[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





                       FIGHTING FRAUD: IMPROVING

                          INFORMATION SECURITY

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
               FINANCIAL INSTITUTIONS AND CONSUMER CREDIT

                                AND THE

                            SUBCOMMITTEE ON
                      OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 3, 2003

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 108-19



89-407              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts
DOUG BEREUTER, Nebraska              PAUL E. KANJORSKI, Pennsylvania
RICHARD H. BAKER, Louisiana          MAXINE WATERS, California
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware          LUIS V. GUTIERREZ, Illinois
PETER T. KING, New York              NYDIA M. VELAZQUEZ, New York
EDWARD R. ROYCE, California          MELVIN L. WATT, North Carolina
FRANK D. LUCAS, Oklahoma             GARY L. ACKERMAN, New York
ROBERT W. NEY, Ohio                  DARLENE HOOLEY, Oregon
SUE W. KELLY, New York, Vice         JULIA CARSON, Indiana
    Chairman                         BRAD SHERMAN, California
RON PAUL, Texas                      GREGORY W. MEEKS, New York
PAUL E. GILLMOR, Ohio                BARBARA LEE, California
JIM RYUN, Kansas                     JAY INSLEE, Washington
STEVEN C. LaTOURETTE, Ohio           DENNIS MOORE, Kansas
DONALD A. MANZULLO, Illinois         CHARLES A. GONZALEZ, Texas
WALTER B. JONES, Jr., North          MICHAEL E. CAPUANO, Massachusetts
    Carolina                         HAROLD E. FORD, Jr., Tennessee
DOUG OSE, California                 RUBEN HINOJOSA, Texas
JUDY BIGGERT, Illinois               KEN LUCAS, Kentucky
MARK GREEN, Wisconsin                JOSEPH CROWLEY, New York
PATRICK J. TOOMEY, Pennsylvania      WM. LACY CLAY, Missouri
CHRISTOPHER SHAYS, Connecticut       STEVE ISRAEL, New York
JOHN B. SHADEGG, Arizona             MIKE ROSS, Arkansas
VITO FOSELLA, New York               CAROLYN McCARTHY, New York
GARY G. MILLER, California           JOE BACA, California
MELISSA A. HART, Pennsylvania        JIM MATHESON, Utah
SHELLEY MOORE CAPITO, West Virginia  STEPHEN F. LYNCH, Massachusetts
PATRICK J. TIBERI, Ohio              BRAD MILLER, North Carolina
MARK R. KENNEDY, Minnesota           RAHM EMANUEL, Illinois
TOM FEENEY, Florida                  DAVID SCOTT, Georgia
JEB HENSARLING, Texas                ARTUR DAVIS, Alabama
SCOTT GARRETT, New Jersey             
TIM MURPHY, Pennsylvania             BERNARD SANDERS, Vermont
GINNY BROWN-WAITE, Florida
J. GRESHAM BARRETT, South Carolina
KATHERINE HARRIS, Florida
RICK RENZI, Arizona

                 Robert U. Foster, III, Staff Director
       Subcommittee on Financial Institutions and Consumer Credit

                   SPENCER BACHUS, Alabama, Chairman

STEVEN C. LaTOURETTE, Ohio,          BERNARD SANDERS, Vermont
Vice Chairman                        CAROLYN B. MALONEY, New York
DOUG BEREUTER, Nebraska              MELVIN L. WATT, North Carolina
RICHARD H. BAKER, Louisiana          GARY L. ACKERMAN, New York
MICHAEL N. CASTLE, Delaware          BRAD SHERMAN, California
EDWARD R. ROYCE, California          GREGORY W. MEEKS, New York
FRANK D. LUCAS, Oklahoma             LUIS V. GUTIERREZ, Illinois
SUE W. KELLY, New York               DENNIS MOORE, Kansas
PAUL E. GILLMOR, Ohio                CHARLES A. GONZALEZ, Texas
JIM RYUN, Kansas                     PAUL E. KANJORSKI, Pennsylvania
WALTER B. JONES, Jr., North          MAXINE WATERS, California
    Carolina                         NYDIA M. VELAZQUEZ, New York
JUDY BIGGERT, Illinois               DARLENE HOOLEY, Oregon
PATRICK J. TOOMEY, Pennsylvania      JULIA CARSON, Indiana
VITO FOSSELLA, New York              HAROLD E. FORD, Jr., Tennessee
MELISSA A. HART, Pennsylvania        RUBEN HINOJOSA, Texas
SHELLEY MOORE CAPITO, West Virginia  KEN LUCAS, Kentucky
PATRICK J. TIBERI, Ohio              JOSEPH CROWLEY, New York
MARK R. KENNEDY, Minnesota           STEVE ISRAEL, New York
TOM FEENEY, Florida                  MIKE ROSS, Arkansas
JEB HENSARLING, Texas                CAROLYN McCARTHY, New York
SCOTT GARRETT, New Jersey            ARTUR DAVIS, Alabama
TIM MURPHY, Pennsylvania
GINNY BROWN-WAITE, Florida
J. GRESHAM BARRETT, South Carolina
RICK RENZI, Arizona

              Subcommittee on Oversight and Investigations

                     SUE W. KELLY, New York, Chair

RON PAUL, Texas, Vice Chairman       LUIS V. GUTIERREZ, Illinois
STEVEN C. LaTOURETTE, Ohio           JAY INSLEE, Washington
MARK GREEN, Wisconsin                DENNIS MOORE, Kansas
JOHN B. SHADEGG, Arizona             JOSEPH CROWLEY, New York
VITO FOSSELLA, New York              CAROLYN B. MALONEY, New York
JEB HENSARLING, Texas                CHARLES A. GONZALEZ, Texas
SCOTT GARRETT, New Jersey            RUBEN HINOJOSA, Texas
TIM MURPHY, Pennsylvania             JIM MATHESON, Utah
GINNY BROWN-WAITE, Florida           STEPHEN F. LYNCH, Massachusetts
J. GRESHAM BARRETT, South Carolina


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    April 3, 2003................................................     1

Appendix:
    April 3, 2003................................................    53

                               WITNESSES
                        Thursday, April 3, 2003

Beales, J. Howard III, Director, Bureau of Consumer Protection, 
  Federal Trade Commission.......................................    11
Brady, John J., Vice President, Merchant Fraud Control, 
  MasterCard International.......................................    33
Caddigan, Tim, Special Agent in Charge, Financial Crimes 
  Division, United States Secret Service, accompanied by Robert 
  Weaver, Deputy Special Agent in Charge, New York Field Office..     8
Farnan, James E., Deputy Assistant Director, Cyber Division, FBI.    10
Hendricks, Evan, Editor and Publisher, ``Privacy Times''.........    34
McIntyre, David J. Jr., President and CEO, TriWest Healthcare 
  Alliance.......................................................    25
Mitnick, Kevin D., President and Co-founder, Defensive Thinking..    27
Pratt, Stuart, President, Consumer Data Industry Association.....    31

                                APPENDIX

Prepared statements:
    Bachus, Hon. Spencer.........................................    54
    Kelly, Hon. Sue W............................................    56
    Oxley, Hon. Michael G........................................    58
    Gillmor, Hon. Paul E.........................................    60
    Hinojosa, Hon. Ruben.........................................    61
    Paul, Hon. Ron...............................................    63
    Shadegg, Hon. John B.........................................    65
    Beales, Howard...............................................    67
    Brady, John J................................................    86
    Caddigan, Timothy............................................    92
    Farnan, James E..............................................    98
    Hendricks, Evan..............................................   105
    McIntyre, David J. Jr........................................   114
    Mitnick, Kevin...............................................   124
    Pratt, Stuart K. (with attachments)..........................   130
    Weaver, Bob..................................................   141

              Additional Material Submitted for the Record

Assistant Secretary of Defense, William Winkenwerder, Jr., 
  prepared statement.............................................   145
Farnan, James E.:
    Written response to questions from Hon. Sue W. Kelly.........   150
Hendricks, Evan:
    Written response to questions from Hon. Sue W. Kelly.........   151
McIntyre, David J. Jr.:
    Written response to questions from Hon. Sue W. Kelly.........   153
Mitnick, Kevin:
    Written response to questions from Hon. Sue W. Kelly.........   156

