[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
PREVENTING IDENTITY THEFT BY TERRORISTS AND CRIMINALS
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON FINANCIAL SERVICES
AND THE
SUBCOMMITTEE ON SOCIAL SECURITY
OF THE
COMMITTEE ON WAYS AND MEANS
OF THE
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 8, 2001
__________
Printed for the use of the Committee on Financial Services and
the Committee on Ways and Means
Serial No. 107-50
(Committee on Financial Services)
Serial No. 107-51
(Committee on Ways and Means)
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2002
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
HOUSE COMMITTEE ON FINANCIAL SERVICES
MICHAEL G. OXLEY, Ohio, Chairman
JAMES A. LEACH, Iowa JOHN J. LaFALCE, New York
MARGE ROUKEMA, New Jersey, Vice BARNEY FRANK, Massachusetts
Chair PAUL E. KANJORSKI, Pennsylvania
DOUG BEREUTER, Nebraska MAXINE WATERS, California
RICHARD H. BAKER, Louisiana CAROLYN B. MALONEY, New York
SPENCER BACHUS, Alabama LUIS V. GUTIERREZ, Illinois
MICHAEL N. CASTLE, Delaware NYDIA M. VELAZQUEZ, New York
PETER T. KING, New York MELVIN L. WATT, North Carolina
EDWARD R. ROYCE, California GARY L. ACKERMAN, New York
FRANK D. LUCAS, Oklahoma KEN BENTSEN, Texas
ROBERT W. NEY, Texas JAMES H. MALONEY, Connecticut
BOB BARR, Georgia DARLENE HOOLEY, Oregon
SUE W. KELLY, New York JULIA CARSON, Indiana
RON PAUL, Texas BRAD SHERMAN, California
PAUL E. GILLMOR, Ohio MAX SANDLIN, Texas
CHRISTOPHER COX, California GREGORY W. MEEKS, New York
DAVE WELDON, Florida BARBARA LEE, California
JIM RYUN, Kansas FRANK MASCARA, Pennsylvania
BOB RILEY, Alabama JAY INSLEE, Washington
STEVEN C. LaTOURETTE, Ohio JANICE D. SCHAKOWSKY, Illinois
DONALD A. MANZULLO, Illinois DENNIS MOORE, Kansas
WALTER B. JONES, North Carolina CHARLES A. GONZALEZ, Texas
DOUG OSE, California STEPHANIE TUBBS JONES, Ohio
JUDY BIGGERT, Illinois MICHAEL E. CAPUANO, Massachusetts
MARK GREEN, Wisconsin HAROLD E. FORD Jr., Tennessee
PATRICK J. TOOMEY, Pennsylvania RUBEN HINOJOSA, Texas
CHRISTOPHER SHAYS, Connecticut KEN LUCAS, Kentucky
JOHN B. SHADEGG, Arizona RONNIE SHOWS, Mississippi
VITO FOSSELLA, New York JOSEPH CROWLEY, New York
GARY G. MILLER, California WILLIAM LACY CLAY, Missouri
ERIC CANTOR, Virginia STEVE ISRAEL, New York
FELIX J. GRUCCI, Jr., New York MIKE ROSS, Arizona
MELISSA A. HART, Pennsylvania
SHELLEY MOORE CAPITO, West Virginia BERNARD SANDERS, Vermont
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
PATRICK J. TIBERI, Ohio
Terry Haines, Chief Counsel and Staff Director
------
Subcommittee on Oversight and Investigations
SUE W. KELLY, New York, Chair
RON PAUL, Ohio, Vice Chairman LUIS V. GUTIERREZ, Illinois
PETER T. KING, New York KEN BENTSEN, Texas
ROBERT W. NEY, Texas JAY INSLEE, Washington
CHRISTOPHER COX, California JANICE D. SCHAKOWSKY, Illinois
DAVE WELDON, Florida DENNIS MOORE, Kansas
WALTER B. JONES, North Carolina MICHAEL CAPUANO, Massachusetts
JOHN B. SHADEGG, Arizona RONNIE SHOWS, Mississippi
VITO FOSSELLA, New York JOSEPH CROWLEY, New York
ERIC CANTOR, Virginia WILLIAM LACY CLAY, Missouri
PATRICK J. TIBERI, Ohio
HOUSE COMMITTEE ON WAYS AND MEANS
BILL THOMAS, California, Chairman
PHILIP M. CRANE, Illinois, CHARLES B. RANGEL, New York
E. CLAY SHAW, Jr., Florida FORTNEY PETE STARK, California
NANCY L. JOHNSON, Connecticut ROBERT T. MATSUI, California
AMO HOUGHTON, New York WILLIAM J. COYNE, Pennsylvania
WALLY HERGER, California SANDER LEVIN, Michigan
JIM McCRERY, Louisiana BENJAMIN L. CARDIN, Maryland
DAVE CAMP, Michigan JIM McDERMOTT, Washington
JIM RAMSTAD, Minnesota GERALD D. KLECZKA, Wisconsin
JIM NUSSLE, Iowa JOHN LEWIS, Georgia
SAM JOHNSON, Texas RICHARD E. NEAL, Massachusetts
JENNIFER DUNN, Washington MICHAEL R. McNULTY, New York
MAC COLLINS, Georgia WILLIAM J. JEFFERSON, Louisiana
ROB PORTMAN, Ohio JOHN S. TANNER, Tennessee
PHILIP S. ENGLISH, Pennsylvania XAVIER BECERRA, California
WES WATKINS, Oklahoma KAREN L. THURMAN, Florida
J.D. HAYWORTH, Arizona LLOYD DOGGETT, Texas
JERRY WELLER, Illinois EARL POMEROY, North Dakota
KENNY HULSHOF, Missouri
SCOTT McINNIS, Colorado
RON LEWIS, Kentucky
MARK FOLEY, Florida
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin
------
Subcommittee on Social Security
E. CLAY SHAW, Jr., Florida, Chairman
SAM JOHNSON, Texas ROBERT T. MATSUI, California
MAC COLLINS, Georgia LLOYD DOGGETT, Texas
J.D. HAYWORTH, Arizona BENJAMIN L. CARDIN, Maryland
KENNY HULSHOF, Missouri EARL POMEROY, North Dakota
RON LEWIS, Kentucky XAVIER BECERRA, California
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin
C O N T E N T S
----------
Page
Hearing held on:
November 8, 2001............................................. 1
Appendix:
November 8, 2001............................................. 45
WITNESSES
Thursday, November 8, 2001
Bond, Hon. Philip J., Under Secretary for Technology, Department
of
Commerce....................................................... 7
Bovbjerg, Barbara D., Director, Education, Workforce and Income
Security Issues, U.S. General Accounting Office................ 13
Dugan, John C., Partner, Covington & Burling, on behalf of the
Financial Services Coordinating Council........................ 32
Hillman, Richard J., Director, Financial Markets and Community
Investment Issues, U.S. General Accounting Office.............. 13
Hendricks, Evan, Editor and Publisher, Privacy Times............. 36
Huse, Hon. James G., Jr., Inspector General, Social Security
Administration................................................. 9
Lehner, Thomas J., Executive Vice President, American Financial
Services Association........................................... 28
Pratt, Stuart K., Vice President, Government Relations,
Associated Credit Bureaus...................................... 26
Rotenberg, Marc, Executive Director, Electronic Privacy
Information Center; Adjunct Professor, Georgetown University
Law Center..................................................... 34
Sadaka, Thomas A., Special Counsel for Computer Crime and
Identity Theft Prosecutions, Florida Office of Statewide
Prosecution.................................................... 30
Streckewald, Fritz, Acting Assistant Deputy Commissioner for
Disability and Income Security Programs, Social Security
Administration................................................. 11
APPENDIX
Prepared statements:
Kelly, Hon. Sue W............................................ 47
Shaw, Hon. E. Clay Jr........................................ 49
Oxley, Hon. Michael G........................................ 46
Cardin, Hon. Benjamin L...................................... 51
Gutierrez, Hon. Luis V....................................... 53
Paul, Hon. Ron............................................... 54
Schakowsky, Hon. Janice D.................................... 56
Bond, Hon. Philip J.......................................... 57
Bovbjerg, Barbara D., and Richard J. Hillman, joint statement 87
Dugan, John C................................................ 113
Hendricks, Evan.............................................. 131
Huse, Hon. James G., Jr...................................... 62
Lehner, Thomas J............................................. 107
Pratt, Stuart K.............................................. 100
Rotenberg, Marc.............................................. 126
Sadaka, Thomas A............................................. 110
Streckewald, Fritz........................................... 73
Additional Material Submitted for the Record
Bovbjerg, Barbara D., and Richard J. Hillman:
Written response to questions from Congressman Gutierrez and
the
Subcommittee on Social Security............................ 96
Dugan, John C.:
Written response to questions from Congressman Gutierrez and
the
Subcommittee on Social Security............................ 123
Hendricks, Evan:
Written response to questions from Congressman Gutierrez and
the
Subcommittee on Social Security............................ 135
Huse, Hon. James G., Jr.:
Written response to questions from Congressman Gutierrez and
the
Subcommittee on Social Security............................ 67
Streckewald, Fritz:
Response to an inquiry from Congresswoman Kelly.............. 82
Response to an inquiry from Congressman Shaw................. 83
Written response to questions from Congressman Gutierrez and
the
Subcommittee on Social Security............................ 84
Comserv, Inc., prepared statement................................ 137
Erisa Industry Committee, prepared statement..................... 140
National Council on Teacher Retirement, prepared statement....... 142
JOINT HEARING: PREVENTING IDENTITY THEFT BY TERRORISTS AND CRIMINALS
----------
THURSDAY, NOVEMBER 8, 2001
U.S. House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Financial Services,
and the
Subcommittee on Social Security,
Committee on Ways and Means,
Washington, DC.
The subcommittees met, pursuant to call, at 10:10 a.m., in
room 2128, Rayburn House Office Building, Hon. Sue W. Kelly,
[chairwoman of the Subcommittee on Oversight and
Investigations], and E. Clay Shaw, Jr., [chairman of the
Subcommittee on Social Security], presiding.
Present from Subcommittee on Oversight and Investigations:
Chairwoman Kelly; Representatives Weldon, Inslee, Tiberi,
Jones, Shows and Clay.
Present from Subcommittee on Social Security: Chairman
Shaw; Representatives Matsui, Cardin, Becerra, Doggett,
Collins, Brady, and Ryan.
Also attending was Congresswoman Hooley.
Chairwoman Kelly. This joint hearing of the Committee on
Financial Services Subcommittee on Oversight and
Investigations, and Committee on Ways and Means Subcommittee on
Social Security, will now come to order.
I welcome today my colleagues, Clay Shaw, and Ben Cardin.
I'm delighted that we also have other colleagues here--Darlene
Hooley. Thank you very much.
I look forward to hearing what the witnesses have to say.
We're here this morning to see how we can prevent the awful
crime and terrible tragedy of identity theft by terrorists and
criminals. Our special intention is to protect the families of
the deceased from such theft and financial fraud at their most
vulnerable moment--when they are grieving from the shock of
their loss.
Through the rapid transmittal of the information in the
Death Master File from the Social Security Administration to
the financial services industry and the immediate use of that
information by the industry, we can prevent these crimes and
spare the families pain.
James Jackson and Derek Cunningham stole hundreds of
thousands of dollars in gems and watches from deceased
executives of our major corporations before being caught by law
enforcement. They stole the identity of the late CEO of Wendy's
International within days after his death and were not arrested
until about 2 months later.
In the past 2 months, we learned that identity theft could
be a tool of the hijackers who murdered thousands of our fellow
citizens, and of their accomplices as well.
Last week, the Inspector General of the Social Security
Administration testified that some of the 19 hijackers used
phony Social Security numbers to perpetrate their murders. And
we know that Lofti Raisi, an Algerian held on suspicion that he
trained four of the hijackers how to fly, used the Social
Security number of a New Jersey woman who has been dead for 10
years.
Even after these events, and after three of us serving on
the Financial Services Committee requested the SSA to ensure
the rapid transmission of the Death Master File, we've received
no commitment from the SSA to take any specific action.
The file is still physically shipped to an agency at the
Commerce Department, where copies are made and physically
shipped to subscribers.
In other words, ``snail-mail.''
There has been no reduction for years in the time that it
takes for the SSA to officially notify the financial services
industry of a death. Identity theft is now part of the first
war of the 21st Century, but the Federal Government is still
treating it in a 1960s way.
That must end. That is why we asked the General Accounting
Office to study the matter and report their findings to the
committee. That is why we're so pleased that the Ways and Means
Subcommittee on Social Security, chaired by my colleague,
Representative Clay Shaw, can join us in holding a joint
hearing today.
We need the Social Security Administration to take bold and
immediate action to get the information to the financial
services industry. We will hear from the SSA, the Commerce
Department, the General Accounting Office, and we expect an
innovative and effective solution.
We also need the financial services industry to ensure that
the information is immediately integrated into databases and
available for permanently deactivating Social Security numbers
of the deceased.
Moreover, with the passage of the USA Patriot Act, there
will soon be Treasury Department regulations requiring them to
verify the identification of new account-holders and for
customers to provide the identification requested by the
companies.
We know that the SSA and financial institutions can meet
this challenge. In the past 3 years, they've already met two
difficult challenges--the Y2K conversion and the aftermath of
the terrorist attacks.
The SSA was a leader among Government agencies in
successfully avoiding the Y2K glitch and the financial
institutions breezed through the turn of the millennium without
a single major problem.
As the acting SSA commissioner testified last week before
Representative Shaw's subcommittee, the SSA regional offices in
the New York and Pennsylvania area reacted with fortitude and
compassion to assist the victims and their families, and I want
to thank the Social Security Administration for their wonderful
assistance to New Yorkers, including the many of those in my
district.
After the horrendous destruction in New York City
interrupted the financial markets and killed many, financial
institutions there and across the country picked themselves up,
dusted off, and got back to work with an amazing speed and
grace, even while mourning their compatriots.
And all of them did all of that, the Y2K conversion and the
recovery from the attacks, without any specific mandate in
Federal law.
Surely, we can work together to meet this challenge before
us now. I urge all parties to get together and, based on the
GAO's findings, leapfrog over the antiquated system now used,
and stop identity theft of the deceased.
Representative Shaw will chair the hearing for the first
panel of witnesses. I will chair the hearing for the second
panel.
Thank you.
[The prepared statement of Hon. Sue W. Kelly can be found
on page 47 in the appendix.]
