[Senate Hearing 107-852]
[From the U.S. Government Publishing Office]
S. Hrg. 107-852
PRIVACY, IDENTITY THEFT, AND THE PROTECTION OF YOUR PERSONAL
INFORMATION IN THE 21ST CENTURY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
AND GOVERNMENT INFORMATION
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 14, 2002
__________
Serial No. J-107-60
__________
Printed for the use of the Committee on the Judiciary
85-061 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
EDWARD M. KENNEDY, Massachusetts ORRIN G. HATCH, Utah
JOSEPH R. BIDEN, Jr., Delaware STROM THURMOND, South Carolina
HERBERT KOHL, Wisconsin CHARLES E. GRASSLEY, Iowa
DIANNE FEINSTEIN, California ARLEN SPECTER, Pennsylvania
RUSSELL D. FEINGOLD, Wisconsin JON KYL, Arizona
CHARLES E. SCHUMER, New York MIKE DeWINE, Ohio
RICHARD J. DURBIN, Illinois JEFF SESSIONS, Alabama
MARIA CANTWELL, Washington SAM BROWNBACK, Kansas
JOHN EDWARDS, North Carolina MITCH McCONNELL, Kentucky
Bruce A. Cohen, Majority Chief Counsel and Staff Director
Sharon Prost, Minority Chief Counsel
Makan Delrahim, Minority Staff Director
------
Subcommittee on Technology, Terrorism, and Government Information
DIANNE FEINSTEIN, California, Chairperson
JOSEPH R. BIDEN, Jr., Delaware JON KYL, Arizona
HERBERT KOHL, Wisconsin MIKE DeWINE, Ohio
MARIA CANTWELL, Washington JEFF SESSIONS, Alabama
JOHN EDWARDS, North Carolina MITCH McCONNELL, Kentucky
David Hantman, Majority Chief Counsel
Stephen Higgins, Minority Chief Counsel
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Cantwell, Hon. Maria, a U.S. Senator from the State of Washington 19
Feinstein, Hon. Dianne, a U.S. Senator from the State of
California..................................................... 1
Grassley, Hon. Charles E., a U.S. Senator from the State of Iowa. 53
Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah...... 54
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona.......... 17
Thurmond, Hon. Strom, a U.S. Senator from the State of South
Carolina....................................................... 63
WITNESSES
Avila, Jonathan D., Executive Counsel, Walt Disney Company,
Burbank, California............................................ 34
Comer, Douglas B., Director of Legal Affairs and Technology
Policy, Intel Corporation, Washington, D.C..................... 30
Fisher, Susan, Executive Director, Doris Tate Crime Victims
Bureau, Carlsbad, California................................... 27
Gregg, Hon. Judd, a U.S. Senator from the State of New Hampshire. 3
Stana, Richard M., Director, Justice Issues, General Accounting
Office, Washington, D.C.; accompanied by Danny R. Burton,
Assistant Director, Dallas Field Office, General Accounting
Office; and Ronald J. Salo, Senior Analyst, Dallas Field
Office, General Accounting Office.............................. 6
Torres, Frank, Legislative Counsel, Consumers Union, Washington,
D.C............................................................ 38
SUBMISSIONS FOR THE RECORD
American Electronics Association, William T. Archey, President
and CEO, Washington, D.C., February 12, 2002, letter and
attachment..................................................... 49
American Medical Association, Division of Legislative Counsel,
Washington, D.C., statement.................................... 50
Intel Corporation, Jeff P. Nicol, Customer Privacy Manager, e-
Business Group, Santa Clara, California, statement............. 55
NCR Corporation, Laura Nyquist, Chief Privacy Officer, Dayton,
Ohio, statement................................................ 59
Privacy Times, Evan Hendricks, Editor/Publisher, Washington,
D.C., statement................................................ 60
PRIVACY, IDENTITY THEFT, AND THE PROTECTION OF YOUR PERSONAL
INFORMATION IN THE 21ST CENTURY
----------
THURSDAY, FEBRUARY 14, 2002
U.S. Senate,
Subcommittee on Technology, Terrorism, and Government
Information,
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:37 p.m., in
room SD-226, Dirksen Senate Office Building, Hon. Dianne
Feinstein, presiding.
Present: Senators Feinstein, Cantwell, and Kyl.
Chairperson Feinstein. In the interest of time, I think we
will probably start. The Ranking Member has been delayed. He
will be along very shortly, but Senator Gregg, we are delighted
to have you here. I know Senator Kyl would like also to hear
your remarks, probably more than my remarks, so why do I not go
ahead and quickly make my remarks, and then in the meantime, he
should be here to hear yours, if that is agreeable with you.
Senator Kyl. I appreciate it. Whatever the Chairman wishes
to do is fine with me.
OPENING STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM
THE STATE OF CALIFORNIA
Chairperson Feinstein. All right. Let me just begin then by
thanking you for your work on the Social Security numbers. I
know you are going to speak about that and I will let you do
it, but it has been a great pleasure for us to be able to work
with you and I want you to know that.
In 1928, Supreme Court Justice Louis Brandeis described
privacy, and I quote, as the ``right most valued by civilized
people,'' and he defined it simply as the right to be left
alone. With the advent of instant communication, the
preservation of this right, I very deeply believe, is at risk.
There are ominous signs that we are losing control over our
personal information. Here are just a few examples.
Some websites store and sell data on the most intimate
aspects of our personal lives--where we live, the value of our
homes, the mortgages that we have, our financial histories, and
even our medical conditions. Your Social Security number today
can be purchased for as little as $25 on the Internet. One
medical information service has, and can distribute at will,
data bases containing the phone number, the gender, and the
address of 368,000 people with clinical depression or 3.3
million people with allergies. And according to one privacy
advocate, a typical person's name and address are known to 500
companies or more. So without a doubt, the threat posed by the
misuse of personal information is there and needs to be
addressed.
First, as the General Accounting Office will report today,
identity theft crimes continue to surge. Identity theft occurs
when another person literally steals your identity for profit
or other illicit motive. Recently, the Federal Trade Commission
reported that identity theft was the largest complaint on the
Commission's consumer complaint list last year, representing 42
percent of its 204,000 complaints. Some privacy groups estimate
that as many as 750,000 people a year are victims of this
crime.
Second, stalkers and others with criminal intent can
increase their ability to harm their victims by gaining access
to their personal information. We will hear today from Susan
Fisher, whose brother was killed by an ex-girlfriend who
stalked him by gaining access to his personal records.
Third, many people simply do not want their personal
information, such as the amount of their bank account, the type
of medications they take, or their home address, widely shared
with other people, and I deeply believe that they have that
right to privacy.
Some have suggested that in light of the ongoing war on
terror, privacy needs to take a backseat to issues of safety
and security. I strongly challenge this view. Protecting basic
consumer privacy is compatible with enhanced security. In fact,
the goals of privacy and security are often complementary.
The recent acts of terror show how personal information can
be misused to advance terrorist or other criminal activities.
According to the Social Security Administration, six of the 19
hijackers in the September 11 attack were using Social Security
numbers illegally. Moreover, an al Qaeda associate recently
testified that the organization trained its operatives how to
obtain stolen licenses, credit cards, and Social Security
numbers.
It also must be acknowledged that efforts to protect
privacy must be balanced with the benefits so many Americans
enjoy because of the widespread use of personal information.
Many of us appreciate the ability to get instant credit, locate
long-lost college friends, purchase items swiftly on the
Internet, or be notified of products that might interest us.
Therefore, I believe it is critical that any initiative on
privacy strike a proper balance, and I think we have crafted
legislation to do just that.
Today's hearing will discuss the need for comprehensive
legislation to deter identity theft and protect personal
privacy. It will specifically address S. 1055, the Privacy Act
of 2001. I want to take just a brief moment to describe the
bill because it sets out where I stand on privacy.
The Privacy Act of 2001 creates a two-tiered system of
privacy protection that recognizes that not all information is
equally sensitive. For your most sensitive information, the
bill requires that companies get your consent before they sell
the data. It is called opt-in. For example, under the Privacy
Act, you must give your consent before a bank can sell
information about your account balance, the stocks you own,
your spending habits, or other personal financial data. That is
opt-in.
You must give your consent before a school, university,
life insurer, or any other entity sells or markets your
sensitive health data, such as your mental state, your disease
status, or the prescriptions that you buy. That is opt-in.
You must give your consent before the sensitive information
on your driver's license, such as your driver's license number,
your height, your weight, your sex or birthdate, can be sold.
That is opt-in.
The Privacy Act will also stop the practice of companies
selling Social Security numbers to any member of the public who
wants your number.
However, to reflect the legitimate needs of business, the
Privacy Act proposes a lower threshold for the sale of less-
sensitive information, such as a person's name and address.
Under this lower threshold, businesses must give notice of
their intent. They must give notice of their intent to use this
information. After giving notice, the business can sell this
less-sensitive data unless the individual tells them not to.
That is opt-out.
We have an impressive roster of witnesses at today's
hearing. As I mentioned, Senator Judd Gregg, who has shown a
lot of leadership on this subject, will testify as a first
panel on the privacy of Social Security numbers.
In the second panel, the GAO will give preliminary results
of its year-long study of identity theft.
In the third panel, we will hear testimony on this bill
from Susan Fisher of the Doris Tate Crime Victims Bureau, Frank
Torres of the Consumers Union, Doug Comer of Intel, and John
Avila of the Disney Corporation.
Senator Kyl should be along momentarily, but in the
interim, Senator Gregg, I will turn to you now.
Senator Gregg. Thank you, Senator.
Chairperson Feinstein. Before you do, Senator, if I might
just put in the record the statement of Laura Nyquist, the
Chief Privacy Officer of NCR Corporation.
I would also like to include a statement from the American
Medical Association.
Finally, I will include a statement by the Privacy Times,
the testimony of Evan Hendricks. I would like to add these to
the record.
Please go ahead, Senator.
STATEMENT OF HON. JUDD GREGG, A U.S. SENATOR FROM THE STATE OF
NEW HAMPSHIRE
Senator Gregg. Thank you, Senator. I appreciate the
courtesy of your inviting me to testify at this hearing, which
is an extremely important hearing on a very topical subject,
and I congratulate you for all the work you have put into this
issue as certainly one of the leaders in the Congress and the
country on the issue of how to protect people's privacy. I have
enjoyed very much having a chance to work with you on this
issue.
Chairperson Feinstein. Thank you.
Senator Gregg. I might just start by explaining how I
became involved in this issue. On October 15, 1999, a
constituent of mine, Amy Boyer, who was a young woman who came
from my hometown of Nashua, New Hampshire, was killed by a man
who had gone on the Internet and taken possession of her Social
Security number and other personal information by using access
which he had obtained through the Internet.
Until recently, we had thought that he had only obtained
the Social Security number in order to stalk Amy, but
unfortunately, it now turns out from court documents that he
had paid a $75 fee to a company and that company had then used
what they called a pretexter, who had posed as an insurance
official and had called her and obtained personal information
from her on the pretext that he was going to give her an
insurance award, I guess. As a result of collecting that
information, they then disseminated it to this individual over
the Internet. The whole transaction, it appears, occurred via
the Internet.
Unfortunately, the pretexter's approach worked. Amy Boyer
was stalked and she was killed by this individual.
As a result of this extraordinarily tragic event and
countless others which have come to my attention and which
Senator Feinstein has mentioned have come to her attention, I
believe that we should make some changes in how information,
personal information, is conveyed and used in the marketplace
and specifically relative to Social Security numbers. Senator
Feinstein and I have worked very closely on this issue.
We have developed language, which is S. 848, the Social
Security Number Misuse Prevention Act. This Act is part of the
bill which you are discussing here today, S. 1055, as I
understand, I believe the second title of that Act. Although I
am very interested in the other issues which are raised by your
bill, I want to confine myself to the Social Security issue,
because this is where I have concentrated most of my time, and
I feel a deep personal responsibility as the representative of
the family of Amy Boyer to do something in this area, so I have
committed a considerable amount of time trying to reach
legislation which will accomplish this.
In drafting S. 848, there really is only one primary goal
and that is to ensure that people would not be able to purchase
Social Security numbers and that companies would not be able to
sell Social Security numbers without an individual giving their
consent. In introducing this legislation, Senator Feinstein and
I have worked hard to strike a delicate balance between
legitimate business and other lawful uses of Social Security
numbers, of which there are many, and our shared desire to
limit general public access to Social Security numbers because
of the significant risk of invasion of privacy that comes from
people being able to obtain your Social Security number.
We have to understand that, like it or not, the Social
Security number has become a national identifier, and in many
instances, it is the only way to ensure accurate identification
of people. Health care providers use Social Security numbers to
maintain our health records to ensure we are receiving the
services we need and we have a right to. Banks and financial
institutions use them to prevent fraud against individuals.
Social Security numbers tell them that a loan applicant is
exactly who he or she says she is.
The National Center for Missing and Exploited Children and
the Association for Children, the enforcement of support, use
Social Security numbers to track down kidnappers and deadbeat
dads. Big Brothers/Big Sisters of America uses Social Security
numbers to do background checks on volunteers to make sure they
are not people who might harm the children who they are working
with.
A truly blanket prohibition, therefore, on Social Security
numbers would probably undermine a great deal of legitimate
uses. In reality, nobody wants to do this, so we worked on
striking a balance, myself and Senator Feinstein. I believe
that we have maybe not a perfect product, but we have succeeded
in identifying and responding to the key issues in a thoughtful
and, I believe, constructive way on this matter.
Under the legislation, obtaining a Social Security number
with wrongful intent is illegal. Under the legislation, no
Social Security number may be displayed, sold, purchased
without the individual's consent, except in the cases involving
public health, national security, law enforcement, and certain
limited business-to-business transactions. No individual may be
required to provide a Social Security number when purchasing a
commercial good or services unless the Social Security number
is absolutely necessary as defined by the Act, and the
definition is limited.
Under the legislation, within 1 year, Social Security
numbers may not appear on any driver's license, motor vehicle
registration, or any other document issued to an individual for
the purposes of identification of that individual. The obvious
reason for that is that as you are going through an airport or
something and you have to show your driver's license, you
should not have to disclose your Social Security number.
Under the bill, within 3 years, Social Security numbers may
not appear on checks issued for payment by Federal, State, or
local agencies, Federal Government agencies.
Finally, on the issuance of public records, which was and
remains a very difficult issue, we worked to strike a balance
between maintaining public access and limiting the potential
for harm that comes with that access. To that end, we
considered the impact of possibly having to redact Social
Security numbers from thousands, if not millions, of public
documents. This would be a hugely expensive and labor intensive
task and it is unclear whether we would in any significant way
further reduce the illegal activity we are trying to prevent.
In other words, it is unclear whether the administrative burden
and the cost would outweigh the potential benefit, and this is
a very real concern.
Under our compromise proposal, there is no requirement for
redaction of Social Security numbers until that document is
sold or displayed to the public, and then only where the number
appears on the face of the document or in a highly consistent
and predictable place inside the document.
For example, records which are known to always contain a
Social Security number on a particular page, and in that case,
the number would need to be redacted before that document could
be sold to the public. There is no requirement that the Records
Office would have to screen through documents that might
incidentally contain a Social Security number.
Madam Chairman, every year, as many as 700,000 instances of
identity theft are reported. Limiting availability of Social
Security numbers is one important way we can address this
issue. S. 848 as it is incorporated into your bill is a well
thought out, tightly woven piece of legislation that
effectively recognizes and balances the many concerns
surrounding the issue of Social Security numbers and their
theft and misuse. Passing this legislation is one of the most
important things that the Congress can do this year to reduce
identity theft and protect individual privacy while permitting
the continued legitimate and limited use of Social Security
numbers.
Madam Chairman, I thank you for the chance to testify
today.
Chairperson Feinstein. Thanks very much, Senator Gregg. I
very much appreciate your comments. I think we have got a very
secure and good part of this bill, and perhaps you and I--I
know Senator Kyl was unavoidably detained. He is always here
faithfully on the dot. So perhaps you and I can talk with him a
little bit about it--
Senator Gregg. We will capture him somewhere.
Chairperson Feinstein [continuing]. Because I hope to move
this thing along. But thank you very much for your leadership
and for being here today.
Senator Gregg. I appreciate your courtesy.
Chairperson Feinstein. I very much appreciate it.
As you can probably tell from the buzzer and the beeper,
there is a vote going on, but what I would like to do is begin
the testimony and then perhaps 10 minutes into it, if Senator
Kyl is not able to be here, we will just take a brief break and
I can run down and vote and come back.
Let me begin with panel two and ask Mr. Richard Stana
please to come and have a seat. Mr. Stana is the Director for
Justice Issues at the GAO. During his 25-year career with GAO,
he has directed reviews on a wide variety of complex military
and domestic issues in headquarters, the field, and overseas
offices. Most recently, he has directed the GAO's work relating
to law enforcement, drug control, immigration, corrections,
court administration, and election systems. He has received
numerous awards throughout his career and he has been active in
many civic and community organizations, as well as his work
with the Federal Government.
Mr. Stana, we are delighted to have you here and we welcome
your testimony.
STATEMENT OF RICHARD M. STANA, DIRECTOR, JUSTICE ISSUES,
GENERAL ACCOUNTING OFFICE; ACCOMPANIED BY DANNY R. BURTON,
ASSISTANT DIRECTOR, DALLAS FIELD OFFICE, GENERAL ACCOUNTING
OFFICE; AND RONALD J. SALO, SENIOR ANALYST, DALLAS FIELD
OFFICE, GENERAL ACCOUNTING OFFICE
Mr. Stana. Thank you very much, Madam Chairman. I am
pleased to be here today to discuss the preliminary results of
our study on the extent or prevalence of identity theft and its
cost to the financial services industry, to victims, and to the
Federal justice system.
With me at the table are Dan Burton, Assistant Director on
this assignment, and Ron Salo, the lead analyst. Behind us is
Robert Rivas, who contributed substantially to this product.
As a matter of definition, identity theft involves stealing
another person's personal identifying information, such as
their Social Security number, date of birth, or mother's maiden
name, and then using the information to create a false identity
document to fraudulently establish credit and run up debt or to
take control of existing financial accounts in order to make
unauthorized purchases.
My prepared statement discusses in detail our preliminary
results. I would like to take this opportunity to briefly
summarize a few important points and comment on several facets
of identity theft that are addressed in S. 1055, the Privacy
Act of 2001.
The first point is that although identity theft numbers are
not easily captured and sometimes reflect different viewpoints,
the statistics we compiled indicate that identity theft
continues to rise. Data from national credit bureaus show that
the number of fraud alerts placed on consumer accounts is
increasing. The data ranges from an estimated low of about
30,000 victims annually to an estimated high of about 178,000
victims annually. Although these statistics are significant,
the lower-end figure understates the magnitude of the problem
because it does not take into account both account takeover
victims and identity theft victims. Neither estimate includes
victims whose wallets or purses were stolen but who did not
call the credit bureau.
The most current statistics compiled by the FTC's Identity
Theft Data Clearinghouse show that about 3,000 identity theft
victims call each week. Additionally, the Social Security
Administration's IG Fraud Hotline received over 65,000
allegations of Social Security number misuse in fiscal year
2001. About four of five SSN misuse allegations relate directly
to identity theft.
Statistics on arrests, investigations, and dollar losses
compiled by leading Federal law enforcement agencies, that is,
the Secret Services, the SSA IG, the IRS, the FBI, and the
Postal Inspection Service, all show an increasing trend in
criminal activity, as well as increasing law enforcement and
prosecutorial activity. But these statistics do not indicate
the full magnitude of victimization because not all incidents
of identity theft are reported and investigated, nor do these
statistics reflect activity at the State and local levels,
where most identity theft allegations are reported.
My second point is that the costs of identity theft to the
financial services industry, to victims, and to law enforcement
are substantial. The cost to the financial services industry in
terms of documented bank check fraud and Visa and MasterCard
total payment card fraud is about $1.8 billion from domestic
operations alone. Check fraud losses by banks for individual
accounts, considering both actual losses and loss avoidance,
reached an estimated $2.2 billion in 1999, which was twice the
amount of losses in 1997, according to the ABA. On average,
about $1 in $3 of check fraud losses are identity theft
related.
Visa and MasterCard reported two categories of payment card
fraud, account takeovers and fraudulent applications, which
they associate closely with identity theft. These rose 43
percent, from about $80 million in 1996 to about $114 million
in 2000. In the view of law enforcement, however, virtually all
categories of payment card fraud encompass identity theft.
Under their broader definition, the two associations' combined
total fraud losses from domestic operations alone rose 45
percent from 1996 to 2000. These statistics do not include data
from other firms, such as American Express, Diners Club, and
Discover, that comprise about 25 percent of general purpose
card markets.
It should be noted also that we found no comprehensive data
on direct fraud losses to the retail, insurance, or other
industries.
The cost of identity theft to individual victims can cause
potential severe emotional distress as well as economic harm.
Victims often feel personally violated and report significant
amounts of time trying to resolve the problems caused by
identity theft, problems such as bounced checks, loan denials,
credit card application rejections, and debt collection
harassment.
The most common harm reported to the FTC was denied credit
or other financial services. On the extreme end, victims had
been subjected to criminal investigations, arrest, or even
conviction. In terms of monetary harm, the FTC reported that
about 15 percent of the victims reporting a loss alleged losing
more than $5,000.
The cost to the Federal criminal justice system to
investigate, prosecute, incarcerate, and supervise offenders is
difficult to capture because information systems do not
separately track such costs. Nevertheless, in response to our
request, the FBI and Secret Service indicated the average cost
of an investigative matter was between $15,000 and $20,000. The
average white collar prosecution costs about $11,000. And the
average incarceration costs, about $17,000 per inmate, and
annual supervision, about $3,000 per offender.
Let me turn now--I am sorry?
Chairperson Feinstein. I am going to try to wait, ask them
to keep the vote open. You continue, and then we will recess
when you are finished.
Mr. Stana. Turning now to other aspects of identity theft,
although the scope of our work for the subcommittee did not
include an evaluation of various legislative proposals, we did
compile information that offers perspectives on various
provisions in S. 1055 that are designed to address some aspects
of identity theft.
For example, a major component of identity theft is
acquiring personal identifiers, such as SSNs or drivers'
licenses, to build false identities. According to a 1999 study
by the Sentencing Commission, drivers' licenses and SSNs are
the identification means most frequently used to generate or
breed other fraudulent identifiers. As you know, S. 1055 would
prohibit the use of SSNs and drivers' licenses for motor
vehicle registration documents.
Another potential source of personal identifiers for
identity thieves is the personal financial information sold by
financial institutions to non-affiliated third parties. Gramm-
Leach-Bliley established the opt-out standard which you
discussed before. S. 1055 would amend Gramm-Leach-Bliley to
provide consumers an opt-in standard, whereby a bank would need
prior consent of the consumers before selling personal
financial information to non-affiliated parties.
Resource levels and competing priorities can limit any one
level of government's capacity, including the Federal
Government's capacity, to address identity theft crimes. S.
1055 would empower State attorneys general to enforce the
Privacy Act. Although Gramm-Leach-Bliley does not have a
similar provision, the Act's legislative history indicates that
earlier versions of the House and Senate bills included a
similar State enforcement authority, which was dropped in
conference.
And finally, in a similar vein, resource constraints and
dollar threshold levels have limited the numbers and types of
cases that Federal law enforcement agencies have investigated.
One type of case that has not often been investigated involves
SSN misuse. Currently, the SSA IG devotes the vast majority of
its investigative resources to program integrity priority areas
rather than SSN misuse cases. SSN misuse allegations increased
more than five-fold, to about 65,000, in 2001. S. 1055 would
give SSA the authority to impose civil monetary penalties for
SSN misuse. Now, it is not clear how the SSA IG would carry out
this new authority or how many additional resources it would
require and at what cost.
Madam Chairman, this concludes my oral statement. We would
be pleased to address any questions you or other members of the
subcommittee may have.
[The prepared statement of Mr. Stana follows:]
Statement of Richard M. Stana, Director, Justice Issues, U.S. General
Accounting Office, Washington, D.C.
