jersey                    Jay Inslee, Washington
Mike Rogers, Michigan                        Tammy Baldwin, Wisconsin
C.L. "Butch" Otter, Idaho                    Mike Ross, Arkansas
Sue Myrick, North Carolina
John Sullivan, Oklahoma
Tim Murphy, Pennsylvania
Michael C. Burgess, Texas
Marsha Blackburn, Tennessee
                         Bud Albright, Staff Director
                        David Cavicke, General Counsel
          Reid P. F. Stuntz, Minority Staff Director and Chief Counsel

                                     _________

SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION
                    Cliff Stearns, Florida, Chairman
Fred Upton, Michigan                         Jan Schakowsky, Illinois    
Nathan Deal, Georgia                          Ranking Member
Barbara Cubin, Wyoming                       Mike Ross, Arkansas
George Radanovich, California                Edward J. Markey, Massachusetts
Charles F. Bass, New Hampshire               Edolphus Towns, New York          
Joseph R. Pitts, Pennsylvania                Sherrod Brown, Ohio
Mary Bono, California                        Bobby L. Rush, Illinois
Lee Terry, Nebraska                          Gene Green, Texas
Mike Ferguson, New Jersey                    Ted Strickland, Ohio
Mike Rogers, Michigan                        Diana DeGette, Colorado
C.L. "Butch" Otter, Idaho                    Jim Davis, Florida
Sue Myrick, North Carolina                   Charles A. Gonzalez, Texas
Tim Murphy, Pennsylvania                     Tammy Baldwin, Wisconsin
Marsha Blackburn, Tennessee                  John D. Dingell, Michigan
Joe Barton, Texas                             (Ex Officio)
  (Ex Officio)
  
  


  
  
  
  
  
  
                                    CONTENTS
                                   ____________

                                                                Page
Testimony of:
   Whitman, Meg, President and CEO, eBay, Inc..................   13
   Hendricks, Evan, Editor/Publisher, Privacy Times............   17
   Lenard, Dr. Thomas M., Senior Vice President for Research, 
     The Progress & Freedom Foundation.........................   24
   Swire, Peter, C. William Oï¿½Neill Professor of Law, Moritz 
     College of Law, The Ohio State University.................   30
   Taylor, Scott, Chief Privacy Officer, Hewlett-Packard Company. 34







PRIVACY IN THE 
COMMERCIAL WORLD II


TUESDAY, JUNE 20, 2006

House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade, 
and Consumer Protection,
Washington, DC.


The subcommittee met, pursuant to notice, at 2:40  p.m., in Room 2123, 
Rayburn House Office Building, Hon. Cliff Stearns [chairman] presiding.
Present:  Representatives Stearns, Deal, Radanovich, Terry, Otter, 
Blackburn, Barton [ex officio], Schakowsky, and Gonzalez.  
Staff Present,  David Cavicke, General Counsel; Shannon Jacquot, 
Counsel; Chris Leahy, Policy Coordinator; Brian McCullough, 
Professional Staff Member; Will Carty, Professional Staff Member; 
Billy Harvard, Legislative Clerk; Kelly Cole, Counsel; Consuela 
Washington, Minority Senior Counsel; Alex Gerlach, Minority Research 
Assistant; and Jonathan Brater, Minority Staff Assistant.  
Mr. Stearns.  Good afternoon.  The subcommittee will come to order.  
The Commerce, Trade, and Consumer Protection Subcommittee first began 
to work on comprehensive consumer privacy issues back in 2001 when we 
had a series of hearings on all facets of this issue, including 
commercial privacy policy, government privacy practices, and related 
consumer protection issues.  
In fact, our first hearing, aptly titled "Privacy in the Commercial 
World," was held over 5ï¿½years ago.  Todayï¿½s installment of that 
series, part II, has been a long time in coming, but the time is 
right to revisit comprehensive privacy after spending over 5ï¿½years 
on several of its elements, including legislative work on spyware, 
pretexting, and, most recently, data security legislation, which, it 
is my hope, will be brought to the floor for a vote very soon.  
My colleagues, the 5ï¿½years since the first privacy hearing back in 
2001 also has been a period marked by the Septemberï¿½11 attacks, 
which not only unleashed the military might of the United States, 
but also its ingenuity in using advanced technology, information 
collection, and sophisticated analyses as one of the major weapons 
countering the forces of terrorism and totalitarianism around the 
world.  
While certain things have changed since the first hearing, a great 
deal remains the same.  The United States continues to regulate 
privacy under a sector-specific disjointed approach, managing an 
ever-increasing number of local, State and Federal requirements 
dealing with notice, consent, and security protections in the 
health, on-line financial, and other contexts.  Although this 
collection of laws has increased, our protection against privacy-
infringing practices, and, to a lesser degree, identity theft, 
this body of law still contains gaping holes and major 
inconsistencies that leave consumers unprotected and businesses with 
uncertainties that directly affect their success.  
My hope, when I first introduced my bill, H.R. 1263, the Consumer 
Privacy Act of 2005, was to start the process of developing a 
consistent, Federal approach to privacy.  Back then, the committee 
was focused on constructing an approach to privacy that could become 
an overlay on all the work that has been done in the area of 
commercial privacy.  The approach would offer better uniformity and 
more efficient regulation as information technology, as the use of 
consumer information, and domestic and international commerce 
continued to become more integrated and in some cases converge.  
More uniform, stronger, and more consistent consumer protection was 
and still remains our goal.  Accordingly, the committee today would 
like to reenergize this effort with those principles and objectives 
in mind.  The subcommittee plans to continue its long-term 
examination of privacy issues with additional hearings and will 
begin to work through a draft bill.  
As I have said, a fundamental principle and one of the main drivers 
of our efforts in the area of privacy is to establish a uniform and 
consistent privacy regime for the American consumers and for American 
businesses.  In addition, we need to empower consumers, businesses, 
and the Federal government to make the application and enforcement 
of privacy practice in the United States the world benchmark.  With 
regard to data protection, we will examine how our work and data 
security can complement and enhance a national privacy regime.  
Further, I believe the Congress needs to take a closer look at 
international regulation of privacy, both how the national and 
supranational level is affecting U.S. business and its ability to 
compete globally.  We continue to be concerned about the privacy 
practices of other countries compromising the business decisions of 
some of our most successful and innovative companies.  
The outcome we are seeking from our efforts in this area is the 
assurance that the consumer has the knowledge and the control to 
make informed decisions that involve personal information, and that 
businesses have a consistent framework of law and regulation that 
stimulate innovation and success rather than hampering those goals.  
New technology continues to allow better and more efficient decisions 
and transactions in the commercial world.  We need to encourage that 
innovation because it is what enables our businesses in the United 
States to lead the rest of the world.  That is a leadership edge that 
we cannot compromise.  We do, however, need to recognize that as 
information technology and information sharing become more powerful, 
the ability to harm becomes just as powerful, and, as we have seen, 
ultimately destructive.  Identity theft remains a top concern for 
this committee and the American consumer.  Therefore, rigorous data 
security and data security policies are essential if we are to 
protect the progress that we are making in this area.  
In closing, the subcommittee has established, without question, the 
most comprehensive record on privacy and information security issues 
in our Congress.  This is a foundation that was built over years of 
studying these issues and working through some very good ideas and a 
number of legislative proposals.  It is time to continue that 
important task.  To reinitiate our work in the privacy area, I am 
particularly happy to have several leaders in commercial privacy, 
from business and from academia before us today, including 
Ms. Meg Whitman, President and CEO of eBay.  I want to thank all of 
you for joining us and offering your views today.  I look forward 
to continuing this important work and engaging all stakeholders, 
consumer groups, businesses, government, and academia, to craft 
sound, proactive, and necessary legislation in the field of consumer 
privacy that will spur innovation, protect consumers, and ensure that 
all American businesses will continue to lead the world with its 
innovation, productivity, and with regard for the privacy of the 
consumers that it serves.
With that, Ms. Schakowsky is recognized. 
[The prepared statement of the Hon. Cliff Stearns follows:]
Prepared Statement of the Hon. Cliff Stearns, Chairman, Subcommittee 
on Commerce, Trade, and Consumer Protection

Good afternoon.ï¿½ The Commerce, Trade and Consumer Protection 
Subcommittee first began to work on comprehensive consumer privacy 
issues back in 2001, when we had a series of hearings on all facets of 
the issue, including commercial privacy policy, government privacy 
practices, and related consumer protection issues.  In fact, our first 
hearing, aptly titled "Privacy in the Commercial World" was held over 
five years ago.  Todayï¿½s installment of that series, "Part Two", has 
been a long time in coming, but the time is right to revisit 
comprehensive privacy after spending over five years on several its 
elements, including legislative work on spyware, pre-texting, and, 
most recently, data security legislation, which I hope will be brought 
up for a House vote soon.  The five years since that first privacy 
hearing back in 2001 also has been a period marked by the September 
11th attacks, which not only unleashed the military might of the 
United States but also its ingenuity in using advanced technology, 
information collection, and sophisticated analysis as one of the 
major weapons countering the forces of terrorism and totalitarianism 
around the world.  And while certain things have changed since that 
first hearing, a great deal remains the same.  The United States 
continues to regulate privacy under a sector-specific, disjointed 
approach -- managing an ever-increasing number of local, state, and 
federal requirements dealing with notice, consent, and security 
protections in the health, on-line, financial, and other contexts.  
Although this collection of laws has increased our protections against 
privacy-infringing practices and to a lesser degree identity theft, 
this body of law still contains gaping holes and major inconsistencies 
that leave consumers unprotected and business with uncertainties that 
directly affect their success. 
My hope when I first introduced my bill, HR 1263, the "Consumer 
Privacy Act of 2005" was to start the process of developing a 
consistent, federal approach to privacy.  Back then, the Committee 
was focused on constructing an approach to privacy that could become 
an overlay on all the work that has been done in the area of commercial 
privacy.  The approach would offer better uniformity and more efficient 
regulation as information technology, the use of consumer information, 
and domestic and international commerce continue to become more 
integrated, and in some cases, converge.  More uniform, stronger, and 
more consistent consumer protection was and still remains the goal.  
Accordingly, the Committee today would like to re-energize this effort 
with those principles and objectives in mind.  The Subcommittee plans 
to continue its long-term examination of privacy issues with additional 
hearings, and will begin to work through a draft bill.  
As I have said, a fundamental principle and one of the main drivers of 
our efforts in the area of privacy is to establish a uniform and 
consistent privacy regime for the American consumer and business.  In 
addition, we need to empower consumers, business, and the federal 
government to make the application and enforcement of privacy 
practices in the United States the world benchmark.  With regard to 
data protection, we will examine how our work in data security can 
complement and enhance a national privacy regime.   Further, I believe 
the Congress needs to take a closer look at how international 
regulation of privacy, both and the national and supranational level, 
is affecting U.S. business and its ability to compete globally.  We 
continue to be concerned about the privacy practices of other countries 
compromising the business decisions of our some of our most successful 
and innovative companies.  
The outcome we are seeking from our efforts in this area is the 
assurance that the consumer has the knowledge and the control to make 
informed decisions that involve personal information, and that business 
has a consistent framework of law and regulation that stimulates 
innovation and success, rather than hampering those goals.  New 
technologies continue to allow better, more efficient decisions and 
transactions in the commercial world.  We need to encourage that 
innovation because it is what enables U.S. business to lead the rest
of the world.  That is a leadership edge that we cannot compromise.  
We do, however, need to recognize that as information technology and 
information sharing become more powerful the ability to harm becomes 
just as powerful and, as we have seen, destructive.  Identity theft 
remains a top concern for this Committee and American consumers.  
Therefore, rigorous data security and data security policies are 
essential if we are to protect the progress that we are making in 
this area.
In closing, this Subcommittee has established, without question, the 
most comprehensive record on privacy and information security issues 
in the Congress.  This is a foundation that has been built over years 
of studying these issues and working through some very good ideas in a 
number of legislative proposals.  It is time to continue that important 
task.  To reinitiate our work in the privacy area, I am particularly 
happy to have several leaders in commercial privacy from business and 
academia before us today, including Ms. Meg Whitman, President and CEO 
of eBay. Thank you all for joining us and offering your views today.  
I look forward to continuing this important work, and engaging all 
stakeholders --consumer groups, business, government, and academia to 
craft sound, proactive, and necessary legislation in the field of 
consumer privacy -- legislation that will spur innovation, protect 
consumers, and ensure that American business will continue to lead 
the world with itï¿½s innovation, productivity, and regard for the 
privacy of all the consumers it serves.
Thank you.