Chairman Shaw. Thank you, Ms. Kelly. We appreciate being
here in your committee room and being able to join with you in
this hearing this morning.
Today, our two subcommittees join together to examine ways
to prevent identity theft by terrorists and criminals. When
Social Security numbers were created 65 years ago, their only
purpose was to track a worker's earnings so that Social
Security benefits could be calculated. But today, use of the
Social Security number is pervasive.
Our culture is hooked on Social Security numbers.
Businesses and Government use the number as their primary
source of identifying individuals. You can't even conduct the
most frivolous transaction, like renting a video at your local
store, without someone asking you first to render your 9-digit
Social Security ID.
Interestingly enough, I had a doctor's appointment last
Friday. It was a doctor I had never been to before. And I
noticed when I was signing in, my Social Security number was
required.
I mentioned that to him back in the examining room and I
told him, I said, the time is going to come when you're not
going to be able to get that number. And he said, well, I hope
it does, because he had been a victim of identity theft and it
took him many years through the various layers of collection
agencies to finally show that he was not the one that ran the
tremendous debt up on the credit cards.
Your Social Security number is a key that unlocks the doors
to your identity for any unscrupulous individual who gains
access to it. Once the door is unlocked, the criminal or
terrorist has at their fingertips all the essential elements
needed to carry out whatever dastardly act that they conceive.
We now know that some terrorists involved in the September
11th attacks illegally obtained Social Security numbers and
used them to steal identities and obtain false documents, thus
hiding their true identities and their motives. These
unspeakable acts shine an intense spotlight on the need for the
Government and the private industry to be vigilant in
protecting identities. It also demands that safeguards to
prevent identity theft are put in place and put in place now.
Earlier this year, I, along with several of my Ways and
Means colleagues, introduced H.R. 2036, the Social Security
Number Privacy and Identity Theft Prevention Act of 2001. This
bipartisan bill represents a balanced approach to protecting
the privacy of Social Security numbers, while allowing for
their legitimate uses.
Because of its broad scope, the bill has also been referred
to the Committee on Energy and Commerce and the Committee on
Financial Services, in addition to Ways and Means. I urge
prompt action by all three committees so that we may bring this
important legislation to the floor as quickly as possible.
It is a needed part of our Nation's response to terrorism.
Sadly, identity theft is a crime not perpetrated just
against the living. A Washington Post article on Saturday,
September 29th, reported that a man detained in Great Britain
and suspected of training the terrorists who hijacked the
airliners on September 11th, used the Social Security number of
a New Jersey woman who died in 1991.
The Associated Press reported on October 31st, that an
individual from North Carolina had been indicted on charges he
tried to steal the identity of someone killed in the terrorist
attack at the World Trade Center.
Therefore, today, we will take a hard look at the sharing
of death information. The Social Security Administration
maintains the most comprehensive file of death information in
the Federal Government. How this information is compiled, its
accuracy, and the speed with which it is shared with the public
will be explored.
Because the financial services industry relies
fundamentally on Social Security numbers as the common
identifier to assemble accurate financial information, they are
in a unique position to assist in the prevention of Social
Security number fraud and abuse. Their timely receipt of death
information and prompt updating of financial data is key in
preventing identity theft.
In the past, some businesses have not been enthusiastic
about further restricting the use of Social Security numbers.
It is my hope they will rethink their resistance in light of
September 11th.
Identity theft is a national security threat involving life
and property. Safeguards will be made and I predict sooner
rather than later.
Mr. Cardin.
[The prepared statement of Hon. E. Clay Shaw Jr. can be
found on page 49 in the appendix.]
Mr. Cardin. Thank you, Mr. Shaw. Let me thank both Chairman
Shaw and Chairwoman Kelly for convening this joint hearing
today.
This is an extremely important subject. We're working in a
very bipartisan way to do everything we can to prevent identity
theft.
The FBI considers identity theft to be one of the fastest-
growing crimes in the United States. 350,000 cases a year.
We can do better.
The focus of today's hearing is going to spend a lot of
time on the SSA's Death Master File, where it compiles the
names and Social Security numbers of those individuals who have
recently died.
Questions have been raised as to whether those files are as
up-to-date as they need to be and whether that information is
being shared, particularly with financial institutions, in the
most effective way in order to reduce the amount of identity
fraud.
I think there's a joint responsibility here and when the
panel presents their testimony, I hope that they will deal with
this. There's clearly a responsibility by SSA to have the
information available so that we can prevent identity theft.
But there's also responsibility in the private sector,
particularly of financial institutions, as to how they deal
with identity in the use of fraudulent or false information.
Both need to work together in order to accomplish it.
The Chairmen have given us examples that should chill all
of us. The fact that several of the hijackers had fraudulent SS
numbers, that is something that is unacceptable. The fact that
a terrorist apprehended in Britain had a Social Security number
that was from a deceased person that was 10 years old is
unacceptable. We can do better than that.
There is now, of course, a ring of thefts involving
recently-deceased business executives. Ms. Kelly mentioned the
Wendy's executive.
We need to be wiser in how we deal with the Social Security
numbers and updating the data bank at the public level, sharing
with the private sector, to avoid these types of crimes.
I think the questions being raised is whether we can update
these Death Master Files in a more effective way, would that
have prevented some of these ID thefts?
But I must at least raise some additional questions here as
we go through this hearing.
We have the question that the primary purpose, the primary
mission of the SSA's use of the Social Security card is to
maintain earnings records and pay benefits in the case of
death, retirement and disability.
I have concern about making the list more up-to-date and
easier to use, could compromise individual privacy and have the
unintended consequence of making it easier, rather than more
difficult, for people to steal and use false SSNs.
So there are tradeoffs here.
We also have the challenge of joint accounts, where one
person dies and you have another person account. If we all of a
sudden freeze those assets, in a way, we may be causing
unintended problems for our constituents.
So these are not easy issues.
But the bottom line is we cannot accept the number of
thefts that are occurring today through the use of Social
Security numbers. We need to do a better job. And we look
forward to working with the people who will be here today on
our panel and others so that we can effectively combat this
criminal activity.
Thank you, Mr. Chairman.
Chairman Shaw. Thank you.
Mr. Weldon, do you have a statement?
Mr. Weldon. No, thank you, Mr. Chairman.
Chairman Shaw. Mr. Inslee.
Mr. Inslee. No statement, Mr. Chairman.
Chairman Shaw. Mr. Tiberi.
Mr. Tiberi. No, thank you, Mr. Chairman.
Chairman Shaw. Ms. Hooley.
Ms. Hooley. Thank you, Chairman Shaw, and Chairwoman Kelly.
We've heard numerous times today identity theft is an equal
opportunity crime. It affects victims of all ages, all incomes,
and all ethnic backgrounds.
Ms. Kelly told us about Wendy's CEO. But more often than
not, identity theft is something that affects the ordinary
citizen, the person who is working hard, paying their taxes,
and trying to do their best in life.
For example, a little over a year ago, a young man from
Oregon named Sean Bolden, appeared before the full Banking
Committee to testify about his personal nightmare with identity
theft.
In Sean's case, identity thieves had opened dozens of
financial accounts with his Social Security number and, as a
result, at age 23, he was unable to obtain any credit
whatsoever, including student loans.
And then there's the case of the little boy in Salem,
Oregon, named Tyler Bales. Tyler was 16 months old when he lost
his battle with a rare genetic disease called Hurler's
Syndrome.
Now there's nothing more tragic than losing a child.
Unfortunately, the heartache of Tyler's loss hasn't been eased
for his parents.
Not only isn't it hard enough losing a 16-month-old child,
but last spring, the Bales learned, courtesy of the Internal
Revenue Service, that someone claimed Tyler as a dependent on
their 2000 income tax return and, as a result, the Bales'
income tax return was rejected.
As disturbing as that is, it gets worse.
Because of Federal disclosure issues, the IRS cannot give
out the name of the identity theft to the Salem Police
Department, even though identity theft is a felony offense in
Oregon. The thief could live right down the street or 3000
miles away. But because of a loophole in the IRS, the Bales and
the police department will never know who stole their son's
personal information.
Mr. Chair, I submit that Tyler Bales and Sean Bolden are
more than a name, a date of birth, or a Social Security number,
and that's why I've been a strong advocate of stamping out the
crime of identity theft.
In Tyler's case, I introduced H.R. 2077, the ID Theft
Loophole Closure bill. It is in the Ways and Means Committee.
It is a very simple bill that says the IRS, in fact, can give
out the information to the local police.
I know our economy in a large degree depends on the flow of
free information. However, it's imperative that we recognize
that private information is just that--private--and not a
salable commodity or something to be exposed by unscrupulous
individuals.
Literally, this is the fastest-growing crime there is. The
numbers are outrageous. And I could spend some times with
numbers, but I don't want to do that. What I want to express
today is this is happening more and more frequently. It's
happening with people who are committing other crimes.
In Salem, the police department has said that in the last 2
years, ID theft has increased by over 38 percent and much of
that is related to also methamphetamine abuse, is the
motivating factor.
We need to close some of these loopholes. We need to do
something with identity theft, instead of just talk about it.
And I think today's hearing is a good start and I yield back my
time.
Chairman Shaw. Thank you very much.
Now I'd like to introduce our first panel this morning.
We first have:
The Honorable Philip Bond, who is the Undersecretary of
Technology at the United States Department of Commerce;
Jim Huse is no stranger to the subcommittees, he is the
Inspector General of the Social Security Administration;
Fritz Streckewald, Acting Assistant Deputy Commissioner for
Disability and Income Security Programs of the Social Security
Administration;
Barbara Bovbjerg, the Director--Barbara, if I ever fail to
mispronounce your name, would you please call me down on it?
[Laughter.]
Ms. Bovbjerg. It's ``Bo-berg,'' and everyone has trouble
with it.
Chairman Shaw. And it seems, as long as I've known you, I'd
have gotten it right by now.
[Laughter.]
But you certainly are no stranger to the subcommittees,
because you're the Director of Education, Workforce and Income
Security of the General Accounting Office.
And Richard Hillman, who is the Director of the Financial
Markets and Community Investment of the General Accounting
Office.
Welcome to all the witnesses. We have your full statements
and they'll be made a part of the record. You may proceed as
you see fit.
Mr. Bond.
STATEMENT OF HON. PHILIP J. BOND, UNDER SECRETARY FOR
TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE
Mr. Bond. Thank you, Mr. Chairman, Chairwoman Kelly,
Members of both subcommittees. I want to thank you for inviting
me here to address an important issue, obviously of combatting
fraudulent use of Social Security numbers of decreased
individuals.
The National Technical Information Service, NTIS, is a
component of the Department of Commerce. It's involved in this
issue because it makes available to the public the Social
Security Administration's Death Master File extract.
Let me just say by way of preface that as someone who spent
7 years working in the people's house, sitting back there in
the staff row, it's a special and deep honor for me to come
back here and work with you in trying to work toward a solution
and improvement in the system in this regard.
Obviously, September 11th has caused all of us to revisit
and reassess what we're doing in every branch of Government,
and certainly that is true at the Department of Commerce, where
Secretary Evans has us involved deeply in that reassessment.
So I want to commend you for holding this hearing, for the
leadership, and for bringing some attention to this matter. And
I'm confident that as the subcommittees look into this, that
they'll find that technology is part of the solution.
First, very quickly, a bit about NTIS.
For over 50 years, NTIS has collected, organized and
permanently preserved most of the research and technical
reports of the Federal Government. There are today about 3
million information products in its permanent collection.
NTIS, I want to stress, received no appropriated funds. It
is self-sustaining, basically on the sale of these largely
technical manuals and reports.
Many agencies in the Federal Government work with NTIS
because they know the agency has the ability to make their
information products more widely available, beyond their normal
constituency, and in different formats.
Clearly, it would be more expensive if all of the agencies
tried to replicate this infrastructure.
A quick example. The Defense Technical Information Center
provides its technical reports directly to the folks in their
community. But they turn to the NTIS for the release of
unclassified research to the public at large.
Similarly, the Social Security Administration distributes
the Death Master File to Federal agencies, some State and local
agencies, but they turn to the NTIS to make it available to
others, in part because SSA does not currently have the
capacity or the distribution networks.
Very quickly, my principal comments here will address what
NTIS does with the files once we receive them and I'll defer to
that agency on a description of the preparation of the files,
other than to say that, on a quarterly basis, they do the full
Master File and then monthly updates beyond that.
The Death Master File contains only basic information--
Social Security number, last name, first name, date of death,
date of birth, State or county of residence, zip code for the
last residence, and last lump-sum payment.
Obviously, the Death Master File can be a great help for
detecting erroneous or fraudulent payments.
Accordingly, SSA makes it available directly to a number of
agencies that pay benefits or have other needs for this
information, such as preparing statistical studies and to
States which use the list to detect fraud or administrative
errors, including fraudulent or erroneous food stamp payments,
for example.
At the same time, SSA makes the Death Master File available
to these Federal agencies, they make it available to NTIS for
reproduction and distribution to others.
We receive this information on a cartridge via overnight
mail and copy the information onto magnetic tape or cartridge
or CD, depending on what our end-user has requested.
And I want to stress that NTIS will of course be pleased to
consider other formats.
It typically takes 1 to 3 days for NTIS to complete this
production process, having received the cartridge and then
turning it around.
We send the file to more than one hundred subscribers,
either via overnight mail or first-class mail, if that is their
preference. All formats are sent out at the same time.
The turn-around time does depend in part on the size of the
file, but it is not generally a function of the fact that NTIS
offers it in various formats.
That is not the source of delay.
We understand that the Social Security Administration is
exploring new approaches to making the file available in a more
timely technological manner. These include sending the file to
NTIS electronically and sending updates on a weekly, rather
than monthly, basis.
Clearly, electronic transfer would certainly reduce the
turn-around time. Subscribers would probably find it easier to
obtain just the updates electronically rather than the massive
Master File.
In any event, we are committed to working with SSA to
improve the delivery of this important product.
Finally, let me express--I understand there's a desire in
the financial community for a web-based search capability. That
is an interesting proposal that we will certainly look at.
And again, NTIS is pleased to look at that further. If
there's anything that we can or should do to expedite the
process, we want to do it as soon as possible.
Thank you, Mr. Chairman.
[The prepared statement of Hon. Philip J. Bond can be found
on page 57 in the appendix.]
Chairman Shaw. Thank you, Mr. Bond.
Mr. Huse.
STATEMENT OF HON. JAMES G. HUSE, JR., INSPECTOR GENERAL, SOCIAL
SECURITY ADMINISTRATION
Mr. Huse. Good morning, Mr. Chairman. Thank you for having
me. Chairwoman Kelly.