Madam Chairwoman and Members of the Subcommittee:
I am pleased to be here today to discuss the preliminary results of
our ongoing study requested by the Subcommittee and Senator Charles
Grassley to develop information on the extent or prevalence of identity
theft and its cost to the financial services industry, victims, and the
federal criminal justice system. Generally, identity theft involves
``stealing'' another person's personal identifying information such as
Social Security number (SSN), date of birth, and mother's maiden name
and then using the information to fraudulently establish credit, run up
debt, or to take over existing financial accounts. Although not
specifically or comprehensively quantifiable, the prevalence and cost
of identity theft seem to be increasing, according to the available
data we reviewed and many officials of the public and private sector
entities we contacted. Given such indications, most observers agree
that identity theft certainly warrants continued attention,
encompassing law enforcement as well as prevention efforts. Various
recently introduced bills, including S. 1055 (Privacy Act of 2001),
have provisions designed to enhance such efforts. While the scope of
our work did not include an evaluation of S. 1055, we did compile
information that could be useful in discussing related issues, and my
testimony today will offer perspectives on several identity theft-
related provisions of the bill.
To obtain the most recent statistics on the incidence and societal
cost of identity theft, we interviewed responsible officials and
reviewed documentation obtained from the Department of Justice and its
components, including the Executive Office for U.S. Attorneys (EOUSA)
and the Federal Bureau of Investigation (FBI); the Department of the
Treasury and its components, including the Secret Service and the
Internal Revenue Service (IRS); the Social Security Administration's
(SSA) Office of the Inspector General (OIG); the Postal Inspection
Service; and the Federal Trade Commission (FTC). Also, we contacted
representatives of the three national consumer reporting agencies
(commonly referred to as ``credit bureaus'') and two payment card
associations (MasterCard and Visa). Further, at our request and with
the consent of the victims, FTC provided us with the names and
telephone numbers of 10 victims to interview. According to FTC staff,
the sample of 10 victims was selected to illustrate a range in the
extent and variety of the identity theft activities reported by
victims. The experiences of these 10 victims are not statistically
representative of all victims.
Background
Since our earlier report in May 1998,\1\ various actions
particularly passage of federal and state statutes have been taken to
address identify theft. Later that year, Congress passed the Identity
Theft and Assumption Deterrence Act of 19098 (the ``Identity Theft
Act'').\2\ Enacted in October 1998, the federal statute made identify
theft a separate crime against the person whose identity was stolen,
broadened the scope of the offense to include the misuse of information
as well as documents, and provided punishment generally, a fine or
imprisonment for up to 15 years or both. Under U.S. Sentencing
Commission guidelines even if (1) there is no monetary loss and (2) the
perpetrator has no prior criminal convictions a sentence of from 10 to
16 months incarceration can be imposed. Regarding state statutes, at
the time of our 1998 report, very few states had specific laws to
address identity theft. Now, less than 4 years later, a large majority
of states have enacted identify theft statues.
---------------------------------------------------------------------------
\1\ U.S. General Accounting Office, Identity Fraud: Information on
Prevalence, Cost, and Internet Impact is Limited, GAO/GGD-98-100BR
(Washington, D.C.: May 1, 1998).
\2\ Public Law 105-318 (1998). The relevant section of this
legislation is codified at 18 U.S.C. Sec. 1028(a)(7)(``fraud and
related activity in connection with identification documents and
information'').
---------------------------------------------------------------------------
Prevalence of Identity Theft
As we reported in 1998, there are no comprehensive statistics on
the prevalence of identity theft or identity fraud. Similarly, during
our current review, various officials noted that precise, statistical
measurement of identity theft trends is difficult for number of
reasons. Generally, federal law enforcement agencies do not have
information systems that specifically track identity theft cases. For
example, while the amendments of the Identity Theft Act are included as
subsection (a)(7) of section 1028, Title 18 of the U.S. Code, EOUSA
does not have comprehensive statistics on offenses charged specifically
under that subsection because docketing staff are asked to record cases
under only the U.S. Code section, not the subsection or the sub-
subsection. Also, the FBI and the Secret Service said that identity
theft is not typically a stand-alone crime; rather, it is almost always
a component of one or more white-collar or financial crimes, such as
bank fraud, credit card or access device fraud, or the use of
counterfeit financial instruments.
Nonetheless, a number of data sources can be used as proxies for
gauging the prevalence of identity theft. These sources can include
consumer complaints and hotline allegations, as well as law enforcement
investigations and prosecutions of identity theft-related crimes such
as bank fraud and credit card fraud. Each of these various sources or
measures seems to indicate that the prevalence of identity theft is
growing.
consumer reporting agencies: an increasing number of fraud alerts on
consumer files
According to the consumer reporting agency officials that we talked
with, the most reliable indicator of the incidence of identity theft is
the number of 7-year fraud alerts placed on consumer credit files.
Generally, fraud alerts constitute a warning that someone may be using
the consumer's personal information to fraudulently obtain credit.
Thus, a purpose of the alert is to advise credit grantors to conduct
additional identity verification or contact the consumer directly
before granting credit. One of the three consumer reporting agencies
that we contacted estimated that its 7-year fraud alerts involving
identity theft increased 36 percent over 2 recent years from about
65,600 in 1999 to 89,000 in 2000.\3\ A second agency reported that its
7 year fraud alerts increased about 53 percent in recent comparative
12-month periods; that is, the number increased from 19,347 during one
12-month period (July 1999 through June 2000) to 29,593 during the more
recent period (July 2000 through June 2001). The third agency reported
about 92,000 fraud alerts for 2000 but was unable to provide
information for any earlier year.\4\
---------------------------------------------------------------------------
\3\ These estimates are approximations based on the judgment and
experience of agency officials.
\4\ An aggregate figure totaling the number of fraud alerts
reported by the three consumer reporting agencies may be misleading,
given the likelihood that many consumers may have contacted more than
one agency. During our review, we noted that various Web sites
including those of two of the three national consumer reporting
agencies, as well as the FTC's Web site, advise individuals who believe
they are the victimes of identity theft or fraud to contact all three
national consumer reporting agencies.
---------------------------------------------------------------------------
ftc: an increasing number of calls to the identity theft data
clearinghouse
The Identity Theft Act requires the FTC to ``log and acknowledge
the receipt of complaints by individuals who certify that they have a
reasonable belief'' that one or more of their means of identification
have been assumed, stolen, or otherwise unlawfully acquired. In
response to this requirement, in November 1999, FTC established the
Identity Theft Data Clearinghouse (FTC Clearinghouse) to gather
information from any consumer who wishes to file a complaint or pose an
inquiry concerning identity theft.\5\ In November 1999, the first month
of operation, the FTC Clearinghouse responded to an average of 445
calls per week. By March 2001, the average number of calls answered had
increased to over 2,000 per week. In December 2001, the weekly average
was about 3,000 answered calls.
---------------------------------------------------------------------------
\5\ On November 1, 1999, FTC established a toll-free telephone
hotline (1-877-ID-THEFT) for consumers to report identity theft.
Information from complainants is accumulated in a central database (the
Identity Theft Data Clearinghouse) for use as an aid in law enforcement
and prevention of identity theft.
---------------------------------------------------------------------------
At a congressional hearing in September 2000, an FTC official
testified that Clearinghouse data demonstrate that identity theft is a
``serious and growing problem.'' \6\ More recently, during our review,
FTC staff cautioned that the trend of increased calls to FTC perhaps
could be attributed to a number of factors, including increased
consumer awareness, and may not necessarily be attributed to an
increase in the incidence of identity theft.
---------------------------------------------------------------------------
\6\ FTC, prepared statement on ``Identity Theft,'' hearing before
the Committee on Banking and Financial Services, U.S. House of
Representatives (Sept. 13, 2000).
---------------------------------------------------------------------------
ssa/oig: an increasing number of fraud hotline allegations
SSA/OIG operates a fraud hotline to receive allegations of fraud,
waste, and abuse. In recent years, SSA/OIG has reported a substantial
increase in calls related to identity theft. For example, allegations
involving SSN misuse increased more than fivefold, from about 11,000 in
fiscal year 1998 to about 65,000 in fiscal year 2001. However, the
increased number of allegations may be due partly to additional fraud
hotline staffing, which increased from 11 to over 50 personnel during
this period. SSA/OIG officials attributed the trend in allegations
partly to a greater incidence of identity theft. Also, irrespective of
staffing levels, a review performed by SSA/OIG of a sample of 400
allegations of SSN misuse indicated that up to 81 percent of all
allegations of SSN misuse related directly to identity theft.
federal law enforcement: increasing indications of identity theft-
related crime
Although federal law enforcement agencies do not have information
systems that specifically track identity theft cases, the agencies
provided us with case statistics for identity theft-related crimes.
Regarding bank fraud, for instance, the FBI reported that its arrests
increased from 579 in 1998 to 645 in 2000 and was even higher (691) in
1999. The Secret Service reported that, for recent years, it has
redirected its identity theft-related efforts to focus on high-dollar,
community-impact cases. Thus, even though the total number of identity
theft-related cases closed by the Secret Service decreased from 8,498
in fiscal year 1998 to 7,071 in 2000, the amount of fraud losses
prevented in these cases increased from a reported average of $73,382
in 1998 to an average of $217,696 in 2000.\7\ IRS reported on the
extent of questionable refund schemes involving a ``high frequency'' of
identity fraud, that is, cases very likely to have elements of identity
fraud. Regarding such cases, for a 5-year period (calendar years 1996
to 2000), IRS reporting detecting fraudulent refund claims totaling
$1.76 billion and that 83 percent ($1.47 billion) of this total
occurred in 1999 and 2000. The Postal Inspection Service, in its fiscal
year 2000 annual report, noted that identity theft is a growing trend
and that the agency's investigations of such crime had ``increased by
67 percent since last year.''
---------------------------------------------------------------------------
\7\ In compiling case statistics, the Secret Service defined
``identity theft'' as any case related to the investigation of false,
fraudulent, or counterfeit identification; stolen, counterfeit, or
altered checks or Treasury securities; stolen altered, or counterfeit
credits cards; or financial institution fraud.
---------------------------------------------------------------------------
Cost of Identity Theft to the Financial Services Industry
We found no comprehensive estimates of the cost of identity theft
to the financial services industry.\8\ Some data on identity theft-
related losses such as direct fraud losses reported by the American
Banking Association (ABA) and payment card associations indicated
increasing costs. Other data, such as staffing of the fraud departments
of banks and consumer reporting agencies, presented a mixed and, in
some instances, incomplete picture. For example, one consumer reporting
agency reported that staffing of its fraud department had doubled in
recent years, whereas another agency reported relatively constant
staffing levels. Furthermore, despite concerns about security and
privacy, the use of e-commerce has grown steadily in recent years. Such
growth may indicate greater consumer confidence but may also have
resulted from an increase in the number of people who have access to
Internet technology.
---------------------------------------------------------------------------
\8\ Generally, regarding the financial services industry, the scope
of our work focused primarily on abstaining information from banks, two
payment card associations (MasterCard and Visa), and the three national
consumer reporting agencies.
---------------------------------------------------------------------------
Regarding direct fraud losses, in its 2000 bank industry survey on
check fraud, the ABA reported that total check fraud-related losses
against commercial bank accounts considering both actual losses ($679
million) and loss avoidance ($1.5 billion) reached an estimated $2.2
billion in 1999, which was twice the amount in 1997.\9\ Regarding
actual losses, the report noted that the 1999 figure ($679 million) was
up almost 33 percent from the 1997 estimate ($512 million). However,
not all check fraud-related losses were attributed to identity theft,
which the ABA defined as account takeovers (or true name fraud).
Rather, the ABA reported that, of the total check fraud-related losses
in 1999, the percentages attributable to identity theft ranged from 56
percent for community banks (assets under $500 million) to 5 percent
for superregional/money center banks (assets of $50 billion or more)
and the average for all banks was 29 percent.
---------------------------------------------------------------------------
\9\ ABA, Deposit Account Fraud Survey Report 2000. The ABA defined
``loss avoidance'' as the amount of losses avoided as a result of the
banks' prevention systems and procedures. Because the overall response
rate by banks to the survey was only 11 percent, the ABA's data should
be interpreted with caution.
---------------------------------------------------------------------------
The two major payment card associations, MasterCard and Visa, use
very similar (although not identical) definitions regarding which
categories of fraud constitute identity theft. Generally, the
associations consider identity theft to consist of two fraud categories
account takeovers and fraudulent applications.\10\ On the basis of
these two categories, the associations' aggregated identity theft-
related losses from domestic (U.S. operations) rose from $79.9 million
in 1996 to $114.3 million in 2000, an increase of about 43 percent. The
associations' definitions of identity theft-related fraud are
relatively narrow, in the view of law enforcement, which considers
identity theft as encompassing virtually all categories of payment card
fraud. Under this broader definition, the associations' total fraud
losses from domestic operations rose from about $760 million in 1996 to
about $1.1 billion in 2000, an increase of about 45 percent. However,
according to the associations, the annual total fraud losses
represented about \1/10\th of 1 percent or less of U.S. member banks'
annual sales volume during 1996 through 2000.
---------------------------------------------------------------------------
\10\ Other fraud categories that the associations do not consider
to be identity-theft related include, for example, lost and stolen
cards, never-received cards, counterfeit cards, and mail order/
telephone order fraud.
---------------------------------------------------------------------------
Regarding staffing and cost of fraud departments, in its 2000 bank
industry survey on check fraud, the ABA reported that the amount of
resources that banks devoted to check fraud prevention, detection,
investigation, and prosecution varied according to bank size. For check
fraud-related operating expenses (not including actual losses) in 1999,
the ABA reported that over two-thirds of the 446 community banks that
responded to the survey each spent less than $10,000, and about one-
fourth of the 11 responding superregional/money center banks each spent
$10 million or more for such expenses.
One national consumer reporting agency told us that staffing of its
Fraud Victim Assistance Department doubled in recent years, increasing
from 50 individuals in 1997 to 103 in 2001. The total cost of the
department was reported to be $4.3 million for 2000. Although not as
specific, a second agency reported that the cost of its fraud
assistance staffing was ``several million dollars.'' And, the third
consumer reporting agency said that the number of fraud operators in
its Consumer Services Center had increased in the 1990s but has
remained relatively constant at about 30 to 50 individuals since 1997.
Regarding consumer confidence in online commerce, despite concerns
about security and privacy, the use of e-commerce by consumers has
steadily grown. For example, in the 2000 holiday season, consumers
spent an estimated $10.8 billion online, which represented more than a
50 percent increase over the $7 billion spent during the 1999 holiday
season. Further, in 1995, only one bank had a Web Site capable of
processing financial transactions; but, by 2000, a total of 1,850 banks
and thrifts had Web sites capable of processing financial
transactions.\11\
---------------------------------------------------------------------------
\11\ Federal Deposit Insurance Corporation, Evolving Financial
Products, Services, and Delivery Systems (Washington, D.C.). (Feb. 14,
2001).
---------------------------------------------------------------------------
The growth in e-commerce could indicate greater consumer confidence
but could also result from the increasing number of people who have
access to and are becoming familiar with Internet technology. According
to an October 2000 Department of Commerce report, Internet users
comprised about 44 percent (approximately 116 million people) of the
U.S. population in August 2000. This was an increase of about 38
percent from 20 months prior.\12\ According to Commerce's report, the
fastest growing online activity among Internet users was online
shopping and bill payment, which grew at a rate of 52 percent in 20
months.
---------------------------------------------------------------------------
\12\ Department of Commerce, Falling Through the Net: Toward
Digital Inclusion (Oct. 2000). This report was the fourth in a series
of studies issued by Commerce on the technological growth of U.S.
Households and individuals.
---------------------------------------------------------------------------
Cost of Identity Theft to Victims
Identity theft can cause substantial harm to the lives of
individual citizens potentially severe emotional or other nonmonetary
harm, as well as economic harm. Even though financial institutions may
not hold victims liable for fraudulent debts, victims nonetheless often
feel ``personally violated'' and have reported spending significant
amounts of time trying to resolve the problems caused by identity theft
problems such as bounced checks, loan denials, credit card application
rejections, and debt collection harassment. For the 23-month period
from its establishment in November 1999 through September 2001, the FTC
Identity Theft Data Clearinghouse received 94,100 complaints from
victims, including 16,781 identity theft complaints contributed by SSA/
OIG. The leading types of nonmonetary harm cited by consumers were
``denied credit or other financial services (mentioned in over 7,000
complaints) and ``time lost to resolve problems'' (mentioned in about
3,500 complaints). Also, in nearly 1,300 complaints, identity theft
victims alleged that they had been subjected to ``criminal
investigation, arrest, or conviction.'' Regarding monetary harm, FTC
Clearinghouse data for the 23-month period indicated that 2,633 victims
reported dollar amounts as having been lost or paid as out-of-pocket
expenses as a result of identity theft. Of these 2,633 complaints, 207
each alleged losses above $5,000; another 203 each alleged losses above
$10,000.
From its database of identity theft victims, after obtaining the
individuals' consent, FTC provided us with the names and telephone
numbers of 10 victims. We contacted the victims to obtain an
understanding of their experiences. In addition to the types of harm
mentioned above, several of the victims expressed to us feelings of
``invaded privacy'' and ``continuing trauma.'' In particular, such
``lack of closure'' was cited when elements of the crime involved more
than one jurisdiction and/or if the victim had no awareness of any
arrest being made. Some victims told us of filing police reports in
their home state but not being able to do so in the states where the
perpetrators committed fraudulent activities using the stolen
identities. Only 2 of the 10 victims told us they were aware that the
perpetrator had been arrested.
In a May 2000 report, two nonprofit advocacy entities the
California Public Interest Research Group (CALPIRG) and the Privacy
Rights Clearinghouse presented findings based on a survey (conducted in
spring 2000) of 66 identity theft victims who had contacted these
organizations.\13\ According to the report, the victims spent 175
hours, on average, actively trying to resolve their identity theft-
related problems.
---------------------------------------------------------------------------
\13\ CALPRIG (Sacramento, CA) and Privacy Rights Clearinghouse (San
Diego, CA), ``Nowhere to Turn: Victims Speak Out on Identity Theft''
(May 2000).
---------------------------------------------------------------------------
Also, not counting legal fees, most victims estimated spending $100
for out-of-pocket costs. The May 2000 report stated that these finding
may not be representative of the plight of all victims. Rather, the
report noted that the findings should be viewed as ``preliminary and
representative only of those victims who have contacted our
organizations for further assistance (other victims may have had
simpler cases resolved with only a few calls and felt no need to make
further inquiries).''
Later, at a national conference, the Director of Privacy Rights
Clearinghouse expanded on the results of the May 2000 report. For
instance, regarding the 66 victims surveyed, the Director noted that
one in six (about 15 percent) said that they had been the subject of a
criminal record because of the actions of an impostor.\14\ Further, the
Director provided additional comments substantially as follows:
---------------------------------------------------------------------------
\14\ Beth Givens, Director, Privacy Rights Clearinghouse,
``Identity Theft: Growing Problem of Wrongful Criminal Records,'' paper
presented at the SEARCH National Conference on Privacy, Technology and
Criminal Justices Information, Washington, D.C. (June 2000).
Unlike checking for credit report inaccuracies, there
is no easy way for consumers to determine if they have become
the subject of a criminal record.
Indeed, victims of identity theft may not discover
that they have been burdened with a criminal record until, for
example, they are stopped for a traffic violation and are then
arrested because the officer's checking of the driver's license
number indicated that an arrest warrant was outstanding.
Federal Criminal Justice System Costs
Regarding identity theft and any other type of crime, the federal
criminal justice system incurs costs associated with investigation,
prosecutions, incarceration, and community supervision.\15\ Generally,
we found that federal agencies do not separately maintain statistics on
the person hours, portions of salary, or other distinct costs that are
specifically attributable to cases involving identity theft. As an
alternative, some of the agencies provided us with average cost
estimates based, for example, on work year counts for white-collar
crime cases a category that covers financial crimes, including identity
theft.
---------------------------------------------------------------------------
\15\ As agreed with the requesters, our study focused on the costs
of identify theft to the federal government only and not to state or
local governmental entities; although, since 1998, most states have
enacted laws that criminalize identity theft.
---------------------------------------------------------------------------
In response to our request, the FBI estimated that the average cost
to investigate white-collar crimes handled by the agency's white-collar
crime program was approximately $20,000 during fiscal years 1998 to
2000, based on budget and workload data for the 3 years. However, an
FBI official cautioned that the average cost figure has no practical
significance because it does not capture the wide variance in the scope
and costs of white-collar crime investigations. Also, the official
cautioned that while identity theft is frequently an element of bank
fraud, wire fraud, and other types of white-collar or financial crimes
some cases (including some high-cost cases) do not involve elements of
identity theft.
Similarly, Secret Service officials in responding to our request
for an estimate of the average cost of investigating financial crimes
that included identity theft as a component said that cases vary so
much in their makeup that to put a figure on average cost is not
meaningful. SSA/OIG officials responded that the agency's information
systems do not record time spent by function to permit making an
accurate estimate of what it costs the OIG to investigate cases of SSN
misuse.
Regarding prosecutions, in fiscal year 2000, federal prosecutors
handled approximately 13,700 white- collar crime cases, at an estimated
average cost of about $11,400 per case, according to EOUSA. The total
cases included those that were closed in the year, those that were
opened in the year, and those that were still pending at year end.
EOUSA noted that the $11,400 figure was an estimate and that the actual
cost could be higher or lower.
According to Bureau of Prisons (BOP) officials, federal offenders
convicted of white-collar crimes generally are incarcerated in minimum-
security facilities. For fiscal year 2000, the officials said that the
cost of operating such facilities averaged about $17,400 per inmate.
After being released from BOP custody, offenders are typically
supervised in the community by federal probation officers for a period
of 3 to 5 years. For fiscal year 2000, according to the Administrative
Office of the United States Courts, the cost of community supervision
averaged about $2,900 per offender which is an average for ``regular
supervision'' without special conditions, such as community service,
electronic monitoring, or substance abuse treatment.
Observations on Identity Theft and Legislative Proposals
Given indications that the prevalence and cost of identity theft
have increased in recent years, most observers agree that such crime is
serious and warrants continued attention from law enforcement,
industry, and consumers. Since our May 1998 report, various actions
particularly passage of federal and state statutes have been taken to
address identity theft. A current focus for policymakers and criminal
justice administrators is to ensure that relevant legislation is
effectively enforced. Along these lines, we identified several
initiatives including coordinating committees, multi jurisdictional
task forces, and information clearinghouses that might help define the
dimensions of the problem and help focus limited enforcement resources.
Moreover, there is general agreement that, in addition to
investigating and prosecuting violations of these laws, a multi pronged
approach to combating identity theft must include prevention efforts,
such as limiting access to personal information. As you know, at the
request of this Subcommittee and others, we have ongoing work looking
at government agencies' use of SSNs and whether better safeguards or
protections are needed. Prevention efforts can be particularly
important, given the personal toll that this crime seems to exact on
its victims and how difficult it is to investigate and prosecute
perpetrators.
Although the scope of our work for today's testimony did not
include an evaluation of various legislative proposals designed to
combat identity theft, we did compile information that offers
perspectives on various provisions of S. 1055 that are designed to
address some aspects of the crime. For example, a major component of
identity theft is acquiring personal identifiers such as SSNs, which
are used in some states as driver's license numbers to build false
identities. According to a 1999 study by the U.S. Sentencing
Commission,\16\ driver's licenses and SSNs are two of the most commonly
misused identification means. In fact, the Commission's study reported
that driver's licenses and SSNs are the identification means most
frequently used to generate or ``breed'' other fraudulent identifiers.
A provision (title II, section 205) of S. 1055 would prohibit the use
of SSNs on driver's licenses or motor vehicle registration documents.
In 1992, California enacted a law specifying that the SSN collected on
a driver's license application shall not be displayed on the driver's
license, including any magnetic tape or strip used to store data on the
license. More recently, in November 2001, Ohio passed a law prohibiting
the display of an SSN on a person's driver's license unless the person
requests that the number be displayed. According to the American
Association of Motor Vehicle Administrators, most states either
prohibit display of the SSN on the face of the license or give the
applicant the option to choose whether to display it.
---------------------------------------------------------------------------
\16\ U.S. Sentencing Commissions, Identity Theft Final Report
(Washington, D.C.) (Dec. 15, 1999)
---------------------------------------------------------------------------
Another potential source of personal identifiers for identity
thieves is the personal financial information sold by financial
institutions to non-affiliated third parties. The Gramm-Leach-Bliley
Act of 1999 \17\ (GLBA) established the ``opt-out'' standard currently
in effect. That is, unless an exception applies under the current
standard, a financial institution must give consumers notice and the
opportunity to opt-out before the financial institution can disclose
private financial information to non-affiliated third parties.
