[Speaker 0]: Good afternoon, everyone. This is the Vermont House Committee on Commerce and Economic Development. Again, it's Friday, the thirteenth, March twenty twenty six at 02:47 in the afternoon, so we're here to look at our final bill, hp11. I think we had a walkthrough yesterday with Rick and nothing has changed, don't believe.

[Rick (Office of Legislative Counsel)]: So Rick's table with the office of legislative counsel and draft 7.1 is still draft on the committee's table. Okay. Happy to entertain questions or changes, whatever the committee's.

[Speaker 0]: Maybe can take some testimony and then see if there's any changes that people would like or not like. Yep. Hello, you wanna

[Dylan (RELX/LexisNexis representative)]: Hey, Mr. Chair. For record, is looking to bring up the merits here for RELX today. I think to be with you on March 13 crossover project. I know this bill has been in front of the committee for a long period of time, and so I just want to take the commitment back to some testimony that was delivered from Elizabeth Allen, who is a privacy attorney with the Cal Privacy Agency. I had the opportunity to go back and listen to her testimony, explanation of how the California law is being implemented, and there was a lot in there. So I encourage the committee to go back and review what she had said. Relevant to what RELX has been asking for, I think, is one particular statement. I'm just gonna quote Ms. Allen, which is both GLBA and is an exception under our law. So to the extent that the data covered by GLBA, it's not covered by us, us being public health privacy. So it will forever not be able to be deleted under the fair. Under the Act for good reason. I just wanna leave the committee with that. So I start to provide additional feedback. Think the committee heard yesterday from Representative Priestley, I appreciate the analogy that the effect of this bill will be to take one tool out of toolbox banks, private meetings, other financial institutions have available to you. That was a fairly accurate description of the Can you repeat that? I didn't quite hear that. I wanna put words in representative cases and outspoken. When I went back into the testimony sheet, I'd indicated that the effect of this bill would be to take one tool out the toolbox that would be available to entities conducting business in the state. I think that's accurate. It would also make Vermont an outlier in this case in the approach that is being taken here under the use case exemption approach versus a data level exemption approach taken in other practices like the California. That is, of course, a policy decision for the community to make.
And I think that some of the instances, for example, the title, insurance, and example, that cropped up in the last six hours is one example of a use case that maybe had not been contemplated for. And I would just pose this question to the committee, how many other use cases are out there that are not yet contemplated, or might be contemplated in the future that are not gonna be covered under the approach taken here today. That may be a risk that the jury is willing to to take. That is your decision, but I do think it's worth pointing out that that is a risk, and and that is a risk that would be born here from my and one that is not being tested also. I also need to double down on comments yesterday that other states that have enacted deletion mechanisms for data brokers have chosen to enact on the best consumer privacy policy first. We think that that's the appropriate approach here. There are two privacy bills that characterize some of those currency bills that are sitting on the wall in this community, one of which is best in chamber, both with the inflation rights for consumers, not just for data brokers, but for any company holding to pay. That would be a comprehensive approach, and if there are gaps, they can be filled in, specific to entities that don't have a direct consumer relationship with brokers that could be addressed in the context by an office state policy. Understand that there were some current concerns yesterday from representative Carris Duncan about what type of information banks or insurance companies might utilize when they make decisions about whether or not to approve or offer products to customers, potential customers. I think if the intent here is to narrow what those types of entities can use when they make those decisions sorry, that was my takeaway.

[Emily Carris Duncan (Member)]: No, sorry, just my concern is about opacity and accuracy of that information. It's not better. We are in this place where information often goes stale, it becomes unethical, then as consumers, we're faced with this really opaque system that doesn't let us see our information or what is out there and what we can keep, and that might probably be what it said, issues of denial and issues of approval may be made with information that is not accurate.

[Dylan (RELX/LexisNexis representative)]: Good. Appreciate that clarification. I do think that if you're wrong, I'll make sure I'm to phone Frank here later testimony from mister Gilley, but I do think when a financial institution chooses to deny loan application, for example, they are obligated to provide information about why that was denied. And I think through the Fair Credit Reporting Act, it's too much able to issue to correct that information. So it's not always easy to understand that your opposite and jump in through hoops. It's it's not gonna be simple. I think we've gotta start to make that an easier process. I'm not sure that this is the right tool to sort of address the challenge against you. Regarding

[Michael Boutin (Member)]: the transparency part of it, you represent LexisNexis, correct?

[Dylan (RELX/LexisNexis representative)]: RELX, LexisNexis, that's right. Okay.

[Michael Boutin (Member)]: It's my understanding that you can request your report from Lexis because I've done that before. I've just asked for my report. They sent me 15,000,000 pages of it. It was like twenty, thirty pages. I'm not going to deny the fact that there was quite a bit. Now is that law that they have to provide that or is that just something that LexisNexis does? And that was a question that came late in the game, and I'm very sorry. I can follow-up. It would be nice to know, but I think it

[Speaker 0]: would probably be too late. I want

[Michael Boutin (Member)]: to be accurate. I'm almost positive. You can request it.

[Emily Carris Duncan (Member)]: We should all do that. A way our pacing of life. The information in these days is faster than we can even write.

[Dylan (RELX/LexisNexis representative)]: One of the other themes of discussion about the subcommittee's conversation with respect to this bill has been the appropriateness of a data level projection. I think some of the concerns have been that providing a data level exemption, for example, for GLBA or TPPA data, would allow entities that are holding GLBA and TPPA data to then turn around and use that data for other more nefarious purposes. I just want to be clear that that is not the way that those general pricing changes work. The example that I used in my previous testimony was when RELX gets more vehicle history data from the Department of the Vehicle for the purpose of underwriting. They're very clear to use that RELX can use that data for. It cannot turn around and use it for some other purpose.

[Herb Olson (Member)]: Thanks, David. Can you go through that last scenario a little bit? Because were you talking about limitations imposed by Grand Leach by any or the FRS? That what you were talking about? No. Well, me focus on the Vermont privacy because it was written in 2018. Remember when. And at that time, whose data brokers were really not a thing. Maybe they have, but not to the extent that I think. And so I'm thinking, you mentioned, well, know, regulated entities won't have tool that they might otherwise have. I think, you know, I'm thinking that's not the right question, in my opinion. The question more is, you know, what information does a regulated entity need to do its work? And and I'm thinking about the projects are mainly directed at those regulated entities and not directed at the data broker it sounds like this rule is intended to cover regulated. I'm just not fully understanding why. Actually, just disagree with the premise that regulated entities won't have the information. I was paraphrasing Representative Priestley's comment yesterday about your box.

[Monique Priestley (Clerk)]: Don't worry, I'm gonna correct my analogy.

[Herb Olson (Member)]: All respect, dude. You know I'm saying? What do you see? My thought is that's not quite the right issue. The issue is how do we make sure that our institutions are able to do the work? And and I'm looking at the exemption six, I think it's pretty broad and allows for the information too. That's in the possession of data brokers to be used by regulated entities when they're using that data broker.

[Dylan (RELX/LexisNexis representative)]: I think there's maybe two parts to your question. Maybe the first part, which I'll take, which is what information do regulated entities like financial institutions need to conduct their business? That would seem to fall under the CFR. Are entities that are regulated by the Vermont Department of Financial Regulation, which rolls out the GLBA obligations. So if the concern is what information entities regulated by Vermont DFR and use. I would maybe look to that side and not this one. Do they lay the Vermont DFR? Essentially suggest that DFR amend that rule. That could be more active. And the follow-up here, I think what I heard you say was that the rules promulgated under DFR that apply to financial institutes, entities or other entities regulated by DFR don't apply to data brokers. And I think I didn't say that we are subject to the obligations under Vermont regulation to the extent that data we are getting from a financial institution that is regulated by DFR. The obligations under GLBA and through DFR flow through

[Herb Olson (Member)]: to us? Well, it's been a while and it's a long regulation, but my recollection and understanding is that it's intended to be a tool to regulate regulated entities. And it's the obligation of the regulated end to part of the law. Are subsidiary obligations on a sort of party that's doing business with the regulated entity, but the primary obligations with the regulated entity. And that makes total sense for an agency that's regulated with companies. But it's not dealing with the data broker itself. And that's why I think we're asking the wrong kind of question when we talk about whether an entity level exemption is covers the field.

[Dylan (RELX/LexisNexis representative)]: So I'm asking for an entity level exemption. What was that? We're not asking for an entity level exemption. Well, okay. You had a question the other day, Representative Olson, about said, this quantity level exemption seems like it's maybe too broad, the use case is too narrow. What's the middle ground? I think our answer to that would be data level exemption. To which? A data level exemption tied to To the privacy. Tied to the federal proxy to step that Or the state. So the way that that works though is that GLBA is obligation The United States to implement the GLBA regulation. That's where the 2018 rule that you're referring to comes into play. That's where the rule or the contract that anyone procuring motor vehicle data from DMV assigns a Vermont contract, not a federal contract. There's sort of parameters of what that looks like, but it's implemented by the states not too similar from how the Clean Air Act or Clean Water Act works, with AMR being readily mandated to the level.

[Herb Olson (Member)]: I'm not gonna I've talked too much already. I haven't heard anything that would suggest that the exemption from deletion that we have in Subdivision 6 is insufficient to make decisions.

[Dylan (RELX/LexisNexis representative)]: Glad you brought that up. What's that? I'm glad you brought that up. We've provided on multiple occasions in writing an explanation for why that is insufficient. I understand the Representative Priestley expressed a concern yesterday that she did not have the opportunity to speak with the chief data privacy officer at my clients. If that is what the committee would require, that comfort with us. I'm happy to make that happen unless it's not been made of me today. Of course. But rest assured, when I submit written testimony, as a representative of RELX, it is being reviewed by those individuals. And so I think I was concerned that some of the comments are yesterday that insinuated that it may be cutting through the noise of government affairs individuals is challenging. Happy to make other individuals available from my mind, but I somewhat disturbed by what I took to be.

[Herb Olson (Member)]: So I want to assure you that I actually did read every page, every paragraph of the individual. And I just left this conclusion that Subdivision 6 should be sufficient to allow that regulated and used to do the work. So whatever you might assume about anything else, I can assure you that, and I suspect other members of this event.

[Dylan (RELX/LexisNexis representative)]: As you would know, represents a lot some two lawyers who have up to two or three. Well, chat two lawyers can have two different opinions. Exactly. This does not provide bar attorneys with the comfort that there's no point to me. I hear a fairly significant level of uncertainty in their form of scrutiny. And I would just, again, draw the committee's attention back to the testimony from the health privacy where they point out the importance of those closing exemption. I appreciate it. And lastly, I just I know there were some concerns expressed that maybe not directed necessarily specifically at RELX, but about the timing of amendments that were proposed. Now I can't don't think that was directed at us, but this has been a good target for for now on draft. So I I get that 7.1. Right? Every time I'm going to feedback, has potential impact on entities that are going to be touched by this regulation, and I think it's to, you know, the ability to provide feedback. And so I apologize if some of that comes in the hours leading up to crossover. But for the record, we did provide the exemption language that we would like to see its bill on January 3 and provided subsequent additional written comments responding to questions from members of this committee over the course of the last ninety days or so. I

[Michael Boutin (Member)]: already know the answer, but I wanted on the record, if you don't mind. So I'm going to be asking for an amendment to the bill, and I would like for your statement on it. But it would be an exception. It would be an entity level that an exception for collected use or disclosed by an entity subject to the Gramm-Leach-Bliley Act and its implementing regulations. We had talked about this, and just for the record, if you don't mind, your thoughts.

[Dylan (RELX/LexisNexis representative)]: Yeah, I appreciate you sharing that on me earlier this afternoon. I did share it with the chief data privacy officer at RELX, and he's out of the office today and sort of not gotten any response back. This is a complicated area of a lot of happening. It's worthy of consideration. I can't come from the record without Right. Discussing month, currently with my client.

[Emily Carris Duncan (Member)]: Questions?

[Chris D’Elia (President, Vermont Bankers Association)]: I guess

[Emily Carris Duncan (Member)]: I'll start with my first question here, which is, any Your clients run into issues with data breaches a political course of business?

[Dylan (RELX/LexisNexis representative)]: My client that you're representing today?

[Emily Carris Duncan (Member)]: Or if you want to speak on behalf of any of the other clients that you But I'm trying understand from the consumer side effect, how exposed it's all of this really critical information that we have. Is also being used to identify who we are, the very large consequential type of things at times. But we also keep within the industry running into these issues of data broker breaches or information being kind of leaked out there. And so I'm just curious if that is something, since you deal with clients that do deal with really large problems at the end, is that something that happens?

