[Senate Hearing 107-900]
[From the U.S. Government Publishing Office]
S. Hrg. 107-900
IDENTITY THEFT
=======================================================================
HEARINGS
before the
SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
AND GOVERNMENT INFORMATION
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
MARCH 20 AND JULY 9, 2002
__________
Serial No. J-107-68
__________
Printed for the use of the Committee on the Judiciary
U. S. GOVERNMENT PRINTING OFFICE
85-794 WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
EDWARD M. KENNEDY, Massachusetts ORRIN G. HATCH, Utah
JOSEPH R. BIDEN, Jr., Delaware STROM THURMOND, South Carolina
HERBERT KOHL, Wisconsin CHARLES E. GRASSLEY, Iowa
DIANNE FEINSTEIN, California ARLEN SPECTER, Pennsylvania
RUSSELL D. FEINGOLD, Wisconsin JON KYL, Arizona
CHARLES E. SCHUMER, New York MIKE DeWINE, Ohio
RICHARD J. DURBIN, Illinois JEFF SESSIONS, Alabama
MARIA CANTWELL, Washington SAM BROWNBACK, Kansas
JOHN EDWARDS, North Carolina MITCH McCONNELL, Kentucky
Bruce A. Cohen, Majority Chief Counsel and Staff Director
Sharon Prost, Minority Chief Counsel
Makan Delrahim, Minority Staff Director
------
Subcommittee on Technology, Terrorism, and Government Information
DIANNE FEINSTEIN, California, Chairwoman
JOSEPH R. BIDEN, Jr., Delaware JON KYL, Arizona
HERBERT KOHL, Wisconsin MIKE DeWINE, Ohio
MARIA CANTWELL, Washington JEFF SESSIONS, Alabama
JOHN EDWARDS, North Carolina MITCH McCONNELL, Kentucky
David Hantman, Majority Chief Counsel
Stephen Higgins, Minority Chief Counsel
C O N T E N T S
----------
MARCH 20, 2002
STATEMENTS OF COMMITTEE MEMBERS
Page
Cantwell, Hon. Maria, a U.S. Senator from the State of Washington 3
Feinstein, Hon. Dianne, a U.S. Senator from the State of
California..................................................... 1
Grassley, Hon. Charles E., a U.S. Senator from the State of Iowa. 56
Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah...... 57
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona.......... 19
Sessions, Hon. Jeff, a U.S. Senator from the State of Alabama.... 13
Thurmond, Hon. Strom, a U.S. Senator from the State of South
Carolina....................................................... 62
WITNESSES
Beales, Howard, Director, Bureau of Consumer Protection, Federal
Trade Commission, Washington, D.C.............................. 6
Cannon, Louis P., President, District of Columbia Lodge, Grand
Lodge, Fraternal Order of Police, Washington, D.C.............. 28
Foley, Linda, Executive Director, Identity Theft Resource Center,
San Diego, California.......................................... 34
Gregoire, Christine O., Attorney General, State of Washington,
Olympia, Washington............................................ 20
Twentyman, Sallie, Falls Church, Virginia........................ 24
SUBMISSIONS FOR THE RECORD
California Department of Consumer Affairs, Sacramento,
California, statement.......................................... 58
LexisNexis, Norman Willcox, Chief Officer for Privacy, Industry
and Regulatory Affairs, Washington, D.C., letter and attachment 67
JULY 9, 2002
STATEMENTS OF COMMITTEE MEMBERS
Feinstein, Hon. Dianne, a U.S. Senator from the State of
California..................................................... 81
Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah...... 103
Kyl, Hon. Jon, a U.S. Senator form the State of Arizona.......... 95
Thurmond, Hon. Strom, a U.S. Senator from the State of South
Carolina....................................................... 104
WITNESSES
Beales, Howard, Director, Bureau of Consumer Protection, Federal
Trade Commission, Washington, D.C.............................. 90
Collins, Daniel P., Associate Deputy Attorney General and Chief
Privacy Officer, Department of Justice, Washington, D.C........ 83
Lormel, Dennis M., Chief, Terrorist Financial Review Group,
Federal Bureau of Investigation, Washington, D.C............... 87
IDENTITY THEFT: RESTORING YOUR GOOD NAME
----------
WEDNESDAY, MARCH 20, 2002
U.S. Senate,
Subcommittee on Technology, Terrorism,
and Government Information,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:05 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Dianne
Feinstein (chairman of the subcommittee) presiding.
Also present: Senators Feinstein, Cantwell, Kyl, and
Sessions.
STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE
STATE OF CALIFORNIA
Chairperson Feinstein. I would like to call this hearing to
order and welcome our witnesses and also the people in the
audience. The ranking member, Senator Kyl, is delayed. He will
be here shortly, but I thought because we all have a busy day
that we might just begin the hearing.
This hearing is on ``Identity Theft: Restoring Your Good
Name.'' What is identity theft? Identity theft occurs when a
criminal assumes the identity of another person for illicit
gain. Often, a thief will steal another person's Social
Security number, birth date, driver's license, or other
identifying information to obtain credit cards, car loans,
phone plans, or other services in the victim's name.
In 1998, Congress took an important first step in curbing
identity theft by passing the Identity Theft Assumption and
Deterrence Act, which made identity theft a Federal crime. But
the deterrence provided in the 1998 law is really only one
piece of the puzzle.I21For the last two years, I have urged
Congress to enact measures to prevent identity theft. Our laws
need not only to punish identity thieves who are caught, but
also make it more difficult to commit this crime. We haven't
done that so far. It is far too easy for identity thieves to
capture another person's identity and ruin their good name.
Just two weeks ago, the General Accounting Office reported
that identity theft cases continue to surge. One of the three
national credit card agencies reported a 53-percent increase in
identity theft alerts. Allegations of Social Security number
fraud have increased by 500 percent in the past several years,
from 11,000 in 1998 to 65,000 in fiscal year 2001. In prior
hearings, we have had the Social Security Administration
testify and indicate that they have been amazed, truly amazed,
at the number of these thefts. Fraud losses at financial
institutions are running now well over $1 billion a year.
In order to cut down on identity theft, we must plug the
loopholes in our financial services system that allow identity
thieves to thrive. To this end, I have introduced the Identity
Theft Prevention Act with my ranking member, Senator Kyl, and
Senator Grassley of this committee.
The bill directs banks, credit bureaus, and other financial
institutions to take some practical steps to protect sensitive
personal information. This would require credit bureaus to
inform credit issuers if a credit card applicant has a
different address than the address on file with the credit
bureau. Variations in address are tell-tale indicators of
identity theft.
Secondly, we would impose fines against credit card vendors
who issue new credit cards to identity thieves even after a
fraud alert is placed on the identity theft victim's credit
report.
Finally, we would require machines that print out credit
card receipts to print out only the last five numbers of the
credit card on the receipt. California has enacted this law and
it makes very good sense. There is no reason to display a full
credit card number on a receipt. The owner of the card already
knows his or her number. Moreover, thieves can steal the credit
card number when the consumer tosses the receipt out or by
stealing the store receipt, and this happens extraordinarily
often.
We can make it more difficult for thieves to take over
credit card accounts. One common practice is for a thief to
steal your credit card number and then ask that a new credit
card be sent to his address. To stop this scheme, the bill
requires a credit card company to notify consumers at both
their old and new address when an additional credit card is
requested on an existing credit account within 30 days of an
address change request.
These measures are pretty simple, but they are really very
necessary. It is really time, I think, for the financial
services industry to take some affirmative measures to protect
the sensitive information consumers entrust to them.
I have another bill, a big bill, which we heard about at
the last hearing a few weeks ago, which is an opt-in/opt-out
bill which says it would be illegal for Social Security numbers
to be displayed or sold to the public. That is not what the
Social Security number was designed to do in the first place.
Secondly, for other personal financial data, the company would
have to get your permission to use that material.
Frankly, I don't want anybody to sell my personal
identification, my personal financial data, or my personal
health data without my permission and I think most Americans
feel exactly the same way.
Someone who has been a big leader in this area and has a
bill that we are going to be discussing today is Senator
Cantwell, and I am delighted she is here. She has a bill that
is the subject of this hearing and I am going defer to her at
this time and ask her if she would like to make some opening
comments and talk about her bill, and then we will begin the
testimony.
STATEMENT OF HON. MARIA CANTWELL, A U.S. SENATOR FROM THE STATE
OF WASHINGTON
Senator Cantwell. Thank you, Madam Chairman.
I want to thank Senator Feinstein for calling this hearing
today and commend her for her hard work on this particular
issue of identity theft and the larger issue of protecting
personal privacy. I know that she and Senator Kyl have held
many hearings on this issue and I want to thank them for
drawing attention to the problem of identity theft.
I also want to welcome Attorney General Christine Gregoire,
from my home State of Washington, who is going to be on the
second panel. Her leadership in the State of Washington has
been instrumental in fighting identity theft and we look
forward to hearing her remarks today.
With over 500,000 victims last year alone, identity theft
is one of the fastest growing crimes in America. One in five
American families have been victimized by identity theft. This
simple fact alone underscores why Senators Feinstein, Kyl and I
have all introduced legislation to help prevent identity theft,
and we are looking forward to hearing today's testimony.
My bill, based on Washington State law, puts identity theft
victims' rights first by empowering them to reclaim their
identity. It also makes common-sense revisions to the statute
of limitations on victims' ability to sue in an identity theft
case so that the clock starts ticking when the victim learns of
misrepresentation, not when it occurs. Finally, it increases
information flow among local law enforcement and State and
Federal agencies fighting identity theft, especially when
issues of theft related to terrorism might be involved.
Today, in this country, victims of identity theft often
must become their own private investigators to clear their
names, and typically they do so without the help of the
information that they need most. That is why this legislation
would require businesses to give victims of identity theft the
records they need to back up their good name. This is already
required in Washington State and California. Now, we need to
take this good idea and move it to a national level and make it
work on behalf of others.
Think about it. When your TV is stolen or your car is
stolen, it is right out of your home or in front of your home.
But when your identity is stolen, it could be stolen from
anywhere. A consumer shopping online in Seattle may purchase
golf shoes from a manufacturer in San Diego and have her
identity stolen by someone hacking into the system in
Washington, D.C. The implication is crystal clear: We need a
stronger Federal role in protecting consumers from identity
theft.
This legislation also restores a sensible rule on the
limits of consumers' rights to sue under the Fair Credit
Reporting Act. Last year, the Supreme Court ruled that a
California woman, a victim of identity theft, couldn't sue a
credit reporting agency because she filed her case more than
two years after the agency has reported to others fraudulent
information about her. This legislation makes common sense
prevail, ensuring that the clock on the statute of limitations
doesn't begin ticking until the victim knows that they have
been harmed.
Finally, with the war on terrorism and the concern about
the ability of terrorists to possibly steal passport or visa or
other identification information, we have become painfully
aware that identity theft can threaten more than our
pocketbooks. This bill requires the Federal coordinating
committee that monitors Federal identity theft enforcement to
find ways that the Federal Government can help State and local
enforcement address identity theft, especially when the
identity theft may be related to terrorism. By giving consumers
and law enforcement additional tools to fight identity theft,
this bill will make it harder for terrorists to steal
identities and to hide their true identity.
Before we begin the testimony, Madam Chairman, I want to
thank Linda Foley, who has been a tireless advocate for
identity theft victims and a driving force behind the Identity
Theft Resource Center. I also appreciate the support of Mr.
Cannon's Fraternal Order of Police and their testimony today,
and the Consumers Union, the Police Executive Research Forum,
the Privacy Rights Clearinghouse, and others who are providing
important information at today's hearing. I look forward to
hearing the testimony.
Thank you, Madam Chairman.
[The prepared statement of Senator Cantwell follows:]
March 13, 2002.
Help Victims of Identity Theft Restore Their Good Name
Dear Colleagues:
Identity theft is the fastest growing crime in America and its
victims need our help.
The Reclaim Your Identity Act of 2001 establishes a process for
victims of identity theft to reclaim their identity and gather evidence
to assist law enforcement to apprehend the identity thieves.
Although Congress has provided for penalties for identity theft, we
have done little to help victims reclaim their identity. Identity theft
can wreak havoc on a victim's life that can take an extreme financial
and emotional toll. Victims usually have to become their own sleuth to
clear their names. It takes a victim an average of 175 hours and over
$800 of out-of-pocket expenses to clear their names. We need to provide
consumers and businesses alike with a clear process to help victims of
identity theft recover their good name and good credit, and reduce
identity theft fraud.
The Reclaim Your Identity Act of 2001 creates a simple
process that allows a victim and law enforcement access to business
records that relate to the identity theft fraud.
The bill also requires consumer credit reporting agencies
to block bad credit reports that result from identity theft.
The bill clarifies that the two-year statute of
limitations on Fair Credit Reporting Act actions would not begin until
the victim discovers the fraud.
Most identity theft law enforcement is undertaken at the
state and local level. The bill requires the federal government to
examine how it can better help state and local law enforcement through
appropriate federal resources and better information sharing between
federal and state or local agencies.
The Consumers Union, Fraternal Order of Police, Police Executive
Research Forum, Identity Theft Resource Center, Privacy Rights
Clearinghouse, U.S. Public Interest Research Group all support this
bill. The National Association of Attorneys General supports federal
identity theft legislation. If you are interested in cosponsoring the
Reclaim Your Identity Act of 2001 or have any questions about this
legislation, please have your staff contact Stacy Baird at 224-3441.
Sincerely,
Maria Cantwell,
U.S. Senator.
Reclaim Your Identity Act of 2001
senator maria cantwell
The Reclaim Your Identity Act establishes a nation-wide process for
victims of identity theft to obtain the evidence to reclaim their
identity and assist law enforcement to find the identity thieves,
requires consumer credit reporting agencies to block reporting of bad
credit that arises from identity theft and extends the statute of
limitations for the Fair Credit Reporting Act to two years after the
consumer discovers the misrepresentation. The Act:
(1) LEmpowers consumers to reclaim their identity: The Reclaim
Your Identity Act provides that where (a) a victim of identity
theft requests of a business (including telecommunications and
utilities companies) that has records related to a fraud based
on an identity theft (such as applications or bills), and (b)
submits to the business, any of the following as the business
requires, a copy of the police report, the Federal Trade
Commission standardized Identity Theft Affidavit or any other
affidavit of fact of the business' choosing, the business must
provide, at no charge, copies of those business records to the
victim or a law enforcement agency or officer designated by the
victim within 10 days of the victim's request. The business may
decline to disclose records where it believes, in the exercise
of good faith and reasonable judgment, the request is based on
a misrepresentation of facts. Further, a business is exempt
from liability for any disclosure undertaken in good faith to
further a prosecution of identity theft or assist the victim.
(2) LProtects consumers' good name from bad credit generated by
fraud: The Reclaim Your Identity Act amends the Fair Credit
Reporting Act to require consumer credit reporting agencies to
block information that appears on a victim's credit report as a
result of identity theft provided the victim did not knowingly
obtain goods, services or money as a result of the blocked
transaction.
(3) LEnhances multi-jurisdiction enforcement: The Reclaim Your
Identity Act amends the Internet False Identification
Prevention Act to expand the jurisdiction and membership of the
coordinating committee currently studying enforcement of
federal identity theft law to examine state and local
enforcement problems and identify ways the federal government
can assist state and local law enforcement in addressing
identity theft and related crimes.
(4) LIncreases information flow to aid anti-terrorist
activities: The Reclaim Your Identity Act also amends the
Internet False Identification Prevention Act to expand the
jurisdiction of the coordinating committee to address how the
federal government can best provide timely and current
information regarding terrorists or terrorist activity as such
information relates to identity theft.
(5) LGives businesses new tools to pursue identity thieves: The
Reclaim Your Identity Act gives businesses a new avenue to
pursue perpetrators of identity theft fraud by amending Title
18 to make identity theft under state law a predicate for
federal RICO violation.
(6) LPreserves consumer rights to claim damages: In response to
the Supreme Court decision in TRW v. Andrews, the Reclaim Your
Identity Act amends the Fair Credit Reporting Act to provide
that the two-year statute of limitations for a claim starts
when the consumer discovers a misrepresentation has been
committed.
(7) LGives State Attorneys General additional legal tools: The
Reclaim Your Identity Act provides that State Attorneys General
may bring a suit in federal court on behalf of state citizens
for violation of the Act.
Chairperson Feinstein. Thanks very much, Senator, and thank
you for your leadership.
I will introduce you now, Mr. Beales, and then when Senator
Kyl comes we will hear his statement. I hope that is all right.
Howard Beales is the Director of the Bureau of Consumer
Protection at the Federal Trade Commission. Mr. Beales began
his career at the FTC in 1977 as an economist specializing in
consumer protection problems. Now, as Director, he oversees the
work of some 152 lawyers and a $77 million budget. His major
areas of expertise and interest include law and economics, and
aspects of government regulation of the economy.
Mr. Beales, may I ask you this, if you could summarize your
testimony and take about five minutes and then we will put the
bulk of your testimony in the record, and then we will have an
opportunity to ask you questions prior to the next panel.
STATEMENT OF HOWARD BEALES, DIRECTOR, BUREAU OF CONSUMER
PROTECTION, FEDERAL TRADE COMMISSION, WASHINGTON, DC
Mr. Beales. Sure, that would be fine.
Chairperson Feinstein. Thanks very much.
Mr. Beales. Madam Chairman and members of the committee,
thank you very much for the opportunity to appear here today.
The Commission has had the privilege of testifying before
this subcommittee several times in the past, each time updating
you on our activities under the 1998 Identity Theft Act and
highlighting what we are learning from the data we collect.
We all know that identity theft is a major problem. Each
week, we receive almost 3,000 phone calls from consumers. It is
a crime that seriously harms its victims and injures our
financial system. And until the passage of the 1998 act, it all
too often flew under the radar of law enforcement.
Today, I will describe the Commission's recent efforts to
assist consumers, support law enforcement, and coordinate with
industry in this troubling area. First, let me start with our
consumer efforts.
In 2000, this committee heard from Maureen Mitchell, a
victim of identity theft. In her testimony, she provided a list
of suggestions on how the system could be improved. One of her
ideas was to create a single form to dispute charges and
fraudulent accounts. This would eliminate the burden of filling
out a separate lengthy form for each creditor or business where
the identity thief struck.
We therefore began the process of developing a standard
fraud affidavit, working closely with financial institutions,
the consumer reporting agencies, consumer advocates, and
others. We completed this project several months ago and now
identity theft victims have a single form to use in disputing
fraudulent accounts. That is the front page over here, and this
is sort of the whole form and the instructions.
Already, the three major consumer reporting agencies--Chase
Manhattan, the Bank of America, AT&T--and about 40 other
businesses and groups have formally endorsed the affidavit and
have agreed to accept it in lieu of their own forms. We believe
that many more creditors and businesses accept the form as a
matter of course. In fact, we haven't heard about anybody yet
that has refused it.
Our next major initiative will be to try to streamline the
fraud alert process. Because there are three major credit
reporting agencies, consumers must make three separate phone
calls to lock down their credit if they are victims. We are now
discussing a project to transmit from our hotline the
consumer's request for a fraud alert directly to the credit
reporting agencies. This would eliminate three phone calls from
the victim's ``to do'' list. There are many technical
challenges to this project, but we are hopeful that at the end
of the day we will be able to further lighten the burden on
identity theft victims.
Another recent FTC initiative recognizes that identity
thieves strike all segments of the population, including non-
English speakers. We therefore released ``Robo de Identidad,''
a Spanish version of our booklet ``When Bad Things Happen to
Your Good Name.'' We also released the uniform affidavit in
Spanish as well.
One of the ways we work with our colleagues in the criminal
enforcement field is through our I.D. Theft Data Clearinghouse.
The clearinghouse receives complaints from consumers who reach
us through our toll-free number, our online complaint form, and
through the mail.
Our interaction with consumers is a two-way street. Our
phone counselors give them information that they need to repair
their finances. The consumers as crime victims provide us with
information about the theft of their identity. This information
is accessible by more than 270 law enforcement agencies around
the country through the clearinghouse.
What makes the system work is the fact that the
clearinghouse provides a single nationwide repository of
identity theft complaints. The 1998 Act, spearheaded by this
subcommittee, recognized that consolidation of complaint data
offered the most efficient and effective means to support law
enforcement across local, State and Federal levels.
The increase in our call volume shows that consumers are
increasingly aware that the FTC is the place for victims to
turn. We are going to continue build on our outreach efforts to
grow the clearinghouse and increase its value to law
enforcement.
In order to increase law enforcement's use of the data, we
have a new project to develop preliminary investigative reports
and send them to the Secret Service's financial crime task
forces around the country. The investigative reports identify
particularly egregious episodes of identity theft. Our staff
then builds out the cases with intelligence from a number of
other sources.
We have been greatly assisted in this effort by a special
agent from the Secret Service who has been detailed full-time
to work with our identity theft team. The project is in its
infancy, but we are hopeful that it will encourage and support
prosecution of identity theft.
We also want to be sure that criminal law enforcement
agencies are aware of our database and how it can be used to
help investigate and prosecute these cases. We have therefore
just kicked off an I.D. theft training program to enable
detectives, cops on the beat, and investigators to identify and
pursue cases of identity theft. Our first session in Washington
last week attracted more than 100 law enforcement officers. We
are following with training in Chicago, Dallas and San
Francisco in the next few months.
Another critical area is coordination with industry. I have
mentioned one area, the affidavit, and the one-call fraud
alert. Our next effort is focused on prevention. We are hosting
a conference to look at industry best practices for preventing
I.D. theft to encourage the spread of those best practices
among other businesses. How do businesses successfully protect
themselves and their customers? We think we can learn a lot
from that.
There is much to be done in educating consumers and
increasing the law enforcement response and in focusing
industry, but we are pleased that we have found a willingness
to help and cooperate.
I would be pleased to answer your questions.
[The prepared statement of Mr. Beales follows:]
Prepared Statement of the Federal Trade Commission on Identity Theft:
the FTC's Response
i. introduction
Madam Chairman, and members of the Committee, I am Howard Beales,
Director of the Bureau of Consumer Protection, Federal Trade Commission
(``FTC'' or ``Commission'').\1\ I appreciate the opportunity to present
the Commission's views on one of the most serious consequences that can
result from the misuse of consumers' personal information: identity
theft.
---------------------------------------------------------------------------
\1\ The views expressed in this statement represent the views of
the Commission. My oral presentation and responses to questions are my
own and do not necessarily represent the views of the Commission or any
Commissioner. The statistical information summarized in this statement
covers the period of time from January 1 through December 31, 2001.
---------------------------------------------------------------------------
The passage of the Identity Theft and Assumption Deterrence Act of
1998 (``Identity Theft Act'') \2\ brought identity theft to the
forefront of the public's attention. Media attention and high profile
cases \3\ have heightened concerns about the serious injury caused by
identity theft.
---------------------------------------------------------------------------
\2\ Pub. L. No. 105-318, 112 Stat. 3010 (1998).
\3\ Celebrities including Ted Turner, Martha Stewart and Oprah
Winfrey have been reported in the press as being victims of identity
theft. Jenny Lynn Bader, Paranoid Lately? You May Have Good Reason,
N.Y. Times, March 25, 2001, at 4, Section 4.
---------------------------------------------------------------------------
In particular, the specter of identity theft has focused consumers'
concern about the misuse of their personally identifying information.
There is good reason for this concern. Identity theft can result in
temporary and sometimes permanent financial loss when wages are
garnished, tax refunds are withheld, or liens are placed on victims'
property as a result of someone else's criminal use of their identity.
Beyond direct financial loss, consumers report being denied employment,
credit, loans (including mortgages and student loans), government
benefits, utility and telecommunications services, and apartment leases
when credit reports and background checks are littered with the
fraudulently incurred debts or wrongful criminal records of an identity
thief.
The 1998 legislation positioned the FTC to play a key role in the
national dialogue on identity theft. The FTC enforces a number of laws
that address consumers' privacy,\4\ and intends to increase
substantially the resources devoted to privacy protection. The FTD's
identity theft program is an important part of that initiative.
Consumer and victim assistance, data sharing with law enforcement and
financial institutions, and cooperative efforts with the private sector
are among the most visible examples of the FTC's efforts.\5\ Recent FTC
initiatives, including a Spanish language version of our consumer
brochure, law enforcement training, and a standard Identity Theft
Affidavit, complement the measures we have already undertaken to
fulfill our mandate under the 1998 Act.
---------------------------------------------------------------------------
\4\ See, e.g., Federal Trade Commission Act, 15 U.S.C. Sec. 41 et
seq. (prohibiting deceptive or unfair acts or practices, including
violations of stated privacy policies); Fair Credit Reporting Act, 15
U.S.C. Sec. 1681 et seq. (addressing the accuracy, dissemination, and
integrity of consumer reports); Telemarketing and Consumer Fraud and
Abuse Prevention Act, 15 U.S.C. Sec. 6101 et seq. (including the
Telemarketing Sales Rule, 16 C.F.R. Part 310) (prohibiting
telemarketers from calling at odd hours;, engaging in harassing patters
of calls, and failing to disclose the identity of the seller and
purpose of the call); Children's Online Privacy Protection Act, 15
U.S.C. Sec. 6501 et seq. (prohibiting the collection of personally
identifiable information from young children without their parents'
consent); Identify Theft and Assumption Deterrence Act of 1998, 18
U.S.C. Sec. 1028 (directing the FTC to collect identity theft
complaints, refer them to the appropriate credit bureaus and law
enforcement agencies, and provide victim assistance); Gramm-Leach-
Bliley Act, 15 U.S.C. Sec. 6801 et seq. (requiring financial
institutions to provide notices to consumers and allowing consumers
(with some exceptions) to choose whether their financial institutions
may share their information with third parties).
\5\ Most identity theft cases are best addressed through criminal
prosecution. The FTC itself has no direct criminal law enforcement
authority.
---------------------------------------------------------------------------
ii. the ftc's response to the identity theft act
The Identity Theft Act directed the Commission to establish
procedures to: log the receipt of complaints by victims of identity
theft; provide identity theft victims with informational materials; and
refer complaints to appropriate entities, including the major national
consumer reporting agencies and law enforcement agencies.\6\ To fulfill
the purposes of the Act, the Commission implemented a plan with three
principal components: a toll-free telephone hotline, a datebase of
identity theft complaints, and consumer and business education.
---------------------------------------------------------------------------
\6\ Pub. L. No. 105-318, 112 Stat. 3010 (1998)(Codified at 18
U.S.C. Sec. 1028(a) note).
---------------------------------------------------------------------------
(1) Toll Free Hotline. The Commission established its toll-free
telephone number (the ``hotline''), 1-877-ID-THEFT (438-4338) in
November 1999. The hotline now responds to an average of over 3000
calls per week. When consumers call to report identity theft, the
hotline counselors enter information from their complaints into the
Identity Theft Data Clearinghouse (the ``Clearinghouse'')--a
centralized database used to aid law enforcement and track trends
involving identity theft.
The counselors advise the callers to contact the credit reporting
agencies and the entities where the fraudulent accounts were opened in
order to place a fraud alert on their credit files and shut down the
fraudulent accounts, respectively. They also encourage consumers to
contact their local police departments to file a police report, both
because local law enforcement may be in the best position to catch and
prosecute identity thieves and because a police report helps consumers
demonstrate to creditors and debt collectors that they are in fact
genuine victims of identity theft. Forty-seven states have enacted
their own identity theft laws and the FTC hotline phone counselors, in
appropriate circumstances, will refer consumers to otherstate and local
authorities. Lastly, when another federal agency has a program in place
to assist consumers, callers are referred to that agency.\7\
---------------------------------------------------------------------------
\7\ For example, we may refer consumers to the Social Security
Administration or their state department of motor vehicles.
---------------------------------------------------------------------------
Of the callers to our hotline, thirty-four percent are seeking
information about how to guard against identity theft.\8\ The phone
counselors provide suggestions on steps they should take to minimize
their risk.
---------------------------------------------------------------------------
\8\ This statistic reflects the experience only of the consumers
who contacted the FTC directly, and does not reflect data contributed
by the Social Security Administration, Office of Inspector General
(``SSA-OIG''). See infra at 4. While the SSA-OIG collects many of the
same fields of data, they do not collect identical data. Unless
otherwise noted, as in Section IV, the statistics used in this
testimony include data from FTC and SSA-OIG.
---------------------------------------------------------------------------
(2) Identity theft complaint database. The information that the
consumers share with the phone counselors can provide the foundation
for investigation. The telephone counselors enter the complaints
received by the FTC through the hotline, by mail, and through the FTC's
secure on-line theft complaint form into the FTC's Clearinghouse
database. In addition, the Social Security Administration's Office of
Inspector General transfers into the Clearinghouse complaints of
identity theft received by its consumer hotline.
The Clearinghouse is the federal government's centralized
repository of consumer identity theft complaint information. It
contains detailed information regarding the identity theft victim, the
suspect, and the ways the identity thief misused the victim's personal
information. More than 270 law enforcement agencies nationwide have
signed confidentiality agreements that grant them membership and access
to the Identity Theft Data Clearinghouse. The Clearinghouse information
is available directly on members' desktop PCs via the FTC's secure law
enforcement Web site, Consumer Sentinel. Access to the Clearinghouse
information supports law enforcement agencies' efforts to combat
identity theft by providing a range of complaints from which to augment
their ongoing investigations and spot new patterns of illegal activity.
(3) Consumer and business education. The FTC has taken the lead in
coordinating with other government agencies and organizations to
develop and disseminate comprehensive consumer education materials for
victims of identity theft and those concerned with preventing this
crime. For example, in collaboration with other federal agencies, the
FTC published a comprehensive informational booklet, Identity Theft:
When Bad Things Happen to Your Good Name, in February 2000. Since its
publication through February 2002, the FTC has distributed more than
600,000 hard copies of the booklet and recorded over 609,500 visits to
our Web version. Other federal agencies have also printed and
distributed this publication.