 
                       FIGHTING FRAUD: IMPROVING
                          INFORMATION SECURITY

                              ----------                              


                        Thursday, April 3, 2003

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                     Joint with the Subcommittee on
                      Oversight and Investigations,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:07 a.m., in 
Room 2128, Rayburn House Office Building, Hon. Sue W. Kelly 
[chairwoman of the Subcommittee on Oversight and 
Investigations] presiding.
    Present: Representatives Bachus, Kelly, Shadegg, Fossella, 
Capito, Tiberi, Feeney, Hensarling, Murphy, Barrett, Renzi, 
Maloney, Gutierrez, Hooley, Carson, Sherman, Inslee, Moore, 
Ford, Lucas of Kentucky, McCarthy, and Matheson.
    Chairwoman Kelly.  The Committee on Oversight is pleased to 
be able to have this hearing today.
    Personal information has to be safeguarded throughout our 
national credit system. Just as consumers shred their unwanted 
mail and take care with their receipts, financial institutions 
have to develop and upgrade their information security 
procedures to protect consumers. Financial records such as 
credit card numbers are combined with other pieces of personal 
information, and they are the first targets of identity 
thieves. Years of work are often necessary for both consumer 
and business victims to correct damaged credit histories and 
restore access to credit.
    Today two subcommittees will hear from the witnesses on 
three specific case studies to review current industry 
practices and to ensure that proper security procedures and 
protocols are in place or are being implemented.
    Teledata Communications is a company in my home State of 
New York that enables businesses to access credit bureau 
information so they can grant credit to consumers. An employee 
inside the company allegedly stole and sold passwords and codes 
for accessing credit reports for thousands of people. According 
to law enforcement, his actions resulted in millions of dollars 
of financial theft.
    TriWest Healthcare, an important health care provider for 
our active duty military personnel, honored veterans and their 
dependents, suffered the physical theft of its computer 
hardware. The equipment stored personal information about many 
of our heroes now involved in the war to liberate Iraq, 
including the Chairman of the Joint Chiefs of Staff, General 
Richard Myers. Fortunately, quick action by the company and the 
credit bureaus appears thus far to have prevented misuse of the 
information.
    Another company, Data Processing International, in Nebraska 
saw its database of millions of credit card numbers hacked from 
the outside. It again appears that rapid action this time by 
the company and the credit card companies have prevented 
improper use of the numbers to date.
    Through the examination of these cases the subcommittee 
will review how credit issuers, third party vendors that 
process transaction, credit bureaus and law enforcement 
agencies coordinate efforts to limit harm to consumers when 
data security is breached. Among our witnesses are officials of 
the law enforcement and regulatory agencies involved with these 
and other such cases, representatives of the companies 
involved, one of the most notorious computer hackers in the 
world, who is now a consultant, I am happy to report, and an 
expert in privacy.
    I want to thank my distinguished colleague, Representative 
Spencer Bachus, the chairman of the Subcommittee on Financial 
Institutions and Consumer Credit, for joining us in holding 
this important hearing of our subcommittees. I also want to 
congratulate him for his leadership in the bipartisan passage 
of H.R. 522, the Federal Deposit Insurance Reform Act of 2003, 
by the full House yesterday.
    With that, I turn to Mr. Gutierrez.
    [The prepared statement of Hon. Sue W. Kelly can be found 
on page 56 in the appendix.]
    Mr. Gutierrez. Good morning, Chairs Kelly and Bachus, and 
members of the committee. Today more than ever identity theft 
takes myriad forms. Modern thieves are using massive digitized 
databases to access and steal consumers' personal information. 
As too many people are learning the hard way, identity thieves 
steal Social Security, bank account, and credit card numbers 
and use them to commit fraud, very often destroying the credit 
rating and financial future of their victims. Every year 
thousands of these victims are left financially ruined, often 
with severe credit problems and even false criminal records 
that they must spend years working to erase. Even in minor 
cases victims spend endless hours.
    So we are gathered here today to discuss ways to help 
consumers by increasing the security of data that contains our 
personal information and to understand some of the possible 
loopholes that have enabled these cases to occur in the first 
place, to hear about data security efforts undertaken by the 
companies that hold our private information, and look for ways 
to help consumers have quick and better access to their 
personal records when identity theft incidents occur. One of 
the most fundamental problems is consumers are often left out 
of the loop after their information has been stolen and this is 
unacceptable.
    In one of the cases that will be discussed today a former 
employee of Teledata is being charged with the biggest identity 
theft fraud in U.S. history. One of the most outrageous aspects 
of this specific case is that in March of 2000 the alleged 
perpetrator quit his job, but that didn't even slow down his 
scheme. He only worked there for 10 months but the scam 
continued for 3 years. The company security codes he allegedly 
stolen still worked and were accessible right up to the moment 
of his arrest. In the meantime 30,000 people had their 
identities stolen and financial losses reached more than $2.7 
million.
    How could personal data be so easily accessible? What kinds 
of safeguards do companies have in place to deter these 
practices? I hope that this hearing will serve as an 
opportunity to answer these questions and others. I thank you 
for holding the hearing, and I look forward to the testimony, 
and I ask unanimous consent that my complete opening statement 
be submitted for the records.
    Chairwoman Kelly.  Thank you very much, Mr. Gutierrez. Mr. 
Bachus.
    Mr. Bachus. Thank you, Chairman Kelly, for telling me my 
mike wasn't on, that is very important, and also for convening 
this joint hearing of our two subcommittees to review issues 
relating to the security of personal information. This is an 
issue of critical importance to the financial service industry 
and I believe this hearing is a timely one, and it is actually 
one of a series of hearings that Chairwoman Kelly has been 
holding over the past year or two on this issue.
    This hearing, which is titled ``Fighting Fraud: Improving 
Information Security,'' is one of many hearings that will be 
held by the Subcommittee on Financial Institutions and Consumer 
Credit regarding the security of personal information. I expect 
that at some point our efforts will culminate in comprehensive 
legislation addressing the broad issue of how secure consumers 
feel with respect to their personal information.
    Today's hearing will focus on three cases where sensitive 
personal information was compromised through hacking or 
physical theft of computer databases. Each case that we will 
hear about today is illustrative of a different type of 
security breach: An outside computer hacker, employee 
misconduct, and a garden variety burglary. Using these cases, 
we will review how credit issuers, third party vendors that 
process transactions, credit bureaus, and law enforcement 
coordinate efforts to limit harm to consumers when data 
security is breached.
    Fighting fraud and protecting the security of personal 
information is a topic that unites financial institutions and 
consumers. Each group is harmed by the fraudulent use of 
personal information. Financial institutions are the victims of 
fraud because the financial institution is usually liable for 
any losses suffered as a result of that fraud. Consumers 
obviously suffer unnecessary inconvenience and insecurity as a 
result of fraud and they can be exposed to additional crimes 
such as identify theft. Furthermore, at least a portion of 
financial institutions' fraud losses can be expected to be 
passed on to consumers in the form of higher prices. There can 
be no doubt that when fraud is committed everyone loses.
    For obvious reasons financial institutions take precautions 
to prevent fraud, including precautions to protect the security 
of personal information. In addition to the self-interest 
financial institutions have in minimizing their fraud losses, 
Congress has required financial institutions to maintain 
appropriate standards relating to information security, 
including standards to protect against unauthorized access to a 
financial institution's customer records as part of the Gramm-
Leach-Bliley Act. The requirements as adopted by the Federal 
banking agencies also require financial institutions to oversee 
their relationship with third party service providers, 
including having the service providers agree by contract to 
implement a comparable information security program. It is my 
understanding that the Federal banking agencies have been 
examining financial institutions with respect to their 
compliance with these requirements.
    However, I remain interested in learning more about the 
role service providers play with respect to information 
practices and the ability to maintain appropriate information 
security programs. It is my understanding that the Bank Service 
Company Act gives the bank regulators broad authority to 
examine third party providers. Two of the cases today 
illustrate that greater oversight of these entities may be 
necessary.
    As part of Gramm-Leach-Bliley, Congress also enacted stiff 
prohibitions against a practice known as pretext calling, which 
is a fraudulent means of obtaining an individual's personal 
information. Pretext callers contact a financial institution's 
employees and attempt to obtain customer information usually 
while posing as a customer whose information they are trying to 
collect. This is a serious issue and one that both 
Subcommittees--actually the Oversight Committee has held 
several hearings previously. I am interested in learning more 
about efforts to enforce this prohibition and the Federal Trade 
Commission's advice on the amount of resources devoted to 
fighting this fraudulent practice.
    We will also hear this morning from Federal law enforcement 
agencies about their approach to countering those who would 
compromise the security of personal information. It has always 
been my experience that law enforcement and the financial 
services industry works well together with respect to pursuing 
those who attempt to commit crimes against consumers and 
financial institutions. I look forward to hearing about law 
enforcement's perspective on this important topic, especially 
with respect to representatives from the FBI, Secret Service 
and FTC.
    In short, financial institutions, Congress, the banking 
agencies, and law enforcement have been working to address 
information security and fraud prevention issues. Regardless of 
the great pains taken by all these parties to protect the 
security of personal information, the chance remains that a 
breach may occur. Therefore, Congress must remain vigilant to 
ensure that existing regulations are implemented appropriately 
and examine whether new safeguards are necessary. Furthermore, 
it is just as important for financial institutions to have 
mitigation plans in place in the event that their information 
security program is hacked or otherwise compromised.
    In conclusion, let me say I am pleased that we will hear 
from several witnesses today who will describe how various 
parties took action to address recent breaches and prevent 
subsequent fraud. Before we proceed I believe it is important 
to mention to the entire panel that although this hearing is a 
public forum, we should avoid discussing specific details which 
may give criminals ideas or even a road map for doing further 
harm.
    Let me close by thanking Chairman Oxley for recognizing the 
importance of improving the security of personal information 
and scheduling this hearing. We must continue to work to 
improve security and protect sensitive data to ensure the 
consumers continue to have confidence in our nationwide credit 
system as well as our financial services system in general. I 
look forward to working with the chairman, Mrs. Kelly, and 
other colleagues as we continue to examine this complicated 
issue.
    [The prepared statement of Hon. Spencer Bachus can be found 
on page 54 in the appendix.]
    Chairwoman Kelly.  Thank you. Mrs. McCarthy, do you have an 
opening statement?
    Mrs. McCarthy. Thank you. I will wait for the testimony.
    Chairwoman Kelly.  Mr. Moore.
    Mr. Moore. Thank you, Madam chair and Congressman Bachus. I 
appreciate both of you convening this hearing. I appreciate the 
witnesses being present. I want to reiterate, I won't say it 
all, what Congressman Bachus and Congresswoman Kelly said 
before, and that is this is a very important area. As a 
district attorney for 12 years I worked closely with people in 
fraud cases and a lot of the things--this was back in the 1970s 
and 1980s, so a lot of the things we are talking about here 
today weren't relevant then, weren't even around then. As the 
Internet has expanded and accessibility of the Internet is used 
not only by individuals but by financial institutions and other 
organizations and private and important individual data is 
contained in databases, I think it is very, very important that 
we protect that information. I think individuals who have 
private important information stored in those databases have a 
right to expect that companies and institutions will take 
adequate measures to protect that information. Obviously, theft 
of that information, identity theft and theft of financial 
information about an individual can cause great harm to a 
person and to their family, and it ends up costing all the 
consumers I think a lot of extra money.
    So I am interested to hear what the witnesses have to say 
and very much appreciate you being here.
    Thank you.
    Chairwoman Kelly. Thank you very much.
    Mr. Shadegg.
    Mr. Shadegg. Thank you, Chairwoman Kelly. I want to begin 
by thanking you and Chairman Bachus for holding this important 
hearing on information security. I also want to begin by 
thanking one of my constituents, David McIntyre, president and 
CEO of TriWest Healthcare Alliance, for agreeing to be here and 
testify today.
    My personal interest in identity theft and information 
security began about 5 years ago when two of my constituents, 
Bob and Joanne Hartle of Phoenix, Arizona were victims of 
identity theft. My constituents, following their victimization, 
were instrumental in securing the passage of the first State 
law in the Nation criminalizing identity theft. Mr. and Mrs. 
Hartle suffered the devastation of identity theft when a 
convicted felon took Mr. Hartle's identity and made purchases 
totaling over $100,000. In addition, this individual purchased 
handguns using Mr. Hartle's clean record to get around the 
Brady law. Finally and shockingly in this day of terrorism, 
this individual also used Mr. Hartle's clean record and 
military record to obtain security clearance to secure areas of 
Phoenix Sky Harbor International Airport. As a result of this 
victimization at a time when there were no State laws and no 
Federal laws penalizing identity theft, Mr. and Mrs. Hartle 
were forced to spend more than 4 years of their life and more 
than $15,000 of their own money seeking to restore their 
credit.
    Their case led me to introduce legislation to criminalize 
identity theft at the Federal level. The Identity Theft and 
Assumption Deterrence Act of 1998 was signed into law by 
President Clinton on October 30th, 1998. It gives for the first 
time Federal law enforcement agencies, including those who are 
represented before us here today, the authority to investigate 
and prosecute identity theft.
    But following the passage of that law, I found there was 
more that needed to be done. We began to notice that the 
Federal agencies with this new authority were unfamiliar with 
it and did not have a habit of coordinating with local law 
enforcement on these issues. So we began a series of meetings 
that lasted over a year in Phoenix, Arizona between Federal law 
enforcement agencies, including the FBI and others here today 
and State and local law enforcement agencies, to try to resolve 
the tough issues of who should act and what they should do in 
the interplay between Federal and State laws and in the 
interplay of these crimes where someone is victimized in one 
place but lives many States away, thousands of miles away.
    Mr. and Mrs. Hartle also turned their unfortunate 
circumstance into something very positive. They established a 
nonprofit organization to assist other victims of identity 
theft. Their Web site, www.idfraud.net, is available to provide 
guidance to any identity theft victims across the Nation, and 
they have devoted themselves to this task.
    Identity theft ranges from individual instances like the 
Hartles involving small or large amounts to large organized 
professional crime rings. In fact TriWest Healthcare Alliance 
may well have been the victim of a professional identity theft 
operation. Like the Hartles, Mr. McIntyre, my constituent, and 
his company took an unfortunate circumstance, a burglary of 
their computer in which data was stolen, and turned into a 
positive model for other companies to follow.
    Following the break-in of their Phoenix office and the 
theft of computer hard drives containing their clients' 
sensitive personally identifiable information, Mr. McIntyre and 
TriWest Healthcare Alliance embarked upon an aggressive effort 
to notify all 562,000 affected customers of the theft. The 
stolen data included personally identifiable information such 
as Social Security numbers, birth dates and addresses for 
military personnel, one quarter of whom were on active duty at 
the time, retirees and family members, all whom are served by 
TriWest under a contract with the Department of Defense.
    TriWest immediately reported the theft to the police, 
notified the Department of Defense officials and launched a 30-
hour data run to determine what files were stolen. In addition, 
the company established a dedicated e-mail address and set up 
toll free telephone lines with a three-tier response network so 
that customers would not experience long delays in trying to 
find out information about the theft and about how it might 
affect them. TriWest mailed letters notifying victims of theft 
and provided guidance on steps they could take to protect their 
credit. TriWest also posted a $100,000 reward for leading to 
the conviction of those responsible for the theft.
    In all, TriWest undertook great efforts to notify victims 
of the theft at great financial expense to the company. But due 
to their extraordinary efforts to date no information from the 
stolen computer files has yet led to a single instance of 
identity theft.
    The nature of identity theft has changed and the threat is 
more likely than ever to come from breaches of data security, 
which is why I think this hearing is most appropriate. 
According to an identity fraud manager at the Federal Trade 
Commission, there is a shift by identity thieves from going 
after single individuals to going after mass information. Law 
enforcement experts now estimate that half of all cases come 
from thefts of business data banks as more and more information 
is stored in databases which are vulnerable to attack from 
hackers.
    The Identity Theft and Assumption Deterrence Act of 1998 
was an important first step in the road to crack down on 
identity theft crimes. However, more legislation is needed to 
protect people from these thieves and from easily obtaining 
Social Security and credit card numbers, to provide better 
coordination between victims and credit reporting bureaus, to 
establish procedures for businesses to follow in the event of a 
data security breach like we will discuss today, and provide 
stiffer penalties for those who steal and use other persons' 
ID.
    I look forward to the testimony of the witnesses and help 
to identify areas in which a legislative response may be 
needed. I yield back.
    [The prepared statement of Hon. John B. Shadegg can be 
found on page 65 in the appendix.]
    Chairwoman Kelly. Ms. Hooley.
    Ms. Hooley. Thank you, Madam Chairwoman and Mr. Chairman. I 
appreciate the Chairs and ranking members of both subcommittees 
in putting together today's hearing and look forward to hearing 
more about our Nation's data protection. This is an important 
hearing and hopefully it will be the first of many hearings on 
the issue of identity theft. It is the fastest growing crime in 
the United States. I know through these and other hearings we 
will not only learn about the challenges in fighting identity 
theft, but also hear unique and effective suggestions on how we 
in Congress can better protect our consumers and financial 
institutions from this crime.
    I know I can speak for everyone on the Financial Services 
Subcommittee when I say we are hear to listen with open minds 
and to put whatever work is necessary into solving this 
problem. This truly is a bipartisan issue, and in that regard I 
would like to thank Mr. LaTourette from Ohio for working so 
closely with me on legislation on identity theft that is nearly 
ready for induction. I would also like to thank Mr. Frank and 
all the members of the Democratic Task Force on Identity Theft 
for pledging to work together on this issue.
    In order to protect both consumers and industry, we all 
certainly have our work cut out for us. But if the cooperation 
and dedication of people like Mr. LaTourette and Mr. Frank and 
the members of both subcommittees are any indication, we on the 
Financial Services Committee are up to the challenge.
    Thank you again, and I look forward to today's proceedings 
and look forward to hearing from the panelists. Thank you.
    Chairwoman Kelly. Mr. Hensarling. Mrs. Maloney just left. 
Mr. Matheson. Mr. Barrett. Mr. Ford left. Mr. Lucas. Mr. 
Tiberi. Mr. Feeney.
    I will introduce our first panel: Mr. Tim Caddigan, the 
Special Agent in Charge of the Financial Crimes Division of the 
United States Secret Service, accompanied by Robert Weaver, 
Deputy Special Agent in Charge of the New York Field Office; 
James Farnan, Deputy Assistant Director of the Cyber Division 
in the FBI; and Mr. J. Howard Beales, III, Director of the 
Bureau of Consumer Protection in the Federal Trade Commission.
    We look forward to having you here today, and we look 
forward to your testimony. We will begin with you, Mr. 
Caddigan.

 STATEMENT OF TIM CADDIGAN, SPECIAL AGENT IN CHARGE, FINANCIAL 
 CRIMES DIVISION, UNITED STATES SECRET SERVICE, ACCOMPANIED BY 
 ROBERT WEAVER, DEPUTY SPECIAL AGENT IN CHARGE, NEW YORK FIELD 
                             OFFICE

    Mr. Caddigan. Thank you. Chairman Bachus, Chairwoman Kelly, 
Congressman Sanders, Congressman Gutierrez and members of both 
subcommittees, thank you for inviting me to be part of this 
distinguished panel and the opportunity to address the 
committee regarding the Secret Service efforts to protect our 
Nation's financial and critical infrastructures. Let me also 
take the opportunity to thank Chairman Oxley, Congressman Frank 
and all the members of the full committee for their long-
standing support of the Secret Service and the interest this 
committee has conveyed in our mission, our programs and our 
employees.
    With me today is Mr. Bob Weaver, Deputy Special Agent in 
Charge of the Secret Service's New York Field Office and head 
of the New York Electronic Crimes Task Force. I am also pleased 
to be here with my colleagues and partners in fighting identity 
crimes and related computer crimes from the Federal Trade 
Commission and the FBI.
    In my full statement for the record I provided an overview 
of the Secret Service's investigative mission and our historic 
responsibility for safeguarding our currency and financial 
infrastructure. The Secret Service has statutory jurisdiction 
to investigate a wide range of technology based crime, 
including credit and debit card fraud, identity theft, false 
identification fraud, counterfeit currency and checks, 
financial institution fraud and telecommunications fraud. These 
investigations are pursued through our 134 domestic offices 
with additional support from our 20 foreign offices.
    There is no shortage of information, testimony or anecdotal 
evidence, regarding the nature and variety of cyber based 
threats to our banking and financial sectors and the need to 
create effective solutions. There is, however, a scarcity of 
information regarding successful models to combat such crime in 
today's high tech environment. One such successful model is the 
New York Electronic Crime Task Force and the valuable formula 
this task force has developed and applied to the prevention and 
detection of computer based crimes.
    Our New York task force has brought together 50 different 
Federal, State and local law enforcement agencies as well as 
prosecutors, academic leaders and over 100 different private 
sector corporations. The task force investigates substantial 
electronic criminal activity involving e-commerce frauds, 
identity crimes, telecommunications fraud, and a variety of 
computer intrusion crimes which affect a number of 
infrastructures.
    Since 1995, the New York task force has charged over 1,000 
individuals with electronic crimes and the loss to Social 
Security exceeding $1 billion. It has trained over 60,000 law 
enforcement personnel, prosecutors and private industry 
representatives in the criminal abuses of technology and how to 
prevent them. The task force has identified tools and 
methodologies that can be employed by our partners to eliminate 
potential threats to their information systems.
    We consider the New York task force to be the 21st century 
law enforcement model that modernizes criminal justice and 
incorporates partnership and information sharing within its 
core competencies. Accordingly, Congress authorized the Secret 
Service in the U.S.A. PATRIOT Act of 2001 to expand our task 
force initiative to cities and regions across the country. We 
have since established electronic crimes task forces in Los 
Angeles, San Francisco, Chicago, Boston, Charlotte, Miami, Las 
Vegas and Washington, D.C..
    Our task force model stresses prevention through 
partnership. We focus on the mitigation of damage and the quick 
repair of any damage or destruction to get the system 
operational as soon as possible after an intrusion occurs.
    Let me mention one critical point about our partnerships 
with other law enforcement agencies, academia and private 
sector. Partnerships cannot be legislated, regulated nor 
stipulated. Partnerships are voluntarily built between people 
and organizations that raise the value in joint collaboration 
towards a common end. They are fragile entities which need to 
be established and maintained by all participants and built on 
a foundation of trust. I cannot overstate the significance of 
these trusted partnerships to the success of our task force 
model.
    Let me share with you some insights regarding a recent 
ongoing case which our Omaha office is investigating in 
conjunction with our Chicago, New York, and San Francisco task 
forces. The case which came to our attention early February 
through our contacts in the credit card industry involves an 
unlawful intrusion into the computer system of a third party 
credit card processor, the companies responsible for processing 
credit card transactions of companies such as Visa, Master 
Card, American Express and Discovery. We believe that multiple 
machines combined to attack this processor's computer system 
and unlawfully seized millions of credit card numbers along 
with expiration dates from the company's filings. Our 
investigation with the FBI determined that these multiple 
servers were located both within and outside the United States. 
The Secret Service is completing electronic forensic 
examinations and is working with foreign authorities in 
gathering further evidence concerning this attack.
    I want to conclude my statement by again thanking the 
members of both subcommittees and the full committee for their 
strong support of the Secret Service and our investigative 
mission.
    [The prepared statement of Tim Caddigan can be found on 
page 92 in the appendix.]
    Chairwoman Kelly. Thank you very much, Mr. Caddigan. Mr. 
Farnan.

  STATEMENT OF JAMES FARNAN, DEPUTY ASSISTANT DIRECTOR, CYBER 
                         DIVISION, FBI

    Mr. Farnan. Good morning. I would like to thank the Chairs 
of both subcommittees as well as the other members for their 
opportunity to testify today. Holding this hearing demonstrates 
your commitment to improving the security of our Nation's 
information systems and this committee's leadership on this 
issue.
    My testimony today will address the activities of the FBI's 
Cyber Division as they relate to a broad spectrum of cyber 
criminal acts.
    Last week a headline in the Atlanta Journal Constitution 
announced Hackers Strike Georgia Tech Computer, Gain Credit 
Card Data. The article goes on to discuss the information on 
57,000 people that was available to the hackers, including 
about 38,000 credit card numbers. The university had moved the 
database from one system to another but it failed to put up a 
fire wall to protect the data.
    Incidents like this happen every week, even to 
organizations at technology's leading edge like Georgia Tech. 
American consumers and businesses are increasingly relying on 
the Internet. E-commerce is growing in all sectors of the U.S. 
economy. Although most e-commerce transactions are business to 
business, e-commerce retail sales in the United States reached 
$46 billion last year, up from $36 billion in 2001.
    When Internet users, be they businesses or consumers, are 
impacted by Internet crime, the viability of e-commerce is 
compromised. When a cyber crime is committed, the FBI is in a 
unique position to respond because it is the only Federal 
agency that has the statutory authority, expertise and ability 
to combine the counterterrorism, counterintelligence and 
criminal resources needed to effectively neutralize, mitigate 
and destruct illegal computer supported operations.
    The FBI's reorganization of the last 2 years included the 
goal of making our cyber investigative resources more 
effective. In 2002 the reorganization resulted in the creation 
of the Cyber Division where we have taken a two-tracked 
approach to the problem. One avenue is identified as 
traditional criminal activity that has migrated to the 
Internet, such as Internet fraud, online identity theft, 
Internet child pornography, theft of trade secrets and other 
similar crimes.
    The other nontraditional approach consists of Internet 
facilitated activity that did not exist prior to the 
establishment of computers, networks and the World Wide Web. 
This encompasses cyber terrorism, terrorist threats, foreign 
intelligence operations, and criminal activity precipitated by 
illegal computer intrusions into U.S. computer networks, 
including the disruption of computer supported operations and 
the theft of sensitive data by way of the Internet.
    The FBI assesses the cyber threat to be rapidly expanding 
as the number of actors with the ability to utilize computers 
for illegal harmful and positively devastating purposes is on 
the rise. A typical case will come to the FBI through the 
Internet Fraud Complaint Center, which later this year will be 
renamed as the Internet Crime Complaint Center to more 
accurately reflect its mission. In its fourth year of operation 
the Center has proven to be a very successful clearinghouse, 
receiving over 75,000 complaints last year on crimes ranging 
from identity theft and computer intrusions to child 
pornography.
    If the Center, for example, received an intrusion report 
from a company in, say, Birmingham, Alabama, we would first 
attempt to locate where the intrusion took place. That same 
company may have its servers in Minneapolis while the intruder 
is routing through California and Europe. If the servers in 
Minneapolis were hacked, the Minneapolis Cyber Crime Task Force 
would be assigned to lead the case. The leads in California 
could end up in Eastern Europe, Nigeria or even back in 
Birmingham if an insider were involved. One of the FBI's 
response teams would be called upon to preserve evidence and 
that evidence would be forwarded to one of our new regional 
computer forensic laboratories now located in Chicago, Dallas, 
and San Diego. Simultaneously other FBI computer experts would 
determine the extent and duration of the intrusion and whether 
the attacker came from inside or outside the company. Depending 
on the sophistication of the intruder, the case may be solved 
in a few days or it may take years.
    Cases are routinely complex and often involve international 
connections. Cyber crime continues to grow at an alarming rate 
and security vulnerabilities contribute to the problem. We will 
soon begin staffing a public-private alliance unit within the 
FBI which will work with administrators and security 
professionals to reduce opportunities for criminals by 
employing best practices and patching vulnerabilities before 
they can be exploited. Through that unit's efforts combined 
with the efforts of those in this committee problems like the 
hacking experience by Georgia Tech will happen much less 
frequently. The FBI will continue to pursue cyber criminals as 
we try to stay one step ahead of them in the cyber crime 
technology race.
    I thank you for your invitation to speak today. I on behalf 
of the FBI look forward to working with you on this very 
important topic.
    [The prepared statement of James E. Farnan can be found on 
page 98 in the appendix.]
    Chairwoman Kelly. Mr. Beales.

