[Senate Hearing 106-885]
[From the U.S. Government Publishing Office]
S. Hrg. 106-885
ID THEFT: WHEN BAD THINGS HAPPEN TO YOUR GOOD NAME
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
AND GOVERNMENT INFORMATION
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
on
EXAMINING THE EFFECTIVENESS AND FUNDING FOR THE IDENTITY THEFT AND
ASSUMPTION DETERRENCE ACT (P.L. 105-318)
__________
MARCH 7, 2000
__________
Serial No. J-106-70
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
69-821 CC WASHINGTON : 2001
COMMITTEE ON THE JUDICIARY
ORRIN G. HATCH, Utah, Chairman
STROM THURMOND, South Carolina PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire
Manus Cooney, Chief Counsel and Staff Director
Bruce A. Cohen, Minority Chief Counsel
______
Subcommittee on Technology, Terrorism, and Government Information
JON KYL, Arizona, Chairman
ORRIN G. HATCH, Utah DIANNE FEINSTEIN, California
CHARLES E. GRASSLEY, Iowa JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio HERBERT KOHL, Wisconsin
Stephen Higgins, Chief Counsel and Staff Director
Neil Quinter, Minority Chief Counsel and Staff Director
(ii)
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Kyl, Hon. Jon, U.S. Senator From the State of Arizona............ 1
Leahy, Hon. Patrick J., U.S. Senator From the State of Vermont... 1
Grassley, Hon. Charles E., U.S. Senator From the State of Iowa... 8
CHRONOLOGICAL LIST OF WITNESSES
Prepared Statement of Susan Herman, executive director of the
National Center for Victims of Crime........................... 3
Prepared Statement of James G. Huse, Jr., inspector general,
Social Security Administration................................. 4
Statement of Maureen Mitchell, registered nurse and licensed
realtor, Madison, OH........................................... 10
Panel consisting of Gregory Regan, special agent in charge,
Financial Crimes Division, U.S. Secret Service, Washington, DC;
and Jodie Bernstein, director, Bureau of Consumer Protection,
Federal Trade Commission, Washington, DC....................... 22
ALPHABETICAL LIST AND MATERIAL SUBMITTED
Bernstein, Jodie:
Testimony.................................................... 29
Prepared statement........................................... 31
Herman, Susan: Prepared statement................................ 3
Huse, James G., Jr.: Prepared statement.......................... 4
Mitchell, Maureen:
Testimony.................................................... 10
Prepared statement........................................... 16
Regan, Gregory:
Testimony.................................................... 22
Prepared statement........................................... 25
APPENDIX
Questions and Answers
Responses of Jodie Bernstein to Questions From Senators:
Feinstein.................................................... 47
Grassley..................................................... 48
ID THEFT: WHEN BAD THINGS HAPPEN TO YOUR GOOD NAME
----------
TUESDAY, MARCH 7, 2000
U.S. Senate,
Subcommittee on Technology, Terrorism,
And Government Information,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:06 p.m., in
room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl
(chairman of the subcommittee) presiding.
Also present: Senator Grassley.
OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE
STATE OF ARIZONA
Senator Kyl. Good afternoon. This hearing before the Senate
Committee on Judiciary Subcommittee on Technology, Terrorism,
and Government Information will please come to order. The
subject of today's hearing is ``ID Theft: When Bad Things
Happen to Your Good Name.'' I welcome all of you to the
hearing.
I will begin by indicating that Senator Feinstein is in her
State of California because of her State's primary and
therefore will not be joining us today. There may be other
members of the panel, however, either on the Democrat or
Republican side, joining us as the hearing progresses.
There are some statements that I will put into the record
at the very beginning. Senator Patrick Leahy has a statement
for the record.
[The prepared statement of Senator Leahy follows:]
Prepared Statement of Senator Patrick J. Leahy
Less than two years ago, President Clinton signed the ``Identity
Theft and Assumption Deterrence Act of 1998'' into law to crack down on
the theft of another person's identification information that results
in harm to the person whose identification is stolen and then used for
false credit cards, fraudulent loans or for other illegal purposes.
This new law also set up a ``clearinghouse'' at the Federal Trade
Commission to keep track of consumer complaints of identity theft and
provide information to victims of this crime on how to deal with its
aftermath.
This law was the product of bipartisan concern and good faith
efforts to develop a legislative response to the growing problem of
identity theft. I am proud of the work Chairman Kyl, Senator Feinstein
and I, and others, did together to produce a strong, effective law.
Protecting the privacy of our personal information is a challenge,
especially in this information age. Every time we obtain or use a
credit card, place a toll-free phone call, surf the Internet, get a
driver's license, or go shopping online, we are leaving virtual pieces
of ourselves in the form of personal information, which can be used
without our consent or even our knowledge. Too frequently, criminals
are getting hold of this information and using, the personal
information of innocent individuals to carry out other crimes.
The consequences of identity theft for its victims can be severe.
These victims can have their credit ratings ruined and be unable to get
credit cards, student loans, or mortgages. They can be hounded by
creditors or collection agencies to repay debts they never incurred,
but were obtained in their name, at their address, with their social
security number or driver's license number. It can take months or even
years, and agonizing effort, to clear their good names and correct
their credit histories. I understand that, in some instances, victims
of identity theft have even been arrested for crimes they never
committed when the actual perpetrators provided law enforcement
officials with assumed names.
The FTC has recently made available online a number of valuable
resources for consumers and victims of identity theft. One such
document, called ``ID Theft: When Bad Things Happen to Your Good
Name,'' contains poignant stories from consumers about how ID thieves
have damaged their lives.
One consumer reported to the FTC that:
``Someone used my Social Security number to get credit in my
name. This has caused a lot of problems. I have been turned
down for jobs, credit, and refinancing offers. This is
stressful and embarrassing. I want to open my own business, but
it may be impossible with this unresolved problem hanging over
my head.''
Yet another consumer reported:
``My elderly parents are victims of credit fraud. We don't know
what to do. Someone applied for credit cards in their name and
charged nearly $20,000. Two of the card companies have cleared
my parents's name, but the third has turned the account over to
a collection agency. The agency doesn't believe Mom and Dad
didn't authorize the account. What can we do to stop the debt
collector?''
Identity theft is a problem that reaches into every state. One of
my constituents had to deal with this problem several years ago. In
June of 1997, on the night before her wedding, a woman stole Carla
Chadwick's purse. Ms. Chadwick, a resident of Burlington, Vermont,
canceled her credit cards and assumed that the story would end there.
Unfortunately, this was just the beginning of her nightmare. For the
next two years the thief assumed Ms. Chadwick's identity, and went on a
cross-country spending spree, damaging Ms. Chadwick's credit along the
way. The thief also checked into hospitals under Ms. Chadwick's name,
and accrued thousands of dollars in medical charges. This thief even
applied for welfare, again under Ms. Chadwick's name. Officials believe
that, in total, the thief racked up more than $58,000 of fraudulent
charges, all in Ms. Chadwick's good name.
The nightmare finally came to an end in December, 1999, when the
thief, later identified as Carla Mae Purdy, was arrested in Spokane,
Washington. Carla Mae Purdy now faces prosecution under the ``Identity
Theft and Assumption Deterrence Act of 1998,'' and Carla Chadwick can
reclaim control of her good name.
Such stories abound across the nation, and the ``Identity Theft and
Assumption Deterrence Act'' appears to be helping law enforcement catch
and prosecute ID thieves. For example:
In July, 1999, the United States Secret Service announced
the indictment of Terkesha Lane, a resident of West Palm Beach,
Florida. Ms. Lane allegedly stole the identity of a co-worker
by obtaining a driver's license in the victim's name. With that
driver's license, Ms. Lane apparently withdrew more than
$13,000 from the victim's bank account and charged
approximately $4,000 on fraudulently obtained credit cards.
Like Ms. Purdy who victimized a Vermonter, Ms. Lane faces
charges under the ``Identity Theft and Assumption Deterrence
Act.''
In July, 1999, a federal grand jury in Columbus, Ohio,
indicted nine individuals for Identity Theft. In this case, the
thieves used 36 fake or stolen names and checking accounts to
set up false bank accounts and withdraw real money. Officials
in Columbus say that this case represents one of the most
complex identity theft cases ever seen in the district.
In October, 1999, Anthony Jerome Johnson, a California man,
pled guilty to a federal charge of identity theft. Mr. Johnson
admitted stealing the identity of Donald Lightfoot and opening
two bank accounts in Lightfoot's name, as part of a scheme to
obtain $764,000.
The law we passed made prosecution of these individuals, and
restitution to these victims, possible.
Assisting crime victims is of critical concern to me and one I know
is shared by Chairman Kyl and Senator Feinstein. The ``Identity Theft
and Assumption Deterrence Act'' provides important remedies for victims
of identity fraud. Specifically, the law makes clear that these victims
are entitled to restitution, including payment for any costs and
attorney's fees in clearing up their credit histories and having to
engage in any civil or administrative proceedings to satisfy debts,
liens or other obligations resulting from a defendant's theft of their
identity. In addition, the new law directs the FTC to keep track of
consumer complaints of identity theft and provide information to
victims of this crime on how to deal with its aftermath.
The FTC has done a good job with the statutory mandate we gave
them, and I commend the Commissioners and staff for their work. The
Federal Trade Commission provides user-friendly assistance to victims
of identity theft on their website. The website informs victims of what
they need to do right away, such as calling the fraud departments of
the three major credit card bureaus. Also, the Federal Trade Commission
provides an easy to fill out on-line complaint form to help the FTC
track and combat identity theft, as well as links to other government
agencies on this issue. Victims of identity theft can check out this
site and learn about the applicable state and federal laws, learn about
recent identity theft-related cases from around the country, and other
helpful reports.
The ``Identity Theft and Assumption Deterrence Act'' was an
important accomplishment, but there may be more we can and should do to
address this problem. I look forward to reviewing the testimony of the
witnesses to evaluate how well the new law is working for law
enforcement and, most importantly, for the victims of identity theft
crimes.
Senator Kyl. In addition, we have for the record statements
provided by Susan Herman, Executive Director of the National
Center for Victims of Crime, which has been very, very helpful
to us in putting legislation together, and also testimony of
James Huse, Inspector General, Social Security Administration.
Both of those statements are very helpful and will be submitted
for the record.
[The prepared statements of Ms. Herman and Mr. Huse
follow:]
Prepared Statement of Susan Herman, Executive Director of the National
Center for Victims of Crime
Chairman Kyl and members of the Subcommittee, we appreciate the
opportunity to offer testimony on the important issue of identity theft
and our response to victims of this pervasive crime.
The number of identity theft cases is growing. Annual case
estimates are in the hundreds of thousands. Identity theft is a crime
that can strike any of us, yet its victims have been marginalized,
essentially left struggling to restore their good name and credit as
best they can. Since identity theft offenses are relatively new, and
certainly newly prominent, neither law enforcement nor victim services
have yet developed an adequate response.
The National Center for Victims of Crime operates a toll-free
information and referral line for victims of crime. One of the most
frequent complaints we get from victims of identity theft is that law
enforcement will not take a report. This is a significant problem,
because victims are routinely advised to get a copy of the police
report to use in clearing their credit record.
Until recently, the only official ``victim'' in many cases of
identity theft was the defrauded merchant or credit agency. The
individual's liability for wrongfully incurred charges was generally
limited, although it could take days of persistent phone calls and
letters on the part of that individual to establish that point. Today,
about half of the states have defined a separate ``identity theft''
offense, under which it is clear that a person whose identity is
stolen, including cases of credit card fraud, is also a victim in the
eyes of the law. However, even in those states, law enforcement
officers often mistakenly inform individual victims that only the
financial institution or commercial entity is a ``victim.''
Victims have also been told by law enforcement that they can't take
a report until they know where the crime was committed, Since identity
theft can be committed in person, over the phone, through the mail, or
over the Internet, this information is rarely available. Many laws
state that the crime may be deemed to have occurred where the victim
lives, but many front-line officers appear to be unaware of such
provisions, perhaps because they have been inadequately trained.
Even where police take reports, relatively few cases of identity
theft are solved. The San Diego Police Department reported that in 1999
there were 783 cases of identity theft, but only 50 ended in arrest.
The Los Angeles Police Department received more than 3,000 reports of
identity theft in 1999, but its Financial Crimes Division only solved
about one percent of such cases. Since cases of identity theft can be
very difficult to solve, they can drive down a police department's
success rate.
Victim service agencies have also not developed adequate services
for identity theft victims. Currently, few resources are available.
While the National Center has a referral database of thousands of
agencies and organizations serving victims of crime, fewer than a dozen
report that they serve victims of identity theft. And many of those
simply take reports. They do not have crisis lines, nor do they provide
counseling or any intervention or advocacy on behalf of identity theft
victims.
Perhaps one reason there are few services for victims of identity
theft is that guidelines for victim assistance grants from the Victims
of Crime Act (VOCA) Fund were changed only recently to allow funds to
be used for services to victims of financial crimes. With VOCA's
historical emphasis on victims of violent crime, many victim service
agencies remain unaware of this change and need active encouragement to
develop those services.
Victims of identity theft often do not know the full extent of the
crime for a long time. It can take one or more billing cycles for
charges to appear on a bill. In the case of stolen checks, new
instances of fraud can surface slowly over time. The person who has
stolen their identity may commit crimes using that identity, giving the
victim a criminal record that may resurface with any routine traffic
stop or background check.
A victim's financial security can be shattered. Even if they can
limit their financial losses, it can take countless hours of work over
several years to repair the damage to their credit rating and to
restore their good name. Credit reporting agencies can be slow to
change the credit record; fraudulent charges can reappear on the
victim's account or credit report after once being removed; and bill
collectors can appear time and again to attempt to collect wrongfully-
incurred debt.
Victims who obtain a criminal record through the misuse of their
identity have a particularly difficult time clearing their names.
Police records, often incurred under the victim's social security
number as well as name, can be hard to change. Some states are
considering legislation that would require courts, in cases of identity
fraud, to make a specific finding that the person whose identity was
falsely appropriated to commit the crime is innocent of the crime.
The effects of identity theft on victims are not well understood.
Many victims become hypervigilant; the fraudulent misuse of their
personal information makes them keenly aware of how many people in
their daily lives have access to their credit card information or
social security number. They find themselves unable to trust the
billing staff at their doctor's office, the department store clerk,
their office administrator, or the secretary at their child's school.
This inability to trust others in the ordinary business of life. takes
an emotional toll on victims.
Victims of identity theft also are excluded from many state level
victims' bills of rights. Victims who have had their identity
misappropriated often have a great interest in being kept apprised of
the-progress of the case, yet they have no legal rights to be kept
informed or to participate because those rights are limited to victims
of violent offenses.
The federal Identity Theft and Deterrence Act of 1998 and many new
laws at the state level have made significant improvements in our
nation's response to victims of identity theft. However, as this
problem continues to grow, it is clear there is more that we can and
should do. Every victim of crime deserves adequate resources and
assistance to rebuild their lives, even victims of non-violent crime
such as identity theft. The incidence of identity theft is growing, and
it is time to strengthen our national response.
__________
Prepared Statement of James G. Huse, Jr., Inspector General, Social
Security Administration
It is an honor to provide this Subcommittee with the Social
Security Administration's Office of the Inspector General's (SSA-OIG)
status of ongoing work and our perspective on the direction we need to
take to reduce the incidents of identity theft. Thanks to the
leadership of Senator Kyl and the efforts of this Subcommittee, the
Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft
Act) was passed in October 1998. That Act provided this office with a
powerful weapon to combat Social Security number (SSN) misuse when used
to commit identity theft. While the SSN was never intended to be a
``national identifier,'' this Act acknowledges that the SSN is a
commonly used means of identification. Even before the passage of the
Identity Theft Act, this office had gained insight into the widespread
occurrence of identity theft, because of the vast number of complaints
received by the SSA-OIG Fraud Hotline. Because of this, we developed an
action plan to focus on SSN misuse. The American public has an
expectation that the Government will establish safeguards to protect
their SSN's from misuse. They also expect governmental action when
misuse occurs. This office will do its best to meet the public's
expectation.
From the beginning, our office has taken a proactive stance to work
with other Federal organizations to reduce the incidents and impact of
identity theft crimes by participating in national and international
work groups. We worked closely with the Federal Trade Commission (FTC)
to develop informational materials that provide a consistent message
throughout the Federal Government to assist and educate victims of
identity theft. We have met with several U.S. Attorney's Offices to
discuss the prosecutorial guidelines for identity theft and because
this issue is so important, I have detailed an attorney from my office
to the Department of Justice to assist in the prosecution of identity
theft cases.
Our office continues to share knowledge and data with the FTC. The
FTC and our Office of Investigations are developing a referral system
that will allow for the automated transfer of data between the
agencies. This referral system will not only improve our ability to
assist victims but allow us to detect individuals committing identity
theft more quickly. Based on a recent analysis by FTC, we estimate that
referrals of SSN misuse could reach 8,000 a month in addition to the
2,500 we already receive. Because of this expectation, we are
redesigning our systems to capture SSN misuse referrals in a more
defined structure that will delineate SSN misuse by type.
Our Office of Investigations is using existing programs to further
develop the referral process with the FTC. The fugitive felon program--
designed to implement sections of the Personal Responsibility and Work
Opportunity Reconciliation Act of 1996 (commonly known as the Welfare
Reform Act)--identifies individuals illegally receiving Supplemental
Security Income (SSI) payments through computer matching agreements
with State and local law enforcement entities. Oftentimes, these data
matches identify individuals whose SSN has been assumed by a fugitive.
We refer this information to the FTC and our investigative units follow
up on leads of those individuals who assumed the victim's SSN.
In fiscal year 1999, our Office of Investigations launched SSN
misuse pilot projects in five cities across the Nation. Our special
agents provide the lead in working with Federal and State law
enforcement agencies to review Hotline allegations and open an
investigation, if warranted. Partnering with other law enforcement
agencies allows us to have a greater impact with limited resources.
Because of this partnership, we are able to present cases for
prosecution, which if presented separately, would not be accepted. In
the past year through these task forces, we opened 79 investigations,
which so far, have resulted in the conviction of 18 individuals. U.S.
Attorney's Offices and Federal and State law enforcement agencies have
enthusiastically welcomed these pilots and have applauded my office for
taking the investigative lead. In one city, Federal and State law
enforcement agencies that were not part of the task force have asked to
join because of its success.
I would like to provide the Subcommittee with a synopsis of three
different investigations related to SSA programs and identity theft
that were successfully prosecuted.
In the first case, our Office of Investigations was instrumental in
the conviction of what is believed to be the first Federal prosecution
under the Identity Theft Act. Our Milwaukee Sub-office opened an
investigation, based on a referral from the Wisconsin Capitol Police,
of Waverly Burns who was receiving SSI payments. During the course of
the investigation, we discovered that Mr. Burns acquired the SSN of
another individual and then used this number to secure employment as a
cleaning crew supervisor. While working in this capacity, he gained
access to the offices of the Wisconsin Supreme Court and stole over
$80,000 in computer equipment. Meanwhile, he lied to SSA officials, in
a statement for determining continuing eligibility for SSI, claiming
that he was unemployed and continued to receive full SSI payments. Mr.
Burns used the stolen SSN to secure a State of Wisconsin identity card,
to open bank accounts and file fraudulent tax forms under the victim's
name and SSN.
On April 21, 1999, Waverly Burns was indicted for identity theft,
SSN misuse, and making false statements to SSA and the Internal Revenue
Service. On May 5, 1999, OIG Special Agents arrested Mr. Burns after
tracking him to Chicago. Mr. Burns pled guilty to using the identity of
another person to obtain employment, then using that employment to
commit burglary. Mr. Burns was sentenced to 21 months in prison and
ordered to pay over $62,000 in restitution directly to the Wisconsin
Supreme Court.
In the second case, our SSA/OIG special agents as part of the
Delaware Financial Crimes task force, investigated Zaid Gbolahan Jinadu
as he schemed to defraud several federally insured financial
institutions. He solicited the assistance of bank employees to provide
SSN's and other identifying data to open fraudulent credit card and
bank accounts. These compromised employees also helped him to take over
current accounts, make fraudulent wire transfers, receive cash advances
and negotiate numerous checks. Mr. Jinadu was indicted by a Federal
Grand Jury in the District of Delaware on October 26, 1999, on four
counts-one count each of bank fraud; identity theft; fraud in
connection with access devices; and misuse of SSN's. On December 20,
1999, Mr. Jinadu and his co-defendants entered a guilty plea to one
count of bank fraud and one count of identity theft. He is responsible
for fraud losses of approximately $281,122. Total known losses to
financial institutes by Mr. Jinadu and his cohorts during the past 4
years exceeds $4 million.