[Dylan (RELX/LexisNexis representative)]: First of thank you for the question.

[Speaker 0]: To be

[Dylan (RELX/LexisNexis representative)]: clear, I'm not going get into specific examples of data breach that my client may have had, but I that also challenging to find a company in today's world that has not found some form data breach, including state agencies for them for non state government. We are subject to the reporting requirements. It's kind of breach notification act, and I think we're just subject to the data brokers to breach notification provisions in this code. And for the record, we do not have concerns with those permissions. I understand that your question may be getting up what is the universal data that is out there, but I just want to make sure that you're not opposed to the provisions of Okay,

[Emily Carris Duncan (Member)]: I guess if you could also, while you're talking, see if they can also come forward with all the data news.

[Dylan (RELX/LexisNexis representative)]: I can answer that question again. Okay, That's helpful. That's helpful. Okay.

[Emily Carris Duncan (Member)]: I guess that's it for my comments.

[Herb Olson (Member)]: Thank

[Monique Priestley (Clerk)]: you very much, John. And I had somebody who was watching this, somebody correct my analogy of the tools in the toolbox saying that the more accurate description would be that consumer says the screws can basically say they don't wanna be used by a screwdriver into a piece of wood, and that the banks can still use a screwdriver or they can instead of using the screwdriver on the consumer, they can use an Allen wrench. So it's like so anyways, I guess I misspoke as far as trying to think. We can keep diving into that till the end of the day. But I guess, yeah, I'm just apparently, my analogy is not great. I'm wondering so I guess, like, one, as far as timing on testimony, you I was not referring to you in general. Like, and then and Chris and Jamie and you and others have been great at, like, from the very beginning, providing testimony. I would have agreed like, liked to actually talk to the folks who, like, are operational in the field, trying to sift through this. And I'll be better in the future about specifically requesting that of you, for sure. So thank you for that. I think just a few questions as far as we're still contemplating the exemption language and that kind of stuff. And I was wondering if you might not be able to answer this, and that's fine. But I was wondering if you have insights into the operational, as far as it's my understanding that RELX has LexisNexis under it and all the things. And then there are certain databases that are VICRA certified, like AML insights, that people have to be credentialed in order to Like banks and stuff, they're credentialed to have access to that data. And so that's protected. So that's a whole trough of data that we're saying. That's the example of the database that the banks are using that people shouldn't be able to remove them because it's personally identifiable information, PII, social security and address and name and all those basic identifiers.
But then if you can confirm and maybe you can't, I'm not sure. Then there's a whole host of other databases that RELX and LexisNexis maintain that are not necessarily FICR certified and are not necessarily access spec credentialed. And those are also sold. And so I think that's the space that I don't know if those fall under the exemptions we're talking about. And I don't know if they should. I think that's an outstanding question. How many databases are there? What types of data is in each of those? How are each of those used? Who gets to buy those? And then what's the whole ecosystem of how that works? That's the type of stuff that I've been trying to explore with individuals at different companies that I've been walking through on this. That's the type of conversation I had with the title insurance company with Garrett to say, please walk us through how all of this works so we can try to have a conversation about that, so we can understand the landscape of what we're trying to regulate. I'll stop so you can respond, but I have more questions.

[Dylan (RELX/LexisNexis representative)]: I think that that is a conversation either the CTO or the chief data privacy officer Sure.

[Monique Priestley (Clerk)]: Yeah. I guess another thing that would be helpful to know, and this is a question for the data broker space and your clients, but also thinking about the systems that are like the banks or insurance or whatever is buying. I don't even know the full extent of the entities that are buying this data and which data they're buying. But I'm curious about the process, the quality assurance. I assume the FICRA certified database is one that quality assurance and accuracy and all that kind of stuff is the utmost highest quality because there's entities that are making decisions like loans and mortgages and stuff like that, that they really do need utmost high quality data. Whether it's Relics or any other data broker in this space that's maybe falling outside this regulated space, especially if not being under thicker certification, sorry. I guess a question I have, just an outstanding question, is what kind of quality assurance measures are put on that data? Is that data, like what is the data going in? What is the data going out? How likely is it to result in false positives or denials of things that the people So speaking to Rutland's question about the LexisNexis consumer reports, I've also requested mine, although it never came to me. It was just Even though I put in all my information, I never received it. No, I didn't. I assure you, I assure you. I was trying to get up for my privacy tour, I never received it. And I gave it on my social and everything so it wouldn't get denied, lack of information. So that report is something that consumers can access. 
But I'm also curious, when it comes to a bank having a contractual agreement with Relic Store, I said, insert any other data broker, which I know you can't speak on the whole ecosystem, but as an example of things trying to process, is when a bank or insurance company or whatever has a contractual agreement with that data broker and say somebody is denied and the customer is wants to know, like, why was I declined for this mortgage? Like, my score is perfect and, like, all this stuff. There could be something, like a as far as so, like, It sounds like This is going to lead into another question. It sounds like I could have a charge for a crime, but maybe not an acquittal of a crime. Maybe the database doesn't have that I actually wasn't ever That I was found innocent or whatever. Maybe that was never updated. So there could be things like that went into the decision. I want to know why. So when I go to the bank and I say, hey, you denied me for this. That's not fair. I have nothing on my record. What information went into the automated decision? Maybe the person made a decision? Who's liable for the fact? Do the banks I don't think the person necessarily probably has access. I'm assuming but would like to know, does Relic say, oh, here's all the data that went into that decision? My understanding is that the contractual agreements often don't allow the banks to necessarily have insight to all of the data profile that made a decision on somebody. And that sometimes the results in court cases when somebody says they sue because they were denied, and the bank or insurance company doesn't know why and can't tell the person that. And I'm just like, where does the liability fall? Does it fall with a data broker? Does it fall with the entity that's using their data? That's an outstanding question that I think would help go into this.

[Dylan (RELX/LexisNexis representative)]: I'm going look to Chris and Jamie. Sure. It's the insurance company makes a decision. But I think your question was how would they

[Monique Priestley (Clerk)]: Do they have full transparency into that data if a decision is made? And then, like, if they get a score on somebody, they made a they made a decision based on a score, but what went into the score? And they have insight into what ends to that score that came from the data broker.

[Dylan (RELX/LexisNexis representative)]: So we're acknowledging that institution. And I'm gonna take it. This this is kind of the question that I thought representative Kirk's doctor was asking yesterday. Mhmm. If the concern is that these institutions are making decisions about insurance policies for lending, that are bringing additional information in, that committee legislature at large feels is inappropriate to be included in those decisions, then I think that would be better addressed to looking at regulations of those entities than trying to provide this fraud that you should write with that use case exemption approach.

[Monique Priestley (Clerk)]: So to clarify, you're saying we need to regulate the banks and insurance companies more rather than try to regulate the third parties that are unregulated by, like, that are operating data broker data outside of other regulation?

[Dylan (RELX/LexisNexis representative)]: I'm not suggesting not taking a policy position on Sure. That's what I'm saying. If the concern is that they're utilizing data outside of what you would normally think of, maybe the two month average team might think of this. Probably looking at my credit score to assess whether or I'm a good candidate for a mortgage. If there are other data points that are being used in that process, it would seem to be a simpler tool. Again, I'm not taking the ballistic decision from my partner, that you could look at what is and is not allowed to be used in those types of decisions to protect consumers' privacy and tech.

[Monique Priestley (Clerk)]: Yeah, and I think part of what we're trying to explore is that consumers don't even know what those data points are that are going into that and that there's no real visibility into again, like I said, I understand there's the certified databases that have everything that people would think is being tracked on them. We're talking to certain data brokers. There's things like data sets that I would never imagine are being shared with Vermont institutions, like whether or not you had a legal abortion. Does that really need to be something that is tracked? Does that need to is that ever going into a decision on something a financial decision? I don't like, I guess that's an outstanding question. And should a consumer be able to know that that data is being collected and tracked and sold and then subsequently used in decisions? And if it is, should they be able to have the right to have that information deleted from their files?

[Dylan (RELX/LexisNexis representative)]: That's Still would seem to be a decision. This may just be my number figure. Right? Yeah. Yeah. Yeah. But it seems like that would be something that you have an in state regulatory agency that has broad authority over the types of transactions you're describing. So you'd be a more

[Herb Olson (Member)]: surgical

[Dylan (RELX/LexisNexis representative)]: approach that could lead could eliminate some of those unintended inputs

[Emily Carris Duncan (Member)]: without providing

[Monique Priestley (Clerk)]: But I don't think we actually have. I think it is a gap. And I think the CFPB found that data brokers are, like, the third party unrate. There are data brokers, I understand, that are in the regulated space, that are certified, that are doing all the things that are covered by state and federal exemptions. But there's a whole landscape of data brokers that are not covered and or data that is not covered under those exemptions. And that's the piece that we're trying to hone in on.

[Dylan (RELX/LexisNexis representative)]: If you can accomplish that. Different function. I wonder guess that there are these data workers that are not calling into those organizations or doing things in the marketplace that are viewed to be unsafely. I just think of different questions.

[Monique Priestley (Clerk)]: I don't think I actually think it's the key part of the discussion right now because we're exempting the ones that fall under all the stuff that you just said that is considered safe. And what we're trying to do is regulate the ones that are not.

[Dylan (RELX/LexisNexis representative)]: If you disagree, you're exactly Yeah. Because of the.

[Monique Priestley (Clerk)]: And I guess one more thing going off this. Looking into RELX internationally, I guess this is getting to this is an extension of this, which is that in Europe, with GDPR, RELX and other data broker partners are pushing for the regulation of these, let's just call them, I don't know, Wild West or third party or whatever it is, it's not the certified, like I said, the ones that we're trying to look at, not giving incentives, basically. In Europe, there's a lot of data broker partners, including your client, that are pushing and advocating for those that whole pool to be covered under the same laws that the ones that are certified and stuff are. In the US, in this bill, we don't have anything remotely close to the European privacy protections. And we're saying that, like and we don't have any rights to delete or any privacy protections in the state of Vermont. And the federal government is lax in this area. And so on this bill, the same lobbying efforts that are pushing for regulation of those unregulated parties in Europe are pushing for us to not capture them in this bill. I'm just wondering if you could speak to that. I can provide a website that has all of the company's names on it.

[Emily Carris Duncan (Member)]: It's their lobbying website. Great.

[Dylan (RELX/LexisNexis representative)]: Of burning activities that don't fall under privacy regimes, recognizing that we don't have this privacy bill, whether it's GDPR or, like, 71 arrests for h two zero eight, like, I'm not sure that we're sorry if the impression the committee is getting is that we're arguing that we should not fall under this. I think the exact point is that we are saying that it would be fine to request bigger data that does not fall under does that requires any these any data that does fall under a dose. But if not, I think that's consistent with our position, at least you're taking a nerve, not having to study the dose slide back

[Monique Priestley (Clerk)]: Yeah, I know, for sure. It's not an exact match, but it is an interesting correlation.

[Dylan (RELX/LexisNexis representative)]: Today, come on and say, well, if you're subject to GDPR, you shouldn't the data's not subject to GDPR, then you wouldn't request stipulation. That's just not regulatory environment we're operating today.

[Emily Carris Duncan (Member)]: Your point about the need for omnibus

[Speaker 0]: bill.

[Emily Carris Duncan (Member)]: I think that it's, I hear that, I think, and I agree. I also get a little bit frustrated because our federal partners could be doing this work. I think oftentimes the states get saddled with having to clean up, which, you know, we're states, it's a very different thing, so I just wanted to put that out there. And I guess the other thing I wanted to think about was Monique's question made me think about if I said the nexus is arguing for some of these protections, it sort of actually, from what I was reading through, it sort of seems like the industry is really interested in trying to cleaning up some of your data because it's unreliable. And I was wondering if your clients ever What the cost of liability is for inaccurate data?

[Dylan (RELX/LexisNexis representative)]: I may be misinterpreting what you're saying. I would just say it's a fairly competitive space, and so institutions can choose to use my client or whoever, and if we're not providing products that are reliable, that they can count on, they're going to go to one of our competitors. So there's a natural market inclination to ensure that we are providing services valuable to our clients. And I just want to clarify, I think it's not my role to get involved in federal regulatory affairs, but I think

[Speaker 0]: can do it really at

[Dylan (RELX/LexisNexis representative)]: a personal level. This would be much easier if we had one uniform policy across the United States. Absent that, states have taken action in the consumer on the front, has the opportunity to do that. I think you'll find some interesting conversations that we're having today. I accept the numbing spell, which is sort of what is that appropriate balance in which in and what out. But if it's getting the other things rather than breaking off a specific segment of that is trying to look up for the most.

