[Congressional Record Volume 146, Number 54 (Thursday, May 4, 2000)]
[Senate]
[Pages S3531-S3538]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself, Mr. Sarbanes, Mr. Robb, Mr. Dodd, Mr. 
        Kerry, Mr. Bryan, Mr. Edwards, Mr. Durbin, Mr. Harkin, and Mrs. 
        Feinstein):
  S. 2513. A bill to strengthen control by consumers over the use and 
disclosure of their personal financial and health information by 
financial institutions, and for other purposes; to the Committee on 
Banking, Housing, and Urban Affairs.

[[Page S3532]]

              financial information privacy protection act

  Mr. LEAHY. Mr. President, I am pleased today to introduce the 
Financial Information Privacy Protection Act of 2000, which was crafted 
by President Clinton and Vice President Gore. I am delighted to be 
joined by Senator Sarbanes, the Ranking Member of the Senate Banking 
Committee, who is a real leader in the Senate on protecting personal 
financial information. I am also pleased that Senators Robb, Dodd, 
Kerry, Bryan, Edwards, Durbin, Harkin and Feinstein are original 
cosponsors of this legislation to protect the financial privacy of all 
Americans.
  Last November, President Clinton signed into law the landmark 
Financial Modernization Act of 1999, which updates our financial laws 
and opens up the financial services industry to become more 
competitive, both at home and abroad. Many of my colleagues and I 
supported that legislation because we believe it will benefit 
businesses and consumers. It will make it easier for banking, 
securities, and insurance firms to consolidate their services, cut 
expenses and offer more products at a lower cost to all. But it also 
raises new concerns about our financial privacy.
  New conglomerates in the financial services industry may now offer a 
widening variety of services, each of which may require a customer to 
provide financial, medical or other personal information. Nothing in 
the new law prevents these new subsidiaries or affiliates of financial 
conglomerates from sharing this information for uses beyond those the 
customer thought he or she was providing it. For example, the new law 
has no requirement for the consumer to control whether these new 
financial subsidiaries or affiliates sell, share, or publish 
information on savings account balances, certificates of deposit 
maturity dates and balances, stock and mutual fund purchases and sales, 
life insurance payouts or health insurance claims. That is wrong.
  When President Clinton signed the financial modernization bill last 
year, he directed the National Economic Council to work with the 
Treasury Department and Office of Management and Budget to craft a 
legislative proposal to protect financial privacy in the new financial 
services marketplace. The result of that process is the bill we are 
introducing today.
  I believe the Financial Information Privacy Protection Act of 2000 
should serve as the foundation for model financial privacy legislation 
that Congress enacts into law this year. This bill is a common sense 
approach that can attract both consumers and the industry. It sands off 
the extremes at both ends of the issue. We need a catalyst to bring 
both sides together, and this bill can do it.
  Privacy is one of our most vulnerable rights in the information age. 
Digitalization of information offers tremendous benefits but also new 
threats. Some in Congress are content to punt the privacy issue down 
the field for another year. The public disagrees. People know that the 
longer we dawdle, the harder it will be to halt the erosion of privacy. 
A year is an eternity in the digital age.
  The right of privacy is a personal and fundamental right protected by 
the Constitution of the United States. But today, the American people 
are growing more and more concerned over encroachments on their 
personal privacy. To return personal financial privacy to the control 
of the consumer, the Administration's financial privacy legislation 
would create the following enforceable rights in Federal law.
  New Right To Opt-out of Information Sharing By Affiliates. The new 
financial modernization law permits consumers to say no to information 
sharing, selling or publishing among third parties in many cases, but 
not among affiliated firms. The Financial Information Privacy 
Protection Act of 2000 would require financial conglomerates, which 
will only grow under the new modernization law, to expand this 
protection to give consumers the right to notify it (opt-out) to stop 
all information sharing, selling or publishing of personal financial 
information among all third parties and affiliates.
  New Right For Consumers To Opt-In For Sharing of Medical Information 
and Personal Spending Habits. The Financial Information Privacy 
Protection Act of 2000 would require financial firms to get the 
affirmative consent (opt-in) of consumers before a firm could gain 
access to medical information within a financial conglomerate or share 
detailed information about a consumer's personal spending habits.
  New Right To Access and Correct Financial Information. The Financial 
Information Privacy Protection Act of 2000 would give consumers the 
right to review and correct their financial records, just like 
consumers today may review and correct their credit reports.
  New Right To Privacy Policy Up Front. The Financial Information 
Privacy Protection Act of 2000 would require financial firms to provide 
their privacy policies to consumers before committing to a customer 
relationship, not after. In addition, the bill's new rights would be 
enforced by federal banking regulators, the Federal Trade Commission 
and state attorneys general.
  As President Clinton warned all Americans: ``Although consumers put a 
great value on privacy of their financial records, our laws have not 
caught up to technological developments that make it possible and 
potentially profitable for companies to share financial data in new 
ways. Consumers who undergo physical exams to obtain insurance, for 
example, should not have to fear the information will be used to lower 
their credit card limits or deny them mortgages.'' I strongly agree.
  Unfortunately, if you have a checking account, you may have a 
financial privacy problem. Your bank may sell or share with business 
allies information about who you are writing checks to, when, and for 
how much. And even if you tell your bank to stop, it can ignore you 
under current law. This legislation returns to consumers the power to 
stop the selling or sharing of personal financial information.
  Americans ought to be able to enjoy the exciting innovations of this 
burgeoning information era without losing control over the use of their 
financial information. The Financial Information Privacy Protection Act 
of 2000 updates United States privacy laws to provide these fundamental 
protections of personal financial information in the evolving financial 
services industry. I urge my colleagues to support it.
  Mr. President, I ask unanimous consent that the full text of the 
Financial Information Privacy Protection Act of 2000 and a section-by-
section analysis of the bill be printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                S. 2513

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE AND TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Financial 
     Information Privacy Protection Act of 2000''.
       (b) Table of Contents.--The table of contents for this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Opt-out requirement for disclosure to affiliates and 
              nonaffiliated third parties.
Sec. 3. Restricting the transfer of information about personal spending 
              habits.
Sec. 4. Restricting the use of health information in making credit and 
              other financial decisions.
Sec. 5. Limits on redisclosure and reuse of information.
Sec. 6. Consumer rights to access and correct information.
Sec. 7. Improved enforcement authority.
Sec. 8. Enhanced disclosure of privacy policies.
Sec. 9. Limit on disclosure of account numbers.
Sec. 10. General exceptions.
Sec. 11. Definitions.
Sec. 12. Issuance of implementing regulations.
Sec. 13. FTC rulemaking authority under the Fair Credit Reporting Act.

