[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
PERSONAL INFORMATION ACQUIRED BY THE GOVERNMENT FROM INFORMATION
RESELLERS: IS THERE NEED FOR IMPROVEMENT?
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
COMMERCIAL AND ADMINISTRATIVE LAW
AND THE
SUBCOMMITTEE ON THE CONSTITUTION
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
APRIL 4, 2006
__________
Serial No. 109-98
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://judiciary.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 2006
26-912 PDF
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
HENRY J. HYDE, Illinois JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina HOWARD L. BERMAN, California
LAMAR SMITH, Texas RICK BOUCHER, Virginia
ELTON GALLEGLY, California JERROLD NADLER, New York
BOB GOODLATTE, Virginia ROBERT C. SCOTT, Virginia
STEVE CHABOT, Ohio MELVIN L. WATT, North Carolina
DANIEL E. LUNGREN, California ZOE LOFGREN, California
WILLIAM L. JENKINS, Tennessee SHEILA JACKSON LEE, Texas
CHRIS CANNON, Utah MAXINE WATERS, California
SPENCER BACHUS, Alabama MARTIN T. MEEHAN, Massachusetts
BOB INGLIS, South Carolina WILLIAM D. DELAHUNT, Massachusetts
JOHN N. HOSTETTLER, Indiana ROBERT WEXLER, Florida
MARK GREEN, Wisconsin ANTHONY D. WEINER, New York
RIC KELLER, Florida ADAM B. SCHIFF, California
DARRELL ISSA, California LINDA T. SANCHEZ, California
JEFF FLAKE, Arizona CHRIS VAN HOLLEN, Maryland
MIKE PENCE, Indiana DEBBIE WASSERMAN SCHULTZ, Florida
J. RANDY FORBES, Virginia
STEVE KING, Iowa
TOM FEENEY, Florida
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas
Philip G. Kiko, Chief of Staff-General Counsel
Perry H. Apelbaum, Minority Chief Counsel
------
Subcommittee on Commercial and Administrative Law
CHRIS CANNON, Utah Chairman
HOWARD COBLE, North Carolina MELVIN L. WATT, North Carolina
TRENT FRANKS, Arizona WILLIAM D. DELAHUNT, Massachusetts
STEVE CHABOT, Ohio CHRIS VAN HOLLEN, Maryland
MARK GREEN, Wisconsin JERROLD NADLER, New York
RANDY J. FORBES, Virginia DEBBIE WASSERMAN SCHULTZ, Florida
LOUIE GOHMERT, Texas
Raymond V. Smietanka, Chief Counsel
Susan A. Jensen, Counsel
Brenda Hankins, Counsel
Mike Lenn, Full Committee Counsel
Stephanie Moore, Minority Counsel
Subcommittee on the Constitution
STEVE CHABOT, Ohio, Chairman
TRENT FRANKS, Arizona JERROLD NADLER, New York
WILLIAM L. JENKINS, Tennessee JOHN CONYERS, Jr., Michigan
SPENCER BACHUS, Alabama ROBERT C. SCOTT, Virginia
JOHN N. HOSTETTLER, Indiana MELVIN L. WATT, North Carolina
MARK GREEN, Wisconsin CHRIS VAN HOLLEN, Maryland
STEVE KING, Iowa
TOM FEENEY, Florida
Paul B. Taylor, Chief Counsel
E. Stewart Jeffries, Counsel
Hilary Funk, Counsel
Kimberly Betz, Full Committee Counsel
David Lachmann, Minority Professional Staff Member
C O N T E N T S
----------
APRIL 4, 2006
OPENING STATEMENT
Page
The Honorable Chris Cannon, a Representative in Congress from the
State of Utah, and Chairman, Subcommittee on Commercial and
Administrative Law............................................. 1
The Honorable Melvin L. Watt, a Representative in Congress from
the State of North Carolina, and Ranking Member, Subcommittee
on Commercial and Administrative Law........................... 2
The Honorable Steve Chabot, a Representative in Congress from the
State of Ohio, and Chairman, Subcommittee on the Constitution.. 3
The Honorable Jerrold Nadler, a Representative in Congress from
the State of New York, and Ranking Member, Subcommittee on the
Constitution................................................... 4
WITNESSES
Ms. Linda D. Koontz, Director, Information Management Issues,
U.S. Government Accountability Office
Oral Testimony................................................. 7
Prepared Statement............................................. 10
Ms. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department
of Homeland Security
Oral Testimony................................................. 44
Prepared Statement............................................. 45
Mr. Peter Swire, William O'Neill Professor of Law, Moritz College
of Law of the Ohio State University, Visiting Senior Fellow,
Center for American Progress
Oral Testimony................................................. 48
Prepared Statement............................................. 51
Mr. Stuart K. Pratt, President and Chief Executive Officer,
Consumer Data Industry Association
Oral Testimony................................................. 61
Prepared Statement............................................. 63
APPENDIX
Material Submitted for the Hearing Record
Additional Material for the Record submitted by Linda D. Koontz,
Director, Information Management Issues, U.S. Government
Accountability Office.......................................... 86
PERSONAL INFORMATION ACQUIRED BY THE GOVERNMENT FROM INFORMATION
RESELLERS: IS THERE NEED FOR IMPROVEMENT?
----------
TUESDAY, APRIL 4, 2006
House of Representatives,
Subcommittee on Commercial
and Administrative Law,
Committee on the Judiciary,
Washington, DC.
The Subcommittees met, pursuant to call, at 12:03 p.m., in
Room 2138 Rayburn House Office Building, the Honorable Chris
Cannon (Chairman of the Subcommittee on Commercial and
Administrative Law) presiding.
Mr. Cannon. I think we will get started here. The hearing
will be called to order.
As many of you know, the protection of personal information
in the hands of the Federal Government has long been a top
priority for my Subcommittee, the Subcommittee on Commercial
and Administrative Law, and Chairman Chabot's Subcommittee, the
Constitution Subcommittee. Both of our Subcommittees have
played a major role in respect to protecting personal privacy
and civil liberties under the leadership and guidance of Jim
Sensenbrenner, Chairman of the Judiciary Committee.
In this post-September 11th world, however, it is no easy
task to balance the competing goals of keeping our Nation
secure while at the same time protecting the privacy of our
Nation's citizens. Nevertheless, I believe that our respective
Subcommittees and the Judiciary Committee are uniquely and best
suited to study and resolve these issues.
Our accomplishments to date include the establishment of
the first statutorily-created Privacy Office in a Federal
agency, namely the Department of Homeland Security. That office
has since earned plaudits from both the public and private
sectors. Based on the successes of that office, we also
spearheaded the creation of a similar function in the Justice
Department, which was signed into law in January of this year.
In addition, both my Subcommittee and the Constitution
Subcommittee have considered the support of legislation
requiring a Federal agency to prepare a privacy impact analysis
for proposed and final rules and to include this analysis in
the Notice for Public Comment issued in conjunction with the
publication of such rules.
Today's hearing focuses on the respective roles that the
Federal Government and information resellers have with respect
to personal information collected in commercial databases. As
the hearing title denotes, we approach this subject with an
open mind and willingness to understand the factors and nuances
concerning how Federal agencies and those in the private sector
safeguard personal information that they obtain from us.
As technological developments increasingly facilitate the
collection, use, and dissemination of personally identifiable
information, the potential for misuse of such information
escalates. Five years ago, the GAO warned: ``our Nation has an
increasing ability to accumulate, store, retrieve, cross-
reference, analyze, and link vast numbers of electronic records
in an ever-faster and more cost-efficient manner. These
advances bring substantial Federal information benefits as well
as increasing responsibilities and concerns.'' Given the
largely unfettered use of Social Security numbers and the
availability of other personally identifiable information,
identity theft has swiftly evolved into one of the most
prolific crimes in the United States. According to the Federal
Trade Commission, identity theft topped the list of consumer
complaints filed with the Agency in 2005. The FTC estimates
that 10 million consumers were victims of some form of identity
theft in 2003.
As a result of this crime, American businesses suffered an
estimated $48 billion in losses, while consumers incurred an
additional $5 billion in out-of-pocket losses. Just this week,
the Justice Department announced that nearly 4 million
households, about 3 percent of all households in the Nation,
learned that they had been identity theft victims. Just last
week, I got a credit card in the mail with a little note saying
that my account had been viewed as one that might be subject to
identity theft, and so I have a new card with a new number. I
hadn't memorized the old one, so it was not much of an
inconvenience. But it is a broad problem.
Unfortunately, we continue to receive reports from GAO
finding shortcomings in how Federal agencies safeguard personal
information, and the private sector's vulnerability was
highlighted by the many high-profile databases that have
occurred in recent years. Questions have also been posed about
the accuracy of some of the data maintained in these commercial
databases. It is against this complex but exceedingly
interesting backdrop that we are holding this hearing today.
I would now like to turn to my colleague Mr. Watt, the
distinguished Ranking Member of my Subcommittee, and ask him if
he has any opening remarks.
Mr. Watt. Thank you, Mr. Chairman. I will be brief.
Let me commend Chairman Sensenbrenner and Ranking Member
Conyers and Mr. Chabot and Mr. Nadler for taking steps to get
the GAO to conduct this investigation and produce this report.
It is clear that privacy issues that confront our country as a
result of extraordinary technological advances are significant
and that the ramifications of how we treat the privacy of
personally identifiable information is heightened in the post-
9/11 world. I say this as a member of both the Financial
Services and Judiciary Committees, and have heard testimony
from numerous witnesses on the enhanced concerns about the
Government's acquisition, maintenance, and dissemination of
personal information and the opportunity for identity theft
created by the massive data mining of this information.
One of the main recommendations of the 9/11 Commission was
the establishment of a Governmentwide watchdog to safeguard
civil liberties. The Commission found that currently, ``there
is no office within the Government whose job it is to look
across the Government at the actions we are taking to protect
ourselves and to ensure that liberty concerns are appropriately
considered.''
We have tried to get that recommendation passed, without
any success up to this point, and I think the need for that
kind of oversight body is continuing to grow and we need to do
that.
I am looking forward to the testimony of the witnesses. And
with that, Mr. Chairman, I will yield back the balance of my
time.
Mr. Cannon. The gentleman yields back. Thank you.
Now I would like to turn to my colleague Mr. Chabot, the
distinguished chair of the Constitution Subcommittee, and ask
him if he has any opening remarks.
Mr. Chabot. Yes, I do. Thank you, Mr. Chairman.
Mr. Cannon. The gentleman is recognized for 5 minutes.
Mr. Chabot. First I would like to thank you for holding
this hearing and thank all our witnesses for assisting us in
our examination of issues related to the security and privacy
of our personal information.
Security breaches reported in the media last year involving
the unauthorized access to and theft of personal information
highlighted an emerging area of concern to all of us, that
being the treatment of our personal information as just another
commodity. Our concerns are well-founded, as recent statistics
released by the Department of Justice reveal that identity
theft affected 3.6 million households across the Nation and
cost our economy $3.2 billion during the first half of 2004
alone.
The security breaches also raise questions with regard to
the Federal Government's reliance on and contributions to the
use of personal information. Questions raised include: Are
Federal agencies collecting information on us? What information
is being collected? Where is the information going and where
will it eventually end up? What Federal laws guide collection
activities? And most importantly, how, as individuals affected
by these collection activities, can we best monitor and ensure
that such information is being used as was intended?
Last spring, I, along with the Chairman and Ranking Member
of the full Committee, Mr. Conyers, charged GAO with finding
answers to these questions. In particular, we sought to gain a
better understanding of the Federal Government's involvement
and reliance on data as it relates to fulfilling our Federal
Government's top priorities, such as our Nation's law
enforcement and antiterrorism efforts, and performing other
critical domestic functions such as effectively distributing
benefits.
Our inquiry was also prompted by the information age in
which we live, where technology has allowed personal
information to be universally available to anyone at any time,
including to the Federal Government. The information provided
by the commercial data suppliers has served an important role
in supporting our Nation's law enforcement and antiterrorism
efforts. It has also played an important role in assisting the
Federal Government to perform other administrative
responsibilities. For example, last fall, commercial data
companies provided critical assistance to FEMA to assist the
victims of Hurricane Katrina.
However, with the widespread availability of information
comes increased risks of privacy and security breaches,
unauthorized uses, and other negative effects, to which the
Federal Government is not immune.
I hope through today's hearing we can gain a better
understanding of the existing Federal laws and policies in
place guiding commercial data suppliers and the Federal
Government in handling personal information. Moreover, I look
forward to discussing whether Federal laws such as the Privacy
Act of 1974 and E-Government Act of 2002, which guide the
Federal Government, and the Fair Credit Reporting Act and the
Gramm-Leach-Bliley Act, which guide the commercial data
industry, have been affected in addressing concerns raised by
the emerging industry.
With a better understanding of the existing framework, we
can ensure that the Federal Government continues to have access
to the types of information that will enable it to fulfill its
responsibilities. At the same time, we can ensure that citizens
know when and how their information is being collected and used
by the Federal Government.
I look forward to discussing these issues and learning
whether new legislation, such as the Federal Agency Privacy
Protection Act which I have introduced in the previous
Congresses, would be an appropriate remedy to ensure citizens'
privacy concerns over the use of their personal information by
the Federal Government. The Federal Agency Privacy Protection
Act would require that all Federal agencies conduct privacy
impact assessments when issuing a notice regarding a new or
interpretive rule relating to the collection of personally
identifiable information on citizens, as well as when final
rules are promulgated.
Again, I welcome the witnesses here with us today and look
forward to their testimony.
I yield back the balance of my time.
Mr. Cannon. Thank you, Mr. Chabot.
Mr. Nadler, do you have an opening statement?
Mr. Nadler. Yes. Thank you, Mr. Chairman. I will be brief
because I want to get to our witnesses.
Modern technology and security concerns have greatly
threatened the privacy of the most personal information about
every American. The nexus between private information resellers
and Government action are especially troubling.