    STATEMENT OF J. HOWARD BEALES, III, DIRECTOR, BUREAU OF 
         CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

    Mr. Beales. Thank you, Chairman Kelly and members of the 
committee. I am Howard Beales, Director of the Federal Trade 
Commission's Bureau of Consumer Protection. I am pleased to 
present the views of the Commission this morning.
    The Federal Trade Commission works to prevent and protect 
information security on a number of fronts. We take law 
enforcement actions, we provide victim assistance when security 
breaches result in identity theft. We educate both consumers 
and business and we hold public workshops to examine emerging 
issues.
    In our traditional role as a law enforcement agency the FTC 
has brought civil actions to enforce privacy promises, 
including cases where companies failed to take adequate 
security precautions with consumers' personal information. When 
an information breach is reported, the FTC staff activates our 
protocol for triaging the breach. We evaluate the incident on a 
number of levels, including the extent of the breach and the 
type of information that was exposed. We also analyze any 
jurisdictional issues. We do not have jurisdiction over banks 
and common carriers, for example. In addition, we determine 
whether there is an ongoing criminal investigation, given that 
the breach may involve an underlying theft of information. We 
coordinate any FTC investigation with criminal authorities 
because we don't want to get in the way of an ongoing criminal 
investigation.
    When the Commission determines that law enforcement action 
is appropriate we have two valuable tools to work with. First, 
section 5 of the FTC Act, which prohibits unfair deceptive acts 
or practices such as misleading promises about information 
security; second, starting in May of this year, the Commission 
will enforce the Gramm-Leach-Bliley Act safeguards rule for the 
financial institutions within our jurisdiction.
    Last August the Commission announced a settlement with 
Microsoft regarding misleading claims about the information 
collected from consumers through its passport services. The 
Commission's complaint alleged that Microsoft misrepresented 
the privacy afforded by these services, including the extent to 
which Microsoft kept the information secure.
    Microsoft is an important case because it involved alleged 
misstatements about the security provided for millions of 
consumers' sensitive information. In addition, it held 
Microsoft to its security promises even in the absence of a 
known breach of the system. Thus, the Commission found even the 
potential for injury actionable when sensitive information and 
security promises were involved and when the potential for 
injury was significant.
    The Microsoft case was followed by the Commission's case 
against Eli Lilly. The Lilly case involved alleged 
misrepresentation regarding the security provided for important 
information. Like Microsoft, Lilly made claims that it had 
security measures in place to protect the information collected 
from consumers on its Web site. As in Microsoft, the Commission 
charged Lilly with failing to have reasonable measures in place 
to protect the information. The order in the Lilly case 
prohibits the misrepresentations and as in Microsoft it 
requires Lilly to implement a comprehensive information 
security program.
    It is important to note that the Commission is not simply 
saying gotcha for security breaches. Although a breach may 
indicate a problem with a company's security, breaches can 
happen even when a company takes all reasonable precautions. In 
such instances the breach does not violate the laws that the 
FTC enforces. Instead, the Commission recognizes that security 
is an ongoing process using reasonable and appropriate measures 
in light of the circumstances. That is the approach the mission 
took in these cases and in its Gramm-Leach-Bliley Act 
safeguards rule, and it is the approach we will continue to 
take.
    As I mentioned earlier, in May the Commission's Gramm-
Leach-Bliley Act safeguards rule takes effect. The rule 
requires financial institutions under our jurisdiction to 
develop and implement appropriate physical and procedural 
safeguards to protect customer information. The rule takes a 
flexible approach, requiring greater security measures for the 
most sensitive consumer information. It requires companies to 
assess the risks they face, take reasonable and appropriate 
steps to reduce those risks. Companies must also monitor their 
security performance and adjust their programs as the risks 
they face change over time.
    The FTC also plays a role in improving information security 
and in reducing risks to personal information by fostering 
dialogue and educating the public on security issues. For 
example, the Commission held a workshop last May to examine the 
security of consumer information, both as maintained by 
consumers on their own computers and by businesses on their 
systems. In May and June of this year the Commission will host 
workshops that focus on the role of technology again for both 
consumers and businesses.
    The cases of TriWest and Teledata communications Inc., in 
which massive numbers of individuals' personal information was 
taken are good examples of where the Commission carried out its 
traditional education and assistance role. The staff provided 
advice to those companies on how to notify the affected 
individuals and what steps those consumers should take to 
protect themselves.
    From these experiences and others the FTC has developed a 
response kit for businesses which have suffered information 
security breaches. The kit tells businesses what steps to take 
to respond to a breach and includes a form letter for notifying 
the individuals whose information has been taken. These kinds 
of information security breaches place substantial costs on 
individuals and businesses. The Commission is committed to 
reducing these breaches as much as possible through its civil 
law enforcement authority and its education and assistance 
programs.
    Thank you for holding this hearing, and I look forward to 
your questions.
    Chairwoman Kelly. Thank you, Mr. Beales. I also want to 
note that we invited Dr. William Winkenwerder, the Assistant 
Secretary of Defense for Health Affairs at the Defense 
Department to discuss the DOD's role in mitigating the impacts 
of a theft at TriWest. Unfortunately, he had already accepted 
an invitation to testify about this before the Senate Finance 
Committee right now and his deputy is on travel.
    Dr. Winkenwerder submitted a statement for the record and 
with the members' unanimous consent I want to enter it into the 
record at this time.
    [The prepared statement of William Winkenwerder can be 
found on page 145 in the appendix.]
    Chairwoman Kelly. We thank all of you and I would like to 
begin with you, Mr. Caddigan, asking you a couple of questions. 
We commend the entire Secret Service and especially the agents 
in the New York Field Office for your truly dedicated and 
outstanding service to this country. We in New York are 
understandably very proud of the tenacity of the New York Field 
Office as it recovered from the destruction of its offices at 7 
World Trade Center.
    I would like to ask if your task force and the stronger 
emphasis on information security since 9/11 has led to law 
enforcement successes?
    Mr. Caddigan. Madam Chairwoman, I think it is safe to say 
yes, the proactive approach that the task force model in New 
York takes with regard to partnering with businesses, it gets 
on the front end of an issue. We help establish self-assessment 
vulnerabilities in a particular entity. We can help mitigate 
those on the front end. We can help develop a response plan for 
that business should they be victimized. So do those actions 
prevent activity or help mitigate that in the long run? Yes, 
ma'am, I would say that it does.
    Chairwoman Kelly. That is very good to hear.
    Mr. Farnan, your testimony discusses two cases in which the 
hacker was arrested overseas. How often are hacking cases 
originated from an overseas point? Do you want to answer that?
    Mr. Farnan. Much more frequently than we might care to 
think about. What we have learned and the model we come from in 
law enforcement is to typically think along State jurisdiction 
lines and the FBI, of course we think when violations may cross 
State jurisdictional lines. With the advent of the Internet and 
the World Wide Web, we have to completely reevaluate those 
jurisdictional lines. We now have to think of the entire planet 
as a ground or platform from which perpetrators can act, and so 
we do see a lot of activity from persons based in overseas 
countries or outside the United States.
    Chairwoman Kelly. Mr. Caddigan, do you want to address 
that?
    Mr. Caddigan. I think crime has become global in nature, 
especially with the onset of the Internet and computer. What 
can take place in a criminal activity in California can almost 
instantaneously have the victim be victimized in Asia, for 
example. So we do look at things as a borderless society with 
regard to fighting crime. We do partner not only domestically 
with business and law enforcement, but I think it is also as 
critical to partner in the foreign arena with foreign 
businesses, foreign law enforcement and governments.
    Chairwoman Kelly. Mr. Farnan, is the FBI concerned that 
large scale hacks or the denial of service attacks might be an 
instrument of international terrorism?
    Mr. Farnan. We are definitely concerned about that. In the 
Cyber Division what we have done is aligned our priorities 
along with those of the FBI. So counterterrorism is our number 
one priority and our number one focus followed by 
counterintelligence matters and then criminal matters in terms 
of our third priority. So we are definitely concerned about 
that. And we have seen, for example, terrorists who are 
interested in communicating by way of the Internet, like in 
many cases we all are. So we pay special attention to that 
arena.
    There are two other sort of elements that help us focus on 
that. One is that in the international arena especially. We 
have our legal attache program that is located in about 46 
countries, I believe it is, and we are going to start in the 
Cyber Division an Internet, or we have started an international 
investigative support unit to work with our legal attaches to 
make sure that we are addressing that very issue.
    Chairwoman Kelly. Good. Thank you, Mr. Farnan.
    Mr. Beales, can you give me more details? You mentioned 
that you have taken some specific measures with the FTC to--
what measures, specifically, did you take with respect to the 
three cases to help the victims?
    Mr. Beales. Well, what we did was to discuss with the 
companies the kind of a letter they might send and make 
discussions about the letter. We have a booklet that is 
consumer information about identity theft that is called 
Identity Theft: When Bad Things Happen to Your Good Name. And 
we make that booklet available and encourage companies to 
provide that booklet to consumers in need of information about 
what they should do next.
    Chairwoman Kelly. Thank you. I am about out of time.
    Mr. Farnan and Mr. Caddigan, I want to be sure, we want to 
be sure, we need to be sure that there is no unnecessary 
overlap or redundancy between the two of your agencies. I 
wonder if you would be willing to clarify your authority over 
cyber intrusions.
    Mr. Farnan. Again we have our--well, the fact that Mr. 
Caddigan and I are sitting next to each other and Dennis Holly, 
who is sitting next to me is an agent actually assigned to FBI 
Headquarters, resources permitting, I want to assign an FBI 
agent to Secret Service Headquarters, I think we are working in 
an extremely cooperative and complementary fashion. There is 
enough crime, as I think you can sort of define from the 
testimony today, to go around. There is plenty of work to do. 
And with that, I think that our efforts complement each other. 
We have specific mechanisms in place to make sure that happens, 
including the sharing of personnel back and forth.
    When it comes to intrusions, the one unique thing that we 
may bring is the fact that if it is a State-sponsored or 
foreign government who is trying to break into or hack into a 
system in the U.S., it is one kind of unique area that the FBI 
may bring to that. What we have done successfully is work on a 
case-by-case basis at the field level all the way through the 
headquarters level to make sure we are not duplicating and 
complementing efforts.
    Chairwoman Kelly. Mr. Caddigan, are you satisfied with that 
answer?
    Mr. Caddigan. I would concur completely. We recognize that 
any single entity can't handle this problem alone. By working 
together, combining our resources, combining our approach 
methodologies, we do provide a better product to the public we 
serve.
    Chairwoman Kelly. So you feel that there is not a problem 
with overlap there?
    Mr. Caddigan. I think, as Mr. Farnan mentioned, we detailed 
an Assistant Section Chief to the Cyber Division in 
headquarters, so conflict is not an issue. We do coordinate at 
the local level with our task forces. The Bureau has 
representation and membership in each of our electronic crimes 
initiatives throughout the country and, conversely, in smaller 
environments where we are not present we have membership in 
their initiatives.
    So I would suggest to the panel that the cooperation does 
exist at the highest level and although there maybe some 
appearance of overlap it does mesh well together.
    Chairwoman Kelly. Thank you. I am out of time. Mr. 
Gutierrez.
    Mr. Gutierrez. Thank you very much. First of all, I want to 
thank Mr. Weaver and Mr. Caddigan and Mr. Farnan and all of 
those that work with you at the FBI and Secret Service for the 
work that you do.
    I would like to ask Mr. Beales, I guess my concern is what 
are the responsibilities of financial institutions that suffer 
from intrusions to their client base in terms of information 
from them? Is there a 48-hour, 72-hour window, a week, 30 days? 
Is there something that says you must do this by the FBI's 
call, the Secret Service knows, they are investigating how long 
does it take and is there anything that says they have to do it 
in a specific amount of time?
    Mr. Beales. There is no specific requirement either to give 
notice or to give notice within a certain period of time. 
Notice is clearly appropriate in many circumstances and is 
clearly the best practice and was what we have generally seen 
in most cases that involve breaches. There are some cases 
though where notice may not be as useful. And I think in the 
case of the credit card hack that got the information about 
credit cards, providing that information to the financial 
institution so they could block fraudulent activity on those 
cards is a more effective way to address the problem and 
considerably reduces the need for notice to consumers.
    Mr. Gutierrez. So I guess then what you are saying is we 
have to rely on the credit card companies and the service that 
is provided to protect the consumer but we are not--we don't 
necessarily inform the consumer so that he can help protect 
himself and you think there might be just best practices where 
the consumer is left totally out of the picture and unaware? It 
seems to me the credit and the reputation belongs to the 
consumer and that credit and reputation is I trust--I entrust 
it to the financial institution, to my credit card company, my 
mortgage company and that they have a responsibility to me to 
alert me. I mean, if my bank didn't call me because somebody 
ripped off my money from my checking or bank account 
immediately, I think I would get pretty angry about it. I guess 
my question is don't you think there should be some best 
practices established so that consumers can help themselves?
    A booklet is nice and I am very happy that you issue that 
booklet, but at what point do we trust the consumer to engage 
and to cooperate with the Secret Service, with the FBI, with 
the District Attorney's office or whatever it is that is 
prosecuting the case. What do you think?
    Mr. Beales. I completely agree with you that consumers need 
to find out in most of these cases. And we have--in the 
particular cases that are at issue here we have strongly 
encouraged the companies to provide information to consumers 
and try to make it easier for them to do that. I think there is 
no question that is the best practice in most cases.
    Mr. Gutierrez. So the best practice is trust the companies 
to figure out when they should inform the consumer that their 
credit has been somehow hurt or compromised and that somebody 
has access to their information; we should just trust the 
companies to do this?
    Mr. Beales. We don't have regulatory authority.
    Mr. Gutierrez. Who does?
    Mr. Beales. I am not sure that there is any agency that has 
authority to.
    Mr. Gutierrez. So there is no authority that you understand 
that anyone has?
    Mr. Beales. There is authority and there are regulations 
both by us and the bank regulatory agencies that govern the 
front end, that require financial institutions to have in place 
measures to prevent breaches of information security and to 
take appropriate steps in order to keep that from happening in 
the first place.
    Mr. Gutierrez. I understand that. And I guess then that 
maybe we should look at how it is ultimately the House of 
Representatives or legislatively we deal with the issue given 
that it is your testimony that there is no best practice other 
than let the companies figure out how it is they should deal 
with the consumers, but there is no 72 hours, 48 hours. So we 
probably may need some best practices established to protect 
the consumer because in the end that is who we have to protect 
and that is who is most hurt in this situation.
    Again, I want to thank the members of the Secret Service 
and the FBI for their work because I know they have a lot of 
work, especially after September 11th. I want to thank them for 
all the hard work that they do. I want to thank folks at the 
Federal Trade Commission, too. You do a great job there, too.
    I wanted to see if we could figure out what we might need 
to do, this committee and other committees. Thank you all so 
much for your testimony this morning.
    Chairwoman Kelly. Thank you, Mr. Gutierrez.
    Mr. Bachus.
    Mr. Bachus. Thank you. Mr. Beales, will the FTC be taking a 
closer look at banks' third party providers with respect to the 
service providers information security programs?
    Mr. Beales. It is something that we are very interested in, 
in looking at security cases and information security cases in 
general. It is an area where the bank regulators also under 
their safeguards rules also have authority and it is a place 
where we would want to coordinate with the bank regulatory 
agency as to who was in the best position to address any 
particular case.
    Mr. Bachus. Are you already doing that? Are you already 
looking at these?
    Mr. Beales. We talk to the bank regulatory agencies on a 
very regular basis about a host of issues, including this.
    Mr. Bachus. How about the bank's third party providers? Are 
you all in contact with them or are you reviewing their 
information security programs?
    Mr. Beales. Well, we have--under the FTC rules we can't 
talk about particular investigations. They are not public.
    Mr. Bachus. I don't want specifics, but is it a part of 
your general procedure? Do you----
    Mr. Beales. Well, in our general procedures we are sort of 
looking for cases everywhere. They may come from reports in the 
media and they may come from complaints. They may come from 
referrals from other law enforcement agencies, and if they are 
in our jurisdiction and third party service providers, we would 
be very interested in pursuing.
    Mr. Bachus. Banks' third party service providers are within 
your jurisdiction, aren't they, as far as their information 
security?
    Mr. Beales. Yes, I believe they are. They are also subject 
to the bank's----
    Mr. Bachus. I understand that. But I am just talking about 
for a minute--without being specific, have you taken a closer 
look at any of their information security programs?
    Mr. Beales. We do not have any--we haven't done anything 
that was specifically targeted to bank third party.
    Mr. Bachus. I understand that. I am not talking about 
target. I am just saying are there instances when you have 
reviewed their information security programs?
    Mr. Beales. If we review information, it would be in the 
context of a particular investigation of a particular company.
    Mr. Bachus. I understand that. I am not talking about 
particulars, but have you done that? I know you have the right 
to do it, and you might do it, but have you done it?
    I am not going to ask specifics about companies, but I want 
to know if that is part of your jurisdiction?
    Mr. Beales. It is part of our jurisdiction.
    Mr. Bachus.  My question is, are you all taking advantage 
