[Michael Marcotte (Chair)]: Morning, everyone. This is the Vermont House Committee on Commerce and Economic Development. Again, it's Thursday, 03/19/2026 at ten in the morning. So we're back from a short break now, and we're here to have further discussions on H.211, which I know is in the queue right now. But I think last week, Dylan had offered to bring in someone from LexisNexis, and we have Rick Gardner with us, to have a discussion with the committee. So, Rick, good morning.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Hey. Good morning, everyone. Thanks for making some time for me. I appreciate it.

[Michael Marcotte (Chair)]: Well, thank you for joining us. Did you have prepared remarks before we start having a discussion?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yes. Thank you. Again, members of the committee, thanks for making some time for me this morning. So I'll just briefly introduce myself and provide some kind of initial comments and then happy to answer any questions that you all may have. So my name is Rick Gardner, Global Data Protection Officer for LexisNexis Risk Solutions Companies. I know you've talked with some of our team members, but just by way of background, so LexisNexis Risk Solutions works primarily in the fraud prevention, identity verification, and insurance underwriting spaces. We serve financial institutions such as banks and insurance companies, as well as government agencies throughout the state of Vermont. If I may, as a kind of a point of a personal privilege, actually, personally, my first ten years of my career, I worked in state government. I actually started off as a legislative staffer. I went to state government. I was an attorney with the Georgia Department of Revenue. So very much appreciate the work you guys do and the needs of state residents. Getting into H.211, so I'm here today really for two reasons. One, to speak to some specific portions of the bill that I wanted to talk through. And then also just to be a resource, we are a duly registered data broker in the state of Vermont and have been since the inception of that requirement. We're also registered as a data broker in the other states that require the registration, California, Oregon and Texas. We've also been involved in the development of the various omnibus state privacy statutes. So happy to share kind of our experience in that space as well as just practically speaking, how this works with companies such as ourselves, right? What do we do with the data? How does it work? How do we protect it? Things of that. Just again, to be a resource for the committee as this is being considered.
And so to kind of hit on that first point in terms of some specific comments I'd like to make, we are absolutely supportive of comprehensive and thoughtful privacy legislation. We along with other data brokers are working through the California Delete Act right now as I'm sure the committee is aware that law for the delete the drop aspect of it, consumers could start filing requests with the state beginning on January 1. Data brokers such as ourselves will start processing that on August 1. And so we have a comprehensive privacy program in place for the CCPA and all the various omnibus state privacy laws. And with that, one of the things that we wanted to know for purposes of this legislation is the sectoral federal exemptions. And the 19 states that have omnibus privacy statutes, 20 if you include Oklahoma just recently passed their law and I believe it's pending their governor's signature. All have exceptions for the comprehensive federal privacy laws, FCRA, GLBA, DPPA, etcetera. There's also even in the California Delete Act, there's also exemptions for those sectoral privacy laws. So we think that makes sense. Happy to discuss that further. And then as I mentioned, happy to be a resource for the committee for any questions you all may have. I would, again, just briefly in terms of opening remarks and something I think would be helpful for the committee is how does a company such as LexisNexis protect this data and ensure it's only being used for the purposes it's intended to be used for. So the way that we do that is multifaceted. So we require any customer who's going to access that data is going to go through a review process, right? So we're gonna know who we're dealing with, we're gonna do checks on them, we're gonna have a contract with them that will require the data is only being used for those purposes specifically allowed by those laws. Systematically, we also restrict the data so it's only being used for the purposes allowed by those laws.
And then on the back end, we also have an audit function. So we audit our customers to make sure that they're only using the data as they're allowed to do so. Additionally, these services are credentialed. And even within our customers, only people that have need to access the services would be able to access them. So just to give you kind of a picture of how we protect that data and keep it safe, also just using GLBA as an example. GLBA also has the safeguards rule at the federal level which we comply with to make sure we meet those security requirements as well. So again, that's who I am, that's why I'm here and happy to answer any questions there might be.

[Monique Priestley (Clerk)]: Thank you. Yeah, thanks so much Rick. Just as a starting, I'm just curious if you can help us understand the kind of universe of databases that the LexisNexis products kind of like oversee and the difference between the types of data and which ones are credentialed or not. For example, the open source world compliance database versus the database that is used to track food stamp fraud versus the database that is used for sheriffs across the country to be able to verify people and track people and that kind of stuff, versus the AML Insights database and how all of those different things exist and then who has access, who needs credentials, that kind of thing.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, no, great question and a broad question. I'll try to touch on the various components of it. So the regulated data sets such as like take a like an FCRA, for instance. So that data is kept completely separate and distinct in its own servers or within the server within kind of a segmented universe where it's only FCRA data. The FCRA data is used, as committee members may be aware of some of this already. Apologies if I'm telling you all something that you already know. But FCRA data, for instance, can only be used for certain permissible purposes. So FCRA data can only be used for instance insurance underwriting. It can be used for credit decisioning, but it's going to be in its own server or again on a segmented area on a server where it's only FCRA data. That is going to be credentialed data. Again, there's a number of products that kind of fall under that kind of FCRA designation, but broadly speaking, that would be credentialed in order for that data to be accessed for non-FCRA data. That would include, as far as the kind of regulated data sets, GLBA, DPPA, publicly available data. And then we could have data that fits in of none of the above type categories, right? For purposes of GLBA data, we do have very strict requirements in place in terms of only those permissible purposes specifically allowed under GLBA. So for instance, fraud prevention to effect or administer a transaction specifically requested by the consumer. In most cases across our products, particularly those that would be offered to a bank or an insurance company. At the end of the day, is a consumer at the end of that that is asking for something. They wanna open up a bank account, they want an insurance policy, whatever it is that they're looking for. And then what we're in the background doing is we're saying this person is who they claim to be.
And if there's some sort of indicia, if they're not who they claim to be, then that is flagged and then our customer can look into that more fully. For solutions available to law enforcement, those likewise are credentialed and also reviewed to make sure it is a legitimate law enforcement agency. World Compliance in particular is utilized for know your customer type rules, anti fraud, anti-money laundering. That only uses publicly available data within that World Compliance data set. It does not use any of these other regulated data sets that we have talked about. So there is a vetting process that the customers have to go through and checks and such, but not because of the nature of the data and the type of data that'll be in there. It's not the full credentialing process necessarily for other products, but it depends on the product, the solution, the market, etcetera. So hopefully that answers your question.