How we handle these complicated issues--and they are
complicated--will affect the lives of every one of our
constituents. It is not simply a matter of identity theft but
of the basic right to be secure in our persons, our papers, and
our homes. People need to know that when they visit a doctor,
go to the store, read a book, engage in the practice of their
religion, they will not be subject to unwanted and uninvited
prying eyes.
The secret NSA wiretaps, some of the abuses of power by the
Justice Department, some of the more extravagant claims by this
Administration are warning signs. I hope this Congress looks
more carefully at the question of privacy from both a technical
and legal perspective. This study and this hearing are
important steps in this direction.
Of course, in one sense, this study, this hearing,
everything we are doing, in one sense is irrelevant, because
the Administration claimed in the NSA wiretap situation that
the President has inherent power to disobey the FISA law
because of inherent power under article II and under the
authorization for the use of military force. And in fact, it
claims inherent power to go beyond that, and we have no way of
knowing what the NSA or some other agency may in fact be doing
that might invade privacy. The Administration won't tell us.
They won't testify to us. It is all secret. And in fact, the
Administration is conducting an investigation into who revealed
what we do know about the NSA wiretaps, because they think that
ought to have remained secret. I disagree, obviously, but that
is their position.
And they have made it quite clear that, in fact, various
Government agencies may be going far beyond what we know in
wiretapping or otherwise invading the privacy of American
citizens regardless of what the law says and regardless of any
law we may pass, because the President has inherent power to
disregard that during a war, and we are in a war on terrorism.
So everything we say, everything we investigate, everything
we hear, everything we do may in fact be irrelevant because the
President claims the power to ignore it and may or may not be
exercising that power in ways that are unknown to us. That is a
far greater threat to our liberty than probably anything else
we are talking about.
So I thank you, Mr. Chairman, for scheduling this hearing.
But I hope we realize that the ability of this Congress to deal
with this is very much circumscribed by the unprecedented and
tyrannical claim of power that the Administration is making.
I thank you. I yield back.
Mr. Cannon. Far be it from me to disagree with the
gentleman, but I think it is the role of Congress to oversee
any president of either party.
Mr. Nadler. Well, I certainly agree with that.
Mr. Cannon. That is not the focus of this hearing, but we
certainly need to be doing that.
Mr. Nadler. Mr. Chairman, if I could just say.
Mr. Cannon. Certainly.
Mr. Nadler. You are not disagreeing with me. I certainly
agree that we ought to be overseeing the Administration. My
point is that the Administration claims under the wartime power
that we have no power to do that.
Mr. Cannon. I understand that you are being very harsh
about the Administration. I think our objective is to transcend
the current status of affairs with the war on terror.
Without objection, the gentleman's entire statement will be
placed in the record. Hearing no objection, so ordered.
Without objection, all Members may place their statements
in the record at this point. Hearing no objection, so ordered.
Without objection, the Chair will be authorized to declare
recesses of this hearing at any point. Hearing no objection, so
ordered.
I ask unanimous consent that Members have 5 legislative
days to submit written statements for inclusion in today's
hearing record. Hearing no objection, so ordered.
I am now pleased to introduce the witnesses for today's
hearing. Our first witness is Linda Koontz, who is the Director
of GAO's Information and Management Issues Division. In that
capacity, she is responsible for issues regarding the
collection, use, and dissemination of Government information.
Mrs. Koontz has led GAO's investigations into the Government's
data mining activities as well as E-Government initiatives. In
addition to obtaining her bachelor's degree from Michigan State
University, Ms. Koontz received certification as a Government
financial manager. She is also a member of the Association for
Information and Image Management Standards Board.
Maureen Cooney, our next witness, is the Acting Chief
Privacy Officer for the Department of Homeland Security. Ms.
Cooney, we always appreciated working with your predecessor,
Nuala O'Connor Kelly, and we look forward to working with you
as well. As I previously noted in my opening remarks, my
Subcommittee, with the support of Chairman Jim Sensenbrenner,
played a major role in establishing Ms. Cooney's office at the
Department of Homeland Security. The legislation creating her
office not only mandated the appointment of a privacy officer,
but specified the officer's responsibilities. One of the
principal responsibilities of the DHS Privacy Officer, as set
out by statute, is the duty to assure that the use of
technologies sustain and do not erode privacy protections
relating to the use, collection, and disclosure of personal
information. In addition, the Privacy Officer must assure that
personal information is handled in full compliance with the
Privacy Act and assess privacy impact of the Department's
proposed rules.
Before joining the DHS Privacy Office, Ms. Cooney worked on
international privacy and security issues at the U.S. Federal
Trade Commission, where she served as the principal liaison for
the FTC to the European Commission and article 29 Working Party
on Privacy Issues. She also played a major role on the rewrite
of the Organization for Economic Cooperation and Development
Security Guidelines for Information Systems and Networks. Prior
to that assignment, Ms. Cooney worked on privacy and security
issues with the Treasury Department in the Office of the
Comptroller of the Currency. We are really pleased that there
are people that know as much about this as you do, who are here
to help guide us.
Ms. Cooney received her bachelor's degree in American
studies from Georgetown University and her law degree from
Georgetown University Law Center.
Our third witness is Peter Swire, the C. William O'Neill
Professor in Law and Judicial Administration at the Moritz
College of Law of Ohio State University. In addition to his
academic endeavors, Professor Swire is a consultant with the
law firm Morrison & Foerster, where he provides advice on
privacy, cyberspace, and related matters. He is also currently
a visiting senior fellow at the Center for American Progress, a
nonpartisan research and educational institute. Under the
Clinton administration, Professor Swire was OMB's Chief
Counselor for Privacy.
Professor Swire received his undergraduate degree from
Princeton University and his law degree from Yale Law School.
He is a prolific writer, with numerous law review articles and
other writings to his credit.
Our final witness is Stuart Pratt. Mr. Pratt is the
president and CEO of the Consumer Data Industry Association, an
international trade association representing more than 250
consumer information companies. Prior to his current position,
Mr. Pratt served as the association's vice president of
government relations. He is a well-known expert on the Fair
Credit Reporting Act, identity fraud, and the issues of
consumer data and public record data issues. Mr. Pratt received
his undergraduate degree from Furman University in Greenville,
South Carolina.
I extend to each of you my warm regards and appreciation
for your willingness to participate in today's hearing. In
light of the fact that your written statements will be included
in the hearing record, I request that you limit your oral
remarks to 5 minutes. Accordingly, please feel free to
summarize or highlight the salient points of your testimony.
You will note that we have a lighting system, which is not
yet on but they are the two little gizmos in front of you. It
starts with a green light and you have 4 minutes before it
turns yellow, and then at the 5-minute mark it turns red. It is
my habit to tap the gavel at 5 minutes. We will appreciate it
if you would finish up your thoughts within that time frame. We
don't want to cut people off in the middle of your thinking,
but I find it works better if everybody realizes we have a 5-
minute limit. I am probably going to be a little more
aggressive with questions so that we can give everybody an
opportunity to ask questions.
After you have presented your remarks, the Subcommittee
Members, in the order they arrived, will be permitted to ask
questions of the witness. They will also be limited to 5
minutes.
Pursuant to the direction of the Chairman of the Judiciary
Committee, I ask the witnesses to please stand and raise your
right hand to take the oath.
[Witnesses sworn.]
Mr. Cannon. Thank you. You may be seated.
The record should reflect that each of the witnesses
answered in the affirmative.
Ms. Koontz, would you please proceed with your testimony.
TESTIMONY OF LINDA D. KOONTZ, DIRECTOR, INFORMATION MANAGEMENT
ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Ms. Koontz. Mr. Chairman and Members of the Subcommittees,
I appreciate the opportunity to discuss the results of GAO's
work on the Federal Government's purchase of personal
information from businesses known as information resellers. My
testimony summarizes the results of the report we did at the
Committee's request and that we are issuing today. For that
report we reviewed four agencies: Justice, Homeland Security,
State, and Social Security.
Information is an extremely valuable resource and
information resellers provide services that are important to a
variety of Federal agency functions. Specifically, for fiscal
year 2005, the four agencies we reviewed reported a combined
total of approximately $30 million in obligations for the
purchase of personal information from resellers.
The vast majority of this spending, about 91 percent, was
for law enforcement or counterterrorism. For example, the
Department of Justice, the largest user among the four, used
the information for criminal investigations, locating witnesses
and fugitives, and researching assets held by individuals of
interest. Reseller information was also used by others to
detect and investigate fraud, verify identities, and determine
eligibility for benefits.
As agreed, we also evaluated agency and reseller privacy
policies and practices against the Fair Information Practices,
a set of widely accepted principles for protecting the privacy
and security of personal information. These principles, with
variations, are the basis of privacy laws in many countries and
are the foundation of the Privacy Act. They are not legally
binding either on Federal agencies or resellers, but we believe
they do provide a useful framework for analyzing agency and
reseller practices and serve as an appropriate basis for
further discussion and debate.
Applying this framework to Federal agencies, we found some
inconsistencies. Agencies did take steps to address the privacy
and security of the information acquired from resellers, but
their handling of this information did not always fully reflect
the Fair Information Practices. For example, although agencies
issued privacy notices on information collections, these did
not always specifically state that information resellers were
among the sources used. This is not consistent with the
principle that the public should be informed about privacy
policies and have a ready means of learning about the use of
personal information. One reason for this kind of inconsistency
is ambiguity in OMB's guidance regarding how privacy
requirements apply to Federal agency use of reseller
information.
To address these inconsistencies, we made recommendations
to OMB and to the agencies we reviewed. These agencies
generally agreed with our report and reported actions they are
taking. In particular, the Privacy Office within Homeland
Security has conducted a public workshop on the Government's
use of commercial data for homeland security and recently
finalized guidance on conducting privacy impact assessments,
which includes very useful direction on the collection and use
of commercial data.
Regarding resellers, they also took steps to protect
privacy, but these measures were not fully consistent with the
Fair Information Practices. For example, resellers generally
informed the public about key privacy practices and principles
and they have recently taken steps to improve security
safeguards. However, the principles that the collection and use
of personal information should be limited and its intended use
specified are largely at odds with the nature of the reseller
business, which is based on providing information to multiple
customers for multiple purposes.
Further, resellers generally limit the extent to which
individuals can gain access to personal information held about
themselves, as well as the extent to which they can correct or
delete inaccurate information contained in reseller databases.
In response, information resellers raised concerns about
our reliance on the Fair Information Practices and suggested it
would be unreasonable for them to comply with some aspects of
the principles that, they believe, were intended for
organizations that collect information directly from consumers.
Nonetheless, we believe that analysis against a framework of
the Fair Information Practices is important as a starting point
to frame potential issues and facilitate informed discussion,
and we suggest that Congress consider these issues in its
deliberations.
In conclusion, privacy is ultimately about striking a
balance between competing interests. In this case, it is about
balancing the value of reseller information as to important
Government functions against the privacy rights of individuals.
I look forward to participating in the discussion on how best
to strike that balance.
This concludes my statement. Thank you.
[The prepared statement of Ms. Koontz follows:]
Prepared Statement of Linda D. Koontz
Mr. Cannon. Thank you, Ms. Koontz.
Ms. Cooney?
TESTIMONY OF MAUREEN COONEY, ACTING CHIEF PRIVACY OFFICER, U.S.
DEPARTMENT OF HOMELAND SECURITY
Ms. Cooney. Thank you. Chairmen Cannon and Chabot, Ranking
Members Watt and Nadler, and Members of the Subcommittees on
Commercial and Administrative Law and the Constitution, it is
an honor to testify before you today. Because this marks my
very first appearance before the Subcommittee, I would like to
offer a few biographical background notes.
It is my honor to currently serve as the Acting Chief
Privacy Officer for the Department of Homeland Security. I come
to this position with 20 years of Federal service experience in
risk management and compliance and enforcement activities as
well as in consumer protection on global information privacy
and security issues post-9/11. I was recruited from the Federal
Trade Commission to join the Department of Homeland Security
more than 2 years ago as Chief of Staff of the Privacy Office
and Senior Adviser for International Privacy Policy.
Since that time, it has been my privilege to help build the
DHS Privacy Office with my colleagues and under the leadership
of former Chief Privacy Officer Nuala O'Connor Kelly and
Secretaries Chertoff and Ridge.
I appreciate this opportunity to address the subject of
personal information acquired by the Government from
information resellers. The use of commercial data for homeland
security involves complex issues that touch on privacy, program
effectiveness, and operational efficiency. I commend the
Government Accountability Office for undertaking their
analysis, which will positively assist in informing privacy
policy development.
As my written statement points out, internally the primary
oversight mechanism used by the Privacy Office for ensuring
appropriate use of personal information regardless of its
source is the privacy impact assessment, which is required to
be used by section 208 of the E-Government Act of 2002 and
section 222 of the Homeland Security Act.
Privacy impact assessments, or PIAs as we call them, can be
one of the most important instruments in establishing trust
between the Department's operations and the public simply
because they are generally very transparent. In fact, PIAs are
fundamental at our Department in making privacy an operational
element within the DHS family. Privacy impact assessments allow
for the examination of privacy questions concerning a program
or an information system's collection and use of information,
including commercial reseller data.
As mentioned in my colleague Ms. Koontz's testimony, the
DHS Privacy Office has issued official guidance on the conduct
of privacy impact assessments. Various sections of that
guidance are particularly relevant to the subject matter of
this hearing. I refer you to my written testimony on the
details of that.
I am a little concerned that we may run out of time, so one
of the points that I would like to make is that in addition to
privacy requirements under the Privacy Act of 1974, the privacy
impact assessment process really augments the system of record
notice provisions in the Privacy Act that provide for notice to
the public about the types of information collected by the
Government and the treatment of that information. The DHS
Privacy Office reviews new systems of record notices to make
sure that the presence of commercial data is made transparent
if data is collected as a source of information in a system,
and we are seeking to apply this to existing sources as well.
