THE FORUM ON TECHNOLOGY & INNOVATION

+ + + + +

PRIVACY IN THE INFORMATION AGE:

PART II: FINANCIAL RECORDS PRIVACY

+ + + + +

WEDNESDAY, MARCH 24, 2000

+ + + + +

This transcript was produced from tape provided by the Council on Competitiveness.

C-O-N-T-E-N-T-S

Introduction, the Hon. Bill Frist

Introductions, the Hon. Jay Rockefeller

Presentation by Julie Johnson, Senior Vice President, Bank One Corp.

Presentation by Paul Schwartz, Professor, Brooklyn School of Law

Presentation by Julie Brill, Esq., Assistant Attorney General, State of Vermont

P-R-O-C-E-E-D-I-N-G-S

MR. ROONEY: --Forum for Senator Frist, Senator Rockefeller, and the Council on Competitiveness, and I'm delighted to welcome you here today.

I just want to draw your attention to a couple of items in the packet, but actually before I do that, I always forget to do this first. I want to acknowledge the tremendous support we have from three wonderful foundations, the support without which we could not do what we do, and that is the W.K. Kellogg Foundation, the Alfred P. Sloan Foundation, and the David and Lucile Packard Foundation.

In your packets on the back side of the first item is the agenda for today's briefing. A very simple format. The Senators will very briefly introduce the topic and introduce the speakers all at once, and then the three speakers will come to the podium and briefly give you an overview of the financial privacy issue as they see it, and then the Senators will open the floor to your questions and moderate the round table discussion.

We do have a microphone there in the center of the room, and we very much encourage you to use it. I realize that with the seating it's a little tough for all of you to get to the mic, but it's always more interesting for everyone if the questions are live.

We ask that our non-congressional guests here give congressional staff priority at the microphone because that's the reason why the Senators are really doing this, is for the staff, although we're delighted to have all of you here.

The second item in your briefing packet is a green question card. For those of you who can't get to a mic or are shy, if you fill these out early on in the process and then hold them up, we will collect the cards from you and the Senators will ask questions on your behalf, National Press Club style.

Last, but not least, I want to draw attention to the third item in your packet, which is the blue evaluation card, and ask you to take a moment towards the end of the session and fill this out and drop it off at the registration desk as you leave. We pay a lot of attention to what you say. They help shape our briefings, and we really do want to hear from you.

And with that, I'll turn it over to Senator Frist.

SENATOR FRIST: Peter, thank you, and I think we'll just stay right here and use the microphones.

Do let us know if you can't hear. A lot of these mics, and also for the panelists, are very directional, and so let us know if you have a hard time hearing.

I do want to thank everyone for joining us for, as Peter mentioned, a second briefing in what is a three part series on this issue of privacy.

Our focus today, as you know from our agenda, shifts from the broader, more general debate over Internet privacy to the consumer's right to protect their own financial profiles that are gathered by financial institutions.

It was in March that the Federal Trade Commission proposed new rules for banks and other financial institutions to comply with the privacy requirements of last year's Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act.

It was just last week that the President proposed his own legislation to require new restrictions on how banks and others can share consumer financial data. Legislators on both sides of the aisle and in both chambers have introduced a number of bills on this particular subject.

The issue does come down to our topic today, and that is how do we balance the issues surrounding consumer privacy with the additional cost and barriers of those regulations.

On the one hand, as we all know, access to information is the life blood of our financial services sector. Accurate data, reliable data, readily available consumer financial data results in greater efficiencies and substantially lower cost in the long run to consumers.

Reliable consumer credit data, for example, has lowered mortgage cost and allowed credit of all kinds to be made available to more Americans than at any time in our history.

On the other hand, and we all hear it, consumers are wary of having information about them used in ways that they cannot anticipate, nor can they control, and more privacy controls may ultimately be in the best interest of industry. Consumers who feel more secure will do more business and use new financial services more fully.

We'll be discussing both of those issues today.

We're fortunate to have with us today three experts. They'll be introduced by my colleague Senator Jay Rockefeller.

SENATOR ROCKEFELLER: Thank you, Bill.

And once again, Bill Frist and I have this sort of ongoing battle with the powers that be in the Senate, which we're obviously not a part of that particular group, to try and get a larger room, and you know, this is actually a smaller crowd than we're accustomed to. We usually have 200 to 250 to 300, and that's simply because we can't get larger rooms.

So we want you to know that both of us are trying very hard and that we're fighting the system and losing so far.

So that makes no difference because your intellectual voltage will make up for the shortage of seats, and particularly after you hear Julie Johnson, Paul Schwartz, and Julie Brill.

Julie Johnson, who is right here, is the Senior Vice President of Bank One Corporation, one of America's largest bank holding companies. It's also, Bank One, one of the world's largest Visa credit card issuers, which brings in that whole phenomenon of sort of the same debates that we had when credit cards were coming out in the early stages and people saying, "Well, wait a second. What is that going to mean?" And there were some things that passed, and then credit cards obviously took off.

Bank One is also the parent company of Wingspan, which is the first purely on-line consumer bank. She's the Director of Information Policy and Privacy for that very large corporation and advises all of the bank's various businesses on information practice.

She serves as co-chair of the Privacy Working Group of the Consumer Bankers Association.

Now, what I would prefer to do, except that Peter says that I can't, is just to have Julie go up and speak and then introduce the next speaker.

Peter, can I do that? Thank you, Pete.

So, Julie, why don't you go ahead and speak?

MR. ROONEY: You have to be here.

