The meeting of the Colorado Task Force on Information Technology ("Task Force") was called to order by I. Thomas Bieging, counsel to the Task Force at 2:00 p.m. on February 16, 2001 at the offices of McKenna & Cuneo, L.L.P., Denver, Colorado. Chairman of the Task Force, Ms. Donnetta Davidson, Colorado Secretary of State, was unable to attend as a result of illness.
Present were State Senator Kenneth Gordon, State Representative Matt Smith, Dr. Steven Lucas, Rick O'Donnell, Kathy Krause, Sarah Rosene, Ron Binz, Joe Dickerson, Amy Redfern, James Ginsburg, Spencer Guthrie, Al Dominguez and David Baker. Also present was Dana Williams, Administrative Assistant to Ms. Davidson. The meeting was recorded by tape.
Mr. Bieging opened the meeting and requested approval of the Minutes of the Meeting of January 9, 2001. Upon motion duly seconded and carried, the Minutes of the Meeting of January 9, 2001 were approved as prepared.
The Task Force discussed how information should be circulated to the Task Force members. It was noted that both members of the Task Force and the public have provided a substantial amount of information for the Task Force's consideration. It was agreed that Task Force members would receive information from Ms. Davidson by e-mail and that documents received by the Task Force should be posted to the Task Force web site if available in electronic form.
Mr. Bieging indicated that consistent with the Task Force's request in January, there would be three speakers presenting the Task Force with information regarding financial privacy, medical privacy, and privacy on the internet.
Messrs. John J. Byrne and Matthew Street, representatives of the American Bankers Association, spoke to the Task Force by way of video conference from Washington, D.C. Messrs. Byrne and Street spoke regarding the current status of financial privacy as represented by the federal statute and regulatory scheme under Gramm-Leach-Bliley Financial Services Modernization Act of 1999. Among the points made by Messrs. Byrne and Street were:
The American Bankers Association estimates that there is a $195 per household "value" gained by each household in the United States as a result of financial institutions' abilities to collect information regarding customers and to provide targeted marketing, avoid fraud and to provide ease of access in applications and other processes.
Gramm-Leach-Bliley (GLB) provides an extensive statutory and regulatory scheme for the protection of consumer finance information. The Sarbanes Amendment to GLB permits states to provide greater consumer protection while GLB itself preempts any state laws which would directly conflict with GLB's requirements. Additionally, the Fair Credit Reporting Act completely preempts the field relating to consumer credit reporting until 2004.
Consumer surveys indicate that consumers in general do not like the prospect of being required to use a significant number of PIN numbers or other identifying numbers. Additionally, with approximately 20 percent of the population moving each year, financial institutions find it difficult to track customers without social security numbers. Some concerns exist that if social security numbers are not available to identify customers, there may be an actual increase in fraud and identity theft. Approximately ten states have considered or passed legislation which restrict the ability by state agencies to utilize social security numbers. An example of a concern on restricting the use of social security numbers was the Red Cross's reliance on social security numbers to track blood supplies and the impact that restrictions might have on that usage.
The ABA has estimated that the average middle income family in the United States will receive approximately 15 to 20 privacy notices as mandated by GLB. By way of example, Bank of America has mailed out approximately 60 million privacy notices.
A variety of statutes, state and federal, exist with respect to financial privacy. Many of these statutes have been in effect for a significant number of years. These statutes include state right to financial privacy acts (30 states), unfair deceptive trade practices acts, and insurance sales privacy acts. Twenty states have considered the opt-in/opt-out provisions of GLB, and no state has enacted legislation in this area since GLB. Messrs. Byrne and Street opine that the reason for this is there is not enough current information as to the effectiveness of GLB; there is a desire to wait to see how GLB works; and there are several states which have set up task forces to study the issue.
Mr. Byrne responded to a question regarding "politically popular issues" and indicated that legislatures should use caution in promulgating statutes and regulations that may hinder the development of products or services.
In response to an inquiry by Mr. Binz, Mr. Byrne indicated that reuse or redisclosure of information obtained by third parties providing services to financial institutions would be subject to controls through bank regulatory enforcement actions and through Federal Trade Commission actions.
At the conclusion of their presentation and the question and answer period, the Task Force thanked Messrs. Byrne and Street for their input. Copies of the slides provided by the American Bankers Association were circulated to all members of the Task Force.
The second speaker to address the Task Force was Mr. Alex J. Brittin, a partner at McKenna & Cuneo, L.L.P.'s Washington, D.C., office. Mr. Brittin spoke to the Task Force on the topic of the federal statutory and regulatory schemes relating to the Health Insurance Portability and Accountability Act of 1996 (HIPPA). Mr. Brittin presented slides which outlined the applicability of HIPPA. Copies of the slides were presented to all Task Force members. Among the points made by Mr. Brittin included:
HIPPA grew out of a need, identified by Congress, to rationalize the medical claims processing system. Prior to HIPPA there had been no federal law relating to this area.
Mr. Brittin had reviewed Colorado laws and found them to be fairly stringent in certain areas regarding the privacy of medical information. The state government is precluded from releasing such data and individuals such as nurses and psychologists are prohibiting from disclosing that data. Interestingly, Mr. Brittin noted that there is no Colorado prohibition expressed regarding a physician's disclosure of medical information. There may, however, be licensing penalties associated with the unauthorized disclosure of medical information by physicians. States like California, Wisconsin, and Florida have robust state statutes dealing with the disclosure of medical information.
