APPENDIX

As described below, a limited framework of privacy protection currently exists under both Federal and State laws that applies to securities firms and other financial services firms. We also include a discussion of the European Union ("EU") Privacy Directive.

I. Federal Laws Applicable to Securities Firms and Other Financial Institutions

Outside of the federal securities regulatory scheme, a number of existing laws apply privacy restrictions to certain aspects of the securities industry’s business. At the federal level, Congress has enacted the Identity Theft and Assumption Deterrence Act of 1998 ("ITAD"), the Right to Financial Privacy Act of 1978 ("RFPA"), the Electronic Fund Transfer Act ("EFTA") (also enacted in 1978), and the Fair Credit Reporting Act of 1970 ("FCRA"). States have also addressed consumers’ right to financial privacy. The scope of privacy rights conferred by these laws, however, is limited.

The Identity Theft and Assumption Deterrence Act of 1998

Through the ITAD,[1] Congress amended 18 U.S.C. § 1028(a)(7) to criminalize the knowing and wrongful use or intended use of another’s means of identification to commit a crime. The ITAD defined "means of identification" as "any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual."[2] Social Security numbers, fingerprints, and electronic addresses are included in the definition. In passing this law, Congress attempted to address the privacy concerns specific to the technological information age.

The Right to Financial Privacy Act

The RFPA[3] was enacted in response to the Supreme Court’s decision in United States v. Miller.[4] In Miller, the Court held that a criminal defendant could not raise a Fourth Amendment challenge to the government’s improper seizure of records from his bank (e.g., copies of checks, deposit slips, monthly statements), because a bank depositor has no legitimate expectation of privacy in these records.
Enacted to redress the lack of constitutional protection for these records, the RFPA imposes some constraints and procedural requirements on the federal government’s collection of the financial records of a financial institution’s customers. Notably, however, the RFPA restricts only the federal government; it imposes no restrictions on a bank’s or securities firm’s disclosure or sale of information to state or local governments or to private parties. The RFPA restricts the federal government’s access to a financial institution’s customer information without the written consent of the customer or a valid subpoena, summons, search warrant, or formal written request. Except for search warrants, the RFPA also requires that the government give the customer advance notice of its intentions and a chance to challenge the government’s access to the records. The RFPA also prohibits financial institutions from releasing customer information to the government unless the government certifies in writing that it has complied with the RFPA.

The Electronic Fund Transfer Act

The EFTA,[5] enacted in 1978, was another effort to address problems specific to technological advances. The EFTA provides a framework for governing the use of electronic fund transfers. A financial institution must tell its customers, to the extent applicable, under what circumstances it "will in the ordinary course of business disclose information concerning the consumer's account to third persons."[6] Further, similar to the ITAD, this statute imposes criminal liability on any person who knowingly uses, attempts to use, or conspires to use a wrongfully obtained debit instrument.
Significantly, however, transactions to purchase or sell securities or commodities through a broker-dealer are exempt from the definition of "electronic fund transfer" and, therefore, are not subject to the requirements of the EFTA.

The Fair Credit Reporting Act

The FCRA was enacted to redress perceived abuses in the credit reporting industry. A 1993 Senate Report described that industry as follows:

The credit reporting industry is centered around consumer reporting agencies, which collect and sell information concerning the credit histories and financial status of 90 percent of all Americans. Much of this information is submitted by credit providers, such as banks and finance companies, which obtain this information from their experience with individual consumers. The agencies also collect items of public record, such as arrests, lawsuits, and legal judgments. The consumer reporting agencies sell the information from their files to their customers. Customers include retailers, insurance companies, lenders, businesses that sell mailing lists, prospective employers, and government agencies. Thus, a consumer report can be a decisive factor in whether a consumer’s application for credit, an apartment, a job, or insurance will be accepted or rejected.[7]

In general, the FCRA imposes restrictions on a consumer reporting agency’s provision of consumer reports to others. Entities engaged in this business must meet certain minimum standards designed to ensure that credit reports contain accurate and current information. The FCRA also guarantees consumers access to their credit reports, provides consumers with the right to dispute their credit report (including a mechanism to do so), and imposes penalties for its violation. The entities and reports covered by the FCRA are, however, narrowly limited. It only applies to "consumer reporting agenc[ies]," and only to their furnishing of "consumer report[s]."[8] Each of these phrases receives a detailed definition in the FCRA.
"[C]onsumer reporting agency" generally means "any person which . . . regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties."[9] "Consumer report," in turn, is given a lengthy definition, generally covering reports on consumers’ creditworthiness.[10] Significantly, however, the phrase does not include any report containing information solely as to transactions or experiences between the consumer and the person making the report. This category is often referred to as "experience information." Relying on the exception for "experience information" and the definition of "consumer reporting agency," a number of courts have held that the FCRA is inapplicable to banks providing outside parties with adverse credit information on their customers.