While I have testified on the issue of identity theft
before various committees in both the House and Senate, the
issues of September 11th lend a renewed urgency to this issue.
Identity theft was already a significant problem facing law
enforcement, the financial industry, and the American public
before September 11th. In the weeks since that terrible day, it
has become increasingly apparent that improperly obtained
Social Security numbers were a factor in the terrorists'
ability to assimilate themselves into our society while they
planned their attacks.
While this has heightened the urgency of the need for
Congress, the Social Security Administration, and my office to
take additional steps to protect the integrity of the Social
Security number, it has not altered the nature of the steps
that must be taken.
The Social Security number, no matter how much we avoid
labeling it as such, is our national identifier. As such, it is
incumbent upon those of us gathered here to do all in our power
to protect it and the people to whom it is issued. There are
three stages at which protections must be in place: upon
issuance, during the life of the number holder, and upon that
individual's death.
With respect to the issuance of SSNs, or what the Social
Security Administration refers to as the enumeration process,
our audit and investigative work has revealed a number of
vulnerabilities and resulted in a number of recommendations.
The most critical of these recommendations centers around
the authentication of documents presented by the individual
applying for an SSN or a replacement Social Security card.
If we are to preserve the integrity of the SSN, birth
records, immigration records, and other identification
documents presented to SSA must be independently verified as
authentic before an SSN is issued.
Further, if immigration records are to be relied upon, the
Immigration and Naturalization Service must be required to
authenticate those records.
Regrettably, this will subject the enumeration process to
delays. But just as we must endure lengthy waits at airports in
the name of higher security, so must we now sacrifice a degree
of customer service in the name of SSN integrity.
H.R.2036, introduced by the Social Security Subcommittee,
moves us closer to these protections, the importance of which
cannot be overstated. If we cannot stop the improper issuance
of SSNs by the Federal Government, then no degree of protection
after the fact will have any significant effect.
It would merely be closing the barn door after the horse
has gone.
The second and most difficult stage of protecting the SSN
comes during the life of the number-holder. Because the SSN has
become so integral a part of our lives, particularly with
respect to financial transactions, it is difficult to give the
number the degree of privacy it requires, but there are
important steps we can take.
We can limit the SSN's public availability to the greatest
extent practicable, without unduly limiting commerce. We can
prohibit the sale of SSNs, prohibit their display on public
records, and limit their use to valid transactions. And we can
put in place enforcement mechanisms and stiff penalties to
further discourage identity theft.
Finally, we must do more to protect the SSN after the
number-holder's death. The Social Security Administration
receives death information from a wide variety of sources and
compiles a Death Master File, which is updated monthly and
transmitted to various Federal agencies. It is also required to
be offered for sale to the public and can be accessed over the
internet through a number of sources, as we've already heard.
My concern under the current system is with the accuracy of
the death information. Accuracy in this area is critical to SSA
in the administration of its programs, to the financial
services industry, and to the American people. Our audit work
has revealed systemic errors in the Death Master File and we
have recommended steps that SSA can take to improve the
reliability of this critical data.
Among these recommendations were matching the Death Master
File against auxiliary benefit records to ensure that
individuals receiving benefits in one system are not listed as
deceased in another, and reconciling 1.3 million deaths
recorded in SSA's benefit payment files that do not appear in
the Death Master File.
We are faced with striking a balance between speed and
convenience, on the one hand, and accuracy and security on the
other. This is true in the case of the Death Master File, just
as it is true in the enumeration process.
At all three of these stages of an SSN's existence,
improvement is needed. H.R. 2036 addresses many of these
concerns. The Social Security Administration, my office, the
Congress, and the American people must act together to accord
the SSN the protections appropriate to the power it wields.
Thank you very much.
[The prepared statement of Hon. James G. Huse, Jr. can be
found on page 62 in the appendix.]
Chairman Shaw. Thank you, Mr. Huse.
Mr. Streckewald.
STATEMENT OF FRITZ STRECKEWALD, ACTING ASSISTANT DEPUTY
COMMISSIONER FOR DISABILITY AND INCOME SECURITY PROGRAMS,
SOCIAL SECURITY ADMINISTRATION
Mr. Streckewald. Chairman Shaw, Chairwoman Kelly, Members
of the subcommittees, thank you for asking me to appear before
you today to discuss the Social Security Administration's
collection, maintenance and distribution of death information.
We use this information for a number of important program
purposes and the integrity of this information is of utmost
importance to us.
SSA's Death Master File was created because of a 1980
Consent Judgement resulting from a lawsuit brought by a private
citizen. Under the Freedom of Information Act, we are required
to disclose the Death Master File to members of the public.
SSA obtains death reports from many sources, with 90
percent of the reports obtained from family members and funeral
homes. The remainder of the information comes from States and
other Federal agencies through data exchanges and reports from
postal authorities and financial institutions. We match death
reports of the approximately 2.5 million people who die
annually against our payment records and terminate benefits for
those individuals who are deceased. We annotate the deaths on
our master Social Security and Supplemental Security Income
beneficiary records and on the Social Security number record
file for beneficiaries and non-beneficiaries.
Since studies have shown that death reports from family
members and from funeral homes are over 99 percent accurate, we
do not verify these reports. For our beneficiaries, we are
currently verifying reports from financial institutions and
postal authorities after terminating benefits. However, we are
changing our policy to verify these reports before taking any
action.
Reports obtained through data exchange require verification
through our field offices before an individual's death is
posted to our payment records and their benefit is terminated.
This includes death data received from the States.
We do not verify death reports on persons who don't receive
Social Security benefits, and it would be difficult for us to
do so since we do not have addresses or other identifying
information on these individuals.
The Death Master File is updated daily based upon reports
SSA receives and contains approximately 70 million records,
including Social Security beneficiaries and non-beneficiaries,
with verified and unverified reports of death.
If available, the file contains the deceased's SSN, first
name, middle name, surname, date of death, date of birth,
State, county, zip code of the last address on our records, and
the zip code of the lump-sum death payment. The record is also
annotated to indicate where the report was verified.
Federal agencies, State and local government, and the
private sector use the national death data file, and we are
reimbursed for the cost of providing this information.
Currently, as required by law, SSA shares the full Death Master
File with Federal benefit-paying agencies that use the data to
conduct matches against their own beneficiary rolls, such as
the Department of Defense and the Office of Personnel
Management.
Under the matching agreement with SSA, these agencies are
required to independently verify the fact of death before
taking any adverse action.
The publicly available Death Master File is provided
monthly to the Department of Commerce, National Technical
Information Service, or NTIS, which in turn makes it available
to the public under the Freedom of Information Act. NTIS
distributes it to subscribers by either tape file or CD-ROM
version. Some of these private companies, including
genealogical publishing companies, create their own files from
the Death Master File. Some private websites have these files
on line.
In response to issues raised by the subcommittee Members,
we are exploring electronically transmitting our Death Master
File to the NTIS, rather than sending them through Federal
Express.
We are prepared to do that immediately, as soon as NTIS is
ready to receive it. Transmitting the data more frequently is
also possible, perhaps on a weekly or bi-weekly basis.
SSA also has an electronic data exchange of all States and
a large number of Federal agencies. This is an electronic
overnight query process that enables requesters to enter a
query for any individual. Using this process, State agencies
can access our death records so they can ensure that benefits
are not paid to deceased individuals.
Finally, I'd like to briefly mention recent initiatives to
strengthen the enumeration process.
In response to the events of September 11th and the
indication that some terrorists had Social Security numbers and
cards, some of which may have been fraudulently obtained, SSA
formed a high-level response team to re-examine the enumeration
process.
The response team, which includes representatives of SSA's
Office of the Inspector General, will help determine what
changes need to be made to ensure that we are taking all
necessary precautions to prevent those of criminal intent from
using Social Security numbers and cards to advance their
operations.
Thank you again for the opportunity to discuss with your
committees how SSA gathers and distributes death information.
I will be glad to answer any questions.
[The prepared statement of Fritz Streckewald can be found
on page 73 in the appendix.]
Chairman Shaw. Thank you.
Mrs. Bovbjerg.
STATEMENT OF BARBARA D. BOVBJERG, DIRECTOR, EDUCATION,
WORKFORCE AND INCOME SECURITY ISSUES; AND RICHARD J. HILLMAN,
DIRECTOR, FINANCIAL MARKETS AND COMMUNITY INVESTMENT ISSUES,
GENERAL ACCOUNTING OFFICE
Ms. Bovbjerg. Thank you, Mr. Chairman, Members of the
subcommittees.
I'm really pleased to be here before the subcommittee again
and to meet a new subcommittee to me, with my colleague,
Richard Hillman, to discuss the distribution of death
information to financial institutions.
As we've heard, the Social Security Administration collects
and records the names and Social Security numbers of the more
than two million Americans who die each year. This information
is critical to the integrity of the Federal benefit system.
Properly used and distributed, death information can also
help prevent the fraudulent use of Social Security numbers to
steal identities, to obtain false identification documents, and
to commit financial fraud.
In light of the recent terrorist attacks, it is more
important than ever to safeguard Social Security numbers from
criminal use.
Accordingly, our testimony today addresses three points.
First, how death information is collected and distributed and
how long this takes. Second, how the financial services
industry uses such information. And third, possible steps to
improve timeliness of distribution.
Our observations are based on prior GAO work, preliminary
work at the SSA and the National Technical Information Service,
and our discussions with financial services institutions.
First, let me describe the collection and distribution
process.
As we've heard, SSA receives about 90 percent of its death
information from funeral homes and relatives of the deceased,
and most of this information reaches SSA within a week of
death. SSA takes another week to process the information and
add it to individual Social Security records.
At the beginning of each month, SSA extracts this death
information from its records to the Death Master File, and
sends it to the NTIS. NTIS receives this information by the
fourth or fifth day of each month and mails it to subscribers
on tape or on CD-ROM within another 2 to 4 days.
Overall, most death information reaches these subscribers
within 1 to 2 months of death, depending on when the death
notice first reaches Social Security.
The remaining ten percent of death information comes to SSA
from other Federal agencies that learn of deaths through data
matches or undelivered benefit checks and from State vital
statistics bureaus. However, these death reports are less
timely than those sent directly from families and funeral
directors to SSA, and require verification by SSA before they
can be added to the Master File and distributed.
Death information may not reach SSA from State reports
until 3 to 4 months after the date of death and is not
available to private subscribers.
Let me now turn to how financial services institutions use
this information.
Representatives of such institutions told us they did not
use a formal process or a central data source to identify
deceased customers, although most receive death information
either from family members or, in the case of Social Security
beneficiaries with direct deposit, from SSA directly.
However, most also told us that they subscribe to fraud
prevention products or services offered by credit reporting
agencies for evaluating new credit applications. All three
credit reporting agencies subscribe to the Master File and make
this information available to their customers through these
proprietary fraud prevention products.
Most institutions we contacted expressed an interest in
receiving timely death information with frequent updates. Some
of these institutions were aware of the Master File, but
unfamiliar with the information they provide, or of the ability
to subscribe, while others were not aware of it at all.
Finally, let me turn to possible steps for improving the
distribution and use of death information.
As you've heard, SSA is exploring ways to speed up this
process and has stated that it would be relatively easy to
produce updates on a weekly, rather than a monthly, basis. SSA
and NTIS officials have stated that it should also be possible
for SSA to transmit updates to NTIS electronically and that
NTIS could transmit the information to subscribers
electronically as well.
SSA is also piloting the electronic death registration
system, which would enable States to collect and report deaths
electronically to SSA, both streamlining and centralizing the
collection reporting of such information.
However, existing restrictions on distribution of State-
provided data could complicate adoption of such an approach.
In conclusion, most death information is available to the
public within 2 months and improvements to the collection and
transmission processes could make this information more
complete and more timely. Educating the financial services
industry about the availability and contents of the Master File
would also be helpful.
Such measures are tangible steps that could act to narrow
the window of time in which a criminal can open new accounts
using a deceased person's identity and would raise the
likelihood that such behavior would be detected.
However, improving the use and timeliness of death
information will not by itself eliminate identity theft and is
not a panacea for addressing the larger issue of criminal
misuse of Social Security numbers.
That concludes my statement, Madam Chairwoman. Mr. Hillman
and I would be happy to answer any questions you have.
Chairwoman Kelly. Thank you very much.
Mr. Hillman, have you a statement, or is yours the same?
It's a joint statement?
Mr. Hillman. Yes, Madam Chairwoman.
[The prepared joint statement of Barbara D. Bovbjerg and
Richard J. Hillman can be found on page 87 in the appendix.]
Chairwoman Kelly. All right. Thank you very much.
I appreciate you all indulging us up here as some of us are
leaving to vote. This way, we can keep the hearing going
without keeping you all in your seats for too long a period of
time. I'm going to open the questioning.
Mr. Streckewald, I have a question for you. Actually, I
have a couple of questions for you.
On page 6, in your testimony, you describe the State
verification and exchange system that allows some States and
some Federal agencies to verify a death within one day. Have
you considered whether to open it to access by the financial
services industry?
Mr. Streckewald. We use that for, as you said, the State
governments. We have, as far as I know, not looked into using
it for financial institutions.
We do have the ability for employers to verify Social
Security numbers in a batch mode, which is like an overnight
type of mode as well. And so, employers can send us batches or
individual Social Security numbers, so that we can verify for
them.
I'm not aware that we have specifically looked at the
financial services' access to the information.
Chairwoman Kelly. I think that looks like the basis for a
system that's needed by the financial institutions, so that
they could do rapid verification.
Since the Patriot Act requires them to verify the identity
of any new account-holder, I don't understand why the SSA can't
commit to allowing that system to be used as part of
verification procedures.
Mr. Streckewald. We can certainly take a look at that and
get back to the subcommittees on what we find.
[The information referred to can be found on page 82 in the
appendix.]
Chairwoman Kelly. I wish you would, please. And to that
effect, I'm going to send a letter to the Secretary of the
Treasury with that recommendation to put into their
regulations, because I think that that's a way of rapidly
helping our financial institutions.
I also wondered if the SSA and the NTIS had ever
collaborated on a study to determine a faster means of getting
the information to the financial services industry, including
this one, and including sending it electronically or even
perhaps, that difficult word, contracting out the entire
process, from extraction to dissemination.
Mr. Streckewald. I think with recent events, we've come to
the conclusion with NTIS that we do need to get this
information to them quicker and that they need to be able to
distribute it quicker.