     SEC. 2. OPT-OUT REQUIREMENT FOR DISCLOSURE TO AFFILIATES AND 
                   NONAFFILIATED THIRD PARTIES.

       Section 502(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6802(a)) is amended to read as follows:
       ``(a) Disclosure of Nonpublic Personal Information.--Except 
     as otherwise provided in this subtitle, a financial 
     institution may not disclose any nonpublic personal 
     information to an affiliate or a nonaffiliated third party 
     unless such financial institution--
       ``(1) has provided to the consumer a clear and conspicuous 
     notice, in writing or electronic form or other form permitted 
     by the regulations implementing this subtitle, of the 
     categories of information that may be disclosed to the--
       ``(A) affiliate; or
       ``(B) nonaffiliated third party;

[[Page S3533]]

       ``(2) has given the consumer an opportunity, before the 
     time that such information is initially disclosed, to direct 
     that such information not be disclosed to such--
       ``(A) affiliate; or
       ``(B) nonaffiliated third party; and
       ``(3) has given the consumer the ability to exercise that 
     nondisclosure option through the same method of communication 
     by which the consumer received the notice described in 
     paragraph (1) or another method at least as convenient to the 
     consumer, and an explanation of how the consumer can exercise 
     such option.''.

     SEC. 3. RESTRICTING THE TRANSFER OF INFORMATION ABOUT 
                   PERSONAL SPENDING HABITS.

       Section 502(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6802(b)) is amended to read as follows:
       ``(b) Restriction on the Transfer of Information About 
     Personal Spending Habits.--
       ``(1) In general.--Notwithstanding subsection (a), if a 
     financial institution provides a service to a consumer 
     through which the consumer makes or receives payments or 
     transfers by check, debit card, credit card, or other similar 
     instrument, the financial institution shall not transfer to 
     an affiliate or a nonaffiliated third party--
       ``(A) an individualized list of that consumer's 
     transactions or an individualized description of that 
     consumer's interests, preferences, or other characteristics; 
     or
       ``(B) any such list or description constructed in response 
     to an inquiry about a specific, named individual;
     if the list or description is derived from information 
     collected in the course of providing that service.
       ``(2) Restriction on transfer of aggregate lists containing 
     certain health information.--Notwithstanding subsection (a), 
     a financial institution shall not transfer to an affiliate or 
     a nonaffiliated third party any aggregate list of consumers 
     containing or derived from individually identifiable health 
     information.
       ``(3) Exceptions.--
       ``(A) In general.--The financial institution may disclose 
     the information described in paragraph (1) or (2) to an 
     affiliate or a nonaffiliated third party if such financial 
     institution--
       ``(i) has clearly and conspicuously requested in writing or 
     in electronic form or other form permitted by the regulations 
     implementing this subtitle, that the consumer affirmatively 
     consent to such disclosure; and
       ``(ii) has obtained from the consumer such affirmative 
     consent and such consent has not been withdrawn.
       ``(B) Rule of construction.--This subsection shall not be 
     construed as preventing a financial institution from 
     transferring the information described in paragraph (1) or 
     (2) to an affiliate or a nonaffiliated third party for the 
     purposes described in paragraph (1), (2), (3), (5), (7), (8), 
     (9), or (10) of subsection (f).
       ``(C) Scope of application.--Paragraph (1) shall not apply 
     to the transfer of aggregate lists of consumers.''.

     SEC. 4. RESTRICTING THE USE OF HEALTH INFORMATION IN MAKING 
                   CREDIT AND OTHER FINANCIAL DECISIONS.

       (a) Restriction on Use of Consumer Health Information.--
     Section 502(c) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6802(c)) is amended to read as follows:
       ``(c) Use of Consumer Health Information Available From 
     Affiliates and nonaffiliated Third Parties.--In deciding 
     whether, or on what terms, to offer, provide, or continue to 
     provide a financial product or service to a consumer, a 
     financial institution shall not obtain or receive 
     individually identifiable health information about the 
     consumer from an affiliate or nonaffiliated third party, or 
     evaluate or otherwise consider any such information, unless 
     the financial institution--
       ``(1) has clearly and conspicuously requested in writing or 
     in electronic form or other form permitted by the regulations 
     implementing this subtitle, that the consumer affirmatively 
     consent to the transfer and use of that information with 
     respect to a particular financial product or service;
       ``(2) has obtained from the consumer such affirmative 
     consent and such consent has not been withdrawn; and
       ``(3) requires the same health information about all 
     consumers as a condition for receiving the financial product 
     or service.''.
       (b) Existing Protections For Health Information Not 
     Affected.--Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6801 et seq.) is amended by adding after section 510 the 
     following new section:

     ``SEC. 511. RELATION TO STANDARDS ESTABLISHED UNDER THE 
                   HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY 
                   ACT OF 1996.

       ``Nothing in this subtitle shall be construed as--
       ``(1) modifying, limiting, or superseding standards 
     governing the privacy and security of individually 
     identifiable health information promulgated by the Secretary 
     of Health and Human Services under sections 262(a) and 264 of 
     the Health Insurance Portability and Accountability Act of 
     1996; or
       ``(2) authorizing the use or disclosure of individually 
     identifiable health information in a manner other than as 
     permitted by other applicable law.''.
       (c) Definition of Individually Identifiable Health 
     Information.--Section 509 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6809) is amended by adding at the end the following 
     new paragraph:
       ``(12) Individually identifiable health information.--The 
     term `individually identifiable health information' means any 
     information, including demographic information obtained from 
     or about an individual, that is described in section 
     1171(6)(B) of the Social Security Act.''.
       (d) Technical and Conforming Amendment.--Section 505(a)(6) 
     of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(6)) is 
     amended by inserting before the period at the end ``to the 
     extent the provisions of such section are not inconsistent 
     with the provisions of this subtitle''.

     SEC. 5. LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION.

       Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) 
     is amended--
       (1) by redesignating subsections (d) and (e) as subsections 
     (e) and (f), respectively; and
       (2) by inserting after subsection (c) the following new 
     subsection:
       ``(d) Limits on Redisclosure and Reuse of Information.--
       ``(1) In general.--An affiliate or a nonaffiliated third 
     party that receives nonpublic personal information from a 
     financial institution shall not disclose such information to 
     any other person unless such disclosure would be lawful if 
     made directly to such other person by the financial 
     institution.
       ``(2) Disclosure under a general exception.--
     Notwithstanding paragraph (1), any person that receives 
     nonpublic personal information from a financial institution 
     in accordance with one of the general exceptions in 
     subsection (f) may use or disclose such information only--
       ``(A) as permitted under that general exception; or
       ``(B) under another general exception in subsection (f), if 
     necessary to carry out the purpose for which the information 
     was disclosed by the financial institution.''.

     SEC. 6. CONSUMER RIGHTS TO ACCESS AND CORRECT INFORMATION.

       Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et 
     seq.) is amended by adding after section 511 (as added by 
     section 4(b) of this Act), the following new section:

     ``SEC. 512. ACCESS TO AND CORRECTION OF INFORMATION.

       ``(a) Access.--
       ``(1) In general.--Upon the request of a consumer, a 
     financial institution shall make available to the consumer 
     information about the consumer that is under the control of, 
     and reasonably available to, the financial institution.
       ``(2) Exceptions.--Notwithstanding paragraph (1), a 
     financial institution--
       ``(A) shall not be required to disclose to a consumer any 
     confidential commercial information, such as an algorithm 
     used to derive credit scores or other risk scores or 
     predictors;
       ``(B) shall not be required to create new records in order 
     to comply with the consumer's request;
       ``(C) shall not be required to disclose to a consumer any 
     information assembled by the financial institution, in a 
     particular matter, as part of the financial institution's 
     efforts to comply with laws preventing fraud, money 
     laundering, or other unlawful conduct; and
       ``(D) shall not disclose any information required to be 
     kept confidential by any other Federal law.
       ``(b) Correction.--A financial institution shall provide a 
     consumer the opportunity to dispute the accuracy of any 
     information disclosed to the consumer pursuant to subsection 
     (a), and to present evidence thereon. A financial institution 
     shall correct or delete material information identified by a 
     consumer that is materially incomplete or inaccurate.
       ``(c) Coordination and Consultation.--In prescribing 
     regulations implementing this section, the Federal agencies 
     specified in section 504(a) shall consult with one another to 
     ensure that the rules--
       ``(1) impose consistent requirements on the financial 
     institutions under their respective jurisdictions;
       ``(2) take into account conditions under which financial 
     institutions do business both in the United States and in 
     other countries; and
       ``(3) are consistent with the principle of technology 
     neutrality.
       ``(d) Charges For Disclosures.--A financial institution may 
     impose a reasonable charge for making a disclosure under this 
     section, which charge must be disclosed to the consumer 
     before making the disclosure.''.

     SEC. 7. IMPROVED ENFORCEMENT AUTHORITY.

       (a) Compliance With Privacy Policy.--Section 503 of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended by adding 
     at the end the following new subsection:
       ``(c) Compliance With Privacy Policy.--A financial 
     institution's failure to comply with any of its policies or 
     practices disclosed to a consumer under this section 
     constitutes a violation of the requirements of this 
     section.''.
       (b) Unfair and Deceptive Trade Practice.--Section 505(a)(7) 
     of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(7)) is 
     amended by adding at the end the following new sentence: ``A 
     violation of any requirement of this subtitle, or the 
     regulations of the Federal Trade Commission prescribed under 
     this subtitle, by a financial institution or other person 
     described in this paragraph shall constitute an unfair or 
     deceptive act or practice in commerce in violation of section 
     5(a) of the Federal Trade Commission Act.''.

[[Page S3534]]

