June 29, 1999 United States Congress Washington, DC 20510-6300 RE: Privacy concerns in H.R. 10 Dear Representative: We are writing to urge you to take steps to ensure that legislation to modernize the financial services industry contains strong privacy protections for consumers. We are deeply concerned with several provisions in H.R. 10 that are intended to address the privacy interests of individuals in the integrated financial services marketplace the bill envisions. The continued growth of electronic commerce, use of the Internet, and integration of disparate businesses creates a growing urgency to establish privacy rules. Much of the concern with privacy in electronic commerce stems from a lack of privacy rules in sectors of the economy, such as financial and health, that handle a treasure trove of sensitive information on individuals. We appreciate your efforts to protect individuals' privacy, however the current language of H.R. 10 falls far short of providing the protections needed by consumers and in some instances will actually undermine protections afforded under existing state laws. Fairness and control over personal information As currently drafted Title V, Subtitle A, Section 501 does not address consumers' need to control the flow of personal information between and amongst related and unrelated companies. We believe that the sensitive nature of personal financial information demand enhanced consumer control over its use and disclosure. The appropriate method of ensuring that individuals' sensitive information is handled appropriately is to require companies to obtain their explicit permission prior to using it or disclosing it for unrelated purposes. The current draft falls far short of this goal. We urge you to reinsert the bi-partisan Commerce Committee provision on privacy, and to allow a vote on an "opt-in" requirement for both affiliate and third-party sharing of information. At a minimum, legislation should not be passed unless it includes the bi-partisan financial privacy opt-out provision adopted by the Commerce Committee on a voice vote. That provision would protect consumers whenever personal information is used for any secondary purpose, both inside and outside a financial institution. Illicit access to personal information Title V, Subtitle B, Section 521 was inserted to limit the practice or "pre-text calling" whereby an individual attempts through trickery to obtain another individual's personal information from a bank or other institution. We applaud your effort to address this troubling activity. However, paragraphs (c) and (g) of Section 521, undermine your goal. Section (c) exempts pre-text calling by law enforcement agencies. This is extremely troubling. Under the Right to Financial Privacy, 12 USC 3401 et seq, banks are generally prohibited from disclosing financial records to the government without a court order. Under RFPA, nearly all federal investigators must provide "formal written requests" to inspect the financial records of an individual kept by a financial institution and the individual who's records are sought must be given notice and an opportunity to challenge the access. This exception would suggest that law enforcement officials are free to engage in pretext calling rather than follow the requirements established under RFPA. Similarly troubling is paragraph (g) which states that the provision does not apply to private investigators seeking to collect child support. While ensuring that child support obligations are met is a worthy goal, it too should be done under legal requirements set out in RFPA to protect individuals' privacy. We urge you to remove these provisions from H.R. 10. Medical privacy Title III, Subtitle D, Section 351 addresses the confidentiality of health and medical information. While we understand that the intent of this language, as offered by Congressman Ganske (R-IA), was to limit the sharing of information between financial industries and their affiliates, the provision does exactly the opposite. As drafted it will permit the broad sharing of sensitive medical information without individuals' knowledge or consent. As written the bill will preempt existing state privacy laws, and establish instead a backdoor access to sensitive medical information. To make matters worse, the section takes away the Secretary of Health and Human Services authority, granted under the Health Insurance Portability and Accountability Act, to promulgate regulations if Congress fails to meet its statutory August deadline to pass a comprehensive medical privacy law. In effect, H.R. 10 presents the worst case scenario for health care consumers: it provides legal authorization for the use of medical information without consent between unrelated industries and prevents states from passing stronger laws in the future. The current provision will undermine state laws designed to protect individual privacy and further exacerbate the risks to privacy due to the absence of comprehensive federal protections. We believe that the complex issue of medical privacy will be best addressed through the ongoing congressional effort to meet the August deadline for the enactment of a comprehensive federal health privacy law. To that end, we request that Section 351 be removed entirely. We thank you for your attention to the important privacy considerations in H.R. 10. We are available to discuss these issues with you at your convenience. You may reach us at (202) 637-9800. Sincerely, Jerry Berman Executive Director Deirdre Mulligan Staff Counsel