I think what remains to be worked out is just the details
of that. It's certainly technologically feasible and as we've
heard this morning, it seems like both agencies are willing to
move to perhaps a weekly or biweekly update of the information
and to transmit electronically rather than through overnight
mail.
Chairwoman Kelly. That I read in the testimony. My question
is, I really want to know how rapidly you're doing that, but
also there's another piece of this.
There's a victim. I had my credit card stolen. I think
there's a lot of people who have had things like that go on. I
want to know with regard to the Social Security number what
you're doing to help the victims who have their identity
stolen, or the families of victims.
Mr. Streckewald. We have a series of actions that kick into
place when we hear about this type of event. First of all, we
refer them to the inspector general hotline because it's
perhaps a criminal event that needs to be investigated.
But we also work very closely with the person. We give them
pamphlets that explain who they can contact. We give them
referrals to some of the national financial services
organizations so they can clarify and correct their credit
ratings.
So we do have procedures in place for referrals to hotlines
and other services that can help correct the problem.
Chairwoman Kelly. It's been my experience in working with
those that they are not terribly rapid. It takes a while. And
it takes going through several people to get it done.
I'm going to ask you this, Mr. Bond, and I would like you
both to answer both those questions, the prior question and
this one.
What's the possibility of allowing people to do this kind
of thing, to do it perhaps electronically with something as a
follow-up that would be a verification.
Mr. Bond. I'm sorry? Just to understand, a verification of
the receipt of the information or a verification of falsely
secured numbers?
Chairwoman Kelly. I'm extending this to the people who are
the victims of identity theft from the Social Security
Administration numbers.
Those people would have to, when you have that happen, if
it's in your family, you have to deal with a lot of different
people. What's the electronic possibilities of letting people
do that electronically, deal with people and do it rapidly,
rather than having to make a lot of telephone calls?
Mr. Huse. If I may be permitted, Chairwoman Kelly.
Chairwoman Kelly. By all means.
Mr. Huse. The Federal Trade Commission and our office of
the inspector general have a reciprocal information exchange
that going forward will only get better. But in the last 2
years, has rapidly improved the transmission of victim
information so that it gets to the credit-reporting bureaus
better than it used to.
Can it be improved? Yes. Like many other things in
Government, it is based on this application of resources and
we're certainly changing our approach to the amount of
resources we apply to this as this crisis has developed over
the last 5 years.
But that's the way it's done. It's better today, and does
use, by the way, e-mail and electronic transmission, if victims
have that available to them, to get the information to us.
From that clearinghouse, then, this information becomes
available to local, county and State law enforcement.
Again, I'm not trying to paint a rosy picture here, but at
least we have the dots on the paper and we're connecting them a
little bit better than we used to.
Chairwoman Kelly. What's the timeline on that?
Mr. Huse. It all depends on the application of resources.
We work in our budget submission process to try and gain those
to do this.
The technology is already there. It really is a matter of
adjusting IT resources and the human capital that you need to
make this happen.
We're just learning that this is an issue that the people
care about a great deal.
Mr. Bond. Madam Chairwoman, if I could add to that, too.
Technologically, of course, there's no reason you can't
expedite things via the internet and secure communications and
so forth. It really becomes part of a very fundamental e-
government initiative that both the Congress and the
Administration have to join hands on.
The Administration has sent up an aggressive proposal in
that regard and appointed people at OMB to oversee it, to try
to really push the agencies more toward quicker, more rapid
response for our shared constituents.
But it's going to be a very fundamental effort to apply
technology to the service of constituents.
Chairwoman Kelly. What's your timeline?
Mr. Bond. There is a multi-year plan out of OMB which does
require some significant funding here on the Hill. And that
will be one of the many issues in final appropriations
discussions for this year because the request was not fully
funded coming out of the two chambers.
Chairwoman Kelly. So it's a matter of appropriated funds
from Congress.
Is that correct?
Mr. Bond. Absolutely, to upgrade the IT capabilities in
many of the Federal agencies.
Mr. Streckewald. If I could, I would reinforce Mr. Bond's
comments that the Federal Government as a whole, through the
leadership of OMB and through individual agencies' initiatives,
is looking at customer-oriented electronic services.
In some ways, SSA has been providing this with our online
applications. But this particular example that you're using,
which is to help people correct identity theft problems, would
have to be a broad spectrum of stakeholders, financial
services, Government agencies, States, would have to come
together and plan this out and construct the communications
lines and the procedures for solving this.
But it is technologically feasible and OMB is trying to
lead us to a more electronically-focused, customer-oriented
Government.
Chairwoman Kelly. Mr. Huse.
Mr. Huse. One more thought on all of this.
I think we understand now, with this identity fraud crisis
issue and victim assistance as a key part of it, we've learned
a lot the last few years that our traditional approaches to
this just don't cut it. They don't work.
We have advanced a proposal in the budget process for
innovative ways to change this model, so that law enforcement,
Federal law enforcement integrates itself better with local law
enforcement because it's a total issue. It just can't be
relegated to the Federal Government or a burden on local
governments.
And this model means non-traditional approaches. The key to
it is rapid and effective information exchange. The work is
there and the ideas are there.
In fact, some of this is in 2036. Some of the pieces that
we need to get this done is in 2036. But I really want to
assure you, Madam Chairwoman, that we are committed to trying
to do this.
But, as I said, as in everything in Government, it is
resource-dependent.
Chairwoman Kelly. Most people who come before these
subcommittees ask for resources. That's not a surprise.
Mr. Huse. No.
Chairwoman Kelly. But we're essentially in a terrorist war
situation.
One of the things that America has always had is ingenuity.
This may be the time to do more with less. And I'm not saying
that you can't get the resources. What I'm simply saying is
that we have a limited budget. We all know that. And ingenuity
is going to have to be the order of the day for all of us.
This may be the time, when you need to have that larger
meeting, discuss how it's going to go and do it sooner rather
than later, so you can get help from the financial institutions
as well as from anyone else who is an interested stakeholder in
this.
I want to ask the GAO, since there's no one else who has
come back from the vote yet, I want to ask you, Barbara, if you
don't mind, have you considered whether the Social Security
Administration can open the State verification and exchange
system to the financial services industry to allow the
companies to verify?
Is that something that you've thought about?
Ms. Bovbjerg. GAO has done a lot of work on data sharing
and the importance, on the one hand, of sharing information
that allows you to safeguard benefits and safeguard identity
and, on the other hand, being concerned about privacy and
retention of personal information.
The death records are already public information, at least
for the most part. What remains to be worked out with the
States is this question of State restrictions on information
that they provide that is not verified by SSA. That seems to be
one of the sticking points. And we do hear about a resource
question.
I think we have been interested and have asked about the
feasibility of doing some sort of online look-up, web-based
approach that financial institutions could go to directly. And
we're not in a position to make any recommendations. We would
have to look at the cost versus benefits. But we thought that
that might show promise.
Chairwoman Kelly. Perhaps we should ask for a cost/benefit
analysis of something like that.
Ms. Bovbjerg. Well, may I add something?
Chairwoman Kelly. Yes.
Ms. Bovbjerg. Excuse me, Ms. Chairwoman.
We are doing some work that I wanted to call to your
attention for Congressman Johnson on the Social Security
Subcommittee that looks at law enforcement and identity theft
across governments.
And one of the questions that he has us addressing is
looking at the lead Federal and State law enforcement agencies
with responsibilities in identity theft investigation and
looking at how they cooperate across jurisdiction, including
across Federal agencies.
I'm not sure when that work will be published. That's being
done in another team. But I think that that will help get at
some of the issues that have been raised this morning.
Chairwoman Kelly. Thank you, and thank you for volunteering
that.
What exposure did you find that financial institutions
have? If a name is in the Master File and the institution
processes a payment any way?
Mr. Hillman, do you want to answer that?
Mr. Hillman. I'm not exactly sure what the exposure may be
to a financial institution who processes information and maybe
provides funds out to an individual of a deceased person.
But we could find that out for you and let you know.
Chairwoman Kelly. I would appreciate your taking a look at
that because that goes to the next question. And that is
whether or not--I'm trying to get the acronym here--the FFIEC,
the exam procedures, perhaps should take that into account.
I don't know if it does or not, but I think it's worth
taking a look at.
I'm concerned also with the education of financial
institutions with regard to what their exposure is and the
appropriate usage of the Death Master File.
So perhaps you could take a look at look at that also.
Mr. Hillman. We'd be happy to do that. We have looked at
the examination procedures, as you might expect, that financial
Federal regulators follow in looking at the financial services
industry.
And in general, those examination procedures look to the
safety and soundness of those depository institutions to ensure
that they have sufficient funds to conduct their businesses.
They haven't in all cases looked at other important areas
such as concerns with individuals or constituents. And I agree
with you that that would be an important topic to further
study.
Chairwoman Kelly. Thank you very much.
Mr. Brady, do you have any questions?
Mr. Brady. Thank you, Madam Chairwoman. I'm sorry I missed
the last part of the testimony. But, obviously, to solve this
problem will take a combination of prevention and enforcement
in the process.
We need to do all we can in prevention of identity theft.
But I think what everyone understands is that, in this open
society, it will be difficult to close that barn door
completely, in this open, information-based society.
So focusing a bit on the enforcement and the punishment
side of it, what are the chances someone engaging in identity
theft is going to get caught? What are the consequences in real
life when they do?
Who's the best responsible and available to do that, State
or Federal Government? What role can the business community
play in catching them?
And the bottom line, what would it take to make the
consequences harsher to be a real deterrent to people engaging
in it?
And I'll open it up to anyone who's got an opinion.
Mr. Huse. I'll take the first cut at an answer, Mr. Brady.
Mr. Brady. All right.
Mr. Huse. We don't do a great job from a criminal justice
perspective with identity thieves because it's a relatively new
crime.
We have a mixed result if you look across the Federal
judicial system in terms of sentencing on these crimes. We need
to do better.
One of the outreach efforts I think we need to make now
with the post-9/11 consciousness that we have is to educate
United States attorneys to the fact that these crimes need to
be a priority concern in each of the 94 judicial districts.
That may or may not be the case depending upon where you
are in the United States. Other trendier crimes get priority.
Most States have very vigorous and good identity crime
statutes themselves. So we need to cooperate more with local
and State law enforcement to prosecute there where we can.
Clearly, though, the key to identity fraud because it
transcends all boundaries is there has to be a better
information-sharing mechanism. And the Congress, when it passed
the Identity Theft Deterrence Act several years ago, an
Assumption Deterrence Act several years ago, and established
the clearing house in the FTC, I assure you that that is
working and will only get better as we engage it more.
So that's my first try at an answer.
Mr. Streckewald. If I could just elaborate a little bit.
That particular law that was passed in 1998, which for the
first time made it a Federal crime to fraudulently obtain
identification, sell identification, or misrepresent yourself
on obtaining any type of identification.
And for the first time, the Social Security number was
included as a means of identification. So that did provide law
enforcement with an added tool for enforcement.
Mr. Brady. How many prosecutions have there been?
Mr. Huse. We can get that for you and follow that up. One
thing I want to add, Mr. Brady, is one of the provisions of
2036, if it's passed, gives us some great civil money penalty
tools.
Also, for those identity crimes that fall maybe under the
prosecutorial thresholds in a given judicial district, but
still have a fact pattern that supports an offense, we can
sting those people with some money penalties, and I think
that's a good thing, too.
Mr. Brady. In real life, what are the consequences for
getting caught? What's an average sentence, punishment, for
identity theft?
Mr. Huse. Well, with sentencing guidelines, probably for a
first offender, it is several years of confinement. It depends
on the criminal history involved.
Mr. Brady. Sure.
Mr. Huse. But it's a 10-year felony, the misuse is a basic
Federal felony.
Mr. Brady. Is there a feel for what first-time, second-time
offenders, what they traditionally get? I'm not pushing. I'm
just curious.
We all know what guidelines are. We all know what happens
in real life.
Mr. Huse. As I said, it's confinement for several years. It
hasn't reached the point, even though the violation is just as
bad, of having, for example, the emotion involved of a bank
robbery or something like that. But it's just as pernicious.
Mr. Brady. What role--can I keep, while I'm on a roll?
Two questions, really. How can Washington help? Is it to
create more resources here at the Federal level, or to
complement better State prosecution efforts?
Second, what role can the business community play in
helping us catch and enforce this?
Mr. Huse. I'll let Barbara answer that.
Ms. Bovbjerg. I'll step into the breech.
We have talked in GAO about the need for both prevention
and for law enforcement. One of the things that we're doing
right now at the request of Chairman Shaw is looking at uses in
Government at all levels--Federal agencies, various departments
in State government, local government, and the courts, looking
at uses of the number and looking at how the number is being
safeguarded and developing options that could be considered for
safeguarding.
So my answer to your question is more in a prevention side
and working with SSA as they try to have the balance of making
information available, but at the same time safeguarding it.
That's always an issue with some of these web-based----
Mr. Brady. And clearly, we need to do both. I'm not
discounting either. I was just focusing on that side because
I'm not as aware of it.
And second, it just seems, when you look at the number of
people who have been hurt by identity theft and fraud, the
average time it takes to try and clear their name, the costs to
them, and then on September 11th, we had people who stole
identities and then stole thousands of people's lives as a
result of it.
So the obvious question is, what can we do to punish them
to the fullest extent, or to deter the next person who has that
in mind?
That was my focus.
Ms. Bovbjerg. And then I turn it over to the law
enforcement end of the table.
Mr. Huse. Well, I just wanted to take the piece of the
question, is it all about resources? And that goes to
Chairwoman Kelly's earlier comment.
It doesn't necessarily just mean resources, although some
modest adjustments are needed here and there because you're
short some capacity.
But basically, the key to this is rethinking this
particular crime top to bottom, and rethinking how we focus on
this crime.
We're trying to apply an old model to this that just
doesn't work. If we could just understand how serious it is,
that's a big, huge step, and then work with ways to, using the
magnificent technology that we have, to communicate better.
I think that's really the answer, rather than some new
agency or the like.
Mr. Brady. Thank you. Thank you all very much.
Chairman Shaw. Before I go to Ms. Hooley, I do have a
question for you, Mr. Huse.
Does the law distinguish in the case of identity theft
between a living person's identity who has been stolen or a
deceased person?
Mr. Huse. I don't believe it does. I think the law deals
with the identity theft. I do know that a deceased person has
no rights because they're not here to have them. But in terms
of the identity theft, it still stays the same under the law.
Again, my staff----
Mr. Bond. I want to add, my understanding on that is that
an individual under law is considered to be a living
individual. And so the rights do not extend to the deceased.
