[House Hearing, 110 Congress]
[From the U.S. Government Printing Office]




 
    PRIVACY: THE USE OF COMMERCIAL INFORMATION RESELLERS BY FEDERAL 
                                AGENCIES

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 11, 2008

                               __________

                           Serial No. 110-108

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                     http://www.oversight.house.gov



                     U.S. GOVERNMENT PRINTING OFFICE
46-195 PDF                 WASHINGTON DC:  2009
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 HENRY A. WAXMAN, California, Chairman
EDOLPHUS TOWNS, New York             TOM DAVIS, Virginia
PAUL E. KANJORSKI, Pennsylvania      DAN BURTON, Indiana
CAROLYN B. MALONEY, New York         CHRISTOPHER SHAYS, Connecticut
ELIJAH E. CUMMINGS, Maryland         JOHN M. McHUGH, New York
DENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida
DANNY K. DAVIS, Illinois             MARK E. SOUDER, Indiana
JOHN F. TIERNEY, Massachusetts       TODD RUSSELL PLATTS, Pennsylvania
WM. LACY CLAY, Missouri              CHRIS CANNON, Utah
DIANE E. WATSON, California          JOHN J. DUNCAN, Jr., Tennessee
STEPHEN F. LYNCH, Massachusetts      MICHAEL R. TURNER, Ohio
BRIAN HIGGINS, New York              DARRELL E. ISSA, California
JOHN A. YARMUTH, Kentucky            KENNY MARCHANT, Texas
BRUCE L. BRALEY, Iowa                LYNN A. WESTMORELAND, Georgia
ELEANOR HOLMES NORTON, District of   PATRICK T. McHENRY, North Carolina
    Columbia                         VIRGINIA FOXX, North Carolina
BETTY McCOLLUM, Minnesota            BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                BILL SALI, Idaho
CHRIS VAN HOLLEN, Maryland           JIM JORDAN, Ohio
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont
------ ------

                     Phil Schiliro, Chief of Staff
                      Phil Barnett, Staff Director
                       Earley Green, Chief Clerk
               Lawrence Halloran, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York         CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky            BILL SALI, Idaho
PAUL W. HODES, New Hampshire
                      Tony Haywood, Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 11, 2008...................................     1
Statement of:
    Evans, Karen S., Administrator, Office of E-Government and 
      Information Technology, OMB; Linda D. Koontz, Director, 
      Information Management Issues, GAO; and Hugo Teufel III, 
      Chief Privacy Officer, Department of Homeland Security.....     6
        Evans, Karen S...........................................     6
        Koontz, Linda D..........................................    12
        Teufel, Hugo, III........................................    43
    Schwartz, Ari, deputy director, Center for Democracy and 
      Technology; Stuart Pratt, president, Consumer Data Industry 
      Association; and Paula J. Bruening, deputy director, Center 
      for Information Policy Leadership..........................    66
        Bruening, Paula J........................................    93
        Pratt, Stuart............................................    79
        Schwartz, Ari............................................    66
Letters, statements, etc., submitted for the record by:
    Bruening, Paula J., deputy director, Center for Information 
      Policy Leadership, prepared statement of...................    95
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................     3
    Evans, Karen S., Administrator, Office of E-Government and 
      Information Technology, OMB, prepared statement of.........     8
    Koontz, Linda D., Director, Information Management Issues, 
      GAO, prepared statement of.................................    14
    Pratt, Stuart, president, Consumer Data Industry Association, 
      prepared statement of......................................    81
    Schwartz, Ari, deputy director, Center for Democracy and 
      Technology, prepared statement of..........................    68
    Teufel, Hugo, III, Chief Privacy Officer, Department of 
      Homeland Security:
        Prepared statement of....................................    45
        Various e-mails..........................................    58


    PRIVACY: THE USE OF COMMERCIAL INFORMATION RESELLERS BY FEDERAL 
                                AGENCIES

                              ----------                              


                        TUESDAY, MARCH 11, 2008

                  House of Representatives,
   Subcommittee on Information Policy, Census, and 
                                 National Archives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:12 p.m., in 
room 2203, Rayburn House Office Building, Hon. Wm. Lacy Clay 
(chairman of the subcommittee) presiding.
    Present: Representatives Clay and Turner.
    Staff present: Darryl Piggee, staff director/counsel; Jean 
Gosa, clerk; Adam Bordes, professional staff member; Michelle 
Mitchell, legislative assistant, Office of Wm. Lacy Clay; 
Leneal Scott, information systems manager; and Charles 
Phillips, minority counsel.
    Mr. Clay. The Information Policy, Census, and National 
Archives Subcommittee of the Oversight and Government Reform 
Committee will now come to order. Today's hearing will examine 
the role of the agencies using commercial information resellers 
to obtain personal information about individuals and whether 
there are adequate privacy safeguards in place for such 
transactions. We will hear from both government and private 
sector witnesses about the adequacy of current privacy 
safeguards and solicit their recommendations for improving the 
protections afforded to personal information that is obtained 
and used by our agencies. And we will also examine whether our 
current privacy laws and regulations require additional privacy 
safeguards, such as those offered in my bill H.R. 4791, the 
Federal Agency Data Protection Act.
    Without objection, the Chair and ranking minority member 
will have 5 minutes to make opening statements, followed by 
opening statements not to exceed 3 minutes by any other Member 
who seeks recognition. Without objection, Members and witnesses 
may have 5 legislative days to submit a written statement or 
extraneous materials for the record.
    Since the enactment of our Nation's first comprehensive 
privacy laws over three decades ago, advances in computing and 
data mining have enabled agencies and the information service 
industry to aggregate and combine different sources of personal 
information in ways that no one could anticipate.
    From a privacy perspective, however, such activities have 
increased the risk of personal information being misused by 
agency personnel or inadequately protected by data bases that 
are used for multiple purposes. This problem has been further 
magnified by the agency community's use of commercial data. 
Brokers obtain specific and detailed information on individuals 
without ensuring that adequate privacy measures are in place. 
In fact, a recent GAO report confirms that both agencies and 
commercial data brokers are uneven in their application of 
those information safeguards required under the Privacy Act and 
that agencies continue to lack effective privacy practices in 
the handling of such information from commercial sources.
    While I realize that obtaining such information from 
private sources is vital to the work of our agencies, it is 
critical that such information be afforded the same privacy 
protections as data maintained on agency systems.
    I welcome all of our witnesses today and look forward to 
their testimony and I now yield to the distinguished ranking 
minority member, Mr. Turner of Ohio.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    [GRAPHIC] [TIFF OMITTED] T6195.001
    
    [GRAPHIC] [TIFF OMITTED] T6195.002
    
    Mr. Turner. Thank you, Mr. Chairman.
    Mr. Chairman, I greatly appreciate your holding this 
hearing. This issue involves the careful balancing of 
individuals' right to privacy and the Federal Government's need 
to obtain information to protect national security in the war 
on terror and to provide other vital services. The role of 
commercial information resellers in supplying data about 
individuals to Federal agencies is certainly a new dimension 
both for opportunity and the need for concern. The government 
act requires that agencies conduct private investment 
assessments [PIAs], analysis of how personal information is 
collected, stored, shared and managed in a Federal system.
    Under the E-Government Act and related Office of Management 
and Budget's guidance, agencies must conduct PIAs before 
developing or procuring information technology that collects, 
maintains or disseminates information that is in a personally 
identifiable form. Some are concerned that OMB has not provided 
sufficient guidance on PIAs and that some agencies have not 
always notified the public that commercial information 
resellers were among the sources used.
    The importance of this hearing, obviously, is for us to be 
able to provide a balance. I understand that there will be a 
significant amount of concern of the impact of our looking at 
this issue on the commercial sector, and we also have concerns 
as to protecting individual privacy. This will be helpful 
because as we get more information, we can ensure that we do 
the right thing in proceeding.
    We certainly want to make certain that on all these issues 
that we have a balance. We're going to hear from all sides and 
perspectives that we can work together to improve the 
situation, address valid concerns while avoiding overreaching 
legislation that could negatively impact agency missions. As we 
look to the successes that have occurred in the commercial 
sector, we certainly don't want to overly restrict the ability 
of the Federal Government to overlook these resources, but we 
must look to affording protections.
    Mr. Chairman, I look forward to all the witnesses' 
testimony and yield back the balance of my time.
    Mr. Clay. If there are no additional opening statements, 
the subcommittee will now receive testimony from witnesses 
before us today. I want to start by introducing our first 
panel. Ms. Karen Evans is the Administrator for the office of 
E-Government and Information Technology at the Office of 
Management and Budget. She is an experienced IT professional 
and leads the administration's program in information security. 
And welcome today.
    Ms. Evans. Thank you.
    Mr. Clay. We also have Ms. Linda Koontz who is the Director 
of Information Management issues at the U.S. Government 
Accountability Office. She is responsible for issues concerning 
the collection, use and dissemination of government information 
in an era of rapidly changing technology. Welcome, Ms. Koontz. 
Welcome back.
    We also have Mr. Hugo Teufel as the Chief Privacy Officer 
at the Department of Homeland Security. His office is 
responsible for all privacy policies throughout DHS, including 
agency compliance with the Privacy Act of 1974, the conducting 
of Privacy Impact Assessments and oversight of all agency 
activities relating to the use, collection and disclosure of 
personal information. Thank you too, Mr. Teufel, for being here 
today.
    It is the policy of the committee to swear in all witnesses 
before they testify. I'd like to ask you to please stand and 
raise your right hand.
    [Witnesses sworn.]
    Mr. Clay. Let the record reflect that the witnesses 
answered in the affirmative. I ask that each of the witnesses 
now give a brief summary of their testimony and to keep the 
summary under 5 minutes in duration. Your complete written 
statement will be included in the hearing record. Ms. Evans, 
let's begin with you.

