[House Hearing, 107 Congress]
[From the U.S. Government Printing Office]



 
         PREVENTING IDENTITY THEFT BY TERRORISTS AND CRIMINALS

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                      OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                                AND THE

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                 OF THE

                      COMMITTEE ON WAYS AND MEANS

                                 OF THE

                     U.S. HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION
                               __________

                            NOVEMBER 8, 2001
                               __________

    Printed for the use of the Committee on Financial Services and 
                    the Committee on Ways and Means

                           Serial No. 107-50
                   (Committee on Financial Services)

                           Serial No. 107-51
                     (Committee on Ways and Means)








                        U.S. GOVERNMENT PRINTING OFFICE
                                WASHINGTON : 2002
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001















                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa                 JOHN J. LaFALCE, New York
MARGE ROUKEMA, New Jersey, Vice      BARNEY FRANK, Massachusetts
    Chair                            PAUL E. KANJORSKI, Pennsylvania
DOUG BEREUTER, Nebraska              MAXINE WATERS, California
RICHARD H. BAKER, Louisiana          CAROLYN B. MALONEY, New York
SPENCER BACHUS, Alabama              LUIS V. GUTIERREZ, Illinois
MICHAEL N. CASTLE, Delaware          NYDIA M. VELAZQUEZ, New York
PETER T. KING, New York              MELVIN L. WATT, North Carolina
EDWARD R. ROYCE, California          GARY L. ACKERMAN, New York
FRANK D. LUCAS, Oklahoma             KEN BENTSEN, Texas
ROBERT W. NEY, Texas                 JAMES H. MALONEY, Connecticut
BOB BARR, Georgia                    DARLENE HOOLEY, Oregon
SUE W. KELLY, New York               JULIA CARSON, Indiana
RON PAUL, Texas                      BRAD SHERMAN, California
PAUL E. GILLMOR, Ohio                MAX SANDLIN, Texas
CHRISTOPHER COX, California          GREGORY W. MEEKS, New York
DAVE WELDON, Florida                 BARBARA LEE, California
JIM RYUN, Kansas                     FRANK MASCARA, Pennsylvania
BOB RILEY, Alabama                   JAY INSLEE, Washington
STEVEN C. LaTOURETTE, Ohio           JANICE D. SCHAKOWSKY, Illinois
DONALD A. MANZULLO, Illinois         DENNIS MOORE, Kansas
WALTER B. JONES, North Carolina      CHARLES A. GONZALEZ, Texas
DOUG OSE, California                 STEPHANIE TUBBS JONES, Ohio
JUDY BIGGERT, Illinois               MICHAEL E. CAPUANO, Massachusetts
MARK GREEN, Wisconsin                HAROLD E. FORD Jr., Tennessee
PATRICK J. TOOMEY, Pennsylvania      RUBEN HINOJOSA, Texas
CHRISTOPHER SHAYS, Connecticut       KEN LUCAS, Kentucky
JOHN B. SHADEGG, Arizona             RONNIE SHOWS, Mississippi
VITO FOSSELLA, New York              JOSEPH CROWLEY, New York
GARY G. MILLER, California           WILLIAM LACY CLAY, Missouri
ERIC CANTOR, Virginia                STEVE ISRAEL, New York
FELIX J. GRUCCI, Jr., New York       MIKE ROSS, Arizona
MELISSA A. HART, Pennsylvania         
SHELLEY MOORE CAPITO, West Virginia  BERNARD SANDERS, Vermont
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
PATRICK J. TIBERI, Ohio

             Terry Haines, Chief Counsel and Staff Director
                                 ------                                

              Subcommittee on Oversight and Investigations

                     SUE W. KELLY, New York, Chair

RON PAUL, Ohio, Vice Chairman        LUIS V. GUTIERREZ, Illinois
PETER T. KING, New York              KEN BENTSEN, Texas
ROBERT W. NEY, Texas                 JAY INSLEE, Washington
CHRISTOPHER COX, California          JANICE D. SCHAKOWSKY, Illinois
DAVE WELDON, Florida                 DENNIS MOORE, Kansas
WALTER B. JONES, North Carolina      MICHAEL CAPUANO, Massachusetts
JOHN B. SHADEGG, Arizona             RONNIE SHOWS, Mississippi
VITO FOSSELLA, New York              JOSEPH CROWLEY, New York
ERIC CANTOR, Virginia                WILLIAM LACY CLAY, Missouri
PATRICK J. TIBERI, Ohio
















                   HOUSE COMMITTEE ON WAYS AND MEANS

                   BILL THOMAS, California, Chairman

PHILIP M. CRANE, Illinois,           CHARLES B. RANGEL, New York
E. CLAY SHAW, Jr., Florida           FORTNEY PETE STARK, California
NANCY L. JOHNSON, Connecticut        ROBERT T. MATSUI, California
AMO HOUGHTON, New York               WILLIAM J. COYNE, Pennsylvania
WALLY HERGER, California             SANDER LEVIN, Michigan
JIM McCRERY, Louisiana               BENJAMIN L. CARDIN, Maryland
DAVE CAMP, Michigan                  JIM McDERMOTT, Washington
JIM RAMSTAD, Minnesota               GERALD D. KLECZKA, Wisconsin
JIM NUSSLE, Iowa                     JOHN LEWIS, Georgia
SAM JOHNSON, Texas                   RICHARD E. NEAL, Massachusetts
JENNIFER DUNN, Washington            MICHAEL R. McNULTY, New York
MAC COLLINS, Georgia                 WILLIAM J. JEFFERSON, Louisiana
ROB PORTMAN, Ohio                    JOHN S. TANNER, Tennessee
PHILIP S. ENGLISH, Pennsylvania      XAVIER BECERRA, California
WES WATKINS, Oklahoma                KAREN L. THURMAN, Florida
J.D. HAYWORTH, Arizona               LLOYD DOGGETT, Texas
JERRY WELLER, Illinois               EARL POMEROY, North Dakota
KENNY HULSHOF, Missouri
SCOTT McINNIS, Colorado
RON LEWIS, Kentucky
MARK FOLEY, Florida
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin

                                 ------                                

                    Subcommittee on Social Security

                  E. CLAY SHAW, Jr., Florida, Chairman

SAM JOHNSON, Texas                   ROBERT T. MATSUI, California
MAC COLLINS, Georgia                 LLOYD DOGGETT, Texas
J.D. HAYWORTH, Arizona               BENJAMIN L. CARDIN, Maryland
KENNY HULSHOF, Missouri              EARL POMEROY, North Dakota
RON LEWIS, Kentucky                  XAVIER BECERRA, California
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin















                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    November 8, 2001.............................................     1
Appendix:
    November 8, 2001.............................................    45

                               WITNESSES
                       Thursday, November 8, 2001

Bond, Hon. Philip J., Under Secretary for Technology, Department 
  of 
  Commerce.......................................................     7
Bovbjerg, Barbara D., Director, Education, Workforce and Income 
  Security Issues, U.S. General Accounting Office................    13
Dugan, John C., Partner, Covington & Burling, on behalf of the 
  Financial Services Coordinating Council........................    32
Hillman, Richard J., Director, Financial Markets and Community 
  Investment Issues, U.S. General Accounting Office..............    13
Hendricks, Evan, Editor and Publisher, Privacy Times.............    36
Huse, Hon. James G., Jr., Inspector General, Social Security 
  Administration.................................................     9
Lehner, Thomas J., Executive Vice President, American Financial 
  Services Association...........................................    28
Pratt, Stuart K., Vice President, Government Relations, 
  Associated Credit Bureaus......................................    26
Rotenberg, Marc, Executive Director, Electronic Privacy 
  Information Center; Adjunct Professor, Georgetown University 
  Law Center.....................................................    34
Sadaka, Thomas A., Special Counsel for Computer Crime and 
  Identity Theft Prosecutions, Florida Office of Statewide 
  Prosecution....................................................    30
Streckewald, Fritz, Acting Assistant Deputy Commissioner for 
  Disability and Income Security Programs, Social Security 
  Administration.................................................    11

                                APPENDIX

Prepared statements:
    Kelly, Hon. Sue W............................................    47
    Shaw, Hon. E. Clay Jr........................................    49
    Oxley, Hon. Michael G........................................    46
    Cardin, Hon. Benjamin L......................................    51
    Gutierrez, Hon. Luis V.......................................    53
    Paul, Hon. Ron...............................................    54
    Schakowsky, Hon. Janice D....................................    56
    Bond, Hon. Philip J..........................................    57
    Bovbjerg, Barbara D., and Richard J. Hillman, joint statement    87
    Dugan, John C................................................   113
    Hendricks, Evan..............................................   131
    Huse, Hon. James G., Jr......................................    62
    Lehner, Thomas J.............................................   107
    Pratt, Stuart K..............................................   100
    Rotenberg, Marc..............................................   126
    Sadaka, Thomas A.............................................   110
    Streckewald, Fritz...........................................    73
              Additional Material Submitted for the Record

Bovbjerg, Barbara D., and Richard J. Hillman:
    Written response to questions from Congressman Gutierrez and 
      the 
      Subcommittee on Social Security............................    96
Dugan, John C.:
    Written response to questions from Congressman Gutierrez and 
      the 
      Subcommittee on Social Security............................   123
Hendricks, Evan:
    Written response to questions from Congressman Gutierrez and 
      the 
      Subcommittee on Social Security............................   135
Huse, Hon. James G., Jr.:
    Written response to questions from Congressman Gutierrez and 
      the 
      Subcommittee on Social Security............................    67
Streckewald, Fritz:
    Response to an inquiry from Congresswoman Kelly..............    82
    Response to an inquiry from Congressman Shaw.................    83
    Written response to questions from Congressman Gutierrez and 
      the 
      Subcommittee on Social Security............................    84
Comserv, Inc., prepared statement................................   137
Erisa Industry Committee, prepared statement.....................   140
National Council on Teacher Retirement, prepared statement.......   142



