So when you talk about privacy laws, those are applied to
living individuals and that is a fine point that I think some
of the Executive agency lawyers would want to talk to the
committee staff about in doing forward on your legislation.
Chairman Shaw. OK. If that answer needs sharpening up, let
us know.
Mr. Bond. OK.
Chairman Shaw. Ms. Hooley.
Ms. Hooley. Thank you, Mr. Chair.
In the case of Tyler Bales, you could not give the
information to local law enforcement agencies, even though
identity theft is a crime in Oregon.
So I want to know, do we need to as a body fix that?
Mr. Huse. Congresswoman, when you were speaking, I jotted
down on a card that case and I passed it back to our chief
investigator and I said, we should look at this case.
I don't know why under the IRS rules they didn't disclose.
And that may be some arcane rule. I mean, they're governed by
rules. We are at Social Security.
But, usually, I'd like to see if there wasn't a way that
the Social Security Administration might not be able to work
with that case and take it forward.
And I'm not criticizing IRS. I'm just not sure.
Ms. Hooley. What I'm looking for is if we can do that, in
the case of Oregon where identity theft is a crime.
Mr. Huse. Right.
Ms. Hooley. And I'm just trying to figure out, do we need
to fix it or if it's some rule that can be fixed.
Mr. Huse. That's why I'd like to look at that.
Ms. Hooley. OK.
Mr. Huse. And we'd be glad to talk to your staff about that
and look into that case and then get back to you, if that's OK.
Ms. Hooley. OK. I have a couple of other questions.
The Death Master File, it contains everything that a thief
would need to get up and running. It's now being transmitted, I
understand, to 104 customers, up from about 51 in 1999.
Is that correct?
Mr. Bond. Yes, that's about right.
Ms. Hooley. And all of the customers are paying for the
information.
Mr. Bond. Correct.
Ms. Hooley. And do they use it for the purpose to flag
financial holdings of the deceased individuals or is the
information being used for other purposes? And if so, what are
the other purposes?
Mr. Bond. It is a wide variety of purposes, from security
to checking for fraud, obviously. I'm just flipping through
here to try to see, because I had asked that question myself.
Having just been sworn in on October 30th, I'm trying to find
out everything I can quickly.
Ms. Hooley. I think sort of the irony of this thing is----
Mr. Bond. There are a couple of things that you need to
know about. One is just the private genealogy sites that people
talked about. That is one that is used, that you can go to. I
did my own search and found that the Jasper County Public
Library in Indiana has got the full Death Master File available
there.
So there's a variety of uses out there.
But the private sector is checking mostly for fraud in
financial transactions.
Ms. Hooley. I guess sort of for me the irony is that the
Internal Revenue Service can't pass the information on to law
enforcement, but they can sell it to other organizations to be
used.
And I just have a bit of a problem with that. Should I?
Mr. Huse. I don't think any of us here are tax experts. We
won't even go near there.
Mr. Bond. All I can add is that by the time it gets to
NTIS, it is, as was explained, considered subject to the FOIA
laws, and so it's out there.
Mr. Streckewald. I have a little more information on the
uses of that, at least in terms of the customers.
About 20 percent of the purchasers of the Death Master File
are public sector groups. Some colleges use it, perhaps for
research or checking against their databases of students. In
addition, several private insurance companies use it
extensively, along with a few banks.
But there are not a lot of financial institutions on the
list.
Mr. Bond. Here's the actual breakdown from NTIS,
Congresswoman. It's 20 percent State and local, 20 percent
information brokers, 15 percent insurance companies. Medical
and cancer research organizations make up 15 percent. Security
providers, five. Marketing companies, around five percent.
Credit reporting bureaus and agencies, five percent. Pension
funds, five percent. Banks and financial institutions, three.
And genealogy, three.
Ms. Hooley. Thank you. Thank you and I yield back my time.
Chairman Shaw. Thank you.
I want to pursue the question of Ms. Hooley. I want to
know, those death files, when they're put out, the Social
Security numbers are on them. And I guess they're readily
obtainable.
We know from experience and testimony before these
subcommittees that they still have value to those that would
attempt identity theft.
At the hearing that we had last week, we found that those
numbers do survive the decedent and have a real purpose in
State tax returns and things of this nature as an identifier.
And we also found that the numbers stay exactly the same.
There's no D for decedent or something put after the number. So
those numbers are still out there and for the layman looking at
it, wouldn't know whether that was a decedent or somebody who
was very much alive.
What is the suggestion--and I open this to any member of
the panel, that any of you might have--with how we could
safeguard those numbers and yet, release them for legitimate
purposes?
Obviously, insurance companies need them and some public
officials need them--public agencies need them, rather.
Are there any thoughts on that?
Mr. Streckewald. Yes. Let me see if I can give a couple
thoughts on that.
I think it goes to the whole purpose of the Death Master
File. Originally, it was a court settlement that required us to
do this under the Freedom of Information Act law. But we sell
the Death Master File for commercial purposes through NTIS, so
that those with a reason to know individuals' Social Security
numbers will know which numbers belong to deceased individuals.
If a number comes through their system and it matches up with a
number on the Death Master File, there's a problem.
So, in fact, the number is flagged. It is annotated when
you compare it against our Death Master File.
If the Death Master File is not used extensively, then, of
course, people won't have awareness of it.
So, on the one hand, if it's out there, anybody can use it
and try to take a number from it and create an identity or use
it to apply for a credit card. But if the financial services
and insurance companies and others make greater use of the
Death Master File, then they'll know which numbers belong to
deceased individuals.
Chairman Shaw. How can we safeguard that, those lists being
misused?
We have to assume that if they're out there, they're being
marketed, that they are available to the bad guys.
Mr. Streckewald. From Social Security's perspective, if a
person uses a Social Security fraudulently to work--sometimes
numbers are used fraudulently for working--if earnings are
reported on that number the year after the real number-holder
dies, then we automatically investigate because we know that
number belongs to a person who is shown as deceased on our
records.
We issue an alert to the field office and they call the
employer and ask who is this person that's giving these wages
under this number. On our records, it shows that the number
belongs to deceased individuals.
So, again, from the original purposes, earnings
recordation, we do track back and see if it belongs to a dead
person and if so, why are earnings being recorded.
Chairman Shaw. It takes a year. You know the person is
dead, money is coming in, it is going into his account. Why
wouldn't it be kicked out in the first----
Mr. Streckewald. Well, if a person works in January,
February and dies in March, those earnings are reported to us
after the end of the year. So we know that we haven't heard
from the IRS yet until the year is over.
The next year, if we receive earnings from that person,
that's suspicious and that triggers an alert.
Chairman Shaw. Yes, that would be suspicious. How do we
handle death in foreign countries? Someone has retired in a
foreign country, their money is being electronically
transferred to a bank down in Mexico. How is that dealt with?
Mr. Streckewald. I believe that we receive from embassies
lists of deceased beneficiaries in foreign countries--they have
Social Security numbers--so we would annotate our records and
we would terminate their benefits.
Chairman Shaw. How do the embassies accumulate that? Now
here, the funeral home turns them in. The death record is
required on that.
So where is it in countries that don't have that process in
place?
Mr. Huse. To get to a bottom line here, it's not a perfect
system and it's totally dependent on cooperation in those
countries to give that information back to the benefit officers
that we have in foreign stations.
So what happens is, periodically, the agency does send out
a survey team based on ages of beneficiaries--I think they set
the number in the 1990s, but they're take a look to see if
those people are still alive in the foreign population areas.
And those are done on a cycle basis by the international
operations.
Mr. Streckewald. It's the international operations. And in
fact, for countries that are considered to be high risk, such
as Yemen, they send a team out there.
Not only do they look at the elderly people, they ask to
see in person every beneficiary in Yemen. That's one example.
But we also go to the Philippines regularly and other
countries.
Chairman Shaw. Would it help if we actually sent checks to
foreign countries that required signatures, or is the expense
of doing that more than the savings on electronic transfer?
Mr. Streckewald. I think we'd have to take a look at that
and get back to you. I'm not sure. It certainly would be an
issue.
[The information referred to can be found on page 83 in the
appendix.]
Chairman Shaw. And actually ask for an endorsement on the
check. I think people would be a little less likely to endorse
or forge somebody's name than they would be to just simply let
the thing slide and let the money continue to accumulate in the
bank account.
That's my off-hand opinion.
Anyway, any further questions? The gentleman from
Wisconsin?
Mr. Ryan. No questions.
Chairman Shaw. OK. Well, at this point, I turn the gavel
over to Ms. Kelly, who will preside over the next panel.
Chairwoman Kelly. Let me make the introductions of the
second panel.
We have: Mr. Stuart Pratt, Vice President for Government
Relations, Associated Credit Bureaus;
Tom Lehner, Executive Vice President for Government
Affairs, American Financial Services Association;
Tom Sadaka, Special Counsel, Office of Statewide
Prosecution, Orlando, Florida. We welcome you, Mr. Sadaka. Am I
pronouncing that correctly?
Mr. Sadaka. Sadaka.
Chairwoman Kelly. John Dugan, Covington & Burling,
representing the Financial Services Coordinating Council.
Mark Rotenberg, Executive Director, Electronic Privacy
Information Center.
And Evan Hendricks, Editor and Publisher of Privacy Times.
We welcome you all. We look forward to your testimony. And
I'd like to advise all Members and witnesses, I intend to keep
to the 5-minute rule. So I'm going to remind witnesses when
they have a minute remaining. Please check the clock.
I will also ask unanimous consent that all Members'
questions be included in the record. I'd like to begin with
you, Mr. Pratt.
STATEMENT OF STUART K. PRATT, VICE PRESIDENT FOR GOVERNMENT
RELATIONS, ASSOCIATED CREDIT BUREAUS, INC.
Mr. Pratt. Thank you both very much for this opportunity to
appear before this joint hearing today.
For the record, my name is Stuart Pratt and I am the Vice
President of Government Relations for the Associated Credit
Bureaus.
By way of background, the ACB, as we're commonly known,
represents more than 500 consumer information companies and
produce a wide range of products, including fraud prevention,
risk management, credit reports, mortgage reports, tenant
employment screening services, check fraud, and verification
services.
And so the subject matter here today is obviously very
relevant to us and all of our members.
I think it's clear, perhaps more than ever before, that how
we authenticate, how we verify, and how we ensure the
authenticity of information in various types of applications is
an essential need in this country. Unfortunately, I think we've
learned that for all of the wrong reasons.
But at the core of this need is also the availability of
information to be used and deployed in the authentication of
application processes. And at the core of all of that, in many
cases still, is the need for the availability of the Social
Security number, which plays a particularly important role in
our ability and our members' ability to build authentication
and fraud prevention products, which then in turn allow us to
mediate disparate sets of information and bring them back
together in order to partner with our financial services
customer bases, insurance and so on, in ensuring that they are,
in fact, opening up lines of credit, depository accounts and so
on, for legitimate individuals and for legitimate purposes.
I want to applaud your subcommittee, of course, and the
Congress as a whole for the enactment of the USA Patriot Act
and the very fact that this Act itself recognizes the need to
have a robust system of authentication, and in turn
specifically directs the Secretary of the Treasury to establish
minimum standards for financial institutions to verify account
applicant information.
I think, further, Chairman Shaw, in your hearing last week,
we heard additional challenges in terms of even the enumeration
process, how do we authenticate and verify information about
individuals who are making applications for Social Security
numbers.
And in fact, I think we heard information in your hearing
last week about the challenges even the States will face on a
go-forward basis in authenticating and verifying individuals
who make applications for something as simple, but as
consequential, as a driver's license.
So it's a changed world in which we live.
The ACB was asked to address some questions or some areas
in our testimony and I thought I would attempt to do that very
quickly. And then of course we can amplify on that in questions
and answers that you may have.
You first asked how we, as consumer-reporting agencies, use
the Social Security Administration's Death Master File. And let
me start by discussing something about the scope of the
industry that we represent.
Our three major credit reporting system members--Equifax,
Experian, and TransUnion--each maintain databases of
approximately 200 million files on credit-active consumers in
this country.
In addition to that, members such as E-funds and Dole &
Media, maintain Nationwide systems as well that help prevent
checking account fraud and check fraud at the point of sale and
further.
In fact, we estimate, easily, that more than a billion
consumer reports are sold every year in this country. And those
consumer reports can carry forward and do carry forward in most
cases a notification where there is a Death Master File record
that we have been able to obtain.
There are many members within our association who are, in
fact, on that subscriber list. And I thought I would clarify
one point that I think was lost perhaps in the previous round
of testimony.
And that is that, when we say there were not many financial
institutions on that listing of subscribers, that's in part,
because the channel of distribution through which the DMF data
is made available to a majority of the financial institution
market place is through companies like the ones that we
represent here with the ACB.
You've asked about technical problems with the current
system and I think a lot of that has been covered in previous
testimony. I think our members are also encouraged by the fact
that there may be new and different technologies that could be
brought to bear. There could be greater efficiencies achieved.
And I think those are the right questions and I think we'll
have to work toward achieving the right answers.
Regarding other means of obtaining information, really, the
only other way that the Associated Credit Bureau's members
would be aware of an individual having died is through
notifications that come through the systems directly from
credit lenders.
When a credit lender is notified through a trustee of an
estate, they in turn will notify through coding back to us the
fact that that consumer's credit account is now associated with
a deceased individual. And that would be a code that would then
be included in a statement that would be included and
referenced on that account in subsequent credit reports issued
on that individual.
You've asked about outlining ways in which sources of
information can be better integrated. And let me just say that
today, integration is something that we achieve through the
systems that we have.
Unfortunately, I do want to state that the FTC's rules
under GLB restrain us significantly in terms of building fraud
prevention products outside of the Gramm-Leach-Bliley Act or
the Fair Credit Reporting Act.
And let me close by making just a couple of announcements.
I see I'm slowly losing time here.
Chairwoman Kelly. Mr. Pratt, you've lost time.
[Laughter.]
So if you could sum up, that would be great.
Mr. Pratt. Two announcements. Number one, we've asked all
of our DMF subscriber members of the Associated Credit Bureaus
to convert to monthly receipt. All members will convert to
monthly subscriptions with the DMF Master File, which I think
will help escalate and help make information available.
And number two, our members have established and will work
with a task force to work with the Social Security
Administration in working through technology and legal issues
that might be associated with escalating availability of
information from the Administration.
[The prepared statement of Stuart K. Pratt can be found on
page 100 in the appendix.]
Chairwoman Kelly. Thank you very much, Mr. Pratt.
