Protect your privacy
Tim Leslie’s unlikely crusade to defend consumer rights
In the fall of 1997, as state Senator Tim Leslie was gearing up to run for statewide office, he realized that he needed a fat and juicy issue, a cause he could claim for his own.
The veteran lawmaker had done a creditable job representing the people of his sprawling northeastern California 1st Senate District, which included Placer and El Dorado counties just east of Sacramento. But to run for the post of lieutenant governor, he needed an issue with serious statewide appeal, something he could point to and say, “This is important to all Californians, and I’ve led the way in dealing with it.”
That’s when he read an article in the Los Angeles Times about Bronti Kelly. It was just what Leslie was looking for—the kind of nightmarish tale that could happen to anyone.
The story, by Associated Press reporter David E. Kalish, describes how Kelly was working as a salesman in a Robinsons-May department store in Riverside, California, in early 1991, when he was 26. One day he was ushered into the personnel director’s office and told that security guards had caught him shoplifting in another Robinsons.
No way, he said, claiming he was doing Air Force reservist’s duty at the time. He later provided a letter from his commanding officer verifying that claim. He was fired anyway.
After that, no matter how hard he tried and despite his good employment record, Kelly couldn’t get another job. Company after company rejected him, without explanation. He survived on his $700-a-month reservist’s pay, but when his six-year stint ended in June 1993, he had no money coming in.
He spiraled downward from there—bankruptcy, eviction, living out of his car, then living on the streets and sleeping in public parking garages. He struggled to keep up appearances, however, using a pool shower at his former apartment complex to get clean.
Finally he landed a job at another department store, but he was fired the next day. In tears, he asked why. The store’s personnel manager told him to contact Store Protective Association, which keeps tabs on employees for about 100 chain retailers. Five months later, he got a letter from SPA. The old shoplifting charge, which he thought he’d cleared up, was still on his record, the letter read.
It was even worse than that. Kelly subsequently learned from the Los Angeles Police Department that its records indicated that he’d been arrested five years earlier for burglary and arson as well as shoplifting. Someone else, a criminal, had been using his identification.
The only possible explanation: Back in 1990, someone had snatched Kelly’s wallet containing his driver’s license, Social Security card, military I.D. and $4. That and a criminal mind were all it took for someone to steal his identity—and wreak havoc in his life.
Leslie was appalled by the story. After reading it, he had his staff do some research. They discovered that identity theft had reached epidemic levels and that the crime often had devastating effects on its victims, leaving them financially ruined and unable ever to restore their good credit ratings, not to mention get rid of their police records. And yet, under current law, it was treated merely as a misdemeanor.
Leslie had opened a Pandora’s box of problems. He began to see that identity theft was only one of many issues related to personal privacy on which lawmakers were way behind the curve. In the computer age, when huge amounts of information about each and every one of us can be, and is, stored in fileservers everywhere and is being passed around as freely as nickels and dimes, legislators had done almost nothing to protect people’s privacy—that is, their ability to control what happens to their personal information.
Tim Leslie had his fat and juicy issue. He would become a crusader for privacy rights.
In the three years since then, Leslie has played a leading role in protecting the public’s privacy. Only after he started pushing on privacy did Democrats in the Legislature realize that he’d co-opted one of their potential platforms. They’ve since become active on the issue, and this year two Democrats, Hannah-Beth Jackson in the Assembly and Jackie Speier in the Senate, have joined Leslie in leading the charge on the biggest privacy issue of the moment—personal-data sharing among financial-services companies.
But it was Tim Leslie who started the ball rolling, and this unlikely crusader remains a major player in the effort to protect citizens’ privacy in the computer age.
It’s an unlikely role for him. Leslie is a conservative Republican from a rural district, a devoted Christian who favors such family values issues as parental consent for minors’ abortions and stiffer penalties for drug dealers, as well as increased timber harvesting on national forests and construction of the controversial Auburn Dam above Sacramento. Besides, big-city liberal Democrats traditionally have owned consumer protection legislation. In contrast, Leslie is, as he puts it, “a business friendly legislator,” one who has received the financial as well as political support of business interests throughout his career.
These business interests—especially banks, insurance companies, savings and loans and credit agencies—are the same groups that happen to possess much of the citizens’ private personal information. And they have adamantly resisted efforts to restrict their use of it. The lobbyists who represent them in the Capitol, and against whom Leslie has battled, “are my friends,” he says. “These are people who have been supportive of me for 12 or 15 years.”