Consumers can also find comprehensive information about preventing
and recovering from identify theft at the FTC's identity theft Web
site, www.consumer.gov/idtheft. The site also links to a secure Web-
based complaint form, allowing consumers to send complaints directly to
the Clearinghouse. The FTC now receives an average of 400 complaints
per week via the Internet; overall, more than 18,000 victims filed
their identity theft complaints online as of the end of December 2001.
The FTC's identity theft Web site had more than 699,000 hits since it
was launched in February 2000.
To expand the reach of our consumer education message, the FTC has
begun an outreach effort to Spanish-speaking victims of identity theft.
Just last month, we released a Spanish version of the Identity Theft
booklet (Robo de Identidad: Algo malo puede pasarle a su buen nombre)
and the ID Theft Affidavit (discussed below in Section III). In
addition, we have added Spanish-speaking phone counselors to our
hotline staff. We will soon launch a Spanish version of our online
complaint form.
iii. the ftc's recent collaborative and outreach efforts
Over the past year, the Commission has worked closely with other
government agencies and private entities to encourage the investigation
and prosecution of identity theft cases, and help consumers resolve
identity theft problems.
(1) Law Enforcement. One of our goals is to provide support for
identity theft prosecutions nationwide. In the past year, the
Commission launched an identity theft case referral program in
coordination with the United States Secret Service, which assigned a
special agent on a full-time basis to the Commission to assist with
identity theft issues.\9\ The identity theft team, assisted by the
special agent, develops case leads by examining significant patterns of
identity theft activity in the database and by refining the data
through the use of additional investigative resources. Then, the team
refers the case leads to one of the Financial Crimes Task Forces
located throughout the country for further investigation and potential
prosecution.
---------------------------------------------------------------------------
\9\ The referral program complements the regular use of the
database by all law enforcers from their desk top computers.
---------------------------------------------------------------------------
We provide support for law enforcement in other ways as well. Just
last week, the FTC, in cooperation with the Department of Justice and
the United States Secret Service, initiated a full day identity theft
training seminar for state and local law enforcement officers. This
first session was held in Washington, D.C.; subsequent sessions are
planned in Chicago, Dallas, and San Francisco. The training seminar
provides officers with technical skills and resources to enhance their
efforts to combat identity theft, including strategies for both
traditional and high-tech investigations. The training also identifies
key components for successful actions by local, state, and federal
prosecutors, and identifies resources, such as the Clearinghouse
database, that are available to law enforcement when conducting
identity theft investigations. Our goal is to encourage the prosecution
of these cases at all levels of government.
(2) Private Industry. Identity theft victims spend significant time
and effort restoring their good name and financial histories. Such
burdens result, in part, from the need to complete a different fraud
affidavit for each different creditor where the identity thief opened
or used an account in their name.\10\ To reduce that burden, the FTC
worked to develop the ID Theft Affidavit (``Affidavit''). The Affidavit
was the culmination of an effort we coordinated with private industry
and consumer advocates to create a standard form for victims to use in
absolving identity theft debts with each of the creditors where
identity thieves opened accounts. The Affidavit is accepted by the
three major credit reporting agencies and many creditors. From its
release in August 2001 through February 2002, we have distributed more
than 112,000 print copies of the Affidavit. There have also been nearly
185,000 hits to the Web version.
---------------------------------------------------------------------------
\10\ See ID Theft: When Bad Things Happen to Your Good Name:
Hearing Before the Subcomm. on Technology, Terrorism, and Government
Information of the Senate Judiciary Comm. 106th Cong. (2000) (statement
of Mrs. Maureen Mitchell, Identity Theft Victim).
---------------------------------------------------------------------------
The FTC will continue working with private sector financial
institutions to find additional ways to assist consumers. For example,
we plan to work with businesses to highlight the importance of securing
business records containing personally identifying information from
would-be identity thieves, and providing consumers with notification in
the event that their business records are compromised.
The FTC is examining other ways to lessen the difficulties and
burdens faced by identity theft victims. One approach under
consideration is to develop a joint ``fraud alert initiative'' with the
three major credit reporting agencies (``CRAs''). This initiative would
allow the FTC to transmit regularly to the three major CRAs requests
from identity theft victims that fraud alerts be placed on their
consumer report and copies of their reports be sent to them. This would
eliminate the victim's need to contact each of the three major CRAs
separately.
The CRAs have also asked the FTC to help promote their recent
``police report initiative,'' which follows an earlier program
supported by the FTC. After learning from our first twelve months of
data that over 35% of victims contacting the FTC were not able to file
police reports on identity theft, the FTC began working with the
International Association of Chiefs of Police (``IACP'') to encourage
local police officers to write police reports for victims of identity
theft. In November 2000, the IACP passed a Resolution in support of
providing police reports to victims of identity theft and referring
victims to the FTC's hotline.\11\ In 2001, the consumers reporting to
the FTC that the police would not issue a report dropped to 18%.\12\
Under their new initiative, the CRAs have agreed to block inaccurate
information resulting from the identity thief's activities from a
victim's credit report if the victim provides the CRA with a police
report on the incident. This program further speeds the process of
rehabilitating the victim's good name.
---------------------------------------------------------------------------
\11\ While this resolution is not binding, it sends an important
message to the police around the country. The FTC has conveyed the same
message in numerous law enforcement conferences across the country.
\12\ Ninety-eight percent of victims reported whether they had been
able to file a police report. The statistics regarding filing police
reports reflect the experience only of the consumers who contacted the
FTC directly, and do not reflect data contributed by the SSA-OIG, which
does not collect such information. See supra at note 6.
---------------------------------------------------------------------------
iv. identity theft: how it happens
Access to someone's personal information, through legal or illegal
means, is the key to identity theft. Unlike most crimes where the
victim is immediately aware of the assault, identity theft is often
silent and invisible. Identity thieves do not need direct contact with
their victims. All they need is access to some key components of a
victim's personal information, which, for most Americans, may be
maintained and used by numerous different public and private entities.
Thus, it is hardly surprising that nearly 80% of the victims who report
identity theft to the FTC do not know how or where the identity thief
obtained their personal information.\13\
---------------------------------------------------------------------------
\13\ Nearly all of the statistics in Section IV reflect the
experience only of the consumers who contacted the FTC directly, and do
not reflect data contributed by the SSA-OIG. As indicated at note 6
supra, this is because the SSA-OIG data do not contain the same fields
as the FTC data. Again, these statistics cover calendar year 2001.
---------------------------------------------------------------------------
Some victims can recall an event or incident that they believe led
to the identity theft. Eight percent of the victims who contacted the
FTC had their wallet or purse lost or stolen. Three percent of the
victims discovered that their mail had been stolen or that a fraudulent
address change had been filed with a creditor. One percent of victims
contacting the FTC recalled giving out personal information in response
to a solicitation over the telephone or Internet, and another 1%
reported that their identification had been stolen from their residence
or car.\14\
---------------------------------------------------------------------------
\14\ Recent Internet scams reportedly have emerged that try to
trick consumers into revealing their information. For example,
consumers report receiving emails from an entity purporting to be their
Internet service provider, health insurer, or bank. The scammers
request personal information, to confirm the consumer's identity or
eligibility for a program. In reality, these are traps for unwary
consumers. We are looking for such scams and will take appropriate
action.
---------------------------------------------------------------------------
Notably, 13% of the victims who contact the FTC report that they
personally know the suspect. These relationships include family members
(6%), other personal relationships, such as friends (3%), neighbors
(2%), ``significant others'' or roommates (1%), or someone from the
victim's workplace (1%).
The FTC also receives reports of identity theft from victims who
learn of it only upon notification by their employer on an entity with
whom they do business that their employee or customer records were
stolen. This is called ``business record identity theft.'' Between
March 2000 through late December 2001, the Clearinghouse received
reports regarding thirty-five different companies or institutions in
which identity thieves stole records containing employees' or clients'
personal information. The institutions included hospitals, tax
preparers, municipalities and schools.\15\ In many of these instances
the records were stolen by insiders. Some of these thieves sold the
records, while others exploited the information themselves. Some of the
targeted companies sought our assistance in dealing with the aftermath
of the theft, and in other cases, we reached out to them to offer
assistance. When we provide assistance, we encourage the entities to
contact the persons whose records were compromised, notify them that
they were potential victims of identity theft, and advise them to
contact the FTC's hotline.
---------------------------------------------------------------------------
\15\ Jacob H. Fries, Worker Accused of Selling Colleagues' ID's
Online, N.Y. Times, March 2, 2002, at B2.
---------------------------------------------------------------------------
While most victims do not know how or where the identity thief
obtained their personal information, 68% of the complaints in the
Clearinghouse do contain some identifying information about the
suspect, such as a name, address, or phone number. This includes any
identifying information victims can provide about the suspect, which
might be gleaned from the bills, letters or phones calls of would-be
creditors and debt collectors, or from a victim's report. Such
information about suspects allows law enforcement investigators to link
seemingly unrelated complaints of identity theft to a common
suspect.\16\
---------------------------------------------------------------------------
\16\ Suspect identifying information is collected both by FTC and
SSA-OIG. This statistic includes data contributed by the SSA-OIG to the
Clearinghouse.
---------------------------------------------------------------------------
v. summary of database information
The Clearinghouse database has been in operation for more than two
years.\17\ For calendar year 2001, the Clearinghouse database contains
over 86,000 complaints from ID theft victims. It also contains over
31,000 inquiries from consumers concerned about becoming victims of
identity theft. These figures include contacts made directly to the FTC
and data contributed by SSA-OIG.
---------------------------------------------------------------------------
\17\ The Clearinghouse was established in November 1999. Because it
is relatively new, the information in the database may be influenced by
geographical differences in consumer awareness of the FTC's identity
theft hotline and database.
---------------------------------------------------------------------------
While not comprehensive, information from the database can reveal
information about the nature of identity theft activity. For example,
the data show that California has the greatest overall number of
victims in the FTC's database, followed by New York, Texas, Florida,
and Illinois. On a per capita basis, per 100,000 citizens, the District
of Columbia ranks first, followed by California, Nevada, Maryland and
New York. The cities with the highest numbers of victims reporting to
the database are New York, Chicago, Los Angeles, Houston and Miami.
Eighty-eight percent of victims reporting to the FTC provide their
age.\18\ The largest number of these victims (28%) were in their
thirties. The next largest group includes consumers from age eighteen
to twenty-nine (26%), followed by consumers in their forties (22%).
Consumers in their fifties comprised 13%, and those age 60 and over
comprised 9%, of the victims. Minors under 18 years of age comprised 2%
of the victims.
---------------------------------------------------------------------------
\18\ The statistics regarding consumers' age reflect the experience
only of the consumers who contacted the FTC directly, and do not
reflect data contributed by the SSA-OIG, which does not collect
information about the victim's age. See supra at note 6.
---------------------------------------------------------------------------
As noted above, consumers often do not become aware of the crime
for some time. Forty-four percent of victims who contact the FTC
provide information on when the identity theft occurred and when they
discovered it. The majority of these victims (69%) reported discovering
the identity theft within 6 months of its first occurrence.\19\ In
fact, 44% noticed the identity theft within one month of its
occurrence. However, 5% were unaware of the theft for longer than five
years. On average, 12 months elapsed between the date the identity
theft occurred and when the victim discovered it.
---------------------------------------------------------------------------
\19\ The statistics regarding when victims discover the crime and
what entities they have notified reflect the experience only of the
consumers who contacted the FTC directly, and do not reflect data
contributed by the SSA-OIG, which does not collect such information.
See supra at note 6.
---------------------------------------------------------------------------
Thirty-five percent of the victims had not yet notified any credit
bureau at the time they contacted the FTC,\20\ 46% had not yet notified
any of the financial institutions involved.\21\ Fifty-four percent of
the victims had not yet notified their local police department of the
identity theft. By advising the callers to take these critical steps,
we enable many victims to get through the recovery process more
efficiently and effectively.
---------------------------------------------------------------------------
\20\ Ninety-five percent of victims reported whether they had
contacted any credit bureaus.
\21\ Sixty-three percent of victims reported whether they had
notified any financial institutions.
---------------------------------------------------------------------------
The Clearinghouse data, which represents complaints received by
both the FTC and the SSA-OIG, also reveal how the thieves use the
stolen identifying information. This data, summarized below, help
provide a broad picture of the forms identity theft can take.\22\
---------------------------------------------------------------------------
\22\ Many consumers experience more than one form of identity
theft. Therefore, the percentages represent the number of consumers
whose information was used for each various illegal purpose.
---------------------------------------------------------------------------
Credit Card Fraud: Forty-two percent of the victims in the
Clearinghouse report credit card fraud. Sixty-two percent of these
victims indicate that one or more new credit cards were opened in the
victims' name. Twenty-four percent of these victims indicate that
unauthorized charges were made on an existing credit card. Thirteen
percent of the credit card fraud victims were not specific as to new or
existing credit.
Unauthorized Telecommunications or Utility Services:
Twenty percent of the victims in the Clearinghouse report that the
identity thief obtained unauthorized telecommunications or utility
equipment or services in their name. New wireless telecommunications
equipment and service comprised 48% of these complaints, new land line
telephone service or equipment comprised 26%, new utilities such as
electric or cable service comprised 12%, 11% of these complaints were
not specific, and 2% comprised unauthorized charges to the victims'
existing telecommunications or utility accounts.
Bank Fraud: Thirteen percent of the victims report fraud
on their demand deposit (checking or savings) accounts. Forty-seven
percent of these victims report fraudulent checks written on their
existing account, 20% report a new bank account opened in their name,
15% report unauthorized electronic withdrawals from their account, and
18% of these complaints were not specific.
Employment: Nine percent of the victims in the database
report that the identity thief used their personal information for
employment purposes.
Fraudulent Loans: Seven percent of the victims report that
the identity thief obtained a loan in their name. Fifty-three percent
of these complaints relate to a personal, student, or business loan,
28% concern auto loans or leases, 10% concern real estate loans, and 9%
are unspecified.
Government Documents or Benefits: Six percent of the
victims report that the identity thief obtained government benefits or
forged government documents in their name. Forty-four percent of these
victims report a false driver's license, 11% report a false social
security card, and 4% report the falsification of other government
documents. Thirty-one percent report fraudulent claims for tax returns,
6% report fraudulent claims for government benefits, and 3% of these
victims were not specific.
Other Identity Theft: Nineteen percent of the victims in
the database reported various other types of identity theft. Nine
percent of these victims report that the thief assumed their identity
to evade legal sanctions and criminal records (thus leaving the victim
with a wrongful criminal or other legal record), 9% report that the
thief obtained medical services, 6% report that the thief opened or
accessed Internet accounts, 5% report that the thief leased a
residence, 2% report that the thief declared bankruptcy in their name,
1% report that the thief purchased or traded in securities and
investments, and 69% of these complaints were miscellaneous or
unspecified.
Multiple Types: Twenty percent of the victims in the
database reported experiencing more than one of the above types of
identity theft.
vi. conclusion
Identity theft, once an unknown term, is now the subject of day
time talk shows. The economic and non-economic injury caused by the
misuse of consumers' personal information is significant. But there are
real and positive steps we can take to alleviate the harm to consumers,
and reduce the incidence of this crime. We are committed to working
with our partners in the public and private sectors and will continue
to forge a comprehensive approach to this challenge. I would be pleased
to answer any questions you may have.
Chairperson Feinstein. Thanks very much, Mr. Beales. I know
we do have questions, but I would really like to thank you for
the work of your agency. You are right. Your agency has
testified before us before, and I just want you to know how
much we appreciate your cooperation.
We are joined by Senator Sessions and I am delighted that
he is here and has an interest in this subject.
Senator, would you like to make a statement?
STATEMENT OF HON. JEFF SESSIONS, A U.S. SENATOR FROM THE STATE
OF ALABAMA
Senator Sessions. Just briefly, as a Federal prosecutor for
a number of years, we were involved in matters involving
fraudulent use of identification, particularly to defraud
banks, as usually one thing goes to another, or individuals.
When you look at what really happens and what really needs
to occur to have a surge in prosecutions and identification of
people who do these things, it has got to be a partnership
between the lowest level of the Federal, State and local
officials and those who are most involved in seeing the
fraudulent activity.
When they work together--and we created such a task force
in my district--the prosecutions surge, and many of them were
small cases that Federal officials say, well, you don't want to
fool with. But they go from State to State; they rip off 50
people at $1,000, $2,000 each, and it is disrupting their lives
in a substantial way.
So I think it is a bigger problem than people realize and
it is easier to deal with if we come up with the right
solution, because there are not that many people doing it and
if the word gets out that you are going to get caught and get
whacked if you do it, you can stop it. If the word gets out
that you can do these kinds of non-violent crimes and you don't
run up too much money and nobody cares, you will see more of
that crime.
That is all I would want to add, and thank you for your
leadership in trying to focus our attention on it. It is an
important matter. It disrupts the lives of people
substantially.
Chairperson Feinstein. Well, thank you very much.
I held a hearing actually in Los Angeles in the last
session of the Congress on the subject, and the sheriff of Los
Angeles County, which, of course, is the biggest county in
America--it is such a problem that he has set up a special
unit. Interestingly enough, the average identity theft loss in
the Nation is $18,000. That is a lot of money.
Senator Sessions. That is more than I thought.
Chairperson Feinstein. Yes, because they pick their people.
The other thing is the average time it takes for an individual
to regain their identity is, I think, 18 months, which is a
long time when you have lost your identity and you are
struggling to get it back.
Mr. Beales, let me begin. I want to ask you a question
about truncation--I hate the word--of credit card numbers.
Printed store receipts are real assets for identity thefts
because they often contain a card-holder's entire credit card
number.
I have introduced legislation prohibiting companies from
printing more than the last five digits of any credit card on
any receipt provided by the card-holder. The State of
California, with the support of the Better Business Bureau, has
just established a similar truncation law.
Do you know how it is working, and what the FTC's view of
such a truncation requirement is?
Mr. Beales. Well, I have to say that the views that I am
giving today are my own views and not the Commission's. The
prepared statement is obviously the Commission's views, but my
comments are my own.
We, too, find that credit card receipts are an important
source of information for identity thieves, and we urge in our
consumer education materials for consumers to be careful with
those receipts and not to leave them behind and not to leave
them where other people can get a hold of them.
Truncation is a way to protect consumers from their own
mistakes, if you will, that we are seeing increasingly happen
in the private sector on a voluntary basis. I know a lot of the
receipts I get these days seem to display just the truncated
credit card number, and that is a great idea.
We don't really know how much of an impact it would have on
the prevalence of identity theft, in part because most of the
time our main source of information, which is the victim,
doesn't know how the thief got their information. That is just
hard for consumers to tell. As long as it is phased in in a way
that accommodates the life of the equipment and as long as it
is done in a way that makes it easy for small businesses that
are still using manual systems, it seems like an excellent
idea.
Chairperson Feinstein. When you are at a restaurant and you
give your credit card and you get back the little ticket that
you sign, and it sometimes has a duplicate, I mean I was told
several times ``we don't furnish duplicates.'' Well, it is not
really the consumer's fault if you are told that. Let's say you
do and the waiter may have taken the second receipt. He has got
the number, he has got your signature. Or if you don't tear it
up in small enough pieces, somebody picks up the pieces and
they have got it, or it falls out of your purse or your pocket,
for example.
It is really a very important document, and I think you are
right in warning people and trying to get people adjusted to
it. On the other hand, the truncation of a credit card number
really stops a thief cold. So I am going to try to find out how
California is doing with that.
Let me ask you about the fraud alert. One of the witnesses
on our second panel, Sallie Twentyman, is a victim of identity
theft. Using her name and Social Security number, a thief took
her credit card account and obtained $13,000 in cash advances.
Even after she placed a fraud alert on her account, two credit
cards were subsequently issued to the identity thief.
Now, in your view, how effective is the current voluntary
fraud alert system? Should fraud alerts be codified and subject
to FTC supervision?
Mr. Beales. Well, I think we are frankly puzzled by fraud
alerts that get ignored, and don't completely understand how or
why that happens. One possibility is simply people making
mistakes. That certainly will happen in some cases in the best
of circumstances.
A potential fear--and we don't know to what extent this is
an issue now, but there are some people who encourage fraud
alerts where there is no fraud, and that unfortunately has the
other effect of encouraging people to ignore fraud alerts when
there is fraud. A fraud alert needs to identify fraud and the
financial institutions looking at whether to issue credit or
not need to take that seriously.
Chairperson Feinstein. Well, would the FTC consider fining
a merchant who ignored a fraud alert and issued another credit
card to the thief?
Mr. Beales. Well, we would have to find either a deceptive
practice or an unfair practice in what the creditor was doing.
Chairperson Feinstein. Absolutely.
Mr. Beales. And the difficulty is this is an area where
there is in many cases, or can be in many cases a benefit to
the consumer of being able to get credit immediately, where the
fraud alert might get in the way.
For example, as a hypothetical that somebody on my staff
told me about happening to them, somebody puts on a fraud
alert. It is two years later. They have forgotten about the
fraud alert. They haven't had problems in the meantime and they
go to establish instant credit somewhere again. With
identification, maybe they can talk the merchant into issuing
credit immediately. There is a real benefit to the consumer in
that sort of circumstance.
Chairperson Feinstein. Well, that is right. Thank you.
Senator Sessions, do you have questions?
Senator Sessions. Under the Uniform Commercial Code, if a
retailer ignores a fraud alert, are they, rather than the
person whose identity is stolen, ultimately liable for the
purchases? Is the customer not required to pay? It doesn't
always get decided promptly, leaving the victim in a lot of
uncertainty, but isn't that the way it is supposed to work?
Isn't that a penalty against them?
Mr. Beales. That is ordinarily the case. It is the credit
issuer that is ultimately liable for fraudulent credit and the
consumer isn't going to have to pay. But it does take some time
and effort and it is a substantial inconvenience, at the very
least, to the consumer.
Senator Sessions. You mentioned a task force or team you
are putting together involving the Secret Service. Would you
tell me a little bit more about what that is about?
Mr. Beales. Well, there are a series of task forces around
the country that involve us and the Secret Service, the Justice
Department, and State and local prosecutors.
Senator Sessions. At what level is that? Is this county,
city level, or is it regional or what?
Mr. Beales. It is regional, but it includes State and local
officials. I mean, it is not simply the Federal agencies on a
regional basis. It tries to bring in the State and local
prosecutors, as well, because they are an important part of
this puzzle. I think you are right.
Senator Sessions. Well, just for example, we had an
innovative Secret Service agent in Mobile, the head of the
Secret Service, and he had monthly luncheons that I frequently
attended. We had a committed Assistant United States Attorney,
and maybe 7 or 8 Federal investigators and probably 10, 15
local, and many more really because the local police are the
ones who are hearing about this first usually. It worked
exceedingly well. Prosecutions went up, and once we learned how
to prosecute the cases and how to identify cases that needed to
be prosecuted, things went, I thought, very well.
I believe that more times than you would think, Madam
Chairman, the people that were caught had done it in New
Orleans or Atlanta or Memphis, and things got hot there and
they just left and came to the next town. They would live there
and run up $100,000 or more.
At first, it would take some time to identify this person,
and then a lot of Federal prosecutors seem to believe that if
it is not $100,000 in fraud, they shouldn't investigate it.
Sometimes, we haven't gotten it down to the level that we need
to have it operate at.
I just believe, as a practical matter, we could do a lot
better job. I think United States Attorneys need to know that
they need to prosecute some of these cases. The actual amount
in that district that is fraudulent may not meet the highest
standards that they normally would look at, but you have to
realize they may go to the next town, the next town and the
next town, and they need to be stopped. So I just believe you
are on the right track with that.
Madam Chairman, I thank you for your leadership. I look
forward to studying your legislation in more detail, but you
are clearly stepping out in the right direction and I thank
you.
Chairperson Feinstein. Thanks, Senator, very much.
Senator Cantwell?
Senator Cantwell. Thank you, Madam Chairman.
Again, Mr. Beales, thank you for being here this morning. I
appreciate the hard work that the agency has done in trying to
fight identity theft and provide information on a national
basis. I would like to follow on some of the questions that
Senator Feinstein asked in the sense of where do we go from
here, given that this crime is continuing to be one of the
fastest growing in the country.
I guess first I would like to start with this issue on the
statute of limitations. I know that your agency can't by your
own actions change that, but what is your thought on that
particular challenge that we face? Do you believe that we
should change the statute of limitations?
Mr. Beales. Well, I think there are pros and cons, and I
don't have a clear view of what would be the best solution
here. I can appreciate the difficulties that a discovery rule
creates for people who have to maintain records to address
possible problems that may have occurred well in the past. And
that is particularly true in the credit reporting agency, where
the data sort of expires after seven years under the Fair
Credit Reporting Act, but the statute of limitations may not if
it is strictly discovery-based.
Most consumers in our data, about 70 percent, discover the
identity theft within the first 6 months, but there is a tale
of about 5 percent of cases where it is more than 5 years
before the crime was discovered. What we are doing is try to
look more closely at those cases that take a long time to
discover to see if there is anything about those cases that
might let you shape a statute of limitations change that would
target them without affecting the vast majority of cases where
consumers find out quickly. At this point, we don't know
anything about that, but we are going to try to look at those
cases to see what they look like.
Senator Cantwell. The other issue that obviously has a lot
of concern is the 30-day compliance time frame by which
information should be corrected. Do you get a lot of complaints
at the FTC about that?
Mr. Beales. We do get complaints about the time and how
long it takes in a number of instances.
Senator Cantwell. And most instances aren't resolved in 30
days?
Mr. Beales. Well, I think most instances are resolved
within 30 days. We do get complaints of cases where it hasn't
happened, but we don't have any firm data on what the averages
are like. We are working with credit reporting agencies to try
to figure out what goes wrong in those cases where it takes
longer and try to get those particular problems fixed as
quickly as possible because that is clearly what is in the best
interest of consumers.
Senator Cantwell. In general, you have indicated 42 percent
of the victims reporting to the clearinghouse and 20 percent
report unauthorized telecommunications or utility services.
What else could be done to address some of these most targeted
industries, the credit card issuers in utilities, to encourage
cooperation with the victims?
Mr. Beales. Well, that is one of the things we want to
explore in the best practices workshop. I mean, I think the
financial institutions have faced this problem longer and more
clearly and probably with larger losses than utilities and
telecommunications folks, and have a better sense of ways to
prevent those losses, and at the same time prevent the injury
to victims. What we would like to do is to identify some of
those best practices and see if they can't be transferred to
businesses in other sectors to reduce losses there as well.
Senator Cantwell. Thank you. Thank you, Madam Chairman.
Chairperson Feinstein. Thank you very much.
Thanks very much, Mr. Beales. We are delighted to have you
and I think we will move on with the second panel now.
I would like to enter into the record a statement by
Senator Grassley, Senator Hatch; also, a statement and paper by
Normal Wilcox. The record will remain open for additional
statements.
Mr. Beales. Thank you for the opportunity to be here.
Chairperson Feinstein. Thank you very much, Mr. Beales.
If the next panel will come forward, please?
I would like to defer to my colleague, Senator Cantwell,
for her introduction of the Attorney General of the State of
Washington.
Senator Cantwell. Well, thank you, Madam Chair. We are very
excited to have Attorney General Christine Gregoire joining us
today. She has, as I mentioned in my opening comments, played
an important leadership role in this important issue in my
State and has lent her expertise to the Senate on numerous
occasions, testifying just recently on the impact of the Enron
collapse on State pension funds. So we very much appreciate
that she is here with us today.
Obviously, some people may remember her from her work on
the tobacco settlement and her leadership role on behalf of the
AGs on that issue. But she has been a leader in this fight
against identity theft in our State, which is one of the top
ten States hardest hit by identity theft, and she helped draft
and pass the legislation that we are going to be hearing about
today that is the basis for the Reclaim Your Identity Act that
is before us today.
So I want to introduce and thank our Attorney General for
being here.
Chairperson Feinstein. Thanks very much, Senator.
Madam Attorney General, we have just been joined by Senator
Kyl, the ranking member of the subcommittee, also the main
cosponsor of my bill on identity theft.
Senator Kyl, would you like to make a statement now and
then I will introduce the other witnesses?
Senator Sessions. Madam Chairman, could I just express a
word of greeting to my former colleague, Christine Gregoire?
Chairperson Feinstein. Of course.
Senator Sessions. I appreciate her leadership in the
Attorney Generals Association for many years. She is one of the
more outstanding spokesmen for issues important to the
attorneys general in the country and has been a leader in the
association.
We are glad to have you, Christine.
Ms. Gregoire. Thank you, Senator.
Chairperson Feinstein. Thanks, Senator.
Senator Kyl.
STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF
ARIZONA
Senator Kyl. Madam Chairman, I will simply put my statement
in the record, but note my appreciation both for this panel and
the other panel. We have been working on this at least since
1998, and I think this latest GAO study that we requested
demonstrates that the problem is as big as ever, if not getting
worse. Therefore, everything we can do to try to deal with it
will be progress.
So I appreciate the fact that you have scheduled this
hearing and I appreciate the testimony of the witnesses, and
everything else I have to say will be in writing.
[The prepared statement of Senator Kyl follows:]
Opening Statement of Senator Jon Kyl
I would like to begin by thanking Senator Feinstein for chairing
this important hearing on identity theft and how its victims can regain
control of their good names, and their lives. We have been concerned
with the issue of identity theft for many years. I sponsored the
Identity Theft Assumption Act of 1998, which focused the public's
attention on this form of crime. That law made it illegal to transfer
or use another person's name or any identifier that is used to identify
a specific individual without that person's consent.