   STATEMENTS OF KAREN S. EVANS, ADMINISTRATOR, OFFICE OF E-
 GOVERNMENT AND INFORMATION TECHNOLOGY, OMB; LINDA D. KOONTZ, 
 DIRECTOR, INFORMATION MANAGEMENT ISSUES, GAO; AND HUGO TEUFEL 
  III, CHIEF PRIVACY OFFICER, DEPARTMENT OF HOMELAND SECURITY

                  STATEMENT OF KAREN S. EVANS

    Ms. Evans. Good afternoon, Mr. Chairman and members of the 
subcommittee. Thank you for inviting me to speak about the use 
of commercial information resellers by Federal agencies and 
privacy safeguards on such information.
    Safeguarding the privacy of individuals and ensuring 
transparent agency use of personally identifiable information 
has been an administration priority. The administration has 
demonstrated progress through implementing the recommendations 
of the President's Identity Theft Task Force OMB guidance, 
diligent execution, and statutory requirements for the System 
of Record Notice [SORN], and Privacy Impact Assessments [PIAs], 
in increasing agency reporting.
    Building on the work of the President's task force, OMB 
issued memorandum M-07-16 in May 2007 to enhance agency PII 
protections. The guidance required agencies to establish breach 
notification policies and provided a framework for reducing the 
risk of PII breaches. M-07-16 required agencies to review their 
use of Social Security numbers and to identify incidences in 
which the collection or the use of Social Security numbers was 
unnecessary. Within 120 days, agencies were required to 
establish a plan to eliminate the unnecessary collection and 
use of Social Security numbers.
    In response to one of the task force recommendations, OMB 
and DHS also issued a list of 10 common risks impeding adequate 
protection of government information and best practices for 
avoiding and mitigating those risks. The risk covers a range of 
areas, such as security and privacy training, contracts and 
data sharing agreements, and physical security. All the best 
practices and important resources are interrelated and 
complementary and can be broadly applied when administering 
agency information security and privacy programs.
    Federal agencies have pursued diligent execution of the 
statutory requirements for SORN in the Privacy Act and PIAs in 
the E-Gov Act to ensure transparent agency use and handling of 
individuals' information. OMB released the Fiscal Year 2007 
Report on the Implementation of the Federal Information 
Security Management Act of 2002 on March 1st, which reports on 
key measures of agencies' security and privacy programs, 
including SORNs and PIAs.
    For example, the goal of the Federal Government is for 90 
percent of the applicable systems to have publicly posted PIAs. 
In 2007 we reached 84 percent. While this percent remains the 
same as it was in 2006, a substantial increase in the number of 
systems identified requiring PIAs from 2006 to 2007 is 
indicative of the agency progress.
    In next year's FISMA report, we are requiring new key 
privacy measures as outlined in memorandum 08-09 issued in 
January 2008. The increased reporting will enhance public 
confidence in the Federal agency privacy programs and further 
drive agency progress.
    Privacy warrants the administration's close attention. We 
need to ensure Federal agencies are adhering to the enduring 
principles of the Privacy Act and the E-Gov Act in the face of 
advancing technology that allows for greater collection, 
analysis and storage of information by the government and 
industry. In the course of pursuing their missions, agencies 
may determine if it's necessary to obtain these products for a 
variety of reasons, such as verifying beneficiary addresses or 
for law enforcement efforts.
    H.R. 4791 contains two provisions amending the E-Gov Act of 
2002 intended to strengthen privacy practices specifically 
related to agency use of commercial information resellers. In 
testimony provided to the subcommittee on February 14th, I 
shared concerns covering the entire bill. Today I focus my 
written statement on concerns related to sections 8 and 9, the 
data broker provisions.
    Although we strongly support enhancing privacy protections 
for information obtained by Federal agencies, we share several 
concerns expressed across the Federal agencies about the effect 
of this legislation. We are concerned these provisions would 
have a negative unintended consequence without the resulting 
enhancements and privacy protections. Information Federal 
agencies receive from commercial resellers must receive the 
same Privacy Act and E-Gov Act protections provided to other 
information obtained by agencies.
    We look forward to working with you to ensure agency 
privacy policies effectively provide those protections for 
reseller information while enabling each agency to maintain 
privacy policies that align with their diverse missions.
    I'd be happy to take questions at the appropriate time.
    Mr. Clay. Thank you so much, Ms. Evans.
    [The prepared statement of Ms. Evans follows:]

    [GRAPHIC] [TIFF OMITTED] T6195.003 through T6195.006
    
    Mr. Clay. Ms. Koontz, you may proceed.

                  STATEMENT OF LINDA D. KOONTZ

    Ms. Koontz. Mr. Chairman and members of the subcommittee, I 
appreciate the opportunity to be here today to discuss issues 
surrounding the Federal Government's purchase of personal 
information from businesses known as information resellers.
    I'd like to briefly summarize the results of our work on 
this topic. Information is an extremely valuable resource and 
the services provided by information resellers are important to 
a variety of Federal agency functions. Our work has shown that 
agencies make significant use of information obtained from 
information resellers. Specifically for fiscal year 2005, four 
agencies we reviewed--Justice, Homeland Security, State, and 
Social Security--reported a combined total of approximately $30 
million to purchase personal information from resellers. The 
vast majority of the spending, just over 90 percent, was for 
law enforcement or counterterrorism.
    For example, the Department of Justice, the largest user 
among the four, used the information for criminal 
investigations, locating witnesses and fugitives, researching 
assets held by individuals of interest and detecting fraud in 
prescription drug transactions. Reseller information was also 
used to detect and investigate fraud, verify identities and 
determine benefit eligibility.
    While agencies took steps to address privacy and security 
of the information acquired from resellers, they did not do all 
that they could to protect individuals' privacy rights. 
Specifically, although agencies issued public notices on 
information they were collecting about individuals, these did 
not always specifically state that information resellers were 
among the sources used. In several of these cases, agency 
sources for personal information were described only in vague 
terms such as private organization, other public resources, or 
public source material.
    We also found that few agencies were conducting Privacy 
Impact Assessments which can be important tools for helping 
agencies identify privacy implications because they did not 
think they were required. Contributing to this rather uneven 
application of privacy principles were ambiguities in OMB 
guidance regarding the applicability of privacy requirements 
for Federal agency uses of reseller information.
    As a result we made recommendations to OMB to clarify its 
guidance and direct agencies to review their uses of 
information obtained from resellers. We've also recommended 
that the agencies we reviewed develop specific policies for the 
use of commercial data. OMB and the four agencies generally 
agreed with our report. Since then, agencies have taken action 
to address our recommendations.
    For example, DHS incorporated direction on the use of 
commercial data into its May 2007 Guidance on Privacy Impact 
Assessments. However, OMB has not taken the actions we've 
recommended.
    We would also like to comment on the proposed Federal 
Agency Data Protection Act which would require that agencies 
conduct Privacy Impact Assessments for their uses of commercial 
data and develop regulations governing the use of such data. 
These provisions are very consistent with our previous 
recommendations and should help ensure that Federal agencies 
appropriately tend to privacy concerns when using commercial 
data.
    In conclusion, privacy is ultimately about striking a 
balance between competing interests. In this case, it is about 
balancing the value that reseller information adds to important 
government functions against the privacy rights of individuals. 
I look forward to participating in the discussion on how to 
strike that balance.
    That concludes my statement. Thank you.
    Mr. Clay. Thank you so much, Ms. Koontz.
    [The prepared statement of Ms. Koontz follows:]

    [GRAPHIC] [TIFF OMITTED] T6195.007 through T6195.035
    
    Mr. Clay. Mr. Teufel.

                  STATEMENT OF HUGO TEUFEL III

    Mr. Teufel. Good afternoon, Mr. Chairman and Ranking Member 
Turner and members of the committee. It's an honor to be here 
today to talk to you about commercial information and privacy. 
And it's also a pleasure to be here today with my colleagues 
who I hold in very high regard: Ms. Evans from OMB and Ms. 
Koontz from GAO, and we work together often. I gather I'm here 
to give an agency perspective and I will endeavor to do my best 
in giving that perspective.
    In my oral statement, which will be brief, I want to touch 
on a few highlights beyond what's in my written statement. And 
I note that the privacy implications of the use of commercial 
information are not new to my office, and so I want to go 
through a little timeline here for you.
    In September 2005 the Privacy Office held a workshop on 
commercial information.
    September 28, 2005, our Data Privacy and Integrity Advisory 
Committee issued the first of two reports on this information.
    And on April 4, 2006, Acting Chief Privacy Officer Maureen 
Cooney testified, I think before this committee, on the 
subject.
    Following that, on December 6, 2006, our Data Privacy and 
Integrity Advisory Committee issued its second report on 
commercial information.
    As Ms. Koontz noted, our PIA guidance has been updated to 
take into account the use of commercial information, and 
section 2 of the Privacy Impact Assessment Guidance talks about 
the sorts of things that operational components, Department-
Level components, programs at the Department thinking about 
using personally identifiable information, should consider when 
using commercial information.
    So we've got our PIA guidance that addresses this type of 
information, and our PIA guidance. And our authority to conduct 
Privacy Impact Assessments comes not just from section 208 of 
the E-Government Act, which is one of the three pillars of 
Federal privacy law, but also comes from section 222, 
subsection 4, which allows us to conduct Privacy Impact 
Assessments on proposed rules, and the subsection 1 of the old 
section 222, which relates to the uses of technology at the 
Department to make sure that they sustain privacy and do not 
erode privacy.
    So the next thing I want to talk about is training. We 
provide privacy impact assessment training throughout the 
government. We are looking at doing another workshop for 
Federal agency privacy officers in probably May or June this 
year. We recently have begun doing smaller training for 20 or 
fewer within the Department of Homeland Security on Privacy 
Impact Assessments. And we find that when we give PIA training, 
other agencies follow the lead that we have--the trail that we 
have blazed.
    System of Records Notices, which as you will recall were 
required under the privacy impact of 1974, and GAO and Ms. 
Koontz recently issued a report--actually I guess it was not so 
recent, it was maybe 9 months ago--on my office. And one of the 
things that Ms. Koontz mentioned was that we had a number of 
legacy agency System of Records Notices that we have to update. 
About 208 to be exact, give or take a couple. We have made 
substantial progress in revising our legacy agency System of 
Records Notices. We've just sent over 28 to Coast Guard for 
them to consider. And we anticipate that there will be a 
substantial number more that will be updated in the coming 
months. And of course we take into account the types of 
information that go into Systems of Records, as required under 
the Privacy Act of 1974.
    Then the last highlight I wanted to mention to you is 
component privacy officers. One of my recommendations that 
existed prior to Ms. Koontz's report but was highlighted or 
mentioned independently in her report was for an increase in 
component privacy officers at the Department. At the time of 
the report there were two component privacy officers at the 
Transportation Security Administration and at US-VISIT. In 
November, the Secretary--of last year--the Secretary agreed 
with me that there should be additional component privacy 
officers, and four operational components and two Department-
level components. And we and the components are moving forward 
on the hiring or the selection of those component privacy 
officers.
    So the last thing that I wanted to mention to you is 
something that you won't see on paper, and that's what happens 
day in and day out in my Office. And that is when operational 
components and program personnel come to my folks who work in 
the Compliance Section of the Office to talk about new systems. 
And one of the things that is discussed is whether commercial 
information is being used and if so, how it's being used. And 
using the Fair Information Practice Principles, which are set 
forth in my written testimony, we work through with the 
components and program personnel to make sure that commercial 
information is used appropriately.
    That's all I have to say. Thank you very much.
    Mr. Clay. Thank you so much, Mr. Teufel.
    [The prepared statement of Mr. Teufel follows:]

