Printed with permission from Star Systems Inc.
FILING ON THE PRIVACY ISSUE: A BACKGROUNDER
Longstanding tensions between consumers' right to privacy and the legitimate business needs of financial service providers came to a head last year when Congress passed legislation addressing privacy issues.
It was inevitable that Congress would act. Consumers have legitimate interests in privacy. Financial service providers have an equally legitimate need to gather and use information, not only to prevent fraud but also to expand consumer options.
In its first direct response, Congress last year addressed privacy issues as part of the Gramm-Leach-Bliley (GLB) Act, which achieved comprehensive reform of laws governing financial services. Title V of GLB put in place the most far-reaching set of privacy safeguards pertaining to financial information and certain personal data ever adopted by Congress.
Regulatory agencies must still complete the critical task of writing the detailed rules that will dictate how the new statute will be applied. But the major mandates of Title V are clear enough.
The following requirements apply to all covered institutions, including banks, credit unions, thrifts, insurance carriers, brokerage firms, credit card issuers, and electronic funds transfer (EFT) services:
- Businesses may not disclose a customer's account number for the purpose of marketing appeals by a third party.
- Businesses must develop practices to protect information from unauthorized access by outsiders - hackers, for instance.
- Companies must inform customers in a clear, timely manner of their policies concerning the sharing of information with unaffiliated third parties.
- Customers must be informed of their right to "opt-out" of that arrangement - that is, to refuse permission for the dissemination of certain types of data.
GLB: Just the Beginning Despite the historic nature of the legislation, passage of GLB has not satisfied the most ardent privacy advocates. Drafts of federal agencies' regulations to implement Title V were still works in progress when efforts began to enact even more stringent legislation at the national and state levels. Providers of financial services thought that the early months of 2000 would be a time for refining the fine print of detailed federal rules. Instead, the providers and the public they serve face the threat of additional legislation, most likely at the state level, that would further circumscribe - possibly in destructive ways - what companies can do with information about their customers.The new statute and the quest for more legislation at the federal and state levels create uncertainty in all sectors of the industry. There is good reason for the concern felt by banks, credit unions, thrifts, insurance carriers, brokerage firms, credit card issuers, and electronic funds transfer (EFT) services. As they consider appeals for yet another round of privacy legislation, policymakers would do well to consider the following points:
- Even a few states imposing disparate versions of privacy requirements would amount to a recipe for chaos.
- Additional restrictions would make compliance efforts by institutions not only cumbersome, but also expensive and confusing for both employees and consumers.
- At a time when U.S. authorities are attempting to reconcile policies here with privacy principles adopted by the European Union, adding new, different standards would complicate that process and may also slow it down.
- With enforcement agencies refining regulations to implement Title V and service providers striving to improve their voluntary privacy safeguards, logic dictates that systems now being honed be given a real-world test before yet new policies are even considered - let alone enacted.
It is crucial for the public and policymakers alike to understand that at least some of the additional privacy measures would have the unintended consequence of damaging consumers' interests. To that end, this paper seeks to examine the implications of the ongoing policy debate and put it in context.Reasonable outcomes - addressing consumers' concerns without forcing service providers into a straitjacket - will be more likely if the effort to impose new statutes is better understood. This reality places a new premium on informed decision making and accurate media coverage that provides factual information to help offset the often emotional arguments of those who seek still more onerous laws.
With these goals in mind, Star Systems, Inc. and its President and CEO, Ronald V. Congemi, offer this paper as a means of focusing discussion and identifying the relevant issues. The Dynamic in 1999: How We Got Here Though several earlier laws - such as the Fair Credit Reporting Act and the Electronic Fund Transfer Act - dealt with certain privacy concerns, there was a growing sense of unease over the issue among consumer advocates and some members of Congress as GLB moved toward passage in 1999.
