Presented at Twenty Third Annual Conference of International Data Protection Commissioners
By Beth Givens, Director
Paris, France
[NOTE: A shorter version of this paper was presented at the Paris Conference of the Data Protection Commissioners]
Esteemed Data Commissioners and fellow conference participants:
It is an honor and a pleasure to speak with you today. My name is Beth Givens and I am the director of the Privacy Rights Clearinghouse (PRC). The PRC is a nonprofit organization (referred to as non-government organization, or NGO in this presentation) based in San Diego, California, U.S. It was established in 1992 with funding from a special fund administered by the Public Utilities Commission, an agency of the state of California.
Summary of Presentation
I am going to describe the work of the PRC today in order to illustrate the main theme of this presentation: In an environment of limited privacy regulation, consumers must be able to have access to consumer education resources as well as problem-solving and intervention services. In addition to providing much-needed assistance, such consumer education and intervention services provide the function of a societal feedback loop.
The PRC acts as a feedback mechanism by obtaining information from consumers about their experiences in the marketplace. The PRC reports this information to legislators, regulatory agency officials, industry representatives, and other consumer groups. These entities can then take appropriate action when faced with evidence of actual or potential consumer harm and/or widespread confusion. The PRC also provides information to the media, not only to reach consumers with information on how to safeguard their privacy, but also to inform policymakers about critical privacy-related problems facing consumers.
Organizations that provide direct consumer assistance and complaint-handling are critically needed in an environment such as exists in the United States where privacy protection under the law is limited. In the U.S., the burden is largely on consumers to safeguard their own privacy. I will provide one case history in order to illustrate the need for organizations like the PRC -- the epidemic crime of identity theft in the U.S.
The PRC as well as the other privacy-related NGOs in the U.S. are not adequately funded to meet the needs of consumers in a largely unregulated marketplace. I will conclude by discussing the challenges of funding the work of the PRC and other U.S. privacy-related NGOs.
The Consumer Education Mission of the PRC
The Privacy Rights Clearinghouse (PRC) opened its doors in 1992 to serve the citizens of California, the most populous state in the nation. At that time, we were located within the Center for Public Interest Law at the University of San Diego School of Law. Our telephone hotline was staffed with law student interns. With the help of these law students, we began researching what we considered to be the major privacy issues facing consumers at that time. It is important to note that our focus then, as now, was informational privacy, not such constitutional privacy issues such as Fourth Amendment government intrusion violations for example.
Our single mission at that time, from 1992 to 1996, was consumer education. We researched and wrote a series of consumer guides, called Fact Sheets, on such topics as credit reporting, unwanted commercial mail (often called "junk" mail), telemarketing solicitations, harassing telephone calls, and cordless and cellular telephones.
We mailed these guides free of charge to consumers who called our hotline and who mailed order forms to us. And we distributed multiple copies of the guides to other nongovernment organizations and government agencies throughout the state so they could give them to their clients. These organizations included social services providers, district attorneys offices, civil liberties groups, low-income service providers, and other consumer groups.
I estimate that we distributed a quarter million guides to California consumers each year, and responded to 10,000 calls annually on our hotline. Our guides were written in both English and Spanish. We had a Spanish-speaking attorney on our staff. Keep in mind that during the early years, our service area was limited to the state of California.
Based on the types of topics that consumers brought to our attention via the hotline, we continued to develop Fact Sheets. Other topics included workplace privacy, medical records, wiretapping, government records, and the uses and misuses of the Social Security number. When we became aware of the growing problem of credit fraud, now called "identity theft," we developed the first consumer guides in the country to assist victims of this devastating crime and to give prevention tips to consumers. More recent Fact Sheet topics include Internet privacy, employment background checks, children's privacy issues, and just this year, financial privacy.
We have applied the following principles to our consumer guides:
- Use simple language and concepts. We attempt to write our publications using language and concepts understandable to the average consumer. Most guides are written in question and answer form and are segmented into several short sections.
- Provide action tips. Our guides always list things consumers can do to safeguard their privacy, whether or not there are legal protections that apply. This is an important consumer empowerment function.
- List additional resources. We have learned that many individuals want to dig deeper. So we list the relevant government agencies, consumer organizations, and industry trade and professional associations, including their telephone numbers and web addresses.
- Don't over-simplify or "dumb down" the content. We learned early not to over-simplify or condense the guides. Consumers are hungry for specific information about their legal rights. So we provide the legal citations to relevant state and federal laws. And we explain if no laws apply to certain situations.