Ms. Schakowsky.  Thank you, Chairman Stearns, for convening todayï¿½s 
hearing on privacy and the commercial world.  
As our committee knows all too well, the transition from shopping on 
Main Street to e-commerce has created new and unique challenges that 
make current laws inadequate to protect consumersï¿½ right to privacy.  
I am glad that we are exploring ways to close the gaps in the law 
that put consumersï¿½ sensitive information at risk.  
Although most industrialized nations have comprehensive privacy 
protection laws, the United States has had a piecemeal, fragmented 
approach, regulating by industry and product.  Our committee is 
guilty of perpetuating this haphazard approach.  We regulate by 
headline the problem of the day, be it spam, spyware, pretexting 
for phone records or information brokers.  
To our credit, we have been trying to close loopholes, but at the 
same time we have pushed off the big question of establishing broad 
privacy principles for another day.  I am glad that we are now moving 
forward to address this important issue.  
This piecemeal approach is also perpetuated by financial, commercial,
and other industries that have labeled even the minimal privacy 
protections we put forth as too burdensome.  However, I am sure you 
all know the old adage that with great power comes great 
responsibility.  
The Internet and the advances in technology have given the industry 
great power to reach consumers, sell their wares, and compile large 
databases of information.  The expansion of their reach also means 
that industry has also a greater responsibility to protect consumers 
and their private, personal information.  
I am pleased to hear that a number of industry leaders have come 
together, along with Professor Peter Swire, who has a long history of 
promoting consumer privacy, to start exploring broad legislation that 
would close the gaps in the law and set privacy principles that all 
industry should follow both on and off line.  
Since we are just beginning these discussions, it is unclear whether 
we will be able to agree on a common product.  Nevertheless, I am 
glad that some in industry are beginning to shift their thinking 
about personal consumer information and privacy.  
However, we shouldnï¿½t limit our scope to commercial practices.  We 
should thoroughly examine government practices as well.  Although we 
have one of the most secretive administrations in our countryï¿½s 
history, it simultaneously has been the most invasive into the 
publicï¿½s privacy.  
As I mentioned before, our committee unanimously passed legislation, 
the Prevention of Fraudulent Access to Phone Records Act, in order to 
better secure private phone records and put control of personal calls 
back in consumersï¿½ hands.  
However, that bill seems to have disappeared to an unclosed location.  
Eightï¿½days after it was pulled from the floor schedule, USA Today 
broke the story that the National Security Agency was acquiring the 
publicï¿½s phone records from three of the major carriers, without 
subpoenas, warrants, or any approval from the courts.  
If true, it has occurred without consumersï¿½ knowledge or consent and 
with total disregard to the Privacy Act and other laws like FISA, the 
Foreign Intelligence Surveillance Act, that govern how our 
intelligence agencies operate.  
Chairman Stearns, as you may recall, I along with every Democrat on 
our committee sent a letter to Chairman Barton calling for a hearing 
on the allegations concerning the phone companies and the NSA.  That 
letter was sent on Mayï¿½11, and we still have not received a response.  
If we are serious about privacy, about closing the loopholes, getting 
beyond patchwork legislation, then we cannot turn a blind eye to what 
is happening in our own backyard and the total disregard for privacy 
laws on the books by the Administration.  We are urging a response 
very soon.  We would appreciate your help.  This issue is not going 
away.  
Additionally, I think we need to look into the strong-armed tactics 
the Administration is employing to stopping investigations into its 
antiprivacy practices.  New Jersey and other States have been 
exploring whether the phone companies sharing of records is in 
violation of their privacy laws.  In retaliation, on Juneï¿½15, the 
Justice Department brought a suit against the New Jersey Attorney 
General Zulima Farber, to stop him from seeking information about 
the telephone companies cooperation with the NSA.  The rolling out 
of the disclaimer that it is in the interest of national security 
does not give the Administration a free pass to trample on civil 
liberties and Statesï¿½ rights and sue those who are trying to protect 
the American public from privacy invasions.  
Again, I look forward to hearing from todayï¿½s witnesses, and I thank 
you. 
Mr. Stearns.  The gentlewoman from Tennessee, Mrs. Blackburn, is 
recognized.  
Mrs. Blackburn.  Thank you, Mr. Chairman.  I want to thank you for 
your commitment to this issue and for holding the hearing today and 
for looking at different ways for Congress to act to protect privacy, 
the right to privacy, the expectation of privacy, and the expectation 
of security.  That is something that our constituents are interested 
in, and they are interested to see how we are going to be certain that 
we respect their right to privacy and at the same time meet their 
concerns on how we remain a secure Nation.  
My constituents in my district have expressed their concerns on 
identity theft to me.  We have had some town halls on identity theft, 
specifically on this issue.  I think that the data bill that passed 
out of committee is a good solid first step on addressing that problem. 
I am looking forward to continuing on that and working on that issue, 
but we still need to address the privacy protections regarding the 
buying and selling of consumer information.  
I know many people have stated that the EU has much better privacy 
protections than the U.S., and I believe the FTC should study the 
European Unionï¿½s standards and see if we should incorporate some of 
them, any of them, or a part of that into our regulations.  
Another concern that I have is that there have been several instances 
of foreign companies obtaining financial information of Americans and 
using this information to conduct identity theft.  When we hear of 
this, it is of tremendous concern, and I hope it is of concern to each 
one of the guests who are with us today.  
This will almost certainly continue until either two things happen, 
either one or the other:  either the Federal government will oversee 
international transactions of consumer data, or an outright prohibition 
of these transactions is implemented.  I am not one to want to hinder 
global commerce, but if it is required to protect the private 
information of American citizens, then maybe that is something we need 
to put on the table and talk about.  
One other area that needs to be addressed is the relative ease of being 
able to sell consumer information.  I believe that one possible way to 
protect this data is to ensure businesses do a preliminary background 
information of the buyers of the information.  
Mr. Chairman, these are just a few of the concerns.  I look forward to 
the hearing, and I yield the balance of my time.  
Mr. Stearns.  I thank the gentlewoman.  The gentleman from Texas, 
Mr. Gonzalez.  
Mr. Gonzalez.  I waive opening.  Thank you.
Mr. Stearns.  The gentleman waives opening.
The Chairman of the Full Committee, the gentleman from Texas, Mr. Barton.  
Chairman Barton.  Thank you, Mr. Chairman.  Good afternoon to our 
witnesses.  I want to thank you, Chairman Stearns, for holding this 
hearing and Congresswoman Schakowsky, the Ranking Member, for being 
supportive of the hearing.  
I am a co-chair of the Congressional Privacy Caucus.  I think that 
protecting the privacy of our citizens is one of the most important 
things that we have an obligation to do, and I think it is time for 
Congress to begin to honor that obligation.  
It seems like if not every week, every month now we get some widely 
publicized data security breach, and they seem to be getting worse 
instead of better.  Last week we held a hearing, the Oversight and 
Investigations Subcommittee, where we found out that the agency within 
the Department of Energy, which is responsible for security of our 
nuclear secrets was, itself, breached and over 1,500 records stolen 
of the personnel of that agency, along with their Social Security 
number.  That is at an agency that is tasked with protecting the 
secrets of our nuclear weapons program.  
It is no surprise, then, that the public has become increasingly 
alarmed by the prevalence of crimes of data security breaches and how 
their personal information is more and more able to be shared in the 
commercial world.  Citizens are looking both to the entities which 
have their information and to the Congress to take action to correct 
this problem.  
To that end, this committee and this subcommittee introduced the Data 
Act.  Through bipartisan work, the committee passed that act 42-0.  
It is waiting to go to the floor, and has been hung up from going to 
the floor of the House of Representatives because another committee 
with no jurisdiction feels threatened and the industry that has 
issues before that committee feels threatened.  So that bill that 
passed 42-0 has not yet been scheduled for a floor vote in this 
Congress.  
It is my intention to encourage the leadership to bring that bill to 
the floor as soon as possible, and I have had meetings about that 
and discussions about that today.  
This subcommittee has also held a hearing on the issue of Social 
Security numbers in commerce and how best to balance beneficial uses 
with the threats to personal privacy.  
However, these two issues are only a few of the many pieces of the 
privacy puzzle, and I think it is time to stop doing things on a 
piecemeal basis and to introduce comprehensive legislation.  That is 
the purpose of this hearing today, to see if there is support for a 
comprehensive approach to privacy protection.  
It is my belief that individuals must be informed in a clear and 
conspicuous manner when private companies or government agencies plan 
to collect, use, or disclose personally identifiable information.  
Let me repeat that.  It is my belief that the citizens of the United 
States of America must be informed in a clear and conspicuous fashion 
when private companies or governmental agencies are going to collect, 
use, or disclose personally identifiable information.  
I believe that consumers must be told with whom any information is 
going to be shared and why.  For the most sensitive information, an 
opt-in should be the standard operating procedure.  This information 
should not be shared at all unless an individual gives his or her 
express consent.  
Congress has dealt with the issue of consumer privacy protection, if 
at all, in the past on a sector-by-sector basis.  
As I said earlier, it is my belief that it is time now for a broader, 
more comprehensive approach.  Issue-specific, stop-gap measures are no 
longer enough.  I think it is ludicrous to claim that 
Gramm-Leach-Bliley is privacy protection.  It is disclosure.  It is 
not, in my opinion, privacy protection.  
Consumersï¿½ privacy is at risk in too many areas that are not covered.  
An increasingly complex patchwork of State and Federal laws has not 
been effective in serving the interests of consumers, and, at the 
same time, it has required businesses to navigate sometimes 
inconsistent legal obligations.  
Furthermore, growing anxiety about consumers and identity theft has 
begun to erode public trust and the safety of their information.  It 
is inevitable that this will threaten on-line commerce, the Internet, 
and commerce in general if this situation is not corrected.  
Last year, I was very glad to see a coalition of high-technology 
companies come together with the goal of working towards some widely 
agreed-upon principles for privacy legislation.  
As I understand it, their stated goals are twofold:  to establish a 
strong baseline privacy protection for consumers; and to provide 
organizations with a uniform standard on which they can build 
effective privacy policies and compliance efforts.  I think this is 
a great starting point, and I absolutely applaud their efforts.  
I am glad that we have some members of that coalition here today, 
and I am anxious to hear more of the progress of their work.  These 
are complex issues, and there is considerable repercussion among 
consumers in the industry if we move in this area. 
However, I think the repercussions are larger if we donï¿½t move.  If 
we fail to act, organizations will face increasing costs associated 
with consistent and overlapping obligations.  Consumers will feel 
even more tentative and even more worried about disclosing personal 
information.  
Without action, the vitality of e-commerce and the potential of the 
Internet as a significant economic force will be in jeopardy.  I am 
glad to work with the private sector as we discuss how to implement 
the appropriate consumer protections, while giving businesses a set 
of the Federal rules of the road that provide certainty without 
requiring an overly burdensome compliance regime.  
I wish to thank my co-chairman of the Privacy Caucus, Mr. Edward 
Markey of Massachusetts, for his work in this area.  He and others 
on both sides of the aisle are going to work very aggressively to 
put together a draft bill and hopefully mark it up and bring it to 
the floor of the House in this Congress.  Not in the next Congress, 
in this Congress.  
Thank you again, Mr. Chairman, and Ranking Member Schakowsky, for 
hosting this hearing.  I yield back the balance of my time.  
[The prepared statement of the Hon. Joe Barton follows:]
Prepared Statement of the Hon. Joe Barton, Chairman, Committee on 
Energy and Commerce

Good afternoon.  Thank you, Chairman Stearns, for holding this 
hearing.  This is an issue that is very important to me, and as 
co-chair of the Congressional Privacy Caucus, I plan to work toward 
putting together comprehensive privacy legislation to be considered 
in this Congress.
The widely-publicized data security breaches of the last year and a 
half have coincided with the publicï¿½s increased awareness of the 
relationship between identity theft and their personal information. 
Not surprisingly, the public has become increasingly alarmed by the 
prevalence of this crime and by how their personal information is 
shared in the commercial world.  Many citizens are looking both to 
the entities which have their information and to Congress to take 
action to correct this problem.  To that end, this committee 
introduced the DATA Act, and through bipartisan work, the Committee 
agreed unanimously to provide strong protections and remedies for 
American consumers and the security of their personal information.  It 
is my intention to bring that bill to the House floor for a vote.  
This subcommittee also recently held an important hearing on the uses 
of Social Security numbers in commerce, and how best to balance 
beneficial uses with the threats to personal privacy.  However, these 
are only a couple of pieces of the privacy puzzle, and I believe 
further legislation is needed.
Individuals must be informed in a clear and conspicuous manner when 
private companies or governmental agencies plan to collect, use, or 
disclose personally identifiable information.  I believe that 
consumers must be told with whom any information may be shared and 
why.  For the most sensitive information, an "opt-in" should be the 
standard.  This information should not be shared at all unless one 
gives his or her express consent.
Historically, Congress has dealt with the issue of consumer privacy 
sector by sector, but it is time for a broader, more comprehensive 
approach.  Issue-specific, stop-gap measures are no longer enough.  
Consumersï¿½ privacy is at risk in too many areas that are not covered.  
An increasingly complex patchwork of state and federal laws has not 
been effective in serving the interest of consumers, and at the same 
time, it has required businesses to navigate sometimes inconsistent 
legal obligations.  Furthermore, growing anxiety among consumers 
about privacy and ID theft has begun to erode public trust in the 
safety of their information.  It is inevitable that this will 
threaten online commerce, the Internet, and commerce in general if 
the situation is not corrected.
Late last year, I was very glad to see a coalition of high-tech 
companies come together with the goal of working toward some widely 
agreed upon principles for privacy legislation.  As I understand it, 
their stated goals are twofold: to establish strong baseline privacy 
protections for consumers, and to provide organizations with a 
uniform standard on which they can build effective privacy policies 
and compliance efforts.  I think this is a great starting point, and 
I absolutely applaud their efforts.  I am glad we have some members 
of that coalition here today, and I am anxious to hear more about the 
progress of their work.
Obviously, these are complex issues with considerable repercussions 
for consumers and for industry.  If we fail to act however, 
organizations will face increasing costs associated with inconsistent 
and overlapping obligations, and consumers will feel even more 
tentative and more worried about disclosing personal information.  
Finally, without action, the vitality of e-commerce and the potential 
of the Internet as a significant economic force may be in jeopardy.  
I am glad to work with the private sector as we discuss how we can 
implement the appropriate consumer protections, while giving 
businesses a set of federal "rules of the road" that provide
certainty without requiring an overly burdensome compliance regime.
I want to thank all our expert witnesses for participating today, 
and I look forward to working with all stakeholders to put together 
essential and historic privacy legislation.
Thank you, and I yield back the balance of my time.

Mr. Stearns.  I thank the gentleman. 
Mr. Stearns.  Mr. Terry.  
Mr. Terry.  I have no statement.  
Mr. Stearns.  With that, we will move to the opening--do you waive, 
Mr. Terry?  
Mr. Terry.  Yes, I waive.
Mr. Stearns.  All right, then you will have additional time.  
We are very pleased to move to our panel.  Ms. Meg Whitman is 
President and CEO of eBay; Dr. Thomas M. Lenard, Ph.D., Senior Vice 
President for Research, The Progress & Freedom Foundation; Professor 
Peter Swire, C. William Oï¿½Neill Professor of Law at Ohio State; 
Mr. Scott Taylor, Chief Privacy Officer for Hewlett-Packard Company; 
and Mr. Evan Hendricks, Editor/Publisher of Privacy Times.

STATEMENTS OF MEG WHITMAN, PRESIDENT AND CEO, eBAY INC.;  
THOMAS M. LENARD, Ph.D., SENIOR VICE PRESIDENT FOR RESEARCH, THE 
PROGRESS & FREEDOM FOUNDATION; PETER SWIRE, C. WILLIAM Oï¿½NEILL 
PROFESSOR OF LAW, MORITZ COLLEGE OF LAW, THE OHIO STATE UNIVERSITY; 
SCOTT TAYLOR, CHIEF PRIVACY OFFICER, HEWLETT-PACKARD COMPANY; AND 
EVAN HENDRICKS, EDITOR/PUBLISHER, PRIVACY TIMES 

Mr. Stearns.  Ms. Whitman, welcome, and we appreciate your opening 
statement. 	Ms. Whitman.  Thank you, Chairman Stearns and members 
of the committee.  I appreciate the chance to talk to you today about 
what I believe is the pressing need for Federal privacy legislation.  
As Chairman Barton mentioned, my name is Meg Whitman, and I am the 
President and Chief Executive Officer of eBay, Inc.  eBay, as most 
of you probably know, enables commerce on a local, national, and 
international basis with an array of Web sites, including eBay, 
PayPal, Skype, Kijiji, Rent.com, and Shopping.com.  We bring together 
millions of buyers and sellers every day to meet, talk, and trade.  
eBayï¿½s purpose, pioneering new communities around the world, built on 
commerce, sustained by trust, and inspired by opportunity, relies 
heavily on our commitment to protect our usersï¿½ privacy.  That is why 
we believe it is critical to safeguard privacy in a variety of ways.  
We tell our users how we use their personal information in a 
transparent, concise, plain English, privacy policy that is linked 
from every single page of our Web site.  We do not share, rent, or 
sell personally identifiable information to third parties for 
marketing purposes.  
Our payment service, PayPal, provides consumers with a safe way to 
shop without sharing their financial information, thereby reducing 
the possibility of identity theft.  
The eBay toolbar helps consumers detect fraudulent Web sites and the 
eBay Web site provides detailed information to our users about 
threats to their privacy and security.  
In fact, eBayï¿½s commitment to privacy is so strong that consumers 
have recognized our efforts by naming us as one of the companies 
they most trust to protect their privacy.  
Most importantly, we believe that these safeguards are just one 
component of a national privacy protection framework.  With this in 
mind, eBay supports the efforts to enact Federal privacy legislation 
establishing consistent national standards.  
Comprehensive and preemptive Federal privacy legislation will 
promote and protect individual privacy, and will help unify todayï¿½s 
patchwork of laws, some Federal, some State, some applying to all 
businesses, some focused on particular business sectors, some general, 
some technology specific which consistently will help the millions of 
small businesses who sell on eBay limit the growing cost of 
compliance, while providing a uniform, meaningful, and understandable 
set of protections for consumers.  
With new technologies raising new privacy issues almost every day, 
it is time to lay the foundation for a long-term approach to privacy 
protection.  If I may, I would like to suggest some principles to 
guide the drafting of thoughtful legislation in this area.  
First, Federal privacy legislation should create a strong unified 
national standard that would occupy the field and preempt State laws.  
Legislation without preemption would make the current situation 
possibly worse, not better, by creating additional uncertainty and 
compliance burdens.  
Second, in order to maintain trust and ensure the appropriate 
protections for consumers, Federal standards must be enforced.  We at 
eBay are committed to employing strong privacy practices for our 
consumers, and I know that many of my colleagues in the tech community 
feel the same.  But something must be done to hold the bad actors 
accountable for failing to put the safety and security of their 
consumers before other interests.  
Strong enforcement by the Federal Trade Commission is critical.  A 
private right of action would be counterproductive in this emerging 
area of the law, marked by rapidly evolving technology, standards, 
and practices.  
Third, any legislation must apply broadly and not burden any single 
sector or technology.  A law that discriminated against e-commerce, 
when all companies are increasingly handling growing volumes of 
consumersï¿½ information, would be both unfair and ineffective in 
covering the broad challenges to consumer privacy.  Treating 
consumersï¿½ data differently, depending on the type of business 
that collects it, would likewise be problematic.  
Fourth, Federal privacy legislation should accord with the sound 
data protection rules adopted by our countryï¿½s leading 
international trading partners and allies, covering reasonable 
notice, consumer consent regarding use and disclosure of 
information, practical access to data, general security standards 
and government enforcement authority.  Businesses selling 
internationally to consumers around the world benefit from 
consistent trading rules, including consistent privacy protections.  
Building on these guiding principles, industry, government, and 
consumers must work together to protect privacy, while we and other 
companies continue to work to protect our usersï¿½ privacy.  Federal 
privacy legislation is the next step in a comprehensive approach 
to privacy protection.  
Mr. Chairman, members of the committee, thank you again for inviting 
me to testify here today.  I will be happy to answer the question 
when the time comes.
Mr. Stearns.  Thank you.
[The prepared statement of Meg Whitman follows:]
Prepared Statement of Meg Whitman, President and CEO, eBay, Inc.