[Monique Priestley (Clerk)]: Yeah, no, that was really helpful. I guess like two more just going off with that. So can you explain how regulated or unregulated the World Compliance database is and whether or not LexisNexis has marketing solution, data solutions that sells businesses?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, specifically in World Compliance that would absolutely not be used for marketing.

[Monique Priestley (Clerk)]: Sure, yes, separate questions, right?

[Michael Boutin (Member)]: Yeah, yeah, yeah.

[Herb Olson (Member)]: To be clear on that.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: But yeah, so World Compliance is used for purposes of helping our customers meet their legal obligations. So again, just using a bank as an example, a bank has kind of know your customer, anti-money laundering type solutions. And so in order to meet their legal requirements, we provide solutions such as WorldCo to assist them. But consumers have the ability to see any data that would be in a WorldCo. It's typically going to be a politically exposed person, someone of that nature kind of meeting those specific federal requirements. But they can see that data, it could be suppressed, it could be corrected if it's wrong for some reason. So that type of framework is there. And as I mentioned, it is all publicly available data that anyone would be able to have access to. But yeah, sorry to your second part of the question around marketing. We do have some marketing solutions. It's a very narrow part of our business. So small amount would not use any regulated data sets and would not implicate any World Compliance data either.

[Michael Marcotte (Chair)]: Hi,

[Edye Graning (Vice Chair)]: Rick. Thank you so much for being here.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, absolutely.

[Edye Graning (Vice Chair)]: So, and this is, I think, a different direction, but LexisNexis started as a media database, right? Or am I misunderstanding? To track stories and things like that. Is that accurate?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, so there's different aspects of kind of the LexisNexis kind of universe. So my particular company is LexisNexis Risk Solutions. We have a sister company, confusingly also called LexisNexis. LexisNexis Legal and Professional. So if there's any attorneys in the room or others who've done legal research, you may have utilized that service. So that would have information around any case law or statutes, a lot of that legal research is done through that. There is an aspect of that I believe that has like story, just new stories, things of that nature. LexisNexis Risk Solutions itself does have some data that would be kind of media data, things like that. But I think earlier on, the company kind of started serving insurance markets, in particular insurance underwriting. Over the years has gotten more involved in the fraud prevention space. So I think that media element has been there, but it's probably more prevalent in some of our sister companies than it is in ourselves directly.

[Edye Graning (Vice Chair)]: And then, when you mentioned the data that's regulated federally can't be used for other purposes, but the public data can be pulled into used with the other data in certain circumstances, can't it? How does that work?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, it could in certain circumstances. So just to give you a for instance, so we could have a fraud prevention product, for instance, that is using regulated data if allowed by the regulated laws. So just like, so for instance, under FCRA, we would not be using FCRA data for fraud prevention because it's not a permissible purpose under that particular law. But if a federal law allowed for the data to be used for fraud prevention purposes, that could be used in conjunction with publicly available data in order to generate a fraud solution. And so just to give you guys kind of a friend's sense of what that might look like is let's say you have multiple instances of a particular consumer being associated with a particular address. And they're always associated with that particular address, but you have some kind of deviation in another record. Well, could be because the person moved, right? It could be for various reasons, but it could also be, well, a fraudster put in the wrong information. Why does this deviate? So we'd be looking for things of that nature. But to your question, if the federal law allowed for it, you could have circumstances where publicly available data was being utilized in conjunction with regulated data.

[Edye Graning (Vice Chair)]: Yeah, I appreciate the fraud prevention angle because I know that when I get a fraud alert from credit card or something like that, I really appreciate it. That's incredibly beneficial. And it's a good relationship that I have with certain... I don't always love it if they turn off my credit card when I'm traveling, but they're better about that than they used to be. So I think there are pieces there, but I guess I'm wondering how our law, the one that H.211 as it stands, is going to impact your business going forward when it comes to using that public data and combining it with the regulated data? I know know that can answer.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, great question. I think as I touched on in the kind of introductory comments, what we think makes sense here is consistency across the various state requirements. So if you look at 19 states that have a kind of omnibus privacy law. They both have, well they multiple things in common, but as it pertains to publicly available data and fraud prevention for instance or GLBA data, they all have an exception for publicly available data and that comes out of some first amendment considerations around publicly available data which is why it initially got added and the CCPA itself and then from there got picked up in other state laws. And then additionally, all those state laws have exceptions for GLBA data. They all also to a certain extent have exceptions for fraud prevention. They could be a little bit kind of state over state, but it's still the case that in each state they do have a fraud prevention exception. As I mentioned, we're supportive of comprehensive privacy legislation. We're working through the DELETE Act. I think kind of the distinction here is at least in what I believe is the most recent version from last week, there's not a full exception for GLBA data as a whole. And then also on publicly available, there's a restriction around putting that data, combining the data, things of that nature. And so using that example we just spoke through, potentially wouldn't be available in all use cases if it's being combined with some other data set. And then as I mentioned, kind of consistency with other laws and I would say consistency within the federal law itself that we also have to comply with. And a lot of the provisions we already have in place for compliance with those laws as well.

[Edye Graning (Vice Chair)]: Okay, I'm not sure I fully understand how it's gonna impact you, but I guess maybe I'll ask. And again, you may not be able to say exactly. If you combine publicly available data with protected data, do you have to treat it differently currently?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: I think the short answer to that is if we were using it with a regulated data set, it would broadly follow the same requirements. And so what I mean by that is like, so the regulated data, and I know we keep talking about fraud prevention, but just because that's the kind of the easy example. But I say that saying, any specifically permitted use in that instance, that data for that transaction would be being used for fraud prevention or to effectuate the transaction requested by the consumer. Now that same publicly available data could be used for something else, right, outside of that transaction. Maybe today the person's asking for a bank account to be opened, right, and tomorrow they're asking for an insurance policy say or something like that, right, which is a completely separate use case. So maybe that publicly available data is being used in multiple ways in multiple transactions. But for that transaction specifically for that use case, you know, for that regulated data, that publicly available data would be being used the same way.

[Edye Graning (Vice Chair)]: Okay. And just one last question. Is my location publicly available data?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Just to make sure I'm calling it

[Edye Graning (Vice Chair)]: Not my address, but my location, right? Because I know that I carry these silly devices with me that track me all the time.