Given the landscape, it was hardly surprising that privacy advocates used the bill as a vehicle for their agenda. Ed Mierzwinski, spokesman for the U.S. Public Interest Research Group, summarized the anxiety of consumer advocates in the emotional terms common to this debate: "Consumers are going to be captive customers subject to the most sophisticated database profiling ever, and as a result targeted aggressively with overpriced products." But the pressure to act was not solely the result of energetic consumer advocacy efforts. Edward Gramlich, a member of the Federal Reserve Board, described the tension objectively when he told a House subcommittee: "The collision between economic interests in the value of customer information and individual privacy interests is an inevitable consequence of the growth in information technology. As information technology increases the flexibility of production processes to meet changes in product demands, the value of information about existing and probable demands also increases." Gramlich and other experts have also stressed the crucial contribution of enhanced information exchanges in providing better service to consumers at lower cost. That includes additional choices as to how, and from whom, customers get the services they want. But many of these benefits remain in the development stage and others have only begun to be made available to the public. Thus, the benefits lack immediacy for many consumers, making it far easier for those wanting to impose new restrictions to exploit fear of the future and limited negative experience.
The ability to exploit an isolated, but compelling, incident was illustrated recently when Minnesota authorities accused a major bank of selling personal information about its customers to a marketing firm. The bank consented to cease the practice and to pay a fine.
While there was no evidence that the Minnesota case represented a widespread practice, it gave the advocates of statutory policing (as opposed to self-regulation) a timely talking point. It also fed a belief that business organizations viewed private financial information as a commodity to be sold for profit rather than as a tool to benefit their customers.
Meanwhile, the privacy issue has gained greater currency through pervasive discussion of the related issue of security of online information. The Federal Trade Commission, having laid out a set of principles for Internet information practices, periodically reports to Congress on the degree of voluntary compliance by the operators of commercial sites. Last year, the FTC reported that among the 100 most frequently used Internet sites, only 20 percent were complying with all of the FTC's principles. (These stipulate that users should be informed about how personal information might be used, that they have an opportunity to consent to that use, that they have means of access to data compilations concerning them, and that the operator has provided security measures against improper scrutiny by other parties.)
The anxiety about Internet security is heightened by individual anecdotes that become "horror story" metaphors. While these may be atypical, it is prudent for the industry - as it shapes practices and public affairs policies - to understand the emotional appeal of these accounts. Consider, for example, a statement by FTC Commissioner Sheila F. Anthony last summer in testimony on Internet issues, when she talked of personal experience: "I was shocked to discover … that at least one of several 'information brokers' operating in the marketplace had my name and my husband's name, our address, the value of our house, our Social Security numbers and the years in which they were issued, our mothers' maiden names, the address where we lived … our two daughters' names, their Social Security numbers, their husbands' names … and even our three-year-old grandchild's name and Social Security number. I might add that there were several mistakes in that report on me."
When Anthony told members of Congress that she was "troubled" by what she perceived to be reluctance on the part of many Internet service providers to meet privacy concerns, she was reflecting widespread public sentiment. An annual survey of consumer sentiment carried out by three universities and AT&T Labs showed in the spring of 1999 that many Americans shared that view. According to the research, 87 percent of Internet users fretted about threats to their privacy, up from 81 percent the previous year. While this poll focused on use of the Internet, it is easy in the computer age to associate e-commerce with all commerce in which computers play any significant role and where privacy issues can arise.
The Rush to Legislate
The pressure to legislate has not abated with enactment of GLB. For elected officials, crusading in favor of tighter privacy laws is something of a "gimme" that shows them delivering an ostensible benefit for the average citizen without levying new taxes or spending large sums. That is an enviable posture for a political leader, particularly in an election year and in an environment in which many voters believe industry has assumed the "Big Brother" role that George Orwell had assigned to government.
Whatever the motivation, elected politicians across the nation are now racing to surpass the federal rule makers, creating a privacy pile-on. Issues at hand include:
- Legislators in at least 17 states are promoting bills aimed at imposing constraints more rigorous than those in GLB. This raises the threat of a hodgepodge of restrictions that would constitute an operational nightmare, particularly for any service provider operating across state lines.