Thank you Chairman Barton, Chairman Stearns and members of the 
Committee.  I appreciate the chance to talk with you today about 
the pressing need for federal privacy legislation. 
My name is Meg Whitman and I am the President and Chief Executive 
Officer of eBay Inc.  eBay enables ecommerce on a local, national, 
and international basis with an array of websites - including the 
eBay Marketplaces, PayPal, Skype, Kijiji, Rent.com and Shopping.com - 
that bring together millions of buyers and sellers every day to trade 
on the worldï¿½s online marketplace.
eBayï¿½s purpose -- pioneering new communities around the world built 
on commerce, sustained by trust, and inspired by opportunity -- 
relies heavily upon our commitment to protect our usersï¿½ privacy.    
That is why we believe it is critical to safeguard our usersï¿½ privacy 
in a variety of ways:
eBay does not share, rent or sell personally identifiable information 
to third parties for marketing purposes, unless users expressly opt 
in. 
eBayï¿½s PayPal provides consumers a safe way to "shop without sharing" 
their financial information, thereby reducing the possibility of 
identity theft.  
eBayï¿½s toolbar helps consumers detect fraudulent websites, and
eBayï¿½s website provides detailed information to our users about 
threats to their privacy and security.

In fact, eBayï¿½s commitment to privacy is so strong that consumers 
have recognized our efforts by naming us as one of the companies they 
most trust to protect their privacy. 
Most importantly, we believe that these safeguards are just one 
component of a national privacy protection framework.  With this in 
mind, eBay supports the effort to enact federal privacy legislation 
establishing consistent national standards.  
Comprehensive and preemptive federal privacy legislation will promote 
and protect individual privacy and will help unify todayï¿½s crazy-quilt 
of laws - some federal, some state; some applying to all businesses, 
some focused on particular business sectors, some general, some 
technology-specific.  Consistency will help eBay businesses limit the 
growing costs of compliance, while providing uniform, meaningful, and 
understandable protections for consumers.  With new technologies 
raising new privacy issues, it is time to lay the foundation for a 
long-term approach to privacy protection.
Permit me to suggest some principles to guide the drafting of 
thoughtful legislation in this area:
First, federal privacy legislation should create a strong unified 
national standard that would "occupy the field" and preempt state 
laws. Legislation without preemption would make the current situation 
worse, not better, by creating additional uncertainty and compliance 
burdens.  
Second, in order to maintain trust and ensure the appropriate 
protections for consumers, federal standards must be enforced.  We 
at eBay are committed to employing strong privacy practices for our 
consumers, and I know that many of my colleagues in the tech 
community feel the same.  But something must be done to hold the bad 
actors accountable for failing to put the safety and security of 
their consumers before other interests.  Strong enforcement by the 
Federal Trade Commission is critical.  A private right of action 
would be counter-productive in this emerging area of the law marked 
by rapidly evolving technology, standards, and practices.
Third, any legislation must apply broadly, and not burden any single 
sector or technology.  A law that discriminated against ecommerce 
when all companies are increasingly handling growing volumes of 
consumer information would be both unfair and ineffective in covering 
the broad challenges to consumer privacy.  Treatingï¿½consumer data 
differently depending on the type of business that collects it would 
likewise be problematic.	
Fourth, federal privacy legislation should accord with the sound data 
protection rules adopted by our leading trading partners and allies, 
covering reasonable notice, consumer consent regarding use and 
disclosure of information, practical access to data, general security 
standards, and government enforcement authority.  Businesses selling 
internationally to consumers around the world benefit from consistent 
trading rules, including consistent privacy protections.
Building on the guiding principles, industry, government, and 
consumers must work together to protect privacy. While we and other 
companies will continue to work to protect our usersï¿½ privacy, 
federal privacy legislation is the next logical step in a 
comprehensive approach to privacy protection.
Mr. Chairman, members of the Committee, thank you again for inviting 
me to testify today.  Iï¿½d be happy to answer any questions. 

Mr. Stearns.  Dr. Lenard, you could just use her microphone or the 
other one.  
Mr. Hendricks.  Excuse me, Mr. Chairman.  I have a "canï¿½t miss" 
train.  
Mr. Stearns.  If that is okay with the rest of you, we should be 
through here.  Each of you has 5ï¿½minutes.  
Mr. Hendricks.
Mr. Hendricks.  Thank you, I appreciate it.  It is great to be at a 
hearing where so many points I donï¿½t have to make, because you have 
made them, Mr. Chairman, and the Ranking Member has made them, and 
the Chairman of the Full Committee has made some very important 
points.  That will save us a lot of time.  I appreciate that.  Thanks 
to the members here for letting me go.  
I think that I really salute your leadership on this issue and could 
not agree more on the need for comprehensive privacy legislation.  In 
a sense, this is a back-to-basics, a return to fundamentals, because 
our privacy policy started in the early 1970s when Senator Sam Irvin 
introduced the Privacy Act, and he wanted one law covering both the 
Federal agency sector and the private sector, and he also wanted a 
national oversight office to enforce and implement our privacy policy.  
He got half a loaf.  
The Privacy Act covered the Federal agencies.  We settled for a study 
commission to study the private sector.  Since then what has happened, 
as the Ranking Member said, we have legislated by anecdote, and we have 
a hodgepodge of laws.  Naturally States have moved in to fill the gap 
where Federal law has not been able to address issues. 
So as we look now at revisiting the need for a comprehensive law, I 
think the first thing you have to realize is to get a comprehensive 
law that will bring more uniformity, you have to start from a high 
threshold of protection.  To start from a high threshold of protection, 
you need to return to the fundamentals, the eight leading fair 
information practice principles that are outlined in the guidelines in 
the Organization for Economic Co-operation and Development.  Those were 
endorsed by the U.S. Government and most Western governments, Japan and 
many others.  
If you walk through those quickly, you can see that the first principle 
of openness basically means access to information.  I think why we have 
such an encouraging start here is the corporate leadership at this table 
is definitely leaning in favor of an access standards.  That is one of 
the first areas that must be addressed.  
Other areas that are very important are to specify uses of information 
and limit uses that will not be permissible.  The other thing is 
participation means to be able to correct errors that are in records. 
Most of these are reflected in the Fair Credit Reporting Act, one of 
our first privacy laws.  
Another thing that is getting a lot of ink lately is the need for 
security safeguards.  In fact, we have security safeguard standards in 
both the Privacy Act of 1974 and the Gramm-Leach-Bliley Act.  I couldnï¿½t 
agree more with the Chairman that the Gramm-Leach Bliley Act does not 
represent privacy protection to the extent that we need it in these days.  
Collection limitation is an important principle, and two examples of it 
would be to limit the collection of Social Security numbers, an issue 
this subcommittee has wrestled with, as well as the use of encryption 
technology, so that we limit the collection of information or its 
usefulness once it is stored.  
The final issue and one of the toughest issues is accountability, 
which means enforcement.  There, I would commend the subcommittee to 
the model created by the Fair Credit Reporting Act, which represents 
the goal of democratizing enforcement.  When you have 200 million 
people who are the subject of records, you need to spread enforcement 
as far and as wide as you can.  
The Fair Credit Reporting Act does that by giving certain jurisdiction 
to other agencies, others to State Attorneys General, and finally you 
need to have a private right of action to continue our tradition of 
putting responsibility on the individual to stand up and defend his 
own rights.  
The final thing in closing I would like to say, Mr. Chairman, is 
along with this, is you also need privacy infrastructure.  We seek 
that.  We have examples of that.  Right here next to me is a Chief 
Privacy Officer.  You have people, you have resources in place to 
implement and oversee privacy policy.  Hewlett-Packard is one early 
establisher of one of these offices.  Many fine companies have done 
that.  
Congress has mandated this by the Department of Homeland Security by 
having a statutorily mandated chief privacy officer, as are more and 
more of the Federal agencies.  
What we donï¿½t have, what every other country has, is a national 
privacy office.  Peter Swire could probably explain a little more about 
this, because he had some of that role when he was in the past 
administration.  But other countries I have seen have gotten great 
mileage and great returns for rather minimal investment from having a 
national privacy office that can oversee policy, provide guidance to 
government agencies, handle complaints and be a resource for the 
legislative branch and the media and the public. 
That is what I see as some of the outlines of the comprehensive policy. 
I will work extra hard to answer this committeeï¿½s questions in writing, 
since I will not be able to stay around today.  Thank you very much. 
[The prepared statement of Evan Hendricks follows:]
Prepared Statement of Evan Hendricks, Editor/Publisher, Privacy Times

	Mr. Chairman, Ranking Member Schakowsky, thank you for the 
	opportunity to testify before the Subcommittee.  My name is 
	Evan Hendricks, Editor & Publisher of Privacy Times, a 
	Washington newsletter since 1981.  For the past 28 years, I 
	have studied, reported on and published on a wide range of 
	privacy issues, including credit, medical, employment, 
	Internet, communications and government records.  I have 
	authored books about privacy and the Freedom of Information 
	Act.  I have served as an expert witness in litigation, and 
	as an expert consultant for government agencies and 
	corporations.  
	I am the author of the book, "Credit Scores and Credit 
	Reports: How The System Really Works, What You Can Do."
	Due to pre-existing travel plans and other commitments, I am 
	not able at this time to provide as detailed a prepared 
	statement as I would prefer.  Please allow me to make some 
	fundamental points. 
	I appreciate the opportunity to appear before the subcommittee 
	and applaud its work on H.R. 4127.  While the bill could still 
	be improved, it at least represents an important step forward 
	in consumer privacy protection, and underscores this 
	Committeeï¿½s desire to move our nationï¿½s policy in the right 
	direction.  Conversely, H.R. 3997 would have disastrous 
	consequences and should be withdrawn as an inexcusable effort 
	to weaken consumersï¿½ rights at a time that they clearly need 
	to be strengthened.  
	I also applaud the underlying purpose of this hearing - to 
	fashion a more comprehensive approach to protecting privacy.  
	In my view, a comprehensive approach is long overdue.   I am 
	particularly happy to be sharing the panel with my distinguished 
	colleagues from academia and industry.  I believe this panel 
	represents a hopeful potential for consensus on this all-
	important issue.  

A Brief History
	The first serious effort to establish a national privacy policy 
	came in the early 1970s in the wake of the Watergate scandal.  
	Sen. Sam Ervin, a longtime proponent of privacy, sought to 
	establish a national policy by proposing a comprehensive 
	"Privacy Act," creating rights of Fair Information Practices 
	(FIPs) for individuals, that would apply to both the 
	governmental and private sector.
	Lobbying and politics forced Sen. Ervin to cut a deal.  The 
	result was the Privacy Act of 1974, applying only to federal 
	agencies, and the creation of the Privacy Protection Study 
	Commission (PPSC), a blue-ribbon panel that held hearings, 
	studied information-privacy issues relating to most of the 
	private sectors, and made legislative and other recommendations 
	published in its final report.\1\ The PPSC agreed that 
	consumers needed 
	
	
	\1\Personal Privacy In The Information Age: The Report of the 
	Privacy Protection Study Commission, (July 1977 GPO Stock No. 
	052-003-00395) Herein referred to as the PPSC Report.
	
	
	
	legal protection, but recommended a sectoral 
	approach, rather than a comprehensive one.  The PPSC supported 
	separate statutes for financial, medical and insurance records.  
	The conclusion favoring a sectoral approach did not seem 
	unreasonable at the time, but in hindsight, it resulted in an 
	importance sense, of privacy being "divided and conquered" by 
	institutional forces at the cost of individual rights.  Many 
	of the legislative proposal stemming from the PPSCï¿½s 
	recommendations "died on the vine" in the late 1970s and were 
	forgotten.  
	The result for the past three decades has been a sort of  an 
	ad hoc, "hit-and-miss" response driven by anecdotes.  For 
	example, when Judge Robert Bork was nominated to be a Supreme 
	Court Justice, a local news reporter obtained his video rental 
	records and wrote a story about his movie viewing preferences.  
	Congress moved quickly to pass the "Video Privacy Protection 
	Act."  The ad hoc, sectoral approach is also driven by the 
	Congressional committee jurisdictional issues. 
	The product of 30 years of ad hoc development of our nationï¿½s 
	privacy policy is a growing list of Federal and State laws, 
	some of them effective, and some not.  On the federal level we 
	have Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley (GLB), 
	the Cable Television Privacy Act, the Telephone Consumer 
	Protection Act (TCPA), the Childrenï¿½s Online Privacy Protection 
	Act (COPPA),  Health Insurance Portability and Accountability 
	Act (HIPAA), and the Family Educational Rights and Privacy Act 
	(FERPA).
One downside of the sectoral approach is the plethora of uneven and 
potentially conflicting standards for the handling of personal data.  
Another downside is that important types of personal data are left 
uncovered by law or do not appear to be clearly covered.  
Of course, these shortcomings have inspired States to try to fill the 
gaps and to respond to fast evolving privacy issues in order to 
protect their citizens. 

Fair Information Practices (FIPs)
Prof. Alan F. Westin, of Columbia University, was one of the early, 
modern-day scholars of privacy.  In his 1967 book, Privacy and Freedom, 
he focused on the emerging issue of "information-privacy"  - how the 
amassing of personal data allowed for new forms of "data 
surveillance."  In the book, Westin defined privacy in part as "the 
claim of individuals, groups, or institutions to determine for 
themselves when, how and to what extent information about them is 
communicated to others."  Harvard Law Professor Charles Fried once 
referred to privacy as "that aspect of social order by which persons 
control access to information about themselves."\2\
	Similarly, the U.S. Supreme Court wrote, "To begin with, both 
	the common law and the literal understandings of privacy 
	encompass the individual's control of information concerning 
	his or her person." 
The goal of providing individuals with reasonable control over their 
personal information led to the formulation of Fair Information 
Practice Principles, an effort in which Prof. Westin was integrally 
involved.  In its 1973 report, the [HEW] Secretaryï¿½s Advisory Committee 
On Automated Personal Data Systems defined five principles fair 
information practice:  
(1) there must be no personal data recordkeeping systems whose very 
existence is secret; 
(2) there must be a way for an individual to find out what information 
about him is in a record and how it is used; 

\2\U.S. Dept. Of Justice v. Reporters Committee, 489 U.S. 749 (1989).  
  This definition of privacy was reaffirmed and expanded upon by the 
  Court in Office of Independent Counsel v. Favish, 541 US 157 (2004)


there must be a way for an individual to prevent information about him 
obtained for one purpose from being used or made available for other 
purposes without his consent; 
there must be a way for an individual to correct or amend a record of 
identifiable information about him; and any organization creating, 
maintaining, using, or disseminating records of identifiable personal 
data must assure the reliability of the data for their intended use 
and must take reasonable precautions to prevent misuse of the data.
One year after the 1973 report, the Watergate scandal raised the 
nationï¿½s privacy consciousness.  Prof. Westinï¿½s book and the HEW Task 
Force report became the foundation for enactment of the U.S. Privacy 
Act of 1974.  That Act, in turn in 1975 created the Privacy Protection 
Study Commission (PPSC), a blue-ribbon panel that held hearings, 
studied information-privacy issues relating to most of the private 
sectors, and made legislative and other recommendations published in 
its final report.\3\ 
The reportï¿½s introduction articulated three objectives\4\ that endorsed 
Fair Information Act Principles.  "These three objectives both subsume 
and conceptually augment the principles of the Privacy Act of 1974 and 
the five fair information practices principles set forth in the 1973 
report of the [HEW] Secretaryï¿½s Advisory Committee On Automated Personal 
Data Systems." 
The PPSC report set the foundation for analyzing and evaluating law, 
policy and organizational practices relating to the collection, use and 
disclosure of personal data.  Its methodology was to identity the 
principles of Fair Information Practice and then apply them to the 
issue at hand, whether it be a standard industry practice or the 
statute governing that industry.  
In 1980, the Organization of Economic Cooperation and Development, 
based in Paris, adopted the following eight principles of fair 
information practices, still referred to by some experts as the 
"Gold Standard" of privacy.
Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Participation
Accountability

These principles were endorsed by the Governments of the United 
States, Japan and most Western European countries.  These 
principles effectively have been recognized by the United Nations 
in its work on privacy.  
	These principles are at the core of major U.S. information-
	privacy laws, like the Fair Credit Reporting Act of 1970, 
	and the U.S. Privacy Act of 1974.  They also are at the core 
	of the National Data Protection Laws of European countries, 
	as well as Canada, New Zealand and Australia, and the European 
	Union's Directive On Data Protection.  
	