  JOINT HEARING: PREVENTING IDENTITY THEFT BY TERRORISTS AND CRIMINALS

                              ----------                              


                       THURSDAY, NOVEMBER 8, 2001

             U.S. House of Representatives,
     Subcommittee on Oversight and Investigations, 
                   Committee on Financial Services,
                                            and the
                          Subcommittee on Social Security, 
                               Committee on Ways and Means,
                                                    Washington, DC.
    The subcommittees met, pursuant to call, at 10:10 a.m., in 
room 2128, Rayburn House Office Building, Hon. Sue W. Kelly, 
[chairwoman of the Subcommittee on Oversight and 
Investigations], and E. Clay Shaw, Jr., [chairman of the 
Subcommittee on Social Security], presiding.
    Present from Subcommittee on Oversight and Investigations: 
Chairwoman Kelly; Representatives Weldon, Inslee, Tiberi, 
Jones, Shows and Clay.
    Present from Subcommittee on Social Security: Chairman 
Shaw; Representatives Matsui, Cardin, Becerra, Doggett, 
Collins, Brady, and Ryan.
    Also attending was Congresswoman Hooley.
    Chairwoman Kelly. This joint hearing of the Committee on 
Financial Services Subcommittee on Oversight and 
Investigations, and Committee on Ways and Means Subcommittee on 
Social Security, will now come to order.
    I welcome today my colleagues, Clay Shaw, and Ben Cardin. 
I'm delighted that we also have other colleagues here--Darlene 
Hooley. Thank you very much.
    I look forward to hearing what the witnesses have to say.
    We're here this morning to see how we can prevent the awful 
crime and terrible tragedy of identity theft by terrorists and 
criminals. Our special intention is to protect the families of 
the deceased from such theft and financial fraud at their most 
vulnerable moment--when they are grieving from the shock of 
their loss.
    Through the rapid transmittal of the information in the 
Death Master File from the Social Security Administration to 
the financial services industry and the immediate use of that 
information by the industry, we can prevent these crimes and 
spare the families pain.
    James Jackson and Derek Cunningham stole hundreds of 
thousands of dollars in gems and watches from deceased 
executives of our major corporations before being caught by law 
enforcement. They stole the identity of the late CEO of Wendy's 
International within days after his death and were not arrested 
until about 2 months later.
    In the past 2 months, we learned that identity theft could 
be a tool of the hijackers who murdered thousands of our fellow 
citizens, and of their accomplices as well.
    Last week, the Inspector General of the Social Security 
Administration testified that some of the 19 hijackers used 
phony Social Security numbers to perpetrate their murders. And 
we know that Lofti Raisi, an Algerian held on suspicion that he 
trained four of the hijackers how to fly, used the Social 
Security number of a New Jersey woman who has been dead for 10 
years.
    Even after these events, and after three of us serving on 
the Financial Services Committee requested the SSA to ensure 
the rapid transmission of the Death Master File, we've received 
no commitment from the SSA to take any specific action.
    The file is still physically shipped to an agency at the 
Commerce Department, where copies are made and physically 
shipped to subscribers.
    In other words, ``snail-mail.''
    There has been no reduction for years in the time that it 
takes for the SSA to officially notify the financial services 
industry of a death. Identity theft is now part of the first 
war of the 21st Century, but the Federal Government is still 
treating it in a 1960s way.
    That must end. That is why we asked the General Accounting 
Office to study the matter and report their findings to the 
committee. That is why we're so pleased that the Ways and Means 
Subcommittee on Social Security, chaired by my colleague, 
Representative Clay Shaw, can join us in holding a joint 
hearing today.
    We need the Social Security Administration to take bold and 
immediate action to get the information to the financial 
services industry. We will hear from the SSA, the Commerce 
Department, the General Accounting Office, and we expect an 
innovative and effective solution.
    We also need the financial services industry to ensure that 
the information is immediately integrated into databases and 
available for permanently deactivating Social Security numbers 
of the deceased.
    Moreover, with the passage of the USA Patriot Act, there 
will soon be Treasury Department regulations requiring them to 
verify the identification of new account-holders and for 
customers to provide the identification requested by the 
companies.
    We know that the SSA and financial institutions can meet 
this challenge. In the past 3 years, they've already met two 
difficult challenges--the Y2K conversion and the aftermath of 
the terrorist attacks.
    The SSA was a leader among Government agencies in 
successfully avoiding the Y2K glitch and the financial 
institutions breezed through the turn of the millennium without 
a single major problem.
    As the acting SSA commissioner testified last week before 
Representative Shaw's subcommittee, the SSA regional offices in 
the New York and Pennsylvania area reacted with fortitude and 
compassion to assist the victims and their families, and I want 
to thank the Social Security Administration for their wonderful 
assistance to New Yorkers, including the many of those in my 
district.
    After the horrendous destruction in New York City 
interrupted the financial markets and killed many, financial 
institutions there and across the country picked themselves up, 
dusted off, and got back to work with an amazing speed and 
grace, even while mourning their compatriots.
    And all of them did all of that, the Y2K conversion and the 
recovery from the attacks, without any specific mandate in 
Federal law.
    Surely, we can work together to meet this challenge before 
us now. I urge all parties to get together and, based on the 
GAO's findings, leapfrog over the antiquated system now used, 
and stop identity theft of the deceased.
    Representative Shaw will chair the hearing for the first 
panel of witnesses. I will chair the hearing for the second 
panel.
    Thank you.
    [The prepared statement of Hon. Sue W. Kelly can be found 
on page 47 in the appendix.]
    Chairman Shaw. Thank you, Ms. Kelly. We appreciate being 
here in your committee room and being able to join with you in 
this hearing this morning.
    Today, our two subcommittees join together to examine ways 
to prevent identity theft by terrorists and criminals. When 
Social Security numbers were created 65 years ago, their only 
purpose was to track a worker's earnings so that Social 
Security benefits could be calculated. But today, use of the 
Social Security number is pervasive.
    Our culture is hooked on Social Security numbers. 
Businesses and Government use the number as their primary 
source of identifying individuals. You can't even conduct the 
most frivolous transaction, like renting a video at your local 
store, without someone asking you first to render your 9-digit 
Social Security ID.
    Interestingly enough, I had a doctor's appointment last 
Friday. It was a doctor I had never been to before. And I 
noticed when I was signing in, my Social Security number was 
required.
    I mentioned that to him back in the examining room and I 
told him, I said, the time is going to come when you're not 
going to be able to get that number. And he said, well, I hope 
it does, because he had been a victim of identity theft and it 
took him many years through the various layers of collection 
agencies to finally show that he was not the one that ran the 
tremendous debt up on the credit cards.
    Your Social Security number is a key that unlocks the doors 
to your identity for any unscrupulous individual who gains 
access to it. Once the door is unlocked, the criminal or 
terrorist has at their fingertips all the essential elements 
needed to carry out whatever dastardly act that they conceive.
    We now know that some terrorists involved in the September 
11th attacks illegally obtained Social Security numbers and 
used them to steal identities and obtain false documents, thus 
hiding their true identities and their motives. These 
unspeakable acts shine an intense spotlight on the need for the 
Government and the private industry to be vigilant in 
protecting identities. It also demands that safeguards to 
prevent identity theft are put in place and put in place now.
    Earlier this year, I, along with several of my Ways and 
Means colleagues, introduced H.R. 2036, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2001. This 
bipartisan bill represents a balanced approach to protecting 
the privacy of Social Security numbers, while allowing for 
their legitimate uses.
    Because of its broad scope, the bill has also been referred 
to the Committee on Energy and Commerce and the Committee on 
Financial Services, in addition to Ways and Means. I urge 
prompt action by all three committees so that we may bring this 
important legislation to the floor as quickly as possible.
    It is a needed part of our Nation's response to terrorism.
    Sadly, identity theft is a crime not perpetrated just 
against the living. A Washington Post article on Saturday, 
September 29th, reported that a man detained in Great Britain 
and suspected of training the terrorists who hijacked the 
airliners on September 11th, used the Social Security number of 
a New Jersey woman who died in 1991.
    The Associated Press reported on October 31st, that an 
individual from North Carolina had been indicted on charges he 
tried to steal the identity of someone killed in the terrorist 
attack at the World Trade Center.
    Therefore, today, we will take a hard look at the sharing 
of death information. The Social Security Administration 
maintains the most comprehensive file of death information in 
the Federal Government. How this information is compiled, its 
accuracy, and the speed with which it is shared with the public 
will be explored.
    Because the financial services industry relies 
fundamentally on Social Security numbers as the common 
identifier to assemble accurate financial information, they are 
in a unique position to assist in the prevention of Social 
Security number fraud and abuse. Their timely receipt of death 
information and prompt updating of financial data is key in 
preventing identity theft.
    In the past, some businesses have not been enthusiastic 
about further restricting the use of Social Security numbers. 
It is my hope they will rethink their resistance in light of 
September 11th.
    Identity theft is a national security threat involving life 
and property. Safeguards will be made and I predict sooner 
rather than later.
    Mr. Cardin.
    [The prepared statement of Hon. E. Clay Shaw Jr. can be 
found on page 49 in the appendix.]
    Mr. Cardin. Thank you, Mr. Shaw. Let me thank both Chairman 
Shaw and Chairwoman Kelly for convening this joint hearing 
today.
    This is an extremely important subject. We're working in a 
very bipartisan way to do everything we can to prevent identity 
theft.
    The FBI considers identity theft to be one of the fastest-
growing crimes in the United States. 350,000 cases a year.
    We can do better.
    The focus of today's hearing is going to spend a lot of 
time on the SSA's Death Master File, where it compiles the 
names and Social Security numbers of those individuals who have 
recently died.
    Questions have been raised as to whether those files are as 
up-to-date as they need to be and whether that information is 
being shared, particularly with financial institutions, in the 
most effective way in order to reduce the amount of identity 
fraud.
    I think there's a joint responsibility here and when the 
panel presents their testimony, I hope that they will deal with 
this. There's clearly a responsibility by SSA to have the 
information available so that we can prevent identity theft.
    But there's also responsibility in the private sector, 
particularly of financial institutions, as to how they deal 
with identity in the use of fraudulent or false information.
    Both need to work together in order to accomplish it.
    The Chairmen have given us examples that should chill all 
of us. The fact that several of the hijackers had fraudulent SS 
numbers, that is something that is unacceptable. The fact that 
a terrorist apprehended in Britain had a Social Security number 
that was from a deceased person that was 10 years old is 
unacceptable. We can do better than that.
    There is now, of course, a ring of thefts involving 
recently-deceased business executives. Ms. Kelly mentioned the 
Wendy's executive.
    We need to be wiser in how we deal with the Social Security 
numbers and updating the data bank at the public level, sharing 
with the private sector, to avoid these types of crimes.
    I think the questions being raised is whether we can update 
these Death Master Files in a more effective way, would that 
have prevented some of these ID thefts?
    But I must at least raise some additional questions here as 
we go through this hearing.
    We have the question that the primary purpose, the primary 
mission of the SSA's use of the Social Security card is to 
maintain earnings records and pay benefits in the case of 
death, retirement and disability.
    I have concern about making the list more up-to-date and 
easier to use, could compromise individual privacy and have the 
unintended consequence of making it easier, rather than more 
difficult, for people to steal and use false SSNs.
    So there are tradeoffs here.
    We also have the challenge of joint accounts, where one 
person dies and you have another person account. If we all of a 
sudden freeze those assets, in a way, we may be causing 
unintended problems for our constituents.
    So these are not easy issues.
    But the bottom line is we cannot accept the number of 
thefts that are occurring today through the use of Social 
Security numbers. We need to do a better job. And we look 
forward to working with the people who will be here today on 
our panel and others so that we can effectively combat this 
criminal activity.
    Thank you, Mr. Chairman.
    Chairman Shaw. Thank you.
    Mr. Weldon, do you have a statement?
    Mr. Weldon. No, thank you, Mr. Chairman.
    Chairman Shaw. Mr. Inslee.
    Mr. Inslee. No statement, Mr. Chairman.
    Chairman Shaw. Mr. Tiberi.
    Mr. Tiberi. No, thank you, Mr. Chairman.
    Chairman Shaw. Ms. Hooley.
    Ms. Hooley. Thank you, Chairman Shaw, and Chairwoman Kelly.
    We've heard numerous times today identity theft is an equal 
opportunity crime. It affects victims of all ages, all incomes, 
and all ethnic backgrounds.
    Ms. Kelly told us about Wendy's CEO. But more often than 
not, identity theft is something that affects the ordinary 
citizen, the person who is working hard, paying their taxes, 
and trying to do their best in life.
    For example, a little over a year ago, a young man from 
Oregon named Sean Bolden, appeared before the full Banking 
Committee to testify about his personal nightmare with identity 
theft.
    In Sean's case, identity thieves had opened dozens of 
financial accounts with his Social Security number and, as a 
result, at age 23, he was unable to obtain any credit 
whatsoever, including student loans.
    And then there's the case of the little boy in Salem, 
Oregon, named Tyler Bales. Tyler was 16 months old when he lost 
his battle with a rare genetic disease called Hurler's 
Syndrome.
    Now there's nothing more tragic than losing a child. 
Unfortunately, the heartache of Tyler's loss hasn't been eased 
for his parents.
    Not only isn't it hard enough losing a 16-month-old child, 
but last spring, the Bales learned, courtesy of the Internal 
Revenue Service, that someone claimed Tyler as a dependent on 
their 2000 income tax return and, as a result, the Bales' 
income tax return was rejected.
    As disturbing as that is, it gets worse.
    Because of Federal disclosure issues, the IRS cannot give 
out the name of the identity theft to the Salem Police 
Department, even though identity theft is a felony offense in 
Oregon. The thief could live right down the street or 3000 
miles away. But because of a loophole in the IRS, the Bales and 
the police department will never know who stole their son's 
personal information.
    Mr. Chair, I submit that Tyler Bales and Sean Bolden are 
more than a name, a date of birth, or a Social Security number, 
and that's why I've been a strong advocate of stamping out the 
crime of identity theft.
    In Tyler's case, I introduced H.R. 2077, the ID Theft 
Loophole Closure bill. It is in the Ways and Means Committee. 
It is a very simple bill that says the IRS, in fact, can give 
out the information to the local police.
    I know our economy in a large degree depends on the flow of 
free information. However, it's imperative that we recognize 
that private information is just that--private--and not a 
salable commodity or something to be exposed by unscrupulous 
individuals.
    Literally, this is the fastest-growing crime there is. The 
numbers are outrageous. And I could spend some times with 
numbers, but I don't want to do that. What I want to express 
today is this is happening more and more frequently. It's 
happening with people who are committing other crimes.
    In Salem, the police department has said that in the last 2 
years, ID theft has increased by over 38 percent and much of 
that is related to also methamphetamine abuse, is the 
motivating factor.
    We need to close some of these loopholes. We need to do 
something with identity theft, instead of just talk about it. 
And I think today's hearing is a good start and I yield back my 
time.
    Chairman Shaw. Thank you very much.
    Now I'd like to introduce our first panel this morning.
    We first have:
    The Honorable Philip Bond, who is the Undersecretary of 
Technology at the United States Department of Commerce;
    Jim Huse is no stranger to the subcommittees, he is the 
Inspector General of the Social Security Administration;
    Fritz Streckewald, Acting Assistant Deputy Commissioner for 
Disability and Income Security Programs of the Social Security 
Administration;
    Barbara Bovbjerg, the Director--Barbara, if I ever fail to 
mispronounce your name, would you please call me down on it?
    [Laughter.]
    Ms. Bovbjerg. It's ``Bo-berg,'' and everyone has trouble 
with it.
    Chairman Shaw. And it seems, as long as I've known you, I'd 
have gotten it right by now.
    [Laughter.]
    But you certainly are no stranger to the subcommittees, 
because you're the Director of Education, Workforce and Income 
Security of the General Accounting Office.
    And Richard Hillman, who is the Director of the Financial 
Markets and Community Investment of the General Accounting 
Office.
    Welcome to all the witnesses. We have your full statements 
and they'll be made a part of the record. You may proceed as 
you see fit.
    Mr. Bond.

     STATEMENT OF HON. PHILIP J. BOND, UNDER SECRETARY FOR 
            TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE

    Mr. Bond. Thank you, Mr. Chairman, Chairwoman Kelly, 
Members of both subcommittees. I want to thank you for inviting 
me here to address an important issue, obviously of combatting 
fraudulent use of Social Security numbers of decreased 
individuals.
    The National Technical Information Service, NTIS, is a 
component of the Department of Commerce. It's involved in this 
issue because it makes available to the public the Social 
Security Administration's Death Master File extract.
    Let me just say by way of preface that as someone who spent 
7 years working in the people's house, sitting back there in 
the staff row, it's a special and deep honor for me to come 
back here and work with you in trying to work toward a solution 
and improvement in the system in this regard.
    Obviously, September 11th has caused all of us to revisit 
and reassess what we're doing in every branch of Government, 
and certainly that is true at the Department of Commerce, where 
Secretary Evans has us involved deeply in that reassessment.
    So I want to commend you for holding this hearing, for the 
leadership, and for bringing some attention to this matter. And 
I'm confident that as the subcommittees look into this, that 
they'll find that technology is part of the solution.
    First, very quickly, a bit about NTIS.
    For over 50 years, NTIS has collected, organized and 
permanently preserved most of the research and technical 
reports of the Federal Government. There are today about 3 
million information products in its permanent collection.
    NTIS, I want to stress, received no appropriated funds. It 
is self-sustaining, basically on the sale of these largely 
technical manuals and reports.
    Many agencies in the Federal Government work with NTIS 
because they know the agency has the ability to make their 
information products more widely available, beyond their normal 
constituency, and in different formats.
    Clearly, it would be more expensive if all of the agencies 
tried to replicate this infrastructure.
    A quick example. The Defense Technical Information Center 
provides its technical reports directly to the folks in their 
community. But they turn to the NTIS for the release of 
unclassified research to the public at large.
    Similarly, the Social Security Administration distributes 
the Death Master File to Federal agencies, some State and local 
agencies, but they turn to the NTIS to make it available to 
others, in part because SSA does not currently have the 
capacity or the distribution networks.
    Very quickly, my principal comments here will address what 
NTIS does with the files once we receive them and I'll defer to 
that agency on a description of the preparation of the files, 
other than to say that, on a quarterly basis, they do the full 
Master File and then monthly updates beyond that.
    The Death Master File contains only basic information--
Social Security number, last name, first name, date of death, 
date of birth, State or county of residence, zip code for the 
last residence, and last lump-sum payment.
    Obviously, the Death Master File can be a great help for 
detecting erroneous or fraudulent payments.
    Accordingly, SSA makes it available directly to a number of 
agencies that pay benefits or have other needs for this 
information, such as preparing statistical studies and to 
States which use the list to detect fraud or administrative 
errors, including fraudulent or erroneous food stamp payments, 
for example.
    At the same time, SSA makes the Death Master File available 
to these Federal agencies, they make it available to NTIS for 
reproduction and distribution to others.
    We receive this information on a cartridge via overnight 
mail and copy the information onto magnetic tape or cartridge 
or CD, depending on what our end-user has requested.
    And I want to stress that NTIS will of course be pleased to 
consider other formats.
    It typically takes 1 to 3 days for NTIS to complete this 
production process, having received the cartridge and then 
turning it around.
    We send the file to more than one hundred subscribers, 
either via overnight mail or first-class mail, if that is their 
preference. All formats are sent out at the same time.
    The turn-around time does depend in part on the size of the 
file, but it is not generally a function of the fact that NTIS 
offers it in various formats.
    That is not the source of delay.
    We understand that the Social Security Administration is 
exploring new approaches to making the file available in a more 
timely technological manner. These include sending the file to 
NTIS electronically and sending updates on a weekly, rather 
than monthly, basis.
    Clearly, electronic transfer would certainly reduce the 
turn-around time. Subscribers would probably find it easier to 
obtain just the updates electronically rather than the massive 
Master File.
    In any event, we are committed to working with SSA to 
improve the delivery of this important product.
    Finally, let me express--I understand there's a desire in 
the financial community for a web-based search capability. That 
is an interesting proposal that we will certainly look at.
    And again, NTIS is pleased to look at that further. If 
there's anything that we can or should do to expedite the 
process, we want to do it as soon as possible.
    Thank you, Mr. Chairman.
    [The prepared statement of Hon. Philip J. Bond can be found 
on page 57 in the appendix.]
    Chairman Shaw. Thank you, Mr. Bond.
    Mr. Huse.