[Speaker 0]: Other questions?

[Dylan (RELX/LexisNexis representative)]: Thank you. Thank

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: you, Chairman, members of the committee. Jamie Feehan with Primmer again on behalf of the American Property Casualty Insurance Association and State Farm Insurance Company. I think I'm back to kind of invite you back to maybe provide some comments in response to some issues that have been brought up over the last couple of days. It's not my intent to restate my opinion, that's money. And so that's a mischaracterization, that's what I would like to do today. Just again to restate that insurance companies are not data brokers, they do not sell personal information, protected personal information, however insurance companies access information from a variety of sources for processing applications, administering processing equipment for other purposes. I explained sort of several categories of that last time I was in and you know I think it's been said that what's in front of you is a novel approach to how to address potential deletion requests, and so my clients are trying to wade through the what ifs and the gaps as you've all been concerned about as well in terms of what may or may not interfere with an insurer's ability to continue to do the business that it needs to do for its policyholders and I think the example of the title show is also a good example of you know, oh there's a potential gap that we want to address. And the one area that I think I'd like to just spend a couple of minutes on is what may be another gap and that's in terms of claims processing. It all hinges on the definition of a direct customer relationship, right, with this exemption, Representative Olson and Human

[Emily Carris Duncan (Member)]: Rights Act,

[Speaker 0]: and we've been looking at

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: quite a bit to see well does that actually cover combined with the fraud, combined with the legal obligations, combined with other things. And let me pose the example of a third party claim that is brought against an insurance company. I hit you representative, I'm gonna file a claim against your insurance company. Your insurance company doesn't have a direct relationship with me, happens to the insurance company. In order to let an insurance company out of the policy has to investigate the claims for their truth, to adjudicate, to find what the right community is, and then to process that. And so to do that we need the access of accurate information, personal information which could include bodily injury, which could include medical bills, include any loss of wages if we're talking about something like that. And so that's a one know one instance that if there's a multiple vehicle crash, multiple people involved, multiple vehicles involved, we've

[Dylan (RELX/LexisNexis representative)]: got third party instance box up again.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: So I'm not sure if that's comfortably addressed from our perspective. I was further sort of, my goodness, are we misinterpreting this wrongly when in the title insurance exemption, which we certainly support, I think it's a good exemption, but it includes underwriting. I would have thought that underwriting was already addressed under the existing definition of the existing relationship. Has intentionally interacting with the business for the purposes of accessing, purchasing, using, requesting, or obtaining information about the business's products or services. So if accessing or purchasing doesn't include steps taken I see complete the pre change processing and without getting the same exemption for underwriting, federal insurance, etcetera, etcetera, or any other insurance purpose that might be omitted, if we're misinterpreting the intent behind that. What were you reading from? This is the existing language under Delaware. Which section? It's connected. Exemption Page

[Dylan (RELX/LexisNexis representative)]: 34. Yeah.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: Ties back to the definition of direct customer relationship. Oh yeah. And I was reading from the definition of direct customer relationship. So it makes intuitive sense that it would be related to an existing policyholder without an applicant, if I'm wrong, and I do think there's an issue with the third party claims process being able to access information. Other areas are actuarial analysis, risk management analysis, things that information is collected through a variety of sources and potentially be through these data brokers which is why my original testimony they asked for an exemption for insurance companies along with the clinicians that they can spend that to still think that's the right approach to go to not have to play that what if game or what did we miss kind of gap.

[Edye Graning (Vice Chair)]: You said you're not data brokers. So why do you need to make sense to

[Monique Priestley (Clerk)]: inform the data

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: to have our access to that information for policies, administration, term, renewal, when we get that information from data broker,

[Edye Graning (Vice Chair)]: such as So brokers that you do business with who capture the data in ways that may or may not be readily available or fall under any of these protected categories.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: We use data brokers to provide us with, for example, the three year driving use as an underwriting factor in an auto policy maker, we'll use them to provide a credit score to help plug into the model for underwriting it again, we'll use them to access medical data, if it's housed by a data broker, it may not be. That's, it's a fairly limited use, think it's kind of being overstated in terms of what insurance companies get from the data brokers, but it's pretty, pretty, I want to say, it's for those purposes and the requests are for those purposes and nothing more. And I think they're being used, I know they're being used, because for resources, you know, small insurance companies in particular don't have internal resources necessarily to go out and find this information or to develop the systems on their own. Over time, data brokers have built that role.

[Edye Graning (Vice Chair)]: It seems to me that business relationships, contracts, there's going to use the wrong terms, but it's been a rough week for me. But it seems like any valid, upstanding relationships are covered in here, and I would love to know where the language is that isn't covered.

[Dylan (RELX/LexisNexis representative)]: Yeah, want point out one example of

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: hearing processing for third parties. This is exemption that's hinged to a direct customer relationship that the business has. There shouldn't be going on in that relationship with a third party.

[Edye Graning (Vice Chair)]: Okay, I'm not sure I read it the same way, someone else can ask the question.

[Dylan (RELX/LexisNexis representative)]: Yeah, sure, again that's why I

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: was asking about intent, I thought it was the same thing with underwriting authority too, but it's now being restrained off the second follow-up, if the question Recent ambiguity, if underwriting was included, what about claims processing?

[Speaker 0]: Michael, I do.

[Michael Boutin (Member)]: So I already know how you feel about this because you're the one that gave me this information. But just for the record, adding in a clause that is the collected, used, or disclosed by an entity subject to the Gramm-Leach-Bliley Act in implementing regulations.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: We could support that.

[Herb Olson (Member)]: Thank you.

[Michael Boutin (Member)]: I think, again, a reminder,

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: I know that you've probably got the privacy regulation open, Vermont standard is an opt in option, which is already higher than virtually all other states, which again, for the fine means that provide, they do the cementing before the Chinese company there are protective information from our colleagues. Four

[Herb Olson (Member)]: issues. First as to the risk analysis, I mean, I'm reading subdivision six as you're being able to access data book information, personal information in connection with any sort of application, insurance application with the customer or a potential customer. And I don't know, to me, I would read that as encompassing information you needed to do your risk analysis. The other issues, actually. Think

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: it was I raised those in the context of if they're not covered because I thought underwriting was covered, but underwriting is now specifically considered elsewhere, then we should roll on another insurance purposes. Well,

[Herb Olson (Member)]: okay, so that goes to the broad sort of exemption that Representative Boutin was discussing. I mean, me that is far too broad because it encompasses really any information that the data broker may have, whether or not it's necessary for insurance companies business. And I don't think that's the purpose of what we're trying to do. I think we are trying to allow businesses to be able to do this. But I think we're kind of worried about having personal information disclosed. So this is necessary in order to feed folks. Other issue I thought I had was, I mean, I think the other problem I think I have with the Gramm-Leach-Bliley, not as familiar with the federal, but I think the state rule is at least it's got extensive in terms of its reach and depth. My understanding of state law is that the privacy rule is directed at the regulated entities. And when they're trying to enforce the law, they're looking at the regulated end. It's and their enforcement power is really they're forcing power as to a data broker, as third party, for example, is sort of derivative, which is just sort of normal scope of regulatory machine. So that would be another reason why I would kind of worry about that kind of bad exemption. I had four, I don't mention the four now, I forget it.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: Well, I'll forget my response. That's okay. You

[Herb Olson (Member)]: have a legal obligation to investigate claims. Yes. Right? It's under contract. It's probably under law, some other regulation. I don't know why that would be encompassed. Your ability to get information in order to evaluate a third party quick be encompassed within one of those exemptions.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: Well, this is very helpful in terms of me and my clients understanding the intent behind these exemptions. Absolutely. Know, the Gramm-Leach-Bliley I think is important because as you say, it's highly robust and highly regulated, and I think there's extra comfort for folks to have the knowledge that DFR is watching over this. Part of the concern about investigating adjudicating claims on behalf

[Dylan (RELX/LexisNexis representative)]: of our policy, we stand in

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: as a fiduciary for the policyholder. There could be some limitations that you know aren't accessible to the insurance company and so do we run afoul of that fiduciary obligation?

[Herb Olson (Member)]: And I guess the only thing that you said that I point out or maybe disagree with, don't know, would be that the privacy regulations regulate and court violations against regulators and not really designed or do they have the effect of consumer protections with respect to the data broker, information, they

[Dylan (RELX/LexisNexis representative)]: We like different ones.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: Different on that. That's the balance of your bills.

[Herb Olson (Member)]: Yeah. Appreciate your comments. Thanks for your dialogue. Any

[Michael Boutin (Member)]: states have a data privacy delete or extensive to the point where it doesn't cover?

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: I'm not aware of it. This is a novel approach. I'm not aware of any state that is taking this approach.

[Michael Boutin (Member)]: Not the exemption approach, but the fact that it's not accepted.

[Dylan (RELX/LexisNexis representative)]: The only only state I know

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: of that has a delete mechanism is California. And as you've heard, exempts GLBA information. Perhaps there are others who know better about other things.

[Emily Carris Duncan (Member)]: I'll be honest with you. I'm not certainly an expert in GLBA. A little bit of the research that I've done, I'm not with a little bit of concern. I know the after benefit over the years certainly companies that are working on behalf of institutions that it has defined. It also includes things like marketing services. It's not just providing information to be learning across an investigation. I guess I'm just wanting to put on the record that I have some positives and concerns about how wide open that is. And also, just to make a note too, given that it's a 1999 bot and technology has really come into play, we're collecting way more data than just somebody's name and address and social security number, or collecting a

[Dylan (RELX/LexisNexis representative)]: lot of information from these strikes to date. Sure, understood. I would respond by saying two things.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: The first would be I encourage you to look specifically at Vermont's privacy regulation of DFR because it differs considerably from what you may find in these federal resources. The Gramm-Leach-Bliley was

[Dylan (RELX/LexisNexis representative)]: a bank of

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: insurance, know how can one of those laws between the two perhaps be less limited but it comes with restrictions. With respect to insurance, they said states because it states regulated, you take care of this. So Vermont has its regulation which has very very limited marketing, joint marketing, positive tokens, has as I mentioned the opt in, it has been a number of over the years in Vermont, but it has still a testament to timing.

[Chris D’Elia (President, Vermont Bankers Association)]: To several people in the

[Speaker 0]: room about, I guess I'm willing to

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: reveal my name today to everybody and ask it in the committee. I understand that under

[Speaker 0]: the cap, relative of the Fair Credit Reporting Act, financial data, made sense.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: So if for example I'm about to buy a

[Speaker 0]: new car, even after I've put in I can reach out to them.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: Theoretically, I've got the legal minimum, if you will,

[Speaker 0]: but

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: what if after doing that delete I simply get a renewal notice from my auto insurance, to shop around for the insurance that buy. Not necessarily limited. So I mean if I do the needed information that the folks would need in order to make an accurate assessment or is all that kind of information still available? I believe that would still be available as well because the information we have with the date of birth that has to be signed would be unrelated to your loan. We thought it's a sign on the policy