In our last case and perhaps one of the most egregious of identity
theft crimes was one perpetrated against an elderly individual. Our
Richmond Sub-office opened an investigation on Charles Fleming, a SSA
disability beneficiary, who stole the identity of a 67-year old
individual recovering from a stroke. He took personal documents from
the victim's home and used them to obtain a State driver's license and
SSN under the victim's name. Using these documents, he opened credit
card and loan accounts and found work. He concealed this employment
from SSA in order to continue receiving full disability benefits. Mr.
Fleming pled guilty to identity theft and received a sentence of 12
months and 1 day in a Federal penitentiary and 3 years of supervised
release. The court ordered him to pay restitution to SSA of over
$29,000 and to creditors of over $24,000. The victim is in the process
of repairing his credit rating with the assistance of FTC.
While it is apparent that our initial action plan has been
successful, we have recognized that identity theft is on the increase
and we need to expand our role. I believe the SSA-OIG should continue
to lead the law enforcement community in the investigations of SSN
misuse and identity theft to ensure the integrity of the SSN and SSA's
programs. Because of this, I directed our Offices of Audit and
Investigations to work together to define the most susceptible areas
where SSN misuse and identity theft impact on SSA's programs. After
completing this analysis, I focused our investigative resources on the
following areas involving SSN misuse if:
(1) there appears to be a failure of SSA's enumeration
business process or the wage and earnings reporting system,
since discrepancies in this vein can be indicative of SSN
misuse;
(2) there is the suspicion or an allegation involving the
counterfeiting of SSN's;
(3) there is concealment of work activity by false
identification, especially to obtain or maintain eligibility
for SSA benefits; and/or
(4) there appears that a fake SSN is being used to maintain a
fictitious identity for the purpose of receiving other Federal
and State program benefit payments.
The Office of Audit has also been instrumental in providing
recommendations to the Agency that, when implemented, will strengthen
the integrity and security of the enumeration function. Enumeration is
the process by which SSA assigns original SSN's, issues replacement
cards to individuals with existing SSN's, and verifies SSN's for
employers and other Federal agencies. SSA issues about 16 million new
and replacement cards annually. There are nearly 300 million active
cards at this time.
Over the past 3 years, members of Congress have asked the Inspector
General community to identify the most significant management issues
facing their agencies. In my most recent response I included identity
theft. False identities are being used to defraud SSA.
Unscrupulous individuals can assume the identity of another person
who is either alive or dead and work under the stolen identity.
Individuals have also assumed the identity of another person and placed
their assets under this identity in order to qualify for SSI payments
under their own SSN. I have shared this assessment with the Agency and
recommended that they concentrate on the prevention rather than the
detection of identity fraud. Because of this, I am also encouraging the
Agency to include SSN fraud and misuse as a key initiative in their
Strategic Plan.
In addition, SSA's Deputy Commissioner for Finance, Assessment and
Management and myself are co-chairs of the National Anti-Fraud
Committee. We formed this Committee to facilitate an exchange of
ideas--determining what problems we face and suggesting solutions. The
Committee is comprised of 10 Regional Anti-Fraud Committees located
throughout the country. In the past year, identity theft and SSN misuse
has become a major focus for discussion and because of its importance,
we have included it as an agenda item for the National Anti-Fraud
Conference that will take place in September.
Currently, there is proposed legislation before the Congress asking
to extend civil monetary penalties to those committing crimes involving
the misuse of a SSN, who are not being punished by the Federal courts.
I urge you to endorse this legislation. There are other legislative
remedies such as statutory law enforcement that will enable our
investigative offices to process these cases more efficiently and I
hope that you support this as well.
I thank the Subcommittee for giving me this opportunity to inform
you of our work in the identity theft arena. I pledge, with your
support, to vigorously attack the problem of SSN misuse and identity
theft before it becomes a national crisis. I would be more than happy
to provide the Subcommittee with any additional information or to
answer any questions that may arise from these Hearings.
Senator Kyl. In addition, we will keep the record open for
either questions or statements of Senators who could not be
here. And as I say that, Senator Grassley also has arrived. So,
Senator Grassley, thank you for being here.
Let me read a brief opening statement and then I will call
upon Senator Grassley and then hear from our first witness.
One of my goals as chairman of this subcommittee has been
to prevent criminals from using technology to prey on society.
There are few clearer violations of personal privacy than
actually having your identity stolen and then used to commit a
crime. Criminals often use Social Security numbers and other
personal information of law-abiding citizens to assume their
identity and steal their money. It is high-tech theft.
To combat this, I sponsored the Identity Theft and
Assumption Deterrence Act, which is now Public Law 105-318,
which prohibits the stealing of a person's identity. The aim of
the Act is to protect consumers and safeguard people's privacy.
The bill was prompted by Bob Hartle, of Phoenix, who approached
me about the problems he had suffered at the hands of an
identity thief.
With overwhelming bipartisan support, the bill became law
in October of 1998. Under the law, a conviction for identity
theft carries a maximum penalty of 15 years' imprisonment, a
fine, and forfeiture of any personal property used or intended
to be used to commit the crime. The bill also provides that the
Federal Trade Commission must assist people whose identities
have been stolen.
Violations of the Act are investigated by Federal law
enforcement agencies, including the U.S. Secret Service, the
FBI, the Postal Service, and the Social Security Administration
Office of Inspector General. Federal identity theft cases are
prosecuted by the U.S. Department of Justice.
Under the law, the Federal Trade Commission collects
complaints about identity theft from consumers who have been
victimized. The Commission helps victims of identity theft by
providing information to assist them in resolving the financial
and other problems that can result from this crime.
It has now been 16 months since the law was signed by the
President. The Office of Inspector General of the Social
Security Administration released a report in August of last
year, 10 months after the bill was signed into law. According
to this report, 81.5 percent of Social Security number misuse
allegations relate to identity theft.
The report reaches the following conclusion: identity theft
affects many areas of our society. Private citizens have had
their credit histories destroyed by individuals who steal and
use their Social Security numbers to obtain credit. These
individuals run up large credit debts and then move on without
paying the debt. This type of behavior not only destroys the
citizen's credit history, it adversely affects the national
economy as creditors raise interest rates to cover the losses
arising from this fraudulent activity. Identity theft can,
therefore, as the report shows, have a devastating effect.
One purpose of this hearing today is to survey the effect
of Public Law 105-318. The new law, I would say, seems to be
working quite well. For example, in February the law was used
to charge two men suspected of being involved in terrorist
activities targeting the United States.
Additionally, according to statistics from the Department
of Justice for fiscal year 1999, 1,147 cases were opened,
involving 1,350 possible defendants, including 169 cases opened
in the District of Arizona, my State, involving 178 possible
defendants. Five hundred thirty-five cases were closed, with
644 defendants being sentenced nationwide. Ten cases were
closed in Arizona, with 13 defendants being sentenced. Of the
644 defendants sentenced, 407 entered guilty pleas. In Arizona,
of the 13 defendants sentenced, 10 entered guilty pleas.
Today, the subcommittee will hear from three witnesses
about the effect of the Identity Theft and Assumption
Deterrence Act. Maureen Mitchell, from Madison, Ohio, is a
victim of identity theft and will discuss her case for us.
Gregory Regan is Special Agent in Charge of the Financial
Crimes Division for the Secret Service, which is one of the
primary Federal law enforcement agencies investigating identity
theft.
Finally, the subcommittee will hear from Jodie Bernstein,
the Director of the Bureau of Consumer Protection of the
Federal Trade Commission. She will discuss how the FTC has
responded to identity theft in carrying out its duties under
the 1998 law.
In closing, I would like to thank Senator Feinstein for her
support in helping the identity theft bill to become law. As
always, I must say it is a pleasure to work with her on
subcommittee initiatives that aim to ensure that the law keeps
pace with technology. I also give my thanks to Senator Grassley
and other members of the committee who have worked very closely
with me in pursuing these particular kinds of issues.
Before we hear from Ms. Mitchell, let me ask Senator
Grassley if he would like to make an opening statement.
STATEMENT OF HON. CHARLES E. GRASSLEY, A U.S. SENATOR FROM THE
STATE OF IOWA
Senator Grassley. Thank you very much for holding this
hearing, following up on the effectiveness of the identity
theft law that you were so instrumental in getting passed
within the last couple of years. I think the hearing shows a
recognition of the fact that it has become a very serious
problem and we may need to do more about it.
I think you have adequately described what the problem is.
I am here today to make sure that the laws adequately protect
the victims and that the criminals get the punishment they
deserve. If there are any changes that need to be made to make
this law better, I am ready to work with you on doing that.
I am very concerned about how the Internet can facilitate
this crime. While a lot of this information has been available
through other sources for a long time, the Internet and other
interactive computer services make collecting personal
information extremely simple. It is kind of like one-stop
shopping.
Through government and corporate resources readily
available on the Internet, an identity thief or stalker can
collect information necessary to find his or her victim. This
poses a real threat to all of us, but especially I am
concerned--and this comes from my work as chairman of the Aging
Committee--about the impact upon the elderly. So while the
Internet has brought about incredible changes for the better,
the legal system needs to be there to adequately safeguard the
confidentiality of individuals' personal records.
I am also concerned about the fact that personal
information is being marketed without the knowledge of the
persons affected. I have expressed my concern on a number of
occasions about cookies and other devices that collect
information about unsuspecting individuals using Web sites. And
I have been particularly concerned about the ease with which a
person's Social Security number can be utilized in stealing
identity.
In the last Congress, Senator Feinstein and I introduced
legislation to prohibit the commercial use of Social Security
numbers and to restrict their use by State departments of motor
vehicles, especially for commercial use. This bill would have
gone to the source to stop the dissemination of Social Security
numbers which criminals use all to easily to steal people's
identities. Unfortunately, we are now playing catch-up because
technology advances so rapidly. But this is such a problem, I
want to reintroduce this legislation to protect our
constituents.
Chairman Kyl, I hope that we can explore these difficult
policy issues here in this subcommittee through this hearing
and other meetings, and I want to work with you on any
necessary changes or enhancements of the identity theft law.
This is not a victimless crime and it should not be treated as
such.
Senator Kyl. Thank you very much, Senator Grassley, and you
are absolutely right. We are taking a survey of the situation
today to see whether there are changes that need to be made, to
see how well the law is working. And as you also pointed out,
as technology evolves, we are going to have to constantly keep
tracking it and keep up to date because it can obviate the work
that we do in this committee pretty fast if we don't continue
to monitor it.
Well, our first witness today is an actual victim of
identity theft, and I thought it would be interesting to have
you basically hear her case, her situation, to see how this
crime can occur, how devastating it can be, and what can be
done about it.
Ms. Maureen Mitchell is a registered nurse and a licensed
realtor. She lives in Madison, OH, with her husband, Raymond
Mitchell. They have two children. She and her husband are
victims of identity theft resulting in fraud in excess of
$110,000.
Ms. Mitchell, it is a pleasure to have you with us here
today.
STATEMENT OF MAUREEN MITCHELL, REGISTERED NURSE AND LICENSED
REALTOR, MADISON, OH
Ms. Mitchell. Thank you, Senator Kyl. It is a pleasure to
be here.
My husband and I have been married for 23 years. We have
always been financially prudent and fiscally responsible
people. We have never paid a debt late in our lives. We use
credit conservatively and wisely. We have a daughter in college
and a son in high school. We have always taken the normal
consumer protections to try and keep our private information
private. We do not throw out pre-approved solicitations intact,
we do not bank on the Internet, we don't order via the
Internet. We don't order merchandise through home shopping
networks. When we do use our credit card, we are conscientious
and always obtain a receipt.
In spite of all these precautions, we found ourselves
getting a phone call from our KeyBank Mastercard service
provider in September alerting us to an unusual pattern of
activity on our credit report that, based on our consumer
profile, caused them some concern.
It turns out there were a few thousand dollars' worth of
mail order charges placed on our Mastercard. We had never lost
our wallets, we never lost our credit cards, we had never been
burglarized. Yet, our account number was compromised. KeyBank
notified us. They closed our account. They reported the card
lost or stolen, which we objected to because that is not what
happened. They issued us new credit cards, and we thought that
would be the end of it.
We asked if there was anything else that we needed to do
and we were told no. I asked about making out a police report
and I was told that it was optional. I did make out a police
report on September 12 and reported the fraudulent use of our
credit card number. Two months later, on November 15, we
received a phone call from J.C. Penney informing us that
someone had used my husband's name and Social Security number
to open an account at a Penney's store in Schaumburg, IL. We
reside in Ohio.
Penney's suggested that we call and place consumer alerts
and fraud alerts on our credit reports with Trans Union,
Experian and Equifax, which we did, and Penney's kindly
provided us with those phone numbers. When I called Trans
Union, I was dismayed to learn that there had been 25 inquiries
into our credit in a 60-day period. There hadn't been 25
inquiries into our credit in the entire 23 years that we had
been married, and I asked Trans Union did that not send up red
flags to them. The response I got was that it was not their job
to monitor the number of inquiries. They did kindly give me the
names and phone numbers of those 25 merchants.
I then called Experian and found out that there had been
six changes of address filed in that 2-month period of time. We
have resided at the same residence for 20 years. Yet, six
addresses now appeared on our Experian credit report. I spent
the next few days frantically trying to call the merchants who
had made inquiries into our credit report to alert them that we
were not the applicants and to beg them not to extend credit in
our name.
I encountered automated answering system hell in trying to
notify these merchants. I was never offered the option of
pretending I had a rotary phone to speak to a human being, was
never offered the option of pressing an extension to report
fraud, was frequently asked to enter an account number, and I
didn't have an account number because we are not the ones who
opened the account. It was an effort in frustration and
futility, but I did persist.
Three days after we placed fraud alerts on our consumer
credit reports, we received three very alarming phone calls in
a 2-hour period of time. One was from Citibank, one was from
BankOne, and one was from Marquette Bank. Forty-five thousand
dollars of fraudulent loan applications had been made in a 2-
hour period at three different lenders in close geographic
proximity to each other in the greater Chicago area using my
husband's name and Social Security number.
BankOne faxed us an affidavit. We signed it, we had it
witnessed, we faxed it back. The Lansing, IL, detectives
apprehended a suspect as he left BankOne with the $15,000 he
had obtained fraudulently. This suspect was found to have an
Illinois driver's license and an Illinois State identification
card with his own picture on it, but my husband's name, my
husband's Social Security number, my husband's vital
statistics. This suspect said to the detectives as he was
arrested, I did not use a gun, I did not use a knife, call my
lawyer, I will plead guilty and they will put me on probation.
The detectives ran the suspect's fingerprints and he was
found to have 17 aliases and multiple priors. Yet, 2 days
later, Judge Thomas Panicki, in Cook County, IL, released this
suspect on his own recognizance on a signature bond. We were
appalled. These criminals know that if they use a weapon to
commit bank robbery, they will do mandatory jail time.
Technology has now become their weapon, but it is not the
typical gun and knife, and they are counting on being put on
probation instead of incarceration.
When this criminal was apprehended, it was only the tip of
the iceberg of the information of the damages that were done
fraudulently that was available. We have subsequently learned
that a Lincoln Navigator was purchased using our credit. A Ford
Expedition was purchased using our credit. Service Merchandise
accounts were set up. Household bank accounts were set up. They
are living large using our names and credit.
The scales of justice here seem to be tipped in the wrong
direction. This criminal is assumed innocent until proven
guilty. Yet, the victim of identity theft is assumed guilty
until proven innocent. We have had to prove our innocence over
and over again to 30 different merchants, 30 different ways.
This criminal is given a public defender to protect his legal
rights. Yet, if we need to hire an attorney to clean up this
mess and protect our rights, we are paying substantial legal
fees out-of-pocket.
It has come to light subsequently that the person who
purchased the Ford Expedition is not the same person who was
apprehended as he left the bank. This is an identity theft ring
that is operating in an insidious manner. The detectives who
apprehended this suspect are limited by their geographic
boundaries to the community in which they work for their
investigation. Yet, similar crimes are being committed in
surrounding communities, but the detectives are limited; they
can't investigate those crimes.
We have begged, pleaded, cajoled. We have submitted
notarized statements. We have over 100 pages of documentation
on this. I have met with our Congressman, Steve LaTourette. He
put me in touch with the FBI. I have met with the FBI. It was
only through the intervention of Senator Kyl's office that we
were actually able to obtain the Secret Service as the
investigative authority in this case.
As victims, we have found it to be a nightmare on filing
out the forms and affidavits that are required by the
individual merchants to prove our innocence. I strongly urge
that there be a uniform protocol established for victims to
fill out one set of forms and one set of documents.
We were very fortunate early on in making our phone calls
that I had contacted the Ohio Attorney General's office and
they steered us to contact the Federal Trade Commission. The
Federal Trade Commission advised us that we needed to contact
the Social Security Administration, the Department of Motor
Vehicles, the Internal Revenue Service, possibly our employers,
and all of the other avenues where your Social Security number
is your identifying number. Kathleen Lund, of the Federal Trade
Commission, provided us with good information, and also moral
support at a very difficult time.
It is almost indescribable to try and put into words what
it feels like to be a victim of identity theft. It has a huge
impact. We were told by the detectives in Illinois that we
needed to keep fraud alerts on for the rest of our lives
because the criminals know when the fraud alerts expire and our
information will be recirculated again. So the next time my
husband and I go to apply for a loan, whether it be for a
vehicle or to put our other child through college, we will have
to explain this story to the merchant, hope they believe us,
and hope that they don't perceive us to be the criminals.
Prior to the Identity Theft Act going into effect, we
wouldn't have even had a legal standing as victims here. We
wouldn't have been considered true victims. We are indeed
victims, but we are all victims because we are all paying for
this in the higher cost of consumer goods and the higher cost
of interest rates. The attempts on our credit exceeded
$150,000. The actual amounts obtained are $111,00, and they may
still be climbing. There may be information that we do not know
as of yet.
The criminals need to be held accountable. Technology needs
to be considered as a weapon, as serious a weapon as a gun or a
knife. We were thrown into a financial quagmire through no
carelessness on our part. We don't know how they obtained our
information, and all of us are vulnerable. People need to know
that the Federal Trade Commission is the national clearinghouse
on identity theft. They need to know that they are entitled to
Federal investigation for these crimes, and that as victims we
have rights to try and protect ourselves and assist in the
prosecution of criminals.
I included in my statement a list of 15 recommendations for
your review. I thank you for your time. I appreciate this
opportunity, and I hope you all never walk in the shoes of an
identity theft victim.
Senator Kyl. Thank you very much, Ms. Mitchell. I think
that brings alive the nature of the problem that is faced here
and makes it clear why we have to ensure that our law works.
One of the things you did was to provide 15 specific
recommendations for us. Let me begin by asking what more you
think the FTC could or should be doing in a situation like
this. In other words, did our attempt to provide a
clearinghouse activity with the FTC work? Could it work better?
What would you recommend in that regard?
Ms. Mitchell. I found that the information that we received
from the FTC was very valuable and very important for us. There
were things that we would not have thought of, bureaus to
notify, the Social Security Administration, the Internal
Revenue Service. We were so focused on trying to notify the
merchants to prevent further financial damage that we may have
indeed overlooked those other things.
I strongly urge that there be a uniform protocol for
victims, one set of documents once it is established that you
truly are a victim of identity theft. We have had to submit
handwriting samples to 20 different merchants. We have had to
submit notarized statements and affidavits. It is like filling
out your income tax returns 20 different times with 20
different sets of instructions. A uniform protocol for victims
to follow, I think, would make--it is not easy to walk in these
shoes. Whatever we can do to make it easier would be
appreciated.
Senator Kyl. That is an excellent suggestion and we will
pursue that with our later witnesses.
You also note that the police departments and local law
enforcement agencies need to know more about the Federal law so
that they will understand how it works and how they can take
advantage of it. I think that is a good idea and we are going
to have to try to figure out some ways to make sure that that
information gets out.
Is there anything else, one of the specific recommendations
that you would like to bring not only to our attention but to
the attention of the public at large here?
Ms. Mitchell. I think the credit reporting agencies and the
merchants who were defrauded of merchandise have an onus of
responsibility here. KeyBank alerted us to an unusual pattern
of activity on our credit report based on a consumer profile
that has been developed about us for the last 20 years that we
have been their customers. Trans Union, Experian and Equifax
also have consumer profiles about us for our entire adult
lives.
We hadn't moved in 20 years. Why would they assume that
moving 6 times in 2 months was not something to be alarmed
about? We had never over-extended ourselves with credit. Yet,
there were 25 inquiries in 2 months that didn't send up red
flags to them. I think they are the first line of defense.
It is already too late to safeguard the Social Security
numbers; they are out there. We live in a State where our
Social Security number up until recently appeared on our
driver's license through no choice of ours. We had to have it
that way. I think the credit reporting agencies can be a good
first line of defense for the consumers. We did take
precautions ourselves and they were not enough, and the credit
reporting agencies are the ones--the accuracy of the
information on your credit reports is very important. The
merchants use that and perceive it as gospel because it came
from the credit reporting agency. Yet, there doesn't seem to be
a system of verification of that information prior to it being
entered on your credit report. That needs to be remedied.