Senator Feinstein and I have worked together to devise
congressional legislation that will protect the public from the growing
problem of identity theft. A recently released General Accounting
Office report that Senators Grassley, Feinstein, and I requested
indicates that incidents of identity theft have continued to rise and
that it is the number one concern of consumers. Although it is
difficult to get concrete numbers on the prevalence of identity theft
because no one specific database exists to accurately quantify it, the
overall statistics are troubling.
The Federal Trade Commission's Identity Theft Data Clearinghouse
received approximately 94,000 complaints from victims from November
1999 through September 2001. The Social Security Administration's
Office of the Inspector General has reported that, since its Fraud
Hotline was established in 1998, until the fiscal year 2001,
allegations of misuse of Social Security numbers have increased
fivefold. The Inspector General indicates that 81 percent of all
allegations of Social Security Number misuse relate directly to
identity theft.
Those are staggering statistics; however, we must remember that
each statistic represents an individual who is a real victim of
identity theft. That individual faces not only monetary harm but
emotional and other nonmonetary injury. Many victims may only suffer
small monetary losses; however, many hours are expended attempting to
reestablish their credit records and good names. In addition, a victims
often have a lingering fear that information about them can still be
used to create debt and otherwise besmirch their reputation. These
crimes are also financially burdensome to private industry and law
enforcement. The Management and Organizational Division of the United
States Secret Service has estimated that a financial crime
investigation costs, on the average, $15,000.
I am aware that these statistical increases are partially the
result of the public being better informed about identity theft, and
reporting it more, and also the government agencies being more
aggressive in assisting the victims of this crime. Even with that
recognition, I know we can and should do more legislatively to combat
identity theft. It is important that access to personal information be
restricted, that members of the public be educated on how best to
protect themselves, that law enforcement at the local, state, and
federal levels work together, and finally, that private industry take a
proactive part in preventing the theft of citizens' identities.
Senator Feinstein has brought together a group of witnesses that I
believe can help us better understand the problem of identity theft
and, more importantly, can assist this subcommittee and the Congress in
crafting laws to lessen the incidence of identity theft.
I am interested in hearing how we can limit the unnecessary use of
Social Security numbers and how we can make the system of
reestablishing a victim's identity more efficient and less time-
consuming. At the same time, I do recognize that, in today's society,
private industry, the government, and law enforcement must rely on
Social Security numbers to provide valuable services to the public.
This is a delicate balance that requires all interested parties to work
together.
I anticipate that today's law enforcement and State Attorney
General witnesses can shed some light on the problems they face on a
daily basis. Since this is a crime that is not limited to a geographic
region, I would like to hear their opinions on what can be done to
assist the victims and the law enforcement community.
Finally, Senator Feinstein and I have introduced the Identity Theft
Prevention Act of 2001. The legislation will, among other things, seek
to cut back on needless access to public information about citizens,
will require additional notifications to consumers, and will require
changes to the fraud-alert system. I look forward to your comments on
this legislation.
In closing, again I would like to express my thanks for Senator
Feinstein's dedication and assistance in helping to wage this difficult
battle against the crime of identity theft. It is a complex issue and,
as always, I look forward to working more with her on it.
Chairperson Feinstein. Thank you very much.
I will quickly introduce the other witnesses. The second
person testifying will be Sallie Twentyman. She is a high
school teacher and also the victim of identity theft. The crime
occurred in late 1999 and Ms. Twentyman is still feeling the
repercussions from it.
Linda Foley is the founder and executive director of the
Identity Theft Resource Center. That is a non-profit victim
advocacy and consumer education program located in San Diego,
California. She is terrific. This victims center was
established in 1999 in response to the growing need for victim
assistance and public empowerment caused by the rise of
identity theft. She is a former victim herself and so she is
really uniquely suited to understand some of the problems.
Finally, Inspector Lou Cannon is the president of the
District of Columbia Chapter of the Fraternal Order of Police,
the largest law enforcement organization in the country. Few
could fit that position better, as Inspector Cannon was a
member of the Metropolitan Police Department for 22 years. He
has also served with the Library of Congress Police Department
at the United States Mint.
Ladies and gentlemen, we welcome you, and we will begin
with the Attorney General.
STATEMENT OF CHRISTINE O. GREGOIRE, ATTORNEY GENERAL, STATE OF
WASHINGTON, OLYMPIA, WASHINGTON
Ms. Gregoire. Well, good morning, and thank you, Madam
Chair and members of the committee. It is a delight for me to
be here and testify on this very important issue with you
today.
I really do appreciate your interest in helping to protect
citizens from what has become one of the fastest growing and
most expensive consumer frauds in America. Identity thieves
don't just steal victims' money; they rob them of their time,
they rob them of their credit, and they rob them of their
reputation.
In January 2000, identity theft reports were arriving at
the FTC at the rate of 300 per week. Just one year later, the
rate had grown ten-fold to 3,000 per week. As the GAO report on
identity theft issued this month indicates, the true incidence
of this crime is very difficult to measure, but in the five
minutes that I speak to you, an estimated five more Americans
will have their identities stolen. Those five people will spend
nearly $6,000 in notary fees, copying charges, and legal fees
to clear their names. That doesn't count their lost wages or
their lost credit.
It takes time, too. Those five victims will spend somewhere
in the neighborhood of 875 hours, or nearly 22 work weeks,
dealing with the impact of the theft over the next 2 years. One
or two of them might even become the subject of a criminal
investigation, or even become the victim of an arrest because
someone has fraudulently stolen their identity. Businesses will
pay, too. Those five identity thefts that occur as I speak will
cost business somewhere in the neighborhood of $33,000. Over
the course of a year, it adds up to an estimated $3.5 billion.
Those are just the numbers, averages that help describe the
problem on a national scale. But to really understand it, I
think you need to look at what identity theft does to an
innocent individual like Jenni D'Avis, from my State, who
brought this to my attention.
Jenni thought there had been some type of simple error when
she got two bills for maxed-out credit cards she didn't have.
Then she got a phone call from the General Motors Acceptance
Corporation asking why she was late on her payment on her Chevy
Suburban. She wasn't making payments because she had never
purchased the vehicle. Someone else had done so using her I.D.
Piecing it together, she discovered that a thief had
obtained her Social Security number from a student roster at
her community college. The thief used the Social Security
number to get a State identification card, then launched a
spending spree. By the time she realized what was going on, the
thief had run up $72,000 worth of charges on 13 credit
accounts, 9 cellular phone accounts, and 6 checking accounts.
Jenni didn't get stuck with those bills, but she learned
that she would quickly get stuck with some very nasty marks on
her credit. GMAC told her that they would list the stolen Chevy
Suburban as a ``repossession'' on her credit report and that
she would have to clear it up sometime later. In three weeks,
Jenni's sterling credit was horribly tarnished. She was forced
to sue her creditors and her credit reporting agencies to
finally clear her name. It took her more than two years.
Unfortunately, her story is not unique. My State has the
dubious distinction of being among the top ten in the Nation
per capita as victims of this crime. That is why we passed our
identity theft law last year.
First, we wanted to ensure that the criminal justice system
recognized this for what it was, a crime against individuals of
a very costly nature, not just in money. But even more
importantly, we wanted to give the victims the tools to get
their good name and reputation back timely and without having
to spend a lot of their own money.
But our law simply isn't enough. Identity theft is a crime
that does not respect State or regional boundaries. A Social
Security number stolen in Washington can be used to obtain a
credit card in Delaware that is being used to get a cash
advance in Ohio. That is why we do need work on the Federal
level.
In December, our National Association of Attorneys General
passed a resolution calling for Federal legislation to address
this growing crime. This resolution supports legislation to
both prevent identity theft and to make it easier for victims
of identity theft to recover their reputations.
So I am very pleased that you are tackling this most
difficult problem in two ways. Senator Kyl and Senator
Feinstein, your bill will help prevent identity theft by
decreasing thieves' access to our personally identifiable
information, and that is very important.
Let me tell you about another woman in my State, Berniece
Phelps. Ms. Phelps discovered her identity had been stolen in
August, shortly after our State law had come into effect. She
made the discovery because credit card companies called to ask
her if she had moved to Florida. By calling to verify the
change in the address, which would be a requirement under your
bill, the companies helped Ms. Phelps stop the damage to her
credit. Your bill will address prevention in a very needed way.
We also need to recognize, however, that these thieves are
very persistent, as Senator Sessions has indicated. We are not
going to be able to stop all of them, and that is why I am also
here to support very strongly Senator Cantwell's bill, the
Reclaim Your Identity Act.
As I mentioned, Berniece Phelps' identity was stolen just
two months after our State law went into effect, and the
difference between her experience and that of Jenni D'Avis'
experience is stark. Ms. Phelps used our new law to get help
from businesses and credit agencies. She did not have to sue
them. She was able to get her credit report corrected quickly
and easily. These are key components of our new law. Senator
Cantwell's proposed bill will make sure victims across the
country have the same resources and that kind of experience and
not the nightmare of Jenni D'Avis and what she went through.
It adds some significant features beyond those found in
Washington State's law. Under existing law, as a result of our
Supreme Court ruling, as you just mentioned, the two-year
statute of limitations for filing suit can expire before an
identity theft victim even becomes aware that a crime has been
committed. But under this new bill, the statute of limitations
clock does not start running until the consumer knows, or
reasonably should have known, that their identity had been
stolen. The bill provides another means to go after identity
thieves by making a conviction under State law a crime that can
be pursued by a Federal racketeering violation.
Since our law went into effect last July, people in my
State have had help in restoring their good names and their
good reputations. I see no reason why residents in other States
should not have the same protection from identity theft that
our State citizens now enjoy. The Reclaim Your Identity Act
will help ensure that an identity victim in Phoenix, Raleigh or
Frankfort will have the same protections as an identity victim
in Seattle, and it will give victims, regardless of where they
call home, a fighting chance at getting their credit repaired
and their lives back on track.
Again, thank you, Madam Chair and members of the committee,
for your interest in this issue and your willingness to take
this most pressing problem up with the American people.
[The prepared statement of Ms. Gregoire follows:]
Statement of Christine O. Gregoire, Attorney General of Washington
State
Good morning.
Thank you Senator Feinstein and members of the committee for the
opportunity to testify here today.
I appreciate your interest in helping to protect citizens from what
has become one of the fastest growing and most expensive consumer
frauds in America.
Identity thieves don't just steal victims' money. They rob them of
their time, credit and reputation.
In January 2000, identity theft reports were arriving at the FTC at
a rate of 300 per week.
Just one year later, the rate had grown tenfold, to 3,000 reports a
week.
As the GAO report on identity theft issued this month indicates,
the true incidence of this crime is difficult to measure.
But in the five minutes I speak to you, an estimated five more
Americans will have their identities stolen.
Those five people will spend nearly $6,000 in notary fees, copying
charges and legal fees to clear their names.
That doesn't count any lost wages or lost credit.
It takes time, too. Those five victims will spend 875 hours--or
nearly 22 workweeks--dealing with the impacts of the theft over the
next two years.
One or two of them might even become the subject of a criminal
investigation or even arrest because of someone's fraudulent use of
their identity.
Businesses will pay, too.
Those five identity thefts that occur as I speak will cost
businesses $33,500. Over the course of a year, it adds up to an
estimated $3.5 billion.
Those are just numbers, averages that help describe the problem on
a national scale.
But to really understand it, I think you need to look at what
identity theft does to innocent individuals like Jenni D'Avis from my
state.
Jenni thought there had been some type of simple error when she got
two bills for maxed out credit cards she didn't even have.
Then she got a call from the General Motors Acceptance Corporation
asking why she was late on payments for her Chevy Suburban.
She wasn't making payments because she had never purchased the SUV.
Someone else did, using Jenni's I.D.
Piecing it together, Jenni discovered that a thief had obtained her
Social Security number from a student roster at the community college
she attended.
The thief used the Social Security number to get a state I.D. card,
then launched a fraudulent spending spree.
By the time Jenni realized what was going on, the thief had run up
$72,000 worth of charges on 13 credit accounts, nine cellular phone
accounts and six checking accounts.
Jenni didn't get stuck with those bills, but she learned that she
would get stuck with some very nasty marks on her credit record.
GMAC told her they would list the stolen Chevy Suburban as a
``repossession'' on her credit report and that she would have to clear
it up later.
In three weeks, Jenni's sterling credit was horribly tarnished. She
was forced to sue her creditors and credit reporting agencies to
finally clear her name. It took her more than two years.
Unfortunately, Jenni's story isn't unique.
My state has the dubious distinction of being in the top ten states
for identity thefts per capita.
That's why Washington passed a new identity theft law last year.
We wanted to ensure the criminal recognized the gravity of the
crime. But even more importantly, we wanted to give victims the tools
to get their good names and reputations back quickly and without having
to spend a lot of their own money.
But one law isn't enough.
Identity theft is a crime that does not respect state or regional
boundaries.
A Social Security number stolen in Washington can be used to obtain
a credit card in Delaware that is then used to get a cash advance in
Ohio.
That's why citizens need help at the federal level.
In December, the National Association of Attorneys General passed a
resolution calling for federal legislation to address this growing
crime.
The resolution supports legislation to both prevent identity theft
and to make it easier for victims of identity theft to recover their
reputations.
So I am pleased to see you tackling this difficult problem in two
ways.
Senator Feinstein, your bill to help prevent identity theft by
decreasing thieves' access to our personal identifying information is
very important.
Let me tell you about another woman in my state, Berniece Phelps.
Mrs. Phelps discovered her identity had been stolen in August, shortly
after our state law had taken effect.
She made the discovery because credit card companies called her to
ask if she had moved to Florida.
By calling to verify the change in address, which would be a
requirement under Senator Feinstein's bill, the companies helped Mrs.
Phelps stop the damage to her credit.
Senator Feinstein's bill addresses prevention very well.
But we also need to recognize that these thieves are persistent and
we won't be able to stop all of them.
And that's why I also support, very strongly, Senator Cantwell's
``Reclaim Your Identity Act.''
As I mentioned, Berniece Phelps' identity was stolen just two
months after our state law went into effect.
And the difference between her experience and Jenni D'Avis'
experience is stark.
Mrs. Phelps used the new law to get help she got from businesses
and credit agencies.
She was able to get her credit report corrected quickly and easily.
These are key components of our new state law.
Senator Cantwell's proposed bill will make sure victims across the
country have the same resources so they can have that kind of
experience and not the nightmare that Jenni D'Avis went through.
And it adds some significant features beyond those found in
Washington's law.
Under existing law, as a result of the Supreme Court ruling in TRW
v. Andrews, the two-year statute of limitations for filing suit can
expire before an identity theft victim even becomes aware of the crime.
But under Senator Cantwell's bill, the statute of limitations clock
doesn't start running until the consumer knows, or reasonably should
know their identity has been stolen.
And the bill provides another means to go after identity thieves by
making a conviction under state law a crime that can then be pursued as
a federal racketeering violation.
Since our law went into effect last July people in my state have
had help in restoring their good names.
I see no reason why residents in other states should not have the
same protections from identity theft that our state's citizens now
enjoy.
The ``Reclaim Your Identity Act'' will help ensure that an identity
theft victim in Phoenix, Raleigh or Frankfort will have the same
protections as a victim in Seattle.
And it will give victims--regardless of where they call home--a
fighting chance at getting their credit repaired and their lives back
on track.
Thank you.
Chairperson Feinstein. Thank you very much, Attorney
General. That was excellent testimony and very helpful.
Sallie Twentyman, we welcome you and would love to hear
your story.
STATEMENT OF SALLIE TWENTYMAN, FALLS CHURCH, VIRGINIA
Ms. Twentyman. Thank you. I do appreciate this opportunity
to appear today to tell you about some of my experiences as a
victim of identity theft.
On September 14, 1999, I received a credit card bill that
changed my life, a bill that included charges of one
convenience check for $9,500, three other cash advances
totalling about $2,500, and a payment of $8,300. I was in
shock, wanting to believe that there was an easy explanation
for the bill, that the credit card company had sent me somebody
else's bill by mistake or that someone had keyed in numbers
incorrectly.
But when I called the bank to report the error, I found out
that the charges were very real. Someone had stolen my renewal
credit card from the mail before it reached me and had
immediately called the credit card company with a change of
address. During the conversation, this person also obtained
information about other credit card accounts I held at that
same bank and, using my Social Security number, convinced the
customer service representative to open more accounts in my
name.
The only error with the bill was that it had been mailed to
me at my old address instead of to the thief at the new
address. Today, I am thankful for that error, as I found out
earlier that I had become yet another victim of identity theft,
a crime I heard of at the time but had never thought of as
happening to anybody I knew, and certainly myself.
I spent the next few months of my life immersed in
restoring my good credit and trying to educate those around me
about how to lower the risk of it happening to them. Over a
period of six months, my credit report showed that I moved
almost every month to four different new addresses, from Falls
Church, Virginia, to Brooklyn, New York, to Seapointe, Georgia,
to Chicago, Illinois, and Pleasanton, California. These reports
also showed me attempting and succeeding at opening several new
credit card and bank accounts, and this was all after I had
placed a fraud alert on my name file.
During the six months, I experienced many frustrations.
There was no one there to help, and the people who were there I
didn't know about. Since the crimes all occurred in different
States and jurisdictions from my residence, law enforcement
agencies didn't help. Banks conducted investigations, but they
usually didn't begin the investigations until four months to a
year after the crimes occurred.
Banks kept making mistakes and no one seemed accountable
for their mistakes. Once, a bank FedEx'ed a card to the
fraudulent address after I had notified them of the fraud. On
another occasion, the thief convinced the bank that I was a
thief--this was the original bank where it started--even though
I had lived at my address for 12 years and the thief had only
been at her address for 2 weeks.
I felt that no matter how hard I tried, I was always a step
behind. The only information I could receive about my crime I
gleaned from credit reports. And my thief was smart. By the
time that new information addresses were posted to the reports,
the thief or thieves had already moved on to another location.
Banks refused to give me information about activity in my
name. The bill that I actually received was the only specific
information that I ever received about amounts, the kinds of
purchases, et cetera, in my name. Banks refused to give me
information, since the cases were under investigation, and I
found this one of the most frustrating things.
I am grateful to hear your discussion today about the
Feinstein-Kyl bill and the Cantwell bill. There are provisions
of these bills that I feel would have helped me if they had
been in place at the time and will certainly help future
identity theft victims.
Granting the FTC authority to fine the merchants for
ignoring fraud alerts might make merchants more careful about
checking credit bureau files before issuing instant credit. It
would certainly make them more accountable for the mistakes
they make.
Three of the provisions would let victims know of their
identity theft early and let them correct information with
merchants before negative information is sent to the credit
bureaus. They are: the requirement that credit card companies
notify consumers when additional cards are requested on an
existing account within 30 days of a change of address request,
a requirement for notification to be sent to both the new
address and the former address, and the requirement that the
FTC issue rules requiring credit bureaus to investigate
discrepancies between a credit card applicant's address and the
records in its files. My address kept changing every month
after the fraud alert and I never heard about it until I got
copies of the credit report.
The requirement that businesses give identity theft victims
a copy of any documents, such as credit card applications
related to an identity theft, will make it easier for the
victim to protect themselves, or at least to feel like they are
doing something that would help.
I will never forget the confusion and frustration I felt
that day and have felt to some extent everyday since the day I
received the bill, the day I learned I was the victim of a
crime that feels in many ways like financial cancer. Today, as
far as I know, I am in remission from the cancer, but I cannot
be sure that I will ever be completely cured.
The thief is probably still out there, unapprehended, with
enough of my personal information in hand to destroy my credit
all over again at any time. And other potential thieves can
easily access this information from Internet sites that sell
personal information, including Social Security numbers. In my
case, I never learned who the thief was. What was more
disturbing to me was that I don't believe anyone ever really
tried to find the thief.
I applaud your efforts and urge your continued efforts to
protect victims of identity theft. I am also grateful to the
Government agencies, such as the FTC and the U.S. Postal
Inspection Service, and to the media for workingtogether to
educate citizens about how to reduce their risk of becoming
victims and how to restore their credit if it should happen to
them.
Thank you.
[The prepared statement of Ms. Twentyman follows:]
Statement of Sallie Twentyman
I appreciate the opportunity to appear here today to tell you about
some of my experiences as a victim of identity theft.
On September 14, 1999, I received a credit card bill that changed
my life--a bill that included charges for one convenience check for
$9600, three other cash advances totaling about $2500, and a payment of
$8300. I was in shock, wanting to believe that there was an easy
explanation for this bill--that the credit card company had sent me
someone else's bill by mistake, or that someone had keyed in some
numbers incorrectly.
But when I called the bank to report ``the error'', I found out
that the charges were very real. Someone had stolen my renewal credit
card from the mail before it reached me and had immediately called the
credit card company with a change of address. During the conversation,
this person also obtained information about other credit card accounts
that I held at that same bank, and, using my social security number,
convinced the customer service representative to open more accounts in
my name. The only error with this bill was that it had been mailed to
me at the ``old'' address instead of to the thief at the ``new''
address.
Today, I'm thankful for this error, as I found out early that I had
become yet another victim of identity theft, a crime I had heard of but
never thought of as happening to anyone I knew. I spent the next few
months of my life, immersed in restoring my good credit and tying to
educate those around me about how to lower the risk of this happening
to them.
Over a period of six months, my credit reports showed that I moved
almost every month, to four different ``new'' addresses--from Falls
Church, VA to Brooklyn, NY to Seapointe, GA to Chicago, IL and
Pleasanton, CA. The reports also showed me attempting and succeeding at
opening several new credit card and bank accounts. And this was all
AFTER I had placed a fraud alert on my file.
During those six months, I experienced many frustrations.
There was no one there to help. Since the crimes all
occurred in different states and jurisdictions from my
residence, law enforcement agencies didn't help. Banks
conducted investigations, but they didn't usually begin their
investigations until four months to a year after the crimes
occurred.
Banks kept making mistakes, and no one seemed
accountable for their actions. Once, a bank FedEx'ed a card to
the fraudulent address after I had notified them of the fraud.
On another occasion, the thief convinced a bank that I was the
thief, even though I had lived at my address for 12 years and
the thief had only been at her address for two weeks.
I felt that, no matter how hard I tried, I was always
a step behind. The only information I could receive about my
crime I gleaned from my credit reports. And my thief was smart.
By the time that new information and addresses were posted to
my reports, the thief (or thieves) had already moved on to
another location.
Banks refused to give me information about activity in
my name. The bill that I actually received was the only
specific information that I ever received about amounts, the
kinds of purchases, etc. in my name. Banks refused to give me
information since the cases were ``under investigation''.
I am grateful to hear of your discussions today about Senator
Feinstein's bill (S. 1399) and Senator Cantwell's bill (S. 1742). There
are provisions in these bills that I feel will help future identity
theft victims:
Granting the FTC authority to fine merchants for
ignoring the fraud alert might make merchants be more careful
about checking credit bureau files before issuing instant
credit. It would certainly make them more accountable for the
mistakes they make.
Three of the provisions would let victims know of
their identity theft early, and let them correct information
with merchants before negative information is sent to the
credit bureaus. There are (1) the requirement that credit card
companies notify consumers when additional cards are requested
on an existing account within 30 days of a change of address
request, (2) the requirement for notification to be sent to
both the new address and the former address, and (3) the
requirement that the FTC issue rules requiring credit bureaus
to investigate discrepancies between the credit card
applicant's address and the records in its files.
The requirement that businesses give identity theft
victims copies of any documents (such as credit card
applications) related to an identity theft would make it easier
for a victim to protect himself.
I'll never forget the confusion and frustration I felt that day and
have felt, to some extent, every day since the day I received that
bill, the day I learned that I was a victim of a crime that feels, in
many ways, like ``financial cancer''. Today, as far as I know, I'm ``in
remission'' from this ``cancer'', but I cannot be sure that I'll ever
be completely cured. The thief is probably still out there,
unapprehended, with enough of my personal information in hand to
destroy my credit all over again, at any time. And other potential
thieves can easily access this information from Internet sites that
sell personal information, including social security numbers.
In my case, I never learned who the thief was. What was more
disturbing to me was that I don't believe anyone ever really tried to
find the thief.
I applaud your efforts and urge your continued efforts to protect
victims of identity theft. I am also grateful to the government
agencies such as the FTC and the US Postal Inspection Service and to
the media for working together to help educate citizens about how to
reduce their risk of becoming victims and how to restore their credit
if it should happen to them.
Chairperson Feinstein. Thank you very much.
Inspector Cannon.
STATEMENT OF LOUIS P. CANNON, PRESIDENT, DISTRICT OF COLUMBIA
LODGE, GRAND LODGE, FRATERNAL ORDER OF POLICE, WASHINGTON, DC
Mr. Cannon. Good morning, Madam Chairman, distinguished
members of the Senate Subcommittee on Technology, Terrorism,
and Government Information. My name is Lou Cannon. I am a 30-
year veteran of law enforcement, currently with the Department
of Treasury, U.S. Mint.
The FOP is the Nation's largest law enforcement labor
organization, representing more than 300,000 rank-and-file law
enforcement officers in every region of the country. I am here
this morning at the request of Steve Young, National President
of the FOP, to discuss our support of two pieces of
legislation: S. 1399, the Feinstein-Kyl bill, the Identity
Theft Protection Act, introduced by you, Madam Chairman, and
Mr. Kyl, and S. 1742, the Restore Your Identity Act, introduced
by Senator Maria Cantwell.
The technology of information age has allowed criminals to
commit traditional crimes in new ways. Identity theft is one
such example. A criminal who obtains key pieces of personal
information--and at this time, Madam Chairman, I would like to
thank you for providing me with the information that I needed
to obtain a credit card.
Chairperson Feinstein. I provided that?
Mr. Cannon. Yes, ma'am. I will give it to you after the
hearing.
Chairperson Feinstein. Oh, that is our Web site.
Senator Cantwell. I think what he means, Madam Chairman, is
that it is so simple----
Mr. Cannon. The technology is there and you can provide it
if you know what you are doing.
Chairperson Feinstein. Oh, I see what you are saying.
Mr. Cannon. You didn't give it to me, but I got it.
Chairperson Feinstein. Thank you. I got worried for a
minute.
Mr. Cannon. No, you didn't give it to me. I got it from
you.
Chairperson Feinstein. Oh, all right.
Mr. Cannon. Let me finish and you will see.
Chairperson Feinstein. Uh-oh, trouble. [Laughter.]
Mr. Cannon. They can then commit fraud and other crimes by
purchasing credit, merchandise, and services in the name of the
victim. In 2001, an estimated 700,000 consumers became victims
of identity theft. Reports of these crimes have doubled in many
jurisdictions and there is no reason to believe that this trend
will not continue.
The cost of these crimes is high. The U.S. Secret Service
estimates that in 1997 consumers lost more than $740 million as
a result of identity theft. Victims find their entire credit
histories ruined, affecting their ability to obtain future
credit, good interest rates, loans to buy homes or businesses
or pay college tuition, or obtain security clearances.
According to a report issued by the California Public
Interest Research Group and the Privacy Rights Clearinghouse,
it takes a victim an average of 175 hours and more than $800 to
destroy the damage done to their credit rating by these
criminals.
These crimes are often ones of opportunity. For the
criminal, the risk is relatively low. It was for me; I just sat
at my computer. The potential profit is relatively high.
Furthermore, the nature of the crimes makes it difficult for
local and State law enforcement to investigate these crimes
effectively or even take a report.
For example, a victim in South Carolina has his identity
stolen while on vacation in Florida and the information is used
to buy merchandise in New Jersey. Where was the crime
committed? South Carolina, where the victim resides, in Florida
where the information was stolen, or the point of purchase in
New Jersey? What if the fraudulent purchase was made online?
The investigation of these crimes presents a very real
challenge for law enforcement. At present, we lack the tools to
effectively investigate these crimes. I do not have any
official statistics at this time, but anecdotally I estimate
that the clearance rate for such cases--that is, those cases in
which an arrest is made--is less than 10 percent.
The legislation that this subcommittee is considering
today, Madam Chairman, aims to make it more difficult for
criminals to obtain the sensitive personal data used to
perpetrate identity crimes, restoring and preventing the damage
done by such crimes, and to enhance the ability of law
enforcement to investigate and prosecute these types of
offenses.
For example, 1399, the Feinstein-Kyl bill, would require a
credit card company to notify the card-holder whenever they
receive a request for a new card or a change of address. An
alert consumer will be able to tell immediately that someone is
attempting to steal their identity. Credit card companies would
also be required to disclose discrepancies to consumer credit
reporting agencies, better enabling the victims of identity
theft to retain their good credit rating.
The legislation would also require new credit card machines
that print receipts to truncate all but the last five digits of
the card, frustrating attempts to steal this information.
Remember, identity theft is a crime of opportunity. The more
difficult it is for criminals to obtain this information, the
fewer instances of these crimes will occur.
This bill also codifies the current industry practice of
issuing fraud alerts and provides for rulemaking by the FTC to
require credit card reporting agencies to investigate
discrepancies between credit applications and credit reports,
as well as to develop procedures for referral of consumer
complaints about identity theft and fraud alerts between
consumer reporting agencies. In addition to helping victims of
identity theft, these changes will better enable law
enforcement to gather information about these crimes and
improve our ability to investigate open cases.
The second piece of legislation being considered by the
subcommittee is S. 1742, Senator Cantwell's bill. The FOP
believes this bill will enhance the ability of law enforcement
to gather evidence while investigating these crimes.
For instance, many creditors are unwilling to divulge
information about open accounts because of liability concerns
and a good-faith desire to protect the privacy rights of the
account-holder. Many will not release any information without a
court order or unless the victim agrees to claim responsibility
for the account, meaning the outstanding balances.
The sad fact of the matter is that law enforcement is
unable in the vast majority of cases to expend the resources
necessary to obtain a court order in this type of case without
additional evidence of criminal activity, making it a catch-22
of sorts.
In addition, the lack of timely information about the
fraudulent transaction delays the progress of the investigation
and the chances of closing the case. It also means that the
victim's name may be used again and again to perpetrate fraud.