[Michael Marcotte (Chair)]: And you

[Edye Graning (Vice Chair)]: know, I pop into some app and it needs my location, like maps, to get me to where I need to go. So does that become publicly available data?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: I'm not aware of a scenario where location data on a phone would be publicly available. So to my knowledge, no.

[Monique Priestley (Clerk)]: Yeah, thanks Rick. I have a few questions that are more specifically going to try to get, go down the rabbit hole of GLBA a little bit. So first, I'm just wondering if you can explain when RELX, LexisNexis arms buy data from data brokers. How often are you choosing as a CPO and I don't know if it's directly you or people under you, but how often is the privacy arm deciding not to purchase from certain data brokers because of the unknown source of the data, the provenance of the source of the data, where it's coming from, how it's sourced, the data quality, and then the chance of or the risk of inaccuracies in that data?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, no, great question and I really appreciate you asking it. So we vet all of our data sources. We have a team that is our data acquisition team that we from a privacy standpoint work in conjunction with to review all of our data sources to make sure they're reputable, to make sure they're doing the things that they should be doing right to make sure everything is appropriate and all rights have been accounted for, etcetera. And so if we've come across a source that does not meet our checks, right, and there's some red flag for some reason, we won't utilize that source. And so we do have a process to control for anybody that we're obtaining data from. As I shared, some of our data, I would say the majority of our data is publicly available data. Also our customers will give us data but restrict what we can do. You can use this to process this transaction, that sort of thing. But to your specific question, we do vet our sources or potential sources to ensure they're doing what they should be doing before we decide to do business with them.

[Monique Priestley (Clerk)]: Right, so robust quality of data is a business differentiator for RELX and LexisNexis, right? And think from your testimony and that of Dylan and just others, it is understood and clear that your company is doing the best to find high quality data. And so I guess off of the former line, just wanted to confirm that there are data brokers that present data to you or that you look at to vet that you do not end up trusting the data that is coming from those data brokers and you will not buy it.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, that's right. And again, I really appreciate that question because I do think with the way that the data broker can be defined, it brings in a huge swath of companies. The reason I'm here today and the differentiator is we wanna say that we're doing good things in the world, right? And we want our services to be accurate, used appropriately, used for socially beneficial use cases. And a big part of that is ensuring that any data we got is obtained appropriately and also that it is accurate. Have both from a moral standpoint, a product usage standpoint, right? It's for all those, kind checking all those boxes, we want to ensure the data is accurate, right? Because if it's not, then that creates multiple issues.

[Monique Priestley (Clerk)]: And then as far as GLBA, could you help the committee understand how easy it is for an entity, like basically what checks the boxes for an entity to qualify as handling data that falls under GLBA? To my understanding, it's the mix of financial data with social security number, which doesn't seem like that high of a bar.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, think, kind of in a nutshell, and again, apologies if I'm telling the committee things that already knows, but I think you guys kind of like, kind of the first question, what is GLBA data, right? GLBA data is data obtained by a financial institution when someone is seeking a financial product or service. And I'm going out to open a bank account, I'm going to get an insurance policy. That data that's being collected is GLBA data. And so, we will obtain that data subject to the uses that are permitted under GLBA. The one that is most significant for us, but not would be the only one we'd use, but would be the fraud prevention data, right. So we would then obtain the data. We would use it for purposes of fraud prevention. And then as we touched on both for our customers as well as for our sources, we're getting, we have vetting processes in place. So for our customers, is, we talked a little bit about the credentialing. We also have an audit function where we audit our customers for their usage of the GLBA data, right? And then also for any additional use, we ensure that, or excuse me, meant to kind of answer it on sources. We're also vetting our sources. The checks in place include the security protocols, contractual restrictions, technical restrictions around those usage limitations, and then the audit function to make sure the data was used appropriately.

[Monique Priestley (Clerk)]: Thanks, Rick. Tying these last few questions together. So heard again that RELX and LexisNexis have high quality standards and all of that, and that there's a lot of checks in place and you're doing solid vetting. But there is a universe of data brokers that you don't trust to buy data from yourself. And that I think could generally said, I don't know who trusts if you guys don't trust them. And then the bar for qualifying as GLBA, having GLBA data is a financial institution and social security number, that's a low one. And so again, understood that you guys take steps to ensure data quality. But if there is a universe of hundreds, if not thousands, of data brokers who potentially could qualify as having GLBA data that they're selling to sources and they're not trustworthy sources, the issue we're running into with trying to create an entity level for these sources that source data, provide data to financial institutions, the banks and the insurers that are trying to rely on high quality data from yourself, but then also could be sourcing from these other actors that are technically able to fall under that umbrella of the entity level with the GLBA protections. It feels like that is not only a risk to consumers, a risk to the institutions that are potentially getting that data that is risky, that your company does not trust. And also just an annoyance to RELX and LexisNexis, why would you I guess I'm curious. It seems like it would only benefit the players who are the good actors in this space for us to be able to try to put regulations in place to get the bad actors that you don't trust to behave in a way that is actually falling under any type of legal restrictions.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, no, appreciate those comments. You can't speak to what extent some of these other data brokers out there may have GLBA data. GLBA itself does include a number of requirements, including security requirements, use case restrictions. Certainly, we'd all agree that we don't want the bad actors out there abusing anyone's data. And so from that standpoint, I certainly agree, but I think as it pertains to GLBA with the protections that we have in place and protections for those laws and the consistency across other state requirements, we would recommend a general GLBA exception as opposed to not having that. But your point, but I hear what you're saying.

[Edye Graning (Vice Chair)]: Yeah, I can't reinforce what Rep. Priestley said enough. We want to work with you and the good companies that are in the market doing the right thing and figure out how to ensure that your business is protected in addition to ensuring that the consumers are protected from those actors in the market who are not taking the quality care of our data and of us in the same way. And so if there is specific language in the draft that is not an exemption for that level of data that we can work with you on, we are fully open to that, understanding that we need to be able to protect consumers, full stop. And so we understand that the marketplace today, the world we live in, is data driven. There is so much information already out there. We understand that completely. We know that information that gets out once it's out, out. But we want to stop that from being the case going forward as much as possible. And so protecting consumers is really a huge focus for us.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, absolutely. And very much appreciate that. And yeah, absolutely happy to continue to be a resource, work with the committee on potential language and yeah, answer any questions or either, not to cut it off here, but just if there are any follow ups, I'd be happy to do that as well, but yeah, I'd appreciate the comments.