And I also can tell you that in the example of them buying
a Ford Expedition, there were four glaringly obvious errors on
that application. Our name was misspelled. There were two co-
buyers who said they resided together. Yet, one used an address
of North Grand and one used an address of West Grand on this
application. They purchased the 60,000-mile extended warranty
at the cost of $695. When that figure was transposed over to
the debit column, it was transposed over as $1,695. I don't
know how the merchants and lenders missed this.
They also put down the area code to verify their place of
employment as 300. That area code does not exist in the
continental United States. Yet, this loan was approved, and it
was a $40,000 vehicle. The credit reporting agencies need to
use due diligence and the merchants need to use due diligence.
Senator Kyl. Thank you.
Senator Grassley.
Senator Grassley. I have three short questions. After all
you have been through--and by the way, I have a staff person
whose sister and parents were victims, whether to the extent
you were, I don't know, but they were victims of stolen
identity.
After all is said and done, did you ever find out how the
criminals got your information?
Ms. Mitchell. No, we haven't. Unfortunately, Senator, we
are not all said and done yet. The case has not come to trial.
We do not know how they obtained our identity. We do not
believe it was through any carelessness on our part. And we
would like to know how it was accomplished, but right now we do
not know.
Senator Grassley. Is this something that the police can't
tell you or won't tell you? Is it some big secret?
Ms. Mitchell. I don't believe the police departments know
at this point how these people got this information about us.
We reside in one State; the criminals and the criminal activity
is taking place in another State.
Senator Grassley. Now, you spoke about a central location
you ought to be able to go to and have one form or one way of
filling out a document indicating that you have been defrauded
and to get the information out. I am aware of some companies
that provide a centralized service where consumers can register
their credit cards and make only one call if the cards are lost
or stolen.
Do you happen to know if these companies provide any
assistance with regard to identity fraud?
Ms. Mitchell. I don't know that, Senator. I know I
encountered numerous merchants with numerous automated
answering systems that never offered us the option of reporting
fraud by pressing a button. I don't know about the consumer
credit card companies. We only had one credit card number
compromised. The remainder of what happened to us is that the
criminals assumed our identity. It is not that they accessed
our accounts. They posed as us.
Senator Grassley. Will the credit bureaus include the fact
that your identity was stolen on the face of the credit report,
as well as reference police reports and the FTC reference
number?
Ms. Mitchell. I am glad you brought that up, Senator. Since
we have placed the fraud alerts on our credit reports, we have
received updated credit reports periodically, almost monthly.
The fraud alerts on our consumer credit reports appear on the
back page of the credit report, in the same size type as the
rest of the information.
In my recommendations, I put down that I strongly believe
that the fraud alert should appear on the front page of the
credit report, in bold-face type, to reduce the possibility of
it being overlooked. Consumer credit reports can contain eight,
nine pages of information of a 25-year credit history. Putting
the fraud alerts on the last page maximizes the opportunity of
it being overlooked. Placing it in bold-face print on the front
page minimizes it from being overlooked.
Senator Grassley. So in other words, it is helpful, but it
could be a lot more helpful?
Ms. Mitchell. Yes, it can.
Senator Grassley. Thank you, Mr. Chairman. Thank you.
Ms. Mitchell. Thank you, Senator.
Senator Kyl. We are talking about your recommendations up
here.
Ms. Mitchell. OK.
Senator Kyl. So I think having you present not only the
story of what happened to you and how, but also the kinds of
problems you have encountered and your specific recommendations
on how to deal with it has been very, very helpful. I would
like to thank you especially for that, as well as taking the
time to come here today and to be with us to present this
testimony.
We will take your testimony very seriously, and especially
your recommendations, and I think it would be good if we could
remain in touch with you and find out what happens not only to
your case, but also to track how long it takes finally for you
to be free of this problem, because it undoubtedly will suggest
other things that we can do so that at least people who come
later aren't going to be troubled to the same extent that you
and your husband have been.
Ms. Mitchell. Receiving the phone calls from the collection
specialists was heart-breaking at first. Now, it is almost
becoming somewhat of a challenge because as they call us and
ask us why we have failed to make the payment for our Lincoln
Navigator, we tell them the story that we didn't buy the
Lincoln Navigator. And then I always end my conversation with
them--I cite the Federal Trade Commission's reference number
and the police department's, et cetera. I now am able to tell
them through your office, appreciatively, that the Secret
Service has now taken this case.
And I close my remarks with the collection specialists by
saying it is ironic that you can now find the real Mr. and Mrs.
Mitchell when you want your money; too bad you didn't find the
real Mr. and Mrs. Mitchell before you loaned out the money.
Senator Kyl. Good point, good point.
Senator Grassley, anything further?
Senator Grassley. No.
Senator Kyl. I really appreciate your testimony today. This
has been very, very helpful, and we will stay in touch with
you. Thank you.
Ms. Mitchell. Thank you, Senator.
[The prepared statement of Ms. Mitchell follows:]
Prepared Statement of Maureen Mitchell
Mr. Chairman, Members of the Committee, my name is Maureen Mitchell
and it is a privilege to have been invited to submit this testimony
today.
I am 44 years old, my husband and I have been married for 23 years,
we have a daughter in college and a son in high school. I am a
Registered Nurse, and I have been a licensed Realtor for 20 years.
My husband and I have always been financially prudent and fiscally
responsible people. We have never overextended ourselves, and we have
always paid our bills in a timely manner. We also have exercised the
normal consumer precautions to ensure our privileged information
remains private. We have never lost our wallets, never been
burglarized, we obtain the receipts when we make credit card purchases,
we don't bank on the Internet, we don't order merchandise via the
Internet, we don't order through home shopping networks, we rarely
order from catalogs, and we always tear up the pre-approved
solicitations that arrive in the mail prior to disposing of them to
prevent someone from ``dumpster diving'' and obtaining our information.
We have never given our personal account numbers or social security
numbers over the phone. We even checked our credit reports in March of
1999 to ensure their accuracy. In spite of all the precautions we have
taken, we are now victims of identity theft.
It started on a Sunday afternoon, September 12, 1999, when we
received a phone call from our KeyBank Mastercard Service Center
questioning an unusual pattern of activity on our credit card. After
much discussion with the Service Center representative, it was verified
that neither my husband nor I had authorized or made the charges to the
account. I was told our credit card would be canceled, it would be
reported lost or stolen, and new cards would be issued. I objected to
the cards being reported lost or stolen because they were not: my
husband had his card in his wallet and I had mine in my wallet.
Nonetheless, I was told the cards had to be reported lost or stolen to
close the account (I subsequently learned that we could have insisted
that the account be closed at the request of the consumer due to
fraudulent use).
I was also told by the Service Center Representative to contact
KeyBank Special Services when they opened for business on Monday
morning. I called KeyBank Special Services at 8:15 A.M. Monday morning
and was told that four attempts were made to place charges on our
account, three were approved and the fourth was declined because the
bank became suspicious due to the unusual level of activity on our
credit card. KeyBank was able to determine the charges were made via a
phone order, not by someone actually having our credit card. The amount
obtained fraudulently was $2,164.55. I then went to our local KeyBank,
branch office (where we've banked for twenty years) to inform them
about the phone call from the Service Center, to verify the account was
closed and to inquire if there was anything else I needed to do. I was
told that there was nothing else I needed to do: the merchant slips
would take a week to come into the bank, and the bank would look into
it. I asked if I should make out a police report and was told that it
was an option but not really necessary. The bank would issue us new
credit cards with a different account number, the fraudulent charges
would never appear on our billing statement, and our new cards would
arrive in two weeks. I did, however, file a police report with our
local police department to report the fraudulent use of our KeyBank
Mastercard number. If KeyBank would have advised us, at this point, to
place Fraud Alerts on our credit reports, the following events would
not have occurred.
On November 15, 1999 we received a phone call from J.C. Penney's
credit department advising us that an account had been opened in
Illinois using my husband's name and social security number. A line of
credit had been extended in my husband's name, the persons making the
application said they were our niece and nephew and were authorized
users. When J.C. Penney's sent the bill to the address given on the
application, it was returned by the post office because ``no such house
number existed.'' The returned billing statement was what prompted J.C.
Penney's to call us. We were advised by J.C. Penney's to immediately
contact the three major credit reporting bureaus to place fraud alerts
on our credit reports, and Penney's kindly gave me the phone numbers to
contact. Upon contacting Trans Union, Experian and Equifax, we
discovered that we had been plunged into Identity Theft Hell!
In speaking to Trans Union, I discovered there had been 25
inquiries into our credit report in the previous 60 days (from
September 16 through November 15). None of those inquiries were
initiated by us legitimately seeking credit. I told the representative
at Trans Union that there had not been that many inquiries in the
previous twenty years, and questioned whether that many inquiries in
such a short time sent up ``red flags'' to Trans Union. The reply I
received was that it was not their job to monitor the number of
inquiries, and it was suggested that I call all the merchants who made
the inquiries to alert them. Trans Union did provide me with the names
and phone numbers of the merchants to contact. The list was extensive
and included numerous car dealerships, banks, credit card companies,
furniture stores, department stores, and communication service
providers. Trans Union did place Fraud Alerts on our credit reports at
this time.
I also called Experian and Equifax to place Fraud Alerts on our
credit reports, and learned that they too showed numerous inquiries
into our credit during the same 60 day period. I requested that each
credit reporting agency send me a copy of our credit reports, and I
spent the next three days frantically making phone calls to the
merchants who had made inquiries.
I now entered automated answering system hell! As I called each
merchant using the numbers provided by the credit reporting bureaus, I
would be connected to an automated answering system, ``Press one for
English, press two for Spanish, press three to increase your credit
limit, press four to check your account balance, press five to see when
the last payment was posted to your account, press 6 * * *'' I rarely
encountered an option to speak to a human being. I never was given the
option of pressing a number to report fraud, but I universally
encountered the request to enter an account number (keep in mind I
didn't have an account number because we were not the ones who opened
the account); nonetheless I persisted through automation hell, never
giving up hope that a ``live person'' would eventually come on the
line. As the automated system requested I enter an account number, I
waited; as the request was repeated, I waited; when I was unable to
enter an account number instead of being transferred to a human being,
I was disconnected! I then called back, went through additional
automated answering system hell, and when I heard enter your account
number I randomly entered 01010101010101 * * * hoping that I would
eventually enter the required number of digits to speak to a human
being. Instead a recording came on saying ``the numbers entered do not
match an account of record, please re-enter your account number.'' I
re-entered the numbers only to find that I was disconnected again
because ``the account numbers do not match our accounts of record.'' I
endured this frustration while trying to reach numerous merchants to
alert them that a fraudulent application had been made using our name.
This frustration of automation needs to be remedied. I strongly suggest
that merchants be required to provide an option on their automated
system to press a number to report fraud, and that the victim can speak
to a human being!
I also contacted our local police department who sent an officer
over to take our statement and file a police report. The officer
instructed me to fill out the police report as accurately and as
thoroughly possible. I also contacted the Federal Trade Commission's
Identity Theft Hotline and spoke to Kathleen Lund (877-438-4338).
Kathleen confirmed that we were indeed victims of identity theft based
on the facts that I gave her. She informed me of Title 18 (Identity
Theft and Deterrence Act), and told me that Identity Theft was a
Federal Offense. Kathleen told me to continue to write the police
report I was working on and to continue to try to call the merchants
who made inquiries. She assigned a reference number to our case and
gave me the phone number for the Federal Information Center (800-688-
9889) to contact to see if they had merchant numbers other than the
ones I had to try to circumvent the automated answering system hell I
was encountering. It truly was a relief to speak to a live human being
who was able to provide some guidance and encouragement during this
very stressful time. Kathleen advised me to call the Social Security
Administration, the Internal Revenue Service, the Department of Motor
Vehicles in our home state and in Illinois, and the State's Attorney
General's Office in our home state and in Illinois, to report that
someone was using our credit and my husband's social security number
fraudulently. Kathleen also asked me to keep her informed of any
further fraudulent activity. I called the Federal Information Center
and obtained the phone numbers I needed and then I made the necessary
phone calls. I then continued on my mission of calling the merchants to
alert them that the applications were made fraudulently.
While I was again enduring the frustration of automation, I
received three very alarming phone calls. The date was now November 18
(three days after we placed the fraud alerts on our credit reports),
and the first call was from Citibank in Illinois alerting us that an
application for a twenty-five thousand dollar ($25,000.00) loan had
just been made using my husband's name and social security number. The
application had been made in person by an individual posing as my
husband. The loan officer informed me that all of the pertinent
information had been verified, legitimate looking identification had
been presented and everything seemed fine until the Fraud Alerts on our
credit report were activated. I explained to the fraud department at
Citibank that we had placed the fraud alerts three days prior, when we
became aware we were victims of Identity Theft. Citibank's Fraud
Department said they were going to contact their Security Department,
check to see if the suspect was on their security camera and get back
to me.
While waiting to hear back from Citibank, I received another phone
call. It was a fraud investigator from Bank One (Thomas Retkowski)
informing me that an application for a fifteen thousand dollar loan
($15,000.00) had just been made in Illinois. I informed Thomas of the
prior call from Citibank, and we discussed setting something up so the
fraudulent applicants would return to the bank to pick up the money.
Thomas faxed us an affidavit to sign and have witnessed. While we were
in the process of faxing the affidavit back, another call came in.
Marquette Bank in Illinois had just accepted an application from
someone using my husband's name and social security number. This was
for a five thousand ($5,000.00) personal loan. I told this fraud
investigator about the other two applications and the affidavit we were
faxing to Bank One. These three fraudulent applications were made
within a two hour period (3:00-5:00 P.M. EST) and they totaled forty-
five thousand dollars ($45,000.00).
After we faxed the affidavit back to Thomas Retkowski at Bank One,
I continued to work on the police report. At 8:00 P.M. we received a
phone call from an Illinois detective informing us that a suspect had
been arrested as he left Bank One. The suspect had five thousand
dollars ($5,000.00) cash and two-five thousand dollar bank checks
($10,000.00) made payable to my husband's name. The money was recovered
when the suspect was arrested. The suspect was also found to have an
Illinois driver's license and an Illinois State Identification Card
with his own picture on it, but my husband's name and social security
number.
I called the Federal Trade Commission the following day and told
Kathleen Lund that a suspect had been apprehended in Illinois. I gave
her the detectives' names and the case number for her records. I
continued to type our police report, and I continued to try to notify
the merchants listed on the credit reports. In our mail on November 19,
1999, was a letter from PrimeCo, a cellular communication company,
notifying us that a cell phone account had been established in Illinois
using my husband's name and social security number. I called PrimeCo,
at the number they provided in the letter, to let them know that we had
not established the account. PrimeCo's fraud department immediately
canceled the service to the cell phone, offered to provide the
detectives with a copy of the application made to open the account, and
said the detectives could obtain ALL of the outgoing numbers that were
called from the fraudulent cell phone. The detectives needed to submit
this request in writing on police letterhead stationary. I called the
detectives to give them this information, and I was told they ran the
fingerprints of the suspect who had been arrested the previous day.
This suspect had 17 aliases and multiple priors. A preliminary hearing
was set for November 20, 1999, and the detective said he would let me
know what happened at the hearing.
I continued to make phone calls to try to resolve this nightmare
when I learned that the suspect was released on a signature bond at the
preliminary hearing. Words can't even begin to describe the horror I
felt knowing that a suspect with seventeen aliases, multiple priors and
an extensive criminal background was released on a signature bond in
his own recognizance. The hearing was in Cook County, Illinois and the
Judge was Thomas Panicki. I was also told that when this suspect was
arrested he had stated to the detectives: ``I didn't use a gun, I
didn't use a knife, call my lawyer I will plead guilty and they will
put me on probation''. It was appalling for me to realize the criminals
commit these crimes with a premeditated methodology that accomplishes
their criminal intent with the least possible risk for the criminal, if
apprehended, serving jail time. The criminals are still committing bank
robbery, fraud, identity theft, forgery and a litany of other criminal
acts, but because a traditional weapon was not used they face probation
instead of incarceration. These criminals are using weapons
nonetheless, their weapon is technology. It was technology that
provided these criminals with our personal information, it was
technology that produced the fraudulent documents used to obtain the
Illinois drivers license and State Identification Card. It was
technology used with criminal intent that thrust us into the nightmare
of identity theft. It was technology that provided these criminals with
my husbands previous employment information and employers address which
were then used on fraudulent applications. This same technology,
properly implemented and with appropriate safeguards, can be utilized
to circumvent the criminals' fraudulent intentions.
It was the consumer profile of our spending habits established by
the prior pattern of activity on our KeyBank Mastercard that prompted
KeyBank to call us about the ``unusual level of activity on our credit
card.'' This same consumer profile technology can also be used by the
credit reporting agencies to recognize an ``unusual pattern of
activity''. Our credit reports, as a result of fraudulent activity,
contained 30 inquiries in 60 days, yet our consumer profile showed
fewer than 30 inquiries in 20 years. Our consumer profile showed we had
resided at the same address for 20 years, yet the addresses listed on
our credit reports, as a result of fraudulent applications, changed six
times in 2 months. It is imperative that a system of ``checks and
balances'' be implemented and adhered with by the credit reporting
agencies.
As our Identity Theft saga continued we requested and received,
from some cooperative merchants, copies of the applications that were
made fraudulently. These applications contained numerous blatant errors
that should have alerted the merchants and the banks that something was
amiss. One example is an application that was made to purchase a Ford
Expedition. This vehicle was purchased using my husband's name along
with the name of a co-buyer. These two men presented themselves to the
car dealership as residing together, yet on the application one man
filled out the address as N. Grand and the other put W. Grand. On this
same application the employer's phone number is listed with an area
code of 300, this area code is not a valid area code in the continental
United States. Our last name was misspelled on the application and on
the fax from the lender approving the loan. On this same application
the 60 month 60,000 mile extended warranty was purchased showing a cost
of $695.00 on the application. When this figure was carried over to the
debit column to determine the amount of credit to be extended it was
entered as $1,695.00. In spite of these GLARING discrepancies this loan
was approved and these two men purchased a Ford Expedition using our
credit. If this was transaction was processed using due diligence and
an iota of common sense these blatant discrepancies would have been
caught. The possibility does exist that these criminals made the
purchase through a car salesman, car dealership and lender that were
co-conspirators, but I think that is a remote possibility. I do firmly
believe that sloppy business practices substantially contribute to the
criminal's ability to successfully defraud merchants and lenders. It
was due diligence that was exercised by a salesperson in an Illinois
furniture store that prevented the extension of credit to purchase
furniture. The salesperson realized that ``something wasn't right''
after scrutinizing the credit application. Credit was not extended by
the furniture store and the criminal was thwarted in this fraudulent
attempt. I think this is a good example of how good business practices
will diminish fraud.
We also were able to determine from pictures we received from the
car merchants that the criminals who purchased the vehicles were not
the same persons as the suspect who was apprehended leaving BankOne. We
have been victimized by an Identity Theft ring which operates in an
organized and insidious manner. The detectives told us that the
criminals know when the fraud alerts on our credit reports will expire
and if we fail to reactivate the fraud alerts our information will be
re-circulated through the ring again. We will have to keep fraud alerts
on our credit reports for the rest of our lives. So, in the future,
when my husband and I apply for any credit we will have to explain this
nightmare to the lender, hope they believe us and don't perceive us as
the criminals.
Our efforts to restore our good names and good credit have been
extensive. I have made hundreds of phone calls, I've met with our
Congressman (Steve LaTourette), I've sent dozens of notarized,
certified, return receipt requested letters to the merchants informing
them that the applications they received were fraudulent. We have
submitted numerous affidavits, notarized statements, and notarized
handwriting samples. We have filled out over twenty different sets of
forms and statements in order to comply with the merchants requests for
further information. It's like filling out your income tax return
twenty different times, using twenty different forms, and following
twenty different sets of instructions. I strongly suggest that a
standardized, uniform protocol be established so a victim of Identity
Theft can fill out one set of papers which should include a notarized
affidavit, a notarized handwriting sample, and a notarized statement
that will be universally accepted by the merchants and lenders.
A sad irony exists with Identity Theft: The criminal is assumed
innocent until proven guilty, but the Identity Theft victim is assumed
guilty until proven innocent. The criminal can have a public defender
appointed to protect his legal rights, yet if we need to hire an
attorney to assist in clearing our names we will be paying substantial
legal fees out of pocket.