SENATOR ROCKEFELLER: Okay? Why don't you go ahead and --

MS. JOHNSON: Do you want me to do it from here?

SENATOR ROCKEFELLER: Yeah, well, just do it from up there. We've put you up there.

And remember the success of all of this depends on your aggressiveness in your questions.

MS. JOHNSON: Thanks.

SENATOR ROCKEFELLER: And those are called green cards and the microphones.

MS. JOHNSON: Is this on?

SENATOR ROCKEFELLER: It's on.

MS. JOHNSON: Okay. Thank you for inviting me here today.

I am a privacy officer. There aren't a lot of us in the country. We have a self-help group. We talk to each other regularly, and I hope that I'm just one example of what you'll see in a variety of institutions. I don't think that the things I'm going to have to say are particularly unique to Bank One.

But I would like to introduce Bank One to you even though you may think you know us. Maybe I could introduce you to us in a way that you might not have otherwise thought about prior to today.

We are a $260 billion company. We have 85,000 employees. We have over 400 affiliates that operate on 1,500 different systems. We have 14 banking charters in 14 different states. Some of those are chartered under the rules of the OCC; some are FDIC; some are Fed.

We manufacture products in national lines of business. We offer retail banking products, investment products, insurance products. We are on line; we are off line.

I'm many things, but to my customers, I'm just a bank. They know me, and they expect that I know them and that I will always act in their best interest.

Over the next 12, 18 months, I'll be working with all of these affiliates, all of these systems, all of these lines of businesses to articulate a privacy policy that is understandable and is supported throughout my company, and I'm only going to have one policy because privacy is about what you believe in. It's about the values of your company. It's not some compliance issue.

This is going to cause a reassessment of every point of data collection in my company. We're going to have to review all of our authentication procedures. We're going to have to design new systems to facilitate a customer centric understanding of privacy preferences. We're going to have to develop a new account opening procedure for every product we offer. We are going to have to create new enterprise-wide business rules for customer list management. We're going to have to train all 85,000 employees on the policy and its execution. We're going to have to build a customer service capability to respond to inquiries and process requests. We're going to have to prepare and mail 55 million privacy notices to 55 million households that represent 75 million customers.

The protections are significant. This is an enormous customer service challenge. It's huge.

Our customers are people that we want to deal with for a lifetime. We need to make sure that they continue to be comfortable with us, with our practices, and that they will stay with us over their lifetime.

And it's important to remember that over the lifetime of that customer relationship, that customer's needs change. It may be you may start out with a car loan when you're 16 and go to a student loan and a credit card, to when you get your first job opening up a savings account to an IRA; when your first home. When you're older, you may need a reverse mortgage to allow you to stay in your home.

I need to understand what my customers are throughout the lifetime of that relationship. I need them to give me information. I need them to trust me with what I do with it.

I can't expect them to understand my structure in order for them to protect their privacy and to maintain an ability for them to conveniently avail themselves of the products and services that I have to offer.

I said earlier that privacy is values driven. It is. I think that we talk about four different rights, privacy rights of consumers: the first to be left alone. That to me in a number of other financial institutions means that we need to offer to our customers choices about how they would like us to communicate with them, by telephone, by mail, or by E-mail.

They have a right to have some control over the uses of information. I think that you're going to see privacy policies are going to go beyond what's required to provide information on how they can use the resources of the DMA, how they can exempt themselves from preapproved credit offers by contacting the credit bureaus.

They have a right to have information be secure from criminal misuse. I think you're going to see us working much more aggressively and in collaborative efforts with Treasury and the Federal Trade Commission on identity theft.

Consumers have the right to insure information is accurate. I think that the new FCRA enforcement provisions in Title V are going to really sharpen that.

Gramm-Leach-Bliley does all of these things. It provides significant new protections for FCRA enforcement. It criminalizes ID theft. It provides choices that may not have been available heretofore to customers.

I think that it's significant. We are working hard. The last thing we need right now -- this is my advertisement -- is more legislation. We need some time to undertake what we are doing.

It's difficult only to the extent that it's also contextual. Not all customers have the same preferences. So we need to maintain flexibility so that we can accommodate the various preferences of our customers.

I've heard that there are some that think that there are a number of loopholes in Title V. I don't believe that there are for financial institutions. If what we're trying to do is shoehorn an omnibus data protection act into financial services legislation, I think that we're going about it the wrong way, and if there are loopholes that pertain to institutions that may not be covered under FCRA, like new institutions that are now newly going to be considered financial institutions for purposes of Gramm-Leach-Bliley, but are not financial institutions covered by FCRA, I think we need to deal with that.

But my plea, I guess, today to you is to let us make this work. You are our customers. Our employees are our customers. It's a customer service issue, and we intend to be very proactive in its implementation.

SENATOR ROCKEFELLER: Okay, Julie. Thank you.

Paul Schwartz is our next speaker. Our speakers, incidentally, generally speak for about ten minutes, and if they speak for more than that, they learn about it.

(Laughter.)

SENATOR ROCKEFELLER: But he's a professor of law at the Brooklyn School of Law, where he is regarded as a leading international expert in privacy and information law.

He's published a lot, written two very well known books on privacy law and data protection.

Paul.

PROFESSOR SCHWARTZ: Thank you very much for that introduction, Senator Rockefeller, and thank you for the invitation today to speak at this briefing.

I was asked to provide a basic orientation regarding the issue of financial privacy, and I was also asked to be brief. Now, I cannot promise success regarding the creation of a framework for how to think about this complex and difficult issue, but I do think I can keep my remarks short, and it is, in fact, very important in life to have realistic goals. So here I go.