    [GRAPHIC] [TIFF OMITTED] T6195.036 through T6195.043
    
    Mr. Clay. I will recognize Ranking Member Turner for 5 
minutes.
    Mr. Turner. Thank you, Mr. Chairman. I want to thank each 
of you because you have outlined very clearly some of the 
dangers and problems that--is my mic on?
    Mr. Clay. Yes.
    Mr. Turner. Can you guys hear me? OK. Good. Because it 
doesn't sound like it's on.
    You've outlined the dangers and concerns that individuals 
have about the privacy aspect of their personal information. 
But I'm going to ask you a question that really goes to the 
broader umbrella of how we have to be concerned, why we protect 
personal information that we don't commercially restrict, some 
important information gathering for our economy.
    I want to tell you a story. I just recently took some 
people from my community on a tour of the Supreme Court 
building. And I had not been to the floor that had the library. 
And we walked into the library of the Supreme Court and here 
was this beautifully ornate room with all of these books and 
absolutely gorgeous and reverent to the point of the 
information that it contained--absolutely empty.
    Now, I'm a member of the Supreme Court Bar but I've never 
been to the library and I'd not researched in the library. So I 
asked the librarian, has this always been empty? And they were 
telling us, no; but in fact, by the advent of technology, a 
library that used to be packed now has information that is 
readily accessible to others. And certainly in the area of law.
    I know that we have had increased efficiency but also 
higher quality and that the level--the playing field has been 
leveled more among individuals seeking attorneys, that those 
attorneys might have access to information that could be vital 
to their case, as opposed to just hiring those that have the 
best research skills. We have people who are now more able to 
bring to bear in their case in their defense, or they are 
advocating information that's available to them.
    I noted, Ms. Koontz, that in your GAO report--and it seems 
like I'm always referring to footnotes--but you have a 
footnote.
    Ms. Koontz. That's where we put our best stuff.
    Mr. Turner. In footnote 7, when you cite that there's $30 
million that is planned to be spent to purchase personal 
information, your footnote No. 7 says, this figure may include 
information that--uses that do not involve or include personal 
information. And you go down to cite LexisNexis and West, and 
LexisNexis is in my district. And of course being a lawyer, 
I've used both.
    I would like each of you to speak for a moment on the issue 
of although we want to protect privacy, some of the things that 
we are actually seeking in a commercial marketplace where 
someone has taken the data information and reconfigured it for 
our use so that we can all do a better job of whatever we are 
doing; that our things that are just available in the library, 
how do we--how do we balance privacy and personal information 
without restricting things that we've seen in the law practice 
that actually makes the system work better?
    Ms. Koontz. And I do think that this issue is all about 
balance. It's clear from our work that the information obtained 
from information resellers is valuable to a number of agency 
functions, it's very important. But the balance then is that we 
have to do this within the context of personal privacy and with 
the laws and the guidance that we have now.
    I just want to speak for a minute to that footnote. The 
footnote, we love to be very exacting. And in all cases we knew 
that information from--you know, services from LexisNexis, for 
example, are procured sort of in bulk. And so it wasn't--we 
weren't able--we were mostly able to sever the legal services 
sorts of things from the purchase of personal information. But 
there were a few places where we thought, well, there might be 
a small amount of that still in there. But I mean, generally 
speaking, I think we were able to put things in separate 
buckets. But we wanted to make the reader aware it's not down 
to the dollar, probably. So I think that this is general--you 
know, generally a good number.
    But, again, that's what this is about, it is about balance. 
And I think that the PIA requirement, you know, is a very 
valuable way for agencies to think through how they're going to 
use information before they collect it, before they invest in 
information technology, and to look at the reason for 
collecting this information, any privacy risks that might 
present themselves and then come up with specific mitigation 
strategies. And this is a way of ensuring that we've done the 
right things in terms of privacy.
    Mr. Turner. Would you like to comment?
    Ms. Evans. Well, following off of your example, so looking 
at our guidance, we feel that the example that you gave, like 
LexisNexis, or looking at data for one-time use and querying 
into a system, is already covered. And so, you know, that would 
not necessarily require us to do or require, like LexisNexis, 
to do a privacy impact assessment. I believe the distinction 
that we are making, which GAO may agree or may not agree upon, 
is when we bring that data into a Federal system and we then 
start merging it in with other things that we are doing. That 
is where our guidance says where you're using it on a recurring 
basis, where it's more than just a one-time inquiry, like going 
into a library and looking at something, then you have to do 
the full privacy impact assessment. And that's where we are 
drawing the line with the commercial resellers, because you are 
bringing that information in, you're using it and you need to 
let the public know how you are using the information and where 
the source is coming from.
    So in your example, we think our guidance allows for you to 
still go to the library. It's when you start taking the 
information from the library and bringing it back into your 
agency and using it on a recurring basis that you need to 
disclose to the public how you're doing that.
    Mr. Turner. I appreciate that, because that really is the 
other distinction, I'm looking to your No. 1 footnote. When you 
described what it is that we are talking about here for this 
type of information, you include things such as an individual's 
name, their date, place of birth, mother's maiden name, 
biometric records. You go on to talk about employment. And some 
of those things--excluding biometric information, obviously--
are things that are available in the daily newspaper that may 
have been reported.
    Ms. Evans. Right.
    Mr. Turner. And we don't want our use, even commercial use 
of what would be in fact the evolution of our library, to also 
then be the same as data collection on the Federal Government.
    Ms. Evans. Right.
    Mr. Turner. And how do we do one without inhibiting what 
has become--what we have all become now used to as our sense of 
what a library is. Mr. Teufel.
    Mr. Teufel. Sure. I'm a nonpracticing lawyer as well, and 
it's a wonderful thing. You know, no billable hours for one 
thing.
    So what caught my eye as I went--as I was reading the 
legislation was--were the definitions. And I'm not sure that--
the definition seemed to be broad and would include the uses of 
Lexis and Westlaw or Nexis. I think maybe there's a provision 
in the definitions that talks about news, news clippings 
services, or news reporting services. But when I think about 
Lexis and Nexis and Westlaw, I'm not necessarily thinking about 
the data bases of driver's license records, marriages and 
divorces. I'm thinking about--I need to look up a GSBCA ruling 
or a Federal circuit ruling or a 10th Circuit ruling, or other 
things that are more of the types of things that lawyers tend 
to look at, than my concern was this definition within the 
legislation so broad as to encompass those lawyer-types of 
uses. So that was a concern that came to my eye as I read the 
legislation.
    Mr. Turner. Thank you. Mr. Chairman.
    Mr. Clay. Thank you, Mr. Turner.
    Ms. Evans, the April 2006 GAO report contained 
recommendations to OMB to clarify its guidance on the use of 
commercial data, yet nearly 2 years have passed and OMB has not 
taken steps to address its recommendations. Why hasn't OMB 
acted on this issue? And can we expect to see new guidance? And 
if so, when?
    Ms. Evans. Well, actually, we feel that we've taken the 
steps based on the actions that were identified by the 
President's Identity Theft Task Force, so we have issued 
additional guidance. We've also taken additional steps and 
asked the inspectors general to review the quality associated 
with Privacy Impact Assessments because we feel that's a very 
holistic approach in how the agencies look at it. We didn't 
issue guidance specifically for data commercial resellers 
because we were really looking at the program holistically.
    But every year as we send the guidance out--the draft 
guidance which will come out again this spring, and we are 
adding new requirements in for privacy--we also solicit GAO's 
comments before it becomes final. So if they feel that the 
actions that we've taken to date since the time that they've 
issued that report, how we've improved, I believe, the quality 
and have the measures and have the IG looking at the privacy 
aspects of the programs, we can work with GAO to issue any 
further guidance if necessary at this point.
    Mr. Clay. Ms. Koontz, any response?
    Ms. Koontz. I think what we've found in our work, that 
OMB's guidance says that agencies are to do a PIA if they 
systematically incorporate commercial data into existing data 
bases. The same guidance says if you merely query the data 
base, the reseller's data base, then that does not trigger the 
PIA requirement. And I think that our feeling was that there 
was a lot of room between systematic incorporation and merely 
querying a data base and that OMB's guidance can't go further 
to say, well, what does systematic incorporation mean? And when 
we went to agencies, they said, well, most of what we do is of 
the querying nature but sometimes we keep the queries, 
sometimes we keep the information. And that's somewhere in 
between, and we wanted more clarity around when--when agencies 
should do PIAs. And I think we were particularly concerned 
about the instance where the information was safe in that 
agency.
    Mr. Clay. Yes, sir.
    Mr. Teufel. Well, I would refer the committee to our PIA 
guidance. And we asked the questions, how are you using the 
information? Are you keeping it or not? And when we have our 
conversations with programmatic personnel, we talk about these 
sorts of things. And so we--I mean, the big issue is the ad hoc 
or one-time querying use versus the systematic use and that 
necessarily entails judgment. We think we do a very good job in 
exercising judgment and discretion, and certainly with our 
authorities to conduct Privacy Impact Assessments, some may 
feel that sometimes we do more PIAs than are necessary. But we 
think that's an important thing because PIAs are part of the 
transparency process, letting the public know what it is that 
the Department's doing. So in an ideal world, there is trust 
and confidence in what the Department is doing, but also so 
that the public is informed, can make informed decisions and 
advise its elected representatives of where it wants government 
to go.
    Mr. Clay. Thank you.
    Ms. Evans, OMB's PIA guidance from 2003 requires a PIA to 
be performed when an agency systematically incorporates 
information into its system; but merely pinging or 
querying a data base does not require a PIA. Given the 
systematic use of this information by the Federal Government, 
why is this distinction necessary? Isn't the government using 
this information to inform decisionmaking?
    Ms. Evans. Well, and I think--well, the short answer is 
yes, you are using the information to inform decisions. But the 
example--I mean one example that I would give is, I also go out 
and do Google, and I Google information, and it comes up about 
a whole bunch of different things. But I don't incorporate the 
results of the Google search into a Federal information system.
    We are making a distinction between the systems that the 
Federal Government manages, the information we manage, versus 
just a general type of query. The point, though, that GAO has 
made--and we could go back and look at this--and that my 
colleague Hugo has also made, is that it may not necessarily be 
a change to the guidance or the policy because the framework 
exists to allow flexibility for each agency head and how they 
use the information. But it might be more of a sharing of best 
practices.
    Now, we do have a committee that we formalized off of the 
CIO Council that specifically deals with privacy practices. So 
some of the activities that DHS does and some of the other 
activities that the agencies do could help level the playing 
field across the board and share these best practices so that 
agencies then incorporate them into their existing ways that 
they then do their PIAs.
    Mr. Clay. Thank you.
    Ms. Koontz, in its 2006 report, GAO identified instances in 
which the use of reseller information was either not identified 
in Federal Register notices or was identified only in vague 
terms.
    In your opinion, why haven't agencies been identifying 
commercial resellers as a source of personal information?
    Ms. Koontz. We thought that both the OMB guidance and the 
agency guidance were not clear on this particular point. And it 
may be simply that the guidance predates--substantial use of 
personal information obtained from resellers. And it's a case 
of perhaps the guidance needs to catch up with what the current 
practice is.
    Mr. Clay. OK. And Mr. Teufel, the information contained in 
the 2006 GAO report on this subject is based on fiscal year 
2005 contracts with information sellers. Can you tell us what 
the value of DHS's contracts with the information resellers was 
for years--fiscal years 2006 and 2007?
    Mr. Teufel. I'm sorry, sir. I don't have that information 
available but I would be happy to get back to the committee 
with that information.
    Mr. Clay. OK. And you'll provide the committee with that?
    Mr. Teufel. I'll do my best, sir.
    [The information referred to follows:]