We have exhausted all known resources in an effort to clear our
names and restore our credit. I've met with numerous police officers,
I've met with FBI Agents, I've met with a Victim's Assistance Program
in our home state, and I've contacted a Victim Advocacy Program in
Illinois. I've spoken to prosecuting attorneys, and sent packages of
information to State's Attorneys. I was told by an assistant state
prosecutor in Illinois: ``No one in the state of Illinois serves jail
time for non-violent financial crimes.'' This prosecutor was not even
aware that Illinois has an Identity Theft Statute in the Revised Code.
I've begged, pleaded and cajoled to try and obtain a Federal
Investigator and a United States' Attorney to take our case. Identity
Theft cases encompass numerous geographic areas and requires a Federal
investigator and Federal prosecution. The detectives in the community
where the suspect was apprehended are limited to investigating crimes
within their geographic boundary, yet the same criminal is committing
the same crime a few towns away. It was suggested that I submit police
reports in each community where a merchant was defrauded, not an easy
task from 350 miles away.
In spite of the efforts of my husband and myself to acquire Federal
intervention into our case, it was the actions of Senator Jon Kyl and
James McDermond of his staff, that resulted in the United States Secret
Service and Postal Inspection Service initiating a Federal
investigation.
I have logged over 400 hours of time trying to clear our names and
restore our good credit. Words are unable to adequately express the
gamut of emotions that we have experienced as victims. The impact of
being a victim of Identity Theft is all encompassing. It affects you
physically, emotionally, psychologically, spiritually and financially.
This has truly been a life altering experience.
In spite of the extensive time and effort we have logged in trying
to resolve this, we now have adverse ratings on our credit reports. We
are also receiving phone calls from collection specialists wanting to
know why we are overdue on the payments for our Lincoln Navigator and
our Ford Expedition. I try to nicely explain to these collection
specialists that we are victims of Identity Theft and we did not
purchase these vehicles. I then provide them with the name and phone
number of the detective, the case number and the reference number
assigned by the Federal Trade Commission. I strongly suggest they not
call me back unless they provide whatever information they may have to
assist in the investigation. I always end my conversation with the
collection specialist by saying: ``It's amazing to me that you can find
the real Mr. & Mrs. Mitchell when you want to collect your money, too
bad you didn't find the real Mr. & Mrs. Mitchell before you loaned out
the money.''
Identity Theft has become a national epidemic. Banks and merchants
are being defrauded out of billions of dollars each year by Identity
Theft criminals. We all pay the price through the higher cost of
consumer goods, and higher interest rates on loans and credit cards.
This epidemic must be stopped. The compromising of real identities is
now the weakest link in the chain of financial transactions. The credit
that has been extended using our identities fraudulently exceeds
$111,000.00. Unfortunately for us, this saga is far from over. Once you
become a victim of Identity Theft your life is forever changed. We
still feel like we are ``waiting for the other shoe to drop.'' We do
not know how many more accounts may still be outstanding, we do not
know if a collection specialist is calling when our phone rings, we do
not know if our good names and financial reputations will ever be truly
restored. We need to be pro-active in the fight against Identity Theft
and fraud and we need to impose mandatory jail sentences on criminals
convicted of Identity Theft crimes.
``He that filches from me my good name robs me of that which not
enriches him and makes me poor indeed.'' (Shakespeare--Othello)
I've attached a list of personal recommendations for your review. I
thank you for your time and consideration and I truly hope you never
walk in the shoes of an Identity Theft Victim.
The following are my 15 recommendations:
1. Victims of Identity Theft need to know to call the FTC @ (877-
438-4338). The general public needs to know the Federal Trade
Commission is the National Clearinghouse for Identity Theft.
2. The general public, police departments, law enforcement
agencies, state prosecutors and judges need to know that a Federal
Identity Theft and Deterrence Law is in effect making Identity Theft a
Federal offense. (Title 18 US--Section 1028).
3. Since Identity Theft is a Federal Offense, investigations need
to be handled by Federal Investigators, and prosecutions handled by
U.S. attorneys. A good law needs adequate resources for investigation
and prosecution.
4. Criminals convicted under the Identity Theft Laws should be
prosecuted to the fullest extent of the Federal penalties and serve
mandatory jail time when convicted.
5. Social Security numbers should not be used as identification
numbers. The social security number should not appear on drivers
licenses, on medical insurance cards, on student identification cards,
or on any other documents other than income tax returns and wage
earnings statements. Identification numbers other than the social
security numbers can be assigned.
6. Credit Reporting Agencies must verify the accuracy of the
information received prior to posting information on credit reports.
The credit reporting agencies can use available technology to ``red-
flag'' information that does not fit the profile of the consumers'
previous spending habits. Change of addresses need to be verified by
the Credit Reporting Agencies prior to changing the address on the
consumers' credit report. The information disseminated by the credit
reporting agencies to the various lenders and merchants making credit
inquiries is perceived by these banks and merchants as accurate because
``it came from the credit bureau''. It seems incongruous to have banks
and merchants rely on the information appearing on credit reports when
this information has been entered without any verification of accuracy.
7. Banks, lenders, merchants, car dealerships etc. need to use due
diligence in scrutinizing the information received on loan applications
for inaccuracies and blatant errors. Applications for credit have been
approved with only the social security number matching, spelling of
name was incorrect, address was changed, birth date was wrong, yet the
loan was approved. Due diligence needs to be exercised at ALL steps of
the loan process to reduce the occurrence of fraud.
8. The Department of Motor Vehicles in each state should use
available technology to cross-reference the information in their data
bases to ensure that a license cannot be issued in another state
fraudulently with the same name and social security number as a valid
license in another state. Regulations prohibiting the Department of
Motor Vehicles from selling information should be enacted and enforced.
The same applies f6r state issued ID cards.
9. The utilization of Bio-Metric technology, which is currently
available, allowing a fingerprint, palm print or voice recognition
system to be used as confirmation of identification will substantially
reduce the current epidemic of credit fraud and identity theft.
10. Establish a standardized, universally accepted national
protocol for victims of Identity Theft to follow. The bona fide victim
should have to fill out one set of documents containing a notarized
affidavit, a police report, a notarized handwriting sample and whatever
other documentation may be necessary for the victim to be able to
submit copies to each merchant.
11. Require banks to notify consumers to place fraud alerts on
their credit reports if any of the consumers account or credit card
information is compromised and used fraudulently.
12. Educate the local law enforcement authorities regarding
Identity Theft. Provide the law enforcement officers who are taking
police reports from victims on credit card fraud or Identity Theft with
the materials needed to provide the victims with the information to
contact the Federal Trade Commission, and the credit reporting agencies
to place fraud alerts.
13. Impose financial penalties on merchants who, through their own
carelessness and lack of good business practices, abet the criminals
committing financial fraud.
14. Require the credit reporting agencies place the fraud alerts in
bold typeface in a prominent position on the first page of a consumers
credit report to reduce the chance of the alert being overlooked.
15. Eliminate advance checks and pre-approval solicitations being
sent through the mail. The banks can mail a notice for the customer to
obtain cash advance checks by coming into the bank to pick them up.
Senator Kyl. I am now going to call the other two witnesses
before us, Mr. Gregory Regan, Special Agent in Charge of the
Financial Crimes Division of the U.S. Secret Service, and Ms.
Jodie Bernstein, Director of the Bureau of Consumer Protection
of the Federal Trade Commission.
Now, we have written statements from both of you and they
will, of course, be included in the record. If you could
summarize the statements, I would appreciate that, and then we
will have some questions for you.
Mr. Regan.
PANEL CONSISTING OF GREGORY REGAN, SPECIAL AGENT IN CHARGE,
FINANCIAL CRIMES DIVISION, U.S. SECRET SERVICE, WASHINGTON, DC;
AND JODIE BERNSTEIN, DIRECTOR, BUREAU OF CONSUMER PROTECTION,
FEDERAL TRADE COMMISSION, WASHINGTON, DC
STATEMENT OF GREGORY REGAN
Mr. Regan. Yes, sir, thank you very much, Mr. Chairman. Mr.
Chairman, members of the subcommittee, thank you for the
opportunity to address the subcommittee concerning the subject
of identity theft and the Secret Service's efforts to combat
this problem.
My name is Gregory Regan and I am the Special Agent in
Charge of the Financial Crimes Division for the U.S. Secret
Service. A number of things have changed since the Secret
Service last testified on this subject on April 1, 1998, before
the Banking, Finance, and Urban Affairs Subcommittee. On behalf
of the Secret Service, I would like to thank the subcommittee,
and in particular the chairman, for taking a leadership role to
effect this change.
This subcommittee was instrumental in directing the Federal
Government's efforts to address this very serious problem. At a
time when very little attention was being paid to identity
theft victims, Senator Kyl was at the forefront. His efforts
created an increased congressional awareness to their plight.
In addition, he became a leading advocate for legislative
change. His actions resulted in a concerted effort by both
Congress and Federal law enforcement to address this problem.
We are proud to say that members of the Secret Service
worked hand-in-hand with Senator Kyl's staff in drafting
legislation which provided increased protection for the victims
of identity theft through enhancements to 18 U.S.C. 1028. These
enhancements became part of Senate bill 512, entitled The
Identity and Assumption Deterrence Act, which was signed into
law in October 1998.
The law accomplished four things simultaneously. First, it
identified people whose credit had been compromised as true
victims. Historically, with financial crimes such as bank fraud
or credit card fraud, the victim identified by statute was the
person, business, or financial institution that lost the money.
All too often, the victims of identity theft whose credit was
destroyed were not even recognized as victims. This is no
longer the case.
Second, the law established the Federal Trade Commission as
the one central point of contact for these victims to report
all instances of identity theft. This collection of all ID
theft cases allows for the identification of systemic
weaknesses and the ability of law enforcement to retrieve
investigation data at one central location. It further allows
the FTC to provide people with the information and assistance
they need in order to take the steps necessary to correct their
credit records.
Third, this law provided increased sentencing potential and
enhanced asset forfeiture provisions. These enhancements help
to reach prosecutorial thresholds and allow for the
repatriation of funds to victims.
Lastly, and probably most important in today's technology,
this law closed a loophole in 18 U.S.C. 1028 by making it
illegal to steal another person's personal identification
information with the intent to commit a violation. Previously,
under section 1028, only the production or possession of false
identity documents was prohibited. With advances in technology
such as e-commerce and the Internet, criminals today do not
need actual documents to assume an identity.
As we enter the new millennium, the strength of the
financial industry has never been greater. A strong economy,
burgeoning use of the Internet, and advanced technology,
coupled with increased spending, has led to fierce competition
within the financial sector. Although this provides benefits to
the consumer through readily available credit and consumer-
oriented financial services, it also creates a target-rich
environment for today's sophisticated criminals, many of whom
are organized and operate across international borders.
In addition, information collection has become a common by-
product of the newly emerging e-commerce. Internet purchases,
credit card sales, and other forms of electronic transactions
are being captured, stored and analyzed by entrepreneurs intend
on increasing their market share. This has led to an entirely
new business sector being created which promotes the buying and
selling of personal information.
A recently publicized Internet fraud investigation by the
Secret Service, Department of Defense, Postal Inspection
Service and the Social Security Administration Inspector
General's office highlighted the ease with which criminals can
obtain personal information through public sources. These
defendants had access to Web sites that published the promotion
lists of high-ranking military officers. The site further
documented personal information on these officers that was used
to fraudulently obtain credit, merchandise and other services.
In this particular case, the financial institution, in an
effort to operate in a consumer-friendly manner, issued credit
over the Internet in less than a minute. Approval for credit
was granted after conducting a credit check for the applicant,
who provided a true name and matching true Social Security
number. All other information provided, such as the date of
birth, address and telephone number that could have been used
for further verification, was fraudulent. The failure of this
bank to conduct a more comprehensive verification process
resulted in substantial losses, and more importantly a long
list of high-ranking military officers who became victims of
identity fraud.
The Internet provides the anonymity that criminals desire.
Now, with just a laptop and modem, criminals are capable of
perpetrating a variety of financial crimes without identity
documents through the use of stolen personal information. The
Secret Service has investigated several cases where cyber
criminals have hacked into Internet merchant sites and stolen
the personal information and credit card account numbers of
their customers. These account numbers are then used with
supporting personal information to order merchandise, which is
then sent throughout the world. Most account-holders are not
aware that their credit card account has been compromised until
they receive their billing statements.
Cyber criminals are also using information hacked from
sites on the Internet to extort money from companies. It is not
unprecedented for international hackers to hack into business
accounts, steal thousands of credit card account numbers, along
with the accompanying personal identifiers, then threaten the
companies with exposure unless the hackers are paid a
substantial amount of money.
The Secret Service continues to attack identity theft by
aggressively pursuing our core violations. As stated earlier,
identity theft and the use of false identification has become
an integral component of most financial criminal activity. In
order to be successful in suppressing identity theft, we
believe law enforcement agencies should continue to focus their
energy and available resources on the criminal activities which
incorporate the misuse or theft of identification information.
The Secret Service investigative program focuses on three
areas of criminal schemes within our core expertise. First, the
Secret Service emphasizes the investigation of counterfeit
instruments. By counterfeit instruments, I refer to counterfeit
currency; counterfeit checks, both commercial and government;
counterfeit credit cards; counterfeit stocks or bonds; and
virtually any negotiable instrument that can be counterfeited.
Many of these schemes would not be possible without the
compromise of innocent victims' financial identifiers.
Second, the Secret Service targets organized criminal
groups which are engaged in financial crimes on both a national
and international scale. Again, we see many of these groups,
most notably the Nigerian and Asian organized criminal groups,
prolific in their use of stolen financial and personal
information to further their financial crime activity.
And, last, we focus our resources in areas that have the
most deleterious effect on the communities in which we work. We
also work very closely with both Federal and local prosecutors
to ensure that our investigations are relevant, topical and
prosecutable under existing guidelines. No area today is more
relevant or topical than that of identity theft. Automated
teller machines, electronic commerce, online banking, online
trading, smart cards, all once considered futuristic concepts,
are now a reality. Each of these technology lends themselves to
creating a faceless society.
One innovation which appears to address the problem of
identity verification in Internet commerce has been developed
and introduced by a member of the financial community. This new
product is the first commercial venture by the credit card
industry to provide the public with an online authentication
process using chip technology in encryption. Although this
product may not end credit card fraud on the Internet, it is
the first step in providing a more secure environment in which
to conduct Internet commerce.
In addition, under the direction of the President, a
national summit on the subject of identity theft will commence
next week, on March 15, 2000, at the Omni Shoreham Hotel here
in Washington, to address this very serious issue.
As you have heard in this testimony, some very positive
steps are being taken to address and combat identity theft. The
Secret Service will always encourage both business and law
enforcement to work together to develop an environment in which
personal information is securely guarded. In this age of
instant access, knowledge is power. We cannot allow today's
criminals to abuse the very systems which were created for the
betterment of society.
The emotional toll on the lives of those whose identity has
been compromised cannot be fully accounted for in dollars and
cents. We do not believe, nor are we in the business of
inhibiting the free flow of information so vital to a free
society. We do, however, believe that those identified as
misusing personal information for criminal purposes should be
subject to punishment commensurate with the crime. The Secret
Service acknowledges identity theft as a very real problem and
pledges its support in the Federal Government's efforts to
eliminate it.
This concludes my testimony and I would be happy to answer
any questions you have, sir.
Senator Kyl. Thank you very much, Mr. Regan. That is great.
I will be asking some questions in a moment.
[The prepared statement of Mr. Regan follows:]
Prepared Statement of Gregory Regan
Mr. Chairman, members of the subcommittee, thank you for the
opportunity to address this subcommittee concerning the subject of
identity theft and the Secret Service's efforts to combat this problem.
My name is Gregory Regan, and I am the Special Agent in Charge of
the Financial Crimes Division of the United States Secret Service.
A number of things have changed since the Secret Service last
testified on this subject on April 1, 1998, before the Banking,
Finance, and Urban Affairs Subcommittee. On behalf of the Secret
Service, I would like to thank this subcommittee, and in particular,
the chairman for taking a leadership role to effect this change. This
subcommittee was instrumental in directing the Federal Government's
efforts to address this very serious problem.
At a time when very little attention was being paid to identity
theft victims, Senator Kyl was at the forefront. His efforts created an
increased congressional awareness to their plight. In addition, he
became a leading advocate for legislative change. His actions resulted
in a concerted effort by both Congress and Federal law enforcement to
address this problem.
We are proud to say that members of the Secret Service worked hand
in hand with Senator Kyl's staff in drafting legislation which provided
increased protection for the victims of identity theft through
enhancements to Title 18 United States Criminal Code, Section 1028.
These enhancements became part of Senate bill 512, entitled The
Identity Theft and Assumption Deterrence Act, which was signed into law
in October 1998.
This law accomplished four things simultaneously. First, it
identified people whose credit had been compromised as true victims.
Historically with financial crimes such as bank fraud or credit card
fraud, the victim identified by statute, was the person, business or
financial institution that lost the money. All too often the victims of
identity theft whose credit was destroyed, were not even recognized as
victims. This is no longer the case.
Second, this law established the Federal Trade Commission (FTC) as
the one central point of contact for these victims to report all
instances of identity theft. This collection of all ID theft cases
allows for the identification of systemic weaknesses and the ability of
law enforcement to retrieve investigative data at one central location.
It further allows the FTC to provide people with the information and
assistance they need in order to take the steps necessary to correct
their credit records.
Third, this law provided increased sentencing potential and
enhanced asset forfeiture provisions. These enhancements help to reach
prosecutorial thresholds and allow for the repatriation of funds to
victims.
Lastly, this law closed a loophole in Title 18, United States Code,
1028 by making it illegal to steal another person's personal
identification information with the intent to commit a violation.
Previously, under Section 1028 only the production or possession of
false identity documents was prohibited. With the advances in
technology such as e-commerce and the Internet, criminals today do not
need actual documents to assume an identity.
We believe the passage of this legislation was the catalyst needed
to bring together both the Federal and State Government's resources, in
a focused and unified response to the identity theft problem. Today,
law enforcement, regulatory and community assistance organizations have
joined forces through a variety of working groups, task forces, and
information sharing initiatives to assist victims of identity theft.
Victims no longer have to feel abandoned, with no where to turn.
Policies and procedures are being initiated to expedite the
reporting of this crime. Civil remedies are being created allowing for
victims to seek restitution. The Secret Service victim-witness
assistance program aids identity theft victims by providing resources
and contact information for credit bureaus and service programs. The
financial community continues to design and implement security measures
which minimize the exploitation of true persons names and
identification information.
The Secret Service has broad investigative responsibilities
relating to financial crimes. Today, some type of false identification
is a prerequisite for nearly all financial fraud crimes. False ID's
provide anonymity to criminals and allow for repeat victimization of
the same individual while perpetrating a variety of fraud schemes.
Often, in their attempt to remain anonymous, criminals may randomly
assume the identity of another individual through the creation of false
identification documents. In these cases, the goal may not be to target
an individual for the purposes of stealing his or her identity. Yet, by
coincidence, that individual's identity has been compromised through
the criminal's use of their personal identifiers.
False identification documents altered, counterfeited, or
fraudulently obtained, are routinely used with loan and check fraud
schemes, and almost all credit card fraud schemes. Ironically, the
credit industry through capital investments over the past 10 years has
strengthened the integrity of the system through security measures
which effectively thwart some types of direct counterfeiting.
Subsequently, criminals no longer simply create names and identities,
they must more often rely on the identifiers of real people.
As we enter the new millennium the strength of the financial
industry has never been greater. A strong economy, burgeoning use of
the Internet and advanced technology, coupled with increased spending
has led to fierce competition within the financial sector. Although
this provides benefits to the consumer through readily available
credit, and consumer oriented financial services, it also creates a
target rich environment for todays sophisticated criminals, many of
whom are organized and operate across international borders.
In addition, information collection has become a common by-product
of the newly emerging e-commerce. Internet purchases, credit card
sales, and other forms of electronic transactions are being captured,
stored, and analyzed by entrepreneurs intent on increasing their market
share. This has led to an entirely new business sector being created
which promotes the buying and selling of personal information.
With the advent of the Internet, companies have been created for
the sole purpose of data mining, data warehousing, and brokering of
this information. These companies collect a wealth of information about
consumers, including information as confidential as their medical
histories.
Consumers routinely provide personal, financial, and health
information to companies engaged in business on the Internet. Consumers
may not realize that the information they provide in credit card
applications, loan applications, or with merchants they patronize, are
valuable commodities in this new age of information trading.
Data collection companies like all businesses are profit motivated,
and as such, may be more concerned with generating potential customers
rather than the misuse of this information by unscrupulous individuals.
This readily available personal information in conjunction with the
customer friendly marketing environment has presented ample
opportunities for criminals intent on exploiting the situation for
economic gain.
We have investigated numerous cases where criminals have used other
people's identities to purchase everything from computers to houses.
Financial institutions must continually practice due diligence lest
they fall victim to the criminal who attempts to obtain a loan or cash
a counterfeit check using someone else's identity.
