Before the
Securities and Exchange Commission
Washington, D.C.

Proposed Rule on
Privacy of Consumer Financial Information
File No. S7-6-00

COMMENTS OF THE
INDIVIDUAL REFERENCE SERVICES GROUP

Counsel:

Ronald Plesser
Emilio Cividanes
Piper Marbury Rudnick & Wolfe LLP
1200 19^th Street, N.W.
Washington, D.C. 20036
202/861-3900

March 31, 2000

The Individual Reference Services Group ("IRSG") welcomes this opportunity to comment on the proposed rule on the privacy of consumer financial information ("proposed regulation") implementing Title V of the Gramm-Leach-Bliley Act.

The IRSG represents leading information industry companies, including the three major credit bureaus, that provide commercial information services to help identify, verify, or locate individuals. Each of the member companies has adopted self-regulatory principles governing the dissemination and use of personal data, which the IRSG developed in 1997 in conjunction with the Federal Trade Commission.

Individual reference services are companies that furnish timely and accurate information to identify and locate individuals. The information is used by governmental, private sector, and non-profit entities for a wide range of beneficial purposes. These uses include an array of important government objectives such as prosecuting financial crimes, locating criminals, fugitives and witnesses to crimes, child support enforcement, finding biological parents, consumer protection, and environmental enforcement. For example, individual reference service products are helpful for verifying an individual's identity, locating a non-custodial spouse, and finding the spouse's hidden assets. Furthermore, the federal and state environmental agencies use individual reference service products to warn individuals who live or formerly lived in a hazardous waste area.

In the fight against identity theft, where verifying an individual's identity is crucial, individual reference service products are absolutely essential. Banks, credit card companies, and other types of credit institutions, as well as gas, electric, telephone utility companies and governmental entities distributing public entitlement programs are all becoming increasingly plagued by frauds who use an existing person's identity to illegally extract products, services and money. The best, and perhaps only, means of preventing this type of fraud is through the use of personal identifying data provided by individual reference services. Since the victims of identity theft are not only the businesses that lose billions to various forms of identity theft per year, but also the consumers whose credit is often ruined by this insidious act, everybody directly benefits by this application of the personal identifying information provided by individual reference services.

Individual reference service products are also an important tool for other types of fraud prevention efforts by businesses. The insurance industry, for example, relies on individual reference service products to investigate fraudulent claims. Credit card companies and department stores use them to detect and limit credit card fraud. Banks use them to detect and report credit card fraud, insider abuse, and money laundering. Many businesses use them to minimize the risk of financial fraud when they receive an unusual order for delivery of merchandise. Other businesses use them when performing due diligence before engaging in a business venture with a little-known corporation in the increasingly mobile world economy. These products are also widely used in the legal profession for uses as diverse as locating witnesses for trial and heirs to estates.¹

Individual reference service products are also very useful to non-profit health services seeking to locate participants in medical research experiments, and blood, bone marrow, and organ donors. These products also are used by the media and political campaign organizations to verify the identities of campaign donors.

The key building block for many individual reference service products is "credit header" information-non-financial identifying information obtained from a credit bureau's consumer reporting database. Credit headers consist of identifying information contained in a consumer reporting database, such as name, address, previous address, and telephone number; which does not, in and of itself, convey any information about a consumer's financial, credit, or employment status. The Federal Trade Commission and the courts have for years recognized that the FCRA operates to allow the use of this identifying information from a consumer reporting database in a broad fashion,² and Congress has implicitly ratified this position when, in adopting amendments to the FCRA in 1996 and 1997, it maintained the status quo regarding the availability of this identifying information.

The IRSG is concerned that the definition of "nonpublic personal information" in the proposed regulations, coupled with the statutory restriction on the reuse of such data, will result in the severe curtailment of long-standing, beneficial uses of identifying information that is made available through the operation of the FCRA. This would run afoul of the congressional mandate contained in section 506(c) of the Gramm-Leach-Bliley Act not to interfere with the operation of the FCRA, and would reduce the availability of products used by financial institutions to combat financial fraud. Among other solutions, giving meaning to the term "financial" in the statutory definition of "nonpublic personal information" would help preserve the commercial availability of identifying information from consumer reporting databases.

We believe that the regulating agencies, in the final regulations, must clarify that neither the credit bureaus' dissemination of identifying information to individual reference services, nor the bureaus' use of data from financial institutions to derive such information, runs afoul of the Gramm-Leach-Bliley Act.