    [GRAPHIC] [TIFF OMITTED] T6195.044
    
    [GRAPHIC] [TIFF OMITTED] T6195.045
    
    [GRAPHIC] [TIFF OMITTED] T6195.046
    
    [GRAPHIC] [TIFF OMITTED] T6195.047
    
    Mr. Clay. OK. Is it fair to say that the 2006 GAO report 
still accurately characterizes DHS's use of information 
reseller data? Have there been significant privacy improvements 
made that we should know about?
    Mr. Teufel. Well, sir, I think other than the numbers being 
different, I think the report probably does a pretty good job 
of describing things at the Department. That commercial 
information is used by--I'm guessing all, I'm trying to recall 
now--almost all, if not all, of the seven operational 
components and some of the Department-Level components.
    We've been doing a pretty good job of privacy. And since 
that report came out, we've made some improvements in how we do 
privacy. We are updating the legacy agency system of records 
notices. We've added to our Privacy Impact Assessment Guidance 
on how the Department handles commercial information. So 
we've made improvements. We were doing a good job before. We 
are doing a better job today.
    Mr. Clay. Mr. Turner, you are recognized.
    Mr. Turner. Another issue that I'd like you to address that 
we should be concerned about is there are things that we do 
want our government to know. Whenever anything of significance 
happens, one of the first questions that you always hear from 
any reporter is, why didn't the government know? The government 
is expected to have knowledge of basic current events that we 
are all aware of, and then some information that might lead to 
issues of threat.
    Certainly issues that are publicly available that might 
pose--information from which decisionmaking should occur. How 
do we balance making certain that we don't inhibit or 
discourage the data brokers or resellers from doing business or 
providing information to the Federal Government?
    Ms. Koontz. I think if we talk about the kinds of 
recommendations that we made in our report, which were for 
Federal agencies to be very specific and forthright in 
notifying the public about their use of commercial data and 
also our suggestion that OMB clarify the guidance so we know 
when PIAs are required; admittedly, I think we have a sense 
that we would like to see PIAs done more frequently and for 
agencies to think through the use of this information before 
they acquire it from virtually any source. But--and I 
think that none of these sorts of things that are intended for 
privacy would inhibit resellers from doing business with the 
government or providing the information that they provide now.
    Even the bill that we are looking at today doesn't place 
any new obligations on resellers. It says it's--instead it 
asks--asks the Federal Government, as it is obligated to, to 
think through very carefully how they're going to use this 
information, and how they're going to protect it also. So I 
don't see it as an inhibiting factor.
    Mr. Turner. Any other thoughts?
    Ms. Evans. First and foremost, I'd like to clarify one 
thing. I think just because we haven't issued an updated policy 
doesn't mean that we are focusing on the use of the information 
and how the agencies do Privacy Impact Assessments. I would say 
that the administration has really stepped up its efforts in 
this area as we continue with the implementation of the E-Gov 
Act and as we've built out on the foundation of what a Privacy 
Impact Assessment is supposed to be.
    So we have issued subsequent guidance to the agencies 
dealing with privacy information, how they collect information, 
what their systems are doing and for them to go back and look 
at it. We follow up on this on a quarterly basis through the 
President's management agenda. So we track what the agencies 
are doing, what they said they're doing, how they're using the 
information. And we track the number of Privacy Impact 
Assessments, Systems of Records Notices, what they say 
they're going to do, how you match that against everything that 
they're doing.
    So we have issued guidance in the bigger, broader aspect of 
information protection, information security and privacy. Not 
to this specific issue of commercial resellers, because we 
think that they need to look at this in a holistic way of how 
they're doing everything, not just necessarily narrowly focused 
on the use of commercial resellers.
    I don't think that what we are doing when you bring the 
information into the Federal Government would prohibit data 
brokers from working with the Federal Government. But I do 
agree with GAO that the agencies need to be very transparent 
about how we are using information to make sure that the public 
has the ability to comment on that.
    Mr. Teufel. Rigorous application of the fair information 
practice principles.
    Mr. Turner. One question that personally triggered me, you 
were talking about Google. And there's been some discussion on 
systematic use versus pinging. I have a question for you; this 
is for my own personal information. How do those distinctions 
fall within--I understand one computer doing 100 searches on 
the same thing. But what if 100 computers are doing the 
searches on the same thing? How does that get balanced?
    Like I'll give you an example. I won't use the Mayflower 
Hotel as an example. But we have a satellite that is coming 
into orbit and we are going to hit it down with an Aegis 
system. I'm assuming that there are a number of computers, as 
that current event was happening, was doing an inquiry similar 
on public records and information for that. So you have a 
number of computers all focused on the same current event that 
has happened versus one computer that is trying to determine as 
much information about a narrow topic.
    How does that affect you? You have a number of agencies 
perhaps with the same needs for the same information. How does 
that affect the analysis? The distinction between systematic 
and pinging?
    Ms. Evans. OK. So I'm going to try and not get real 
technical here. But let's focus on the agency and the use of 
the agency. And this is one of the reasons why we always talk 
about trying to keep things technology-neutral, just based on 
the example that you gave.
    I think the distinction here in GAO, Ms. Koontz has laid 
this out, is it's one thing when 1 agency or 100 agencies go 
and ask a question. It's what you do with the results of that 
question. And if you store that result back into a Federal 
information system is when all of these triggers then happen.
    If I go out and I look at that satellite, but I don't do 
anything with the information, it's for informational purposes 
and I'm looking, it doesn't matter whether 1 person did it or 
100 people did it. It makes a difference if one person, like, 
searches on you, and then I take that information in and now I 
store it in a Federal system and I start using it in 
conjunction with other information I have. That's when it's 
important for the Federal agency to say how they're using the 
information, what they're storing and how they're retrieving 
it. That's the Privacy Act implications of when you do the 
Systems of Records Notice, and then that is the PIA piece, 
Privacy Impact Assessment.
    Do you want to add anything?
    Ms. Koontz. I'll just add that there is definitely an issue 
here about whether we make decisions on the basis of storing 
information or we make decisions based on how we use 
information. And I think that it would be fair to say that the 
PIA guidance right now is more based on the storage model; that 
if we are going to bring it in and systematically incorporate--
although I would say I'm not sure what systematically 
incorporate means versus incorporate versus somehow keep the 
information--but the point is that even if I ping a data 
base and I--I have existing data and I confirm that an address 
I have is--I think that's now the correct address because I 
have--I have corroborating information now. I am using that 
information despite the fact I'm not, quote, bringing it in or 
incorporating it into any kind of data base, but I'm using that 
as part of my decisionmaking ability. And I think that's one of 
the things that we need to look at going forward, concerning 
how we approach the use of reseller information from the 
Federal Government.
    Mr. Teufel. Well, when we mentioned satellite, I thought we 
were going to be talking about another DHS program. But we are 
not. It's use. I mean, it's all about use. Your example sounded 
more like situational awareness with the hundred computers as 
opposed to information that was mission-essential for the 
conduct of the operation of that particular agency's use.
    Mr. Turner. Your descriptions have been very helpful. Thank 
you, Mr. Chairman.
    Mr. Clay. This is a panel-wide question. Should information 
resellers that are governed under the Fair Credit Reporting Act 
and Gramm-Leach-Bliley Act be exempted from requirements in the 
proposed Federal Agency Data Protection Act? Why or why not? 
We'll start with Ms. Evans.
    Ms. Evans. Those particular acts are covered by the FTC and 
how they use that. I would not feel that it would be 
appropriate for me to answer that question right now. What I 
would rather do is take it for the record and be able to go 
back and discuss it more specifically with the FTC on that.
    Mr. Clay. Yes. That's right. Thank you, Ms. Evans. Ms. 
Koontz.
    Ms. Koontz. We do not think it's appropriate to exempt any 
data source, any specific data source, from the proposed 
provisions of the bill if it passes. Our feeling is that what 
this does is to bring the treatment of reseller information--
the requirements into line with how we treat other information 
sources as well.
    I also would question to some extent what the basis or the 
rationale would be for exempting--making exemption for Federal 
agencies not to do PIAs because resellers are covered by the 
two laws that you mentioned. These two laws do place 
restrictions on resellers' use and collection and disclosure of 
certain kinds of consumer and financial information. But I 
don't--you know, despite these requirements, I wouldn't think 
that would mean that we would be any less interested in having 
Federal agencies critically think through their use of 
commercial data.
    Mr. Clay. Thank you for that response.
    Mr. Teufel.
    Mr. Teufel. I'm with Karen. I'm very hesitant to answer the 
question without the benefit of guidance from FTC.
    Mr. Clay. OK. Let me start with you. Shouldn't we also be 
looking to add greater privacy safeguards with personal 
information that is shared with us by all nongovernmental 
sources such as employers, contractors, banks, etc.?
    Mr. Teufel. Well, sir, I think at DHS we do that.
    Mr. Clay. You do it now?
    Mr. Teufel. Certainly there's always room for improvement. 
But I think at DHS, as I'm thinking through the various 
programs at the Department and how we handle that with our PIA 
process, our SORN process and other things that we have in 
place, I think we do a pretty good job of protecting the 
privacy of individuals when we've obtained that information 
from non-Federal sources.
    Mr. Clay. Ms. Koontz, how about adding greater privacy?
    Ms. Koontz. I think that there's a recognition that we need 
to protect personally identifiable information regardless of 
source. There are a number of laws, of course, that seek to do 
just that, and we haven't evaluated the efficacy of all those 
requirements. But I do think that it's important for the 
Federal Government to pay particular attention to personal 
information that's obtained from third-party resources--third-
party sources, rather than from the individual themselves.
    Mr. Clay. Thank you. Ms. Evans, any comment?
    Ms. Evans. The President's Identity Theft Task Force did 
look at both the Federal Government as well as private 
industry. There were several recommendations that were made by 
the task force. My office was responsible for the Federal 
Government portion of implementing those recommendations. That 
group is chaired by the FTC and the Department of Justice and 
we are going to be issuing an update this spring, which I 
believe is next month, April, to where exactly we are in the 
progress that we've made on all the recommendations. So as soon 
as that report is out, I'd be happy to share that with the 
committee so that you can see, because it's full encompassing, 
private sector as well as public sector.
    Mr. Clay. Very good. We are very interested in seeing that. 
And let me thank this entire panel for your responses and your 
expert testimony. Panel one is dismissed. Thank you.
    Mr. Teufel. Thank you.
    Ms. Evans. Thank you.
    Mr. Clay. The committee will recess for 15 minutes and 
we'll return with panel two when we come back.
    [Recess.]
    Mr. Clay. We will now have our second panel.
    And that panel will include Mr. Ari Schwartz, who is the 
vice president and chief operating officer of the Center for 
Democracy and Technology. This work focuses on increasing 
individual control over personal and public information by 
promoting privacy protection in the digital age and expanding 
access to Government information via the Internet.
    Welcome, Mr. Schwartz.
    We also have on the panel Mr. Stuart Pratt, who is the CEO 
of the Consumer Data Industry Association, an international 
trade association representing the consumer information 
industry. Prior to his current position, Mr. Pratt served as 
the association's vice president of government relations. He is 
a well-known expert on the Fair Credit Reporting Act, identity 
fraud, and the issues of consumer data and public record data 
issues.
    Thank you for being here, Mr. Pratt.
    And our third witness, Ms. Paula Bruening, is deputy 
executive director of the Center for Information Policy 
Leadership at Hunton & Williams. At the center, she focuses on 
global, cyber privacy issues, as well as a frequent author and 
lecturer on information policy issues throughout the United 
States and Europe.
    And welcome.
    And I welcome you all.
    It is the policy of the subcommittee to swear in all 
witnesses before they testify. At this time, I would ask that 
you all stand and raise your right hand.
    [Witnesses sworn.]
    Mr. Clay. Let the record reflect that all the witnesses 
answered in the affirmative.
    I would ask that each witness now give an oral summary of 
his or her testimony, and to keep this summary under 5 minutes 
in duration. Bear in mind your complete written statement will 
be included in the hearing record.
    Mr. Schwartz, we will begin with you.