- New federal legislation with bipartisan backing, now pending, would toughen GLB's privacy regime.
- A bipartisan Privacy Caucus has sprung up on Capitol Hill to promote additional restrictions on the use of financial information. Senate Democrats have formed a separate Privacy Task Force for the same purpose.
- The Clinton administration has labeled on-line privacy a priority issue for action this year.
The irony is that Title V, as it now stands, goes further than anyone would have imagined a few years ago in terms of privacy protection. It requires service providers to give customers extensive explanations of their information-sharing policies. Companies must also notify patrons of security measures to prevent the theft of personal information. These disclosures must be distributed at the outset of a business relationship and annually thereafter.Pre-existing business relationships are also covered by the new disclosure requirement. Based on this disclosure, customers have the right to "opt out," or prevent their service provider from transferring nonpublic, personal information to an unaffiliated third party. Individuals can opt out at any time during their business relationship with the company.
Perhaps the most serious threat of privacy overkill comes from those who would replace "opt out" with "opt in" - an approach that requires consumers to actively accept the disclosure practices of financial institutions.
As discussed in more depth below, experience in other fields shows consumers regard "opt in" requirements as a burden, and they fail to take the active step of "opting in" even when it is to their clear benefit. In many instances, the failure to "opt in" to disclosure policies would deprive consumers of clearly beneficial services to which they have grown accustomed.
A provision of GLB that would allow state law, in some instances, to supersede the new federal rules heightens the potential impact of any new state measures.
Title V, as it now stands, contains a number of common sense exceptions that allow certain information transfers, even if a customer opts out. These exceptions are designed to facilitate a variety of routine transactions, such as verifying bank balances and enabling use of credit and ATM/debit cards. But new state rules might exclude some or all of the federal exceptions, thereby creating obstacles that would reduce convenience, add costs and/or weaken fraud-prevention measures.
Combined with an opt-in rule, elimination of such exceptions could unintentionally deprive consumers of access to services they prize because many services cannot exist without the data sharing excepted by Title V. Until customers realized that they must exercise an opt-in document to receive services, the financial institution could not provide the service. Thus, customers would unwittingly lose conveniences to which they have grown accustomed.
Indeed, shared financial information is critical to beneficial innovations including fraud reduction initiatives and expanded payment options. For example, databases operated by third parties rely on shared information from institutions across the country to verify account existence and availability of funds in order to help reduce check fraud. While the data is comprehensive, it contains no personal information; all identifiers are "scrubbed" by the participating financial institutions and only numeric information is shared.
Consumers also benefit from anti-fraud programs that use artificial intelligence to identify unusual or unexpected changes in an individual's credit card spending - a common tip-off of credit card theft. Such programs, which rely on the sharing of up-to-date information, could be at placed at risk by unwise state regulations.
There is also the possibility that state measures may encourage a flood of class action lawsuits against financial institutions over alleged privacy violations.
Holes in the Case for Additional Regulation
The case for additional regulation can be rebutted with hard facts. For one, the examples of actual harm to consumers because of privacy abuse are rare. Moreover, many familiar privacy problems are covered by existing law. For example:
- The Fair Credit Reporting Act deals with such issues as erroneous information that can undermine an individual's borrowing power.
- The Electronic Fund Transfer Act requires financial institutions to inform their customers of information disclosure policies.
- The Telephone Consumer Protection Act regulates telemarketing practices, requiring (among other things) that consumers have the opportunity to "opt out" of future solicitation by a specific company.
In the final stages of consideration of GLB, some experts pointed out that restrictions - no matter how well intended - can have unfortunate results. That had been the case in Maine, for instance, when the state attempted to protect the confidentiality of medical records. Though the Maine law that took effect early in 1999 had been discussed for years, it still had odd, unintended consequences. For example, it impeded close relatives from getting information on the condition of family members and slowed the delivery of gifts to hospital patients. The measure was soon repealed.Maine's experience was hardly unique. Fred H. Cate, a professor of law at the University of Indiana-Bloomington and an authority on privacy issues, told a House subcommittee:
"Other states have experienced similar results. It is extraordinarily difficult to close off information flows, even for the best of reasons, without imposing wide ranging costs on individuals and institutions alike."