That has not deterred him. By all accounts and indications, Leslie’s Christian practice is sincere and deeply felt, and when he believes an issue is right, he’s willing to butt heads with members of his own Republican caucus, friendly lobbyists, even a Republican governor—a quality he’s proud of. As his official, staff-prepared bio points out, when the Republican administration of Governor Pete Wilson decided to eradicate the pesky non-native northern pike in Lake Davis, a primary source of drinking water for Plumas County, by dumping poison in the lake, Leslie fought to stop it. Then, when the poisoning became a fiasco, killing fish in streams far removed from the lake, Leslie “strove to provide reparations to the community for harm it incurred as a result of the poisoning.”
In person, Leslie is as soft-spoken and gentlemanly as they come, a small man with a round face who seems to define the phrase “mild mannered.” But his inner toughness is attested to by the fact that he’s been fighting multiple myeloma, a form of cancer, since 1986, when it initially was diagnosed. At the time he was 30 days away from his first successful election, for the Assembly.
Born in Ashland, Oregon, in 1942, Leslie lived in Southern California as a child and attended local schools. He earned a bachelor’s degree in political science at California State University, Long Beach, and a master’s in public administration from USC. In 1964 he and his wife, Clydene, moved to Northern California, where they started a family. They now have two grown children, Debbie and Scott, and two grandchildren.
Leslie’s first jobs were as a legislative representative and real estate salesman. In 1980 he made his first run for public office, for a seat on the Sacramento County Board of Supervisors. He narrowly lost.
During this time Leslie was active in Republican Party affairs. Because of his experience as a founding director of a community-based anti-drug-abuse organization, Governor George Deukmejian appointed him to the State Advisory Board on Drug Programs in 1985. The following year Leslie made his run for the Assembly.
As the Republican candidate in a heavily Republican district, Leslie was riding high, anticipating victory, when he found out about the cancer. For a few days, until he learned the illness was localized and treatable, he thought he’d be lucky to serve one term in the Assembly.
Instead he served three terms and then ran for the Senate, where he served two terms and attained ever-greater authority. By the time term limits forced him out, in 2000, he chaired the Senate Banking Committee and was vice chairman of the powerful Appropriations Committee.
After 14 years in the Legislature, however, the 58-year-old Leslie wasn’t ready to retire, so he ran, again successfully, for the 4th District Assembly seat being vacated by his fellow Republican Rico Oller. The district includes much of his former Senate district, and his district offices remain in Roseville. Meanwhile Oller, also facing the term limits bugbear, ran for and won Leslie’s Senate seat.
By that time Leslie already had made his unsuccessful 1998 bid for lieutenant governor and, more significant, survived another, even worse cancer scare. In fact, the two events occurred simultaneously. As former pro baseball player Dave Dravecky writes, profiling Leslie in his book Portraits in Courage, “For four days a month while campaigning in the fall of 1997, Tim wore a dispenser on his hip that dripped cancer-fighting drugs into his system. A fellow California legislator, Democratic Assemblyman Dick Floyd, told Tim he’d be willing to admit him to the ‘bald man’s caucus’ if his hair should fall out.”
The day after Christmas, Leslie underwent a successful bone marrow transplant. He went on to win the lieutenant governor’s race in the Republican primary but lost in November, when Democrats led by Gray Davis swept most top state offices.
By then, though, he’d put together his first, and major, package of a half-dozen privacy-related bills and begun working them through the Legislature. And here this conservative lawmaker from a rural district was the first among his peers to tackle, in a substantial and comprehensive way, one of the defining issues of the modern age.
That Americans are deeply worried about their privacy is beyond questioning. They’ve heard the horror stories about stolen identities, and they know that banks, insurance companies, credit agencies, hospitals and other businesses, as well as government agencies, have collected all kinds of information about them—how much they earn, owe, pay for housing, pay for transportation; where they work, attend school, worship, spend their entertainment dollars; what they buy at the supermarket, what magazines they subscribe to, what they charge on their credit cards.
They’ve heard about “cookies,” secret software bugs that companies can install in the computers of those who log onto their Web sites. These cookies then report back to the companies information about the computer owners’ Web surfing habits.
Many thousands of Americans also have had the experience of discovering that their credit has gone sour because of errors on their credit reports. The problem is more widespread than most people realize. Consumer Reports magazine reported in its July 2000 issue on a study where more than 50 percent of the credit reports checked contained errors.
Americans value their privacy. In a 1998 Lou Harris poll, 78 percent of the respondents said that they had refused to give a company personal information for privacy reasons. Even more, 82 percent, felt they had lost all control of their personal information. Overall, 90 percent said they are concerned about threats to their privacy.