The Privacy Office also has been part of a broad-based
dialogue on the use of commercial data both within and outside
of the Department. In September of 2005, we hosted a public
workshop addressing privacy and technology, exploring the use
of commercial data for homeland security. The workshop examined
the policy, legal, and technology issues associated with the
Government's use of commercial personally identifiable data for
homeland security purposes.
With input from the public workshop, the DHS Privacy Office
is now in the process of drafting specific guidance for our
Department on the use of commercial data. The guidance will
address three broad categories of use: comparing data in
commercial and Government databases, obtaining data from
commercial sources for use in Government systems, and use of
Government analytic tools on commercial databases.
We will be hosting a meeting with our internal Privacy and
Data Integrity Board made up of senior Department managers on
April 11th to collaborate on this policy through a full and
meaningful discussion of an appropriate framework for using
commercial data.
The Privacy Office also has been discussing commercial data
issues with the DHS Data Privacy and Integrity Advisory
Committee, our Federal advisory committee made up of U.S.
citizens with expertise in privacy information technology,
information security, and public policy.
In October of 2005 the DHS Privacy Advisory Committee
published a report on the use of commercial data to reduce
false positives in screening programs, and the Committee's
recommendations will be incorporated in our policy development.
Thank you for inviting me, and thank you for your support
of the DHS Privacy Office.
[The prepared statement of Ms. Cooney follows:]
Prepared Statement of Maureen Cooney
Chairmen Cannon and Chabot, Ranking Members Watt and Nadler, and
Members of the Subcommittees on Commercial and Administrative Law and
the Constitution, it is an honor to testify before you today on the
activities of the United States Department of Homeland Security, for
which I am privileged to served as the Acting Chief Privacy Officer.
Thank you for inviting me to speak with you on the subject of
personal information acquired by the government from information
resellers.
As you know, the DHS Chief Privacy Officer is the first statutorily
required privacy officer in the Federal government. The
responsibilities of the DHS Chief Privacy Officer are set forth in
Section 222 of the Homeland Security Act of 2002. They include:
(a)
assuring that the use of technologies sustain, and do not
erode, privacy protections relating to the use, collection and
disclosure of personal information;
(b)
assuring that personal information contained in Privacy
Act systems of records is handled in full compliance with fair
information practices as set out in the Privacy Act of 1974;
(c)
evaluating legislative and regulatory proposals involving
collection, use, and disclosure of personal information by the
Federal Government;
(d)
conducting a privacy impact assessment of proposed rules
of the Department on the privacy of personal information,
including the type of personal information collected and the
number of people affected; and
(e)
preparing a report to Congress on an annual basis on
activities of the Department that affect privacy, including
complaints of privacy violations, implementation of the Privacy
Act of 1974, internal controls and other matters.\1\
---------------------------------------------------------------------------
\1\ The Homeland Security Act of 2002, Pub. L. No. 107-296, Title
II, Sec. 116 Stat. 2155.
It is upon this statutory authority that the Chief Privacy Officer
and the DHS Privacy Office review and approach the use of personal
information by the Department, including the use of data from
information resellers.
The use of data from information resellers for homeland security
involves complex issues that touch on privacy, program effectiveness
and operational efficiency. There are many benefits to the government
when commercial data is used responsibly. It can save time, it is often
more precise, and is updated more quickly and, therefore, in certain
circumstances, it could be more accurate and therefore have greater
data integrity than other sources. At the same time, the government's
use of commercial data must be transparent and appropriate. The DHS
Privacy Office has been part of a broad based dialogue both within and
outside of the Department on the use of commercial data.
As noted by the Government Accountability Office (GAO), unless an
information reseller is operating a System of Records specifically on
behalf of a Federal agency, it is not subject to the provisions of the
Privacy Act of 1974. However, the Privacy Act applies to Federal
agencies that bring data from information resellers into a Federal
System of Records. The Privacy Office exercises oversight over the way
Departmental components access, use and maintain data obtained from
information resellers as part of our responsibility to assure that
Departmental systems operate in accordance with Section 222(b) of our
authorizing statute--that information in DHS Systems of Records is
handled in a manner consistent with the fair information practices
principles set out in the Privacy Act.
The main oversight mechanism used by the Privacy Office for
information systems is the Privacy Impact Assessment (PIA). PIAs are
fundamental in making privacy an operational element within the
Department. Conducting PIAs demonstrates the Department's efforts to
assess the privacy impact of utilizing new or changing information
systems, including attention to mitigating privacy risks. Touching on
the breadth of privacy issues, PIAs allow the examination of the
privacy questions that may surround a program or system's collection of
information, including commercial reseller data, as well as the
system's overall development and deployment. When worked on early in
the development process, PIAs provide an opportunity for program
managers and system owners to build privacy protections into a program
or system in the beginning. This avoids forcing the protections in at
the end of the developmental cycle when remedies can be more difficult
and costly to implement.
With respect to the data types that are collected and their
handling, the PIA process augments the Systems of Record Notice
provisions in the Privacy Act that provide notice to the public about
the types of information collected and its treatment. The PIA can be
one of the most important instruments in establishing trust between the
Department's operations and the public.
In accordance with Section 208 of the E-Government Act of 2002 and
OMB's implementing guidance, the Department of Homeland Security is
required to perform PIAs whenever it procures new information
technology systems or substantially modifies existing systems that
contain personal information. Although the E-Government Act allows
exceptions from the PIA requirement for national security systems, DHS
is implementing Section 222 of the Homeland Security Act to require
that all DHS systems, including national security systems, must undergo
a PIA if they contain personal information. The Privacy Office has
staff with security clearances that allow them to work with programs to
assess the privacy impact of classified systems or systems that contain
classified information. In cases where the publication of the PIA would
be detrimental to national security, the PIA document may not be
published or may be published in redacted form.
Every PIA must address at least two issues:
1. It must address the risks and effects of collecting, maintaining
and disseminating information in identifiable form in an electronic
information system; and
2. It must evaluate the protections and alternative processes for
handling information to mitigate potential privacy risks.
The Privacy Office has issued official guidance on the conduct of
Privacy Impact Assessments. The most up-to-date version of the guidance
is available at the DHS Privacy Office Web site at http://www.dhs.gov/
dhspublic/interapp/editorial/editorial--0511.xml. However, earlier
versions of the guidance have been available internally to DHS for
about two years, with initial guidance issued in February 2004.
Various sections of the PIA guidance are particularly relevant to
the subject matter of this hearing. First, the guidance states that the
PIA requirement applies broadly to personally identifiable information
rather than to a much narrower category of ``private'' information. If
information can be connected with an individual, it is personally
identifiable information, whether or not the information is private or
secret. This is important because much of the information purchased
from information resellers is either publicly available, e.g.,
addresses and telephone numbers, or is derived from public records.
In addition, Section 1.2.2 of the guidance directs programs that
use data from commercial data aggregators to state this fact and then
to explain in Section 1.3 why data from this source is being used.
Section 2.3.4 requires a statement about whether data obtained from
commercial data aggregators is assessed for quality, and if so, what
quality measures are used.
Some products offered by information resellers permit users to
``ping'' resellers' databases either to obtain new information or to
verify information in government databases. This ability to access
information without bringing it into Federal systems raises the
question about when information is actually ``collected'' by a
government agency. It is DHS policy that any time information from an
information reseller is used in a decision-making process, whether the
decision involves correcting existing government information or
obtaining new information, a PIA is required.
In order to clarify specific issues related to the use of data from
information resellers, the DHS Privacy Office is in the process of
drafting specific guidance on the use of commercial data to complement
the general PIA guidance. The guidance on the use of commercial data
will apply specifically to the use of data from information resellers
and will address three broad categories of use: comparing data in
commercial and government databases, obtaining data from commercial
sources for use in government systems; and use of government analytic
tools on commercial databases. The guidance will specify when PIAs must
be performed and what additional requirements might apply to programs
that use data from commercial sources. We expect this guidance to be
released as soon as it completes Departmental clearance, and would be
happy to discuss it with you at that time.
The DHS Privacy Office has been part of a broad-based national
dialog on these issues. In September of 2005, the Privacy Office held a
public workshop on the use of commercial data for homeland security.
The objective of the workshop was to look at the policy, legal, and
technology issues associated with the government's use of commercial
personally identifiable data in homeland security. A broad range of
experts, including representatives from government, academia, and
business participated in the panel discussions. The panels addressed
how government agencies are using commercial data to aid in homeland
security; the legal issues raised by the government's use of commercial
data, particularly the applicability of the Privacy Act; current and
developing technologies that can aid the government in data analysis;
ways in which technology can help protect individual privacy while
enabling government agencies to analyze data; and ways to build privacy
protections into the government's use of commercial data. At the end of
each panel, the audience was given an opportunity to address questions
to the panelists. The full transcript of the Workshop is available at
www.dhs.gov/privacy. A report summarizing the workshop is attached.
The Privacy Office has also been working with the DHS Data Privacy
and Integrity Advisory Committee (DPIAC) on issues related to the use
of commercial data. In October 2005, the DPIAC published a report on
the use of commercial data to reduce false positives in screening
programs. The report is available on the DHS Privacy Office Web site at
http://www.dhs.gov/interweb/assetlibrary/privacy--advcom--rpt--
1streport.pdf. The Committee recommends that commercial data be used
for screening programs only when:
It is necessary to satisfy a defined purpose
The minimization principle is used
Data quality issues are analyzed and satisfactorily
resolved
Access to the data is tightly controlled
The potential harm to the individual from a false
positive misidentification is substantial
Use for secondary purposes is tightly controlled
Transfer to third parties is carefully managed
Robust security measures are employed
The data are retained only for the minimum necessary
period of time
Transparency and oversight are provided
The restrictions of the Privacy Act are applied,
regardless of whether an exemption may apply
Simple and effective redress is provided
Less invasive alternatives are exhausted
The Committee is now working on a broader report that addresses the
use of commercial data in applications beyond screening. We are using
the work of the DPIAC to help inform our work on guidance for the
Department.
We are living through a time of tremendous change as more and more
personal information becomes electronic. In electronic form such
information is more easily collected, analyzed and used for various
purposes and serves as a basis for decision-making in personal, social,
political and economic spheres. It is the goal of the DHS Privacy
Office to ensure that commercial information used by the Department in
the performance of its mission is used responsibly and with respect for
individuals' legitimate expectations of privacy. We look forward to
working with the Committee and everyone involved on these important
issues.
Thank you.
Mr. Cannon. We are thrilled how well you all have done in
that office.
Ms. Cooney. Thank you.
Mr. Cannon. It has been a great model for what we have done
otherwise, what we hope to do still.
Professor Swire, you are recognized for 5 minutes.
TESTIMONY OF PETER SWIRE, WILLIAM O'NEILL PROFESSOR OF LAW,
MORITZ COLLEGE OF LAW OF THE OHIO STATE UNIVERSITY, VISITING
SENIOR FELLOW, CENTER FOR AMERICAN PROGRESS
Mr. Swire. Thank you, Mr. Chairman, and thank you to the
Committee for the invitation to participate today. And I
express my appreciation for the leadership this Committee has
shown, including in creating the Chief Privacy Officer office
that we have just heard the impressive discussion from Ms.
Cooney.
In my written testimony, I give a little bit of the history
of this topic. In 1974, when the Privacy Act was passed, the
most important databases were primarily Government databases,
like IRS or Social Security. Today, by contrast, the databases
are dominated by private-sector databases. That is where the
records are. So the big question is how do we update our laws
and practices to this new reality.
The overall theme of my testimony is that we are still
early on the learning curve about how to incorporate private
databases into public agency activities. My written testimony
gives some comments on the GAO report and the Fair Information
Practices, but I highlight four recommendations.
First, because Federal agencies make such important
decisions based on the data, we must have accurate data and we
have to have effective ways to get redress when mistakes
inevitably do occur.
Second, new mechanisms of accountability are likely needed
as agencies rely more and more on these private-sector records.
There should be expanded use of privacy impact assessments,
perhaps along the line of Chairman Chabot's bill, and there are
other steps that I will go into.
Third, greater expertise and leadership is needed in the
executive branch at the highest levels on privacy issues,
including policy leadership from the Executive Office of the
President. The lack of such leadership on privacy, I believe,
has led to significant and avoidable problems.
Fourth, as we continue along the learning curve, it is
important to merge today's discussion about privacy with the
discussions about information sharing in the war on terror, and
I suggest a National Academy of Sciences study on privacy and
information sharing might be useful.
Let me turn to a couple of things in more detail.
In order to think about accuracy of data over time, I think
it makes sense for the Government to test and audit the
accuracy of data, at least selectively, at the time that we
purchase the data. S. 1789, the data breach bill that has been
passed by the Senate Judiciary Committee, calls for audits like
this as new Government contracts are formed. I think that might
help us get a sense of where the accuracy is and isn't.
However accurate data is on the front end, though, we are
going to have issues on the back end. We are going to have
mistakes that get made. Many people on the Committee likely
know about the troubles that Senator Kennedy or Congressman
Lewis have had getting off watch lists. Last month, Senator Ted
Stevens of Alaska told the story about his wife, which I hadn't
heard about until I was researching this. Apparently, she was
having great trouble getting on airplanes. Her first name is
Catherine, the nickname for that is ``Cat,'' and they had her
down as Cat Stevens and she was having trouble getting on
airplanes.
Now, if it is tough for Senators, including quite powerful
Senators, to get their family members off of watch lists, it
suggests there are issues for all 300 million Americans. So how
we do redress is something to really think about going forward.
In the testimony I discuss some of the other accountability
mechanisms--privacy impact assessments and the rest--that I
think can be considered and cites to legislation that does some
of this.