of it? Are you all doing that? Are you reviewing or have you 
reviewed any?
    Mr. Beales. We have reviewed cases as they have come to our 
attention.
    Mr. Bachus. Banks, third-party providers?
    Mr. Beales. Yes, sir.
    Mr. Bachus. Okay. You know, on the DPI case, this 
information was looked at, but it wasn't actually taken, is my 
understanding.
    Mr. Beales. I am not--I don't know that for sure.
    Mr. Bachus.  Okay. All right.
    Are you aware of any identity theft cases that resulted 
from the DPI hack?
    Mr. Beales. I am not.
    Mr. Bachus.  How many personnel are dedicated to 
investigating pretext calls at your agency?
    Mr. Beales.  There probably isn't anyone that is completely 
dedicated. We are a small agency and people multi-task, but 
there are--there are four or five staff members who have been 
involved in pre-texting investigations.
    Mr. Bachus. Let me ask the Secret Service, either one of 
you gentlemen, Mr. Weaver or Caddigan, in your experience how 
responsive have credit card issuers and processors been in 
notifying the Secret Service of data penetrations or other 
hacking events.
    Mr. Caddigan. I think, as a general statement, it is safe 
to say that they have been very responsive. We have ongoing and 
longstanding relationships with the credit card companies 
individually, the banks that they represent, and on occasion 
the third-party processors as it becomes important for us to 
deal with them.
    Mr. Bachus. You have been in a position to know whether 
they are cooperative, and they are?
    Mr. Caddigan. Yes, sir. They are very cooperative.
    Mr. Bachus. To Mr. Farnan, do you work closely with the 
private sector in monitoring data penetrations?
    Mr. Farnan. Well, one thing to keep in mind here is that 
what has happened at the FBI is the former National 
Infrastructure Protection Center has now migrated to the 
Department of Homeland Security.
    So what is happening is on the vulnerability side of the 
house, the Department of Homeland Security is really assuming 
that responsibility. And to focus our limited resources the 
best we can, we are focusing more on the threat side of the 
house. By that I mean, who is it out there that is causing the 
problem.
    So to answer your question, we are not directly monitoring.
    Mr. Bachus. You are focusing on the perpetrators?
    Mr. Farnan. Yes, sir.
    Mr. Bachus. In our second panel, we are going to talk about 
TriWest, what happened there. Now, you know, this hearing has 
sort of focused on penetrations of data systems, hacking, that 
nature. But in that case, someone either on the inside, it is 
an ongoing investigation, or on the outside just walked in and 
walked away with hard drives containing information on half a 
million people.
    Which obviously, if you had a preference for what you would 
do, is, you know, go in and try to grab stuff. If you could 
just walk in and take the hard drives out or the disk out, you 
know, that would be the preferred method I would think for 
thieves.
    I read the testimony of TriWest's CEO, and it was 2 days 
before they discovered this theft. From a law enforcement 
agency perspective, what do you advise corporations that have 
these large databases of how to protect them from a security 
standpoint? Not someone hacking, but someone walking in or 
somebody walking out, whether they walked in or not.
    Mr. Farnan. One of the things that we tend to see is 
sometimes we do tend to think of these cases as extremely 
complex, because once when we get into the world of electrons 
and what is happening in cyberspace, things can get complicated 
pretty quickly. But in doing that, sometimes we forget the 
fundamentals, sometimes we forget to lock the door.
    So there are times when you have to look at, where does any 
company or university or institution keep its servers, where do 
they keep their mainframes, what kind of security, in terms of 
locked doors, places in the building that kind of equipment is 
kept. Is it kept on site in the same place as the corporate 
headquarters or is it secured in an alternate location.
    So sometimes even though we get into lots of victims 
involved in these crimes, and the crimes can be really 
worldwide in nature, sometimes we forget the very fundamentals. 
And that is really, probably, the place to start with security 
matters.
    Mr. Bachus. I totally agree with you. I would think 
fundamentally you worry about sophisticated--through the 
network, but you obviously shouldn't--you should just protect 
the front door.
    How about the Secret Service? Any comments you would make?
    Mr. Caddigan. I would concur.
    I think in a proactive approach to information assurance or 
information security, a company, an organization, an entity 
needs to be concerned dually, both physical and cyber.
    And when you look at vulnerability assessment, an 
organization can be guided to conduct their own self-
assessment, I think you do--those things rise right to the top. 
I don't know the particulars on this case, but as you describe 
them you would ask the simple questions on the front end, is 
there a lock on the door, is there protection on the hard 
drive, what schedule do you use in order to verify that 
information has not be compromised.
    And again, not having any knowledge of this case, 
protecting your cyber elements again is just as critical as 
your physical elements. So it is easy to critique on the back 
side, but the proactive approach I think might have determined 
that vulnerability on the front side.
    Mr. Bachus.  Thank you.
    Chairwoman Kelly. Mr. Caddigan, I want to follow up.
    Just one quick question to Mr. Bachus's question, and that 
is, about the way that the computers contain the information. 
If people are lifting the hard drives, then it seems to me that 
containing information that separates numbers from names and 
Social Security numbers from addresses, things like that can be 
done. Are you overseeing things like that? Are you looking at 
things like that, or recommending things like that to 
companies?
    Mr. Caddigan. Yes, ma'am. Recommending would be the proper 
word. We do have issues with regard to--these companies are 
private sector. We can't mandate, we can't legislate, but we 
certainly can recommend security mindedness. Those would be 
exactly the type of things that we would ask you to consider in 
how you collect and keep your data.
    Chairwoman Kelly. Thank you. Ms. Hooley.
    Ms. Hooley. Thank you. I am going to direct most of my 
questions to Mr. Beales, but if any of you would like to jump 
in, please feel free to do so.
    I know you are to provide victims assistance and consumer 
education.
    Can you highlight, beyond your testimony specifically, 
specific steps the FTC has taken in regard to consumer 
education and victims assistance? Let me explain what I am 
looking for.
    I know in regard to victims assistance you have a 
centralized database to aid law enforcement. Are there any 
programs in place specifically to help victims of ID theft 
clean up their credit, which as many of you know can be a long 
and expensive process? And do you have any suggestions for new 
ways to help in this regard? That is the first part of my 
question.
    The second part is, you have to finalize rules which 
require financial institutions under FTC's jurisdiction to 
develop and implement appropriate physical, technical and 
procedural safeguards to protect consumer information.
    Can you tell me which financial institutions might be 
subject to this rule? Would the 400 companies which are 
sponsored by financial institutions to process credit card 
payments, such as DPI, be subject to the rule?
    Then the third part of my question is, I know your--you 
have been traveling around the country to educate local law 
enforcement. I would like to know how well that has gone.
    Can you tell us a little bit about the seminars, how many 
cities have you traveled to, how often are they held, and what 
might be coming next. And is there anything we can do to help 
you with that?
    I know I have used your brochures extensively for the 
education piece. Thanks.
    Mr. Beales.  When consumers call our hotline for identity 
theft to report a problem, the phones are answered by trained 
counselors who will try to talk them through what they need to 
do next.
    Our role is to provide advice to consumers about the steps 
that they need to take. We do that to the best of our ability, 
but it is really up to consumers to do that.
    There are private programs that will help consumers 
individually on a one-on-one basis, go through the process of 
cleaning up their credit. It is not something that we do or 
would have the resources to do for the complaints we get. We 
get--last year we had approximately 161,000 victims who 
contacted our clearinghouse for information and assistance.
    Ms. Hooley. Let me ask you, are there any other things? I 
mean, I know what the directions are that you give victims, and 
it can take 3 or 4 years. I mean, I think the average time is 
an enormous amount of time to clear up their credit.
    Do you have suggestions or ideas, any of you, about how we 
can make that happen in a much quicker, less costly, less time 
consuming, less frustrating way?
    Mr. Beales.  We are constantly looking for better ways to 
do it, to make it simpler. We have--I mean that led us last 
year to put out a uniform affidavit. So consumers could report 
the fraud on one form and then submit copies to different 
financial institutions, as one way to try to simplify the 
process.
    We are working--we have been working with the credit 
reporting agencies to initiate a pilot program that would let 
consumers just make one call to contact all three credit 
recording agencies and establish a fraud alert. We expect that 
program to go into place later this month.
    We are continually looking as well for things that Congress 
might do to make this simpler. At this point we don't have any 
specific suggestions. But, it is something that we are very 
much alert to, and looking for ways that we or you or anyone 
else could make this process less of a hassle for the people 
who are victims.
    As to our Safeguards Rule, there are a wide variety of 
firms that you wouldn't think of as financial institutions that 
are or may be financial institutions under the Gramm-Leach-
Bliley Act rules that are subject to our jurisdiction and that 
would be subject to the Safeguards Rule.
    Accounting firms that do tax preparation and the like, for 
example, may well be subject to the rules. Auto companies that 
provide credit or dealers that provide credit or financial 
institutions are subject to the rules.
    The third parties that provide services, to banks or anyone 
else, that involve handling sensitive information would likely 
be financial institutions and subject to our rules.
    It is a hodgepodge of who it is, there is no easy way to 
describe the universe. But, our jurisdiction is basically any 
financial institution, except banks or financial institutions 
that are specifically regulated by some other regulator.
    As to the law enforcement training, I believe we did five--
--
    Ms. Hooley. Let me finish up that. The companies that are 
sponsored by financial institutions, like DPI, are they under 
your jurisdiction?
    Mr. Beales.  I believe they are, yes.
    Ms. Hooley. Okay.
    Mr. Beales.  As to the law enforcement training, I believe 
we did five cities last year. We did training programs in five 
cities last year. We thought it was successful and useful.
    We did those training programs in conjunction with the 
Justice Department and with the Secret Service and the Postal 
Inspection Service. We tried to bring in local officials, as 
well, in each one.
    This year we have five more planned in different cities 
around the country, and we are continuing to pursue that 
activity.
    Ms. Hooley. How can we help you in increasing those numbers 
for law enforcement, because I think that is a really important 
piece, the law enforcement piece of identity theft.
    Mr. Beales.  Well, the--the piece that, I mean, the 
training piece I mean is simply limited by resources. It is--it 
is--it takes staff, time and effort. And we have tried very 
hard to work with the other law enforcement agencies involved 
to extend our resources and leverage them as much as possible.
    Ms. Hooley. Thank you.
    By the way, thank you for the booklets. We do send out a 
gazillion of them.
    Mr. Beales.  I am glad to hear that.
    Chairwoman Kelly. Mr. Shadegg.
    Mr. Shadegg. I am going to pass.
    Chairwoman Kelly. Mr. Renzi.
    Mr. Renzi. Thank you, Madam Chairwoman.
    Just two real quick questions, so then we can go vote.
    I am really interested in the who behind all of this. You 
know, we have heard that there are hackers involved and 
terrorists involved, organized crime involved, and even 
insiders. And I know the FBI and the Secret Service has done a 
wonderful job in foiling some attempts. What can you share with 
me as far as the who behind this.
    I've got a little follow-up question. Thank you.
    Mr. Farnan. First, our experience and our investigative 
activity to date suggests one thing that really kind of stands 
out. And that is, that the highest, the person that we are most 
concerned about is, in fact, the insider as opposed to an 
outsider. That person poses the most significant threat.
    Secondly, what we focused on and what we are concerned 
about are organized groups that may be attempting to obtain, 
penetrate machines and obtain large amounts of data. And we are 
very concerned, also, about the threats that are posed from 
foreign countries, frankly.
    But, one important point, I think, to emphasize is the fact 
that it is the insiders. It is the people who have access to 
the machines and to the data that really pose a significant 
threat, which raises the question, who watches the watchers?
    Mr. Renzi. Well said.
    Congressman Shadegg and I share a real concern living in 
Arizona with the border. We are reminded weekly of the threat, 
particularly as it relates to terrorism. We recently just had 
an Iraqi arrested down in the Tucson area. That goes to my 
follow-up question, which is the market, the black market.
    We have probably a sophisticated black market as it relates 
to credit cards, as it relates to Arizona, drivers' licenses, 
passports. Los Angeles has a whole market that is even bigger 
than ours, because of the immigrants that move through our area 
looking for identification and also the terrorists, I think, 
that are also looking for that new identity.
    Could you talk real quickly then about the driving force of 
once the insiders or whoever have stolen this information, who 
they are selling it to, where is the purchasing, the fencers, I 
guess, is what I am talking about?
    Mr. Caddigan. The insider threat is--the correlation of the 
insider is permeated through many of the cases that we have.
    The hacking community, the groups out there that do hacking 
for a pastime, we think they fall maybe into three categories.
    One is those doing it for the challenge. They want to show 
that they can tap into your vulnerability and exploit you.
    The second is political, which means they get into 
websites. They deface them. They put a statement, a logo, 
again, sometimes just for encouragement.
    The other is for profit. So they are the ones that I think 
we are all concerned about in law enforcement, those that are 
getting in there and stealing information. We find, in many 
cases, they make that information available in chat rooms on 
the webpage.
    They indiscriminately make it available to anyone willing 
to pay for it. Thus, it is hard to track where the sources are 
going to, because they are everything and anything.
    Mr. Renzi. Your answer leads me to believe that there is 
not an absolute purchaser. There is not an absolute market that 
you have been able to identify, indiscriminate purchasers?
    Mr. Caddigan. There is not an absolute market. I think that 
is safe to say.
    With regard to terrorism and the like, we do find--with 
illegal immigrants, terrorists, those that are truly trying to 
hide their identify, aren't using it to gain credit or to have 
purchasing power, they are using it to be able to live and 
exist with a different name that doesn't draw attention to 
them.
    Mr. Renzi. You are able to set up an electronic fencing 
operation, a pseudo fencing operation, where you look on the 
Internet and purchase that information and then go after that 
individual, just like you would----
    Mr. Caddigan. That does occur.
    We have always had sting operations with regard to, as your 
concern expressed, the immigrants. We have had some terrorism 
links to those that are just trying to have different breeder 
documents, and what they can get out of the breeder documents, 
meaning passports, driver's license and the like. It is just 
strictly to have a change of a named identity that they can use 
at will. So it does run the gamut in that regard.
    Mr. Renzi. Let me just thank you all of you for your 
testimony today, and especially at this time in our Nation's 
history for the work you are doing.
    I know we are talking about incidents that have already 
occurred today. I can't imagine the amount of incidents that 
you have foiled. So thank you for that.
    Chairwoman Kelly. Thank you very much.
    We have just been called for two votes on the floor. So I 
will eventually deal with that, but I want to note that some of 
the Members may have additional questions for this panel, that 
they may wish to submit those questions in writing.
    So, without objection, the written hearing record will 
remain open for 30 days for members to submit written questions 
and to place responses in the record.
    This panel is excused with our great thanks. We appreciate 
the fact that you gave us so much of your time, and we look 
forward to being in continual contact with you, because this is 
quite a thorny issue. Thank you very much.
    In light of the vote, I am going to recess this committee 
for 20 minutes, and we will reconvene in 20 minutes for our 
second panel. Thank you very much, gentlemen.
    [Recess.]
    Chairwoman Kelly. As the second panel takes their seats at 
the witness table, and with the agreement of Members, I want to 
recognize the gentleman from Arizona, Mr. Shadegg, for the 
purpose of introducing our first witness before I proceed with 
the rest of the introductions.
    Mr. Shadegg. Thank you, Madam Chairwoman.
    As I mentioned in my opening statement, I have the 
privilege of having a constituent on this panel.
    Mr. David McIntyre is here to testify about the burglary of 
his company's office located in my Congressional district, the 
burglary that occurred on the morning of December 14th, 2002, 
and about the response by his company to that burglary.
    Mr. McIntyre is president and CEO of TriWest Healthcare 
Alliance, which is a private corporation that administers the 
Department of Defense's TRICARE Program in a 16-State region in 
the central United States. TriWest is the largest Department of 
Defense contractor in Arizona.
    Mr. McIntyre has more than 18 years of experience in 
healthcare and healthcare policy and in the healthcare 
business. He was previously Vice President of Blue Cross Blue 
Shield of Arizona, which is where I met him.
    For our purposes, Madam Chairman, he has 9 years of 
experience serving on the staff of Senator John McCain. So he 
is somewhat familiar with the hearing process.
    As I mentioned in my opening statement, in the wake of the 
burglary of TriWest's offices in Phoenix, Mr. McIntyre's 
company aggressively responded.
    Mr. McIntyre personally oversaw and took part in the plan 
to notify customers about the stolen information and personally 
telephoned a number of those whose credit card information was 
stolen.
    Mr. McIntyre has turned that negative experience, the 
burglary of his company's offices, into a positive model for 
other companies across the country who are victims of 
information theft.
    I appreciate him being here to testify, and I look forward, 
as I am sure the rest of the panel does to his testimony.
    Chairwoman Kelly. Thank you, Mr. Shadegg.
    Our remaining witnesses on the second panel are Mr. Kevin 
D. Mitnick, President and Co-founder of Defensive Thinking and 
a computer hacking expert. Stuart Pratt, President of the 
Consumer Data Industry Association. Mr. John Brady, Vice 
President for Merchant Fraud Control of MasterCard 
International, and Evan Hendricks, Editor and Publisher of 
Privacy Times. We welcome you all. We thank each of you for 
testifying here today.
    Without objection, your written statements will be made a 
part of the record. You will each be recognized for 5 minutes, 
and if you don't know the color codes on the lights in front of 
you, the green light is all go, and as soon as you see the 
yellow light it means it is time to sum up because the red 
light will come on. We all know what that means.
    With that we will start with you, with Mr. McIntyre.