Background-The IRSG's Effectiveness in Protecting Personal Privacy and Continuing Socially Beneficial Uses of Individual Reference Service Products

Recognizing the heightened interest in issues related to individual reference service products, the companies that comprise the IRSG stepped forward nearly three years ago to develop self-regulatory principles specifically tailored for the individual reference service industry sector. The IRSG companies took these steps even though there was no evidence-and there continues to be no evidence-of actual abuses or harm to consumers from individual reference service products.³

The IRSG principles define a set of guidelines aimed at describing a series of appropriate uses of identifying information obtained from consumer reporting databases and at protecting the privacy of the subjects of the information.⁴ For example, the principles prohibit the display of Social Security Numbers (SSNs), unlisted telephone numbers, date of birth, and mother's maiden name in any individual reference service product that is available to the general public via a web site, toll-free telephone number, etc. unless the data is retrieved from public record or publicly available information.

The IRSG principles have real "teeth" for consumers. First, any signatory company may be responsible under existing federal and state law on deceptive practices if the company fails to comply with these principles. Second, the signatories of these principles require by contract that all companies buying nonpublic data from them for resale abide by the principles. Non-complying companies risk losing access to the data. Third, companies that are signatories to the principles are subject to annual outside assurance reviews by qualified independent professionals. The first annual reviews, conducted using criteria developed by PricewaterhouseCoopers LLP, were completed on March 31, 1999, and the FTC was notified that the IRSG signatories had successfully completed them. Armed with the results of these outside reviews, the FTC-as well as state consumer protection authorities-are better equipped to investigate any signatory company that asserts that it abides by the IRSG principles but in reality fails to be in material compliance with them.

The IRSG principles were drafted after lengthy deliberations by companies with years of experience in these issues and in close consultation with the FTC. They were announced on December 17, 1997 and went into effect on December 31, 1998. In its December 1997 study entitled "Individual Reference Services: A Report to Congress," the FTC stated that the IRSG principles "show particular promise" and "are likely to influence virtually the entire individual reference services industry." As a result, unlike in other areas of privacy protection where it has urged the enactment of legislation, the FTC declined to recommend additional regulation of the individual reference services industry.

The IRSG companies have devoted considerable resources and worked diligently during the past two years to comply with these principles. For example, the IRSG signatories represent the sources of nearly all identifying information from credit reporting databases that is distributed commercially. This has enabled the IRSG to stop, for example, web sites operated by non-signatories from engaging in unauthorized practices, such as the sale of finder products that display SSNs obtained from consumer reporting databases. When these sites realize that they are in violation of the IRSG principles, they choose to comply with the principles rather than lose access to such identifying information from their data suppliers. In addition, the IRSG hosts an Internet Web site (www.irsg.org) that serves as a central location for consumers to find a comprehensive description of the IRSG principles. The site also provides user-friendly links to the information practice policies of each company.

This IRSG approach enables the continuation of socially beneficial uses of individual reference service products while protecting personal privacy. The IRSG approach is a measured response to the potential for misuse of information that is used only to identify and locate individuals for a range of beneficial purposes.

Financial Institutions Supply Identifying Data to Consumer Reporting Agencies,
Which Redisseminate It to Individual Reference Services

As explained above, individual reference services build their products and services upon identifying information supplied by consumer reporting agencies. This information provides the most current address data that is commercially available because the information is derived in part from the records of creditors. Because creditors tend to communicate with their customers frequently, address and other identifying information that creditors possess is ordinarily more current than that available from, for example, telephone directories or even motor vehicle records, which are updated less frequently.

Financial institutions are significant suppliers of the identifying information used by direct marketing services. Their role as suppliers stems from the fact that they attach identifying information to the account balance and other financial data that they routinely report to consumer reporting agencies in accordance with the FCRA.

We note here that financial institutions are not the only source of this identifying information. Rather, consumer reporting agencies obtain this data in the process of compiling information about a consumer's creditworthiness from several sources, including creditors, bankruptcy records and other public records, and state child welfare enforcement agencies. The consumer reporting agency compiles this information for a particular consumer, homogenizes the identifying information for "best address", etc., and then reassembles the information in its consumer reporting database. In this "file" or "report" stage, the identifying information is the product of various sources, none of which are specifically linked to it. That is, the identifying information that consumer reporting agencies sell as separate products does not reveal the existence of a customer relationship between a particular individual and any specific financial institution.