Of course, these same people by and large very much enjoy the many conveniences and services provided by the Internet and computers and by the businesses and government agencies that are collecting, storing and transmitting so much personal information. What they want is for government to figure out a way to protect their privacy—their ability to control their personal information—while allowing other information to flow freely.
It’s probably an impossible task. “The horse is kinda out of the barn,” Tim Leslie agrees, “but that doesn’t mean we shouldn’t try” to protect people’s privacy.
Leslie’s Sacramento offices are on the fourth floor of the Capitol annex. They’re a tightly configured warren of small rooms, and even Leslie’s own office isn’t especially large, though it does have sufficient space for a small table and chairs in addition to his desk. The walls are wood paneled with recessed shelves filled with books, memorabilia and pictures of his family.
Leslie says candidly that he first grabbed hold of the privacy issue mainly because it looked promising for his upcoming campaign for lieutenant governor. But as his staffers researched it, they came up with more and more examples—horror stories, really—of the myriad ways personal privacy is disappearing. “The more I got into it, the more interested in it I became,” Leslie says.
During the 1997-98 legislative session, he introduced half a dozen bills designed to protect privacy on several levels. Appropriately enough, the first of them, SB 1374, was a response to Bronti Kelly’s identity theft nightmare. It gave district attorneys the ability to treat the crime, heretofore a misdemeanor, as a “wobbler”—that is, as either a misdemeanor or a felony. Severely damaging cases of identity theft like Kelly’s henceforth would bring down the full force of the law. A companion bill also made it easier for victims of identity theft to clear their police records.
He also co-authored SB 1382 to outlaw disclosure of medical records without a patient’s consent. The impetus for the bill, he said, came when he saw an advertisement targeted to pharmaceutical companies. “It said, ‘Give us the disease you’re interested in, and we’ll give you a list of patients,’ ” Leslie explains. As someone who’d battled a life-threatening illness for many years, the idea that information about patients’ diseases could be bought and sold in that way appalled him, he says.
The bill died in committee, but later it was reintroduced by another legislator and passed, which pleases Leslie greatly.
Leslie also authored bills that prevented unauthorized examination of taxpayer records, criminalized the newly identified terrorism of cyber-stalking, and—something close to his heart, he says—restricted telemarketers’ access to children’s personal information. All passed, either as his bills or in others’ bills, and were signed by the governor.
Another issue on which he’s been ahead of the curve is personal information held by banks and other financial-services companies. Of all his efforts to protect citizens’ privacy, this one has pitted him most directly against long-time allies and supporters.
His decision to take on the financial-services industries had its impetus in a historic piece of federal legislation that took effect in late 2000. Known formally as the Financial Services Modernization Act but informally as Gramm-Leach-Bliley, or GLB, after its co-authors, the new law promises to transform the financial-services industry.
Historically in this country, the three pillars of the industry—banking, insurance and securities—by law have been required to remain separate. Insurance companies could not own banks, banks could not own stock firms, and so forth. GLB ended all that by allowing these companies, subject to certain conditions, to merge.
The implications are huge and profound, as is bound to be the case when the most powerful capital-holding companies in the country are given leave to join forces. Such mergers are also certain to have major impacts on personal privacy. For one thing, nothing in GLB prohibits these companies, when they merge, from sharing customers’ personal information with each other.
Each possesses tremendous amounts of sensitive personal data. Banks have financial information, insurance companies know about our health records, credit card companies know about our spending habits, securities firms know how we invest, even whether we’re suckers for get-rich-quick schemes. When this information is shared, it gives whoever controls it unprecedented ability to market to targeted consumers. For corporations, possessing such information is a gold mine. For consumers, it’s a violation of their right to say who gets to have that information and how it’s to be used.
Banks have shown their willingness to trade consumers’ privacy for profits. In 1999, the attorneys general in Minnesota and New York sued US Bancorp and Chase Manhattan, respectively, for the sale of consumers’ data to third parties contrary to their policies. In the Minnesota case, US Bancorp sold customers’ account numbers and balances, types of accounts, Social Security numbers and phone numbers to a telemarketer, Memberworks. When Memberworks successfully sold a product such as a travel club to a bank customer, it automatically debited the account, which it was able to do because it possessed the account number. Many of the customers were not aware that they had given consent to have their accounts debited.
Another example: In 1998, the U.S. Securities and Exchange Commission fined Nation’s Bank nearly $7 million for deceiving bank customers, many of them elderly and naïve, into switching their savings into the riskier investments of its affiliated securities company. Many who lost their life savings didn’t even realize what had happened.
Gramm-Leach-Bliley requires companies to provide customers with an opportunity to say they don’t want their personal data to be provided to third parties—what’s called an “opt-out” provision—but it says nothing about the transfer of data among affiliated, or merged, companies. A bank and an insurance company that merge, for example, are free to share their customers’ data.