[Michael Boutin (Member)]: How many players are there, the big ones that financial industry uses? About how many data brokers are there? Because I know there's LexisNexis, I know there's CLEAR, but that's about the end of my knowledge of what's available.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, great question. And so the first thing that came to mind, I don't think it's, I think it's helpful but not directly targeted, so let me unpack that. I believe in California for instance, there's about 500 registered data brokers give or take. I'm not sure in Vermont offhand what the number is, but that would be inclusive of all data brokers. That could be a marketing data broker, that could be a fraud prevention data broker. So that's probably the, at least for legitimate companies that are registered kind of the higher number if you will. I think the number of companies that is comparable to what we're doing would be much smaller. I could guess, but it would be just a guess. So, but it's a much smaller number for sure.

[Michael Boutin (Member)]: Do you see an amendment somewhere that maybe you register for an exemption?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah. You'd have

[Michael Boutin (Member)]: to qualify for certain I mean, you'd have to qualify. Because there's data that you guys collect that can be very beneficial for legitimate businesses, is something that I've been drumming a lot. But if there's most financial institutions use, my guess is probably three to five different entities.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, I'd certainly be more than happy to review a proposed amendment in that space. I'm not aware of a similar requirement that's kind of on the books elsewhere, but certainly more than happy to look at it or review it, provide some comments, etcetera.

[Monique Priestley (Clerk)]: Rick, and just so off that line of questioning, the bill, we were really trying to take a lot of time to carefully craft things that would allow, again, the good actors to keep doing what they're doing respect the business requirements that they have. And so there is a pretty broad processing exemption as well as additional exemptions when it comes to identity verification, fraud prevention. I'm just curious if you could speak to why that isn't sufficient.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, no, I appreciate the thoughtfulness and appreciate the question. So, just as a for instance, I think one of the kind of current exemptions in the law is around kind of legal compliance. As I mentioned, for the services that we provide, it may not be like, LexisNexis doesn't have a KYC obligation, right?

[Michael Marcotte (Chair)]: We don't

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: have an anti-money laundering obligation, but our customers do, right? So we're providing a service that facilitates another company's legal compliance. And that kind of side note on that, some of the omnibus privacy statutes actually kind of address that element, right? That there could be another service, right? That's assisting with an exemption for legal compliance. You noted, and I know we've been talking a lot about fraud prevention, right? But there is the fraud prevention kind of an exception there that I saw in H.211, which I think is very helpful. But there's also some other elements in GLBA for instance around transaction requested by the consumer. There's use cases in GLBA around like institutional risk control, which is somewhat touched on, right? We talked about like the security in H.211. But I think it's also for us, it's the usage, it's also compliance with, you know, we have our GLBA obligations and then we have our state obligations and making sure, right, we're covering both. So that's, but again, yeah, happy to continue to work through the language to see something that could work.

[Monique Priestley (Clerk)]: Rick, I guess more specifically the broad exemption for entities being able to function as a processor in the cases where you're providing a service, are you not a processor?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Well, yeah, no, great question. So it depends on the service, right? Typically the way processor is defined is that you are processing data on behalf of this company, right? And only this company, right? We may have a, and that can be the case, right? If a company says, hey, I'm giving you this data, you're processing it for me, great, you know, we're just a processor. But we have other data resources, right, that are our own data resources we may have acquired from another reputable source that we are then providing. Well, that's not the financial institutions bank that we're processing on their behalf. That's our data that we are making available to them. And so that's why I think the processor exemption is helpful, but it doesn't cover kind of the entirety of the service.

[Monique Priestley (Clerk)]: So I guess like thinking about the whole universe of data brokers, I guess like the question would be, and this is where we were running into an issue is like, do, so in your instance, I think you're, and correct me if I'm wrong, like there are services where you're acting as a processor and then there's just selling data that the banks and other entities, anybody can like depending on credentialing requirements and stuff like that can buy in the sphere of other brokers that is the data that can be bought that doesn't fall under the relationship of being a processor. But how is it that we can differentiate between the good actors who are the processing activities are covered by this exempted, but the sale of data files, for instance, is maybe not. How do we differentiate between the good actors that are selling data, reputable data and the bad actors that are selling potentially like not good data and or risky Yeah,

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: yeah, no, a great question. And yeah, so for us specifically, it does depend on that service. But even if we're not a processor per se, all the things that we've discussed are still there, like very much still there, right? The auditing, the credentialing, and ensuring these are legitimate customers. It's just, it's not that we wouldn't wanna be a processor there, it's just the way that processor is defined, right. It's not data being processed strictly on behalf of this entity, right. And therefore not a processor, but functionally right? What it's being used for is that same thing, right? Serving that financial institution, right? In terms of differentiating, I know we're all aligned right on that, right? What is the best way to ensure that reputable data brokers are able to do what they need to do for the benefit of residents, etcetera, versus the non reputable brokers? I mean, I think part of that is certainly, what are those entities that are not registered, right, in Vermont and elsewhere, right. It's certainly a big red flag, right. If they haven't kind of met that initial threshold. I think that having these exemptions that we're kind of talking through, I mean, are longstanding exemptions that have use cases that have been in the market for quite some time. But yeah, certainly more than happy to figure out the best way to differentiate. And as I said, I think we're all certainly aligned on that point.

[Monique Priestley (Clerk)]: Then Rick, so from talking to data broker employees trying to understand this piece, this whole space, it sounds like it's relatively easy for identity to be created if it's using the sources from the dark web and that kind of stuff where it takes a social security number and it could be somebody else's address. If that type of information is used to apply for a credit card and that credit card company approves establishes an identity, really. And I am just curious if you could help us understand how often is RELX and or the institutions that are depending on it basically dealing with headaches caused by those false identities, false positives that exist for people who do have real identities, and just the messiness, I guess. And hopefully, regulating the non reputable I'm going to keep using that term, I guess is we're trying to help lessen the non reputable sources in order to hopefully also relieve headaches for you. I'm just curious if you could explore that with us.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah. So a little bit off the cuff, but I mean, certainly could follow-up with some real numbers to kind of substantiate. But very much appreciate the question because I think it really does highlight how much of a problem there is out there, right, in terms of people creating fake identities, especially with the onset of AI, right, it's just becoming more and more of an issue and really underscores like the criticality of having a good fraud prevention solution from reputable fraud prevention companies. So that being said, we catch a lot of instances, right, of people that, bad actors who have tried to create a false identity or commit fraud. By doing so, have you benefited not just our customers, but also consumers kind of at large. There can be instances where something is maybe incorrect or got flagged incorrectly. And in those instances like that, that could be, again, of in a nutshell, could be lifted. Oh, like that, sometimes it's just human error. Like that got tagged as fraud. Oh, it wasn't fraud. Okay, we just left that and this person's good to go. So there are tools in place to ensure in the event that there's a false positive that can be addressed.