       (c) Supplemental State Enforcement For FTC Regulated 
     Entities.--Section 505 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6805) is amended by adding at the end the following 
     new subsection:
       ``(e) State Action For Violations.--
       ``(1) Authority of the States.--In addition to such other 
     remedies as are provided under State law, if the attorney 
     general of a State, or an officer authorized by the State, 
     has reason to believe that any financial institution or other 
     person described in section 505(a)(7) has violated or is 
     violating this subtitle or the regulations prescribed 
     thereunder by the Federal Trade Commission, the State may--
       ``(A) bring an action on behalf of the residents of the 
     State to enjoin such violation in any appropriate United 
     States district court or in any other court of competent 
     jurisdiction; and
       ``(B) bring an action on behalf of the residents of the 
     State to enforce compliance with this subtitle and the 
     regulations prescribed thereunder by the Federal Trade 
     Commission, to obtain damages, restitution, or other 
     compensation on behalf of the residents of such State, or to 
     obtain such further and other relief as the court may deem 
     appropriate.
       ``(2) Rights of the federal trade commission.--The State 
     shall serve prior written notice of any action under 
     paragraph (1) upon the Federal Trade Commission and shall 
     provide the Commission with a copy of its complaint; provided 
     that, if such prior notice is not feasible, the State shall 
     serve such notice immediately upon instituting such action. 
     The Federal Trade Commission shall have the right--
       ``(A) to move to stay the action, pending the final 
     disposition of a pending Federal matter as described in 
     paragraph (4);
       ``(B) to intervene in an action under paragraph (1);
       ``(C) upon so intervening, to be heard on all matters 
     arising therein;
       ``(D) to remove the action to the appropriate United States 
     district court; and
       ``(E) to file petitions for appeal.
       ``(3) Investigatory powers.--For purposes of bringing any 
     action under this subsection, nothing in this subsection 
     shall prevent the attorney general, or officers of such State 
     who are authorized by such State to bring such actions, from 
     exercising the powers conferred on the attorney general or 
     such officers by the laws of such State to conduct 
     investigations or to administer oaths or affirmations or to 
     compel the attendance of witnesses or the production of 
     documentary and other evidence.
       ``(4) Limitation on state action while federal action is 
     pending.--If the Federal Trade Commission has instituted an 
     action for a violation of this subtitle, no State may, during 
     the pendency of such action, bring an action under this 
     section against any defendant named in the complaint of the 
     Commission for any violation of this subtitle that is alleged 
     in that complaint.''.
       (d) State Action For Violations of Ban on Pretext 
     Calling.--Section 522 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6822) is amended by adding at the end the following 
     new subsection:
       ``(c) State Action For Violations.--
       ``(1) Authority of the states.--In addition to such other 
     remedies as are provided under State law, if the attorney 
     general of a State, or an officer authorized by the State, 
     has reason to believe that any person (other than a person 
     described in subsection (b)(1)) has violated or is violating 
     this subtitle, the State may--
       ``(A) bring an action on behalf of the residents of the 
     State to enjoin such violation in any appropriate United 
     States district court or in any other court of competent 
     jurisdiction; and
       ``(B) bring an action on behalf of the residents of the 
     State to enforce compliance with this subtitle, to obtain 
     damages, restitution, or other compensation on behalf of the 
     residents of such State, or to obtain such further and other 
     relief as the court may deem appropriate.
       ``(2) Rights of federal agencies.--The State shall serve 
     prior written notice of any action commenced under paragraph 
     (1) upon the Attorney General and the Federal Trade 
     Commission, and shall provide the Attorney General and the 
     Commission with a copy of the complaint; provided that, if 
     such prior notice is not feasible, the State shall serve such 
     notice immediately upon instituting such action. The Attorney 
     General and the Federal Trade Commission shall have the 
     right--
       ``(A) to move to stay the action, pending the final 
     disposition of a pending Federal matter as described in 
     paragraph (4);
       ``(B) to intervene in an action under paragraph (1);
       ``(C) upon so intervening, to be heard on all matters 
     arising therein;
       ``(D) to remove the action to the appropriate United States 
     district court; and
       ``(E) to file petitions for appeal.
       ``(3) Investigatory powers.--For purposes of bringing any 
     action under this subsection, nothing in this subsection 
     shall prevent the attorney general, or officers of such State 
     who are authorized by such State to bring such actions, from 
     exercising the powers conferred on the attorney general or 
     such officers by the laws of such State to conduct 
     investigations or to administer oaths or affirmations or to 
     compel the attendance of witnesses or the production of 
     documentary and other evidence.
       ``(4) Limitation on state action while federal action is 
     pending.--If the Attorney General has instituted a criminal 
     proceeding or the Federal Trade Commission has instituted a 
     civil action for a violation of this subtitle, no State may, 
     during the pendency of such proceeding or action, bring an 
     action under this section against any defendant named in the 
     criminal proceeding or civil action for any violation of this 
     subtitle that is alleged in that proceeding or action.''.

     SEC. 8. ENHANCED DISCLOSURE OF PRIVACY POLICIES.

       (a) Timing of Notice to Consumers.--Section 503(a) of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6803(a)) is amended to read 
     as follows:
       ``(a) Disclosure Required.--
       ``(1) Time of disclosure.--A financial institution shall 
     provide a disclosure that complies with paragraph (2)--
       ``(A) to an individual upon the individual's request;
       ``(B) as part of an application for a financial product or 
     service from the financial institution; and
       ``(C) to a consumer, prior to establishing a customer 
     relationship with the consumer and not less frequently than 
     annually during the continuation of such relationship.
       ``(2) Disclosure format.--The disclosure required by 
     paragraph (1) shall be a clear and conspicuous notice, in 
     writing or in electronic form or other form permitted by the 
     regulations implementing this subtitle, of such financial 
     institution's policies and practices with respect to--
       ``(A) disclosing nonpublic personal information to 
     affiliates and nonaffiliated third parties, consistent with 
     section 502, including the categories of information that may 
     be disclosed;
       ``(B) disclosing nonpublic personal information of persons 
     who have ceased to be customers of the financial institution; 
     and
       ``(C) protecting the nonpublic personal information of 
     consumers.
     Such disclosure shall be made in accordance with the 
     regulations implementing this subtitle.''.
       (b) Notice of Rights to Access and Correct Information.--
     Section 503(b)(2) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6803(b)(2)) is amended by inserting ``, and a statement of 
     the consumer's right to access and correct such information, 
     consistent with section 512'' after ``institution''.
       (c) Technical and Conforming Amendment.--Section 
     503(b)(1)(A) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6803(b)(1)(A)) is amended by striking ``502(e)'' and 
     inserting ``502(f)''.

     SEC. 9. LIMIT ON DISCLOSURE OF ACCOUNT NUMBERS.

       Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) 
     is amended in subsection (e) (as so redesignated by section 
     5) by inserting ``affiliate or'' before ``nonaffiliated third 
     party''.

     SEC. 10. GENERAL EXCEPTIONS.

       Section 502(f) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6802)) (as so redesignated by section 5 of this Act) is 
     amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``Subsections (a) and (b)'' and inserting ``Subsection (a)'';
       (2) in paragraph (1)--
       (A) by striking ``or'' at the end of subparagraph (B);
       (B) by inserting ``or'' after the semicolon at the end of 
     subparagraph (C); and
       (C) by inserting after subparagraph (C) the following new 
     subparagraph:
       ``(D) performing services for or functions solely on behalf 
     of the financial institution with respect to the financial 
     institution's own customers, including marketing of the 
     financial institution's own products or services to the 
     financial institution's customers;'';
       (3) in paragraph (4), by striking ``, and the institution's 
     attorneys, accountants, and auditors'';
       (4) in paragraph (5), by inserting ``section 21 of the 
     Federal Deposit Insurance Act,'' after ``title 31, United 
     States Code,'';
       (5) in paragraph (7), by striking ``or'' at the end;
       (6) in paragraph (8), by striking the period and inserting 
     a semicolon; and
       (7) by adding at the end the following new paragraphs:
       ``(9) in order to facilitate customer service, such as 
     maintenance and operation of consolidated customer call 
     centers or the use of consolidated customer account 
     statements; or
       ``(10) to the institution's attorneys, accountants, and 
     auditors.''.

     SEC. 11. DEFINITIONS.

       Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) 
     is amended--
       (1) in paragraph (3)--
       (A) by striking ``(3) Financial institution'' and all that 
     follows through ``The term `financial institution'' and 
     inserting ``(3) Financial institution.--The term `financial 
     institution''; and
       (B) by striking subparagraphs (B), (C), and (D);
       (2) by amending paragraph (4) to read as follows:
       ``(4) Nonpublic personal information.--The term ``nonpublic 
     personal information'' means--
       ``(A) any personally identifiable information, including a 
     Social Security number--
       ``(i) provided by a consumer to a financial institution, in 
     an application or otherwise, to obtain a financial product or 
     service from the financial institution;

[[Page S3535]]

       ``(ii) resulting from any transaction between a financial 
     institution and a consumer involving a financial product or 
     service; or
       ``(iii) obtained by the financial institution about a 
     consumer in connection with providing a financial product or 
     service to that consumer, other than publicly available 
     information, as such term is defined by the regulations 
     prescribed under section 504; and
       ``(B) any list, description or other grouping of one or 
     more consumers of the financial institution and publicly 
     available information pertaining to them.''; and
       (3) in paragraph (9), by inserting ``applies for or'' 
     before ``obtains''.

     SEC. 12. ISSUANCE OF IMPLEMENTING REGULATIONS.

       (a) In General.--The Federal agencies specified in section 
     504(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)) 
     shall prescribe regulations implementing the amendments to 
     subtitle A of title V of the Gramm-Leach-Bliley Act made by 
     this Act, and shall include such requirements determined to 
     be appropriate to prevent their circumvention or evasion.
       (b) Coordination, Consistency, and Comparability.--The 
     regulations issued under subsection (a) shall be issued in 
     accordance with the requirements of section 504(a) of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)), except that the 
     deadline in section 504(a)(3) shall not apply.

     SEC. 13. FTC RULEMAKING AUTHORITY UNDER THE FAIR CREDIT 
                   REPORTING ACT.

       Section 621(e) of the Fair Credit Reporting Act (15 U.S.C. 
     1681s(e)) is amended by adding at the end the following new 
     paragraph:
       ``(3) Regulations.--The Federal Trade Commission shall 
     prescribe such regulations as necessary to carry out the 
     provisions of this title with respect to any persons 
     identified under paragraph (1) of subsection (a). Prior to 
     prescribing such regulations, the Federal Trade Commission 
     shall consult with the Federal banking agencies referred to 
     in paragraph (1) of this subsection in order to ensure, to 
     the extent possible, comparability and consistency with the 
     regulations issued by the Federal banking agencies under that 
     paragraph.''.
                                  ____


   Financial Information Privacy Protection Act--Section-by-Section 
                                Analysis