Generally, to implement the opt-out standard, financial institutions
are required by law to send consumers an opt-out notice informing them
of their right to prohibit its disclosure. In addition, financial
institutions have to provide consumers an initial notice and customers
an annual notice to inform them of the institution's information
policies and practices. These requirements for federally regulated
financial institutions became effective July 1, 2001. Limited data are
available about the response to and effectiveness of such notices.
However, another provision (title III, section 302) of S. 1055 would
impose a stricter standard if the financial institution seeks to sell
the information. Specifically, that provision would amend GLBA to
provide consumers an ``opt-in'' standard, whereby a bank would need
prior consent of the customers before selling personal financial
information to non-affiliated third parties.
---------------------------------------------------------------------------
\17\ Public Law 106-102 (1999).
---------------------------------------------------------------------------
Resource levels and competing priorities can limit any one level of
government's capacity, including the federal government's capacity, to
address identity theft crimes. Another provision (title VI, section
601) of S. 1055 would empower state attorneys general to enforce this
act. Regarding precedent for such a provision, although GLBA does not
have a similar provision, the act's legislative history indicates that
earlier versions of the House and Senate bills included similar state
enforcement authority, which was dropped in conference. In further
reference to precedent, however, one example of an enacted provision is
in the antitrust context. State attorneys general have the authority to
bring civil actions on behalf of resident consumers who have been
injured as a result of violations of federal antitrust laws.
In a similar vein, resource constraints and dollar threshold levels
have limited the numbers and types of cases that federal law
enforcement agencies have investigated. One type of case that has not
often been investigated involves SSN misuse. Currently, SSA/OIG devotes
its investigative resources to program integrity priority areas rather
than SSN misuse cases. SSN misuse allegations increased more than
fivefold, from about 11,000 in fiscal year 1998 to about 65,000 in
fiscal year 2001. Title II, section 207 of S. 1055 would give SSA the
authority to impose civil monetary penalties for SSN misuse. It is not
clear how the SSA/OIG would carry out this new authority or how many
additional resources it would require and at what cost.
In sum, while legislative and other actions have been taken in
recent years to address identity theft, incidence and cost data
indicate that more can and should be done. The provisions contained in
S. 1055 and other proposed legislation are aimed at enhancing the
prevention and enforcement tools available to law enforcement,
industry, and consumers. These legislative proposals deserve careful
attention and analysis.
Madam Chairwoman, this concludes my prepared statement. I would be
pleased to answer any questions that you or other members of the
subcommittee may have.
Contacts and Acknowledgments
For further information regarding this testimony, please contact
Richard M. Stana at (202) 512-8777 or Danny R. Burton at (214) 777-
5600. Individuals making key contributions to this testimony included
David P. Alexander, Shirley A. Jones, Robert J. Rivas, and Ronald J.
Salo.
Chairperson Feinstein. Thank you very much. I think it is
fair to say that we have got a substantial and rising problem
in the United States. I mean, some law enforcement people have
told me that it is the single largest rising crime in America.
Would you agree with that?
Mr. Stana. I do not know if it is the single largest crime,
but I cannot think of one that is rising faster. It is touching
every facet of our society. It is touching victims, it is
touching businesses, it is touching government, and from that
standpoint alone, it suggests that more needs to be done.
Chairperson Feinstein. I have also been told that the
burden of proof is really on the victim, who has to go and
reestablish their identity, and that the average length of time
that it takes a victim to reestablish their identity is 18
months. Did you do any work in that area?
Mr. Stana. We phoned ten victims that were identified
through the FTC's data clearinghouse and asked them a number of
things, like the impact of their victimization, how long it
took them to unwind their case, and some of the impacts that
they received from being a victim. They told us, on average--of
course, there were some at the low end, some at the high end--
but about 150 to 200 hours it took them of their personal time
to unwind the case.
Oftentimes, they did not lose financially as much as they
just lost their ability to get car loans. Interestingly, in
four cases we identified, the identity theft victim actually
went to jail for some time while they were trying to unwind
their identity.
I might also mention, Senator, that one interesting facet
of this is about three-quarters of the victims have no idea how
their identity was stolen. They do not know if it came from
somebody who stole mail. They do not know if it came from the
Internet. They do not know if it came from a huge data base.
But the 25 percent who did know, about half of those found that
it was somebody who they have a personal relationship with, a
friend, a co-worker, somebody down the street who stole their
identity.
Chairperson Feinstein. I am told that the two major centers
for identity theft are Los Angeles and Oakland, California,
interestingly enough, and some of the testimony that I have
received indicates that, often, obituary columns are good
sources of information that lead to the theft of identity
because mother's name, father's name are listed there, and then
the individual has a basis to go out and get access to the
Social Security number or the driver's license and they can
also look up the financial data, buy the financial data of the
individual.
I am particularly aware of one case where, I think it was
the No. 2 executive at the Cedars of Lebanon Hospital in Los
Angeles, he passed away and the obituary was in the Los Angeles
Times. His widow was essentially bilked of, I think, $300,000
by identity thieves who got what they needed to get the
documents right out of the obituary column. Have you
encountered anything like that in your examination?
Mr. Stana. Well, the key pieces of information that are
used to create an identity, a false identity, are the names,
address, Social Security number, date of birth, and mother's
maiden name, and if you can get a combination of those from
various sources, if you have some from an obituary, for
example, a mother's maiden name and the name and the address,
and go into some research engine on the Internet and pull down
other information, you can easily build a new identity.
This really underscores two things. Not only do we need to
pay attention to the law enforcement needs related to identity
theft, but the prevention needs are tremendous. I know you
addressed some of them in S. 1055, but the need for individuals
to protect their personal identifiers like they would protect
their wallet or their purse is just so important. It cannot be
understated.
Chairperson Feinstein. Mr. Stana, I must go to the vote, so
we will take a brief recess. If you would not mind staying,
Senator Cantwell is going to be here following the vote and she
has indicated that she has some questions she would like to
ask. So if you do not mind------
Mr. Stana. Not at all.
Chairperson Feinstein. and everybody else does not mind, we
will take a brief 10-minute, strict 10-minute, recess.
[Recess.]
Chairperson Feinstein. We will reconvene, and thank you
very much for your forbearance.
I am delighted to be joined by the Ranking Member. He and I
have worked very closely on this committee now for a number of
years, and speaking for myself, I find it most enjoyable to
work with him. Mr. Stana, if it is all right with you, I will
defer to the Ranking Member now for his comments.
STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF
ARIZONA
Senator Kyl. Thank you, Senator Feinstein. I am not going
to read my entire opening statement. I will ask that be put in
the record. I welcome all of the witnesses. I am sorry I missed
Senator Gregg.
Senator Feinstein is absolutely right. We have worked on
this particular problem for many years now together, and
probably nothing has been more frustrating to either one of us
than the inability to stop this kind of crime. We can diminish
it. We can help the people who have been victims of the crime,
although we are clearly not doing enough to do that. And I
guess one of the biggest frustrations I have and one of the
things that makes me most humble, in other words, to
demonstrate that will all of the great power we are supposed to
have, we still cannot get this problem solved. It is a very
difficult thing and it bothers me a great deal.
I just have a couple of questions to ask of you. I
appreciate your testimony. We reviewed that. My apologies for
not being here right at the very beginning. Senator Feinstein
probably said we have a lot of different commitments. This
week, for the first time ever, all four of my major committees
held hearings at exactly the same time on the same day. It is a
little hard to be in all four places at the same time.
Chairperson Feinstein. Thanks very much, Senator. I am glad
you are here.
[The prepared statement of Senator Kyl follows:]
Statement of Hon. Jon Kyl, a U.S. Senator from the State of Arizona
Thank you Senator Feinstein for convening this important hearing on
the issues of privacy, identity theft, the protection of our personal
information. I am very aware of the American public's continuing
concern about the collection and the distribution of personal
information. For several years Senator Feinstein and I have worked to
prevent criminals from gaining access to a citizen's personal
information to commit identity crimes. In 1998, Congress passed the
Identity Theft and Assumption Deterrence Act which increased protection
for the victims of identity theft. I am very proud that I was able to
introduce that particular piece of legislation; however, I realize that
we need to do more.
Identity theft is escalating at an alarming rate. It is a crime
that is not limited to a particular age, gender, economic, or racial
group, but instead is found in all parts of our society. The Federal
Trade Commission reports that it has processed over 97,000 entries from
consumers and victims regarding identity theft, as of June 2001. I am
eager for today's witnesses to fill us in on the details, and update us
on the severity of the problem we are facing. I also look forward to
their suggestions about where best we can direct our efforts to protect
our citizens.
The collection of and retention of an individual's personal,
financial, and health information has become a highly profitable
industry in today's e-commerce. An entire industry has arisen that
operates solely for the purpose of collecting and brokering private
information. This information is a valuable commodity for companies in
today's competitive consumer marketplace and these industries with
their vast databases should protect the information they contain.
It is also important to note, at this time, that this collection of
information is beneficial to consumers. They are offered products that
are tailored to their specific needs; companies are forced to be more
competitive; and the exchange of information facilitates the growth of
our economy. Therefore, we must carefully balance the restrictions we
place on business. An overly restrictive standard could harm the
nation's economic health. Online retail sales have jumped 67% from the
fourth quarter of 1999 to the fourth quarter of 2000. Retail sales at
the end of 2001 totaled approximately 104 billion dollars. It is clear
that the public, in increasing numbers, continues to have confidence in
the Internet for the purchase of goods and services.
It is the responsibility of the private sector, government, and
consumers to lessen likelihood of this private information will fall
into the wrong hands. It is a common misconception that the increase in
identity fraud and identity theft is caused by the Internet. Although,
e-mail scams and attacks by hackers are increasing, the FTC reports
that the two most common causes of identity theft are, lost or stolen
purses and wallets, and mail theft. Also, that the majority of
identity- theft crimes are committed by individuals we personally
know--for example, family members, friends, or coworkers.
Identity theft is a crime that affects all Americans and
encompasses many different types of fraud. The Federal Trade
Commission's Identity Theft Hotline reports that:
about 43% of complaints involved credit-card fraud
about 21% of complaints involved activation of
telephone, cellular, or other utility service in the victim's
name
about 14% of complaints involved bank accounts that
have been opened in their name, and/or fraudulent checks have
been negotiated in the victim's name
7% of complaints involved consumer loans or mortgages
that were obtained in the victim's name
7% of the victims reported that identity the identity
thief had obtained or forged a government document, filed a
fraudulent document, or obtained government benefits under
their name.
One major area of personal information is personnel medical
records. Access to these records is an extremely sensitive issue facing
Congress. Medical technology is advancing at an exponential rate.
Medical professionals will be able access a patient's medical history;
even his or her genetic profile will be accessible to potentially
arrive at better and more accurate treatments. However, there is a
concern that this data could be used to deny an individual medical
insurance, employment, or even a mortgage. Even the use for marketing
purposes, without an individual's permission, is extremely intrusive.
Senator Feinstein, you have assembled what promises to be a very
interesting and informative group of witnesses here today. I look
forward to their testimony and delving into their privacy concerns and
recommendations. I would like to extend my thanks for the time they
have taken to assist this Subcommittee in grappling with some very
complex issues that will touch the lives of many Americans.
In closing, I look forwarding to working with my esteemed colleague
from California, who has always shared my concern about identity theft
and the protection of our citizens' privacy.
Chairperson Feinstein. I am pleased to welcome Senator
Cantwell. If you have a comment, Senator, or would you like to
make a statement?
STATEMENT OF HON. MARIA CANTWELL, A U.S. SENATOR FROM THE STATE
OF WASHINGTON
Senator Cantwell. Yes. Thank you, Senator Feinstein. I will
be brief and add a longer statement to the record, but I
particularly wanted to thank you and Senator Kyl for your
leadership on this important issue, actually both issues of
consumer privacy and the issue of identity theft. I am
particularly pleased that we are going to hear from the General
Accounting Office who are going to give us some concrete data
about the growing problem of identity theft.
I have introduced a bill that will be considered in this
subcommittee giving victims of identity theft greater tools to
recover their identity and restore their good credit and I
appreciate, too, that Senators Feinstein and Kyl have a bill
that will enhance identity theft prevention which will also be
considered.
These are very critical issues and a growing problem and I
appreciate the committee's attention to them. Thank you.
Chairperson Feinstein. Thanks very much, Senator.
[The prepared statement of Senator Cantwell follows:]
Statement of Hon. Maria Cantwell, a U.S. Senator from the State of
Washington
I want to thank Chairwoman Feinstein for holding this hearing.
Particularly, I want to thank her, and Senator Kyl for their leadership
on the extraordinarily important issues of consumer privacy and
identity theft.
I am particularly pleased that we have the General Accounting
Office here today to give us some good data about the growth and cost
of identity theft. I have introduced a bill that we will be considering
in a few weeks in this Subcommittee that will give victims of identity
theft the tools to recover their identity and restore their good
credit. I appreciate too, that Senators Feinstein and Kyl have a bill
that will enhance identity theft prevention, which we will also
consider. These are critical issues, and as we will hear, it is a
problem growing at an unprecedented rate.
Let me turn to the broader issues of consumer privacy. Consumer
privacy is a complex issue: with the rapidly changing capabilities of
new technologies, and information being collected by a wide range of
entities, I see this as an urgent matter. As new technologies are
developed, new uses of personal information continue to arise. Many
will prove a great benefit to consumers, but all will come with the
concern that privacy be protected. We are only at the tip of the
iceberg on these issues.
I think a lot of people are asking the right questions: The first
question has to be ``what are consumer expectations in regard to their
privacy?"
Consumers and businesses alike need clear, recognizable `rules of
the road' for privacy. Privacy law needs to be as clear to everyone as
the basic rules of driving--you know to drive to the right of the
center divider, you know to stop at the red hexagon--and you know to
yield to a crossing pedestrian.
For me, the bottom line is that we need a federal legal framework
so consumers know their privacy protections and businesses know how to
handle a consumer's information. So expectations can be met. I look
forward to continuing to work with the members of this Committee and
others in Congress to enact the appropriate protections for the good of
the consumer and the good of the economy.
Again, thank you Madam Chairwoman and I look forward to hearing the
testimony today.
Chairperson Feinstein. I have two more quick questions and
then I will turn to the Ranking Member. Mr. Stana, how many
Social Security number misuse cases are being investigated by
the Social Security Administration Office of the IG?
Mr. Stana. The short answer is, less than 2 percent of the
allegations that are given to the Social Security IG are
investigated.
Chairperson Feinstein. Why is that?
Mr. Stana. Well, it boils down to three things, really. It
is threshold, priorities, and resources. Oftentimes, these
allegations involve small amounts of money, or one case as
opposed to a ring, and so it gets pushed off for threshold
reasons.
Priority, the Social Security IG focuses more on program
fraud rather than misuse fraud, so these cases fall through the
cracks. The fact is, they are falling into a hole. Nobody is
investigating them.
And the third reason is there just are not enough resources
to do the whole job.
Chairperson Feinstein. Is the same true for the FTC?
Mr. Stana. It is interesting. You are bringing up a good
point. The infrastructure has been created by the 1998 Act that
I know you all have helped to enact into law, and we have the
FTC creating a clearinghouse of data. More and more calls are
coming in each week, so the public is beginning to become aware
of the potential for having this data in a central place.
The fact of the matter is, we built a library that not many
people are coming to to check out books. There is only one
part-time Secret Service agent that is going there to mine the
data. Nobody else is using it.
Similarly, task forces are being created around the country
to combat white collar crime and part of that is identity fraud
as one of the crimes. But there is not as much action in those
task forces related to identity theft that the growth in this
crime would suggest needs to be.
Chairperson Feinstein. Thank you. I am hopeful that this
bill will be able to set the kind of basis for greater
attention to it.
Senator Kyl?
Senator Kyl. Thank you, Madam Chairman.
With regard to that last question, it is interesting, and
one thing I have been kind of curious about is whether, after
we passed the law, you could identify any change in the
statistics or the behavior in terms of quantification. Have you
been able to factor in, as a result of greater public awareness
or we hope greater public awareness, have you been able to
factor in any effect of that in the crimes reported or the
incidences of theft?
Mr. Stana. The number of crimes reported to the FTC has
increased from about 450 in 1999 when they set up the
clearinghouse to about 3,000 a week now. So you can see that
the public is becoming aware of the FTC being one shop to call
to report identity theft.
The other side of that, though, is that not much seems to
be made of that data. There is some data mining going on by one
Secret Service agent to try to identify trends and put together
rings to help investigate the crime, but not much more than
that.
Senator Kyl. One thing at least that I had hoped we would
do is to create some kind of a matrix, which is probably the
wrong word, but a profile, in effect. Do you have any idea
whether work has been done to determine whether the bulk of
this is just single-shot criminals, whether it is terrorists,
whether it is organized crime or what the matrix of the people
committing this fraud looks like?
Mr. Stana. Well, we know some data and we know some
information about this crime. For example, most victims are of
a certain age. Thirty, I think, is the average age. I think 75
percent fall between 18 and 59. Ron, do you have other
information that you might share with us?
Mr. Salo. Regarding the specific question you had, who are
these perpetrators, there is no data out there to tell us
whether the majority are organized crime rings, ethnic groups,
or whether they are individuals operating as loaners. The
problem in answering that question is you first need good
information and then you need good analysis of that
information. If the analysis is not being done, then individual
victims who call in are not being analyzed in a way so that you
can identify one perpetrator or gang that is actually
victimizing many people who are calling in.
Senator Kyl. You all may not be the best ones to answer
this question, but obviously, given the fact that we found
information tying terrorists to this crime as a way of funding
some of their activities, A) has work been done to try to track
that down and identify the size and scope of that problem, and
B) do you know of anything that has been done to, in effect,
isolate those particular cases?
Mr. Salo. We have one piece of information from the U.S.
Sentencing Commission, a very excellent report on identity
theft. It was performed before September 11 on conviction data
from the courts, so we have solid information, and that report
indicated that one out of three identity theft victim
convictions was from a foreigner, not from an American citizen.
The distribution of countries that made up this sample of
foreign convicted identity thieves is very long, mostly one
from one country, one from another country. There were only two
countries that seemed to be a little bit of a bubble, where
there were more convictions, and that was, firstly, Mexico, and
then Nigeria. After that, it was mostly one each. There was
some distribution that indicated wide dispersion of countries
being represented.
Senator Kyl. Now, were these foreigners in the United
States legally, or do you have any way of knowing that?
Mr. Salo. The information in the report did not reveal
whether they were or not.
Mr. Stana. I might add, though, that INS has a tremendous
problem dealing with illegal aliens using false identities to
seek work authorization documents and so on. So I suspect,
being most of them from Mexico and Nigeria, they were probably
work-related rather than terrorist related.
Senator Kyl. One of the questions we have had, too, relates
to the disparity in the numbers between the reporting from
credit bureaus and the like and your reporting. I did not know
this number. This is what staff wrote down, that you indicated
there were about 750,000 victims, I guess is what the number
ties to. Could you repeat that for me again? I am sorry I was
not here.
Mr. Stana. Let me clarify that. You could probably look at
this as a very conservative figure, a mid-range figure, and a
very high figure. I think the 750,000 would probably be at the
upper end of victims. At the lower end, you would have a range
of 250,000 to 300,000, and then a mid-range of 400,000 to
500,000, and it really depends which data you put into this
estimate and what assumptions you make. The most conservative
is the data available and things you can actually count rather
than estimate, and that is the lower end, 250,000 to 300,000.
Senator Kyl. My red light is on, but I do want to get into
that in just a little bit more detail when we come back.
Chairperson Feinstein. Thanks, Senator Kyl.
Senator Cantwell?
Senator Cantwell. Thank you, Madam Chairman.
Mr. Stana, I know your report covers many things in looking
at this from a perspective of how individuals are being
impacted. Did you get a sense of how long the average identity
theft investigation takes?
Mr. Stana. I do not have that information. I know that the
identity theft victims take between 150 and 200 days to unwind
their case, and I know that sometimes these cases can go on for
months and months and months. I do not have an average figure.
Senator Cantwell. But it is safe to say the maximum length
of the investigation is quite some time?
Mr. Stana. It can be quite some time, and that is because
these cases are not easy to investigate and it is because the
financial transactions that are done illegally often are very
intricate.
Senator Cantwell. So that issue with the statute of
limitations not occurring until--basically occurring at the
time of the crime as opposed to the time that an individual
finds out is a major issue?
Mr. Stana. Well, it is a major issue. Unlike so many other
crimes, by the time the victim knows they have been victimized,
it could be months later and the trail is cold.
Senator Cantwell. I know that this was not the scope of
your report, but through your research, did you get a sense of
how many years after the fact that people are then burdened
with this? I think some people think you might clean this up by
making a few phone calls.
Mr. Stana. We were talking with a victim this morning, in
fact, who told us that her identity was stolen and she did not
know how, but 1 year after her identity was stolen, she was
contacted by a collection agency on a $22,000 cellular phone
bill that she had no idea how it got there and it took many
calls, much effort. She said it probably took in the
neighborhood of 300 days to get this straightened out.
Incidentally, at the time, she was purchasing a house and she
was afraid that the adverse credit rating may sneak into that
transaction, but fortunately, the credit bureaus had put the
flag on things and straightened that out.
Senator Cantwell. So you did not have any information about
what kind of permanent or long-term damage to individuals'
records might--
Mr. Stana. It is interesting. In some cases, there is long-
term damage. In other cases, there is not. We came across four
cases, and it was incredible to listen to the stories, but four
cases where the person whose identity was stolen actually had
to go to jail for some time for the crime until the crime was
unwound.
Senator Cantwell. One of the reasons why I introduced
legislation was because there was someone in our State who had
been convicted of a crime that they did not commit, either,
because of identity theft.
In the process of gathering information for the study, did
you get any sense of the percentage of identity theft crimes
that are State or local investigations or prosecutions as
opposed to Federal investigations, because obviously this is
not exactly a crime that you call 911 about. Oftentimes, it is
very confusing. I know that we have made some changes there and
have a Federal agency involved with a number that people can
call. But did you get any, if not empirical, just a sense of
the magnitude of where the enforcement focus needs to be?
Mr. Stana. When a person's identity is stolen, they are
supposed to do four things. First, they are supposed to call
the credit bureaus to put a flag on their account. Then they
are supposed to call the bank or the vendor and notify them
that their identity is stolen. Third, they are supposed to call
the local police department, not the Federal but the local
police. And finally, they are supposed to call the FTC. So you
are exactly right that this is more of a State and local than a
national crime.
That being the case, despite our efforts, we could not
locate any data which told us the extent of the crime, how much
of it was federally reported and investigated, how much locally
reported and investigated. But there is a frustration among
people who do report locally and that is oftentimes local and
State police departments are not well equipped to handle or to
investigate this crime.
Senator Cantwell. So that would be an important step in the
next process, right?
Mr. Stana. Yes, I think it would, in enforcement. I think
you have to separate what is needed into two buckets, what is
needed from a prevention standpoint and what is needed from an
enforcement standpoint, and certainly the State and locals
factor heavily into what is needed from an enforcement
standpoint.
Senator Cantwell. Giving information to both the victims
and to law enforcement at the local level.
Mr. Stana. Well, and having local police have an
understanding of what to do with the allegation. I think they
full well know how to handle, say, a murder or how to handle
traffic violations. How to handle a financial crime is often
beyond their capability.
Senator Cantwell. Did you hear--
Mr. Stana. Another factor there is, too, you may live in
one jurisdiction and the crime is reported or happens in
another jurisdiction and you get into jurisdictional boundary
issues.
Senator Cantwell. That is another thing that we try to
address in my legislation.
I know my time is in the yellow here, but I wanted to
followup on that in the sense that local law enforcement and
the individual victims need access to the information, and
oftentimes, what I think you are saying verifies this, what
happens is the victim finds out that something is amiss, calls
the credit bureaus to flag something, but then no more
information is given to them or to the crime unit to be able to
prosecute or move on that identity theft.
Mr. Stana. What a victim of identity theft should be sure
to do is every call that is made to a credit bureau or to the
financial institution that may be carrying the card or the
merchant is to ask them to forward to the victim whatever
information they have available in their files, so that in the
course of the investigation if other information is needed or
information that the victim can supply would be helpful, they
would have that information at hand.