Criminals who engage in identity theft count on the inability
of law enforcement to gather in a timely fashion the evidence
needed to find and convict them. It is one of the things that
makes this crime both low-risk and profitable.
Your bill would change this by mandating that a victim of
identity theft may request and receive relevant documentation
about questionable transactions from the business or service
possessing such information within ten days. The legislation
correctly insulates these businesses from liability with
respect to these disclosures, which could help both victims and
law enforcement get the information in a timely manner.
Now, how might his help in investigations? Let us say, for
example, that a criminal has obtained a credit card in someone
else's name and is using it to purchase merchandise. If law
enforcement receives the information from the credit card
company about the transactions within a few days, it might be
possible to contact the business and obtain a description of
the suspect, or even catch the suspect on a videotape. This is
very strong evidence that can help bring these criminals to
justice. Timely access to the information will greatly increase
the risk factor for those criminals who engage in this type of
crime.
S. 1742 would also amend the Internet False Identification
Prevention Act, and include State and local law enforcement in
the FTC study examining enforcement of identity theft laws,
improving communication and coordination in multiple
jurisdictions. This is very important because even though
identity theft is a Federal offense, State and local
authorities are most likely to take the initial report and
investigate the crime, as Senator Sessions has brought out. The
gathering and dissemination of information about these crimes
is critical to developing successful strategies to deal with
the growth of identity theft crimes.
The bill also allows for aggressive prosecution of
criminals engaged in fraud or identity theft crimes by making
the offense under State law a RICO case. The aspects of this
bill will greatly increase the penalties for those who engage
in identity theft and will reduce the profits available to
those persons trafficking in stolen identities in order to aid
others in perpetrating fraudulent transactions.
The reason that identity theft is on the rise is that it is
easy, profitable crime with a low risk of being caught. The FOP
believes that these two bills together will reduce the
opportunities of criminals or potential criminals from
obtaining the personal information that makes identity theft
possible.
Additionally, the bills aim to increase the risk of
discovery and arrest by making it easier to obtain evidence
against the perpetrators and enhancing the penalties for
committing these types of crimes. With the tools provided in
both of these pieces of legislation, you are providing victims
and law enforcement with the tools they need to protect
themselves and bring this new kind of criminal to justice.
I thank you for asking me here and giving me the
opportunity to testify. I would like to close with borrowing
just one little slogan: it is everywhere you want to be. Make
sure it is you who is there.
Chairperson Feinstein. Thanks very much, Inspector Cannon,
and tear up that piece of paper.
Mr. Cannon. I will be giving it to your staff afterwards.
[The prepared statement of Mr. Cannon follows:]
Statement of Louis P. Cannon, President, District of Columbia Lodge,
Grand Lodge, Fraternal Order of Police
Good Morning, Madam Chairman, Ranking Member Kyl, and distinguished
Members of the Subcommittee on Technology, Terrorism, and Government
Information. Thank you for giving me the opportunity to appear before
you today. My name is Lou Cannon, and I am the President of the
District of Columbia Lodge, and Chairman of the Federal Officers
Committee.
I am here this morning at the request of Steve Young, National
President of the Grand Lodge, Fraternal Order of Police, to speak in
support of S. 1399, the ``Identity Theft Prevention Act of 2001''
introduced by Chairman Feinstein and Senator Kyl, and S. 1742, the
``Restore Your Identity Act of 2001'' introduced by Senator Cantwell.
The F.O.P. is the largest law enforcement labor organization in the
United States, representing more than 300,000 members.
Identity theft occurs when a criminal obtains personal identifying
information, such as a social security number, date of birth, credit
card account number, or bank account information, and then fraudulently
uses this information for criminal purposes. Simply possessing personal
information is not considered a criminal act, but the use of it is.
Tracking and investigating identity theft crimes have proven dffficult
for law enforcement. In today's world, vast amounts of personal
information, once difficult to obtain, is now easily accessible to
anyone with access to the Internet. In addition, personal information
is being sold on the black market. For a price, criminals can access a
ready-made database of information without risk or effort of retrieval.
The sharp rise in identity theft crimes is of grave concern to the
law enforcement community. The Federal Trade Commission (FTC) announced
this January that identity theft was the top consumer fraud complaint
of 2001, garnering forty-two percent (42%) of the complaints entered
into the Consumer Sentinel database, with Internet auctions a distant
second at ten percent (10%). As you know, the Consumer Sentinel
database, which incorporates information submitted by law enforcement
agencies, is a clearinghouse of information collected by the FTC. It is
estimated that there were more than 700,000 victims of identity theft
in 2001, with a reported 2,000 calls a week to the FTC identity theft
hotline. A 1999 study commissioned by an identity theft prevention
service found that one out of five people or family members have been
victimized by identity theft. The cost to the victims, financial
institutions, and law enforcement is tremendous. In 1997, the Secret
Service estimated that victims lost an aggregate $745 million as a
result of identity theft, and this number is expected to rise.
Besides the financial losses associated with identity theft,
victims may also encounter additional hardships that are not
quantifiable. For example, victims might have difficulty securing
educational loans or qualifying for home mortgages. When a criminal has
compromised a victim's credit rating, their ability to rent an
apartment, open a bank account, or apply for store credit can be
irreparably damaged. Circumstances might even lead to permanent
consequences, such as a criminal record for the victim. Victims of
identity theft may even be denied employment for their lack of credit
worthiness. For example, as reported in a 1998 Washington Post article,
a victim had his wallet stolen, followed by his identity. After
committing several unrelated offenses, the identity thief was arrested.
Upon his apprehension, the criminal falsely identified himself as the
victim and produced corroborating identification. As a result, the
victim was burdened with a criminal record and was subsequently
rejected by several potential employers for this reason.
The crime of identity theft is repetitive in nature, for as long as
the criminal is in possession of the victim's personal information,
they can be re-victimized. Even if fraud insurance covers any financial
loss, the victim will continue to suffer a flawed credit history, and
will be forced to prove their innocence repeatedly to creditors, credit
bureaus, and debt collectors for an indefinite period of time.
According to the Identity Theft Resource Center, victims spend an
average of 175 hours and $808 in out-of-pocket expenses to restore
their credit and clear their names.
There are numerous means by which personal identifying information
can be obtained, but there are several ``tried and true'' methods
employed by identity thieves. These criminals often rummage through the
trash of a private residence or business, steal wallets containing
identification, or hijack bank and credit card statements or
applications from the mail. They may complete a change of address form
to direct mail to another address, use information provided on the
Internet, or buy personal identifiers through the black market. Once
the identity thief locates the personal identification, they have
unlimited power to wreak havoc on the unsuspecting victim. The
criminals may operate on a very basic level, or possess a certain
degree of sophistication when using the fraudulently obtained data.
Identity theft plots may be as simple as establishing new lines of
credit or utility service and failing to pay, writing bad checks or
counterfeit checks on a bank account in the victim's name, using the
victim's identification as an alias upon arrest by law enforcement; or
as complex as purchasing a home or car in the victim's name, or filing
for bankruptcy to avoid unpaid debts accrued by the thief.
There are measures an individual can take to safeguard their
personal information, like shredding bank statements, ripping up credit
card receipts with the account number printed on them, and destroying
expired credit cards in order to prevent criminals from collecting
information by rummaging through the trash. Yet, despite a
conscientious effort to protect personal information, potential victims
have no control over how their privacy is safeguarded by those who do
have access to their personal information.
For these reasons, the F.O.P. strongly supports S. 1399, the
``Identity Theft Prevention Act of 2001''. First, the bill mandates
notification to consumers when a credit card company receives a change
of address request for an existing account followed within thirty (30)
days by a request for a duplicate credit card. The intent of this
notification is to prevent a criminal from stealing the credit card
number and related personal identifying information. By arming victims
with this knowledge, they will be better able to defend against any
unauthorized activity and prevent any further damage from occurring. In
addition to this preventative measure, S. 1399 requires consumer
reporting agencies to disclose any anomalies in the victim's file as
they pertain to the address listed on the credit report to the company
making the request. Creditors are thereby warned of possible fraudulent
credit applications, frustrating criminal attempts to use this
information. The information needed to steal an identity is easy to
acquire--pilfering through garbage to obtain credit card account
information, diverting mail through a change of address, or
``skimming'' credit cards to record the personal data contained on the
magnetic strip. Identity thieves know that their risk of apprehension
is low, and even if they are convicted, the penalty for such illegal
activity is minimal. The proposed legislation appropriately addresses
the means by which to hold businesses and creditors accountable for the
mismanagement of private information.
Second, the legislation you have introduced also permits potential
victims to demand that consumer reporting agencies place a fraud alert
in their file, the purpose of which is to prevent the issuance of
credit without expressed permission. By definition, a fraud alert means
``a clear and conspicuous statement in the file of a consumer that
notifies all prospective users of a consumer report made with respect
to that consumer that the consumer does not authorize the issuance or
extension of credit in the name of the consumer'' unless by some
prearranged method mutually agreed upon between the consumer and
consumer reporting agency. Enforcement of this provision will make the
crime of identity theft more difficult to accomplish, and therefore
less attractive to the criminal element.
Third, this legislation promotes cooperation among the three major
credit bureaus through an FTC rulemaking to be conducted within 270
days after the enactment of S. 1399. Victims of identity theft will
benefit from the sharing of information between these agencies. For
example, as required by the rulemaking, the procedure for reporting
consumer complaints about identity theft and fraud alerts will be
streamlined so that victims will not have to report the same
information to each credit reporting agency, saving the victim valuable
time and effort. The rulemaking also requires investigation of
discrepancies between a victim's credit application and credit report,
should any such irregularities exist.
Finally, the bill requires all new credit card machines that print
receipts electronically to leave off the expiration date of the credit
card and all but the last five numbers of the account. Receipts thrown
away by potential victims often end up in the hands of an imposter who
uses the personal information on the receipt to make unauthorized
purchases and run up debt that the victim is unaware of. Truncation of
the credit card account number will effectively halt the practice of
stealing information from receipts, even if the receipt is disposed of
improperly. These preventative measures, combined with aggressive
enforcement of identity theft legislation, will enhance the campaign to
slow, and ultimately reverse, the growth of identity theft crimes.
The crime of identity theft presents a very real challenge to law
enforcement to investigate and prosecute the offenders, partly because
evidence of the crime is unavailable in a timely fashion. That is why
the F.O.P. is pleased to support S. 1742, introduced by Senator
Cantwell, which seeks to improve the cooperation among the credit
reporting agencies, businesses, victims, and law enforcement. This is a
critical first step to the successful investigation and prosecution of
identity theft crimes. First, this bill requires a business possessing
records related to an identity theft to furnish the relevant
documentation within 10 days of the request, provided that the identity
of the victim can be verified by the business. Many creditors have been
unwilling to divulge information about open accounts or recent
transactions because of liability concerns and a good faith desire to
protect the privacy rights of the consumer. S. 1742 addresses this
concern by exempting these businesses from liability with respect to
any disclosure made to further the investigation of identity theft or
assist the victim. The disclosure of evidence to the victim aids law
enforcement in pursuit of the thief. With an estimated 700,000
consumers falling prey to identity theft in 2001, and law enforcement
resources and manpower stretched to their limits, the cooperation of
the business community is essential to stopping these types of crimes.
Second, through an amendment to the Internet False Identification
Prevention Act, local and State law enforcement will be included in the
Federal Trade Commission Study examining the enforcement of identity
theft laws. This is important because these agencies, not Federal
authorities, are most likely to investigate these types of crimes,
despite the fact that identity theft is a Federal offense. Moreover,
because the stolen identities are frequently used to commit offenses in
multiple jurisdictions, State and local law enforcement from around the
United States may be called upon to investigate the same crime.
Therefore, it is imperative that information is quickly gathered and
shared, keeping the lines of communication open to effect a swift and
successful arrest and prosecution.
Third, the bill also allows for aggressive prosecution of criminals
engaged in fraud or identity theft crimes by making the offense under
State law a Federal Racketeer Influencing and Corrupt Organization
(RICO) predicate. Businesses will be better equipped to defend
themselves against such criminal activity, resulting in increased
penalties for those who engage in identity theft. Civil actions brought
by the State Attorneys General on behalf of victims in that State are
also permissible under Senator Cantwell's legislation. Whereas
prosecutors may be unable to prove criminal identity theft, the victims
could still see justice done through civil litigation.
Fourth, alternatives to criminal punishment, such as the filing of
civil suits in Federal court as set forth in S. 1742, increase the
opportunity to enforce identity theft laws and hold the imposters
accountable for their deception. This is a win-win situation for both
victims and law enforcement, since tough enforcement of the law
increases the risk of detection and thus deters crime.
Fifth, Senator Cantwell's legislation also amends the Fair Credit
Reporting Act, giving victims a greater chance of recovering their good
name, by providing that the two-year statute of limitations on an
identity theft-related claim begins after the victim discovers the
theft, not at the time the crime was actually perpetrated. Similarly,
the bill requires that harmful information resulting from identity
theft must be blocked from the victim's credit report, assuming the
victim did not participate in the crime itself or profit directly or
indirectly from it.
The reason that identity theft is on the rise is that it is an
easy, profitable crime, with a low risk of being caught. Anecdotal
evidence collected by Ventura County, California indicates that less
than ten percent (10%) of identity theft crimes result in an arrest and
conviction. The F.O.P. believes that these two bills together will
reduce the opportunities of criminals or potential criminals from
obtaining the personal information that makes identity theft possible.
Additionally, the bills aim to increase the risk of discovery and
arrest by making it easier to obtain evidence against the perpetrators
and enhance the penalty for committing these types of crimes.
Collectively, both pieces of legislation will frustrate purveyors of
identity theft and ultimately curb the rapid progression of this costly
offense.
I want to thank the Subcommittee for the opportunity to appear
before you here today. I would be pleased to answer any questions you
may have at this time.
Chairperson Feinstein. Linda Foley.
STATEMENT OF LINDA FOLEY, EXECUTIVE DIRECTOR, IDENTITY THEFT
RESOURCE CENTER, SAN DIEGO, CALIFORNIA
Ms. Foley. Thank you very much, Senator Feinstein and
members of the subcommittee. I thank you for having me here
today. It is an honor especially because I have had a chance to
work with both Senator Cantwell and Senator Feinstein in
helping to put some of these bills together.
By the way, our program has expanded. Besides victim
assistance, we are also serving as a resource and advisory
center for everyone involved in this crime, from legislators,
governmental agencies, law enforcement, businesses, consumers,
and victims.
In the interest of time, I did submit a detailed written
statement and I am just going to highlight a few points this
morning.
I believe both of these bills are desperately needed and
long overdue. The three points I would like to highlight today
are the mandatory observation of fraud alerts, the providing of
transaction and application information to victims and law
enforcement, and why we believe that these bills are smart
business, and it is a subject I don't think has yet been
addressed this morning.
The Identity Theft Resource Center communicates with
between 50 and 70 victims and consumers per week by e-mail or
by telephone. We get about 10,000 visits per month to our Web
site. These are people who are concerned that their information
may be in the hands of another or being used by another or
could be. They want to know how to prevent this person from
abusing that information, and are dismayed when they find out
that fraud alerts are advisory in nature only right now.
We have worked with victims who have also had their
identities stolen, as in Sallie's case, after fraud alerts have
been placed. I do understand why that is happening. I was part
of a panel a few weeks ago that talked about that and I will be
happy to address it a little later if you would like.
The Feinstein-Kyl bill helps to empower consumers who want
to regulate those who have the ability to open accounts in
their name. It stops criminals, who we know are repeat
offenders and are very good at their job, from taking advantage
of poor business practices, and ensures that all credit issuers
will be duly warned of possible dangerous situations which
could cause them severe economic loss.
One thing I would like to add that we have not yet
addressed is when someone places a fraud alert on their credit
report, right now it tends to be 90 days only. What happens is
consumers think they have placed a fraud alert and it
disappears. They don't understand that it also needs to be
applied for in writing so that it has a longer period of time
that it will last. They say, well, I placed a fraud alert, and
two months later or three months later it is gone. So that is
one of the things we keep talking about.
Chairperson Feinstein. Do you know why it is just 90 days,
what the rationale was?
Ms. Foley. Until they provide information in writing that
they would like this as a permanent alert, which means anywhere
from 3 to 7 years, they are putting it down as a 90-day alert
only, in the belief that maybe this is not a true case of
identity theft.
I am the victim of identity theft. My imposter was my
employer. She is still out there, she is on probation. As far
as I am concerned, I will have a fraud alert on my report the
rest of my life because she still has access to that
information. That means I have to take the time to re-put that
on there every 3 years to make sure it continues on.
The second area I would like to highlight is in Senator
Cantwell's bill, which I was very honored to be asked to
participate in, and that is to allow law enforcement and
victims access to the application and transaction information.
I will say from personal experience that is how I found out who
my imposter was.
Solving a case of identity theft is much like solving a
jigsaw puzzle. If you only see one small piece of the crime,
which is typically what corporate fraud investigators see, they
don't see the whole picture. When victims and law enforcement
can start putting together pieces from 10, 20, 30 accounts that
have been opened in their name, then we start to see the entire
picture.
This information can help a victim to identify an imposter.
It can provide evidence that helps to prove a victim's
innocence. It indicates trends, shipping information, possible
witnesses to a crime. It can establish if that identity is
being used by one or multiple impostors. It might even help to
establish how that information was originally obtained. It is a
good tool in crime prevention, and also in apprehension and
arrest.
It would seem logical to me that if an account is being
held in my name that I should have access to that information.
What I hear from businesses is they say you can't because once
you have said it is not your account, you become a third party
and there is a legal issue and a privacy issue that they are
concerned about. What your bill actually does is sort of takes
them off the hook. We have that law in California, as well, and
businesses are delighted to see it because it has sort of given
them that opportunity to say this is something we wanted to do;
we just weren't sure we could.
The burden of proving one's innocence rests solely on the
shoulders of the victim. Yet, the victim doesn't have access to
that information. It is interesting that in a court trial the
defendant has the ability to access information that is going
to be used against him. That is not true in identity theft. The
cards are held with the credit issuers and they don't want to
share anything with you. How do I prove that I am not that
person when I don't see what you have against me?
Finally, while at first glance both of these bills seem to
be consumer-oriented, I would like to also point out that I
believe they are smart business. I will take some numbers that
I know I have gotten from different sources.
We know there are between 500,000 and 1.1 million victims
annually. That is information I get from law enforcement, by
the way. A Florida grand jury was empaneled to study the
problem of identity theft. They just released their first
interim report and they came up with a number similar to what
we have heard and what you stated, $17,000 per average crime.
If you take a moderate number of 700,000 victims, times
$17,000, you are looking at $11.9 billion of economic loss to
the business community. By the way, the same report came out
that the average bank heist is $3,500. There is a considerable
difference here in risk, as well as in benefit.
That does not, by the way, include secondary losses, which
would be legal time, investigative time, and the fact that
consumers can go out and buy this merchandise that has been
gained by impostors from another source, which is a second loss
to those businesses because they are losing business.
We know that companies that practice good business
practices, that observe fraud alerts, that confirm address
changes, and that practice truncation are not as inviting to
impostors and they turn to more happy grounds to steal from. In
the end, I believe that the business community will realize an
economic gain, will be less vulnerable to identity theft, and
will demonstrate that they are looking out for the safety of
consumers.
I will be happy to talk about the truncation issue and why
fraud alerts are ignored. By the way, the Los Angeles Times
just came out with an article that said that the arrest rate
was about 5 percent.
I thank you very much, and I thank Senator Feinstein,
Senator Kyl and Senator Cantwell for introducing these bills.
[The prepared statement of Ms. Foley follows:]
Testimony Provided by: Linda Foley, Executive Director, Identity Theft
Resource Center
Senator Feinstein and the members of the committee: Thank you for
the opportunity to provide both written and oral testimony for your
committee today and for your interest in the topic of identity theft. I
feel strongly that these two valuable pieces of legislation will help
to combat identity theft, empower consumers and assist law enforcement
and business to reduce loss due to this crime.
The Identity Theft Resource Center's (ITRC's) mission is to
research, analyze and distribute information about the growing crime of
identity theft. It serves as a resource and advisory center for
consumers, victims, law enforcement, legislators, businesses, media and
governmental agencies.
In late 1999, I founded this San Diego-based nonprofit program
after becoming a victim of identity theft myself. In my case, the
perpetrator was my employer and my story is just one illustration of
why we need the legislation you are considering today. ITRC's work with
thousands of victims, law enforcement officers, governmental agencies
and business has taught us much. I hope to share some of what I have
learned with you today.
My written testimony will be divided into three parts:
The crime: What is identity theft, its prevalence, why
it is so popular among criminals
Senate Bill 1742: Why ITRC supports this bill and
believes it will assist victims, law enforcement and businesses
Senate Bill 1399: Why ITRC supports this proactive
identity theft protection act and believes it will prevent
additional crime.
The Crime of Identity Theft:
The Federal Trade Commission has declared that identity theft is
the fastest growing crime in our nation today, gathering speed and
popularity among the criminal element of our society. Experts estimate
that between 500,000 and 1.1 million people became victims in 2001.
Why? Because it is a high profit, low risk and low penalty crime.
There are three main forms of identity theft:
In financial identity theft the imposter uses personal
identifying information, primarily the Social Security number,
to establish new credit lines in the name of the victim. This
person may apply for telephone service, credit cards or loans,
buy merchandise, or lease cars and apartments. Subcategories of
this crime include credit and checking account fraud.
Criminal identity theft occurs when a criminal gives
another person's personal identifying information in place of
his or her own to law enforcement. For example, Susan is
stopped by the police for running a red light. She says she
does not have her license with her and gives her sister's
information in place of her own. This information is placed on
the citation. When Susan fails to appear in court, a warrant is
issued for her sister (the name on the ticket).
Identity cloning is the third category. This imposter
uses the victim's information to establish a new life. He or
she actually live and work as you. This crime may also involve
financial and criminal identity theft as well. Types of people
who may try this fraud include undocumented aliens, wanted
felons, people who do not want to be tracked (i.e., getting out
of paying child support or escaping from an abusive situation),
and those who wish to leave behind a poor work and financial
history and ``start over.''
As an aside, in view of the discussion about national ID cards or
national driver's licenses, we do not see these cards as a way to
address identity theft. More typically, those who would commit identity
theft will either use fraudulent ID cards or carry none at all. In my
opinion, a national ID program will create a larger black market for
the acquisition of documentation and cards than we currently have
today.
Identity theft is a dual crime and no one is immune, from birth to
beyond death. There are at least two sets of victims in each case: the
person whose information was used (consumer victim, to be referred to
as victim from this point forward) and the merchant who has lost
services or merchandise (commercial victim). Unfortunately, many
commercial victims do not report the crime to law enforcement, finding
it more fiscally advantageous to write off the loss.
Postage, telephone, travel, photocopying, time lost from work,
costs involved in getting police reports and fingerprints, and resource
materials. Some victims never truly regain their financial health and
find credit issuers and even employers reluctant to deal with someone
with ``baggage.''
The emotional impact of identity theft can be extremely traumatic
and prolonged due to the extensive amount of time it can take to clear
one's name. Some victims can be dealing with the crime for 3 to 7 years
after the moment of discovery. Last week I was contacted by someone who
also had been a victim of my imposter (my employer was a magazine
publisher). This woman had been an advertiser in the magazine and our
imposter used her credit card for other purchases. We believe that she
may have applied for secondary card use. We started to put together a
timeline. It appears that my employer started to use my information
just weeks after this woman closed down the violated credit account.
This woman and her uncle are still trying to clear records now 4 years
old. It took several days for me to recover from talking with her. Our
conversation brought back all the original feelings of violation and
betrayal.
The addendum at the end is a brief outline of potential victim
emotional reactions.
Identity Theft Is a High Profit Crime:
The report stated: ``The average loss to the financial industry is
approximately $17,000 per compromised identity. For criminals, identity
theft is an attractive crime. An identity thief can net $17,000 per
victim, and they can easily exploit numerous victims at one time, with
relatively little risk of harm. By comparison, the average bank robbery
nets $3,500 and the criminal faces greater risk of personal harm and
exposure to a more serious prison sanction if convicted.'' (reprinted
at ``http://www.idtheftcenter.org'' MACROBUTTON htmlResAnchor
www.idtheftcenter.org under Speeches)
Their number is for financial institutions only. VISA and
Mastercard also report the number to be lower. Part of the problem may
be that not all commercial victims report the crime, lowering the
number. In fact, many in law enforcement have expressed frustration
that businesses prefer just to write the loss off rather than to get
involved in an investigation. I also believe they have a vested
interest in underreporting the loss so as to retain consumer confidence
in their industry and to not encourage a greater number of fraudsters.
I have based my numbers on those given by law enforcement, the
Florida and PRC reports and victims--sources I believe are unbiased and
more complete.
Using the number of $17,000 per victim and the estimate of 700,000
victims, the economic loss could total $11.9 billion to merchants,
credit issuers and the financial industry in 1 year alone.
I would like to further add that that $11.9 billion loss is just
the beginning. You also have to add the cost of law enforcement and
criminal justice time, costs to victims (including expensive attorney
time) and secondary economic losses to merchants when merchandise
``bought'' by imposters is resold, resulting in a lessening of customer
trade. Finally, there is the cost of investigating and prosecuting
secondary illegal activities (drug trafficking, etc.) funded with the
money made by imposters or information brokers who sell the documents
used by some imposters and those wishing to identity clone.
Identity Theft Is a Low Risk and Low Penalty Crime:
Identity theft is a relatively easy crime to commit, often
involving little risk to the imposter. It is almost as if they wear a
``cloak of invisibility'' and are given permission, even encouragement,
to try.
First, the Internet and telecommunications have made it easy to not
only apply for credit but also to make purchases from a variety of
private and public locations. Even those who appear in person do so
with the relative assurance that by the time the crime is discovered,
they will not be remembered and any video surveillance will be long
gone. FTC statistics prove that while some crimes are discovered within
weeks of the first attempt, the average time between the beginning of
criminal activity and discovery is about 15 months. Identity criminals
are quite clever at finding ways to receive deliveries at locations
other than at home. Many use drop spots or private postal boxes,
switching from store to store frequently.
Second, we have a problem in that identity thieves take advantage
of a system that is basically flawed, often due to poor business
practices by credit issuers and merchants. Because the credit reporting
agencies are subscriber services, credit issuers and merchants buy
various levels of service. I have been told that not all see fraud
alerts or even statements that the consumer is a fraud victim. Others
simply choose to ignore the alert, balancing the potential risk vs the
financial gain of a sale and unwillingness to irritate a new customer.
Third, law enforcement often finds this a frustrating crime to
investigate. One financial crimes task force representative told me
that an easy case of identity theft may take about 100 hours of
investigative time, a difficult case can take in excess of 500 hours.
Why? There are many obstructions to investigating these crimes for
both victims and law enforcement. After reporting the crime to credit
issuers, victims frequently hear the comment: If you are not the person
who opened the account, we can't provide information to you. Yet, these
same victims are held financially responsible for the bill until they
prove their innocence.
These two pieces of legislation in front of you today will help
victims and law enforcement to more readily access information for
investigation, give consumers more control of when and how credit is
issued, make it more difficult to commit identity theft and help us to
better understand the nature of this crime.
While they both appear to be consumer-driven, I will also address
the benefits to taxpayers, businesses and the financial industries,
which I believe will be substantial.
Testimony in Support of S 1742 (Cantwell):
There are three sections of this bill I would like to address.
Section 5: Information Available to Victims
Section 5 of S 1742 provides investigating law enforcement and
verified identity theft victims with copies of application and
transaction information on accounts opened in their name and
identifying information.
It would seem logical that when an account is opened in your name
that both investigating law enforcement and the victim should be able
to access the information that is associated with that account.
However, many companies refuse to provide copies of application and
other documentation, claiming that it would be a violation of the
imposter's, or true card holder's, privacy. They claim that once a
victim says it is not their account, they lose all rights to
information about it and have claimed legal problems in releasing
information to law enforcement and victims. Yet, unless that person
proves his or her innocence, that victim is still held financially
responsible. How does one prove innocence when you don't know what is
being held against you? In a court trial, the defendant has the right
to view all evidence that will be used, but not in a case of identity
theft.
When I became a victim of identity theft (Sept. 1997), I was
fortunate in that the first credit card company I called shared the
application information with me. I was able to immediately identify my
imposter. It was my employer and she used her business address, which I
recognized, as the mailing address for the account. The second credit
card company provided me with a copy of the application which I turned
over to the police. Armed with evidence, the detective could then get a
search warrant that led to her conviction.
Unfortunately, even the companies that helped me have now adopted
policies that make it next to impossible for victims to gain access to
information on accounts opened in their names. I was told that there
was a legal issue involved. Credit card fraud investigators told me
that once I said it was not my account, they feared that they would be
in violation of the Fair Credit Reporting Act by disclosing information
to a ``third party,'' someone who is not the account holder. They
wanted to provide the information but their legal departments were
unsure of what to do. The reality is that once this account has been
established as fraudulent and that a crime has occurred, all rights to
privacy for the person who opened the account should be suspended.
Access to the information regarding the account should be freely given
to the victim and law enforcement investigating the crime. Based on the
reaction in California and Washington, both states with a law similar
to this one, I believe you will see a positive reaction from business
because this law will clarify their legal status in giving out
information.
Application and transaction information on fraudulent accounts
provides the following information that the victim and law enforcement
could use to establish the true holder of the account and/or prove
innocence. This documentation:
Can help the victim to identify the imposter,
especially if the suspect is someone personally known to the
victim, as in my case. In some cases, this information revealed
a family secret that led to counseling and expert help.
Can provide proof that the signature on the form is
not that of the victim.
Shows trends, valuable to police and to victims.
Shows names and addresses where merchandise is
shipped.