I would like to turn to the question of the structure of
privacy protection in the executive branch. Step one has been
creation by your Committee of the Chief Privacy Officer in
Homeland Security and now elsewhere, and I was pleased to get
to testify on that in 2002 before your Committee when that was
set up. In 2004, Congress created the Privacy and Civil
Liberties Board for intelligence activities only. But the gap
is for the rest, which is where a lot of commercial data is
used. There is no White House leadership, there is no policy
official who is on the job there. One recent example, I think,
illustrates the need to have a policy official looking at these
issues up front and correcting problems.
You might have seen press reports about 2 weeks ago that
the IRS has a proposed rule now to allow tax preparation
companies, for the first time, to sell people's tax records or
even to give them away to people with no limits on how they
then get resold or redisclosed. It would be legal under this,
if I sign my name for my company, to put my tax records up on
the Internet. It is supposed to be done with consent, but, you
know, when you sign your tax forms, you sign in about 27 places
and maybe you missed this one. And suddenly you have consented
to sale of your tax records.
Now, when I worked at OMB, my office reviewed proposals
such as this. We got it before it became policy. I think we
would have noticed the lack of limits on redisclosure and
resale. And I don't think the rule would have gone forward the
way it did. If such a mistake had happened, I think we would
have moved to correct it. But now this rule may be going final,
and without a White House ability currently to spot and correct
such mistakes, privacy problems, I think, turn out to be worse
than they ought to be. So I think continued steps toward
leadership on privacy in the executive branch are called for.
The last point I want to make in my testimony is we have
hearings on information sharing, how we have to use the data to
fight terrorism, and we have hearings on privacy, how we have
to stop uses of data that might lead to identity theft and the
rest. I think we probably need to bring those two things
together. One way to do that might be a National Academy of
Sciences study on the two that would involve commercial
databases but also how to do privacy and information sharing. I
have been working on this in my own research. I think it is a
big issue that a lot of people should come together to examine.
So I suggest that as one possible thing for your Committee to
consider.
Thank you, and I look forward to questions.
[The prepared statement of Mr. Swire follows:]
Prepared Statement of Peter Swire
Mr. Cannon. Thank you, Professor.
Mr. Pratt?
TESTIMONY OF STUART PRATT, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, CONSUMER DATA INDUSTRY ASSOCIATION
Mr. Pratt. Chairmen Cannon and Chabot, Ranking Members Watt
and Nadler, Members of the Committees, thank you for this
opportunity to appear before you today.
We are here to discuss the GAO's report regarding
Government uses of data and some concerns that we do have with
regard to that report, that we hope will inform your thinking
here as the Committee.
First, while the report does survey governmental uses of
our members' systems, it does not discuss the value and
effectiveness of them. Government agencies are faced with
extraordinary challenges in accomplishing their missions.
Consider just a few examples of those: preventing money
laundering and terrorist financing, enforcing child support
orders, locating missing and exploited children, researching
fugitives, researching assets held by individuals of interest,
witness location, entitlement fraud, background screening for
national security investigations, and disaster assistance, as
was mentioned.
A real-world example of how these systems work, a public
record provider can provide for as little as $25 a search of
100 million criminal records in order for that to be done.
Otherwise, you would have to spend approximately $48,000 and it
would take days, if not weeks, to accomplish the same search.
These are just one of a number of examples we include in
our written testimony of the direct value of data products that
our members produce.
We do have other concerns with the report beyond its lack
of an adequate description of the value of our members'
services. First, the report does not help the reader understand
the breadth of the application of Federal laws to data products
used by Government agencies today. The report lists laws, but
it relegates an incomplete discussion of their requirements to
an appendix. Chairman Chabot mentioned several of these laws.
There is one that is not acknowledged directly in the report,
and that is that the FTC Act, section 5, also applies to data
practices and it does include enforcement actions relative to
privacy notices as well as to the security of sensitive
personal information.
One such law, the Fair Credit Reporting Act, applies to the
public sector equally as it does to the private sector, and
thus all decisions where there is a determination of a
consumer's eligibility such as approval or denial are made,
extensive rights are accorded to that consumer under this
statute. This is just one of many Federal statutes that need to
be considered in the context of this discussion today.
The GAO report does commingle a variety of different
business models under a single uniform ``information reseller''
term and then attempts to monolithically apply the OECD privacy
guidelines across every business model and every product. In
doing so, we think they make a mistake in thinking that Fair
Information Practices frameworks can operate as a one-size-
fits-all yardstick. We disagree, and the guidelines themselves
caution against such an approach. In fact, they state that the
application of the guidelines should be considered in the
context of different categories of personal information,
different protective measures to be applied, depending on their
nature and the context in which they are collected, stored,
processed, and disseminated. We don't think that the GAO fully
adhered to this OECD guidance itself, and there are certainly
other privacy guidelines that are more contemporary than those
of the OECD that were produced back in 1980.
Again, the implication of the GAO's report is that
congressional oversight was also incomplete and that its review
of the industry sector's uses of personal information was
insufficient. We disagree. The GAO does not properly account
for the system, for example, of public records in this country
and the inapplicability of many of the privacy principles to
such public records.
Just a couple of examples of how the actual privacy
principles would or wouldn't apply.
Consumer consent. If consumers had the ability to consent
or to control data that would go into a fraud prevention tool,
criminals could simply prohibit the kind of information we use
to stop identity theft.
Data quality. If a consumer could--if we applied data
quality to the principle of public records in the way that we
would under the way that we would under the Fair Credit
Reporting Act, we probably couldn't aggregate a system of
criminal histories in this country the way that we do today.
Use limitations. How would you apply a use limitation
concept to criminal histories or other types of public
records--records of eviction, professional licensing--used for
background screening in the way that we do today?
Access and correction. If we allow all types of databases
to be tied to an access and correction standard, then we are
allowing a fraudster to have access to a fraud prevention
system, and not only to do so but then to correct the
information that is used to prevent the very fraud which they
are going to attempt to commit.
The GAO report states in its conclusion that, Given that
reseller data may be used for many purposes that could affect
an individual's livelihood and rights, ensuring that
individuals have appropriate degrees of control or influence
over the way in which their personal information is obtained
and used--as envisioned in the Fair Information Practices--is
critical.
I don't know that we disagree with that, but we disagree
with the application of the principles, as we have discussed in
our testimony. A one-size-fits-all approach simply can't work
for all types of data systems that we have discussed. We also
don't think that the OECD guidelines should be used as an
overlay for all of the Federal laws that do today regulate
various aspects of personal information that are used in our
society today.
With that, we thank you for this opportunity to testify and
we welcome your questions.
[The prepared statement of Mr. Pratt follows:]
Prepared Statement of Stuart K. Pratt
Chairmen Cannon and Chabot, Ranking members Watt and Nadler, and
members of the committees, thank you for this opportunity to appear
before you today. For the record, my name is Stuart Pratt and I am
president and CEO of the Consumer Data Industry Association.\1\ Our
members appreciate this opportunity to discuss our serious concerns
with basic premises which underlie and methodologies employed in
drafting the report written by the General Accountability Office (GAO)
regarding the government's use of data provided by consumer data
companies.\2\
---------------------------------------------------------------------------
\1\ CDIA, as we are commonly known, is the international trade
association representing over 300 consumer data companies that provide
fraud prevention and risk management products, credit and mortgage
reports, tenant and employment screening services, check fraud and
verification services, systems for insurance underwriting and also
collection services.
\2\ The GAO employs the term information reseller and we have
concerns with the use of the term which will be discussed later in this
testimony. For example we do not believe that the term ``consumer
reporting agency'' as defined by the Fair Credit Reporting Act should
be commingled with other data products due to the specificity of law
which regulates this product. The GAO fails to draw this distinction in
its draft report.
---------------------------------------------------------------------------
the recognized value of cdia members' systems
CDIA's members are the leading companies producing consumer data
products and services for both the private and public sector markets.
The GAO report surveys governmental uses of our members' systems, but
leaves the reader with a less than complete perspective on the value
and effectiveness of such services. Consider the following examples of
governmental uses of our members products and services:
Preventing money laundering and terrorist financing
through investigative tools.
Enforcing child support orders through the use of
sophisticated location tools.\3\
---------------------------------------------------------------------------
\3\ In 2004 there were 5.5 million location searches conducted by
child support enforcement agencies to enforce court orders.
Assisting law enforcement and private agencies which
---------------------------------------------------------------------------
locate missing and exploited children through location tools.
Researching fugitives, assets held by individuals of
interest through the use of investigative tools which allow law
enforcement agencies tie together disparate data on given
individuals and thus to effectively target manpower resources.
Witness location through use of location tools.
Entitlement fraud prevention, eligibility
determinations, and identity verification through fraud
prevention data matching and analytical products.
Background screening for employment and security
clearances.
Disaster assistance.
Homeland security, law enforcement and entitlement program
management are all faced with extraordinary challenges in accomplishing
their missions. The GAO's report does not properly set the stage for
understanding how difficult it is to accomplish their missions.
Consider the facts regarding simply identity verification:
Personal identifiers change:
While it probably doesn't occur to most of us, the identifiers we
use in everyday life do change and more often than most might think.
For example, data from the U.S. Postal Service and the U.S. Census
confirm that over 40 million addresses change every year. More than
three million last names change due to marriage and divorce. While
trends in naming conventions are changing, this fact is still far more
often true for women than men.
We use our identifiers inconsistently:
It is a fact that we use our identifiers inconsistently for a wide
variety of reasons. First, many citizens choose to use nicknames rather
than a given name. However, there are times where, in official
transactions, a full name is required, Some consumers, when hurried,
use an initial coupled with a last name, rather than their full name or
nickname. Consumers are also inconsistent in the use of generational
designations (e.g., III, or Sr.). Finally, there are times where
consumers themselves do make mistakes when completing applications,
such as transposing a digit in an SSN. Thus, a consumer's identifiers
may be presented in different ways in different databases and, in some
cases, the data may be partially incorrect.
Personal identifiers are not always unique:
We think of our names as a very personal part of who we are.
However, our names are less uncommon and unique than we might think.
For example, families carry forward family naming conventions leading
to some consumers sharing entirely the same name. Further, U.S. Census
data shows that both first and last names are, in some cases amazingly
common. Fully 2.5 million consumers share the last name Smith. Another
3 million share the name Jones and more than thirteen million consumers
have one of ten common last names. First names are also used very
commonly leading to common naming combinations. Eight million males
have either the name James or John and a total of 57 million males have
one of ten common first names. An additional 26 million females have
one of ten common first names. Common naming conventions make it more
difficult and in some cases impossible to depend on name alone to
properly match consumer data.
Identifiers are shared:
Our birthday is a unique day in our lives, but it is, nonetheless,
a date shared with hundreds of thousands of others. Date of birth alone
is not an effective identifier. Family members who live together end up
sharing addresses and per our discussion above, where consumers share
the same name due to family traditions and the address at which they
live, distinguishing one consumer from another is complex.
Data entry errors do happen:
Hundreds of millions of applications for credit, insurance,
cellular phone services, and more are processed every year. There is no
doubt that in the process of entering a consumer's identifying
information errors can be made which carry forward into databases and
into the reporting of data to consumer reporting agencies.
We do not always update our records:
Consumers don't always remember to update records when they move or
when portions of their personal identifying information change. For
example, consumers are permitted to change their social security number
under certain circumstances in addition to officially changing their
names and while the percentages of consumers who take these steps is
small relative to the U.S. population, such changes do affect data
matching systems. It is important to know that some consumers try to
separate themselves from their records on purpose and apply with the
SSA for employer ID numbers (EINs) to use in lieu of their SSNs.\4\ A
non-custodial parent who does not want to pay child support might
employ such tactics in order to avoid being located and forced to
fulfill a court order. A consumer who does not want to take
responsibility for their mismanagement of credit and hopes that by
using new identifying to separate himself/herself from a credit report
is another example. Clearly fugitives are another example of a type of
person who will employ tactics to try and separate themselves from
their histories.
---------------------------------------------------------------------------
\4\ The FTC investigates ``file segregation'' schemes. Here's what
they say on their website about this activity: ``You're promised a
chance to hide unfavorable credit information by establishing a new
credit identity. The problem: File segregation is illegal. If you use
it, you could face fines or even a prison sentence.''
---------------------------------------------------------------------------
These facts about our identifying information demonstrate how
challenging it is to match records with individuals and why the
products, tools and services of our members are in such high demand.
Let's now consider what government representatives themselves have
said about the value they derive from the use of consumer reporting
agencies and other consumer data companies. On September 8, 2005, the
Department of Homeland Security held a workshop which explored its use
of commercial data. This public meeting brought forward important input
which informs the record of this hearing.
Regarding identity verification, Grace Mastalli, Principle Deputy
Director for the Information Sharing and Collaboration Program in DHS
stated the following regarding the value of CDIA member services:
``There are people without prescriptions, without driver's licenses,
and it the commercial data sources, in many instances right now, that
are facilitating not just placing people, but verifying their
identities to the claims . . .we get to make sure that entitlements go
to individuals who deserve them.''
Regarding how our members' systems contribute to the accuracy of
governmental systems, Mastalli indicated that ``we have sometimes used
commercial data, not just to support identity authentication, but to
assure the integrity of government data, and the accuracy of government
data. Unfortunately, in many respects, the commercial enterprises have
done better jobs of organizing and, what I call `cleaning' data to
eliminate errors in data.''
Mr. Jeff Ross, senior advisor in the area of money laundering and
terrorist financing, in the Office of Terrorist Financing and Financial
Crime at the Department of Treasury, also participated in this DHS
workshop. He pointed out that many crimes have a financial aspect to
them including narcotics trafficking, public corruption, terrorist
financing, and organized crime in general. His comments help explain
the investigative research value of CDIA member tools where he states
``so commercial data bases are very important to us in law enforcement
area to be used proactively . . . we have targets and need information,
where you are trying, also, to find a specific individual or entity
that should be involved . . . who could also be potential witnesses in
a case.''