[Monique Priestley (Clerk)]: Jamie. Thanks. There was a lot. I'm just let's see. As far as other states, I mean, think one of the things here is, as far as the approaches and where we're at, is that we were the first state to pass the data broker registry. We still landed a privacy act. Meanwhile, a bunch of other states have privacy acts, they don't have a registry. So only Oregon and Texas and California have the registry. So I know Connecticut's working on registry. Maryland's working on a registry. New York's working on a registry. Massachusetts is working on registry. I don't even know who else is working on a registry. The little the people that I'm, like, talking to every day. Also working on deletion stuff. So, I mean, I think, like, in this space, this is evolving just like any other law, and we're all trying to figure out what is the best. And so we started summer in 2018, and we're trying to figure out what's next. And even California's original bill for the privacy bill was 2018. And so they're also trying to evolve. And so that's just, I feel, the landscape. As far as the insurance entities, when you said the fairly limited data the insurance companies are collecting and using and processing the bankruptcy, this bill is not regulating the banks and the insurance companies in the way that they process data, the way that they use data, the way that they're you know, all of their stuff. It is attempting to try to when the data brokers are in this, like, unregulated space that isn't exempted by Fair Credit Reporting Act and the federal state laws and all that kind of stuff. They were trying to make it so that people can know what's in there and request the deletion from that. And I think there is so much data that is out there on every single one of us, we just don't know. And so we're not trying to tell the and I know this bill does. Tell the banks what they can and insurance companies, in your case, what they can and can't process. 
It's saying that the data that's kinda falls out of this unregulated space, people should be able to request deletion. So I'm hoping that this isn't being conflated, with that. As far as the ambiguity of the new exemption, again, that was getting on the call with them, the lawyer, back and forth as far as the title insurance. I also agree that I thought that it was covered. And going back and forth as far as what data is going into those decisions, how risky it is, how that's being used, the relationship between the customer, all that kind of stuff was hashing out over the course of a couple hours and then in the course of written stuff back and forth all the time. And I would love to do that with your clients. So I think I've offered with everybody, as this goes to the Senate, even I think all of the education that we can do on this stuff in general, this is a space that, like, we have to keep up with every single year because this tech is evolving. So, like, I would love to sit down with your clients and really get into the weeds of, like, what do you do and what data are you using? How is it being used? What how do you think this gets in the way of your stuff? That would be great, like that is ideal.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: I mean, you know, insurance numbers aren't on your data brokers, yet here we are. Fine, yeah yeah. So, but we are pulled in for the reasons I stated, Identifying those gaps is kind of a challenge. Yeah,

[Herb Olson (Member)]: yeah. Just

[Monique Priestley (Clerk)]: one more piece, far as the Gramm-Leach-Bliley, GLBA, generally, understanding is opt out notice framework. As far as the CFPB reports, the Connecticut AG report, as far as based on their original privacy acts they had, where they had an entity level. In Connecticut, were told that that's too much of a loophole based on the federal CFPB report saying that states shouldn't just rely on things like GLBA because there are too many loops and gaps. And like you said, Vermont has tried to fill that in for sure. I totally, totally get that. Like I said, spent a lot of time with that sharks of the opt in and all that stuff. So totally heard. But in general, if we're saying, for instance, this, where it's is it Okay if I

[Dylan (RELX/LexisNexis representative)]: touch it? The

[Monique Priestley (Clerk)]: collected, used, or disclosed by an entity subject to Gramm-Leach-Bliley, that is just massive. That is more than the insurance companies. That is more than just the banks. And it is more than just the data that I would think is regulated by FCRA. But we don't know, right, unless we explore that. So again, happy to go down the weeds, Gramm-Leach-Bliley. But from everything I understand, that is a huge universe of data and players. And they're not all regulated in the same way that banks and insurance companies are. And the data that is sourced is also in this area that is unregulated or outside of the regulations often.

[Chris D’Elia (President, Vermont Bankers Association)]: I appreciate the opportunity

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: get on that. I'll just Yes,

[Monique Priestley (Clerk)]: yes, I'm in the state of Vermont, I get that there is no when it comes specific to banks and insurance companies, I get it, I get it, I get it. There's more players in Gramm-Leach-Bliley space than your clients, though. And I think that's the concern. And we don't even know all of those. And I don't even know if they have lobbies in the building that represent that we have access to to talk to. Yeah. Yeah.

[Chris D’Elia (President, Vermont Bankers Association)]: Good afternoon for the record, Chris D’Elia, president of Vermont Bankers Association. Also for the record, when I left yesterday, it was my intent not to testify today, but I failed to testify just to explain. I'm sure like you, I'm sick of hearing me talk. You know, last night when I got home, I was thinking I should have borrowed my other device, given it to you so that you could adjust it out here.

[Dylan (RELX/LexisNexis representative)]: Okay,

[Monique Priestley (Clerk)]: so

[Chris D’Elia (President, Vermont Bankers Association)]: I was writing down questions on the sidelines. Emily, did you have the question on the data breach, I think there's problem. Yeah. Okay, so just in general terms. If you go to the Secretary,

[Emily Carris Duncan (Member)]: Attorney General's Office actually, yeah.

[Chris D’Elia (President, Vermont Bankers Association)]: Attorney General's office and look at the listening data. And I'll answer the questions from our perspective of how problematic they're terribly problematic because you have entities in the marketplace that are collecting data that don't have security measures in place to protect that data. The quick example is I can go to a Home Depot and sit in the parking lot with technology, and I can over the airwaves pick up the credit card and debit card swipes that are going on, right? So when a breach occurs, why it's problematic for us, but more importantly, our customers, is because there's the compromise of the card, there's the fraud involved, there's the breach process that you have

[Emily Carris Duncan (Member)]: to go

[Chris D’Elia (President, Vermont Bankers Association)]: through for investigation and making the consumer whole on that. So the reason why we've been advocates for privacy regulations in the broader context is because there's so many entities out there, including many small amount of businesses that collect information that don't have any security whatsoever. So that's the data breach piece, just to shed a little bit of light on. From our perspective on data breach, our systems are built and tested and continually updated on our security measures for our systems because I had in a meeting in Barbara seven years ago, they got over a thousand hits in one week to try and break into their system, so we spend a lot of time trying to prevent that from happening. Rep. Boutin, credit report availability, Vermont's bond statute when we did the freeze and unfreeze allows for a person to access free credit report on an annual basis. They're the three credit reporting agencies so you can get three credit reports in a year so that you can look at the 20 pages plus that you've got out there. Representative Olson, DFR regulations in this space that Jamie talked about absolutely flow through the parties that we've contracted with. That's absolutely a given and I confirmed that with Aaron over at DFR just yesterday. There's no question in his mind that if we have a contractual relationship with an entity, that entity is responsible for protecting the information that we are gathering and sending them to help us with our work. Question.

[Herb Olson (Member)]: I was meaning something maybe a little different. I understand that the third party, there needs to be a contract between the regulated entity and the third party. My concern was, I don't quickly, looking through this strategy, the department's gonna go after the regulated entity. And I'm not sure the way that, at least what I'm reading here now, it's been a while, Chris, that someone who The department is gonna look at the regulated entity as someone who might've violated their regulation, even though and not and not just for example, the data broker, even even though there was contractual relationship between the bank or whatever and and the I would wanna explore that further, not only with Aaron, but

[Chris D’Elia (President, Vermont Bankers Association)]: with lawyer for financial institutions to see what legal remedies or obligations there are because I don't believe the data broker gets off scot-free.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: Oh, well, I'd be interested in

[Herb Olson (Member)]: hearing that because, yeah, I had a different not scot-free, but, you know, yeah, I'd be interested in exploring. Yep.

[Chris D’Elia (President, Vermont Bankers Association)]: I'm try and read this quickly. So again, I think Emily yesterday and you also yesterday asked questions about if we use information and deny, for example, the mortgage application, what do you get back for a response? And I just want to make sure I've got mortgage credit bureau report is to be obtained directly by bank from independent consumer reporting agency for mortgage loans and TriMerge credit report, which includes TransUnion, Equifax, Experian will be pulled. On home equity loans, a single report is pulled butchering as you need. On request, the applicant may receive a copy of their mortgage credit report. Any discrepancies in the report as determined by the borrower must be directed to the credit reporting agency. Credit reporting may be no more than one hundred and twenty days old. By reviewing a fair credit report, each credit reporting agency provides a guide to assist in regarding interpreting the report and the underwriting must note the following specific information, significant debt not disclosed on the consumer's application, but which appears on the credit reporting depending on the size and relative importance, etcetera, etcetera. All of that, what I'm saying is we provide information back to you as the applicant that says this is why you were not approved and you have the ability to work with us and directly with those entities including, I had mentioned OFAC yesterday and I apologize for leaving me with the acronym, but Office of Foreign Asset Control and then IP cross checks to, so that if we provide you that information based on the denial and you say, I don't agree with that information, there are remedies with us, through us or directly to cure those deficiencies that we make you aware of. 
So then last night, again, I got some information and I shared it with Chair Marcotte and when I shared it with the Chair, I caveated it by saying that I would look at this over in the Senate and then we had a brief conversation and he said, no, bring it up here. So when I joined you yesterday and I think historically when I've talked about this bill, I apologize, I'm loading the email, hopefully it loads, I had made the assertion that we are not data brokers. That was my belief in understanding when looking at the bill. However, when I got this email last night, the response that I got questioned that assertion. I'm gonna read to you how they got there. So, I'm just gonna read it because I think it'll be great. Our concern is that this latest version of 2.1 would supply a new definition of the concept of a direct relationship for the purposes of defining data brokers. I think this will bring our status under the law into question. For context, the data broker is basically someone who collects, sells, shares data for people they don't have a direct relationship with. Current version of the law defines data brokers and then lists illustrative examples of who is not in a direct relationship with consumers. Those items are now being deleted from two eleven. The slave is drafted to two eleven, we'll delete that list and replace it with a very vague, highly subjective definition of what a direct relationship consists of. This includes the conditions that a consumer must intend to interact with the business, and that a company is still a data broker and does not have a direct relationship with the consumer as to the broker personal information the business sells about the consumer that are collected outside of a first party interaction. So what they're concerned with is companies collecting data about a consumer outside that first party interaction. The consumer intends to initiate, they are arguably a data broker. 
So now they think there's this gray area where you're not exactly a consumer yet, but we've collected some information to perhaps help you determine whether you're gonna wanna be a consumer, and now they feel like they're falling into the possible category of the data broker. So the concerns are the definition would introduce a lot of subjectivity, you're a data broker based on consumer intentions, but how do you measure and record those intentions? This definition would be immensely difficult to administer in practice, how do you design rules around this definition? And for companies that do not make the definition scoping the relevant information for purposes of meeting registration disclosure requirements, etcetera. So I didn't think we were data brokers.

[Edye Graning (Vice Chair)]: You're not.

[Chris D’Elia (President, Vermont Bankers Association)]: I hear you. I'm sharing with you the concerns of the gray area that they have expressed. So that was, again, something I've shared with the chair and with the intent of having further conversations with Senate, not bringing it up at 04:00 today, but there it is.

[Herb Olson (Member)]: I think you might have touched on this a little bit. We did, I think

[Kirk White (Ranking Member)]: we had a time to watch it.

[Herb Olson (Member)]: And I think I shared with you that, so what does the consumer mean? Is the consumer the individual that has signed the application or is it the person that walks in your door and hasn't Well, you haven't had it. The loan hasn't been executed. Right? When the loan's executed, the customer And so it was the pre signing of the loan, I guess. And I think I expressed and I still think that the consumer isn't limited like that. In my mind, you know, it's a consumer. You have a drink. They walk in the door and say, I need a look. Well, at that point, you're good customer. A consumer. You're not a Maybe not a customer yet, you're as a consumer. But we're

[Chris D’Elia (President, Vermont Bankers Association)]: not talking about customers or consumers, we're talking about a direct business relationship. So if I'm sitting on my couch tonight and I wanna shop for a mortgage and I go online and I pick up five mortgage companies and I'm shopping, the question that this raises is, do at that time, do I have a direct business relationship with those five entities or do I have a direct business relationship with the entity that I ultimately go with?

[Herb Olson (Member)]: And they're just expressing concern that that looks like a great I mean, I hear the concern maybe about need for clarification. But in my mind, if you're searching something and you send out something to the bank or, you know, the creditor or whatever, saying, give me a quote or whatever. I mean, at that point, I think it sounds to

[Chris D’Elia (President, Vermont Bankers Association)]: me like you have

[Herb Olson (Member)]: a direct relationship. But if folks think it needs some more clarity.

[Michael Boutin (Member)]: I

[Abbey Duke (Member)]: I just find it interesting that your folks you represent find that vague. Reads, a direct relationship means that a consumer has intentionally interacted with the business for the purpose of accessing, purchasing, using, requesting or obtaining information about the business's products or services. So if I just went online to get information about products or services, we have direct relationship.

[Chris D’Elia (President, Vermont Bankers Association)]: I'm here to share with you what was shared with me last night.

[Dylan (RELX/LexisNexis representative)]: How you choose to interpret it,

[Speaker 0]: obviously you

[Dylan (RELX/LexisNexis representative)]: have to get it.

[Edye Graning (Vice Chair)]: You would have to sell the data. If you're not going to sell the data, it doesn't have to buy.