Indicates phone records or transactions that could
point to potential witnesses to the crime.
Can establish location of transactions--was the crime
local only or is the information being used by a number of
imposters at the same time?
Can establish method of theft?
Might point to information that establishes how
original information was obtained. For instance, a middle
initial that was used only on a cell phone application, a legal
name only used for payroll purposes, etc.
Might provide evidence of multiple fraudulent accounts
that could help to convince a bank or credit card company that
this is a genuine act of identity theft and not just a customer
finding a way to not pay a bill.
Solving a case of identity theft is much like putting together a
puzzle. Each credit issuer fraud detective only sees one or two pieces
of the puzzle. It isn't until the victim, or law enforcement, see many
pieces that the picture begins to form. If you can't get the pieces,
the case remains unsolved and even more frustrating for the victim, is
considered unsubstantiated by law enforcement.
We recently passed a bill similar to this in California, now Penal
Code 530.8 (SB 125, California Senator Dede Alpert, San Diego), enacted
January 2002. The ITRC was the sponsor of the bill and had the
opportunity to talk with many groups about the purpose of the
legislation and to listen to those who did not originally support it.
Some of those who opposed the bill feared we would create a
vigilante environment. Far from it. Victims of identity theft only want
to clear their name. They are more than willing to let law enforcement
take over in terms of criminal prosecution. Victims are well aware that
some imposters are on drugs or part of gangs and that even driving past
a known location could be dangerous.
This bill will also enable law enforcement to gather evidence in a
timely manner, saving critical staff time and taxpayer money. This bill
ultimately should result in getting larger numbers of these imposters
off the street and lead to minimizing the economic loss to business.
Sec. 6. Amendments to the Fair Credit Reporting Act
This section deals with two issues: the ability to block fraudulent
accounts on an individual's credit report and extension of the statute
of limitations from moment of occurrence to the moment of discovery.
Blocking: Fraudulent accounts can and are being used in assessing
credit scores and affect a consumer's purchasing power. If I am able to
show with some reliability that I was not the person who opened this
account it should not be held against me. Unfortunately, it may take
several months for a credit issuer or collection agency fraud
investigator to look into a case and make a determination--is this a
case of a deadbeat card holder who charged more than they realized or
is this a legitimate case of identity theft.
This section will enable victims to more quickly expedite their
recovery. This is vital especially since many victims hear about the
crime when applying for credit. They may be purchasing a house or a
car. Even a delay in a few weeks could affect the cost and availability
of the purchase item. One of ITRC's regional coordinators (from San
Francisco, CA) found out about her situation when trying to purchase a
house. It took 1\1/2\ years to finally clear her credit report to the
point that she could qualify for a mortgage again. Of course, housing
costs had significantly increased and the mortgage broker asked for a
higher interest rate.
I do have one problem with this section that will probably need to
be addressed in future legislation--the requirement of a police report.
According to the 2001 FTC report, 20% of all victims were unable to get
the police to take a report. (``http://www.consumer.gov/sentinel''
MACROBUTTON html ResAnchor www.consumer.gov/sentinel) My work with
victims indicates that number may be much higher, perhaps ranging
upwards to 50% or greater depending on the state and jurisdiction. At
this time, California is the only state that I am aware of that
mandates a police report must be taken, in this case in the
jurisdiction where the victim lives (California PC 530.6). We do need
to find a way to require local law enforcement to take police reports.
I have been informed that the credit reporting agencies may have a
new policy of blocking on the basis of a ``police report'' and they
believe section 6 is not necessary. As a consumer and victim advocate,
I would like the reassurance that this voluntary policy has been made
into a law, one that is not subject to change by the economic interests
of a company whose primary customers are not consumers but businesses.
I applaud their intent and do not understand their reluctance to back
it up with legislation.
Statute of Limitations: Identity theft is an unusual crime. Most
victims of other types of crime are involved from the moment the crime
began. If your car is stolen, your house is robbed or you are mugged
and your purse taken, you know about the crime almost immediately. This
is not true in identity theft. In three studies (FTC, Florida Grand
Jury, Privacy Rights Clearinghouse--all cited in footnotes below), the
average victim didn't find out until 13-16 months after the crime first
began. By law the clock started when the crime began, giving identity
theft victims only a few months to investigate, assess the damage and
find out how the crime may have begun. Many victims take a year or more
to get to this point.
It is illogical to hold an identity theft victim to moment of
occurrence. As in many cases of adultery, we are often the last to know
of the crime. The group that knows best when an identity theft crime
first occurs is the credit industry. They are the ones who know whether
each application item exactly matches the items on the existing credit
report. To date, consumers who place a fraud alert, requesting that no
credit be issued without their express permission, do so with the
understanding that credit issuers are not required to honor that
request. (to be addressed in S1399).
Sec. 7. Commission Study of Coordination between Federal, State,
and Local Authorities in Enforcing Identity Theft Laws
One of the biggest problems facing both law enforcement and victims
is that identity theft is a multi-jurisdictional crime. I live in San
Diego but the imposter may be opening accounts in Los Angeles, New York
and Dallas. The perpetrator may make purchases in various areas in one
county. The Los Angeles area has 46 different law enforcement agencies
in that one county alone. That does not include federal law
enforcement, DMV, military, post office, immigration, IRS or Inspector
General's Office of the Social Security Administration.
There are many questions that still need to be addressed.
Who should investigate the crime? Most often it falls
to local law enforcement to solve the crime. But which one? Is
it the agency where the consumer lives? Is it in the
jurisdiction where the biggest commercial victim is, assuming
that they filed a crime report which many do not? If the crime
is occurring in multiple areas, can one local agency afford to
investigate a crime that may cross the nation? Rarely.
Does this conflict contribute to the low arrest rate?
Probably. It definitely contributes to victim frustration as
they get passed from one agency to the next. In terms of
prosecution, we find the same confusion and eagerness to pass
the case to another location.
Why are businesses reluctant to report this crime to
law enforcement? Is there a way to encourage more active
reporting?
Is there a way to ease communications between
jurisdictions?
Where are these crimes going to be prosecuted? Is it
in the jurisdiction where the consumer lives or where the
largest economic loss to a commercial victim is located? Will
the crime be combined or is this person going to be tried
repeatedly, once in each location?
Clearly we need studies to make recommendation about this issue. I
hope one other recommendation will be to require the reporting of
identity theft crime by law enforcement, perhaps even including it on
the FBI Master Crime Index. Until we statistically know the extent of
the crime we can't combat it. I know that you have been also frustrated
by the varying statistics you have encountered. Of course, it raises
the issue of how to count identity theft crime. If one imposter uses
the information of 10 consumers to steal merchandise from 20 stores, is
this one crime, 10 crimes or 30 crimes?
Testimony in Support of S. 1399:
For years consumers have sought to have more effective control over
who can access credit lines in their names. We know that criminals have
taken full advantage of the reluctance of the credit industry to take
positive, proactive steps against identity theft. This bill takes vital
steps in empowering consumers and businesses to avoid identity theft
situations. Again, I will address the major three sections of this
bill.
Confirmation of Changes of Address--Account Takeover and Consumer
Reports
Account takeover has been a problem for many years. It is fairly
easy to find out the credit card number of an individual, through mail
interception, shoulder surfing, on register receipts and through scams
both by telephone and over the Internet.
The United States Postal Service introduced a successful program
that mirrors the one recommended in this legislation. It mandates that
when an address change is requested that a card be sent to the current
address on record and to the new address, informing the consumer of the
requested change. The card directs the consumer to notify a toll-free
hotline should they dispute the change of address request.
This bill would create a similar program providing a consumer a
proactive way to control changes on accounts already opened under his
or her name. It would prevent criminals from changing the billing
address on an account and then applying as a secondary card user. By
changing the address, it could take several months for the consumer to
realize another person had accessed the account, especially if this was
a card that was not used frequently.
The second part of this section addresses the problem in which a
person has requested a credit report relating to a consumer, and the
request includes an address for the consumer that is a different
location from the most recent address in the file of the consumer.
One problem area of identity theft is that many thieves use
addresses that are different from that of the original consumer. Each
time a perpetrator applies for credit the address on the application is
entered onto your credit report. These addresses may be drop spots at
postal box stores, apartments used for criminal purposes, the middle of
a lake, an empty lot or even the address of an innocent third party who
works between 8 am and 5 pm, the times that FedEx and UPS usually
deliver. The criminal picks up the package with the homeowner never
knowing that their address has been used to commit a crime.
Because of this, many consumers find any number of erroneous
addresses on their credit reports. In my work with victims I've seen
credit reports with up to 20 wrong addresses, all apparently currently
in use. The three major CRAs are all using automated systems now. When
a consumer requests a copy of a report, he or she must give the number
part of his/her residence, supposedly the last one on the report.
Again, it stands to reason that the credit reporting agencies need
to exercise due diligence in verifying that the credit report goes to
the right person.
If you will excuse my candor, both of these bill concepts are no-
brainers and should have been implemented voluntarily by industry years
ago.
Fraud Alerts
The ITRC receives at least 50 inquiries each week from consumers
who either are concerned about identity theft vulnerability or who fear
they may have already become a victim of identity theft. They contact
our offices asking about what actions they could take to prevent
identity theft and to make sure that no one can open credit lines
without permission. They want to be good consumers and wish to protect
their family and credit history.
A 1999 Lou Harris-IBM Consumer Privacy Survey reports that 94% of
Americans think personal information is vulnerable to misuse. I believe
that number has remained the same or even increased. We have all heard
media reports that explain that our information is handled by far too
many people on a daily basis. In an advertisement recommending
traveler's checks, American Express stated that a wallet is lost or
stolen every 10 minutes.
Current identity theft victims want to stop the perpetrator from
opening yet another account. Many fear with good reason that unless
they immediately lock the door to credit the perpetrator will continue
to attack them for years to come. Even if the imposter is arrested,
there is no guarantee that he or she will not sell the information to
another individual who in turn will try to open credit using the
consumer's information.
The only measure of control over the establishment of new credit
lines is through a fraud alert placed with the three major credit
reporting agencies. Unfortunately, at this time the notice of a fraud
alert--``Do not issue credit without my express permission. I may be
reached at 555-555-5555''--is advisory in nature only.
This bill addresses two vital issues. It will make sure that every
credit issuer sees and observes the words ``fraud alert'' or ``fraud
victim'' regardless of whether a full credit report, credit score, or
summary report is requested. This has been the bill that consumers have
wanted for years, the ability to lock the door before a theft occurs.
To not allow consumers to have this option is the same as saying--
``Yes, you may put a deadbolt lock on the door but you don't have
control over when it gets used.'' The measure of security that this
bill will provide is tremendous.
In your explorations of identity theft, you have probably learned
far more about your vulnerability than you used to know. Perhaps more
than you ever wanted to know. As someone who hears about the results of
this crime multiple times a day, I am all too aware of my exposure. I
am more than willing to forgo instant credit in exchange for the
knowledge that with a fraud alert, no one shall be able to get credit
in my name without my permission. The savings of 175 hours and $1,100
(victim costs to restore financial health) are small compared to the
emotional impact of this crime. I pray that none of you will experience
the problem of identity theft. This bill might help make that wish
possible.
Second, it establishes penalties for failure to observe these
preauthorization requests and alerts. This is essential. Without the
penalty part of this bill, I fear that the decision between ``should I
observe a fraud alert'' and ``the customer will take his or her
business elsewhere and I'll lose my $400 commission'' is too subject to
the whims of avarice.
It is impossible to state loudly or clearly enough how important
this section of S. 1399 is to consumers and in turn to the nation's
economy. If this bill is passed, the potential savings to credit
issuers, financial institutions and merchants could be in the billions
of dollars.
Truncation of Credit Card Account Numbers
This section requires that no person, firm, partnership,
association, corporation, or limited liability company that accepts
credit cards for the transaction of business shall print more than the
last 5 digits of the credit card account number or the expiration date
upon any receipt provided to the cardholder.
My comments on this shall be brief. Mary goes shopping. It's a busy
time, perhaps a white sale or during the holidays. As she wanders from
store to store, she doesn't notice the gray-haired woman walking behind
her. In fact, unless you are trained, you may not even notice that the
older woman has slipped her hand into Mary's purchase bag and pulled
out the receipt for the sweater she bought a few minutes ago. On this
receipt is Mary's credit card number. By the time Mary gets home a few
hours later, this woman (minus the wig) has hit two nearby shopping
centers and charged about $3,000 in merchandise to Mary's account.
California has already established a truncation law. At first,
stores were reluctant to embrace this law stating that it would cost
too much. Using an extended implementation date, similar to the one on
this bill, California merchants have been allowed the opportunity to
make computer changes in registers as they were replaced and didn't
require a quick overhaul of their entire system. Truncation is smart
business, both in showing that merchants are concerned about consumers'
economic safety and in terms of loss prevention. Even the California
Better Business Bureau is supporting this action in California (as
reported by the San Diego branch) and reminds businesses about
truncating whenever they find a receipt where the system has not yet
been changed.
Concluding Statements
Identity theft is a national crisis and the system allows, in fact
encourages, criminals to take advantage of sloppy and thoughtless
business practices. Media and community groups I speak with often asked
why the increase in this crime. The answer is simple--this crime is
almost irresistible. It has become ridiculously easy to commit this
crime. Criminals know victims will get bounced from one jurisdiction to
the other, often failing to find someone to investigate the crime.
They also know that most businesses will not file charges against
them. They count on the fact that in today's tight competitive market a
company's greed may overcome caution and that fraud alerts will be
ignored.
How does one combat a crime like identity theft given all these
issues? How do you finally start to control the crime rather the crime
controlling society?
We educate consumers and businesses. We give law enforcement the
budget, staff and training they need to investigate financial crime.
And finally, we do what I hope you will do as a result of today's
hearing. We pass laws that make it more difficult to commit the crime.
We pass laws that empower consumers and law enforcement to find these
criminals so they can't hide because of the system. We pass laws that
force reluctant businesses to do the right thing, despite the fact that
it may cost a few dollars up front. In the end, they will realize an
economic gain--in reducing investigative time of fraud investigators,
in loss of services and merchandise, in legal fees, restocking time and
costs, and in improved customer relations which draws people to their
front doors.
This bill is smart business and companies, credit issuers and
financial institutions should actively lobby for this bill. Companies
who carefully monitor the bottom line and observe fraud alerts, confirm
address changes and practice truncation are not as inviting to
imposters. I believe law enforcement when they tell me that imposters
trade information on easy targets and ways to commit identity theft.
The explosive growth of identity theft confirms this as well as the
number of repeat offenders. Like any other job, you improve with
experience. The imposters of today have turned their livelihoods into a
multi-billion dollar industry.
Your constituents deserve nothing less than the passage of these
two bills. To not pass them would be to enable criminals to continue to
attack and victimize consumers and businesses.
Thank you for your tine in considering my statements. If you have
any questions, I would be most willing to answer them. I may be reached
at
=``mailto:[email protected]''[email protected]
or during work hours at 858-693-7935. Please be persistent in calling.
Our lines get very busy with victim calls.
Linda Foley
Executive Director
Identity Theft Resource Center
Addendum from ITRC 5
Many victims compare identity theft to rape, others to a cancer
invading their lives. Many of the symptoms and reactions to identity
theft victimization parallel those of violent crime. The following
information is for understanding and, perhaps, to reassure victims that
what they are experiencing is not abnormal. The reaction to identity
theft can run the full spectrum from mild to severe. Clearly, the
complexity of the crime itself will also define the severity of the
import, as will any other traumatic events that may occur around that
same time frame.
Impact: The moment of discovery.
Can last from 2 hours to several days.
Reactions include shock, disbelief, denial,
inappropriate laughter, feeling defiled or dirty, shame or
embarrassment.
Recoil:
Can last for several weeks or months, especially as
other instances of theft are uncovered.
Physical and psychological symptoms may include: heart
palpitations, chest discomfort, breathing difficulties,
shortness of breath, hyperventilation, dizziness, clumsiness,
sweating, hot and cold flashes, elevated blood pressure,
feeling jumpy or jittery, shaking, diarrhea, easily fatigued,
muscle aches, dry mouth, lump in throat, pallor, heightened
sensory awareness, headaches, skin rashes, nausea, sexual
dysfunction, sleep disturbance.
It is not uncommon for victims to frequently search
through events trying to pinpoint what they did to contribute
to this crime.
Anger, rage, tearfulness, overwhelming sadness, loss
of sense of humor, an inability to concentrate, hyper-
protectiveness, and a deep need to withdraw are all part of the
psychological reactions to identity theft.
You may misplace anger on others, especially loved
ones causing family discord. Those who tend to lean on
unhealthy habits such as under or overeating, smoking, alcohol
or drugs may be drawn to those additions for comfort.
During Recoil, victims may experience a sensation of
grief. They may grieve the loss of: financial security, sense
of fairness, trust in the media, trust in people/humankind and
society, trust in law enforcement and criminal justice systems,
trust in employer (especially in workplace ID theft), trust in
caregivers and loved ones, faith, family equilibrium, sense of
invulnerability and sense of safety, hopes/dream and
aspirations for the future.
At one point or another, almost all victims will also
grieve a loss of innocence, sense of control, sense of
empowerment, sense of self and identity, and sense of self
worth.
Equilibrium/Balance/Recovery:
In identity theft, this phase may come as early as
several weeks after the crime and for others may take months or
years. It usually depends on how quickly the actions of the
imposter are resolved and cleared up.
For all victims, achieving balance and entering
recovery will take awareness and purposeful thought.
IDENTITY THEFT RESOURCE CENTER
2001 MILESTONES AND ACHIEVEMENTS
The level of activity in ITRC's office increased dramatically in
2001 as we assumed a larger role in the battle against identity theft.
In July, we increased our staffing level to two by adding a Director of
Consumer/Victim Services in response to the severity and volume of
victim cases we receive, up from 2-5 per week in 2000 to 60 requests
for help each week by email or phone by the end of 2001.
ITRC's web site,
=``http://
www.idtheftcenter.org''MACROBUTTONHtmlResAnchorwww.idtheftcenter.org,
which first appeared in March 2001 is one of the most comprehensive
sites on this topic today. It contains current information on
prevention, self help guides (self-advocacy encouraged), a
comprehensive reference library, fraud complaint forms, legislative
information resource links and access to help groups nationwide. It
averages 10,000 visits each month.
On the legislative front, ITRC is proud to announce that our first
recommendation for legislation in California, SB 125 (Alpert), was
signed and now is California Penal Code 530.8. This law gives victims
and law enforcement greater and easier access to information on
fraudulent accounts opened in a victim's name. By the end of 2001, ITRC
had been sought out by legislators throughout the country, requesting
support and guidance about state and federal legislation under
consideration, including 2 federal bills now under discussion.
Our volunteer staff, who give so graciously of their time, has also
increased. Our regional network has expanded and now includes
coordinators in San Francisco, Wine Country/No. Calif., Dallas, TX, New
Hampshire, Maryland, Olympia, WA, Atlanta, GA, Seattle, WA, Bridgeport,
CT, Southcentral/East Michigan, Chicago, Akron, OH, Milwaukee, WI, Los
Angeles and San Diego CA.
Besides being available to all media, ITRC is particularly proud of
the inclusion of an identity theft consumer education page in the
California 2001-2002 Pacific Bell white pages, recommended to the
company by Exec. Director Linda Foley and written by her. A letter by
Foley that appeared in the Aug. 12, 2001 Ann Landers column resulted in
more than 1,000 emails from victims and concerned consumers in a 4-week
period of time and an increase of more than 6,000 additional visits to
ITRC's web that month alone.
Presentations made to financial institutions and law enforcement
agencies have inspired identity theft awareness programs and enhanced
relationships with victims. Foley and ITRC is currently working with
the California Association of Collectors to put together an information
sheet and standardize practices by collection agencies dealing with
identity theft cases.
ITRC is now called regularly by law enforcement around the
country--to ask advice on how to handle a situation, for permission to
reprint self help guides for distribution and to refer difficult cases
for assistance. Exec. Director Foley spoke at the March 2001 CA Union
of Safety Employees, took an active role in the creation of the new FTC
Standard Fraud Form, served on the CA Dept. of Motor Vehicles' Anti-
Fraud Task Force, the CA Attorney General's Identity Theft Task Force
and acts as an advisor for the CA Department of Consumer Affairs,
Office of Privacy Protection, which included a training program for
their hotline counselors.
Finally, ITRC is proud to announce that our director, Linda Foley,
has received several citations for her exemplary work and is the
recipient of the Channel 10 Leadership of San Diego ``Individual Leader
of the Year'' Award for 2001, awarded by KGTV, the San Diego ABC
affiliate.
Chairperson Feinstein. Thanks very much, all of you, for
your testimony. It was very interesting.
Attorney General, let me begin with you. It is my
understanding that Washington State law, along the lines of
what Ms. Foley was saying, gives identity theft victims copies
of any documents the businesses have, such as credit card
applications related to identity theft. I am concerned about
the opportunity for a thief to exploit that. That is the only
downside that I can see to this.
Could you comment on what your experience has been with
this and what happens if a thief pretends to be a victim and
convinces a company to give him another person's credit
application?
Ms. Gregoire. Well, that was an issue that we dealt with
when we introduced the legislation. In the end, what business
and the credit card companies and we agreed to, though a bit
onerous on victims, but nonetheless addresses the concern you
just expressed, is that a victim of identity theft in the State
of Washington can request the information.
If the business is concerned at all about whether this
person is, in fact, a victim and the actual person, then they
go into the State Patrol of Washington State and are
fingerprinted and can prove they are who they say they are, the
result of which is the business must then produce the
information and is then held not liable for in good faith
responding to the request of the consumer.
Chairperson Feinstein. Does your law require that
fingerprinting identification?
Ms. Gregoire. Yes. If the business is unwilling to turn it
over, then in order to hold that business liable for refusing
to turn it over--if they do not turn it over at the request of
the consumer, the business is liable and can be held liable in
court. The business has the right to ask for that
fingerprinting through the State Patrol. Once that is done,
once that compliance is done by the victim, then the business
absolutely has to turn it over or be held accountable in court.
Chairperson Feinstein. Would you advise that in a Federal
law?
Ms. Gregoire. Well, you know, our concern about that is it
is onerous on victims. Our law has only been in place since
July. We have had about 20-plus, 22, who have actually had to
go down and get their fingerprints taken. I wish there was a
less onerous kind of thing that could be done by victims in
order to prove that, whether that is this document that can be
done maybe in a way that would be acceptable to businesses and
consumers equally. That may be the more appropriate vehicle. I
am very concerned about satisfying the needs of the business,
while at the same time not, in essence, revictimizing the
victim.
Chairperson Feinstein. Right, right.
Do you want to comment on that, Ms. Foley?
Ms. Foley. Yes, I would, because California also has a law.
It is Penal Code 530.8, and actually the Identity Resource
Center was the source of that bill. We helped to inspire that
when it was carried by California Senator Dede Alpert, whom I
know you know.
Chairperson Feinstein. Right.
Ms. Foley. The Department of Consumer Affairs' Office of
Privacy Protection is now working on a forum to help victims
work with this situation. What we have required is a police
report along with the affidavit of fraud, and that is submitted
to the businesses.
The problem with that is that while California has a law,
it says a police report must be taken in the jurisdiction where
the victim lives. That is not true in many States and we still
see a high number of victims who are not able to get police
reports to start with. Without a police report, the credit
issuers don't take you seriously. So we almost have to do
something simultaneously that says a police report must be
taken by local law enforcement to help that victim. The idea
behind that was if someone is willing to go to the police and
make a police report, they are less likely to be an imposter.
Chairperson Feinstein. Inspector Cannon, do you want to
comment on that?
Mr. Cannon. I would agree. By coming in and making a false
report, first of all, they are going to subject themselves to a
separate liability for the false report. Additionally, it would
be a problem in some areas, depending on what the current
statutes are, because if you go to the police and you say you
want to report an identity theft, if there is no crime there,
some agencies may have a problem taking the report because they
are not reporting a crime. So what do I take the report for?
The best thing that I could probably do in most
jurisdictions is take a miscellaneous report, which is going to
get filed in just a general field. If someone actually needs to
come back and research that, they are going to have trouble
locating that. So that would be a problem for the victim. Even
though they are making a report of identity theft, it is going
under miscellaneous. It is not a crime, it is an incidental.
Chairperson Feinstein. Do you happen to know, in every
State can a victim get a copy of a police report? I don't think
so, under present law.
Mr. Cannon. No. It would be difficult. Then again, it would
depend on the agency taking the report, too. For instance, we
had a case of identity theft at the U.S. Mint, where one of our
employees had her identity stolen. The report was made to us,
the U.S. Mint Police, not to the Metropolitan Police
Department. So this report was processed through the Department
of the Treasury and not through a local agency.
Chairperson Feinstein. So in other words, if we were going
to provide for that, we would have to provide that in these
cases a police report should be provided to the victim, which
might be difficult.
Ms. Foley. We also have another problem. There are still
five States within the United States that do not consider
identity theft a crime. I believe Alabama just finally added to
the group that does state that identity theft is a crime, but
we still have five States, including New York, which is one of
the top five States in the country in terms of number of
suspects and victims of identity theft.
Chairperson Feinstein. Of course, that is going to change.
One of the problems is going to be that every State is going to
have a different set of laws and it is going to make it very
difficult for businesses. There will be no common threshold for
businesses. I think as Inspector Cannon and others have pointed
out, one thief can touch a dozen or two dozen States easily, so
it becomes a difficult problem
Ms. Foley. You almost have to say the jurisdiction is where
the consumer lives. There are always two sets of victims in
this crime, the consumer victim and the commercial victim.
Chairperson Feinstein. Thank you.
Senator Kyl.
Senator Kyl. I will just ask one question and then I am
going to have to leave and I will figure out later here from
the staff exactly what else we need to do to hone in on this,
because we need to be aware of the very practical problems in
constructing this, and I know that is the intention of all of
us here.
When you say that there is no crime, Mr. Cannon, there is a
report that my identity might have been stolen and I want the
police to know about that. Is that what you mean, but you don't
necessarily have any tangible evidence that, in fact, that
happened?
Mr. Cannon. Let's say we do have tangible evidence. Law
enforcement operates on probable cause, the key foundation of
every case. Let's say that I do have probable cause that your
identity was stolen, but I don't have a law to back it up with.
That is the first problem, such as in the States that do not
have identity theft laws.
So then even though I may as a law enforcement officer have
probable cause to believe that your identity was stolen, if I
don't have a law that it violated, I have probable cause on
nothing.
Senator Kyl. I understand that, but if I call you up and
say my house was just broken into and they stole camera, well,
you don't know whether they stole my camera or not, but you
will still take a report on it, won't you?
Mr. Cannon. Absolutely, based on the law. There is a law
there.
Senator Kyl. I understand you have to have a law, but if I
come down and I say I believe that my identity has been stolen
and here is the information that leads me to that conclusion,
and there is a law in the State of Arizona that prohibits that,
then the officer needs to take that down in a police report,
right?
Mr. Cannon. Absolutely. The officer then has a foundation
to start on because you are providing him with some type of
avenue to start and to investigate based on the fact that you
may have the credit card receipts, you have different things
that you can produce. So he should take a report and the
investigation should start.
Senator Kyl. And then finally is there anything on the
police report that should render it unavailable to the
reporting victim?
Mr. Cannon. There is nothing that should. In many cases,
even if there is no provision, under a Freedom of Information
Act request you can normally get it.
Senator Kyl. So there is no particular reason why it
shouldn't be made available to the victim, in your opinion?
Mr. Cannon. That is correct.
Senator Kyl. Attorney General, do you agree with that?
Ms. Gregoire. Absolutely.
Senator Kyl. Okay, good, thanks, and I apologize for having
to leave.
Chairperson Feinstein. Thanks very much, Senator.
Senator Cantwell.
Senator Cantwell. Thank you, Madam Chairman. I want to go
back to a couple of points that are about the basic information
and access to information and how critical that is, and
coordination.
Mr. Cannon, you emphasized in your testimony how important
it was for law enforcement, not just the victims, but for law
enforcement to have access to this information. Oftentimes, it
is nearly impossible for you to follow up and do your job
because you don't have access to the information.
Mr. Cannon. That is correct. We have several active cases
that are being investigated right now. We have had problems
garnering information from the companies that we need to get it
from in regard to where property was shipped to or whatever
because they have liability concerns about who they are
violating.
We know that they are not violating the victim, but we
either have to go sometimes to a grand jury, grand jury
subpoenas for them to produce it, or we will have to take an
inordinate amount of time to get to the case source of what we
need. By the time we get to the base source, by the time we get
to that address, as you have heard, they have moved on to
another address. Therefore, we are back to starting all over
again. So quick access is a definite need for law enforcement.
Senator Cantwell. And if the process was expedited either
by an I.D. theft affidavit or some other process, then you
could become a participant in that investigation almost
immediately.
Mr. Cannon. Absolutely, we would be able to become a
participant. The other key thing there would be the fact that
we would be able to link hopefully with other law enforcement
agencies.
Let's say the identity has been stolen here in Washington,
but they purchased the property in Mobile. We want to be able
to contact a local law enforcement agency in Mobile. They also
may be violating additional local laws there as far as forgery
or other things that we could get them on. That would also
enable the local prosecutors to get involved.
As you have heard many times, there is a threshold that
people are looking for. Sometimes, Federal prosecutors are
reluctant to take it because it doesn't make that high
threshold, but there are many other local avenues that could be
pursued. We would like to see that be made available also.
There are different tiers that you could put it on, that
they could be handled locally up to this amount and then after
that it becomes Federal. There are any number of things that
you could do, but it has to be a joint team effort between
local, municipal, State and Federal to be able to have a good
loop, once you get this, that you can work with.
Senator Cantwell. Can you or Attorney General Gregoire talk
about the RICO section of the legislation that I am proposing
because that obviously integrates at the Federal level? You
mentioned it in your testimony, as well, as an added tool that
you thought was beneficial.