[Monique Priestley (Clerk)]: Sorry, back to GLBA. You. As far as the Say we were exploring the entity level GLBA or even data level, and having an entity use data that qualifies under the GLBA coverage. The first say, in the way that they first source the data. So I'm a I don't even know payday lender or something. And I buy GLBA data that qualifies under GLBA protections. And that initial use of maybe trying to verify the recipients of payday loans or something falls under that protection. But say I have multiple arms, advertising arms, marketing arms, that kind of stuff, that then I am sharing the data with. So that use case that I got the initial data set for was covered, but then maybe I'm using the data across seven different departments for seven different reasons that weren't for that initial consumption of the GLBA data. That is also how do we protect those? That's what we're trying to do with a specific use case versus entity level or data level. The data, yes, it was GLBA. The entity that got it, yes, GLBA. But then the uses of that that might happen seven layers down, how do we, if we're not looking at use case exemptions, protect that information that was, say, single other things that might be in the data broker files. It's not only their social security and their identity, but it might also be that this is a new mother. This is somebody who struggled and has debt collectors chasing her. And she might be a great person for us to serve a Facebook ad to have a payday loan, apply for a payday loan. Those layers down don't feel protected. Your thoughts there.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah. Appreciate the question. To that question, the committee knows, this has been a discussion point in other jurisdictions as well. Hey, do you do it just the entity? Is it the entity plus the data? I think as practical matter, if it was just an entity level exemption, that would exempt the financial institutions, right? The banks and insurance companies themselves, but not the services that they rely on to provide institutional risk control, fraud prevention, kind of things of that nature. So for that reason, would say a data, GLBA data exemption as opposed to only a financial institution, institute level exemption makes more sense and really gets the GLBA ecosystem. To your question, if that data is being taken in and being used kind of every which way and particularly to be serving up ads through social media. Would say that's a big issue, right? That's an issue with that customer. I would say in that case they really stepped out of what GLBA data is permitted to be used for. But the permissible purposes that are there, right, for fraud prevention, institutional risk control, effectuating transactions, right? Those are things that are, you know, surveying the integrity of the business. They're also serving consumers to ensure that that data is being used appropriately. And as I mentioned, in terms of responsible use, we have checks to make sure the data is only being used for those responsible use cases and nothing further.

[Michael Boutin (Member)]: So I appreciate the last comment that you just made. When a bank financial institution is accessing the data, is there a thing that they have to sign off on before they start using it?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: For for our company specifically, yes. That will be in the contract and that's in the system itself.

[Michael Boutin (Member)]: And do they have to sign do they have to sign that agreement every single time someone logs into the profile?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: I believe so, yes. There's like a pop up that says, you know, basically you are certifying that you're, you know, using it for for this. So it's in the contract and it is in the system and and I believe it is, you know, every time they they would go in.

[Michael Boutin (Member)]: And what happens when you discover that it was fraudulently used?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, as I mentioned that we do have an audit function that looks for that, is this data being used appropriately. It would depend on the factual scenario. If it was fraudulent being used or abused, that could be cut off, right? That we would terminate the relationship with that customer. If it was, if it's dug into, could take remediation, it depends on what the issue is, but there is an audit function on the back end to support the contracts, the system, right? So it's kind of a comprehensive universe.

[Monique Priestley (Clerk)]: Thank you. Rick, so I guess, again, with the exemption stuff. So under the Fair Credit Reporting Act, consumers have the ability to know what's being collected, to correct it, to request it, to delete it, all that kind of stuff. And then they can be denied, of course. Under this law, we're trying to exempt what is needed business requirement wise for identity verification, fraud prevention, all of the good uses and legal uses and state law and federal law protected uses. My concern and question around the GLBA kind of thing is, this bill is trying to regulate data brokers, not financial institutions. But in that, one of the proposed exemptions was basically a data broker who is collecting and using data that is then provided to financial institutions. Then they are basically qualified to fall under this exemption, which

[Michael Marcotte (Chair)]: is

[Monique Priestley (Clerk)]: a big universe. And GLBA does not offer any rights to people to know their information, to delete their information, to correct their information. And so I'm worried and concerned about us basically creating this umbrella protection for a bunch of non reputable data brokers who have data that qualifies under GLBA, which then they are exempted from needing to do anything. And again, you're LexisNexis RELX reputable source, we're not concerned necessarily about you. We have this whole universe of hundreds, if not thousands, of brokers who are potentially going to get a free pass for any use of data because they are dealing in financial data and social security numbers.

[Michael Marcotte (Chair)]: Yeah,

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: we're certainly aligned on ensuring that, you know, reputable companies are doing all the things they're supposed to do, you know, companies are not, you know, none of us want them to have access to, you know, any data that they shouldn't. I think here, I'll just put out there for the committee for kind of food for thought. In the other states that have data broker registry or additional data broker requirements such as California, right, with the Delete Act. There's also the omnibus privacy law. I know that's also been considered in Vermont as well. And I say that just because I think kind of how they work in tandem, right, in terms of what are data brokers required to do? What are other companies required to do? Disclosures, opt outs, kind of the full universe. So just as the committee's considering these issues, we would just again, putting that out there for food for thought in terms of how does this interact with a broader privacy law and not just the kind of the data broker universe. Oh, so yes, I have a question. Sorry, hand raised out there.

[Emily Carris Duncan (Member)]: Oh yes, hi. Emily Carris Duncan, thank you. Actually getting back to Michael's question, I was just curious if the forms that folks have to fill out kind of to move, if I understand it correctly, to use data for one purpose or another, is that something that's sort of internal company policy or is that just following a good practice in state law?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, no, great question. So under the GLBA itself, it does restrict what the data can be used for. So that component is specifically in law. I want to say, and I'd have to verify this, please take this with a grain of salt, that the law also talks about certifying what that permissible purpose is. But certainly I can definitively say by way of practice, our practice is contractually our customers have to certify that this is what the data would be used for.