[Emily Carris Duncan (Member)]: That's all super clear. Why I appreciate

[Edye Graning (Vice Chair)]: the concern. I just get uncomfortable when some of the words or phrases or parts of sentences are left out to create a picture that isn't the intention. We in this state experienced a situation where a very beloved nonprofit was collecting data from people who signed on to their Wi-Fi and then selling that data for profit. That happened here in Vermont. That's not a direct relationship. That's a business collecting information from people who have happened to be and that's what this was designed to cover. So I appreciate it, right? And we're trying so hard to be so clear. And so it's good to have these conversations and to be able to make clear what the intention is and what goals are trying to do, but yeah, it

[Chris D’Elia (President, Vermont Bankers Association)]: will take your intentions back to Please, the memory of Just a few more items here. You guys know this already, but want to be clear once again, we are regulated entities, so we always have people looking over our shoulders when it comes to the Feds, when it comes to the states, so the brief discussion of more regulations for the banking industry should

[Monique Priestley (Clerk)]: have was good a cool down. I

[Chris D’Elia (President, Vermont Bankers Association)]: will also say, I don't think using the example of the abortion history, I would not put that in the context of information that we might be gathering. It's so far fetched.

[Monique Priestley (Clerk)]: Have access to the database, yeah.

[Chris D’Elia (President, Vermont Bankers Association)]: Would we, it's not even in the realm of thinking from our banking industry's perspective. So I would not use this as the example of having access to go pay it on somebody else. It's not, we don't care what that, we shouldn't care nor do we care about that. What we care about is what's your financial background, what's your history of payments, etcetera, what's your history from a criminal perspective, etcetera, those are things we care about. Please don't apply any other examples to us because I don't care about those things. Herb and I had a conversation today, it would be so nice, and this is the difficulty of it would be so nice to figure out what are those legitimate business pieces of data that are important out there for commerce? And then what's all the other crap that's out there that you guys are worried about, but honestly, think you even said it, you're not sure what the complete list of garbage is and target that and stop that from happening and that's, you're not gonna get there obviously at this time, but that to me is another way of coming at, right? We said, if you're collecting social media stuff on me, I should have every right to go out and delete that. But if there's bank account information out there that's important for commerce activities, could you be allowed to delete that? Well, if you do, you're not gonna go very far regarding access to future services. So that's the challenge. And so I guess I'll just leave it

[Herb Olson (Member)]: at that. That was sort of some of

[Chris D’Elia (President, Vermont Bankers Association)]: the questions you had yesterday, some of the questions you had today, and I've already spoken my piece on the rest of the bill. Michael? Yes. Sorry, not to preempt you, but I understand what your question is.

[Edye Graning (Vice Chair)]: We don't wanna make it

[Dylan (RELX/LexisNexis representative)]: say, family's. But

[Chris D’Elia (President, Vermont Bankers Association)]: I will say, Rep. Priestley, I do appreciate your acknowledgement on the opt in, because that is so, that is at, again, such a higher level than where we are in any other state out there aside from perhaps California. And we've lived under that regime since 2001 and it's been updated at least on two, perhaps three occasions. So it is a living, breathing document that DFR, you may have been the architect on it, DFR has obviously looked at over.

[Dylan (RELX/LexisNexis representative)]: Hi. Are we going to close it out again?

[Speaker 0]: Here you are.

[Emily Carris Duncan (Member)]: But I was thinking about the comment that you just made about if you delete a bank account, And I guess, and I understand your point about functionality, but my thing about it, me thinking about it is like, if that bank account was inaccurate? What if that bank account was old? What if it's inactive? That sort of stuff. And I guess this whole bill has me thinking about just the proliferation of old information that exists about anybody and everybody. And that kind of coupled with institutions having to deal with protecting themselves from data breaches, but also the effects of data breaches from other institutions and the amount of energy, money, resource that goes into all of that. And I think really, just wanted to really quick just speak on intention that

[Dylan (RELX/LexisNexis representative)]: this is

[Chris D’Elia (President, Vermont Bankers Association)]: about working to clean up the ecosystem so that the risks are not so high, both for business and for individuals. So two things. One is that discussion needs to be informed about record retention requirements that we have, so there is a certain amount of time that we are required to keep information, which may be old, which you may not even be a customer anymore, but we're required to keep it too. I think I've said on the record, maybe not in this bill, but in broader data privacy discussions, maybe not even this year, that when we talked about the provisions in the data privacy bill of allowing the customer access to the information to verify its accuracy, that absolutely exists today for us. You were to walk into your financial institution and say, I wanna look at the information you have on me, on my account, etcetera, you have every right to do that, you have every right to correct misinformation that's there. Our goal is to make sure it's accurate because we're servicing you as a customer. We are also, accuracy is important because we're uploading information to the credit reporting agencies and we want it to be accurate so you can continue to do what you do from a commerce perspective in the marketplace. So for that direct relationship that we have, you have every right to access that and correct it. I think that's really interesting because for me as

[Emily Carris Duncan (Member)]: a consumer, my first thought would be going to the credit reporting agencies. It wouldn't necessarily be like, go to your bank. Even you also mentioned that this Office of Foreign Assets Control, I have no idea where that credit is.

[Chris D’Elia (President, Vermont Bankers Association)]: Well that's why we are informing you in our documents when, for example, again we talked about the loan piece, if we're denying you the reasons for why and, okay, so what is OFAC, Chris? I never heard of that before, Help me not understand that information that you relied on to make the decision.

[Emily Carris Duncan (Member)]: Yeah, I get that. And this is not a value thing, it's not It's a value banking issue also about on the consumer protection and consumer marketing and awareness of consumer rights. There are so many things that consumers do have rights to, but we don't know that. And we don't know necessarily how to get to them if it's not common information. Right, and I know

[Chris D’Elia (President, Vermont Bankers Association)]: you said it's not about us, but your rights under the privacy regulations have to be disclosed, so you do How big is the front, though? Oh, weird. No, it's not the fine print at the bottom of the TV screen that's up there.

[Monique Priestley (Clerk)]: Is it in 12?

[Dylan (RELX/LexisNexis representative)]: It's in the ledger, so yes.

[Chris D’Elia (President, Vermont Bankers Association)]: And it is required to go to you so that you know when working with a deregulated identity clubhouse

[Dylan (RELX/LexisNexis representative)]: right there.

[Emily Carris Duncan (Member)]: Well, bringing back just my last point about prophesying to Michael too. It's just, I absolutely get that. And we struggle because I don't think we as country have a good system that marries the speed of life with the amount of information that we have, we need, and are technically responsible for it to live a responsible life.

[Chris D’Elia (President, Vermont Bankers Association)]: Well, we'll close on that.

[Dylan (RELX/LexisNexis representative)]: That's a bigger econferencing.

[Chris D’Elia (President, Vermont Bankers Association)]: Could Yeah. You sell some boring assets? What? Good mic drop.

[Monique Priestley (Clerk)]: Yes. Hey, Chris. Yeah, so as far as the thinking or being caught under the definition of data broker, not the intent, I feel like the piece there was the knowing blocks themselves were licensed to third parties, the brokered information of a consumer. So if the banks are selling or licensing data, we didn't think they were. Okay. I will

[Emily Carris Duncan (Member)]: take that back.

[Herb Olson (Member)]: Okay. Perfect. Okay.

[Monique Priestley (Clerk)]: Then as far again, the banks were not trying especially the data you're relying on to thicker certified data and state and federal law I'm just gonna keep saying that. All the protected data, that's not the concern. The garbage sphere of stuff and all of the source data that doesn't fall into those buckets that we're trying to exempt, that is the concern. So your social media stuff, the point of you don't have the right to know what that is in your data broker file, and you don't have the right to ask for it to be deleted. And that's what we are trying to do with this bill. We don't have that at all right now. I guess a question I have is talking to what said was a medium sized bank, as they were saying in order the cost to clean up one stream of data in their case, and like I said, I don't even know if this is relevant for Vermont banks as I'm asking, was they spent half a million dollars a year just to clean up one broker stream of data. And the concern there and the reason they have to spend so much time is because the liability is on them as far as that conversation. So I'm asking, how does this get handled in Vermont banks? How much are Vermont banks spending on cleaning up data that might be coming from sources that are not giving you great stuff. Is that even if guess maybe yeah. I'm not prepared to answer that. That's totally fine. That's totally fine. That's an outstanding question, I guess. And why we're trying to the source so, again, the sources that might that are not the high quality kinda sources that is the concern. And then is the liability on the banks? Or is it on are you able to pass that on directly to the data broker? I'm just wondering how much money are the banks wasting on

[Chris D’Elia (President, Vermont Bankers Association)]: that as well. I'll try and get you answers. On of

[Emily Carris Duncan (Member)]: work, if it produces losses on the balance sheet, are you allowed to write it off?

[Chris D’Elia (President, Vermont Bankers Association)]: I don't know how you can

[Emily Carris Duncan (Member)]: do it. I guess the cleaning up of the worker, the amount of Oh, it's like two, that's

[Chris D’Elia (President, Vermont Bankers Association)]: a business. You're always going on the balance sheet.

[Emily Carris Duncan (Member)]: I just don't know, I don't understand.

[Chris D’Elia (President, Vermont Bankers Association)]: Like I did with the other item, I'll phone a friend to see how those types of expenses are dealt with. Thank you.

[Speaker 0]: Do you have any questions for Kirk?

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: Thank you, sir. Yes, sir. Mr. Chair, I don't wanna miss the time in front

[Dylan (RELX/LexisNexis representative)]: of her, but I do know that I was able to get answers to some of

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: the questions that were asked on the financial side.

[Speaker 0]: I forgot that probably before or after. Let's hear from Carrie.

[Edye Graning (Vice Chair)]: Afternoon. Good afternoon. Carrie Allen from

[Carrie Allen (Association of Rural Credit Unions)]: the Association of Rural Credit Unions. Thank you so much for inviting us to this conversation. As you've heard, I think from everyone today, we are both a state and regulated entity, and we certainly follow GLBA very closely, as well as fair credit reporting policies, and happy to answer any concerns or questions that this committee may have around how credit unions are using data. Although we certainly do not believe that we are a data broker, we do interact with people to gain access to some information that helps us make decisions to prevent fraud, which would be our biggest concern, as well as some underwriting decisions. But for that reason, we certainly aren't selling the data to anyone else. And we're very careful about any data we are collecting, about how it may be integrated into our systems and are very careful about keeping data that we're not sure about out of those systems and also how we're protecting that. As Chris mentioned from the bank side, it is a huge concern. These are customers, our members' information, and it is of the utmost concern that we're protecting the information that we're stewards of. So it is certainly something that we're very cognizant of.

[Michael Boutin (Member)]: I'll ask the question that I've asked everybody else. What's your thoughts regarding this exemption, which would be correct?

[Emily Carris Duncan (Member)]: We would appreciate that exception. Okay, thank you. Just dig in my head, but when you guys are kind of vetting your third party partners, do you have specific security criteria that you look for or particular certifications or things like that so

[Carrie Allen (Association of Rural Credit Unions)]: that you know? Yeah, absolutely. And the regulators of financial institutions certainly want to see that vetting process as well. So yes, absolutely, there's a thorough process for risk management of both the institution and the parties that we're working with. One thing I did hear often today, and I think it's an important acknowledgment from the credit union space, is we recognize that the speed at which technology is advancing is faster than any of us could imagine. And representative Carris Duncan mentioned the speed at which we live and how that is all engaging with each other. And so we recognize that over the course of the next twelve, twenty four, thirty six months, the ways in which we all engage with partners and technology and the data that we as consumers are putting out into the space and consuming will continually change. And so we just acknowledge that this will likely be legislation that needs to continue to evolve.

[Dylan (RELX/LexisNexis representative)]: To answer the question earlier about whether we're obligated to provide the consumer report, we are a consumer reporting agency and so their fund, are obligated to provide that. If you just want to tell me your social security number, I'll get you.

[Monique Priestley (Clerk)]: Don't worry, I try again, and I'm like, I'm just not going say what

[Chris D’Elia (President, Vermont Bankers Association)]: you think. And then the

[Dylan (RELX/LexisNexis representative)]: second question was about what's the other universe of data? Wasn't confirmed that the only data that we pull is GLBA, FCRA, DPPA, I think, socket of data, but it's a very small piece, but they all they fall under the data that's

[Herb Olson (Member)]: on here.

[Speaker 0]: Questions for Dylan? Thank

[Emily Carris Duncan (Member)]: you. So when you guys are vetting your partners, do you look for specific certifications or specific criteria that you're trying to meet.

[Dylan (RELX/LexisNexis representative)]: Yes. And part of that, in addition to the internal requirements that we have, part of that flows through from entities like the State DMV in terms of requirements for the data required from them, both for our internal and any that we, any of that information that is shown to the clients. There's cybersecurity requirements that flow through to them. There's insurance requirements that flow through to them. It's fair.