The FTC has long recognized that the FCRA operates to make this identifying information available for various commercial uses,⁵ including for use by individual reference services,⁶ and has indeed recently reiterated this view of the operation of the FCRA.⁷

The Proposed Regulation Threatens to Cut off the Availability of Highly Reliable Identifying Information to the Detriment of Socially Beneficial Efforts to Combat Financial Fraud, Locate Individuals, and Verify Their Identities

Contrary to the intent of Congress, the proposed regulation can be read to restrict the flow of non-financial identifying information by preventing third parties, such as consumer reporting agencies, from redisseminating such information about consumers if supplied by financial institutions for non-exempted uses. This approach to implementing Title V of the Gramm-Leach-Bliley Act rests upon reading its provisions out of context, and is neither faithful to congressional intent nor necessary to protect the privacy interests of consumers in sensitive financial information.

• The Gramm-Leach-Bliley Act affects third parties, not only financial institutions. Specifically, Section 502(c) restricts the ability of third parties to redisclose nonpublic personal information they receive from financial institutions. As summarized in the commentary to the proposed new regulation, this provision "places the institution that receives the information into the shoes of the institution that disclosed the information for purposes of determining whether redisclosures by the receiving institution are `lawful.'"

• By covering information "that is not intrinsically financial," the proposed regulation's definition of "nonpublic personal information" sweeps in non-financial, identifying information such as names, addresses, and SSNs contained in consumer reporting databases.⁸

• It is not clear whether the Act's exemption for consumer reporting agencies exempts the redissemination of identifying information contained in their databases. Section 502(e)(6)'s exemption for consumer reporting agencies might be read to cover only the protected data that the banks furnish to the agencies and the data that the agencies publish in "consumer reports." It is unclear whether the exemption applies to an agency's distribution of identifying information that it obtains from its database and sells without any accompanying financial information.

Consequently, the proposed regulation can be read to restrict the flow of identifying information from consumer reporting databases. Without any countervailing benefits, this improper application of Title V of the Gramm-Leach-Bliley Act would frustrate the accomplishment of the socially beneficial goals for which individual reference service products are used. For instance, misconstruing the Act this way would:

• Enable defrauders and other criminals, fugitives, and "deadbeat parents" to avoid detection and capture.

• Also inadvertently prevent, for example:

• Individuals from being located and notified of their rights as heirs under newly probated estates or as pension beneficiaries from jobs they left decades earlier;

• Notification from being provided to consumers whose identities have been assumed by a professional fraud;

• Non-profit health services from using individual reference service products to locate blood, bone marrow, and organ donors; and

• Political campaigns from being able to verify the identities of campaign contributors.

Although Title V of the Gramm-Leach-Bliley Act contains exceptions for certain law enforcement investigations and other governmental uses, misconstruing the Act's provisions to cut off identifying information from consumer reporting databases could also adversely affect governmental uses of individual reference service products. That is, exemptions for governmental uses alone will not ensure the continuation of individual reference services. Commercial companies are likely to find it too expensive to purchase and assemble individual reference service databases to serve only their governmental clients, or a very limited range of exempted users.

The Gramm-Leach-Bliley Act Does Not Authorize the Regulating Agencies to Restrict the Credit Bureaus' Dissemination of Identifying Information to Individual Reference Services

When read together, sections 502(c), 502(e)(6), 506(c), and the statutory definition of the term "nonpublic personal information" do not restrict the redissemination of identifying information by consumer reporting agencies.

Applying the restrictions to name, address, SSN, and similar identifying data contained in consumer reporting databases is an impermissible interpretation of the term "nonpublic personal information" because it effectively reads the statutory term "financial" out of the definition. Yet, Congress defined "nonpublic personal information" with care, differentiating protected information from other data by requiring that protected information be both "personally identifiable" and "financial," as well as having been obtained in one of the three ways enumerated in the Act. That is, "financial" narrows the scope of the term by limiting what type of personally identifiable information obtained in one of the three enumerated ways qualifies for protection under the Act. A name, address, and SSN helps transform anonymous or aggregate data into "personally identifiable information"; however, it does not itself constitute "financial information."

Consequently, the Act requires that the regulating agencies construe "nonpublic personal information" more narrowly to focus on information that is intrinsically financial. In a colloquy between Senators Gramm and Allard, Senator Gramm confirmed that "nonpublic personal information" was intended to apply to information that describes "an individual's financial condition."⁹ In defining the term "financial," Webster's Dictionary states that it "implies reference to money matters." The Freedom of Information Act contains a business information exemption that protects, among other things, "financial information obtained from a person [that is] privileged or confidential."¹⁰ Focusing on the type of information under review, judges interpreting this language in the context of personal financial information have concluded, for example, that only "some data" obtained from loan applications, such as the amount of an individual's annual income and the person's credit risk scores, is financial information,¹¹ while other data is not financial information because it does not bear sufficient similarity to "the pecuniary affairs of the individual."¹² Under these definitions, the term "financial information" would not encompass identifying information from consumer reporting databases.