Mastalli provided a very concrete example of how the sophistication
of private-sector data matching tools contributes to efficient use of
governmental law enforcement agents. She noted that ``. . . commercial
database providers provide accurate data--often more accurate than some
that we have, because they spend the time cleaning it and verifying it
and have matching capabilities that we in government have not yet
invested in to eliminate the 17 instances of an individual who has a
phonetically spelled name being recorded as 17 people instead of one.''
She goes on to explain that government cannot always anticipate
what data might be of value to a particular investigation. Mastalli
provided the following scenario: ``One extremely well-known law
enforcement intelligence example from immediately post 9/11 was when
there was a now well-publicized threat . . . that there might be cells
of terrorists training for scuba diving underwater bombing, similar to
those that trained for 9/11 to fly--but not land--planes. How does the
government best acquire that? The FBI applied the standard shoe-leather
approach--spent millions of dollars sending out every agent in every
office in the country to identify certified scuba training schools. The
alternative could and should have been for the Federal government to be
able to buy that data for a couple of hundred dollars from a commercial
provider, and to use that baseline and law enforcement resources,
starting with the commercial baseline. One of the issues here is that,
other than the name of the owner or manager of scuba diving schools,
there was no personally identifiable data.''
To further the point regarding the value of commercial data our
members supply, consider the following two examples:
Example 1:
In this example we learn how the aggregation of public records
creates low-cost research efficiencies that ensure that ``shoe
leather'' investigations conducted by highly trained personnel are
truly are targeted and results-focused. One commercial database
provider charges just $25 for an instant comprehensive search of
multiple criminal record sources, including fugitive files, state and
county criminal record repositories, proprietary criminal record
information, and prison, parole and release files, representing more
than 100 million criminal records across the United States.\5\ In
contrast, an in-person, local search of one local courthouse for felony
and misdemeanor records takes 3 business days and costs $16 plus
courthouse fees.\6\ An in-person search of every county courthouse
would cost $48,544 (3,034 county governments times $16). Similarly, a
state sexual offender search costs just $9 and includes states that do
not provide online registries of sexual offenders. An in-person search
of sexual offender records in all 50 states would cost $800.\7\
---------------------------------------------------------------------------
\5\ http://www.choicetrust.com/servlet/
com.kx.cs.servlets.CsServlet?channel=home&product=bgcheck&subproduct=def
ault&anchor=#. All RVI providers recommend that employers should
supplement `no criminal record found' results with a local county
records search before making a hiring decision as any national criminal
database will not contain all current criminal records since
courthouses add new records daily.
\6\ Id.
\7\ Assuming each in-person search costs $16, the same as an in-
person county courthouse search.
---------------------------------------------------------------------------
Example 2:
While this next example is drawn from the private sector, it helps
illustrate how fraud prevention and identity verification services
reduce fraud and is analogous to the value of such systems when used by
the government, as well. A national credit card issuer reports that
they approve more than 19 million applications for credit every year.
In fact they process more than 90,000 applications every day, with an
approval rate of approximately sixty percent. This creditor reports
that they identify one fraudulent account for every 1,613 applications
approved. This means that the tools our members provided were
preventing fraud in more than 99.9 percent of the transactions
processed.
The GAO paper should have done more to speak to the value of the
commercially available data and analytical tools our members provide
and not merely to provide an accounting of governmental uses. We hope
that the above discussion will inform the this hearing record and set a
more complete context for these committees' future deliberations.
concerns with gao's report
Now having an appropriate context for truly understanding the value
that our members' services bring to both the public and private
sectors, I would like to discuss serious concerns we have with the
GAO's presentation of current Federal laws and how they regulate our
members' practices as well as their attempt to apply the 1980
Organization for Economic Development (OECD) privacy guidelines to the
practices of ``information resellers.'' We believe that a thorough
understanding of the decades of congressional oversight and action is
essential to today's hearing.
The State of Current Federal Laws
The United States is on the forefront of establishing sector-
specific and enforceable laws regulating uses of personal information
of many types. The GAO does provide an accounting of some of these Acts
on page 18 of their draft report. Their accounting includes the Fair
Credit Reporting Act (15 U.S.C. 1681 et seq.),\8\ The Gramm-Leach-
Bliley Act (Pub. L. 106-102, Title V),the Health Insurance Portability
and Accountability Act (Pub. L. 104-191), and the Drivers Privacy
Protection Act (18 U.S.C. 2721 et seq.).
---------------------------------------------------------------------------
\8\ The GAO also lists the Fair and Accurate Credit Transactions
Act of 2003 (Pub. L. cite), however this act is in fact a series of
amendments to the FCRA.
---------------------------------------------------------------------------
While the GAO relegates their discussion of statutory requirements
to Appendix II of the draft report, we believe that such a discussion
is essential and that it should have been included in the body of the
report. In doing so, the GAO would have provided readers with a better
one-to-one understanding of the operation of current laws in contrast
with their views of the application of OECD guidelines US information
practices.\9\ For example, it is important to note that, predating the
Privacy Act of 1974 (and OMB implementing guidelines therein), the OECD
Guidelines of 1980 and the Gramm-Leach-Bliley Act of 1999 (and
implementing regulations therein), the E-Government Act of 2002 and the
Federal Information Security Management Act of 2002, was enactment of
the Fair Credit Reporting Act in 1970. Equally important is
understanding the breadth of the application of this law in particular
and thus why a discussion of consumer data companies in general should
not be commingled with a discussion of the practices of consumer
reporting agencies.
---------------------------------------------------------------------------
\9\ CDIA has serious concerns about the attempt by the GAO to
measure the acceptability of the practices of US consumer data
companies, which are in fact regulated by US laws today. This concern
will be discussed more fully later in this testimony.
---------------------------------------------------------------------------
The FCRA applies to both the private and public sectors and thus is
extremely relevant to today's discussion. It has been the focus of
careful oversight by the Congress resulting in significant changes in
both 1996 \10\ and again in 2003.\11\ There is no other law that is so
current in ensuring consumer rights and protections are adequate.\12\
---------------------------------------------------------------------------
\10\ See Pub. L. 104-208, Title II, Subtitle D, Chapter 1).
\11\ See FACT Act Amendments (Pub. L. 108-159).
\12\ It is also true that the Gramm-Leach-Bliley Act, Title V
provisions regulating the use of nonpublic personal information is
current due to the extensive role that federal banking regulators and
the Federal Trade Commission play in drafting regulations, issuing
guidance and enforcing the law.
---------------------------------------------------------------------------
Key to understanding the role of the FCRA is the fact that it
regulates any use of personal information (whether obtained from a
public or private source) defined as a consumer report. A consumer
report is defined as data which is gathered and shared with a third
party for a determination of a consumer's eligibility for enumerated
permissible purposes.
This concept of an eligibility test is a key to understanding how
Federal laws regulate personal information. The United States has a law
which makes clear that any third-party supplied data that is used to
accept or deny, for example, my application for a government
entitlement, employment,\13\ credit (e.g., student loans), insurance,
and any other transaction initiated by the consumer where there is a
legitimate business need. The breadth of the application of the FCRA to
how data is used to include or exclude a consumer is enormous. Again,
this law applies equally to governmental uses and not merely to the
private sector.
---------------------------------------------------------------------------
\13\ This includes national security investigations, background
checks for security clearances, basic employment screening processes
for new hires, review processes for promotions, and more.
---------------------------------------------------------------------------
Because personal information about consumers is used for decisions
to accept or deny access to a consumer, they have fundamental rights
which the GAO report does not discuss in any depth and which
demonstrate why it is inappropriate to attempt to overlay a discussion
of OECD privacy guidelines with this statute. Consider the following:
The right of access--consumers may request at any
time a disclosure of all information in their file at the time
of the request. This right is enhanced by requirements that the
cost of such disclosure must be free under a variety of
circumstances including where there is suspected fraud, where a
consumer is unemployed and seeking employment, or where a
consumer is receiving public assistance and thus would not have
the means to pay. Note that the right of access is absolute
since the term file is defined in the FCRA and it includes the
base information from which a consumer report is produced.
The right of correction--a consumer may dispute any
information in the file. The right of dispute is absolute and
no fee may be charged.
The right to know who has seen or reviewed
information in the consumer's file--as part of the right of
access, a consumer must see all ``inquiries'' made to the file
and these inquiries include the trade name of the consumer and
upon request, a disclosure of contact information, if
available, for any inquirer to the consumer's file.
The right to deny use of the file except for
transactions initiated by the consumer--consumers have the
right to opt out of non-initiated transactions, such as a
mailed offer for a new credit card.
The right to be notified when a consumer report has
been used to take an adverse action--This right, ensures that I
can act on all of the other rights enumerated above.
Beyond the rights discussed above, with every
disclosure of a file, consumers receive a notice providing a
complete listing all consumer rights. A separate GAO report
produced as a result of the FACT Act indicated that in a single
year, perhaps 50 million consumers see their files and receive
these notices.
Finally, all such products are regulated for accuracy
with a ``reasonable procedures to ensure maximum possible
accuracy'' standard. Further all sources which provide data to
consumer reporting agencies must also adhere to a standard of
accuracy which, as a result of the FACT Act, now includes new
rulemaking powers for the FTC and functional bank regulators.
The GAO report does not attempt to describe the delivery of
products regulated under the FCRA and thus fails to properly inform the
reader of the concomitant rights accorded in all of these cases. Every
CDIA member mentioned in this report is operating, in part and
sometimes solely as a consumer reporting agency. Therefore, in every
case where products sold to governmental agencies were used for a
determination of a consumer's eligibility, they were regulated by the
FCRA with all of the rights discussed above. The GAO's report should
have acknowledged this fact and discussed uses of consumer reports
separately from other data products.
Not all consumer data products are used for eligibility
determinations regulated by the FCRA. Congress has applied different
standards of protection that are appropriate to the use, the
sensitivity of the data, etc. Our members produce and sell a range of
fraud prevention and location products which are governed by other laws
such as GLB.
Fraud prevention systems deploy a diversity of strategies. In 2004
alone, businesses conducted more than 2.6 billion searches to check for
fraudulent transactions. As the fraud problem has grown, industry has
been forced to increase the complexity and sophistication of the fraud
detection tools they use.
Fraud detection tools are also known as Reference, Verification and
Information services or RVI services. RVI services are used not only to
identify fraud, but also to locate and verify information for public
and private sector uses. While fraud detection tools may differ, there
are four key models used.
Fraud databases--check for possible suspicious
elements of customer information. These databases include past
identities and records that have been used in known frauds or
are on terrorist watch lists, suspect phone numbers or
addresses, and records of inconsistent issue dates of SSNs and
the given birth years.
Identity verification products--crosscheck for
consistency in identifying information supplied by the consumer
by utilizing other sources of known data about the consumer.
Identity thieves must change pieces of information in their
victim's files to avoid alerting others of their presence.
Inconsistencies in name, address, or SSN associated with a name
raise suspicions of possible fraud.
Quantitative fraud prediction models--calculate fraud
scores that predict the likelihood an application or proposed
transaction is fraudulent. The power of these models is their
ability to assess the cumulative significance of small
inconsistencies or problems that may appear insignificant in
isolation.
Identity element approaches--use the analysis of
pooled applications and other data to detect anomalies in
typical business activity to identify potential fraudulent
activity. These tools generally use anonymous consumer
information to create macro-models of applications or credit
card usage that deviates from normal information or spending
patterns, as well as a series of applications with a common
work number or address but under different names, or even the
identification and further attention to geographical areas
where there are spikes in what may be fraudulent activity.
Who uses Fraud Detection Tools?
The largest users of fraud detection tools are financial
businesses, accounting for approximately 78 percent of all users.
However, there are many non-financial business uses for fraud detection
tools. Users include:
Governmental agencies--Fraud detection tools are used
by the IRS to locate assets of tax evaders, state agencies to
find individuals who owe child support, law enforcement to
assist in investigations, and by various federal and state
agencies for employment background checks.
Private use--Journalists use fraud detection services
to locate sources, attorneys to find witnesses, and individuals
use them to do background checks on childcare providers.
Location services and products
CDIA's members are also the leading location services providers in
the United States. These services, which help locate individuals, are a
key business-to-business tool that creates great value for consumers
and business alike. Locator services depend on a variety of matching
elements, but again, a key is the SSN. Consider the following examples
of location service uses:
There were 5.5 million location searches conducted by
child support enforcement agencies to enforce court orders.
Access to SSNs dramatically increases the ability of child
support enforcement agencies to locate non-custodial,
delinquent parents (often reported in the news with the moniker
``deadbeat dads''). For example, the Financial Institution Data
Match program required by the Personal Responsibility and Work
Opportunity Reconciliation Act of 1996 (PL 104-193) led to the
location of 700,000 delinquent individuals being linked to
accounts worth nearly $2.5 billion.
There were 378 million location searches used to
enforce contractual obligations to pay debts.
Tens of millions of searches were conducted by
pension funds (location of beneficiaries), lawyers (witness
location), blood donors organizations, as well as by
organizations focused on missing and exploited children.
Clearly location services bring great benefit to consumers,
governmental agencies and to businesses of all sizes.
cdia concerns with the gao's use of term information reseller
As discussed above, part our concern with the GAO's report is that
it commingles a variety of different business models under a single
term ``information reseller'' and in doing so the report also
commingles data products which are regulated under different Federal
laws. For example, CDIA's members which are operating as consumer
reporting agencies should not be discussed in the report as though they
are not in fact highly regulated businesses. Similarly, CDIA's members
which are defined as ``financial institutions'' under GLB are also
highly regulated with regard to how information is to be used (see
Section 502(e)) as well as though extensive federal agency rules
prescribing how such information should be secured.