[Monique Priestley (Clerk)]: Guess, sorry, this is a new question. I'm curious, RELX and LexisNexis are selling these data sets and maintaining quality and that kind of stuff. And a concern and what we don't have access to right now is, as far as testimony goes, is competitors or additional entities that are also selling their data sets. And I'm actually just curious, does LexisNexis or RELX have thoughts on the other players in this universe of space that could be muddying data that LexisNexis ends up sourcing or that banks are choosing Regulated entities could be choosing as a source in addition and or just all of these other data brokers too that are used, let's say not in the regulated financial insurance. And we haven't even been talking about advertising data and that kind of stuff. But all of this data is flowing between all of these entities at all times. I'm curious, does LexisNexis, it sounded like from the potential European push that they do have a concern over that space. I'm just curious, do you have thoughts about these more unregulated entities that are in competitors' Selects and Access and their data?

[Dylan (RELX/LexisNexis representative)]: I guess the only thing I'd offer at this point is just a comment that and this dates back to twenty seventeen, 'eighteen, when workday broker really popped up for the first time. Some of the horror stories that this folks sitting on this table heard were data brokers that were selling lists of Alzheimer's patients and others. That's not our business model,

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: so

[Dylan (RELX/LexisNexis representative)]: the characterization of selling lists, I don't think necessarily fits with how we handle our data and how it's utilized for the products and services. For example, the identity verification example that I've given before about checking what address you were going with 17 years old, you were not selling this so bad for us to the financial institutions as a product itself internally, and it sits in between the consumer when you walk by logging the financial institution of your insurance company to verify your identity. That is different than selling a list of the addresses the tables. It's important when we talk about terminology, they're precise. So that's all I would say on that front. I would just come back to, I think if the intent is to regulate those bad actors, you can achieve that with the K-eleven exemptions of the plastics and you're going pay out a lot of those bad actors.

[Edye Graning (Vice Chair)]: It's late on a Friday, might as well ask the question we probably should have asked early on. Can I reach out to your client and look at the information that's held on me to make sure that it's accurate?

[Dylan (RELX/LexisNexis representative)]: As a credit reporting agency, absolutely.

[Edye Graning (Vice Chair)]: As an individual whose data is held by your client. LexisNexis is

[Dylan (RELX/LexisNexis representative)]: a credit reporting agency, just as you can with TransUnion or Equifax, you can ask for that information for obligated under our SCR-eighty five.

[Edye Graning (Vice Chair)]: And that's the only company that you're representing to? Yes, it's

[Dylan (RELX/LexisNexis representative)]: not just a true date of birth, but it's registered in the state of the law.

[Edye Graning (Vice Chair)]: Okay, so as the credit reporting agency, or that arm of the business is obligated to share information. Are there other arms of the business that aren't obligated to share information?

[Dylan (RELX/LexisNexis representative)]: I mean, you go on the Vermont Legislature website and you go look up statutes, could go but a product that Texas has that attorneys would use to search case law history, mean, that's not data that's, I think, really the subject of this conversation, but I'm not sure what you would request with respect to, like, language for that branch.

[Jonathan Cooper (Member)]: It's kind

[Michael Boutin (Member)]: of productive to where I've been trying to go. But let me follow-up on the questions you're trying to ask. Oh, man. There's conversation of what information can she ask for and legitimately get. LexisNexis will collect data that falls under the credit reporting, whatever. But does LexisNexis also hold data that is not covered underneath that? And if it does pull it, is that information available to Edye, if she wants it?

[Edye Graning (Vice Chair)]: To review to make sure it's accurate.

[Michael Boutin (Member)]: Is that what you were looking for?

[Edye Graning (Vice Chair)]: That's what I was

[Michael Boutin (Member)]: Counterproductive to where I was trying to get to get us to go, but

[Edye Graning (Vice Chair)]: a handout.

[Dylan (RELX/LexisNexis representative)]: I'm in a service. I wanna make sure that the answer is yes. Follow-up. That'd be great. And I just got another answer coming real time here. The question about whether we're providing information about cases that haven't been forward adjudicated, we only provide information from the history of why cities are adjudicated, so we're not providing charge.

[Monique Priestley (Clerk)]: As LexisNexis's lobbyist, can you help me get my credit report since it's not working to get it through the form? Thanks. Awesome.

[Michael Boutin (Member)]: Useful for all of us if you want to.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: Well, don't think I can zip my strip

[Edye Graning (Vice Chair)]: right now. No, you can't.

[Kirk White (Ranking Member)]: Thanks.

[Emily Carris Duncan (Member)]: Just like to point out that I'm hoping on Friday night there are so many credit reporting agencies that we're so used to the top three. I had no idea. I knew LexisNexis as a a legal search engine, not a credit reporting agency. So I think the point I'm making is that, again, it's not speed of light versus the host that is actual reality. I'm looking at a list of 50 or more. Feel people aren't going to

[Speaker 0]: have a particular act in each one

[Emily Carris Duncan (Member)]: of these kind of reporting vacancies and beyond all the information they have. I'm not sure

[Dylan (RELX/LexisNexis representative)]: I disagree, but I would say what is being proposed in the snow is in a different meeting period. We're not offering a I don't think what's being contemplated here is just that we'll take some action on the behalf of the firm owners that are interested in this, and the question is, just give the ability to speak? Yeah. Yes. But I don't think it's gonna change how many credit reporting agencies there are or

[Chris D’Elia (President, Vermont Bankers Association)]: Oh, that's true. Wasn't the point

[Emily Carris Duncan (Member)]: I was taking at all. The point I'm making is actually the opposite. There's so many of that. It's a lot of work for good normal working union game to have to go around to credit reporting agencies that they didn't know existed.

[Herb Olson (Member)]: Questions for Dylan? So

[Speaker 0]: there's different arms of LexisNexis or RELX. Some are under GLBA or there are other HIPAA and other. And then there's other arms that aren't under those. Could put under this, I could put a request in under the other arms to delete my information. It should have my information so you can deal with financial institutions, insurance companies, whoever else is using your companies, your clients.

[Dylan (RELX/LexisNexis representative)]: Are recognizing about the language on the table today or the language under our proposal?

[Speaker 0]: Well, on the what's there today? So what is in the bill right now? I think our concern remains that it is not as clear as we would like

[Dylan (RELX/LexisNexis representative)]: it to be, that we are not obligated to delete the data covered by the FDA, FDA, FDA. If you were to insert the exemption valuation, we would not be we would be able to ascertain that as we are in California. And we do not share GLBA, SCRA, or data with other So they are only being held under those federal regulations and in accordance with the rules and regulations as well from CFR, BNB, and ever.

[Speaker 0]: So you're saying that I think maybe we need to understand that if we give a data level exemption that I think we wanna make sure that you're not using that for all arms and your that it's only for the covered entities. And that the other you can't use that exemption that covers your whole company. I think that's what I think someone would

[Dylan (RELX/LexisNexis representative)]: You would cover the data that's covered by this. Right. And we're not asking for it. Right. There's a piece of information there, it's GLBA data, whether it's here, here, or here, it's going to be covered.

[Speaker 0]: Right. But if you have other information you've collected from me that if I'm using the search engine for and I ask you to delete, then that would be the only information that would get deleted.

[Dylan (RELX/LexisNexis representative)]: Yeah. It would delete all the information that's safe to cover under those. I

[Speaker 0]: I think that's really what we're trying to get at. But are we getting at that with this?

[Monique Priestley (Clerk)]: So just to add on what you're saying, why we're doing the use cases, the use of the data is also important. So if you're if it's being used for, like, say, that Sprinker certified AML insight database, like, is you need credentialed access to get into it. You're not using it for anything else. It's not being used by LexisNexis for advertising or that kind of stuff. It's not whatever. I guess the concern is if you a company just not even say it's LexisNexis, just anybody a broker that has this information, they might have data that is covered in different data sets by certain regimes. And they're only using it for very specific use cases. But they have that same data that could be being used, even if it falls under that same regime, it's used for other purposes like advertising. When it falls out of being used for fraud prevention and identity verification and is then used for things like marketing and targeted advertising, People should be able to say, I don't want my data used in that way by the sensitive.

[Dylan (RELX/LexisNexis representative)]: Guess that's I'd say, as Jamie pointed out earlier, that's why looking at government privacy rules and the GLBA obligations that's left through both in terms

[Monique Priestley (Clerk)]: of the opt in versus opt out. That's just for banking and insurance, though, and those other DFR regulated things. We're saying there's a whole universe of other entities that are using data and those other data sets.

[Dylan (RELX/LexisNexis representative)]: It's for the data that we're getting from those entities because the automation flows through from those entities.

[Monique Priestley (Clerk)]: And I guess, like, wanted to I know the question is to you in this moment as far as representing RELX and LexisNexis, but I also wanna, like, keep in mind that we again, we're not hearing from other third parties about their practices, which you cannot speak to. That is an open ended question.

[Dylan (RELX/LexisNexis representative)]: So that's not an issue

[Carrie Allen (Association of Rural Credit Unions)]: that you

[Monique Priestley (Clerk)]: No, I'm not saying you sell it. I'm saying, do you use it for advertising purposes?

[Dylan (RELX/LexisNexis representative)]: Or license it for advertising.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: Any questions for Dylan?

[Speaker 0]: Like

[Michael Boutin (Member)]: I said, it's a huge symptom. So my thoughts have been very clear of where I stand. I think that we should approve the bill with the language that three out of the four of our partners here, because they're business, they represent businesses that operate in the state of Vermont. Didn't get all of them, but three out of four is pretty good. And I think that we should go with the language that was provided and move this on to the senate. And they can take additional testimony if they need be. But I think that if we're looking to pass a bill that will likely make it through the Senate and onto the governor's desk, I think having the exceptions for the business community is the best rep to go.

[Edye Graning (Vice Chair)]: Can you read that language, Peter?

[Michael Boutin (Member)]: I sure can. So this would actually go exemption eight, I believe.

[Chris D’Elia (President, Vermont Bankers Association)]: On the change? Says

[Michael Boutin (Member)]: seven, but I feel like it should be its own exemption. But I will leave that in the capable hands of our attorney.

[Edye Graning (Vice Chair)]: Page 37? Yeah.

[Speaker 0]: I'll take your word for it. It's a highlighted line with

[Michael Boutin (Member)]: the Oh, yeah. That's right. And it's collected, used, or disclosed by an entity subject to the Gramm-Leach-Bliley Act, and its implementing regulations.

[Emily Carris Duncan (Member)]: That would replace the high level.

[Michael Boutin (Member)]: I don't think it would replace the high level. It would just be either additional. I think it probably belongs in its own subsection. Or not subsection, its own

[Dylan (RELX/LexisNexis representative)]: B, pretty eyes. Thank you. It's been a long way.

[Speaker 0]: Probably longer for you, but I'm away. At the end.

[Kirk White (Ranking Member)]: So at the end of this, I think.

[Herb Olson (Member)]: I'm waiting for a second, I guess.

[Michael Boutin (Member)]: Do you want me to make a motion? Well, do

[Herb Olson (Member)]: you need a second?

[Speaker 0]: Do you want to discuss it first or

[Emily Carris Duncan (Member)]: Oh, I

[Speaker 0]: Maybe we can or you can make a motion. I'll I'll say language.

[Herb Olson (Member)]: I can can say what I sort of said before that I thought I think that I mean, I understand why folks would like that. I think it's to drive. I think it covers those those federal and state regulations and statutes were directed at regulated entities. I don't think they really intent they they don't really do a great job both in in scope or who who can be held accountable Beyond that, basically the date of birth. So, to carve out that kind of information and that allowing the deletion of data broker information for those purposes, I think is too broad and inconsistent

[Speaker 0]: with the overall purpose of the legislation.

[Herb Olson (Member)]: Schweitzer.

[Rick (Office of Legislative Counsel)]: What's the other question?

[Speaker 0]: Well, does that adding that language broaden the scope?