     Section 1: Short Title; Table of Contents
     Section 101: Opt-out Requirement for Disclosure to Affiliates 
         and Nonaffiliated Third Parties
       The Gramm-Leach-Bliley Act (GLBA) requires a financial 
     institution to give consumers notice of, and an opportunity 
     to prevent (opt out of), sharing of their nonpublic personal 
     information with companies that are not affiliated with the 
     financial institution (nonaffiliated third parties). Section 
     101 of the bill strengthens consumers' control over their 
     personal financial information by expanding this opt-out 
     right to cover information sharing between financial 
     institutions and their affiliates.
       Section 101 also requires that when a financial institution 
     notifies a consumer of its intent to share the consumer's 
     information and gives the consumer the opportunity to opt-
     out, the consumer must be able to exercise the opt-out choice 
     through the same method of communication by which the 
     financial institution communicated the opt-out notice to the 
     consumer, or by another method at least as convenient to the 
     consumer. For example, if a financial institution gives a 
     consumer an opt-out notice by electronic mail, the consumer 
     would have to be able to exercise the opt-out by a method at 
     least as convenient, such as by electronic mail or by 
     telephone, but could not be required to opt-out via an 
     individual letter.
       The GLBA currently includes general exceptions to the 
     notice and opt-out requirement--for example, to allow 
     processing a consumer's transaction, to prevent fraud, or to 
     control institutional risk. The bill would also apply these 
     exceptions to information sharing with affiliates.
     Section 102: Limitation on Transfer of Information About 
         Personal Spending Habits
       Section 102 of the bill strengthens consumers' control over 
     the detailed information that financial firms can learn about 
     their personal spending habits and sources of income. In the 
     course of providing a payment mechanism for consumers, 
     financial institutions such as credit card companies, banks 
     and brokers--when they provide checking or money market 
     accounts--learn to whom a consumer makes payments, from whom 
     the consumer receives payments, and what the payments are 
     for.
       The bill recognizes the special sensitivity of this 
     information. It requires that where a financial institution 
     is providing payment services for a consumer, the institution 
     cannot disclose the consumer's spending habits--whether in 
     the form of a list of the consumer's transactions or as a 
     description of the consumer's interests, preferences, or 
     other characteristics derived from payment information--
     unless the institution clearly and conspicuously requests 
     permission from the consumer, and the consumer affirmatively 
     consents (opts in). This applies for transfers to both 
     nonaffiliated third parties and affiliates.
       Section 102 includes the exceptions for transaction 
     processing, servicing of customer accounts, and other 
     necessary activities such as law enforcement.
     Section 103: Restricting the Use of Health Information in 
         Making Credit and Other Financial Decisions
       Limitation on Receipt of Consumer Health Information from 
           Affiliates
       Section 103(a) of the bill prevents financial institutions 
     from using a consumer's health information held at an 
     affiliate in order to discriminate in the provision of credit 
     and financial services. Section 103(a) provides that in 
     deciding whether, and on what terms, to offer, provide, or 
     continue to provide a particular financial product or service 
     to a consumer, a financial institution may not obtain, 
     receive, evaluate, or otherwise consider individually 
     identifiable health information about the consumer from an 
     affiliate unless the financial institution: (1) clearly and 
     conspicuously requests permission from the consumer; (2) 
     obtains the consumer's affirmative consent; and (3) requires 
     the same information about all consumers as a condition for 
     receiving the financial product or service.
       Relation to the Health Insurance Portability and 
           Accountability Act
       Section 103(b) of the bill clarifies that the provisions of 
     subtitle A of title V of the GLBA, which create protections 
     for the privacy of consumers' financial information, do not 
     in any way modify or override the requirements of the 
     regulations issued by the Secretary of Health and Human 
     Services implementing the privacy and security protections 
     for consumers' individually identifiable health information 
     under the Health Insurance Portability and Accountability Act 
     of 1996 (HIPAA). Nor do the requirements of the GLBA 
     governing protection of consumers' financial information 
     authorize any use of individually identifiable health 
     information that would be inconsistent with other laws that 
     apply to such information. Section 103(c) makes clear that 
     for purposes of this provision, the term ``individually 
     identifiable health information'' has the same meaning as 
     under the HIPAA.
     Section 104: Limits on Redisclosure and Reuse of Information
       The GLBA imposes certain limits on a nonaffiliated third 
     party's ability to redisclose nonpublic personal information 
     received from a financial institution. The GLBA does not 
     prohibit a third party from redisclosing this information to 
     its own affiliates or to affiliates of the financial 
     institution from whom it received the information. In 
     addition, the third party may disclose the information to 
     another company if that disclosure would be lawful if made 
     directly by the financial institution.
       Section 104 of the bill tightens the limits on redisclosure 
     and extends them to a financial institution's affiliates, in 
     order to parallel the new opt-out requirement for disclosure 
     of information to affiliates. Under section 104, when a 
     financial institution discloses nonpublic personal 
     information to either an affiliate or a nonaffiliated 
     third party, the recipient of the information may not 
     redisclose the information to any other person unless that 
     disclosure would be lawful if made directly by the 
     financial institution.
       Section 104 also clarifies how the limits on redisclosure 
     apply when a financial institution discloses a consumer's 
     nonpublic personal information to another company pursuant to 
     one of the general exceptions to the opt-out requirement. 
     Section 104 provides that an affiliate or a nonaffiliated 
     third party that receives nonpublic personal information from 
     a financial institution under one of the general exceptions 
     may use or disclose that information only: (1) as permitted 
     under that general exception; or (2) under another general 
     exception, if necessary to carry out the purpose for which 
     the information was originally disclosed under a general 
     exception.
       Since the opt-in requirement for the disclosure of personal 
     spending information by payment service providers is subject 
     to some, but not all, of the general exceptions, only a 
     subset of the general exceptions apply to reuse and 
     redisclosure by recipients of such information.
     Section 105: Consumer Rights to Access and Correct 
         Information
       Section 105 of the bill gives consumers the right to access 
     and to correct information about them that is under the 
     control of, and reasonably available to, a financial 
     institution. A financial institution would not, however, be 
     required to give consumers access to confidential commercial 
     information, to make disclosures that would interfere with 
     law enforcement, or to create new records in order to comply 
     with a consumer's request for information.
       Section 105 also requires financial institutions to give 
     consumers the opportunity to dispute the accuracy of 
     information disclosed to the consumer and to present evidence 
     of any inaccuracy. The financial institution must correct or 
     delete material information identified by the consumer that 
     is materially incomplete or inaccurate. In addition, a 
     financial institution may impose a reasonable fee for making 
     information available to consumers, as long as consumers 
     receive prior notice of the fee.
       In promulgating regulations to implement the new access and 
     correction requirements, federal regulators must consult and 
     coordinate with one another in order to ensure that the 
     regulations: (1) impose consistent requirements across 
     financial institutions; (2) take into account conditions 
     under which the financial institutions do business in the 
     U.S. and abroad; and (3) are technology neutral.
     Section 106: Improved Enforcement Authority
       Compliance with Privacy Policy
       The GLBA does not clearly explain whether a financial 
     institution is legally required
     to abide by commitments it makes to consumers in its privacy 
     policy if those commitments are not required by law. Section 
     106(a) of the bill clarifies that a financial institution's 
     failure to comply with any of the privacy policies or 
     practices disclosed to a consumer constitutes a violation 
     of law.
       Clarification of Federal Trade Commission (FTC) Enforcement 
           Authority
       Section 106(b) of the bill makes clear that if a financial 
     institution or other person under the FTC's enforcement 
     jurisdiction under subtitle A of title V of the GLBA engages 
     in an activity that violates subtitle A, that activity 
     constitutes an unfair and deceptive trade practice under the 