It was noted that the HIPPA regulations largely came about when Congress found itself gridlocked on issues relating to privacy policies. Foremost among the issues that caused the gridlock was parental notification.
In general, the HIPPA privacy regulations follow a scheme which tracks the data itself and creates firewalls and restrictions on the transfer of the data.
Cost of compliance is a major issue associated with the HIPPA regulations. It was also noted that the regulations can provide a line of discovery for trial counsel. Ms. Krause inquired as to whether problems associated with HIPPA would cause medical providers to record less information. Mr. Brittin acknowledged that possibility.
The HIPPA regulations extend to providers (doctors, hospital, suppliers), payers (insurance companies, HMOs, etc.) and clearing houses (processors of nonstandard medical claims). HIPPA technically extends to only the claims administration process.
Ten states are considering health privacy laws. In this area, HIPPA is a floor and will preempt any contrary law. However, HIPPA does not preempt any laws that may be deemed more stringent than HIPPA itself.
Talk circulates regarding potential legal challenges to the application of HIPPA.
Mr. Brittin outlined instances of the application of HIPPA or areas where HIPPA is not deemed to be applicable. One example was litigation in Boston, Massachusetts, regarding a pharmacy's disclosure of patients' names who receive certain high blood pressure medication. This information was disclosed to drug manufacturers who then sent unsolicited brochures to those patients regarding high blood pressure medications. A class action has been commenced maintaining that such disclosure was a breach of the patient's right to privacy.
HIPPA encourages the sale of "deidentified" data. It is deemed to be a public policy benefit to the use of that data for health-related studies.
The Task Force thanked Mr. Brittin for his input.
The third speaker group to speak to the Task Force was Messrs. Steven Keating and Richard Smith of the Privacy Foundation, Denver, Colorado. These gentlemen spoke to the Task Force regarding privacy and technology issues related to the internet. A video was shown to the Task Force that outlined some of the current activities that are taking place which suggest the surrender of identity or privacy by citizens around the world. Messrs. Keating and Smith then conducted a "tour" of a healthcare web site to point out the manner in which commercial entities collect information about users of the web site. Messrs. Keating and Smith pointed out:
The potential exists for state or federal agencies to abuse the use of social security numbers. An example of this is the requirement that states collect social security numbers in the course of driver license applications and use those social security numbers to locate "dead beat" parents. The Secretary of State of Michigan has initiated litigation to avoid such a requirement on the basis that such a use of social security numbers is coercive, even though it may be accomplish a laudable goal.
Public opinion surveys indicate that 80% of the people surveyed feel they have lost control of their personal data.
Cookies used in e-commerce make it easier to provide the benefits of e-commerce, but also allow commercial entities to track activities of users on the internet.
An area of growing concern is surveillance of internal e-mail by businesses. Businesses justify the surveillance on the basis that they seek to maintain the integrity of their systems and to preclude the use of those systems for improper conduct (sexual harassment, etc.). It is thought the problems with workplace privacy will grow as more workers telecommute. At present, the balance of power in this area resides with the employers.
With the miniaturization and sophistication of computers, it is anticipated that microchips will be put into more products. Ultimately, this may lead to the ability to better track individuals. An example of such tracking was the use of cameras at the recent Super Bowl to photograph all the entrants to the game and to immediately scan faces with facial recognition software to locate criminals. The process developed identification on approximately twenty "wanted" individuals. None of them were caught.
A tour of HealthCentral.com provided an example of how a profile of an individual can be built from recording the types of information that the individual accesses on a web site. Mr. Smith also described to the Task Force the concept of a "web bug." These are devices that can located on web pages that allow marketing organizations to follow internet users beyond the particular web page where data is being collected.
Mr. Smith predicted that ultimately, economics will create pressures on the web economy that will allow for the actual matching of data collected on the internet with identities of individuals. Online usage will ultimately turn into more direct marketing. Mr. Smith expressed concern that these steps will lead to the loss of confidentiality and identity.
Ms. Krause raised the question as to whether the concern for privacy is, in part, a function of age with older citizens being more concerned about privacy and loss identity than are younger citizens who are more familiar with information technology. Members of the Task Force acknowledge that this may well be the case.
Mr. Smith was asked if there are products that can block cookies and he indicated that such products are available, but difficult to access or use. Mr. Guthrie indicated that there is an enormous amount of law available to protect individuals, but question whether it is being utilized. He also noted that consumers can take action to not participate in order to preserve their anonymity.
The Task Force members thanked Messrs. Keating and Smith for their valuable input.
The Task Force then discussed the date for its next meeting and the topics. It was agreed that the meeting would be conducted on March 15 or March 16, 2001. Among the topics that the Task Force would like to consider are:
Results of the questionnaire sent by Governor Owens to state departments and agencies regarding the collection of personal information.
A discussion period to consider the information provided during the course of the meeting on February 16, 2001.
A discussion of the process that will be employed by the Task Force to create the report to the legislature.
There being no further business to come before the Task Force, the meeting was adjourned at 5:15 p.m.