STATEMENT OF HON. JAMES G. HUSE, JR., INSPECTOR GENERAL, SOCIAL 
                    SECURITY ADMINISTRATION

    Mr. Huse. Good morning, Mr. Chairman. Thank you for having 
me. Chairwoman Kelly.
    While I have testified on the issue of identity theft 
before various committees in both the House and Senate, the 
issues of September 11th lend a renewed urgency to this issue.
    Identity theft was already a significant problem facing law 
enforcement, the financial industry, and the American public 
before September 11th. In the weeks since that terrible day, it 
has become increasingly apparent that improperly obtained 
Social Security numbers were a factor in the terrorists' 
ability to assimilate themselves into our society while they 
planned their attacks.
    While this has heightened the urgency of the need for 
Congress, the Social Security Administration, and my office to 
take additional steps to protect the integrity of the Social 
Security number, it has not altered the nature of the steps 
that must be taken.
    The Social Security number, no matter how much we avoid 
labeling it as such, is our national identifier. As such, it is 
incumbent upon those of us gathered here to do all in our power 
to protect it and the people to whom it is issued. There are 
three stages at which protections must be in place: upon 
issuance, during the life of the number holder, and upon that 
individual's death.
    With respect to the issuance of SSNs, or what the Social 
Security Administration refers to as the enumeration process, 
our audit and investigative work has revealed a number of 
vulnerabilities and resulted in a number of recommendations.
    The most critical of these recommendations centers around 
the authentication of documents presented by the individual 
applying for an SSN or a replacement Social Security card.
    If we are to preserve the integrity of the SSN, birth 
records, immigration records, and other identification 
documents presented to SSA must be independently verified as 
authentic before an SSN is issued.
    Further, if immigration records are to be relied upon, the 
Immigration and Naturalization Service must be required to 
authenticate those records.
    Regrettably, this will subject the enumeration process to 
delays. But just as we must endure lengthy waits at airports in 
the name of higher security, so must we now sacrifice a degree 
of customer service in the name of SSN integrity.
    H.R.2036, introduced by the Social Security Subcommittee, 
moves us closer to these protections, the importance of which 
cannot be overstated. If we cannot stop the improper issuance 
of SSNs by the Federal Government, then no degree of protection 
after the fact will have any significant effect.
    It would merely be closing the barn door after the horse 
has gone.
    The second and most difficult stage of protecting the SSN 
comes during the life of the number-holder. Because the SSN has 
become so integral a part of our lives, particularly with 
respect to financial transactions, it is difficult to give the 
number the degree of privacy it requires, but there are 
important steps we can take.
    We can limit the SSN's public availability to the greatest 
extent practicable, without unduly limiting commerce. We can 
prohibit the sale of SSNs, prohibit their display on public 
records, and limit their use to valid transactions. And we can 
put in place enforcement mechanisms and stiff penalties to 
further discourage identity theft.
    Finally, we must do more to protect the SSN after the 
number-holder's death. The Social Security Administration 
receives death information from a wide variety of sources and 
compiles a Death Master File, which is updated monthly and 
transmitted to various Federal agencies. It is also required to 
be offered for sale to the public and can be accessed over the 
internet through a number of sources, as we've already heard.
    My concern under the current system is with the accuracy of 
the death information. Accuracy in this area is critical to SSA 
in the administration of its programs, to the financial 
services industry, and to the American people. Our audit work 
has revealed systemic errors in the Death Master File and we 
have recommended steps that SSA can take to improve the 
reliability of this critical data.
    Among these recommendations were matching the Death Master 
File against auxiliary benefit records to ensure that 
individuals receiving benefits in one system are not listed as 
deceased in another, and reconciling 1.3 million deaths 
recorded in SSA's benefit payment files that do not appear in 
the Death Master File.
    We are faced with striking a balance between speed and 
convenience, on the one hand, and accuracy and security on the 
other. This is true in the case of the Death Master File, just 
as it is true in the enumeration process.
    At all three of these stages of an SSN's existence, 
improvement is needed. H.R. 2036 addresses many of these 
concerns. The Social Security Administration, my office, the 
Congress, and the American people must act together to accord 
the SSN the protections appropriate to the power it wields.
    Thank you very much.
    [The prepared statement of Hon. James G. Huse, Jr. can be 
found on page 62 in the appendix.]
    Chairman Shaw. Thank you, Mr. Huse.
    Mr. Streckewald.

    STATEMENT OF FRITZ STRECKEWALD, ACTING ASSISTANT DEPUTY 
   COMMISSIONER FOR DISABILITY AND INCOME SECURITY PROGRAMS, 
                 SOCIAL SECURITY ADMINISTRATION

    Mr. Streckewald. Chairman Shaw, Chairwoman Kelly, Members 
of the subcommittees, thank you for asking me to appear before 
you today to discuss the Social Security Administration's 
collection, maintenance and distribution of death information.
    We use this information for a number of important program 
purposes and the integrity of this information is of utmost 
importance to us.
    SSA's Death Master File was created because of a 1980 
Consent Judgement resulting from a lawsuit brought by a private 
citizen. Under the Freedom of Information Act, we are required 
to disclose the Death Master File to members of the public.
    SSA obtains death reports from many sources, with 90 
percent of the reports obtained from family members and funeral 
homes. The remainder of the information comes from States and 
other Federal agencies through data exchanges and reports from 
postal authorities and financial institutions. We match death 
reports of the approximately 2.5 million people who die 
annually against our payment records and terminate benefits for 
those individuals who are deceased. We annotate the deaths on 
our master Social Security and Supplemental Security Income 
beneficiary records and on the Social Security number record 
file for beneficiaries and non-beneficiaries.
    Since studies have shown that death reports from family 
members and from funeral homes are over 99 percent accurate, we 
do not verify these reports. For our beneficiaries, we are 
currently verifying reports from financial institutions and 
postal authorities after terminating benefits. However, we are 
changing our policy to verify these reports before taking any 
action.
    Reports obtained through data exchange require verification 
through our field offices before an individual's death is 
posted to our payment records and their benefit is terminated. 
This includes death data received from the States.
    We do not verify death reports on persons who don't receive 
Social Security benefits, and it would be difficult for us to 
do so since we do not have addresses or other identifying 
information on these individuals.
    The Death Master File is updated daily based upon reports 
SSA receives and contains approximately 70 million records, 
including Social Security beneficiaries and non-beneficiaries, 
with verified and unverified reports of death.
    If available, the file contains the deceased's SSN, first 
name, middle name, surname, date of death, date of birth, 
State, county, zip code of the last address on our records, and 
the zip code of the lump-sum death payment. The record is also 
annotated to indicate where the report was verified.
    Federal agencies, State and local government, and the 
private sector use the national death data file, and we are 
reimbursed for the cost of providing this information. 
Currently, as required by law, SSA shares the full Death Master 
File with Federal benefit-paying agencies that use the data to 
conduct matches against their own beneficiary rolls, such as 
the Department of Defense and the Office of Personnel 
Management.
    Under the matching agreement with SSA, these agencies are 
required to independently verify the fact of death before 
taking any adverse action.
    The publicly available Death Master File is provided 
monthly to the Department of Commerce, National Technical 
Information Service, or NTIS, which in turn makes it available 
to the public under the Freedom of Information Act. NTIS 
distributes it to subscribers by either tape file or CD-ROM 
version. Some of these private companies, including 
genealogical publishing companies, create their own files from 
the Death Master File. Some private websites have these files 
on line.
    In response to issues raised by the subcommittee Members, 
we are exploring electronically transmitting our Death Master 
File to the NTIS, rather than sending them through Federal 
Express.
    We are prepared to do that immediately, as soon as NTIS is 
ready to receive it. Transmitting the data more frequently is 
also possible, perhaps on a weekly or bi-weekly basis.
    SSA also has an electronic data exchange of all States and 
a large number of Federal agencies. This is an electronic 
overnight query process that enables requesters to enter a 
query for any individual. Using this process, State agencies 
can access our death records so they can ensure that benefits 
are not paid to deceased individuals.
    Finally, I'd like to briefly mention recent initiatives to 
strengthen the enumeration process.
    In response to the events of September 11th and the 
indication that some terrorists had Social Security numbers and 
cards, some of which may have been fraudulently obtained, SSA 
formed a high-level response team to re-examine the enumeration 
process.
    The response team, which includes representatives of SSA's 
Office of the Inspector General, will help determine what 
changes need to be made to ensure that we are taking all 
necessary precautions to prevent those of criminal intent from 
using Social Security numbers and cards to advance their 
operations.
    Thank you again for the opportunity to discuss with your 
committees how SSA gathers and distributes death information.
    I will be glad to answer any questions.
    [The prepared statement of Fritz Streckewald can be found 
on page 73 in the appendix.]
    Chairman Shaw. Thank you.
    Mrs. Bovbjerg.

    STATEMENT OF BARBARA D. BOVBJERG, DIRECTOR, EDUCATION, 
 WORKFORCE AND INCOME SECURITY ISSUES; AND RICHARD J. HILLMAN, 
 DIRECTOR, FINANCIAL MARKETS AND COMMUNITY INVESTMENT ISSUES, 
                   GENERAL ACCOUNTING OFFICE