    STATEMENTS OF ARI SCHWARTZ, DEPUTY DIRECTOR, CENTER FOR 
  DEMOCRACY AND TECHNOLOGY; STUART PRATT, PRESIDENT, CONSUMER 
   DATA INDUSTRY ASSOCIATION; AND PAULA J. BRUENING, DEPUTY 
       DIRECTOR, CENTER FOR INFORMATION POLICY LEADERSHIP

                   STATEMENT OF ARI SCHWARTZ

    Mr. Schwartz. Chairman Clay, thank you for holding a public 
hearing on this important privacy issue and for inviting me to 
participate.
    Government's use of personal information is key to the 
functioning of many of its most essential programs, from 
determining eligibility for benefits to supporting law 
enforcement investigations. As the information economy grows, 
more personal information is being provided from commercial 
data brokers, who aggregate and categorize this information for 
a wide range of purposes to the private and Government sectors 
alike.
    As with any organization, Government agencies must take the 
management responsibility to ensure that their partners and 
employees are meeting standards of care and use of that 
information. In this case, there are many concerns that come 
from the use of personal data. Creating guidelines is a 
sensible and needed approach. Simply put, Congress should 
ensure that Americans do not lose privacy, security and quality 
protections that are already a part of law and policy only 
because a Government agency is using a private-sector data 
partner rather than to have the agency collect it themselves.
    The chairman's bill, H.R. 4791, would move the agencies in 
the right direction by requiring agencies to make important 
management considerations, by requiring the vetting of 
commercial partners through the privacy impact assessment [PIA] 
process. The PIA requirement, which passed as part of the E-
Government Act, was designed to provide greater transparency to 
how the Government collects and uses personal information. Over 
the past 6 years, PIAs have become an essential tool to help 
protect privacy. Mr. Teufel, on the previous panel, called them 
one of the three pillars of U.S. Government privacy 
policy.
    However, as evidenced by OMB's FISMA report to Congress 
last month, the Federal Government has unevenly implemented the 
PIA process across agencies. The guidance issued pursuant to 
the act with respect to PIAs was vague and has simply not 
provided the agencies with the tools they need to successfully 
implement the PIA process unless they already had privacy 
experts on staff.
    While some agencies, like the Department of Homeland 
Security, have set high quality standards for the PIAs and have 
continued to improve them over time, the lack of clear guidance 
has led some agencies, such as the State Department, to create 
cursory PIAs or others, such as the Department of Defense, to 
have none at all. We, therefore, urge Congress to also require 
that OMB create a set of best practices for PIAs while it is 
updating the PIA guidance to cover agency use of any commercial 
partner.
    Even then, the transparency provided by the PIA process 
must not be viewed as a full solution for privacy. Congress 
must begin to address more fundamental privacy issues within 
Government agencies to ensure the trust of the American people. 
This should begin with a review of the Privacy Act of 1974.
    In 2000, the full committee passed a bill, sponsored by 
Ranking Member Davis and Representative Moran, to create a 
commission that would study the state of the Privacy Act and 
recommend updates to the law. The record shows that, even 8 
years ago, it was clear that this important law, the most 
direct legal protections that citizens have over the Federal 
Government's regular use of information, was beginning to 
erode due to unforeseen advances in technology. We hope that 
the committee will once again take up a review of the Privacy 
Act to help protect the privacy of Americans into the future.
    We look forward to working with this subcommittee to help 
address these critical privacy issues in more detail in the 
near future, and we thank you for your leadership on this 
important issue. I look forward to your questions.
    [The prepared statement of Mr. Schwartz follows:]

    [GRAPHIC] [TIFF OMITTED] T6195.048
    
    [GRAPHIC] [TIFF OMITTED] T6195.049
    
    [GRAPHIC] [TIFF OMITTED] T6195.050
    
    [GRAPHIC] [TIFF OMITTED] T6195.051
    
    [GRAPHIC] [TIFF OMITTED] T6195.052
    
    [GRAPHIC] [TIFF OMITTED] T6195.053
    
    [GRAPHIC] [TIFF OMITTED] T6195.054
    
    [GRAPHIC] [TIFF OMITTED] T6195.055
    
    [GRAPHIC] [TIFF OMITTED] T6195.056
    
    [GRAPHIC] [TIFF OMITTED] T6195.057
    
    [GRAPHIC] [TIFF OMITTED] T6195.058
    
    Mr. Clay. Thank you so much, Mr. Schwartz.
    Mr. Pratt, you are recognized for 5 minutes.