STATEMENT OF DAVID J. MCINTYRE, JR., PRESIDENT AND CEO, TRIWEST 
                      HEALTHCARE ALLIANCE

    Mr. McIntyre. Chairwomen Kelly and distinguished members of 
the Financial Services Committee, thank you for the invitation 
to appear before you today to discuss the important topic of 
identity theft.
    Congressman Shadegg, thank you for your overly generous and 
very kind remarks, and I appreciate your long interest, 
dedication and effective leadership on this critical consumer 
issue. It, in fact, is an issue that affects every consumer in 
America, probably a very unique one at that.
    As Congressman Shadegg said, my name is Dave McIntyre. I am 
the president and CEO of TriWest Health Care Alliance. We are a 
private corporation that delivers health care services to the 
Department of Defense and its beneficiaries in 16 states. We 
serve 1.1 million people.
    This was a very painful holiday period for me this last 
year, because like a number of organizations in this country, I 
have had the opportunity to learn firsthand about the 
information theft.
    What is most appalling to me, however, is that in many 
cases, it takes the individual who suffers the identity theft 
longer to clean up their credit report than is the jail term 
that is served by the criminal who actually perpetrated the 
act. As a consumer, as a business leader whose company suffered 
the theft of the personal information of its customers, I am 
grateful to you for your focus on this critical issue.
    On Saturday morning, December 14th, one of our offices was 
burglarized. Computer equipment and data files containing 
confidential and personal information of more than 570,000 
members of the military, their dependents and retirees was 
stolen.
    The information on the stolen hard drives included names, 
addresses and Social Security numbers, which we are required by 
the Federal Government to collect, along with other personal 
information. Fortunately, it only contained 23 credit card 
numbers.
    I was told by experts shortly after the theft that the most 
effective thing I could do was to get out in front of this 
issue and notify consumers as quickly as possible. So that is 
what we set out to do. We notified authorities on learning of 
the theft.
    Secondly, we contacted our DOD partners to jointly create 
and implement a comprehensive three-pronged action plan to 
protect our beneficiaries. We went to the media. Because many 
of these people were away from home during the holidays 
visiting their families. We wanted to make sure that we lost no 
time.
    The military worked through their chain of command and 
notified every installation worldwide, so that we would reach 
the leadership and all of the folks serving in the military.
    We sent the first of what will now be three letters to the 
individuals who were affected, to notify them of what had 
occurred, and give them advice based in part on the counsel of 
the FTC on what they could do to protect themselves.
    This has been a joint effort, working with Dr. 
Winkenwerder, the Assistant Secretary of Defense for Health 
Affairs, the Surgeon General of each service and all of the 
command structure in the military. It has been a fabulous 
partnership, albeit at a time when they didn't have time to 
spend on this issue.
    Third we posted a $100,000 reward to aid law enforcement in 
their efforts to try to detect who had done this. As you can 
imagine we were devastated by this event. However, we focused 
all of our energy on trying to do what we would want to have 
done were we the consumer who was sitting on the other side.
    Given the burden on the individual of placing a fraud flag 
with three different credit bureaus, we worked with the credit 
bureaus to develop a plan that has allowed us to request on the 
behalf of our customers, not forcing them to do it, the actual 
request of a fraud flag.
    To date, more than 63,000 of the people on that list have 
chosen that option, and we have done that work on their behalf.
    Through this experience, I have learned a lot. I never 
planned to become an expert or even close to someone who knew a 
lot about the issue of information theft. I am pleased to be 
joined by a number of other people who obviously know a lot 
about this topic as well.
    I have come to believe that the work that was done by 
Congressman Shadegg needs to be built on in a couple of ways.
    First, I think that every leader of any organization, 
whether it is public or private, has an absolute obligation to 
their customers, that when that information is compromised, 
they have an obligation to inform their customer of the fact 
that has happened. It is painful. It is awkward. It is 
embarrassing. It is expensive. But you know what, it is not our 
information, and unless you arm the consumer with that 
information, they cannot protect themselves.
    Second, as a consumer, I have observed the inconsistencies 
in the last 4 months with how my credit card information is 
handled. Half of the receipts from restaurants have the full 
credit card number and authorization date or expiration date 
posted on it. That is all you need and a name to go to the 
Internet and buy something.
    In addition, I still belong to the Senate Credit Union. I 
went to the credit union to find out what comes on your 
statement. Social Security numbers are printed on those 
documents if you go and ask for the balance on your account 
today. Same is true in the House Credit Union.
    So we need to work to look at when is it necessary to have 
the full Social Security number printed on the document, when 
is it necessary to have the full credit card number printed.
    I also think that penalties in this area for those who 
perpetrate such crimes need to be looked at and significantly 
enhanced.
    Fourth, I believe that credit bureaus should allow 
organizations to act on behalf of their customers, and that 
they should establish consistent timelines for the updating of 
fraud flags.
    Thanks for the invitation to be before you today. I hope 
that this is the year that you are able to take the incidents 
that we have all faced and use them as leverage to further 
protect consumers in this country. I look forward to answering 
any questions you may have.
    Thank you, ma'am.
    Chairwoman Kelly. Thank you.
    [The prepared statement of David J. McIntyre can be found 
on page 114 in the appendix.]
    Chairwoman Kelly. Mr. Mitnick.

   STATEMENT OF KEVIN D. MITNICK, PRESIDENT AND CO-FOUNDER, 
                       DEFENSIVE THINKING

    Mr. Mitnick. Good morning, Chairwoman Kelly, Chairman 
Bachus and distinguished members of the committee.
    My name is Kevin Mitnick. I appear before you today to 
discuss your efforts to review current industry practices 
concerning security procedures for the prevention of electronic 
theft of credit card information and identity theft.
    I am primarily self-taught. My hobby as an adolescent 
consisted of studying methods, tactics and strategies for 
circumventing computer security, and for learning more about 
how computer systems and telecommunications systems work.
    I have 15 years experience circumventing information 
security measures, and I can report that I have successfully 
compromised all systems that I targeted for unauthorized access 
except one.
    I also have 2 years experience as a private investigator 
with responsibilities that included locating people and assets 
using social engineering techniques. Social engineering is the 
same thing as pre-texting that Mr. Bachus spoke to earlier.
    I have gained unauthorized access to computer systems at 
some of the largest corporations on the planet and have 
successfully penetrated some of the most resilient computer 
systems ever developed. I use both technical and nontechnical 
means to obtain source code to various operating systems and 
telecommunication devices to study their vulnerabilities and 
their inner workings.
    Currently, I am the Co-founder of Defensive Thinking, a Los 
Angeles based information security firm. I recently co-authored 
with William Simon a book titled the ``Art of Deception,'' 
published by John Wiley and Sons, which has become an 
international best seller. The book details nontechnical 
methods and tactics, in essence pre-texting, that computer 
intruders use to compromise valuable information assets, 
including credit card information.
    Social engineering is a method where the intruder deceives 
his target into complying with the request based on false 
pretenses and psychological manipulation.
    It is important to understand, and all companies and their 
employees need to realize, that the most insidious 
vulnerability to information security are the well-meaning, 
hard-working folks that use, operate and maintain information 
systems.
    The prevention and detection of social engineering attacks 
should not be ignored or underestimated. In fact, the majority 
of scams involving identity theft and credit card fraud include 
social engineering on some level.
    In an attempt to deter carding, many retailers are now 
requiring an on-line customer to provide the three-digit CVC 
number that card issuers have begun to use.
    But the thieves also obtain the CVC number. With it, he is 
able to use the information to commit fraud against 
unsuspecting cardholders and merchants. I understand that the 
subcommittee will be examining three recent cases involving 
large-scale thefts of nonpublic, personal identifying 
information and credit card details.
    A major part of the problem is that the criminals only need 
to obtain information that is stored or processed in thousands 
of computers systems around the world. In February of 2003, 
DPI, a credit card processing services company, reported that 
an unknown intruder had compromised their network and gained 
access to a database that held over 8 million credit card 
accounts.
    DPI did not release any details describing how the breach 
occurred, citing cooperation with Federal law enforcement 
officials. The DPI case was widely reported in the press 
because of the astounding number of credit cards potentially 
compromised.
    But when examined closer, you will realize that these types 
of attacks happen all the time. In my opinion, the committee 
should not overlook that many similar attacks on networks 
containing financial information are not detected by the owner 
or operators. It is important to realize that many of these 
security incidents remain undetected because of poor security 
and auditing practices.
    DPI has publicly claimed that the intrusion occurred from 
the outside of the organization. Although, I do not like to 
hypothesize on facts and circumstances of an any attack without 
details, I would recommend that DPI consider the possibility 
that the attacker had assistance from the inside of the 
company.
    Every day the security community announces new 
vulnerabilities and operating systems in application software 
that have been identified. Vulnerabilities in software can be 
exploited to gain remote access to the target computer. Many 
system programs contain programming errors that enable the 
intruder to trick the software into behaving in a way other 
than which is intended in order to gain unauthorized access 
rights, even when the application is part of the operating 
system of the computer.
    Once a new vulnerability is recognized, the software 
developer releases a patch, a modification to the software that 
might be installed by individual companies, a process that may 
be overlooked for days, weeks, months, even years. Meanwhile 
companies using that software remain vulnerable or are forced 
to disable or block access to the vulnerable service until the 
patch becomes available.
    Even then in many cases this is not enough. There are a 
number of sophisticated hackers who are able to discover 
previously unrecognized security vulnerabilities and then use 
them to compromise global computer systems and networks.
    I agree that it is essential to implement security 
strategies to prevent, detect and respond to security threats 
and attacks, but it is too easy to look in the wrong direction 
for an answer. In my view, attempting to solve the complex 
problem by micromanaging every on-line site that accepts credit 
card transactions would turn out to be wasteful, inefficient 
and not a very successful exercise.
    Instead, I recommend that the committee look into a 
different direction. I recommend that you explore mitigation 
strategies which focus on improving the authentication of the 
credit card user. In any on-line credit card transaction, 
identity and authorization is based on the information a 
consumer provides to the merchant. This is no better than a 
static password.
    There is an old saying among hackers. You never know if 
someone else has your password. The reality is that a password 
or its equivalent is too easy to steal. A first step towards a 
solution would be to strip away the identity value of all 
personal information.
    If knowledge of a credit card number, expiration date and 
the corresponding customer name and address is without value, 
stealing this information would be a useless to an imposter.
    Unfortunately, authentication technology has not yet 
matured to the point of being able to provide an easy solution 
to the issue. If not being done already, I would recommend that 
the finance industry explore additional authentication methods 
that may include digital certificates, identification of the 
user's location based on IP address or telephone number, or 
verification of a PIN through a separate communications 
channel.
    For example, consider this scenario. You have just placed 
an Internet order for a new cell phone with a price tag of 
several hundred dollars, and placed an on-line order with your 
credit card information, but you were not required to give a 
PIN number. Instead, you next dial your credit card company, 
and when prompted you enter your card number. An automated 
system then reads off the details of the transaction. You are 
satisfied that the details are correct. The system tells you: 
To authorize this transaction, enter your PIN number.
    What would be the advantage of this approach? The thousands 
upon thousands of individual retailers would not have access to 
consumer PIN numbers. The fact that so many retailers store the 
credit card numbers of on-line customers gives rise to the kind 
of credit card theft that this hearing is addressing.
    If they also store the customer PINs, then there is no gain 
in security. The PIN becomes almost worthless as a security 
element. But under the approach I have suggested, only the bank 
would have access to the PIN number information. Under this 
arrangement, the theft of the card numbers would be of limited 
value.
    In another area, I would also recommend consumer-awareness 
training programs that educate people about the various scams 
being used to steal their credit card details and personal 
information, a practice that can prove highly valuable to 
effectively minimize identity theft and credit card fraud.
    I believe that all on-line retailers who accept credit 
cards should be encouraged or required to do the following:
    One, perform a regular, thorough risk assessment on their 
information assets, especially systems that process or store 
consumer financial and personal information.
    Two, implement policies, procedures, standards and 
guidelines as dictated by the results of the risk assessment.
    Three, create an audit and oversight program that measures 
compliance. The frequency of the audits ought to be determined 
consistent with the mission. The more valuable the data, the 
more frequent the audit process.
    Develop a process to ensure meaningful and effective patch 
management for all computer systems. Employ authentication 
methods that do not use nonpublic personal identification 
information, such as a mother's maiden name, birth date, birth 
place, driver's license number, address, phone number or Social 
Security number.
    Next, effective audit procedures implemented from the top 
down must be part of an appropriate system of rewards and 
consequences in order to motivate system administrators, 
personnel managers, and employees to maintain effective 
information security, consistent with the goals of this 
committee.
    Next, establish a security-awareness training program 
designed to educate their employees on the threats to 
information security and to change employee behavior to foster 
a secure environment. These would follow the security 
recommendations described in detail in my book, ``The Art of 
Deception.''
    In terms of legislation, I recommend that the subcommittee 
consider the following:
    One, legislation that prohibits merchants or credit card 
processors from electronically storing PINs or other types of 
verification credentials such as the CVC, unless it is 
essential to business needs.
    Two, the requiring of periodic security assessment and or 
penetration testing to evaluate the security posture of any 
business that stores or processes credit card transactions, to 
be performed by an independent information security consulting 
firm.
    Three, require encryption of stored financial or personal 
information. If this was done by TriWest or by DPI, then the 
information would not be accessible to the hackers.
    Finally, I want to offer what I have deemed the most 
important factor in security, the human factor. This is 
essential, underlying all security issues, whether it is from 
deceptive credit card thieves or terrorist operatives to blend 
into our communities.
    I believe it is essential to consider regulations that 
mandate security awareness training as part of an overall 
security program as required by HIPAA and the GLBA.
    Thank you.
    Chairwoman Kelly. Thank you very much, Mr. Mitnick.
    [The prepared statement of Kevin D. Mitnick can be found on 
page 124 in the appendix.]
    Chairwoman Kelly. Mr. Pratt.