As financial institutions and merchants become more cautious in
their approach to ``hand to hand'' transactions the criminals are
looking for other venues to compromise. Today, criminals need look no
further than the Internet.
For example, a recently publicized Internet fraud investigation by
the Secret Service, Department of Defense, Postal Inspection Service,
and the Social Security Administration Inspector General's Office
highlighted the ease with which criminals can obtain personal
information through public sources. These defendants accessed a Web
site that published the promotion list of high ranking military
officers. This site further documented personal information on these
officers that was used to fraudulently obtain credit, merchandise, and
other services.
In this particular case the financial institution, in an effort to
operate in a consumer friendly manner issued credit over the Internet
in less than a minute. Approval for credit was granted after conducting
a credit check for the applicant who provided a ``true name'' and
matching ``true Social Security number''. All other information
provided such as the date of birth, address and telephone number, that
could have been used for further verification, was fraudulent. The
failure of this bank to conduct a more comprehensive verification
process resulted in substantial losses and more importantly a long list
of high ranking military officers who became victims of identity fraud.
The Internet provides the anonymity criminals desire. In the past,
fraud schemes required false identification documents, and necessitated
a ``face to face'' exchange of information and identity verification.
Now with just a laptop and modem, criminals are capable of perpetrating
a variety of financial crimes without identity documents through the
use of stolen personal information.
The Secret Service has investigated several cases where cyber
criminals have hacked into Internet merchant sites and stolen the
personal information and credit card account numbers of their
customers. These account numbers are then used with supporting personal
information to order merchandise which is then sent throughout the
world. Most account holders are not aware that their credit card
account has been compromised until they receive their billing
statement.
Time and time again, criminals have demonstrated the ability to
obtain information from businesses conducting commerce on the Internet.
This information has been used to facilitate account takeover schemes
and other similar frauds. It has become a frightening reality that one
individual can literally take over another individual's credit card
account and or bank account without the true subscriber's knowledge.
Cyber criminals are also using information hacked from sites on the
Internet to extort money from companies. It is not unprecedented for
international hackers to hack into business accounts, steal thousands
of credit card account numbers along with the accompanying personal
identifiers, then threaten the companies with exposure unless the
hackers are paid a substantial amount of money.
The Secret Service continues to attack identity theft by
aggressively pursuing our core violations. It is by the successful
investigation of criminals involved in financial and computer fraud
that we are able to identify and suppress identity theft.
As stated earlier, identity theft, and the use of false
identification has become an integral component of most financial
criminal activity. In order to be successful in suppressing identity
theft we believe law enforcement agencies should continue to focus
their energy and available resources on the criminal activities which
incorporate the misuse or theft of identification information.
The Secret Service has achieved success through a consistent three
tiered process of aggressive pro-active investigations, identification
of systemic weaknesses, and partnerships with the financial sector to
adopt fixes to these weaknesses.
The Secret Service's investigative program focuses on three areas
of criminal schemes within our core expertise. First, the secret
service emphasizes the investigation of counterfeit instruments. By
counterfeit instruments, I refer to counterfeit currency, counterfeit
checks, both commercial and government, counterfeit credit cards,
counterfeit stocks or bonds, and virtually any negotiable instrument
that can be counterfeited. Many of these schemes would not be possible
without the compromise of innocent victims financial identities.
Second, the Secret Service targets organized criminal groups which
are engaged in financial crimes on both a national and international
scale. Again we see many of these groups, most notably the Nigerian and
Asian organized criminal groups, prolific in their use of stolen
financial and personal information to further their financial crime
activity.
And last, we focus our resources on cases that have the most
deleterious effect on the communities in which we work. The Secret
Service works in concert with the state, county, and local police
departments to ensure our resources are being targeted to those
criminal areas that are of a high concern to the local citizenry.
Further, we work very closely with both Federal and local prosecutors
to ensure that our investigations are relevant, topical and
prosecutable under existing guidelines. No area today is more relevant
or topical than that of identity theft.
It has been our experience that the criminal groups involved in
these types of crimes routinely operate in a multi- jurisdictional
environment. This has created problems for local law enforcement who
generally act as the first responders to their criminal activities. By
working closely with other Federal, state, and local law enforcement,
as well as international police agencies we are able to provide a
comprehensive network of intelligence sharing, resource sharing, and
technical expertise which bridges jurisdictional boundaries.
This partnership approach to law enforcement is exemplified by our
financial crimes task forces located throughout the country. Each of
these task forces pools the personnel and technical resources and to
maximize the expertise of each participating law enforcement agency. A
number of these task forces are focused on the Nigerian criminal
element operating in this country. As mentioned earlier, this
particular ethnic criminal group has historically been involved in a
myriad of financial crimes, which incorporate false identification and
identity theft.
In addition to our inter-dependant working relationship with law
enforcement on all levels, our partnership with the private sector has
proved invaluable. Representatives from numerous commercial sectors to
include the financial, telecommunications, and computer industries have
all pledged their support in finding ways to ensure consumer protection
while minimizing corporate losses. The Secret Service has entered into
several cooperative efforts with members of the financial sector to
address challenges posed by new and emerging technologies. These
initiatives have created some new and innovative approaches to
identification verification in business.
Automated teller machines, e-commerce, online banking, online
trading, smart cards, all once considered futuristic concepts, are now
a reality. Each of these technologies lends themselves to creating a
``faceless society''. In order for businesses to be successful, they
can no longer rely upon personal contact as a means of identity
verification.
One innovation which appears to address the problems of identity
verification for Internet commerce has been developed and introduced by
a member of the financial community. This new product is the first
commercial venture by the credit card industry to provide the public
with an online authentication process using chip technology and
encryption. Although this product may not end credit card fraud on the
Internet, it is the first step in providing a more secure environment
in which to conduct Internet commerce.
Efforts such as these provide a foundation by which law enforcement
and the private sector can build upon. By applying the technologies
used in this product and others being developed for the same purpose,
we can systemically eliminate the weaknesses in our economic
infrastructure, which allow for the misuse of personal information.
In conjunction with these technological advances, the Secret
Service is actively involved with a number of government sponsored
initiatives. At the request of the Attorney General, the Secret Service
joined an interagency identity theft subcommittee that was established
by the Department of Justice. This group which is made up of Federal
and state law enforcement, regulatory agencies, and professional
agencies meets regularly to discuss and coordinate investigative and
prosecutive strategies as well as consumer education programs.
In addition, under the direction of the President, the Treasury
Department, with the assistance of the Secret Service, has been tasked
with convening a national, summit on the subject of identity theft. The
purpose of this summit is to bring together various Federal, state, and
private sector entities to discuss and develop policies that will help
prevent identity theft crimes. This summit will commence next week on
March 15, 2000, at the Omni Shoreham Hotel, herein Washington, DC.
As you have heard in this testimony some very positive steps are
being taken to address and combat identity theft. The Secret Service
will always encourage both business and law enforcement to work
together to develop an environment in which personal information is
securely guarded. In this age of instant access, knowledge is power. We
cannot allow todays criminals to abuse the very systems which were
created for the betterment of society. The emotional toll on the lives
of those whose identity has been compromised cannot be fully accounted
for in dollars and cents. It is all of our responsibilities to protect
personal information.
We do not believe, nor are we in the business of inhibiting the
free flow of information so vital to a free society. We do, however,
believe that those identified as misusing personal information for
criminal purposes should be subject to punishment commensurate with the
crime. The concepts of criminal prosecution for the perpetrators,
restitution for the victims, and ethical responsibilities for those
earning a living through the use of personal information are noble
goals.
The Secret Service acknowledges that identity theft is a very real
problem and pledges its support in the Federal Government's efforts to
eliminate it.
This concludes my prepared statement. I would be happy to answer
any questions that you or any other member of the subcommittee may
have. Thank you.
GREGORY J., REGAN, SPECIAL AGENT IN CHARGE FINANCIAL CRIMES DIVISION
U.S. SECRET SERVICE
Mr. Gregory J. Regan was appointed Special Agent in Charge of the
Financial Crimes Division on January 3, 1999. Prior to this
appointment, he served as the Assistant Special Agent in Charge of the
Richmond Field Office.
Mr. Regan began his law enforcement career in 1980 as a Special
Agent with the Naval Investigative Service. In 1982, Mr. Regan was
appointed as a Special Agent with the U.S. Secret Service and assigned
to the New York Field Office. His subsequent career assignment included
duty on the Vice Presidential Protective Division, a prior assignment
to Financial Crimes Division, the Office of Congressional Affairs, and
the Counterfeit Division.
A native of Brooklyn, New York, Mr. Regan received a Bachelor of
Arts Degree from St. John's University in New York. He is married to
the former Margaret Stokey of Westbury, New York and they have five
children.
Mr. Regan is the Chairman of the Law Enforcement Advisory Committee
for the International Association of Financial Crimes Investigators;
and is a member of the Investigative Operations Committee for the
International Association of Chiefs of Police.
Throughout his tenure with the U.S. Secret Service, Mr. Regan has
been the recipient of numerous awards to include the law enforcement
officer of the year award from the International Association of Credit
Card Investigators.
Senator Kyl. Let's hear now from Ms. Jodie Bernstein.
STATEMENT OF JODIE BERNSTEIN
Ms. Bernstein. Thank you, Senator Kyl. As you said, I am
Jodie Bernstein and I am the Director of the Bureau of Consumer
Protection at the Federal Trade Commission. And I wanted to
thank you particularly for including us in this hearing and
giving us the opportunity to present the Commission's testimony
on these problems.
I would also like to introduce one of our staff, Beth
Grossman, who has been very much involved, in fact critical, to
the development of the FTC's initiatives following the passage
of the Act.
I would acknowledge also, as Ms. Mitchell did, Kathleen
Lund, of our staff, who was Ms. Mitchell's counselor. And she
doesn't often get the opportunity to be acknowledged for the
really wonderful work that she did in connection with an
individual case and was pleased to be able to attend this
hearing.
I will try to summarize my testimony, also, very briefly.
And as Ms. Mitchell said so eloquently, identity theft causes
significant and ongoing problems for its victims. Identity
thieves can run up debts in the tens of thousands of dollars
under their victims' names. Even when the victim is not legally
liable for the debts, the consequences are often considerable.
A victim's credit history is often scarred, and he or she
typically must spend hundreds of hours, sometimes over the
course of months and even years, contesting bills and
straightening out credit reporting errors.
The passage of the Act was an important step in combatting
identity theft and in helping its victims. The Act, as you so
correctly anticipated, strengthened the criminal laws against
identity theft and recognized that the individual whose
identity has been stolen is as much a victim as the financial
institutions that may have borne most of the monetary loss.
The Act also provided a framework for the FTC's new and
unique program to assist victims of identity theft. The FTC's
consumer assistance effort has three principal components, and
we have some graphics to help illustrate it.
First, we have established an identity theft hotline that
consumers can call toll-free at, as you see, 887-IDTHEFT. The
hotline provides the public with a central place to call to
report identity theft and to receive information on the steps
to take if they become identity theft victims.
Second, we have another slide. We have a complaint
clearinghouse, a database to track the reports that the FTC and
other agencies receive about identity theft. The database will
provide the FTC with information about the nature and extent of
consumers' ID theft-related problems. Later this year, we plan
to make the clearinghouse available to other law enforcement
agencies through a secure Web-based interface.
Through this secure Web site, criminal investigative
agencies like the Secret Service will be able to access the
database of complaints from their desktop PC's to spot patterns
of criminal activity that might not otherwise be apparent from
isolated reports. We have built this database on the model of a
different database that we developed that is called Consumer
Sentinel. It is a network to track consumer fraud generally,
and really Sentinel has been such a great success that we
expect to have no less of an effort from this database.
Third, the Commission has launched a significant consumer
education effort. We recently published a 21-page booklet, and
I think we have copies of it here today as well. And it is
called, as you know, ``Identity Theft: When Bad Things Happen
to Your Good Name.'' This booklet that was put together with
the assistance of several Federal agencies is a comprehensive
guide for consumers with information ranging from how consumers
can protect their personal information to how to correct
credit-related problems that may result from identity theft.
Several other agencies have agreed to reproduce and distribute
the booklet, which will be extremely helpful. We have produced
a number of shorter, more targeted pieces as well.
The FTC also provides consumers with information through
our identity theft Web site. The Web site, located at
consumer.gov/idtheft, contains our publications, as well as the
following: tips on what consumers can do to decrease the risk
of becoming a victim, the steps consumers should take if they
do become victims, information on recent identity theft cases
and scams, lists and links to many of the State identity theft
laws, links to other identity theft resources throughout the
Government, and finally a public complaint form--and this has
really been, I think, very useful--that allows consumers to
submit reports of identity theft directly to our database at
any time of the day or night. And because our database will
have a record of their report, they can phone our call center
during business hours for follow-up information.
Since we launched our toll-free number just a little over 3
months ago, we have been averaging over 400 calls a week from
consumers. After a recent press release, the number of calls
increased by about 25 percent. We expect that the volume of
calls will continue to rise as more and more people know about
the toll-free number. We anticipate that as it is more widely
known, we are anticipating based on prior experience that we
may be receiving more than 100,000 calls by next year.
Because our data collection efforts are new, though, we
can't yet do extensive data analysis of the calls. Our basic
complaint data, though--we have a little bit of analysis we
have been able to do--shows that the most common forms of
identity theft are as follows: first, credit card fraud. Fifty-
five percent of the callers report that someone either opened
up a credit card account in their name or, ``took over'' their
existing credit card account.
Second, 25 percent report that utility service, such as
telephone or cellular service, has been opened up in their
name. About 15 percent report a checking or savings account has
been opened in their name and/or that fraudulent checks had
been written. Ten percent complain that an identity thief
obtained a loan, such as a car loan, in their name.
Having succeeded in putting the basic components of the
program in place, we are looking at new, additional ways that
we can build on the foundation. And as we move forward, one
focus will be on identifying ways we can work together with the
private sector on this important issue. As the Identity Theft
Act recognized, private companies, such as credit card issuers
and credit bureaus, are essential to any effort to combat
identity theft. Indeed, they are often, as Maureen said, in the
best position to identify and prevent identity theft in the
first place--and nothing is better than prevention--and to
clear up fraudulent accounts opened in the consumer's name.
As you know, the Treasury Department is sponsoring a
national summit on identity theft next week which will
specifically address ways in which government, business leaders
and consumers can forge partnerships to counter identity theft.
The FTC has been assisting in organizing the summit. Both the
chairman of the Commission and I will participate in it, and we
are looking forward to the opportunity to explore new ways of
addressing the growing problem.
Thank you, Mr. Chairman, again on behalf of the Commission,
and we will be pleased to answer any of your questions.
[The prepared statement of Ms. Bernstein follows:]
Prepared Statement of Jodie Bernstein
Mr. Chairman Kyl, and members of the Subcommittee, I am Jodie
Bernstein, Director of the Bureau of Consumer Protection, Federal Trade
Commission (``FTC'' or ``Commission'').\1\ I appreciate the opportunity
to present the Commission's views on the important issue of identity
theft, and describe to you the Commission's achievements in
implementing the Identity Theft and Assumption Deterrence Act.\2\
---------------------------------------------------------------------------
\1\ The views expressed in this statement represent the views of
the Commission. My oral presentation and response to questions are my
own, and do not necessarily represent the views of the Commission or
any Commissioner.
\2\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18
U.S.C. Sec. 1028).
---------------------------------------------------------------------------
In my remarks today, I will discuss the growing phenomenon of
identity theft, how the Commission has responded to identity theft,
both in carrying out its duties under the 1998 Act and its general
enforcement measures, and what we see as future challenges in
eradicating identity theft.
I. IDENTITY THEFT: A GROWING PROBLEM
By now, many people have confronted, directly or through a third
person, some form of identity theft: someone has used their name to
open up a credit card account or someone has used their identifying
information--name, social security number, mother's maiden name, or
other personal information--to commit fraud or engage in other unlawful
activities. Other common forms of identity theft include taking over an
existing credit card account and making unauthorized charges on it
(typically, the identity thief forestalls discovery by the victims by
contacting the credit card issuer and changing the billing address on
the account); taking out loans in another person's name; writing
fraudulent checks using another person's name and/or account number;
and using personal information to access, and transfer money out of,
another person's bank or brokerage account. In extreme cases, the
identity thief may completely take over his or her victim's identity--
opening a bank account, getting multiple credit cards, buying a car,
getting a home mortgage and even working under the victim's name.\3\
---------------------------------------------------------------------------
\3\ In at least one case, an identity thief reportedly even died
using the victim's name, and the victim had to get the death
certificate corrected. Michael Higgins, Identity Thieves, ABA Journal,
October 1998, at 42, 47.
---------------------------------------------------------------------------
Identity theft can arise from simple, low-tech practices such as
stealing someone's mail or ``dumpster diving'' through their trash to
collect credit card offers or obtain identifying information such as
account numbers or social security numbers. There are also far more
sophisticated practices at hand. In a practice known as ``skimming,''
identity thieves use computers to read and store the information
encoded on the magnetic strip of an ATM or credit card when that card
is inserted through either a specialized card reader or a legitimate
payment mechanism (e.g., the card reader used to pay for gas at the
pump in a gas station). Once stored, that information can be re-encoded
onto any other card with a magnetic strip, instantly transforming a
blank card into a machine-readable ATM or credit card identical to that
of the victim.
The Internet has dramatically altered the potential impact of
identity theft. Among other things, the Internet provides access to
collections of identifying information gathered through both illicit
and legal means. The global publication of identifying details that
heretofore were available only to the few increases the potential
misuse of that information. Similarly, Internet expands exponentially
the ability for a third party to disseminate the identifying
information, making it available for others to exploit. The recent
reports of a Russian hacker gaining access to the names, addresses and
credit card account numbers of hundreds of thousands of customers is an
extreme example of the type of harm that can occur through the
wholesale theft of identifying information. In this instance, the
hacker posted the names and credit card numbers on a website, providing
the wherewithal for others to commit identity theft by using those
credit card numbers to make purchases.\4\
---------------------------------------------------------------------------
\4\ John Markoff, Thief Reveals Credit Card Data When Web Extortion
Plot Fails, N.Y. Times, January 10, 2000, at A1.
---------------------------------------------------------------------------
Anecdotes and news stories provide one indication of the growth of
identity theft. Available statistics confirm this trend. The General
Accounting Office, for example, reports that consumer inquiries to the
Trans Union credit bureau's Fraud Victim Assistance Department
increased from 35,235 in 1992 to 522,922 in 1997,\5\ and that the
Social Security Administration's Office of the Inspector General
conducted 1,153 social security number misuse investigations in 1997
compared with 305 in 1996.\6\ In 1999, the telephone hotline
established by the Social Security Administration Inspector General
received reports of almost 39,000 incidents of misuse of Social
Security Numbers.\7\
---------------------------------------------------------------------------
\5\ Calls to this department included ``precautionary'' phone
calls, as well as calls from actual fraud or identity theft victims.
\6\ U.S. General Accounting Office, Identity Fraud: Information on
Prevalence, Cost, and Internet Impact is Limited (May 1998). The Social
Security Administration attributed the increase in investigations, in
part, to the hiring of additional investigators.
\7\ While we have created a database to capture information from
complaints to our new toll-free Identity Theft Hotline (discussed in
greater detail below), our data are still too limited to allow us to
draw any significant conclusions about the extent of identity theft.
---------------------------------------------------------------------------
For victims of identity theft, the costs can be significant and
long-lasting. Identity thieves can run up debts in the tens of
thousands of dollars under their victims' names. Even where the
individual consumer is not legally liable for these debts,\8\ the
consequences to the consumer are often considerable. A consumer's
credit history is frequently scarred, and he or she typically must
spend numerous hours sometimes over the course of months or even years
contesting bills and straightening out credit reporting errors. In the
interim, the consumer victim may be denied loans, mortgages, a driver's
license, and employment; a bad credit report may even prevent him or
her from something as simple as opening up a new bank account at a time
when other accounts are tainted and a new account is essential.
Moreover, even after the initial fraudulent bills are resolved, new
fraudulent charges may continue to appear, requiring ongoing vigilance
and effort by the victimized consumer.
---------------------------------------------------------------------------
\8\ The Fair Credit Billing Act, 15 U.S.C. Sec. 1601 et seq. and
the Electronic Fund Transfer Act, 15 U.S.C. Sec. 1693 et seq. limit
consumers' liability for fraudulent transactions in connection with
credit and debit cards, respectively.