    Ms. Bovbjerg. Thank you, Mr. Chairman, Members of the 
subcommittees.
    I'm really pleased to be here before the subcommittee again 
and to meet a new subcommittee to me, with my colleague, 
Richard Hillman, to discuss the distribution of death 
information to financial institutions.
    As we've heard, the Social Security Administration collects 
and records the names and Social Security numbers of the more 
than two million Americans who die each year. This information 
is critical to the integrity of the Federal benefit system.
    Properly used and distributed, death information can also 
help prevent the fraudulent use of Social Security numbers to 
steal identities, to obtain false identification documents, and 
to commit financial fraud.
    In light of the recent terrorist attacks, it is more 
important than ever to safeguard Social Security numbers from 
criminal use.
    Accordingly, our testimony today addresses three points. 
First, how death information is collected and distributed and 
how long this takes. Second, how the financial services 
industry uses such information. And third, possible steps to 
improve timeliness of distribution.
    Our observations are based on prior GAO work, preliminary 
work at the SSA and the National Technical Information Service, 
and our discussions with financial services institutions.
    First, let me describe the collection and distribution 
process.
    As we've heard, SSA receives about 90 percent of its death 
information from funeral homes and relatives of the deceased, 
and most of this information reaches SSA within a week of 
death. SSA takes another week to process the information and 
add it to individual Social Security records.
    At the beginning of each month, SSA extracts this death 
information from its records to the Death Master File, and 
sends it to the NTIS. NTIS receives this information by the 
fourth or fifth day of each month and mails it to subscribers 
on tape or on CD-ROM within another 2 to 4 days.
    Overall, most death information reaches these subscribers 
within 1 to 2 months of death, depending on when the death 
notice first reaches Social Security.
    The remaining ten percent of death information comes to SSA 
from other Federal agencies that learn of deaths through data 
matches or undelivered benefit checks and from State vital 
statistics bureaus. However, these death reports are less 
timely than those sent directly from families and funeral 
directors to SSA, and require verification by SSA before they 
can be added to the Master File and distributed.
    Death information may not reach SSA from State reports 
until 3 to 4 months after the date of death and is not 
available to private subscribers.
    Let me now turn to how financial services institutions use 
this information.
    Representatives of such institutions told us they did not 
use a formal process or a central data source to identify 
deceased customers, although most receive death information 
either from family members or, in the case of Social Security 
beneficiaries with direct deposit, from SSA directly.
    However, most also told us that they subscribe to fraud 
prevention products or services offered by credit reporting 
agencies for evaluating new credit applications. All three 
credit reporting agencies subscribe to the Master File and make 
this information available to their customers through these 
proprietary fraud prevention products.
    Most institutions we contacted expressed an interest in 
receiving timely death information with frequent updates. Some 
of these institutions were aware of the Master File, but 
unfamiliar with the information they provide, or of the ability 
to subscribe, while others were not aware of it at all.
    Finally, let me turn to possible steps for improving the 
distribution and use of death information.
    As you've heard, SSA is exploring ways to speed up this 
process and has stated that it would be relatively easy to 
produce updates on a weekly, rather than a monthly, basis. SSA 
and NTIS officials have stated that it should also be possible 
for SSA to transmit updates to NTIS electronically and that 
NTIS could transmit the information to subscribers 
electronically as well.
    SSA is also piloting the electronic death registration 
system, which would enable States to collect and report deaths 
electronically to SSA, both streamlining and centralizing the 
collection reporting of such information.
    However, existing restrictions on distribution of State-
provided data could complicate adoption of such an approach.
    In conclusion, most death information is available to the 
public within 2 months and improvements to the collection and 
transmission processes could make this information more 
complete and more timely. Educating the financial services 
industry about the availability and contents of the Master File 
would also be helpful.
    Such measures are tangible steps that could act to narrow 
the window of time in which a criminal can open new accounts 
using a deceased person's identity and would raise the 
likelihood that such behavior would be detected.
    However, improving the use and timeliness of death 
information will not by itself eliminate identity theft and is 
not a panacea for addressing the larger issue of criminal 
misuse of Social Security numbers.
    That concludes my statement, Madam Chairwoman. Mr. Hillman 
and I would be happy to answer any questions you have.
    Chairwoman Kelly. Thank you very much.
    Mr. Hillman, have you a statement, or is yours the same? 
It's a joint statement?
    Mr. Hillman. Yes, Madam Chairwoman.
    [The prepared joint statement of Barbara D. Bovbjerg and 
Richard J. Hillman can be found on page 87 in the appendix.]
    Chairwoman Kelly. All right. Thank you very much.
    I appreciate you all indulging us up here as some of us are 
leaving to vote. This way, we can keep the hearing going 
without keeping you all in your seats for too long a period of 
time. I'm going to open the questioning.
    Mr. Streckewald, I have a question for you. Actually, I 
have a couple of questions for you.
    On page 6, in your testimony, you describe the State 
verification and exchange system that allows some States and 
some Federal agencies to verify a death within one day. Have 
you considered whether to open it to access by the financial 
services industry?
    Mr. Streckewald. We use that for, as you said, the State 
governments. We have, as far as I know, not looked into using 
it for financial institutions.
    We do have the ability for employers to verify Social 
Security numbers in a batch mode, which is like an overnight 
type of mode as well. And so, employers can send us batches or 
individual Social Security numbers, so that we can verify for 
them.
    I'm not aware that we have specifically looked at the 
financial services' access to the information.
    Chairwoman Kelly. I think that looks like the basis for a 
system that's needed by the financial institutions, so that 
they could do rapid verification.
    Since the Patriot Act requires them to verify the identity 
of any new account-holder, I don't understand why the SSA can't 
commit to allowing that system to be used as part of 
verification procedures.
    Mr. Streckewald. We can certainly take a look at that and 
get back to the subcommittees on what we find.
    [The information referred to can be found on page 82 in the 
appendix.]
    Chairwoman Kelly. I wish you would, please. And to that 
effect, I'm going to send a letter to the Secretary of the 
Treasury with that recommendation to put into their 
regulations, because I think that that's a way of rapidly 
helping our financial institutions.
    I also wondered if the SSA and the NTIS had ever 
collaborated on a study to determine a faster means of getting 
the information to the financial services industry, including 
this one, and including sending it electronically or even 
perhaps, that difficult word, contracting out the entire 
process, from extraction to dissemination.
    Mr. Streckewald. I think with recent events, we've come to 
the conclusion with NTIS that we do need to get this 
information to them quicker and that they need to be able to 
distribute it quicker.
    I think what remains to be worked out is just the details 
of that. It's certainly technologically feasible and as we've 
heard this morning, it seems like both agencies are willing to 
move to perhaps a weekly or biweekly update of the information 
and to transmit electronically rather than through overnight 
mail.
    Chairwoman Kelly. That I read in the testimony. My question 
is, I really want to know how rapidly you're doing that, but 
also there's another piece of this.
    There's a victim. I had my credit card stolen. I think 
there's a lot of people who have had things like that go on. I 
want to know with regard to the Social Security number what 
you're doing to help the victims who have their identity 
stolen, or the families of victims.
    Mr. Streckewald. We have a series of actions that kick into 
place when we hear about this type of event. First of all, we 
refer them to the inspector general hotline because it's 
perhaps a criminal event that needs to be investigated.
    But we also work very closely with the person. We give them 
pamphlets that explain who they can contact. We give them 
referrals to some of the national financial services 
organizations so they can clarify and correct their credit 
ratings.
    So we do have procedures in place for referrals to hotlines 
and other services that can help correct the problem.
    Chairwoman Kelly. It's been my experience in working with 
those that they are not terribly rapid. It takes a while. And 
it takes going through several people to get it done.
    I'm going to ask you this, Mr. Bond, and I would like you 
both to answer both those questions, the prior question and 
this one.
    What's the possibility of allowing people to do this kind 
of thing, to do it perhaps electronically with something as a 
follow-up that would be a verification.
    Mr. Bond. I'm sorry? Just to understand, a verification of 
the receipt of the information or a verification of falsely 
secured numbers?
    Chairwoman Kelly. I'm extending this to the people who are 
the victims of identity theft from the Social Security 
Administration numbers.
    Those people would have to, when you have that happen, if 
it's in your family, you have to deal with a lot of different 
people. What's the electronic possibilities of letting people 
do that electronically, deal with people and do it rapidly, 
rather than having to make a lot of telephone calls?
    Mr. Huse. If I may be permitted, Chairwoman Kelly.
    Chairwoman Kelly. By all means.
    Mr. Huse. The Federal Trade Commission and our office of 
the inspector general have a reciprocal information exchange 
that going forward will only get better. But in the last 2 
years, has rapidly improved the transmission of victim 
information so that it gets to the credit-reporting bureaus 
better than it used to.
    Can it be improved? Yes. Like many other things in 
Government, it is based on this application of resources and 
we're certainly changing our approach to the amount of 
resources we apply to this as this crisis has developed over 
the last 5 years.
    But that's the way it's done. It's better today, and does 
use, by the way, e-mail and electronic transmission, if victims 
have that available to them, to get the information to us.
    From that clearinghouse, then, this information becomes 
available to local, county and State law enforcement.
    Again, I'm not trying to paint a rosy picture here, but at 
least we have the dots on the paper and we're connecting them a 
little bit better than we used to.
    Chairwoman Kelly. What's the timeline on that?
    Mr. Huse. It all depends on the application of resources. 
We work in our budget submission process to try and gain those 
to do this.
    The technology is already there. It really is a matter of 
adjusting IT resources and the human capital that you need to 
make this happen.
    We're just learning that this is an issue that the people 
care about a great deal.
    Mr. Bond. Madam Chairwoman, if I could add to that, too.
    Technologically, of course, there's no reason you can't 
expedite things via the internet and secure communications and 
so forth. It really becomes part of a very fundamental e-
government initiative that both the Congress and the 
Administration have to join hands on.
    The Administration has sent up an aggressive proposal in 
that regard and appointed people at OMB to oversee it, to try 
to really push the agencies more toward quicker, more rapid 
response for our shared constituents.
    But it's going to be a very fundamental effort to apply 
technology to the service of constituents.
    Chairwoman Kelly. What's your timeline?
    Mr. Bond. There is a multi-year plan out of OMB which does 
require some significant funding here on the Hill. And that 
will be one of the many issues in final appropriations 
discussions for this year because the request was not fully 
funded coming out of the two chambers.
    Chairwoman Kelly. So it's a matter of appropriated funds 
from Congress.
    Is that correct?
    Mr. Bond. Absolutely, to upgrade the IT capabilities in 
many of the Federal agencies.
    Mr. Streckewald. If I could, I would reinforce Mr. Bond's 
comments that the Federal Government as a whole, through the 
leadership of OMB and through individual agencies' initiatives, 
is looking at customer-oriented electronic services.
    In some ways, SSA has been providing this with our online 
applications. But this particular example that you're using, 
which is to help people correct identity theft problems, would 
have to be a broad spectrum of stakeholders, financial 
services, Government agencies, States, would have to come 
together and plan this out and construct the communications 
lines and the procedures for solving this.
    But it is technologically feasible and OMB is trying to 
lead us to a more electronically-focused, customer-oriented 
Government.
    Chairwoman Kelly. Mr. Huse.
    Mr. Huse. One more thought on all of this.
    I think we understand now, with this identity fraud crisis 
issue and victim assistance as a key part of it, we've learned 
a lot the last few years that our traditional approaches to 
this just don't cut it. They don't work.
    We have advanced a proposal in the budget process for 
innovative ways to change this model, so that law enforcement, 
Federal law enforcement integrates itself better with local law 
enforcement because it's a total issue. It just can't be 
relegated to the Federal Government or a burden on local 
governments.
    And this model means non-traditional approaches. The key to 
it is rapid and effective information exchange. The work is 
there and the ideas are there.
    In fact, some of this is in 2036. Some of the pieces that 
we need to get this done is in 2036. But I really want to 
assure you, Madam Chairwoman, that we are committed to trying 
to do this.
    But, as I said, as in everything in Government, it is 
resource-dependent.
    Chairwoman Kelly. Most people who come before these 
subcommittees ask for resources. That's not a surprise.
    Mr. Huse. No.
    Chairwoman Kelly. But we're essentially in a terrorist war 
situation.
    One of the things that America has always had is ingenuity. 
This may be the time to do more with less. And I'm not saying 
that you can't get the resources. What I'm simply saying is 
that we have a limited budget. We all know that. And ingenuity 
is going to have to be the order of the day for all of us.
    This may be the time, when you need to have that larger 
meeting, discuss how it's going to go and do it sooner rather 
than later, so you can get help from the financial institutions 
as well as from anyone else who is an interested stakeholder in 
this.
    I want to ask the GAO, since there's no one else who has 
come back from the vote yet, I want to ask you, Barbara, if you 
don't mind, have you considered whether the Social Security 
Administration can open the State verification and exchange 
system to the financial services industry to allow the 
companies to verify?
    Is that something that you've thought about?
    Ms. Bovbjerg. GAO has done a lot of work on data sharing 
and the importance, on the one hand, of sharing information 
that allows you to safeguard benefits and safeguard identity 
and, on the other hand, being concerned about privacy and 
retention of personal information.
    The death records are already public information, at least 
for the most part. What remains to be worked out with the 
States is this question of State restrictions on information 
that they provide that is not verified by SSA. That seems to be 
one of the sticking points. And we do hear about a resource 
question.
    I think we have been interested and have asked about the 
feasibility of doing some sort of online look-up, web-based 
approach that financial institutions could go to directly. And 
we're not in a position to make any recommendations. We would 
have to look at the cost versus benefits. But we thought that 
that might show promise.
    Chairwoman Kelly. Perhaps we should ask for a cost/benefit 
analysis of something like that.
    Ms. Bovbjerg. Well, may I add something?
    Chairwoman Kelly. Yes.
    Ms. Bovbjerg. Excuse me, Ms. Chairwoman.
    We are doing some work that I wanted to call to your 
attention for Congressman Johnson on the Social Security 
Subcommittee that looks at law enforcement and identity theft 
across governments.
    And one of the questions that he has us addressing is 
looking at the lead Federal and State law enforcement agencies 
with responsibilities in identity theft investigation and 
looking at how they cooperate across jurisdiction, including 
across Federal agencies.
    I'm not sure when that work will be published. That's being 
done in another team. But I think that that will help get at 
some of the issues that have been raised this morning.
    Chairwoman Kelly. Thank you, and thank you for volunteering 
that.
    What exposure did you find that financial institutions 
have? If a name is in the Master File and the institution 
processes a payment any way?
    Mr. Hillman, do you want to answer that?
    Mr. Hillman. I'm not exactly sure what the exposure may be 
to a financial institution who processes information and maybe 
provides funds out to an individual of a deceased person.
    But we could find that out for you and let you know.
    Chairwoman Kelly. I would appreciate your taking a look at 
that because that goes to the next question. And that is 
whether or not--I'm trying to get the acronym here--the FFIEC, 
the exam procedures, perhaps should take that into account.
    I don't know if it does or not, but I think it's worth 
taking a look at.
    I'm concerned also with the education of financial 
institutions with regard to what their exposure is and the 
appropriate usage of the Death Master File.
    So perhaps you could take a look at look at that also.
    Mr. Hillman. We'd be happy to do that. We have looked at 
the examination procedures, as you might expect, that financial 
Federal regulators follow in looking at the financial services 
industry.
    And in general, those examination procedures look to the 
safety and soundness of those depository institutions to ensure 
that they have sufficient funds to conduct their businesses.
    They haven't in all cases looked at other important areas 
such as concerns with individuals or constituents. And I agree 
with you that that would be an important topic to further 
study.
    Chairwoman Kelly. Thank you very much.
    Mr. Brady, do you have any questions?
    Mr. Brady. Thank you, Madam Chairwoman. I'm sorry I missed 
the last part of the testimony. But, obviously, to solve this 
problem will take a combination of prevention and enforcement 
in the process.
    We need to do all we can in prevention of identity theft. 
But I think what everyone understands is that, in this open 
society, it will be difficult to close that barn door 
completely, in this open, information-based society.
    So focusing a bit on the enforcement and the punishment 
side of it, what are the chances someone engaging in identity 
theft is going to get caught? What are the consequences in real 
life when they do?
    Who's the best responsible and available to do that, State 
or Federal Government? What role can the business community 
play in catching them?
    And the bottom line, what would it take to make the 
consequences harsher to be a real deterrent to people engaging 
in it?
    And I'll open it up to anyone who's got an opinion.
    Mr. Huse. I'll take the first cut at an answer, Mr. Brady.
    Mr. Brady. All right.
    Mr. Huse. We don't do a great job from a criminal justice 
perspective with identity thieves because it's a relatively new 
crime.
    We have a mixed result if you look across the Federal 
judicial system in terms of sentencing on these crimes. We need 
to do better.
    One of the outreach efforts I think we need to make now 
with the post-9/11 consciousness that we have is to educate 
United States attorneys to the fact that these crimes need to 
be a priority concern in each of the 94 judicial districts.
    That may or may not be the case depending upon where you 
are in the United States. Other trendier crimes get priority.
    Most States have very vigorous and good identity crime 
statutes themselves. So we need to cooperate more with local 
and State law enforcement to prosecute there where we can.
    Clearly, though, the key to identity fraud because it 
transcends all boundaries is there has to be a better 
information-sharing mechanism. And the Congress, when it passed 
the Identity Theft Deterrence Act several years ago, an 
Assumption Deterrence Act several years ago, and established 
the clearing house in the FTC, I assure you that that is 
working and will only get better as we engage it more.
    So that's my first try at an answer.
    Mr. Streckewald. If I could just elaborate a little bit. 
That particular law that was passed in 1998, which for the 
first time made it a Federal crime to fraudulently obtain 
identification, sell identification, or misrepresent yourself 
on obtaining any type of identification.
    And for the first time, the Social Security number was 
included as a means of identification. So that did provide law 
enforcement with an added tool for enforcement.
    Mr. Brady. How many prosecutions have there been?
    Mr. Huse. We can get that for you and follow that up. One 
thing I want to add, Mr. Brady, is one of the provisions of 
2036, if it's passed, gives us some great civil money penalty 
tools.
    Also, for those identity crimes that fall maybe under the 
prosecutorial thresholds in a given judicial district, but 
still have a fact pattern that supports an offense, we can 
sting those people with some money penalties, and I think 
that's a good thing, too.
    Mr. Brady. In real life, what are the consequences for 
getting caught? What's an average sentence, punishment, for 
identity theft?
    Mr. Huse. Well, with sentencing guidelines, probably for a 
first offender, it is several years of confinement. It depends 
on the criminal history involved.
    Mr. Brady. Sure.
    Mr. Huse. But it's a 10-year felony, the misuse is a basic 
Federal felony.
    Mr. Brady. Is there a feel for what first-time, second-time 
offenders, what they traditionally get? I'm not pushing. I'm 
just curious.
    We all know what guidelines are. We all know what happens 
in real life.
    Mr. Huse. As I said, it's confinement for several years. It 
hasn't reached the point, even though the violation is just as 
bad, of having, for example, the emotion involved of a bank 
robbery or something like that. But it's just as pernicious.
    Mr. Brady. What role--can I keep, while I'm on a roll?
    Two questions, really. How can Washington help? Is it to 
create more resources here at the Federal level, or to 
complement better State prosecution efforts?
    Second, what role can the business community play in 
helping us catch and enforce this?
    Mr. Huse. I'll let Barbara answer that.
    Ms. Bovbjerg. I'll step into the breech.
    We have talked in GAO about the need for both prevention 
and for law enforcement. One of the things that we're doing 
right now at the request of Chairman Shaw is looking at uses in 
Government at all levels--Federal agencies, various departments 
in State government, local government, and the courts, looking 
at uses of the number and looking at how the number is being 
safeguarded and developing options that could be considered for 
safeguarding.
    So my answer to your question is more in a prevention side 
and working with SSA as they try to have the balance of making 
information available, but at the same time safeguarding it.
    That's always an issue with some of these web-based----
    Mr. Brady. And clearly, we need to do both. I'm not 
discounting either. I was just focusing on that side because 
I'm not as aware of it.
    And second, it just seems, when you look at the number of 
people who have been hurt by identity theft and fraud, the 
average time it takes to try and clear their name, the costs to 
them, and then on September 11th, we had people who stole 
identities and then stole thousands of people's lives as a 
result of it.
    So the obvious question is, what can we do to punish them 
to the fullest extent, or to deter the next person who has that 
in mind?
    That was my focus.
    Ms. Bovbjerg. And then I turn it over to the law 
enforcement end of the table.
    Mr. Huse. Well, I just wanted to take the piece of the 
question, is it all about resources? And that goes to 
Chairwoman Kelly's earlier comment.
    It doesn't necessarily just mean resources, although some 
modest adjustments are needed here and there because you're 
short some capacity.
    But basically, the key to this is rethinking this 
particular crime top to bottom, and rethinking how we focus on 
this crime.
    We're trying to apply an old model to this that just 
doesn't work. If we could just understand how serious it is, 
that's a big, huge step, and then work with ways to, using the 
magnificent technology that we have, to communicate better.
    I think that's really the answer, rather than some new 
agency or the like.
    Mr. Brady. Thank you. Thank you all very much.
    Chairman Shaw. Before I go to Ms. Hooley, I do have a 
question for you, Mr. Huse.
    Does the law distinguish in the case of identity theft 
between a living person's identity who has been stolen or a 
deceased person?
    Mr. Huse. I don't believe it does. I think the law deals 
with the identity theft. I do know that a deceased person has 
no rights because they're not here to have them. But in terms 
of the identity theft, it still stays the same under the law.
    Again, my staff----
    Mr. Bond. I want to add, my understanding on that is that 
an individual under law is considered to be a living 
individual. And so the rights do not extend to the deceased.
    So when you talk about privacy laws, those are applied to 
living individuals and that is a fine point that I think some 
of the Executive agency lawyers would want to talk to the 
committee staff about in doing forward on your legislation.
    Chairman Shaw. OK. If that answer needs sharpening up, let 
us know.
    Mr. Bond. OK.
    Chairman Shaw. Ms. Hooley.
    Ms. Hooley. Thank you, Mr. Chair.
    In the case of Tyler Bales, you could not give the 
information to local law enforcement agencies, even though 
identity theft is a crime in Oregon.
    So I want to know, do we need to as a body fix that?
    Mr. Huse. Congresswoman, when you were speaking, I jotted 
down on a card that case and I passed it back to our chief 
investigator and I said, we should look at this case.
    I don't know why under the IRS rules they didn't disclose. 
And that may be some arcane rule. I mean, they're governed by 
rules. We are at Social Security.
    But, usually, I'd like to see if there wasn't a way that 
the Social Security Administration might not be able to work 
with that case and take it forward.
    And I'm not criticizing IRS. I'm just not sure.
    Ms. Hooley. What I'm looking for is if we can do that, in 
the case of Oregon where identity theft is a crime.
    Mr. Huse. Right.
    Ms. Hooley. And I'm just trying to figure out, do we need 
to fix it or if it's some rule that can be fixed.
    Mr. Huse. That's why I'd like to look at that.
    Ms. Hooley. OK.
    Mr. Huse. And we'd be glad to talk to your staff about that 
and look into that case and then get back to you, if that's OK.
    Ms. Hooley. OK. I have a couple of other questions.
    The Death Master File, it contains everything that a thief 
would need to get up and running. It's now being transmitted, I 
understand, to 104 customers, up from about 51 in 1999.
    Is that correct?
    Mr. Bond. Yes, that's about right.
    Ms. Hooley. And all of the customers are paying for the 
information.
    Mr. Bond. Correct.
    Ms. Hooley. And do they use it for the purpose to flag 
financial holdings of the deceased individuals or is the 
information being used for other purposes? And if so, what are 
the other purposes?
    Mr. Bond. It is a wide variety of purposes, from security 
to checking for fraud, obviously. I'm just flipping through 
here to try to see, because I had asked that question myself. 
Having just been sworn in on October 30th, I'm trying to find 
out everything I can quickly.
    Ms. Hooley. I think sort of the irony of this thing is----
    Mr. Bond. There are a couple of things that you need to 
know about. One is just the private genealogy sites that people 
talked about. That is one that is used, that you can go to. I 
did my own search and found that the Jasper County Public 
Library in Indiana has got the full Death Master File available 
there.
    So there's a variety of uses out there.
    But the private sector is checking mostly for fraud in 
financial transactions.
    Ms. Hooley. I guess sort of for me the irony is that the 
Internal Revenue Service can't pass the information on to law 
enforcement, but they can sell it to other organizations to be 
used.
    And I just have a bit of a problem with that. Should I?
    Mr. Huse. I don't think any of us here are tax experts. We 
won't even go near there.
    Mr. Bond. All I can add is that by the time it gets to 
NTIS, it is, as was explained, considered subject to the FOIA 
laws, and so it's out there.
    Mr. Streckewald. I have a little more information on the 
uses of that, at least in terms of the customers.
    About 20 percent of the purchasers of the Death Master File 
are public sector groups. Some colleges use it, perhaps for 
research or checking against their databases of students. In 
addition, several private insurance companies use it 
extensively, along with a few banks.
    But there are not a lot of financial institutions on the 
list.
    Mr. Bond. Here's the actual breakdown from NTIS, 
Congresswoman. It's 20 percent State and local, 20 percent 
information brokers, 15 percent insurance companies. Medical 
and cancer research organizations make up 15 percent. Security 
providers, five. Marketing companies, around five percent. 
Credit reporting bureaus and agencies, five percent. Pension 
funds, five percent. Banks and financial institutions, three. 
And genealogy, three.
    Ms. Hooley. Thank you. Thank you and I yield back my time.
    Chairman Shaw. Thank you.
    I want to pursue the question of Ms. Hooley. I want to 
know, those death files, when they're put out, the Social 
Security numbers are on them. And I guess they're readily 
obtainable.
    We know from experience and testimony before these 
subcommittees that they still have value to those that would 
attempt identity theft.
    At the hearing that we had last week, we found that those 
numbers do survive the decedent and have a real purpose in 
State tax returns and things of this nature as an identifier.
    And we also found that the numbers stay exactly the same. 
There's no D for decedent or something put after the number. So 
those numbers are still out there and for the layman looking at 
it, wouldn't know whether that was a decedent or somebody who 
was very much alive.
    What is the suggestion--and I open this to any member of 
the panel, that any of you might have--with how we could 
safeguard those numbers and yet, release them for legitimate 
purposes?
    Obviously, insurance companies need them and some public 
officials need them--public agencies need them, rather.
    Are there any thoughts on that?
    Mr. Streckewald. Yes. Let me see if I can give a couple 
thoughts on that.
    I think it goes to the whole purpose of the Death Master 
File. Originally, it was a court settlement that required us to 
do this under the Freedom of Information Act law. But we sell 
the Death Master File for commercial purposes through NTIS, so 
that those with a reason to know individuals' Social Security 
numbers will know which numbers belong to deceased individuals. 
If a number comes through their system and it matches up with a 
number on the Death Master File, there's a problem.
    So, in fact, the number is flagged. It is annotated when 
you compare it against our Death Master File.
    If the Death Master File is not used extensively, then, of 
course, people won't have awareness of it.
    So, on the one hand, if it's out there, anybody can use it 
and try to take a number from it and create an identity or use 
it to apply for a credit card. But if the financial services 
and insurance companies and others make greater use of the 
Death Master File, then they'll know which numbers belong to 
deceased individuals.
    Chairman Shaw. How can we safeguard that, those lists being 
misused?
    We have to assume that if they're out there, they're being 
marketed, that they are available to the bad guys.
    Mr. Streckewald. From Social Security's perspective, if a 
person uses a Social Security fraudulently to work--sometimes 
numbers are used fraudulently for working--if earnings are 
reported on that number the year after the real number-holder 
dies, then we automatically investigate because we know that 
number belongs to a person who is shown as deceased on our 
records.
    We issue an alert to the field office and they call the 
employer and ask who is this person that's giving these wages 
under this number. On our records, it shows that the number 
belongs to deceased individuals.
    So, again, from the original purposes, earnings 
recordation, we do track back and see if it belongs to a dead 
person and if so, why are earnings being recorded.
    Chairman Shaw. It takes a year. You know the person is 
dead, money is coming in, it is going into his account. Why 
wouldn't it be kicked out in the first----
    Mr. Streckewald. Well, if a person works in January, 
February and dies in March, those earnings are reported to us 
after the end of the year. So we know that we haven't heard 
from the IRS yet until the year is over.
    The next year, if we receive earnings from that person, 
that's suspicious and that triggers an alert.
    Chairman Shaw. Yes, that would be suspicious. How do we 
handle death in foreign countries? Someone has retired in a 
foreign country, their money is being electronically 
transferred to a bank down in Mexico. How is that dealt with?
    Mr. Streckewald. I believe that we receive from embassies 
lists of deceased beneficiaries in foreign countries--they have 
Social Security numbers--so we would annotate our records and 
we would terminate their benefits.
    Chairman Shaw. How do the embassies accumulate that? Now 
here, the funeral home turns them in. The death record is 
required on that.
    So where is it in countries that don't have that process in 
place?
    Mr. Huse. To get to a bottom line here, it's not a perfect 
system and it's totally dependent on cooperation in those 
countries to give that information back to the benefit officers 
that we have in foreign stations.
    So what happens is, periodically, the agency does send out 
a survey team based on ages of beneficiaries--I think they set 
the number in the 1990s, but they're take a look to see if 
those people are still alive in the foreign population areas.
    And those are done on a cycle basis by the international 
operations.
    Mr. Streckewald. It's the international operations. And in 
fact, for countries that are considered to be high risk, such 
as Yemen, they send a team out there.
    Not only do they look at the elderly people, they ask to 
see in person every beneficiary in Yemen. That's one example. 
But we also go to the Philippines regularly and other 
countries.
    Chairman Shaw. Would it help if we actually sent checks to 
foreign countries that required signatures, or is the expense 
of doing that more than the savings on electronic transfer?
    Mr. Streckewald. I think we'd have to take a look at that 
and get back to you. I'm not sure. It certainly would be an 
issue.
    [The information referred to can be found on page 83 in the 
appendix.]
    Chairman Shaw. And actually ask for an endorsement on the 
check. I think people would be a little less likely to endorse 
or forge somebody's name than they would be to just simply let 
the thing slide and let the money continue to accumulate in the 
bank account.
    That's my off-hand opinion.
    Anyway, any further questions? The gentleman from 
Wisconsin?
    Mr. Ryan. No questions.
    Chairman Shaw. OK. Well, at this point, I turn the gavel 
over to Ms. Kelly, who will preside over the next panel.
    Chairwoman Kelly. Let me make the introductions of the 
second panel.
    We have: Mr. Stuart Pratt, Vice President for Government 
Relations, Associated Credit Bureaus;
    Tom Lehner, Executive Vice President for Government 
Affairs, American Financial Services Association;
    Tom Sadaka, Special Counsel, Office of Statewide 
Prosecution, Orlando, Florida. We welcome you, Mr. Sadaka. Am I 
pronouncing that correctly?
    Mr. Sadaka. Sadaka.
    Chairwoman Kelly. John Dugan, Covington & Burling, 
representing the Financial Services Coordinating Council.
    Mark Rotenberg, Executive Director, Electronic Privacy 
Information Center.
    And Evan Hendricks, Editor and Publisher of Privacy Times.
    We welcome you all. We look forward to your testimony. And 
I'd like to advise all Members and witnesses, I intend to keep 
to the 5-minute rule. So I'm going to remind witnesses when 
they have a minute remaining. Please check the clock.
    I will also ask unanimous consent that all Members' 
questions be included in the record. I'd like to begin with 
you, Mr. Pratt.