This last point deserves additional discussion. Protecting privacy in the United States is a complex endeavor. This is reflected in our consumer education efforts as well. As you are well aware, the U.S. has adopted the sectoral approach to privacy legislation rather than the omnibus approach of most other developed nations in the world. A patchwork of laws applies to specific industry practices, leaving many aspects of informational privacy with little to no legal protection at all.
We have found that many consumers are surprised to learn that their privacy is not protected across the board. A message that we repeat over and over is, "the burden is on you, the consumer, to safeguard your privacy." We strongly believe that oversimplifying the task of safeguarding one's privacy is a disservice to consumers. As a result, our guides are not short, and I think most consumers whom we have served appreciate that.
Our Second Mission: Consumer Advocacy
In 1996, the state-sponsored funding program came to an end, leaving our future in jeopardy. We moved from the ivory towers of the University environment and joined a San Diego-based nonprofit organization, the Utility Consumers' Action Network (UCAN), in order to increase our fundraising options.
At the same time, we developed an Internet web site containing the full texts of our publications, www.privacyrights.org. As a result, we expanded our reach. Instead of just serving the citizens of California, we were able to reach out to the entire country. Increasingly, we obtained telephone calls and e-mail messages from consumers throughout the U.S.
By joining a nonprofit organization (NGO), we were no longer restricted to our single mission of consumer education. We could now engage more freely in consumer advocacy activities. Since 1996, we have represented consumers' interests in many legislative and regulatory proceedings, both in California and on the national level. We have testified in legislative committee hearings involving privacy-related measures. We have also participated in such regulatory proceedings as the workshops of the Federal Trade Commission and the U.S. Department of Commerce. In addition, I have been a member of several ad hoc public policy task forces on such topics as electronic court records and identity theft.
Our two-part mission of consumer education and consumer advocacy has continued to the present day. I cannot overestimate the importance of our direct contact with consumers. Because we have listened to tens of thousands of consumers' questions, complaints, and problems, we can bring their experiences to the attention of lawmakers, regulators, industry representatives, and other consumer organizations. This is the societal feedback loop function that I mentioned at the beginning of this presentation. And it is an especially important function in an environment of limited privacy regulation and weak privacy laws such as exists in the U.S.
Let me describe how this feedback function has worked by discussing our efforts to assist victims of identity theft.
Case History: Identity Theft
In 1993 we began to receive telephone calls from individuals who told us that criminals were able to obtain credit cards and loans in their name, even though their wallets had not been stolen and no official identification documents had been obtained by the criminals. We learned that this growing crime had a name -- identity theft. In the ensuing years, our staff has spoken with thousands of victims. The typical victim is unable to obtain credit cards, finance a home or automobile, rent an apartment, and in some situations, find employment. Some have been wrongfully jailed because of crimes committed by the imposters in their names.
The common denominator for virtually all such crimes is the ease with which the criminals can obtain the victim's Social Security number (SSN). In an unfortunate series of decisions since the Social Security system was first implemented in 1936, the SSN has been allowed to be used for many other purposes. In addition to being the key identifier to obtain and access financial services, it is also used as an insurance policy account number, student identification number, military serial number, and in some states the driver's license number. When the SSN gets into the wrong hands, it is relatively easy for the imposter to obtain credit, rent an apartment, order telephone services, even purchase a home or an automobile, all in the name of the victim. When the imposter's bills go unpaid month after month, the creditors contact the victims to demand payment. That is when the nightmare begins.
By piecing together the stories of the victims who called us, we were able to publish a guide in 1994 containing tips on how to recover from identity theft. We eventually joined forces with another California consumer organization, CALPIRG, on this effort. This guide has continually evolved as we learned more and more from victims, law enforcement officials, attorneys representing victims, credit industry representatives, and government officials.
I strongly believe that an important aspect of our feedback function is to give consumers a direct voice in this process. From those first puzzling days when we did not fully understand the crime, we asked victims if they were willing to share their experiences with the media and with legislators on the state and federal level. Many jumped at the chance to tell their stories. They wanted to ensure that others did not have to endure what they did. And they wanted to inform lawmakers about the importance of criminalizing identity theft, assisting victims, and preventing the crime altogether. We continue to maintain a data base of identity theft victims who are willing to be interviewed by media reporters and to testify in legislative committee hearings and agency workshops. We also invite victims to write about their experiences so we can post them on our web site.