We move now to Mr. Lehner.
STATEMENT OF THOMAS J. LEHNER, EXECUTIVE VICE PRESIDENT FOR
GOVERNMENT AFFAIRS, AMERICAN FINANCIAL SERVICES ASSOCIATION
Mr. Lehner. Thank you, Chairwoman Kelly, Chairman Shaw,
Members of the subcommittees. Thank you for inviting me to
testify today.
I'm Tom Lehner. I'm the executive vice president of the
American Financial Services Association. AFSA is the leading
trade association for market-funded financial services
companies.
Our 400 member companies include consumer and commercial
finance companies, auto finance/leasing companies, mortgage
lenders, credit card issuers, and industry suppliers.
I'm here to address the issue of identify theft using
Social Security numbers and, specifically, the industry's use
of the Social Security Administration's Death Master File.
Social Security numbers are the most unique identifier of
individuals in the United States. The financial services
industry uses these identifiers for a variety of reasons, such
as customer verification, credit checks, bankruptcy filings,
and monetary judgments such as tax liens.
The use of Social Security numbers is not generally secure.
They are readily available and, indeed, used by companies,
State and local governments, motor vehicle departments,
colleges, and even by consumers who willingly print the numbers
on the face of their checks.
Thieves often steal Social Security numbers and ultimately
the identity of individuals, both living and dead. Financial
institutions such as credit card companies and banks have also
incurred significant losses resulting from misuse of Social
Security numbers.
Consumers have also experienced monetary losses, impaired
credit and legal problems because others have amassed debts
using their identities.
Financial firms have an obvious interest in making sure
that individuals who open accounts are who they say they are.
Companies rely on the Social Security Death Master File to
protect against theft.
In most cases, firms do not directly subscribe to the Death
Master File, but access it indirectly through credit reporting
agencies or other vendors who do subscribe to it.
This is both more efficient and less costly to the
consumer.
For example, bank issuers of credit cards routinely obtain
consumer reports on card applicants from credit reporting
agencies. Because the credit bureaus periodically update their
files by comparing information to the Death Master File, the
credit report will contain an indicator if the individual has
been reported as deceased. And the bank can use this
information to decline the application or investigate the
circumstances.
Other financial firms such as securities broker/dealers
also access the Death Master File as part of the account-
opening process. This screening is typically done by third-
party vendors who utilize Death Master File information.
Consumer lenders regularly use information from credit-
reporting agencies to review and adjust the status of existing
accounts as well. It also helps to verify customers seeking to
refinance existing mortgages or those who are interested in
other services offered by the financial institution.
Naturally, financial firms have other sources of
information that might indicate that a customer has died and
that access to the account should be frozen or terminated. The
principal source is family members who called to notify the
institution of the death of the customer and may request
changes in the name on the account or the address where
statements are sent.
Lawyers and estate executors are another source of this
information.
Whether financial institutions obtain information about
deceased individuals directly from the Death Master File or
indirectly from other subscribers, they have an interest in
obtaining information and data that is accurate and current.
Delays between the date on which an individual dies and the
date on which this information is made available to the public
through the Death Master File increases the opportunity for
identity thieves to defraud survivors, beneficiaries and
financial institutions.
One of the disadvantages of the current Social Security
numbering system is that the agency is not always immediately
notified upon the death of an individual. There appears to be
no requirement for local officials to notify the Social
Security Administration when someone dies.
Despite their best intentions, having incomplete and
incorrect information makes it very difficult for the Social
Security Administration to issue an accurate Death Master File.
Many companies have established internal processes that
deal with fraud and identity theft. In addition, companies work
with customers who are victims of identity theft and they also
work with prosecutors to pursue those responsible.
AFSA supports the efforts to encourage the Social Security
Administration to obtain death information promptly and report
it more frequently. We also support the continued dialogue
between credit-reporting agencies and financial institutions to
facilitate the flow of the Death Master File information and
bureau files.
For example, there may need to be a change in procedures so
that when creditors report account status information to
credit-reporting agencies, and this information is placed in a
file of a customer about whom the bureau has received death
information, the creditor is made aware of this fact on a
timely basis.
We believe that more financial institutions would consider
subscribing to the data directly if the information provided
was in real time and more accurate. Whether financial
institutions obtain information about deceased individuals
directly from the DMF or indirectly from other subscribers,
it's in our interest and that of the consumer that we obtain
correct information.
We've hopeful that the Social Security Administration will
make both the procedural and policy changes necessary to ensure
the security of our individual unique identifiers, our Social
Security numbers.
Thank you.
[The prepared statement of Thomas J. Lehner can be found on
page 107 in the appendix.]
Chairwoman Kelly. Thank you very much and thank you for
limiting your testimony to the time.
We now move to Mr. Thomas Sadaka.
STATEMENT OF THOMAS A. SADAKA, SPECIAL COUNSEL, OFFICE OF
STATEWIDE PROSECUTION, ORLANDO, FL
Mr. Sadaka. Chairwoman Kelly, Chairman Shaw, I truly thank
you for the opportunity to be here today.
For the record, my name is Thomas Sadaka and I am Special
Counsel to the Statewide Prosecutor of Florida for computer
crime and identity theft prosecutions.
As the only representative of State government, as well as
State law enforcement, I think a bit of a background is in
order.
Florida ranks third in the Nation currently in identity
theft complaints, according to the FTC. As such, we have
embarked on a rather strenuous effort to combat and to curb the
epidemic of identity theft.
At the request of Gov. Bush and as a result of the Privacy
Technology Task Force, which addressed issues of Social
Security abuse, public records abuse, and identity theft in
general, we have impaneled a State-wide grand jury and have
partnered with the Florida Department of Law Enforcement to
focus specifically on identity theft cases as well as what
Florida can do to minimize the effects of identity theft and
the victimization of her citizens.
As such, the use of the Social Security number and the use
of other public records information has become apparent. It is
the constant in all of the crimes that we have currently
investigated.
The State of Florida, through my office, was instrumental
in passing an identity theft statute. In 1999, the statute went
into effect, and at that time, we were one of only three States
in the Nation to actually criminalize identity theft on the
local level.
That is improving. State law enforcement and legislatures
are quick to enact these laws and are quick to operate on them.
As such, the investigation and the prosecution of these
cases is moving along slowly. So while we've addressed the
after-the-fact dealings of identity theft, we now need to turn
to the issues of prevention of identity theft.
The use of the Social Security number and the use of other
public records information is vitally important to the identity
thief, as well as to the terrorists and others who want to
shelter from society who they truly are.
From the law enforcement encounter with the individual on
the street to the airport security checker who is relying on
the State-issued identification card, identity theft has a very
broad base, both public safety concern as well as financial
industry concern.
Our public safety issues are much more in the forefront now
since September 11th. But we've been addressing these issues
over the past year to try to develop fraud-proof identification
as well as uniform identifiers throughout the country so that
we can rely on information that's provided from other States.
State driver's license offices rely heavily on the Social
Security number. Every State requires a Social Security number
to be provided. Yet, the States don't avail themselves of the
information available from the Social Security Administration,
nor the other required information that would be available.
Several of the States do check the Master Death File. The
Florida legislature commissioned us in July to conduct a study
on developing a fraud-proof Florida DL.
So as part of that, I have been researching what other
States do in the issuance process of identification cards.
Of those that do some type of independent verification,
only a select number of them interact with the death index on a
real-time basis. And although the Social Security
Administration has made limited availability for online data
verification of Social Security, name and geographical region,
there are no States currently that avail themselves of that
ability.
The State of Florida is currently looking into the ability
to expand their infrastructure such that they can rely on the
information from the Social Security Administration.
There are two issues that face Congress. One is, the Social
Security number has become basically our de facto national
identifier. There are two subissues to that.
Do we want that to be the case? And if the Congress'
decision is that, yes, that is to be the case, then there need
to be laws and initiatives in place that can basically back up
the integrity of that number.
There needs to be the ability of both the financial
industry as well as State and local governments to verify that
the Social Security number that's provided by the citizen or by
the customer is truly that individual's Social Security number.
We need to confirm that the identify of that person is
their true identity.
We rely heavily on breeder documents. There are currently
262 different birth certificates in circulation in the United
States. Those linked with Social Security numbers and passports
and documents that are available from other countries create an
daunting task on the part of the administrator, who is issuing
this identification card.
The Social Security Administration has within its grasp and
within the other agencies of the Federal Government all of the
information that is necessary to both the State and local
governments, as well as the financial industry, to confirm the
identity of the person who is before them. That information
needs to be streamlined in its distribution and needs to be
made available.
If the other alternative is to not allow the Social
Security number to be used for that purpose, then we face
another undaunting task of developing some other unique
identifier, such that all of our citizens can be comfortable
that the information that is represented to financial
industries and to State and local governments is correct and
accurate information.
Again, I want to thank you very much for the opportunity to
be here today and I'd be more than willing to answer any
questions at the close of the testimony.
[The prepared statement of Thomas A. Sadaka can be found on
page 110 in the appendix.]
Chairwoman Kelly. Thank you very much.
We now move to Mr. Dugan.
STATEMENT OF JOHN C. DUGAN, PARTNER, COVINGTON & BURLING, ON
BEHALF OF THE FINANCIAL SERVICES COORDINATING COUNCIL
Mr. Dugan. Thank you very much, Madam Chairwoman, Mr.
Chairman. It's a pleasure to be here today.
I'm testifying today on behalf of the Financial Services
Coordinating Council, or FSCC, whose members are the American
Bankers Association, the American Council of Life Insurers, the
American Insurance Association, the Investment Company
Institute, and the Securities Industry Association.
The FSCC represents the largest and most diverse group of
financial institutions in the country, consisting of thousands
of large and small banks, insurance companies, investment
companies, and securities firms.
Together, these financial institutions provide financial
services to virtually very household in the United States.
The FSCC continues to believe that the Social Security
number plays a central role in deterring and detecting fraud
and identity theft because Social Security numbers are the best
unique identifier that financial institutions can use to
determine whether an individual really is who he or she says he
or she is.
To that end, the FSCC welcomes the attention the
subcommittees are giving to the misuse of Social Security
numbers of deceased individuals.
My testimony today makes three fundamental points. First,
Social Security numbers are key unique identifiers that are
essential to guard against identity theft.
Second, the SSA's Death Master File is a comprehensive
record of deceased individuals' Social Security numbers, but
delays in updating and disseminating this list can create
opportunities for fraud and identity theft.
Third, because financial institutions ultimately rely,
usually indirectly, almost exclusively on the Death Master File
to determine whether a Social Security number belongs to a
deceased individual, the more frequently the DMF is updated and
disseminated and the more accessible that information is, then
the more effective the list will be as a tool to detect and
deter fraud and identity theft.
On the first fundamental point, following the lead of the
Federal Government, the financial services industry has used
the Social Security number for many decades as a unique
identifier for a broad range of responsible purposes.
For example, our Nation's remarkably efficient credit-
reporting system relies fundamentally on the Social Security
number as a common identifier to compile disparate information
from many different sources into a reliable credit report.
The banking, insurance and securities industries each use
SSNs as unique identifiers for a variety of important
regulatory and business transactions, primarily to ensure again
that the person with whom the financial institution is dealing
really is that person.
It's that essential need to verify a person's identity
using a common unique identifier--the Social Security number--
that leads financial institutions to rely on the reporting of
deceased individual's SSNs to guard against identity theft.
We believe there are two keys to preventing the misuse of
Social Security numbers of deceased individuals.
First, the list of such numbers must be kept current.
Second, the current list must be widely accessible and easy to
search and cross-hatch against a given Social Security number.
Unfortunately, while the current DMF is used to accomplish
both these goals, there's clearly room for improvement.
On the first point, with respect to the currency of
information in the DMF, there can be significant delays in
updating the list. These are delays caused by the time taken
for deaths to be reported to the SSA, delays caused by the
entry of inaccurate information, and delays caused by the fact
that the SSA releases comprehensive updates on only a monthly
basis.
On the second point, the DMF is not provided in a form that
is readily searchable. As a result, because it contains such a
large amount of information, the most practical way to use the
list, at least for financial institutions, is through
intermediaries that convert the DMF into a searchable database
that can be used by financial institutions and others.
This service by third-party vendors is valuable, but it can
be costly, and cost can thus be a deterrent to the widespread
use of the DMF.
Obviously, if a centralized, searchable database containing
the DMF were widely available at a reasonable price, it's
likely that the DMF would be used more routinely for a wider
variety of authentication checks.
Let me now conclude by talking about financial
institutions' use of the Death Master File.
Although the main purpose of the DMF is to inform the SSA
that an individual has died, it's also purchased by private
information vendors. Financial institutions ultimately rely on
these vendors for accurate information about the status of
individuals' SSNs.
Therefore, while the accuracy of the DMF is crucial to
saving the SSA money, it's equally crucial to financial
institutions who seek to prevent fraud and identity theft.
For example, many large banks contract with information
vendors to compare the bank's list of individuals who have been
approved for credit cards against the DMF.
Similarly, banks, securities broker/dealers, mutual fund
transfer agents, and insurance companies frequently use these
information vendors to conduct the same kind of search with new
account openings, changes in parties on accounts, to determine
whether to allow a client to maintain a margin account, to
locate lost shareholders, and for other purposes.
Simply put, the more current the DMF is, then the more
current the vendor's data is, and the better financial
institutions can be at uncovering identity theft and other
fraud.
And with that, I would conclude. We certainly welcome
suggestions for achieving both of the goals I've outlined in
the testimony and we'd be happy to work with the subcommittees
and their staffs to facilitate these efforts.
Thank you very much.
[The prepared statement of John C. Dugan can be found on
page 113 in the appendix.]
Chairwoman Kelly. Thank you, Mr. Dugan.
We move next to Mr. Rotenberg. Mr. Rotenberg, I'm sorry I
did not have your testimony before we had this hearing.
Usually, I like to have a chance to read it before.
But I'm going to be very interested in what you have to say
today.
STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER; ADJUNCT PROFESSOR, GEORGETOWN
UNIVERSITY LAW CENTER
Mr. Rotenberg. Well, thank you, Chairwoman Kelly, and
Chairman Shaw. I would ask that my statement be entered into
the record and I will briefly summarize the points that I'm
going to make this morning.
I appreciate the opportunity to be here. I'm the Director
of the Electronic Privacy Information Center. We are a public
interest research group in Washington concerned with privacy
issues relating to American consumers.
I have also been on the faculty at Georgetown for more than
10 years, where I teach the law of information privacy.