Senator Cantwell. Well, I think what happens oftentimes is
calling some of these people that, I think, have been a victim
of any theft, they are not sure who is now the victim. Is it
the person that is calling or the person that created the
transaction? I know our State of Washington and other States
have taken the measure to try to give a document to the person
whose identity has been violated that they can use in
communicating with law enforcement and others to verify that
information. So an actual verification that they are, in fact,
the victim and not somebody who is perpetrating a crime.
Mr. Stana. It would be useful to have a checklist for the
victim. They can go down and say, yes, I contacted this, I
asked for this document, they are going to help me, this office
is going to do this. I ought to caution, though, that there is
not much investigation going on with the credit bureaus on
these individual allegations. So the kinds of information you
are likely to get from a credit bureau or even from a credit
card company or other financial institution is simply the date
of a transaction, where the transaction was made, and for the
amount. You probably would not get much of a description, if
any, of the perpetrator.
Senator Cantwell. Not at this point.
Mr. Stana. Not at this point, but those leads may be useful
for law enforcement.
Senator Cantwell. Thank you. I know my time is expired.
Chairperson Feinstein. Thanks, Senator.
I would like to enter into the record the statement of
Senator Hatch on this issue, without objection.
Senator Kyl, you had other questions?
Senator Kyl. I just had one last question and then we want
to get on to the next panel. I would like to have you help us
resolve the discrepancy between the figures that you have come
up with and figures from the credit industry. I think maybe the
best way to do that is you are probably aware of the figures
they have, but we can give you that information and maybe just
have you write us a note on what your analysis of that is and
why the discrepancy and so on. But I would appreciate hearing
anything you have to say right now.
Mr. Stana. We can quickly walk you through how we get to
the low end, the mid-range, and the high end.
Senator Kyl. Please do, and then if you would just also
look at what their data is and drop us a note about why you
think your data is more reflective of the correct situation
than theirs, or whether theirs is, or whatever you have to say
about it.
Mr. Stana. I think we would be more comfortable saying what
the assumptions and the data were to get it to one level, the
next level, and the next level.
Senator Kyl. All right.
Mr. Stana. Given that the data is very uncertain and given
that there is so much that is not recorded here, it is really
hard to say that this is the correct level or that is the
correct level.
Mr. Salo. As Mr. Stana is saying, the key to this whole
discrepancy issue is the recognition that there is no one place
to go to get a comprehensive statistic on the prevalence of
identity theft. This was true 2 years ago when we were doing
our work on identity theft. It is true today, even though there
is an FTC Identity Theft Data Clearinghouse that is available
to victims to call in.
To explain how we came up--
Senator Kyl. Excuse me 1 second. In that clearinghouse, is
there not a checklist? Senator Cantwell was right on in terms
of a checklist, but is there not some kind of a checklist in
that particular site, the FTC site?
Mr. Salo. There is, and as a matter of fact, the points--
for example, on their webpage, the things that an identity
theft victim should do are actually listed out on the webpage
and Mr. Stana has already articulated those, basically the four
points. We would certainly agree that those are the proper
steps that any identity theft victim ought to take.
Senator Kyl. OK, and one other thing. We have that on my
Senate website and I think what we ought to do is maybe send a
``Dear Colleague'' to our colleagues and suggest that they put
it on their own website or get it out any other way that would
be useful to folks.
Mr. Salo. There are many ways to be useful, not to avoid
the question. I will get exactly to your question. But one
thing that we were looking at very recently was whether the
Social Security Administration in their annual notices to
people about their benefits has anything on identity theft and
I was surprised to notice that on the very top of every notice,
it says that this is an alert to be aware of a misuse of your
Social Security number and there is a report that the Social
Security Administration cites that you could get which, again,
tells you how you can minimize the vulnerability you have to
becoming an identity theft victim.
But coming back again to your original question, how do we
come up with a number, given that we have a patchwork of
sources, we looked at the credit bureaus and we looked at the
FTC Data Clearinghouse and we looked at the Social Security
Administration as three early warning bells up front where
prevalent statistics might be present.
We talked to the three national credit bureaus and asked
them about the telephone hotline statistics that they have and
they more or less came up with a consensus that we agreed with
that a solid figure, a reliable figure would represent fraud
alerts. Fraud alerts represent a notice on individuals'
accounts, basically alerting anyone who is in a retail outlet
who is receiving an application for new credit, that person
would be alerted that perhaps this person is a potential victim
to identity theft and let us call the person at home and make
sure that this is, in fact, not the case.
Fraud alerts look like a good mechanism. The reason why
they thought it would be reliable is because there are people
who call in perhaps to get a free credit report and they may
not, in fact, be a victim and it is a way of culling out--
reducing the statistics down to a reliable number of people who
definitely say, yes, I am an identity theft victim and I want a
fraud alert on my account.
The only drawback of that is that the three credit bureaus
have different business processes for getting to that 7-year--
that is how long the fraud alerts are--seven-year fraud alert
flag, and in the more complicated processes, you start to lose
people as you call through. Our range was 30,000, approximately
30,000 to 178,000. One explanation for that disparity is the
higher number represents the one-time call. The lower number
represents two calls and additional documentation to be
provided to the credit bureau.
Now, who are people calling credit bureaus? They are people
who have either been harassed by a collection agency and been
alerted that there is an expense that they were not aware of
and they are afraid that it might be affecting their
creditworthiness, or they may, in fact, get a bill that they do
not recognize and they want to dispute it and, in fact, it may
be because they were victimized.
But there is a third group out there of people who would
rather be safe than sorry. This historically has always been
part of the statistics built into the credit bureaus'
reporting. In one credit bureau, that proportion of those who
would rather be safe than sorry versus victims has grown over
time from what used to be one out of three calls to now
approximately one out of two calls. We regard that as an
indication that the education and awareness of the consumer is
finally getting out, that people recognize the risk of identity
theft and they are calling in to put on fraud alerts because
they would rather be safe than sorry.
However, not everyone does call a credit bureau.
Consequently, we looked at the sources of data and asked
ourselves, which ones appear not to be duplicative? Could we
then add them up? and I can run down the list very quickly
right now.
The FTC, based on the fact that they are telling us
approximately 3,000 victims call in to their clearinghouse
every week, if we were to annualize that, it would come out to
about 150,000 victims. Additionally, the Social Security
Administration's hotline, Office of Inspector General Hotline,
receives SSN misuse allegations and those are, to a large
degree, not the same people because there is a memorandum of
understanding between the FTC and the SSA OIG to have that
information shared. So the 56,000 calls now that come into
the--on SSN misuse could be added to the 150,000 from the FTC.
Chairperson Feinstein. I would like to move on, if that is
all right.
Senator Kyl. Yes, please.
Chairperson Feinstein. Gentlemen, I would like to move on,
but thank you very much. I just want to add one thing for the
record. For the 23-month period from its establishment in
November 1999 to September 2001, the FTC Identity Theft Data
Clearinghouse received 94,100 complaints. Of these, nearly
1,300 complaints, identity theft victims alleged they had been
subject to criminal investigation, arrest, or conviction. So I
would like the record to reflect that.
Thank you very much, gentlemen. We appreciate it.
If we could call the next panel, please. The next panel
consists of Susan Fisher of the Doris Tate Crime Victims
Bureau, Doug Comer of Intel, and John Avila of the Walt Disney
Company.
Susan Fisher comes to us from my State, from Carlsbad,
California. She is the Executive Director and Vice Chairwoman
of the Doris Tate Crime Victims Bureau. In 1987, her brother
was killed, as I said, by his ex-girlfriend who stalked him by
obtaining his credit card information, phone records, and other
personal information. Since her brother's murder, Susan has
been a relentless advocate for victims' rights. Under her
leadership, the Doris Tate Crime Victims Bureau has received
the San Diego District Attorney's Award for Service to Crime
Victims and she has twice been the recipient of a certificate
of appreciation from the Department of Justice for service to
victims of crime.
Susan Fisher, we welcome you, and if you would like to
proceed. We are going to limit your statement to 5 minutes so
we have some time for questions.
STATEMENT OF SUSAN FISHER, EXECUTIVE DIRECTOR, DORIS TATE CRIME
VICTIMS BUREAU, CARLSBAD, CALIFORNIA
Ms. Fisher. I would like to talk about the crime of
stalking in general and specifically use some examples from the
case that I know best, which was my brother's murder.
Ron, my brother, was murdered after being stalked for over
a year by Linda Ricchio, who was a former girlfriend who had
become obsessed with him. They had actually stopped dating a
few years before the stalking began, but he had had difficulty
extricating himself from the relationship with Ricchio because
his attempts to leave would always be followed by her
manipulation of him with things like staged suicide attempts,
public scenes that were meant to embarrass him, and threats of
violence against his friends and family members, which are all
very typical of stalkers.
From the moment that Ron ended their relationship, she
began to access personal information about him in order to
track his whereabouts and know who he talked to and who he
spent time with. She was easily able to get copies of phone
bills and utility bills. She was able to trace his fiancee and
his fiancee's mother by accessing DMV information.
Since 1987 when that was happening, Congress has passed
legislation to protect drivers' license information, but there
are still some loopholes in the current law and Senator
Feinstein's bill would mandate that you give consent before
your driver's license information could be sold and we feel
that that is a very important piece of legislation to have in
place.
In 1987, in my brother's case, Ricchio quit her job and
stopped going to school in order to stalk my brother, Ron, on a
full-time basis. She actually stalked him so relentlessly that
she locked up her house, left her cats to die of starvation,
and spent every day, all day, stalking him.
In November of that year, he was compelled to get a
restraining order in order to try to protect himself and also
to protect his job. The San Diego County judge who issued the
restraining order at that time told him that he should be
flattered by the attention. Obviously, the crime of stalking is
getting a little more attention now and is being taken a little
more seriously. After being told that he should be flattered by
the attention and really kind of supporting her position in the
case as just attention to an ex-boyfriend, Ricchio left the
courthouse in San Marcus, California, legally bought a gun
after having the restraining order filed against her.
In November, the daily contact stopped. We learned later
that Ricchio had gone to San Francisco during that period to
visit her brother and to enlist his help in developing over 200
surveillance photos that she had taken of my brother. During
that time, my brother moved for the third time that year. He
was trying to buy a little time, trying to decide what to do,
and rapidly coming to the conclusion that there was really
nothing that he could do if she decided to become violent. With
her ability to track him down, he was convinced that even if he
left the State, she would eventually find him using phone
records or one of the other kinds of trails that we all just
leave just by existing in this world.
On December 9, after once again tracing his whereabouts,
she rented the apartment next door to him without his
knowledge. The two-story apartments that he lived in were
separated by--the two apartments, I beg your pardon, were
separated by a privacy wall. Hers was at the back of the
balcony and his was at the front.
On Monday evening on December 14, he came home from work.
He had actually asked to come home a little bit late because it
was getting dark early and his lights in his parking lot did
not come on until about 5:30, so it was about 5:30 in the
evening. He came up the stairs carrying a bag of groceries in
his left arm and his checkbook and his keys in his right hand.
He turned his back to the privacy wall, bent over to put the
key in the door, and at that point, Ricchio stepped out from
behind the wall and she fired a shot into his back. She shot
him twice, once as he ran down the stairs away from her in the
dark.
At the time that Ron was killed, there were no stalking
laws in California. In fact, they did not even use the word
``stalking.'' It was considered harassment or domestic
violence. California was actually the first State to pass
stalking legislation, and in the years since my brother's
murder, I have been very involved in working on anti-stalking
legislation in California and working directly with stalking
victims. In fact, most stalking victims in many parts of
California end up coming to the bureau for the very reason that
we have done so much work on legislation on stalking.
While many things have changed, both in the criminal
justice system and in the way that we view stalkers, since my
brother was murdered in 1987, the pathology of stalking remains
the same. We recently have seen an increased use of Internet
venues, particularly by domestic violence-type stalkers, to
contact and harass their victims. and while we have been able
to legislate many safeguards into avenues of access that
stalkers once used, new avenues are opening up all the time.
Stalkers who often are sociopathic and have borderline
personalities have the intelligence and the drive necessary to
access any information available in order to track their victim
and would most certainly be willing to purchase the
information. Information on the Internet that is not
safeguarded is fair game.
I have a little bit of information here that I actually
found on the airplane on my way here that talks about some
websites that are out there now. There are websites such as one
that is called ``Spy for You'' that sell unlisted phone numbers
and bank account numbers and trace pager numbers to home
addresses. There is a company called DBT Online, which would
match a name with a Social Security number, date of birth, and
telephone number for a small fee. Also, unprofessional private
investigators would have very easy access to this kind of
information through the Internet and many stalkers would be
more than willing to pay them for that information.
We just feel that it is important to mandate the kind of
protection that having to give permission for that information
to be sold is very important and that is why I am here today.
Thank you.
Chairperson Feinstein. Thanks very much. I appreciate your
testimony, Susan Fisher.
[The prepared statement of Ms. Fisher follows:]
Statement of Susan Fisher, Executive Director and Executive Vice-
Chairman, Doris Tate Crime Victims Bureau, Carlsbad, California
In December of 1987, just a days before Christmas, my 28 year-old
brother Ron Ruse was ambushed & shot in the back outside of his
apartment in Carlsbad, CA.
Ron was murdered after being stalked for over a year by Linda
Ricchio, a woman who had become obsessed with him. Ron had stopped
dating Ricchio a few years before the stalking began. He had difficulty
extricating himself from the relationship with Ricchio because his
attempts to leave would always be followed by her manipulation of him
with staged suicide attempts, public scenes meant to embarrass him and
threats of violence against him and his friends and family. From the
moment that Ron ended their relationship, Ricchio began to access
personal information about him in order to track his whereabouts and to
know who he talked to and who he spent time with.
She was easily able to get copies of phone bills and utility bills.
She was able to trace Ron's fiancee and his fiancee' s mother by
accessing DMV information. Since that time, Congress has passed
legislation to protect driver's license information. There are
loopholes in the current law a that still leave people vulnerable.
Senator Feinstein's bill mandates that you must give consent before the
information on your diver's license can be sold.
In mid-1987, Ricchio quit her job and stopped going to school in
order to pursue Ron on a fulltime basis. She stalked him so
relentlessly that she neglected everything else in her life; even
letting her cats die of starvation inside her apartment. In November,
Ron was compelled to get a restraining order in an attempt to protect
himself and save his job. The San Diego County judge who issued the
restraining order told him that he should be flattered by the
attention. Ricchio's response to the order was to legally purchase a
gun and to become proficient in its use, shooting at the head and
crotch of a silhouette target.
In late November the daily contacts stopped. We learned later that
Linda Ricchio had gone to San Francisco during that period, to visit
her brother and to enlist his help in developing over 200 surveillance
photos that she had taken of Ron. During that time Ron moved for the
third time in 1987. He was trying to buy a little time, trying to
decide what to do, and rapidly coming to the conclusion that there was
really nothing that he could do if she decided to become violent. With
her ability to track him down, he was convinced that even if he left
the state, she would eventually find him using phone records or one of
the other kinds of trails that we leave simply by living in the world.
On December 9th, after once again tracing his whereabouts, Ricchio
rented the apartment next door to Ron without his knowledge. The two
second-story apartments were separated by a privacy wall, Linda's at
the back of the balcony and Ron's at the front by the stairs. On
Monday, December 14th Ron went home from work in the dark, carrying a
bag of groceries, keys and a checkbook. He turned his back to the
privacy wall and bent over to put his key in the door. At this point,
Ricchio stepped out from behind the wall and shot Ron in the back two
times, killing him.
At the time that my brother was killed there were no stalking laws
in California. It was not new behavior by any stretch of the
imagination; it was simply referred to as harassment or domestic
violence. California was the first state to pass a law that
specifically made stalking a crime. In the years following my brother's
murder, I have been very involved in advocating anti-stalking
legislation in California and in working directly with stalking
victims; in fact most stalking victims in San Diego County eventually
find their way to the Crime Victims Bureau through referrals from law
enforcement, DA's and counselors. While many things have changed, both
in the criminal justice system and in the way that we view stalkers
since my brother's murder in 1987, the pathology of stalking remains
the same. We have recently an increased use of internet venues being
used, particularly by domestic violence type stalkers to contact and
harrass their victims.
And while we have been able to legislate safeguards into many of
the avenues of access that stalkers once used to obtain personal
information about their victims, new avenues are opening up all the
time. Stalkers often have a narcissistic, sociopathithc, borderline
personality. This type of person has the intelligence and the drive
necessary to access any information available in order to track their
victim, and would most certainly be willing to purchase information.
Information on the internet that is not safeguarded is fair game.
Everyone should have the ability to protect themselves by
protecting personal information about themselves. Senator Feinstein's
Privacy Act of 2001 mandates the kind of informed consent necessary to
do just that by providing that first, you must be notified if a company
intends to sell your personal information, then it provides an avenue
for you to stop that sale and it permits you to sue any company that
misuses your social security number. This legislation gives individuals
increased ability to protect themselves from those who would seek to
harm them
Chairperson Feinstein. And now, Doug Comer of Intel. Mr.
Comer is the Director of Legal Affairs and Technology Policy
for Intel Corporation. He works with the Washington, D.C.
Government Affairs Office on issues of legal reform and
technology policy. Prior to this time, he served as Deputy and
Acting Commissioner of the Patent and Trademark Office for the
Department of Commerce. He has also served as Chief Counsel to
the Senate Judiciary Subcommittee on Courts, where he was
responsible for managing patent, copyright, and trademark
legislation during the chairmanship of the Honorable Robert
Dole, the former Senator from the State of Kansas.
We welcome you, Mr. Comer.
STATEMENT OF DOUGLAS B. COMER, DIRECTOR OF LEGAL AFFAIRS AND
TECHNOLOGY POLICY, INTEL CORPORATION, WASHINGTON, D.C.
Mr. Comer. Thank you, Madam Chairman. I thank you for the
opportunity to testify today.
For over three decades, Intel Corporation has been at the
forefront of the technology revolution. Intel introduced the
world's first microprocessor in 1971 and today we supply the
chips, the boards, the systems, the software, network, and
communications equipment that comprise the ingredients of
computer architecture and the Internet.
We have heard a lot today about a very important subject,
identity theft, and it is precisely because identity theft is
closely related to the proper uses of the Internet and of the
data that is collected through the Internet that I am here
today to express our very strong support for Title I of your
bill, which deals with consumer privacy on the Internet.
Our own experience with privacy concerns for consumers
really began for us in about 1998 with an experience with a
product feature which we introduced in the Pentium III called
the processor serial number, which we saw as a simple,
effective tool by which a network manager could closely track
the performance of computers on a network system. The processor
serial number sent an electronic tag along with any
communication by the computer in a network identifying the
specific machine that that communication was tagged to.
Unfortunately, that feature came to be viewed with great
alarm by many in the public sector at large over the
possibility that it could be used to assess or facilitate the
tracking of the use of computers by the average consumer. We
went through a lot of effort to satisfy the concerns of
consumers about our desire to protect their privacy and
ultimately designed into this processor serial number a feature
by which the consumer could turn it off, and ultimately, this
was phased out of our products.
But going to your point expressed earlier about the proper
balance between privacy and security after the events of 9/11,
we were approached by law enforcement authorities who were very
interested in the possibility of reviving the processor serial
number feature for the very reasons that I have mentioned,
because of the ability to tag specific communications to
specific computers. We are not going to do that, but the whole
experience of the processor serial number drilled a very high
awareness at Intel of the importance of respecting consumer
privacy for users of the Internet, and out of that experience
came a very well-developed program at Intel for managing our
own privacy policy, ensuring compliance to fair privacy
practices, and working with our vendors and suppliers to do the
same.
So identity theft, because of the utility of the Internet,
perhaps the most powerful tool for the collection and
dissemination ever developed, obviously has fed consumer
concerns. The health of the Internet is a core issue for our
company and for the entire information technology industry. We
believe that these consumer concerns surrounding the safety of
online transactions are impeding the growth of e-commerce. We
all hear a lot about how the Internet has grown and e-commerce
has grown and that is true, but we do not hear about how much
more it could grow and be even a more powerful tool of
productivity growth in our economy were it not for these
concerns.
There is a Gartner survey from about a year ago that shows
of 7,000 consumers, 60 percent surveyed said that security and
privacy concerns keep them from doing business online. Now, in
order to ensure that the Internet continues to grow as a tool
of commerce and a driver for productivity, businesses large and
small need to recognize these concerns and respond to them.
So our company has come to the view that Federal privacy
legislation is needed not only to address these concerns and to
provide a stable playing field for businesses, but also to
create an environment where the Internet and the use of the
Internet for proper purposes can continue to develop apace.
We think that legislation would clarify the rights for all
consumers. It would educate and direct businesses toward the
adoption of fair privacy practices. It would create a stable
legal structure for businesses to operate in. It would
strengthen the U.S. industry position in the ongoing
negotiations over the safe harbor agreement with Europe. and it
would encourage businesses to migrate into self-regulatory
organizations, which are proving to be effective tools for
guiding and strengthening businesses in respecting privacy
rights of users of the Internet.
It is important, we think, though, that privacy legislation
should embrace the following principles which have been
subscribed to by all of our major industry associations, such
as AEA, ITI, and the Computer Systems Policy Project and
others: Mandating notice, ensuring consumer choice, the ability
to opt-out of the use of or disclosure of personally
identifiable information for purposes unrelated to the
transaction for which it is provided, a focus on market
solutions--this is where the self-regulatory organizations come
in, and providing a national and uniform standard for privacy
protection.
A Federal Internet privacy policy should be national in
scope and preempt State laws in order to avoid the confusion
that would result for users and for website operators by widely
disparate local laws. It should, as well, ensure that national
standards are not undercut by private litigation case decisions
and enforcement, in our view, should be in the Federal courts,
subject to FTC supervision. And finally, we think that these
principles of legislation should apply to offline data
collection, as well.
In Intel--
Chairperson Feinstein. Would you repeat that last sentence?
Mr. Comer. These principles should apply to offline data
collection, as well. In our view, this can be done efficiently
if data collection materials such as warranty cards and the
like are designed properly. All of this data is ultimately
reduced to electronic form and there is really no reason for
differentiation between online collection and offline
collection.
So taking all of these principles into consideration, we at
Intel commend you, Senator Feinstein, for you focus on the need
for a comprehensive, systematic, national approach to
protecting privacy and we strongly support the provisions of
Title I of your bill addressing consumer privacy on the
Internet because it reflects these principles.
Because we share your objective of comprehensive protection
for the Internet user, we believe that the rules set forth in
S. 1055 should also apply to public sector websites, as well.
We have seen cases where data collected from the public by
government agencies has been transferred without the consent of
the parties supplying the data to private sector entities for
commercial purposes. Again, a consumer should be protected no
matter what websites or type of websites they are going to.
I would like to take this opportunity to submit for the
subcommittee's consideration a letter signed by Mr. Bill
Archey, President of the American Electronic Association, in
support of Title I of your bill and I provided that to your
staff and to the committee, and also ask for inclusion in the
record of a statement of Mr. Jeff Nicol, our Privacy Program
Manager, which was prepared for the original scheduling of this
hearing back last fall.
Chairperson Feinstein. They will be added to the record.
Mr. Comer. Thank you.
In sum, we believe that the continuing viability of the
Internet marketplace depends upon good rules, good practices,
and good policing. Congress should lay down the rules, depend
upon the self-regulatory tools now in the marketplace to
advance the adoption of fair privacy practices, and give
responsibility for the enforcement of these rules to the FTC
and the State attorneys general. In this way, we think that bad
actors will, over time, be driven out of the marketplace and
consumer acceptance of the Internet as a safe place to do
business will be secured. The Internet will then flourish as
one of the most efficient, if not the most efficient, market
tools ever developed.
That concludes my remarks and I will be pleased to answer
questions.
Chairperson Feinstein. Thanks very much, Mr. Comer.
[The prepared statement of Mr. Comer follows:]
Statement of Douglas B. Comer, Director, Legal Affairs and Technology
Policy, Intel Corporation
I thank the Chair for the opportunity to testify this afternoon. My
name is Doug Comer and I am Director of Legal Affairs and technology
policy for Intel Corporation. For over three decades, Intel Corporation
has been at the forefront of the technology revolution. Intel
introduced the world's first microprocessor in 1971. Today, Intel
supplies chips, boards, systems, software, networking and
communications equipment that comprise the ``ingredients'' of computer
architecture and the Internet. The health of the Internet is a core
issue for our company and for the entire Information Technology
industry.