[Rick (Office of Legislative Counsel)]: If you add in basically an entity level, that's what the language is. I think it's we would maybe board it to match California's or entity level exemption, that'd be my suggestion, but if you want a specific language you can. But I think this amounts to what would be an entity level exemption. So any financial institution that as defined by a grander's broadly, which is pretty broad, I can't tell you how many entities are financial institutions under that act. I'm not a GLBA expert, but it's a lot. It's you know, it's

[Dylan (RELX/LexisNexis representative)]: not just banks, it's not Cool. I

[Rick (Office of Legislative Counsel)]: mean, so yeah, they're, it's not an exhaustive list, It's as every, it's like use cases, like if you, if you do work that equals this definition, federal definition, and so my answer is that it would expand scope. It's a choice. It's a choice you can make, and that's really it. You're not going to destroy the bill if you include that exemption. There will still be data brokers that aren't covered by GLBA, but you've heard several witnesses say that they're seeking that so they would not have to delete consumer data because in their opinion, it affected

[Dylan (RELX/LexisNexis representative)]: business uses.

[Emily Carris Duncan (Member)]: So So for the whole kind of

[Kirk White (Ranking Member)]: discussion of this bill, my concern has always been that this novel approach of using use cases has not been tried. No, has not been done. Vermont would potentially be the first state to do that. I don't question that it possibly is a good idea. And I also have listened carefully to the testimony over weeks about the need. But I do have concerns that we're a tiny state in a big sea of people potentially trying a new regime. Michael's idea to add this, Rutland's idea to add this, be a way to broaden it a bit and get a little more comfort from the business community. I like that idea. All along today, plan has been to support this bill with significant reservations and really wanting the Senate to spend a lot of time thinking about what are the unintended consequences of this use case direction. So I think it sounds like a good idea to include that GLBA exemption. But I also understand your concerns.

[Speaker 0]: Tony, you haven't spoken yet. Go ahead, Tony.

[Anthony “Tony” Micklus (Member)]: Hi, all. I think oh, I went purple. Don't know about that. Anyway That's happens

[Emily Carris Duncan (Member)]: when they come back from

[Speaker 0]: the board.

[Dylan (RELX/LexisNexis representative)]: We haven't driven a shift on.

[Anthony “Tony” Micklus (Member)]: I'm I'm okay now. My color's coming back. You know, I I've been looking at this in in a couple of different ways. I mean, you know, what are the ramifications of of doing, you know, overregulating? And, you know, what what I see here is there's a real potential of a complete disruption of of commerce, of the way we do business day to day. Now let's go to the other extreme where we do nothing, and, really, we're just dealing with what we've always been dealing for the past twenty years or however many years. To me, I would rather take baby steps because I would be I am far more concerned about disrupting commerce than I am about, you know, people finding out that I love peanut butter ice cream and up marketing that to me. I And realized that it gets a little more serious than that. But I really like rep Boutin's amendment. I think it really hits exactly where we need to be. Is it gonna eliminate everything? No. But I'm pretty sure that if people are under this GLBA act, they're probably not selling data about whether I've had an abortion. They're probably not selling data that says that I'm Alzheimer's. So I'm more concerned. I'm not, I don't think, I think it's gonna do some of what we did. My apologies for for that. But I I think it's gonna do some some of it. It's gonna get us partway there. It's gonna get the worst. It's gonna get the dirtiest of the garbage out while still protecting commerce and giving us the ability to continue to go and and maybe tweak this in another, you know, in 2027 or whatever.

[Monique Priestley (Clerk)]: Just a question. I'm curious if, so the exemption is really broad in collecting using data under GLBA entity level in essence. I'm curious if everyone feels the same way if in addition to the banks and insurance companies, they understand that GLBA covers payday loan payday lenders, people who buy entities that buy people's debt in order to go for debt collection, auto dealers, tax preparers, and fintechs. I'm just curious if that changes anything, especially given all of the historic payday lending conversations we've had, the coerced debt conversation where we really spent a lot of time trying to craft legislation that really tried to protect Vermont consumers around their debt issues and predatory debt situations, in the past predatory lending situations, and trying to strike that balance of consumer protection with businesses, again, when we have exemptions that are trying to cover the state federal laws. Right. Yeah.

[Michael Boutin (Member)]: I get what you're saying. We're not a big fan of payday loans. We've had this conversation. I also understand that that's a choice that somebody makes.

[Chris D’Elia (President, Vermont Bankers Association)]: But

[Michael Boutin (Member)]: to use them as the reason to potentially impact the good entities, that to me, doesn't negate the impact to our financial entities that are good. So, yeah, it may, for lack of a better term, protect them. And I think a lot of that has to do with skip tracing. My guess is that they might use it, data brokers for skip tracing. For folks that don't know what skip tracing is, it's where they try to find a debtor that has stopped their loan and nobody can find And they use ways to to find individuals. But I I think that even though and and I appreciate knowing that it covers those entities. I still think that, you know, keeping the ecosphere for the good entities is really important.

[Monique Priestley (Clerk)]: Can you clarify what the impact to the financial institutions that you're saying is going to happen?

[Michael Boutin (Member)]: So, I think you've asked this multiple times, have you?

[Monique Priestley (Clerk)]: I mean, this is a big change. So yeah, I'm asking you to testify. Right.

[Michael Boutin (Member)]: So we've had multiple testimony indicating that the bill could have a negative impact on our financial entities and how they do business. And the fact is that these entities, are regulated, highly regulated, are very much involved in the usage of this data. And you may not like that or an individual may not like that. There's a lot of things that I don't like that happen nowadays, but it's unfortunate that we can't just magically make things go away. And I just think that we need to make sure that we are not negatively impacting you know, good players in the market.

[Herb Olson (Member)]: So I get what you're concerned is in terms of not wanting to negatively impact these businesses that we need to live and do business and everything. What I've tried to express is I just can't get my head around why Subdivision 6 isn't sufficient to allow banks and insurance companies to get the information they need in order to process an application. Whether it's background, it's credit related, maybe not the credit report itself, that's covered somewhere else.

[Edye Graning (Vice Chair)]: That's number one.

[Herb Olson (Member)]: Yeah, that's number one. But six, in my mind, really pretty broad. It doesn't even I could see someone trying to draft that. Might be a little narrower to to emphasize the data that a bank or an insurance company actually needs that's necessary to process the application, but it doesn't do that. It just says when a consumer is coming into the bank, it's coming into an insurance company, I want a loan, I want a policy. That information, the data, it's all within the context of data deletion exemption. And that information isn't gonna be deleted, it's gonna be available to those companies to do what they need to do. And then I contrast that with the way I'm reading your amendment, which I think drives it a lot more. And then it becomes, yeah, we do regulate insurance companies, we regulate banks, but we're not regulating the data brokers on these issues. And so I would much prefer what I think is a pretty broad exempt exemption already in in subdivision six rather than going with something either broader that doesn't really get at the concerns we have about debt brokers. So I I get it. I don't I don't want people not be able to get loans and insurance policies and whatever. I I just think that six is sufficient to is more than sufficient to do that.

[Michael Boutin (Member)]: Think there's there's way more things that go along behind the scenes of financial institutions that involve the data brokers than just underwriting for loans.

[Herb Olson (Member)]: Yeah. I didn't mean to limit it just to loans. Right.

[Monique Priestley (Clerk)]: Any

[Herb Olson (Member)]: services that the financial institution has with the customer is gonna be subject to that exemption. The existing exemption without driving it too far and not directed at the right edit. The privacy banks and stuff, they're directed at institutions, financial institutions, insurance companies, that's good, that's great. It's not directed at data banks. But Windsor?

[Emily Carris Duncan (Member)]: Do you guys wanna share

[Edye Graning (Vice Chair)]: perspective on this, if that's okay? It's a 43 page bill. There are a number of pages that are strikeouts, right? So let's say it's a 40 page bill. The whole page is carve outs for what cannot be deleted. Whole page already, right? So we can look at this and say, if we don't make sure that this specific language is in there, then we're going to make a huge problem. But we would then be ignoring what Herb is pointing out, right? If you look at all the different romanettes, there are so many very clear, specific instances where we've looked at what happens in business and said, yeah, that has to keep happening. You can't delete that information. We're talking about information that can be deleted. So, and I appreciate that perspective so much, and I appreciate all of the people who came to us and said, this is a case in business that we need to make sure keeps happening or it's going to cause problems. And that language was worked into this, which is why there's a whole page of these specific instances that we will not allow people to delete information. And so I hear that there are nerves around doing things differently, but I also think that this finds that balance of we want to make sure that the good actors can do their work, and the bad actors can't. And that's the time and the care that was put into all of these different exemptions, is that the right word, in this section? So, yeah, I can't support that language understanding, right? I mean, this is something I've been biting on my tongue all day. Gramm-Leach-Bliley was put in place because these businesses were taking advantage of consumers. So now they're covered under this. And that's what laws do. Laws try to find that balance in how do we keep business working well and protect consumers. And that's what we're really That is 100% the focus of this.

[Emily Carris Duncan (Member)]: Get it. Branding I money was a huge fight,

[Edye Graning (Vice Chair)]: but it happened at a time where consumers had just been you know, our whole market crash.

[Monique Priestley (Clerk)]: Get that. No,

[Michael Boutin (Member)]: we definitely don't want a market crash. And I get that. I understand that there's a desire to go beyond I'm trying to accomplish. I get that. I like what Tony said, which is taking a baby step and a step that aligns with California, which we've talked a lot about.

[Herb Olson (Member)]: I

[Michael Boutin (Member)]: I I've guess worked in the financial industry for twenty years. We've got four people that have testified that have worked in the financial industry, and I'm sure far longer than twenty years. And the only one that does not agree is the one that wants to make it even more broad. That's no offense to

[Dylan (RELX/LexisNexis representative)]: to

[Michael Boutin (Member)]: So it just So I mean, to me, it's a way to protect our financial industry. And we did that with the core step. Right? We we want to protect our our financial industry. And I I think that we need to do that with the data privacy bill. And I also think that if we want it to pass, I think I get a lot of conversations about bills that we put here. It's like conversations about having the arguments over in the Senate or setting ourselves up for whatever it is where we Thank you. Me, fundamentally, don't like that motion and I'm not saying that's what's happening here for the record. I want to pass a bill out of here that I feel comfortable with knowing that I'm not hurting the financial institutions that work so hard to benefit us as Vermonters and us as Americans. And

[Emily Carris Duncan (Member)]: that's just my thought. We all have disagreements, but we all still love each other. I just want to say I do appreciate everybody's work on this. It has been quite a doozy, I think we are trying to clean up a mess that is much bigger than ours. But the thing I've been really stuck on is what constitutes a financial institution under the Gramm-Leach-Bliley. And it's really broad. It's very, very broad. It

[Dylan (RELX/LexisNexis representative)]: says here

[Emily Carris Duncan (Member)]: that a career counselor that specializes in providing counseling services for individuals currently employed or recently displaced by a financial organization. So that's just because they deal with counseling people in the financial industry, they are also under this financial institution. And a career counselor is not necessarily the same as a credit counselor. I don't know what kind of certifications they have to keep records or to blah blah blah, whatever. I have no idea. There are other Let's see what else. Real estate, certainly in various capacities, a company that prints themselves checks. I am concerned about the blindness of it because it's not just the financial industry

[Dylan (RELX/LexisNexis representative)]: that

[Emily Carris Duncan (Member)]: we know and trust, that we have in our personal, can, with this, it of balloons out a little bit.

[Michael Boutin (Member)]: Can I make a comment about the check part? And I'm not positive, and somebody could try to correct me. For a company that issues checks, who may not be the one that's taking the order, That company may do a check with a third party data broker that has your checking account information. That's the kind of ecosphere that we're talking about. I totally understand.

[Emily Carris Duncan (Member)]: Understand. I do. I understand the knock on the text. I understand that banks and institutions have to use some of these folks to get this information. But again, I keep coming back to With this particular definition, I guess, what am trying to say? Financials, the banks that we know, it has been testified that they work with folks, that they can vet, and they work with folks. But we also have this scheme of people that would be with them. I'm not vetted. I don't have to carry specific security patches or whatever. So I just I just

[Speaker 0]: And Chris can help you.

[Chris D’Elia (President, Vermont Bankers Association)]: In the broader policy, the sense of who now are based on financial activities has defined federal definitions which are very specific to banking. This is a pedophile. No, no, It's related to what banks are able to do, not what the private environment is able to do as you're pulling up this list today. So I hear the concerns about payday brokers, I hear the concern, because we know I've

[Dylan (RELX/LexisNexis representative)]: been involved in being able to vote because they're concerned.

[Chris D’Elia (President, Vermont Bankers Association)]: Debt collectors, had that lengthy discussion with regard to court's debt. Maybe there's a way to parse those negative people out and still address what Rep. Boutin is proposing to do away with the concerns of the list that you have while still not implicating the good actors. Just the thought and. Appreciate that thought. Yeah.