     Federal Trade Commission Act. Consequently, in addressing 
     such a violation, the FTC could use all the enforcement tools 
     it has with respect to unfair or deceptive acts or practices 
     under the FTC Act.
       State Enforcement Authority Concurrent with FTC
       Section 106(c) of the bill gives States concurrent 
     authority with the FTC to enforce the GLBA's privacy 
     requirements with respect to FTC-regulated entities. Section 
     106(d) gives the States concurrent authority with the FTC to 
     enforce the GLBA's prohibitions on ``pretext calling,'' which 
     involves obtaining customer information from a financial 
     institution under false pretenses. Enforcement with regard to 
     banking institutions would continue to be done solely by the 
     federal banking agencies.
     Section 107: Enhanced Disclosure of Privacy Policies
       Timing of Disclosure of Privacy Policy
       The GLBA requires financial institutions to provide their 
     privacy policies to consumers at the time of establishing a 
     customer relationship and at least annually during the 
     continuation of the relationship. The phrase ``at time of 
     establishing a customer relationship'' does not provide clear 
     guidance regarding when a financial institution must provide 
     its privacy policy to those individuals seeking to become its 
     customers. Section 107(a) of the bill is intended to clarify 
     the timing of notice delivery, and to ensure that individuals 
     are able to receive copies of financial institutions' privacy 
     policies before they commit time and resources to dealing 
     with any one financial institution. The bill specifically 
     clarifies that financial institutions must provide their 
     privacy policies to individuals upon request and as part of 
     an application for a financial product or service. Thus, 
     consumers will be empowered to comparison shop based on 
     privacy practices.
       Content of Privacy Policy--Disclosure of Rights to Access 
           and Correct Information
       Section 107(b) requires a financial institution's privacy 
     policy to include a statement of the consumer's rights to 
     access and correct information held by the financial 
     institution (see discussion of section 105 regarding 
     consumers' rights to access and correct information).
     Section 108: Prohibition on Sharing of Account Numbers
       The GLBA prohibits financial institutions from disclosing 
     consumers' account numbers or access codes to nonaffiliated 
     third parties (other than consumer reporting agencies) for 
     marketing purposes. Section 108 of the bill extends this 
     prohibition to disclosures to affiliates.
     Section 109: Exceptions to the Opt-out and Opt-in 
         Requirements
       Agency and Joint Marketing Exception
       Section 502(c) of the GLBA creates an exception to the opt-
     out requirement where a financial institution discloses a 
     consumer's nonpublic personal information to a nonaffiliated 
     third party that is acting as the financial institution's 
     agent. This exception permits a financial institution to 
     disclose consumers' nonpublic personal information to third 
     parties in connection with outsourcing certain functions, 
     such as back-office operations or direct mailings to market 
     the financial institution's own products, without giving 
     consumers the option to prevent disclosure. The financial 
     institution is, however, required to give consumers notice of 
     such disclosures and to enter into agreements with the third 
     parties to maintain the confidentiality of the consumers' 
     information.
       Among the services and functions covered by the principal-
     agent exception are certain joint marketing arrangements, 
     where a third party markets financial products or services 
     pursuant to a joint agreement between two or more financial 
     institutions. The joint marketing agreement exception was 
     enacted to allow financial institutions without affiliates, 
     particularly small institutions, to be able to jointly market 
     their products under the same rules that affiliates may do 
     so--that is, free from any opt-out requirement.
       As noted in the discussion of sections 101 and 102 above, 
     the bill imposes the same restrictions on information sharing 
     between affiliates that now apply to information sharing 
     between financial institutions and nonaffiliated third 
     parties. Therefore, because coverage of information sharing 
     among affiliates and with third parties would be equivalent, 
     the joint marketing exception is rendered unnecessary, and is 
     eliminated. The bill also moves the remaining principal-agent 
     exception from section 502(c) of the GLBA to the list of 
     general exceptions in 502(e), which is redesignated as 
     502(f).
       Customer Service and Consolidated Statements
       Among the general exceptions to the notice and opt-out 
     requirements in the GLBA are disclosures for servicing 
     customer accounts and resolving customer disputes or 
     inquiries. These exceptions are intended to permit financial 
     institutions to share information in response to customer 
     service needs. Section 109(7) of the bill expands the general 
     exceptions to include disclosures necessary to facilitate 
     customer service such as maintenance and operation of 
     consolidated customer call centers and the use of 
     consolidated customer account statements.
       Technical Amendments
       Section 109 of the bill makes technical amendments to the 
     list of general exceptions in section 502(e) of the GLBA, by 
     splitting an existing exception that deals with disclosures 
     to rating agencies and attorneys, and by adding a conforming 
     statutory reference.
     Section 110: Definitions
       ``Financial Institution''
       The financial privacy requirements of subtitle A of title V 
     of the GLBA apply to ``financial institutions,'' which are 
     defined as institutions the business of which is engaging in 
     activities that have been specified as ``financial 
     activities'' under certain statutes and regulations. The 
     GLBA, however, specifically excludes three types of entities 
     from the definition of ``financial institution.'' They are: 
     (1) any person or entity to the extent engaged in a financial 
     activity that is subject to the jurisdiction of the Commodity 
     Futures Trading Commission; (2) the institutions of the Farm 
     Credit System; and (3) institutions chartered by Congress to 
     engage in certain securitization or secondary market sale 
     transactions, as long as such institutions do not sell or 
     transfer nonpublic personal information to nonaffiliated 
     third parties. Section 109(1) of the bill eliminates these 
     exclusions in order to ensure consistency in the protection 
     of consumers' nonpublic personal information under the GLBA. 
     The bill preserves the existing general exception for 
     disclosures in connection with securitization or secondary 
     market sales transactions.
       ``Nonpublic Personal Information''
       Section 110(2) of the bill revises the definition of 
     ``nonpublic personal information'' in order to clarify that 
     the term includes a consumer's Social Security number. This 
     provision also clarifies that publicly available information 
     about consumers also would be covered whether or not that 
     information is disclosed as part of a larger list of 
     consumers or as it pertains to an individual consumer. Under 
     current law, this type of information is covered only if it 
     is part of a list of more than one consumer.
       ``Consumer''
       Under the GLBA, the term ``consumer'' is defined as an 
     individual who obtains a financial product or service from a 
     financial institution for personal, family, or household 
     purposes, or such person's legal representative. Section 
     109(3) of the bill amends the definition of ``consumer'' to 
     clarify that the term includes an individual who applies for, 
     but does not necessarily obtain, such products or services 
     from a financial institution.
     Section 111: Implementing Regulations
       Section 110(a) of the bill authorizes the federal 
     regulators who have rulemaking authority under subtitle A of 
     title V of the GLBA to issue regulations implementing the 
     amendments made by the bill. The bill requires these agencies 
     to include in their regulations requirements they determine 
     are appropriate to prevent circumvention or evasion of any of 
     the bill's requirements. Section 110(b) provides that in 
     issuing their regulations, the agencies must follow the 
     procedures and requirements set forth in section 504(a) of 
     the GLBA that currently apply to their rulemaking authority. 
     Specifically, the agencies must consult with each other and 
     with representatives of state insurance authorities, and must 
     issue consistent and comparable rules, to the extent 
     possible. The statutory deadline in section 504(a)(3), which 
     is set in relation to the date of the enactment of the GLBA, 
     is obsolete for purposes of the regulations implementing this 
     bill, and therefore does not apply.
     Section 112: FTC Rulemaking Authority Under the Fair Credit 
         Reporting Act (FCRA)
       Section 112 of the bill amends section 621(e) of FCRA by 
     establishing rulemaking authority for the Federal Trade 
     Commission. This amendment creates parity with the federal 
     banking agencies and the National Credit Union 
     Administration, which each obtained rulemaking authority 
     under the FCRA for their respective regulated entities 
     pursuant to section 506 of the GLBA. Extending this authority 
     to the FTC fills a gap in administrative enforcement under 
     the FCRA.