Tracking the experiences of victims over time is another important feedback function that consumer organizations can engage in. The PRC and CALPIRG conducted a survey of victims who had contacted both organizations in May 2000. We asked a series of questions to determine how they became victims, what experiences they had, and what their current situation was. The survey's findings have contributed greatly to our understanding of the crime. We learned, for example, that the average amount of time needed by victims to regain financial health is about two years. We also learned that typical victims did not learn they were victims of this crime until it had been in progress for 14 months. Findings like these enable lawmakers, industry representatives, and law enforcement to develop crime prevention and victim assistance strategies. The study, titled "Nowhere to Turn: Victims Speak Out on Identity Theft," can be found at www.privacyrights.org/ar/idtheft2000.htm.
One more feedback function deserves mention. We are able to give victims a realistic assessment of the steps they must take to recover their financial health and the amount of time they are probably going to have to spend on this process. Most victims, understandably, want the criminals brought to justice immediately. We preach patience and counsel them that very few such cases are actually investigated because of severe shortages in law enforcement staff and funding for financial crimes. Even though we must be the bearers of bad news, we believe that it is important for victims to understand the larger picture.
Today, the PRC is assisted in our work with identity theft victims by the Identity Theft Resource Center, a program affiliated with us and also located in San Diego. Its director has written a series of guides for victims that walks them through virtually every step of the recovery process. Its web site is www.idtheftcenter.org.
Now the federal government has established its own consumer assistance service and feedback mechanism for identity theft victims. In 1999 Congress passed the Identity Theft Assumption and Deterrence Act into law (18 U.S.C. 1028). In addition to creating a federal offense, this law established the Federal Trade Commission (FTC) as an identity theft clearinghouse. The FTC operates a toll-free telephone hotline for victims to call (877) IDTHEFT. It now receives as many as 4,000 calls a week, up from several hundred calls a week when it was first launched. Visit its web site at www.consumer.gov/idtheft.
A vital component of the FTC's identity theft clearinghouse is its victims data base. It now contains 120,000 records. Law enforcement officials, prosecutors and policymakers are able to access this growing resource in order to analyze crime trends, obtain state-specific data, look for crime hot-spots, and seek information on specific cases.
In summary, the PRC's direct contact with identity theft victims has resulted in the following:
- Identification and documentation of a growing problem, in effect, an early-warning system.
- Gathering information directly from those affected on the nature of the problem and how to best assist victims.
- Development of consumer guides with tips on how victims can help themselves to recover their financial health and how consumers can take steps to prevent becoming victims.
- Empowering the victims by enabling them to tell their stories and advise policymakers.
- Sharing information with credit industry representatives to encourage them to alter their policies and practices.
- Sharing information with lawmakers and regulatory agencies in order to encourage them to adopt laws and regulations to criminalize identity theft, assist victims, and prevent this crime.
- Development of a credible voice with the media who then spread the word about identity theft to consumers and policymakers alike.
- Long-term tracking of specific victim's experiences to learn how the crime affects them over time and how they cope with it.
The Funding Challenge
There is no doubt in my mind that organizations like the Privacy Rights Clearinghouse are a necessity in an environment of limited privacy regulation. In addition to informing consumers how to safeguard their privacy, we also act as the eyes and ears of the marketplace by sharing information about consumers' experiences with lawmakers, government agency officials, industry representatives, and other consumer organizations.
But funding is a constant challenge, not only for the PRC but for all NGOs in the U.S. who assist consumers and who work in the public policy arena. The work of the PRC needs to be expanded and our longevity assured. There are no easy answers to the question of how best to fund operations like the PRC. It is beyond the scope of this presentation to discuss the various funding scenarios that would ensure the continuation of our work.
Conclusion
Suffice it to say that if the U.S. continues down the road of limited privacy protection under the law, consumers must be able to turn to organizations like the PRC in order to ask questions and voice their complaints. Such organizations must continue our vital role as societal feedback loop so that policymakers in both government and industry can rectify instances of consumer harm and prevent such occurrences in the future.
In closing, I want to stress that widespread implementation of privacy-related consumer education programs is not a magic bullet that can serve to justify industry self-regulation. By stating that the consumer education and feedback functions are necessary in an environment of limited privacy regulation, I do not mean to imply that industry self-regulation and the sectoral approach to privacy laws can indeed work if there is sufficient consumer education available in the marketplace. There is no substitute for strong privacy protection in law serving as the foundation all individuals, not just those who possess the necessary communication skills, literacy level, and assertiveness to seek the help of consumer organizations.