---------------------------------------------------------------------------
II. THE FEDERAL TRADE COMMISSION'S AUTHORITY
A. Overview
The FTC's mission is to promote the efficient functioning of the
marketplace by protecting consumers from unfair or deceptive acts or
practices and increasing consumer choice by promoting vigorous
competition. The Commission's primary legislative mandate is to enforce
the Federal Trade Commission Act (``FTC Act''), which prohibits unfair
methods of competition and unfair or deceptive acts or practices in or
affecting commerce.\9\ With certain exceptions, the FTC Act provides
the Commission with broad civil law enforcement authority over entities
engaged in or whose business affects commerce,\10\ and provides the
authority to gather information about such entities.\11\ The Commission
also has responsibility under more than forty additional statutes
governing specific industries and practices.\12\
---------------------------------------------------------------------------
\9\ 15 U.S.C. Sec. 45(a).
\10\ Certain entities such as banks, savings and loan associations,
and common carriers as well as the business of insurance are wholly or
partially exempt from Commission jurisdiction. See Section 5(a)(2) of
the FTC Act, 15 U.S.C. Sec. 45(a)(2), and the McCarran-Ferguson Act, 15
U.S.C. Sec. 1012(b).
\11\ 15 U.S.C. Sec. 46(a).
\12\ In addition to the credit laws discussed in the text, the
Commission also enforces over 30 rules governing specific industries
and practices, e.g., the Used Car Rule, 16 C.F.R. Part 455, which
requires used car dealers to disclose warranty terms via a window
sticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the
provision of information to prospective franchisees; and the
Telemarketing Sales Rule, 16 C.F.R. Part 310, which defines and
prohibits deceptive telemarketing practices and other abusive
telemarketing practices.
---------------------------------------------------------------------------
Two of the Commission's specific statutory mandates are
particularly relevant in the context of identity theft. The Fair Credit
Billing Act and Fair Credit Reporting Act each provide important
protections for consumers who may be trying to clear their credit
records after having their identities stolen. The Fair Credit Billing
Act, which amended the Truth in Lending Act, provides for the
correction of billing errors on credit accounts and limits consumer
liability for unauthorized credit card use.\13\ The Fair Credit
Reporting Act (``FCRA'') regulates credit reporting agencies and places
on them the responsibility for correcting inaccurate information in
credit reports.\14\ In addition, entities that furnish information to
credit reporting agencies have obligations under the FCRA to ensure the
accuracy of the information they report.\15\ Finally, the FCRA limits
the disclosure of consumer credit reports only to entities with
specified ``permissible purposes'' (such as evaluating individuals for
credit, insurance, employment or similar purposes) and under specified
conditions (such as certifications from the user of the report).\16\
---------------------------------------------------------------------------
\13\ 15 U.S.C. Sec. Sec. 1601 et seq.
\14\ 15 U.S.C. Sec. Sec. 1681e, 1681i.
\15\ 15 U.S.C. Sec. 1681s-2.
\16\ 15 U.S.C. Sec. 1681-1681u.
---------------------------------------------------------------------------
B. The commission's involvement in identity theft issues
As an outgrowth of its broader concern about financial privacy, the
Commission has been involved in the issue of identity theft for some
time. In 1996, the Commission convened two public meetings in an effort
to learn more about identity theft, its growth, consequences, and
possible responses. At an open forum convened by the Commission in
August 1996, consumers who had been victims of this type of fraud,
representatives of local police organizations and other federal law
enforcement agencies, members of the credit industry, and consumer and
privacy advocates discussed the impact of identity theft on industry
and on consumer victims. Subsequent press coverage helped to educate
the public about the growth of consumer identity theft and the problems
it creates. In November 1996, industry and consumer representatives met
again in working groups to explore solutions and ways to bolster
efforts to combat identity theft.
Having developed a substantial base of knowledge about identity
theft, the Commission testified before this subcommittee in May 1998 in
support of the Identity Theft and Assumption Deterrence Act. Following
the passage of the Act, the Commission testified again, in April 1999,
before the House Subcommittee on Telecommunications, Trade and Consumer
Protection and the Subcommittee on Finance and Hazardous Materials of
the Commerce Committee. This latest testimony focused on identity theft
in the financial services industry.
C. The Identity Theft and Assumption Deterrence Act of 1998
The Identity Theft and Assumption Deterrence Act of 1998
(``Identity Theft Act'' or ``the Act'') addresses identity theft in two
significant ways. First, the Act strengthens the criminal laws
governing identity theft. Specifically, the Act amends 18 U.S.C.
Sec. 1028 (``Fraud and related activity in connection with
identification documents'') to make it a federal crime to:
knowingly transfer[] or use[], without lawful authority, a
means of identification of another person with the intent to
commit, or to aid or abet, any unlawful activity that
constitutes a violation of Federal law, or that constitutes a
felony under any applicable State or local law.\17\
---------------------------------------------------------------------------
\17\ 18 U.S.C. Sec. 1028(a)(7). The statute further defines ``means
of identification'' to include ``any name or number that may be used,
alone or in conjunction with any other information, to identify a
specific individual,'' including, among other things, name, address,
social security number, driver's license number, biometric data, access
devices (i.e., credit cards), electronic identification number or
routing code, and telecommunication identifying information.
The second way in which the Act addresses the problem of identity
theft is by focusing on consumers as victims.\18\ In particular, the
Act requires the Federal Trade Commission to develop a centralized
complaint and consumer education service for victims of identity theft.
More specifically, the Act directs that the Commission establish
procedures to: (1) log the receipt of complaints by victims of identity
theft; (2) provide identity theft victims with informational materials;
and (3) refer complaints to appropriate entities, including the major
national consumer reporting agencies and law enforcement agencies.\19\
---------------------------------------------------------------------------
\18\ Prior to the passage of the Act, financial institutions rather
than individuals tended to be viewed as the primary victims of identity
theft because individual consumers' financial liability is often
limited. Setting up an assistance process for consumer victims is
consistent with one of the Act's stated goals, to recognize the
individual victims of identity theft. See S. Rep. No. 105-274, at 4
(1998).
\19\ Pub. L. No. 105-318 Sec. 5, 112 Stat. 3010 (1998) (codified at
18 U.S.C. Sec. 1028 note).
---------------------------------------------------------------------------
III. CURRENT EFFORTS: THE FTC'S CONSUMER ASSISTANCE PROGRAM
In enacting the Identity Theft Act, Congress recognized that
coordinated efforts are essential because identity theft victims often
need assistance from both government agencies at the national and state
or local level, and private businesses. Accordingly, the FTC's role
under the Act is primarily one of managing information sharing among
public and private entities. The goals of the FTC's information
``clearinghouse''. are fourfold: (1) to support criminal law
enforcement efforts by collecting data in one central database and
making referrals as appropriate \20\; (2) to provide consumers with
information to help them prevent or minimize their risk of identity
theft; (3) to streamline the resolution of the credit and financial
difficulties consumers may have when they become victims of identity
theft; and (4) to enable analysis of the extent of, and factors
contributing to, identity theft in order to enrich policy discussions.
In order to fulfill the purposes of the Act, the Commission has begun
implementing a plan that centers on three principal components:
---------------------------------------------------------------------------
\20\ Most identity theft cases are best addressed through criminal
prosecution. The FTC itself has no direct criminal law enforcement
authority. Under its civil law enforcement authority provided by
section 5 of the FTC Act, the Commission may, in appropriate cases,
bring actions to stop practices that involve or facilitate identity
theft. The practices the Commission expects to focus its law
enforcement resources on are those where the effect is widespread and
where civil remedies are likely to be effective. See, e.g., FTC v. J.K.
Publications, Inc., et al., No. CV 99-00044 ABC (AJWx) (C.D. Cal., Mar.
16, 1999) (order granting preliminary injunction) (alleging that
defendants obtained consumers' credit card numbers without their
knowledge and billed consumers' accounts for unordered or fictitious
Internet services); FTC v. James J. Rapp and Regana L. Rapp,
individually and doing business as Touch Tone Information Inc., et al.,
Docket No. CV 99-WM-783 (D. Colo., filed April 21, 1999) (alleging that
defendants obtained private financial information under false
pretenses).
---------------------------------------------------------------------------
(1) Toll-free telephone line. The Commission has established a
toll-free telephone number, 1-877-ID THEFT (438-4338), that consumers
can call to report incidents of identity theft. Consumers who call the
Identity Theft Hotline receive telephone counseling from specially
trained FTC and contractor personnel to help them resolve problems that
may have resulted from the misuse of their identities. In addition, the
hotline phone counselors enter information from the consumers'
complaints into a centralized database, the Identity Theft Data
Clearinghouse. In operation since November 1, 1999, the Identity Theft
Hotline has averaged over 400 calls per week.
Our aim with each consumer call is to provide the comprehensive
information needed to guard against or resolve problems caused by
identity theft, and to assist in streamlining the process for the
consumer wherever possible. Although there is generally no way for
consumers to avoid contacting the many creditors who may be involved,
our goal is that consumers should be able to make a single phone call
to our hotline to report the offense, receive the information and
assistance they need, and have their complaints referred to the
appropriate government agency.
In particular, consumers who are victims of identity theft receive
specific information about how to try to prevent additional harm to
their finances and credit histories. The phone counselors instruct the
callers to contact each of the three credit reporting agencies to
obtain copies of their credit reports and request that a fraud alert be
placed on their credit report.\21\ We advise consumers to review the
information on the credit reports carefully to detect any additional
evidence of identity theft. The counselors also routinely inform
callers of their rights under the Fair Credit Reporting Act and provide
them with the procedures for correcting misinformation on a credit
report. Consumers receive additional information telling them how to
contact each of the creditors or service providers where the identity
thief has established or accessed an account, and to follow up in
writing by certified mail, return receipt requested. Where the identity
theft involves ``open end'' credit accounts,\22\ consumers are advised
on how to take advantage of their rights under the Fair Credit Billing
Act, which, among other things, limits their responsibility for
unauthorized charges to fifty dollars in most instances. Consumers who
have been contacted by a debt collector regarding debts left behind by
the identity thief are advised of their rights under the Fair Debt
Collection Practices Act, which limits debt collectors in their
collection of debts.
---------------------------------------------------------------------------
\21\ These fraud alerts request that the consumer be contacted when
new credit is applied for in that consumer's name.
\22\ The Fair Credit Billing Act applies to ``open end'' credit
accounts, such as credit cards, revolving charge accounts, and
overdraft checking accounts. It does not cover installment contracts
such as loans or extensions of credit that are repaid on a fixed
schedule.
---------------------------------------------------------------------------
In addition, the FTC phone counselors advise consumers to notify
their local police departments, both because local law enforcement may
be in the best position to catch and prosecute identity thieves, and
because getting a police report often helps consumers in demonstrating
to would-be creditors and debt collectors that they are genuine victims
of identity theft. Almost half the states have enacted their own
identity theft laws, and our counselors, in appropriate circumstances,
will refer consumers to other state and local authorities, to pursue
potential criminal investigation or prosecution.
(2) Identity Theft complaint database. As mentioned above, detailed
information from the complaints received on the FTC's toll-free
Identity Theft Hotline is entered into the FTC's Identity Theft Data
Clearinghouse (``Clearinghouse''). The Clearinghouse is designed to
become a comprehensive, government-wide repository of information
collected from victims of identity theft. In the near future, it will
begin incorporating complaints received by other government agencies,
such as the Social Security Administration. Consumers can also enter
their own complaint information via the public user complaint form at
www.consumer.gov/idtheft.\23\
---------------------------------------------------------------------------
\23\ See page 14, infra.
---------------------------------------------------------------------------
Having designed and built the Clearinghouse database itself, the
Commission is now developing the tools to extract and analyze the
information it contains.\24\ The information collected in the
Clearinghouse will provide the Commission with a better understanding
of how identity theft occurs. In particular, we will look at whether
certain types of transactions or business practices lead to greater
opportunities for the theft of a person's personal information or
facilitate the misuse of that information once obtained. As we begin to
identify trends and patterns in the occurrence of identity theft, we
will share this information with our law enforcement partners so that
they may better target their resources.\25\
---------------------------------------------------------------------------
\24\ While Congress authorized the appropriation of such sums as
may be necessary to carry out the FTC's obligations under the Identity
Theft Act, Pub. L. No. 105-318 Sec. 5(b), 112 Stat. 310 (1998), no
funds have been appropriated for the Commission's identity theft
program. Our ability to fully build out our database, including making
the information contained therein electronically available to our law
enforcement partners, as well as our ability to perform sophisticated
analyses of the data we collect, is contingent on the appropriation of
adequate funds. Our budget requests for the next three years ask for
funding of $2.8 million to complete the development of the system and
maintain our call handling and consumer education responsibilities.
Appropriations at the requested level would enable us to handle 100,000
calls for fiscal year 2001, and 200,000 annually thereafter. We have,
in addition, submitted a reprogramming request to provide $625,000 in
funds for fiscal year 2000. Of this request, which is now pending with
the Appropriations Subcommittees, $525,000 would be distributed to the
agency's contract account, and $100,000 to our equipment account.
\25\ In addition to our collaborative work with our law enforcement
partners, the Commission is looking for opportunities to work with
private sector entities who are critical to addressing identity theft
issues. For example, credit reporting agencies could provide
substantial assistance by detailing for this project how their existing
fraud operations and databases function, and how information could most
efficiently be shared with them.
---------------------------------------------------------------------------
Moreover, the Identity Theft Data Clearinghouse will be available
to law enforcement agencies at the federal, state, and local level
through a secure, web-based interface. The Commission expects that the
Clearinghouse will allow the many agencies involved in combating
identity theft to share data, enabling these offices to work more
effectively to track down identity thieves and assist consumers.\26\
Criminal law enforcement agencies could take advantage of this central
repository of complaints to spot patterns that might not otherwise be
apparent from isolated reports. For example, federal law enforcement
agencies may be able to identify more readily when individuals may have
been victims of an organized or large-scale identity theft ring.
---------------------------------------------------------------------------
\26\ The Commission has successfully undertaken a similar effort
with respect to consumer fraud. The FTC's Consumer Sentinel network is
a bi-national database of telemarketing, direct mail, and Internet
complaints accessible to law enforcement officials throughout the U.S.
and Canada. Currently the Sentinel database contains more than 210,000
entries, and is used by more than 200 law enforcement offices, ranging
from local sheriff's offices to FBI field offices.
---------------------------------------------------------------------------
In addition, the Clearinghouse will facilitate the referral process
required by the Identity Theft Act. Building upon the Commission's
experience in sharing data and making referrals to combat consumer
fraud through its successful Consumer Sentinel network,\27\ we envision
making identity theft referrals in a variety of ways beyond simply
referring individual callers to appropriate agencies. As mentioned
above, Clearinghouse members will be able to access this secure
database directly from their desktops in order to support their
investigations. In addition, the Commission plans to disseminate
complaint information through customized standard reports, extracting
for our law enforcement partners the Clearinghouse complaints that meet
the criteria they have designated. Finally, when, during the course of
our own in-house data analysis, we identify trends or patterns in the
data that appear to have ramifications for our law enforcement
partners, we will notify them of that information. Numerous law
enforcement agencies have already expressed an interest in receiving
information and referrals in these ways.\28\
---------------------------------------------------------------------------
\27\ See supra note 26.
\28\ Pursuant to the requirements of the Identity Theft Act, the
FTC hopes to gain the cooperation of the three major credit reporting
agencies to establish an analogous information sharing and referral
system to allow us to refer complaints received on our toll-free number
to individual credit bureaus for assistance or resolution, as
appropriate.
---------------------------------------------------------------------------
(3) Consumer Education. The FTC has taken the lead in coordinating
the efforts of government agencies and organizations to develop and
disseminate comprehensive consumer education material for victims of
identity theft, and those concerned with preventing identity theft.\29\
The results of the FTC's efforts include both print publications and a
website, located at www.consumer.gov/idtheft. This collaborative
consumer education effort is ongoing; we hope to lead a similar joint
effort with many of the private sector financial institutions that have
an interest in preventing and curing the effects of identity theft.
---------------------------------------------------------------------------
\29\ Among the organizations the FTC has brought into this effort
are the Federal Reserve Board, the Office of the Comptroller of the
Currency, the Federal Deposit Insurance Corporation, the National
Credit Union Administration, the Office of Thrift Supervision, the
Department of Justice, the U.S. Secret Service, the Federal Bureau of
Investigation, the Postal Inspection Service, the Internal Revenue
Service, the Social Security Administration, the Federal Communications
Commission, the Securities and Exchange Commission, the U.S. Trustees,
and the National Association of Attorneys General.
---------------------------------------------------------------------------
The FTC's most recent publication in this area is a booklet
entitled: Identity Theft: When Bad Things Happen to Your Good Name.\30\
The 21-page booklet covers a wide range of topics, including how
identity theft occurs, how consumers can protect their personal
information and minimize their risk, what steps to take immediately
upon finding out they are a victim, and how to correct credit-related
and other problems that may result from identity theft. It also
describes federal and state resources that are available to consumers
who have particular problems as a result of identity theft. In addition
to our own initial distribution of this booklet, the Social Security
Administration has ordered and plans to distribute 100,000 copies of
the booklet. The Federal Deposit Insurance Corporation has also
indicated that it will print and distribute the booklet.
---------------------------------------------------------------------------
\30\ In April, 1999 the FTC took the interim step of issuing a
consumer alert, Identity Crisis * * * What to Do If Your Identity Is
Stolen, which gives consumers an overview of what to do if they are
victims of identity theft.
---------------------------------------------------------------------------
The Identity Theft web page features a web-based complaint form,
allowing consumers to send complaints directly into the Identity Theft
Data Clearinghouse. The website also includes the comprehensive
identity theft booklet as well as other publications, tips for
consumers, testimony and reports, information on recent identity theft
cases, links to identity theft-related state and federal laws,
descriptions of common identity theft scams, and links to other
organizations and resources.\31\
---------------------------------------------------------------------------
\31\ The www.consumer.gov site is a multi-agency ``one-stop''
website for consumer information. The FTC hosts the server and provides
all technical maintenance for the site. It contains a wide array of
consumer information and currently has links to information from 61
federal agencies. The consumer.gov project was awarded the Hammer Award
in March 1999.
---------------------------------------------------------------------------
Finally, the Commission recognizes that the success of this effort
hinges on the public's awareness of these resources. On February 17,
2000, the Commission announced its Identity Theft Program, promoting
the toll-free number, the website and our consumer education
campaign.\32\ We anticipate that we will see an increase in our call
volume and website visits following these efforts to raise the public
awareness of identity theft.
---------------------------------------------------------------------------
\32\ While the toll-free number has been operational since November
1999, we waited several months to make a major announcement in order to
fully train the telephone counselors, and otherwise smooth out the data
collection operations. Even without a formal announcement, the toll-
free line has received an average of 400 calls per week.
---------------------------------------------------------------------------
iv. ongoing issues
In May 1998, the Commission testified before this subcommittee in
support of the Identity Theft and Assumption Deterrence Act. The
Commission continues to believe that the Act is an important tool in
addressing the problem of identity theft. Since its passage, the FTC
has increased its efforts to develop a program to quantify the data
regarding identity theft, to provide assistance to identity theft
victims who seek help in resolving identity theft disputes, and provide
consumers and others a central place in the federal government to go
for information about identity theft. Already, in the relatively brief
time our identity theft hotline has been operational, the FTC has
assisted over 4000 consumers who have been, or are worried about
becoming, victims of identity theft. We anticipate that our consumer
assistance program will continue to expand and grow over the coming
months.
Notwithstanding our efforts and those of other law enforcement
agencies, however, identity theft continues to pose significant
problems for consumers. Some preliminary areas of concern to the
Commission are as follows:
Prevention. Although many bank, credit card issuers, and other
companies have put into place extensive systems to guard against
identity theft, there nonetheless remain a number of continuing
practices that may contribute to the problem of identity theft. Fraud
alerts, for instance, are not fulproof. Identity thieves may be able to
open accounts in the victim's name notwithstanding a fraud alert either
because the fraud alert is not picked up by the credit scoring or other
automated system used by the new creditor, or because the creditor
fails to take sufficient precautions to verify the applicant's
legitimacy when presented with a fraud alert. One caller to the FTC's
hotline whose wallet had been stolen, for example, reported that after
placing a fraud alert on her credit reports, at least seven fraudulent
accounts were opened in her name at various retail establishments that
granted ``instant credit'' based only on a credit score that did not
take into account fraud alerts.\33\
---------------------------------------------------------------------------
\33\ Of course, it is important to the prevention of identity theft
that creditors pay attention and follow-up with appropriate
verification procedures wherever there are possible indicia of fraud.
One Arlington, Virginia resident who called the FTC had been disturbed
to find that her ATM card no longer worked. When she called her bank,
she learned that someone using her name had reported her card lost, and
asked that a replacement card be sent--to Brooklyn, New York. The
sudden change-of-address presumably should have raised a red flag, but,
in fact, apparently triggered no further investigation. Such
oversights, often committed out of an understandable desire to provide
prompt customer service, do not appear to be uncommon.