The FCRA was amended in 1996 to replace the broad "legitimate business need" exception with a more restrictive one.[11] Under the amended law, credit reports can be disclosed only to a person that the consumer reporting agency has reason to believe "has a legitimate business need for the information: (i) in connection with a business transaction that is initiated by the consumer; or (ii) to review an account to determine whether the consumer continues to meet the terms of the account."[12] The "experience information" exception, however, was expanded. The FCRA now excepts from the definition of "consumer report" not only "any report containing information solely as to transactions or experiences between the consumer and the person making the report," but also "communication of that information among persons related by common ownership or affiliated by corporate control."[13] Thus, even if a bank qualifies as a "consumer reporting agency," it may disclose information about its customers to an affiliate. The same analysis applies to securities firms.
Broker-dealers may disclose information about their customers to an affiliate because they collect private information through "transactions or experiences" (e.g., customers who open margin trading accounts). Moreover, broker-dealers are generally not in the business of providing such information in the form of consumer reports to third parties. Thus, NASD Notice to Members 97-12 explained that under the amended provisions "an entity may share without limitation ‘experience information’ (i.e., information derived from transactions or experiences with the consumer) with both affiliates and non-affiliates without becoming subject to the FCRA."[14]

Other Federal Statutes

Financial institutions also may be affected by other federal statutes, including the Fair Credit Billing Act[15] (restricting reporting of amounts a consumer disputes as delinquent to a third party), and the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1991 ("Act")[16] (authorizing the Federal Trade Commission ("FTC") to regulate the conditions under which telemarketers may contact consumers).[17] Generally speaking, the FTC, pursuant to the Federal Trade Commission Act, and the States play an important role in regulating activity that may abuse consumer privacy.

II. State Privacy Statutes

Many states appear to have some statute governing the financial privacy of individuals. The content of these statutes varies. Like the RFPA, many states’ statutes govern only disclosure to government authorities -- that is, state and local government authorities.[18] Other states -- including Connecticut, Illinois, Maine and Maryland -- appear to have financial privacy statutes that cover disclosures to private as well as governmental entities.[19] These statutes restrict disclosure of confidential financial information except to the customer or the customer’s agent. The types of financial privacy statutes in effect in other states vary widely.
Some states have laws resembling the federal EFTA and RFPA laws. Some states, notably California, have privacy guarantees in their state constitutions. In addition, common law doctrines, such as invasion of privacy, defamation, and implied contract, may recognize certain privacy protection for financial records.

III. European Union Data Protection Directive

Privacy concerns also have emerged recently in the international context. The EU’s 1995 enactment of a Directive on Data Protection ("DPD"), when fully implemented, will apply to U.S. securities firms doing business in the EU.[20] Article 1 sets forth a comprehensive system by which EU member states are obligated to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. Article 2(a) of the DPD defines "personal data" as any information concerning a person who can be identified by reference to one or more factors specific to his economic identity, among other factors.[21] Each EU member country is required to enact laws that implement the DPD.

Significantly, part of the system to protect the privacy of EU citizens is a prohibition on the transfer by EU entities of personal data to third countries whose privacy protections are deemed inadequate.[22] The DPD applies to any company that receives or transfers personal data from the EU, including internationally active U.S. broker-dealers, investment advisers, investment companies, and banks. If EU member countries determine that privacy protections in the U.S. do not meet their standards for adequacy, the flow to the U.S. of personal data about EU citizens, including personal financial information, could be restricted. Such restrictions could impair the ability of U.S. financial services entities to function fully in the global market.
The DPD contains a number of exemptions[23] and derogations[24] from the transfer restriction, including exceptions for: data flow necessary for the performance of a contract, data flow pursuant to the consent of the data subject, data flow necessary or legally required on important public interest grounds or for legal action, data flow that protects the vital interests of the data subject, and data that is already a part of the public record.

The Department of Commerce has the lead role in negotiating with the EU on behalf of the U.S. Government with respect to the effects of the DPD on U.S. entities. The DPD became effective in October 1998. The U.S. and EU have agreed, however, that data flows to the U.S. would not be interrupted during negotiations. To date, the EU-US negotiations have focused on a self-regulatory model that would address EU concerns. On November 4, 1998, the Department of Commerce introduced to the U.S. industry a set of draft privacy principles that were meant to serve as a safe harbor from the DPD.[25] Commerce issued those draft International Safe Harbor Privacy Principles under its statutory authority to foster international commerce. The intended goal of the safe harbor is that a U.S. entity that voluntarily complies with the principles will be presumed by the EU to have adequate privacy protections for personal data.[26] Provision of personal data to such an entity would not be halted as long as the entity self-certifies its compliance. We understand that these principles would apply to the financial services industry.