(Laughter.)

PROFESSOR SCHWARTZ: What I'm going to do is just make two points, and then I will mention a third point, which I probably won't have a chance to elaborate in any detail, but we can maybe come back to it in the questions.

The first thing that I'm going to do is just set up the legislative and regulatory landscape that we face.

The second thing is that I'm going to talk about the costs of privacy regimes, and in particular, about the costs of opting in or opting out.

And then finally, I'm going to point to some of the difficulties in the tasks that we face regarding financial privacy.

So my first point. Well, let me just be very crystal clear. The legal landscape that we face has three important elements which people have already alluded to. The first element, we have Gramm-Leach-Bliley enacted last year. This law and its Title V sets out a basic structure for financial privacy in the new deregulated landscape for financial institutions.

Second, we have a series of regulations that have been issued under Gramm-Leach-Bliley. They've been issued by the Federal Trade Commission, and they've also been issued in a notable interagency effort by the Board of Governors of the Federal Reserve System, the FDIC, the Office of the Comptroller of the Currency, and the Office of the Thrift Supervision.

Now, please note these regulations have been postponed. They were to take effect on November 13th, 2000, but financial institutions -- you can't hear? Okay, sure.

They were to take effect on November 13th, 2000, but financial institutions have been given until July 1st, 2001 for full compliance.

The third element in this landscape is the Clinton administration's financial privacy bill. What the Clinton bill does is tries to shift some of the default rules in the Gramm-Leach-Bliley Act. It also provides some additional protections.

Now, I've used this word "default" rule a few times, and I'd like to tell you what it is. The way to think of it is this. A default rule sets the burden if the consumer does nothing. If you are inactive, if there is inertia, the default rule will decide what happens, and so it decides what will happen. Will data be shared? Will data not be shared following consumer inactivity?

I'll give you an example. Gramm-Leach-Bliley requires opt out before disclosure of credit card details held by a financial institution. Before a financial institution can disclose details about a credit card, they can do it.

Clinton administration shifts that to opt in. Unless the consumer agrees to it, it will not happen.

I've also told you that the Clinton act provides some -- the Clinton bill -- additional protections, and an example of that would be new protections for health care information.

Second point, what are we to make of this? Well, first thing is that the choice between opt in and opt out is found in many other areas of law. It's not unique to financial privacy.

In my view, and this is my framework for you, our goal should be to find a way to permit consumers to make informed decisions about use of their information at the least cost to the consumers. That's how we should think about setting the defaults. How can we do this in the way that will be at the least cost to the consumers?

Okay. Well, now, let me just go through then opt out and opt in. It's actually quite complex. Why not just opt out, you might ask, and remember I've told you that means that if you don't do anything, you the consumer, the information is going to get shared, and there may be some instances in which opt out is the way to go.

If that is the result that most people want, if most people want information to be shared in that particular context, you might want to set an opt out because then if I do nothing, I get what I wanted, which is the information gets shared.

But we have to be careful here, and let me suggest two reasons why we have to be careful with the opt out. The first reason is there is a frequent lack of information about data processing practices. So it is very difficult for us to assume that my preference is that the information gets shared if I do nothing because I may not know about what is going to happen.

The second aspect of the difficulty under opt out is the phenomenon of consumer inertia. All of us when faced with standardized terms frequently will accept them, will do nothing, and there's actually a, not to get too academic, but there is behavioral economics that studies this problem, and they term it "bounded rationality."

In many instances we don't act in a rational way if we're given take it or leave it terms.

Now, what about opt in? Well, opt in, here, too, let me just make very brief comments. At least potentially opt in can have a good result, and the result is what we can think of as an information forcing result, namely, the bank knows more about what it is going to do with your information than you do, and if the industry doesn't convince you to opt in, if it doesn't tell you enough to make you want to opt in, you will not act, and they will not get the information.

Hence, the information forcing result frequently of an opt in rule, namely, the industry has to divulge enough information for you to say, "I will opt in."

Another way to think of it, and the second point here is it does make information more costly for the industry to obtain because they have to convince you to take action, and as a result, it may force companies because of this increased price of information to internalize some of your costs that will follow from the sharing of the information.

We're going to raise the cost of information, and that may lead to more efficient use of the data.

Okay. Third and final point. In the Information Age, personal information is multi-functional. They are used for many purposes. What this means is that it becomes very, very difficult to draw lines, and let me give you two quick examples.

One is the sharing of names and addresses. One thing that we see in the regulations under Gramm-Leach-Bliley is under some circumstances a name and address will be public information, and under other instances it is considered to be non-public information, a very difficult line to draw, an absolutely necessary line to draw.

Final example, financial information also under certain circumstances becomes medical information, and one of the things that the Clinton bill does is it tries to protect that medical information when it is in the hands of the financial industry.

Thank you very much.

SENATOR ROCKEFELLER: Thank you, Paul, very much.

And from each of these obviously lots of questions should arise.

Julie Brill is our final speaker, and she's the Assistant Attorney General for the State of Vermont, where she leads Vermont's litigation and legislative efforts on privacy and fair credit reporting.

She co-chairs something called the Privacy Working Group of the National Association of Attorneys General, and she is an expert on consumer financial privacy issues.

MS. BRILL: Thank you.

And thank you very much, Senators Rockefeller and Frist, for inviting me.