---------------------------------------------------------------------------
In addition, although individual credit issuers have systems to
detect automatically unusual patterns of activity, it is more difficult
to detect unusual activity across creditors. Thus, for example, if an
identity thief opens 30 different credit accounts in the course of 2
days, none of the 30 individual creditors may notice anything unusual.
However, taken as a whole, the pattern of activity would likely trigger
suspicion. Thus, one possible area for further action lies in bringing
together creditors and credit reporting agencies (the group that is
probably best placed to notice when there have been numerous credit
applications or new accounts opened) to develop mechanisms for
detecting such fraud--and thus heading off identity theft.
Remediation. Identity theft victims continue to face numerous
obstacles to resolving the credit problems that frequently result from
identity theft.\34\ For example, many consumers must contact and re-
contact creditors, credit bureaus, and debt collectors, often with
frustrating results. Using the data collected from consumer complaints,
the Commission is actively monitoring the nature and extent of problems
reported by consumers, and looking at possible means of addressing
these problems, including ways of streamlining the remediation process.
---------------------------------------------------------------------------
\34\ Some identity theft victims face significant, non-credit-
related problems as well. For example, in a small but troubling number
of cases, consumers calling the FTC's toll-free number have reported
that they themselves have been arrested because of something an
identity thief did while using their name, or that they learned they
had a criminal arrest or conviction on record because an identity thief
used identification with their name rather than his or her own when
arrested for committing some other crime. Needless to say, correcting
legal arrest or conviction records can prove extremely difficult.
---------------------------------------------------------------------------
In particular, the FTC believes that, as a first step, it would
benefit consumers if they could make a single phone call--presumably,
to any of the major credit bureaus or to the FTC's hotline--and have a
fraud alert placed on all three of their credit reports, and copies of
each of their three reports sent to their home address. The success of
such an effort depends on the cooperation of the major credit
bureaus.\35\
---------------------------------------------------------------------------
\35\ Another question potentially raised by the experiences of
identity theft victims is whether the protections currently afforded by
laws such as the Fair Credit Reporting Act and Fair Credit Billing Act
are adequate for resolving the problems commonly faced by identity
theft victims. Because the data the Commission has gathered in the
short time its hotline has been operational are limited, it would be
premature to try to resolve such questions at this time.
---------------------------------------------------------------------------
As the FTC's new identity theft program expands, the Commission
will have more data and experience from which to draw in determining
what additional actions may need to be taken to best assist identity
theft victims.
V. COOPERATIVE EFFORTS
The Commission has been working closely with other agencies in a
number of ways to establish a coordinated effort to identify the
factors that lead to identity theft, work to minimize those
opportunities, enhance law enforcement and help consumers resolve
identity theft problems. In April 1999, for example, Commission staff
held a meeting with representatives of 17 federal agencies as well as
the National Association of Attorneys General to discuss implementing
the consumer assistance provisions of the Identity Theft Act. In
addition, FTC staff participates in the identity theft subcommittee of
the Attorney General's Council on White Collar Crime, which has, among
other things, developed guidance for law enforcement field offices on
how best to assist identity theft victims. FTC staff also coordinates
with staff from the Social Security Administration's Inspector
General's Office on the handling of social security number misuse
complaints, a leading source of identity theft problems.
Furthermore, almost half of the states have now enacted their own
statutes specifically criminalizing identity theft. Others have passed,
or are considering, further legislation to assist victims of identity
theft,\36\ including legislation specifically designed to help victims
clear up their credit records.\37\ The Commission is committed to
working with states and local governments on this issue, and learning
from their efforts.
---------------------------------------------------------------------------
\36\ See, e.g., Iowa Code Sec. 714.16B (creating a private right of
action for victims of identity theft).
\37\ See Cal. Civ. Code Sec. 1785.6 (providing that if a consumer
provides a credit bureau with a copy of police report of identity
theft, the credit bureau ``shall promptly and permanently block
reporting any information that the consumer alleges appears on his or
her credit report as a result of a violation of Section 530.5 of the
Penal Code [the California identity theft statute] so that the
information cannot be reported''; the information may be unblocked
``only upon a preponderance of the evidence'' establishing that the
information was blocked due to fraud, error, or that the consumer knew
or should have known that he or she obtained goods, services, or moneys
as a result of the blocked transactions).
---------------------------------------------------------------------------
Most recently, FTC staff has been assisting the Department of
Treasury on plans for the upcoming National Summit on Identity Theft on
March 15-16. The Summit provides a significant opportunity for
government and business leaders to develop partnerships to combat
identity theft and assist its victims.
VI. CONCLUSION
The Commission, working closely with other federal agencies and the
private sector, has already made strides towards identifying ways to
reduce the incidence of identity theft. More focused law enforcement,
greater consumer education and increased awareness by the private
sector will all contribute to this effort. The FTC also looks forward
to working with the Subcommittee to find ways to prevent this crime and
to assist its victims.
Senator Kyl. Thank you very much. I appreciate the
testimony that both of you have given to us.
Let me just get right to the heart of a couple of questions
I had regarding the FTC. Have you been appropriated enough
money, do you think, to accomplish the various tasks that the
statute mandates to the FTC? If not, is there anything else
that you need?
Ms. Bernstein. We really haven't been appropriated any
money for this program. What we have done so far in my bureau
is shifting funds from other programs to try to staff, as we
have, this program, and I think we have done well. However, we
have a pending reprogramming request for $625,000 for the
current fiscal year, and the Commission submitted a budget that
requested $2.8 million for each of the next 3 years. We have
estimated that if the reprogramming request was granted and the
new budget put in place that we would be well provided for in
terms of resources to be able to run a really more aggressive
program.
Senator Kyl. Was that the budget request from the White
House?
Ms. Bernstein. Yes.
Senator Kyl. OK, good, and if you need help on the
reprogramming, too, be sure and let us know about that.
Ms. Bernstein. Thank you.
Senator Kyl. Have the credit bureaus been working, do you
think, well with the FTC to address the problem generally?
Ms. Bernstein. With every effort to be diplomatic, I would
say that we would have hoped for more cooperation.
Senator Kyl. I kind of thought so. What about a special
number? And I am not suggesting that the Federal Government
mandate this, but considering one of Ms. Mitchell's problems,
do you think that if we encouraged the credit bureaus to have a
special number for ID theft reporting that people wouldn't have
as much trouble getting through to a real person to talk about
these things?
Ms. Bernstein. I would think that that would be a great
assistance to people. Just one central source, whether it be to
the FTC or whether they do it separately, any way, as Maureen
said, that you could cut down on the number of efforts that the
individual has to make would be extremely helpful.
Senator Kyl. Any recommendations that you would like to
make to us in that regard I would appreciate very much, not
necessarily as amendments to the existing law, not necessarily
law, but recommendations that we might implement by encouraging
credit agencies to do certain things or in some other way
effectuating them. That would all be appreciated.
With respect to local law enforcement, one of Ms.
Mitchell's concerns was that they didn't seem to be as aware of
the Federal law as they need to be. What more can we do to get
notice--and maybe this is a question really for both of you--
notice more to the local law enforcement agencies?
Mr. Regan. Yes, sir. We try to address that through our
task force involvement. We have currently 28 task forces
throughout the country and they include State, local and county
police officers. Unfortunately, we are comparatively a small
agency. So our task forces aren't in every city, but where they
are we include all law enforcement agencies in that area and we
try to get it out like that.
We also have an Internet site, on which we put several
things out there now. In fact, we see the future of identity
theft basically being on the electronic side. We are moving
toward a cashless society, or an electronic commerce type
society ourselves here in the United States, and we are seeing
most of the crime activity being used within the Internet,
either the Internet being used as a tool to move it forward or
to hide behind it, to be anonymous, and so forth.
Identity theft is a component of what is going on there.
The theft of people's account numbers through Internet hacking
and through skimming, which is the theft of account information
off the back of mag strips, are all part of it. And one of the
things we are doing with local law enforcement--and I think you
have a copy of it, sir--is we printed this up for local law
enforcement and it is called ``Best Practices for Seizing
Electronic Evidence.''
And what this is for is to give the local police officer,
who is usually the first responder, because, like I say, we are
a comparatively small agency--if there is a problem, the local
police officer is the first one on the scene. And if, in fact,
it is an identity theft where they use the electronic medium,
what is that police officer supposed to do with that computer?
And it is supposed to make him a little bit comfortable in what
could be considered evidence within that area, what holds
information, what would hold account numbers in people's names,
and so forth, and how to safely handle it, as well as a list of
contacts and how to track back e-mail headers, and so forth.
So we are doing certain things like that as outreach to the
field now, and we continue to do it. This is also available on
our Internet site for those agencies we haven't gotten the
booklets to yet. We have distributed over 60,000 of them this
year, and we are hoping to do another 100,000 by the end of
this coming year.
Senator Kyl. I might suggest that maybe there be some
reference also when you do this again to the Federal law so
that they can appreciate the fact that there are both Federal
and State laws involved. This looks very helpful, by the way.
Mr. Regan. Yes, sir, thank you.
Senator Kyl. My understanding is that what has happened is
since we got the law passed that a lot of people are now being
charged under this new law, but that we might not be aware of
the true magnitude of the crime because there are a lot of plea
bargains taken, and that frequently the new law is the charge
that is dropped in the course of making the plea bargain.
It is obviously helpful to have that additional crime to
charge because you can more likely get a plea bargain and a
better sentence, but frequently this is the particular charge
that is dropped. So we may not have a real good handle on the
number of situations in which people have actually been guilty
of this particular crime.
Can you discuss that with us at all at this point?
Mr. Regan. Yes, sir. I think you are a hundred percent
correct. I think this law is used extensively in financial
crimes. It would be virtually impossible to perform most
financial crimes without some form of false identification, not
necessarily an identity theft, but some form of false
identification.
When you talk about credit fraud, it is usually an identity
theft. When you talk about skimming, it would be an identity
theft. And what all too often will happen is we will pick up an
individual and that individual might be indicted on 15, 20
counts. And the agreement comes out that they take a plea to
certain counts, maybe a bank card count or a credit card count.
And the other counts, although they were all part of the
indictment, just fall off by the plea, so that it is very hard
to capture that information that comes through. But I think
that this violation is used extensively in Federal financial
criminal investigations, sir.
Senator Kyl. Well, we will, of course, want to continue to
follow the progress of that to make sure that what we have done
is worthwhile for law enforcement agencies. And if there are
any changes that need to be made in it, we can, based on your
recommendations, make those changes.
Are you getting the information you need from the FTC for
the Secret Service to initiate an investigation when it is
warranted?
Mr. Regan. Yes, sir, very much so. In fact, we are working
very, very closely with the FTC and it is working out very
well. In fact, I have worked with Beth Grossman myself on
numerous occasions and it is a pleasure to work with them on
this.
Ms. Bernstein. Mr. Chairman, I may mention in connection
with the local law enforcement question that you asked that we
think that when the identity theft clearinghouse is really
fully established for the benefit of local law enforcement--
that has been our experience with our database that that is
just a boon to a local law enforcement person. When he or she
gets a call and is perhaps in a small community somewhere and
doesn't have a lot of assistance to be able to dial into that
database and quickly find out whether there have been other
complaints about that particular theft, what has happened with
it, where they can get assistance, it has just been an enormous
help in other fraud areas that we have used. So when we are up
to the place where it is fully developed--and we are not too
far from that--I think it will be an enormous assistance to
local law enforcement.
Senator Kyl. That is great. That is one of the two
directions we want to go. Let me focus on the other direction,
and that is how to make the system more user-friendly and
effective for the actual victims, people like Ms. Mitchell.
Maybe you could walk us through what happens when somebody
like Ms. Mitchell calls the FTC hotline. What do you do? And
then more specifically, how is that helping her to both prevent
continual violations of her identity or credit and cleaning up
the credit violations that have already occurred?
Ms. Bernstein. Well, the first thing that happens is Ms.
Mitchell, for example, would call and in this case Kathleen
Lund answers the telephone. And I would say that we have
specially trained those counselors who are dealing with
identity theft because it is more complicated; it is criminal
as opposed to other types of fraud which are often civil, as
you know. And we have worked hard to be sure that we were
providing the counselors with enough information so that they
would know how to proceed.
And Kathleen would then ask her what happened, obviously,
and she would tell her, get the relevant information about it.
And then the first thing to do would be to advise her of what
steps she ought to take immediately, and those steps, of
course, are, as you heard from Ms. Mitchell, to notify the
credit bureaus, to notify creditors, the merchants that she
talked about, and most particularly to call the police. It is
important to have a police report on record very quickly.
She would then provide her with fuller information, which
she can get on a Web site or we would put into the mail,
whatever is convenient for her, to begin the process of getting
those fraud alerts on the credit reports because that is the
first line of defense.
Senator Kyl. Now, how, physically, does that actually
occur?
Ms. Bernstein. How physically does it occur?
Senator Kyl. Yes. She has now notified the FTC.
Ms. Bernstein. The FTC tells her the numbers of the credit
bureaus, and there are three of them, as she indicated, and
they have a line that we ask her to call because that is what
the process is. She then calls the credit bureau--and hopefully
she doesn't get a ringing phone; hopefully, she gets a real
person--and reports what has happened to her and asks them to
immediately put a fraud flag on her credit report.
The purpose of that obviously is to alert others--
merchants, the fellow who is going to issue a loan for a car--
when he or she asks for a credit report, which they do before
opening a line of credit, to see that there is already a fraud
alert on that credit report. That really should be a warning to
that creditor to think carefully before extending credit to
what may not be the appropriate person. So, that is how that
gets done.
Now, Ms. Mitchell's experience was, I think--and she made a
valuable point about it--if it is on the last page of the
credit report and it is in type that doesn't jump out at the
person who is reviewing it and they are in a hurry, it
certainly would be an improvement--and it doesn't have to be by
Federal law; it could certainly be something that the committee
could encourage the credit bureaus to undertake voluntarily to
improve the fraud alerts that are on the credit reports.
Senator Kyl. How do you at the FTC, or the credit bureaus
themselves, verify the validity of the information presented by
somebody such as Ms. Mitchell so that they know that it is not
a scam themselves?
Ms. Bernstein. Well, we have some ways of verifying who the
person is. We can communicate back with them. They give us an
address. We can check them out as to whether or not we have
other indications of who they are. We have not experienced
getting false claims into our system. That would be something
that we would be careful with, obviously, before we proceed.
The credit bureaus also have their regular means of
verifying who people are that they have to do all the time
because they are issuing credit reports. So they have various
means of verification, like drivers' licenses and other
documentation that they can ask for before proceeding.
Senator Kyl. I think one thing that has occurred to me is
that maybe we need to ask some of the credit agency or credit
bureau people to come and testify to us, and we can present
some concerns and questions to them and maybe they can tell us
what they might do to improve the situation. Do you think that
might be a helpful exercise?
Ms. Bernstein. I think it would be very helpful.
Senator Kyl. OK, I think we will consider doing that. Would
it be possible to accomplish this notification electronically
through the FTC, do you think?
Ms. Bernstein. You mean a generalized notification to the
credit bureaus?
Senator Kyl. Yes.
Ms. Bernstein. Yes, I think so; I think it could be.
Senator Kyl. In other words, Ms. Mitchell has notified us.
We have determined, at least prime facie, that there is a valid
complaint on her part. Would the three of you please verify
this independently and flag it, if appropriate?
Ms. Bernstein. Right, and let us know that it has been
verified or it has been flagged.
Senator Kyl. Would you consider doing that and get back to
us to see how easy that would be, or difficult?
Ms. Bernstein. I would be glad to do that, and I would need
to see how easy it is to do.
Senator Kyl. Yes.
Ms. Bernstein. But Beth here is almost as good on computers
as the thieves are, and she will be able to tell me.
Senator Kyl. Single-handedly.
Ms. Bernstein. Single-handedly is right.
Senator Kyl. Well, check that out as an additional way
maybe to get this process undertaken.
Ms. Bernstein. We would be glad to explore that, or perhaps
there is another way that that would be useful, and we will be
glad to respond to that.
Senator Kyl. Well, I think what I am getting at here for
both of you is, first of all, to compliment both of you for
helping us to use the law that we passed, to confirm that we
are on the right track, that it seems to be a positive
development in the area. It obviously doesn't solve the
problem, but it can make life a little easier for those whose
identity has been stolen, and at least help you also to go
after the perpetrators.
What we would like to do is to get any other suggestions
that either the Secret Service or the FTC have as additional
experience shows you what is working and what isn't working,
either to modify your internal operating procedures or perhaps
to give us additional suggestions as to what we should do with
the law.
I would also ask on behalf of my colleagues on the
committee to get the data together in whatever good, reportable
form you are comfortable with and get that to us as soon as you
can so that we can report to our colleagues how it is working
and what changes may be needed--and we will call on you to
determine what the best reportable form for that is and when
you can get that data to us--and then finally any suggestions
that you would have about any additional hearings, including
perhaps the credit agencies.
And I would suggest would it not be appropriate not only to
have credit bureaus, but also a couple of the larger credit-
extending agencies? I don't want to pick on anybody in
particular, but one of the major automobile manufacturers and
sellers of automobiles extending credit, somebody like that. We
will work with you so that you can give us some suggestions as
to maybe the most representative of that kind of entity.
There was one other thing in my mind and now it has flown
out. Well, any other suggestions from either of you as to what
the committee should be doing at this point in our continuing
oversight? Anything else from either of you?
[No response.]
Senator Kyl. What will you be doing, either or both of you,
at next week's seminar, and can you describe for us briefly how
that will occur and what the public might expect from that, how
they could tune in and participate. This is the President's
symposium or whatever it is called.
Mr. Regan. Yes, sir. As far as the Secret Service and
myself in particular, I will be chairing one of the committees
addressing law enforcement and our response to it, and more
importantly how do we respond both nationally and
internationally, because one of the things we are seeing on the
identity theft issue today is there is no such thing as a case
here in, say, Washington, DC.
What we will see is they are organized and they are rings,
as we heard earlier, and they are often both national and
international in scope. A lot of things we are dealing with are
on the international side of the house on how to deal with
countries in the G-8 with law enforcement issues over there,
how to identify points of compromise.
One of the questions that Senator Grassley brought up, did
you ever find out how your point of compromise came about--
well, it is very difficult at times when you are dealing with a
multitude of different ways for your identity to be stolen.
Some of the Nigerian organized criminal groups are very, very
good at recruitment of individuals from banks and from private
industry, and so forth, to get background information. The
Chinese gangs have moved into the electronic age where they are
using hacking devices and Internet theft to actually get into
it.
So we are trying to identify how points of compromise come
about and shut them down. More importantly, how can law
enforcement respond, especially as the technology moves forward
and electronically everyday it just enhances. You know, today's
computer equipment is really obsolete 6 months down the road,
and that is kind of what we are looking at.
Because we are going to an electronic commerce society, the
United States becomes a huge pool of potential victims because
we all have credit now. You know, 5 years ago who would have
thought that you could go to a gas station, take your debit
card and fill up your car and never see the attendant? People
don't even get their paychecks anymore; they are electronically
deposited into their accounts.
So we are moving away from paper and we are moving toward
electronics, and it is a good thing. But with all this
enthusiasm for the Internet, you have got to temper it with a
little caution. We are seeing the same tools that are being
used to make our lives a little better are also being used to
defraud financial institutions and steal people's identities.
Senator Kyl. So you will be participating in the program?
Mr. Regan. Yes, sir.
Senator Kyl. Ms. Bernstein, before you answer, let me just
for the benefit of the audience make something kind of clear
here. This subcommittee of the Judiciary Committee is the
Subcommittee on Technology, Terrorism, and Government
Information. And it is not always the case that all three of
those things intersect, but at least two of the three intersect
here. Government information could, as a result of Social
Security numbers and other information, be involved as well.
The charge for our subcommittee is to try to keep track of
the evolution of technology and how law needs to keep pace with
that evolution. A couple of other examples: cell phone cloning
didn't exist 10 or 12 years ago. It all of a sudden got to be a
big crime and we needed to bring the law with respect to cell
phone cloning up to date. We are trying to do the same with
Internet gambling. Activity that has been prohibited since 1961
under the Federal Wire and Telephone Act, we suddenly find may
be somewhat outdated as a result of the difference in the
transmission of the data. So the Senate unanimously passed
revisions to that law.
And there will be other efforts, including this identity
theft, which isn't necessarily dependent upon electronic
transfer of data or hacking into a computer system to get the
information. Sometimes, it is as simple as going through a
garbage can, but it is usually still pulling off a slip that
has to do with some credit card or something else that is
transmitted electronically, but not necessarily always.
So, that is what our subcommittee is all about, and it
takes the efforts of entities like the FTC and the Secret
Service to help us do our job. So for anybody that is concerned
or interested in that, you are welcome to contact our staff for
further information. Or if you have some suggestions about
other things we need to do, we would be happy to take those,
too.
Finally, Ms. Bernstein, what will your participation be in
this meeting next week?