[Emily Carris Duncan (Member)]: Okay, and then also for you all, just looking at the GLBA, marketing is kind of an exempted or allowed function, I guess. And I think kind of getting onto what Monique was saying, it's not necessarily that we're interested in folks that are in companies that are really doing this work and making sure that they're dotting their Ts and all that stuff, or dotting their Ts and crossing their eyes. Rather these companies that are also kind of less reputable and looking at things like those payday lenders and stuff that qualify as financial institutions, they also have the ability to market in various ways to their consumers. Do you have any thoughts on how exactly we think about separating out our good actors and our questionable actors?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, great question. Yeah, in terms of marketing, as I mentioned, that's a very, very small sliver of the business for us. We do not use any regulated data for purposes of marketing. And so I think any differentiation because I'd certainly appreciate marketing is a big concern. Certainly happy to work through kind of what the wording would look like, but yeah, kind of differentiating, these are companies that marketing versus ones that are not. I think that we kind of appropriate differentiation. Yeah, in terms of the regulated data, we're using it for only those purposes specifically allowed.

[Edye Graning (Vice Chair)]: Do you

[Michael Boutin (Member)]: question regarding the type of data that you collect or that you maintain. Do you collect relationship data as it not like siblings, that kind of data? That's available, that it is available on your platform. And the question for you is, according to this bill, would you have to delete that data?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: I'd have to specifically look at, so apologies, I'm not trying to decide the question, but yeah, I need to specifically look at that provision as it pertains to delete. I guess I would put it this way, if it would be required to be deleted, we certainly would delete it. But

[Herb Olson (Member)]: yeah,

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: I just I don't recall offhand how it's worth it.

[Michael Boutin (Member)]: One of the exemptions for data level is fraud and my concern is that a relationship data, like a sibling, could be considered, well, that's not considered fraud information, But the question, it's not really a question, it's more like a statement of why exemption levels for data is difficult is because your definition of fraud data would be different. I look at that and I think relationship status, not status, that's not a good term, but relationship associate connection is beneficial for preventing fraud, especially when it comes to trying to figure out if a beneficiary is related, but you may look at that differently or somebody in this room may look at that differently. But ultimately I would say that that's fraud prevention, correct? Would you agree with that?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, hear what you're saying, in terms of, it could be different understandings of a particular provision. I think as it pertains to whether some relationships could have relevance to fraud prevention, I think it depends. I think they could, it could be about not so much about the relationship, Just about this individual, but I think for us, it would depend on the product and the solution. Appreciate your broader point around like people could understand differently, you know, what does that mean as a practical matter?

[Michael Boutin (Member)]: And that would have a negative impact on our financial industry. You don't have to answer that. That's a stake.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah. Yeah. No. No. Appreciate it. Looks like sorry. It looks like there's a hand up. Mister Olson.

[Michael Marcotte (Chair)]: If I had someone in here first and and then her can jump. Sorry.

[Monique Priestley (Clerk)]: Rick, so I guess directly off that question. So definitely see the value in having family member data in reputable sources that are, again, they're credentialed protected by things like Fair Credit Reporting Act and things like that for verification purposes. But also, in the course of this, just exploring the we are exploring the non reputable sources as well that go into that might be relied on for KYC that are beyond the reputable source material that you provide. And I guess that actually triggers a question for me in that if my information is showing up and being sold by non reputable data brokers and then also the data of my sister and my father and my cousin and my aunts and my grandfather and everybody else that might be used to figure out my to have files that exist for figuring out my mother's maiden name and things like that. Again, if we do this entity level or even data level exemption covering the data brokers who are providing information to entities that fall under GLBA, then it seems like not only am I not providing Vermonters with the ability to request deletion from these non reputable data broker sources for myself. But I'm also inherently maybe blocking the deletion of all of those family members that are tied to the non reputable data broker sources that have my data. Just curious about that. And also just how much that can also mess you guys up when you're trying to do source data, quality data as well.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah. I appreciate the question. I think it goes back to again, I know we're all aligned on this. How do we differentiate a non reputable data broker from a reputable data broker, right? And making sure that the bad actors don't have the data, the good actors do and can use the data appropriately. So yeah, on that specific issue, yeah, certainly happy to continue to work with you all on our way to word that right. And in a way that's appropriate, protects Vermont residents, etcetera. So I'm more than happy to work through kind of some specific wording on those points.

[Michael Boutin (Member)]: Thank you.

[Michael Marcotte (Chair)]: Herb?

[Herb Olson (Member)]: Hello, good people. Hello, Mr. Gardner. I'm sorry I came a little late. I didn't think you would want to be infected with what I got right now. So I did come in a little late and so I might have missed your opening. So maybe just as a baseline, I'm assuming Mr. Zoeghi has been representing you, I think, for quite a few weeks and he sent something out on February 26 with a suggested amendment to the bill. Is that still what we're talking about Mr. Groenington?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, thank you for the question. Yes, brief introduction for myself and then yeah, happy to hit on that question. So yeah, so Rick Gardner, Global Data Protection Officer for LexisNexis Risk Solutions. So we offer solutions primarily in the fraud prevention, identity verification insurance underwriting spaces. Yes, so in terms of the document you have in front of you and Dylan, please keep me honest. That is I think the latest and greatest and what we would recommend. And so yeah, just here to kind of speak to some of the specific notes on the bill and then also just to be as a resource as a reputable data broker, how we do what we do it as to serve the committee as it delivers.