  STATEMENT OF STUART K. PRATT, VICE PRESIDENT FOR GOVERNMENT 
           RELATIONS, ASSOCIATED CREDIT BUREAUS, INC.

    Mr. Pratt. Thank you both very much for this opportunity to 
appear before this joint hearing today.
    For the record, my name is Stuart Pratt and I am the Vice 
President of Government Relations for the Associated Credit 
Bureaus.
    By way of background, the ACB, as we're commonly known, 
represents more than 500 consumer information companies and 
produce a wide range of products, including fraud prevention, 
risk management, credit reports, mortgage reports, tenant 
employment screening services, check fraud, and verification 
services.
    And so the subject matter here today is obviously very 
relevant to us and all of our members.
    I think it's clear, perhaps more than ever before, that how 
we authenticate, how we verify, and how we ensure the 
authenticity of information in various types of applications is 
an essential need in this country. Unfortunately, I think we've 
learned that for all of the wrong reasons.
    But at the core of this need is also the availability of 
information to be used and deployed in the authentication of 
application processes. And at the core of all of that, in many 
cases still, is the need for the availability of the Social 
Security number, which plays a particularly important role in 
our ability and our members' ability to build authentication 
and fraud prevention products, which then in turn allow us to 
mediate disparate sets of information and bring them back 
together in order to partner with our financial services 
customer bases, insurance and so on, in ensuring that they are, 
in fact, opening up lines of credit, depository accounts and so 
on, for legitimate individuals and for legitimate purposes.
    I want to applaud your subcommittee, of course, and the 
Congress as a whole for the enactment of the USA Patriot Act 
and the very fact that this Act itself recognizes the need to 
have a robust system of authentication, and in turn 
specifically directs the Secretary of the Treasury to establish 
minimum standards for financial institutions to verify account 
applicant information.
    I think, further, Chairman Shaw, in your hearing last week, 
we heard additional challenges in terms of even the enumeration 
process, how do we authenticate and verify information about 
individuals who are making applications for Social Security 
numbers.
    And in fact, I think we heard information in your hearing 
last week about the challenges even the States will face on a 
go-forward basis in authenticating and verifying individuals 
who make applications for something as simple, but as 
consequential, as a driver's license.
    So it's a changed world in which we live.
    The ACB was asked to address some questions or some areas 
in our testimony and I thought I would attempt to do that very 
quickly. And then of course we can amplify on that in questions 
and answers that you may have.
    You first asked how we, as consumer-reporting agencies, use 
the Social Security Administration's Death Master File. And let 
me start by discussing something about the scope of the 
industry that we represent.
    Our three major credit reporting system members--Equifax, 
Experian, and TransUnion--each maintain databases of 
approximately 200 million files on credit-active consumers in 
this country.
    In addition to that, members such as E-funds and Dole & 
Media, maintain Nationwide systems as well that help prevent 
checking account fraud and check fraud at the point of sale and 
further.
    In fact, we estimate, easily, that more than a billion 
consumer reports are sold every year in this country. And those 
consumer reports can carry forward and do carry forward in most 
cases a notification where there is a Death Master File record 
that we have been able to obtain.
    There are many members within our association who are, in 
fact, on that subscriber list. And I thought I would clarify 
one point that I think was lost perhaps in the previous round 
of testimony.
    And that is that, when we say there were not many financial 
institutions on that listing of subscribers, that's in part, 
because the channel of distribution through which the DMF data 
is made available to a majority of the financial institution 
market place is through companies like the ones that we 
represent here with the ACB.
    You've asked about technical problems with the current 
system and I think a lot of that has been covered in previous 
testimony. I think our members are also encouraged by the fact 
that there may be new and different technologies that could be 
brought to bear. There could be greater efficiencies achieved.
    And I think those are the right questions and I think we'll 
have to work toward achieving the right answers.
    Regarding other means of obtaining information, really, the 
only other way that the Associated Credit Bureau's members 
would be aware of an individual having died is through 
notifications that come through the systems directly from 
credit lenders.
    When a credit lender is notified through a trustee of an 
estate, they in turn will notify through coding back to us the 
fact that that consumer's credit account is now associated with 
a deceased individual. And that would be a code that would then 
be included in a statement that would be included and 
referenced on that account in subsequent credit reports issued 
on that individual.
    You've asked about outlining ways in which sources of 
information can be better integrated. And let me just say that 
today, integration is something that we achieve through the 
systems that we have.
    Unfortunately, I do want to state that the FTC's rules 
under GLB restrain us significantly in terms of building fraud 
prevention products outside of the Gramm-Leach-Bliley Act or 
the Fair Credit Reporting Act.
    And let me close by making just a couple of announcements. 
I see I'm slowly losing time here.
    Chairwoman Kelly. Mr. Pratt, you've lost time.
    [Laughter.]
    So if you could sum up, that would be great.
    Mr. Pratt. Two announcements. Number one, we've asked all 
of our DMF subscriber members of the Associated Credit Bureaus 
to convert to monthly receipt. All members will convert to 
monthly subscriptions with the DMF Master File, which I think 
will help escalate and help make information available.
    And number two, our members have established and will work 
with a task force to work with the Social Security 
Administration in working through technology and legal issues 
that might be associated with escalating availability of 
information from the Administration.
    [The prepared statement of Stuart K. Pratt can be found on 
page 100 in the appendix.]
    Chairwoman Kelly. Thank you very much, Mr. Pratt.
    We move now to Mr. Lehner.