	
\3\ Personal Privacy In The Information Age: The Report of the Privacy 
  Protection Study Commission, (July 1977; GPO Stock No. 052-003-00395) 
  Herein referred to as the PPSC Report.
\4\ The three general principles were: (1) minimize intrusiveness; (2) 
  open up record-keeping operations in ways that will minimize the 
  extent to which recorded information about an individual is itself a 
  source of unfairness in any decision about him made on the basis of 
  it (maximize fairness); and (3) create legitimate enforceable 
  expectations of confidentiality	
	
	

FIPs: The Goal, and the Measure of Success
	The extent to which we will be successful in fashioning the 
	kind of quality law that the American people want and deserve 
	in part will be determined by the extent we are able to 
	incorporate all eight of these principles into the statute.  
	Allow me to briefly explain why.

Openness = Access
	The first principle of privacy/FIP is that there should be no 
	record system whose very existence is secret.  On an individual 
	basis, Americans must have access to records about them held by 
	major organizations.  Americans have this right under the FCRA, 
	Privacy Act and a few other laws.  But because they do not have 
	these rights in relation to many other records, there 
	effectively are out of Americansï¿½ reach, thereby constituting 
	a form of secret records.  I salute the companies at the 
	witness table and others that have endorsed in principle 
	Americans right of access to records about them.  It probably 
	is the first step that legislation must tackle.  Companies that 
	have not had to implement access requirements worry that it 
	would lead to a tsunami of requests that would overwhelm them.  
	This has never materialized throughout recent history - even 
	throughout 2004 and 2005 when Americans for the first time were 
	entitled to free copies of their credit reports.  Some 
	companies also might fret that individual access might expose 
	their proprietary data.  But existing statutes are carefully 
	worded to preclude this possibility. 

Participation = Correction
	A key reason why access is important is so that individuals 
	can discover inaccurate information, dispute it, and have it 
	corrected or removed.  This goes to importance of accuracy in 
	Fair Information Practices, ensuring that people are judged on 
	the basis of accurate information. 

Purpose Specification/Use Limitation
	A fundamental precept of FIPs is that information collected 
	for one purpose should not be collected for other purposes 
	without the consent of the individual.  Even under the FCRA 
	and the Privacy Act, there are many allowable data uses 
	without the individualï¿½s prior consent.  The FCRA permits this 
	by broadly specifying "permissible purposes" - i.e. credit, 
	insurance and "legitimate business purpose."  Employment is 
	also a permissible purpose, but deemed so sensitive that it 
	requires prior consent by the job applicant.  The Privacy Act 
	allows federal agencies to share data without consent under 
	the "Routine Use" exception.  Unfortunately, this has proven 
	too broad a loophole that some Federal agencies are all too 
	willing to take advantage of. 

Data Quality
	Data quality relates to issues that could make information 
	less useful or unfair.  This goes beyond issues of "technical 
	accuracy."  It relates to such issues as completeness and 
	relevance, to borrow two terms from the FCRA.  For example, 
	it could be technically accurate that a landlord filed a 
	conviction action in court against the tenant.  But that would 
	unfairly portray the tenant if it were proven the landlordï¿½s 
	motion was frivolous and was done to retaliate against the 
	tenant for complaining about unlivable rental conditions - 
	as the latter information would be relevant and give a more 
	complete picture assuring fairness.  Maintaining data quality 
	sometimes requires appropriate audits.

Security Safeguards
	If information is not adequately protected, then it can be 
	breached and privacy can be compromised.  In fact, the Privacy 
	Act requires that agencies:

(10) establish appropriate administrative, technical and physical 
safeguards to insure the security and confidentiality of records and 
to protect against any anticipated threats or hazards to their security 
or integrity which could result in substantial harm, embarrassment, 
inconvenience, or unfairness to any individual on whom information is 
maintained;

Moreover, Congress grafted the Privacy Act language into the security 
safeguards section of the Gramm-Leach-Bliley Act governing financial 
institutions.  The problem is that aside from FTC actions, there is 
little enforcement of the Privacy Act or GLB security safeguards.  
That means organizations could calculate it is cheaper not to comply, 
as the chances of large fines, or other enforcement actions holding 
organizational heads accountable, were not great. 
On their face, the Privacy Act and GLB standards seem good.  But the 
recent litany of data breaches underscores that a duty without 
enforcement is not much of a duty and does not achieve its goals. 
	Real security requires more than just talking points.  It 
	requires leadership, good policies, employee training and 
	awareness, encryption and intrusion detection.

Collection Limitation
	This relates to collecting the minimal amount of data needed 
	to accomplish a task.  Itï¿½s also referred to as data 
	minimization, a standard under U.S. wiretap law.
	This principle can relate to our discussion in two important 
	ways.  First, it relates to limiting the collection and 
	storage of Social Security numbers (SSNs).  The SSN is the 
	identity thiefï¿½s first tool of choice.  Many of the publicized 
	security breaches have been potentially traumatic because they 
	involved (unencrypted) SSNs.  
	Second, it relates to encryption.  If personal data, like the 
	above-mentioned SSNs, are robustly encrypted, then even if 
	they are lost and stolen, they are usually unusable.   Thus, 
	encryption minimizes the amount of available personal data, 
	enhancing security and privacy. 

Accountability = Enforcement
A privacy law without adequate enforcement is a right without a remedy. 
Unfortunately, many privacy laws suffer from lax enforcement.  
It is vital to understand that when you are talking about laws 
affecting some 200 million people, you need to "democratize" 
enforcement.  You can never build a bureaucracy big enough to enforce 
such a widely applicable privacy law - nor would you want to.  
	The best model for enforcement is the FCRA.  Itï¿½s enforcement 
	scheme is 
FTC & Federal Banking Agencies
State Attorneys General
Private Right of Action
Statutory Damages
Actual Damages
Punitive Damages
Attorneyï¿½s fees
A privacy law cannot fully achieve its goals unless there is an 
adequate enforcement mechanism and that mechanism cannot be adequate 
if individuals do not have the ability to enforce their own rights.  
Iï¿½d be happy to provide the subcommittee with numerous examples.

Privacy ï¿½Infrastructureï¿½
	The other necessary aspect of an adequate national policy is 
	Privacy Infrastructure.  This relates to having the resources 
	in place to implement and oversee policy.  We have slowly begun 
	building this infrastructure.  For example, the statute creating 
	the Dept. of Homeland Security created the first statutorily 
	mandated Chief Privacy Officer.  The Bush Administration last 
	year directed Federal agencies to appoint a senior officer in 
	charge of privacy policy.  Many major corporations began 
	appointing Chief Privacy Officers in the late 1990s.
What is missing in the U.S. is what every other Western nation has: a 
national office in charge of overseeing privacy policy.  In other 
countries, they are called Office of the Privacy Commissioner or Office 
of Data Protection Commissioner.  In some countries they have 
regulatory powers; in others, they do not.  What is most important is 
that they are independent offices that typically answer to the 
legislative branch (the Parliament), not the executive.  They typically 
have jurisdiction over the public and private sectors.  These offices 
typically have limited staff, but pay great dividends in many 
countries because of their ability to focus attention on everything 
from questionable practices to emerging technologies.  They also serve 
as a resource for the public, media and legislative and government 
branches. 
	Sen. Sam Ervin originally proposed that the United States have 
	such an office, but politics forced him to settle for a study 
	commission.  The absence of a national office has greatly 
	retarded the evolution and development of national privacy 
	policy, and resulted in the hodge-podge of laws we have today. 
	In fact, an early job for a U.S. Privacy Commissioner would be 
	to do an accounting of what personal data of Americans actually 
	are protected, and identify gaps and potential conflicts in 
	existing laws.
	This subcommittee should include in its legislation the 
	creation of national privacy office.  In years past, 
	Sen. Paul Simon proposed creation of such an office.  At a 
	minimum, the office should have subpoena power and the ability 
	to conduct audits and handle complaints.  I am confident that 
	such an office would pay great dividends for millions of 
	Americans.  
	Again, thank you for this opportunity.  Iï¿½d be happy to answer 
	any questions.  
	
Mr. Stearns.  Mr. Hendricks, would you be able to stay an extra 
10ï¿½minutes, because these folks will be through in 10 or 15ï¿½minutes?  
Mr. Hendricks.  I will try my best, but I am sorry.
Mr. Stearns.  It is interesting, your comment relative to Ms. Whitman 
is a little different on some of these points.  I think it would be 
useful, some of these nuances, to talk about.  
Dr. Lenard.
Dr. Lenard.  Thank you, Chairman Stearns, Ranking Member Schakowsky, 
and members of the subcommittee.  I appreciate the opportunity to 
testify today.  I am a Senior Fellow and a Senior Vice President for 
Research at The Progress & Freedom Foundation.  We are a think tank 
that focuses on public policy issues that affect the information 
economy.  
I will give a slightly different perspective than perhaps some of the 
other members of the panel to the issue that we are discussing.  The 
advances in IT and finally the digital revolution have reduced the 
cost of gathering, storing, and manipulating information of all kinds, 
and this has naturally raised concerns on the part of individuals 
about what information is being collected, how it is being used, who 
has access to it, and how secure it is.  
When considering whether and how to regulate, however, we need to be 
mindful that we truly do live in an information economy, and that the 
personal information utilized by firms produces great value for 
consumers and for the economy generally.  
Moreover, regulation inevitably will have unpredictable and unintended 
consequences, especially when imposed on a medium like the Internet 
that is changing so rapidly.  Perhaps the most serious potential costs 
involve losses of innovation.  
Implicit in proposals to regulate the market for personal information 
is that there is a market failure resulting in too much information 
being produced and used, and that this is harming consumers.  But 
despite widespread perceptions that personal information is subject 
to misuse, there is not much in the way of hard evidence that consumers 
are being harmed by the legal use of personal information.  
Moreover, as a general matter, markets work better with more 
information.  As the cost of information goes down, market participants 
obtain more of it and make better decisions.  Indeed, increased use of 
personal information can correct market failures that otherwise would 
exist.  
Regulation that raises the cost of information will result in markets 
that function less well and will adversely affect competition, 
particularly on the Internet, where established firms have listed 
their own customers and visitors to the Web sites, but new firms must 
purchase such lists.  As long as there is a market for such 
information, entrants can begin competing relatively easily.  
However, if regulation reduces the size of the market and increases 
costs, competition from new entrants will be reduced.  The market 
also appears to provide incentives for firms to respond to consumersï¿½ 
privacy concerns in a variety of ways, including voluntary standards 
and new technologies such as spam filters.  Firms that violate 
consumersï¿½ expectations about privacy face a loss of reputation that 
translates into losses in the marketplace.  
Data security and identity fraud present a slightly different issue, 
because they deal with behavior that is illegal.  Again, contrary to 
the public perception, this is not a growing problem.  Indeed, 
identity fraud costs are, by most measures, declining.  This should 
not be surprising, because about 90ï¿½percent of the costs are borne 
directly by businesses which, therefore, have a strong incentive to 
invest in security, and reduce these costs.  
Businesses may not necessarily have the same incentives to notify in 
the event of a security breach, but our analysis indicates that a 
mandatory notification is somewhat dubious on cost-benefit grounds.  
The indirect costs both to consumers and to sectors of the economy 
that depend on the free flow of information are likely to be 
substantial, primarily because of a likelihood that both consumers 
and firms suffering a security breach will overreact to notification 
requirements.  
Whatever privacy and data security regulation we do adopt, however, 
should be at the Federal level and preempt State laws.  The effective 
markets are national and international in scope.  Federal preemption 
will reduce compliance costs and improve the benefit-cost balance.  
The privacy debate represents some of the most complex policymaking 
challenges that we have seen.  This requires a careful analysis of 
specific proposals and their likely consequences to assure that 
their benefits are sufficient to justify their costs.  Thus far, 
the evidence suggests the market for personal information is 
working pretty well and producing large benefits for consumers.  
Regulating in this rapidly changing technological environment, 
without evidence of significant market failure, runs the risk of 
adversely affecting innovation and slowing the progress of the IT 
revolution with potentially adverse implications for growth and 
productivity.  
Thank you very much.  
Mr. Stearns.  Thank you.
[The prepared statement of Dr. Thomas M. Lenard follows:]
Prepared Statement of Dr. Thomas M. Lenard, Senior Vice President 
for Research, The Progress & Freedom Foundation

Mr. Chairman and Members of the Subcommittee, thank you for the 
opportunity to testify today.  My name is Thomas Lenard.  I am senior 
fellow and senior vice president for research at The Progress & 
Freedom Foundation, a non-partisan, non-profit "think tank" that 
focuses on public policy issues that affect the digital revolution 
and the information economy generally.  Privacy and data security 
are clearly among the most important of these issues.  
The advances in information technology that define the digital 
revolution have reduced the costs of gathering, storing, manipulating 
and transmitting information of all kinds.  While the economic and 
social impacts of these advances have been overwhelmingly positive, 
they also have raised concerns on the part of individuals about what 
information is being collected, how it is being used, who has access 
to it and how secure it is.  These concerns have been exacerbated by 
a series of high-profile data-security breaches that have exposed 
millions of individuals to potential fraud and convinced much of the 
public that we face an epidemic of identity theft.  
When considering whether and how to regulate, however, we need to be 
mindful that we truly do live in an information economy and that the 
personal information utilized by firms produces great value for 
consumers and the economy.  It is the reason, for example, why any 
individual with a decent credit rating can get a loan approved 
virtually instantaneously.  It also facilitates competition generally, 
making it easier for new firms to enter markets that require customer 
data.  It is an area where the United States has a significant 
advantage over other countries that have more restrictive data and 
privacy laws and where consumer credit markets and other markets that 
rely on personal information donï¿½t work as smoothly. 
	Moreover, regulation will inevitably have unpredictable and 
	unintended consequences, especially when imposed on a medium 
	like the Internet that is changing so rapidly.  Perhaps the 
	most serious potential cost is a loss of innovation-new 
	uses of information and of the Internet itself that would 
	be frustrated by a new regulatory regime.  There are many 
	examples of ways in which information is now being used that 
	were not contemplated when the information was collected, 
	and which would be precluded by some of the measures that 
	have been proposed.
 	In deciding whether additional regulation is desirable, and, 
 	if so, in what form, the following basic public policy 
 	questions need to be addressed:\1\ 
Are there "failures" in the market for personal information?
If market failures exist, how do they adversely affect consumers?
Can such failures be remedied by government action?
Will the benefits of government regulation exceed the costs? 

The Market for Personal Information
	Although privacy and data security are obviously inextricably 
	intertwined, it is useful to think of them separately for the 
	purposes of regulatory analysis.  So, the first question is 
	whether there are failures in the market for information and, 
	in particular, whether consumers are being harmed by the 
	legal use of personal information for commercial purposes.  
	The answer is that, despite widespread perceptions that 
	personal information is subject to misuse, there does not 
	appear to be much in the way of evidence, even anecdotal 
	evidence, of such harm.  
	Implicit in the proposals to regulate the market for personal 
	information is that there is a market failure resulting in 
	"too much" information being produced, disseminated and used.  
	As a general matter, however, markets work better with more 
	information.  As the cost of information goes down, market 
	participants obtain more of it and, consequently, make better 
	decisions.  For example, consumers benefit from receiving 
	information that is better targeted to their interests, as 
	well as from not receiving information that is not of interest 
	to them.  Similarly, legitimate marketers have an interest in 
	not sending messages to consumers who arenï¿½t interested in 
	them.  Merchants with more information can better estimate 
	demand, reducing inventory costs and even lessening swings in 
	overall economic activity.  They can also use geographic 
	computer-based information to put their new stores in 
	locations that best serve consumers, and to stock the most 
	useful merchandise for those consumers.
	Information can correct market failures that would otherwise 
	exist.  For example, asymmetric information is a form of market 
	failure that occurs when one party to a transaction has more 
	information than the other.  Both credit markets and insurance 
	markets are potentially subject to problems of this sort, 
	because lenders and insurers may have less information than 
	applicants about the applicantsï¿½ risk characteristics.  
	Asymmetric information problems of this sort may cause lenders 
	and insurers to be unwilling to offer transactions that 
	consumers would want and that would benefit them.  In general, 
	increased use of personal information alleviates, rather than 
	exacerbates, this type of market failure.
	Moreover, the "public good" nature of information-once 
	produced, it can be reused multiple times-means that 
	advertisers, credit institutions and insurance companies all 
	may use the same information.  The ability to sell for 
	advertising or marketing purposes information initially 
	collected for credit or insurance rating purposes increases 
	the value of that information.  Thus, the markets for 
	advertising and marketing information 
	
\1\For an elaboration of many of the points made in this testimony, see 
  Paul H. Rubin and Thomas M. Lenard, Privacy and the Commercial Use of 
  Personal Information, Kluwer Academic Publishers and The Progress & 
  Freedom Foundation, 2002.
	