By employing the term ``information reseller'' readers are left
with the wrong impression that such a term may exist in law or that it
is possible to consider the multiplicity of different business models
(and products produced therein) that make up the consumer data industry
as a single type of entity and one that, in the eyes of the GAO, is not
highly regulated. It is exceedingly difficult, if not impossible, to
make meaningful statements which have the breadth of those often made
in the draft report regarding the practices of many different types of
business models delivering different products and services. Finally, we
also strongly disagree with paper's attempt to simplify a discussion of
our members' businesses which are in fact highly regulated under a
variety of sector-specific laws by attempting to apply a set of OECD
guidelines as though there are not laws which were thoroughly debated
by the congress over the years and which are mature and protective of
consumer's today.
cdia concerns with gao oecd guideline application
Let me amplify on our concerns regarding how the GAO has attempted
to apply the 1980 OECD privacy guidelines as a scorecard against which
to evaluate the practices of CDIA members. Due to the GAO's mistaken
assumptions about the breadth of the application of current laws, the
GAO also makes the mistake of thinking that a fair information
practices framework can operate as a one-size-fits-all yardstick. We
disagree for a variety of reasons.
First, we are concerned about how the GAO attempted to make use of
the guidelines. Let us consider what the OECD said about their own
guidelines:
These Guidelines should not be interpreted as preventing:
a) the application, to different categories of personal data,
of different protective measures depending upon their nature
and the context in which they are collected, stored, processed
or disseminated;
Further to the question of how privacy guidelines are to be used,
in the 1977 Report of the U.S. Privacy Protection Commission it was
noted that ``[P]rivacy, both as a societal value and as an individual
interest, does not and cannot exist in a vacuum. . . . [T]he privacy
protections afforded [to societal relationships] must be balanced
against other significant values and interests. It is very common to
find such statements associated with guidelines because they are not
considered to be definitive rules with equal applicability to all data
flows. We do not believe that the GAO's report adheres to this guidance
provided by the authors of the OECD guidelines themselves or fully
accounts for the U.S. Privacy Commission's admonition regarding how to
apply guidelines.
Second, the GAO suggests, not purposefully, of course, but by
omission that there is a single global opinion regarding which set of
guiding principals is preeminent. To the contrary, consider the
following:
The 1973 HEW Report contains 5 principles.
The 1980 OECD Guidelines contain 8 principles.
The 1995 EU Data Protection Directive contains 11
principles.
The 2000 FTC Report on Online Privacy contains 4
principles; and
The 2004 APEC Privacy Framework contains 9
principles.
Each framework has to be applied with care and not monolithically
across all data uses however different they may be in terms of risk,
use, content and so on. The GAO does not explain why a particular set
of principles was chose and as previously stated, we believe that the
GAO's methodology by which the OECD principles was applied is flawed.
Third, as discussed above, there is an extraordinarily thorough
record of congressional oversight of various industry sectors' uses of
personal information. The U.S. has chosen a sector-specific structure
to consumer data laws which ensures regulatory structures which are
both appropriate to the data and which can be effectively enforced.
Sector-specific laws and regulations exist today because of such
oversight and due to the expertise of different committees overseeing
different aspects of American business. The GAO, by implication and
likely unintentionally, implies to the reader that all such oversight
was incomplete and that a single evaluative standard is the right
approach to analyzing our members business models and products. This,
however, is a very fundamental flaw in the GAO's approach. Sector
specific laws ensure that they are tailored to the industries, to the
uses of data and to the risks involved. How healthcare data (i.e.,
HIPAA) is regulated is inevitably different than how one might regulate
a telephone number (i.e., Do Not Call). Ultimately, tailored laws and
regulations ensure that consumers are protected, but also are empowered
by the data about them.
Fourth, the GAO's one-size-fits-all approach to applying the OECD
guidelines ignores a fundamental bifurcation that exists with regard to
information use and that is the difference between consumer data
products used for eligibility determinations and those which are not. A
fraud prevention product, for example does not end a transaction, but
provides a user with a ``caution flag'' which encourages the user to
take additional steps to further authenticate a person's identity. As
discussed above, where data is provided by our members for eligibility
determinations such as employment or credit, the FCRA already provides
a robust set of rights and protections for consumers. Regulation of
consumer data where it is used for eligibility determinations is
different than regulating consumer data used for fraud prevention or
investigative location tool used by law enforcement. By not accounting
for this essential bifurcation in uses, application of the OECD
guidelines leaves readers with the wrong impression about how good data
protection laws should operate.
Fifth, the GAO does not properly account for the system of public
records which exists in our country and which has been considered a key
pillar in the success of our democracy. Unlike other nations, our
government cannot withhold information about us from us. Governmental
transparency is achieved through open records and freedom of
information acts at the state and federal levels. The application of
many aspects of any one of a number of principles works against a
system that has been in place since the early days of our country's
existence. The GAO's report does readers a disservice by not discussing
the unique nature of public records and by attempting to apply the OECD
guidelines to this system of records.
To amplify on our general concern about the GAO's approach to
applying OECD guidelines, let's now consider some specific illustrative
examples.
Consumer Consent
The report states that ``[r]esellers generally do not adhere to the
principle that, where appropriate, information should be collected with
the knowledge and consent of the individual.'' \14\ The reader is left
with the wrong impression regarding the practices of our members, the
laws which currently regulate them and the appropriate application of a
consent standard. For example, the GAO does not attempt to apply a
consent-based standard on a product specific basis or even a business-
model-specific basis, which is an inherent flaw in their methodology.
If one were to apply such a standard to, for example, consumer credit
reports, then the result would be to give consumers the ability to pick
and choose which creditors' data would be reported to a credit bureau.
Consumers could allow creditors they intend to pay on time to report
and could prohibit from reporting those that they don't intend to pay
on time or at all. The result would be to turn the nation's credit
reporting system on its head and to affect the fundamental safety and
soundness principle upon which our banking system has operated since
the days of the great depression. In 1970, Congress recognized the
inapplicability of this fair information practices concept since it
would essentially work against the fundamental premise of data acting
as an independent affirmation of a consumer's own willingness to pay,
or otherwise qualify for a benefit. In a second example, of what value
would an identity verification tool be if consumers who intend to
commit fraud can decide which data will or won't be used? A third
example involves public records. How does one apply a consent standard
to records which are in the public domain? Through these examples, it
is clear that consent is not a universal concept which can be applied
to all data flows.
---------------------------------------------------------------------------
\14\ Page 44, Draft Report.
---------------------------------------------------------------------------
Data Quality
The title of the data quality discussion is ``Information Resellers
Do Not Ensure the Accuracy of Personal Information They Provide.'' This
is misleading. As discussed above, CDIA's members are committed to the
quality of information they collect. Further, in all cases where the
data is used to produce a consumer report used for an eligibility
decision, the standard for accuracy is found in the FCRA.\15\ It is a
standard that has been in place since 1970 (and amended extensively in
both 1996 and again in 2003) and which applies to eligibility decisions
such as applications for insurance, employment, government entitlements
or credit. The GAO report does not properly acknowledge this fact or
the breadth of the application of FCRA to consumer data transactions
involving consumer reporting agencies. However, applying an accuracy
standard to an investigative product used to locate individuals makes
little sense. These location services are predicated on possible
connections between addresses, names, etc., which are then followed up
with direct contacts by law enforcement agents or collection agencies,
for example. Location services are certainly high quality services and
often are very precise, but since these products are not used to make
an eligibility determination (e.g., job, credit) they are not regulated
in the same way. This said, the quotes drawn included in this testimony
regarding the high quality of consumer data products purchased by law
enforcement or counterterrorism agencies (81% of users according to the
GAO) speak for themselves. Like consumer consent, the concept of data
quality cannot be applied in the same manner to each consumer data
product as is implied by the GAO's methodology.
---------------------------------------------------------------------------
\15\ The standard of accuracy in FCRA can be found at Sec. 607(a).
A consumer reporting agency must use reasonable procedures to assure
the maximum possible accuracy of the information in the report.
---------------------------------------------------------------------------
Use Limitations
The GAO report states that ``[r]esellers do not generally limit the
use of information beyond those limitations required by law.'' It is
not clear what the GAO intends by this, but in fact both Title V of GLB
and Section 604 of the FCRA do, for example, impose significant
limitations on the use of nonpublic personal information and consumer
reports respectively. The GAO's report does not acknowledge these use
limitations in the context of their discussion. Further the GAO does
not state that use limitations cannot apply to public records which are
not gathered for purposes under the FCRA since such records are
generally available to the general public directly from Federal, state
and local agencies and courts. This said, the Drivers Privacy
Protection Act does impose use limitations on records coming from state
motor vehicle agencies. The draft report also states that ``[w]ithout
limiting use to predefined purposes, resellers cannot provide
individuals with assurance that their information will only be accessed
and used for identified purposes.'' This criticism of the system of
laws and contract is without basis. We have discussed the extent of the
laws which impose a variety of use limitations and as evidenced by the
GLB's service provider requirements (in effect since 2001), HIPAA's
business associate requirements (in effect since 2003), and the concept
of using contracts to limit use is an entirely appropriate system for
consumer data companies. In fact many laws which restrict uses of
information, also require that certifications through contracts be
obtained.
Access and Correction
CDIA's members when operating as consumer reporting agencies
provide full access and a right of correction for all consumer reports.
Consumer reports are used for eligibility determinations and thus our
members fully agree with the application of this principle. However the
application of an access and correction principle applied to a fraud
prevention and location data base would result in empowering criminals
to delete information that is used for pattern analysis and other
analytics which help in linking suspects or key pieces of information
necessary to stop fraud or to solve a case. The GAO's report does not
properly describe the harmful application of an access and correction
regime to location, investigative and fraud prevention systems which
are not used to stop a transaction or prevent a consumer's access to a
service or benefit (eligibility). In fact FTC Chairman Majoras stated
in a letter responding to questions about the imposition of an access
and correction obligation on information resellers:
``Before extending this approach to additional databases
[beyond FCRA], however, it is necessary to consider carefully
the impact of such extension. For example, requiring data
merchants to provide consumers with access to sensitive
information may itself present a significant security issue--in
some cases it may be difficult for the data merchant to verify
the identity of someone who claims to be a particular consumer
demanding to see his or her file. Similarly, for databases that
are used to prevent fraud or other criminal activities,
providing correction rights could pose serious problems; those
trying to perpetrate the fraud may take advantage of the right
to `correct' data to hide it from those they are trying to
defraud.''
The GAO report states in its conclusion that ``[g]iven that
reseller data may be used for many purposes that could affect an
individuals livelihood and rights, ensuring that individuals have an
appropriate degree of control or influence over the way in which their
personal information is obtained and used--as envisioned by the Fair
Information Principles--is critical.'' For all of the reasons discussed
above, the GAO has failed to support this claim because:
Their analysis does not properly account for the
severe regulation of consumer reporting agencies, and the
breadth of the FCRA's application to all eligibility
transactions which apply to all governmental transactions and
uses.
In taking a one-size-fits-all approach, the analysis
does not properly account for the destructive consequences of
applying various principles in the same way to all business
models and product which make up the consumer data industry.
In making this claim, the GAO often ignores or
undercuts decades of congressional oversight, legislative
enactments (FCRA, GLB, HIPAA, DPPA, etc.), federal regulatory
activities and law enforcement actions.
conclusion
In conclusion, the members of the CDIA believe that the GAO's
report is methodologically flawed and often misleads readers through
the attempt to apply a once-size-fits-all analysis of a set of privacy
guidelines. The consumer data industry does not consist of a single
entity called an ``information reseller.'' It is an industry with a
diversity of business models focused on the production of consumer
reports, fraud prevention tools, location and investigative products,
analytics services and more. CDIA's members create incredible value for
the government agencies which use their services. The consumer data
industry is a significantly regulated industry through sector-specific
laws which tailor the component information use principles to the types
of data, risks and uses involved. Our nation remains at the forefront
of enacting enforceable laws and regulations with which our members
commit themselves to complying each and every day.
We appreciate this opportunity to testify and we welcome your
questions.
Mr. Cannon. Thank you, Mr. Pratt. We appreciate your
testimony.
Now the gentleman from Ohio is recognized for 5 minutes.
Mr. Chabot. Thank you very much, Mr. Chairman.
Ms. Cooney, I will begin with you, if I can. Would you
elaborate on why privacy impact assessments are important, what
they are good for, and how you have seen them work in action?
Ms. Cooney. Certainly, I would be happy to. At the
Department of Homeland Security it has been a very important
tool, on the front end of any mission program that uses an
information system to collect personal information, to really
determine on the front end why are we collecting the
information, what information do we really need, how long will
we keep it, how accurate is the information from the sources
that we are taking it in from, how will we handle it, how do we
plan to share it internally or with other Federal agencies or
even State and local first responders, and what are the
possible redress mechanisms?
So with a mission as critical as ours is to protect the
homeland and security of the American people, we believe that
it is also very critical that at each step, from the very
beginning of a program through the entire lifecycle development
of the technologies that we use to collect and store
information, that we look critically at what we are doing and
use some basic planning as we do those programs. To us, like in
the private sector, it is important information management and
it is good ethical Government behavior.
We have met with cooperation, really, throughout the
Department in making that operationalized across business lines
and it has been a very satisfactory experience.
Mr. Chabot. Thank you very much.
Ms. Koontz, let me turn to you, if I can. What did the GAO
find in terms of the security of personnel information in the
GAO report? I know that you have already talked about it to
some degree, but could you elaborate a little on that?
Ms. Koontz. Sure. We found that the four Federal agencies
that we reviewed had put security protections in place to deal
with reseller information. For example, all four of them told
us that they had instituted passwords and other access controls
to make sure that there wasn't unauthorized access to reseller
information. Some of the agencies also had restricted access to
very sensitive reseller information only to those personnel who
have a need to use that kind of thing.
Some of the law enforcement agencies as well use something
known as cloaked logging. That is a procedure that actually
masks the searches that law enforcement personnel do against
reseller data so that even the vendor doesn't know what kind of
searchers are being done. And this is a way of protecting the
integrity of the investigations and making sure that subjects
of investigations cannot be tipped off as to the existence of
them.