Intel believes that consumer concerns surrounding the safety of
online transactions are impeding the growth of e-commerce. For example,
a Gartner survey of 7,000 consumers found that 60% say that security
and privacy concerns keep them from doing business online.\1\ In order
to ensure that the Internet continues to grow as a tool of commerce and
a driver for productivity in our economy, businesses large and small
need to recognize these concerns and respond to them.
---------------------------------------------------------------------------
\1\ Jeff Sweat, ``Privacy--Can Businesses Build Trust and Exploit
Opportunity?--As the opportunities to use personal data for marketing
grow, companies search for how to strike the right balance between
delivering the service customers want and the privacy they expect,''
Information Week (August 20, 2001) 30.
---------------------------------------------------------------------------
Our company has come to the view that federal privacy legislation
is needed to address these concerns, and provide a stable legal playing
field for business. We believe that such legislation should embrace the
following principles, which have been subscribed to by all of our major
industry associations:
Mandate notice--Websites that collect personally identifiable
information should provide clear and conspicuous notice of their
practices at the time of information collection.
Ensure consumer choice--Internet users should have the ability to
opt-out of the use or disclosure of their personally identifiable
information for purposes unrelated to the transaction for which it is
provided.
Focus on market solutions--Legislation should build upon existing
self-regulatory mechanisms, and back those mechanisms with the
enforcement clout of the Federal Trade Commission.
Provide a national, uniform standard for privacy protection--A
federal Internet privacy policy should be national in scope, and
preempt state laws in order to avoid the confusion that would result
for users and for website operators by widely disparate local laws. It
should, as well, ensure that the national standards are not undercut by
private litigation case decisions. The enforcement should be in federal
court, subject to FTC supervision.
Apply the same principles to Offline data collection--The same
privacy principles should apply regardless of whether the transaction
was conducted online or offline. In Intel's view, this can be done
efficiently if data collection materials--such as warranty cards,
etc.--are designed properly.
We at Intel commend you, Senator Feinstein, for your focus on the
need for a comprehensive, systematic, and national approach to
protecting privacy. We strongly support the provisions of Title I of
your bill, which addresses consumer privacy on the Internet, because it
reflects these principles.
Because we share your objective of comprehensive protection for the
Internet user, we believe that the rules set forth in S. 1055 should
apply to public sector websites as well. We have seen cases where data
collected from the public by government agencies has been transferred,
without the consent of the parties supplying the data, to private
sector entities for commercial purposes.
I would take this opportunity to submit for the Subcommittee's
consideration a letter signed by Mr. Bill Archey, President and CEO of
the American Electronics Association, that expresses the positive views
of that very important organization on the provisions of Title I of
your bill. I also ask for inclusion in the record of the testimony of
Mr. Jeff Nicol, Customer Privacy Manager at Intel, which was previously
provided to the Committee and which I have appended to my statement.
That concludes my remarks. I will be glad to answer any questions
the members of the Subcommittee may have.
Chairperson Feinstein. I would like to introduce John
Avila. Mr. Avila serves as the Executive Counsel for Walt
Disney Company in Burbank, California. His responsibilities
include data privacy law counseling for the domestic and
international operations of Disney's offline and online
businesses. Prior to his time at Disney, Mr. Avila served as
Chief Privacy Officer of a venture capital-funded Internet
company and as litigation counsel to CBS Broadcasting. Mr.
Avila has spoken publicly numerous times on the subjects of
data privacy and First Amendment rights.
Mr. Avila, welcome.
STATEMENT OF JONATHAN D. AVILA, EXECUTIVE COUNSEL, WALT DISNEY
COMPANY, BURBANK, CALIFORNIA
Mr. Avila. Thank you very much, Senator. I am pleased to
appear here today on behalf of the Walt Disney Company to
testify in support of S. 1055, the Privacy Act of 2001.
Protecting the privacy and security of personally identifiable
information is a critical national and international concern
and a matter of high priority at Disney. As one of the most
trusted names in American business, it is vital to us at Disney
that our guests and customers know that we are concerned about
the privacy of the information they give us and that we will
treat their information appropriately.
As a result, we are developing our own statement of privacy
principles, which are largely similar to those set forth in the
Privacy Act of 2001 and which will apply to both our online and
offline activities. Because our primary business is not health
care or finance, my comments today, however, are restricted to
the matters addressed in Title I of the proposed statute and
our suggestion that a provision relating to the security of
consumer data be added to Title I of the statute.
With respect to the matter of notice, we support the
principle found in Section 101(b) that adequate notice requires
a disclosure of the type of information being sought, the
purpose for which the information will be used, and with whom,
if anyone, the information may be shared. We agree, of course,
that to be meaningful, any notice must be clear and
understandable to the consumer and must be given prior to any
marketing use or sharing of the consumer's data.
With respect to the matter of choice, a substantial
argument can be made that consumers should affirmatively give
permission for any use of personally identifiable information,
that is a so-called opt-in consent.
Nonetheless, we believe the bill draws a reasonable
distinction between general information and matters such as
Social Security numbers and information held by financial
institutions and health care providers. These latter types of
information are so sensitive that appropriate protection of
personal privacy requires that the individual providing the
information affirmatively express a willingness to have the
information disclosed to others.
Although there may well be other categories of information
that also deserve this special type of protection, the same
degree of sensitivity is generally not present in the
information sought in a typical commercial transaction and,
hence, an opt-out provision may be sufficient.
Because we believe our guests should have the right to opt-
out of receiving marketing materials from Disney, as well as
having us not share their information with third parties, our
privacy principles will provide multiple choices for our
guests. Thus, a guest may elect to receive marketing or other
information from Disney but opt-out of our sharing of any of
the guest data with third parties. Or the guest may simply opt
not to receive any marketing information at all from Disney and
our related companies.
In this regard, let me now voice some concern about the
scope of Section 101(a) of the Act. There, the Act proposes to
limit its coverage to, one, disclosure of personally
identifiable information to non-affiliated third parties for
marketing purposes, and two, sale of such information to non-
affiliated third parties.
In keeping with our view of consumer privacy, we believe
this subsection should be modified to extend the Act's purview
to all commercial sharing of personally identifiable
information with non-affiliated third parties. In turn, the
exception provided by Subsection (a)(2) should be broadened to
track in appropriately modified form the exceptions provided by
Section 502 of the Gramm-Leach-Bliley Act.
In this manner, consumers would be protected against all
improper and unauthorized disclosure of their personal
information to non-affiliated third parties. At the same time,
non-financial businesses would have the same flexibility that
financial institutions enjoy to disclose information for
legitimate purposes, such as to prevent fraudulent
transactions, comply with governmental regulatory requirements,
and outsource marketing and fulfillment functions to entities
that are contractually obligated to respect the confidentiality
of their customers' data.
Turning to the matter of security, we at Disney believe
that the privacy of personal information is only as strong as
the security measures that protect that information. We
therefore suggest adding to the bill a requirement that
entities that collect consumers' personal information maintain
reasonable security measures to safeguard the confidentiality
of that information. Of course, for general consumer
information, such as that covered by Title I of this
legislation, those security measures need not be as elaborate
as the measures that apply to the sensitive data held by
financial institutions and health care providers.
Perhaps the most important provision of this measure is
Section 105, which provides for preemption of State, common,
and statutory law. Broad Federal preemption is critical to this
or any similar legislation. As we all know, the Internet has
shrunken our world further than we could ever have imagined. As
a result, information given in one jurisdiction can appear in
another in a nanosecond.
While the international implications of this fact are
themselves daunting, the prospect of the several States acting
to address these issues in varying and perhaps conflicting ways
is horrifying. One of the great strengths of our country lies
in the integration of our national economy under Federal
control over interstate commerce. Without broad Federal
preemption in this area, the inevitable patchwork of State laws
will present a formidable barrier to commerce and will, in
essence, cede what should be a Federal mandate to the parochial
interests of the various States.
American business simply cannot operate efficiently under a
myriad of conflicting rules governing national economic
activity. Thus, it is vital that, at least for the United
States, there be a single set of rules on this subject mandated
through Federal legislation and preemption.
In closing, we at the Walt Disney Company congratulate you,
Senator Feinstein, on the bill's approach to balancing the need
for governmental regulation with responsible action through
FTC-approved safe harbor programs. Indeed, as I mentioned at
the outset, we soon will be backing our commitment to our guest
privacy with the adoption of our own voluntary privacy
principles.
Thank you. I would be pleased to answer any questions the
subcommittee may have.
Chairperson Feinstein. We will have some, and thank you
very much.
[The prepared statement of Mr. Avila follows:]
Statement of Jonathan D. Avila, Executive Counsel, The Walt Disney
Company
Good afternoon. My name is Jonathan Avila and I am pleased to
appear here today on behalf of The Walt Disney Company to testify in
support of Senate Bill 1055, the ``Privacy Act of 2001.''
Protecting the privacy and security of personally identifiable
information is a critical national and international concern, and a
matter of high priority at Disney. As one of the most trusted names in
American business, it is vital to us at Disney that our guests and
customers know that we are concerned about the privacy of the
information they give us and that we will treat their information
appropriately.
As a result, we are developing our own Statement of Privacy
Principles, which are largely similar to those set forth in the Privacy
Act of 2001 and which will apply to both our online and offline
activities. Because our primary business is not healthcare or finance,
my comments today, however, are restricted to the matters addressed in
Title I of the proposed statute, and our suggestion that a provision
relating to the security of consumer data be added to Title I of the
statute.
Notice
With respect to the matter of notice, we support the principle
found in Section 101(b) that adequate notice requires a disclosure of
the type of information being sought, the purposes for which the
information will be used and with whom, if anyone, the information may
be shared. We agree, of course, that, to be meaningful, any notice must
be clear and understandable to the consumer, and must be given prior to
any marketing use or sharing of the consumer' s data.
Choice
With respect to the matter of choice, a substantial argument can be
made that consumers should affirmatively give permission for any use of
personally identifiable information (that is, a so-called ``opt-in''
consent). Nonetheless, we believe the Bill draws a reasonable
distinction between general information, and matters such as social
security numbers and information held by financial institutions and
health care providers. These latter types of information are so
sensitive that appropriate protection of personal privacy requires that
the individual providing the information affirmatively express a
willingness to have the information disclosed to others.
Although there may well be other categories of information that
also deserve this special type of protection, the same degree of
sensitivity is generally not present in the information sought in a
typical commercial transaction and hence an opt-out provision may be
sufficient.
Because we believe our guests should have the right to opt out of
receiving marketing materials from Disney, as well as having us not
share their information with third parties, our Privacy Principles will
provide multiple choices for our guests. Thus, a guest may elect to
receive marketing or other information from Disney, but opt out of our
sharing any of the guest's data with third parties. Or, the guest may
simply opt not to receive any marketing information at all from Disney
and our related companies.
In this regard, let me now voice some concern about the scope of
Section 101 (a) of the Act. There, the Act proposes to limit its
coverage to: (1) disclosure of personally identifiable information to
nonaffiliated third parties for marketing purposes; and, (2) sale of
such information to nonaffiliated third parties. In keeping with our
view of consumer privacy, we believe this subsection should be modified
to extend the Act's purview to all commercial sharing of personally
identifiable information with nonaffiliated third parties. In turn, the
exception provided by Subsection (a) (2) should be broadened to track,
in appropriately modified form, the exceptions provided by Section 502
of the Gramm-Leach-Bliley Act. In this manner, consumers would be
protected against all improper and unauthorized disclosure of their
personal information to nonaffiliated third parties. At the same time,
non-financial businesses would have the same flexibility that financial
institutions enjoy to disclose information for legitimate purposes,
such as to prevent fraudulent transactions, comply with governmental
regulatory requirements, and outsource marketing and fulfillment
functions to entities that are contractually obligated to respect the
confidentiality of their customers' data.
Security
Turning to the matter of security, we at Disney believe that the
privacy of personal information is only as strong as the security
measures that protect that information. We therefore suggest adding to
the Bill a requirement that entities that collect consumers' personal
information maintain reasonable security measures to safeguard the
confidentiality of that information. Of course, for general consumer
information, such as that covered by Title I of this legislation, those
security measures need not be as elaborate as the measures that apply
to the sensitive data held by financial institutions and health care
providers.
Preemption
Perhaps the most important provision of this measure is Section
105, which provides for preemption of state common and statutory law.
Broad federal preemption is critical to this or any similar
legislation. As we all know, the Internet has shrunken our world
further than we could ever have imagined. As a result, information
given in one jurisdiction can appear in another in a nanosecond. While
the international implications of this fact are themselves daunting,
the prospect of the several States acting to address these issues in
varying and perhaps conflicting ways is horrifying.
One of the great strengths of our country lies in the integration
of our national economy under federal control over interstate commerce.
Without broad federal preemption in this area, the inevitable patchwork
of state laws will present a formidable barrier to commerce and will,
in essence, cede what should be a federal mandate to the parochial
interests of the various States. American business simply cannot
operate efficiently under a myriad of conflicting rules governing
national economic activity. Thus, it is vital that, at least for the
United States, there be a single set of rules on this subject mandated
through federal legislation and preemption.
In closing, we at The Walt Disney Company congratulate Senator
Feinstein on the Bill's approach to balancing the need for governmental
regulation with responsible private action through FTC-approved Safe
Harbor programs. Indeed, as I mentioned at the outset, we soon will be
backing our commitment to our guests' privacy with the adoption of our
own voluntary Privacy Principles.
Thank you. I would be pleased to answer any questions the sub-
committee may have.
Chairperson Feinstein. Senator Kyl, I understand there is
going to be a vote at 4:20. My suggestion is that we go and
hear Mr. Torres and then we can decide whether we spell each
other or take a recess.
Mr. Torres is the Legislative Counsel in Washington for the
Consumers Union. He is responsible for advocating for consumers
before Congressional agencies and the Federal Reserve Board on
issues related to financial services. Mr. Torres's area of
expertise includes privacy, electronic commerce, and consumer
credit.
We welcome you, Mr. Torres.
STATEMENT OF FRANK TORRES, LEGISLATIVE COUNSEL, CONSUMERS
UNION, WASHINGTON, D.C.
Mr. Torres. Thank you, Madam Chairwoman and Senator Kyl. It
is a pleasure to be here and we appreciate the opportunity to
testify before the committee today and are grateful that you
have once again turned your attention to the serious topic of
consumer privacy.
Before I get into my testimony in earnest, though, I wanted
to respond to an earlier question about where consumers can go,
where can victims of identity theft go for help. In addition to
Consumer Reports magazine, which has written through the years
on the topic of identity theft and how consumers can protect
their privacy, Beth Givens at the Privacy Rights Clearinghouse
is a tremendous source of information for victims of identity
theft and how consumers can prevent it. Her website is at
www.privacyrights.org and she actually has a fact sheet,
``Identity Theft: What To Do If It Happens To You,'' that goes
step by step of all the different areas, all the different
places that you should think about contacting if you are the
victim of identity theft, from the credit bureaus on down.
In addition, I believe that the FTC's website has a new
feature and that is an affidavit, a model affidavit that
consumers can use to submit to the different credit bureaus and
creditors if they are victims of identity theft.
S. 1055 will protect security numbers, prevent identity
theft, and maybe put an end to some of the tragic stories we
have heard here today. Given the severity of identity theft and
its cost to both business and consumers, it is crucial that the
selling and sharing of Social Security numbers be curbed. I
would like to focus my testimony today, however, on some of the
other privacy aspects of this bill. How times have changed when
we have got forward-thinking companies advocating Federal
privacy laws, and we have two of them here today and we
appreciate their efforts on moving the debate on privacy
forward.
Consumers Union has advocated in favor of strong privacy
protections. With other consumer and privacy advocates, we have
pushed for privacy amendments to the Gramm-Leach-Bliley Act. We
fought for strong medical privacy regulations and are part of a
broad coalition that supports online privacy protections. Here
are some of the reasons we believe this bill is good.
First, the comprehensive approach of S. 1055 will provide
both consumers and businesses with clear expectations of how
information will be treated, when it can be shared, and how the
flow of information can be controlled. Those protections will
be in place wherever information is gathered. Whether privacy
is lost because a website places a cookie on a personal
computer or because information is obtained from a warranty
card does not really make a difference to the consumer. Both
are troubling invasions of privacy.
Applying privacy protections in both online and offline
settings is a fresh approach. Up to now, privacy has been
addressed sector by sector. Often, we hear complaints from
businesses that one sector is being treated differently from
another. S. 1055 responds to those concerns.
Second, S. 1055 advances the privacy debate by recognizing
the distinction between sensitive and non-sensitive data. We
have commented that more sensitive personal data, like
financial and medical information, warrant the strongest
possible protections. A business should first obtain a
consumer's consent before collecting or sharing that
information. Where data is used solely for marketing purposes,
a less rigorous approach may be enough. We encourage providing
specific, uniform, and up-front mechanisms for exercising this
opt-out, especially after seeing what happened with the notices
required under the Gramm-Leach-Bliley Act. We also support the
bill's prohibition on denying service to consumers refusing to
grant consent to data sharing.
Third, S. 1055 offers a substantial improvement over the
privacy provisions of the Gramm-Leach-Bliley Act by providing
that financial information cannot be shared with third parties
without express consent of consumers. This discussion about
privacy should also consider other areas.
Consumers Union believes that it is critical to seek input
from the States before deciding to preempt State privacy
efforts. We would not support legislation preempting State laws
where the Federal law is weak. States like California are
moving forward with strong privacy bills similar to some of the
provisions in S. 1055. While Congressional efforts may lag
these State initiatives, sponsors of those bills should take
note that they are on target with Federal proposals.
It should also be clear that S. 1055 will not roll back
existing laws, such as the consumer privacy protections in the
Communications Act. Just yesterday, Comcast, one of the largest
cable TV providers in the country, abandoned collecting data
from their subscribers. This collecting was done in violation
of the law in which Congress placed a high priority on
protecting customer viewing habits.
We also support other efforts to curb identity theft and
assist victims, like the Reclaim Your Identity Act recently
introduced by Senator Cantwell.
Last but not least, the selling and sharing of Social
Security numbers between businesses warrants scrutiny. In some
cases, it may open the door to abuses.
In summary, S. 1055 does not ban the collection and use of
personal data. It merely gives consumers control over their own
information and it places a burden on businesses that want
information to convince consumers to share it. That sounds like
how the marketplace should be working.
Thank you, and I would be happy to answer any questions.
Chairperson Feinstein. Thank you very much, Mr. Torres.
[The prepared statement of Mr. Torres follows:]
Statement of Frank Torres, Legislative Counsel for Consumers Union
Consumers Union \1\ appreciates the opportunity to present this
testimony on the Privacy Act of 2001, S. 1055. This hearing provides a
forum to discuss why American consumers need meaningful and
comprehensive privacy protections.
---------------------------------------------------------------------------
\1\ Consumers Union is a nonprofit membership organization
chartered in 1936 under the laws of the State of New York to provide
consumers with information, education and counsel about goods,
services, health, and personal finance; and to initiate and cooperate
with individual and group efforts to maintain and enhance the quality
of life for consumers. Consumers Union's income is solely derived from
the sale of Consumer Reports, its other publications and from
noncommercial contributions, grants and fees. In addition to reports on
Consumers Union's own product testing, Consumer Reports with
approximately 4.5 million paid circulation, regularly, carries articles
on health, product safety, marketplace economics and legislative,
judicial and regularly, carries articles on health, product safety,
marketplace economics and legislative, judicial and regulatory actions
which affect consumer welfare. Consumers Union's publications carry no
advertising and receive no commercial support.
---------------------------------------------------------------------------
Consumers Union has long been an advocate for strong privacy
protections. Along with other consumer and privacy advocates we pushed
for amendments to the Gramm-Leach-Bliley Act to try to provide
consumers control over how their personal financial information is
collected and whether it could be shared. We fought for strong medical
privacy regulations and continue to push for privacy related to health
like genetic information. Consumers Union is also part of a broad
privacy coalition that has supported online privacy protections.
Stronger laws are needed to give consumers control over the
collection and use of their personal information. Legislative efforts,
such as S. 1055 will help ensure that consumers are told about how and
why information is collected and used, provided access to that data,
and given the ability to choose who gets access to their most intimate
personal data.
There are a number of elements of privacy protection that have
become clearer over the course of our involvement in the privacy debate
which are reflected in S. 1055:
A comprehensive approach to privacy protection, like S.
1055, is warranted. For consumers, the comprehensive approach of S.
1055 has advantages clear expectations of how their information will be
treated, when it can be shared and how the flow of information can be
controlled. The distinctions between privacy intrusions are sometimes
lost on consumers. Whether privacy is lost because of a cookie placed
on a personal computer after visiting a website or because information
obtained from a warranty card is collected and sold it really does not
make a difference. Applying privacy protections in both online and
offline settings is a fresh approach that has merit considering how the
privacy debate has developed. Up to now the approach to privacy has
been sector by sector. There are bills on financial privacy, medical
privacy and online privacy. Often we hear complaints that one sector is
being treated differently than another. S. 1055's comprehensive
approach addresses those concerns. If industry wants fair and clear
rules that treats everyone the same, they should be supportive of S.
1055's comprehensive approach.
A distinction can be made between sensitive and non-
sensitive information. S. 1055 advances the privacy debate by
recognizing the distinction between sensitive and non-sensitive data.
We have commented that more sensitive personal data, like financial and
medical information, warrant the strongest possible protections. For
this type of data we favor an approach that requires a business to
obtain the consumer's consent prior to sharing that data.
Provided other data collected is used solely for marketing
purposes a lessor standard may be appropriate. We support this approach
only if clear notice is given to the consumer prior to the collection
of the data and that the consumer is given the opportunity up front to
choose not to have his or her information shared with others. We
encourage providing specific and uniform mechanisms for exercising an
opt-out. Several states are implementing ``do-not-call'' lists. Even
the Direct Marketing Association maintains such a list. A one-stop
universal opt-out would be a useful tool for consumers. The Federal
Trade Commission has recently published a proposed rule for a national
do-not-call list.
Consumers need a stronger law to protect their personal
financial information. S. 1055 offers a substantial improvement over
the privacy provision of the Gramm-Leach-Bliley Act by providing that
financial information cannot be shared with third parties without the
express consent of the consumers. The Gramm-Leach-Bliley Act falls far
short of providing meaningful privacy protections in the financial
setting. Loopholes in the law and in this draft rule allow personal
financial information to be shared among affiliated companies without
the consumer's consent. In many instances, personal information can
also be shared between financial institutions and unaffiliated third
parties, including marketers, without the consumers consent. Consumers
across the country are receiving privacy notices from their financial
institutions. Unfortunately these opt outs, in reality, will do little
or nothing to prevent the sharing of personal information with others.
Other loopholes allow institutions to avoid having to disclose all of
their information sharing practices to consumers. In addition, the GLB
does not allow consumers to access to the information about them that
an institution collects. While states were given the ability to enact
stronger protections, those efforts have met fierce resistance by the
financial services industry.
Consumers' health information should not be shared without
their express consent. S. 1055 protects personal health information
across the board under the bill health information cannot be shared
without the prior consent of the consumer.
The sale of social security numbers to the public should
be banned. Public disclosure of social security numbers should be
limited. Businesses should be prohibited from denying services if a
consumer does not wish to provide a social security number in certain
circumstances. S. 1055 shuts down many avenues that lead to the release
of social security numbers.
Commercial entities that collect personal information
should be responsible for providing notice to consumers if they intend
to share personal data with others and allow consumers to opt-out of
such data collection and sharing third parties. S. 1055 requires notice
and consent prior to the sharing of personal information with a non-
affiliated entity.
Sound and comprehensive privacy laws will help increase consumer
trust and confidence in the marketplace and also serve to level the
playing field. These laws do not have to ban the collection and use of
personal data, merely give the consumer control over their own
information.
The remainder of these comments provide greater detail on privacy
issues related to marketing, financial data, health data, and identity
theft.
Marketing
Consumers face aggressive intrusions on their private lives. Often
a consumer is forced to provide personal information to obtain products
or services. Many times information that has been provided for one
purpose is then used for another reason, unbeknownst to the consumer.
Financial institutions, Internet companies health providers and
marketers have been caught crossing that line. Meanwhile, identity
theft is at an all time high.