I think it's critical to make clear at the outset for the
purposes of this hearing that there's a long-standing effort by
Congress and by the courts to protect the privacy of the Social
Security number in law. And this has been done from the outset
out of recognition that the particular status of this number,
which can be used in so many different contexts, is ripe for
misuse and abuse and, as we've seen in the last few years, the
growing crime of identity theft.
So, for example, Section 7 of the Privacy Act of 1974 makes
very clear in the collection and use of the SSN that Federal
agencies may only use the number for certain statutory
purposes.
And I'd like to say at the outset that the efforts of
Chairman Shaw and other Members of the subcommittees to move
forward legislation, H.R. 2036, which would extend similar
protections to the private sector and strengthen as well the
protections in the public sector, is a very important measure
that I hope you will move quickly in this session.
Now the second part of the problem to understand is that
the ID theft problem results from the growing dependence of the
Social Security number as a general form of identification
unrelated to the original purpose, which was of course the
management of SSA benefits.
And if I may, Chairwoman Kelly, to pick up on your opening
statement, I'd like to make a brief observation about this case
involving Lahfti Raisi, who is the Algerian who may be
responsible, in fact, for training the hijackers in the great
tragedy of September 11th.
Now it has been reported that Raisi took advantage of the
Social Security number of a deceased person in the State of New
Jersey, presumably to obtain access to facilities in other
places that he would not otherwise be able to go.
But it's not clear, at least from the reports that we have
reviewed, that Raisi sought the Social Security number of a
deceased person.
In other words, this may have just been a nine-digit number
pulled from the air that turned out, in fact, to be the number
of a person who was deceased.
And I make this point because it's critical to understand
that in the area of identity theft, there are many ways to
create Social Security numbers that are not one's own that
don't require access to a deceased's SSN.
You can spoof SSNs in a number of different ways. I can
look at a Social Security number and probably determine whether
it's accurate--in fact, a real Social Security number, computer
programs and financial institutions do this on a regular basis.
But my point here is I think we need to understand that it
is the growing dependence on the use of the Social Security
number and whether that number comes from a person who's
deceased or whether it's simply made up, is going to be an
ongoing problem in systems of identification going forward.
Now this then relates to my third point about the expanded
use of the Death Master File. And I fully appreciate the
interest of the financial institutions in having more timely,
more accurate information on an ongoing basis. So that when
they are making these determinations about whether or not an
SSN is the SSN of the person who represents it, they have
better information on which to make that decision.
But in expanding the use of the DMF, I'm concerned also
that it will create new opportunities for misuse and abuse by
others, who will use that information for other purposes.
Because, of course, now you will have access to a very
convenient file in electronic format that will give the public
a great deal of detailed personal information.
And so I think an assessment needs to be done. How do you
ensure that that information will be used only by the financial
institutions for the appropriate purpose and not by others for
ill-intended purpose?
I'd like to conclude, then, with three recommendations.
The first recommendation, having worked on this issue now
for more than 10 years, is to urge you once again to think
about systems of identification that are not solely dependent
on the Social Security number. It is the SSN that contributes
to ID theft and our growing use of the SSN leads to more ID
theft.
Second, as I suggested at the outset, I think the
legislation before the subcommittees is excellent.
And finally, if you do go forward with the proposal to make
the DMF readily available in electronic format, I urge you to
create some mechanism of oversight, some way to evaluate, maybe
a year out, how that information is being used, because it
could well be the case that that file will become a new source
of identity theft, and that could simply compound the tragedy.
Thank you.
[The prepared statement of Marc Rotenberg can be found on
page 126 in the appendix.]
Chairwoman Kelly. Thank you very much.
We now move to Mr. Hendricks.
STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, PRIVACY
TIMES
Mr. Hendricks. Thank you, Madam Chairwoman, and Mr.
Chairman. My name is Evan Hendricks, Editor and Publisher of
Privacy Times.
I've been qualified as an expert in identity theft cases by
the Federal courts and I realize I'm the last witness between
not only you and lunch, but the lunch of my son, Daniel, who
has accompanied me here today.
Chairwoman Kelly. We welcome your son.
Mr. Hendricks. Yes, thank you.
Chairwoman Kelly. Welcome, Daniel.
Mr. Hendricks. Thank you. This is an important issue. I'm
grateful to follow my colleague, Marc Rotenberg, because I
concur in his remarks and incorporate them.
What we've seen in this terrible tragedy is that not only
has identity theft figured in the use for passport and visa
purposes, but also the terrorists supported themselves by
committing identity theft and credit fraud.
We followed this in my newsletter, Privacy Times, which is
in its 21st year; there is an excellent article in the November
4th, Chicago Tribune which summarizes many of the activities
they did, including skimming, which is using a machine to swipe
a card and steal all the information and then make a
counterfeit card out of it.
There are two things that fraudsters want in this day and
age: either a Social Security number so that they can do
identity theft, or a credit card number and an expiration date.
We also know that the fraudsters are using stolen credit
card numbers to buy people's Social Security numbers so that
then they can commit more identity theft.
So it's becoming a vicious circle.
When the World Trade Center tragedy hit, unfortunately, it
became somewhat like when there's a black-out in New York: the
thieves know they can break into buildings because there's no
electronic burglar alarms any more.
And unfortunately, one of the World Trade victim's friends
took her credit card and went on a credit joyride, and I'm told
by my friends at the Privacy Rights Clearinghouse and the
Identity Theft Resource Center that a plane crash victim was
going to be picked up by a limo driver who had all his
information and then went on to commit identity theft.
As indicated by Congresswoman Hooley's opening remarks,
there are some really sick people out there and a lot of them
are now gravitating toward identity theft.
I come here to say that, like Mr. Rotenberg, the goal of
privacy laws is to give people control over their personal
information. And some of the gaps and the weaknesses in our
current privacy laws help the fraudsters get control over other
people's information.
One of the fundamental principles of privacy laws is the
information collected for one purpose should not be used for
another purpose without your knowledge and consent. And this is
at the heart of the Fair Credit Reporting Act, which is one of
the first privacy laws enacted in 1971, amended by Congress in
1996.
It's a good law and it recognizes in practice that there
are other purposes. And so, the Fair Credit Reporting Act
defines permissible purposes. And it also gives people
remedies, private right of action, penalties.
And I think even my colleague down the table, Mr. Pratt,
will agree, this privacy law has made the credit-reporting
industry a better industry. They do a better job handling data.
They have to be more responsive. And if things go wrong, people
have a remedy.
And so I'm also here to dispel the myth because there is
really not much of a conflict between privacy law and security:
all of our existing privacy laws make exceptions for law
enforcement, for health and safety, and for intelligence
purposes.
I think if you get into an honest discussion with the
investigators, you'll see that the privacy law has not impeded
the investigations here.
But that's why we look for solutions, as Mr. Rotenberg
said, we need to take advantage of information technology. We
need automated exchanges of data.
Just as the Fair Credit Reporting Act defines purposes and
gives people a degree of confidence that data will be used for
permissible purposes, so we need to expand that concept to our
larger society, including automating any sort of a Master Death
File that will be shared with the banks on an instant basis, or
with the credit-reporting agencies, too.
I also want to agree with Mr. Rotenberg that we need to
have a national oversight office. Every other western country
has an independent privacy commissioner that answers to the
legislative branch.
We need one, too.
In terms of three practical solutions, the first is that,
conceptually, people need to be plugged into their credit
report. The technology allows for it today, and actually, we're
gravitating toward this and we need to accelerate it. So if
there's activity on your credit report, you should receive some
sort of electronic alert.
This is not that difficult to set up and it would be one of
the best ways to guard against identity theft.
Second of all, though the credit reporting agencies sell a
service where they can do a trace on SSNs, it's not clear to me
that they do an audit of their own systems to see how many
names and addresses are associated with one SSN.
And if they did that simple audit function, they would
guard against some real problems and help clean up the
integrity of their databases.
The final thing I'd like to mention is something that's
called single-use credit card numbers. And Ms. Chairwoman, I
heard that you had your credit card number stolen. I don't know
if it was by skimming or through a database.
One company that I work with, called Privasys, has
developed these prototype cards. You punch your pin number into
the credit card so it can issue you a single-use number that is
only good for one purchase.
So if later that number is stolen, it's worthless.
And so, there are solutions that we need in law, in
organizational practice, and in technology.
Thanks very much. I'd be happy to answer any questions.
[The prepared statement of Evan Hendricks can be found on
page 131 in the appendix.]
Chairwoman Kelly. Thank you, Mr. Hendricks. I'm going to
ask just a couple of questions.
Mr. Rotenberg, on page 2 of your statement, I have to say,
I was multi-tasking up here and reading it at the same time.
I find this a fascinating statement. It is the financial
services industry's misplaced reliance on the SSN, lacks
verification procedures and aggressive marketing, that are
responsible for the financial consequences of identity theft.
I want you to enlarge on that.
Mr. Rotenberg. Well, my point, Chairwoman, is simply that
the SSN has been moved from the realm of processing Social
Security benefits within the Federal Government and the purpose
of tax identification when it become recognized by Congress for
that purpose in 1961, to a generalized identifier across the
financial services sector.
Chairwoman Kelly. Yes, sir, I do understand that. My
question is why you are blaming--it appears you're blaming the
financial service industry's use and reliance on that Social
Security number for some of the fraud.
As a matter of fact, that integrates with a comment by Mr.
Pratt when he talks about the Gramm-Leach-Bliley effect on the
FTC rules.
I'm wondering if the two of you can tell me--if what my
interpretation is is a correct one. Are you saying that the
Gramm-Leach-Bliley bill has had an effect on the use of the SSN
by the financial services industry that would increase the
ability for fraud to exist?
Mr. Pratt. If I may, from our perspective, the point we
wanted to make in the testimony was simply that the Gramm-
Leach-Bliley Act did take into account that there would be a
series of exceptions to a consumer's choice for how non-public
personal information could be transferred. And one of those
exceptions was for purposes under the Fair Credit Reporting
Act.
But the FTC's interpretation appears to foreclose on a
consumer reporting agency's ability once they have that
information to then build fraud prevention products that might
apply to other exceptions within the GLB 502[e] exceptions.
And clearly, to foreclose on our ability to build a fraud
prevention or a verification product which would use
identifying information outside of GLB and outside of the Fair
Credit Reporting Act.
So, in that case, the law seems to have tightened down the
screws a little too tightly on some information that we might
be able to use.
Chairwoman Kelly. Do you agree with that, Mr. Rotenberg?
Anyone is welcome to join in, but I want to ask that
specifically of Mr. Rotenberg.
Mr. Rotenberg. Well, I don't agree that one of the
consequences of GLB was to make the Social Security number more
widely available to financial institutions. I understand the
point that it in some ways may restrict certain verification
procedures.
But I do want to be clear about the point in my statement
here. Clearly, the theft itself is not committed by the
institutions. That's not what I said.
What I said, that the use of the SSN to link financial
records across institutions means that when the theft has
occurred, the damages are amplified.
And so, when I said earlier that we need to think about
systems of identification that are not so dependent on the SSN,
it is very much based on the experience that victims of ID
theft have had. When their Social Security numbers get out,
then they lose control of their bank account, their credit
account, and the other accounts that they may have with
financial institutions.
Mr. Hendricks. Madam Chairwoman, can I respond to that?
Chairwoman Kelly. Mr. Hendricks.
Mr. Hendricks. I'll give you one example.
Identity thieves are in the business of getting credit
fraudulently. They're able to do that because they apply for
credit in somebody else's name and Social Security number.
The first problem is the credit-reporting agencies are too
liberal in disclosing the innocent victim's credit report in
response to an application made by an imposter. In many of
these cases, I've seen that the city is different, the address
is different, and the spelling is different. Yet, they err on
the side of maximum disclosure from the credit-reporting agency
to the credit granter, and that's the first problem.
The second problem is that, if the imposter simply has your
Social Security number, I've seen cases--if you write these two
names down--Myra Coleman and Maria Gaten. If you have the same
Social Security number, their algorithms work so, since there's
an M and an R and another letter in the first name, that it's
similar enough to go ahead and disclose the information, even
though the names are completely different.
So there are some real application problems that were built
from earlier days when they were thinking--well, women get
married, they change their last name. People move a lot. As
opposed to now, where we have a clear threat of identity theft
and they need to update their rules for disclosing consumers'
credit reports.
Mr. Dugan. Madam Chairwoman, I'd just like to make two
points.
Number one, we think the Gramm-Leach-Bliley Act, in fact,
makes the misuse of Social Security numbers much more unlikely
because it gives individuals more control over the ability of a
financial institution to share that information with any non-
affiliated third party, number one.
And number two, to the extent that information is provided
for permissible purposes under the Gramm-Leach-Bliley Act, like
fraud prevention, then the law specifically prohibits the
recipient from using it for any other purpose.
So we think that that goes to that point particularly.
The second point I wanted to make was, it's nice to say
that it's easy to steal a Social Security number, and,
therefore, it's easy to steal someone's identity. But think
what it would be like if you did not have a Social Security
number used at all for identification purposes.
What Mr. Sadaka was saying earlier, you have to have some
way to have a common, unique identifier in many circumstances,
which is precisely what financial institutions use it for, to
make sure that they know you are the Madam Sue Kelly that comes
in the door and not a different Sue Kelly.
There have to be ways to link that up. And the use of the
Social Security number is the way we do that. Without it, and
with improper restrictions on its use, it would increase the
occurrence of identity theft, not decrease it.
Chairwoman Kelly. Thank you very much. I have just one
follow-up for Mr. Pratt.
What percent of your membership gets the DMF?
Mr. Pratt. I actually don't have a good answer for you, but
I'll be happy to follow up.
Chairwoman Kelly. I wish you would, please.
Mr. Pratt. And I think your question is in terms of the
total customer base, how many customers are using the DMF
product that our members produce.
Is that it?
Chairwoman Kelly. I'm going to withhold any of my further
questions because I've run out of time, and go to Chairman
Shaw.
Chairman Shaw. I'd like to direct my question to Mr. Pratt
again.
Our subcommittee has heard from many victims of identity
theft over the last 2 years and there are stories that raise
some very troubling issues pertaining to harassment and other
matters.
First of all, fraudulent accounts were opened using their
Social Security numbers, even though all of the information on
the application was actually incorrect, including their names,
addresses, and even their birthdays. And the Social Security
number was the only piece of information that was correct on
these applications.
A second troubling issue is that credit-reporting agencies
verified this incorrect information. Verifications of a name,
address, place of employment, age, or spouse's name were not
questioned. If the Social Security number matched up, the
information was verified and the fraudulent application was
approved.
