Testimony of
Evan Hendricks, Editor/Publisher
Privacy Times
www.privacytimes.com
Before The House Committee on Banking & Financial Services
June 14, 2000
Mr. Chairman, thank you for the opportunity to testify before the Committee. My name is Evan Hendricks, Editor & Publisher of Privacy Times, a Washington newsletter since 1981. For the past 23 years, I have studied, reported on and published a wide range of privacy issues, including credit, medical, employment, Internet, communications and government records. I have authored books about privacy and the Freedom of Information Act. I have served as an expert witness in litigation, and as an expert consultant for government agencies and corporations.
Mr. Chairman, I am particularly heartened by your continued leadership on privacy, as you are consistently willing to give the issue a fair hearing. It was through this Committee that amendments to the Fair Credit Reporting Act were passed. And it was you who took the lead in tackling the difficult problems posed by the underworld of "information brokers" who specialize in stealing individuals' confidential information, resulting in important legislation. These were all bipartisan efforts that also would not have been possible without the leadership of the Committee's Ranking Minority Member, Congressman John J. LaFalce. I've seen first hand how Americans have benefited from your cooperative approach to privacy.
Today's hearing represents another advance, as we focus on the vital issue of financial institutions' use of medical data. To me, the issue is not whether overall, HR 4585 is a good bill. For the most part, it is. The more important question is whether the Committee should devote its valuable resources to such a narrowly targeted bill at a time when there are many broader privacy issues that need to be addressed. I favor a broader approach.
The Bill
The legislation (HR 4585) is an excellent starting point because it is based upon the standard which must drive all privacy law: affirmative, informed consent. Specifically, it requires financial institutions that include insurance companies, insurance agents and other financial firms which possess individually identifiable health information to obtain a consumer's affirmative consent before sharing that information with an affiliate or a non-affiliated third party. This is the correct standard because Americans generally don't differentiate between affiliates or outsiders. However, they are concerned when information they give for one purpose is used for other purposes without their informed consent.
The measure generally requires consent before a financial institution could use health information in deciding whether to issue credit. The measure would bar financial institutions from requiring consent for obtaining health data as a condition of providing a loan or credit.
Another positive feature of the bill is that it gives consumers a right of access to their medical data, and a right to dispute the accuracy of that data. These are fundamental rights that are essential to privacy protection.
The bill's language needs to be tightened to ensure that some kinds of "consent" do not become mandatory. For instance, we would not want a privacy bill to authorize a lender to access the medical database of its life insurance affiliate through some sort of blanket consent form. If you've ever read the consent forms typically used in insurance, banking and employment, you understand that this is a real danger.
Another problem is the limitation of coverage to "loan or credit" granting. This leaves open the possibility that medical information held by financial institutions could be used for marketing, pre-screening and employment.
A Broader Approach Is Needed
Given the limited scope of HR 4585, and the need to protect privacy of all kinds of financial information, I strongly urge the Committee to use the Clinton Administration's financial privacy legislation, introduced in the House by Rep. LaFalce, as the starting point. This bill better addresses the broader issues of financial privacy that were not adequately addressed in last year's Gramm-Leach-Bliley Act.
A Blueprint For Protecting Privacy in America
Privacy is inadequately protected in the United States because of major gaps in our national laws. The traditional approach has been to introduce narrowly tailored privacy bills as specific problems are identified. This has left us with a hodge-podge of privacy laws, such as the Fair Credit Reporting Act, the Cable Television Privacy Act, the Video Rental Privacy Protection Act, the Telephone Consumer Protection Act and the Gramm-Leach-Bliley Act, to name a few.
However, the United States still does not have national laws protecting the privacy of retail and Internet records, medical records and many kinds of financial and insurance records. Considering that we are in an "Age of Convergence," in which various mediums like Internet, cable, communications, banking and wireless data systems are converging, this approach is no longer tenable.
The most effective way to achieve the much needed, more comprehensive approach is for the Administration to propose a national legislative privacy package, and to set up "privacy infrastructure." Then the appropriate Congressional committees would be responsible for acting upon the parts of the package that come within their jurisdiction.
A major problem has been that this Administration, like others before it, has refused to do its part in presenting to Congress a national legislative package. In this Administration, much of the blame for this falls on the U.S. Department of Commerce, which has continued to rely on industry self-regulation long after such an approach has proven ineffective and unworkable. On the issue of privacy, the Commerce Department has an inherent conflict of interest and should get out of the privacy policy business altogether -- and should stick to counting beans.
The good news is that the Administration is finally moving to fulfill its obligation, albeit in fits and starts. (Better late than never.) As mentioned, the Administration has proposed more comprehensive legislation to protect financial privacy, fulfilling its promise to revisit privacy after the enactment of Gramm-Leach-Bliley.
The Federal Trade Commission has recommended national legislation to protect Internet privacy. The Department of Health & Human Services, due to Congressional inaction, has proposed rules to protect medical privacy. To its credit, HHS has recognized the limits of its rulemaking power, when compared to legislation.
What is also needed is what all other Western nations have: An Independent Office of the Privacy Commissioner. In the U.S., such an office could examine the hodge-podge of privacy laws and recommend to Congress how to bring them into line so there would be greater consistency -- a level playing field for Americans and the organizations that handle their data.
A Privacy Commissioner would also serve as a public resource and as an Ombudsman for Americans. Such an office was proposed in legislation (S 1735) introduced in the 103rd Congress by Sen. Paul Simon.
It is important to note that the American public has made it clear that privacy is a priority, and that they want legal protection for their personal data. A wide array of opinion polls consistently confirm broad public support for the kind of national privacy policy that I have outlined here.
That is why, I believe, at this point in history, it would not be appropriate to invest scarce Congressional resources in narrowly tailored legislative proposals that fail to address the broader concerns of the American public.
Finally, it is time that all parties recognize that the failure to protect privacy adequately is hurting prospects for e-commerce. Studies show that significant portions of the public are reluctant to engage in e-commerce because of privacy concerns. Moreover, they show that a majority of Internet users who begin to buy online actually abandon their "shopping carts" when they are asked for their credit card numbers. The moral of this story is clear: E-commerce cannot be successful without consumer confidence; and without privacy, there will not be consumer confidence.
By far, it's not too late to solve this problem. It will take a thoughtful mix of legislative and technical solutions to create a pro-privacy environment in which e-commerce can flourish.
But if we fail to undertake these steps, the next debate could, unfortunately, be over "Who Lost E-Commerce."
Again, Mr. Chairman, thank you for this opportunity. I would be happy to answer any questions.