  Mr. SARBANES. Mr. President, I rise today to address a very important 
issue: the protection of every American's personal, sensitive, 
financial and medical information which is held by their financial 
institutions. I am pleased to join Senator Leahy, the chairman of the 
Senate Democratic Privacy Task Force, and Senators Dodd, Kerry, Bryan, 
Edwards, Robb, Durbin, Harkin, and Feinstein in co-sponsoring the 
Financial Information Privacy Protection Act.
  This bill, submitted to us by the Clinton-Gore Administration, seeks 
to
protect a fundamental right of privacy for every American who entrusts 
his or her highly sensitive and confidential financial and medical 
information to a financial institution.
  Every American should at least have the opportunity to say `no' if he 
or she does not want that nonpublic information disclosed. Every 
American should have the right to have especially sensitive information 
held by his or her financial institution kept confidential unless 
consent is given. Every American should be allowed to make certain that 
the information to be shared is accurate and, if not, to have it 
corrected. And these rights should be enforced.
  Mr. President, the Financial Information Privacy Protection Act would 
accomplish these objectives.
  Few Americans understand that, under current Federal law, a financial 
institution could take information it obtained about a customer through 
his or her transactions, and sell or transfer that information to an 
affiliated party without the customer being able to object. And that 
customer has no right to get access to or to correct that information.
  The amount of information that could be disclosed is enormous. It 
includes, for example:
  Savings and checking account balances;
  Certificate of deposit maturity dates and balances;
  Checks an individual writes;
  Checks deposited into a customer's account;
  Stock and mutual fund purchases and sales;
  Life insurance payouts; and
  Health insurance claims.
  Today's technology makes it easier, faster, and less costly than ever 
for institutions to have immediate access to large amounts of customer 
information; to analyze that data; and to send that data to others. 
Banks, securities firms, and insurance companies are increasingly 
affiliating and cross-marketing and, in the process, they are selling 
the products of affiliates to existing customers. This can entail the 
warehousing of large amounts of highly sensitive customer information 
and selling it to or sharing it with other companies, for purposes 
unknown to the customer. While cross-marketing can bring new and 
beneficial products to receptive consumers, it can also result in 
unwanted invasions of personal privacy.
  Surveys show that the public is widely concerned about privacy. Major 
corporations have bumped up against privacy concerns when expanding 
their marketing services. Citizen groups have expressed serious 
concerns about the privacy implications of financial institutions' 
sharing or selling the information they collect without the knowledge 
of the party involved.
  Along with medical records, financial records rank among the kinds of 
personal data Americans most expect will be kept from prying eyes. As 
with medical data, though, the privacy of even highly sensitive 
financial data has been increasingly put at risk by mergers, electronic 
data-swapping and the move to an economy in which the selling of other 
people's personal information is highly profitable--and legal.
  On January 19, 1999, I introduced the Financial Information Privacy 
Act of 1999 (S. 187) to provide consumers with important privacy 
protections for their financial information. Some of these protections 
are reflected in this bill, including a right for consumers to object, 
or opt out, of their financial institutions sharing with affiliates 
customer information, such as account transactions, balances and 
maturity dates as well as rights for the consumer to have access to and 
to correct mistakes in information that would be shared.
  The Gramm-Leach-Bliley Act, enacted last November, contained some 
limited federal financial privacy protections for consumers. While an 
important beginning, these protections failed to meet the expectations 
of Americans and did not contain the important protections that I have 
just referred to.
  When the President signed the Gramm-Leach-Bliley Act, he observed 
that the privacy protections contained in the new legislation were 
inadequate. In his State of the Union Address this year, the President 
reiterated the need for stronger privacy legislation. Last Sunday, the 
President announced a proposal for improved financial privacy 
protections. He said, ``We can't let breakthroughs in technology break 
down walls of privacy.'' I agree and applaud the Clinton-Gore 
Administration's proposal as an important step forward.
  The Financial Privacy Protection Act reflects the Administration's 
proposal and contains important financial privacy protections.
  The Act would provide an ``opt out'' for affiliate sharing, allowing 
customers to object to a financial institution's sharing customer 
financial data with any affiliated firms.
  It also would provide an ``opt in'' for sharing some types of 
``sensitive information.'' A financial institution would need to have a 
consumer's affirmative consent before releasing his or her medical 
information or personal spending habits, reflected on checks written 
and credit card charges, to either an affiliate or an unaffiliated 
third party.
  The Act also provides consumers with rights of access and correction. 
A consumer would be able to see the information to be released and 
correct material errors.
  The Act also requires financial institutions to make privacy notices 
available to consumers who request them and makes other important 
improvements to the law.
  As we proceed in an age of technological advances and cross-industry 
marketing of financial services, we need to be mindful of the privacy 
concerns of the American public. I ask myself the question, ``Whose 
information is this, the individual's or the institution's?'' I believe 
it is the individual's.
  Consumers who wish to keep their sensitive financial and medical 
information private should be given a right to do so. The passage of 
the Financial Information Privacy Act would be a step toward that goal.
  Mr. DODD. Mr. President, after numerous unsuccessful attempts, last 
year, Congress enacted legislation to modernize our nation's financial 
services laws. This important legislation will help to provide 
consumers greater choices for financial products and services and will 
also ensure that U.S. financial services companies are better equipped 
to handle the challenges of competing in a global marketplace.
  As part of the financial services modernization legislation, limited 
provisions were included to help protect consumers' personal financial 
privacy. While these provisions were constructive, I believe that 
Congress must continue to press for the strongest possible privacy 
protections for financial services consumers.
  I rise today in support of legislation, the Financial Information 
Privacy Protection Act of 2000, which affords additional privacy 
protections for financial services consumers.
  Although it does not fully address my concerns with respect to the 
protection of financial and medical information, this legislation is a 
modest, but important step, in ensuring what I believe to be 
fundamental for all financial consumers, whether they execute their 
transactions in person, by mail or phone, or online. Consumers should 
have the ultimate control over the sharing of their personal financial 
information.
  This legislation provides that among affiliates of financial 
institutions as well as to unaffiliated third parties, consumers would 
be afforded the opportunity to ``opt-out'' of the sharing of their 
personal financial information.
  Additionally, this legislation gives enhanced protection to 
consumers' medical records. Under this legislation, financial 
institutions would be required to obtain an affirmative consent from a 
consumer before the consumer's medical information could be shared 
among affiliates. Although I believe this is an important component in 
safeguarding the privacy of medical information, I continue to believe 
that it is critical we pass comprehensive medical privacy legislation 
this year so that consumers can be assured that their medical 
information is protected regardless of the context in which it is 
generated or used.
  As we continue to wrestle with finding the proper balance between 
providing new financial products and services while at the same time 
providing consumers with the strongest possible protections for their 
personal financial and medical information, this legislation is a 
positive step in the right direction.

[[Page S3538]]

                                 ______