Ms. Bernstein. Mr. Chairman, two of us are on panels. I am
participating on a panel that is going to take some further
initiatives for public-private partnerships for consumer
education. Some of the things we have talked about today
undoubtedly will be raised, and the private sector folks, I
believe, will be attending and will participate on the panel.
So we hope to get some commitments, if you will, from the
private sector. We have in the past, and we are optimistic.
Hugh Stevenson, who is also on our staff, is on a panel
that will be discussing additional ways to be of assistance to
victims. That is something that you addressed, I know, in
connection with the sponsorship of the legislation itself. And
while we believe we have done a good job of training counselors
to do a certain amount, there may be some other ways in which
we can provide, either with other Government agencies or with
the private sector, better ways to assist victims because it is
such a difficult, difficult thing to undertake.
Senator Kyl. I would especially be interested in the
conclusions in that regard because I still don't think we have
gone far enough in being able to help somebody like Ms.
Mitchell actually go back and clear her credit.
Ms. Mitchell, could you come to the dias for one last
question here that I neglected to ask before?
My question is this. What would be helpful to you that you
don't currently have to help you clear your credit or to
prevent entities from extending credit to the people who have
stolen your identity? Once you know, in other words, that it
has occurred and you have contacted the FTC and now you have
got to go about the job of getting your credit cleared and
stopping any further violations, what would be useful for you
to have, if anything, to do that?
Ms. Mitchell. I think there would be two things that would
be very helpful. One would be the fraud alerts appearing on the
credit reports in a very conspicuous place.
Senator Kyl. Right, we got that.
Ms. Mitchell. The other would be once it is established
that a victim is a bona fide victim with whatever system of
verification needs to be there, then one package of boilerplate
documents to be filled out, a protocol that is universally
accepted by all of the merchants who have been defrauded,
rather than having the victim fill out 20 or 30 different
protocols.
Senator Kyl. Excellent. Now, what I would like to suggest,
Ms. Bernstein, is when you meet with these folks next week, put
that to them, because this would be better done voluntarily
than through a law.
Ms. Bernstein. We agree.
Senator Kyl. See if they are willing to work on this
problem with you and develop this protocol, and also more
clearly and forthrightly post the fraud alert on their credit
reporting. Maybe if you could get back to us after that or
after you have had some contact with them, contact our staff so
that we can see what we need to do, maybe calling them before
us to see whether they are agreeable to these things, perhaps
getting a report back from you. Most especially, we want to be
able to report back to Ms. Mitchell.
So if there is nothing else that the three of you have, I
will declare this meeting adjourned, but I thank you very, very
much for joining us today. It has been very, very helpful.
Mr. Regan. Thank you, Senator.
Ms. Bernstein. Thank you.
Senator Kyl. The hearing is adjourned.
[Whereupon, at 3:20 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions and Answers
----------
Responses of Jodie Bernstein to Questions From Senator Feinstein
Question 1. It is my understanding that the identity theft victim
bears the responsibility for correcting errors on her credit record
even after reporting the theft to the major credit bureaus and having a
fraud alert placed on her file. For example, it is typically up to the
identity fraud victim to call the affected creditors individually and
alert them to the fraudulent activity in her name.
This task can be incredibly burdensome. There is no standardized
form to report identity theft, so the victim must fill out multiple
sets of forms with the same information. Despite months of effort and
hundreds of phone calls, victims still report not being able to get
their credit rating restored.
Do you think more can be done to assist identity theft victims who
are trying to restore their credit rating? Is it possible to draft a
single, standardized set of documents that victims could fill out?
Answer 1. We believe that more can, and should, be done to assist
victims of identity theft restore their credit standing, and the
Federal Trade Commission is working with other public and private
organizations to identify the most effective ways to accomplish this.
Many of the identity fraud victims who call the FTC's Identity Theft
Hotline report their frustration at having to fill out numerous and
different forms, and make a series of telephone calls in their attempt
to resolve their identity theft-related disputes. Certainly, a single
standardized affidavit, accepted by the credit reporting agencies
(``CRA'') and major financial and credit granting institutions, would
relieve some of this burden and streamline the complaint process. As I
noted in my testimony before the Subcommittee, we would support such an
effort, and are ready to work with industry to develop a form that
would meet the needs of the affected institutions.
A standardized form is just one measure that would relieve the
burden on identity theft victims. Another practical step to streamline
the complaint process would be to reduce the number of telephone calls
the consumer has to make to report identity theft. Currently, an
identity theft victim must contact each of the three major CRA's to
request that a fraud alert be placed on her credit report. We would
welcome a system that allowed a victim to call one of the agencies, and
for that agency to transmit the information to the other two CRA's. In
addition, some consumers learn only after calling our hotline that they
should alert the CRA's if they are victims or potential victims of
identity theft (e.g. if their wallet was lost or stolen). Assuming the
availability of appropriate funding, we are prepared to establish the
technology that would, with the consumer's consent, transmit the data
to the CRA's to enable them to place a fraud alert on the credit report
and send the victim a copy of their credit report, thus eliminating the
need for the consumer to call the CRA's. We have raised this idea with
representatives for the industry, and will move forward as soon as we
obtain an indication of their willingness to pursue this system.
Question 2. What is your best estimate of the annual number of
victims of identity fraud in this country? What is your best estimate
of the annual financial costs of identity fraud to American consumers
and American industry?
Answer 2. To the best of our knowledge, no current reliable
statistics exist on the overall extent of identity theft in this
country. From the limited available information, however, we estimate
that there are hundreds of thousands of identity theft victims
annually. According to the General Accounting Office's May 1998 report
on identity fraud (which, too, found no comprehensive statistics on
identity fraud), Trans Union, one of the nation's three major credit
bureaus, reported that they received over 500,000 calls to their fraud
victim assistance department in 1997, approximately two-thirds of which
involved incidents of identity theft. Government agencies, too, have
heard from significant numbers of identity theft victims. In 1999, for
example, the Social Security Administration's Office of Inspector
General received 39,000 consumer complaints of ``social security number
misuse,'' a category generally equivalent to identity theft. The FTC,
for its part, has recently received as many as 1,000 calls per week to
its recently launched toll-free Identity Theft Hotline, and we believe
that so far we are hearing from only a small minority of all identity
theft victims.
As to the financial costs of identity theft, the Treasury
Department has estimated that credit card fraud alone results in $2-3
billion dollars in fraud losses annually.
Question 3. In your testimony, you describe the practice of
``skimming'' in which identity thieves use sophisticated devices to
intercept personal information on credit cards and ATM cards. How
widespread is this practice? What can be done to stop this practice?
Answer 3. The Commission is very concerned about the practice of
skimming and its implications for identity theft, but, as a civil law
enforcement agency, lacks first-hand knowledge about the extent of this
criminal practice. The American Bankers Association, however, has
described skimming as the most significant problem facing the credit
card industry today and in the near future. One important measure being
taken to combat skimming--announced at the recent National Summit on
Identity Theft--is the U.S. Secret Service's skimming database.
Developed in partnership with the financial industry, the database
helps identify common suspects and address trends in skimming and
related financial crimes. We hope that this will serve as a model for
ways in which the public and private sector can cooperate to thwart not
only skimming but other fraudulent practices as well.
__________
Responses of Jodie Bernstein to Questions From Senator Grassley
Question 1. In your testimony, you referred to the Fair Credit
Billing Act and the Fair Credit Reporting Act, and how these two laws
provide important protections for consumers trying to clear up their
credit records after having their identity stolen. Are statistics
compiled by the FTC, or any other agency, to support whether these two
laws are successfully aiding consumers? Do we know with certainty that
consumer liability is limited and that credit reporting agencies are
correcting inaccurate information?
Answer 1. As noted in our testimony, the Commission believes that
the Fair Credit Billing Act and the Fair Credit Reporting Act provide
important protections to consumers as they attempt to undue the credit
damage done by an identity thief. Section 133 of the Fair Credit
Billing Act (15 U.S.C. 1643) specifically limits liability of credit
cardholders in the case of unauthorized use to $50. The Commission has
received few complaints about companies not complying with this
provision; indeed, it is our understanding that in most instances,
credit card issuers waive the $50 charge and impose no liability on
consumers for fraudulent credit card charges.
Section 611 of the Fair Credit Reporting Act (15 U.S.C. 1681i)
requires consumer reporting agencies to investigate information in
their files that is disputed by consumers as inaccurate or incomplete,
and to delete or correct information based on the results of the
investigation. Similarly, Section 623 of the Fair Credit Reporting Act
(15 U.S.C. 1681s-2) requires credit information furnishers to
reinvestigate information provided to credit reporting agencies that is
disputed by consumers as inaccurate or incomplete and to report the
results of that investigation to the credit reporting agencies. Because
our identity theft database is still new, it is still too early for us
to determine the extent to which the credit report inaccuracies that
often result from identity theft are being promptly corrected by credit
reporting agencies and credit information furnishers. We continue to
monitor complaints from consumers on this issue. That the Commission is
committed to enforcing the requirements of the Fair Credit Reporting
Act is demonstrated by the FTC's recent actions against three major
credit bureaus for failing to maintain toll-free telephone numbers with
personnel accessible to consumers during normal business hours. Those
actions were based on Section 609(c)(1)(B) of the Fair Credit Reporting
Act, and were settled by an agreement filed on January 13, 2000, under
which those credit bureaus paid civil penalties totaling $2,500,000.
Question 2. How do we know whether consumer information is provided
only to entities with ``permissible purposes?'' Is that something we
only find out when a consumer files a complaint?
Answer 2. Consumer complaints are a principle way we learn of
consumer information being provided for impermissible purposes. Many of
the complaints we receive come to us through the toll-free number
connected with our Consumer Response Center, where our phone counselors
enter them into our consumer complaint database. This data reveals
individual cases of impermissible use of consumer information, as well
as broader trends.
The Commission also learns of law violations through periodic
reviews of industry business practices. For example, in the recent case
against Trans Union, the Commission upheld the decision of an FTC
administrative law judge, ordering Trans Union to stop selling consumer
reports in the form of target marketing lists. The complaint had
charged the sale of such lists violated the FCRA because the marketers
to whom they were sold lacked a permissible purpose. The Commission had
earlier entered into settlements with Experian and Equifax on similar
charges.
Question 3. How many individuals have been prosecuted under the
Identity Theft and Assumption Deterrence Act, since its passage in
1998, for knowingly transferring or using the identity of another
person? How many have been convicted? Do you have any recommendations
for changes in the identity theft law to enhance its effectiveness?
Answer 3. As you know, the Commission does not have jurisdiction to
bring criminal prosecutions, and we do not have statistics on the total
number of cases brought by the Department of Justice under the Identity
Theft and Assumption Deterrence Act. The most recent data available to
us, compiled by the U.S. Sentencing Commission, indicate that there
were 12 criminal convictions under the Identity Theft and Assumption
Deterrence Act in fiscal year 1999.
Such statistics may underestimate the number of recent identity
theft cases for at least two reasons. First, because prosecutions under
the Act may be brought only for crimes committed after the Act went
into effect, there is necessarily a certain amount of lag time before
convictions may be entered under the new statute. Second, identity
theft is often part of a larger financial criminal scheme, and an
identity theft prosecution may involve multiple counts under several
different statutes; in a plea bargain one or more of these initial
charges (including, in some instances, the identity theft charge) may
be dropped.
We believe that at the present time law enforcement agencies have
sufficiently little experience with the Identity Theft and Assumption
Deterrence Act that it is therefore premature for us to make any
recommendations for changes. As the FTC's Identity Theft Data
Clearinghouse grows, however, and we have additional data available to
us, we expect to revisit the issue of whether there are additional
legislative measures that would more effectively combat identity theft
and ensure that its victims are made whole.
Question 4. According to your testimony, it sounds like the
centralized complaint and consumer education service has gotten
underway only in the last few months. How long do you think it will
take before you have the system in full operation?
Answer 4. The core elements of the centralized complaint and
consumer education service were developed and implemented within the
statutory one year period after passage of the Identity Theft and
Assumption Deterrence Act in October 1998. While awaiting an
appropriation to support the fuller development of the program, we have
continued to build upon those core elements. The program's current
operating components include:
Toll-free Telephone Number
The FTC established a toll-free number, 1-877-IDTHEFT (1-877-438-
4338), that consumers can call to report identity theft and receive
guidance on the steps they can take to resolve credit and other
problems that may have resulted from the identity theft. The number
became operational on November 1, 1999.
Data Clearinghouse
The FTC built and implemented the data collection functions of the
Identity Theft Data Clearinghouse, a database to track identity theft
complaints received by the FTC and other agencies. The database was
launched in early November, in conjunction with the release of the
toll-free number.
Since November 1, 1999, the Commission has continued developing the
centralized complaint service in a number of ways. We have established
basic data accessing and reporting capabilities, enabling the FTC to
begin to analyze and identify trends and patterns in the consumer
complaint information we collect. In addition, the FTC has been meeting
with the Social Security Administration's Office of Inspector General
(SSA OIG) to establish mechanisms to download information obtained by
the SSA Fraud Hotline into the FTC's Identity Theft Data Clearinghouse,
as well as to refer complaints from the Clearinghouse to the SSA OIG's
investigative staff. Finally, we have built the prototype for a web-
based interface through which law enforcement agencies at the federal,
state, and local level can access the Identity Theft Data
Clearinghouse.
We added a public complaint form to the FTC's identity theft web
site in mid-February. This form allows consumers to submit an identity
theft complaint to the FTC via the Internet any time of the day or
night. Consumers who use this form have access to all of the consumer
education and referral material at the web site. In addition, their
complaints go directly into the clearinghouse for analysis with the
other consumer complaints about identity theft.
Consumer Education
As the first step in our consumer education campaign, we developed
a consumer publication entitled Identity Crises * * * What to do If
Your Identity is Stolen that covers the basic steps victims should take
when they discover that their identity has been stolen. We also revised
a number of more targeted credit-related publications that may be of
assistance to identity theft victims. In addition, by November 1, 1999
the FTC had established a web site devoted to identity theft issues at
www.consumer.gov/idtheft. The web site contains tips for consumers,
information on state and federal identity theft laws, recent cases and
scams, links to other government agencies, and our consumer
publications.
In addition, the FTC published a comprehensive booklet for
consumers entitled Identity Theft: When Bad Things Happen to Your Good
Name, which was released to the public on February 17, 2000. The
booklet, which included contributions from over a dozen other
government agencies, provides guidance on what to do to decrease the
risk of identity theft; how to protect your personal information; the
steps to take if you do become an identity theft victim; how to resolve
credit problems that may result from identity theft; and who to contact
in the government for assistance. I was pleased to be able to provide
copies of this 21-page booklet, as well as other of our consumer
education materials, to the Subcommittee at the time of my recent
testimony.
The Commission achieved these accomplishments without yet receiving
any appropriations earmarked for the Identity Theft Program. Additional
steps to make the centralized complaint and consumer education service
even more fully operational is dependent upon receiving necessary
funding. There are several additional features that the Commission
plans to add later this year if the agency receives approval of a
pending $625,000 reprogramming request. Specifically, if funded, the
FTC will make operational the web-based interface to provide direct
access to the Identity Theft Data Clearinghouse by law enforcement
agencies at the federal, state, and local level. With the receipt of
necessary funding, the Commission would also be able to establish
mechanisms to download into the FTC's data clearinghouse consumer
complaint information gathered by other law enforcement partners, such
as the Federal Reserve Board and the Office of the Comptroller of the
Currency, thus enriching the data clearinghouse. The Commission would
also further build out its data analysis tools to enable increased
levels of review, analysis, and reporting on the data gathered through
the complaint clearinghouse. This would permit us to identify
categories of complaints suitable for referral to other law enforcement
agencies for investigation or other action. The Commission would also
develop automated mechanisms to make and track such referrals.
Question 4A. Has the FTC notified all law enforcement agencies to
refer victims to the FTC hotline?
Answer 4A. From the outset, Commission staff has worked closely
with all of the major federal law enforcement agencies that have a role
in investigating and prosecuting identity theft. Representatives from
these agencies are currently referring victims of identity theft to the
FTC hotline. These agencies include the Department of Justice, the
Federal Bureau of Investigation, the U.S. Secret Service, the U.S.
Postal Inspection Service, and the Social Security Administration's
Office of the Inspector General, as well as the banking regulatory
agencies and other agencies with regulatory and policy-making
functions. We are also working actively with the National Association
of Attorneys General and the International Association of the Chiefs of
Police and others to get word of our hotline out at the state and local
level.
The Commission actively reaches out to federal, state and local
entities to provide information on and more effectively combat identity
theft. In April 1999, the FTC held a meeting with representatives of 17
federal agencies and the National Association of Attorneys General to
discuss implementation of the consumer assistance provisions of the
Identity Theft and Assumption Deterrence Act, including design of the
identity theft database and plans for producing and disseminating
consumer education materials. In addition, among other efforts, we have
been participating in ongoing meetings with the Department of Justice's
Identity Theft Subcommittee of the AG's White Collar Crime Committee,
the Office of the Comptroller of the Currency's Bank Fraud Working
Group, and have attended various meetings of local law enforcement and
business groups that focus on identity theft prevention and
prosecution. Most recently, the FTC was a key participant in the
Treasury Department's National Summit on Identity Theft. At each of
these gatherings, FTC staff actively promote the toll-free number and
database as part of our ongoing effort to make the database as
comprehensive as possible.
Question 4B. Do you know if this (referral process) is happening?
Answer 4B. Yes, we do. For the past six weeks, we have been
monitoring how callers to the FTC Identity Theft Hotline heard about
our service. We have found that, on average, approximately 22 percent
of the callers were referred to the FTC Identity Theft Hotline by local
law enforcement or other government agencies. This is a significant
source of referrals to our hotline. The remaining callers report having
heard about the FTC's ID Theft Hotline from three basic sources:
approximately 33 percent were referred by credit bureaus, banks and
creditors; around 32 percent heard about the hotline from newspaper,
television or radio reports; and about 9 percent learned about our
hotline from friends or family members. (The remaining 4 percent were
unable to specify the source.)
Question 5. What is the criteria used for referring complaints to
the appropriate law enforcement authority?
Answer 5. As mentioned above, our referral function is not yet
completely built and implemented, due to the need for additional
funding. We therefore have not established firm automatic referral
criteria. Ultimately the Commission envisions making identity theft
referrals in a variety of ways, and the criteria will vary accordingly.
Currently, our phone counselors refer individual callers to
appropriate agencies where those agencies or consumer assistance groups
can offer real assistance to a caller with a particular problem. We
also routinely refer callers to their local police to file a report,
because we have found that even if the police are unable to investigate
and catch the identity thief, having a police report can be of great
assistance to the victim in clearing up the credit-related problems
that may arise as a result of identity theft.
In addition, the Commission plans to disseminate complaint
information through customized standard reports, extracting for our law
enforcement partners the Clearinghouse complaints that meet the
criteria they have designated. For example, as mentioned above, we are
currently working with the Social Security Administration's Office of
the Inspector General to establish specific criteria tailored to that
agency's law enforcement priorities. We will provide the SSA OIG the
information they want in the format and time frame they choose.
Finally, when, during the course of our own in-house data analysis, we
identify trends or patterns in the data that appear to have
ramifications for our law enforcement partners, we will notify them of
that information. Numerous law enforcement agencies have already
expressed an interest in receiving information and referrals in these
various ways.
Finally, we are designing systems so that our law enforcement
partners can retrieve data directly from our database using their own
desktop computers.
Question 6. I serve as Chairman of the Special Committee on Aging
and, although I have a keen interest in the issue of identity theft in
general, I have a real interest in whether elderly citizens are
particularly vulnerable to having their identity stolen, as well. Will
the FTC's centralized complaint database be able to collect information
that will tell us the age group of the victims?
Answer 6. The database is able to reveal this information now. All
information consumers provide to the FTC Identity Theft Hotline is
strictly voluntary. Victims who call the hotline are asked for their
date of birth. From its inception in November 1999 until March 31,
2000, approximately 52 percent of the callers have been willing to
provide that information. Of the consumers who provided their age,
about nine percent are age 65 and older. Approximately 26 percent were
between the age of 45 and 64, inclusive. Approximately 39 percent were
between 30 and 44 years old. Approximately 23 percent were between 19
and 29 years old, and less than three percent were age 18 and under.
Question 6A. Will it provide us with enough information to identify
whether specific kinds of individuals are being targeted?
Answer 6A. Besides the consumer's address, with city, state, and
zip code information, the database does not collect other types of
demographic information. It does not, for example, collect information
on the consumer's education level, type of employment, income level, or
ethnicity. However, it does collect information on whether the victim
has a relationship with the suspect. We have found that, through
February 29, 2000, approximately 15 percent of the victims indicated
that they had a relationship, such as a family, employment, or
professional relationship, with the suspect.