  STATEMENT OF THOMAS J. LEHNER, EXECUTIVE VICE PRESIDENT FOR 
  GOVERNMENT AFFAIRS, AMERICAN FINANCIAL SERVICES ASSOCIATION

    Mr. Lehner. Thank you, Chairwoman Kelly, Chairman Shaw, 
Members of the subcommittees. Thank you for inviting me to 
testify today.
    I'm Tom Lehner. I'm the executive vice president of the 
American Financial Services Association. AFSA is the leading 
trade association for market-funded financial services 
companies.
    Our 400 member companies include consumer and commercial 
finance companies, auto finance/leasing companies, mortgage 
lenders, credit card issuers, and industry suppliers.
    I'm here to address the issue of identify theft using 
Social Security numbers and, specifically, the industry's use 
of the Social Security Administration's Death Master File.
    Social Security numbers are the most unique identifier of 
individuals in the United States. The financial services 
industry uses these identifiers for a variety of reasons, such 
as customer verification, credit checks, bankruptcy filings, 
and monetary judgments such as tax liens.
    The use of Social Security numbers is not generally secure. 
They are readily available and, indeed, used by companies, 
State and local governments, motor vehicle departments, 
colleges, and even by consumers who willingly print the numbers 
on the face of their checks.
    Thieves often steal Social Security numbers and ultimately 
the identity of individuals, both living and dead. Financial 
institutions such as credit card companies and banks have also 
incurred significant losses resulting from misuse of Social 
Security numbers.
    Consumers have also experienced monetary losses, impaired 
credit and legal problems because others have amassed debts 
using their identities.
    Financial firms have an obvious interest in making sure 
that individuals who open accounts are who they say they are. 
Companies rely on the Social Security Death Master File to 
protect against theft.
    In most cases, firms do not directly subscribe to the Death 
Master File, but access it indirectly through credit reporting 
agencies or other vendors who do subscribe to it.
    This is both more efficient and less costly to the 
consumer.
    For example, bank issuers of credit cards routinely obtain 
consumer reports on card applicants from credit reporting 
agencies. Because the credit bureaus periodically update their 
files by comparing information to the Death Master File, the 
credit report will contain an indicator if the individual has 
been reported as deceased. And the bank can use this 
information to decline the application or investigate the 
circumstances.
    Other financial firms such as securities broker/dealers 
also access the Death Master File as part of the account-
opening process. This screening is typically done by third-
party vendors who utilize Death Master File information.
    Consumer lenders regularly use information from credit-
reporting agencies to review and adjust the status of existing 
accounts as well. It also helps to verify customers seeking to 
refinance existing mortgages or those who are interested in 
other services offered by the financial institution.
    Naturally, financial firms have other sources of 
information that might indicate that a customer has died and 
that access to the account should be frozen or terminated. The 
principal source is family members who called to notify the 
institution of the death of the customer and may request 
changes in the name on the account or the address where 
statements are sent.
    Lawyers and estate executors are another source of this 
information.
    Whether financial institutions obtain information about 
deceased individuals directly from the Death Master File or 
indirectly from other subscribers, they have an interest in 
obtaining information and data that is accurate and current. 
Delays between the date on which an individual dies and the 
date on which this information is made available to the public 
through the Death Master File increases the opportunity for 
identity thieves to defraud survivors, beneficiaries and 
financial institutions.
    One of the disadvantages of the current Social Security 
numbering system is that the agency is not always immediately 
notified upon the death of an individual. There appears to be 
no requirement for local officials to notify the Social 
Security Administration when someone dies.
    Despite their best intentions, having incomplete and 
incorrect information makes it very difficult for the Social 
Security Administration to issue an accurate Death Master File.
    Many companies have established internal processes that 
deal with fraud and identity theft. In addition, companies work 
with customers who are victims of identity theft and they also 
work with prosecutors to pursue those responsible.
    AFSA supports the efforts to encourage the Social Security 
Administration to obtain death information promptly and report 
it more frequently. We also support the continued dialogue 
between credit-reporting agencies and financial institutions to 
facilitate the flow of the Death Master File information and 
bureau files.
    For example, there may need to be a change in procedures so 
that when creditors report account status information to 
credit-reporting agencies, and this information is placed in a 
file of a customer about whom the bureau has received death 
information, the creditor is made aware of this fact on a 
timely basis.
    We believe that more financial institutions would consider 
subscribing to the data directly if the information provided 
was in real time and more accurate. Whether financial 
institutions obtain information about deceased individuals 
directly from the DMF or indirectly from other subscribers, 
it's in our interest and that of the consumer that we obtain 
correct information.
    We've hopeful that the Social Security Administration will 
make both the procedural and policy changes necessary to ensure 
the security of our individual unique identifiers, our Social 
Security numbers.
    Thank you.
    [The prepared statement of Thomas J. Lehner can be found on 
page 107 in the appendix.]
    Chairwoman Kelly. Thank you very much and thank you for 
limiting your testimony to the time.
    We now move to Mr. Thomas Sadaka.

   STATEMENT OF THOMAS A. SADAKA, SPECIAL COUNSEL, OFFICE OF 
               STATEWIDE PROSECUTION, ORLANDO, FL

    Mr. Sadaka. Chairwoman Kelly, Chairman Shaw, I truly thank 
you for the opportunity to be here today.
    For the record, my name is Thomas Sadaka and I am Special 
Counsel to the Statewide Prosecutor of Florida for computer 
crime and identity theft prosecutions.
    As the only representative of State government, as well as 
State law enforcement, I think a bit of a background is in 
order.
    Florida ranks third in the Nation currently in identity 
theft complaints, according to the FTC. As such, we have 
embarked on a rather strenuous effort to combat and to curb the 
epidemic of identity theft.
    At the request of Gov. Bush and as a result of the Privacy 
Technology Task Force, which addressed issues of Social 
Security abuse, public records abuse, and identity theft in 
general, we have impaneled a State-wide grand jury and have 
partnered with the Florida Department of Law Enforcement to 
focus specifically on identity theft cases as well as what 
Florida can do to minimize the effects of identity theft and 
the victimization of her citizens.
    As such, the use of the Social Security number and the use 
of other public records information has become apparent. It is 
the constant in all of the crimes that we have currently 
investigated.
    The State of Florida, through my office, was instrumental 
in passing an identity theft statute. In 1999, the statute went 
into effect, and at that time, we were one of only three States 
in the Nation to actually criminalize identity theft on the 
local level.
    That is improving. State law enforcement and legislatures 
are quick to enact these laws and are quick to operate on them.
    As such, the investigation and the prosecution of these 
cases is moving along slowly. So while we've addressed the 
after-the-fact dealings of identity theft, we now need to turn 
to the issues of prevention of identity theft.
    The use of the Social Security number and the use of other 
public records information is vitally important to the identity 
thief, as well as to the terrorists and others who want to 
shelter from society who they truly are.
    From the law enforcement encounter with the individual on 
the street to the airport security checker who is relying on 
the State-issued identification card, identity theft has a very 
broad base, both public safety concern as well as financial 
industry concern.
    Our public safety issues are much more in the forefront now 
since September 11th. But we've been addressing these issues 
over the past year to try to develop fraud-proof identification 
as well as uniform identifiers throughout the country so that 
we can rely on information that's provided from other States.
    State driver's license offices rely heavily on the Social 
Security number. Every State requires a Social Security number 
to be provided. Yet, the States don't avail themselves of the 
information available from the Social Security Administration, 
nor the other required information that would be available.
    Several of the States do check the Master Death File. The 
Florida legislature commissioned us in July to conduct a study 
on developing a fraud-proof Florida DL.
    So as part of that, I have been researching what other 
States do in the issuance process of identification cards.
    Of those that do some type of independent verification, 
only a select number of them interact with the death index on a 
real-time basis. And although the Social Security 
Administration has made limited availability for online data 
verification of Social Security, name and geographical region, 
there are no States currently that avail themselves of that 
ability.
    The State of Florida is currently looking into the ability 
to expand their infrastructure such that they can rely on the 
information from the Social Security Administration.
    There are two issues that face Congress. One is, the Social 
Security number has become basically our de facto national 
identifier. There are two subissues to that.
    Do we want that to be the case? And if the Congress' 
decision is that, yes, that is to be the case, then there need 
to be laws and initiatives in place that can basically back up 
the integrity of that number.
    There needs to be the ability of both the financial 
industry as well as State and local governments to verify that 
the Social Security number that's provided by the citizen or by 
the customer is truly that individual's Social Security number.
    We need to confirm that the identify of that person is 
their true identity.
    We rely heavily on breeder documents. There are currently 
262 different birth certificates in circulation in the United 
States. Those linked with Social Security numbers and passports 
and documents that are available from other countries create an 
daunting task on the part of the administrator, who is issuing 
this identification card.
    The Social Security Administration has within its grasp and 
within the other agencies of the Federal Government all of the 
information that is necessary to both the State and local 
governments, as well as the financial industry, to confirm the 
identity of the person who is before them. That information 
needs to be streamlined in its distribution and needs to be 
made available.
    If the other alternative is to not allow the Social 
Security number to be used for that purpose, then we face 
another undaunting task of developing some other unique 
identifier, such that all of our citizens can be comfortable 
that the information that is represented to financial 
industries and to State and local governments is correct and 
accurate information.
    Again, I want to thank you very much for the opportunity to 
be here today and I'd be more than willing to answer any 
questions at the close of the testimony.
    [The prepared statement of Thomas A. Sadaka can be found on 
page 110 in the appendix.]
    Chairwoman Kelly. Thank you very much.
    We now move to Mr. Dugan.

 STATEMENT OF JOHN C. DUGAN, PARTNER, COVINGTON & BURLING, ON 
     BEHALF OF THE FINANCIAL SERVICES COORDINATING COUNCIL

    Mr. Dugan. Thank you very much, Madam Chairwoman, Mr. 
Chairman. It's a pleasure to be here today.
    I'm testifying today on behalf of the Financial Services 
Coordinating Council, or FSCC, whose members are the American 
Bankers Association, the American Council of Life Insurers, the 
American Insurance Association, the Investment Company 
Institute, and the Securities Industry Association.
    The FSCC represents the largest and most diverse group of 
financial institutions in the country, consisting of thousands 
of large and small banks, insurance companies, investment 
companies, and securities firms.
    Together, these financial institutions provide financial 
services to virtually very household in the United States.
    The FSCC continues to believe that the Social Security 
number plays a central role in deterring and detecting fraud 
and identity theft because Social Security numbers are the best 
unique identifier that financial institutions can use to 
determine whether an individual really is who he or she says he 
or she is.
    To that end, the FSCC welcomes the attention the 
subcommittees are giving to the misuse of Social Security 
numbers of deceased individuals.
    My testimony today makes three fundamental points. First, 
Social Security numbers are key unique identifiers that are 
essential to guard against identity theft.
    Second, the SSA's Death Master File is a comprehensive 
record of deceased individuals' Social Security numbers, but 
delays in updating and disseminating this list can create 
opportunities for fraud and identity theft.
    Third, because financial institutions ultimately rely, 
usually indirectly, almost exclusively on the Death Master File 
to determine whether a Social Security number belongs to a 
deceased individual, the more frequently the DMF is updated and 
disseminated and the more accessible that information is, then 
the more effective the list will be as a tool to detect and 
deter fraud and identity theft.
    On the first fundamental point, following the lead of the 
Federal Government, the financial services industry has used 
the Social Security number for many decades as a unique 
identifier for a broad range of responsible purposes.
    For example, our Nation's remarkably efficient credit-
reporting system relies fundamentally on the Social Security 
number as a common identifier to compile disparate information 
from many different sources into a reliable credit report.
    The banking, insurance and securities industries each use 
SSNs as unique identifiers for a variety of important 
regulatory and business transactions, primarily to ensure again 
that the person with whom the financial institution is dealing 
really is that person.
    It's that essential need to verify a person's identity 
using a common unique identifier--the Social Security number--
that leads financial institutions to rely on the reporting of 
deceased individual's SSNs to guard against identity theft.
    We believe there are two keys to preventing the misuse of 
Social Security numbers of deceased individuals.
    First, the list of such numbers must be kept current. 
Second, the current list must be widely accessible and easy to 
search and cross-hatch against a given Social Security number.
    Unfortunately, while the current DMF is used to accomplish 
both these goals, there's clearly room for improvement.
    On the first point, with respect to the currency of 
information in the DMF, there can be significant delays in 
updating the list. These are delays caused by the time taken 
for deaths to be reported to the SSA, delays caused by the 
entry of inaccurate information, and delays caused by the fact 
that the SSA releases comprehensive updates on only a monthly 
basis.
    On the second point, the DMF is not provided in a form that 
is readily searchable. As a result, because it contains such a 
large amount of information, the most practical way to use the 
list, at least for financial institutions, is through 
intermediaries that convert the DMF into a searchable database 
that can be used by financial institutions and others.
    This service by third-party vendors is valuable, but it can 
be costly, and cost can thus be a deterrent to the widespread 
use of the DMF.
    Obviously, if a centralized, searchable database containing 
the DMF were widely available at a reasonable price, it's 
likely that the DMF would be used more routinely for a wider 
variety of authentication checks.
    Let me now conclude by talking about financial 
institutions' use of the Death Master File.
    Although the main purpose of the DMF is to inform the SSA 
that an individual has died, it's also purchased by private 
information vendors. Financial institutions ultimately rely on 
these vendors for accurate information about the status of 
individuals' SSNs.
    Therefore, while the accuracy of the DMF is crucial to 
saving the SSA money, it's equally crucial to financial 
institutions who seek to prevent fraud and identity theft.
    For example, many large banks contract with information 
vendors to compare the bank's list of individuals who have been 
approved for credit cards against the DMF.
    Similarly, banks, securities broker/dealers, mutual fund 
transfer agents, and insurance companies frequently use these 
information vendors to conduct the same kind of search with new 
account openings, changes in parties on accounts, to determine 
whether to allow a client to maintain a margin account, to 
locate lost shareholders, and for other purposes.
    Simply put, the more current the DMF is, then the more 
current the vendor's data is, and the better financial 
institutions can be at uncovering identity theft and other 
fraud.
    And with that, I would conclude. We certainly welcome 
suggestions for achieving both of the goals I've outlined in 
the testimony and we'd be happy to work with the subcommittees 
and their staffs to facilitate these efforts.
    Thank you very much.
    [The prepared statement of John C. Dugan can be found on 
page 113 in the appendix.]
    Chairwoman Kelly. Thank you, Mr. Dugan.
    We move next to Mr. Rotenberg. Mr. Rotenberg, I'm sorry I 
did not have your testimony before we had this hearing. 
Usually, I like to have a chance to read it before.
    But I'm going to be very interested in what you have to say 
today.

  STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
   PRIVACY INFORMATION CENTER; ADJUNCT PROFESSOR, GEORGETOWN 
                     UNIVERSITY LAW CENTER

    Mr. Rotenberg. Well, thank you, Chairwoman Kelly, and 
Chairman Shaw. I would ask that my statement be entered into 
the record and I will briefly summarize the points that I'm 
going to make this morning.
    I appreciate the opportunity to be here. I'm the Director 
of the Electronic Privacy Information Center. We are a public 
interest research group in Washington concerned with privacy 
issues relating to American consumers.
    I have also been on the faculty at Georgetown for more than 
10 years, where I teach the law of information privacy.
    I think it's critical to make clear at the outset for the 
purposes of this hearing that there's a long-standing effort by 
Congress and by the courts to protect the privacy of the Social 
Security number in law. And this has been done from the outset 
out of recognition that the particular status of this number, 
which can be used in so many different contexts, is ripe for 
misuse and abuse and, as we've seen in the last few years, the 
growing crime of identity theft.
    So, for example, Section 7 of the Privacy Act of 1974 makes 
very clear in the collection and use of the SSN that Federal 
agencies may only use the number for certain statutory 
purposes.
    And I'd like to say at the outset that the efforts of 
Chairman Shaw and other Members of the subcommittees to move 
forward legislation, H.R. 2036, which would extend similar 
protections to the private sector and strengthen as well the 
protections in the public sector, is a very important measure 
that I hope you will move quickly in this session.
    Now the second part of the problem to understand is that 
the ID theft problem results from the growing dependence of the 
Social Security number as a general form of identification 
unrelated to the original purpose, which was of course the 
management of SSA benefits.
    And if I may, Chairwoman Kelly, to pick up on your opening 
statement, I'd like to make a brief observation about this case 
involving Lahfti Raisi, who is the Algerian who may be 
responsible, in fact, for training the hijackers in the great 
tragedy of September 11th.
    Now it has been reported that Raisi took advantage of the 
Social Security number of a deceased person in the State of New 
Jersey, presumably to obtain access to facilities in other 
places that he would not otherwise be able to go.
    But it's not clear, at least from the reports that we have 
reviewed, that Raisi sought the Social Security number of a 
deceased person.
    In other words, this may have just been a nine-digit number 
pulled from the air that turned out, in fact, to be the number 
of a person who was deceased.
    And I make this point because it's critical to understand 
that in the area of identity theft, there are many ways to 
create Social Security numbers that are not one's own that 
don't require access to a deceased's SSN.
    You can spoof SSNs in a number of different ways. I can 
look at a Social Security number and probably determine whether 
it's accurate--in fact, a real Social Security number, computer 
programs and financial institutions do this on a regular basis.
    But my point here is I think we need to understand that it 
is the growing dependence on the use of the Social Security 
number and whether that number comes from a person who's 
deceased or whether it's simply made up, is going to be an 
ongoing problem in systems of identification going forward.
    Now this then relates to my third point about the expanded 
use of the Death Master File. And I fully appreciate the 
interest of the financial institutions in having more timely, 
more accurate information on an ongoing basis. So that when 
they are making these determinations about whether or not an 
SSN is the SSN of the person who represents it, they have 
better information on which to make that decision.
    But in expanding the use of the DMF, I'm concerned also 
that it will create new opportunities for misuse and abuse by 
others, who will use that information for other purposes. 
Because, of course, now you will have access to a very 
convenient file in electronic format that will give the public 
a great deal of detailed personal information.
    And so I think an assessment needs to be done. How do you 
ensure that that information will be used only by the financial 
institutions for the appropriate purpose and not by others for 
ill-intended purpose?
    I'd like to conclude, then, with three recommendations.
    The first recommendation, having worked on this issue now 
for more than 10 years, is to urge you once again to think 
about systems of identification that are not solely dependent 
on the Social Security number. It is the SSN that contributes 
to ID theft and our growing use of the SSN leads to more ID 
theft.
    Second, as I suggested at the outset, I think the 
legislation before the subcommittees is excellent.
    And finally, if you do go forward with the proposal to make 
the DMF readily available in electronic format, I urge you to 
create some mechanism of oversight, some way to evaluate, maybe 
a year out, how that information is being used, because it 
could well be the case that that file will become a new source 
of identity theft, and that could simply compound the tragedy.
    Thank you.
    [The prepared statement of Marc Rotenberg can be found on 
page 126 in the appendix.]
    Chairwoman Kelly. Thank you very much.
    We now move to Mr. Hendricks.

  STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, PRIVACY 
                             TIMES

    Mr. Hendricks. Thank you, Madam Chairwoman, and Mr. 
Chairman. My name is Evan Hendricks, Editor and Publisher of 
Privacy Times.
    I've been qualified as an expert in identity theft cases by 
the Federal courts and I realize I'm the last witness between 
not only you and lunch, but the lunch of my son, Daniel, who 
has accompanied me here today.
    Chairwoman Kelly. We welcome your son.
    Mr. Hendricks. Yes, thank you.
    Chairwoman Kelly. Welcome, Daniel.
    Mr. Hendricks. Thank you. This is an important issue. I'm 
grateful to follow my colleague, Marc Rotenberg, because I 
concur in his remarks and incorporate them.
    What we've seen in this terrible tragedy is that not only 
has identity theft figured in the use for passport and visa 
purposes, but also the terrorists supported themselves by 
committing identity theft and credit fraud.
    We followed this in my newsletter, Privacy Times, which is 
in its 21st year; there is an excellent article in the November 
4th, Chicago Tribune which summarizes many of the activities 
they did, including skimming, which is using a machine to swipe 
a card and steal all the information and then make a 
counterfeit card out of it.
    There are two things that fraudsters want in this day and 
age: either a Social Security number so that they can do 
identity theft, or a credit card number and an expiration date.
    We also know that the fraudsters are using stolen credit 
card numbers to buy people's Social Security numbers so that 
then they can commit more identity theft.
    So it's becoming a vicious circle.
    When the World Trade Center tragedy hit, unfortunately, it 
became somewhat like when there's a black-out in New York: the 
thieves know they can break into buildings because there's no 
electronic burglar alarms any more.
    And unfortunately, one of the World Trade victim's friends 
took her credit card and went on a credit joyride, and I'm told 
by my friends at the Privacy Rights Clearinghouse and the 
Identity Theft Resource Center that a plane crash victim was 
going to be picked up by a limo driver who had all his 
information and then went on to commit identity theft.
    As indicated by Congresswoman Hooley's opening remarks, 
there are some really sick people out there and a lot of them 
are now gravitating toward identity theft.
    I come here to say that, like Mr. Rotenberg, the goal of 
privacy laws is to give people control over their personal 
information. And some of the gaps and the weaknesses in our 
current privacy laws help the fraudsters get control over other 
people's information.
    One of the fundamental principles of privacy laws is the 
information collected for one purpose should not be used for 
another purpose without your knowledge and consent. And this is 
at the heart of the Fair Credit Reporting Act, which is one of 
the first privacy laws enacted in 1971, amended by Congress in 
1996.
    It's a good law and it recognizes in practice that there 
are other purposes. And so, the Fair Credit Reporting Act 
defines permissible purposes. And it also gives people 
remedies, private right of action, penalties.
    And I think even my colleague down the table, Mr. Pratt, 
will agree, this privacy law has made the credit-reporting 
industry a better industry. They do a better job handling data. 
They have to be more responsive. And if things go wrong, people 
have a remedy.
    And so I'm also here to dispel the myth because there is 
really not much of a conflict between privacy law and security: 
all of our existing privacy laws make exceptions for law 
enforcement, for health and safety, and for intelligence 
purposes.
    I think if you get into an honest discussion with the 
investigators, you'll see that the privacy law has not impeded 
the investigations here.
    But that's why we look for solutions, as Mr. Rotenberg 
said, we need to take advantage of information technology. We 
need automated exchanges of data.
    Just as the Fair Credit Reporting Act defines purposes and 
gives people a degree of confidence that data will be used for 
permissible purposes, so we need to expand that concept to our 
larger society, including automating any sort of a Master Death 
File that will be shared with the banks on an instant basis, or 
with the credit-reporting agencies, too.
    I also want to agree with Mr. Rotenberg that we need to 
have a national oversight office. Every other western country 
has an independent privacy commissioner that answers to the 
legislative branch.
    We need one, too.
    In terms of three practical solutions, the first is that, 
conceptually, people need to be plugged into their credit 
report. The technology allows for it today, and actually, we're 
gravitating toward this and we need to accelerate it. So if 
there's activity on your credit report, you should receive some 
sort of electronic alert.
    This is not that difficult to set up and it would be one of 
the best ways to guard against identity theft.
    Second of all, though the credit reporting agencies sell a 
service where they can do a trace on SSNs, it's not clear to me 
that they do an audit of their own systems to see how many 
names and addresses are associated with one SSN.
    And if they did that simple audit function, they would 
guard against some real problems and help clean up the 
integrity of their databases.
    The final thing I'd like to mention is something that's 
called single-use credit card numbers. And Ms. Chairwoman, I 
heard that you had your credit card number stolen. I don't know 
if it was by skimming or through a database.
    One company that I work with, called Privasys, has 
developed these prototype cards. You punch your pin number into 
the credit card so it can issue you a single-use number that is 
only good for one purchase.
    So if later that number is stolen, it's worthless.
    And so, there are solutions that we need in law, in 
organizational practice, and in technology.
    Thanks very much. I'd be happy to answer any questions.
    [The prepared statement of Evan Hendricks can be found on 
page 131 in the appendix.]
    Chairwoman Kelly. Thank you, Mr. Hendricks. I'm going to 
ask just a couple of questions.
    Mr. Rotenberg, on page 2 of your statement, I have to say, 
I was multi-tasking up here and reading it at the same time.
    I find this a fascinating statement. It is the financial 
services industry's misplaced reliance on the SSN, lacks 
verification procedures and aggressive marketing, that are 
responsible for the financial consequences of identity theft.
    I want you to enlarge on that.
    Mr. Rotenberg. Well, my point, Chairwoman, is simply that 
the SSN has been moved from the realm of processing Social 
Security benefits within the Federal Government and the purpose 
of tax identification when it become recognized by Congress for 
that purpose in 1961, to a generalized identifier across the 
financial services sector.
    Chairwoman Kelly. Yes, sir, I do understand that. My 
question is why you are blaming--it appears you're blaming the 
financial service industry's use and reliance on that Social 
Security number for some of the fraud.
    As a matter of fact, that integrates with a comment by Mr. 
Pratt when he talks about the Gramm-Leach-Bliley effect on the 
FTC rules.
    I'm wondering if the two of you can tell me--if what my 
interpretation is is a correct one. Are you saying that the 
Gramm-Leach-Bliley bill has had an effect on the use of the SSN 
by the financial services industry that would increase the 
ability for fraud to exist?
    Mr. Pratt. If I may, from our perspective, the point we 
wanted to make in the testimony was simply that the Gramm-
Leach-Bliley Act did take into account that there would be a 
series of exceptions to a consumer's choice for how non-public 
personal information could be transferred. And one of those 
exceptions was for purposes under the Fair Credit Reporting 
Act.
    But the FTC's interpretation appears to foreclose on a 
consumer reporting agency's ability once they have that 
information to then build fraud prevention products that might 
apply to other exceptions within the GLB 502[e] exceptions.
    And clearly, to foreclose on our ability to build a fraud 
prevention or a verification product which would use 
identifying information outside of GLB and outside of the Fair 
Credit Reporting Act.
    So, in that case, the law seems to have tightened down the 
screws a little too tightly on some information that we might 
be able to use.
    Chairwoman Kelly. Do you agree with that, Mr. Rotenberg? 
Anyone is welcome to join in, but I want to ask that 
specifically of Mr. Rotenberg.
    Mr. Rotenberg. Well, I don't agree that one of the 
consequences of GLB was to make the Social Security number more 
widely available to financial institutions. I understand the 
point that it in some ways may restrict certain verification 
procedures.
    But I do want to be clear about the point in my statement 
here. Clearly, the theft itself is not committed by the 
institutions. That's not what I said.
    What I said, that the use of the SSN to link financial 
records across institutions means that when the theft has 
occurred, the damages are amplified.
    And so, when I said earlier that we need to think about 
systems of identification that are not so dependent on the SSN, 
it is very much based on the experience that victims of ID 
theft have had. When their Social Security numbers get out, 
then they lose control of their bank account, their credit 
account, and the other accounts that they may have with 
financial institutions.
    Mr. Hendricks. Madam Chairwoman, can I respond to that?
    Chairwoman Kelly. Mr. Hendricks.
    Mr. Hendricks. I'll give you one example.
    Identity thieves are in the business of getting credit 
fraudulently. They're able to do that because they apply for 
credit in somebody else's name and Social Security number.
    The first problem is the credit-reporting agencies are too 
liberal in disclosing the innocent victim's credit report in 
response to an application made by an imposter. In many of 
these cases, I've seen that the city is different, the address 
is different, and the spelling is different. Yet, they err on 
the side of maximum disclosure from the credit-reporting agency 
to the credit granter, and that's the first problem.
    The second problem is that, if the imposter simply has your 
Social Security number, I've seen cases--if you write these two 
names down--Myra Coleman and Maria Gaten. If you have the same 
Social Security number, their algorithms work so, since there's 
an M and an R and another letter in the first name, that it's 
similar enough to go ahead and disclose the information, even 
though the names are completely different.
    So there are some real application problems that were built 
from earlier days when they were thinking--well, women get 
married, they change their last name. People move a lot. As 
opposed to now, where we have a clear threat of identity theft 
and they need to update their rules for disclosing consumers' 
credit reports.
    Mr. Dugan. Madam Chairwoman, I'd just like to make two 
points.
    Number one, we think the Gramm-Leach-Bliley Act, in fact, 
makes the misuse of Social Security numbers much more unlikely 
because it gives individuals more control over the ability of a 
financial institution to share that information with any non-
affiliated third party, number one.
    And number two, to the extent that information is provided 
for permissible purposes under the Gramm-Leach-Bliley Act, like 
fraud prevention, then the law specifically prohibits the 
recipient from using it for any other purpose.
    So we think that that goes to that point particularly.
    The second point I wanted to make was, it's nice to say 
that it's easy to steal a Social Security number, and, 
therefore, it's easy to steal someone's identity. But think 
what it would be like if you did not have a Social Security 
number used at all for identification purposes.
    What Mr. Sadaka was saying earlier, you have to have some 
way to have a common, unique identifier in many circumstances, 
which is precisely what financial institutions use it for, to 
make sure that they know you are the Madam Sue Kelly that comes 
in the door and not a different Sue Kelly.
    There have to be ways to link that up. And the use of the 
Social Security number is the way we do that. Without it, and 
with improper restrictions on its use, it would increase the 
occurrence of identity theft, not decrease it.
    Chairwoman Kelly. Thank you very much. I have just one 
follow-up for Mr. Pratt.
    What percent of your membership gets the DMF?
    Mr. Pratt. I actually don't have a good answer for you, but 
I'll be happy to follow up.
    Chairwoman Kelly. I wish you would, please.
    Mr. Pratt. And I think your question is in terms of the 
total customer base, how many customers are using the DMF 
product that our members produce.
    Is that it?
    Chairwoman Kelly. I'm going to withhold any of my further 
questions because I've run out of time, and go to Chairman 
Shaw.
    Chairman Shaw. I'd like to direct my question to Mr. Pratt 
again.
    Our subcommittee has heard from many victims of identity 
theft over the last 2 years and there are stories that raise 
some very troubling issues pertaining to harassment and other 
matters.
    First of all, fraudulent accounts were opened using their 
Social Security numbers, even though all of the information on 
the application was actually incorrect, including their names, 
addresses, and even their birthdays. And the Social Security 
number was the only piece of information that was correct on 
these applications.
    A second troubling issue is that credit-reporting agencies 
verified this incorrect information. Verifications of a name, 
address, place of employment, age, or spouse's name were not 
questioned. If the Social Security number matched up, the 
information was verified and the fraudulent application was 
approved.
    First of all, can you explain how these fraudulent 
applications could have been verified or accepted?
    Mr. Pratt. Well, let me go to, if I could break out your 
question into some parts.
    Chairman Shaw. Maybe you could start just by telling us, 
what is the process and what are the checkpoints?
    Mr. Pratt. The checkpoints that we use are the Social 
Security number, the name, the address, and, when available, we 
may be also able to cross-check previous address. Those would 
be the principle cross-checks.
    Clearly, where we have 3 million consumers each year with 
last names changing, our cross-checks try to accommodate the 
fact that marriage and divorce occur and names can change in 
cycle.
    Date of birth, some of the other identifying elements that 
you've indicated might have been on the application are not 
transmitted to the consumer reporting systems.
    These may be issues that are addressed today differently 
than they may have been previously, but the cross-checks we use 
today are Social Security number, name and address.
    In terms of why an application was approved, I'm not trying 
to put the monkey on someone's else back, but of course I can't 
tell you why the application was approved.
    We transmit the information. We show the lender what 
information we believe in our file matches----
    Chairman Shaw. Do you have any indication of where the 
system failed in this event?
    Mr. Pratt. Well, no, sir, I really don't, because I don't 
have the facts in front of me specific to those particular 
situations.
    I'd have to look at those, I suppose, to better understand 
where the failure occurred.
    Chairman Shaw. Let me ask the question of liability 
because, from your previous answer, it sounds like it's nothing 
but negligence on the part of whoever is putting this 
information together.
    Under the current law, are creditors and credit-reporting 
agencies accountable when their negligence contributes to 
identity theft and to other Social Security number misuses?
    Mr. Pratt. Well, I have to resist the industry being 
characterized as negligent under the Fair Credit Reporting Act.
    Chairman Shaw. I'm not characterizing the industry. I'm 
just saying, in the event of negligence, are they liable?
    That's a simple, straightforward question.
    Mr. Pratt. The answer to the question would be, under the 
Fair Credit Reporting Act, we're liable for being accurate. And 
therefore, if we're not accurate and a lender in turn is also 
liable as a user and as a furnisher under the same Fair Credit 
Reporting Act.
    Chairman Shaw. So it's your testimony that they would be 
liable in the cases of negligence.
    Mr. Pratt. There is negligence, there are willful and 
negligent standards under the Fair Credit Reporting Act and 
there are liabilities associated with the accuracy of the 
information and the use of the information.
    Chairman Shaw. I'll have to go to the Act and see exactly 
what it says. What does it say--willful negligence, or do you 
know?
    Mr. Pratt. There are two standards of civil liability, for 
example, and then of course there's administrative enforcement 
through the Federal Trade Commission and other functional 
regulators under the Act.
    But the civil liability standards are willful and 
negligence.
    Chairman Shaw. Ordinary negligence.
    Mr. Pratt. Yes.
    Chairman Shaw. And that makes them liable.
    Mr. Pratt. Those are two standards of liability depending 
on the fact pattern, depending on how the suit is brought, 
against any one of the parties that is regulated under the Act.
    Chairman Shaw. Do you think the creditors and credit-
reporting agencies should be liable for these kinds of 
mistakes?
    Mr. Pratt. Well, I think we're on the same side of this 
along with you. We don't want these mistakes to happen and we 
want accurate information in our files, sir, really.
    Chairman Shaw. If we weren't on the same side, I wouldn't 
be here listening to you.
    Mr. Pratt. I appreciate that.
    Chairman Shaw. We're trying to figure this thing out so 
that we don't disrupt a system of a national identifier that, 
for good reason or bad reason, has been in place now for a 
number of years.
    But we do know that there's been serious misuse. We do know 
that this is the fastest-growing crime in the country today.
    And I personally believe and I think many other people 
personally believe, and I think Mr. Sadaka would agree with me 
on this--Mr. Sadaka, I think you agree that failure to do 
something is going to create a snowball effect and that this 
thing will be totally out of control after a reasonable period 
of time.
    Do you agree with that?
    Mr. Sadaka. Yes, sir, I do.
    Chairman Shaw. Thank you. I yield back my time.
    Chairwoman Kelly. Thank you.
    We go to Mr. Hooley.
    Ms. Hooley. Thank you, Just a couple of quick questions.
    Anyone from the industry side can answer the first 
question. And that is, I understand the need for the industry 
to have this master list, so you can flag your files to prevent 
compromise by an identity thief.
    What else do you do with the information? I mean, you use 
it to flag your files. What else do you do with the 
information?
    Any one of you.
    Mr. Lehner. Well, as I mentioned in my testimony, it's 
oftentimes used to verify information on existing accounts, if 
people change the status of their account for some of our 
mortgage lenders. If a customer is refinancing their home, 
they're changing credit products within a company.
    Usually, that information is asked as a means to verify 
that they are who they say they are.
    Mr. Pratt. Our members as subscribers are using it 
principally for fraud prevention.
    Ms. Hooley. That's what I assume, all of you are using it 
for fraud prevention.
    Mr. Dugan. There are other reasons to use the information: 
to track down or locate lost shareholders, or to review loan 
applications. But principally, it's to make sure that the 
person is who they say they are.
    Ms. Hooley. Would you have any opposition to having it in 
law that the information is solely used to flag the file of a 
deceased individual or for fraud prevention?
    Mr. Pratt. Like all good trade associations, I'd have to go 
back and talk to the members, I guess, and find out whether 
there's anything out there that I'm just not aware of here 
today.
    Ms. Hooley. OK. By the way, Mr. Pratt, thank you very much 
for clearing up the file of Sean. I really appreciate your 
doing that.
    Mr. Pratt. Thank you.
    Ms. Hooley. For either Evan or Marc Rotenberg, are you 
aware of any instances where information from the Death Master 
File has been intercepted by identity thieves?
    Are you aware of that at all?
    Mr. Hendricks. No, not per se. The cases that I've heard 
of, the identity is just doing straight to the local government 
agency and getting information off death certificates. I've 
heard about cases like that and I've asked for more 
documentation of that.
    Ms. Hooley. Do you think we should use it solely for 
flagging the files, using the Death Master list solely for 
flagging the files or for fraud?
    Mr. Hendricks. Yes. You create an automated information 
exchange here and you specify what those purposes are and you 
create penalties for people that violate that and remedies for 
individuals whose privacy is violated.
    I think that's the way to go. And I think if you look at 
the kind of privilege that goes between a lawyer and a client 
or a doctor and a patient, the privacy privilege is not so 
people can hide or keep data secret. It's to allow for the open 
exchange of information for the purposes you need--better 
health care, better legal advice.
    And I want to take that concept and expand it to everything 
in our society. So privacy is protected within certain spheres, 
but that allows for open data exchange within the approves 
spheres.
    Ms. Hooley. Thank you. That's all the questions I have.
    Chairwoman Kelly. Thank you very much. I have a couple of 
other questions. One for all of you as panel members.
    I'd like to know if you can commit to participating on a 
task force with the SSA to solve this problem.
    I think that if we put together--if there's a task force of 
the SSA, the GAO, the Commerce Department, and all of you, we 
could probably get to the root of the problem and get it solved 
much more quickly than every agency acting without consulting 
the others.
    So I'd like to ask for a commitment from all of you to 
being a part of that task force. Can you commit to that?
    Mr. Dugan. Madam Chairwoman, we'd be delighted to commit to 
do that.
    Chairwoman Kelly. Am I hearing that from all of you?
    Mr. Pratt. Our testimony already indicates we support doing 
that.
    Mr. Sadaka. Absolutely, yes.
    Mr. Lehner. Absolutely.
    Mr. Hendricks. Yes.
    Mr. Rotenberg. Yes.
    Mr. Sadaka. We'd be very willing to commit as well.
    Chairwoman Kelly. I thank you very much.
    One final thing for you, Mr. Hendricks. Your son is going 
to have to wait for lunch for one second.
    You said in your testimony that there was an independent 
national office to oversee and enforce the privacy law, was a 
recommendation of the U.S. privacy protection study commission 
in 1976.
    I think it's time we consider something like that and I 
hope that you will consider that within the framework of this 
task force.
    That being so, then I would like to, if there's no more 
questions, the Chair notes that some Members may have 
additional questions for this panel that they may wish to 
submit in writing.
    So without objection, the hearing record is going to remain 
open for 30 days for Members to submit written questions to 
these witnesses and to place their responses in the record.
    On behalf of the subcommittees, I want to thank all of the 
witnesses for taking the time to be here today. I believe it's 
been a very productive hearing that has highlighted a problem 
that can be solved with regards to identity theft.
    This panel is excused with our appreciation. I want to 
thank Chairman Shaw and his staff and other Members and all of 
their assistants, and my staff, for making the hearing 
possible.
    The hearing is adjourned.
    [Whereupon, at 12:25 p.m., the hearing was adjourned.]

