	
	
	
	generate increased 
	information in markets that might truly be susceptible to 
	asymmetric information market failures-e.g., credit and 
	insurance markets. 
	The market also appears to provide incentives for firms to 
	respond to consumersï¿½ privacy concerns in a variety of ways.  
	Firms that violate consumer expectations about privacy face 
	a loss of "reputation" that translates into losses in the 
	marketplace.  When a firm does something that is perceived 
	as harming its reputation with consumers, the firm suffers 
	a substantial loss in value.  Firms, therefore, have a 
	strong incentive to avoid undertaking policies that risk 
	offending their customers.  The Internet speeds the 
	collection of information about consumers, but it also 
	enables consumers to more easily obtain information about 
	firmsï¿½ activities on the Web.  In addition, voluntary 
	standards, defined and enforced by third parties or 
	consortia of Web operators, are an important mechanism 
	for providing information to consumers about Web sitesï¿½ 
	information policies.  Finally, new technologies, such as 
	spam filters, are available to consumers who are concerned 
	about privacy. 

Data Security
	Data security presents a slightly different issue.  While 
	there may be no evidence of market failure or consumer harm 
	from the legal use of personal information in commercial 
	markets, that does not necessarily imply that firms have the 
	appropriate incentives to safeguard the information under 
	their control or take appropriate steps, whatever these may 
	be, if the data are compromised.
	The most recent data on identity theft and its costs (from a 
	2006 report from Javelin Strategy and Research) do not 
	support the public perception that identity theft is a 
	growing problem.  They show that the costs of identity fraud 
	have been essentially constant over the last several years 
	for which data are available (which would indicate that, in 
	a growing economy, they have been declining relative to total 
	transactions).  Since 2003, the number of victims of identity 
	fraud has declined by almost 12 percent-to 8.9 million 
	annually-while the average cost per victim has increased by 
	over 20 percent.  However, since most victims donï¿½t incur the 
	costs related to their fraud cases, the average consumer costs 
	have declined by 24 percent, although the time it takes 
	consumers to resolve fraud cases has increased from 33 to 
	40 hours.  
Other data suggest that costs have been decreasing over time.  
Estimates by Nilson show that over a longer period-1992 to 2004-the 
costs of credit card frauds decreased from $0.157 to $0.047 per $100 
in credit card sales.\2\  Similarly, Visa recently indicated that its 
fraud costs are at an all-time low of five cents per $100 of 
transactions.  This is a reflection of the fact that credit card 
firms are continually updating and improving levels of security.  The 
Nilson Report also indicates that fraudulent charges are lower as a 
percentage of credit card use in the U.S. than in the rest of the 
world; for example, credit card payments in the U.S. are three times 
the U.K. level, as compared with fraudulent charges, which are only 
about 1.2 times the U.K. level. 
It shouldnï¿½t be surprising that fraud costs per dollar of transaction 
are declining.  About 90 percent of the costs of identity theft and 
related frauds are borne directly by businesses, including banks, 
credit card issuers and merchants.  In addition, studies show that 
firms suffer large losses in stock value when security is breached.  
Interestingly, these studies are from a period before any consumer 
notification was required.  Despite the perception that information 
about security breaches was unavailable prior to enactment of the 
California notification requirement, information about breaches did 
become public before that time-perhaps as a result of securities 
regulatory requirements-and markets reacted accordingly.  Thus, even 
without any laws mandating notice to consumers, firms have had a 
very strong incentive to avoid data security breaches because the 
market penalizes them severely.
\2\These figures are for costs to card issuers.

It is unclear whether firms also have adequate incentives to notify 
compromised consumers, so the issue is an empirical one:  do the 
benefits of notification outweigh the costs?  This issue was addressed 
in an economic analysis of notification requirements for data 
security breaches I recently did with Paul Rubin, who is a professor 
of law and economics at Emory University as well as an adjunct PFF 
fellow.\3\ 
We found that a notification requirement is dubious on benefit-cost 
grounds.  The expected benefits to consumers of such a requirement 
are extremely small-probably under $10 per individual whose data have 
been compromised.  There are several reasons for this.  First, most 
cases of identity theft involve offline security breaches, which are 
not affected by notification requirements.  Second, the probability of 
an individual compromised by a security breach becoming an identity-
theft victim is extremely small.  Third, most of these are victims of 
fraudulent charges on their existing credit accounts, for which they 
have very limited liability, rather than victims of true identity 
theft.  Finally, even a well-designed notification program is likely 
to eliminate only a small fraction of the expected costs.
While the direct costs of notification may not be large, the indirect 
costs both to consumers and to sectors of the economy that depend on 
the free flow of information are likely to be substantial, primarily 
because of the likelihood that both consumers and firms suffering a 
security breach will overreact to notification.  Firms in the 
information business may start limiting access to their information 
in an effort to reduce their risk exposure.  Of particular concern 
is the prospect that the publicity associated with multiple 
notifications may induce consumers to shift their credit transactions 
offline, which the data show would actually increase their exposure 
to identity theft.

Effect on Competition
Many of the costs of privacy and data security regulations are likely 
to be relatively invariant with the size of the firm and therefore 
higher per unit of output for small than for large firms.  Many of 
the costs are also what economists call "sunk" costs, which means 
they are not recoverable if, for example, the business fails.  This 
is an added burden that will deter start-ups and could have an 
adverse effect on competition.
Most importantly, any regulation of the information sector that 
raises the costs of targeted advertising and obtaining accurate 
customer lists has a greater adverse effect on new entrants and small 
firms than it does on large, established firms.  This is particularly 
true for Internet advertising, where established firms have lists of 
their own customers and visitors to their web sites, but new firms 
must purchase such lists.  As long as there is a market for customer 
lists and other such information, entrants can begin competing 
relatively easily.  However, if regulation should reduce the size of 
the market and increase costs, competition from new entrants would 
be reduced.

Federal vs. State Regulation
Given the nature of the Internet, regulation at the state level has 
the potential to produce additional costs and impede interstate 
commerce due to inconsistencies.  A true federalist approach is not 
possible with markets and firms that are national, and even 
international, in scope.  Firms will tend to comply with a single set 
of rules.  In the absence of a preemptive federal statute, they will 
comply with the most stringent set of state regulations, which will 
in effect "preempt" other state regulations.  
Without federal preemption, companies are still faced with the 
prospect of familiarizing themselves with numerous different state 
laws to make sure they are in compliance.  The costs associated with 
this, which do not vary much with firm size, 

\3\Thomas M. Lenard and Paul H. Rubin, "An Economic Analysis of 
  Notification Requirements for Data Security Breaches," The Progress & 
  Freedom Foundation, Progress on Point, Release 12.12, July 2005.




constitute a particular burden for smaller firms.  Federal preemption 
of state privacy and data-security laws will reduce compliance costs 
and improve the benefit-cost balance.  

Conclusion
The privacy debate represents some of the most complex policy-making 
challenges we have seen.  This requires careful analysis of the actual 
proposals and their likely consequences to assure that, if adopted, 
their benefits are sufficient to justify their costs. 
Thus far, and despite perceptions to the contrary, the evidence 
suggests that the market for personal information is working well and 
producing large benefits for consumers.  Regulating in this rapidly 
changing technological environment, without evidence of significant 
market failure, runs the risk of adversely affecting innovation and 
slowing the progress of the IT revolution, with potentially adverse 
implications for growth and productivity.    

Mr. Stearns.  Professor Swire.
Mr. Swire.  Thank you, Mr. Chairman, Ranking Member Schakowsky, and 
members of the committee.  Thank you very much for the invitation to 
testify here before you today on the subject of Federal consumer 
privacy legislation.
My name is Peter Swire.  I am the C. William Oï¿½Neill Professor of 
Law at The Ohio State University, home of the Buckeyes.  Today I am 
representing the Consumer Privacy Legislation Forum.  To summarize 
the testimony, increased use and access to information, often made 
possible by advances in technology, have greatly benefited society 
through the exchange of ideas, enhanced economic productivity, and 
increased access to goods and services.
Without the appropriate safeguards, however, access to information 
can pose potential harm to consumers, resulting in a general lack of 
confidence that their information is safe.  Unaddressed, a loss of 
trust has an adverse impact on economic growth and innovation.  
I became aware of the promise and perils of information uses when I 
served as the Chief Counselor for Privacy in the U.S. Office of 
Management and Budget from 1999 until early 2001.  While at OMB, I 
worked on issues such as on-line privacy, medical privacy and 
financial privacy.  I also oversaw the Federal governmentï¿½s use of 
personal information.  We were subject to the Privacy Act and other 
legal requirements, so I learned what it is like to be regulated.  
From that experience, I came away with a keen appreciation for the 
benefits and protections that come from good privacy laws.  I also 
saw, however, the serious problems that can arise if privacy rules 
are not crafted carefully.
The CPL Forum, whose creation we are announcing today, grew out of 
an announcement last fall by eBay, Hewlett-Packard, and Microsoft, 
that they supported a national standard for privacy protection that 
will benefit consumers, while allowing commerce to flourish.  These 
companies, along with the Center for Democracy and Technology and 
myself, have become the steering committee for our Forum.  
It is an honor and privilege today to be appearing at this hearing 
alongside Ms. Meg Whitman, the CEO and President of eBay Inc., and 
Mr. Scott Taylor, the CPO of Hewlett-Packard.  Both Ms. Whitman and 
Mr. Taylor today are giving the perspective of their respective 
companies, and there may be specific items where the Forum as a group 
has not yet settled into a position.  
Having their personal participation, including at the CEO level, 
underscores the importance of the issue of comprehensive consumer 
privacy legislation.  Since the late winter, an expanded group of 
organizations has come together into the Forum to work on the topic 
of comprehensive consumer privacy legislation.  
The list of companies signing on to the Forumï¿½s statement today is a 
significant moment, showing the expanded number and range of industry 
leaders who are stepping forward on this issue.  In addition to the 
companies that are explicitly signing the statement, we are calling 
this the CPL Forum because we have reached out to and will continue to 
learn from a much broader array of experts and stakeholders, both on 
the industry and the consumersï¿½ side.  
The forum has been working on more detailed principles that would 
inform comprehensive consumer privacy legislation.  We hope and expect 
to have additional materials for public release in the future.  
I will now turn to the formal statement that we are making today for 
the Forum.  Here is the statement in support in principle for 
comprehensive privacy legislation.  
Quote:  "Today we live in a digital economy where both beneficial and 
potentially harmful uses of personal information are multiplying.  
Information about individuals is used by businesses to provide 
consumers with an unprecedented array of goods and services; increase 
productivity; promote access to financial products; and protect 
individuals, business, and society from fraud and other bad acts.  
However, that same information can also be misused to harm individuals, 
with results such as identity theft, deception, unwarranted intrusion, 
embarrassment and loss of consumer confidence."  
"The time has come for a serious process to consider comprehensive 
harmonized federalized privacy legislation to create a simplified, 
uniform, but flexible framework.  The legislation should provide 
protection for consumers from inappropriate collection and misuse of 
their personal information, and also enable legitimate businesses to 
use information to promote economic and social value.  In principle, 
such legislation would address businesses collecting personal 
information from consumers in a transparent manner with appropriate 
notice; providing consumers with meaningful choice of the use and 
disclosure of that information; allowing consumers reasonable access 
to personal information they had provided; and protecting such 
information from such misuse or unauthorized access.  Because a 
national standard would preempt laws, a robust standard is warranted."
That is our statement today, as signed by 12 companies.  In my 
written testimony, I explained some reasons the forum believes this 
process should be done now, why now is the time to move forward.  
But given the time, I will simply conclude today by thanking the 
committee for once again showing leadership on consumer privacy 
issues by calling this hearing today.  We appreciate being called to 
testify and pledge to work diligently to assist you in your continued 
consideration of these important issues.  
Mr. Stearns.  Thank you. 
[The prepared statement of Peter Swire follows:]
Prepared Statement of Peter Swire, C. William O"Neill Professor of 
Law, Moritz College of Law, The Ohio State University

Mr. Chairman, Ms. Ranking Member, thank you very much for the 
invitation to testify before you today on the subject of federal 
consumer privacy legislation.  My name is Peter Swire.  I am the 
C. William Oï¿½Neill Professor of Law at the Ohio State University, and 
today I am representing the Consumer Privacy Legislation Forum.  
	To summarize the testimony, increased use and access to 
	information, often made possible through advances in 
	technology, has greatly benefited society through the exchange 
	of ideas, enhanced economic productivity, and increased access 
	to goods and services.  Without the appropriate safeguards, 
	however, access to information can pose potential harms to 
	consumers, resulting in a general lack of confidence that their 
	information is safe.  Unaddressed, a loss of trust has an 
	adverse impact on economic growth and innovation.
	I became aware of the promise and perils of information uses 
	when I served as the Chief Counselor for Privacy in the 
	U.S. Office of Management and Budget from 1999 until early 
	2001.  While at OMB, I worked on issues such as online privacy, 
	medical privacy, and financial privacy.  I also oversaw the 
	federal governmentï¿½s own use of personal information.  We were 
	subject to the Privacy Act and other legal requirements, so I 
	learned what it feels like to be regulated.  From that 
	experience, I came away with a keen appreciation for the 
	benefits and protections that come from good privacy laws.  I 
	also saw, however, the serious problems that can arise if 
	privacy rules are not crafted carefully.
	The CPL Forum, whose creation we are announcing today, grew 
	out of the announcement last fall by eBay, Hewlett-Packard, 
	and Microsoft that they supported a national standard for 
	privacy protection that will benefit consumers while allowing 
	commerce to flourish.  Those companies, along with the Center 
	for Democracy and Technology and myself, have become the 
	Steering Committee for the CPL Forum.  It is an honor and 
	privilege today to be appearing at this hearing alongside 
	Ms. Meg Whitman, the CEO and President of eBay, Inc. and 
	Mr. Scott Taylor, the Chief Privacy Officer of Hewlett-
	Packard.  Both Ms. Whitman and Mr. Taylor today are giving 
	the perspectives of their respective companies, and there may 
	be specific items where the Forum as a group has not settled 
	into a group position.  Having their personal participation, 
	including at the CEO level, underscores the importance of the 
	issue of comprehensive consumer privacy legislation.
	Since the late winter, an expanded group of organizations has 
	come together into the Forum to work on the topic of 
	comprehensive consumer privacy legislation.  The list of 
	companies signing onto the Forumï¿½s statement today is a 
	significant moment, showing the expanded number and range of 
	industry leaders who are stepping forward on the consumer 
	privacy issue.  In addition to the companies that are 
	explicitly signing the statement, we are calling this the CPL 
	Forum because we have reached out to, and will continue to 
	learn from, a much broader array of experts and stakeholders, 
	both on the industry and consumer sides.  The Forum has been 
	working on more detailed Principles that would inform 
	comprehensive consumer privacy legislation.  We hope and 
	expect to have additional materials for public release in 
	the future.
	Let me now turn to the formal Statement of the CPL Forum 
	that we are releasing today.  
 
Statement of Support in Principle for Comprehensive Consumer Privacy 
Legislation
"Today we live in a digital economy where both beneficial and 
potentially harmful uses of personal information are multiplying.  
Information about individuals is used by businesses to: provide 
consumers with an unprecedented array of goods and services; increase 
productivity; promote access to financial products; and protect 
individuals, business and society from fraud and other bad acts.  
However, that same information can also be misused to harm individuals, 
with results such as identity theft, deception, unwarranted intrusion, 
embarrassment, and loss of consumer confidence."
"The time has come for a serious process to consider comprehensive 
harmonized federal privacy legislation to create a simplified, uniform 
but flexible legal framework.  The legislation should provide protection 
for consumers from inappropriate collection and misuse of their personal 
information and also enable legitimate businesses to use information to 
promote economic and social value.  In principle, such legislation 
would address businesses collecting personal information from consumers 
in a transparent manner with appropriate notice; providing consumers 
with meaningful choice regarding the use and disclosure of that 
information; allowing consumers reasonable access to personal 
information they have provided; and protecting such information from 
misuse or unauthorized access.  Because a national standard would 
preempt state laws, a robust framework is warranted."
	That is our statement today, as signed by 12 companies.  Before 
	closing, let me briefly indicate four reasons why members of 
	the Forum believe that this process for federal privacy 
	legislation should occur now.
	First, it is important to promote consumer trust.  A nationwide 
	survey released in May 2006 by the Cyber Security Industry 
	Alliance reports that 94 percent of people polled cite identity 
	theft as a serious problem and only 24 percent feel that 
	businesses are placing the right emphasis on protecting 
	information.
	Second, address the patchwork.  Comprehensive federal consumer 
	privacy legislation can unify todayï¿½s inconsistent and 
	incomplete patchwork of obligations at both the state and 
	federal levels.  This approach would simplify compliance for 
	companies while at the same time providing uniform, meaningful, 
	and understandable protections for individuals.
	Third, fill the gaps.  Many organizations have already 
	developed effective privacy policies.  Bad or careless actors, 
	however, do not have the same policies in place, undermining 
	consumer trust.
	Fourth, provide an understandable U.S. framework.  Compared 
	with the current patchwork, comprehensive federal consumer 
	privacy legislation can be more easily understood by entities 
	and persons both inside and outside of the United States.  In 
	a global world of e-Commerce, this simplified and 
	understandable privacy framework helps consumers and businesses.
	In conclusion, this Committee is once again showing leadership 
	on consumer privacy issues by calling this hearing today.  We 
	thank the Committee for the invitation to testify, and pledge 
	to work diligently to assist you in your continued 
	consideration of these important issues. 