That being said, I think Federal agencies realize that the
security is an important component. We did not do a test of
security controls at the four agencies we reviewed so we can't
make an assessment of the efficacy of the controls that they
have in place. And work that we have done Government-wide on
security indicates that we found security weaknesses in almost
every area in the 24 major agencies, including the four
agencies that we reviewed.
Mr. Chabot. Thank you very much.
Mr. Swire, do the same security concerns exist with Federal
Government's maintenance of personal information as exist among
commercial data companies?
Mr. Swire. Well, many of the challenges are the same. The
Government uses overwhelmingly commercial software now, and
they are using platforms and vendors that are very, very
similar.
The Federal Government has some special challenges, though.
There are classified systems for some systems, and that is a
much harder standard to live up to. And also the Government
probably has lagged, despite FISMA and GISRA and these security
statutes, it has probably lagged the private-sector best
practices. It has been hard sometimes to get the personnel in
place, it has been hard to get the resources. So it has been a
very big challenge and the scorecards haven't always been
satisfactory.
Mr. Chabot. Thank you.
And finally, Mr. Pratt, I would like to turn to you. What
security policies are in place to ensure that citizens'
information is not easily accessible by identity thieves or
computer hackers?
Mr. Pratt. Well, I think the best baseline that we can see
in guidance and law and regulation would be those that we find
in the safeguards rules under Gramm-Leach-Bliley Act, which
apply not--really are applied across the board in many of our
member companies today. So that includes technical safeguards,
strategies that you would use simplistically--firewalls, if you
have online or offline systems. It includes employee training,
it includes employee background screening, it includes the
types of strategies discussed by the GAO in terms of, you know,
password access, how quickly passwords are changed and cycled
through, for example.
It includes even physical safeguards--who has access to a
data center, who can in fact get in and potentially walk out
with a hard drive that might contain sensitive personal
information.
So when you have the technical, the physical, as well as
the employee-based safeguards, you have, really, three legs of
a key stool which we need to ensure is applied to really all
kinds of sensitive personal information.
Mr. Chabot. Thank you very much. My time has expired, Mr.
Chairman.
Mr. Cannon. The gentleman yields back.
Mr. Nadler. The gentleman from New York, the Ranking Member
of the Constitution Subcommittee, is recognized for 5 minutes.
Mr. Nadler. Thank you, Mr. Chairman.
I would like to ask all the panelists, given the importance
of privacy impact assessments, as Ms. Cooney stated, do you
support a broader requirement that agencies prepare privacy
impact assessments for rules involving the collection of
personally identifiable information in all Government agencies?
Start with Ms. Cooney, then everybody else.
Ms. Cooney. Thank you. I would say that certainly under
Security 222 of the Homeland Security Act we read the
requirement by Congress to really require DHS to undertake
those types of privacy----
Mr. Nadler. No, no, clearly my question is do you think
that Congress should extend that to other agencies?
Ms. Cooney. We found it helpful at DHS. I am not sure what
the Administration view is, but I can tell you from our
experience it has been a very helpful process.
Mr. Nadler. So you would think it a good idea to extend it
to other agencies?
Ms. Cooney. It may be.
Mr. Nadler. Okay. Ms. Koontz?
Ms. Koontz. What we found in our work is that the privacy
impact assessments were not being done consistently from agency
to agency. And that was something that concerned us very much.
And as Ms. Cooney said very articulately, the privacy impact
assessments are a very powerful tool before you start building
an information system, before you start collecting information,
in order to assess what the privacy implications are and then
to put the controls in place up front. And to the extent that
they are made publicly available, I think they contributed to--
--
Mr. Nadler. Are you suggesting--this is for new rules. Is
it your suggestion that we need better enforcement of them?
Ms. Koontz. I think we need better implementation of the
existing requirements and I think that we saw that what
Homeland Security put in their guidance to be a model that
could be expanded to other agencies.
Mr. Nadler. Thank you.
Professor Swire?
Mr. Swire. I do support broadening the PIA's application to
rules. I think we have used that they are a useful tool. There
is an issue about scope. You don't want to have it for things
that only have a tangential relationship to a couple of
people's data. But in terms of enforcement, I think that goes
back to having OMB or the White House have a privacy office to
make sure agencies aren't falling down on the job. So you
spread it to the rules and then you have some coordination
across agencies.
Mr. Nadler. Thank you.
Mr. Pratt?
Mr. Pratt. I think from our perspective, really, you have
at DHS a good model for how an agency should oversee the uses
of private-sector information as well as data that would be
gathered under the aegis of the public agency. So to the extent
that you are suggesting other agencies that may use sensitive
personal information might need a similar infrastructure of
knowledgeable and highly trained individuals, that makes sense
to us. Certainly in the private sector we have chief
information privacy officers, we have the same types of reviews
in the financial services industry that go on with regard to
how information is used and protected and so on. So I don't
think that we ever have a problem with agencies understanding
how to protect and secure and use responsibly information they
obtain.
Mr. Nadler. I thank you.
Professor, do you think we could benefit from agency
privacy ombudsmen in other parts of the Government?
Mr. Swire. Well, there have been efforts to spread it. I
think there may be up to three or four different executive
orders or executive statements that say agencies are supposed
to have privacy offices, but implementation has really been
uneven over time.
So there are a number of agencies that haven't been nearly
as institutionalized as Homeland Security and haven't been as
systematic in----
Mr. Nadler. See, so again, as in your answer to the
previous question, if we had an office in the White House or
somewhere to make sure that all the agencies were complying
with privacy impact statements or with having the ombudsman
function properly, or the agency offices, whatever we want to
call them, function properly.
Mr. Swire. I can offer some perspective from having been in
that seat. It gives you one person to criticize by name. And
that has a very powerful effect, seeing your name in the
newspaper as a bad guy, and it leads you to try to get other
people to cooperate and make it all work a little bit better.
Mr. Nadler. It gives you a motive.
Mr. Swire. Yeah.
Mr. Nadler. Thank you.
Again, Professor Swire, to the extent that data processing
operations might move overseas, what protections do we have or
ought we have that we don't have to extend our protections for
that eventuality?
Mr. Swire. Well, this issue of overseas has been a powerful
issue that people are looking at. I must say, I have a slightly
different perspective because the United States complained very
much when Europe tried to do that to us. And Europe had in a
privacy directive rules that they wouldn't let data go to the
United States, and we wanted to make sure that American
companies could use that data responsibly.
I am a step more cautious. I think it is always good to
have the contractors under very good controls and make sure
those controls work. I am not personally as sure that we should
make a big line about overseas or not.
Mr. Nadler. Could I just ask if anybody else would want to
comment on that question? Ms. Cooney?
Ms. Cooney. Thank you, Mr. Nadler. I would like to tell you
that there is work presently going on that the Federal
Government is very involved in, and we are included in that
work in the DHS Privacy Office, both in the Organization for
Economic Cooperation and Development and in the APEC forum in
working on cross-border enforcement on privacy issues. There
has been some work already accomplished in certain areas, such
as combatting spam, and that has been fairly effective.
What we have found so far is that it is not done solely by
privacy practitioners or privacy enforcement officers, but it
might be done by consumer protection folks in certain areas,
criminal law enforcement in others, privacy professionals
working together.
So I would want you to know that that is an active part of
the agenda that we are working on as Federal partners in that.
Mr. Nadler. Thank you. Anybody else?
Thank you, Mr. Chairman.
Mr. Cannon. The gentleman yields back.
Mr. Franks, the gentleman from Arizona, is recognized for 5
minutes.
Mr. Franks. Well, Thank you, Mr. Chairman.
I want to direct this to anyone at the--in fact, I would
like, maybe, for everyone to take a shot at it. I am wondering,
in terms of what really are the challenges that we face to keep
people's data secret and accurate, is it more of a policy issue
that needs to be changed here from Congress, or is it more of a
mechanical issue of just the reality that, with the expansion
of computer technology and all of the different things that
happen today, is it more of a technology challenge or is it
more of a policy challenge?
Mr. Pratt. I will take a first stab at this. First of all,
I do think that in this country we need to protect, under the
rule of law, sensitive personal information no matter who
gathers it. Some of the different laws that we have discussed
in our testimony, which are also accounted for in the GAO
report, do deal with sectors of business in this country where
we have to secure and protect that information. The Gramm-
Leach-Bliley Act information safeguards rules are a good
example.
Certainly our membership has testified before several
different Committees saying that information safeguards
standards should apply to anybody who is going to gather
sensitive personal information such as my name and my address
and my Social Security number in that combination.
I think there are several effects to that, by the way.
First of all, fewer folks will gather that information. They
will think about it first. And that is good, because they
should. And if they are going to gather it, they should protect
it under that three-legged stool we have discussed. And I think
in doing so, it does create an enforcement mechanism also,
where there is failure in the marketplace. We think those are
all good outcomes that could result from the enactment of law
that would do that. There are several Committees that are
focused on that now that I think would move forward with an
effective program for protecting sensitive personal
information.
It is also education, though. And I would say within the
last 5 years, certainly the last decade, what we know and think
about as information security is very different than it was 10
years ago. And certainly the velocity of change with technology
makes it very challenging.
Mr. Swire. I think it is very much a policy issue where the
hard things come in. There is a lot of consensus on data
security. You can get pretty much everyone to agree on the
list. But which data is the right data to use? And this IRS
example from my testimony is one example. Should your tax
preparation agency be able to resell your data or not? They can
have perfect security, it is just a question of whether that
company should be reselling it or not. That is a policy
decision. That is where I think a lot of the work has to
happen.
Mr. Franks. Ms. Cooney?
Ms. Cooney. Thank you. I think the point that I would like
to make is that the process of data security and information
security practices is not one-size-fits-all and it is not a
one-step process. It is an iterative process. I think Mr.
Pratt's reference to the GLBA safeguards rule is very important
and that those general guidelines can be used across Government
systems as well as in the private sector, keeping in mind, as
they require it, that it is an iterative process and you need
to keep looking at your process both from a technology
standpoint, from a personnel standpoint, and from a policy
standpoint in terms of why do you need to keep this data and is
it the right data to keep.
On the accuracy issues, and it somewhat answers your
question, in terms of the application of the Fair Information
Practices principles to data accuracy in the private sector for
commercial resellers, whether all those principles should apply
or would easily apply is something that could be discussed. But
certainly a focus on allowing individuals some access to their
information to correct the information really should be looked
at, because originally that information would have been
collected for very different purposes. Many citizens may not
even know that a data aggregator has their information. And it
is a matter of fairness as well as carefulness with the
information.
Mr. Franks. So just to expand on your thought there, much
like the credit data that we access, you are convinced that
something along those lines for generalized data, that the
consumer would always have the right to ascertain what that
was, or at least in nonsecurity issues?
Ms. Cooney. Right. In many circumstances, when it doesn't
touch law enforcement or national security in particular,
although even in our case we need to be very concerned on our
end in the Federal Government to check on data accuracy.
Mr. Franks. My time is almost gone. Mr. Pratt, let me skip
quickly to you, sir. With the proliferation of ID theft, a lot
of times you can identify a particular culprit. Is this escape
of data happening mostly in Government databases or is it
private databases? Is there any one--is it just generalized or
is there some kind of particular area where we are
hemorrhaging?
Mr. Pratt. It is difficult to pin it down. Certainly, for
example, it could be as simple as somebody driving down the
street at the right time of the month to pick up your mail, so
you have something as simple as mailbox fraud. We saw last year
about 50 percent of all the media coverage focused on
universities that were losing sensitive personal information, I
think probably because they were at that time using Social
Security numbers as student ID. I think a lot of universities
have begun to change that practice.
So no, sir, I don't think there is any one place you can
go.
To your point, by the way, about the Fair Credit Reporting
Act and having access, let me just say it this way. The Fair
Credit Reporting Act is a terrible title for the law because,
in fact, the law applies to any kind of eligibility decision.
So any time data is used to deny me something, I can't get it,
I have a right of access. I have a right to correct it. I have
a right to expect that it was accurate in the first place. I
have private rights to enforce, I expect the Federal Trade
Commission to enforce, State attorneys general to enforce.
So I think it is very important. That was one of the issues
we had with the way the report was structured, is you might
walk away from that thinking that there was not this very, very
broad-based law that said whether it is my employment
application, my application to purchase a home, my application
to get a cellular phone account, my application to obtain a
utility--no matter how and where a consumer report is used, not
a credit report but a consumer report--I have all of those
rights that we have just begun to discuss. So I do think we
have a law on the books that is quite a bit broader than maybe
the title would imply.
Mr. Franks. Thank you.
Thank you, Mr. Chairman.
Mr. Cannon. The gentleman yields back.
Mr. Scott.
Mr. Scott. Thank you, Mr. Chairman.
I guess my first question is a little more basic. Who are
we talking about? Who are these resellers?
Ms. Koontz. I assume you mean the names of the companies?
Mr. Scott. Well, if you want to leave the names out, just
describe them.
Ms. Koontz. For our study, we defined information resellers
as being businesses that collect and aggregate information,
personal information about individuals and make them available
to consumers. So it is rather broad.
Mr. Scott. To consumers or to businesses?
Ms. Koontz. And to businesses, yes. To their customers.
Mr. Scott. The purpose for which you are gathering the data
can vary depending on what it is going to be used for. You
could be just compiling a mailing list. Is that what you are
talking about?
Ms. Koontz. I think we are talking about information
resellers who then collect this information and then they
convert it into information products, some of which are used
for marketing, some of which are used for other purposes.
Mr. Scott. Well, if you are using it for marketing you can
get a list that would be interested--where a certain product
would be interested in marketing to that group of people.
Ms. Koontz. Mm-hm.
Mr. Scott. Could be 80 percent accurate, but that is good
enough for mass mailing. Because it is better than kind of
saturation mailing. You knocked off 75 percent of the people
you don't want to mail to. Are we talking about that, too?
Ms. Koontz. Well, that is some of it. Some of it is for
marketing purposes. But I think you have hit on a key point
that we talked about in our report, is that the privacy
principles basically talk about accuracy for a specific
purpose. And the specific purpose in this case is often
determined by the user. So it is difficult for the reseller to
assure the degree of accuracy for a particular purpose because
they are not the ones that are determining that purpose.