It's very exciting for me to be here and have a chance to talk to all of you here within a heartbeat of our country, and I hope it will be somewhat exciting for you to hear what's happening out at the state level.

I think what I'd like to do is just take a few minutes to paint a picture for you of the not too distant future. That's what we spend our time at the National Association of Attorneys General and in the consumer protection world thinking about, not so much what are we looking at today and trying to protect consumers right now on May 24th, 2000, but what do we need to do in order to protect consumers five years from now, seven years from now, ten years from now.

And one other piece of the landscape that I'd like to give you that Professor Schwartz I know would add to his list if he had been given 12 minutes rather than ten minutes --

(Laughter.)

MS. BRILL: -- is the Fair Credit Reporting Act, and I think it's important to understand the interplay of the Fair Credit Reporting Act with some of the work that's going on now in Gramm-Leach-Bliley.

The Fair Credit Reporting Act allows affiliates to share information and only a certain amount of that information or a certain amount of that sharing is -- do consumers learn about through notice and opt out, but much of the sharing or information is not told to consumers or are they notified about or do they -- or are they given a choice over.

So here's the future that some of us see. Some of us see a day when there will not be credit reporting agencies or there will be very few credit reporting agencies or they will be doing tasks very different from what they do now, and I think Senator Frist in his opening remarks did accurately describe the value the credit reporting agencies now play in our society.

They insure that people who don't know a banker or who don't know a particular company can get access to credit because that company can look up the bona fides of the credit worthiness of the consumer by pulling a credit report. You know, 100 years ago you had to know the banker in order to get a loan. Now you don't. They can look at your credit report, and it's really been one of the key areas that has moved credit through our nation and that has allowed us to be as economically viable as we are.

But so what happens when affiliates, large companies like Ms. Johnson's company and others, are able to share information among themselves? They will share experience information, and they'll share their own transaction information. They're not going to need to go to a credit reporting agency to decide if they want to give Julie Brill a loan. They'll just look at their own records because if they have 1,500 companies within their affiliate umbrella, they're going to have a lot of information about me and about you.

So what does that mean? That means that consumers will not have the protections that they currently have of going to more or less three entities to correct errors in their credit file. In the event that they don't get offers or they get refused an offer, they get notified about the existence of those credit reporting agencies, and they get to go to those agencies and correct the information.

Now, if in the new world of affiliate sharing and the large conglomerates who won't be looking to credit reporting agencies anymore, if what they decide to do is to offer to a certain segment of society certain goods and products at certain prices because their information says these are people who are good credit risks, and for others in their data base, they decide they're not going to offer those goods and services or at those prices, what is the consumer who's in the latter category to do? How do they even know where to go?

First of all, how do they know that they haven't been offered the good products at the good rates? Because they're not going to be given notices that they were denied a product or that they were denied a good rate as they would be under the Fair Credit Reporting Act. That won't apply. Okay?

So they won't know that they have been denied a product or a service, and if they somehow talk to their neighbor and they talk about the fact that, gee, my mortgage is nine percent and your mortgage is only seven percent, oh, my gosh, how do they even know where to go to figure out why they were offered such a high rate?

So I think it's important for you all to think about this future, this future of affiliates sharing all of this information in this totally unregulated fashion. That's what we spend our time thinking about. So that's the first picture I wanted to paint for you.

I wanted to build a little bit on what Professor Schwartz had said about the opt in issue. So this is another point I'm going to address. It's something that we at the state level have been also thinking about.

Why is it important to have an opt in for certain types of financial information? Is it important at all, or is an opt out with really vigorous notice good enough?

You'll hear many people tell you that the fact that information is being shared is really immaterial to consumers. All it means is that they're going to get an offer for some kind of product that, you know, they may or may not want and that they can just toss in the garbage, and that it's an envelope and it's maybe wasting paper, and maybe there's an environmental concern, but that's really it.

As I just tried to paint for you, we think there's much more going on here. We think that in the future what you're going to see is this issue of products and services being offered at different rates and to different people and for different purposes.

And so how does opt in play into that system? Well, it allows consumers to know who has their information. It allows them to, gee, they could even keep a list. And then they know if they aren't offered products, if they're not offered services, they know who to go to to correct the errors, and I see this as a really critical issue.

I come at this from -- I'll just tell you a brief story, and if I start to run over time, just cut me off, and we can deal with the rest of it in questions.

About, gosh, now maybe it's even ten years ago in Vermont we had a real poignant and strong example of how the error issue can affect people, and this came about in the credit reporting area.

We had all three credit reporting agencies report that every single member of several communities in Vermont were not paying their taxes, and it was because they had all hired the same subcontractor to go out and read the public records, and they misread the public records. They didn't understand what the tax lien situation was in Vermont and what a tax lien is.

And so everybody was listed as a dead beat in like, you know, 20 towns. So people tried to get a mortgage. They tried to get a home equity loan, and they were all told, no, they couldn't. They couldn't get it.

So you know, this became a big problem as you can imagine, and it's one of the reasons why in Vermont we have some very strong privacy protection laws which I'll talk about in a second because we've had this experience, and we recognize the importance of having consumers have some control over their information so that they know where to go in order to correct a problem.

I think one of the things that we hear, although we didn't hear it from Ms. Johnson; I was somewhat surprised, although perhaps I shouldn't have been, but one of the things that I spent all day yesterday -- I was at another conference talking about bank privacy, and I was the only consumer advocate type present, and it was all industry folks, and they were all saying, "Gee, you know, we now have this federal law. We should just let the federal law work and states should not enact more protective legislation."