Appendix to Swire Statement

Statement of Support in Principle for Comprehensive Consumer Privacy 
Legislation
Today we live in a digital economy where both beneficial and 
potentially harmful uses of personal information are multiplying.  
Information about individuals is used by businesses to: provide 
consumers with an unprecedented array of goods and services; increase 
productivity; promote access to financial products; and protect 
individuals, business and society from fraud and other bad acts.  
However, that same information can also be misused to harm individuals, 
with results such as identity theft, deception, unwarranted intrusion, 
embarrassment, and loss of consumer confidence.
The time has come for a serious process to consider comprehensive 
harmonized federal privacy legislation to create a simplified, uniform 
but flexible legal framework.  The legislation should provide protection 
for consumers from inappropriate collection and misuse of their personal 
information and also enable legitimate businesses to use information to 
promote economic and social value.  In principle, such legislation 
would address businesses collecting personal information from consumers 
in a transparent manner with appropriate notice; providing consumers 
with meaningful choice regarding the use and disclosure of that 
information; allowing consumers reasonable access to personal 
information they have provided; and protecting such information from 
misuse or unauthorized access.  Because a national standard would 
preempt state laws, a robust framework is warranted.

CPL Forum members signing the statement today, June 20, 2006, are:

Eastman Kodak Co.
eBay Inc.
Eli Lilly and Co.
Google, Inc.
Hewitt Associates
Hewlett-Packard Co.
Intel Corp.
Microsoft Corp.
Oracle Corp. 
Procter & Gamble Co.
Sun Microsystems, Inc.
Symantec Corp.

Mr. Stearns.  Mr. Taylor.
Mr. Taylor.  Mr. Chairman, Ranking Member Schakowsky, distinguished 
committee members.  My name is Scott Taylor, and I am the Chief Privacy 
Officer at Hewlett-Packard Company.  HP is a leading global provider of 
computing and imaging products, services and solutions.  We operate in 
over 170 countries worldwide.  We are headquartered in Palo Alto.  We 
have 150,000 employees and revenues of $88 billion.  
Respecting our customersï¿½ privacy has been an integral part of HPï¿½s 
success over the years.  I very much appreciate the opportunity to 
share with you today HPï¿½s view on the importance of Congress 
considering a unifying, workable, and comprehensive Federal privacy 
standard.  
I would like to share three important messages.  First and foremost is 
that privacy is actually a core value at HP.  We firmly believe that 
the ability to succeed in the marketplace depends on keeping our 
customersï¿½ trust, and only by ensuring the privacy and the security of 
the personal information that we collect about our customers can we 
rightfully gain and maintain that trust.  
Consumers who purchase any one of the 10,000 products that HP produces 
must be confident not only in the quality of those products, but that 
we are going to do right by them, especially when it comes to 
protecting the personal information that we collect about them.  
The second message is that HP has long been a leader in strengthening 
consumer privacy protections.  We have a lengthy track record of 
advancing forward-looking workable privacy initiatives that respond to 
consumer needs.  HP was the first U.S. company certified by the 
Department of Commerce to participate in the European Unionï¿½s safe 
harbor program back in 2001.  
Our global Web site, hp.com, posts a privacy statement on every one of 
our 4.5 million pages, as well as privacy notices at every personal 
data collection point.  We are also active in efforts outside of our 
company.  HP was a founding sponsor of the Better Business Bureauï¿½s BBB 
online program, which was one of the earliest and today one of the most 
internationally recognized privacy protection self-certification 
programs.  
Finally, as Mr. Swire mentioned, HP was one of three U.S. companies 
who last fall launched the Consumer Privacy Legislation Forum, a group 
focused on advancing a national dialogue on a workable, responsive 
Federal privacy standard.  
This brings me to my third and final point.  HP does believe that it 
is time for Congress to consider a unifying Federal privacy law.  As 
a leader in e-commerce, HP is a strong proponent of corporate 
effective regulation.  We believe the future of e-commerce is dependent 
upon companies acting responsibly to advance consumersï¿½ needs.  
At the same time, however, we recognize that consumer privacy presents 
a series of challenges that have not yet been fully addressed.  For 
example, the patchwork of privacy regulations in existence today across 
numerous State statutes means that consumers are confused as to the 
extent of their protections in any given context.  
Companies also have to contend with that patchwork of quilts and laws 
and their very differing, often conflicting regulations that we need 
to interpret.  Further, there are heightened consumersï¿½ concerns about 
existing privacy threats, risks undermining the health of e-commerce.  
And no one is served, not consumers, not governments, and certainly not 
companies, by a lack of confidence in the security and privacy of 
personal information.  
All of this adds up to one thing.  We believe at HP that Congress 
should take steps to consider a comprehensive, Federal approach to 
protecting consumersï¿½ privacy, one that provides a workable national 
standard in lieu of the current patchwork of laws.  
I would like to be clear that HP is not looking for Congress to dictate 
the terms or the technologies for protecting privacy.  That would be 
counterproductive and self-defeating.  Rather, we are urging Congress 
to examine ways of establishing a workable, flexible benchmark that 
unifies the divergent laws and regulations that are in existence and at 
the same time responds to the very real needs of anxious consumers.  
We recognize that this is likely to be a multiyear effort, one that is 
going to require careful study and consideration by this committee and 
Congress as a whole.  But we also believe it is a process that is well 
worth embarking upon.  
At HP, we stand ready to serve as a resource to you, so that working 
together we may find meaningful, functional ways to protect the privacy 
of the American consumer and realize the full potential of e-commerce.  
Thank you.  
[The prepared statement of Scott Taylor follows:]
Prepared Statement of Scott Taylor, Chief Privacy Officer, Hewlett-
Packard Company

Mr. Chairman, Ranking Member Schakowsky, and distinguished Committee 
members, my name is Scott Taylor and I am the Chief Privacy Officer 
for Hewlett-Packard Company.  
Headquartered in Palo Alto, California, HP is a leading global provider 
of computing and imaging solutions and services, conducting business 
in over 170 countries around the world with 150,000 employees globally 
and revenues of $88 billion.  Respecting our customersï¿½ privacy has 
been in our DNA since the inception of the company and an integral 
part of our success. I very much appreciate the opportunity to share 
with you today our views on the importance of Congress considering a 
unifying, workable and comprehensive Federal privacy standard.  
I want to leave you with three important messages today:
First, privacy is a core HP value.  We firmly believe that our ability 
to succeed in the marketplace depends upon earning and keeping our 
customersï¿½ trust.  Only by ensuring the privacy and security of all 
the customer information that we handle can we rightfully gain and 
maintain that trust.
Second, HP has long been a leader in corporate efforts to strengthen 
consumer privacy protections globally.  From becoming the first U.S. 
company to participate in the EUï¿½s Safe Harbor program back in 2001, 
to having helped launch the Consumer Privacy Legislation Forum last 
fall, HP has a lengthy track record of advancing forward-looking, 
workable privacy initiatives that respond to consumer needs.  
And finally, in keeping with that record of leadership, HP believes 
it is time for Congress to consider establishing a comprehensive, 
flexible, and harmonized legal framework for protecting consumer 
privacy.  Consumers want it, companies need it, and our economy will 
be the better for it. 

Let me briefly address each of these points.

First and foremost, privacy is a core HP value.
As a company, HP is 100 percent committed to excellence in consumer 
and employee privacy, and for two fundamental reasons.
First, because itï¿½s the right thing to do.  We have an obligation to 
fulfill the trust that HP employees have given us in handling their 
information
Second, because successful customer relationships are fundamentally 
about trust.  Consumers who purchase any one of the 10,000 computer 
and imaging products produced by HP must be confident not only in 
the quality of our products, but in the integrity of their customer 
experience.   They must trust that we will do right by them, 
particularly when it comes to protecting the privacy and security 
of their personal information.
It is for this reason that HP operates one of the most rigorous 
global privacy policies of any major U.S. company.  In fact, in 
January 2005, TRUSTe and the Ponemon Institute named HP "The Most 
Trusted Company in America for Privacy." 

Secondly, HP has long been a leader in strengthening consumer 
privacy protections.
In fact, weï¿½ve been at the forefront of corporate efforts to 
strengthen global privacy protections for many years now.  
First, a bit about our own policies.  HPï¿½s global website, 
www.hp.com, posts a privacy statement on every page as well as 
privacy notices at every personal data collection point.  We 
offer a range of pro-consumer privacy protections for users, 
including choices about marketing contact preferences and an opt-in 
approach for sharing personal information with third parties outside 
our company.  My position -- Chief Privacy Officer -- is charged 
with ensuring that HPï¿½s global privacy policies match the highest 
standards of privacy excellence everywhere in the world.  
We are also active in efforts to advance dialogs on privacy issues 
outside our company.  HP was a founding sponsor of the Better 
Business Bureauï¿½s BBBOnLine Program, one of the earliest and, 
today, most internationally recognized privacy protection 
self-certification programs.
In 2001, we became the first American company certified by the 
Department of Commerce to participate in the European Unionï¿½s Safe 
Harbor program.  Our global privacy policy is, in fact, based on the 
Safe Harbor, a rigorous standard designed to be compatible with the 
European Unionï¿½s high data privacy requirements.
And finally, HP was one of three U.S. companies who last fall 
launched the Consumer Privacy Legislation Forum - a group of 
privacy-minded companies and consumer organizations focused on 
advancing a national dialogue on a workable, responsive Federal 
privacy standard.  
Which brings me to my final point:
HP believes it is time for Congress to consider a unifying Federal 
privacy law.  
As a leader in e-commerce, HP is a strong proponent of effective 
corporate self-regulation.  We believe that the future of e-commerce 
depends on companies acting responsibly to advance consumer needs.  
At the same time, however, we recognize that consumer privacy presents 
a series of challenges that have not yet been fully addressed.  For 
example, the patchwork of state-based privacy regulations in existence 
today with many different statutes means that consumers are confused 
as to the extent of their protections in any given context, and that 
companies must contend with a mix of differing and often conflicting 
regulations.  
Further, heightened consumer concerns about existing privacy threats - 
from spyware to phishing, spam to data breach, and any number of other 
challenges - risk undermining the economic health of e-commerce.  No 
one is served - not consumers, not governments, and certainly not 
corporations - by a lack of customer confidence in the security and 
privacy of personal information.
Which adds up to one thing: 
HP believes that Congress should take steps to consider a comprehensive 
federal approach to protecting consumer privacy - one that provides a 
workable national standard in lieu of the current patchwork of state 
laws.  This national baseline should be built on fundamental, sound 
privacy principles that include:
transparency and consumer choice;
scalability and flexibility;
information security;
accountability; and 
strong enforcement.

Let me be clear: we are not looking for Congress to dictate the terms 
or technologies for protecting privacy.  That would be counter-
productive and self-defeating.  Rather, we are urging Congress to 
examine ways of establishing a workable, flexible benchmark that 
unifies the divergent regulations currently in existence and, at the 
same time, responds to the very real needs of anxious consumers.
We recognize that this is likely to be a multi-year effort - one that 
will require careful study and consideration by this Committee and by 
the Congress as a whole.  But it is a process that we believe is well 
worth embarking upon. 
At HP, we stand ready to serve as a resource to you, so that working 
together, we may find meaningful, functional ways to protect the 
privacy of American consumers and realize the full potential of 
e-commerce. 
Thank you.  