  STATEMENT OF STUART PRATT, PRESIDENT CONSUMER DATA INDUSTRY 
                          ASSOCIATION

    Mr. Pratt. Chairwoman Kelly, Chairman Bachus, members of 
the committee, thank you for this opportunity to appear before 
you today.
    For the record, I am Stuart Pratt, president of the 
Consumer Data Industry Association, and we commend you for 
holding this hearing on the implications of breaches in 
information security in a number of different cases. In each of 
these cases, you have asked us to comment on the security 
breaches from the perspective of our members who operate as 
nationwide consumer reporting agencies.
    I will start with TCI Communications. Our members have no 
direct relationship with TCI Communications, and we learned--
our members report to us that they learned about access codes 
being compromised in particular through customer contacts with 
us.
    We work collaboratively with our customers. We worked 
collaboratively then with law enforcement to assist affected 
consumers. Let me just outline some of those steps.
    Consumers received notices from consumer reporting agencies 
as well as in partnership with our customers to make sure that 
they were aware of the breach that had occurred with regard to 
our information. Consumer's files were in some cases frozen 
temporarily while we could get those notices to them.
    Notification letters also then allowed consumers to take 
advantage of free file disclosures, free access to monitoring 
services that our members provide, as well as opting those 
consumers out of pre-screened offers of credit, and also adding 
fraud alerts to their files.
    Beyond the priority of assisting consumers, we also took 
proactive steps to ensure that the scope of the fraud was 
contained. We analyzed the patterns that we identified through 
the crime, and we then adjusted our pattern recognition tools 
and initiated reviews all of all third-party access codes where 
we had similar third parties having access to those. We began 
rotating access codes more aggressively. Our customers are more 
accepting of the rotation of those access codes today.
    So we actually have a task force continuing to analyze yet 
additional steps we can take to further remove access codes 
from employees who might otherwise take advantage of the access 
that they have.
    We had no real involvement with DPI Merchant Services to 
the extent that we have been able to ask our members that 
question.
    I will move on to TriWest. With TriWest, TriWest is not a 
customer, it was not our information involved in this case. 
TriWest, as they reported themselves, took very quick action. 
On behalf of TriWest, many consumers then contacted consumer 
reporting agencies. We provided them voluntarily with free file 
disclosures. We also took them off a pre-screened offers of 
credit again, added security alerts to their files.
    These are just some of the various initiatives that we have 
for assisting potential victims or real victims of identity 
theft. A summary is included with our full comments here for 
the record.
    TriWest then proactively contacted our members and 
coordinated an additional plan of work that would allow their 
customers to have an easier time of adding additional 
information to their files.
    We learned a number of things through this experience. One, 
criminal behavior by employees, we will never be rid of that 
completely. But, of course, thanks to Mr. Shadegg, we have the 
Identity Theft Assumption and Deterrence Act of 1998.
    Those employees who had access to those systems, in fact, 
violated that very law that you created in the first place. 
They also violated the Counterfeit Access Device and Consumer 
Fraud and Abuse Act of 1984. They violated the Fair Credit 
Reporting Act, amended in 1996, which also prohibited access 
and escalated criminal penalties as well as civil fines for 
perpetrating this type of crime. So we do have a number of 
different laws on the books today.
    That being said, obviously everything that we can do to vet 
employees who have access to sensitive information is a 
critical element going forward. We must begin to learn to 
measure the relative risks of various breaches. One of our 
concerns from our members is that if we were to encourage the 
entire Nation with every security breach to contact consumer 
reporting agencies, this would not be hundreds of thousands, 
but literally millions of contacts per year.
    One of our member companies estimates that it was, in 
servicing TriWest customers, which was the right thing to do, 
it was the right time to do it, we have no question about doing 
it, it cost one of our member companies $1.5 million in order 
to accomplish that goal.
    We obviously need to work with the Congress and work with 
this issue to make sure that we are not on our own handling the 
totality of that kind of cost. It would change and radically 
alter how we do business today.
    All of that being said, coordinating assistance for 
consumers is important, and that is what our initiatives do for 
victims of identity theft. We look forward to working with you 
and this committee in this process, doing everything possible 
for those consumers.
    Thank you.
    Chairwoman Kelly. I thank you, Mr. Pratt.
    [The prepared statement of Stuart Pratt can be found on 
page 130 in the appendix.]
    Chairwoman Kelly. It gives me great pleasure to now call on 
Mr. John Brady, who is a constituent of mine. And I am very 
pleased to have him be here to testify from MasterCard today.
    Mr. Brady.

  STATEMENT OF JOHN J. BRADY, VICE PRESIDENT, MERCHANT FRAUD 
               CONTROL, MASTERCARD INTERNATIONAL

    Mr. Brady. Good afternoon, Chairwoman Kelly, Mr. Bachus, 
Mr. Sanders, Mr. Gutierrez, and members of the subcommittee.
    My name is John Brady. I am the Vice President for merchant 
fraud control for MasterCard International in Purchase, New 
York.
    It is my pleasure to appear before you this afternoon to 
discuss the important topic of fighting fraud and safeguarding 
financial information. MasterCard takes its obligations to 
safeguard financial information and protect consumers extremely 
seriously. This issue is top priority for MasterCard.
    We have a team of experts devoted to working with law 
enforcement and maintaining the integrity and security of our 
payment systems. Our success in protecting consumers and 
preventing fraud is due in part to the constant efforts we 
undertake to keep our network secure.
    The MasterCard Information Security Program is 
comprehensive, and we continually update it to ensure that it 
provides strong protections. Our member financial institutions 
also have information security protections in place, including 
those required under the applicable banking law.
    Also, MasterCard's bylaws and rules require each member and 
any third party acting on behalf of a member to safeguard the 
transaction and account information. Our bylaws and rules also 
require any merchant that accepts a MasterCard branded payment 
device to prevent unauthorized access to the information.
    In addition, MasterCard has a variety of consumer 
protections and antifraud tools. For example, MasterCard has 
voluntarily implemented a zero-liability policy with respect to 
unauthorized use of U.S. issued MasterCard consumer cards. 
Under this rule, a cardholder victimized by unauthorized use 
generally will not be liable for any loss at all.
    In addition, MasterCard has developed programs to protect 
against unauthorized use of the MasterCard payment cards. These 
include enhanced security features on the card, the MasterCard 
address verification system, and our proprietary fraud 
reporting system which helps identify fraud at merchant 
locations and allows us to better focus our global merchant 
auditing programs.
    We also offer a program to our issuers called Risk Finder, 
which assists issuers in proactively identifying fraud. These 
and other MasterCard tools have proven extremely effective in 
protecting cardholders and the security of our systems.
    I would now like to discuss a recent example of how we 
addressed a problem when it occurred. There was a recent 
incident involving a data processor called DPI, Data Processing 
International, who was acting as a service provider to a 
MasterCard member bank in Ohio, which, in turn, was providing 
bank card processing services for merchants.
    Earlier this year DPI detected that someone had obtained 
unauthorized access to its system. Although it is not clear at 
this point how much data the hacker successfully exported from 
DPI's system, we do know the hacker potentially had access to 
approximately 10 million Visa, Discover, American Express and 
MasterCard payment card account numbers.
    Once DPI detected the problem, they took action, and 
quickly notified the Secret Service and FBI as well as affected 
payment card companies. MasterCard immediately took decisive 
action to protect its systems, its members, and most 
importantly MasterCard cardholders from fraudulent activity 
related to this breach.
    MasterCard interviewed the appropriate people at DPI in 
order to determine the nature and scope of the breach. 
MasterCard gathered the payment card account numbers and 
forwarded them to the appropriate issuers via our MasterCard 
alert system.
    MasterCard hired a third-party forensic firm to act on 
MasterCard's behalf during the investigation. MasterCard 
remains in ongoing contact with issuers of the card numbers 
that were involved. I am pleased to say that it does not appear 
that these numbers have been involved with unusual activity as 
a result of the DPI breach.
    As a final point, I would like to note that law enforcement 
agencies have done a commendable job in investigating this 
breach. MasterCard works closely with these organizations and 
greatly appreciates their efforts to resolve this issue.
    MasterCard continually strives to provide its members and 
MasterCard cardholders with strong protections. And we will 
continue to develop new strategies and tools to prevent those 
who seek to do harm from succeeding.
    I would like to thank the subcommittee for inviting me to 
discuss these issues, and I would be pleased to answer any 
questions you may have.
    Chairwoman Kelly. Thank you, Mr. Brady.
    [The prepared statement of John J. Brady can be found on 
page 86 in the appendix.]
    Chairwoman Kelly. Mr. Hendricks.

 STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, ``PRIVACY 
                            TIMES''