The draft International Safe Harbor Privacy Principles[27] are:

* Notice. When individuals first provide personal information to an organization, the organization must provide them with clear and conspicuous notice about the type of personal information that the organization collects, how the information is collected, the purpose for the data collection, to whom the information will be disclosed and the methods by which the organization allows individuals to limit the use and disclosure of the information.

* Choice. Individuals must have the opportunity to choose to opt out of the organization’s use of their personal information for a matter unrelated to the original use for which the information was initially disclosed. Organizations must, with respect to the use of sensitive information, such as medical information, allow individuals an opportunity to affirmatively opt in.

* Onward Transfer. Organizations must give individuals notice and the right to choose whether and how the organization transfers their personal information to a third party. When an individual is not provided with a choice because the transfer is related to the original use of the information, the third party must provide the same privacy protections as the individual received from the original recipient organization.

* Security. Organizations must take reasonable precautions to protect the information they collect concerning an individual from loss, misuse, disclosure, or other breaches of security.

* Data Integrity. Organizations must take reasonable measures to keep data accurate, complete and up-to-date, and may process data only for the intended use.

* Access. Individuals must have the right to reasonable access to personal data that an organization collects about them.

* Enforcement. Privacy protection must include methods to verify organizations’ claims about their privacy policies, recourse methods to resolve individuals’ complaints and disputes, and methods of remediating problems and consequences for non-compliance with the principles.
We understand that the Department of Commerce and the EU Directorate General XV, while having identified substantial common ground, continue to negotiate on the parameters of the safe harbor and its application.[28]

**FOOTNOTES**

[1]: Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 U.S.C. § 1028).

[2]: 18 U.S.C. § 1028(d)(3).

[3]: Pub. L. No. 95-630, tit. XI, 92 Stat. 3641, 3697-3710 (1978) (codified as amended at 12 U.S.C. §§ 3401-22).

[4]: 425 U.S. 435 (1976).

[5]: Pub. L. No. 95-630, tit. XX, 92 Stat. 3641, 3728-41 (1978) (codified at 15 U.S.C. §§ 1693 to 1693r).

[6]: Id. at § 1693c(a)(9).

[7]: See S. Rep. No. 103-209, at 1 (1993).

[8]: 15 U.S.C. § 1681a(d), (f).

[9]: 15 U.S.C. § 1681a(f).

[10]: See 15 U.S.C. § 1681a(d).

[11]: Pub. L. No. 104-208, Div. A, tit. II, §§ 2403-05, 2420, 110 Stat. 3009, 3009-430 to -434, 3009-454 (1996).

[12]: 15 U.S.C. § 1681b(a)(3)(F).

[13]: 15 U.S.C. § 1681a(d)(2)(A)(i) & (ii). We note that courts have not interpreted this exception.

[14]: NASD Regulation Request for Comment, 97-12 (Mar. 1997).

[15]: 15 U.S.C. §§ 1666-1666j.

[16]: 15 U.S.C. §§ 6101-6108.

[17]: Although persons involved in the securities industry, such as brokers and investment advisers, are exempt from any such FTC rule, the Act required that the SEC adopt, for the securities industry, rules similar to those set by the FTC. At the request of the SEC, major self-regulatory organizations ("SROs") have changed their rules to correspond to those of the FTC. See Exchange Act Release No. 39010, at 4-5.

[18]: L. Richard Fischer, The Law of Financial Privacy 5-37 (2d ed. 1991).

[19]: Id.

[20]: Council Directive 95/46/EC of 24 October 1995, on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31 [hereinafter "DPD"].

[21]: DPD, art. 2(a).

[22]: DPD, art. 25.

[23]: DPD, art. 13.

[24]: DPD, art. 26(1).

[25]: Draft International Safe Harbor Privacy Principles (Apr. 19, 1999). The principles were revised as of April 9, 1999.

[26]: Organizations may also qualify for the safe harbor if they are subject to, and their activities are governed by, a "US statutory, regulatory, administrative or other body of law (or body of rules issued by national securities exchanges, registered securities associations, registered clearing agencies, or a Municipal Securities Rulemaking Board) that also effectively protects personal data privacy." Draft International Safe Harbor Privacy Principles (Apr. 19, 1999).

[27]: Draft International Safe Harbor Privacy Principles (Apr. 19, 1999).

[28]: The EU, however, has rejected the notion that the financial services industry should be deemed to meet the requirements of the safe harbor just because they are "heavily regulated." David L. Aaron, Under Secretary of Commerce for International Trade, "Enabling Privacy in a Virtual World," Address at the SmartCard Forum Symposium (May 20, 1999).