And I have a couple of responses to that. One is, you know, where was the industry last year when we were enacting Gramm-Leach-Bliley and we were all out in the state level and the consumer advocates were all screaming for more protective legislation, more protective legislation than what we were seeing coming working its way through the halls here, and the bank said no. "Nope, this is it. This is good enough. It gives us a chance."

And so what happened was because they weren't willing to go further as far as some of the consumer advocates wanted, the Sarbanes amendment came about, and for those of you who don't know, it's part of Title V, and it says that more protective state legislation will not be preempted, and the FTC gets to decide what's more protective and what isn't.

So now what I'm hearing when I go around and talk to people is, "Gee, the states shouldn't be allowed to enact more protective legislation. We need one system. We need one set of laws."

Well, I say, gee, if they dealt with this issue right the first time, probably the Sarbanes amendment wouldn't have come about, but that's where we are now. It's because the federal law wasn't deemed to be protective enough that the states wanted the ability to protect their citizens further if need be.

I would also say that one of the things that we hear is, you know, an opt in will lead to just disaster for the banks, and they can't possibly deal with it, and when I speak of banks actually I mean financial institutions because now banks and insurance companies and securities firms will all be engaging in the same activity. They can't possibly deal with it. They can't possibly deal with 50 different laws. It's just too difficult for them, and my response is several. I have several points to that.

One is that we still are in a federalist system. We still do have state laws, and insurance companies are particularly used to dealing with states because of McCarran-Ferguson. Their only regulators are at the state level. Banks and securities firms are quite used to a dual system of regulation. They all have state regulators as well as federal regulators.

Unlike on-line transactions, you probably heard a lot about on-line transactions at your last meeting here. Banks and securities firms and insurance companies know who they're dealing with. They know where we live. It's not like it will be difficult for them to figure out that I'm from Vermont and you all are from Washington and someone else is from California. They know where we live. So they'll be able to comply with our laws, and we have lots of other national companies that deal with 50 or multiple state rules and regulations. It really isn't that difficult to do.

In Vermont we've had an opt in for financial information, as well as for credit reporting for about five or six years. The sky hasn't fallen. Consumers are given plenty of opportunities to buy products. They don't get lots of phone calls at night time asking them to opt into this and opt into that. It doesn't work that way. Businesses are very savvy in how to deal with an opt in, and they seek permission when they sign up the consumer originally for a service.

So I would just warn you as this debate works its way through, you'll hear a lot of arguments against an opt in, and many of them do not play out in terms of the experiences that the states have had on that issue.

SENATOR ROCKEFELLER: Thank you, Julie, very much.

Anybody have a question for the microphone, for the exuberant amongst you? For the less exuberant we collect these, and, Bill, if I might, I'll just ask one.

What does the -- this is from a congressional office, I think -- what does the FTC privacy report that was released this week mean for Internet banking? I guess this would be to you. And what information does Bank One's Wingspan Division collect? What kind of information? Do customers have access to that information collected about them?

Do you think your privacy policy gives customers the tools to make good decisions?

MS. JOHNSON: First of all, I'm not sure that I can speak to the FTC report that just came out this week. I have read the first draft. I have not read the final report, but I thought that it was a thoughtful piece of work. I thought that it really presented both sides of a number of really hard questions that need a lot further vetting. So I really don't have an opinion on that.

At Wingspan we do our privacy policy that's posted. I think that any bank really has been in the business of providing customers with what they know about the customer for quite some time. We send you statements every month, and you have the opportunity to correct them, and you have rights with respect to accuracy, and we have commitments that we have to make to you.

So I don't see access as being a particularly difficult issue for financial institutions.

With respect to Internet sites particularly, I think that the future is going to be in technology. There are a couple of wonderful new software programs that are out. I don't know if you are all familiar with the I Decide. I Decide is a software that you can download, and it has an icon, a closed eye at the top of your screen, and if there's a cookie placed on the site, the eye opens. If your site is a part of network tracking so that you have all of those unknowns that may be out there on the site and you're confident about what's been disclosed in the privacy policy, I Decide has multiple eyes that open and then tells you how to disable those.

So I think that the future with Wingspan and all other on-line is going to be through technology.

SENATOR ROCKEFELLER: Let's see. We've got a bunch of questions again. People, go to the microphone if you'd like and let's go to the microphone, and even if you submitted a question, go to the microphone and we won't ask it again.

Yes, sir.

MR. GELMAN: All right. My name is Bob Gelman. I'm a privacy consultant here in Washington. In the past business has resisted privacy laws, and then when privacy laws seem to be in prospect, they supported sectoral laws rather than omnibus laws, broader based laws, and now that we have a fairly broad based sectoral law, namely, GLB, everyone has had to confront the problem of defining sectors and discover that it doesn't work very well.

And I wonder if the panelists might discuss that issue.

SENATOR ROCKEFELLER: All right. Let's turn it to each of the panelists.

Dr. Schwartz.

PROFESSOR SCHWARTZ: That's a very perceptive point. As I finished my talk, in talking about the problem of multi-functional data, this is what happens. The information can flow from sector to sector and becomes more and more difficult to define what a sector is. What is -- if you're going to a health care Web site and getting advice and so on and so forth.

I don't think we're ready as a practical matter in the United States to abandon the sector-by-sector approach, but it's fascinating to see this phenomenon that you're describing where even when we pick a very big sector, financial industry, it looks like, you know, the water is coming over the top of the dike, and it's hard to know where that begins and ends.