Ms. Gregoire. I do, because you have got that it is a
predicate offense to the application of RICO, and RICO is
important to victims. If you are ultimately able to find the
perpetrator, then they can go after the assets. Otherwise, they
will forever struggle being able to get anything back, either
the business or the victim themselves getting anything back.
This particular provision, I think, is an important aspect of
being able to make whole the victims.
Senator Cantwell. So you are saying if somebody stole my
identity and went and purchased a new car or an expensive watch
or something of that nature, this would allow both the business
and the victim to have access to that asset as repayment?
Ms. Gregoire. Or to get at other assets that weren't even
fraudulently gotten by the perpetrator to get after that
individual's personal assets, which we think is important in
this area.
Mr. Cannon. It is a tactic that is used throughout law
enforcement when you seize the assets that are gained
throughout it either legally or illegally, and then those
assets can come back to the Federal Government or to the
victims. Part of it could be divided up into a victims witness
assistance fund, part of it to the business, part of it to fund
the Federal legislation, or even to fund homeland security if
you needed it.
Senator Cantwell. Thank you. I don't have a question as
much as a comment on your holding up Senator Feinstein's Web
site or page. It reminded me of several years ago, prior to my
being in the Senate, someone saying I can find out your credit
card information within 24 hours. And I said, well, okay, prove
it to me, and literally they did come back--I am not going to
tell you what Web site does this, but they came back with my
credit card information, everybody in my family's credit card
information, my former employer's credit card information, all
available in a report online.
So the issue here, Madam Chairman, is that the information
available online has brought an anxiety that somehow all of
these parts of our lives are somehow pieced together. Even the
basic information that can be provided online can then be
pieced together with other information to build this
background, making someone who wants to steal an identity very
enabled. That is why I believe that stronger laws and stronger
coordination are very important.
Mr. Cannon. Let me just add that I just picked Chairman
Feinstein's Web site. I could have picked anybody else's and
done all of you or whatever. I will be working with your staff.
There are just a couple of corrections we can make and your Web
site will be safe and secure. The information will be there,
but not in the manner that they can take it to use other
places.
Chairperson Feinstein. You are saying my Web site is such
that they can do that?
Mr. Cannon. I was able to obtain enough information off
your Web site to obtain a credit card.
Chairperson Feinstein. Really?
Mr. Cannon. Yes, ma'am.
Senator Cantwell. I just want to correct something. I meant
Social Security number. I am sure there are ways to get credit
card information. This was a report on Social Security numbers,
which then led to people to get other information about credit
cards.
Mr. Cannon. All you needed was the basic information. That
basic information gives you access to another site that you can
put the basic information that you got off the first site on
that will feed you the additional information so that you can
then get to your final destination.
I will meet with your staff afterwards.
Senator Cantwell. I am not saying that that kind of
information couldn't have been gathered in other ways, but some
piece might be at the courthouse about your property.
Mr. Cannon. Correct.
Senator Cantwell. And some might be somewhere else, and
what is happening is all of this can be more easily compiled.
That is why, again, better tools are needed.
Mr. Cannon. You are one hundred percent correct.
Senator Cantwell. Thank you, Madam Chair.
Chairperson Feinstein. Thanks, Senator.
Senator Sessions.
Senator Sessions. Thank you.
Senator Cantwell, I didn't mention your legislation, but I
like it, too. I think it has got a lot of issues in it that are
very important.
Attorney General Gregoire, you talked about getting your
records back. Let's just be frank. Isn't it true that there is
likely to be very little abuse, especially if you have to file
an affidavit like this? Criminals are not likely to use this
process to get someone's credit card number. They can get it in
so many other ways. It would be easier, I think.
I am inclined to think, Senator Feinstein, that the
language as you have it now is sufficient. I don't think we
will have a real abuse of it, and if we go too far
theoretically, trying to protect perfectly what could be an
abuse of rights, we may make it so difficult for victims that
we can't be successful.
Is that your best judgment on the matter?
Ms. Gregoire. Yes. We were so frustrated in our trying to
do our legislation. One of the pieces that we thought was
important that is in Senator Cantwell's bill is this issue of
blocking, so that if this victim knows that they have taken a
credit card and run up the bill, the practice of the credit
card companies now is they simply flag that. So I am the next
creditor and I look at it and I see she has been the victim;
that means she is susceptible and I am going to deny her
credit.
What we were trying to ensure is that be blocked so that
the next creditor doesn't even see that she has been the victim
of identity theft and thus become skeptical about her
creditworthiness. In order to do that, the negotiations with
business and the credit agencies--the only way we could get
them to do that, raising this issue of someone will come in and
take advantage and be fraudulent doesn't make a lot of sense to
me, we had to do this extra step to which I referred.
Senator Sessions. Who was raising that objection? Was it
the businesses or consumer groups raising the objection on the
potential privacy violation?
Ms. Gregoire. It was the credit card agencies.
Senator Sessions. Did they oppose the legislation?
Ms. Gregoire. They did, until we ultimately agreed to this
fingerprinting exercise. I think this is a much better tool, to
be honest with you----
Chairperson Feinstein. You mean an affidavit, a sworn
affidavit should do it.
Ms. Gregoire [continuing]. By the FTC, where you can track
nationally what is going on in the country. You can know
exactly how many incidents of identity theft. I mean, this
would be uniform throughout the country, rather than every
State having one way of doing it.
It would be, to me, better for consumers. I think this is a
much easier way for consumers. And yet it is exactly what you
say, Senator Sessions. To expect one of these thieves to go in
and further their crime by doing this I just don't think is
realistic.
Senator Sessions. Another matter you raised I think is very
critical, and that is the statute of limitations. Almost all
Federal statute of limitations are at least five years. I don't
know why they made this one two when these laws were passed,
but I would definitely believe that it should be consistent
with normal statute of limitations for $5,000 theft and
interstate shipment. Those are all five years. You could have
$50,000 through credit card fraud, so I really believe that
should be changed.
I am inclined to think, as an attorney general and
prosecutor, Ms. Gregoire, that historically we have gone from
the date of the crime. There are some date of discovery
statutes of limitations. My first impression is it might be
better just to go to a five-year standard statute of
limitations here rather than trying to go from the date of
discovery.
How does that strike you in terms of your overall approach
to criminal law?
Ms. Gregoire. What I know I am opposed to, Senator, is two
years. When I look at this crime, that is just revictimizing
the victim. I would be much more favorable to five years, but I
am in favor of what the Senator has put forward, which is date
of discovery, which, as you know, in civil cases is a typical
statute of limitations.
In criminal cases, yes, a five-year statute of limitations.
But this is in a civil case, and therefore I think----
Senator Sessions. For a civil case?
Ms. Gregoire. Yes, and I think date of discovery is the
preferable way to go.
Senator Sessions. For most of the predicate offenses for
identity fraud and credit card fraud, the statute is five, is
it not, on criminal cases?
Ms. Gregoire. Right.
Senator Sessions. Well, I may have less concern about that.
Inspector Cannon, you talked about actually making these
cases work and how to have it occur. My view is there is no
substitute for Federal and State investigators who have been
given special responsibility on identity theft cases meeting
regularly, sharing information on that.
Ms. Foley, you mentioned that businesses are concerned. I
mean, most of the time they end up paying the loss.
Ms. Foley. Actually, they don't.
Senator Sessions. They don't?
Ms. Foley. You and I do. They pass the costs along to
consumers. There is no business in the world that can afford to
absorb the types of losses we are talking about. We can get in
terms of higher merchandise costs, higher service costs,
financial charges, and any other way they can pass it along the
line. If we can minimize that bottom line in terms of loss, we
may even see prices rolled back a little bit.
Senator Sessions. I think that is a good observation, but
what I observed in our task force was that local financial
institutions had a self-interest in helping. If police officers
can't get the banks to give them the records for weeks and
weeks, so they have no interest in providing information or
working the alerts or getting the information out that their
tellers have identified--they stopped somebody or rejected a
fraudulent attempt--they may go right to the next bank and be
accepted at the next bank and end up with an individual victim
being stuck with a withdrawal from their account or an illegal
debt.
So I guess my question is do you have any ideas about how
we could further really intense cooperative efforts between
Federal, State and local investigators within our communities
throughout the country, and maybe even share the information in
one city with what is going on in other cities because the same
people tend to move around?
Mr. Cannon. There are any number of ways you could do it.
You already currently have several task forces in place. Right
now, because of 9/11, you have already enhanced coordination
and communication, which is the most important thing between
State, Federal and local people.
I would suggest or proffer to the committee that you could
utilize several task forces that are already in place for the
dissemination of information. There is currently the U.S.
Attorneys' terrorist task force. And let's face it, identity
theft is a form of terrorism. I think you would agree.
Also, I think that in many cases you probably would find
terrorists that are utilizing this to fund some of their
operations. So I think by utilizing the attorneys' terrorism
task force which is already in place with the U.S. Attorney's
office, you would find a mechanism that is already there. This
could just be one more subdivision that they have there as far
as dissemination and coordination.
Senator Sessions. I am not sure you want to burden that
task force. I think we need to focus on the routine con man who
is out there routinely day after day cheating people, causing
all kinds of havoc in the system, disrupting people's lives.
Mr. Cannon. That is correct. You could also utilize the
fraud network that is already in place that is linked through
most major police departments and States. I think just about
every State is linked through the fraud information unit.
Senator Sessions. Well, I won't pursue it any further, but
trust me, it is not at the level we need it to be. One of the
things that needs to be done is the Attorney General has simply
got to make clear to the Federal prosecutors and the Federal
investigators that this is an enterprise worthy of their time.
I know we have got to focus on terrorism and I know that is
going to drain some of the Department of Justice's resources.
But for most districts in America, they don't have active,
major, ongoing terrorist cases and they need to be affirmed in
the commitment to investigate financial crimes.
Also, of course, the Secret Service is a Department of the
Treasury agency. It has jurisdiction over these kinds of
crimes. I think that is an agency that could be empowered to be
more aggressive. As I said, the investigative team in Mobile
was led by the Secret Service and they really were successful.
At the time they started, we had very few of those cases.
After that, they were just routine monthly. Many of these were
repeat, dangerous con men, really. The rest of their lives,
they were going to cheat people. That is how they knew how to
live. So moving that up as a priority, even though the amount
of loss in any one district may not meet some Department of
Justice or U.S. Attorney's guideline, is the challenge for us.
I thank both of you for your leadership on this and I
appreciate it.
Ms. Foley, maybe you had a comment.
Ms. Foley. I was going to mention, very similar to what you
have done in Alabama, California has a number of regional task
forces that are involved in financial crimes and they have been
very successful. It has taken a definite effort in terms of
allowing larger budgets, staff and training for the specialized
type of investigation that is necessary, and there needs to be
greater communication. But California is working very hard on
that and putting together task forces that are going after it
with combinations of different groups of law enforcement.
Senator Sessions. I would just say this: When you raise
this with any agency, they always say they need more money. But
they have already got a lot of investigators. I mean, what do
they do everyday?
When we did the fraud task force, there was no extra money.
It was just that the police department had several skilled
investigators who tended to work those cases anyway. The FBI
had an investigator, the Secret Service led. I committed a
prosecutor. The State put a prosecutor in. The banks sent their
security people, who were often the first to spot the fraud. I
mean, we really didn't need a lot more money.
Now, we could put some money in to encourage this in some
fashion, but you can do that with guns. The Department wants
more money for gun prosecutions. Well, we can give them more
money for gun prosecutions, but they have already got Assistant
United States Attorneys doing something, I suppose. I hope they
are doing gun cases already. So I think that is the key to it.
How we energize that I don't know. We could give some sort
of financial incentive to task forces. We have done it by
paying overtime on drug task force matters.
Ms. Gregoire. I have been reluctant to say this. I have to
be honest with you. Your attitude is a welcome attitude, but
the victims out there are told when they report to local law
enforcement this is a paper crime. That is why they are not
taking the reports, that is why they are not following up, and
that is why these victims are the best cop on the beat and that
is why they took two years of their own lives. The one
individual I referred to earlier quit her job and for two years
was her own private investigator.
What you just expressed is an attitude, and what you all
are doing here is what we need to say to the Nation, that this
is a real crime with real victims and it isn't just money and
it is damage to business. As a Nation, we need to step up and
prioritize it and put together the kind of cooperative
relationship--local, State, Federal law enforcement--and make
it a priority so that we don't tell victims it is paper crime,
you are on your own.
Senator Sessions. Well, I think that is what I was trying
to say. It is a big deal. It is a huge crime that should not be
ignored. If it goes to the average police officer who does not
have expertise in the matter, they don't know how to maybe work
through all the system to solve it. It is a tragedy if we leave
it up to victims. We don't leave it up to victims to solve
armed robberies. Why should they have to solve these kinds of
cases?
Chairperson Feinstein. I would like to make a suggestion.
We actually have two very good bills here. What I would like to
recommend is that we put them together, that our staff and
Senator Kyl's and your staff work together in doing this, and
that we particularly take a look at the RICO part of it to use
the racketeering statute to really set a kind of Federal
threshold, at which point it becomes a Federal crime.
You can't have every small amount of identity theft
essentially a Federal crime, but once it becomes an issue of
RICO with a substantial amount and we know that they are moving
among the States doing that, then it seems to me it is a
justifiable RICO use.
In any event, I would like to put the two bills together,
have a markup as soon as we can and move it out to the full
committee. Any advice that any of our witnesses could bring
would be very useful. I think the point that the Attorney
General raised about using the FTC affidavit is an excellent
one and I think we ought to incorporate that in the
legislation.
One of my concerns is there are many of these which are
small, too, and a prosecutor on a State level, as well as on a
Federal level--we are told that Federal prosecutors won't take
these cases much under $25,000, and that becomes a real issue
out there that we have to work on. But where the prosecutions
can be State prosecutions, they should be, and where there are
State laws, they should be. But where there is a national
impact and a substantial amount of money lost, it seems to me
it ought to be a Federal crime, subject possibly to RICO.
Senator Sessions. I think we need to talk about whether we
want to make that a RICO crime, but I would be open to
discussion on that.
Chairperson Feinstein. Okay. Well, why don't we do that and
try to set a time limit that we do it in the next couple of
weeks? Then we will have a little markup.
Senator Cantwell, is that agreeable?
Senator Cantwell. Yes, Madam Chairman, I think that is a
good suggestion. I again want to show my appreciation for this
hearing today and discussion of this issue because I think it
is a very important issue.
When I think about what we have done here in discussing
larger privacy legislation, we have tried to get our arms
around the fact that we are at the tip of the iceberg of an
information age, and how do we protect citizens on privacy?
These two particular vehicles, I think, deal with what the
public sees as the most urgent issue; that is, the protection
of their identity from being stolen. I think it is something we
can get our arms around.
We have, because of Washington and California laws and the
testimony that we have had today, some good implementation and
expertise that I think gives us the basis for that. So I would
concur with your recommendations.
Chairperson Feinstein. Great. Then we will move in that
direction.
Let me thank all of you. If you could again take a look at
the bills with the idea of merging the two of them, and if you
have any other thoughts, please let us know. We very much
appreciate it. Thank you so much. It has been a very
interesting morning.
The record will remain open, and the hearing is adjourned.
[Whereupon, at 11:50 a.m., the subcommittee was adjourned.]
[Submissions for the record follow:]
[GRAPHIC] [TIFF OMITTED] 85794A.028
[GRAPHIC] [TIFF OMITTED] 85794A.029
[GRAPHIC] [TIFF OMITTED] 85794A.030
[GRAPHIC] [TIFF OMITTED] 85794A.031
[GRAPHIC] [TIFF OMITTED] 85794A.032
[GRAPHIC] [TIFF OMITTED] 85794A.033
[GRAPHIC] [TIFF OMITTED] 85794A.034
[GRAPHIC] [TIFF OMITTED] 85794A.035
[GRAPHIC] [TIFF OMITTED] 85794A.036
[GRAPHIC] [TIFF OMITTED] 85794A.037
[GRAPHIC] [TIFF OMITTED] 85794A.038
[GRAPHIC] [TIFF OMITTED] 85794A.039
[GRAPHIC] [TIFF OMITTED] 85794A.040
[GRAPHIC] [TIFF OMITTED] 85794A.041
[GRAPHIC] [TIFF OMITTED] 85794A.042
[GRAPHIC] [TIFF OMITTED] 85794A.043
[GRAPHIC] [TIFF OMITTED] 85794A.044
[GRAPHIC] [TIFF OMITTED] 85794A.045
[GRAPHIC] [TIFF OMITTED] 85794A.046
[GRAPHIC] [TIFF OMITTED] 85794A.047
[GRAPHIC] [TIFF OMITTED] 85794A.048
[GRAPHIC] [TIFF OMITTED] 85794A.049
[GRAPHIC] [TIFF OMITTED] 85794A.050
[GRAPHIC] [TIFF OMITTED] 85794A.051
[GRAPHIC] [TIFF OMITTED] 85794A.052
THE IDENTITY THEFT PENALTY ENHANCEMENT ACT
----------
TUESDAY, JULY 9, 2002
U.S. Senate,
Subcommittee on Technology,
Terrorism, and Government Information,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:35 p.m., in
room SD-226, Dirksen Senate Office Building, Hon. Dianne
Feinstein (chairman of the subcommittee) presiding.
Also present: Senators Feinstein and Kyl.
STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE
STATE OF CALIFORNIA
Chairperson Feinstein. I would like to begin this hearing
in the interest of time. I know Senator Kyl is on his way and
will be here shortly. Today's hearing is on the Identity Theft
Penalty Enhancement Act of 2002. I introduced this legislation
in May with the ranking member, Senator Kyl, and Senators
Sessions and Grassley, at the request of the Attorney General
and the Bush administration. And I am very pleased to have been
asked to do this.
Unfortunately, because of the proliferation of identity
theft and its use in other crimes, some extraordinarily
serious, the enhancement penalties have become, I think,
necessary and important.
For me, combating identity theft has been a top priority,
and I have worked closely in this committee with Senator Kyl
both to crack down on identity thieves and make such crimes
much more difficult to commit.
This legislation, we believe, will make it easier for
prosecutors to target those identity thieves who steal an
identity for the purpose of committing other serious crimes,
including murder and terrorism. Identity theft, in fact, is
often a precursor to other serious crimes, and I would like to
give just a few examples.
Lotfi Raissi, the 27-year-old Algerian pilot from London
who was believed to have trained four of the September 11th
suicide hijackers, was identified in British court papers as
having used the Social Security number of Dorothy Hanson, a
retired factory worker from New Jersey who died in 1991.
The Justice Department recently prosecuted an Algerian
national for stealing the identities of 21 members of a health
club in Cambridge, Massachusetts, and subsequently transferring
those identities to an individual convicted in the failed plot
to bomb Los Angeles International Airport in 1999.
An administrator of Kmart Corporation's stock option plan
is currently being prosecuted for stealing the identity of a
Kmart executive and exercising 176,000 options in his name.
And, in another case, a Chicago man allegedly killed a
homeless man to assume the victim's identity and avoid pending
criminal charges for counterfeiting.
So here we have examples involving terrorism, involving
murder, and involving major fraud, and identity theft became
the enabler for these crimes. And the stories go on and on, and
that is what makes this legislation so vital.
Now, what would the bill do? The bill would create a
separate crime of aggravate identity theft for any person who
uses the identity of another to commit certain serious Federal
crimes. Specifically, the legislation would provide for an
additional 2-year penalty for any individual convicted of
committing one of the following serious Federal crimes by using
the identity of another person, and the crimes are: illegally
obtaining citizenship in the United States; obtaining a
passport or visa; committing, bank, wire, or mail fraud; or
stealing from employee pension funds; and then committing a
variety of other serious Federal crimes, all of them felonies.
Secondly, the legislation would provide for an additional
5-year penalty for any individual who uses the stolen identity
of another person to commit any one of the enumerated Federal
terrorism crimes found in Title 18. These include: destruction
of an aircraft; assassination or kidnapping of high-level
Federal officials; bombings; hostage taking; and provide
material support to terrorist organizations.
Thirdly, the bill also strengthens the ability of law
enforcement to go after identity thieves and prove their case
by allowing law enforcement to target individuals who possess
the identity documents of another person with the intent to
commit a crime. Current Federal law prohibits the transfer or
use of false identity documents, but it doesn't specifically
ban the possession of those documents with the intent to commit
a crime. And, finally, increasing the maximum penalty for
identity theft under current law from 3 to 5 years.
The bill also clarifies that the current 25-year maximum
sentence for identity theft in facilitation of international
terrorism also applies to domestic terrorism.
Now, I don't think I need to go into the background of
identity theft. I think we have had a number of hearings in
this subcommittee. We know that the average loss of an identity
theft is now about $17,000. We know that fraud losses at
individual financial institutions are running well over $1
billion annually. And, on an average, it takes a full year and
a half for someone who has had their identity stolen to regain
it.
So we have a very impressive panel today, and I will
interrupt the testimony when Senator Kyl does come to receive
his comments. But in the interim we will proceed, and the first
one I would like to introduce is Mr. Dan Collins. Mr. Collins
is currently the Chief Privacy Officer and Associate Deputy
Attorney General at the Department of Justice. He previously
worked as a partner at the Los Angeles firm of Munger, Tolles &
Olson. From 1992 to 1996, he served as Assistant U.S. Attorney
in the Office of the U.S. Attorney in Los Angeles. He received
his law degree from a great school, Stanford, in 1988, and he
clerked for Supreme Court Justice Scalia.
If we could proceed with you, Mr. Collins, and then I will
introduce the others seriatim.
STATEMENT OF DANIEL P. COLLINS, ASSOCIATE DEPUTY ATTORNEY
GENERAL AND CHIEF PRIVACY OFFICER, U.S. DEPARTMENT OF JUSTICE
Mr. Collins. Thank you, Senator Feinstein. It is my
pleasure to be here today to testify on behalf of the Justice
Department in strong support of this legislation. As you have
remarked, the bill that is now before the subcommittee was
first unveiled at a joint press conference held by the Attorney
General and Senator Feinstein on May 2nd, at which the Attorney
General also announced a major nationwide crackdown that has
resulted in the prosecution of scores of identity thieves. On
behalf of the Attorney General, I wish to reiterate his sincere
appreciation for the invaluable leadership you have shown on
this important issue.
Identity theft is one of the fastest-growing crimes in the
United States. No matter how you look at it, the numbers are
very troubling. Estimates of one organization are that between
500,000 and 700,000 persons are victims of this crime every
year. One organization estimates that the number may be as high
as 1.1 million.
Criminals steal other person's identities in order to
facilitate the commission of a wide range of serious underlying
offenses that range from credit card fraud, bank fraud,
fraudulent loans, thefts of benefits, even murder. Identity
theft has also been used, as you have noted, in connection with
planned terrorist activities.
In 1998, Congress enacted important legislation prohibiting
a wide variety of identity theft offenses. The Department has
vigorously enforced these laws as evidenced by the nationwide
sweep announced by the Attorney General on May the 2nd. That
sweep resulted in 73 criminal prosecutions against 134
individuals in 24 judicial districts from coast to coast. The
underlying criminal violations involved in those cases ran the
gamut, again, from credit card fraud to theft of employee
benefits, to murder. These cases were the result of close and
ongoing cooperation among Federal, State, and local law
enforcement agencies, including the Federal Trade Commission,
the Secret Service, the Postal Inspection Service, the Federal
Bureau of Investigation, the Office of the Inspector General of
the Social Security Administration, and the IRS Criminal
Investigative Division, as well as State and local law
enforcement agencies.
The second initiative announced by the Attorney General and
yourself, Senator Feinstein, at the May 2nd press conference
was the bill that has become S. 2541. That legislation has a
number of important aspects.
First, the bill defines a new crime of aggravated identity
theft that includes the most serious and harmful forms of this
pernicious practice--and, again, working from the concept that
people don't steal other person's identities for the sheer
thrill of impersonation. They steal it to commit another crime.
The bill takes cognizance of the fact that there usually is an
underlying predicate felony. It identifies the most serious
forms of it and then says that if you commit that crime with
someone else's identity, you will be charged with a separate
crime and sentenced separately with an enhanced consecutive
penalty for that. It will be a 2-year penalty for the general
list of offenses that are established there and a 5-year
penalty on top of the already severe underlying penalty for any
terrorism offense.
In addition, the legislation makes a number of changes that
improve and strengthen the usefulness of the 1998 legislation.
In particular, the bill closes several gaps that have been
identified in the 1998 law. As you have noted, it will cover
possession and not just transfer and use of these documents,
and it will also increase the maximum penalties for simple
identity theft from 3 to 5 years. And then, building on the
changes made by the PATRIOT Act, which now has a definition of
domestic terrorism, the 25-year maximum for terrorism-related
offenses now incorporates that definition so that it is now
domestic and international terrorism.
These changes are important measures to make sure that
prosecutors have the full range of tools available in order to
combat this offense and to make sure that when Federal
resources are deployed as part of the effort against this
growing crime, that prosecutors are able to bring cases
expeditiously, efficiently, and receive appropriate severe
sentences for those serious crimes.
[The prepared statement of Mr. Collins follows:]
Testimony of Daniel P. Collins, Associate Deputy Attorney General and
Chief Privacy Officer, Department of Justice
Chairman Feinstein, Senator Kyl, and distinguished members of the
Subcommittee, I am pleased to testify on behalf of the Justice
Department in strong support of this important legislation. The bill
now before you was first unveiled at a joint press conference held by
the Attorney General and Chairman Feinstein on May 2nd, at which the
Attorney General also announced a major, nationwide crackdown that has
resulted in the prosecution of scores of identity thieves. On behalf of
the Attorney General, I wish to reiterate his sincere appreciation for
the invaluable leadership you have shown on this important issue.
Identity theft is one of the fastest growing crimes in the United
States today. The numbers tell the story. The Privacy Rights
Clearinghouse estimates that between 500,000 and 700,000 people each
year become victims of identity theft. Indeed, the Identity Theft
Resource Center estimates that the number may be as high as 1.1
million. The Federal Trade Commission (FTC) recently reported that a
whopping 42% of all of the consumer complaints it receives involve
incidents of identity theft. Each week, the FTC receives an average of
3,000 calls on its ID theft telephone hotline, and another 400
complaints of identity theft over the Internet. Additional data
recently gathered by the General Accounting Office (GAO) paint a
similar picture. In response to a request made by the Chair and the
Ranking Member of this Subcommittee--Senator Feinstein and Senator
Kyl--as well as by Senator Grassley, the Government Accounting Office
completed a report in March of this year in which it concluded that all
available sources of information confirm that ``the prevalence of
identity theft is growing'' and that the monetary losses to industry
from identity theft continue to mount.
Numbers, however, do not tell the whole story. Identity theft
inflicts substantial damage, not only on the economy, but also on
hardworking Americans, who must expend the effort to undo the damage
done to their credit records and their good names.
In order to respond to this growing problem, the Attorney General
announced on May 2nd a two-prong initiative to combat identity theft.
The first prong is a coordinated, nationwide ``sweep'' to prosecute
cases involving identity theft. This sweep resulted in 73 criminal
prosecutions against 134 individuals in 24 judicial districts. The
underlying criminal violations involved in these cases run the gamut
from credit card fraud to theft of employee benefits to murder. These
cases were the result of the close and ongoing cooperation among
federal, state, and local law enforcement agencies, including the
Federal Trade Commission (FTC), the Secret Service, the Postal
Inspection Service, the FBI, the Office of the Inspector General of the
Social Security Administration, the IRS's Criminal Investigation
Division, as well as a range of state and local agencies. Acting
through its Identity Theft Subcommittee, the Attorney General's White
Collar Crime Council has worked hard to coordinate enforcement efforts
in this area. The FTC, working with the Secret Service, has provided
invaluable assistance in developing an identity theft case referral
program that helps in identifying significant cases that warrant
further investigation.
The second prong of the initiative announced on May 2nd is the
development of new legislation to enhance significantly the penalties
for identity theft. The Attorney General and Chairman Feinstein at that
time jointly announced the outline of the legislation that is before
you today. S. 2541, the ``Identity Theft Penalty Enforcement Act,''
would greatly help to ensure that the Department has the tools it needs
to prosecute effectively, and punish appropriately, the most serious
forms of identity theft.
S. 2541 builds upon, and strengthens, the important identity theft
legislation enacted by the Congress in 1998. The current federal
identity theft statute (18 U.S.C. Sec. 1028(a)(7)) makes it unlawful to
``knowingly transfer[] or use[], without lawful authority, a means of
identification of another person with the intent to commit, or to aid
or abet, any unlawful activity that constitutes a violation of Federal
law, or that constitutes a felony under any applicable State or local
law,'' if the identification document in question was, or appears to
be, issued by the United States or the offense involved the use of the
mails or affected interstate or foreign commerce. The existing statute
has a sweeping substantive breadth that reaches all identity thefts
that have a federal interest--even those involving State law felonies.
This breadth makes it a valuable part of the federal criminal code and
an important part of the federal arsenal against crime. However,
precisely because of its breadth, the existing statute groups a large
and disparate class of behavior into a single category. For the same
reason, it also imposes across-the-board proof requirements that may
not make sense in certain cases.
Section 2 of S. 2541 addresses these concerns by proposing a new
section 1028A to the criminal code. Section 1028A would define a class
of ``aggravated identity theft'' that includes the most serious and
harmful forms of this pernicious practice. The penalties for this newly
defined crime of ``aggravated identity theft'' are significantly
enhanced as compared to existing law, and the proof requirements are
simplified.
In defining ``aggravated identity theft,'' section 1028A--like the
existing statute--uses the concept of predicate offenses. That is,
identity theft generally is not committed for the sheer thrill of
impersonation; it is almost always done for the purpose of committing
another state or federal offense. Under S. 2541, the ``aggravated''
forms of identity theft are defined by the nature of the predicate
offense, and include all of the most frequently occurring and most
serious predicate offenses. See proposed section 1028A(a)(2), (c).
