September 17, 1999 Honorable Bill Lockyer Attorney General of California Office of the Attorney General 1300 I Street Suite 1740 Sacramento, CA 95814 Dear Attorney General Lockyer: We welcome your recent communication to Congress opposing the current privacy language in H.R. 10 and urging the Congress to preserve privacy protections in existing state laws and to beef up federal privacy protections by requiring banks to obtain "explicit permission" from consumers before disclosing confidential data to affiliates or third parties. We applaud your leadership in this area and would like to provide you with additional background information detailing why consumers are harmed by the absence of strong privacy rules in the banking sector. Consumers want control over the internal use and sharing of personal information Consumers are deeply concerned with the privacy of their financial information. The continued growth of electronic commerce, use of the Internet, and integration of disparate businesses creates a growing urgency to establish privacy rules. Much of the concern with privacy in electronic commerce stems from a lack of privacy rules in sectors of the economy, such as financial and health, that handle a treasure trove of sensitive information on individuals. Between July 1998 and July 1999, 760 letters complaining about banks' handling of customer personal information were sent to federal agencies. Many of the complaints objected to banks' selling and sharing their personal information -- in the words of one angry consumer, "Your most recent attempt to share information (on) our account, probably at a price and profit . . . is inconceivable and reprehensible." A recent survey by AARP found that 92% of its members object to the sale of personal information by companies. More importantly, when asked. "In the future, banks, insurance companies, and investment firms may be able to merge into a single company. If they do, would you support or oppose these newly merged companies from internally sharing information about your accounts or your insurance policies?" 81% said that they opposed such internal sharing. 71% of the respondents stated that these newly merged companies should obtain written permission before sharing information. These statistics reflect the broad public concern about the privacy of personal information. The lack of privacy protection is linked to fraud Disclosing information to affiliates and third parties without consumer consent has led to documented fraud. The recently settled lawsuit by Minnesota Attorney General Hatch revealed how the disclosure of private information for marketing purposes can directly harm consumers. U.S. Bancorp had entered into an arrangement to provide personal information to a telemarketer in exchange for $4 million in commissions, some of which resulted in unauthorized charges to consumers' accounts. The sharing of credit card numbers among affiliates or with third parties is a critical ingredient to "negative option" schemes whereby an individual is charged for a "trial membership" by the business unless they call and cancel. Recently, a massive fraud scheme in which a convicted felon ran up $45.7 million in charges on individuals' credit cards was tied directly to the sale of databases of personal information by banks. According to court documents, Charter Pacific Bank provided a database of more than 3.7 million credit card numbers to the felon. According to the bank, the database is routinely sold to merchants (particularly online merchants) to assist in verifying accounts. The most glaring example of the harm from unauthorized information sharing involved affiliates. NationsBank/Securities settled for $7 million after the SEC accused the bank of sharing with NationsSecurities lists of customers with expiring CDs. The securities affiliate then allegedly used this information to sell uninsured, risky products in a misleading manner to the CD holders. Convenience and privacy The goal of privacy legislation should be to prohibit the use, sharing or selling of consumer information for purposes not directly connected to providing or servicing the product a consumer has purchased or applied for. Members of the financial services industry inaccurately suggest that privacy is at odds with convenience. While consumers' expect their information to be used to provide them with the service they have requested, they do not expect information to be used for other purposes -- inside or outside the institution. Use and sharing of personal information for other purpose -- including but not limited to marketing purposes -- should only occur with the consumer's consent. Ensuring that the law reflects consumers' expectations by providing them with control over the use and disclosure of sensitive personal information that they entrust to businesses is critical. As the statistics cited above reveal, individuals want financial institutions to protect their privacy. Individuals want to decide for themselves whether or not a specific product or convenience is in their interest. If in fact the consumer believes that a service offers a benefit they can always decide to allow information to be shared. Each of the services mentioned by the Roundtable can be provided to consumers in a fashion that protects their privacy. Individuals can choose to have streamlined access to account information provided, they can choose to use co-branded products, and they can choose to allow personal information to be used for marketing purposes. But, the choice should be for the individual to make. Like you, we believe that privacy and confidentiality must not be an afterthought in the overhaul of the financial system. Financial services' modernization legislation should not pass through Congress without strong privacy provisions. We join you in urging Congress to protect the privacy of personal information by ensuring that H.R. 10 leaves existing state privacy protections undisturbed and provides federal rules that give consumers the right to control the use and disclosure of their personal information. Sincerely, /s/ Deirdre Mulligan, Staff Counsel Center for Democracy and Technology /s/ Ram Avrahami, Director The Named Inc. /s/ Ken McEldowney, Executive Director Consumer Action /s/ Susan Grant, Vice President of Public Policy National Consumers League /s/ Beth Givens, Director Privacy Rights Clearinghouse /s/ Edmund Mierzwinski, Consumer Program Director U.S. Public Interest Research Group (PIRG)