Copyright 1999 Federal Document Clearing House, Inc.
Federal Document Clearing House Congressional Testimony
July 20, 1999
SECTION: CAPITOL HILL HEARING TESTIMONY
LENGTH: 4314 words
HEADLINE: TESTIMONY July 20, 1999 MARY J. CULNAN PROFESSOR HOUSE BANKING AND FINANCIAL SERVICES FINANCIAL INSTITUTIONS AND CONSUMER CREDIT UNIONS FINANCIAL PRIVACY
BODY:

PREPARED STATEMENT OF DR. MARY J. CULNAN
Professor, The McDonough School of Business, Georgetown University, Washington, D.C.

Hearing on Emerging Financial Privacy Issues
Before the U.S. House of Representatives Committee on Banking and Financial Services
Subcommittee on Financial Institutions & Consumer Credit
Washington, D.C.
Tuesday, July 20, 1999

Chairwoman Roukema and members of the Subcommittee, thank you for inviting me to testify. I also want to commend you for scheduling these important hearings so quickly after the floor debate on H.R. 10, the "Financial Services Act of 1999."

My name is Mary Culnan. I am a professor at the McDonough School of Business, Georgetown University, where I teach electronic commerce. I have been conducting research on the impact of technology on consumer privacy for more than a decade. I have also been employed in the information systems field for more than thirty years, first as a systems analyst for a Fortune 500 company, and as a professor of information systems since earning my doctorate in 1980. This is the seventh time I have testified before Congress on information privacy issues, and the second time I have testified before the House Banking Committee(1).

In the United States today consumers benefit from a robust information economy. Because most of us are not from very small towns but instead live in a "society of strangers," we also enjoy a large measure of personal privacy. The price we pay for that privacy is "surveillance" in the form of information systems.(2) Because the majority of organizations can no longer personally know their customers, the need for information to support decisions involving risk and to serve customers as individuals has fueled the growth of vast databases of personal information. These systems create benefits for both consumers and organizations, such as lower costs, targeted offerings, personalized customer service and instant access to credit. However, their use also raises privacy concerns when consumer expectations of privacy come into conflict with what organizations believe is a legitimate commercial use of personal information.

My statement will be organized as follows. I will begin by providing some context for the discussion of financial privacy. Next, I will address two emerging issues related to financial privacy. First I will discuss the privacy issues raised by secondary use of personal information, that is, the use of information collected for one purpose for other unrelated purposes. This section will include a discussion of the privacy issues related to secondary use of public records. I will conclude with a discussion of the new privacy issues raised by the Internet. Many of my comments will address the use of financial information for marketing, as that is my primary area of expertise.

The Context for Privacy

Information privacy is the ability of individuals to control the terms under which their personal information is acquired by others and used.
Underlying this definition is an implicit understanding that privacy is not absolute; rather, the individual's privacy interests are balanced with those of society at large. Information privacy concerns can arise in three different contexts, all of which are relevant to the work of the Banking Committee(3):

  - Organizational reuse or sharing of the information gathered about consumers in the course of routine consumer transactions, e.g. marketing;
  - Authorized access to personal information about one individual contained in public records, credit reports and other databases, e.g. credit or hiring decisions;
  - Unauthorized access to an individual's personal information, either through a security breach or because the custodian of the information has not implemented appropriate internal controls, e.g. pretext calling, identity theft or having one's credit card number stolen online by hackers.

Prior research on privacy found that people are willing to disclose personal information in exchange for some economic or social benefit subject to the "privacy calculus," an assessment that their personal information will subsequently be used fairly and they will not suffer negative consequences in the future.(4) People disclose personal information to gain the benefits of a relationship; the benefits of disclosure are balanced with an assessment of the risks of disclosure. This hearing, then, is as much about disclosure as it is about privacy. The information economy depends on consumers being willing to disclose personal information and to have that information used by business for legitimate commercial purposes, including marketing. From the perspective of the financial services industry, privacy should be about making consumers confident that disclosing their personal information is a low-risk proposition(5).

Organizations can minimize the perceived risks of disclosing personal information by observing fair information practices. Fair information practices are global norms that serve as the basis for U.S. privacy laws and self-regulatory programs as well as international privacy laws. At the heart of fair information practices are the following principles:

  - Notice about what personal information is collected and how it will be used;
  - Choice (e.g. opt out) about subsequent uses of personal information for other unrelated purposes;
  - Access to their personal information and the ability to correct any errors;
  - Data Stewardship, including integrity and security for data during both transmission and storage; and
  - Enforcement and redress to ensure that organizations "do what they say."

Fair information practices mediate the privacy concerns raised by disclosure and subsequent use of personal information by empowering individuals with control over their personal information, even if people do not choose to invoke the procedures. They also signal to consumers that the firm will not behave opportunistically with their personal information, and that the risks of disclosure are therefore minimal.(6) As a result, protecting privacy by observing fair information practices is good for business because doing so promotes consumer confidence and trust. I will now turn to a discussion of some of the privacy issues facing the financial services industry and the Subcommittee.

Secondary Use of Personal Information

Commercial Financial Information

Consumers understand that they need to disclose personal information in order to qualify for automobile insurance, a mortgage or a credit card, or to open a bank or a brokerage account. Surveys also show that people do not object to having other relevant sources of information, such as their credit history or driving record, checked as part of the application process as long as the information is relevant to the transaction. It is secondary use of the information provided that raises privacy concerns. Secondary use refers to collecting information for one purpose and subsequently using the information for other purposes. Privacy concerns are raised when this reuse is unrelated to or incompatible with the purpose for which the information was originally collected, and the firm does not offer the consumer the opportunity to object to this reuse. Secondary use includes unrelated use by the organization that collected the information as well as sharing the information with third parties.
One of Washington's most prominent privacy attorneys stated that when the use of information is not compatible with the purpose for which it was collected, "the prospect of misinterpretation or crass exploitation usually follows."(7) The most common form of secondary use is targeted marketing. Privacy concerns raised by secondary use are potentially greater in the financial services industry because, along with medical information, personal financial information is viewed as highly sensitive by consumers. Anyone who examines their monthly credit card statement knows that a profile based on credit card or ATM transactions can provide a detailed picture of an individual's life. Further, technology now enables firms to analyze large databases of transaction data and to draw inferences that promote subsequent unrelated uses by the organization with which the consumer has a relationship, the organization's business partners, and unrelated third parties.

Public opinion surveys and my own research have shown that firms can balance these privacy concerns with their legitimate business need for the information by observing fair information practices. When consumers are offered notice and choice (e.g. opt out), privacy concerns are no longer significant and a majority of consumers do not object to secondary use of personal information.(8)

The provisions in H.R. 10 which require banks, securities firms, and insurance companies to disclose their privacy policies and to provide consumers with the ability to opt out of the sharing of nonpublic personal information with nonaffiliated third parties are an important first step. However, I do not believe they are adequate, for two reasons. First, the disclosures are not required to reflect the core elements of fair information practices. The principles that the disclosure must incorporate should be specified.(9) As discussed above, fair information practices are established norms that have been embraced in the United States and worldwide(10). Individual financial institutions would retain the freedom and flexibility to create the language that they feel communicates these principles most effectively to their customers. Second, consumers should also be offered a chance to opt out of having their personal information shared with affiliates for marketing purposes.
Some have argued that, by providing notice to consumers, those who object to the sharing of personal information with affiliates can choose to do business with financial institutions that do not engage in this practice. However, if large financial conglomerates become the norm as expected, consumers lose even this limited opportunity for choice. Further, evidence has recently emerged that not all of these affiliate relationships are in the best interest of the consumer(11). It should also be noted that the failure to offer an opt out for affiliate sharing is at odds with the self-regulatory programs that America's best companies have embraced(12). Consider the following examples:

  - The Direct Marketing Association's "Privacy Promise," which took effect on July 1, 1999, requires all of its members who market to consumers to give notice and choice if personal information is shared with third parties and to respect consumer requests not to receive solicitations from the company or its affiliates.(13)
  - The Online Privacy Alliance's Guidelines for Online Privacy Policies state that individuals must be given the opportunity to exercise choice regarding how individually identifiable information collected from them online may be used when such use is unrelated to the purpose for which the information was collected. At a minimum, individuals should be given the opportunity to opt out of such use, including the vast majority of circumstances where there is third party distribution of the information(14).
  - To qualify for the BBBOnline Privacy Seal, organizations must disclose the choices they provide to consumers with regard to information that is shared with affiliates or third party agents.(15)
  - American Express has long offered its customers an easy opt out from receiving American Express offers, offers from its business partners and telemarketing solicitations. They have reported that a very small number of customers actually opt out, but by providing this opportunity, trust in the American Express brand is enhanced.

Providing an opportunity to opt out of affiliate sharing will not restrict the free flow of information so important to our economy. Information about consumer choices and behavior can still be analyzed and shared in the aggregate, minus only the information that identifies the customer. Affiliates and other third parties will also save money by not contacting people who have no interest in the products or services they are offering.

One final point needs to be made about the distinction between "public" and "nonpublic" personal information that is made in H.R. 10. The telephone book, one of the most widely available sources of public information, is a good example that people value the ability to make choices about disclosing even their name and address, and when offered choices, will exercise them. Bell Atlantic provides its customers with a range of choices about how they will be listed in its directory. These choices include not being listed at all, listing only your name and phone number, not listing your first name, being listed under a "pseudonym" (e.g. the name of your pet), or listing full name, address and telephone number. Selecting any page at random from the local directory will include listings that reflect a variety of these preferences. Consumers should be able to opt out of having their names and addresses shared for marketing purposes, even when this information is considered "public."

Public Records
Technology has redefined the public record. Public records formerly existed as "puddles of data": manual record systems or small files or databases contained on standalone computer systems. Privacy was often protected by the effort required to access these records. Today, advances in technology and the growth of the Internet have promoted the merging of puddles into readily accessible lakes or even oceans of personal information(16). The time has come to have a national discussion about the many ways public records are used in our information society, and to examine the current balance between individual privacy and the public interest.

Similar to commercial information, public records raise the same privacy issue of unrelated secondary use that may not be governed by fair information practices(17). While the Drivers Privacy Protection Act mandated notice and choice for motor vehicle records if the state elects to make the information available for incompatible purposes as defined by the law, secondary use of other types of public records is not governed by such protections. Public opinion supports the distinction between compatible and incompatible use of public record information. The 1992 Harris-Equifax Consumer Privacy Survey asked how the public feels about individual consumer data being available in public records. The majority of the public feels that private sector use of public record information is acceptable when it is used for a compatible purpose, such as relevance to the individual's application for employment or a consumer benefit such as automobile insurance, but not when it is used for unrelated purposes. These results are shown in the table below.
Question (Base = 1254 respondents)                                   Generally All Right

Auto insurance companies checking the accident and driving record
of a consumer applying to them for a policy                                  77%

Employers checking for criminal convictions when a person applies
for a job                                                                    75%

Businesses checking bankruptcy and other financial records when a
consumer applies to them for credit                                          71%

Private investigators obtaining public record information on
individuals for clients                                                      34%

Companies obtaining public record lists in order to mail people
information about products and services                                      32%

The media obtaining and publishing public record information about
people in public life or in the news                                         28%

A private individual obtaining public record information about
another person                                                               19%

Second, a key difference between commercial information and public records is that public record information is not collected voluntarily. For example, few adults can survive without a driver's license or an automobile, and a condition of having either is to register with the state. When the state makes this information available for unrelated uses such as marketing without an opportunity to opt out, the state is essentially placing an unfair burden on the public. This is in direct contrast to marketing use of commercial data, where the individual has voluntarily "raised their hand" in the marketplace by responding to an offer of some type. No such claim may be made for all of those listed in the public records.(18)

Public records play an important legitimate role in our society. Providing enhanced access to public records through technology can mean more efficient government and improved service for its citizens. However, these benefits need to be balanced with privacy concerns. For example, a 1997 Harris survey found that 75% of the public see a problem with state and local governments putting public records on the Internet for easier access by all interested parties. Because different types of public records are used in different ways and raise different privacy issues, the policy discussion should proceed on a case by case basis.

Privacy and the Internet

When financial services move onto the Internet, they potentially raise a new set of privacy issues due to the interactive nature of the medium. This is in addition to the privacy concerns raised by unrelated secondary use discussed above. In the offline world, consumers leave a data trail only when they engage in a transaction: withdraw money from an ATM, use a credit card, file an insurance claim, trade securities or apply for a mortgage. On the Internet, not only can transactions be recorded, but consumers can also be tracked when they browse online without engaging in any transactions. When we visit a Web site, our browser provides the Web site with the URL of the previous page we visited.
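As an added illustration of the browsing trail described here (this is example code written for this page, not part of the testimony or of any site it mentions), the following small Python model shows what a Web server learns from a visitor who never fills in a form: the referring URL the browser sends in its Referer header, and, once the site has set a cookie, the fact that the same browser has come back. The site names, page URLs and header values are constructed for the example.

```python
import itertools
import secrets
from http.cookies import SimpleCookie

# Constructed request headers standing in for what a browser sends on a first
# visit; the site and page names are invented for this example. "Referer" is
# the header's spelling in HTTP.
FIRST_VISIT = {
    "Host": "bank.example",
    "Referer": "https://search.example/results?q=mortgage+rates",
    "User-Agent": "ExampleBrowser/1.0",
}
SECOND_REFERER = "https://news.example/rates-fall"


def parse_cookies(headers):
    """Return the name/value pairs of a request's Cookie header as a dict."""
    jar = SimpleCookie()
    if "Cookie" in headers:
        jar.load(headers["Cookie"])
    return {name: morsel.value for name, morsel in jar.items()}


class VisitLog:
    """Server-side record of browsing visits keyed by a cookie value.

    A visit is recorded whether or not the visitor ever fills in a form or
    completes a transaction: the browser's Referer header says where the
    visitor came from, and the cookie ties separate visits to one browser."""

    COOKIE = "visitor_id"

    def __init__(self, id_factory=None):
        self.visits = {}  # visitor_id -> list of referring URLs, in order
        self._new_id = id_factory or (lambda: secrets.token_hex(8))

    def handle(self, headers):
        """Process one request; return what the site learned from it."""
        visitor_id = parse_cookies(headers).get(self.COOKIE)
        returning = visitor_id in self.visits
        response_headers = {}
        if not returning:
            # No usable cookie: issue one so the next visit is recognisable.
            visitor_id = self._new_id()
            self.visits[visitor_id] = []
            response_headers["Set-Cookie"] = f"{self.COOKIE}={visitor_id}; Path=/"
        # A missing Referer is recorded as None (browsers do not always send it).
        self.visits[visitor_id].append(headers.get("Referer"))
        return {
            "visitor_id": visitor_id,
            "returning": returning,
            "referer": headers.get("Referer"),
            "response_headers": response_headers,
        }


def demo():
    """Two visits by the same browser: the first is anonymous, the second is not."""
    counter = itertools.count(1)
    log = VisitLog(id_factory=lambda: f"v{next(counter)}")  # reproducible ids
    first = log.handle(FIRST_VISIT)
    # Simulate the browser returning later from a different page and sending
    # back the cookie it was given (value only, without the Path attribute).
    second_headers = dict(FIRST_VISIT, Referer=SECOND_REFERER)
    second_headers["Cookie"] = first["response_headers"]["Set-Cookie"].split(";")[0]
    second = log.handle(second_headers)
    return first, second, log.visits


if __name__ == "__main__":
    first, second, visits = demo()
    print("first visit :", first)
    print("second visit:", second)
    print("trail       :", visits)
```

The `visits` dictionary at the end is the data trail: two referring pages attributed to one browser, with no name, account number or form submission involved. Whether a site keeps such a log, for how long, and with whom it is shared is exactly what a posted privacy policy has to describe for the notice and choice principles to mean anything.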
Cookies can be used to identify a returning visitor to a web site, even if surfers do not explicitly identify themselves. Privacy concerns about disclosing personal information online threaten to keep electronic commerce from reaching its full potential. As in the offline world, these concerns can be addressed if financial services firms observe fair information practices: post a comprehensive privacy policy on their Web site and subsequently ensure that their information practices conform to the policy. For example, a 1997 Harris survey found that 87% of the Internet users they surveyed had declined or had lied when asked by a Web site to provide personal information. Sixty-three percent said they would have supplied the information if the site had clearly informed them in advance how the information would be used and the consumer was comfortable with these uses. The semi-annual Georgia Tech surveys of Internet users have consistently reported similar results. It is, therefore, clearly in the self-interest of the financial services industry to observe fair information practices online.(19) However, if recent evidence for commercial Web sites can be extrapolated to the financial services industry, it is unlikely that the majority of financial Web sites have posted comprehensive privacy policies that reflect the core elements of fair information practices.(20) This situation needs to be remedied.

Conclusion
Privacy concerns arise primarily when personal information collected for one purpose is reused for unrelated purposes. Privacy concerns may be addressed by observing fair information practices. This represents a win-win solution for consumers and the financial services industry, as it promotes disclosure by reducing the perceived risk to the consumer while consumers retain control over their personal information. The policy question is whether this can be accomplished through self-regulation or whether legislation is required. In either case, the same principles should apply to information gathered offline and over the Internet. However, care needs to be exercised to ensure that any regulatory solution does not threaten electronic commerce by prohibiting new Internet business models such as those where an intermediary searches on behalf of a consumer for a favorable rate for a loan. The current Federal Trade Commission process has worked well for promoting online privacy. The FTC has convened workshops where participants represent a wide range of stakeholders, conducted research and issued periodic progress reports to Congress on the need for new privacy legislation. As a result, the private sector has mobilized and initiated several promising self-regulatory initiatives. While similar efforts may be underway in the financial services industry, I am not aware of any, with the exception of the practices of a small number of firms who have a long-time commitment to privacy. I recommend the Subcommittee charge the financial regulators to implement a similar process for financial services. The OCC is a promising candidate, as it has held at least one workshop on financial privacy and appears to have an ongoing interest in the issue. This concludes my statement. I would be happy to work with the Subcommittee as you address this important issue.

______________________

1. See
Statement and Testimony of Mary J. Culnan on Legislation to Amend the Fair Credit Reporting Act, Subcommittee on Consumer Affairs and Coinage, House Committee on Banking, Finance & Urban Affairs, June 6, 1991.

2. See Steven Nock, The Cost of Privacy, New York, Aldine de Gruyter, 1993.

3. My testimony addresses the first type of use.

4. R.S. Laufer and M. Wolfe, "Privacy as a Concept and a Social Issue: A Multidimensional Developmental Theory," Journal of Social Issues, Vol. 33, No. 3, p. 22-42, 1977.

5. See for example Mary J. Culnan and Sandra J. Milberg, "The Second Exchange: Managing Customer Information in Marketing Relationships," 1998, available at www.msb.edu/faculty/culnanm.

6. For empirical evidence, see for example the Harris surveys conducted for Equifax Inc. and Privacy & American Business; Mary J. Culnan & Pamela J. Armstrong, "Information Privacy Concerns, Procedural Fairness and Impersonal Trust: An Empirical Investigation," Organization Science, Vol. 10, No. 1, p. 104-115, 1999; Mary J. Culnan, "Consumer Awareness of Name Removal Procedures: Implications for Direct Marketing," Journal of Direct Marketing, Vol. 9, No. 2, p. 10-19, 1995.

7. Ronald L. Plesser, formerly General Counsel of the Privacy Protection Study Commission, quoted in Charles Piller, "Privacy in Peril," Macworld, July 1991, p. 8-14.

8. See for example the 1990 & 1996 Harris-Equifax surveys; Harris-Westin survey Commerce Communication and Privacy Online, 1997; Culnan and Armstrong, "Information Privacy Concerns, Procedural Fairness and Impersonal Trust," Organization Science, Vol. 10, No. 1, p. 104-115, 1999; Culnan, "Consumer Awareness of Name Removal Procedures: Implications for Direct Marketing," Journal of Direct Marketing, Vol. 9, No. 2, p. 10-19, 1995.

9. See for example the language proposed by Representative Markey in his motion to recommit H.R. 10.

10. See Online Privacy Alliance, "Guidelines for Online Privacy Policies," available at www.privacyalliance.org. The OPA is a voluntary association of approximately 80 companies and associations. See also the Federal Trade Commission's two reports to Congress, Privacy Online: A Report to Congress, June 1998, and Self-Regulation and Privacy Online: A Report to Congress, July 1999, both available at www.ftc.gov.

11. See for example Robert O'Harrow Jr., "Telemarketer Deals Challenged in Suit: Sale of Consumer Financial Data Assailed," Washington Post, July 17, 1999, p. E1.

12. See for example the privacy policies for American Express (www.americanexpress.com) and Bank of America (www.nationsbank.com) which describe policies governing their information offline and online.

13. Direct Marketing Association, Privacy Promise Member Compliance Guide, September 1998.

14. See www.privacyalliance.org.

15. See www.bbbonline.org.

16. See Personal Privacy in an Information Society, the Report of the Privacy Protection Study Commission, 1977, and Willis H. Ware, "The New Faces of Privacy," The Information Society, Vol. 9, No. 3, p. 195-212, 1994. Ware was Vice Chairman of the PPSC and has recently argued for the need to revisit the privacy issues resulting from the automation and aggregation of public records. He stated that the PPSC never extended its dialogue to "stress the totality of public records" because public record laws and practice at that time did not reflect today's high level of automation.

17. See for example Mary J. Culnan, Prepared Statement on H.R. 3365, Driver's Privacy Protection Act of 1993, House Judiciary Committee, Subcommittee on Civil and Constitutional Rights, February 3, 1994. For example, motor vehicle records may be used for targeted marketing by drawing inferences about an individual's lifestyle based on the type of automobile they drive, whether or not they wear glasses, or their height/weight ratio. None of these inferences are related to driving. Property records and court records have also been used to draw inferences for direct marketing. The Supreme Court will hear arguments on the Drivers Privacy Protection Act during its upcoming session.

18. For legal arguments related to this point for motor vehicle records, see Marc Rotenberg, Brief Amicus Curiae of the Electronic Privacy Center in Support of Petitioners, Reno v. Condon, U.S. Supreme Court 98-1464, July 15, 1999, available at www.epic.org.

19. See for example E-Loan, which is a member of the Online Privacy Alliance (www.eloan.com).

20. The Georgetown Internet Privacy Policy Survey found that while nearly two-thirds of consumer-oriented .com Web sites posted some form of privacy disclosure, less than 10% posted a comprehensive statement that included all core elements of fair information practices. For the full report, see www.msb.edu/faculty/culnanm/gippshome.html. I am the director of the Georgetown study.
LOAD-DATE: July 21, 1999