This view has a distinguished pedigree. It is shared to a considerable degree by such objective authorities as the Federal Reserve Board and most members of the FTC. Last year, while underscoring the need for better safeguards for Internet users, the FTC nonetheless came down on the side of self-regulation by industry as opposed to federal fiat.
Still, in passing GLB, Congress included restrictions on information use. Many members of Congress, including some of the most liberal, said that they were satisfied with the opt-out provision, the bar on transmission to third parties, and other safeguards. However, the landmark nature of Title V received insufficient notice, perhaps because the measures eventually adopted were billed as a "compromise." The last-minute amendment allowing states to enact still more restrictions - without regard to logic or the uniformity essential for our national markets - was itself a compromise that reflected the appetite for further regulation. It also demonstrated lack of understanding by some policymakers, much of the media and consumers themselves of how far GLB went and also the potential adverse impact on consumers of unreasonable regulation.
The Solid Case for a Moratorium
Because the chairmen of key congressional committees and some other leaders seem reluctant to propose new federal legislation so soon after GLB's enactment, it appears unlikely - despite election-year temptations - that Congress will rush to impose additional restrictions. But there are bound to be rhetorical rumblings in Washington. These will likely reinforce public apprehension and keep consumer advocacy groups energized. And, as discussed, at least some of the states, absent legal restrictions imposed by Washington, may well enact disparate legislation that will create new difficulties.
In this atmosphere, the best argument for those opposed to new legislation is that the already strong privacy provisions of GLB, as refined in the agency regulations now being sculpted, must be given a reasonable opportunity to take hold. Indeed, Congress appeared to be heading in this direction when it ordered a six-month study by regulators - to begin after GLB takes effect - on information sharing among affiliated providers. Therefore, Congress has good reason to place a broader moratorium on additional statutory restrictions, state as well as federal, until the new regulations are in place and until they can be tested in practice.
Trade associations and individual institutions must make this case in Washington, both to legislators and relevant executive branch officials. But state capitals in which problematic legislation is pending must also get the word. The key message at the state level is that GLB contains meaningful safeguards that both protect consumers' privacy rights and allow them to benefit from enhanced services. Therefore, it would be imprudent to torpedo the new privacy vessel - Title V - even before its maiden voyage.
Getting the word out also means educating news organizations, which can play an important part in shaping public opinion on this issue. With editorial board meetings, background papers, op-ed articles and other devices, the financial services industry should attempt to apply reality checks on the more expansive arguments of those who demand drastic measures now. Coverage that argues for pragmatism and patience can help calm the atmosphere and encourage legislators to think through the implications of additional "reform."
In this context, it is worth noting that the ability to resist inappropriate additional legislation is compounded by the fact that there is no hard and fast partisan or ideological division on this issue. Though more liberals, generally speaking, side with the privacy advocates, enough centrists and staunch conservatives are allied with them to make that faction seem broadly based. This complicates legislative strategies and also makes public relations more difficult because journalists are fond of "strange bedfellows" subplots and tend to ascribe more credibility to such alliances. The industry can easily be stereotyped in the media as predictable, self-interested and obsessed with the bottom line. The opposition is more colorful, more diverse and - ostensibly, at least - altruistic. So it is critical for service providers to meet this challenge with as many positive and precise messages as possible.
Beware of "Opt-In"
More specifically, it is imperative to encourage scrutiny of what is potentially the most burdensome and impractical requirement contained in pending federal and state bills. That is the "opt-in" standard, which would force institutions to seek the affirmative consent of all customers to each institution's privacy practices. This would obviously be a nightmare to administer because of the difficulty in getting consumers to respond to paper or e-mail requests without a clear incentive for doing so.