[Herb Olson (Member)]: Yeah, so I appreciate that. So, you know, we've as the committee has been going through this process, I think some of the issues that have been raised, I don't want to repeat what how many framed it, but I think there are probably a couple of, you know, big kind of issues in terms of the proposal you're making. One is the breadth and depth of the kind of information that would be available under the exemption or the deletion exemption that you're suggesting, and also sort of the concomitant consumer rights under the bill would be eliminated from that kind of data as well. And I guess, so I am not going to repeat that, but I am wondering, I am still having trouble with understanding why the exemption that is being proposed in subdivision VI having to do with processors for business with which they have a direct relationship with the customer. Why that doesn't fit? The banks and insurance companies are going to have that relationship and it's a pretty broad, as far as I can see, it's a pretty broad exemption in terms of the kind of data. They're still going to be obligated, of course, to their own Gramm-Leach-Bliley and frankly the state privacy protections are pretty bad too. So I'm having trouble understanding why it doesn't fit. I heard you say in part of your testimony, we do doesn't fit the definition of processor. And maybe that's, you know, so that's like, I guess, a contractual relationship. Is it the contract that's hanging up? Because I don't understand why, you know, there's only a limited number frankly of regulated entities and I'm sure you got contracts with a lot of people, why you couldn't simply, you know, talk to them about a standard contract that would allow for you taking advantage of Subdivision 6?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, no, a great question. So yeah, in a nutshell, in some instances we would be you know just a processor, some products etc for a particular bank you know for the data and this is really the crux of it. There's the data that they're giving to us, right? That they're saying, hey, please process this on my behalf at my instruction, great. We're your processor for that data. But we are also obtaining data from a reputable third party data source that we vetted that we may then be making available to that bank, right? So it's not data we're strictly processing at their direction on their behalf that they've provided. It is third party data that we are providing to that bank. Now, albeit for the same purpose, right? It could be for fraud prevention, right? But it is not their data we're processing on their behalf, right? It's our own data resource that we've acquired.

[Herb Olson (Member)]: Yeah. So that's why I'm having trouble understanding. So you're taking that, I think you're suggesting that the processor would only be limited to data that you receive from, say, bank or insurer because I'm having trouble seeing the narrowness of I don't see the definition of processor is that narrow but help me understand why you think it is yeah

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: so I think it's it's it kind of boils down to, even if it's not necessarily just data that is provided by them, but it's data we're obtaining for them, right. It's data we're obtaining for any, not just bank A, but bank A, bank B, bank C, right? Our own data asset that we've acquired that we are then making available to multiple customers who are obtaining those services. Now, perhaps here, and maybe this is something we could continue to look at, how processor is defined, But under most omnibus privacy laws, and again, I know this is more targeted to data brokers, but just in terms of the way other states have looked at this or the way it's defined and even other jurisdictions outside of the US, you know, processor is data being processed on behalf of another entity. And in this case, we have data that's not strictly processed on their behalf. You know, it's our own data that we're a controller of that we are making available to them.

[Herb Olson (Member)]: Yeah. And that's why I'm hung up a little bit. I don't see I'm I'm having trouble squaring the the text with the concern you I mean, it sounds like a legitimate concern, but I I'm having trouble understanding the how those two fit together. Thanks. Thanks very much.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, no, thanks for the question. And, yeah, Dylan, we can discuss that and maybe we can follow-up with some materials a little bit more specific, but I appreciate the question.

[Michael Boutin (Member)]: Somebody else can go, but I do have a question. Is there somebody else that can go before me? Oh, Phil.

[Edye Graning (Vice Chair)]: I think Herb said exactly what the issue is, We feel like we have crafted this bill in a way that ensures that the folks in the market that are the good actors or are covered and protected. And if there is something specific that isn't what And we have not Yeah, understanding our language, Not in the context of how anybody else looks at it anywhere else. What we have set up for this state, it appears to us that you are fully protected to continue in the way that you're telling us that you're doing your work, right?

[Monique Priestley (Clerk)]: I have a question, Rick, while giving Rep. Boutin a chance to try to craft his time filler. I'm curious, the bottom line of concern for RELX as far as potential business interruption, I'm just curious, is it more of a potential data deleted from sources that RELX would be in LexisNexis would be getting? Deletion requests? You operate internationally and you have really strong privacy policies and deletion mechanisms on every single product that you have in the ecosystem. I'm curious, you already have that structure set up. So I'm just like, well, I guess, what is the real concern from LexisNexis as far as what this bill will, like, I guess why it's being lobbied?

[Michael Boutin (Member)]: Yeah, yeah, yeah.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: No, I appreciate the question and yeah, I appreciate the comments on the processor components and certainly happy to dive deeper into that and see what room may be available there. But in terms of, yeah, the heart of the concern, I think kind of boils down to two things. One is due to the use cases that we provide, the services that we provide, when somebody deletes data for fraud prevention say, it can actually, it can harm them, right? Like their data is not there to make sure that their account is not stolen, things of that nature. Also, worry about the fraudsters, right. Also opting out and not being available to be identified as such. So it's protecting kind of those use cases number one. I think number two, it's also from a consistency standpoint, going back to kind of what the other states have done and not just what the other states have done, but also our obligations under the various federal statutes, Ensuring we're doing everything we have to be doing under both federal and state law. So think that's kind of the universe, right? What we're using data for, consistency with other state laws and our obligations under federal and state law.

[Monique Priestley (Clerk)]: Thank you. For the first part, the concern about the deleting data that's used for fraud prevention, I think we've covered that there are certain databases that are credentialed and covered by Fair Credit Reporting Act and things that you maintain that those could be requested or denied. I guess we also had somebody come in that's an expert in the identity verification space as far as talking through the know your customer avenues of, yes, there is the non documentary methods of using data brokers, there is both the reputable sources and the non reputable sources. But then there's documentary aspects of using a license and a passport in somebody's face and mobile device use, and typing, and methods, and all this kind of stuff. So I guess I am still again, I'm still trying to figure out I feel like we are really trying to carefully craft the protection of not interrupting your business with the fraud prevention piece and maintaining integrity of those pieces where they are reputable data sources that are high quality controls, but also protections under federal state and federal laws. So I'm still struggling with trying to figure that out, how we're not doing that.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah. And very much appreciate the thoughtfulness and appreciate the, yeah, the opportunity to to to to share as well. So, Deb, yeah, points points well taken.

[Michael Boutin (Member)]: Alright. So Sorry. Just

[Michael Marcotte (Chair)]: waiting a little bit. So I I I hear what you're saying about consistency, and we've talked about that over the years. And when first passed our first data privacy bill that unfortunately didn't make it all the way through. Two or three years ago, we were talking about entity level exemptions, which we did. Now we're talking about, now that's changed, and it's data level exemption. And so, I'm just thinking that this may be the next generation, because as we keep going forward with all of this, start to see where the holes are and start trying to plug them. And so this may just be the next generation and how do we get to a point that satisfies the good players in the market and separates out the bad players? I think that's what we're trying to figure out.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yep. Michael? I do appreciate that.

[Michael Boutin (Member)]: Who's not here for that conversation years ago? No. But that's

[Michael Marcotte (Chair)]: I mean, but that's true. No.

[Michael Boutin (Member)]: No. I can't. That's where

[Michael Marcotte (Chair)]: everybody was at that time was entity level and everybody fought for that. And then it's it's switched to now it's data level. And now, you know, this is maybe a new a new way of approaching it.