Increasingly, consumers want to choose who does and does not have
access to their medical, financial and other personal information.\2\
If access is needed consumers want to be able to specify for what
purposes and to what extent access will be granted. Consumers want
assurances that the information they consider sensitive will be kept
private by the businesses they use. Often, consumers have no choice in
whether or not information is collected and no choice in how it is
used. Today, any information provided by a consumer for one reason,
such as getting a loan at a bank, can be used for any other purposes
with virtually no restrictions.
---------------------------------------------------------------------------
\2\ Consumers continue to care about their privacy. A recent survey
by Forester Research found that 72% of consumers participating in the
study said that it was an extreme violation of their privacy for
businesses to collect and then supply data about them to other
companies. Another survey by Public Opinion Strategies found that
strengthening privacy laws to assure that medical, financial, or
personal records are kept private is one of the highest-rated issues of
concern to consumers nationwide.
S. 1055 will allow consumers to opt-out of sharing of
information with third parties for marketing purposes. This requirement
should be easy to implement, in most cases consumer choice can be
provided at the point where the information is collected. Consumers are
sometimes given that choice today in both online and offline settings.
The opt-out for marketing purposes is distinguishable from
a stricter regime for the collection and use of sensitive financial and
health information. So long as the information collected is used solely
for marketing purposes, an opt-out approach may be adequate provided
notice and choice is provided up front, prior to the collection of the
data, and that the notice and choice is clear and in plain English. The
opt-out must be easy for consumers, unlike the opt-out under the Gramm-
Leach Bliley Act. The opt-out provided by most financial institutions
have proven difficult for consumers to understand and hard to exercise.
If properly provided the notice and opt-out contemplated in this
legislation could result into a system where consumers may indicate
that they want no calls, then individually choose, on a case-by-case,
merchant -by-merchant basis, to consent to information collection and
use by parties they trust or believe will provide some benefit.
Exceptions to the opt-out requirement should be minimal.
The exceptions provided in the legislation appear to be reasonable and
should not be expanded.
It is appropriate to allow the Federal Trade Commission to
have enforcement authority. The FTC has taken a leadership role in
protecting consumer privacy. The agency was given specific authority
under the GLB to implement those privacy provisions. In addition it has
held numerous workshops and convened advisory committees on the issue
of privacy.
The use of seal programs to provide for a safe harbor
needs strict scrutiny and oversight. Consumers Union, and many other
advocacy organizations remain skeptical of the ability of industry
groups to self-regulate. Seal programs are often dependent on the very
firms they are supposed to scrutinize. If a safe harbor remains in the
bill, there should also be a mechanism to evaluate whether the program
is effective and ensure that the requirements of the program are as
strict as the protections contained in the bill.
Consumers Union believes that it is critical to seek the
input from the states, including state attorneys general and
legislators, before deciding to preempt state privacy efforts.
Financial Privacy
Consumers have reason to be concerned about how their private
financial information is being collected, used, shared and sold. Under
the GLB there are no limits on the ability of a financial institution
to share information about consumers' transactions, including account
balances, who they write checks to, where they use a credit card and
what they purchase, within a financial conglomerate. Because of
loopholes in GLB, in most cases sharing a consumer's sensitive
information with a third party is allowed too. All the exceptions
created by GLB make it difficult to come up with a list of
circumstances where personal financial information cannot be shared.
Financial institutions promised that in exchange for a virtually
unfettered ability to collect and share consumers' personal
information, that consumers would get better quality products and
services and lower prices. This is why, they claimed, consumers
shouldn't have strong privacy protections like the ability to stop the
sharing of their information among affiliates, or access to that
information to make sure its accurate.
Bank fees for many consumers continue to rise. Information about
financial health may actually be used to the consumer's determent if it
is perceived that the consumer will not be as profitable as other
customers. Both Freddie Mac and Fannie Mae say between 30 and 50% of
consumers who get subprime loans, actually qualify for more
conventional products, despite all the information that is available to
lenders today. Credit card issuers continue to issue credit cards to
imposters, thus perpetuating identity theft, even when it seems like a
simple verification of the victim's last known address should be a
warning. Instead of offering affordable loans, banks are partnering
with payday lenders. And when do some lenders choose not to share
information? When sharing that information will benefit the consumer--
like good credit histories that would likely mean less costly loans.
Chase Manhattan Bank, one of the largest financial institutions in
the United States, settled charges brought by the New York attorney
general for sharing sensitive financial information with out-side
marketers in violation of its own privacy policy. In Minnesota, U.S.
Bancorp ended its sales of information about its customers' checking
and credit card information to outside marketing firms. Both of these
were of questionable benefit for the bank's customers. Other
institutions sold data to felons or got caught charging consumers for
products that were never ordered.
Consumers should have the right to be fully and meaningfully
informed about an institution's practices. Consumers should be able to
choose to say ``no'' to the sharing or use of their information for
purposes other than for what the information was originally provided.
Consumers should have access to the information collected about them
and be given a reasonable opportunity to correct it if it is wrong. In
addition to full notice, access, and control, a strong enforcement
provision is needed to ensure that privacy protections are provided.
S. 1055 requires that consumers opt-in before financial
information can be shared with third parties.
S. 1055 also provides that a consumer cannot be denied
service for refusing to consent to the sharing of his or her
information.
The exceptions contained in S. 1055 are limited to
reasonable expectations related to the primary use of personal data.
Legislative efforts in this body, like S. 1055, send a
strong message to those in the states pursuing similar privacy
protections. It is clear that states, like California, are on the right
tract in pushing forward with bills like California Senate Bill 773,
which will provide strong financial privacy protections in that state.
While congressional efforts may lag these state initiatives, sponsors
of those bills should take note that they are on target with what
federal legislators are considering.
Medical Privacy
Medical information has been used for inappropriate purposes. The
medial privacy rule promulgated by the Department of Health and Human
Services highlighted a number of cases where private medical
information was released for profit and marketing purposes completely
unrelated to the treatment of those patients. A USA Today editorial
earlier this year highlighted the consequences of a failure to protect
medical privacy. The editorial cited various privacy intrusions an
employer firing an employee when they got the results of a genetic
test; release of medical records to attack political opponents; and
hackers getting access to health records from a major University
medical center (USA Today, March 20, 2001).
Patients should not be put in the position of withholding
information or even lying about their medical conditions to preserve
their privacy. Those seeking medical treatment are most vulnerable and
should be allowed to focus on their treatment or the treatment of their
loved ones, rather than on trying to maintain their privacy. It is
unfair that those citizens must be concerned that information about
their medical condition could be provided to others who have no
legitimate need to see that information.
S. 1055 requires a customer's affirmative consent before
individually identifiable health information can be shared across the
board. The bill extends the protections of the HHS rules to cover any
setting across the board.
Identity Theft
Beth Givens of the Privacy Rights Clearinghouse estimates that
there were 500,000 to 700,000 victims of identity theft last year. The
number of complaints to the FTC almost doubled from March to December
2001. It is very easy to obtain social security numbers. Non-social
security administration uses of social security numbers have not been
prohibited. As a result, social security numbers are used as
identification and account numbers by many entities.
The Internet provides an easy and cheap way to get personal
information. Web sites sell individuals' social security numbers, some
for as little as $20. Self-regulatory efforts by information brokers
has been in effective in restriction the sale of sensitive personal
information to the general public.
Other elements to consider are the practices of the credit and
credit reporting industries. They must also work to prevent fraud and
help victims recover from identity theft. Many consumers have no idea
how they become victims of identify theft. Often, they do not find out
their personal information has been misused for more than a year, and
sometimes as long as five years. Victims must spend significant amounts
of time contacting creditors and credit reporting agencies in order to
repair the damage done to their credit histories. In the meantime, they
are often unable to obtain credit and financial services,
telecommunication and utility services, and sometimes employment.
The expanded use of the SSN as a national identifier has given rise
to individuals using counterfeit SSNs and SSNs belonging to others for
illegal purposes. Stolen SSNs have been used to gain employment,
establish credit, obtain benefits and services, and hide identity to
commit crimes.
One of the unfortunate results of the events of last September are
reports of identity theft scams. Criminals have tried to obtain data
from the unsuspecting families of victims of that tragedy. This should
remind creditors that they have a responsibility to verify the identity
of individuals prior to issuing lines of credit.
The FTC is taking steps to assist the victims of identity theft,
but it is also important to focus on preventing the theft in the first
place. As an FTC official recently stated, `` in this day of remote
transactions and greater access to publicly available information on
each of us, identity theft has never been easier to commit.''
S. 1055 helps take Social Security numbers out of
circulation. It would prohibit the commercial sale of SSNs. The bill
would also limit uses of SSN s by private sector entities and stop the
display of SSNs by government agencies.
S. 1055 provides civil penalties for misuse of SSNs. We
believe a private right of action provides consumers with a meaningful
safeguard against businesses who should be held accountable for the
misuse of SSNs.
The legislation is a useful step in protecting SSNs and
curbing identity theft. Given the severity of identity theft, and the
cost to both business and consumers, there remains a need to monitor
and assess the effectiveness of any legislation designed to prevent
this problem.
Chairperson Feinstein. I just want to enter into the record
that I am very pleased to also add to the support of this bill
eBay, NCR, the American Medical Association and Pacific Life
Insurance Company. I want to indicate that this bill did not
just emerge. It has been worked on over a substantial period of
time and I wanted to thank everybody at the table who has
helped us with this. It is a new area. I think it does provide
the national floor, so to speak. It preempts State law in that
sense. It does apply to online/offline.
I would like to begin my questions, if I can, with a
question of Mr. Avila because I did not quite understand. I am
reading Section 101 of my bill and also Section 502 of Gramm-
Leach-Bliley and I did not understand the point that you were
making.
Mr. Avila. We are concerned, Senator, that we believe that
privacy protection should be extended to all sharing,
commercial sharing of information with third parties, but if
that is done, then the exception in S. 1055 needs to be
broadened somewhat because it covers--it is now specific to the
limitations on sharing that are in the bill.
Chairperson Feinstein. How would you broaden it? What would
you add to it?
Mr. Avila. We would suggest not restricting the coverage to
sale of personal information to non-affiliated third parties
and leave the statute disclosure for marketing purposes. We
believe it should apply to any purpose for which personal
information is disclosed to a third party.
Chairperson Feinstein. That was the point you were making,
Mr. Comer, is that right?
Mr. Comer. My point was slightly different, which was I was
suggesting that the bill should apply, as well, to public
websites. Perhaps that is what you were thinking of when I was
talking about that there should not be--
Chairperson Feinstein. Right. Do you agree with the point
Mr. Avila is making?
Mr. Comer. I agree in the sense that we think that the
restrictions on disclosure or use or sale should all be
embraced or encompassed within the privacy protections that you
articulate. We can work with your staff on this if there is a
perceived gap.
Chairperson Feinstein. All right. We appreciate that.
Mr. Torres. Senator?
Chairperson Feinstein. Mr. Torres?
Mr. Torres. If I might, I have got some concerns about
extending the--including any more exceptions when we are
talking solely about the use of this information for marketing
purposes. Section 303 of S. 1055 does incorporate for purposes
of the sale of financial information and the use of financial
information the Section 502 exclusions under Gramm-Leach-Bliley
and some of those are reasonable in the context of servicing
accounts and making sure that the consumer is able to
correspond and those types of things.
So we would be happy to work with your staff as to whether
or not any of those types of exceptions might be reasonable,
but at this point, we would be skeptical about opening it up
for marketing, when you are talking about using information for
marketing purposes.
Chairperson Feinstein. Mr. Avila, I tend to come down on
Mr. Torres's side on that and I do not understand why you would
want this.
Mr. Avila. We simply believe that sharing should--that the
coverage of the statute should not be restricted to sharing
with third parties for marketing purposes but it should cover
any purpose for which information is shared.
Chairperson Feinstein. Like what?
Mr. Avila. Well, there may be other purposes that are not
specifically for marketing, but any commercial purpose.
Marketing seems to be, to us, too limited.
Chairperson Feinstein. You do not think that is the barn
door through which the Mack truck can be driven?
Mr. Avila. Well, Senator, we are proposing extending not
the exceptions but the coverage of the statute.
Chairperson Feinstein. Oh, I see. All right.
Mr. Avila. And then, as a consequence of that--
Chairperson Feinstein. I misunderstood, then. I thought you
were--
Mr. Avila. Yes.
Chairperson Feinstein. Then I think we are all on the same
wavelength--
Mr. Avila. Now, naturally--
Chairperson Feinstein [continuing]. So we ought to be able
to work that out.
Mr. Avila. Naturally, if the coverage were extended, the
exceptions would have to conform to the extension of the
coverage, so, for example, fraud prevention and other
reasonable exceptions should follow the extension of the
purview of the covered portions of the Act.
Chairperson Feinstein. Right. I think that is excellent. I
think we can work it out. Perhaps while you are all here, you
can sit down with the staff and do some wordsmithing.
I gather the safe harbor provisions that exempts businesses
with good privacy protections from government regulation, it is
my understanding that Disney is a member of the TRUSTe Privacy
Program, a seal program that sets minimum privacy standards. I
want to ask you, what are your views of the safe harbor
provisions of this bill? I want to ask also this question. Does
Disney regularly review its data collection operations to
ensure compliance with its own privacy standards?
Mr. Avila. As to your first question, Senator, we are
members of the TRUSTe seal program. We believe that TRUSTe has
made important strides in formulating a structure for
protecting consumers' online privacy. The gap in the protection
online is not for seal participants but rather for non-seal
participants, and since the TRUSTe program and the BBB Online
program are not compulsory, they do not cover the actions of
the so-called bad actors who choose not to participate in those
programs and who do not follow the regime of protection that
those programs mandate.
We believe that the safe harbor provisions of the Act are a
highly appropriate way of combining the flexibility of the seal
programs with a mandate that all entities that gather consumer
information must follow appropriate privacy protections and we
are highly supportive of the safe harbor provision.
Chairperson Feinstein. Mr. Comer?
Mr. Comer. I wonder if I might just respond to that, as
well.
Chairperson Feinstein. Certainly.
Mr. Comer. We are not only on the board of TRUSTe, but also
on the board of BBB Online, and so we have had a very strong
voice in working to bring these organizations into existence
and strengthen them over the last few years.
I would say we view the safe harbor provisions as not only
very well written, but extremely important to the whole schema
of the bill, and the reason for that is because you want an
incentive that will bring, if you will, the startups, the small
businesses, the others that are just learning about privacy
responsibility into the self-regulatory organizations because
they do an enforcement role which the FTC will never be able to
duplicate. They do random checks. They do periodic audits and
so forth and that enables the safe harbor programs, the seal
programs, excuse me, to be kind of an extended arm of
enforcement and compliance.
The way your bill is structured, we think the good players
will migrate naturally to those programs in order to benefit
from the safe harbor, and in that way, their privacy practices
will be sharpened, improved, and better supervised.
Chairperson Feinstein. Mr. Torres? Thank you.
Mr. Torres. Senator, consumer advocates in general are
somewhat wary of the industry's regulating itself. I know that
there are some seal programs that are out there today and they
were mentioned here today--
Chairperson Feinstein. It seems to me I have heard that
before.
Mr. Torres [continuing]. That are really trying to do the
right thing. We fear lack of enforcement as one thing. The
other thing is sometimes that you could have a seal program
that simply says, if you have a privacy policy, that is what we
require, and we know from experience that a company's privacy
policy can be fairly horrible and we just want to make sure
that those types of seal programs do not get included as part
of the program. We would be more than happy to work with your
staff on how to make sure there is some oversight, and I think
there is some provision for the FTC to take a look at the seal
programs that are kind of approved for this purpose.
Chairperson Feinstein. Good. Well, from this point on, I
would like to work together to see that the consumer interest
as well as the business interests are protected, because when
we started this, it was very difficult, as you know. Nobody
wanted opt-in in any way, any shape, or any form. So you
gentlemen in the business community are really in the forefront
of this and I really want to commend you. I am very grateful
for this support. I think it is very important that we work
together as we make any changes in this that need to be made. I
think we have got a pretty good bill that goes as far as it can
go.
In looking for points of controversy, one thing may be that
we allow for or provide for State enforcement, and one of my
reasons is it is the only way the bill is really going to get
enforced. You heard the testimony of the GAO, how little the
Federal aspect of this has to look into it. So I think the
State enforcement of it is extraordinarily important. Do any of
you have a view on that?
Mr. Comer. I agree with your view on that because you now
have the 50 State attorneys general who will be in a position
under this bill to carry forward, if you will, extend the reach
of the FTC's jurisdiction and I think the Commission is quite
comfortable with that kind of a model. It has been used in COPA
and in other pieces of legislation. Provided, as your text is
written, that this is subject to the, if you will, the rights
of intervenor of the FTC and FTC oversight, we are quite
comfortable with State enforcement in this context.
Chairperson Feinstein. Good. Good.
Mr. Comer. I would say it is an equally important part of
the preemption provisions that there is no new private right of
action created by your bill and that will help keep the law
uniform and straightforward with regard to consumer rights.
Chairperson Feinstein. Right. I understand that.
Mr. Avila, do you have a comment?
Mr. Avila. Yes. We would agree that it is very important
that there be a single uniform national standard. The vesting
authority in the FTC and in the attorneys general is a very
important way to achieve that uniformity.
Chairperson Feinstein. Thank you.
Mr. Torres. Senator?
Chairperson Feinstein. Certainly. Go ahead.
Mr. Torres. If I may, on the preemption question, as I said
in my testimony, it is crucial, then, that if there is
preemption, that the underlying bill be as strong as possible,
and your bill is fairly strong on a number of points. And so
that for us may be the tradeoff. We get preemption thrown at us
quite a bit. It undermines a lot of good State efforts in
various areas and so that is why I also said in my testimony
that we really need to consult with some of the States.
As far as the attorneys general having some enforcement
authority here, the attorneys general have done a tremendous
job on the issue of privacy both in California and in
Minnesota. It was one of the reasons why privacy became such an
important part of the Gramm-Leach-Bliley debate, because there
were abuses of personal financial information.
So those are just things that we need to be working on
through the discussion of this legislation.
Chairperson Feinstein. Thank you very much. I mean, there
is no way of doing a bill unless you have preemption because
you are going to have different laws in every State and how do
you follow that on an online community? You cannot, so it
becomes extraordinarily difficult to have any meaningful reform
unless you establish that national preemption.
In any event, I think we have done it today. Let me thank
you. Ms. Fisher, let me thank you so much for coming this
distance to testify and I hope you will work along with the
staff to see that victims' rights are protected as we move this
legislation along.
It is my intention to have another hearing, I think it is
on March 19, and we will consider Senator Cantwell's bill and
another bill that Senator Kyl and I have, and then hopefully,
if all goes well, maybe combine them into one bill so that we
can then move on to the full committee. I would hope that you
all would look at those bills, as well, and let us know if you
think they are mutually compatible. I appreciate that.
Mr. Comer. Senator, can I just--
Chairperson Feinstein. Senator Thurmond has a statement,
which I will put in the record.
We will enter Senator Grassley's statement in the record,
as well.
Mr. Comer, did you have a comment?
Mr. Comer. A final comment. I want to thank your staff for
their very fine work and working closely with us to polish some
of the provisions.
Chairperson Feinstein. Thank you very much.
Mr. Torres. I second that.
Chairperson Feinstein. And Senator, thank you very much,
and I particularly appreciate that. It has been a lot of work.
Let me thank the witnesses. The hearing is adjourned.
[Whereupon, at 4:38 p.m., the subcommittee was adjourned.]
[Submissions for the record follow.]
SUBMISSIONS FOR THE RECORD
American Electronics Association
Washington, D.C.20004
February 12, 2002
The Hon. Dianne Feinstein
U.S. Senate
331 Hart Building
Washington, DC 20510
Dear Senator Feinstein:
Thank you for your ongoing leadership on the very important issue
of privacy. AeA has a significant interest in ``The Privacy Act of
2001'' (S. 1055). I write in support of the essential elements of Title
I of this bill. While we have concerns about other titles of the bill,
we do want to express our commitment to work with you in your efforts
to strengthen protections for consumer privacy on the Internet
As you know, AeA is the largest high-technology trade .association
in America, representing over 3,500 companies that develop and
manufacture software, electronics, and high technology products. Our
member companies range from large, industry leaders to small and medium
sized high-technology start up ventures. As such, online consumer
confidence is of paramount concern to AeA members. Furthermore, many
AeA companies use information gathered from their customers to alert
them to new products and services that may be useful in their homes or
offices. The proper use of this information is essential to the growth
of the Internet economy. Therefore, any attempt to regulate information
practices must be approached with caution and only after careful
consideration of the potential unintended consequences of such
regulation.
It is important to emphasize that our current support for federal
preemption legislation is a direct response to the multiplicity of
state privacy initiatives that were considered during 2000 and 2001.
AeA believes that patchwork state regulation will reduce consumer
confidence online by presenting consumers with conflicting privacy
protections, as well as harm small and medium sized businesses by
forcing them to comply with a multiplicity of regulations. Also, we
continue to believe that industry self-regulatory efforts must play a
significant role in any federal proposals.
AeA's Board has approved principles for federal legislation that
are set forth at the end of this letter. Fundamental to these
principles are the benchmarks of notice, choice, and uniform federal
standards for privacy protection. We are very pleased that Title I of
your bill includes clear notice and choice provisions consistent with
our principles, as well as a strong federal preemption section that
would provide certainty for both consumers and businesses about their
respective rights and responsibilities. Importantly, your bill would
also apply these same requirements to offline data collection
activities. This is consistent with our principle that policy should
not discriminate between online and offline activities to the
disadvantage of e-commerce.
We stand ready to work productively with you to maintain the proper
balance between the need to strengthen protections for consumers while
avoiding unnecessary restrictions on the ability of businesses to
provide, through the Internet, the valuable products and services that
consumers demand.
Sincerely,
William T. Archey
President & CEO
AeA Principles for Internet Privacy Legislation
provide individuals with notice
Web sites that collect personally identifiable information should
provide individuals with clear and conspicuous notice of their
information practices at the time of information collection.
Individuals should be notified as to what type of information is
collected about them, how the information will be used, and whether the
information will be transferred to unrelated third parties.
ensure consumer choice
Consumers should have the opportunity to opt out of the use or
disclosure of their personally identifiable information for purposes
that are unrelated to the purpose for which it was originally
collected. Consumers should be allowed to receive benefits and services
from vendors in exchange for the use of information. It is important
that the consumer understands this use and be able to make an informed
choice to provide information in return for the benefit received.
leverage market solutions
Private sector privacy codes and seal programs are an effective
means of protecting individuals' privacy. Lawmakers should recognize
and build upon the self-regulatory mechanisms the private sector has
put in place and continues to build. These mechanisms are backed by the
enforcement authority of the Federal Trade Commission and state
attorneys general. Public policies also should allow organizations to
implement fair information practices flexibly across different mediums
and encourage innovation and privacy enhancing technologies.
ensure national standards
The Internet is a new and powerful tool of interstate commerce.
Public policies related to Internet privacy should be national in
scope, thus avoiding a patchwork of state and local mandates. This
uniform framework will promote the growth of interstate ecommerce,
minimize compliance burdens, sustain a national marketplace and make it
easier for consumers to protect their privacy.
protect consumers in the public and private arena
Government and non-profit organizations collect a tremendous amount
of personally identifiable information about citizens. The need to
foster consumer confidence applies to private and public sector
activities. Government agencies and non-profit organizations that
collect personally identifiable information should be required to
follow fair information practices imposed on the private sector by law
or regulation.
don't discriminate against the internet
Consumers should have confidence that their privacy will be
respected regardless of the medium used. Similar privacy principles
should apply online and offline. Public policy should not discriminate
against electronic commerce by placing unique regulatory burdens on
Internet-based activities.
utilize existing enforcement authority
With the imposition of notice requirements, the Federal Trade
Commission should use its existing authority to enforce the mandates of
federal legislation. Legislation should not create any new private
rights of action.
avoid conflicting or duplicative standards
In cases where more than one government agency seeks to regulate
the privacy practices of a particular organization or industry, those
agencies should offer a single coordinated set of standards.
Statement of American Medical Association
The American Medical Association (AMA) and its physician and
medical student members appreciate the opportunity to present
information to this Subcommittee on the important issue of patient
privacy and the confidentiality of medical records. The AMA believes
that patient privacy is fundamental to the physician-patient
relationship and is a right long advocated by the AMA.
We would like to commend Chairman Feinstein for introducing S.