Mr. Stearns.  I thank you, all of you.  I will start with my questions.   
Ms. Whitman, I will start with you, with your background.  It is nice 
to see you again.  I had an opportunity some time ago to tour eBay, 
and I remember that vividly.  
Almost everybody on the panel has indicated we need a comprehensive 
bill, and we need a Federal bill.  Mr. Hendricks, though, has pointed 
out, though, he does not want to see a private right of action in his 
opening statement.  
Ms. Whitman, you had indicated--he does want one and you do not.  
Ms. Whitman.  Yes.  
Mr. Stearns.  Having seven hearings on privacy before, it always has 
been a problem trying to reach a compromise.  I think it would be 
important for you, you have this opportunity now to say how you feel 
on this subject, and I was hoping Mr. Hendricks would give his opinion, 
but I am sure maybe someone else will contribute his, but we welcome 
your thinking here for the record.
Ms. Whitman.  Thank you very much.  Our point of view is that the FTC 
has, in fact, led the charge to protect consumer privacy, and so we 
believe it is the right enforcement body.  Also a private right of 
concern, I think our biggest concern is that this could lead to an 
onslaught of plaintiff bar class action lawsuits that would potentially 
inconsistently enforce privacy legislation and also lead to just 
enormous legal complexity and legal costs on behalf of companies.
Mr. Stearns.  The argument often goes, though, that if you donï¿½t have 
private right of action, you donï¿½t get punitive and civil damages, 
which a lot of people would say individual consumers should have the 
individual right, if there is a compromise here by a large corporation.  
Mr. Taylor, you are welcome to pitch in here.  But how would you answer 
that; with the Federal Trade Commission, perhaps, there is not the full 
rights of an individual consumer to have civil and punitive damages?  
Ms. Whitman.  You know, that may be the case.  I think the issue here 
is what is the right balance.  We certainly want to, as I said in my 
opening statement, have a very well-enforced baseline, transparent, 
consumer privacy protection.  
At the same time, I think we also want to be fair to all the 
constituencies and make sure that this doesnï¿½t get so complicated that 
the very best companies are, if you will, just brought to their knees 
by enormous lawsuits and potential damages.  So I think it can be under 
discussion, but I think we are just trying to find the right balance 
here in terms of what the right enforcement mechanism is.  
Mr. Stearns.  Mr. Taylor, you might want to comment, and I was going to 
ask Professor Swire what his comments were.  
Mr. Taylor.  I would agree with Ms. Whitman that we need to have a 
fundamental baseline that has flexibility and scalability, because I 
would agree with her that it is important that we donï¿½t grind this to 
a halt and make this too complex.
Mr. Stearns.  You support full preemption, then, as opposed to the 
private right of action.  Can you go on record and say, or are you 
saying it is more nuanced than that; that maybe there could be a 
compromise, using a State Attorney General enforcement?  
Mr. Taylor.  Yes, I would say there could be a compromise.
Mr. Stearns.  Professor Swire.
Mr. Swire.  In terms of me being here for the CPL Forum today, 
maybe being a plain law professor for a second I can point out 
we have statutes that have a variety of things, so we can look at 
those.  We have had the FCRA, which has had a private right of 
action since 1970.  We have HIPAA, which is only Federal enforcement.  
You all might have seen a front-page story in the Washington Post a 
couple of weeks ago that shows there hasnï¿½t yet been the first civil 
enforcement action 3ï¿½years after that got in play.  That is an 
example of a Federal-only statute.
In the CAN-SPAM statute that came out of this committee, State AGs 
have a role, and also some particular companies that basically stand 
in for the Internet, the ISPs, have a role.  So we have a variety of 
statutes to look at.  I think you can study how each of those has 
worked out.  
Mr. Stearns.  Ms. Whitman, another area I find of contention is the 
level of correction and notice that is in a rebus notice.  It is a 
notice that is sort of a limited notice?  How do you feel about this?  
The notice to the consumer in the event there is a problem, notice to 
the consumer advising that he or she, that their privacy--and then the 
consumer calls you.  Just like my credit report, I can get it corrected; 
I can get a free copy.  How do you feel about that, the level of notice 
and the ability of the consumer to get this corrected?  
Ms. Whitman.  One of the proposals I think we subscribe to is 
transparency.  I think notice is incredibly important.  I guess the 
nuance is if there has been a tiny two or three people, their 
information has been compromised, obviously you would notify those 
people, you would notify a very large group of people.  But is there 
some case where it doesnï¿½t make sense to notify?  
I think our bias at eBay, if there is ever a breach, no matter how 
small, that one must notify the consumers and make sure that you either 
reach them by phone, by email, or by snail mail, hand-based letter.  I 
think we do feel that notification and transparency are incredibly 
important because that allows consumers to take their own precautions, 
canceling their credit cards, whatever they would like to do.  
With regard to access, we do believe that consumers should be able to 
access their open information so far as the access is balanced, I think, 
with a reasonable standard.  But I think it is every consumers right to 
know what has happened with that information, and we ought to make 
ourselves available to consumers to be able to find out what we have 
about them that maybe they didnï¿½t understand in our privacy policies.  
Mr. Stearns.  That is a very important point.  Let us say I have been 
doing business with you for 10ï¿½years.  I say, I would like to say what 
eBay has on me.  Are you receptive to a procedure where I could notify 
you and see to eBay, please give me records of what you have as far as 
personal information on me, and you are receptive as a corporate CEO to 
say we are willing to live with that extra, perhaps, nuisance; or, even 
though there has been no notice and there has been no violation, but the 
person just wants to call?  
Ms. Whitman.  Yes, I think with a reasonableness test, we would be open 
to that.  The most important information that we have about consumers, 
of course, is in some ways their reputation that they build on eBay.  
We keep that forever.  
We now have over, I think, 70 billion feedback comments from our buyers 
and sellers.  People can access that at all times.  We would be happy 
to provide them basically with any information they want, subject to 
probably some minor reasonableness tests.  But I think that is an 
absolutely legitimate request.  
Mr. Stearns.  Do you agree, Mr. Taylor?  I think she is stretching out 
here.  I donï¿½t think the corporations--we had other hearings, and they 
are not all receptive to everybody having access to see what their 
records are without a notice, without any problems.  
Mr. Taylor.  HP does work very hard to allow access to information.  
One of our privacy principles is data access.  Of course, like 
Ms. Whitman said, it is as reasonable an access as we can provide.  
When consumers contact us, we do have a privacy mechanism to allow a 
general consumer to contact HP to question the content or data.  
Mr. Stearns.  So you are willing to go as far as the credit unions?  
Mr. Taylor.  I donï¿½t know if we are as willing to go or willing to go 
as far as the credit unions.
Mr. Stearns.  In other words, I can call up any credit union and say, 
tell me what you have got; or I can call up any credit union and find 
out in the credit report.  
Mr. Taylor.  In our case what we will do is if a consumer asks us to 
view their information, change their information, we will make our best 
attempt in the variety of databases to look for all active information 
that might be used, or active, about that user.  
Mr. Stearns.  You would want the Federal government to put that into 
legislation?  Would that bother you?  
Mr. Taylor.  I think reasonable access on behalf of consumers to 
information that companies have would not be an unreasonable request. 
Mr. Stearns.  All right.  My time has expired.  Ms. Schakowsky.  
Ms. Schakowsky.  Thank you.  I am really impressed with our panelists.  
Ms. Whitman, I know friends who live on eBay and make a living in some 
part on eBay.  It is a pleasure to hear you.  
I wanted to get to this issue of preemption also, and, Professor Swire, 
you said that because the setting of a national standard for privacy 
would preempt State laws, that a robust framework is warranted.  
In the preemption that you are imagining, would there be any room for 
States to go beyond the Federal legislation should we miss something?  
Mr. Swire.  Well, within this Forum, this group that we have been 
working with, the Center for Democracy and Technology and the dozen 
companies that have signed on in a bigger group that we have been 
talking with, I think it has been important to have companies consider 
moving forward in this whole process, companies that are working 
nationally, often globally.  I think that it has been very, very 
important for them to say, okay, if we are going to buy off on 
reasonable access, if we are going to buy off on some of the other 
things, then we really think one standard nationwide is the way to go, 
and without that, it is very hard for the companies to explain to 
themselves sort of what is achieved for simplicity out of the process.  
So that is the explanation for the scope of the bill, anyway, you would 
expect Federal preemption and expect to have some new consumer guarantees 
such as access with that.  
Ms. Schakowsky.  It is heartening that some of the major corporations at 
the very highest level have bought into this process, into this notion.  
Dr. Lenard, this committee has been dealing a lot with identity theft, 
with the problem of personal consumer information.  Quite frankly, I 
have never really heard someone come before us and make the argument 
that this really isnï¿½t a very serious problem.  
We are hearing that identity theft is the fastest growing problem.  We 
are constantly barraged with horror stories of people whose lives have 
been complicated if not ruined by the notion of identity theft.  So why 
is it that you think that it is not particularly a big deal for us to 
be worrying about?  
Dr. Lenard.  Well, a couple of things.  First of all, I think there are 
two separate issues:  One is the legal use of personal information in 
business, in commerce.  Obviously, identity theft is illegal.  A good 
deal of what I was trying to say is that I donï¿½t think there is evidence 
of a market failure or consumer harm from the legal and legitimate use of 
personal information in commerce.  I donï¿½t think there is evidence of it.  
Obviously, they are closely related.  Identity theft is not, according to 
the data, a growing problem.  The costs of identity theft have been 
relatively constant over the last 3 years, which suggests that they have 
been shrinking in a growing economy; they are shrinking relative to the 
amount of--
Ms. Schakowsky.  Can I interrupt for one second?  I would be curious 
about where you get your data because the FTC has told us that this 
problem is in fact increasing.  
Dr. Lenard.  It is a report by Javelin, which I would be happy to 
provide.  
Ms. Schakowsky.  That would be great.  Thank you.  Go ahead.  I 
interrupted you.  
Dr. Lenard.  And the Javelin report suggests that actually the number 
of people subject to identity fraud has declined by 12ï¿½percent over 
the last couple of years.  There is a lot of data showing that the 
losses due to fraud, credit cards, per $100 are at the lowest level.  
They have declined substantially over the last several years.  It is 
not surprising because most of these costs are borne by the businesses 
so they have incentive to make the investments in security to try to 
reduce those costs.  
Ms. Schakowsky.  The FTC has said that the cost is about--this fraud 
is about $50ï¿½billion a year.  I understand that you are saying that 
business itself has an incentive since they bear most of the cost, but 
I would be interested in the source of the data that you have just 
presented.  
Mr. Taylor, you are a CPO.  Is that a common position in large 
corporations now?  
Mr. Taylor.  Yes, I think it is a common position.  It is growing over 
time.  We have seen a lot of growth in the chief privacy officer 
positions in companies, especially in the last 3 to 5 years.  It is a 
position that is put in place to ensure that as we look at some of the 
emerging legislation, rules around the world, that we have somebody in 
place to actually interpret those for the company, working with legal 
and other organizations, and ensure that we are deploying a policy that 
is going to protect customers and consumersï¿½ personally-identifiable 
information.  
Ms. Schakowsky.  Professor Swire, since you fulfilled that role 
essentially for the Federal government, are you saying we donï¿½t have 
that position any longer and do you think that that would be valuable 
to have a privacy czar for the Federal government?
Mr. Swire.  It was done exclusively the first time.  It is a little bit 
hard to answer in some ways except that the decision was made when the 
current Administration came in not to fill that role.  I think so many 
things in the Federal government go across agencies that it makes sense 
to have someone looking at privacy across agencies and so having 
somebody in the executive office of the President, I think, does make 
sense.  
Ms. Schakowsky.  Certainly seems that way to me, given the use of 
private information that we are increasingly finding out about, some 
legal, maybe not legal in some cases, that we have someone whose job 
it is to focus on that.  
I am out of time.  Thank you.  
Mr. Stearns.  The gentleman from Texas, the Full Committee Chairman 
is recognized.  
Chairman Barton.  Thank you, Mr. Chairman.  
I just want a show of hands on this.  How many of the witnesses today 
support a Federal preemptive privacy standard?  Three.  Reluctant, 
four.  So we are on record on that.  
Would a Federal standard preempt a State from adopting a stricter 
standard?  
Mr. Swire.  I think that is what we have been understanding by 
preemption.  Uniform, yes.  
Chairman Barton.  Uniform standards, and that would preempt States 
from obviously weakening it but obviously strengthening it.  
On the private right of action, the gentlelady from eBay does not 
support that; isnï¿½t that correct?  
Ms. Whitman.  Correct.  
Chairman Barton.  Would you support a limited private right of action 
where you would limit the award to reasonable attorneyï¿½s fees in some 
specific capped dollar amount, $250,000 or something like that, as 
opposed to an unlimited private right of action?  
Ms. Whitman.  Let me consult my chief privacy officer.  
I would love to kind of think about this a little more.  I will give 
you a tentative answer that I think we would like to have one enforcement 
agency--that would be the FTC--that would be sort of held accountable.  
Again, what I am trying to do is simplify our lives, our usersï¿½ lives 
and at the same time very robustly supporting a Federal privacy 
legislation.  So letï¿½s take that under advisement, and we can get 
back to you.  
Chairman Barton.  I am not for unlimited private right of action, but 
I can see when somebody abuses my privacy, I can see wanting to take a 
private right of action that redresses that specific crime and gives 
me some financial reimbursement.  So that is just an option of going 
one way or the other.  
Ms. Whitman.  Let us think about that a little bit, and we can get 
back to you.  
Chairman Barton.  Professor Taylor, you speak on behalf of 12 
companies.  Can you read those companies into the record, please?  
Mr. Swire.  I think that was directed to me.  Twelve companies--
Chairman Barton.  Iï¿½m sorry.  There are five name tags and only four 
people.  So two of you represent two people.  
Mr. Swire.  Alphabetically listed, Eastman Kodak; eBay; Inc.; Eli Lilly 
and Company; Google, Inc.; Hewitt and Associates; Hewlett-Packard 
Company; Intel Corp.; Microsoft Corp.; Oracle Corporation; Procter & 
Gamble Company; Sun Microsystems, Inc.; and Symantec Corporation.
Chairman Barton.  Do you happen to know where a company like AOL might 
be in this issue?  
Mr. Swire.  We have talked to quite a few different companies.  To my 
recollection, we havenï¿½t had a meeting with AOL so I donï¿½t have 
information on that.  
Chairman Barton.  Dr. Lenard, you seem to be the one that seems to 
indicate there is not a real problem here.  Do you not read the 
newspapers, watch television?  Do you not see all of these data security 
breaches?  Citigroup is even running commercials on TV about identity 
theft.  How can you honestly sit here and tell this committee this is 
not a growing problem?  
Dr. Lenard.  Well, I guess there are a couple of things; One is, I 
think privacy--obviously they are interrelated--but privacy and 
identity theft, I am not sure--most of what is talked about in terms of 
privacy legislation I am not sure would have much--it is not obvious to 
me the connection between that and identity theft, but I think there is 
a lot more of kind of hue and cry.  As I strive to say in my testimony, 
I think the facts are actually contrary to the public perception in a 
number of regards and, then when you look at the facts closely, that 
the market is working pretty well.  It is obviously a rapidly changing 
technological environment.  There is not, as far as I can see, consumer 
harm from legitimate commercial use of personal information, legal 
commercial use of personal information.  Obviously, identity theft and 
identity fraud are illegal, and obviously, we need enforcement against 
it.  
But the fact is that there are incentives at work in the marketplace, 
pretty strong incentives to reduce that.  
Chairman Barton.  Are you familiar with the term pretexting?  
Dr. Lenard.  Yes, I am familiar with it.  I am not saying--
Chairman Barton.  There are companies now in existence to proactively 
invade your privacy and sell the results of their ill-gotten gains to 
anybody with a hundred bucks.  And we have a bill that has passed this 
committee, hasnï¿½t gone to the floor yet, but you donï¿½t consider that to 
be a problem?
Dr. Lenard.  Obviously, it is.  
Chairman Barton.  The concept of spoofing, where people send false ID 
information on your telephone caller ID.  I can go on and on and on.  
Dr. Lenard.  Obviously, those are bad things, and that is a legitimate 
law enforcement problem.
Chairman Barton.  You did hold you your hand up that you support a 
comprehensive Federal privacy--
Dr. Lenard.  I support--I think the major rationale for privacy 
legislation is Federal preemption, in other words, I think--
Chairman Barton.  To the extent it is a problem, you think we need a 
Federal standard on it.  
Dr. Lenard.  To the extent we have a lot of different State laws and 
inconsistent State laws that people in companies have to deal with, it 
is better to have one Federal law.  
Chairman Barton.  Mr. Chairman, my time has expired.  
Mr. Stearns.  I thank the gentleman.  
Ms. Whitman has left, and I understand that Scott Shipman, the Chief 
Privacy Officer, is standing in.  
Chairman Barton.  What happened to Mr. Hendricks?  
Mr. Stearns.  He said he had to catch a train.  I gave him an 
opportunity to answer about his opening statement, and he decided he 
had to leave.  
The gentlelady from Tennessee, Mrs. Blackburn.  
Mrs. Blackburn.  Thank you, Mr. Chairman.  
Letï¿½s see where I want to start here.  Letï¿½s go back.  In the opening 
statement, I said something about the EU standards.  Professor Swire, 
I think I will come to you with this one.  When you look at the 
standards that are used there, we continue to hear this a good bit.  
Is that something you would default to more or less?  
Mr. Swire.  Accepting a European approach?  Is that the question?  
Mrs. Blackburn.  Basically.  Are theirs tighter than ours?  Are they 
doing a better job than our private companies are doing here?  
Mr. Swire.  Well, I actually wrote a book on that back in 1998 which 
probably three people made it through without their eyes glazing over, 
but I think that--
Mrs. Blackburn.  You are saying you are ahead of your time.  
Mr. Swire.  Could be.  The European rules are not business friendly in 
important respects, in ways that donï¿½t help consumers but put a lot of 
burdens on businesses.  
Mrs. Blackburn.  That is helpful to know, and I appreciate that.  
All right.  Letï¿½s see, I think it is Mr. Taylor.  I have got so many 
sheets of paper with me right now.  Your companyï¿½s policies, do you 
have the same policy globally, or do these change from market to 
market when you are looking at privacy policy?  
Mr. Taylor.  Our master privacy policy is consistent globally.  Same 
principles apply in all cases.  There are some minute changes that are 
necessary in certain countries, but the base policy is the same 
everywhere in the world.  
Mrs. Blackburn.  Okay.  Well, Professor Swire, let me come back to 
you.  If we were to write a comprehensive bill, what are maybe the top 
components of that that you think we should include?  
Mr. Swire.  Well, in our statement, we took a list; that is the list 
that the Federal Trade Commission has often used.  There should be 
notice to individuals.  There should be choice.  We say there should be 
reasonable access, which is something that has been controversial 
