Testimony before the Assembly Standing Committee on Consumer Affairs and Protection, Assembly Standing Committee on Oversight, Analysis and Investigation and the Assembly Legislative Commission on Science and Technology


Wednesday, June 7, 2000; 10:00 a.m.
Legislative Office Building Hearing Room C Albany, New York

Chairwoman Pheffer, Chairman Parment, Chairman Sweeney, members of the committees. My name is Edward Reinfurt and on behalf of The Business Council of New York State, Inc. I want to thank you for the holding this hearing on a topic which is receiving increasing attention in capitols throughout the nation and the world.

We are particularly pleased that you allowed for a panel presentation comprised of several members of The Business Council, each of whom will address a specific aspect of the privacy issue, including a number of the questions raised in your hearing notice. I am pleased to be joined this morning by Tom Eldering of Unified Technologies; Lynn Lyford of Electronic Data Systems (EDS) and Harriet Pearson of IBM.

Let me say at the outset that we very much appreciate the statement included in the hearing notice that "The Committees and Commission...recognize that the exchange of information can be a legitimate business transaction and that prohibiting such transactions may have serious consequences for New York State businesses..."

Understanding the full implications of policy issues and options in the cyberage necessitates an understanding of the technology and technology options which exists today or which are reasonably expected to exist in the near future.

The privacy concerns being expressed today are not new. What is new is an information revolution that necessitates different models of enforcement, cooperation and collaboration in order to respect and protect that privacy.

In our remarks today we plan to respond to the questions you have raised by concentrating on several distinct aspects of the privacy debate. First, Harriet Pearson will provide the perspective of one of the leading Internet players, which has taken an aggressive role in showing how industry efforts can be a more effective means of ensuring privacy protection than old, conventional methods. Next Lynn Lyford will speak to her company's privacy policy as an example of what progressive companies are doing. Tom Eldering will provide the perspective of a smaller technology company that must constantly deal with privacy issues as it works to assist the information and data needs of its clients.

But first, I would like to offer some comments on behalf of our member companies and the thousands of businesses which would be impacted by the various proposals under consideration in New York and other jurisdictions.

We had hoped to have completed for this hearing the results of an Internet Privacy Survey which we commissioned the Marist College Institute of Public Opinion to conduct on actual Internet practices of representative sites in New York State.

Much attention has been given to the surveys conducted on the national level of the web sites which receive the most Internet traffic. These include some of the most widely known dot.coms companies. These companies have spent millions of dollars developing their sites and, often, millions of dollars in advertising their sites.

But these sites are not average web sites any more than General Motors is the average business on Main Street in any city of this country.

Our decision to know more about the Internet practices of our member companies came out of discussions with Attorney General Spitzer and the legislative task forces and committees in the Senate and Assembly which were studying this issue.

One of the purposes of the Marist study was to enable us to know more about the state-of-the-art of privacy policies of representative companies in our membership so that we could establish a benchmark of best practices and then work with our members to improve their privacy policy and practices.

For purposes of this survey we decided to do a random sampling of the web sites of small members of The Business Council, medium size members, large members and, finally, the Top Fortune 500 companies headquartered in New York State. Small was defined as members with less than 100 employees; medium size employers were those which had 100 to 500 employees; large employers included those with over 500 employees; and the Fortune list included those 46 companies on the Fortune 500 list which are headquartered in New York State.

The Marist Survey will be completed shortly but we do have the interim survey results as they relate to small, medium and large companies. The Fortune 46 portion of the survey will soon be completed at which time we will make the findings available to your committees and other interested parties.

The first question posed in the hearing notice deals with personally identifiable information which is collected by web sites. Marist did survey this question and since this is one of the issues of greatest interest to policy makers we would like to present the preliminary findings.

At first blush, some would be surprised to learn that 96% of small company web sites, 99% of medium and 100% of large company web sites collect or have the ability to collect personally identifiable information of some type.

But as you look closer at the underlying details the findings are less surprising and, indeed, are very logical and understandable.

The most common type of information which is or can be collected by these web sites is an e-mail address. The numbers are the same as was just cited, 96% of the small, 99% of the medium and 100% of the large.

The next highest type of personally identifiable information which can or is collected is name and address and here the %'s range from 60 to 80% depending on the size of employer.

When you get to the type of personally identifiable information which seems of be of greater concern to policy makers — credit card information, for instance, the percentages are much lower, 8%, 11% and 18% for small, medium and large employers.

Social Security numbers are even lower, 4%, 8% and 18% respectively.

Now when you think about why these web sites want to be able to collect this information we would offer a simple answer. Most of these sites are commercial web sites that were developed to enable businesses to do business on the web. It is very difficult to respond to a customer inquiry over the Internet without having some way of responding to that customer. E-mail is by far the preference of choice, so, it is perfectly logical that if you want an e-mail response you need to provide the business to which you have directed your inquiry with your e-mail address. Likewise, if you want a product shipped to you the business needs a name and a shipping address.

The industrial valve company that has a web site establishes a web site for the same reason that most companies have established web sites - to better serve their customers and to grow their business. This company would never think of misusing the data provided by its customers for a very, compelling reason. A company's customer base is its most valuable asset. Without customers the valve company is out of business.

The ability to analyze data, though, can help the valve company better serve its customers. It can provide 24-hour 7-day-a- week help centers and ability to track visits to maintenance or repair questions can assist the production or engineering department in product design.

My point in all of this is to make the case that the vast majority of web sites of our members, and we would suspect of most businesses, are designed to better serve customers. Data and information are protected and respected as they would be in any other form, whether on a disk or in a customer sales file.

However, a number of the legislative proposals under consideration do not make a distinction between data which is shared between business customers or between consumers and businesses which are involved in commercial transaction or providing business information over the Internet. This is a major concern to us and one we ask you to consider as you develop many of the proposals which will have far reaching implications which go beyond the so-called dot.com companies. In an attempt to solve problems which some policy makers believe exist in some segments of the Internet community, we urge you not to impose restrictions on the vast majority of the other commercial players who have a long history of protecting and respecting the confidentiality of the information they obtain from their customers.

With that I will stop and now turn the discussion over to Harriet Pearson of IBM.

IBM Testimony
EDS Testimony
UNIFIED Technologies Testimony