    Mr. Hendricks. Thank you, Madam Chairwoman and Mr. 
Chairman.
    A lot of times in the privacy community, we like to talk 
about Supreme Court Justice Louis Brandeis, who wrote 
eloquently about the importance of privacy in a civilized 
society. But, he is also the one who wrote that sunshine is the 
best disinfectant, and one of the themes throughout my brief 
talk today is the importance of sunshine, that to improve 
privacy you need sunshine and transparency. Just by having this 
hearing today, you are bringing sunshine to a very important 
issue, and providing a vital public service. I really commend 
you for that. And again, thanks for the opportunity.
    A few fundamental observations. The problem that we are 
discussing today, of hacker access to sensitive data, data 
leakages and identity theft in general, is going to get worse 
before it gets better.
    There are several reasons. One, is that we have now in our 
society many databases filled with the personal data, and they, 
to me, are the electronic equivalent of swimming pools without 
fences around them. They are attractive nuisances.
    The reason they are attractive is because our personal data 
is worth a tremendous amount of money to many organizations, 
and the criminals have figured this out.
    The other thing is that identity theft losses are still a 
fraction of the overall revenue generated by the credit 
industry. So to this point, the Tower Group has just released a 
report saying that they don't expect any major changes in the 
practices of financial institutions because it can still be 
written off as a cost of doing business.
    I don't know if that is going to be very helpful to the 
people who would be the victims of identity theft, though. In 
addressing these problems, as I mentioned the lack of 
transparency is a major issue that comes from all of those 
cases. Thousands upon thousands of entities, large and small, 
have instant electronic access to very sensitive data on over 
200 million Americans.
    Consumers generally don't enjoy that same kind of instant 
electronic access to their own data. We must move toward a 
society in which they do, and I will explain why and how.
    Also, there is a lack of sunshine when things go wrong, and 
that is the issue of, are people going to be notified when 
their security is compromised. Currently there is not a 
requirement of that.
    I will talk about the culture of security that is really 
needed, and we must develop and advance. Also another problem 
that comes from all of these cases is the over reliance on the 
Social Security number.
    Now, in the Teledata Communications case, which I think is 
one of the more important cases we are discussing this morning, 
you see access as a vital part of the problem and the solution. 
If those 30,000 victims would have had instant electronic 
access or alert providing them that there had been activity on 
their credit report, and one of your constituents from New York 
or Alabama or Arizona saw there was an inquiry on their credit 
report from Texas Energy Supply, which is one of the 
institutions used for fraudulent access, then they would have 
known something was wrong.
    In fact, the credit bureaus have already started offering 
this service, and they have discovered it is a very good 
revenue stream. The problem is, they are charging as high as 
$79 per credit bureau to get a credit monitoring service. If 
you multiply that by all three credit bureaus, that can run 
over $200.
    It is a good business, if you can collect people's data and 
sell it back to them at that price. But we should remember that 
the Fair Credit Reporting Act gives you a right of access to 
your credit report, and caps how much they can charge for it. 
Yet, there is no cap for these sort of monitoring services I 
see moving toward a system where we are plugged into our 
personal data as being an important part of the solution.
    So we should encourage that and see the economies of scale 
and can make it a win-win for everyone. This is also a model 
for the financial world. There are going to be databases of 
sensitive financial information kept by financial institutions 
that could fall outside the Fair Credit Reporting Act. I think 
that access is going to be a very important issue to address 
those problems as well.
    Also, I was concerned in this case with the lack of 
security in the TCI case. Because most of the credit card 
companies, and Mr. Brady can probably speak a lot about this, 
have software that monitors our purchases and activities, so 
they can spot suspicious patterns of activities.
    To my experience, I have not seen evidence that the credit 
bureaus are using this, even though this was a case where there 
was suspicious activity over and over again.
    In the TriWest case, I think one of the most important 
lessons emerging is the fact that the Social Security number 
should not be used as an identifier, and really this is a 
societal problem and a Defense Department problem, that they 
require that the Social Security number as an identifier, and 
just proposed a new rule to make it the health identifier for 
soldiers.
    I really fear that we will have soldiers returning from the 
Gulf War to find that they are victims of identify theft, 
because of over reliance on the Social Security number. We can 
explore more of this later in questions if you like.
    In the DPI merchant services cases, I think what was most 
troubling was the secrecy that surrounded the problem. At first 
they only revealed that there was a hit of credit cards. They 
wouldn't disclose who--that DPI merchant services was the 
credit card processor. Then they disclosed that.
    DPI told the Detroit News that consumers who were concerned 
about this should contact their issuing banks. Yet than they 
declined to name which of the issuing banks were hit. There was 
no systematic way. Then Visa levied substantial fines in the 
matter, but wouldn't say who they levied the fines on or for 
what amount or for what purpose.
    So basically, this sort of secret society was saying, ``we 
will make sure that your personal information is corrected, but 
don't you worry your pretty little head about it.''
    I think the model for addressing this is California, which 
has passed a new statute, which takes effect July 1, which 
basically requires notification of individuals when their 
information is compromised in these sort of breaches.
    What I like about the law is the flexibility it includes, 
and I mentioned this in my testimony. The notice can be in 
writing, electronically, in accordance with the Federal E-
signature law.
    Mr. Hendricks. If the cost of notice were to exceed 
$250,000 or were over 500,000 people, you could do it through a 
combination of different ways and they list some of the ways 
you could do it. Whenever you have a privacy problem, 
reasonableness is the standard for the solution. Any solutions 
have to be reasonable given the context. It is really case-by-
case.
    The final thing is that when we have the issues of identity 
theft, as some of your witnesses have said, the main problem is 
the problem of cleaning up the polluted credit history. It is 
time-consuming, energy-consuming and very emotional and 
distressful. So the idea of having us plug into our credit 
reports and having a more instant means of communicating with 
our own data is an important part of the solution.
    Thanks.
    [The prepared statement of Evan Hendricks can be found on 
page 105 in the appendix.]
    Chairwoman Kelly. Thank you, Mr. Hendricks. I am going to 
ask you, Mr. Hendricks, a couple of things. Having had my 
credit card number stolen, my 95-year-old mother-in-law had her 
credit cards stolen last week, and she has called me and said I 
still have my credit card but the bank just called me and said 
that my credit card number has been stolen and they are going 
to give me a new credit card. She didn't really understand it. 
My point is MasterCard called me when my number was stolen. The 
issuing card company called my mother-in-law, the bank called 
my mother-in-law. Since this is already being done, I wonder if 
you have ever estimated the cost of what it would be for banks, 
people, anybody to have to notify their customers, since there 
are millions of us.
    And after you answer that question I am going to go to Mr. 
McIntyre and talk to him about his cost. So what do you think 
that cost is going to be?
    Mr. Hendricks. I don't know. I have not calculated the 
cost. I would love to raise the money to do a really 
authoritative study on that, because I think it is important. 
But that is why I agree that there are cases where you have--
your solution has to be reasonable to the problem. And if you 
don't see evidence of crime happening then you can find more 
general ways to try and issue notice. What I don't think is 
acceptable is that if you have a system where you know there 
has been a hit of 10 million numbers, if you simply can't even 
find out which banks--if you are trying to find out if my bank 
has been hit, you can't find that out, that is a lack of notice 
I think that is unacceptable.
    Chairwoman Kelly. Given the free market one would hope that 
the banks themselves would do some notification and do that 
pretty quickly. But you sat there and testified that you felt 
that the DOD should no longer use Social Security numbers as 
identifiers. I am wondering--what clicked immediately in my 
mind is how much is that going to cost?
    Mr. Hendricks. DOD, I am told by a fairly authoritative 
source, has a system--because a lot of soldiers do not have 
Social Security numbers or their dependents in the health care 
arena might not have Social Security numbers. So they already 
have a mechanism for generating another random number that can 
serve that identification purpose. We see this in a lot of 
other places. You go out there in the Department of Motor 
Vehicles in the District of Colombia and because of problems 
they had with Social Security numbers being compromised now for 
the last few years they will give you a randomly generated 
number for a driver's license number. If you want your Social 
Security number to be a driver's license number you have to 
request it.
    So I don't think there is a tremendous amount--in this case 
the benefits far outweigh the cost, considering how we are 
seeing these leakages and the rise in identity theft.
    Chairwoman Kelly. Well, as a Congressperson we have to be 
responsible for the way we spend the money. So we need to get 
some kind of cost estimate.
    Mr. McIntyre, I now would like to ask you a question about 
how much it cost your firm to do the notification that you did. 
You certainly acted responsively. I think you were a model in 
the industry to show how rapidly and how proficiently people 
could access the fact that their information had been stolen. 
You did a number of things that had to have a bottom line cost. 
What did it cost?
    Mr. McIntyre. We had a lot of people cooperating and 
helping us in that process and we are grateful to all of them, 
including our colleagues in the Department of Defense. We have 
spent about a million dollars to date. That is this real hard 
cost. That is not the cost of having people work around the 
clock in our company, which we did from the 23rd of December 
all the way through the 3rd of January. And their impacts to 
the individuals who were involved in the Defense Department as 
well. So our real actual financial out-of-pocket cost is now 
about a million. We are not done with this issue. We cannot 
take our eyes off this issue nor in my opinion should we take 
our eyes off this issue until either the perpetrator is caught 
or we and the Defense Department are collectively convinced and 
that is no more risk to the consumer from this information 
being potentially in someone's hands.
    Chairwoman Kelly. Mr. Mitnick, what is the single most 
important step that financial services companies can take to 
protect large consumer databases? Is there any one thing that 
you would point out?
    Mr. Mitnick. I wouldn't say there is one thing. It is 
really a mixture of people, security processes and technology, 
and developing an information security program, because the 
attacker or the bad guys are going to look for the weakest link 
in the security chain. If they can exploit physical security 
weaknesses like with TriWest or potentially technical 
weaknesses like DPI, the bad guys are going to get the 
information. And again, I look at the information that is out 
there like the Social Security number. Anybody with a credit 
card and access to the Internet can access a variety of online 
information broker Web sites and obtain anybody's Social 
Security number. It is out there for sale. So it is really a 
difficult issue when this information is readily available and 
this information could be used to apply for extensions of 
credit.
    Chairwoman Kelly. Thank you.
    Mr. Brady, I want to know what action you can take against 
a member bank that violates your safeguards. Have you ever 
taken action against--well, let me put it this way: Have you 
taken action against the member bank with regard to the DPI 
case?
    Mr. Brady. I would be happy to talk to you about the DPI 
case. I think the DPI case is an illustration of how the system 
works, how the rules work in this case, such as the immediate 
notification to us and our ability to protect the consumers by 
getting the card numbers out there. And I can tell you this: 
the DPI case with my input is being reviewed by senior 
management. What I can further tell you is we have some 
seriously big sticks that we can apply in this case. I think 
you will see something probably in the next couple of weeks in 
the public domain with exactly what our position is in the DPI 
case, what specifics. So I have input into it, but I don't want 
to go into great detail about it today other than to just let 
you know that it is being looked at, it has reached the most 
senior part of MasterCard and that we have definitive rules 
that can be applied in this case and will be applied.
    Chairwoman Kelly. Thank you. My time is up. Mr. Bachus.
    Mr. Bachus. Mr. McIntyre, you mentioned the truncating 
problem with merchants, people picking up the Social Security 
number and using that. And just on reading the paper, at least 
my impression is that a lot of identity theft and people using 
people's credit cards is someone at the merchants getting that 
information off the receipt. And Mr. Mitnick mentioned the fact 
if you truncate the credit card, you mentioned that too. And 
first of all, and I am sure--Mr. Brady, could you comment on 
this--it is my understanding that credit card companies are 
going to start requiring their merchants to do that in the very 
near future anyway. So I think that problem will be----
    Mr. Brady. If I could. That is absolutely true. That has 
been a practice with ATM receipts and receipts when you go to a 
gas station, truncation for years. But both card associations 
are moving to that. That will be happening within the next 2 
years, so you are absolutely correct. That has already been 
addressed.
    Mr. Bachus. Can you give us a target date on when that 
might happen?
    Mr. Brady. I can't give you the exact target date, but I 
believe it is 2005. But I will confirm that and get back to you 
on that.
    Mr. Bachus. See if it could be speeded along. Mr. McIntyre, 
you are talking about truncating and in the situation of a 
merchant, but let's go back to your situation. Did you truncate 
the Social Security numbers?
    Mr. McIntyre. No, sir. Currently we are required to use the 
Social Security number in its full breadth when we communicate 
certain information. That is a topic that is under discussion, 
and I will be making some recommendations to the Department of 
Defense for the health care system in that area. The important 
thing to understand, though, is we didn't e-mail the numbers 
out. They didn't get released on a paper. Someone stole the 
hard drives. And in doing it in the configuration that they 
were in at that time it was a database that allowed them to 
have access to the full Social Security number.
    Mr. Bachus. Aren't there programs where even when they go 
into your data base it can be programmed to where they can't 
pull that out?
    Mr. McIntyre. There is some amazing technology available in 
the marketplace that I have actually put in place in our 
organization over the last several months. The fact of the 
matter is, though, if you go to today's standard it is not good 
enough 6 months from now. And the challenge in this area is 
there is so much growth in technology and it is changing so 
rapidly. Those little Blackberries that we all carry, those 
weren't available a year ago. It is changing so rapidly that we 
have got--this is something that you constantly have to stay on 
top of.
    Mr. Bachus. Let me ask you this. The cost has been 
mentioned. You spent a million dollars but actually the credit 
bureaus--Mr. Pratt, I think he represents those companies--
didn't they spend about a million and a half a piece? Did you 
testify to that on TriWest's case?
    Mr. Pratt. One of our member companies did run the numbers 
and spent about a million five.
    Mr. Bachus. Who pays for that if we were to design 
something and requiring someone to?
    Mr. McIntyre. I pay for my own cost, which I assume is what 
that organization is going to do. One of the reasons why they 
were willing to move to a process by which we could assist them 
in filing the fraud flag is to reduce that expense. So we took 
on that burden, which we willingly do. I don't have any problem 
with the million dollars I spent. I want to state that very 
clearly.
    Mr. Bachus. What I am saying, Mr. McIntyre, information was 
stole from TriWest but it resulted in a million and a half to 
one of the credit bureaus.
    Mr. McIntyre. Actually the way it works, sir, when the 
information is compromised the most effective things the 
experts tell you that you can do if you have lost the type of 
information that was stolen from our organization is to get out 
in front of the issue as a consumer and file----
    Mr. Bachus. I am not arguing with the fact it was done. I 
am just pointing out----
    Mr. McIntyre. The only place you can go is to those credit 
bureaus.
    Mr. Bachus. It was great that they did it. I am just saying 
other people, as a result of that theft at TriWest, there were 
other companies that incurred expenses of--actually greater 
expenses than TriWest or comparable expenses.
    Mr. McIntyre. No question about that. That is why hopefully 
when they catch the person we can figure out how to be more 
creative than just use the maximum 5 years, $250,000 penalty.
    Mr. Bachus. Mr. Hendricks mentioned this. You know, as far 
as notice in all cases, when you say notice in all cases what 
if it interferes with a law enforcement investigation? What if 
the information that you get is not usable? I mean, I guess I 
am saying when you say notice in all cases, would you like to 
qualify that?
    Mr. McIntyre. One has to be very careful about under what 
situations you are deciding to provide notice. Where you end up 
in a case where the experts would tell you there is sufficient 
information to misuse it and obtain credit, that certainly is 
an area where you need to do notice. That is what happened in 
our case and what has happened in a series of cases.
    Mr. Bachus. I understand that. So actually notice in all 
cases really is notice in all cases where it would be 
reasonable to assume?
    Mr. McIntyre. Absolutely.
    Mr. Bachus. Not actually in a case where the information 
wasn't usable or there wouldn't be any reason to notify?
    Mr. McIntyre. And I think that California's standard is one 
that is worthy of looking at. They do talk about reasonable 
notice, reasonable timeliness under reasonable circumstances.
    Mr. Bachus. That is what--and rush to notify in all cases. 
I think, you know, there are times when it is not reasonable.
    Mr. McIntyre. Agreed.
    Mr. Hendricks. May I comment on that? First, you have a 
reasonableness standard. I think my point is that the default 
should be that there should be notice. The general rule should 
be the notice and you have to justify when and why there will 
not be a notice. What is also important here as we talk about 
costs is look at the costs we have identified already just from 
the lax security procedures, what the credit bureaus had to 
spend to give people this rush of access to their credit 
reports, to the notice that TriWest had to do to notify a 
million people. Please don't forget the cost to the individuals 
that then have to spend time and emotional energy working on 
that. These are very costly matters if we don't get them right.
    Mr. Bachus. If you all would like to respond. Do you have 
any comment on that?
    Mr. Pratt. Well, in terms of the broader discussion, we 
agree that, first of all, not every security breach ends up in 
large scale, for example, identity theft. Doesn't mean that 
some don't. An example is in California 200,000 state 
employees' records were ostensibly or allegedly stolen. Our 
member companies cooperated with that breach as well. So there 
are 200,000, there is 562,000 and the risk potentially of 10 
million over here. So you can see where the concern rests.
    We have tracked the 200,000 out of California and have not 
had a single incidence of identity theft related to that. Now 
does that mean we should do nothing? Of course not. But there 
is a lot of qualification that has to be gone through and 
deliberative process that we have to work our way through to 
make sure we are doing the right decision at the right time. In 
all of this obviously our members believe that if we have had 
our information breached it is a responsibility we have to take 
seriously, not just under fair credit but it is the right steps 
at the right time for the consumer, and, no differently than 
any other industry represented here at the table, we are going 
to take the right steps for the consumer.
    Mr. Bachus. I think you are in the better position in most 
cases than people who don't have all the facts.
    Mr. Brady, would you like to respond?
    Mr. Brady. I guess I would like to respond specifically to 
DPI and how it relates to this, because I think what you have 
to understand in the DPI case is that there has not been fraud 
on those accounts. And we notified the issuing banks promptly 
of the issue and the issuing banks in turn may notify their 
cardholders; in some cases they notified their cardholders. But 
the message I want to send here is one of let's not create 
panic here. You will read the headlines that something bad 
happened but the by-line on page 6 is that something good 
happened. And yes, something bad happened at DPI. But the 
message is that a lot of good things happen. There are a lot of 
people behind the scenes protecting the integrity of the 
process.
    Mr. Bachus. I think by talking about them to a certain 
extent allows people to--you know, Mr. McIntyre was telling me 
that happened to him, actually happened. There was a bank that 
had something very similar. Had he had notice of that, he 
probably could have avoided this entire incident. So I believe 
by highlighting this and taking steps that we are already 
preventing a lot of that and some of the proposals on the 
table.
    Mr. Mitnick. I have to ask a question of why would these 
companies not encrypt the credit card and financial information 
that is in their databases. Because if the bad guys are able to 
break into these systems the information is unintelligible. So 
maybe that is a standard that should be considered in the 
industry.
    Mr. Bachus. Certainly if that happens notifying people 
would actually--I think that would be a downside. That would be 
something you wouldn't want to do.
    Chairwoman Kelly. Mr. Mitnick, what would that cost?
    Mr. Mitnick. What would the notification cost or the 
encryption? Well, there are different cost factors. If you 
encrypt stored information it is relatively inexpensive. If you 
are encrypting data in real time it is expensive. The actual 
dollars and cents I don't have at my fingertips at the moment.
    Mr. Pratt. I can attest to that. We operate as an 
association information exchange at financial institutions. 
When we have to hire three different terms to management in 
description process and testing on a monthly basis for 
penetration, it is staff, it is outside resources, it is 
internalized resources, it is software programs. I think Mr. 
McIntyre said it just right in every 6 months you have to 
change everything because you have to ramp up to a whole new 
standard because the criminals are moving almost with you and 
keeping pace in a lot of cases.
    Mr. Mitnick. Not necessarily with the encryption as long as 
you are using an algorithm that has been widely accepted and 
you are changing keys on a frequent basis. So that is my 
comment for now. I had something, but it slipped my mind, that 
I was going to say.
    Chairwoman Kelly. Mr. Shadegg.
    Mr. Shadegg. Thank you. Let me begin, Mr. McIntyre, with 
you. Your testimony doesn't go into great detail about the 
break-in. I think it might be helpful if we heard a little bit 
more about how it was accomplished, how you discovered it.
    Mr. McIntyre. Yes, sir. I will be as detailed as I can be 
given the fact that it is still under Federal investigation 
with the FBI, the Defense Criminal Investigative Service, and a 
number of other entities, and hopefully they will crack it 
soon. But we suffered a theft following another theft, and what 
happened on this particular Saturday at a building where we 
have no signage on the doors on the building that we are there 
is that someone broke into the property management office for 
that site and stole the master electronic key in order to enter 
our suite. Totally undetected. Many of the offices around here 
have those proxy cards. It allows you to know who is going in 
and who is going out, what time they go in, what time they go 
out, and their identity. And so it was a fairly sophisticated 
job. Was it an insider job? We don't know. The authorities 
don't know. They visited with 150 different people. They 
polygraphed a lot of folks. They have caught other people who 
have been engaged in other similar crimes, but not ours in the 
process of this investigation. And we have a very serious 
problem in Arizona as it relates to this issue, as you well 
know.
    Mr. Shadegg. It has already been brought out in your 
initial testimony and questioning that you were required to 
maintain Social Security number information for these 
customers.
    Mr. McIntyre. Correct.
    Mr. Shadegg. It seems to me and, as you know, I have put a 
lot of time into the health care industry, are we 
disadvantaged, are we doing ourselves a disservice to require a 
single number like that and to have--and to, for example, 
require you to use it? I take it you use the Social Security 
number because of a DOD reg and DOD is using Social Security 
numbers by choice, presumably not by statute?
    Mr. McIntyre. Forty years ago they used to use an ID number 
and they switched to Social Security numbers. I am not an 
expert in why they switched and what the complications were 
that led to that. Probably somewhat trying to remember what all 
your different numbers are because I can't remember my pin 
number if I have been up all night. So there are different 
issues that would lead one to do that. My Blue Cross/Blue 
Shield card that I carry in my wallet has my Social Security 
number on it. So this is something that we all--I think you all 