[Speaker 0]: Tony?

[Herb Olson (Member)]: Hey.

[Anthony “Tony” Micklus (Member)]: I I just wanna point out that the the the fin what is it? The the FB I lost it here. The the financial regulation bill that we're talking about adding in here, it's a 145 page bill was written in 1999. Unless, and I understand and appreciate what everyone is saying, but unless someone can tell me they've gone through that 145 page document, looked through it and said, Yeah, we looked through it and we think that these exceptions on line six are going to be enough and it's not going to disrupt commerce. I can't support this.

[Edye Graning (Vice Chair)]: I

[Emily Carris Duncan (Member)]: said you had.

[Herb Olson (Member)]: It's like, can you say that again? Because I I think it gets to the heart of what I've been trying to talk about, Tony, which is that I thought that that Subdivision 6 encompassed data brokers to the extent that they're being used as processor for the banks and credit unions and insurance companies. You Is this something?

[Anthony “Tony” Micklus (Member)]: I don't know. I don't know if that covers it. And when we when and and listening to Chris's testimony, there are things that that doesn't cover, and that's my concern.

[Herb Olson (Member)]: Yeah. And and, there might be some things, think Tony, that could be clarified, and I would hope that people would continue to work on that. I specifically hope that people would think about what is the information that's really needed by insurance companies and financial institutions to do their job. I think that would be a very productive conversation to have going forward, Tom. But here it is crossover. And I'm, you know, we're doing the best we can. I I'm convinced that six is is sufficient. I I don't know. I haven't read the 188 pages. But I have read the the Vermont privacy reg. And I'm I'm not comfortable myself that the Vermont privacy reg, even though I think it's more protective than than the federal rule of attorney, I'm not convinced that that does a trick in terms of data brokers and trying to give consumers the opportunity to have some control over that.

[Emily Carris Duncan (Member)]: Yeah.

[Anthony “Tony” Micklus (Member)]: So I I I think, you

[Herb Olson (Member)]: know, I I still appreciate where you're coming from and the baby steps and all that. I just like to take that yard step, I guess.

[Anthony “Tony” Micklus (Member)]: So so my response to that is, I I agree with you. I really do hope that we tweak in all this stuff. But are we gonna do that at the risk of disrupting commerce? Let's look at what happened in the house session today. What happened with the whole PFAs? Do we wanna create a similar situation here? Because I'm afraid if we over regulate, that's what's gonna happen.

[Speaker 0]: Last, think we've taken a lot of testimony. I want to remind everybody that this bill could move it today, but it has other places it has to go, which means that we have time. I think Chris brings up an interesting thought, do we is it possible to carve it down and tighten it up so that we're only after the bad actors, if we're talking about, say, the yonder's and others that are in that list, maybe a way of doing that. I don't know. But I think there's time to explore that, if people want to explore that, that we can always bring an amendment to the bill when it comes to the floor. So, I mean, don't think that this is over out of the house yet. It's time to do other things.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: I was gonna suggest, can we advance it with the GLBA amendment as proposed? Like, work to find that by restricting it to specific things covered under the GL specific entities covered under the GLBA.

[Speaker 0]: We can do anything we want as long as you got a I guess

[Monique Priestley (Clerk)]: I do want to talk about that. I guess when Chris said as far as the payday lenders not being here specifically of regular I wasn't here, what we heard when we did the Earned Wage Access was that was legislation to prohibit them basically being able to exist here. I think that brings up a really good point in that the majority So this is regulating data brokers, not the financial institutions and the insurance companies. And even the payday lenders in all of this. It is regulating the data that is sourced by those entities, so like the payday lenders. And the majority of the data brokers that were in the whole sphere of data brokers aren't even in Vermont, but they're impacting Vermont consumers. Vermont consumers often do not have insight into what those data brokers are, what information they have, whether or not that information is accurate. And if they request to be deleted, I have an automatic service that puts in 300 deletion requests. It's only been able to do 80 of them. Because I just keep getting, you don't have the right in Vermont to be deleted from a source. You don't have the right in Vermont to be deleted from a source. And so I think, again, I guess another question to Tony's piece is we're not trying to severely disrupt and stop the economic activity of the banks and the insurance companies and that kind of thing. And I think from testimony, heard that the banks and insurance companies and all insert every company that relies on Databroker data. I don't mean to keep singling you out because you're the ones representing customer experience. There's a whole sphere of other entities that are relying and buying this data broker data and licensing it. And now I lost my train of thought. 
Hold So what we heard from people who are testifying is that we're trying to carve out, as you keep saying here, the information that doesn't interrupt those transactions to the entities that are regulated and the data going to them is regulated and falling in this regulated space. And in the cases where this is falling under things like verification for approvals of mortgages or approvals of loans or insert other use cases we're trying to account for, there are other sources. And I sent everybody the six different pillars of categories verification data that is out there. And the data broker space is this one tiny little pillar of all of that. And so when that basically, we're trying to get to the space that is the unregulated space. And from all of these data brokers, the 8,600 of them or whatever that is the most I don't even know what the most recent count is. That was two years ago or whatever when we did it. This space that is sourcing lots of other companies beyond the financial institutions and insurance companies, again, and stuff that we're trying to make sure that we're saving space for. And there's lots of other verification methods and players in this space. And so to open up this massive with collect and this exemption opens up in a way that the Consumer Financial Protection Bureau has said don't open up the GLBA exemptions in your privacy laws. From the 2024 report. So I'm just like, why are we I'm just continuing. It's just interesting that we keep spinning on trying to make when this financial expert federal entity is telling us in general to states, don't keep as Edye said, don't keep relying on this. We keep hearing this over and over in the privacy space that HIPAA, FERPA, all of these, they have loopholes. They have gaps. They have gray areas that need to be adapted to the way that our current technological use cases and ecosystems interact and the players in them. 
And I don't know why we would go against that type of guidance to potentially just keep putting people at risk. Yes.

[Speaker 0]: Okay.

[Dylan (RELX/LexisNexis representative)]: So

[Edye Graning (Vice Chair)]: I think your amendment needs more boxing in. If you're willing to work on figuring out what that is, and can we pass it as it stands, understanding that you're gonna keep working on that when it blows up to raise the means? A Is possibility that we can and you can still vote no, I don't know if we have the votes to get it out. That's the question. Do we?

[Michael Boutin (Member)]: I don't have a problem working beyond here, but not as currently.

[Dylan (RELX/LexisNexis representative)]: I

[Michael Boutin (Member)]: I don't think it would get I can't feel comfortable that we would get to where That's not all about me. Mean, for me, it's all about me.

[Dylan (RELX/LexisNexis representative)]: Oh, we know. And it's the same thing.

[Michael Boutin (Member)]: Would rather pass it out and then work on the amendment, but pass it out with this and then work on the amendment. Because I think there might be ways that we could curtail, get rid of payday loans and get rid of kiosks, To kiosks, which I don't know if they're regulated under the bills. They should be. Well, no, they shouldn't because I don't

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: want them to just

[Michael Boutin (Member)]: look at it. So I mean, that's where I would stand on it. And I don't mind making the motion.

[Jonathan Cooper (Member)]: I feel like the amendment takes the stuff that you have in temporary and so I wouldn't feel like we were making and then I think we'd be taking one baby step with one foot and one yard step with the other foot, and then we're hit a ball. So, I wouldn't support the amendment as this, but perhaps it can be worked as vice chair mentions into a thing that is more harmonious with the legislation as it is. You know, I think that there's a lot of as we spend some time hearing about representation and collective bargaining with elements that are necessarily adversary, both the attempt to get past that. One of the challenges for people to think about is whether or not there's an element of business that has an adversarial relationship with consumers. And that's a weird thought, because that runs counter to a lot of what I think my inclinations are. And mostly that ends up getting filled with anecdotes. I'm not sure what the harm is in getting junk mail that I don't want, but I think, or people knowing things about me, I don't know

[Chris D’Elia (President, Vermont Bankers Association)]: what they know about me, that's true of

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: a lot of people, I don't

[Emily Carris Duncan (Member)]: know what they know about me.

[Jonathan Cooper (Member)]: However, I think that I appreciated the I have some anxieties about the use case approach because then it feels like our law is behind the advance of adding to it, because we set this approach, you know, necessarily be incomplete, and then we try to make

[Chris D’Elia (President, Vermont Bankers Association)]: it more complete, and then we try to make it more complete. And I think

[Jonathan Cooper (Member)]: that that does what a lot of laws do, it ends up being behind its moat. But I feel like it's, I do support the bill as we have it moving to the second, because I think that's where, then, like there's more time, there's more to go on even before it gets there. I think as the chair has reminded us all, I am comfortable with it feeling like it's underpinning necessity, this approach, and otherwise it becomes thing that's not comfortable with itself, and I think that is the worst outcome.

[Speaker 0]: Kirk, can I just, Michael, I if you want to motion that and the committee can vote?

[Abbey Duke (Member)]: I just wanted to echo what Tom said. I mean, there's two approaches, right? You can leave it wide open and then try and narrow the gaps, or we can vote it out here in its most, more toward its original intention, and then see if we can see what places we need to expand and open. And I feel like I don't support the amendment as written. I feel like it is just throwing the door wide open. And while I would be open to it, if it was narrowed and in appropriate ways that I could support it, but I can't support that amendment right now.

[Speaker 0]: So I

[Michael Boutin (Member)]: just wanna make a comment about the teddy bear. It's a teddy bear, and I would gladly accept the the help of stuffing it once once we get the teddy bear.

[Herb Olson (Member)]: You gotta throw the bear.

[Michael Boutin (Member)]: And with that, I'll I'll make the motion to upper two eleven draft.

[Speaker 0]: I have to move to amend that. I'm sorry. I amend 7.1 h two eleven with your mind. Correct. I make that motion. Is there a second to that?

[Anthony “Tony” Micklus (Member)]: I'll second it.

[Speaker 0]: Okay. Any further discussion of representing the amendment? All in favor? Regent Mayor? All opposed? Defeated? I would suggest you're willing to work with Chris and Rick. What is the form of the word? See if you can come up with some language that we could insert that narrows this down so it doesn't leave a big gaping hole. I think the committee would be open to that.

[Emily Carris Duncan (Member)]: And I certainly can do

[Michael Boutin (Member)]: that. Can't support it the way that it is. So

[Speaker 0]: with that, I think we've we're all of ourselves. Think Chris is over there. I guess I then just take a motion to report favorably draft 7.1 and a page to the left. Is there a second? Seconded. Okay. This move by recognizing White, seconded by recognizing Granny to report favorably on HM11 draft number 7.1. Is there any further discussion? If not, the clerk can call the name.

[Monique Priestley (Clerk)]: Representative Bosch? Yes.

[Monique Priestley (Clerk)]: Representative Boutin? No. Representative Carris Duncan?

[Emily Carris Duncan (Member)]: Yes.

[Monique Priestley (Clerk)]: Representative Cooper? Yes. Representative Duke? Yes. Representative Nicholas?

[Chris D’Elia (President, Vermont Bankers Association)]: No. Representative Olson? Yes. Representative Priestley? Yes. Representative White?

[Monique Priestley (Clerk)]: Yes. Representative Granting? Yes. Representative Markup? Yes. 9920.

[Anthony “Tony” Micklus (Member)]: Right? Mhmm.

[Dylan (RELX/LexisNexis representative)]: Right?

[Monique Priestley (Clerk)]: Yeah.

[Speaker 0]: I think it was a good discussion we had today. Let's see if we can get the most further with it. Representative wants to take that on, we can go to the office with the minister to assist him. We need to let him know if we need to take testimony on this next week. We certainly can take more testimony.

[Jamie Feehan (Primmer Piper Eggleston & Cramer, for APCIA and State Farm)]: And then

[Speaker 0]: we need a question next week. We don't have We haven't really sat down with Jonathan yet to move the agenda. Know that we have the lumber dealers in at 09:00 on Tuesday. They've also invited us to run on Tuesday. Otherwise, sure we can find something to pick up and probably have taken an excess ammonia on the CTE subject as well. But I think you'll see a lot of TDA. Okay. Again, committee, thank you. I hope you have a good weekend. I hope that the weather

[Dylan (RELX/LexisNexis representative)]: Snow, yes.

[Speaker 0]: We don't see snow here, but maybe in the South there is, so drive careful and enjoy your weekend, get charged up again because it's going to be another long week, I think.