Letter from Attorneys General to Financial Services Conference Committee (HR10/S900)

A Communication From the Chief Legal Officers Of the Following States:
California
Connecticut
Hawaii
Idaho
Indiana
Iowa
Maine
Maryland
Massachusetts
Minnesota
Mississippi
Missouri
New Hampshire
New York
North Dakota
Northern Mariana Islands
Pennsylvania
Puerto Rico
Rhode Island
Tennessee
Vermont
West Virginia
Wyoming

September 13, 1999

Re: Opposition to H.R. 10, the Financial Services Act of 1999

Dear Conferee:

The undersigned Attorneys General are writing to you regarding the Financial Services Act of 1999. As the states' chief legal officers, we have been asked to do a technical analysis of the Act's impact on our states' consumers. Based on our analysis, we strongly oppose provisions that will not provide adequate protection for private financial and medical records. This situation is not only bad for consumers, it fails to achieve the Act's goal of a "level playing field" between insurance companies that are affiliated with banks and those that are not.

In particular, we are concerned that the privacy provisions of the Act specifically allow practices that will further erode the rights of consumers to exercise some degree of control over their financial and medical records. H.R. 10 permits widespread use and disclosure of sensitive information without the individual's knowledge or consent, while providing only limited remedies for violations and no effective limitations on re-disclosure. The legislation provides that a financial institution need not give its customers a right to opt out of disclosure if a non-affiliated third party using the information is selling the financial institution's "own products or services."

We ask for your assistance in ensuring that Attorneys General can continue to help consumers. The attached position paper sets forth suggested changes to the language of H.R. 10 that would help achieve the goals of a more competitive financial market without sacrificing consumer welfare.

Thank you for your consideration of our views.

Very truly yours,

H.R. 10 Lacks Meaningful Privacy Protections

In its current version, H.R. 10 not only fails to enact much-needed standards and requirements to protect the vast amount of sensitive personal data that is collected and disseminated, but appears to proceed in the wrong direction by specifically allowing practices that will further erode the rights of consumers to exercise some degree of control over their financial and medical records. We are most concerned with the four areas discussed below.

Sharing and Selling of Personal Information
The ability and willingness of financial, insurance and medical organizations to share consumer data, and the uses to which such data can be put by means of various behavior modeling and scoring techniques, has grown rapidly, far outpacing what minimal consumer protections exist in this area. We believe most consumers would be very concerned to learn the extent to which their personal data are collected, tracked and used for commercial purposes, often by companies they have never heard of and with whom they have no relationship. Under these circumstances, it is unrealistic to suggest that concerns for consumer privacy can be dealt with by market forces. It seems far more likely, given the pervasiveness of data sharing and use that already exists, that market pressures will force virtually all companies to use consumer data to the full extent allowed by law, leaving consumers who are concerned about privacy without alternatives. In the case of H.R. 10, the affected businesses offer services that are essential to today's consumers who simply do not have the option of declining to purchase insurance, investment and banking services.

We strongly urge that consumers be given notice and a meaningful opportunity to choose whether or not their personal information can be provided either to affiliates or to third parties (other than legitimate law enforcement authorities). Given the sensitive nature of such data, we believe the only means of effectively controlling its use and dissemination is to require that companies obtain consumers' explicit permission prior to using, sharing or selling it for any purpose, other than legitimate law enforcement purposes, not directly connected to providing the services the consumer contracted for. We therefore urge adoption of an "opt-in" requirement with respect to the sharing of information with affiliates or with commercial third parties as the only effective means of providing consumers with a choice and with the degree of control they indicate they want and need with respect to their personal information. Although we believe an opt-in provision will best serve consumers' needs, any legislation should at least require that consumers be given notice and an opportunity to opt out with respect to the sharing of personal information.