In one real-life test of the opt-in procedure, US West tried the system when it sought to solicit customers' permission to track patterns in telephone use for market research purposes. Though the parallel with financial services is not exact, the experience of US West underscores the problems of opt-in. The company was unable to reach one-third of those whose permission was sought, despite repeated attempts. Those individuals, therefore, were not offered the services being developed by the research effort. Further, the opt-in procedure is so inherently inefficient that it cost US West nearly $30 for each consumer who was contacted.
Fred Cate, the Indiana University law professor mentioned above, and a co-author, Professor Michael E. Staten of the Georgetown School of Business, recently produced a valuable paper on this subject which they titled "The Fallacy of 'Opt-In'." Their research demonstrates that this approach - except under the most unusual circumstances - imposes unreasonable burdens on all concerned - consumers as well as business - without adding to security of personal information in any measurable way.
The Cate-Staten study points out that the European Union adopted the opt-in standard for the collection and use of any personal information. In practice, however, EU member states have not used that option except in very special cases involving highly sensitive data. As the academics put it:
"'Opt-in' may be the law on the books throughout Europe, but 'opt-out' is the reality because government officials realize the blow that an 'opt-in' requirement would deal to European economic performance."
In depicting the negative consequences of unreasonable restrictions, it is useful to distinguish between harmful and benign uses of personal information. Maintaining confidentiality about a person's medical history clearly deserves high priority, for instance, because misuse of it could affect the individual's career prospects. That is a very different situation than, say, determining that a particular person's age and financial status indicate that he or she is a plausible recipient of a letter describing annuity programs.
Yet that distinction is often lost in the current political debate swirling around Title V. A bill pending in California - with some influential backing - would not only impose the opt-in requirement, but would also prescribe heavy fines for transfer of any personal financial information, public or nonpublic, even if no actual damage to the individual consumer has occurred. This would take privacy safeguards, as administered in the nation's largest state, to a very different and very frightening level. It would also inhibit the birth of new companies and make existing smaller enterprises leery of new ventures. Hence competition would be discouraged and consumer choice limited.
Advocates of opt-in regulations assume that consumers do not want, or have nothing to gain from, one of the large opportunities available in the modern financial marketplace - carefully directed offers to those persons most likely to have a need for new products and services developed by studying data derived from consumers' behavior and resources. The ability to create such opportunities is one of the main dividends of allowing financial service providers reasonable flexibility in the use of information about their customers.
Financial institutions, obviously, have a large stake in preventing extreme restrictions. Opt-in is the worst example of that threat, but not the only specter haunting the industry. The general public also has a large - if sometimes less obvious - interest in heading off unreasonable laws. The best way to avoid new statutory constraints is to raise awareness of the public's stake by focusing on specific facts. In capsule form, consumers' interests are at risk because:
- Increasing the efficiency of operations helps everyone because it enhances service and controls costs.
- Burdensome regulation, by contrast, will create unnecessary additional costs that inevitably trickle down to consumers.
- Unreasonable regulation imposes a special burden on companies struggling to establish themselves and smaller existing providers. These hardships squelch competition and ultimately reduce consumer options.
- Unreasonable regulation may deprive consumers information about products and services that can be communicated with the individual needs of the consumer in mind.
- As a corollary, unreasonable regulation may consign consumers to a continued onslaught of mass-market solicitations by mail, phone, and e-mail for non-relevant goods and services.
- Reasonable use of financial information is necessary to combat fraud, the price of which radiates throughout society.
- Additional legislation could well open the gates to frivolous litigation - a wasteful process that in the long run benefits no one.
These are sound, factual principles. They deserve to be put forward vigorously and promptly, even as federal regulators are honing rules necessary to implement GLB. It is useful to recall that the tug of war over privacy has been going on for many years. Whatever the fate of the particular legislative proposals now being considered, the contest will most probably continue well into the future as technology evolves. Just as financial service providers will seek to continuously improve ways of delivering their products, they would be wise to vigorously engage in the privacy debate -- effectively -- and indefinitely.Printed with permission from Star Systems Inc