SENATOR ROCKEFELLER: Julie or Julie, comments?

MS. JOHNSON: Go ahead.

SENATOR ROCKEFELLER: Either one. Okay. Julie to my --

MS. JOHNSON: Go ahead.

SENATOR ROCKEFELLER: Julie to my right.

MS. BRILL: Okay. I think I made my point that I think as much sector regulation and legislation as possible has been visited upon the financial services industry. I think it is going to be difficult to try to expand those protections beyond financial services using financial institutions or financial institution laws as the vehicle.

I will say that the financial services industry is certainly open to talking to anybody about addressing medical issues. We absolutely believe and support the notion that it's inappropriate to use medical information to make a credit decision. I think that's consistent with other regulation against discrimination, and so we don't even see that as on the table for discussion.

SENATOR ROCKEFELLER: Julie, any comment?

MS. JOHNSON: I was just going to say that I agree very much with Bob. Bob and I are old friends in this area, and I would also want to focus the question or my answer to the question, again, on the future.

And you know, we're going to be seeing products that we won't even know how to define. We'll be seeing products that will look a little bit like a banking product, will look a lot like a securities product, and may look a little bit like some kind of an insurance product, and maybe we'll be part of a travel club.

I mean, you know, it's just going to be all over the map, and that's just in the financial area. You know, so I agree that the sectoral approach is not going to make a lot of sense in the future, and it does make some sense to establish ground rules on privacy generally.

SENATOR ROCKEFELLER: Let me turn to another question. Would each of you please comment on the President's new privacy legislation that he proposed last week?

Again, we'll start -- Paul, do you want to comment?

PROFESSOR SCHWARTZ: Yeah. Let me just say I guess in terms of my role providing a framework, I think one of the things that the bill does is generally shift a lot of the opt outs in GLB to opt ins, and then I think the other thing that the law does quite notably is it provides additional protections as for health care information.

SENATOR ROCKEFELLER: Other comments?

MS. BRILL: Yeah, I've looked at the proposal, and actually I believe in its legislative version it was introduced by one of the Senators from Vermont. It appears to plug some of the holes that I was talking about with regard to affiliate sharing because it says that even though some of this information may be held by affiliates, if it's financial information that deals with personal spending habits, if it's medical information, it's going to be there will have to be an opt in.

So it takes away some of the concerns that I was trying to outline for you. You know, the President, I think, analogized looking at personal spending habits as it's as if the postman is going through your mail and telling everybody what it is you're buying and how much your credit card bills are and that kind of thing, and I think there's a lot to that analogy.

MS. JOHNSON: I think that one of the concerns we would have on any opt in legislation, again, is that inertia of the consumer, that if they don't opt in, then the cost of us trying to reach them to convince them that they should opt in will provide for a long term harm to the consumer because it's going to be so terribly expensive.

I think that the most important thing that we can do is keep information freely flowing to keep competition vibrant, and that will enable our small banks in small communities to compete on an equal footing with large institutions.

(End of Tape 1, Side A.)

(Beginning of Tape 1, Side B.)

SENATOR ROCKEFELLER: -- went ahead on general privacy protection, and basically the gist of this question is: why don't Americans -- why aren't Americans entitled to the same protection as Europeans get? What is so special about us or different?

MS. BRILL: What's so special about not having access to credit unless you're a big business or a sovereign government? I mean in this country, in a democracy, we have democratization of credit, and that is through the free flow of information. Our credit is portable. It's affordable, and it is available to low income consumers as well as wealthy people.

And I don't really consider the protections of the benefits in Europe to be superior to what we have in the United States.

MS. JOHNSON: Well, we probably differ on that point. I think it is a very interesting question as to why culturally the European Union has moved so far on privacy and we have not, and to the extent that businesses want to engage in or share information across the Atlantic, you know, many of you probably know that the Commerce Department is working on some safe harbors to allow businesses to do that.

And so to the extent that you have companies that want to engage in business over there, they're going to now have to start paying attention to those rules and either comply with the safe harbors or comply with the European rules.

It's a very interesting question. I don't really have an answer to it because I think it's a cultural question more than anything. I'm not sure that credit is not available in France and England. I'd be interested in studies that would show to what extent low income credit or marginal income, marginal or medium income credit is more available here than in Europe. I'm just not aware of that one way or the other.

PROFESSOR SCHWARTZ: I guess one thing that the Europeans have done is they have expressed their information practices through omnibus, that is, nonsector laws, and I think it's important to realize it's not an us against them, not the Yankees against the Mets to use a New York example, but we in America have a great privacy tradition. We believe in fair information practices. Our Privacy Act of 1974 is a leading example of a statutory expression of fair information practices, and so I would say that Americans are entitled to have fair information practices expressed in good and clear laws.

MS. JOHNSON: One other big difference is in Europe. The people believe that the government is there to protect them. In this country, our protections are principally from the government. Your constitutional protections are, for instance, the right to be left alone is the right to not have government come intruding into your home. So we also have a different view of government in this country.

MS. BRILL: Can I just follow up on that? I think that's absolutely right, and I think what we're looking at in terms of five years, and maybe even we're there now, is rather than Big Brother, we're looking at Little Brother, and what is Little Brother doing? And Little Brother is DoubleClick. Little Brother is, you know, on the Internet. Little Brother might be some of these large financial organizations.

And I think that you're right. You're absolutely right that that is one of the cultural differences, but I think in terms of privacy, some of us are thinking that it's not just the government that we need to be focused on.