1055, the ``Privacy Act of 2001.'' Title IV of S. 1055 would
significantly improve the current framework of federal privacy
protections for all of America's patients.
Background on Federal Privacy Protections
The Department of Health and Human Services (HHS) published on
December 28, 2000, a final rule establishing standards for the privacy
of individually identifiable health information (``Standards for
Privacy of Individually Identifiable Health Information'' 65 Fed. Reg.
82462) (the ``Final Privacy Rule ''). Congress did not pass privacy
legislation by the August of 1999 deadline set by the Health Insurance
Portability and Accountability Act of 1996 (HIPAA). Therefore, the
Secretary of HHS issued privacy standards as directed by HIPAA.
The AMA applauds HHS for the tremendous effort it took to write the
Final Privacy Rule. After years of contentious debate in Congress it
became clear to all involved that drafting federal privacy standards
would be no easy task. Overall, the AMA is pleased with many provisions
of the Final Privacy Rule. However, we also have many serious concerns.
During a public comment period in March of 2001, the AMA submitted
extensive comments on the Final Privacy Rule. Among many significant
issues, we expressed concern over the marketing provisions. We also
expressed concern that, even with potential future improvements, the
Final Privacy Rule would not adequately protect patients because it
only applies to certain ``covered entities.'' We firmly believe that
Congress must act to extend privacy requirements to all entities that
maintain patient information.
Because HIPAA limited the Secretary's regulatory authority to
health care providers, health plans, and health data clearinghouses,
these are the only entities covered under the Final Privacy Rule. All
other users of individually identifiable health information
(``protected health information '') are not regulated by the Final
Privacy Rule. Yet, protected health information is received by many
other entities such as schools and universities, public and private
agencies that oversee health care treatment and payment, law
enforcement officials, and public health departments. These entities
include, but are not limited to, state insurance commissioners, state
health professional licensure agencies, the Office of Inspectors
General of federal agencies, the Department of Justice, State Medicaid
fraud units, Defense Criminal Investigative Services, the Pension and
Welfare Benefit Administration, the HHS Office for Civil Rights, the
Food and Drug Administration, the Social Security Administration, the
Department of Education, the Occupational Health and Safety
Administration, and the Environmental Protection Agency.
Other persons or entities may also receive protected health
information in the normal course of business such as lawyers,
accountants, consultants, etc. The Final Privacy Rule identifies such
secondary users of protected health information as ``business
associates'' of physicians and other covered entities. The Final
Privacy Rule requires that the confidentiality standards of the rule be
applied to these business associates through contracts with covered
entities.
The AMA objects to the business associate provisions because they
present the potential for significant liability for physicians even
when the physicians themselves are in compliance with the Final Privacy
Rule. Covered entities are subject to enforcement and sanctions under
the Final Privacy Rule for acts of their business associates, while
business associates at most may lose their contract with the covered
entity and incur possible damages if the covered entity files a
subsequent civil suit. In addition, covered entities will have a duty
to mitigate any known harmful effects of a violation of the rule by a
business associate.
As currently written, the business associate requirement will
subject physicians and covered entities to an array of both foreseeable
and unforeseeable compliance costs. All existing contracts with each
business associate will need to be rewritten and renegotiated. Every
single interaction physicians have that might involve the disclosure of
protected health information will require analysis. For example, state
and county medical associations that assist physicians with specific
compliance, patient care and billing issues, as well as private
accreditation and certification agencies, will now be required to have
business associate contracts.
The AMA acknowledges the limitations inherent in the Congressional
grant of authority under HIPAA that constrain the Secretary from
directly regulating secondary or ``downstream'' users of protected
health information. However, covered entities should not be held
responsible for actions taken or inaction by these separate entities
simply because Congress did not include them in the legislative
directive to HHS. As a matter of fairness, these users of protected
health information should also be brought under the terms of
comprehensive privacy laws.
Fortunately, Chairman Feinstein has taken a first step to address
these concerns.
Title IV of S. 1055 would prohibit the unauthorized sale of
protected health information by entities that maintain protected health
information but are not ``covered entities'' under the privacy
regulation. S. 1055 would also remove harmful marketing loopholes from
the Final Privacy Rule. These are two much needed improvements to
federal privacy protections.
The Sale of Health Information
The AMA is pleased that Title IV of S. 1055 would expand federal
privacy protections for patients by establishing some conditions on the
disclosure of protected health information received and maintained by
entities that are not covered under the Final Privacy Rule. Title IV
would prohibit these ``non-covered entities'' from selling protected
health information without an authorization by the patient. ``Non-
covered entities'' under S. 1055 would include all public or private
entities such as health researchers, schools and universities, life
insurers, property and casualty insurers, employers, public health
authorities, health oversight agencies, law enforcement officials, and
any person acting as an agent of such entities.
In addition, S. 1055 would ensure that patients are adequately
informed before they authorize the sale of their protected health
information. Authorizations would need to be in writing, explain the
purpose for which the information would be sold, identify in a specific
and meaningful manner what information would be sold, the persons who
would be selling the information, and the persons who would receive the
information. Individuals would also have the right to revoke an
authorization and entities would not be permitted to condition the
purchase of a product or service on an individual signing an
authorization.
We would like to voice one cautionary note, however, regarding the
definition of ``sale.'' Because it could, and should, be interpreted
very broadly, the definition of ``sale'' might lead to the unintended
consequence of prohibiting important research, particularly research
published in medical journals. Without a clarification, we are
concerned that the use of protected health information for analysis and
research that is later published might be considered to be an
``indirect'' sale of protected health information under Title IV of S.
1055. We would like to propose a rule of construction for addition to
the language of the bill that would address this matter.
Marketing
In the Final Privacy Rule, marketing is defined very broadly as
``mak[ing] a communication about a product or service a purpose of
which is to encourage recipients of the communication to purchase or
use the product or service.'' There is a ``carve out'' for certain oral
communications and written communications if the covered entity does
not receive remuneration from a third party for making such a
communication. These communications are not considered marketing if
they are made by a health care provider and tailored to a particular
patient as part of treatment, or made by a provider or plan to manage
treatment of a patient or recommend alternative therapies, providers,
or settings of care. S. 1055 maintains this appropriate definition.
The proposed privacy rule included a general prohibition against
the use of protected health information for marketing without a patient
authorization and would have prohibited the disclosure of such health
information for sale, rental or barter without patient authorization.
However, these prohibitions were weakened in the final rule. The Final
Privacy Rule removed altogether the prohibition against disclosure of
protected health information for sale, rental or barter without patient
authorization. And, although patient authorization for marketing of
protected health information is still required, there are several
exceptions that effectively remove this protection in many
circumstances. (Section 164.514(e)(1)) This is unacceptable to the AMA.
Under the Final Privacy Rule, the marketing communications that are
exempt from the authorization requirement fall under the definition of
``health care operations.'' Health care providers are required to
obtain patient consent before protected health information can be used
or disclosed for health care operations under the Final Privacy Rule.
But, for health plans, this is a major loophole because they do not
need to obtain patient consent to conduct health care operations under
the Final Privacy Rule. This means health plans can use or disclose
protected health information for various marketing purposes without any
type of permission from the patient.
The Final Privacy Rule exempts from the authorization requirement
communications that occur in a face-to-face encounter with the
individual but it is not limited to those between physicians and
patients. Therefore, any face to face encounter on behalf of a covered
entity is excluded from the authorization requirement. This could
potentially include telemarketing, or door to door marketing of items
or services unrelated to health care.
The Final Privacy Rule also exempts from the authorization
requirement items and services of nominal value. This overly broad
exception is unacceptable to the AMA. ``Nominal value'' a vague term
that could include all kinds of marketing communications to patients.
This exception also allows the use of protected health information
without patient authorization for marketing items or services that are
not even health related.
Another exception under the Final Privacy Rule permits marketing of
health-related items and services on behalf of third parties (pursuant
to a business associate contract). The marketing communication must
identify the covered entity as the party making the communication,
state whether any remuneration was received, and allow the patient to
opt-out from future communications. Therefore, a health plan or
pharmacy can sell a patient list without the patients' authorization to
a pharmaceutical company or pharmaceutical benefits manager (PBM) as
long as a business associate contract is in place. The pharmaceutical
company or PBM can then send the patients information about
prescription drugs that are alternatives to their current
prescriptions. This will offend many patients as an unwanted intrusion
into their personal health. The AMA has heard that many patients are
already complaining to their physicians about receiving such marketing
communications at home.
The opt-out requirement in the Final Privacy Rule is also weak and
full of loopholes. No opt-out procedure is specified in the rule and
covered entities must only make ``reasonable efforts'' to ensure that
those individuals who opt-out from future marketing communications do
not receive another such communication. Therefore any type of opt-out
process is permitted, even one that is extremely inconvenient to the
patient. There is no opt-out requirement when the marketing
communication is sent to a broad cross-section of patients or
enrollees.
We strongly support the provisions of Title IV of S. 1055 that
would eliminate these harmful marketing exceptions from the Final
Privacy Rule. In addition, Title IV of S. 1055 would expand the
protections in the Final Privacy Rule by extending the prohibition from
using, disclosing, or selling protected health information for
marketing without patient authorization to non-covered entities as
well. These are two much needed improvements to federal privacy
protections.
Conclusion
The AMA commends Chairman Feinstein for including Title IV in S.
1055, the ``Privacy Act of 2001.'' The provisions of Title IV would
strengthen the Final Privacy Rule by removing harmful marketing
loopholes and would extend federal privacy protections beyond the
coverage of the Final Privacy Rule by prohibiting all entities that
maintain protected health information from selling or marketing such
information without the approval of the patient.
The AMA strongly supports Title IV of S. 1055 as a step in the
right direction for America's patients. We also encourage Congress to
consider additional legislation to further improve the Final Privacy
Rule and to further extend the coverage of privacy protections to all
entities that maintain health information. As the President
acknowledged on Monday during remarks to physicians in Wisconsin:
``personal medical information must always be strictly confidential. A
patient's right to privacy must be protected.'' [Emphasis added.]
We look forward to working with the Subcommittee on this and other
important privacy legislation.
Statement of Hon. Charles E. Grassley, a U.S. Senator from the State of
Iowa
Madam Chairwoman and Senator Kyl, thank you for allowing me to make
a few comments on this important matter. As you know, I'm no longer a
member of this Subcommittee, but I remain very interested in making
sure that we eradicate identity theft. So I thank the Chair for her
indulgence.
The dangers to our society and its citizens that result from the
misuse of personal information are significant. Social Security Number
misuse is a subset of identity theft. This pervasive use of SSNs
coupled with the advent of the Internet has opened up new opportunities
for wrongdoers to create false identities. And we've all seen that when
a person's name and other identifying information is stolen to commit
theft or fraud, or to access confidential information, there can be
devastating results. The Inspector General of the Social Security
Administration reported that, ``The tragedies of [September 11]
demonstrate that SSN misuse and identity theft are breeder' offenses
with the ability to facilitate crimes beyond our imagination.'' We now
know that identity theft was a prime modus operandi of the terrorists.
The hijackers and their suspected accomplices committed identity theft,
including at least one documented case of using a false Social Security
Number, to infiltrate American society while planning these attacks.
Congress can help make it a lot harder for these criminals to get
this sensitive information. There are a number of bills currently
pending in Congress that try to do just that. I've joined with Senators
Feinstein and Kyl in sponsoring ``The Identity Theft Prevention Act of
2001'' to make it more difficult to steal someone's identity, and to
impose additional duties on credit issuers and credit bureaus to ensure
the accuracy of information in credit applications.
Let me say just a few words about some relevant data that my
Finance Committee investigative staff has found with respect to the
safeguarding of SSNs by the Social Security Administration and the
Department of Veterans Affairs. The Inspector General of the Social
Security Administration reported that SSA has no programs designed to
uncover illegal activity or to assist in the detection of terrorist
activity. According to the Inspector General, ``Once an individual
obtains an SSN, either through proper or improper means, the Agency has
little ability to control the use of that, number.'' SSA controls to
detect or prevent undocumented immigrants from obtaining a false or
stolen SSN ``do not always work as intended and are not always used.''
This is not good enough. Knowing what we know now about the 9-11
terrorists, the Social Security Administration's safeguarding of Social
Security Numbers must be among its highest priorities.
The Department of Veterans Affairs didn't fare much better in terms
of improper access to and theft of Social Security Numbers. I asked the
Inspector General to examine cases involving identity theft by VA
employees, patients or visitors. The Inspector General found losses to
the VA to include:
$11.5 million in improper benefit payments;
$52,000 in fraudulent credit card charges; and
$159,000 worth of medical treatment.
This supports the Inspector General's finding that, ``VA programs
and operations have identified a continuing vulnerability to
destruction, manipulation, use, and inappropriate disclosure of
sensitive veteran identifier information.'' Although there are levels
of access, once employee access is assigned, ``restrictions have not
been implemented to prevent full access to all veterans'' information
in that group.'' That information may include Social Security Numbers
and :medical histories of psychosis or other mental ailments. I think
this is very troubling.
Clearly, these agencies, as well as other federal agencies, need to
reform their programs to identify and combat Social Security Number
misuse, and I intend to help them with this effort. But the federal
agencies cannot do it alone. As people increasingly rely on credit
cards for electronic commerce and daily business transactions, industry
needs to step up to the plate to protect consumers' sensitive
information. And Congress can enact tougher laws that make it harder
for these criminals to obtain access to this information, and that
severely penalize identity thieves. I hope we can minimize
opportunities for invasions of privacy in the form of identity theft
through legislative and oversight initiatives. The American people
deserve no less than knowing that their identities are protected.
Statement of Hon. Orrin G. Hatch, a U.S. Senator from the State of Utah
Madame Chairwoman, I want to thank you for holding this important
hearing. As we recently have been made acutely aware, identity theft
has become one of the most critical tools of the criminal trade of
terrorists as well as other criminals. In this information age,
identity theft is one of the fastest growing crimes in the United
States. Of the 204,000 consumer fraud complaints compiled by the
Federal Trade Commission last year, 42% involved identity theft. Recent
news reports suggest that as many as 750,000 identities are stolen each
year.
This Subcommittee is well aware of how criminals appropriate
personally identifiable information, including Social Security numbers,
to steal money, credit records, victims' good names, and, in some
cases, to commit violent crimes. As a result, victims incur substantial
harms, including financial losses, damaged credit histories, and legal
problems, which take long periods of time to rectify.
In 1997, Senator Kyl introduced ``The Identity Theft and Assumption
Deterrence Act.'' Together we worked with our House counterparts to
enact this bill into law. Among other things, the Act made it a crime
to transfer or use, without lawful authority, a person's means of
identification, including a Social Security number, with the intent to
commit a violation of Federal law, or a felony under State or local
law.
``The Identity Theft and Assumption Deterrence Act'' represented an
essential first step in our effort to curb identity theft. But we can,
and should, consider additional preventive measures to reduce this
pervasive problem. In so doing, however, we must be careful to ensure
that such legal reforms do not unduly restrict businesses and financial
institutions in their legitimate commercial dealings.
I applaud Senator Feinstein's effort to develop legislation that
attempts to balance the privacy rights of consumers with the needs of
this nation's businesses, and I am committed to working with her and
this Subcommittee to strike the proper balance between these important
interests. I look forward to hearing from our distinguished witnesses.
Statement of Jeff P. Nicol, Customer Privacy Manager, e-Business Group,
Intel Corporation
Intel Privacy Perspective
Thank you for giving me the opportunity to speak before you today.
My name is Jeff Nicol and I manage the Privacy Compliance Team at Intel
Corporation. Intel supplies computer chips, boards, systems, software,
networking and communications equipment, and services that comprise the
``ingredients'' of computer architecture and the Internet. Intel's
mission is to be the preeminent building block supplier to the
worldwide Internet economy.
Let me give you some background on how Intel got so involved in the
privacy debate. In late 1998, we disclosed our plans to include a
serial number feature in the next version of our flagship
microprocessor. Almost immediately, some end users and privacy
advocates told us that such a feature was a threat to their privacy.
Our intention in developing the feature had been to find a simple
technical solution to our clients' request to provide greater security
for private information through stronger identification tools.
Unfortunately, what we perceived to be a technical issue raised privacy
concerns for many end users. We quickly took steps to provide greater
control of this feature for users. We realized that the best way to
satisfy consumer concerns in an environment of heightened anxieties is
to clearly disclose your personal information collection & handling
practices and offer people the ability to exercise choices regarding
those practices.
Our privacy program has come a long way since its rough and tumble
beginning. We established a three-tiered organization structure to
manage our privacy programs. At the top is an executive staff led
Management Review Committee. Management Review Committee membership
includes our General Counsel, Chief Information Officer, and the Vice
President of Marketing. This senior management backing gives our
program top-down support as well as bottoms-up visibility. Next, we
have the Privacy Compliance Core Team (which I lead). My team deals
with the day-to-day responsibilities of setting, implementing, and
enforcing our policies. This takes the fulltime efforts of four of us,
plus we receive a tremendous amount of support from employees across
the corporation. Lastly, we have the Privacy Review Board. The Privacy
Review Board is a cross-functional team comprised of the Privacy
Compliance Core Team, plus subject area experts in fields such as Law,
Information Security, Human Resources, Information Technology, Customer
Support, and other disciplines. The Privacy Review Board is a balanced
forum in which employees may raise questions related to the privacy
implications of new technologies and services or interpretation of
existing privacy policies.
In addition to our internal compliance efforts, we have many
externally visible accomplishments. In the self-regulatory space, we
are founding sponsors of both BBBOnLine and TRUSTe, and are proud
holders of their respective privacy seals. We continue to actively
support these groups, especially in the area of helping them expand
their programs internationally. Continuing with the international
theme, Intel filed for Safe Harbor Certification with the US Department
of Commerce in June. This certification provides us with a uniform
mechanism for compliance with the European Union (EU) Data Protection
Directive for our online and offline customer data. Lastly, on the
technology front, we have been working with the World Wide Web
Consortium (W3C) on rolling out the Platform for Privacy Preferences
(P3P) technology. P3P provides an automated way for users to gain more
control over the use of personal information on Web sites they visit.
Intel sites will all be P3P compliant.
While some privacy technologies (like P3P) are promising, they only
offer part of a solution and are not a substitute for federal privacy
legislation. Members of this Committee may be aware that Intel has
taken a proactive stance within our industry associations, such as AEA,
CompTIA, and ITI, in favor of the passage of federal Internet privacy
legislation. I will touch on the principles that should guide such
legislation in a moment, but first I would like to comment on the
reasons why we believe Congressional ground rules are required.
Why Congressional Guidance is Necessary
First, we are persuaded that there is a general level of
uncertainty on the part of consumers regarding the safety of doing
business on the Internet that has been a major factor restraining the
growth of consumer commercial transactions. While the general public
has embraced the Net as a ready source of information and a tool for
communications, and businesses are aggressively adopting e-business
models, the average consumer is reluctant to purchase products or
services through the Internet. A recent Gartner survey of 7,000
consumers showed that 60% say security and privacy concerns keep them
from doing business online.1In our judgment, privacy is one of the key
consumer concerns that hold that percentage down. Congressionally
mandated ``ground rules'' will go a long way toward alleviating these
concerns. Consumers need to have confidence no matter what state they
live in. They should not be left guessing to what degree they are
protected when they move from state to state.
Second, there is the need to educate businesses. Intel has been
proactive in the Privacy Leadership Initiative (PLI), which has
ardently advocated the adoption of fair privacy practices by firms
doing business on the Internet. The adoption of fair privacy practices
is well advanced in the community of large, Fortune 500 level business
entities; but in the world of start-ups, new entrants to the Internet
space, and small business in general, the record is not as good. There
are problems with awareness of best industry practices, compliance with
articulated policies when dealing with outside parties, and responsible
internal management of data. Again, we think that federally mandated
rules on basics such as notice and choice would focus business
attention at all levels and raise the level of consumer protection.
Third, there is the issue of doing business in Europe. As members
may be aware, the U.S. and the European Union reached a landmark
agreement in calendar year 2000, commonly known as the ``Safe Harbor''
agreement. This agreement, negotiated by the U.S. Department of
Commerce, provides framework through which U.S. companies may certify
compliance to European data privacy and security requirements and
collect data from consumers in EU countries with a presumption of
compliance with European directives governing the collection and use of
information. During negotiations, European negotiators raised strong
concerns regarding the availability of enforcement tools in U.S. law.
In response to those concerns, the agreement's drafters referenced
provisions of the Federal Trade laws that grant the Federal Trade
Commission (FTC) the power to regulate, and punish, companies for
making misleading, false or fraudulent statements to consumers in
connection with the sale of goods and services. While the EU has
accepted for now that existing FTC powers provide a ``floor'' level of
enforcement authority, the continued viability of this agreement may in
large part be dependent on whether the U.S. moves, over time, to
strengthen consumer rights and the oversight role of federal
authorities. The EU Safe Harbor agreement is critical to the stability
and predictability of the Internet business environment in Europe.
Finally, if one concludes as we at Intel have that strengthening
consumer rights is necessary, it is apparent that those rights, as well
as the rights and responsibilities of businesses, should not vary from
state to state. Our Chairman, Dr. Andy Grove, believes personal data
has value and therefore, consumers have legitimate property rights
regarding their personally identifiable information. Over time,
legislatures will act to define and recognize the legal status of those
property rights. Today, there are numerous bills pending in state
legislatures all over the United States most actively in California,
Delaware, Massachusetts, and New York that would mandate specific
practices with respect to the handling of consumer data or the design
and management of websites. A scenario where those rights and
responsibilities varied from state to state would sow confusion, uneven
enforcement of rights, and a threat of legal liability in multiple
states under multiple standards. Such an environment would retard the
growth of e-commerce in the consumer space for years to come.
Principles that should Guide Congress
For all of these reasons, we believe that the time has come for
Congress to act. Now I would like to comment specifically on what we
believe Congress can, and should, do that will enhance consumer rights,
help build the Internet into a powerful tool of interstate commerce for
consumers, and provide guidance for industry regarding privacy policy.
All of the major high-tech industry associations to which we belong
have articulated core principles that should guide privacy legislation.
In sum, these principles though not detailed prescriptions of
legislative language provide a template for sound policy choices. I
will reference the statement of principles adopted in January of 2001
by the American Electronics Association (AeA) as perhaps the best
example of the thinking within our industry.
AeA guidelines, adopted to put ``flesh on the bones'' of a Board
resolution in favor of preemptive federal privacy legislation, address
seven substantive areas: notice, choice, the appropriate role of the
private sector, the need for national standards, application of those
standards to both public and private websites, treatment of off-line
data collection on the same basis as on-line collection activity,
appropriate enforcement mechanisms, and avoiding duplicative
requirements for specific industry sectors. The guidelines state as
follows:
aea guidelines regarding computer privacy
Provide Individuals with Notice
Web sites that collect personally identifiable information should
provide individuals with clear and conspicuous notice of their
information practices at the time of information collection.
Individuals should be notified as to what type of information is
collected about them, how the information will be used, and whether the
information will be transferred to unrelated third parties.
Ensure Consumer Choice
Consumers should have the opportunity to opt-out of the use or
disclosure of their personally identifiable information for purposes
that are unrelated to the purpose for which it was originally
collected. Consumers should be allowed to receive benefits and services
from vendors in exchange for the use of information. It is important
that the consumer understands this use and is able to make an informed
choice to provide information in return for the benefit received.
Market Solutions
Private sector privacy codes and seal programs are an effective
means of protecting individuals' privacy. Lawmakers should recognize
and build upon the self-regulatory mechanisms the private sector has
put in place and continues to build. These mechanisms are backed by the
enforcement authority of the Federal Trade Commission and state
Attorneys General. Public policies also should allow organizations to
implement fair information practices flexibly across different mediums
and encourage innovation and privacy enhancing technologies.
Ensure National Standards
The Internet is a new and powerful tool of interstate commerce.
Public policies related to Internet privacy should be national in
scope, thus avoiding a patchwork of state and local mandates. This
uniform framework will promote the growth of interstate e-commerce,
minimize compliance burdens, sustain a national marketplace and make it
easier for consumers to protect their privacy.
Protect Consumers in the Public and Private Arena
Government and non-profit organizations collect a tremendous amount
of personally identifiable information about citizens. The need to
foster consumer confidence applies to private and public sector
activities. Government agencies and non-profit organizations that
collect personally identifiable information should be required to
follow fair information practices imposed on the private sector by law
or regulation.