                   STATEMENT OF STUART PRATT

    Mr. Pratt. Thank you, Mr. Chairman, for this opportunity to 
appear before you today.
    Government's use of CDIA member products brings value to 
citizens individually and to Government, which works on their 
behalf. This is an important context, I think, for the 
committee as it considers H.R. 4791. Let me just share a couple 
of examples of how products are used and, really, the logic 
behind these.
    Our members provide products which help Government agencies 
to enforce child support enforcement orders, to locate missing 
and exploited children, to prevent entitlement fraud, to 
provide background screening for employment and security 
clearances, to assist with various natural disasters, and also 
with witness location and with various law enforcement 
investigations.
    Equally important, I think, to the context of our 
discussion today is the fact that these many products that I've 
just described are heavily regulated under a range of current 
Federal laws. And these laws affect both the public and the 
private sector. Two laws that are particularly important, I 
think, for today are the Fair Credit Reporting Act and the 
Gramm-Leach-Bliley Act, which have already been mentioned in 
the first panel.
    H.R. 4791 proposes to improve Government's effort to 
protect personal information and to ensure that citizens are 
notified when personal information is lost. Actually, both of 
these goals make a lot of sense for us. Our members live under 
data security requirements today. Our members live under breach 
notification requirements today. And so, having those apply to 
the Government in the same way that they would apply to the 
private sector makes all the sense in the world.
    Our written comments provide some thoughts on how you might 
tailor those provisions just a little bit to make sure that 
they are very effective. But, overall, those are good ideas.
    The bill also proposes privacy impact assessments and 
certain contractual requirements where the Government obtains 
data from an entity, termed a ``data broker.'' And this is 
really some new territory that is being built within this 
proposal. And we understand the importance of this focus on 
governmental uses to ensure there is a trust between Government 
and its citizens. And that really goes all the way back to the 
Privacy Act.
    In this case, though, it seems to us perhaps the question 
is where the data is regulated, or where the data is not 
regulated--in other words, where is the trust, and how do 
consumers feel about their personal information being used by 
Government.
    In the case of our members' products, the bridge of trust 
already exists through existing laws. And it is for this reason 
that we urge the committee to exclude from the definition of 
``data broker'' entities that are subject to the Gramm-Leach-
Bliley Act privacy rules, consumer reporting agencies regulated 
under the Fair Credit Reporting Act, and publicly available 
data sources provided by the private sector.
    And our reasons for this are several. For example, the 
contract requirements in this proposal stipulate that a 
Government agency must obtain data from a data broker, and they 
appear to assume that data is unregulated. Further, the 
contract would, for example, impose an accuracy requirement on 
a consumer reporting agency which already has an accuracy 
requirement under the Fair Credit Reporting Act.
    So, Mr. Chairman, here, perhaps, it's just an alignment 
question. You already have a Federal law. The Government is 
going to purchase data that's already under an accuracy 
standard. And then the question is, how would the contractual 
accuracy standard interplay with the standard of law that's 
already provided for under the Fair Credit Reporting Act?
    The contractual provisions also would impose, more or less, 
a one-size-fits-all approach to the concept of--well, let me 
just back up here--would also provide a one-size-fits-all 
approach to location tools. And a location tool is a tool that's 
used to 
try to find a noncustodial parent to enforce a child support 
enforcement order. That's not really an accuracy tool or a tool 
based on accuracy, but it's a way to try to locate that 
individual and to get them to pay what they owe in delinquent 
child support. So, again, here maybe the one-size-fits-all 
approach of the accuracy requirement might go a little outside 
of the bounds of where you might like it to be at the end of 
the day.
    The concept of a privacy impact assessment is sound, there 
is no doubt about it, and it's appropriate to Government 
processes. However, we think that requiring a PIA across the 
board may well have some adverse effects. For example, will 
Government continue to use the private-sector tools for skip 
tracing where a consumer hasn't paid his student loan if the 
PIA requirements are highly restrictive? Where the Government 
is a user, defined under the Fair Credit Reporting Act, and is 
using a consumer report for background screening, is there a 
need for a privacy impact assessment, when the Government is 
regulated under the FCRA, as is the private sector?
    So, Mr. Chairman, in conclusion, there seem to be a lot of 
good ideas in this proposal that you have put together. I think 
there may be some places where we have other good laws already 
on the books. Some of these laws come from other committees on 
which you serve, as well. And here today, we're just offering 
some thoughts on how we might be able to more effectively align 
current Federal laws with the ideas that you have in this bill.
    And, with that, I will look forward to your questions. 
Thank you.
    [The prepared statement of Mr. Pratt follows:]

    Mr. Clay. Thank you so much for your testimony.
    Ms. Bruening, you are recognized for 5 minutes.

                  STATEMENT OF PAULA BRUENING

    Ms. Bruening. Thank you, Chairman Clay, for having me here 
today. I am honored to testify about Government use of 
commercial information and H.R. 4791.
    The Center for Information Policy Leadership is a think 
tank and policy development organization located in the law firm 
of Hunton & Williams. The center and its 41 member companies 
believe that difficult information policy issues must be 
resolved in a responsible fashion if we're to fully realize the 
benefits of an information economy.
    While I've consulted with center colleagues and members, my 
comments today reflect my views and do not necessarily reflect 
the views of the center member companies, Hunton & Williams or 
any firm clients.
    The provisions of H.R. 4791 highlight the growing practice 
of Government access and use of information collected and 
retained by business and the lack of comprehensive, overarching 
legal protections for that information when such access is 
obtained.
    Without question, the information collected by companies 
can serve as a critical resource for Government in law 
enforcement, anti-terrorism efforts, fraud reduction, delivery 
of services, and administration of programs. With appropriate 
controls, Government should continue to be able to access it. 
Government should not be precluded from using valuable 
information for these important purposes, but it should do so 
under established, rigorous guidance that ensures its use is 
both effective and responsible.
    Today, the lack of legal protections related to the 
Government's use of data collected in the private sector, due 
in part to the limitations of the Privacy Act, raises serious 
risks to U.S. business and compromises opportunities for 
growth. Access to information by the Government without the 
protection of law places companies of all kinds in the position 
of acting as Government data gatherers that are unable to 
assure their customers that information they release to the 
Government will be used for specified limited purposes, that it 
will be handled properly when it is no longer useful, and that 
the consumer has redress when data is mishandled. This 
failure of governance erodes consumer confidence in the 
companies themselves, reduces trust in the information field 
commerce more generally, and compromises the growth of the 
digital marketplace.
    Moreover, because of the lack of sound guidance and 
potential for nearly unfettered access by Government to this 
information, every privacy question related to data collection 
in the private sector is shattered by the issues of 
undisciplined Government access and use of information.
    Efforts to resolve issues of consumer protection and 
privacy in new services, products, business models and 
technologies are complicated by this constant concern, making 
it more difficult to build consumer confidence that data is 
being used responsibly.
    The lack of oversight further compromises U.S. businesses' 
ability to engage with organizations and consumers 
internationally. Even as companies become more global in 
presence and reach, it has become increasingly unattractive to 
transfer data to U.S. companies because of concerns about U.S. 
Government access to information about foreign nationals that 
might occur outside the bounds of law of their home countries 
and without any real oversight in U.S. law. Lack of broad 
protection and accountability challenges businesses' ability to 
make the case that information from foreign companies and about 
foreign nationals will be managed in a trustworthy fashion, 
limiting opportunities to transfer and exchange data that can 
enable innovative business models, research and services.
    It is time to consider the myriad ways in which Government 
accesses, maintains and uses information collected throughout 
the private sector and develop an overarching governing 
structure for data use that establishes discipline and 
accountability in the practice. This inquiry must be forward-
thinking and broad in scope, as the solutions we arrive at must 
be sufficiently rigorous to promote trust and sufficiently 
flexible to adapt to as-yet-unanticipated technological and 
marketplace developments.
    Developing guidance will require a review of new and 
emerging technologies for data collection and storage and the 
trajectory of future technological development. It will be 
important to consider the legitimate needs and activities of 
Government for this data and the manner in which it is to be 
used to further legitimate Government objectives. It must 
involve development of reliable structures that establish 
accountability, oversight and protocols for Government 
collection, retention, use and disposal of data. At the same 
time, it must assure that access to data is not unduly hindered 
when it is legitimately needed.
    The goal of this inquiry must be to develop a system of 
governance that fosters data use that is both effective and 
responsible. Government entities must be required to identify 
clear objectives for data use and to understand what and how 
data will be used to accomplish those objectives. Limits must 
be set for data use and procedures established for data 
management. Citizens must have redress when data has been 
misused. Governance must include oversight, both within 
agencies and by other branches of Government, to instill 
confidence that the goals of effectiveness and responsibility 
are achieved.
    Thank you very much, and I look forward to the discussion 
this afternoon.
    [The prepared statement of Ms. Bruening follows:]