To privacy advocates, allowing affiliated companies to share data is no different than allowing third-party sales in terms of the results. Both violate a basic privacy principal, which says: “Information that has been collected for one purpose shall not be used for other purposes without the consent of the individual.” They prefer an “opt-in” process, in which the businesses are required to obtain a customer’s permission before sharing private information.
Besides, as has become alarmingly clear to privacy rights groups, the opt-out process is confusing and largely ineffective. Facing a June 30, 2001, deadline, banks and other financial-services institutions sent out more than a billion “privacy notices” informing customers of their rights. With few exceptions, however, the notices were difficult to read and unclear, and as a result, it’s estimated, as few as 1 percent of the consumers exercised their option to protect the privacy of their records.
Tim Leslie has his own take on Gramm-Leach-Bliley. He agrees that data should not be shared among affiliated companies, but he goes further. As far as he’s concerned, the opt-out provision is largely a sham. “There’s a huge loophole in Gramm-Leach-Bliley,” he says, because even when a customer opts out, the bill still allows such sharing to occur “where the companies have a certain kind of business arrangement.”
GLB does contain a provision enabling states to enact stronger privacy provisions. This frustrates Leslie, who believes it doesn’t make sense to have 50 different state laws governing companies that do business nationally and internationally, but so be it, he says. In 1999 he introduced SB 1372, which would have prohibited financial companies from sharing customers’ data unless the customers opted to do so.
In fact, three such bills were introduced—Assemblywoman Sheila Kuehl’s AB 1707, Speier’s AB 1337 and Leslie’s bill. Kuehl and Speier are liberal Democrats from Santa Monica and Hillsborough, respectively. As one privacy advocate noted, however, “Leslie’s bill [was] all the more remarkable because he’s a Republican and the chair of the Senate Banking Committee.”
All three bills sought fundamental privacy provisions: full disclosure and access to records, opt-in consent for all data sharing, whether with affiliates or third parties, and penalties for noncompliance. And all three were killed during the 2000 legislative session because of strong and orchestrated opposition from the financial-services industries. In fact, a total of 30 similar bills introduced in 30 different statehouses around the country all went down to defeat that year, destroyed by the ability of the powerful and wealthy companies to campaign against them.
Leslie seems bemused when talking about the fate of his bill. He describes it as “essentially a Republican bill,” in that it recognized that legislation was needed and tried to make that legislation as business friendly as possible. When his friends the banking lobbyists told him they didn’t like the opt-in provision because it was “too complex,” he relented and amended it to include an opt-out provision, whereby the onus would be on customers to tell the companies not to share their information. Half a loaf was better than no loaf, he thought.
“I didn’t want some monster of a bill that would be complex to implement and take a heavy-handed approach, levying fines, that sort of thing,” he says. “I wanted a sweet, simple process.”
The lobbyists insisted they needed access to the information in order to better determine what products they could develop for customers. But Leslie had an average person’s grasp of the issue: “My feeling was,” he says, “when I go to the bank and open an account, it’s my business.”
Despite Leslie’s making all the changes the banking lobbyists said they wanted, they nevertheless came to him one day and said, “Sorry, we have to tell you we oppose it.” The bill subsequently lost by one vote in the Senate Judiciary Committee.
“I can’t say how disappointed I am at the Judiciary Committee’s vote,” Leslie later said in a press release. “Financial institutions now have carte blanche to pass around the intimate details of our lives. If the Legislature ever does get around to protecting financial privacy, there might not be enough privacy to protect.”
Leslie notes that both Republicans and Democrats voted against his bill. With its opt-out provision, “AB 1372 was too weak for the Democrats but too strong for the Republicans,” Leslie now surmises. “I couldn’t win for losing.” But the fact that he didn’t please either party suggests to him that he was “on the right track.”
Actually, he’s been on the right track for several years, and in that time many other legislators, most of them Democrats, have joined him in sponsoring privacy legislation. Just last year, for example, the Legislature enacted nine different bills, ranging from protecting tax-return and medical information to prohibiting the Board of Equalization from releasing certain information. Most important, it passed SB 12, written by Senator Steve Peace, a Democrat from San Diego, establishing the Office of Privacy Protection in the state’s Department of Consumer Affairs. The office will be responsible for handling privacy complaints and developing strategies to protect privacy.
This year, when Leslie returned to the Legislature as a freshman assemblyman, he resubmitted his financial-services bill, this time as AB 21. He did so on the opening day, when lawmakers traditionally introduce what they consider to be their most important piece of legislation.