At the very least, using the existing definition of "financial" in section 4(k) of the Bank Holding Company Act of 1956, the definition of "financial information" should require that the identifying information not only be obtained by a financial institution in connection with the provision of a financial product or service to a consumer, but that the data also be used in making decisions about such products or services (e.g., the price or interest rate that a consumer will be charged for a product or service, the consumer's eligibility for such a product or service, etc.). Name, address, SSN, and other identifying information from consumer reporting databases do not meet that definition.

Section 506(c) of the Gramm-Leach-Bliley Act provides an additional reason why the restrictions of Title V of the Act should not apply to name, address, Social Security Number, and similar identifying data supplied by consumer reporting agencies. Section 506(c) makes clear that the Gramm-Leach-Bliley Act may not "modify, limit, or supersede the operation of the Fair Credit Reporting Act." Unlike certain other issues, the redissemination of header information is not explicitly addressed by the Gramm-Leach-Bliley Act. Where, as here, the FCRA operates to allow the sale by consumer reporting agencies of identifying information from their consumer reporting database, and the Gramm-Leach-Bliley Act does not explicitly address this activity, then section 506(c) must be read to exempt this FCRA-approved redissemination of data.

The Final Regulation Should Clarify That the Credit Bureaus' Use of Data From Financial Institutions to Derive the Identifying Information They Distribute to Individual Reference Services Does Not Run Afoul of the Gramm-Leach-Bliley Act

Clarifying that consumer reporting agencies may furnish identifying information to individual reference services is not necessarily sufficient to ensure the continued availability of this data for use in fraud prevention and other similar beneficial uses.

Financial institutions may view the section 502(c) prohibition on a third party's reuse of "nonpublic personal information"-as the term is now redefined by the proposed new regulations-as barring them from releasing identifying data to consumer reporting agencies for use by individual reference services. This would interfere with the flow of identifying information that the FCRA operates to make available. Unless the banks are reassured that such uses of data supplied by them do not run afoul of the Gramm-Leach-Bliley Act, they may contractually restrict consumer reporting agencies from redisseminating the identifying information in their databases to individual reference services.

Consequently, the regulating agencies should in the final regulations reassure financial institutions that the status quo-i.e., the redissemination of identifying data supplied by them to consumer reporting agencies-does not run afoul of the Gramm-Leach-Bliley Act.

Conclusion

The IRSG urges the regulating agencies to ensure that the final regulations clarify that neither the credit bureaus' dissemination of identifying information to individual reference services, nor the bureaus' use of data from financial institutions to derive such information, runs afoul of the Gramm-Leach-Bliley Act.

Footnotes

¹ See generally Federal Trade Commission, "Individual Reference Services-A Report to Congress" Ch. III (December 1997).

² See, e.g., Federal Trade Commission v. TRW Inc., No. 3-91CV2661-H (N.D. Tex. Jan. 14, 1993) ("Agreed Order Amending [Dec. 1991] Consent Order"); Trans Union Corp. v. Federal Trade Commission, 81 F.3d 228, 232 n. 1 (D.C. Cir. 1996) (citing 1993 amendment to TRW consent decree).

³ See generally Federal Trade Commission, "Individual Reference Services-A Report to Congress" Ch. IV (December 1997); Board of Governors of the Federal Reserve, "Report to Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud" (March 1997).

⁴ The text of the IRSG principles is available at www.irsg.org.

⁵ See Federal Trade Commission v. TRW Inc., No. 3-91CV2661-H (N.D. Tex. Jan. 14, 1993) ("Agreed Order Amending [Dec. 1991] Consent Order").

⁶ See Federal Trade Commission, "Individual Reference Services-A Report to Congress" (December 1997).

⁷ See In Re Trans Union, (March 1, 2000).

⁸ Cf. 47 U.S.C. § 222(f)(1) (excluding identifying information ("subscriber list information") from the scope of the "customer proprietary network information" protected under the "privacy of customer information" provisions of the Telecommunications Act of 1996).

⁹ 145 Cong. Rec. S13902 (Nov. 4, 1999).

¹⁰ 5 U.S.C. § 552(b)(4).

¹¹ Rural Housing Authority v. U.S.D.A., 498 F.2d 73, 79 (D.C. Cir. 1974).

¹² Washington Post Co. v. D.H.H.S., 690 F.2d 252, 283 (D.C. Cir. 1982) (Tamm, J., dissenting).