Thus, anyone who uses another person's identity to commit one of the
enumerated serious predicate offenses will be guilty of ``aggravated
identity theft.'' Because virtually all of the most serious forms of
identity theft involve predicate criminal activity (e.g., bank fraud,
wire fraud, mail fraud) that is covered by federal law, S. 2541 does
not include any State law predicate crimes in its definition of
``aggravated identity theft.'' Compared to the general federal identity
theft statute, S. 2541 applies to a focused and narrower set of
predicate offenses.
In prescribing the penalties for this new offense, S. 2541 does not
rely upon the Sentencing Commission or the Sentencing Guidelines. This
approach is the most sensible one in light of the unusual fact that
identity theft is an entirely derivative offense. That is, as explained
above, identity theft is virtually always committed in connection with
the commission of another offense. The Sentencing Guidelines, however,
are generally designed and intended to be ``charge-neutral:'' the
sentence depends on the underlying ``relevant conduct'' and not on the
particular offense charged in the indictment. Thus, the Guidelines will
generally ignore the fact that two offenses have been charged (a
derivative offense and a predicate offense); the same sentence would be
imposed in such a case as would be imposed even if only the predicate
offense had been charged. Consequently, application of the Guidelines
would mean that there would be virtually no practical advantage to
charging the derivative criminal offense. Prosecutors would have to
charge more and prove more without obtaining any additional punishment.
S. 2541 avoids this problem by fashioning a penalty scheme for the
derivative offense of aggravated identity theft by relying upon the
existing model that the criminal code itself provides for another
wholly derivative offense: 18 U.S.C. Sec. 924(c), Section 924(c) makes
it a federal offense to use or carry a firearm ``during or in relation
to'' a crime of violence or a drug trafficking crime. Because an
underlying predicate crime must be proved--either a crime of violence
or a drug trafficking crime--application of the guidelines would have
collapsed the sentencing for the Sec. 924(c) offense together with the
underlying predicate offense. Section Sec. 924(c) avoids this by
instead providing for an additional prescribed term of imprisonment
over and above that imposed on the underlying offense. Because
``aggravated identity theft'' is, like Sec. 924(c), an unusual
derivative offense, a similar approach makes sense here.
Accordingly, S. 2541 provides that, if a person commits aggravated
identity theft by stealing someone's identity in order to commit a
serious federal predicate offense, that person will be sentenced to an
additional two years' imprisonment over and above the sentence for the
underlying offense. See proposed section 1028A(a)(1), (b)(2). If the
predicate offense is a terrorism offense, the additional punishment is
increased to five years. See proposed section 1028A(a)(2), (b)(2). S.
2541, however, properly departs from the Sec. 924(c) model in one
critical respect. The Supreme Court has held that multiple counts under
Sec. 924(c) that are charged in the same indictment must run
consecutively to each other. Deal v. United States, 508 U.S. 129
(1993). This mandatory cumulative stacking of sentences, if applied
here, could result in unduly severe and inflexible sentences. S. 2541
thus leaves it to the discretion of the sentencing judge whether to run
consecutively or concurrently any multiple counts of aggravated
identity theft that are sentenced at the same time. See proposed
section 1028A(b)(4). In order to avoid unwarranted disparities in the
excuse of this discretion, the Sentencing Commission is explicitly
authorized to issue guidance concerning whether and to what extent such
multiple sentences would be concurrent or consecutive. Id.
S. 2541 would also substantially simplify the proof requirements
for ``aggravated identity theft.'' The existing identity theft statute
contains multiple mental-state elements. In addition to proving all of
the elements of the predicate crime (including the scienter element),
prosecutors also must establish that the defendant ``knowingly''
transferred or used the information ``with the intent to commit'' a
federal or state crime. S. 2541 would streamline the proof by requiring
proof of only that level of scienter that is already required by the
underlying predicate offense and the knowing use of another's identity.
Moreover, because ``aggravated identity theft'' is defined with
reference only to federal predicate offenses, there is no need for any
additional proof of a federal jurisdictional connection. Accordingly,
the additional federal jurisdictional showing required under
Sec. 1028(a)(7) is properly not carried over into this new offense.
This new offense defined by section 2, with its streamlined proof
requirements and its enhanced penalty structure, will provide
invaluable assistance to the Department in ensuring that significant
identity theft crimes can be effectively prosecuted and properly
punished.
In addition to enacting a new offense of ``aggravated identity
theft,'' S. 2541 strengthens the existing 1998 identity theft law in
multiple ways. Section 3 of the bill closes several gaps in the
coverage of the existing identity theft prohibition (18 U.S.C.
Sec. 1028(a)(7)) and increases the penalties for certain violations of
that section.
As currently drafted, section 1028(a)(7) punishes anyone who
``knowingly transfers or uses, without lawful authority, a means of
identification of another person with the intent to commit, or to aid
or abet'' any violation of Federal law or any State or local felony.
This bill would amend this provision to prohibit, not just the
``transfer or use'' of someone else's identity information, but also
the possession of such information with the requisite criminal intent.
The bill would also add language to this provision that would
extend its coverage to those criminals who steal someone's identity
``in connection with'' another crime.
The bill also amends section 1028(a)(7) to increase from three to
five years the maximum term of imprisonment for ordinary identity theft
and for possession of false identification documents.
Lastly, section 3 of the bill would amend section 1028(b)(4) to
impose a higher maximum penalty for identity theft used to facilitate
acts of domestic terrorism. In doing so, section 3 builds upon the USA
Patriot Act's new definition of ``domestic terrorism'' and authorizes a
25-year maximum penalty for identity theft committed to facilitate an
act of domestic terrorism.
Let me again extend the Department's gratitude to Chairman
Feinstein and Senator Kyl for your leadership on this issue and for
your prompt action on this legislation. We strongly support this bill
and urge its swift enactment.
That concludes my prepared remarks. At this time, I would be
pleased to answer any questions you may have.
Chairperson Feinstein. Thanks very much, Mr. Collins.
Next I am going to go to Dennis Lormel. He is the chief of
the Financial Crimes Section of the FBI. Actually, it's chief
of the Terrorist Financial Operations Section in the
Counterterrorism of the FBI--I will give you your full title--
which has responsibility for tracking, investigating, and
disrupting terrorist-related financial activity. Previously,
Mr. Lormel served as the chief of the Financial Crimes Section
in the Criminal Investigative Division at the FBI headquarters.
He has been a special agent with the FBI for 26 years and has
extensive experience with white-collar matters.
Mr. Lormel, welcome.
STATEMENT OF DENNIS M. LORMEL, CHIEF, TERRORIST FINANCIAL
REVIEW GROUP, FEDERAL BUREAU OF INVESTIGATION, WASHINGTON, D.C.
Mr. Lormel. Thank you, Senator, and like my colleagues, we
appreciate the opportunity to participate today and applaud
your efforts in this regard.
I have submitted a written statement for the record, and in
addition to that, I would like to make some comments.
As the Senator pointed out, prior to September 11th I was
the chief of the Financial Crimes Section of the FBI, and over
time we had recognized the increased articulation of identity
theft as a significant problem, and we participated in a number
of forums involving business and different segments of the
government and recognized that an initiative to address it was
certainly warranted, and this legislation would really vastly
aid that.
In that regard, just prior to September, we undertook an
investigative initiative involving all of our field divisions
to identify cases where identity theft played a collateral or
important role in facilitating other crimes ranging through the
whole white-collar gamut to include fugitives and other violent
crimes where we have seen some problems. And, unfortunately,
September 11th came and that particular project was held in
abeyance. And since September, I have served in another
capacity, as the chief now of the new section in the Terrorism
Division, specifically addressing terrorist financing. And an
area of concern to us is, as you pointed out with two of the
anecdotes that you had, there is the use of identity theft and
false identification in furtherance of terrorism, and that is
certainly a big concern to us.
We traditionally have not in the Bureau tracked identity
theft as a crime problem or as a classification. In August of
last year, we initiated a program to try to monitor or identify
cases where identity theft was an element, and in that regard,
we have identified 954 investigations that are pending with
elements of identity theft, which include 14 terrorism
investigations.
Chairperson Feinstein. Federal?
Mr. Lormel. Yes, ma'am, 14 Federal FBI-led terrorism
investigations are included in that amount, 6 of which are
intelligence-driven and 8 of which are criminal in nature. And
I think any one of those cases just heighten the significance
and dramatize the importance of your legislation.
Also, as a follow-up to your comments, the 19 hijackers of
the events of September 11th, it is important to recognize they
did not use identity theft in furtherance of their activities,
and that group is sort of an anomaly in terms of how terrorist
groups generally work in that many of the cells that we have
looked at or are currently investigating use the theft of
identity to facilitate other crimes or, more importantly, to
derive sources of funding for themselves. And an example of
that is a cell we are looking at in Spain, in Madrid. That
particular cell, which the Spanish authorities are working in
conjunction with us, demonstrates how the theft of credit cards
facilitates terrorist acts.
Yesterday, I met with representatives from Europol, and
they were concerned that in the U.K., for instance, the
identity theft involving credit cards, stolen credit cards, is
a significant problem. And it is starting to permeate
throughout the European Union. And in conjunction with that,
there were a number of passports, a significant number of
passports stolen in Brussels and, again, finding their way into
terrorist circles. And one of our concerns is the obvious
capability of the transient nature of some of these people to
come to the U.S. using that type of identity and certainly the
availability of the credit cards in furtherance of acts.
Here in the U.S. we have had demonstrated instances where
stolen credit cards have been used, and particularly the use of
telephone calling cards that have been stolen and used in false
identities. We have had a number of instances--and, in fact,
funding that the 19 hijackers did receive, the primary funds
that were transferred to the U.S. were done using aliases and
false identification from people facilitating their operations.
So that was certainly another area of concern for us.
We have got an ongoing project right now involving stolen
and the misuse of Social Security numbers, which is
significant. As an example, early after September we
established kind of a terrorism financial--terrorist--financing
database, and from that database we ran a sampling of Social
Security numbers. And we came up with over 400 Social Security
numbers that appeared to be misused, and it included two
individuals that were detained shortly after September, one of
which was charged down in Austin, Texas, on the Amtrak train.
Ayub Khan was one of them, and he had false identity that he
has been charged with, and I believe convicted of, if I am not
mistaken. Those are some examples of the problems we have
encountered.
So, again, Senator, we thank you for your efforts, and that
certainly will help provide deterrence that is sorely needed in
this area.
[The prepared statement of Mr. Lormel follows:]
Statement By Dennis M. Lormel, Chief, Terrorist Financial Review Group,
Federal Bureau of Investigation
Good afternoon Madam Chairman and members of the Subcommittee on
Technology, Terrorism and Government Information. On behalf of the
Federal Bureau of Investigation (FBI), I would like to express my
gratitude to the Subcommittee for affording us the opportunity to
participate in this forum and to provide comment to the Subcommittee
regarding the proposed legislation in S. 2541. The FBI is very
supportive of this bill which enhances the penalties for convictions on
certain felony violations where identify theft was used in relation to
the offenses and adds some wording to Section 1028 of Title 18, United
States Code.
As this Subcommittee is well aware, the FBI, along with other
federal law enforcement agencies, investigates and prosecutes
individuals who use the identities of others to carry out violations of
federal criminal law. These violations include bank fraud, credit card
fraud, wire fraud, mail fraud, money laundering, bankruptcy fraud,
computer crimes, and fugitive cases. These crimes carried out using a
stolen identity makes the investigation of the offenses much more
complicated. The use of stolen identity enhances the chances of success
in the commission of almost all financial crimes. The stolen identity
provides a cloak of anonymity for the subject while the groundwork is
laid to carry out the crime. This includes the rental of mail drops,
post office boxes, apartments, office space, vehicles, and storage
lockers as well as the activation of pagers, cellular telephones, and
various utility services.
Identity theft is not new to law enforcement. For decades fugitives
have changed identities to avoid capture and check forgers have assumed
the identity of others to negotiate stolen or counterfeit checks. What
is new today is the pervasiveness of the problem. The Federal Bureau of
Investigation does not view identity theft as a separate and distinct
crime problem. Rather, it sees identity theft as a component of many
types of crimes which we investigate.
Advances in computer hardware and software along with the growth of
the Internet has significantly increased the role that identity theft
plays in crime. For example, the skill and time needed to produce high-
quality counterfeit documents has been reduced to the point that nearly
anyone can be an expert. The same multimedia solfware used by
professional graphic artists is now being used by criminals. Today's
software allows novices to easily manipulate images and fonts, allowing
them to produce high-quality counterfeit documents. The tremendous
growth of the Internet and the accessibility it provides to such an
immense audience coupled with the anonymity it allows results in
otherwise traditional fraud schemes becoming magnified when the
Internet is utilized as part of the scheme. This is particularly true
with identity theft related crimes. Computer intrusions into the
databases of credit card companies, financial institutions, on-line
businesses, etc. to obtain credit card or other identification
information for individuals have launched countless identity theft
related crimes. This proposed legislation would act as a strong
deterrent to not only those committing the initial intrusion, but to
the vast potential users of that information who would utilize it to
commit their own criminal fraud schemes.
The impact is greater than just the loss of money or property. As
the victims of identity theft well know, it is a particularly invasive
crime that causes immeasurable damage to the victim's good name and
reputation in the community; damage that is not easily remedied. The
threat is made graver by the fact that terrorists have long utilized
identity theft as well as Social Security Number fraud to enable them
to obtain such things as cover employment and access to secure
locations. These and similar means can be utilized by terrorists to
obtain Driver's Licenses, and bank and credit card accounts through
which terrorism financing is facilitated. Terrorists and terrorist
groups require funding to perpetrate their terrorist agendas. The
methods used to finance terrorism range from the highly sophisticated
to the most basic. There is virtually no financing method that has not
at some level been exploited by these groups. Identity theft is a key
catalyst fueling many of these methods.
For example, an Al-Qaeda terrorist cell in Spain used stolen credit
cards in fictitious sales scams and for numerous other purchases for
the cell. They kept purchases below amounts where identification would
be presented. They also used stolen telephone and credit cards for
communications back to Pakistan, Afghanistan, Lebanon, etc. Extensive
use of false passports and travel documents was used to open bank
accounts where money for the mujahadin movement was sent to and from
countries such as Pakistan, Afghanistan, etc.
The FBI has implemented a number of initiatives to address the
various fraud schemes being utilized by terrorists to fund their
terrorist activities. One involves targeting fraud schemes being
committed by loosely organized groups to conduct criminal activity with
a nexus to terrorist financing. The FBI has identified a number of such
groups made up of members of varying ethnic backgrounds which are
engaged in widespread fraud activity. Members of these groups may not
themselves be terrorists, but proceeds from their criminal fraud
schemes have directly or indirectly been used to fund terrorist
activity and/or terrorist groups. By way of example, the terrorist
groups have siphoned off portions of proceeds being sent back to the
country from which members of the particular group emigrated. We
believe that targeting this type of activity and pursuing the links to
terrorist financing will likely result in the identification and
dismantlement of previously unknown terrorist cells. Prior to 9/11,
this type of terrorist financing often avoided law enforcement
scrutiny. No longer. The FBI will leave no stone unturned in our
mission to cut off the financial lifeblood of terrorists.
Another initiative has been the development of a multi-phase data
mining project that seeks to identify potential terrorist related
individuals through Social Security Number misusage analysis. The FBI,
through its Terrorist Financial Review Group, is taking SSNs identified
through past or ongoing terrorism investigations and providing them to
the Social Security Administration for authentification. Once the
validity or non-validity of the number has been established,
investigators look for misuse of the SSNs by checking immigration
records, Department of Motor Vehicles records, and other military,
government and fee-based data sources. Incidents of suspect SSN
misusage are then separated according to type. Predicated investigative
packages are then forwarded to the appropriate investigative and
prosecutive entity for follow-up.
Given the alarming nature of the threat posed by identity theft and
the potential nexus to terrorism, the FBI is grateful for the efforts
of Congress and this Subcommittee in pursuing this legislation which
will considerably aid law enforcement efforts to address the threat.
Enhancing the penalties for identity theft makes it clear that identity
theft is a serious crime with serious consequences. It will encourage
law enforcement to more aggressively investigate this type of crime and
for it to be prosecuted. All of which will likely serve as a deterrent
and slow the growth rate of identity theft related crimes. Thank you.
Chairperson Feinstein. Thank you very much, Mr. Lormel.
We have been joined by the distinguished ranking member,
Senator Kyl, who is the cosponsor of this legislation.
Senator we have heard from Mr. Collins and Mr. Lormel.
There is one more to go, but I would like, if you would like to
make a statement----
Senator Kyl. No, no. Please continue.
Chairperson Feinstein. All right. I will proceed then and
introduce Howard Beales III, the Director of the Bureau of
Consumer Protection at the Federal Trade Commission. Mr. Beales
began his career at the FTC in 1977 as an economist
specializing in consumer protection problems, and now as
director, he oversees the work of some 152 lawyers and a $77
million budget. His major areas of expertise and interest
include law and economics and aspects of Government regulation
of the economy.
Mr. Beales, welcome.
STATEMENT OF HOWARD BEALES, DIRECTOR, BUREAU OF CONSUMER
PROTECTION, FEDERAL TRADE COMMISSION
Mr. Beales. Thank you, Madam Chairman and Senator Kyl. I
really am pleased to be able to testify today and express the
Commission's support for S. 2541, the Identity Theft Penalty
Enhancement Act.
Every day, through our toll-free hotline and our online
complaint form, we are able to advise hundreds of people on how
to repair the damage to their credit and their reputations that
is caused by identity theft. As you know, we also collect data
from these consumers to share with law enforcement through our
Consumer Sentinel Network. These data support the prosecution
of ID theft by identifying suspects and helping to spot trends.
Measures like S. 2541 that deter and punish those who would
engage in identity theft thus serve our common goal of reducing
this pernicious crime.
Our partners in law enforcement tell us that identity theft
is often committed in furtherance of other crimes. This bill
would enhance the penalties when identity theft is committed in
furtherance of some of the most damaging and serious other
crimes, including those that facilitate domestic terrorism.
Specifically, the bill would impose greater penalties on
defendants who commit identity theft in order to obtain a
firearm, steal another employee's benefits, obtain
documentation of citizenship, or commit mail, wire, or bank
fraud, among other offenses.
The bill would also streamline proof requirements by
including the possession of identifying information with intent
to commit identity theft as an element of the crime.
These proposed improvements in the ID theft enforcement
scheme will make identity theft cases easier to investigate and
easier to prosecute successfully. Ultimately, the goal of the
bill is to develop more fruitful prosecutions. We, too, are
making efforts to encourage prosecutions under both Federal and
State identity theft laws. In March, we launched a nationwide
training program for investigating ID theft in cooperation with
the Secret Service, the Department of Justice, and with support
from the International Association of Chiefs of Police.
To date, we have trained more than 440 law enforcement
officers from over 100 local, State, and Federal agencies. We
have held sessions in D.C., Des Moines, Chicago, and San
Francisco, and have an upcoming training session scheduled for
Dallas in August.
The training includes presentations on how to use the
Consumer Sentinel ID Theft Clearinghouse, the value of
cooperative enforcement through regional task forces, and the
ins and outs of both high-tech and traditional identity theft.
We have been encouraged by the healthy turnout at the events
and plan to follow up with a program to train the trainers, if
you will. By reaching key officers, especially in areas with a
high prevalence of identity theft, we hope to enable even more
law enforcement agencies to join the fight against identity
theft.
I would like to briefly address what our data indicate
about some of the aggravated identity theft crimes that are the
subject of S. 2541. In 2001, our clearinghouse received just
over 86,000 identity theft complaints. The most common type of
identity theft involved fraudulently obtained credit. Forty-two
percent of the victims experienced this type of fraud. In most
cases, this involves activity that could be charged as mail,
bank, or wire fraud, depending on the facts of the particular
case. Thus, the most common forms of theft would be targeted by
the provisions of S. 2541.
One word of caution about this data. Because our
clearinghouse is based mostly on self-reported data, it
reflects what the victim knows. This may not fully reflect the
prevalence of some of the predicate felonies under the bill.
For example, credit fraud is often quickly apparent to the
victims through contact by the card-issuing bank or evidence of
fraudulent accounts on their credit reports.
That is not the case for other types of identity theft. For
example, only 6 percent of the complaints we received in
calendar year 2001 involved fraud with respect to Government
documents or benefits, and less than 3 percent reflected
falsely obtained driver's licenses. Does this mean there is not
much Government document fraud? Well, probably not. It is
simply less likely that the victim will learn about this type
of fraud. Indeed, the victim may never become aware that
someone obtained proof of citizenship or made a false statement
to obtain a firearm in their name. However, these types of
serious violations are often uncovered once investigators begin
a more detailed review of the suspect's conduct.
We are encouraged to see the aggressive steps taken by our
colleagues in criminal law enforcement to target ID theft. The
FTC will continue to do all it can to assist law enforcement
through our training programs and through the use of our
clearinghouse data. And we believe that the enhanced penalties
envisioned by S. 2541 will increase the likelihood that those
who exploit an innocent person's good name will receive
appropriate punishment.
Thank you, Madam Chairman, and I will be happy to answer
any questions.
[The prepared statement of Mr. Beales follows:]
Prepared Statement of the Federal Trade Commission on the Identity
Theft Penalty Enhancement Act of 2002
i. introduction
Madam Chairman and members of the Committee, I am Howard Beales,
Director of the Bureau of Consumer Protection, Federal Trade Commission
(``FTC'' or ``Commission'').\1\ I appreciate the opportunity to present
the Commission's views on the importance of strengthening the tools
available to law enforcement as a means to both prevent and deter the
crime of identity theft.
---------------------------------------------------------------------------
\1\ The views expressed in this statement represent the views of
the Commission. My oral presentation and responses to questions are my
own and do not necessarily represent the views of the Commission.
---------------------------------------------------------------------------
In March of this year, I had the opportunity to testify before the
Subcommittee on the serious consequences that can result from identity
theft.\2\ In that testimony, I described three main components of the
FTC's identity theft program: our Identity Theft Data Clearinghouse
(the ``Clearinghouse''); our consumer education and assistance
resources, including our toll-free hotline, website, and educational
brochures; and our collaborative and outreach efforts with law
enforcement and private industry. Today, I would like to focus on the
various ways the FTC works with law enforcement in order to facilitate
their investigation and prosecution of identity theft crimes, and to
express the Commission's support for the Identity Theft Penalty
Enhancement Act, which will help achieve that goal.
---------------------------------------------------------------------------
\2\ See Testimony of J. Howard Beales, Senate Judiciary Committee,
Subcommittee on Technology, Terrorism and Government Information (March
20, 2002).
---------------------------------------------------------------------------
The FTC has committed significant resources to assisting law
enforcement, and fully intends to continue to do so in the future.
Investigation and prosecution not only stop the offender from
destroying another person's financial well being, but can also deter
would be identity thieves from committing the crime.
ii. the identity theft penalty enhancement act--s. 2541
Since the enactment of the Identity Theft and Assumption Deterrence
Act of 1998 (``Identity Theft Act'') \3\, we have learned more about
how this pernicious crime works. Our colleagues in criminal law
enforcement have seen how identity theft can further many types of
financial fraud and even terrorism. The Identity Theft Penalty
Enhancement Act, S. 2541, provides for enhanced charging and sentencing
when identity theft occurs in connection with these other serious
crimes. The Commission supports S. 2541 and its goal of increasing
criminal penalties for the most damaging forms of identity theft.
---------------------------------------------------------------------------
\3\ Pub. L. No. 105-318, 112 Stat. 3010 (1998).
---------------------------------------------------------------------------
The sentencing enhancements that S. 2541 envisions would, if
enacted, step-up the penalties for the most serious forms of identity
theft, and strengthen prosecutors' ability to bring these cases. In
particular, the proposed legislation would define a new crime of
``aggravated identity theft'' that includes the most deleterious forms
of identity theft, and which would carry greater penalties. Many of the
predicate offenses that are included in the definition of
``aggravated'' identity theft, including identity theft for the purpose
of defrauding employee benefit plans or committing bank fraud, have
predictably serious consequences to both the individual and
institutional victims of the crime. Each of these would carry a two-
year consecutive enhancement to the sentence. Enhanced five-year
consecutive penalties would result if a terrorist or terrorist-related
offense is involved.
S. 2541 also streamlines proof requirements by including the
possession of identifying information with intent to commit identity
theft as an element of the crime. These provisions, together with the
enhanced sentences for aggravated identity theft, will make identity
theft cases easier to investigate and to prosecute successfully.
iii. the complaint clearinghouse
The Identity Theft Act directed the FTC to, among other things, log
the complaints from victims of identity theft and refer those
complaints to appropriate entities such as appropriate law enforcement
agencies. Before launching our complaint system, the Commission took a
number of steps to ensure that it would meet the needs of criminal law
enforcement. For example, in April 1999, representatives from ten
federal law enforcement agencies, five banking regulatory agencies, the
US Sentencing Commission, the National Association of Attorneys General
and the New York State Attorney General's Office met at the FTC to
share their thoughts on what the FTC's complaint database and
comprehensive consumer education booklet should contain. The roundtable
participants also established a working group that provided feedback
throughout the construction of the database. The FTC opened the
consumer hotline and began adding complaints to the resulting
Clearinghouse in November 1999. Law enforcement organizations
nationwide who were members of our Consumer Sentinel Network (the FTC's
universal fraud complaint database) gained access to the Clearinghouse
via our secure Web site in July of 2000.
To ensure that the database operates as a national clearinghouse
for complaints, the FTC has solicited complaint entry from other
critical sources. For example, in November 2000, the International
Association of Chiefs of Police (IACP) unanimously passed a resolution
in support of curbing identity theft that, among other things, calls
upon local police to refer identify theft victims to the FTC's hotline
so that their complaints will be available to law enforcement officers
nationwide through the Clearinghouse. In February 2001, the Social
Security Administration Office of Inspector General (SSA-OIG) began
providing the FTC complaints from its fraud hotline, significantly
enriching our database. As a result of these efforts, the Clearinghouse
has become a key element in identity theft investigations.
Many of the agencies that collaborated on the development of the
Clearinghouse also participate in the Attorney General's White Collar
Crime Task Force's Subcommittee on Identity Theft. Subcommittee members
and other Consumer Sentinel users have told the FTC that the
Clearinghouse is used primarily in two ways: to initiate new
investigations, and even more often, to identify additional victims,
suspects, addresses, phone numbers and criminal activities related to
an ongoing investigation.
The Clearinghouse provides a much fuller picture of the nature,
prevalence, and trends of identity theft than was previously
available.\4\ In 2000, our first full year of operation, we entered
more than 31,000 consumer complaints into the database. In 2001, that
number grew to 86,168. As of the end of May this year, only five months
into the calendar year 55,000 complaints have already been added to the
database. These numbers reflect complaints only, and do not include the
tens of thousands of consumers who contacted us with questions on how
to prevent identity theft or how to handle the loss or theft of a purse
or wallet. This growth means that the Clearinghouse will continue to
become a richer source of data for law enforcement, both in terms of
developing and enhancing cases, and in providing information about the
overall patterns and trends in identify theft.
---------------------------------------------------------------------------
\4\ Attached are charts that summarize 2001 data from the
Clearinghouse. These data are posted at www.consumer.gov/idtheft and
www.ftc.gov/sentinel.
---------------------------------------------------------------------------
Data from the Clearinghouse also assist law enforcement in other
important ways. FTC data analysts aggregate the data to develop
statistics about the nature and frequency of identity theft. Law
enforcement and other policy makers at all levels of government use
these reports to better understand the challenges identity theft
presents. For instance, we publish the charts showing the prevalence of
identity theft by states and by cities. The data also demonstrate
general trends. The first twelve months of data revealed that over
thirty-five percent of victims who called us reported that they had not
been able to file police reports. Following the November 2000 IACP
resolution that called upon local police to write reports for all
incidents of identity theft, the number of victims who were unable to
file a report fell by almost half to eighteen percent.
Since the inception of the Clearinghouse, forty-six separate
federal agencies and three hundred and six different state and local
agencies have signed up for access to the database. Among the agencies
represented are over half the state Attorneys General as well as law
enforcement from a number of major cities including Baltimore, Dallas,
Los Angeles, Miami, San Francisco, and Philadelphia. We want to
encourage even greater participation. To that end, since March of this
year, we have been conducting outreach and law enforcement training and
demonstrating the efficacy of the Clearinghouse at law enforcement
conferences around the country. We have seen positive results from
these efforts. For example, within three weeks after our training
seminar in Chicago, held this May, approximately a third of the
participating agencies without prior access to the Clearinghouse had
signed up, and we continue to receive applications. As a core component
of our program, we will continue to focus resources and to devise new
methods for expanding law enforcement access to the database.
iv. partnership with the secret service
The Clearinghouse is essentially a tool for criminal investigators
and prosecutors. The US Postal Inspection Service,\5\ the United States
Secret Service (the ``Secret Service'') the SSA-OIG, the Department of
Justice (DOJ), and the IACP, along with many other agencies, are
outstanding partners in this effort, consistently communicating the
availability and advantages of the Clearinghouse to their colleagues.
---------------------------------------------------------------------------
\5\ The Postal Inspection Service was the first agency to detail a
law enforcement officer to work with the FTC's data sharing program.
The Inspection Service detailed an inspector who, for over one year,
managed our Consumer Sentinel system. These partnerships allow us to
share expertise and also maintain open and ongoing communication.