And, for instance, I think that Professor Schwartz is right, that the laws that we have in existence, that some of them do focus on like the Privacy Act, on what the government can do with your information. But other laws focus on what companies can do.

SENATOR ROCKEFELLER: There's a question to Julie Johnson.

We hear a lot about the fears associated with affiliate sharing from Bank One's perspective. How can/will the consumers benefit from affiliate sharing?

MS. JOHNSON: A consumer may benefit from affiliate sharing if we know that they have a mortgage loan, that we could make an offer of a home improvement loan. If those two activities take place in separate affiliates, the cost then for us to determine whether or not there is a prospect of a homeowner instead of using our internal records would have to go down to the courthouse to find that out.

Oftentimes we can cross-sell a home improvement loan which consumers may need right at the time at the closing by underwriting the two loans simultaneously. The cost of credit is lower.

Julie mentioned earlier that there are products that are in the minds of bankers today that haven't even been developed. We don't know what they are.

Recently I got a solicitation from Morgan Stanley for a no downpayment mortgage loan, and it was like a margin account loan using my securities as collateral for a loan, a 100 percent loan. I think that that was a customer service. Other people might think that that's a harm, but I think that the affordability of credit is going to be tied to our efficient use of information, as well as our ability, again, to manage risk and to insure that we can keep fraud costs down.

I think that we haven't really even talked about fraud, but I think that's a significant benefit of information sharing, too.

SENATOR ROCKEFELLER: Let me just turn to -- we have a number of very specific questions as well. Consumer privacy is important in banking and finance, but so is information sharing.

I understand that the bank and finance industry had the first indication of the three new computer infestations during Y2K, but were precluded from sharing this knowledge. Why didn't or can't the BNF industry share and play nice with all of us for the greater good?

Any comments, folks?

PROFESSOR SCHWARTZ: News to me.

MS. BRILL: Yeah. Why wouldn't they have been able to share that information? They weren't giving out personally identifiable information by saying that there was a bug. I mean I'm not --

SENATOR ROCKEFELLER: And whoever asked this question, if you're still here, help educate me and others.

Okay. Next question.

SENATOR ROCKEFELLER: I just wanted to ask one to Julie on the right, and that is that when you indicated that if you -- one of the problems with opt in is that it becomes then more expensive for you to go back and convince the customer that they were wrong because they chose not to opt in. I'm a little confused by that.

In other words, why shouldn't it be more expensive? If the consumer has said to you, "I'm not interested," why shouldn't it be a little bit more expensive for you to go back and convince that consumer?

MS. BRILL: It would be more expensive.

SENATOR ROCKEFELLER: I know, but why shouldn't it be?

MS. BRILL: Oh.

SENATOR ROCKEFELLER: Because they've already said they don't want what you have to offer.

MS. BRILL: That's right. I think that there's a huge consumer education challenge that we have in front of us. If consumers are not going to opt in, then let's say that that customer is not as profitable as another customer. Am I going to decide that the costs are too great for me to go back and try to convince that customer to opt back in?

I think it really jeopardizes my ability to uniformly and fairly make offers known to my customers.

SENATOR ROCKEFELLER: Comments?

Paul.

PROFESSOR SCHWARTZ: Well, I don't know because I think that if you develop on what Senator Rockefeller was saying, if you, as it were, raised the cost of information for the financial services industry, they may figure out more efficient ways of contacting us because what the good, namely, the personal information, they have to bear more of the cost. Put it in economics terms. You force the financial industry through this opt in to internalize more of the cost of contacting you, and so hopefully they'll use the information in more efficient ways.

Another way to think of it is they're getting the information at a below market rate. They're getting it at a below market rate because they can just assume you want to be contacted by them, and that's not the true cost because the true cost would be the fact that you don't want to be contacted, as you were saying.

And so since they're getting it at a below market rate, they get to use it in a wasteful way. So I think that's another way of looking at it, which is end the welfare and move to opt in.

MS. BRILL: Are you all saying that you want to drive up the cost of credit?

MS. JOHNSON: I think what I would add or to comment to that is obviously we don't want to drive up the cost of credit, but someone has to pay for this information gathering or stopping the information gathering. Either the consumer is going to have to bear the cost of notifying each and every company if they don't want the information or the companies are going to have to bear the cost of trying to remind consumers of the benefits of having their information shared.

And I would say, like Senator Rockefeller, that it appears to be more appropriate for the company that's going to profit from the information, which is the company that's trying to get it, to bear those costs rather than the consumer bearing those costs because it will take something for the consumer to opt out of each and every -- each and every time they don't want their information shared. That costs something to consumers.

It's time. It's money.

MS. BRILL: If I have 75 million customers and I live in an opt in world where I think we all are agreed 15 percent will act and the other 85 percent will be overcome by inertia, the potential customer base for any new product that I might offer or a new way of delivery is going to be predicated on my knowing I've got 15 percent of that 75 million.

All of a sudden my opportunity cost is too high for me to go forward and make an investment in a new system or a new product or at least not as many systems and as many products.

PROFESSOR SCHWARTZ: Just a quick follow-up. I think take the opt and opt out argument. I think it should be made contextually. I don't think there should be one rule for every financial product and every financial industry. I think it's very important to make it contextual and figure out where if you have an opt in you will force industry to divulge information about their practices that will be useful for consumers.

There may be other circumstances under which an opt out makes sense. So I think I would argue in favor of a real close look at different contexts of information use.