    Mr. Clay. Thank you so much for your testimony.
    Let's start with Mr. Schwartz.
    This question is similar to the one I asked Ms. Evans from 
OMB earlier. OMB's PIA guidance from 2003 requires a PIA to be 
performed when agencies systematically incorporate information 
into their system, but that merely pinging or querying a data 
base does not require a PIA.
    Given the systematic use of this information by the Federal 
Government, why is this distinction necessary? And isn't the 
Government using this information to inform decisionmaking?
    Mr. Schwartz. It's an excellent question. I think that it 
really gets to the heart of the matter about where we stand 
with PIAs today.
    I think we agree with Ms. Evans about agency flexibility, 
and there would be room for agency flexibility. But I disagree 
with her in how she was talking about that flexibility. To me, 
it doesn't matter where the information is stored; it is how 
the information is used and what it is going to be used for.
    And I can illustrate this pretty easily in some of the 
other issues by talking about that the PIA is really a 
management function of the agency, in terms of information 
policy management, which is why this----
    Mr. Clay. Why should it matter, how agencies are accessing 
the information?
    Mr. Schwartz. Well, I don't think that's what the 
distinction should be.
    Mr. Clay. OK.
    Mr. Schwartz. It should be how they are using information 
and what they are using it for.
    So an example I can give is that we've been talking about 
the use of the information, which resulted in the question of 
how do we stop misuse of information. The information that an 
agency may be pinging from a data base may be entirely accurate 
and may follow all the rules and laws that it is supposed to 
follow, but there is still the question of how that Government 
employee uses the information.
    We've had cases where a drug enforcement agent has gone and 
looked up their ex-girlfriend's record using a commercial data 
base, looked up the ex-girlfriend's boyfriend's records using a 
commercial data base. That shouldn't be allowed today, and it's 
not allowed. The question is, how do you effect those rules? 
And what the privacy officers tell me today is that the only 
tool that they have at their disposal to make sure that's in 
place is the privacy impact assessment.
    So if we're not covering this data and not looking at how 
that management goes into effect, we're going to miss those 
cases where we could have stopped misuse before it happens.
    Mr. Clay. It is a tool, and a needed tool. Is what you're 
telling me?
    Mr. Schwartz. Yes, absolutely.
    Mr. Clay. Thank you for that.
    Any comment on that?
    Mr. Pratt. If I may, let's just take a consumer reporting 
agency as one example.
    And I think that Mr. Schwartz gives a great example of 
browsing. Browsing is always something that you want to 
control, and there's some technological strategy for how you 
can control browsing. If you're using a consumer reporting 
agency data base, it is not an unregulated data base. It will 
register an inquiry showing that the Government agency accessed 
the data base. And, in fact, contracts and Federal law would 
prohibit the browsing activity.
    So I think that if Mr. Schwartz is simply saying that there 
needs to be an effective oversight mechanism within the 
Government agency to ensure that browsing doesn't occur or that 
other data security practices are effective in protecting data, 
I mean, that makes sense. I just wanted to make the distinction 
between that and the idea that the data is just sitting on a 
screen and anybody should be able to walk up or that law 
doesn't somehow constrain it.
    The same is true, by the way, for the Gramm-Leach-Bliley 
Act. If you are using a fraud-prevention tool or a locator tool, 
it is used for a certain purpose, and there is a certain 
limited amount of data that will be made available.
    So those are just two examples of where Federal laws today 
set up a regime where both the end user, in many cases by 
contract and in some cases by Federal law, is restricted in 
terms of its use of that information.
    Mr. Clay. You know, Mr. Pratt, in your testimony, you 
mention that sections 8 and 9 of H.R. 4791 are unnecessary or 
inconsistent with current law. Please define what those 
provisions are and how they would unduly burden CDIA's members.
    And if we follow your train of thought, you know, there 
would not be many teeth left in the original intent of the 
bill, and it would only be a shadow of its original self.
    Mr. Pratt. Well, we hope not, meaning I think we share the 
same goal, which is to make sure that when Government obtains 
information it understands why it is obtaining it, it 
understands the uses of that information, it understands what 
current Federal law requires or imposes.
    And so when we talk about, for example, section 8, that's 
the section which defines the data broker, and then in 
following, section 9 is the section which establishes, not just 
the PIA review, but it also talks about the contract.
    And so, again, one of our concerns is a Government agency 
imposing wrongly or imprecisely an accuracy requirement on a 
data product which isn't built to be accurate but to be a law 
enforcement research tool, or a skip tracing tool to try to 
locate, again, somebody who has not paid a student loan.
    So there seems to be just a little bit of a one-size-fits-
all in the current structure of the bill that you've proposed. 
And so, we're not suggesting there should be no teeth, but I'm 
suggesting that the FCRA has a lot of teeth with regard to 
accuracy and a lot of teeth with regard to the end user, the 
Government, and the restrictions that they must have and the 
contracts that they must sign off on, and the private liability 
and the civil enforcement powers that apply to the FCRA.
    The same is true for contracts under GLB. It's that there 
is a limited set of uses, and they contract for those uses. So 
those are not data-mining browsing data bases. Those are data 
bases used for particular----
    Mr. Clay. OK. I look forward to working with you on those 
sections.
    Mr. Pratt. Thank you, sir. We appreciate that.
    Mr. Clay. Let me also say, to follow up, how exactly are 
PIAs, which would be the responsibility of an agency to carry 
out, an undue burden for your membership? It seems to me that 
our proposed legislation places nearly all of the burden on the 
agencies obtaining the information, does it not?
    Mr. Pratt. It does. Our concern is that--and I think I 
heard this at least implied in some of the previous panel's 
discussion--it is a resource question, first of all. Saying we 
will require PIAs across the board almost on a product-specific 
basis would require individuals with the right core 
competencies to be able to do that well. So there is a training 
issue. And there's an appropriations resource question, just 
how many new FTEs we have to hire on a Government agency basis.
    So at the beginning of the dialog was, first, have we 
staffed properly each governmental agency to have the right 
core competency around data management? And then you move to 
the question of, well, how then do we use data under the Fair 
Credit Reporting Act? That may be a different flow.
    But, for now, our concern is that what we are going to find is 
that some agencies say, ``Well, we just won't clean up our 
internal data base. We just can't use the private sector 
anymore. We don't have anybody who can do this PIA this year, 
so we just simply won't use private sector. We'll just be less 
effective in doing what it is that we're required to do by a 
Federal law.''
    Mr. Clay. OK, then.
    Please explain the information reseller industry's position 
regarding the appropriate use of information in public records 
that is not specifically restricted by law. Given that 
resellers aggregate information from multiple sources, 
including public record, and make it more readily available 
than paper records located in places such as courthouses, 
shouldn't resellers be responsible for protecting the privacy 
of the individuals involved?
    Mr. Pratt. That is a great question. It's actually one 
of the tough societal questions we're wrestling with right now.
    A couple of things. First of all, and it was mentioned in 
the first panel, a Google search. In Maryland today, for 
example, I can go to my courthouse and I can go online and 
actually find my deed. And on my deed is a certain amount of 
personal information. I would say, over the last 10 years, 
though, the State government and local government agencies that 
are storing a great deal of information have been removing 
sensitive personal information, making those kinds of documents 
less prone to contributing to the risk of identity theft, for 
example.
    But the key here is, this is all publicly available. And 
it's not actually in paper records, in many cases. Now it's an 
online process. Most of the court systems have online systems 
available. In fact, State laws often require online systems to 
be available to fulfill their mission.
    So between Google searches and your ability to go to 
certain Web sites where you can just simply pick up the URL and 
click through to the public record, that data is out there 
today and it is publicly available information. So our view is 
that a data reseller that has publicly available information is 
in no different position than the courthouse itself with regard 
to the same information.
    Do we want a Social Security number--this is a different 
question--do we want a Social Security number in a deed for a 
home? Our members' answer is no.
    Mr. Clay. No.
    Mr. Pratt. In other words, we are working with State 
governments right now to try to pull back data where it is not 
appropriately or necessarily part of a public record.
    Mr. Clay. OK. But now, Mr. Pratt, here is what GAO has told 
us, is that information resellers generally allow individuals 
limited ability to access and correct their personal 
information.
    Mr. Pratt. That's a great point.
    Mr. Clay. So how do we square with that?
    Mr. Pratt. Well, again, this would be a general data base, 
not an FCRA-regulated data base. If it is built for Fair Credit 
Reporting Act purposes, you have the right to correct the 
information.
    One of the big challenges is, if you don't correct the 
information at the courthouse level, then the same data can be 
gathered by another company, subsequently, under general public 
record and Freedom of Information Act laws today.
    So it isn't so much that we don't want to correct the 
record, but we want to make sure if a record is going to be 
corrected it is not just artificially corrected in a single 
private-sector data base, but that the consumer goes to the 
right original source, so that it's corrected in the 
courthouse, so every data base that might have that public 
record is going to reflect the correct information.
    Mr. Clay. And the court clerk has a responsibility then to 
redact or to block out?
    Mr. Pratt. The court should. I mean, candidly, one of the 
challenges is for courts to make sure that they have a way for 
consumers to correct their information.
    By the way, not every court does today. That's one of the 
challenges we have in the public record discussion that we've 
had in this country for some time. I, as an individual, may not 
easily get the attention of a court to correct information, or 
it may take a longer period of time than we would like. We 
think we're getting closer to solutions, but that is a problem 
we're still facing.
    Mr. Clay. Thank you for your response.
    Let me go to Ms. Bruening.
    An important thing in the testimony seems to be that 
information collected by the Government from all sources, not 
just data brokers, is inadequately protected or safeguarded. 
Please explain the reasons why you believe this is so. For 
example, is it due to an outdated Government privacy act or an 
effect of private-sector regulations?
    Ms. Bruening. Well, first, Mr. Chairman, I think it is 
important to emphasize that data is being collected from all 
kinds of private-sector sources, not just data resellers. Our 
ISPs are being asked for information, retailers are asked for 
information, our telecommunication services. So this practice 
goes on throughout the private sector.
    The other point I think that's important to be made is that 
the Federal Privacy Act was passed in 1974 at a time during 
mainframe computing, and it certainly has not anticipated where 