                            A P P E N D I X




                            November 8, 2001













[GRAPHIC] [TIFF OMITTED] T6259.001

[GRAPHIC] [TIFF OMITTED] T6259.002

[GRAPHIC] [TIFF OMITTED] T6259.003

[GRAPHIC] [TIFF OMITTED] T6259.004

[GRAPHIC] [TIFF OMITTED] T6259.005

[GRAPHIC] [TIFF OMITTED] T6259.006

[GRAPHIC] [TIFF OMITTED] T6259.007

[GRAPHIC] [TIFF OMITTED] T6259.008

[GRAPHIC] [TIFF OMITTED] T6259.009

[GRAPHIC] [TIFF OMITTED] T6259.010

[GRAPHIC] [TIFF OMITTED] T6259.011

[GRAPHIC] [TIFF OMITTED] T6259.012

[GRAPHIC] [TIFF OMITTED] T6259.013

[GRAPHIC] [TIFF OMITTED] T6259.014

[GRAPHIC] [TIFF OMITTED] T6259.015

[GRAPHIC] [TIFF OMITTED] T6259.016

[GRAPHIC] [TIFF OMITTED] T6259.017

[GRAPHIC] [TIFF OMITTED] T6259.018

[GRAPHIC] [TIFF OMITTED] T6259.019

[GRAPHIC] [TIFF OMITTED] T6259.020

[GRAPHIC] [TIFF OMITTED] T6259.021

[GRAPHIC] [TIFF OMITTED] T6259.022

[GRAPHIC] [TIFF OMITTED] T6259.023

[GRAPHIC] [TIFF OMITTED] T6259.024

[GRAPHIC] [TIFF OMITTED] T6259.025

[GRAPHIC] [TIFF OMITTED] T6259.026

[GRAPHIC] [TIFF OMITTED] T6259.027

[GRAPHIC] [TIFF OMITTED] T6259.028

[GRAPHIC] [TIFF OMITTED] T6259.029

[GRAPHIC] [TIFF OMITTED] T6259.030

[GRAPHIC] [TIFF OMITTED] T6259.031

[GRAPHIC] [TIFF OMITTED] T6259.032

[GRAPHIC] [TIFF OMITTED] T6259.033

[GRAPHIC] [TIFF OMITTED] T6259.034

[GRAPHIC] [TIFF OMITTED] T6259.035

[GRAPHIC] [TIFF OMITTED] T6259.036

[GRAPHIC] [TIFF OMITTED] T6259.037

[GRAPHIC] [TIFF OMITTED] T6259.038

[GRAPHIC] [TIFF OMITTED] T6259.039

[GRAPHIC] [TIFF OMITTED] T6259.040

[GRAPHIC] [TIFF OMITTED] T6259.041

[GRAPHIC] [TIFF OMITTED] T6259.042

[GRAPHIC] [TIFF OMITTED] T6259.043

[GRAPHIC] [TIFF OMITTED] T6259.044

[GRAPHIC] [TIFF OMITTED] T6259.045

[GRAPHIC] [TIFF OMITTED] T6259.046

[GRAPHIC] [TIFF OMITTED] T6259.047

[GRAPHIC] [TIFF OMITTED] T6259.048

[GRAPHIC] [TIFF OMITTED] T6259.049

[GRAPHIC] [TIFF OMITTED] T6259.050

[GRAPHIC] [TIFF OMITTED] T6259.051

[GRAPHIC] [TIFF OMITTED] T6259.052

[GRAPHIC] [TIFF OMITTED] T6259.053

[GRAPHIC] [TIFF OMITTED] T6259.054

[GRAPHIC] [TIFF OMITTED] T6259.055

[GRAPHIC] [TIFF OMITTED] T6259.056

[GRAPHIC] [TIFF OMITTED] T6259.057

[GRAPHIC] [TIFF OMITTED] T6259.058

[GRAPHIC] [TIFF OMITTED] T6259.059

[GRAPHIC] [TIFF OMITTED] T6259.060

[GRAPHIC] [TIFF OMITTED] T6259.061

[GRAPHIC] [TIFF OMITTED] T6259.062

[GRAPHIC] [TIFF OMITTED] T6259.063

[GRAPHIC] [TIFF OMITTED] T6259.064

[GRAPHIC] [TIFF OMITTED] T6259.065

[GRAPHIC] [TIFF OMITTED] T6259.066

[GRAPHIC] [TIFF OMITTED] T6259.067

[GRAPHIC] [TIFF OMITTED] T6259.068

[GRAPHIC] [TIFF OMITTED] T6259.069

[GRAPHIC] [TIFF OMITTED] T6259.070

[GRAPHIC] [TIFF OMITTED] T6259.071

[GRAPHIC] [TIFF OMITTED] T6259.072

[GRAPHIC] [TIFF OMITTED] T6259.073

[GRAPHIC] [TIFF OMITTED] T6259.074

[GRAPHIC] [TIFF OMITTED] T6259.075

[GRAPHIC] [TIFF OMITTED] T6259.076

[GRAPHIC] [TIFF OMITTED] T6259.077

[GRAPHIC] [TIFF OMITTED] T6259.078

[GRAPHIC] [TIFF OMITTED] T6259.079

[GRAPHIC] [TIFF OMITTED] T6259.080

[GRAPHIC] [TIFF OMITTED] T6259.081

[GRAPHIC] [TIFF OMITTED] T6259.082

[GRAPHIC] [TIFF OMITTED] T6259.083

[GRAPHIC] [TIFF OMITTED] T6259.084

[GRAPHIC] [TIFF OMITTED] T6259.085

[GRAPHIC] [TIFF OMITTED] T6259.086

[GRAPHIC] [TIFF OMITTED] T6259.087

[GRAPHIC] [TIFF OMITTED] T6259.088

[GRAPHIC] [TIFF OMITTED] T6259.089

[GRAPHIC] [TIFF OMITTED] T6259.090

[GRAPHIC] [TIFF OMITTED] T6259.091

[GRAPHIC] [TIFF OMITTED] T6259.092

[GRAPHIC] [TIFF OMITTED] T6259.093

[GRAPHIC] [TIFF OMITTED] T6259.094

[GRAPHIC] [TIFF OMITTED] T6259.095

[GRAPHIC] [TIFF OMITTED] T6259.096

[GRAPHIC] [TIFF OMITTED] T6259.097