SENATOR ROCKEFELLER: Paul, could you? I just received this question right now as we're talking about this cost of opting in, opting out. Could you just outline again briefly the various types of opt in and opt out that we're talking about so that people can equate in their own mind potential cost?

PROFESSOR SCHWARTZ: I guess one way, to go back to what I was saying, it's really the what happens if you do nothing. I recently just installed a mouse on a new computer, and they had all of the settings already set for me as it turned out, and I just went through it and I just clicked next, next, next if I agreed with it. I didn't have to do anything unless I saw something I didn't like.

And so that's a way to think of this opt in, opt out. What happens if you do nothing? And under opt out if you do nothing, the information gets shared. Under opt in, you have to agree; you have to opt into the financial services industry and say it's okay. I opt in. You may use it.

SENATOR ROCKEFELLER: And then the other question is: is this transaction by transaction or the decision is made on an ongoing basis when you say opt in/opt out?

PROFESSOR SCHWARTZ: Well, depending on then whether we're looking at GLB or the Clinton approach, basically in GLB, as you know, the rule is you get notice when you sign up for the bank, and if I'm getting this correctly, affiliates may share information freely, and then if it's going to go -- and correct me if I'm wrong -- if it's going to go to a nonaffiliated company, you get a chance to opt out. So that would be one example.

MS. BRILL: At the state level with our opt in, these opt ins can occur once. They can occur when you sign up for your credit card. You can opt in to the information sharing so that you can be offered products and services. So, you know, although I understand what Ms. Johnson is saying, that there is inertia that would set in and that's what we're talking about, that's what Professor Schwartz is talking about, who bears the burden of that inertia?

I think an opt in can be structured so that it's easy for consumers to opt in and that they'd want to do it, and that they just would have to do it once, and it would cover all services and products offered in the future.

SENATOR ROCKEFELLER: Isn't one of the considerations in opt in and opt out, too, that when you have an opt out, that assumes that the consumer is able to get a very clear understanding visually as well as intellectually, as well as being able to understand what it is they're opting out of. So that means the placement of the opt out, the ease with which one can deal with the opt out, and secondly, is the opt out written, you know, in language which most of us can understand?

So that people can say, oh, well, you know, in Web sites 90 percent of all information is there, but the question is: what does "there" mean? Is it understandable? Is it visible? Is it in little writing or big writing? Is it in legal writing? Isn't that a factor?

PROFESSOR SCHWARTZ: Yeah, that is a very major concern, and actually the regulations try to help business about this, and they spend a great deal of effort talking about what is a clear disclosure, and they give samples of what the clear disclosure is, and it's a very important point because we can only assimilate so much information at any given time.

And so in the FTC regs. and in the other regs. they try to give industry very clear indications. This is the kinds of sample notices we think you should do, and also we require that the notice and the opt out be made in a clear and understandable way.

MS. BRILL: And I think that every financial institution understands that the opt in, and I think the regulators made this clear to us, that the opt in has to be so conspicuous, it has to be so easy, your opt out, so easy to exercise that it really is almost an equivalent of opt in with respect to your ease of execution.

And so that's something that all institutions are going to be very mindful of, is making that clear and conspicuous. And in fact, in the regulations prior to this with FCRA, the customers had to write a letter to exercise their opt out. Under the regulations implementing Gramm-Leach-Bliley, that's no longer sufficient. You either have to provide an 800 number or a check-off form to make it very conspicuous, very easy for the customer to execute.

PROFESSOR SCHWARTZ: If you want me to follow up, I have the regs. here from the FTC, and they talk, for example, reasonable opt out means a designated check-off box in a prominent position on the relevant forms; a reply form that includes the address to which the form should be made; an electronic means to opt out; a toll free number.

It also says what unreasonable opt out means, and, again, this is the FTC regulations. You do not provide a reasonable means of opting out if the only means of opting out is for the consumer to write his or her own letter to exercise that opt out right, or that, by the way, is the kinds of things that my 71 year old mother, you know, frequently kind of asks me to do as one of the lawyers in the family.

(b) The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that you provided with the initial notice, but did not include with this subsequent notice.

MS. BRILL: The question is, I mean, I think that the regulatory notices are much, much better than the notices that the banks were providing previously, and I've spent a lot of time looking at the old notices because we're doing enforcement work in that issue, and they were extremely difficult to understand.

Having said that, I think there still will be a group of consumers that won't understand the new notices. There are always going to be a group of consumers that just won't understand what's happening.

And so, again, it comes to the question of what happens to those consumers who don't understand. Are they going to be forced into one group or the other group?

SENATOR ROCKEFELLER: We're going to end at 1:30, which it is.

Have you got parting comments?

SENATOR FRIST: No, I don't. Do you? Well, you give them.

SENATOR ROCKEFELLER: All right. We always have this little ritual we go through, and Bill and I fight over it and remain friends.

We remind everybody to fill out their evaluation forms because evaluation forms, in fact, determine how well we're doing, and they have an influence on how we do in the future.

Now, the next tech. forum is going to be very interesting because it's going to be a merger of the two forums that Bill and I co-chair together, which is the Alliance for Health Care and this alliance or this forum, and that will be on June 21st in Room -- and this is a happy moment -- Room 216 of the Hart Building. That is the room. That's what we want, and it will be on, well, medical privacy, and that obviously is a place where the two forums would come together.

So June 21st, same time, 216 Hart building. Come, bring all of your friends because there's lots of room there.

I want to thank the panelists very, very much for coming, and this is very good, and we conclude.

(Applause.)

(Whereupon, the forum in the above-entitled matter was concluded.)