---------------------------------------------------------------------------
The Secret Service has made a particularly strong commitment to
making the Clearinghouse the centralized investigatory tool for
identity theft crimes nationwide. The Secret Service has just begun its
second year of detailing a Special Agent to the FTC's identity theft
program. This partnership has provided numerous benefits. In addition
to the day-to-day assistance of an experienced law enforcement officer
with expertise in investigating identity theft crimes, the Secret
Service has also provided the FTC with access to powerful data mining
and clustering software tools, the research capabilities provided by
its financial crimes analysts, and its network of task forces
throughout the country.
A. Investigative Referrals
The Clearinghouse, which now contains over 170,000 victim
complaints, can be searched with more precision using the Secret
Service's data mining and clustering software tools. Taking the results
of a search, the Special Agent works with FTC staff to develop the most
significant case leads into full investigative reports. As part of that
effort, the Secret Service runs the leads through the additional
intelligence databases it uses in its own criminal investigations.
Since last June, we have been referring the investigative reports to
Financial Crimes Task Forces or other appropriate law enforcement
entities. In other instances, law enforcement agents from around the
country directly contact the FTC with requests for an enhanced database
search on a lead they currently have under investigation.
B. Law Enforcement Training
Recognizing that investigating identity theft often presents unique
challenges, the FTC in conjunction with the Secret Service, DOJ, and
IACP planned and directed training seminars for state and local law
enforcement around the country in Washington, DC, Des Moines, Iowa,
Chicago, Illinois, and in San Francisco. More than 440 people from over
100 different government departments and agencies have attended these
seminars since we began them in March. Over three-quarters of the
attendees were from state and local law enforcement and prosecuting
authorities. An additional training program is planned for Dallas,
Texas on August 14.
The training is designed to provide officers with technical skills
and resources to enhance their efforts to combat identity theft. The
training draws on the talent of local police and prosecutors, in
addition to the core training staff from the FTC, DOJ and the Secret
Service. While particular details may vary between venues, we stress
two basic elements in the first half of the day: the value of Task
Forces and the utility of the Clearinghouse to build and augment cases.
The training also touches on the consumer educational and informational
aspects of the FTC's identity theft program, because many law
enforcement departments use our booklet, When Bad Things Happen To Your
Good Name, as part of their victim assistance effort.
The training then moves to segments providing practical advice and
demonstrating hands-on tools to help improve investigational
strategies. In addition, presentations are geared towards familiarizing
the attendees with the many different resources available to them from
the federal, state and local government, and also from private
industry, for investigating identity theft. Local prosecutors identify
the key components they are looking for to bring successful identity
theft actions. The feedback we have received has been very positive,
and has enabled us to fine-tune each subsequent seminar.
v. conclusion
The Commission supports S. 2541, the Identity Theft Penalty
Enhancement Act of 2002, and embraces its goal of increasing the
prosecution and criminal penalties when the identity theft facilitates
particularly pernicious crimes. When these crimes are committed under
someone else's identity, it stigmatizes an innocent person who must
struggle to clear his or her name from association with an
exceptionally horrific misdeed. It is only just that such a crime
should carry an additional penalty. The FTC will continue to do its
part to support the prevention, investigation, prosecution and
mitigation of identity theft by providing law enforcement with
education, training, access to the Clearinghouse, and case referrals.
Chairperson Feinstein. Thank you very much. That completes
our testimony.
Senator do you wish to make a statement?
STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF
ARIZONA
Senator Kyl. Yes, thank you, Madam Chair. I will simply say
that it has been a pleasure to work with you in developing this
legislation, and to make the point that we have all been
increasingly frustrated by the fact that we have now acted
twice, and this will be the third time we have affirmatively
taken action to try to deal with this problem of identity theft
and have dealt with it, and yet it continues apace. And until
we are so serious about it that there is a real threat to the
people that are committing it, it is going to continue. And
that is why the enhanced penalties in here I think make a great
deal of sense.
I am going to have a couple of questions that deal with the
elements of it that I will ask when my turn comes here, but I
thank the three of you for being here to help us understand
what we need to do, and I really appreciate your commitment in
helping to crack down on identity theft.
Thank you.
Senator Feinstein. Thanks, Senator.
Mr. Collins, my first question is of you. According to the
FTC, the average identity theft case reported to the
clearinghouse involved about $8,000 in losses. That is average.
However, many Federal prosecutors require a minimum theft
amount of $25,000 before they will investigate a case. We have
found this true in California, too.
Given that many identity theft crimes don't reach that
threshold, what recommendations would you have to encourage
Federal prosecution in these cases? I think that would go a
long way to sending a clear signal.
Mr. Collins. Well, I think there are two points to make in
that regard, and one relates specifically to the legislation.
But before I get to that, first, the Attorney General and
working through the Attorney General's Subcommittee on Identity
Theft, which is an interagency task force that works as a
coordinating clearinghouse for State and local task forces and
other organizations, has worked throughout the country to get
information out to make available the FTC Consumer Sentinel, to
make people aware of that resource, and they are engaged in
activities to educate U.S. Attorney's Offices about the
importance of this crime.
For example, last fall, in October, they sent a package of
materials to every U.S. Attorney's Office in the country with a
model indictment and model jury instructions on the existing
law.
The Attorney General has also by his actions in May
indicated that this is a priority for the Department and is of
importance. So I think that that message is getting out there.
We have had receptivity from the U.S. Attorney's Offices.
Now, clearly, given the kinds of numbers of victims that we
have mentioned and that have appeared in both the GAO studies,
the FTC reports, you are talking about a very large number of
victims. Now, clearly, that is a number of cases that could not
be handled by Federal law enforcement alone. They have to work
in partnership with coordinating activities with State and
local task forces, and they are doing that.
But when a case is taken federally, it is important that it
be one where the penalty is going to be commensurate with the
fact that it warrants Federal resources, and that is where this
legislation comes in, because this says, if a case is going to
be taken federally, if you are committing a serious Federal
felony and stealing someone's identity in doing it, you are
going to get a sufficiently severe sentence. You are going to
get this penalty you would have gotten under the underlying
predicate crime plus 2 years, mandatory, no fiddling with the
underlying sentence to offset it, 2 years tacked right onto it.
That is a substantial uptick if you look at the Sentencing
Guidelines and how they score white-collar offenses.
Chairperson Feinstein. Let me be more precise. I question
an office having a $25,000 threshold. I don't know what Mr.
Raissi in Great Britain--the level of his theft, but it could
well be under $25,000. And so it seems to me that really a
theft level isn't appropriate, but the magnitude of the kind of
crimes that surround it might be better taken.
Mr. Collins. Well, my experience when I was an AUSA in Los
Angeles is that the approach to guidelines, the smart approach
to guidelines, is to use it as a guide and not as an inflexible
rule.
Chairperson Feinstein. Is it today a guideline, $25,000?
Mr. Collins. I don't know--different districts have
different judgments as to when they think a case should or
should not be taken federally. My experience was that we used
guidelines to tell us when a case was likely to warrant Federal
attention. If it was below the guidelines but there were other
countervailing Federal interests that warranted taking that
case, that was something that we would look at.
That is the kind of approach. Obviously, if someone is
committing serious identity fraud in connection with what may
be some serious terrorist activity, some other thing where
there is a clear Federal interest, the fact that it is below a
particular dollar amount should not cause someone to decline
what would otherwise be an appropriate Federal case.
Senator Feinstein. One last quick question, and then I want
to turn to Senator Kyl, on the possession language. I think I
mentioned that current law prohibits the transfer of false
identity documents, but doesn't specifically ban the
possession. And our bill would prohibit possession of these
documents so that if a law enforcement officer were to discover
a stash of false identity documents and can prove that the
individual who possesses those documents intended to use them
for, let's say, a terrorist act, that individual would be
subject to prosecution simply for possession.
To what extent has the lack of a penalty for possession up
to this point been a problem?
Mr. Collins. It takes away flexibility, Senator, under
1028(a)(3), if you had possession of five or more
identification documents, which is much more narrowly defined
than ``means of identification,'' which was the key term that
was inserted in the 1998 legislation that enacted the current
ID theft provision at 1028(a)(7); (a)(7), though, only says
transfer or use. So you get the broader definition of means of
identification, and now with S. 2541, you would have
possession. That gives you the flexibility. It adds another
arrow to the quiver, that if there is a serious case where this
is an element of the criminal conduct, that that is something
that you can now charge. And when we were sort of assessing,
looking at where there were gaps and consulting with the
identity theft task force to see where we were getting feedback
that there were areas that could be covered, this was
identified as one area where there could be supplementation
made to the 1998 legislation to strengthen it and give
additional flexibility to prosecutors.
Chairperson Feinstein. Now I am more confused because I
have the actual statute. 1028(a)(4) says ``knowingly possesses
an identification document (other than one issued lawfully for
the use of the possessor) with the intent such document be used
to defraud the United States.'' I guess what we are doing here
is we are broadening it.
Mr. Collins. The current provision has sort of a patchwork.
Possession is only covered in limited cases.
Chairperson Feinstein. Right.
Mr. Collins. It is covered if it is Government fraud. It is
covered if it is five or more. What your legislation would do
is say it is covered, period, and that is really where we
should be.
Chairperson Feinstein. Right.
Mr. Collins. Provided there is an appropriate Federal
jurisdictional nexus. That is already in the existing law and
is incorporated.
Chairperson Feinstein. I understand. Thank you.
Senator Kyl.
Mr. Lormel. Excuse me, Senator?
Chairperson Feinstein. Yes, please.
Mr. Lormel. May I make an observation? Since September, we
have found that the U.S. Attorney's Offices have been much more
flexible so the timing of your legislation is tremendous
because it certainly does add additional backing to
prosecutors. But, clearly, where these cases were really never
addressed because of resource constraints, the U.S. Attorney's
Offices have been much more sensitive to them.
Chairperson Feinstein. I am delighted to hear that. I think
that is extraordinarily important because prior to that, I know
we were having troubles, particularly in California, getting
some of this addressed. So I am delighted to hear it.
Senator Kyl.
Senator Kyl. Thank you, Senator Feinstein, and the reason
for that, I presume, is because of the degree to which this
kind of crime is being used in connection terrorism, as you
pointed out in your testimony.
Mr. Lormel. Yes. In part, Senator, Yes.
Senator Kyl. One of my two areas of inquiry is a direct
follow-up on Senator Feinstein's question regarding possession.
This is a little bit like the cell phone cloning bill that we
did several years ago where there was absolutely no legitimate
purpose for having a cloned--the equipment to make a cloned
cell phone. Unless you were the phone company, you were a crook
if you had it. And so you didn't have to use it. All we had to
do is find it in your possession, and we did that, and it has
worked out, I think.
Here it is the same thing, is it not? You have got in your
possession these falsified documents which serve no earthly
purpose except to then commit a fraud if you sell them to
somebody and then that person commits the fraud directly. So I
think that is the rationale for this.
My question here goes directly to whether or not there are
instances, cases, and I will ask you, Mr. Collins, where had
you had this broader definition of mere possession rather than
transfer or sale, you could have made the case or solved the
crime or charged the person, whereas with the existing statute
it just wasn't possible to do that. Are there actually cases
where that is so?
Mr. Collins. I am sure that there have been. I don't have
cases at my fingertips that fell in this particular crack, but
I know that when we were looking at the issue of identity theft
and where there were gaps in the law, this was one that was
reported back that, look, we really should have the flexibility
to be able to charge a possession, so long as we can show the
requisite intent and that is preserved. But that should really
be part of the package of tools that are available, but I don't
have a particular case at this moment.
Senator Kyl. Okay. Well, just on to the point that somebody
might raise that we are just being too liberal here in the
expansion of language that you merely have to possess rather
than actually transfer the documents, what would your response
to that be as a practical matter with respect to the state of
mind of the individual and the potential for the commission of
a crime?
Mr. Collins. There are a variety of other offenses in other
contexts, for example, in the Immigration and Nationality Act,
where there is regulation of possession of false documents
already. Why the particular limitations that we see in 1028(a)
are there, that it is covered here a little bit and there a
little bit, I am not quite sure.
But the direct answer is that we still have to prove under
the law as amended by S. 2541 that they possessed the
identification with the intent to commit or to aid or abet any
unlawful activity that constitutes a violation of Federal law
or a felony under State law. So this is not someone who is
saving the, you know, driver's license of their late mother as
a memento. This is someone we find who has a collection and
stash of identification documents or even has just one
particular document that reflects that they have opened an
account but they haven't yet acted on the account. We don't
need to wait for that. They are guilty just based on the
possession of that false document, so long as we can show
beyond a reasonable doubt that it is done with that intent.
Senator Kyl. Now, is the intent what is known in law as the
scienter requirement?
Mr. Collins. Yes.
Senator Kyl. And that is the ability to prove that there
was a knowing intent to--or a knowledge of and knowing intent
to commit the crime?
Mr. Collins. That is correct.
Senator Kyl. Or to commit a crime.
In your testimony, you talk about the fact that, in
addition to proving all of the elements of the predicate crime,
including scienter, prosecutors must also establish that the
defendant knowingly transferred or used the identification with
the intent to commit a Federal or State crime, and that S. 2541
would streamline the proof by requiring proof of only that
level of scienter that is already required by the underlying
predicate offense and the knowing use of another's identity.
So is that what you are talking about here with respect to
having to prove scienter even though there hasn't been a
transfer or a sale?
Mr. Collins. The potentially multiple layers of scienter
that are in the existing law come from the fact that if you
look at 1028(a)(7) is says ``knowingly transfer,'' and now that
would be ``transfer or possess or use,'' and then ``with the
intent to commit,'' and then it is a further violation. And
then we actually sat down and wrote out the jury instructions,
it becomes apparent because the first element is knowingly;
second is with intent to commit; and then you have to give all
the elements of the underlying offense, which may itself have a
scienter.
Now, you don't have to prove the underlying offense. It is
intent to commit. But, nonetheless, we are potentially at three
levels of scienter depending on what kind of predicate is used.
Now, having this broad a statute is clearly very valuable,
and we have gotten very good feedback on this. But that is the
idea behind the aggravated identity theft, is let's pick out
the most serious forms, let's streamline this, the proof
requirements, so that it is basically knowing possession,
underlying offense, and we are done and then clarify the
penalty structure as well.
Senator Kyl. And can you describe any cases that you may be
familiar with, or either of the other witnesses here, to
illustrate this point to us? It is unfair to ask you, I know. I
didn't ask you to bring the cases when you came to the hearing.
Mr. Collins. The Attorney General at his press conference
identified a number of different cases that were part of the
sweep. One of them involved someone who was attempting to avoid
a Federal prosecution by attempting to murder someone else and
then assume his identity.
Now, actually that is sufficiently infrequent that murder
is not one of the underlying aggravated predicates. What is
more common is someone steals mail--and there were several
cases announced by the Attorney General that fit within this
pattern that is actually a distressingly common pattern,
someone steals an item of mail that contains a Social Security
number or credit card information, opens an account, and then
begins siphoning off money from the person.
We had the case involving the exercise of stock options. We
had another case from Texas that involved two individuals who
attempted to loot several persons of almost a quarter of a
million dollars. So there were significant dollar amounts on
some of these offenses, but they go the full range of the
creativity of the criminal mind.
Senator Kyl. Well, thank you, and what I was trying to do
was obviously bring this right home to people so they can see
practically why we are trying to do this. And your point also
is that this is not unprecedented. What we are doing here fits
in with some other statutes, and that essentially we are taking
a variety of provisions and conforming them to one standard
which will be useful in the prosecution of these crimes.
I am appreciative of the Justice Department and the other
agencies' support, but also helping us identify those areas of
the statute that we need to clean up. And I have said this to
FTC representatives in the past, since probably you are on the
front line and you are going to get more initial contact,
whatever you see in the way of events occurring that would
suggest changes, either in statutes or other things that we
need to do, whether it is the Justice Department or anybody
else or FTC, we want to hear about that so we can continue to
try to stay a step ahead of these people, because right now it
appears like they are a step ahead of us.
Thank you.
Chairperson Feinstein. Thanks, Senator Kyl.
I have just got a couple of questions. The first is to Mr.
Lormel. If I understand it right, 6 of the 19 hijackers from
September 11th were using Social Security numbers illegally. Do
you know how they got them?
Mr. Lormel. No, ma'am, actually, they didn't use Social
Security numbers. They made up numbers for account purposes
when they were filling out bank applications. So, in actuality,
they had no intent--I don't think they understood the system,
those particular people. So they just filled in numbers.
Chairperson Feinstein. So they just made them up?
Mr. Lormel. Yes.
Chairperson Feinstein. And that went through?
Mr. Lormel. Yes.
Chairperson Feinstein. Wow. How does that happen? Nobody
checks?
Mr. Lormel. I think from the standpoint of lessons learned,
that was a valuable lesson that has been learned. But I also
think that those instances were very limited, and I think
people took too much for granted in the application process
prior to September 11th.
Chairperson Feinstein. Now, banks now know that?
Mr. Lormel. Oh, yes, ma'am. We have had an aggressive
outreach program, and we have ongoing dialogue with a number of
the major banks, and they are well aware of some of the
problems.
Chairperson Feinstein. Do they then report to you made-up
Social Security numbers?
Mr. Lormel. That would be reported through the suspicious
activity reports to FinCEN, and I am sure there is a better
vigilance there.
Chairperson Feinstein. The interesting thing of this is
that at least we have been led to believe that there was very
little communication among the 19 hijackers. Therefore, having
six of them doing the same thing would indicate to me that
there may well be others doing the same thing.
Mr. Lormel. The 19 hijackers, in that regard, though, you
may have had a few of them who were the leaders. They basically
would typically, if they were going to open up bank accounts or
things, go in groups where perhaps one of them acted as a
leader for three or four. So those----
Chairperson Feinstein. Do you know that for a fact?
Because--question: Do you know that for a fact?
Mr. Lormel. Yes, ma'am. We had indications that they were
acting in certain regards in groups, if I understand your----
Chairperson Feinstein. In other words, that they met or
communicated--I am talking about the 19 specific people.
Mr. Lormel. Right. They were kind of compartmentalized and
three or four of them acted together, would travel together.
Chairperson Feinstein. But this is six.
Mr. Lormel. Right, but--I am not sure if I have followed
what you were saying, but they----
Chairperson Feinstein. No. What we have been led to
believe--and I think, you know, this has been in the public
press--is that one of the reasons the operation was what it was
is because they didn't really know each other for the most
part. They lived all--maybe two together, but separately. There
was no communication among them.
Mr. Lormel. That is kind of complex in the sense that they
were in kind of four groups. So I think it is a matter of
semantics, yes and no, and I don't mean to be evasive on that.
But there was a certain level of communication, and, you know,
they acted--even though they were compartmentalized in
individual, but you had like your flight teams, so you had--the
way I look at it from a financial viewpoint--and, you know, I
don't mean to speak out of school with the terrorism side. But
from our financial standpoint, we kind of lumped them into four
groups, and from a financial transactional standpoint, I could
link them together differently. And in opening the bank
accounts and just following the financial flows, you could see
that one led three or four.
Now, I don't know what the direct level of communication
between them was other than, you know, following the financial
activity, so to speak.
I have just confused you more.
Chairperson Feinstein. No, you haven't. For me, what you
said was rather significant. We will have to take that up at
another place and another time.
Mr. Lormel. Yes, definitely. I think what you need to do in
this regard--and I don't mean to get far from what your intent
here is. What we are doing from a financial investigative
standpoint is collateral to and in support of the terrorism
investigation. So we kind of overlap the terrorism side. So I
think it would be important then to sit with the folks who
conducted the actual terrorist side of the investigation with
our financial investigators. I think our terminologies conflict
a little bit, even though we are saying the same thing.
Chairperson Feinstein. All right. Let me ask just one other
quick question, and then I am through, and that is on the
subject of jurisdictional issues. Supposing somebody steals
your financial information in Las Vegas and then opens
fraudulent accounts in San Francisco, Chicago, and Boston. What
problems do multi-jurisdictional crimes pose? Who would take
the lead in this kind of case?
Mr. Collins. That is the kind of issue where, number one,
there have been some complaints in the past even about State
and locals refusing to take police reports. Now, the statistics
from the Federal Trade Commission show that in the year from
2000 to 2001 there was a 50-percent reduction in that
noncompliance rate, shall we say, of State and locals. Now,
that may be in part due to the fact that we have seen a growing
increase at the State level of enactment of laws on identity
theft so that we now have over 44 States that have laws. So now
there is a crime at the State level at which the local police
can take a report.
But that is where you need the sort of flexible
coordination that comes from the Identity Theft Subcommittee
and from the task forces that the Secret Service works with
because they have the primary enforcement jurisdiction for many
of these offenses. And it would just be an evaluation, you
know, of which of the particular--if it was going to be taken
federally--which U.S. Attorney's Office was best positioned to
bring that prosecution and take the lead and move forward with
it. If it was thought that that was something that could be
done more effectively at the local level, then whatever
assistance was necessary would be provided.
But that is why what we currently have now is a relatively
flexible, informal structure in the Identity Theft Subcommittee
in order to serve a coordinating and supportive role and not a
directing role that attempts to manage what is really a
significant amount of coordination from Washington.
Chairperson Feinstein. But who would make that decision?
Mr. Collins. I don't know that there would be a single
person or a committee. It is not that formalized. Obviously, if
a crime comes up in a particular area and, you know, there are
a number of different task forces or jurisdictions that would
be involved in a particular case, then the representatives of
those particular agencies would obviously have to communicate
with one another to make that decision.
So, again, it is hard to say that there is a particular
process. The process that we have set up with the Identity
Theft Subcommittee emphasizes informality and flexibility
because, again, most of these prosecutions are going to be at
the State and local level.
Chairperson Feinstein. Thank you.
I would just like to put a couple of statements in the
record. The ranking member of the full committee, Senator
Hatch, has a statement, and Senator Cantwell would like to
submit a statement to the record, also some questions. So the
record will remain open for one week.
Chairperson Feinstein. Senator Kyl?
Senator Kyl. I have just one last question. I sort of said
we want to continue to hear from everybody if you have
suggestions, but specifically to you, Mr. Beales, is there
anything at this time that the FTC would like to recommend,
since I think your office probably receives the most number of
direct communications regarding the level of identity theft
violations around the country and gives out the 1-800 numbers
and so on. Is there anything else that we should be focused on
right now that you can think of?
Mr. Beales. I don't think there are other things that we
have seen that have pointed to a specific need for legislation
or that we have seen as identifying a specific need for
legislation. We are monitoring on a pretty continuous basis the
kinds of complaints we are getting and trying to watch the
trends. And if we see changes that we think suggest that
legislative solutions would be useful, we would certainly bring
them to your attention.
Senator Kyl. Great. Okay. I appreciate that. Again, I thank
all of the witnesses.
Chairperson Feinstein. Yes, thank you all very, very much.
This was very helpful, and it was short so we both appreciate
that.
Thank you very much, and the hearing is adjourned.
[Whereupon, at 3:30 a.m., the subcommittee was adjourned.]
[Submissions for the record follow:]
Statement of Senator Orrin G. Hatch, Ranking Republican Member
Madame Chairwoman, I want to commend you once again for holding
another hearing on this critical topic. We are all aware that identity
theft is one of the fastest growing and most sinister crimes in
America. Rarely do criminals appropriate personally identifiable
information for the sole purpose of impersonating another; rather, such
information is often used to commit a wide range of other, often
serious, crimes. Recently, we learned that an Algerian national
allegedly stole the identities of health club members and sold to an
Algerian who was convicted in a failed 1999 plan to bomb the Los
Angeles International Airport.
This year to date this Subcommittee has focused its attention on
legislative proposals that would assist victims in clearing their good
names and reduce the prevalence of social security numbers and other
sensitive personal information. To stem the growth of identity theft,
however, we need to attack the problem on all fronts. Strengthening the
tools of our criminal justice system is an essential part of this
process.
Senators Feinstein and Kyl have both been champions of legislative
reforms in this area. In 1997, Senator Kyl authored a bill that
eventually became ``The Identity Theft and Assumption Deterrence Act''.
While this act represented an important step in our effort to curb
identity theft, we must continue to refine and supplement our criminal
enforcement tools in this area.
The ``Identity Theft Penalty Enhancement Act'', S. 2541, which
Senators Feinstein, Kyl, Sessions and Grassley introduced last year,
with the support of the Administration, does just that. Most
significantly, S. 2541 creates a class of ``aggravated'' identity theft
offenses that includes the most serious forms of identity theft; such
offenses would be subject to stiff mandatory penalties and simplified
proof requirements. The bill also increases the maximum penalties that
would apply to a variety of identity fraud offenses, I support such
provisions, and I look forward to hearing what our distinguished
witnesses have to say about the particular crimes that are listed in S.
2541 as predicate offenses, as well as the simplified proof
requirements that apply to such offenses.
I also invite our distinguished witnesses to share their views
regarding additional criminal measures we should consider to stem the
disturbing trend of identity theft. In particular, I am interested in
whether we should amend 18 U.S.C. Sec. 1028(b) to include mandatory
penalties that would apply to those who traffic fraudulent or stolen
identification documents in large numbers. I am also interested in
whether we should expand 18 U.S.C. Sec. 1028(a) to apply to those who
``procure, obtain or receive'' identification documents and to those
who ``seek, cause or direct'' the unlawful production of identification
documents.
I am committed to strengthening our criminal statutes and penalties
to ensure that the perpetrators of identity theft crimes are adequately
deterred and punished. I look forward to working with members of the
Judiciary Committee and the full Senate, on a bi-partisan basis, to
accomplish this worthy goal during this Congress.
Statement by Senator Strom Thurmond
Madame Chairman: Thank you for holding this hearing today regarding
S. 2541, the Identity Theft Penalty Enhancement Act. I am pleased that
we are addressing the growing problem of identity theft, and I commend
both you and Senator Kyl for your leadership in this area.
The crime of identity theft is a growing national problem.
According to a March, 2002, report by the General Accounting Office,
the prevalence of identity theft is increasing. The GAO identified
several disturbing trends over the past few years. For example, in
March of 2001, the Federal Trade Commission's Identity Theft
Clearinghouse received just over 2,000 complaints of identity fraud per
week. By December of that same year, the number of complaints and
skyrocketed to 3,000 per week. The Social Security Administration also
reported an increase in the number of identity theft-related calls to
its Fraud Hotline. The number of calls alleging the misuse of Social
Security numbers increased from 11,000 in Fiscal Year 1998 to 65,000 in
Fiscal Year 2001.
The two major credit card associations, MasterCard and Visa, have
reported increased losses due to fraud. According to the GAO, losses
increased from $700 million in 1996 to approximately $1.0 billion in
2000, representing in increase of about 45%.
However, the big losers are the individual victims themselves, who
often face a difficult and arduous process of cleaning up their credit
records. According to a 2000 survey conducted by the California Public
Interest Research Group and the Privacy Rights Clearinghouse, vicitims
of identity theft spent an average of 175 hours attempting to clear
their credit and prove their good names.
I am pleased that the Bush Administration has made a commitment to
stemming the tide of identity theft crimes. The Attorney General has
announced an increased emphasis on the prosecution of these crimes and
has actively pursued a coordinated approach between Federal and state
law enforcement agencies. With this renewed commitment to prosecuting
identity thieves, it is important that the Congress provide the
Department of Justice with improved criminal statutes that will allow
for the appropriate prosecution and punishment of lawbreakers.
The Identity Theft Penalty Enhancement Act of 2002 is a significant
step in the right direction. This bill would create the crime of
aggravated identity theft and would provide for enhanced penalties.
Aggravated identity theft would be defined as the unlawful and knowing
transfer, possession, or use of a means of identification of another
person while in the course of specific felony violations. These
felonies would include, among others, theft from employee benefit
plans, bank fraud, and fraud relating to passports and visas.
Due to the nature of the most damaging identity theft crimes, the
creation of a new offense of aggravated identity theft would be
sensible. Because a person's identity is often stolen in connection
with another crime, prosecutors would only be required to prove that a
thief knowingly stole an identity during the commission of the
underlying, or predicate, crime. Therefore, criminal intent would only
have to be proved for the predicate crime, which would streamline the
jobs of prosecutors in bringing these criminals to justice.
In addition to the creation of the new offense of aggravated
identity theft, the bill would also increase the maximum term for
ordinary identity theft and for identity theft committed in the course
of an act of domestic terrorism. Furthermore, the bill would also make
an important change in the statute by making it unlawful to merely
posses a means of identification, such as a Social Security number,
with the intent to commit a crime. Current law only makes the transfer
or sale of a means of identification unlawful, but not the possession.
I am encouraged by the goals of the Identity Theft Penalty
Enhancement Act. I agree that we would punish those who commit identity
theft with enhanced sentences. However, I have concerns about the
particular sentencing requirements of this bill. As written, S. 2541
would require an additional two-year term of imprisonment for the
commission of identity theft in the course of other specified felonies.
This kind of approach, if adopted on a widespread basis, could begin to
erode the structure and purpose of the Federal Sentencing Guidelines.
Instead of allowing a judge to enhance a sentence based on the
particular circumstances of the case, the bill would impose a rigid
two-year requirement for all categories of cases. In many
circumstances, the additional penalty of two years may be too low. I
hope that this Committee will carefully consider the implications of
the sentencing provisions of this bill. The Sentencing Guidelines have
been very successful, and the approach incorporated into this bill has
the potential to interfere with the proper operation of the guidelines.
This problem could be addressed by imposing a maximum penalty for
the offense of aggravated identity theft. Then, the Sentencing
Commission would incorporate the new crime into the guidelines as is
done with most other Federal offenses. In order to make sure that the
identity theft results in an enhanced sentence over the predicate
crime, the bill could also direct the Sentencing Commission to
structure the guidelines in this manner.
Madame Chairman, thank you again for holding this hearing on the
critical issue of identity theft. Congress must provide new tools to
law enhancement if we are to stop this growing problem. The Identity
Theft Penalty Enhancement Act is an important step in the right
direction. I look forward to working with you on this bill, and I
welcome our witnesses here today.