sometimes.  There needs to be data security.  There needs to be 
accountability.  
Mrs. Blackburn.  You are saying, keep it very simple and broad.  
Mr. Swire.  I think so.  You have a big country here with a lot of 
different industries, and if you write a statute that tries to lock in 
how some people do it, other people do it a different way, so you have 
to be cautious about that.  
Mrs. Blackburn.  And the industry is still changing, and it is new, and 
it is young.  
Dr. Lenard, you mention a Javelin Strategy & Research report that must 
be just absolutely amazing.  I am kind of from the same school of 
thought as the Chairman, I find it incredible that, in your statement, 
you say, since 2003, the number of victims has declined by almost 
12ï¿½percent to 8.9 million annually while the average cost per victim 
has increased over 20ï¿½percent.  
My goodness, to me that is just an astounding statistic that the level 
of individual fraud and the crime perpetrated on the holder of the 
information, the owner of that information by someone who has created 
that theft.  And then you go on with your explanation:  However, since 
most victims donï¿½t incur the costs related to their fraud cases, the 
average consumer costs have declined by 24ï¿½percent, although the time 
it takes to resolve the fraud case has increased from 33 to 40ï¿½hours.  
To me that is just astounding that it takes that much time.  And when 
we hold identity theft town hall meetings and we hear from individuals, 
they are horrified with what has happened to them and the amount of 
time.  I think 40ï¿½hours is, from some of the stories I have heard, if 
people got through that in that period of time, they would consider 
themselves very fortunate, because for some people, it takes months and 
months and month to unravel this once their information has been listed.  
So if you will please submit a copy of that study and that report, I 
would appreciate being able to see that and read through that.  It would 
be helpful.  
My last question, Mr. Shipman, payment systems, such as Paypal, do you 
want to give a very brief step of the--when I go on eBay and make a 
purchase and I submit my information to Paypal, and then they give me my 
receipt number; then why donï¿½t you walk through that process, the steps 
that are taken for protecting that personal information?  How do I have 
confidence that that transaction really has completed itself and 
completed itself in privacy, which sometimes you sit there and you say, 
well, I havenï¿½t seen my goods yet; I havenï¿½t seen the things I purchased 
yet, and oh, my goodness, I hope it went to the right spot.  
Why donï¿½t you walk us through that?  
Mr. Shipman.  Certainly.  Thank you.  I think that the key step to note 
with Paypal is that, unlike purchasing at a restaurant or purchasing in 
a store, the seller actually does not ever receive the purchase 
instrument that you have used to provide that payment.  That is where 
Paypal--
Mrs. Blackburn.  The purchase instrument?  
Mr. Shipman.  The credit card, check, bank account number.  That is 
where Paypal in and of itself is a privately enabled--
Mrs. Blackburn.  Letï¿½s back up.  So the actual merchant never gets 
that?  That just goes to Paypal?  So you have taken one person--you are 
not a three-party transaction, you are simply a two-party.  
Mr. Shipman.  So what in effect happens is the seller is paid without 
ever seeing your credit card number, your checking account, your bank 
account, and therefore, they donï¿½t have the opportunity, one, to do 
something wrong if they intended to; and two, to lose it if they didnï¿½t 
intend to do anything wrong but otherwise would care less.  In and of 
itself, there is a privacy system built in.  
Mrs. Blackburn.  Very good.  Thank you.  I yield back.
Mr. Stearns.  I thank the gentlelady.  
Mr. Gonzalez of Texas.  
Mr. Gonzalez.  Thank you very much.  I got an e-mail a minute ago, one 
of my staff members who knew about our hearing today, he said:  
Ironically, some scam artist sent out a mass e-mail this morning using 
eBay as a cover to find personal information.  
So it is happening as we speak, and that is just the price we pay for 
technology.  All the advantages it gives us, obviously, there is 
exposure.  
Professor Swire, if you would help me think this through.  If we didnï¿½t 
have any State regulation regarding privacy duties and responsibilities 
on the part of the companies and we didnï¿½t have any Federal statute, 
Gramm-Leach-Bliley, just doesnï¿½t matter, what would be the basis for 
those companies as far as any liabilities, responsibilities or duties?  
Mr. Swire.  Part of it would come from State common law.  Is there any 
tort that happened here?  Is there some contract that got broken?  And 
the contracts that get broken, the Federal Trade Commission might come 
in and say, you did something deceptive.  So the base line has been, if 
a company promises to take care of your information and breaks the 
promise, that is a deceptive trade practice.  And so the FTC or the 
State AGs have been able to bring actions when those things happen.  It 
is State enforcement, but it is enforcing the broken promise, broken 
contract.  
Mr. Gonzalez.  What about the individual consumer?  
Mr. Swire.  Common law has not done very well here at all.  Basically, 
when it comes to information privacy, common law has not developed, and 
there is, with rare exceptions, no common law way to proceed.
Mr. Gonzalez.  So, but for some sort of State or Federal regulatory 
scheme that would empower a consumer to bring a cause of action, we 
probably donï¿½t have anything out there.  
Mr. Swire.  With rare exceptions, yes.  
Mr. Gonzalez.  What we may have out there right now under the discussion 
we are having here, and if we had Ms. Whitman and Mr. Taylorï¿½s way, we 
would not have that individual or consumer right cause of action.  
Mr. Swire.  That is one of the arguments.  Do you have private right?  
Do you have State AGs, FTC; who gets to be involved?  
Mr. Gonzalez.  Do you see an advantage to having a private cause of 
action right?  
Mr. Swire.  Today I am here trying to speak on behalf of this Forum of 
people with different perspectives on this and some other issues, and 
we hope to have a principles document that comes out with more detail 
later, but we are not quite there yet today.  
Mr. Gonzalez.  Wouldnï¿½t you say the objective of most laws is to make a 
person whole again?  The individual that is harmed, the individual that 
suffers the loss.  
Mr. Swire.  When I teach torts, that is what you say; we are supposed 
to get you back to where you started.  
Mr. Gonzalez.  But this would be an exception to that because if it 
was Charlie Gonzalezï¿½s information that is mishandled, misused, and so 
on, I donï¿½t have a cause of action.  It is only if some elected official 
or appointed official in the State or Federal government chooses to 
prosecute, chooses to bring a cause of action.  
Mr. Swire.  That is the logic for private rights of action when you have 
torts as the basic way to proceed; that is the reason.  
Mr. Gonzalez.  I wouldnï¿½t have that.  The only remedy that we are seeking 
here, if we are talking about preemption at the Federal level without a 
private cause of action in any form, shape, or manner, and not even what 
the Chairman of the Full Committee is suggesting, Charlie Gonzalez is 
never going to be made whole again.  Whatever I lost, whatever my 
identity theft resulted in my economic loss, reputation, and so on, I 
would have no cause of action.  I would just suffer that loss.  
Mr. Swire.  You are making the argument for a private right of action.  
Mr. Gonzalez.  I definitely know that is what I am doing, because that 
is my reference, to be honest with you.  When we talk about Federal 
anything and about preemption, it seems to me that we have--and I am not 
doing a number on corporate America or business mindsets or anything like 
that.  I understand how it works.  But it seems to me that they always 
come to us and say, we shouldnï¿½t have a private cause of action, there 
will be lawsuit abuse.  We will have the class actions and such, even 
though we have some Federal law regarding class actions now, as I 
understand it is.  
But I really do believe we are taking away a valuable right, and that 
right belongs to the individual consumer that trusted the individual 
that they shared that information with to keep their promise about 
safeguarding that information without any kind of negligence or any kind 
of ill will or intentional tort.  I donï¿½t understand why we actually do 
that.  
So let me ask, and I know Ms. Whitman is gone.  Is it Mr. Shipman?  
Mr. Shipman.  Shipman.  
Mr. Gonzalez.  What is your position?  Why would you all fear your 
individual customer to come to you and say, hey, you breached your 
agreement with me; you said you would safeguard my information, and you 
didnï¿½t?  What is so wrong with that individual having some sort of 
remedy to seeking some redress?  
Mr. Shipman.  I think it is entirely appropriate for an individual at 
some level to have a remedy, and certainly what was said earlier was 
that there is a balance that needs to take place.  There is certainly 
a concern that we donï¿½t want to overburden business.  We donï¿½t want to 
overburden eBayï¿½s sellers that run business.  We donï¿½t want to 
overburden the myriad of hundreds of thousands of eBay sellers that 
run small businesses.  
With that said, I think to the extent that what I have heard of the 
conversation today talking about is we want to provide some sort of 
remedy, and certainly, if we look to the examples of either CAN-SPAM 
or some of the other laws that Professor Peter Swire has mentioned, I 
think we do see there are examples that have worked where it is a large, 
broad uniform Federal legislation that has a strong preemptive component 
but then may allow AG enforcement to provide the customer or the 
consumer with a level of individual protection, individual right.  
Certainly, we are not there yet, and what we are talking about is a 
discussion on Federal privacy legislation and where we are at in that 
principles document is certainly evolving.  But, naturally, it does beg 
the question to look and see what has worked and what is out there 
working, and actually, I think that would be a good place to start.  
Mr. Gonzalez.  The beauty of a private cause of action, it belongs to 
the individual citizen, and it doesnï¿½t necessarily have to depend on 
the whims or political considerations of an elected official or an 
appointed official because I will tell you right now that goes into the 
mix of factors in deciding whether there is going to be enforcement of 
any particular regulatory statute out there, whether it is State or 
Federal level.  I have seen it.  I have experienced it.  Everybody is 
guilty of it, regardless, at some point in time politically, and it is 
just wrong.  I am hoping that we again maybe seek that balance that 
Ms. Whitman was talking about.  Again, I am going to Dr. Lenardï¿½s 
concern not to have a regulatory scheme that makes the legal collection, 
dissemination and sharing of information so difficult that it bogs down 
our economic system and actually can be a deterrence or impediment to 
technological advances in a healthy marketplace.  
With that, I yield back the balance of my time.  
Mr. Stearns.  Mr. Deal, the gentleman from Georgia.  
Mr. Deal.  I thank you.  
Last week this Full Committee passed a health information technology 
bill.  We did not include in that privacy language.  There are those who 
wanted us to do so; others who said that it is not the appropriate 
vehicle for doing it.  
My first question is:  Is the health information arena so different that 
it cannot be adequately encompassed within some overarching uniform 
privacy standards, and if it is not, why not?  
Mr. Swire.  I think, from the panel, I spent the most time living through 
HIPAA and all its wonders.  A couple of observations:  One thing is that, 
for the over one million covered entities who are under HIPAA today, they 
have gone through a big process already that other sectors havenï¿½t gone 
through in quite the same way, so they have gone and bought systems and 
put in security and privacy.  And so when I talk to health care people, 
they think the idea of tearing that down and having to do something 
different is unfair to them.  That is one observation about health IT.  
Another thing is that there is a series of public concerns around health 
care information that are pretty special.  Health care research is a very 
special universe.  How are you going to do the medical research to save 
all our lives or our grandchildrenï¿½s lives?  So there are some very 
special things in health care that are pretty different as a sector.  
So those are two reasons for caution in saying, heck, letï¿½s just put it 
all off into a different thing.  I think the third and final point is 
health care is inside your body, inside your brain.  It is very 
sensitive data and people sort of think of that as way up there on the 
sensitive scale.  
Mr. Deal.  So rather than having to undue HIPAA, perhaps we should look 
at refining additional privacy rules, if necessary, to deal with the 
implementation and encouraging the implementation of health records 
being computerized, et cetera, and interoperability among hospitals, 
doctors offices, and other medical providers.  Is that generally what I 
hear you saying?  
Mr. Swire.  Let me be really, really clear, this is individually me 
speaking here, this is not the forum.  
Mr. Deal.  I have the rare opportunity on behalf of all the law students 
in the country to cross-examine a tort professor, something I have 
always wanted to do.  
Mr. Swire.  I have a few students in the room here today who are 
enjoying it.  
The question is, to refine the health care but not try to merge them, 
and I think that is the direction that I would be pointing to.  
Mr. Deal.  All right.  Let me go to a broader issue here, and that 
relates to rights of actions and the basis for rights of action.  It 
seems to me that there are some very different issues, and I think 
Dr. Lenard tried to distinguish between the identity theft issue and 
privacy breaches.  They may not necessarily be the same.  They may be 
the same, but they may not necessarily be the same.  
With regard to that, is it possible to devise a regulatory, or a 
statutory rather, format that defines the responsibility of information 
collection systems, whether it be, in the commercial sector, and define 
those responsibilities?  And if a company conforms to those requirements, 
that they would not be liable in an action either administratively or a 
private right of action for individuals, for example, who are able to 
breach that system or for individuals within their own corporate 
structure who certainly without authority breach the system and use 
information outside?  
I am not sure that I am communicating my concerns.  My concern is, are 
we able to define a standard of care statutorily that a corporation or 
a business can say we have complied with this, but nevertheless, there 
may be identity theft; there may be breaches that perhaps they were 
unable to prevent.  Is that a realistic goal?  Because I donï¿½t think 
we can ever hold people to an absolute standard.  In other words, is 
it going to be a strict liability standard?  Is that what is being 
asked, strict liability?  
Mr. Swire.  It sounded for a moment as though you were saying, could 
there be a safe harbor area?  
Mr. Deal.  Let me put it in another situation, in a medical context.  If 
we are dealing with medical malpractice, there are standards of conduct 
that are the test by which the determination is made whether or not 
there is negligence that leads to a cause of action.  That is the same 
kind of analogy I would make here.  Or are we going to have a standard 
that is a strict liability standard without regard for due diligence, 
without regard to lack of negligence?  What are we talking about?  
Mr. Swire.  This is one place where this is in more detail than at least 
the Forum as a group has gotten to something yet.  
Mr. Deal.  Donï¿½t you think that is where the heart of this issue might 
lie?  
Mr. Swire.  In every regulatory regime, you have mens rea issues.  What 
is intentional enough to get you extra bad or is negligent, or is it 
going to be strict liability?  So that is something that has to be very 
clear or else people donï¿½t know what game they are playing.  
Mr. Shipman.  I think that what we are seeing from the FTC today is 
certainly a security standard through their enforcement actions.  If 
you read the various documents that they publish and review the cases, 
out of that is evolving a standard.  Now I think to your question, can 
you draw a line and say, to the left of that is one thing and to the 
right of that is another, and the challenge there is naturally 
technology, and technology, as we all know, continues to move.  
So to create any type of strict standard where you follow that line 
could be problematic on both fronts.  One, it could become too weak of 
a standard at some point, or it could be too strict based on where we 
draw it.
Mr. Deal.  Mr. Chairman, with your indulgence Mr. Terry had to leave 
and if I may ask a question on his behalf.  Since we are talking about 
the possibility of preempting State statutes, his question was, is there 
any State that the panel is aware of that has done a very thorough job 
of adopting State protections by State statute?  And if so, who are 
they?  Are there some models out there at the State level that you 
would recommend?  
Mr. Swire.  Perhaps not surprisingly, California has been active in the 
area and has been more regulatory than most States.  For certain 
financial records, Vermont has been more regulatory than more States; 
North Dakota at one point.  So there is a fair bit of variation out 
there.  I donï¿½t have one State to hold up as the perfect one for there 
has been a fair bit of experimentation.  
Mr. Deal.  Thank you.  
Mr. Stearns.  Thank you.  Mr. Otter has left so I think we have 
concluded.  I would just ask Mr. Lenard, isnï¿½t it true that, in the 
European Union, they had no private right of action in their privacy 
legislation?  
Mr. Shipman, isnï¿½t that true?
Mr. Shipman.  That is correct, based on my understanding.  
Mr. Stearns.  Mr. Taylor.  
Mr. Taylor.  Yes.
Mr. Stearns.  So over in the European Union, they are pretty much 
highly regulatory, and yet they have no private right of action.  And 
in fact, you have to pay your own attorneyï¿½s fees.  
I guess the one question I have before we conclude is, we put together 
a bill here and then you do business in the European Union, how does 
the handling of business in countries that have different regulatory 
schemes, how does that affect eBay, if someone works for Hewlett-
Packard--how does eBay handle somebody in the European Union with a 
different set of privacy regulations if we passed a Federal bill?  
Mr. Shipman.  That is a challenge for large sellers as well as for 
eBay, Paypal, and Skype.  One of the things we have worked very hard on 
is synchronizing our own policies and access, as we talked about earlier, 
to make sure all of our customers have a baseline standard with which 
they can expect to receive information, answer questions, and access 
their information across the eBay platform.  
So the simplest form of answer to you is that providing Federal 
legislation in the United States actually makes it easier, because in 
fact we now have a standard to point to within the U.S. as we already 
do within Europe and certainly within the APEC framework in Asia.  
Mr. Stearns.  Anyone else like to comment before we conclude?  
Mr. Taylor.  I would be happy to comment.  
Very similar scenario at HP.  When the European Union established safe 
harbor and developed principles, HP actually built its privacy 
principles in our policy against the EU standard, and we did that really 
for the simple purpose of being able to have one consistent global 
standard that met the requirements or the bar every place in the world.  
Mr. Stearns.  Wouldnï¿½t that be another reason why we as Members of 
Congress when we legislate here should take into account some of the 
other continentsï¿½ privacy to try to at least as much as possible have 
one regulatory scheme that would be universal application so companies 
like you can do international global business without fear of different 
kinds of litigation problems or standards?  
Mr. Taylor.  HP certainly isnï¿½t advocating adopting the EU standard, 
but I think, as we develop the framework and look at the principles, I 
think it is important for us to look at other best practices and what 
other countries or groups of countries have done.  I think there are 
things that we can do.  
Mr. Stearns.  Mr. Shipman, would you like to see the United States adopt 
the European standard?  
Mr. Shipman.  Absolutely not.  This is America, and I think, as such, I 
think we need laws that make sense for us.  Certainly, we do have the 
luxury of time, which is we can see what has worked and what hasnï¿½t 
worked.  
Mr. Stearns.  In the European Union standard.  
Dr. Lenard.  
Dr. Lenard.  The one thing I would add is that, in the APEC, the APEC 
framework as distinct from the European framework has harm as a central 
feature of it, so that the regulation--that is obviously a big 
advantage.  I think that is something to look to for some guidance.  
Mr. Stearns.  Professor Swire, anything you want to comment?  
If not, I want to thank all of you for your patience, and I think we 
had a very balanced hearing, and I appreciate your attention.  And 
with that, the subcommittee is adjourned. 
[Whereupon, at 4:14 p.m., the subcommittee was adjourned.]