we are today. It probably didn't even anticipate a couple of 
different jumps we've made since 1974 in terms of computing.
    We're now in an age of cloud computing. We're collecting 
data in all kinds of different ways, through different kinds of 
technologies. In some cases, the Government may access that 
information and bring it into its own systems of records. In 
other cases, it doesn't. It merely pings data bases or obtains 
information from data bases, never bringing it into Government.
    So the definitions in the Privacy Act are challenged by 
this new kind of technology and these new kinds of data uses. 
And so, given that, we're left with very little protection for 
the kinds of information access that the Government is using in 
the private sector.
    Mr. Clay. You know, you also cite the lack of a cohesive or 
modernized definition of what is a system of records, in your 
testimony. How is current law limited in its definition of what 
constitutes a system of record? Do you have recommendations on 
how to improve the current definition?
    Ms. Bruening. Well, as I mentioned, the way that 
information is maintained and stored today is very different 
from the traditional ways we've thought about that, in terms of 
data bases, and therefore the way we access it is very different.
    In the past, we thought about systems of records as the 
ability to search for information on the basis of an identifier 
or a person's name. In many cases, that's not how Government 
uses information anymore. And, you know, data mining is the 
prime example. There are other analytics tools that have very 
creative ways of using information about individuals that would 
not involve a system of records as it is defined in the Privacy 
Act.
    I don't have the recommendation for how to fix it. I think 
this is a big question. It's one that would require a lot of 
serious thinking on the part of people in a range of areas, 
whether it's technology, the law, people who are involved in 
data management, security people. So I don't have the answer, 
but it is a question I think that requires some very serious 
attention, because it is raising some significant concerns for 
the business community, as I'm sure it is elsewhere.
    Mr. Clay. Please explain for us how ineffective protections 
for personal data negatively impact business. Is it because of 
legal liability or an issue of consumer trustworthiness in 
modern technology? Do ineffective privacy safeguards have a 
tangible impact on electronic commerce or online banking 
activities?
    Ms. Bruening. Well, I think one of the prime examples in 
the area of, sort of, our ability as American business to 
engage with companies outside of the United States is an action 
that was recently taken by the province of British Columbia in 
Canada, which limited the ability of Canadian companies in 
British Columbia to outsource data for processing in the United 
States. And that action was taken on the basis of concerns 
about the perceived lack of protection for information that is 
potentially accessed by Government.
    And what that does is create inefficiencies in business, 
and it puts businesses at a competitive disadvantage. I think 
it also does impact the relationship of companies with their 
consumers. I think that responsible companies put a lot of time 
and effort into addressing the privacy concerns that are raised 
by some of their new business models and the new technologies 
that they deploy.
    But what happens is, in attempting to address those 
questions, what we've come to call the elephant in the room--
although, I guess in a political year that's not the best term, 
but we will call it the rhinoceros in the room--tends to be, no 
matter what we do to protect privacy, this data is accessible 
by Government, and where does that leave us in our relationship 
with consumers. And so, that is of very serious concern on the 
part of companies.
    Mr. Clay. Thank you for your response.
    Let me start--yes, sir, Mr. Schwartz?
    Mr. Schwartz. I want to follow up on something that Ms. 
Bruening said that I agree with, in terms of her comments on a 
definition of systems of records. And you heard Ms. Evans on 
the last panel talk about, in terms of, in the case of 
commercial resellers, information being systematically 
incorporated. And one of the things she said then was, if it is 
turned into a part of a system of records. Right?
    And so, this shows both the weakness of the Privacy Act in 
that there are fewer and fewer data bases that are qualifying 
as Privacy Act system of records today because of the decay 
that Ms. Bruening talked about in technology, being able to 
search out information without necessarily searching on an 
identifier or a name.
    So we have a lot more information that is being brought 
into the Government that may not necessarily be in a system of 
records. And I think Ms. Koontz was getting at that in the last 
panel, too. It is hard to figure out what ``systematically 
incorporated'' means today, with this definition of system of 
records that we have. And because OMB has not defined that 
better, you have a lot of confusion at agencies about that. You 
have agencies with a lot of different standards.
    Mr. Clay. This is a series of questions for the entire 
panel. Let's start with Mr. Schwartz and move down. This is a 
yes-or-no question.
    Is it considered a best practice today for large 
organizations to conduct a privacy impact assessment when 
purchasing or subscribing to a service that could have a major 
impact on the privacy of its customers or citizens?
    Mr. Schwartz. Yes.
    Mr. Clay. Mr. Pratt? And you can elaborate, if you'd like.
    Mr. Pratt. Is it a yes-or-no?
    Mr. Clay. You can elaborate.
    Mr. Pratt. Every private-sector company that's going to 
obtain data is going to do several things. They are going to 
say, is it sensitive personal information under a State data 
breach law, so do I have to protect it in a certain way? Is it 
regulated under the Fair Credit Reporting Act? Does the 
contract, if I'm contracting with an entity, put certain 
restraints on what I must do?
    So I suppose, in essence, that is a privacy assessment. Am 
I going to secure it because it is sensitive personal 
information? Is it a consumer report, so then do I have 
additional responsibilities such as properly disposing of it, 
limiting access to it and so on?
    So, in that sense, yes, I think private-sector laws 
regulating entities all across this country are, in fact, 
conducting privacy assessments with regard to sensitive 
personal information of all types, many of which are 
represented by the members of the CDIA.
    Mr. Clay. OK.
    Ms. Bruening.
    Ms. Bruening. Yes, privacy impact assessments are a best 
practice. They serve a very important role.
    The concern is, however, that within Government it isn't 
enough to simply conduct a privacy impact assessment; that 
there needs to be oversight both within an agency and from 
other branches of Government so that you can get the kind of 
accountability and responsibility in that use that you need.
    Mr. Clay. Mr. Schwartz, should information resellers that 
are governed under the Fair Credit Reporting Act or Gramm-
Leach-Bliley be exempted from requirements in the proposed 
Federal Agency Data Protection Act?
    Mr. Schwartz. I think that they should. The question of 
whether they take steps toward accuracy--and, again, you also 
heard Mr. Pratt speak earlier about different kinds of data 
bases, so it is not necessarily--I think that there is some 
distinction there about whether the information broker has to 
follow FCRA for certain data bases and not for other data 
bases, and that's confusing, I think. And it is the 
responsibility of the agency to figure out where the coverage 
lies, what the protections are, and to do that kind of review.
    PIAs, in particular, are set at different levels. And the 
OMB guidance today has said that agencies are supposed to do 
the PIA based on what the potential of impact of privacy is. 
And that's really what the goal should be here. It is 
completely incumbent on the agency to do this review.
    As I said earlier, beyond the accuracy issues and beyond 
figuring out who the partner is, it is also to figure out what 
the rules are internally for the use of that information, and 
to set that up in a way that the program officers understand 
those rules. The PIA is the only way to do that today under U.S. 
law.
    Mr. Clay. OK, let me go to Ms. Bruening.
    What is your feeling?
    Ms. Bruening. Unfortunately, I'm not in a position to speak 
to the specifics of the provisions of the bill.
    However, I think what your question does highlight is the 
fact that we really need to be careful that we don't approach 
this question in a piecemeal fashion; that this really is a 
question about how Government treats data once it is brought 
into Government, so that we can--you know, are we asking the 
right questions? Are we setting appropriate objectives? Are we 
setting the right priorities about those objectives? Are we 
looking closely at what data is being used and how it is being 
used and whether it is going to get us to the objectives that 
we want to reach? And is there accountability around that? And 
do we have the right kind of processes and procedures for 
management of that data once it is brought into Government?
    Mr. Clay. Mr. Pratt, go ahead. You may respond.
    Mr. Pratt. Thank you, Mr. Chairman.
    I see it this way: There already is an assessment any time 
a Government agency is going to have to purchase a consumer 
report, whether they're going to hire an employee and they need 
to conduct a background check, whether it's for a national 
security investigation. And legal counsel, not just a privacy 
officer, but legal counsel are going to have to determine and 
ensure that the State or Federal Government agency is going to 
comply with the Fair Credit Reporting Act, that there is a 
certain permissible purpose for which the data can be obtained.
    And, by the way, the permissible purpose--obtaining for a 
permissible purpose under the 2003 amendments made it very 
clear that the user had to obtain and use the data for the 
permissible purpose. This is not just a question of what the 
consumer reporting agency does to deliver a report for 
permissible purpose.
    So, to me, it is just apples and oranges. A consumer 
reporting agency delivering a consumer report to a Government 
agency knows that Government agency, by contract and by Federal 
law, is going to have to comply with everything that is 
required of it, including notifying the consumer if the 
decision based on that data was adverse to the consumer, the 
adverse action notice that we're familiar with.
    Same thing on the Gramm-Leach-Bliley Act side. I am selling 
you a look-up service product, you are going to use it for 
look-up services. Now, to the extent it should not be used for 
other purposes, that's probably part of what a Government 
agency should do well. But that's not really a privacy impact 
assessment, or maybe there's some semantics here in terms of 
what we mean by the scope of a privacy impact.
    But if you are buying it for a skip tracing purpose, that's 
what it's going to be used for and that's what the contract's 
going to limit you to. That's different than ISP data. That's 
different than telecom data. That's different than 
depersonalized credit card transaction data that the U.S. 
Secret Service might use, for example, to try to locate a belt 
skimming operation in Miami.
    So there really are, I think, different approaches, and so 
I don't think--you can look at it holistically, but at the 
granular level you are going to take different approaches.
    Mr. Clay. Yes, sir, Mr. Schwartz?
    Mr. Schwartz. I don't think it is different at all from the 
privacy impact assessments that we see from the--the ones that 
receive good marks from OMB in the FISMA reports. You go back 
and you look at their PIAs that they've done, they all go 
through how the information is used, what was management's 
intent for the use of the data. That's what they are supposed 
to do.
    So this idea that this is only focused on what FCRA is, I 
think is another universe from what's going on in Government, 
or what should be going on in the Government, which is covering 
how this information is managed and used.
    Mr. Clay. Thank you very much for your responses.
    And that will conclude the testimony from the second panel. 
This hearing is adjourned. Thank you.
    [Whereupon, at 4:05 p.m., the subcommittee was adjourned.]