Don't Discriminate Against the Internet
Consumers should have confidence that their privacy will be
respected regardless of the medium used. Similar privacy principles
should apply online and offline. Public policy should not discriminate
against electronic commerce by placing unique regulatory burdens on
Internet- based activities.
Utilize Existing Enforcement Authority
With the imposition of notice requirements, the Federal Trade
Commission should use its existing authority to enforce the mandates of
federal legislation. Legislation should not create any new private
rights of action.
Avoid Conflicting or Duplicative Standards
In cases where more than one government agency seeks to regulate
the privacy practices of a particular organization or industry, those
agencies should offer a single coordinated set of standards.
We believe these guidelines lay out a path for Congressional policy
that is coherent, logical and addresses the core concerns of consumers
and the needs of business for predictability and stability in the legal
environment.
Title I of S. 1055 Is Consonant with AeA Guidelines and Advances
Consumer Rights
S. 1055 is a comprehensive attempt to speak to a wide variety of
concerns regarding the proper collection and use of consumer
information in many different social contexts. While we will leave to
others the merits of specific provisions dealing with identity theft,
financial and health information, we applaud you, Chairman Feinstein,
for your efforts to focus Congress' attention on the need for a
systemic approach to the variety of privacy issues facing consumers.
With regard to Internet privacy--an area where we do have expertise I
am pleased to state that Intel strongly supports the provisions of
Title I of your bill. They would substantially strengthen the ability
of Internet users to protect their privacy in a manner consonant with
the industry guidelines that we support.
Ensuring that an Internet user has clear and conspicuous notice of
information collection and disclosure or sale practices, and the
opportunity to exercise choice regarding the collection and use of user
information, is the essential foundation of protecting privacy. Your
bill would achieve this, and it would moreover provide for effective
enforcement of such rights through the auspices of the FTC and state
Attorneys General. This federal/state enforcement structure will help
guarantee that the rights of users are the same no matter where the
user or the website is located, and it is supplemented by a strong
preemption provision that will guarantee uniformity of rights across
state boundaries. Uniformity of rights is accomplished by language in
your bill that clearly establishes the primary role of the FTC in
shaping implementation rules, forecloses conflicting state statutory
and regulatory law, and common law. It creates no new private right of
action which is a critical point for our industry and gives the FTC the
authority to intervene in enforcement actions brought by state
authorities. Consumers will have the benefit of uniform rules
throughout the nation, enforcement of those rules by federal and state
authorities, and businesses will have clear and straightforward
obligations established by one authority.
Equally important, however, are the safe harbor provisions of your
bill that will minimize legal uncertainties for businesses
participating in voluntary trust seal organizations such as BBBOnLine
and TRUSTe. These seal organizations serve the important function of
certifying member companies' adherence to fair privacy practices, and
their efforts to recruit participation of companies will also be
strengthened by your bill should it be enacted into law.
Title I of S. 1055 applies to both on-line and off-line data
collection activities, ensures segregation of general on-line standards
from requirements already established for health and financial data,
and establishes reasonable penalties for flagrant violations. We would
like to see the notice and choice requirements of S. 1055 extended
generally to public sector web sites, and we believe that a further
requirement of independent verification of compliance to policies
should be articulated in statute to provide stronger ``teeth'' for
self-regulatory efforts. We would be pleased to offer specific
legislative language suggestions to the Committee toward those ends if
desired.
In sum, we believe that the continuing viability of the Internet
marketplace depends upon good rules, good practices, and good policing.
Congress should lay down the rules, depend upon the self-regulatory
tools now in the marketplace to advance the adoption of fair privacy
practices, and give responsibility for the enforcement of those rules
to the FTC and state Attorneys General. In this way, bad actors will--
over time--be driven out of the marketplace and consumer acceptance of
the Internet as a safe place to do business will be secured. The
Internet will flourish as one of the most efficient, if not the most
efficient, market tools ever developed.
On behalf of the senior executives of Intel, and our entire privacy
team, I thank you Senator Feinstein for your leadership on the
important issue of Internet privacy. We pledge to work with you and
other members of the Congress to secure the privacy rights of Internet
users through balanced federal legislation such as Title I of S. 1055.
Thank you for your time. I will be pleased to answer any questions
you may have.
Statement of Laura Nyquist, Chief Privacy Officer, NCR Corporation
Chairwoman Feinstein, Senator Kyl, and members of the Subcommittee,
my name is Laura Nyquist, Chief Privacy Officer for NCR Corporation.
Thank you for the invitation to submit written testimony today before
your Subcommittee.
As the Chief Privacy Officer, I supervise compliance across all
NCR's businesses to the company's privacy policy and international
privacy laws, as well as oversee the company's privacy initiatives
implemented in the solutions we provide to our customers. As you may
know, NCR was an early leader in the privacy space as our Teradata
database was the first to incorporate consumer data protection.
NCR's heritage in providing solutions for the retail industry goes
back over 115 years when it was founded as the National Cash Register
Company in Dayton, Ohio. Now NCR Corporation is one of the world's
largest suppliers of solutions that facilitate and optimize
transactions between consumers and businesses, whether in stores,
through self-service equipment, or over the Internet. NCR currently
employs over 31,000 people globally.
Madame Chairwoman, the subject of today's hearing is important to
us all, as we are all consumers.
Businesses collecting information about their customers is not new.
Your grandmother's butcher probably knew not only her name and her
favorite cuts of meat, but how the children were doing in school as
well. We used to call it ``friendly, personal service'' at a time when
businessmen and their customers were also neighbors.
Today, technology makes it possible for companies thousands of
miles away to also serve their customers better by collecting and using
massive amounts of data. This explosive growth in data collecting is
fueling the global debate over privacy; creating a tension between
consumers' sharing of personal information and businesses attempting to
realize competitive advantage from gathering and analyzing personal
data to better and more efficiently serve them.
A division of NCR called Teradata provides data warehousing and
customer relationship management solutions to a wide range of
businesses and industries. Our Teradata customers include 20 of the
world's largest retailers, 19 of the world's largest banks, 10 of the
largest global telecommunications companies, 8 of the world's leading
airlines and 10 of the largest insurance companies. Simply stated, NCR
provides companies with the technology to strengthen their
relationships with customers in ways that protect their privacy and
earn their trust. Again, ensuring privacy is essential to building
trust that, in turn, is needed to build enduring customer relationships
and customer loyalty.
The benefits to consumers of targeted, one-to-one marketing and the
protection of their personal data are not incompatible; consumers
should and must have control over the use of their personal data.
Surveys show that consumers will gladly provide personal
information if they perceive a worthwhile benefit. A recent study shows
how American consumers view privacy on the Internet-54% of them
routinely give personal information to web sites and an additional 10%
would be willing to provide the same information under the right
circumstances.
Privacy, the protection and appropriate use of personal
information, is a growing concern for consumers and businesses. To
ensure continued business success and growth, it's important for
companies, big and small, to address privacy as an increasingly
important consumer expectation.
One fundamental necessity of commerce, both online and offline,
both traditional as well as e-commerce, is trust. Without trust,
businesses cannot survive. Businesses and, for that matter, government
entities--that do not heed the privacy concerns of their customers will
quickly lose trust, and ultimately their ongoing viability.
Customers in control of their data may freely choose release of
their personal information in return for better choices or services. I
would suspect that you as an airline passenger would not mind being
offered an upgrade at the gate because the airline agent knows you
experienced a flight cancellation days earlier.
Most companies are doing the right thing in providing privacy
options. But as long as there is potential short-term gain in abusing
personal information, can we count on company voluntarism to prevent
abuse? While many company executives shudder at the thought of more
regulation, their companies and customers alike will be better served
if industry and government work together toward rational and uniform
rules that are fair to all. NCR believes that reasonable legislation is
needed to ensure that there are universal controls on the collection
and use of personal data. The right legislation built on top of market-
driven solutions can assure that all companies provide this protection.
There are currently laws which impact specific industry sectors
such as telecommunications, financial services and healthcare.
Additionally, State legislatures are debating various privacy bills
that will further complicate this matter. But in the U.S. there is
currently no single, broad- based law that affects personal data
collection and use, which is why we are here today.
But what type of legislation can work? First, it must be
comprehensive and apply the same privacy requirements to all personal
data, whether collected online, over the telephone or in face-to-face
commercial transactions. It would be misleading to American consumers
to enact legislation that applies only to online activities. As a
supplier of business intelligence solutions, NCR knows that click-and-
mortar firms do not distinguish between personal data obtained through
different channels. Online transactions account for only a small
fraction of consumer transactions. Last year, online sales accounted
for less than one percent of all retail business. Further, the movement
of the Internet to the wireless world, the integration of Internet
sales channels with Customer Call Centers, and voice-actuated Internet
services are blurring the distinction between on-line and off-line.
Obviously, any law that addresses only online transactions limits
the benefit to the consumers compared to one that equally addresses
online and offline activities. Simply put, data is data.
Madame Chairwoman, I am proud to say that your bill, S. 1055
accomplishes this goal. It accurately addresses the needs of consumers
and businesses. S. 1055 ensures that clear and conspicuous disclosures
are made about privacy practices and enables individuals to make
informed choices about sharing their personal information. Title I of
your bill addresses personal data protection in commercial transactions
and is written in a comprehensive and effective manner.
During NCR's long business history, a lot of things have changed,
but its philosophy has not if you want your customers' trust, you have
to respect your customers' privacy. In summary, NCR is pro-privacy. S.
1055 is a step in the right direction and I look forward to working
with the members of this Subcommittee on enacting good privacy
legislation. The business of privacy is quite simply, good business.
Madame Chairwoman, thank you for holding this hearing today and
thank you for your hard work on drafting S. 1055. This is a very
complicated and difficult issue and you are to be commended for your
interest in moving this important matter forward.
Statement of Evan Hendricks, Editor/Publisher, Privacy Times,
Washington, D.C.
Madame Chairwoman, thank you for the opportunity to testify before
the Subcommittee. My name is Evan Hendricks, Editor & Publisher of
Privacy Times, a Washington newsletter since 1981. For the past 24
years, I have studied, reported on and published a wide range of
privacy issues, including credit, medical, employment, Internet,
communications and government records. I have authored books about
privacy and the Freedom of Information Act. I have been qualified by
the Federal courts as an expert in Fair Credit Reporting Act and
identity theft litigation. I have served as an expert consultant for
government agencies and corporations. I am also a founding member of
the Privacy Coalition, which consists of the nation's leading consumer
and privacy advocates.
Madame Chairwoman, from the outset, I want to express support in
the strongest possible terms for your leadership. To the best of my
knowledge, you have taken one of the most comprehensive approaches to
privacy of any Member of Congress. This is crucial because privacy is a
far-reaching issue, one that touches all aspects of our society. Only a
comprehensive approach will begin to confront the challenge of
protecting privacy in 21st Century America. In supporting the
comprehensive approach, you are ``moving the bar higher'' for this
Congress. You are also offering hope to the millions of Americans who
want stronger legal protection for their personal data.
In addition to protecting the personal data of all Americans, a
strong national privacy policy advances several societal interests. By
ensuring that personal information is only used in a fair manner,
citizens can more securely participate in economic, community and
political activities. Clearly, consumer privacy concerns proved to be a
major impediment to e-commerce. What many people failed to realize was
that a ``privacy-first'' policy was fundamental to the health of e-
commerce, not a detriment to it.
Moreover, we must put in place a privacy-first policy if we are to
enjoy the benefits--and the potentially tremendous cost savings--of the
electronic age. Nearly all governmental and corporate organizations can
dramatically reduce their costs and provide more efficient service if
they can move from a paper environment to an electronic one. But
consumers will not participate widely in electronic environments until
they are convinced their privacy will be respected, and protected. In
other words, we cannot afford not to adopt a comprehensive privacy
policy.
When it comes to privacy legislation, specifics and details are
paramount. I, and other members of the Privacy Coalition, look forward
to working with you and the Subcommittee to ensure that the specific
provisions of S. 1055 stay true to its purpose of comprehensive privacy
protection. Many coalition members, including the Privacy Rights
Clearinghouse, Electronic Privacy Information Center, Consumers Union
and U.S. PIRG will be able to provide specific recommendations for
making your bill even more effective at protecting Americans' cherished
right to privacy.
Why Legislation Is Urgently Needed
A brief look at history helps explain why there is such a large gap
between the comprehensive privacy protection we should have and the
inadequate system currently in place.
Because of the Fourth Amendment of the U.S. Constitution, which
guaranteed Americans that they would be secure in their personal
papers, the United States emerged as a world leader in privacy. At the
beginning, most personal data were kept at home in desks or lock boxes.
In the 20th Century, however, a vast system of third-party record
keeping arose. Personal information was collected and maintained by
banks, doctors and hospitals, credit reporting agencies, pharmacies,
utilities, insurers, employers and government agencies.
In 1976, the U.S. Supreme Court, in U.S. v. Miller, ruled that
Americans did not have a Constitutional right to privacy in personal
data held by third parties. It reasoned that when you open a bank
account, you surrender your data to the flow of commerce. Absent
statutory protection, the bank is more or less free to give your
financial data to whomever it pleases. The bottom line was even though
the information was about you, those that collected it and kept it,
owned it. The Supreme Court ultimately extended this reasoning to
telephone records and to the garbage.
One year later, in 1977, a bipartisan commission created by
President Ford and Congress when it enacted the Privacy Act,
recommended a comprehensive legislative package, concluding that
protections were needed in such areas as financial, medical,
communications and government records and Social Security numbers. It
also recommended what every other Western country now has: a national
office to oversee and enforce privacy policy. Unfortunately, most of
the recommendations were not carried out.
Since then, Congress generally has responded to ``narrow'' privacy-
related problems or anecdotes with narrow solutions. The result has
been a hit-or-miss patchwork of laws that have left huge gaps. As I was
the first to point out in 1990, America was the only nation with a law
to protect the privacy of video rental records, but without a law to
protect medical records. Such gaps, and the lack of a reliable
enforcement mechanism, are key reasons why the European Union is
concerned about the adequacy of U.S. privacy law and may someday have
to restrict the flow of personal data about European citizens to the
U.S.
Problems Mounting, Higher & Deeper
In the first debates of the late 1970s, opponents argued that
privacy legislation was not necessary because there was ``no evidence
of harm.'' Now, evidence of harm abounds.
Identity theft is said to be the fastest growing crime, climbing
from a handful of cases in the early 1990s to 500,000 cases per year
now. ID thieves bribe clerks, steal from mailboxes, filch data from
computers and from the garbage and raid personnel files.
The underworld of ``carders,'' that is, hackers, who specialize in
stealing and selling credit card numbers, is steadily growing. Some are
connected to organized crime groups in Russia, Eastern Europe and
Nigeria. Victimized Web sites include Western Union, Egghead, CD
Universe and CreditCards.com. Sources say that only a fraction of
carder successes are known to the public. (see Bob Sullivan's excellent
reporting at MSNBC.com)
Identity thieves are using stolen credit card numbers to buy names,
addresses and SSNs from legitimate information brokers, and then use
the fraudulently-purchased identifiers to commit identity theft. (see
Washington Post, May 31, 2001)
Financial institutions basically have ignored federal regulators'
recommendation that they guard against would-be privacy invaders by
asking customers for PINs or passwords before giving out their personal
data. (see Washington Post, July 23, 2001)
A computer hacker or hackers compromised the customer records of
more than 100 online banks by attacking the servers of the S1 Corp.,
which serviced the online banks. The S1 Corp. declined to confirm which
banks were compromised, and it's not clear how many of the banks
informed their customers. An expert said the S1 case was ``only a drop
in the bucket.'' (see Privacy Times, July 23 & Securityfocus.com, July
6, 2001)
A pornographic Web site operator in California made $38 million by
purchasing 800,000 credit card numbers, ostensibly for account
verification, and then using the numbers to charge cardholders $19.95
for visiting his Web site. In 1999, a convicted felon similarly bought
credit card numbers from Charter Pacific Bank.
Financial institutions continue to participate in telemarketing
schemes in which customers are solicited for 30-day free trials and
memberships, and then the telemarketer either charges it to the
customer's credit card or adds a monthly charge to his or her mortgage
statement.
Growing Public Support For Protection
Opinion polls have shown consistent support for privacy
legislation, and steady concern that privacy is not adequately
protected.
A 2001 Forrester Research survey found that 70% of the respondents
were either ``extremely'' or ``very'' interested in seeing Congress
pass Internet privacy legislation.
A June 2001 poll conducted by the Gallup organization has
found that 66% of Internet users think that the government should pass
laws protecting privacy. The poll also found that frequent Internet
users and individuals under the age of 50 were among the strongest
supporters of such laws.
In August 2000, Pew Internet & American Life Project found
two major points of consistency: Internet users want a guarantee of
privacy when they go online and many consumers are unaware of how
privacy invasions take place and are consequently unable to take
advantage of available privacy-enhancing technologies. Another finding
of the report is that 86% of Internet users surveyed support an opt- in
standard for the collection of personal information. (``Trust and
privacy online: Why Americans want to rewrite the rules'')
A series of opinion polls conducted by Alan Westin, of
Privacy & American Business, showed high consumer concern. For
instance, a December 1998 survey found that 82% of consumers say they
have lost all control over how personal information is used by
companies (with 50% agreeing ``strongly '') and 61% do not believe that
their rights to privacy as a consumer are adequately protected by law
or business practices.
Several members of the Al-Qaeda terrorist network
supported their operations through identity theft, credit fraud and
skimming. In fact, Al-Qaeda had a top-level committee devoted to
identity theft, chiefly for passport fraud.
S 1055
S 1055 is an excellent starting point because 1) it takes one of
the most comprehensive approaches to date; 2) it is largely based upon
the standard which must drive all privacy law: affirmative, informed
consent and 3) it requires, at a minimum, notice and opt-out for
personal data that are not currently protected by federal law.
The strength of the bill is its creation of a strong privacy
standard for information that most Americans feel is private and should
not be used for secondary purpose without their consent: financial,
medical, drivers and SSNs. Also attractive is the private right of
action for SSNs, which I favor being expanded to other parts of the
bill. A private right of action (PROA) is vital because it is not
practical for one entity to enforce privacy law in each and every case;
individuals must be empowered to defend their own rights. A PROA
accomplishes this, and has proven effective in the Fair Credit
Reporting Act and the Telephone Consumer Protection Act.
The bill appropriately envisions enforcement roles for the Federal
Trade Commission and the State Attorneys General.
Social Security Numbers (SSNs)
The bill should establish that only those entities currently and
specifically authorized by law to collect SSNs may continue to demand
consumers' SSNs, and that those entities not specifically authorized
may not demand an individual's SSN.
Secondly, the bill should have an ``anti-coercion'' provision so
that there are penalties for attempting to condition the use of goods
or services on the basis of the individual providing an SSN.
Limit Exceptions for Law Enforcement
The bill includes too many exceptions for law enforcement access to
personal data without notice to the individual. On this issue, it would
be preferable to follow the model of the Right to Financial Privacy Act
of 1978.
Independent Privacy Office
In keeping with the bill's comprehensive approach, however, I
strongly recommend that it be amended to create an independent national
privacy office that can oversee the bill, investigate complaints and
serve as a resource for the public and for the Congress. Every other
Western nation has such an office; Canada has both a Federal Privacy
Commissioner and Privacy Commissioners in each Province. These offices
are usually small; for many years they had little or no regulatory
authority. But the public gets tremendous value from them, in part
because of their ability to shine the public light on questionable
practices. Not having such an office has somewhat excluded the United
States from the international privacy community. Members of Congress
would find such an office increasingly valuable as constituents'
complaints about privacy continue to mount. Such an office was proposed
in legislation (S 1735) introduced in the 103rd Congress by
Sen. Paul Simon.
Preemption of State Law
A major issue in privacy debates is preemption of State law. I
believe strongly that a strong, comprehensive national privacy law is
the best, indeed the only, anecdote to a hodge-podge of inconsistent
State laws. Passing good privacy laws in the States is not easy.
Adoption of a strong national law would free the States to devote more
time to other pressing issues. But until Washington can prove it is up
to the job, it's premature to talk about prohibiting States from
protecting the privacy rights of their citizens.
More importantly, we must engage a process in which State
officials, including the State Attorneys General, governors,
legislators and citizens groups, can evaluate whether a Federal
proposal is satisfactory. If it is, the States voluntarily might commit
to the Federal proposal. But presently, it would be profoundly
undemocratic for Washington to dictate privacy policy to the States.
Access
A fundamental aspect of privacy is guaranteeing individuals access
to their personal data. This is a right already granted with respect to
credit reports under the Fair Credit Reporting Act. We need to extend
this right to all personal records and to exploit electronic technology
to the benefit of consumers. Ensuring that consumers are ``plugged
into'' their personal records is an important solution in the
electronic age, particularly considering the need to regularly monitor
your own profiles for unauthorized activity in order to prevent fraud
or identity theft.
Again, thank you for this opportunity. I would be happy to answer
any questions.
Statement of Hon. Strom Thurmond, a U.S. Senator from the State of
South Carolina
Madame Chairwoman:
I am pleased that you are holding this hearing on the protection of
private.information and the enormous problems associated with identity
theft. Privacy of personal information is important to all Americans,
especially in an age when details of financial transactions can be sent
all over the world in an instant. It is important that Congress enact
legislation that will protect personal identifiers, but at the same
time will allow for the legitimate conduct of the business community
and government agencies. I hope to work with my colleagues to develop a
comprehensive and reasonable piece of legislation that will deter
identity theft by eliminating.the unauthorized access of personal
information.
Identity theft occurs when an individual obtains the personal
information of a victim, such as a social security number or a date of
birth, and uses that information to open accounts and establish lines
of credit. In effect, a person with access to another's social security
number can pretend to be a different person. Usually, the victim does
not discover the fraud-before the identity thief has substantially
damaged the victim's credit. The victim must then go through a long and
arduous process to correct the situation.
Unfortunately, the crime of identity theft appears to be on the
rise. According to the testimony of Consumers Union, there were 500,000
to 700,000 victims of identity theft last year. Moreover, the number of
complaints received by the Federal Trade Commission in December of 2001
was almost double the complaints received in March of the same year.
The increasing prevalence of this crime is unacceptable.
Congress has addressed this issue in the past. The Identity Theft
Act of 1998 established identity theft as a distinct crime and provided
for punishment of fines and jail time. This Act gave law enforcement an
important tool in the prosecution of identity theft. While the 1998 Act
was a momentous step, we must do more than prosecute the thieves. We
must also make it more difficult for these lawbreakers to. access
personal information. Without access to personal information, there
would be no identity theft, and thousands of Americans would no longer
be victimized.
One of the primary ways in which identities are stolen is by use of
the social security number. Unfortunately, the social security number
is ubiquitous and is used for many purposes other than its originally
intended use. It is routinely used as an identification number by
health care professionals, educational institutions, and many private
businesses. People are often pressured into providing this very
sensitive number, never knowing who may ultimately be given access to
their personal information.
I am therefore strongly in support of several of the Chairwoman's
proposals regarding social security numbers. For example, one proposal
would prohibit companies from selling social security numbers to the
public. Congress should close all avenues to the sale of social
security numbers and conduct appropriate oversight to ensure that
violators are prosecuted. Another good proposal would require Social
Security numbers to be redacted from public documents. Where feasible,
Congress should cut off the public access of social security numbers.
Yet another suggested reform would prohibit private companies from
denying.service to individuals who refuse to provide social security
numbers, with specific exceptions for transactions such as those that-
involve credit checks. Most businesses have no legitimate need for
social security numbers. Rather, the numbers are used for purposes such
as identification and filing. Surely, there are other identification
methods that could be developed easily, ensuring that social security
numbers are not available to persons who would misuse them.
Many victims do not know how a social security number was stolen. I
believe that Congress should respond by limiting the public use of this
number. While no law will eliminate all instances of identity theft,
Congress can and should make it more difficult for thieves to obtain an
individual's personal information.
Madame Chairwoman, I am very interested in the bill introduced. I
will carefully consider your the witnesses today in hopes of action. I
will also on identity theft that will future. We should do all we can
to limit the use of personal identifiers so that the growing problem of
identity theft will be extinguished. I thank the Chairwoman for taking
an interest in this important matter, that you have proposals and the
testimony of determining the best course closely examine the GAO report
be released in the near and I look forward to working with you.
-