[Michael Boutin (Member)]: So I have a bank account. I designate Monique Priestley as the person that can access my account when I die. However, I don't die for ten years, which is a good thing. In that time, she actually gets married and her last name is Smith. Talked about how, because I thought about when you were talking about maiden names, that information is collected on your level. Now, Monique Priestley does not exist anymore. Monique Smith does. So the bank that's trying to reach out to Monique Priestley can't find that person because she would delete her data, right? Yeah, of course. From the

[Monique Priestley (Clerk)]: things that weren't protected that could get denial. She doesn't have

[Michael Boutin (Member)]: a direct relationship according to two eleven to the bank. She does not. So when we talk about holes that I'm trying to like, those are the kind of holes that cause a problem in the financial industry. And you would be able to currently be able to say, Oh, Monique Priestley? Well, actually, she's also known as Monique Smith. So the bank would be like, Oh, I bet you she got.

[Michael Marcotte (Chair)]: Correct?

[Michael Boutin (Member)]: Yeah. Do they excuse you for that?

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah. As we touched on, we want to ensure for a variety of reasons, we want to ensure our data is accurate, both to make sure that the service works appropriately, we're providing services to the right person, etcetera. So in that example, we would certainly work to keep our records up to date to recognize this person has been married. And so it would depend, but certainly, we try to keep our data as accurate as possible.

[Michael Marcotte (Chair)]: I'm just wondering that you still have that direct relationship with the person that owned the account. You as the owner of the account, you deceased, you already put instructions in there of who it is. And I think that's still a direct relationship that they can ask LexisNexis or another broker to find that person.

[Michael Boutin (Member)]: But there is no direct relationship with Monique. Because it says direct relationship means a consumer that has intentionally interacted with a business. She hasn't interacted. I have. I've interacted.

[Michael Marcotte (Chair)]: You have to you've gotta have permission from the person you're designating. No. I don't.

[Michael Boutin (Member)]: No, no, no. Legitimately, sorry, I didn't That sounded like I snipped at you in a

[Michael Marcotte (Chair)]: I still think that direct relationship still exists even though you're deceased. Because if they're fulfilling a they're fulfilling they have to find that person or it gets escheated to the state.

[Michael Boutin (Member)]: But it means that consumer has intentionally interacted being that consumer, that consumer

[Michael Marcotte (Chair)]: And I think you, as the consumer, have already directly interacted. And I think that's the way I look at it. I don't look at it as them having to try to find Monique. They would do that on your behalf. If they can't, then it gets escheated to the state, and then it'd be up to Monique to find, see that it's on there at some point.

[Michael Boutin (Member)]: That's the

[Michael Marcotte (Chair)]: way I would look at it. I know you look at it Can

[Edye Graning (Vice Chair)]: I screw it?

[Monique Priestley (Clerk)]: Sure. I think he's gonna go. Rick, I think you're gonna go. I don't know what I'm hearing. So just to leave you on a thing that would be helpful when we do a follow-up is that from looking at reading the Consumer Financial Protection Bureau report from 2024 that is advising states to not keep giving entity level exemptions and highlighting all of the loopholes under GLBA. The state's privacy laws should not be continuing to use over and over and over again, as well as the Connecticut AG's report from last year, which also convinced the Connecticut legislature to stop using entity level exemptions in their privacy bill for GLBA and switch to data level. That's another area that I would love to explore with you because I think we're being told by federal experts to not keep perpetuating that and as well as state AGs. So it'd be helpful to figure out, navigate that.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Yeah, thank you for the comment. And yeah, I do need to drop, but I'm happy to continue the conversation, talk through some of those elements you raised. And I know something's always a little lost via the screen. So maybe next time we could do something in person, but yeah, really and truly do appreciate the committee's time. I appreciate the thoughtfulness. I appreciate you letting me share some thoughts today. And so thank you all very much.

[Michael Marcotte (Chair)]: Thanks. Thank you for joining us today.

[Edye Graning (Vice Chair)]: We really appreciate your time. Absolutely.

[Rick Gardner (Global Data Protection Officer, LexisNexis Risk Solutions)]: Thanks, Bob. Thank you all. Alrighty, bye bye.

[Michael Marcotte (Chair)]: Dylan, you want to add something?

[Dylan Zwicky (Representative for RELX/LexisNexis)]: Yeah, just Dylan Zwicky. Appreciate the joke's comments about the history with respect to what Dave Brog said. I do think it's important to correct the record that RELX/LexisNexis' position on exemptions in 2020, whenever that data privacy bill was, was always for a data level exemption. Our position has not changed, I realize. There were other actors that may have been asking for entity level positions, but with respect to some evolution in thinking about privacy, ours has

[Michael Marcotte (Chair)]: not evolved. Okay. I'm just saying overall, right, that we started at entity level exemptions, and now I think we're going to that's what LexisNexis was on the data level exemption. And I just think that everything just keeps evolving. So if we had passed our data privacy bill then, I think we'd be here today or next year or the year after trying to now up it and change it. And maybe we're getting ahead of the curve. I don't know. But if we can keep talking and seeing what we can work out, that would be great.

[Dylan Zwicky (Representative for RELX/LexisNexis)]: Yeah, I appreciate that. Just I think, and there may be instances where there was advocacy around entity level exemptions where today the discussion might be around data for my client in particular. Don't think that that I mean, certainly there is a discussion now about use case, but it has not been an evolution of my decisions.

[Michael Marcotte (Chair)]: Yes, understood. Thank you. Anything else, committee? Probably good information. Super generous of these times. We appreciate you, Bill, and thank you for arranging that. It's been helpful. So I think that's all we have for today, unless you all want to come back out to the floor, have Let's more have some dinner.

[Michael Boutin (Member)]: I'm thinking 07:00. I dropped my dog off at doggy daycare. It's Okay.

[Michael Marcotte (Chair)]: So that's it. They will be back at nine tomorrow. Usual, hear from our you hearing from our

[Emily Carris Duncan (Member)]: Interns.

[Michael Marcotte (Chair)]: Interns tomorrow? They don't? Yeah. Are we? Okay. So we'll hear from our interns. We'll see what's going on. Anybody's noticing anything in other committees and keep your eyes open now for senate bills coming over. Those are starting to come into play, so and we'll give you an update of what we're looking after next week.