Another assemblymember, Hannah-Beth Jackson, a Democrat from Santa Barbara, later introduced an “opt-in” bill similar to the three bills defeated in 2000. On the Senate side, Jackie Speier introduced her own “opt-in” bill. Leslie said at the time that he was happy to see those bills in the hopper, too. “It could help” the play on his opt-out bill, he said, by giving lawmakers a choice.
Jackson’s bill died in the Assembly Banking Committee, a victim of powerful lobbying by the financial-services businesses, but Speier’s bill, SB 773, passed the Senate comfortably. For four hours on June 16, the members of the Assembly Banking Committee listened to arguments for and against the bill. Following the hearing, Speier reluctantly amended the bill to make it more palatable to the banks by allowing an opt-out provision for data sharing among affiliates and subsidiaries while retaining an opt-in provision for data sharing with third parties.
That was enough to sway the powerful chairman of the committee, Lou Papan, a Millbrae Democrat and co-founder of a bank in his district. When the committee met again a week later to vote on Speier’s bill, Papan voted in favor, giving supporters reason to hope it would pass.
It failed by one vote. Two vacillating Democrats abstained, including Carl Washington, from Paramount, who ironically had co-authored Jackson’s nearly identical bill.
Afterward, Speier was livid at the brute power wielded by the banking industry, telling the Sacramento Bee, “It was one of the most offensive hearings that I’ve taken part in during my 13 years in the Legislature. … ”
Everyone thought that was the end of Speier’s bill, at least for this session. But later Papan rescued it, saying that because of procedural errors made during the hearing he wanted the committee to reconsider it. Earlier this week, on Monday, July 16, the committee heard the bill for a third time and this time passed it, after exempting smaller, community-based banks from the opt-in provision. It will now go to the Assembly Judiciary Committee and then to Appropriations before heading back to the Assembly floor.
There’s a slim chance that Speier’s bill could come out of the Legislature this session, but it may have to be put over until next year, says Kevin O’Neill, who is Tim Leslie’s legislative director. In either case, it’s unknown whether Governor Gray Davis, who has received huge amounts of campaign funding from financial-services companies, will sign it.
In the meantime, Leslie’s AB 21 remains very much alive, having passed the Assembly Banking Committee in late May. It’s now before Judiciary. But it has a long way to go before it even reaches the Senate side, and it’s hampered by being a Republican-sponsored bill in a Democrat-controlled Legislature.
Still, it’s a good bill, O’Neill says. Though it contains an opt-out provision, it requires that customers be told of their right to prohibit the sharing of their personal information in clear layperson’s language and that a postage-paid return form be provided for them to do so.
Eventually, some kind of financial-services bill will pass, Leslie argues. It’s inevitable, and he intends to keep working for it. Even some of the banking lobbyists have said to him privately that the legislation is needed. But the companies they represent have been so successful in blocking all legislation that they remain unwilling to compromise. That may change, however, now that Speier’s bill has passed its greatest hurdle.
If the Democrats don’t beat him to it, Leslie has until 2006 to get a bill passed. That’s when he’ll be term-limited out of the Assembly, and out of political life. He’ll be 64 then, a good age for retirement. He expects then to become more heavily involved with Hope Unlimited, a nonprofit, faith-based organization dedicated to helping “street children” in Latin America, particularly in Brazil.
Thousands of impoverished Brazilian children live on the streets, where they survive by stealing and prostitution and sniff glue to get high. Hope Unlimited operates two facilities for these kids where they’re housed, fed and given standard and vocational education and “a big dose of God’s love,” Leslie says. “The transformation of these children is phenomenal.”
He’s visited the Hope Unlimited sites on several occasions. Currently he sits on the group’s international advisory board and works aggressively to court funding for the organization, especially from American corporations operating in Brazil.
As far as he knows, his health is good. He underwent a three-year post-transplant checkup a few months ago, and it showed no signs of recurrence of the cancer. “I feel fine,” he says. “It apparently worked for me.”
Leslie says his illness has drawn him even closer to his wife, Clydene. “When people wonder what I’ve learned from all this,” he says, “I tell them it’s the importance of a caregiver when you’re going through a serious medical problem. If my wife hadn’t been there as a caregiver, I wouldn’t have made it.”
And, it might be added, California wouldn’t have had its unlikely crusader for privacy rights. Leslie realizes that the role might seem an odd fit, at least to those who don’t know him well. But some issues simply transcend political ideology and party lines, and the right of people to control their personal information is one of them. Privacy, Tim Leslie believes, is not a Republican issue or a Democratic issue. It’s a human issue.