First of all, can you explain how these fraudulent
applications could have been verified or accepted?
Mr. Pratt. Well, let me go to, if I could break out your
question into some parts.
Chairman Shaw. Maybe you could start just by telling us,
what is the process and what are the checkpoints?
Mr. Pratt. The checkpoints that we use are the Social
Security number, the name, the address, and, when available, we
may be also able to cross-check previous address. Those would
be the principle cross-checks.
Clearly, where we have 3 million consumers each year with
last names changing, our cross-checks try to accommodate the
fact that marriage and divorce occur and names can change in
cycle.
Date of birth, some of the other identifying elements that
you've indicated might have been on the application are not
transmitted to the consumer reporting systems.
These may be issues that are addressed today differently
than they may have been previously, but the cross-checks we use
today are Social Security number, name and address.
In terms of why an application was approved, I'm not trying
to put the monkey on someone's else back, but of course I can't
tell you why the application was approved.
We transmit the information. We show the lender what
information we believe in our file matches----
Chairman Shaw. Do you have any indication of where the
system failed in this event?
Mr. Pratt. Well, no, sir, I really don't, because I don't
have the facts in front of me specific to those particular
situations.
I'd have to look at those, I suppose, to better understand
where the failure occurred.
Chairman Shaw. Let me ask the question of liability
because, from your previous answer, it sounds like it's nothing
but negligence on the part of whoever is putting this
information together.
Under the current law, are creditors and credit-reporting
agencies accountable when their negligence contributes to
identity theft and to other Social Security number misuses?
Mr. Pratt. Well, I have to resist the industry being
characterized as negligent under the Fair Credit Reporting Act.
Chairman Shaw. I'm not characterizing the industry. I'm
just saying, in the event of negligence, are they liable?
That's a simple, straightforward question.
Mr. Pratt. The answer to the question would be, under the
Fair Credit Reporting Act, we're liable for being accurate. And
therefore, if we're not accurate and a lender in turn is also
liable as a user and as a furnisher under the same Fair Credit
Reporting Act.
Chairman Shaw. So it's your testimony that they would be
liable in the cases of negligence.
Mr. Pratt. There is negligence, there are willful and
negligent standards under the Fair Credit Reporting Act and
there are liabilities associated with the accuracy of the
information and the use of the information.
Chairman Shaw. I'll have to go to the Act and see exactly
what it says. What does it say--willful negligence, or do you
know?
Mr. Pratt. There are two standards of civil liability, for
example, and then of course there's administrative enforcement
through the Federal Trade Commission and other functional
regulators under the Act.
But the civil liability standards are willful and
negligence.
Chairman Shaw. Ordinary negligence.
Mr. Pratt. Yes.
Chairman Shaw. And that makes them liable.
Mr. Pratt. Those are two standards of liability depending
on the fact pattern, depending on how the suit is brought,
against any one of the parties that is regulated under the Act.
Chairman Shaw. Do you think the creditors and credit-
reporting agencies should be liable for these kinds of
mistakes?
Mr. Pratt. Well, I think we're on the same side of this
along with you. We don't want these mistakes to happen and we
want accurate information in our files, sir, really.
Chairman Shaw. If we weren't on the same side, I wouldn't
be here listening to you.
Mr. Pratt. I appreciate that.
Chairman Shaw. We're trying to figure this thing out so
that we don't disrupt a system of a national identifier that,
for good reason or bad reason, has been in place now for a
number of years.
But we do know that there's been serious misuse. We do know
that this is the fastest-growing crime in the country today.
And I personally believe and I think many other people
personally believe, and I think Mr. Sadaka would agree with me
on this--Mr. Sadaka, I think you agree that failure to do
something is going to create a snowball effect and that this
thing will be totally out of control after a reasonable period
of time.
Do you agree with that?
Mr. Sadaka. Yes, sir, I do.
Chairman Shaw. Thank you. I yield back my time.
Chairwoman Kelly. Thank you.
We go to Mr. Hooley.
Ms. Hooley. Thank you, Just a couple of quick questions.
Anyone from the industry side can answer the first
question. And that is, I understand the need for the industry
to have this master list, so you can flag your files to prevent
compromise by an identity thief.
What else do you do with the information? I mean, you use
it to flag your files. What else do you do with the
information?
Any one of you.
Mr. Lehner. Well, as I mentioned in my testimony, it's
oftentimes used to verify information on existing accounts, if
people change the status of their account for some of our
mortgage lenders. If a customer is refinancing their home,
they're changing credit products within a company.
Usually, that information is asked as a means to verify
that they are who they say they are.
Mr. Pratt. Our members as subscribers are using it
principally for fraud prevention.
Ms. Hooley. That's what I assume, all of you are using it
for fraud prevention.
Mr. Dugan. There are other reasons to use the information:
to track down or locate lost shareholders, or to review loan
applications. But principally, it's to make sure that the
person is who they say they are.
Ms. Hooley. Would you have any opposition to having it in
law that the information is solely used to flag the file of a
deceased individual or for fraud prevention?
Mr. Pratt. Like all good trade associations, I'd have to go
back and talk to the members, I guess, and find out whether
there's anything out there that I'm just not aware of here
today.
Ms. Hooley. OK. By the way, Mr. Pratt, thank you very much
for clearing up the file of Sean. I really appreciate your
doing that.
Mr. Pratt. Thank you.
Ms. Hooley. For either Evan or Marc Rotenberg, are you
aware of any instances where information from the Death Master
File has been intercepted by identity thieves?
Are you aware of that at all?
Mr. Hendricks. No, not per se. The cases that I've heard
of, the identity is just doing straight to the local government
agency and getting information off death certificates. I've
heard about cases like that and I've asked for more
documentation of that.
Ms. Hooley. Do you think we should use it solely for
flagging the files, using the Death Master list solely for
flagging the files or for fraud?
Mr. Hendricks. Yes. You create an automated information
exchange here and you specify what those purposes are and you
create penalties for people that violate that and remedies for
individuals whose privacy is violated.
I think that's the way to go. And I think if you look at
the kind of privilege that goes between a lawyer and a client
or a doctor and a patient, the privacy privilege is not so
people can hide or keep data secret. It's to allow for the open
exchange of information for the purposes you need--better
health care, better legal advice.
And I want to take that concept and expand it to everything
in our society. So privacy is protected within certain spheres,
but that allows for open data exchange within the approves
spheres.
Ms. Hooley. Thank you. That's all the questions I have.
Chairwoman Kelly. Thank you very much. I have a couple of
other questions. One for all of you as panel members.
I'd like to know if you can commit to participating on a
task force with the SSA to solve this problem.
I think that if we put together--if there's a task force of
the SSA, the GAO, the Commerce Department, and all of you, we
could probably get to the root of the problem and get it solved
much more quickly than every agency acting without consulting
the others.
So I'd like to ask for a commitment from all of you to
being a part of that task force. Can you commit to that?
Mr. Dugan. Madam Chairwoman, we'd be delighted to commit to
do that.
Chairwoman Kelly. Am I hearing that from all of you?
Mr. Pratt. Our testimony already indicates we support doing
that.
Mr. Sadaka. Absolutely, yes.
Mr. Lehner. Absolutely.
Mr. Hendricks. Yes.
Mr. Rotenberg. Yes.
Mr. Sadaka. We'd be very willing to commit as well.
Chairwoman Kelly. I thank you very much.
One final thing for you, Mr. Hendricks. Your son is going
to have to wait for lunch for one second.
You said in your testimony that there was an independent
national office to oversee and enforce the privacy law, was a
recommendation of the U.S. privacy protection study commission
in 1976.
I think it's time we consider something like that and I
hope that you will consider that within the framework of this
task force.
That being so, then I would like to, if there's no more
questions, the Chair notes that some Members may have
additional questions for this panel that they may wish to
submit in writing.
So without objection, the hearing record is going to remain
open for 30 days for Members to submit written questions to
these witnesses and to place their responses in the record.
On behalf of the subcommittees, I want to thank all of the
witnesses for taking the time to be here today. I believe it's
been a very productive hearing that has highlighted a problem
that can be solved with regards to identity theft.
This panel is excused with our appreciation. I want to
thank Chairman Shaw and his staff and other Members and all of
their assistants, and my staff, for making the hearing
possible.
The hearing is adjourned.
[Whereupon, at 12:25 p.m., the hearing was adjourned.]
A P P E N D I X
November 8, 2001
[GRAPHIC] [TIFF OMITTED] T6259.001
[GRAPHIC] [TIFF OMITTED] T6259.002
[GRAPHIC] [TIFF OMITTED] T6259.003
[GRAPHIC] [TIFF OMITTED] T6259.004
[GRAPHIC] [TIFF OMITTED] T6259.005
[GRAPHIC] [TIFF OMITTED] T6259.006
[GRAPHIC] [TIFF OMITTED] T6259.007
[GRAPHIC] [TIFF OMITTED] T6259.008
[GRAPHIC] [TIFF OMITTED] T6259.009
[GRAPHIC] [TIFF OMITTED] T6259.010
[GRAPHIC] [TIFF OMITTED] T6259.011
[GRAPHIC] [TIFF OMITTED] T6259.012
[GRAPHIC] [TIFF OMITTED] T6259.013
[GRAPHIC] [TIFF OMITTED] T6259.014
[GRAPHIC] [TIFF OMITTED] T6259.015
[GRAPHIC] [TIFF OMITTED] T6259.016
[GRAPHIC] [TIFF OMITTED] T6259.017
[GRAPHIC] [TIFF OMITTED] T6259.018
[GRAPHIC] [TIFF OMITTED] T6259.019
[GRAPHIC] [TIFF OMITTED] T6259.020
[GRAPHIC] [TIFF OMITTED] T6259.021
[GRAPHIC] [TIFF OMITTED] T6259.022
[GRAPHIC] [TIFF OMITTED] T6259.023
[GRAPHIC] [TIFF OMITTED] T6259.024
[GRAPHIC] [TIFF OMITTED] T6259.025
[GRAPHIC] [TIFF OMITTED] T6259.026
[GRAPHIC] [TIFF OMITTED] T6259.027
[GRAPHIC] [TIFF OMITTED] T6259.028
[GRAPHIC] [TIFF OMITTED] T6259.029
[GRAPHIC] [TIFF OMITTED] T6259.030
[GRAPHIC] [TIFF OMITTED] T6259.031
[GRAPHIC] [TIFF OMITTED] T6259.032
[GRAPHIC] [TIFF OMITTED] T6259.033
[GRAPHIC] [TIFF OMITTED] T6259.034
[GRAPHIC] [TIFF OMITTED] T6259.035
[GRAPHIC] [TIFF OMITTED] T6259.036
[GRAPHIC] [TIFF OMITTED] T6259.037
[GRAPHIC] [TIFF OMITTED] T6259.038
[GRAPHIC] [TIFF OMITTED] T6259.039
[GRAPHIC] [TIFF OMITTED] T6259.040
[GRAPHIC] [TIFF OMITTED] T6259.041
[GRAPHIC] [TIFF OMITTED] T6259.042
[GRAPHIC] [TIFF OMITTED] T6259.043
[GRAPHIC] [TIFF OMITTED] T6259.044
[GRAPHIC] [TIFF OMITTED] T6259.045
[GRAPHIC] [TIFF OMITTED] T6259.046
[GRAPHIC] [TIFF OMITTED] T6259.047
[GRAPHIC] [TIFF OMITTED] T6259.048
[GRAPHIC] [TIFF OMITTED] T6259.049
[GRAPHIC] [TIFF OMITTED] T6259.050
[GRAPHIC] [TIFF OMITTED] T6259.051
[GRAPHIC] [TIFF OMITTED] T6259.052
[GRAPHIC] [TIFF OMITTED] T6259.053
[GRAPHIC] [TIFF OMITTED] T6259.054
[GRAPHIC] [TIFF OMITTED] T6259.055
[GRAPHIC] [TIFF OMITTED] T6259.056
[GRAPHIC] [TIFF OMITTED] T6259.057
[GRAPHIC] [TIFF OMITTED] T6259.058
[GRAPHIC] [TIFF OMITTED] T6259.059
[GRAPHIC] [TIFF OMITTED] T6259.060
[GRAPHIC] [TIFF OMITTED] T6259.061
[GRAPHIC] [TIFF OMITTED] T6259.062
[GRAPHIC] [TIFF OMITTED] T6259.063
[GRAPHIC] [TIFF OMITTED] T6259.064
[GRAPHIC] [TIFF OMITTED] T6259.065
[GRAPHIC] [TIFF OMITTED] T6259.066
[GRAPHIC] [TIFF OMITTED] T6259.067
[GRAPHIC] [TIFF OMITTED] T6259.068
[GRAPHIC] [TIFF OMITTED] T6259.069
[GRAPHIC] [TIFF OMITTED] T6259.070
[GRAPHIC] [TIFF OMITTED] T6259.071
[GRAPHIC] [TIFF OMITTED] T6259.072
[GRAPHIC] [TIFF OMITTED] T6259.073
[GRAPHIC] [TIFF OMITTED] T6259.074
[GRAPHIC] [TIFF OMITTED] T6259.075
[GRAPHIC] [TIFF OMITTED] T6259.076
[GRAPHIC] [TIFF OMITTED] T6259.077
[GRAPHIC] [TIFF OMITTED] T6259.078
[GRAPHIC] [TIFF OMITTED] T6259.079
[GRAPHIC] [TIFF OMITTED] T6259.080
[GRAPHIC] [TIFF OMITTED] T6259.081
[GRAPHIC] [TIFF OMITTED] T6259.082
[GRAPHIC] [TIFF OMITTED] T6259.083
[GRAPHIC] [TIFF OMITTED] T6259.084
[GRAPHIC] [TIFF OMITTED] T6259.085
[GRAPHIC] [TIFF OMITTED] T6259.086
[GRAPHIC] [TIFF OMITTED] T6259.087
[GRAPHIC] [TIFF OMITTED] T6259.088
[GRAPHIC] [TIFF OMITTED] T6259.089
[GRAPHIC] [TIFF OMITTED] T6259.090
[GRAPHIC] [TIFF OMITTED] T6259.091
[GRAPHIC] [TIFF OMITTED] T6259.092
[GRAPHIC] [TIFF OMITTED] T6259.093
[GRAPHIC] [TIFF OMITTED] T6259.094
[GRAPHIC] [TIFF OMITTED] T6259.095
[GRAPHIC] [TIFF OMITTED] T6259.096
[GRAPHIC] [TIFF OMITTED] T6259.097