Mr. Scott. Well, you don't care whether it is accurate or
not if all they are going to do is just mass mail. If the
Government gets hold of it, it is going to take some adverse
action based on this kind of superficial dragnet where you come
in and gather up a lot of names, most of which would be in the
category you are aiming at, where the person gathering the data
didn't have any interest in accuracy. So what do you do in that
case? Is that the information we are talking about?
Ms. Koontz. That is part of the information that we are
talking about. There are all kinds of information products that
are offered by resellers. And I think it does put more of a,
shall we say, an obligation, too. In this case we are talking
about the use of these data products by Federal agencies and it
puts, I think, an obligation on the part of the Federal agency
to determine that the accuracy is appropriate for the use that
they are using it for. Which is, for example, the reason that
law enforcement corroborates this information with other
sources before they take any action against an individual.
Mr. Scott. Is the information subject to the Freedom of
Information?
Ms. Koontz. I don't know.
Mr. Swire. There is a privacy exception to the Freedom of
Information Act and it often would prevent a Freedom of
Information Act request from going through.
Mr. Scott. To get the whole list?
Mr. Swire. Yes.
Mr. Scott. If you are doing law enforcement activities, do
I understand that the Levy Guidelines are no longer in effect,
where you had to actually be investigating a crime before you
started gathering information on people? Professor?
Mr. Swire. Yes, that is correct. They were changed very
substantially after 9/11.
Mr. Scott. Before 9/11, before you started gathering
information on people and setting up dossiers, you had to
actually be investigating a crime, not just gathering
information. Is that right?
Mr. Swire. There were detailed predicates for each stage as
the investigation went further, yes.
Mr. Scott. And that is no longer in effect, so the
Government is now just gathering information?
Mr. Swire. There are guidelines that Attorney General
Ashcroft issued. I have read them, but I don't have them
clearly in my head. They are quite a bit more permissive,
because the idea is share data and use data more intensively.
Mr. Scott. Professor, did I understand you to say there is
some idea that you could actually sell tax records?
Mr. Swire. Well, this was actually a subject of a public
hearing today somewhere else in town. But H&R Block or any
other tax preparer, under the proposed rule, would be allowed
to sell tax records or databases of tax records for the first
time to outside parties.
Mr. Scott. That is records that they prepared?
Mr. Swire. That they prepared for you as the taxpayer. If
you signed off, as one of your signatures to them, they would
then be able to resell that.
It got quite a press hit a couple of weeks ago, when people
found out about it. And deserves to.
Mr. Scott. Thank you, Mr. Chairman.
Mr. Cannon. The gentleman yields back.
Ms. Wasserman Schultz, did you have questions?
Good. Thank you. The Ranking Member is recognized for 5
minutes. Mr. Watt?
Mr. Watt. Thank you, Mr. Chairman.
Ms. Koontz, I know you all did the study and you are not
doing policy, but I particularly wanted to hear from you and
Mr. Pratt about whether you thought that Professor Swire's
suggestion that we reinstitute a privacy officer in the White
House that has kind of umbrella authority from agency to
agency, whether you think that is a good idea, whether there
are particular good pros to doing that or particular bad cons
to doing that.
I will ask that question of you, if you can address it from
a policy perspective. And I would like to get Mr. Pratt's view
on it, too.
Ms. Koontz. We haven't studied the question of the need for
a privacy officer in OMB or in the Executive Office of the
President. I can see, though, that the idea probably has some
merit, in terms of further discussion, as a way of having a
focal point for privacy issues and the Federal Government. I
mean, I think we have seen some benefits from, for example,
within the Department of Homeland Security, where you have a
highly placed official who has a broad privacy responsibility,
and that seems to be something that is useful in terms of
looking at these policy issues.
Mr. Watt. Mr. Pratt?
Mr. Pratt. Our association hasn't actually studied that
same question any more--so I suspect--than the GAO. My first
reaction is that sometimes centralization can be a red flag,
because you start to remove the expertise and the knowledge you
might need. So the knowledge you might need in HHS might be
different than the knowledge you might need in DHS.
So I don't know if a--just off the top of my head, I don't
know if a central office would make things better or if it is
just simply important to make sure that there are knowledgeable
professionals who are thinking about data use issues on an
agency-by-agency basis.
And of course Federal Trade Commission has established its
new division, which does focus on information use and identity
theft issues as well as----
Mr. Watt. Who is that? I am sorry.
Mr. Pratt. The Federal Trade Commission has established a
new division under the Bureau of Consumer Protection, which
focuses specifically on information protection and identity
theft. So there is an office there that focuses on data flows
in that regard.
Mr. Watt. Under what authority is it doing that, and is
that----
Mr. Pratt. It is not the same principle. It isn't the same
principle as an omnibus individual, if you will, at the level
of the White House. They really oversee--their scope of
authority would be no broader than the FTC's scope of authority
generally in the marketplace.
Mr. Watt. Do you concede that despite the concerns, the
potential on the downside that maybe having a more consistent
set of principles across the Government would be facilitated by
this suggestion?
Mr. Pratt. I don't know yet because, again, one of the
difficulties we have even had with the GAO report, and we
certainly appreciate the hard work that the researchers did in
putting it together, it demonstrates one of the difficulties,
and that is we feel that the GAO took the principles and
applied them too monolithically across something called an
information reseller. And really, to Mr. Scott's question, I
suppose information resellers are consumer reporting agencies.
They may be financial institutions under the Gramm-Leach-Bliley
Act, consumer reporting agencies under the Fair Credit
Reporting Act. So I don't know if centralizing expertise works
better than just simply making sure that you have knowledgeable
individuals operating at an agency level.
Again, I think also I am probably not in the best position
to discuss the effectiveness of the current operation of the
Privacy Act or the OMB guidelines that implement that. It is
probably the domain of Professor Swire.
Mr. Watt. Professor Swire, there was a lot of debate about,
when this Privacy and Civil Liberties Oversight Board was set
up, about whether it should have subpoena power. I know that
the Agency just got structured in February--I mean the people
who were appointed. But can you just give us kind of the pros
and cons of--or maybe better, even, what are the real problems
with not having subpoena power?
Mr. Swire. Well, there are various jobs the Privacy and
Civil Liberties Board could do. One of them is to be inside the
executive branch during clearance, when they are trying to
figure out how do you do a new program. And I don't think
subpoena power is needed for that. That is talking to the
people, being in the room, building confidence that the board
can help.
When it comes to finding out if there are problems out
there in the agencies, there is a question of how you find that
out. One way is to go to the IGs, right. We have Inspectors
General, and especially if we have some good whistleblower
protections so the people are allowed to talk to the IGs, then
that may be one way to do the investigation.
If you think that is not working, then you look around, who
else might do it? It could be the Department of Justice, but
you have to have a good step toward a criminal investigation.
If you don't have that, then maybe somebody else, like this
board, with subpoena power might be your best chance to find
problems in the agencies and do something about it.
It really has to do with whether the IG system is working,
because they were supposed to be the ones to subpoena, and
whether you need a second look with some expertise.
Mr. Watt. Can I just ask one more question, Mr. Chairman?
Ms. Cooney, how is your office going to coordinate with
this Privacy and Civil Liberties Oversight Board? How do you
see these two things meshing together, Homeland Security and
this oversight board?
Ms. Cooney. Sure. Under the oversight board there actually
is a Privacy and Civil Liberties Officer for the DNI. We
coordinate with that Privacy and Civil Liberties Officer now,
Alex Joel, in a very cooperative way. As he is setting up his
operation, he has come to DHS to ask us what our experience has
been, for advice on the startup. And we are working very
closely right now, along with others, including the new Privacy
and Civil Liberties Officer and DOJ and others, on building in
a privacy architecture for the information sharing environment
across the Federal Government.
So I think it is going to be a very collaborative process
and it has been very positive so far.
Mr. Watt. Thank you, Mr. Chairman.
Mr. Cannon. I would like, before I ask a couple of
questions here, I would like to thank the panel for being here
today. It think this report is very, very helpful, Ms. Koontz,
and you have done a remarkable job in helping us to understand
it.
Ms. Cooney, we appreciate what you have done. Can I just
ask, are you coordinating with the people at Justice that are
setting up the same process that you are doing? Could you
comment on that briefly?
Ms. Cooney. Yes, we are. Actually, before the appointment
of the Privacy and Civil Liberties Officer there, we worked,
really, for several months before that in providing advice in
terms of our experience, our budget, the type of personnel that
we have hired, which is quite multi-disciplinary. And as Mr.
Pratt noted, it takes expertise along a wide range of areas. We
have technology experts, we have policy experts, we coordinate
closely with our Office of the General Counsel on legal issues.
And I am very proud to say we have a Chief Counsel to the
Privacy Office, who is embedded with us, reporting to our
General Counsel, so that is very cooperative.
We have a compliance team that has a private-sector
background. We have folks who had enforcement and compliance
experience in the Government realm. We have international. All
of those things are really needed if your agency does work
across a wide scope and has a lot of different dynamic
programs.
We have shared that type of information with the Department
of Justice. And since Jane Horvath has joined the Department of
Justice, we have met several times, e-mail, talk about issues.
And I think that is the way it should be, and we are happy to
do that.
Mr. Cannon. Well, I--you know, if you look at DHS, which is
hard to do because it is so big--it takes the Almighty to
comprehend it, and I am not sure it would take the Almighty,
but it is beyond my capacity to understand the Department of
Justice. It seems to me that the idea, and I guess it goes to
your comment, Mr. Pratt, that having a decentralized process
may be helpful.
But Professor Swire, we appreciate your comments and look
forward to working with you on what a of a--how we would sort
of oversee this whole process. I think it is vitally important
that we take these huge, monstrous organizations and get them
thinking about what they do, and then cumulate activity rather
than mandating it. But at some point, you have to have some
kind of overarching oversight of that. So we will revisit that.
Mr. Pratt, can I ask a couple of questions of you? The GAO
has reported that information resellers generally allow
individuals limited access to correct their personal
information. Why can't individuals get data about themselves
corrected when it is wrong? And if the consumer reporting
agencies are able to accommodate such corrections, as they are
required by the Fair Credit Reporting Act, why can't
information resellers do likewise?
Mr. Pratt. Really, it depends. Again, it is just taking
that Fair Information Practice, and then we have to walk
through the various products that it might apply to. So as you
say, consumer reports, absolutely. Those reports are used to
deny me access to a benefit or service. And that is one of the
basic fair information principles we are working off of. If I
can't get something because information has told the user that
I should not get the credit, I should not drive off the car lot
with the car, then that makes sense to us and we understand
that.
A fraud prevention product is another type of data product
that is used. A fraud prevention product, were we to disclose
it, would mean we are disclosing the recipe, because we would
be disclosing the various data elements which are cross-matched
which raise a yellow flag.
Now, a fraud prevention product doesn't deny me access, but
it probably slows me down. Somebody is going to ask me more
questions. You know, Congressman Cannon, are you really who you
say you are; can I have another item of identification from you
to make sure that you are who you say you are.
And I think that is also true of some of the investigative
tools that we have, location tools. In other words, a location
tool really just--and I have seen some about me, where it will
show where I have lived previously. And so it is not really--it
just says you lived in Houston, Texas, for a period of time,
one of your friends now lives in Los Angeles. It really just
shows an investigator how they might candidly conduct a
national security investigation were I applying for a national
security level of clearance. So that is a different kind of
tool.
So accuracy and how you apply accuracy really pivots, I
think, off of that.
In terms of correction, though, public records are a
particular challenge. Because if you have a court record and
you have simply taken that same image data and put it into a
national database, the real key to correcting that is to make
sure the consumer knows how to get back to the court in order
to correct the information in the first place. Because if you
don't correct it at the courthouse, it is still publicly
available, there are is still a Web site from which you can
obtain it, and in fact all you have done is fix the
intermediate source.
And by the way, that principle was corrected in the Fair
Credit Reporting Act to ensure that a reseller in the context
of a consumer reporting agency, where access and correction do
apply, that the consumer would be referred back to the data
source in order to correct it at the source rather than to try
to correct it at the mid level.
Mr. Cannon. Let me just get one more question before my
time expires.
When a data breach occurs, shouldn't an information
reseller be required to notify those whose information was
compromised? And if so, how should notification take place?
What follow-ups, if any, should be required of information
resellers to monitor compromised information?
Mr. Pratt. Well, I don't know that we think about it in
terms of information resellers. There are several different
bills that have been worked on by various Committees, and the
fundamental question is, when you have a certain type of
information that we tend to think of as sensitive personal
information--If I have secured it in the first place, of
course, I have done the right thing. If for some reason my
security protocols have failed, yes, we think that there is a
risk of identity theft, a significant risk of identity theft.
Absolutely.
The reason we make that distinction, Mr. Chairman, is
because there are cases where a laptop is stolen, but when you
do the forensics on the laptop, you determine that it was
really stolen in order to just simply fence the laptop. And in
fact it was never opened, it was never started back up again,
nobody ever looked at the data, the hard drive wasn't tampered
with. So notifying a thousand consumers that their data was on
a hard drive of a laptop that was stolen that was never dealt
with from a technology perspective probably creates false
positives which move consumers away from really being
proactive.
So we think the key to good notices is the trigger--when
should I do it so that you and I as consumers really can act on
other rights that we should have.
Mr. Cannon. Of course the question does occur, who makes
that judgment?
Mr. Pratt. It is a difficult one, yes, sir.
Mr. Cannon. Thank you.
We appreciate your being here today. Since we don't have, I
don't think, any further questions, we will now stand
adjourned.
[Whereupon, at 1:21 p.m., the Subcommittees adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record
Additional Material for the Record submitted by Linda D. Koontz,
Director, Information Management Issues, U.S. Government Accountability
Office