The current language of H.R. 10 requires consumers to "opt out" of disclosure in order to avoid having their personal information shared by financial institutions with non-affiliated third parties. Yet even the minimal protection afforded by this "opt out" approach is eroded by an exemption that substantially weakens it. At Section 502(b)(2), the legislation provides that a financial institution need not give its customers a right to opt out of disclosure if a non-affiliated third party that uses the information (i.e., a telemarketer) is selling the financial institution's "own products or services." There is nothing in the legislation that would prevent a financial institution from diversifying into the sale of non-financial services (such as discount buying clubs) and hiring third-party telemarketers to sell those services. In such cases, the exemption in Section 502(b)(2) would not prevent the unfettered sharing of private financial information with the telemarketers.

There is no reason to distinguish a customer's right to control private information in a situation where a non-affiliated telemarketer is selling a financial institution's services, rather than the telemarketer's own services. In either case, an entity other than the financial institution is obtaining access to the consumer's personal data. To draw a distinction based solely on the identity of the owner of services being sold is arbitrary and does nothing to address the deeper concern: the fact that an independent third party has access to information that the consumer may consider private. Accordingly, if Congress pursues an "opt out" approach to the disclosure of private financial information, we urge that the exemption at Section 502(b)(2) of H.R. 10 be stricken.

Additionally, we urge Congress to adopt privacy protections requiring notice and opt-out provisions which apply to information sharing among affiliated entities. As currently drafted, H.R. 10 at Sections 502(a) and (b) only provides for the opportunity to receive notice of and opt out of information sharing among non-affiliated entities. Yet consumers do not differentiate between affiliates and nonaffiliates when seeking to protect against the sharing of personal financial information. Congress likewise should not differentiate between the two, and should provide equal privacy protections in both contexts.

Medical Information
No consumer information is more sensitive than medical records, yet there is no comprehensive system for protecting such information or ensuring its accuracy. It would seem more appropriate to deal with such a vital subject in a deliberate manner that focuses on the requirements relevant to this particular type of information, rather than in legislation revising the structure of the financial services industry. We agree with the instructions to the House conferees to recede to the Senate provisions on this issue, thereby allowing Congress to address the issue of medical privacy in a more deliberate manner, as contemplated by the Health Insurance Portability and Accountability Act of 1996.

If provisions regarding medical information privacy are retained in H.R. 10, we strongly urge adoption of requirements that will ensure consumers access to their own medical information and protect such information from disclosure, other than for legitimate law enforcement purposes, without the informed consent of the individual. The language currently in H.R. 10 would move in the opposite direction, permitting widespread use and disclosure of sensitive information without the individual's knowledge or consent, while providing only limited remedies for violations and no apparent limitations on re-disclosure.

Obtaining Information by Pretext
While H.R. 10 generally prohibits obtaining the customer information of a financial institution by false or fictitious statements or documents, there are a number of exceptions to this rule. The most troubling of these exceptions is that made for private investigators in connection with an attempt to collect child support. Although we do not quarrel with the goal of facilitating collection of delinquent child support payments, we believe this portion of H.R. 10 is unnecessary and is subject to abuse. Given that the caller will be making fictitious statements, and no doubt using a fictitious name, it will be virtually impossible to ensure that those making such calls meet the criteria set forth in Section 521 of the bill. Accordingly, we urge that this section of H.R. 10 be deleted.

As an alternative, we suggest that disclosure of financial information that is reasonably necessary to collect delinquent child support payments be made an affirmative obligation of financial institutions. Specifying precisely who is permitted to receive such data and the criteria that must be met before disclosure can be made, and requiring that financial institutions ensure the criteria are met before making any disclosure, would facilitate collection but greatly reduce the opportunities for abuse.

Relation to State Laws
Consumers in our states are extremely concerned about privacy issues. The rapid development of technology has permitted the creation and manipulation of ever larger and more complex data bases. Revision of the structure of the financial services industry will almost certainly hasten this process. The states have traditionally served as an arena for developing and testing the means of assuring consumer protection in a changing environment. We strongly believe that an issue as fundamental as privacy requires the full efforts of the states as well as the Congress to deal effectively with the challenges presented. We therefore urge that any legislation affecting consumer privacy not preempt existing state laws or limit the ability of state legislatures to respond to the needs of their citizens in the future.

The Center For Democracy And Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(v) +1.202.637.9800 (f) +1.202.637.0968