need to take a look at. Where is that really necessary and what 
are the complications if you are going to move away from that? 
We are required to use them in our current contract.
    Mr. Shadegg. To that point I would like to ask any member 
of the panel that wants to make a comment. Do you think numbers 
should be further restricted, the use of Social Security 
numbers, and should the DOD be using a different number than 
their Social Security? When I was on active duty in the 
military they used four digits of my Social Security number and 
it seems to me it is too broadly used. Anybody have a comment?
    Mr. Hendricks. I would like to comment on that because I 
think, yes, pending a study of the costs, the actual real 
costs, they won't be hard to calculate, I think we should 
basically place a moratorium on further use of Social Security 
numbers. It is already required by banks and employers and we 
have passed laws and we have this. But it is such an instrument 
of choice by identity thieves and it increases the value of 
information and the incentive for stealing it. So I think that 
we should look toward having--especially in the health care 
field it is very problematic that the Social Security number is 
used.
    The last thing you should remember is you didn't have time 
to fit the most recent case onto your agenda. That is the 
University of Texas, who got hit by an outside hacker. He was 
hitting their system with random Social Security numbers and 
once he found one it would suck it out of the system and was 
able to get thousands and thousands of Social Security numbers 
through this program. The University of Texas official said 
this was a mistake. We should not have used the Social Security 
number. We are changing. So I think we should do this more 
systematically instead of lost and found, by trial and error.
    Mr. Shadegg. You said pending a study of cost. It looks to 
me there are costs everywhere here. We will have cost to notify 
everybody. Mr. McIntyre recommended that there should be an 
obligation to notify everybody. I think that ought to be 
universally true. But that is expensive. Mr. Mitnick commented 
about encryption and then we discovered you can encrypt stored 
data but not current data. It is the current data that is at 
least viable. So it seems to me we are going to face costs to 
secure these systems no matter what. Go ahead.
    Mr. Pratt. I thought I would set this into context a little 
bit. We do have a difficult time in our society today with 40 
million consumers moving every year, 3 million last names 
change due to marriage and divorce, about 6 million or 7 
million second homes in this country with a lot of folks who 
move in between those two homes. There is a lot of flux in the 
ways we think about identifying ourselves. When you and I think 
about ourselves and we look at our own mail coming in the door, 
we go I know who I am and I know what my information is. For a 
database like a consumer credit reporting database which must 
have reasonable procedures to assure maximum possible accuracy 
of the information in the file, that is what the Fair Credit 
Reporting Act tells us, it would be very hard for to us build 
an accurate database if we did not have the Social Security 
number at least for those internal accuracy purposes.
    I think one of the issues that we haven't framed the 
question quite this way is access by the general public to 
Social Security numbers different than the use of the Social 
Security number in certain matching processes internalized, 
which allows us to build more accurate databases.
    Mr. Shadegg. Mr. Mitnick.
    Mr. Mitnick. It is fine to use a Social Security number, 
but not to authenticate the person's identity. I think that is 
where the mistake is being made. I know it is a very expensive 
proposition, but the problem is people's Social Security 
numbers are readily available. There is--for example, the U.S. 
courts have PACER, public access court electronic records, and 
anybody that has had a bankruptcy, anyone could subscribe to 
the service and look at the party's Social Security numbers. 
They are there for anybody's viewing. Social Security numbers 
are easily obtainable and to use them as a means of 
identification I think is a mistake.
    Mr. Shadegg. Speaking of the government's complicity in 
this, Mr. McIntyre, isn't one of the cases that you have in 
this summary the result of the United States Senate publishing 
Social Security numbers?
    Mr. McIntyre. Yes, sir. I learned from a number of our 
Nation's distinguished general officers that they received 
training when they become a general officer on identity theft, 
and they receive that because there was a practice up until the 
late 1990s when on their confirmation in the Congressional 
Record their Social Security number and name was printed. 
Someone went out, published that on the Internet, it was taken, 
they ordered credit and abused the credit of those general 
officers. The striking thing to me was that criminal got only 2 
years and 9 months for that crime. And it takes longer for 
those people to clean up their credit records than it did for 
the penalty that the criminal got.
    Mr. Mitnick. One other case, I believe it was a New York 
busboy had obtained the personal identifying information of 
celebrities that were like the top 100 and started obtaining 
their identity credentials and applying for credit. That was a 
huge case out of New York that you might not be aware of.
    Mr. Pratt. If I could add one point, I have heard Mr. 
McIntyre say several times it takes longer for people to clear 
up their credit history than it does for the perpetrator to 
remain in jail. I appreciate his enthusiasm for quoting some of 
the consumer groups in terms of that statistic. We are 
processing consumers every day successfully through consumer 
dispute processes. We recently looked at 5,000 credit reports 
where security alerts have been added to see if additional 
activity occurred in those files. In one-half of 1 percent of 
the cases was there ever even a subsequent dispute relative to 
that set of 5,000 cases where we had added security alerts to 
the files.
    I have to resist the characterization of our entire 
industry of being slipshod and unable to keep information out 
of the file and unable to be responsive. What is happening, and 
this is why in our initiatives that you will see in our 
testimony, it is a longitudinal crime. It isn't like burglary. 
It is over a period of time. So in some cases we are able to 
correct the initial information in the file but there is still 
crime occurring or there is still more bad information on its 
way to the credit bureau file.
    So understandably from the consumer's perspective, that is 
all the same thing to me. But from our perspective we are 
wrestling with trying to keep the right information in the file 
for safety and soundness purposes, which is of course important 
to this committee, and at the same time to keep the fraudulent 
information out of the file, which is something that we believe 
is a top priority job, one for us just as it would be for 
anybody else.
    Mr. Shadegg. In defense of Mr. McIntyre and those consumer 
groups, I can tell you that my constituents who brought the 
first legislation to me they spent far longer than 2 years and 
9 months trying to clean their record up, indeed probably four 
or five times that length of time.
    I guess the problem I have is the reality that both 
summaries are wrong and really the real problem is how long it 
takes to apprehend them, because in most cases they are not 
apprehended at all.
    Before the earlier act passed the response of law 
enforcement--and I know this is not your responsibility--the 
response of law enforcement was to say this isn't a crime. They 
may have stolen your identity but until they use the credit and 
you can show me the credit then I have a credit card fraud 
case. And, by the way, I am only interested in that credit 
fraud case if you live here and the credit card was used here. 
If the credit card was used in Pennsylvania and you live in 
Phoenix, Arizona, I don't care. So we have a serious problem we 
have to address here.
    I want to conclude by asking Mr. McIntyre if you would 
describe how the fraud alert security mechanism works and what 
changes or improvements would you suggest making to it?
    Mr. McIntyre. I am very grateful to the credit bureau 
industry for what they have done. I am sorry that my remarks 
were misinterpreted, because I actually think that the Federal 
laws need to be enhanced and the penalties. I think the bureaus 
have done a good job of helping protect consumers wherein they 
have been notified and they are aware they can get that 
protection.
    What I was advised to do was to contact the consumers, let 
them know this had happened. Because the most effective thing 
you can do when this occurs and you have information in the 
public domain that could potentially be used to create credit 
and misuse it is to put a fraud flag on your file. What that 
does is it notifies those that may be interested in granting 
you credit or may be contacted to grant you credit that they 
need to verify you are who you say you are so your identity 
isn't misused and you end up with a subsequent problem. That is 
why we took that action. We were advised by the bureaus and the 
FTC that was the best thing to do in this case.
    What I have discovered, together with the bureaus, is that 
we do need a process by which corporations that are willing to 
do this on behalf of their customers can do it. It helps the 
bureaus reduce cost and it helps the customer reduce the 
hassle, because it was on average taking 3 hours for people to 
go through this process just because of the sheer weight of the 
volume that had been put onto the back of the credit bureaus.
    The second thing I discovered is that in order to keep 
people protected I now have to notify people every 90 days that 
they have to go out and update their fraud flag because each of 
the credit bureaus is on a different cycle. One of the credit 
bureaus requires an update every 90 days. One of the credits 
bureaus requires an update every 6 months. One of the credit 
bureaus requires an update everybody 12 months. I think it 
would be helpful for them and for us and for the customers to 
have that in alignment.
    The issue I face now is when I update people in the next 4 
weeks that unless the crime has been solved, and I will update 
them about that, but their information is potentially still at 
risk. Guess what, some of my customers are now deployed. Their 
fraud flags could drop if I don't make sure and the credit 
bureaus together with me don't make sure that stuff stays. So 
we are talking to the credit bureaus now and we are going to 
talk to the Defense Department and the lawyers to figure out 
how do we get around that problem.
    Mr. Pratt. In fact, every one of those consumers when they 
contacted the credit bureau can add a 7-year alert to their 
file. So that once you contact the bureau what we are talking 
about is two different things. The temporary alert is added by 
the credit bureau without a question. In other words, the 
consumer said I want you to believe me at least to a certain 
extent, I don't have to go through a bureaucracy just to get a 
fraud flag on the file. The key here is once the consumer 
receives his or her file disclosure and goes over the report at 
that time a 7-year alert can be added to the file and our 
member companies are consistent across the board in adding 7-
year alerts. So I think there is a difference in practice, or 
at least we need to clarify the practice here.
    Mr. McIntyre. I would suggest in cases where the crime may 
actually be solved because there is lots of focus of law 
enforcement on it that the hassle of having a long-term alert 
may not necessarily be the right action. But I am not an expert 
in this area.
    Mr. Pratt. Of course after a consumer discovers that he or 
she is safe we will voluntarily remove that alert any time 
during the 7-ear period.
    Mr. Shadegg. I know I have more questions, but my time has 
long since expired. I will yield back. If there is a second 
round, I will take advantage of it.
    Chairwoman Kelly. Mr. Renzi.
    Mr. Renzi. Thank you, Madam Chair. Appreciate your 
testimony and traveling all the way out here, especially from 
Arizona, and sharing with us the sophistication behind the 
theft operation and particularly that struck TriWest. Many of 
you know, particularly my friend from Arizona, I am the father 
of 12 children, 7 boys and 5 girls. I am particularly concerned 
about the niche as it relates to how we take care of the 
children's identity that has been stolen. If the identity of 
the parents had been stolen, name, address, phone numbers, 
everything, then obviously also the child's address. We go back 
to the days of those spy movies where they would take identity 
theft out of the obituaries. We now move forward into 
electronic theft, full and complete information provided not 
just on adults but on children. You can imagine a child of 5 or 
6, 7 years old having their identity stolen from them and then 
yet no flags go up until they are about 18 years old, 16 years 
old and all of a sudden for the last 10 years their identity 
has been stolen, their identity has been used.
    So I would ask what kind of remedies, and I know there is 
some talk in this area, what kind of remedies are you looking 
at, what kind of means are we putting together to help protect 
our children?
    Mr. McIntyre. I can't respond to that part of the question, 
but what I can tell you is we did many responses to that issue. 
We looked at that. We were concerned about that issue. I have 
three young kids, so it is the question of what impact is this 
going to have on them. The fact of the matter is that in our 
case all of the information, the breadth of it, on the people 
over 18 was not also on the database for the people under 18. 
In some cases it was just their name. In other cases there 
wasn't any information because they were--the primary sponsor 
was the one who was actually on the database.
    What we did was we talked to the FTC, we talked to the 
credit bureaus, we talked to others who were experts in the 
industry what do you do, how do you deal with this issue? What 
we did was set up a database. The database can be reviewed by 
the primary sponsor to determine what information was on the 
stolen hard drives to determine what secondary impact it may 
have on them or their families and then to advise them of the 
risks if you add a fraud flag for kids under 18 who have no 
credit record, and then how you would go about doing that so 
that they could make an informed decision on their own, and 
then we have offered to assist them in that way.
    Mr. Hendricks. I would like to respond to that because I am 
working with some folks on a case right now where a young man 
from Alabama was mixed up with an older person from Arizona 
actually. Just an old-fashioned mixed file case based on a 
similarity in Social Security numbers. They weren't the same 
but because the algorithms, if they are just one or two digits 
different they will merge the files. What is troubling in the 
case is the young man from Alabama is basically being assigned 
unpaid debts from when he was like 12, 13 and 14 years old. So 
you would think the system would identify that at his age he 
wouldn't have been able to incur those debts. But they don't 
seem to have a system in place. He has had a terrible time 
getting his files unmixed. His mother has gotten involved. So 
when he became of age and his rite of passage, when he got to 
apply for credit he was rejected. So there are some very old-
fashioned problems in this system.
    Mr. Mitnick. In certain States like California, Texas and 
Kentucky birth records are public record. You can go onto the 
Internet and look up anyone's birth record which gives 
criminals the ability to apply for that person's birth record 
because all they need to do is send a letter to the Department 
of Vital Statistics, give them the information on the birth 
certificate, they get a certified copy of the birth certificate 
back, and they become that child. They can get extensions of 
credit set up and the account at the credit bureau. So that is 
a problem that certain States have, birth records in the public 
domain.
    Mr. Renzi. Thank you. One of the things I know that is 
being kicked around as a remedy is the idea--Mr. McIntyre, I 
appreciate you mentioning it--is that those children who have 
had their identities stolen from them would have an alert or 
flag put on their credit. So that if anyone was checking their 
credit, if anyone was using their credit, even when that credit 
was being checked it would warn the person checking the credit 
that, hey, this is a stolen identity. Let's say a child goes 
through 10 years of that and then all of a sudden it is time 
for them to use their credit. What I worry about on the alert 
system is how do you then take it off? What detail is provided 
to show that child was innocent. So as we look at remedies we 
also not only impose the remedy to protect the child but then 
the release in order to have the child given back.
    Mr. McIntyre.
    Mr. McIntyre. That is exactly why I felt uncomfortable 
making the decision to advise people on what they ought to do 
and that it made more sense to lay out the facts so that every 
parent who might otherwise have someone on that list could look 
at the information that was there and make an informed decision 
on their own, and each parent needs to do that.
    Mr. Hendricks. I agree this fraud alert is kind of a 
sledgehammer. It is sort of all or nothing. And I think what is 
common if have you a problem, you say we don't want my 
information used for pre-screened offers, too. So you wipe 
yourself from all those. Obviously we need a finer tuned system 
so you can really sort of go in with the scalpel and fix 
problems. But that is what we have now. To me that is why it is 
very important to have instant access to your credit report so 
you can see what is on it and what activity has there been on 
it. That is the best way you can keep it accurate.
    Mr. Mitnick. How about developing a partnership with the 
Social Security Administration so these companies could 
determine the age of the person requesting the extension of 
credit, verify that the name really did match the Social 
Security number, because it would be kind of strange for a 16-
year-old to be applying for a MasterCard.
    Mr. Renzi. Well said. Creative idea. I serve on the 
Veterans' Affairs Committee. At this point in our Nation's 
history we have got women with children, men with children in 
America who are being kicked out of their homes because the 
checks, their military pay doesn't get home in time. And we are 
looking at legislation that is going to protect our veterans 
and servicemen and women so that you can't move them out of 
their dwellings, you can't take away their cars if they are 
late on a payment. I am thinking how this might tie in this 
piece of legislation that we are working on in that if a 
serviceman or woman was to have their identity stolen, and 
since we are barely paying them enough anyway, the cost for 
them to get their identification back is going to be enormous. 
And that cost or that loss of revenues could then impact their 
ability to house their family, to provide decent 
transportation.
    Is there an ability or would you be in agreement, 
particularly Mr. McIntyre given the fact that you helped the 
TRICARE portion and how it affects our servicemen and women, 
would there be an ability to protect our servicemen and women 
as it relates to identity theft?
    Mr. McIntyre. I would be more than willing to look at that 
with you. You have described exactly why I have no qualms nor 
does my board to spent the kind of money and effort that we 
have had to spend. The thing that concerned me greatly about 
the case that involves us and the theft that was perpetrated 
against us and the information involved is because we are 
talking about people who serve all of us who do not make a lot 
of money and a blight on their credit report can be the 
difference between having a car, renting an apartment or buying 
a house. And so we felt an absolute obligation to do what we 
did. But I would be glad to work with you, sir, in that area.
    Chairwoman Kelly. Thank you very much. We have just been 
called for another vote. In the interest of time I am going to 
call on Mr. Moore and I am going to call on Mr. Fossella. I 
would like everybody to keep their questions and answers within 
the 5-minute period, please.
    Mr. Moore. Thank you, Madam Chairman. I wanted to just ask 
you a couple of questions, Mr. McIntyre. We have talked before 
and I appreciate the actions that your company has taken since 
the theft, the burglary and the theft to try to--and your 
personal call to the people but I wanted to ask, obviously I 
think it is in everybody's best interest that not only do we 
punish somebody who has committed a crime like this but we try 
to prevent it in the future and that is the best way to protect 
people, I think. I was concerned in reading some of the 
materials, I think in your State, that I think it was 2 days 
after the incident until you even learned that there had been a 
theft.
    What kind of security precautions did you have or security 
systems did you have in place on the day of the incident? And 
apparently they failed.
    Mr. McIntyre. I have been asked by authorities not to 
address all the details of the security systems and the like 
because they are still attempting to catch who did it, and FBI 
agents have interviewed over 150 folks and polygraphed a number 
in this area. What I can tell you is that we were the subject 
of a secondary theft. Whoever was responsible for this broke 
into the property management office, the place where we had 
this secondary office. They then stole the electronic master 
key which allows you to get into a locked door undetected, 
although it would read as though you were the property manager, 
and enter our suite. And that is how the theft occurred. Thus 
we weren't aware--it happened on a Saturday. We didn't learn 
about it until first thing Monday morning when our folks when 
in to turn on the computer and found out that the computer 
system did not work.
    Mr. Moore. Obviously there are video monitor systems and 
security systems and other precautions that can be taken to 
notify somebody if there has been an entry even if it appears 
to be an authorized entry, because at some point they had to 
steel the electronic key, isn't that correct?
    Mr. McIntyre. Correct.
    Mr. Moore. From your materials in your statement it appears 
that you have and I hope that you are taking substantial 
strides in trying to correct the system so something like that 
doesn't happen again. If there is an unauthorized entry, you or 
somebody would be notified immediately.
    Mr. McIntyre. I will tell you that we have brought in 
security experts, we have partnered with the Department of 
Defense. They are now looking at their entire system worldwide. 
They found deficiencies in their areas. But you know what is 
interesting to me about this is that in Arizona 6 months prior 
to the theft in our building, five financial institutions were 
hit with a very similar crime. A bank in Tucson was hit 6 
months prior after hours. Penetrated all the security systems, 
got through, stole the hard drives, left the bank with that 
information. And so this is something that unfortunately, given 
the rise of the prevalence of information and the like, that we 
have a real serious problem with in this country. That is why I 
think when it does happen, even if they are able to get beyond 
the safeguards, that is when we have to look at where are the 
responsibilities for notification.
    Mr. Moore. Absolutely. How long after the incident was it 
that you notified the Department of Defense?
    Mr. McIntyre. I notified the Department of Defense 
immediately when I discovered there was a problem. They then 
ran the database and we contacted the senior management in the 
Department of Defense, not the operations people who we had 
contacted the first day that we discovered it. We contacted 
them once we had the database fully run and knew what the 
extent of the problem was.
    Mr. Moore. Thank you. I will conclude by saying when these 
large databases exist and if in fact hard drives are stolen, 
not just data or information from a computer system but hard 
drives and there has to be a physical entry and I hope that you 
have told me and I trust what you have said that your company 
is looking at this very seriously and making sure this doesn't 
happen in the future. I think financial institutions, anybody 
else who has databases like this needs to take similar 
precautions.
    Chairwoman Kelly. Mr. Fossella.
    Mr. Fossella. Thank you. I will just throw out two 
questions and the second is sort of two parts and allow you to 
answer in light of the time here.
    First, Mr. Brady, in light of your efforts at MasterCard I 
am sure you are doing what you think is providing the highest 
level of security on the network. In your mind--if it has been 
asked before I apologize--in your opinion what would be the 
best thing that could be done to provide incentives perhaps for 
other companies to do as you are doing and in providing the 
highest level of security? And secondly, I will throw this out 
to all of you. If you can answer me, great.
    Earlier the Secret Service testified and argued, it seems, 
for a better working relationship or continued working 
relationship among different agencies and academic institutions 
to prevent what has been alluded to a number of times here. In 
your experiences how have those relationships been working and 
what, if any, ways can those be improved? And the second part 
of that question is the cost of prosecution and whether local 
or State or Federal prosecutors are doing what they can given 
the resources they have.
    I will give you an example. It has been argued that perhaps 
a local district attorney, given the nature of this type of 
crime, will say, hey, I have a limited budget here; in my view, 
the cost of following through on prosecution to indict with a 
conviction is going to cost me X amount of dollars, which could 
be, you know, such a disproportionate share of my budget that I 
don't have those resources to follow through. So are there any 
ways to, A, if in your experience that is true, and, B, if so, 
are there any ways in which those situations could be addressed 
in order to prosecute those crimes as efficiently and as 
swiftly as possible?
    Mr. Brady. Yes. I would like briefly to talk on your point 
of security. MasterCard, without getting into too much data on 
our security network, has a very robust network. We do outside 
penetration testing on networks to ensure they are secure and 
they are. One of the things that I really want today to bring 
out here, and I alluded to it before, was there is no need for 
hysteria because MasterCard is vigilant behind the scenes. When 
there is a compromise and the DPI hack is one of those 
examples, We notify the issuers, we follow the protocol, we not 
only follow the protocol of MasterCard and working with law 
enforcement, but the entity that was breached follows the 
MasterCard protocol in place, the timely notification to us and 
also the timely notification to law enforcement. We have 
sufficient penalties in place so that if that didn't happen 
that they could be fined on a per day basis, a draconian amount 
of money.
    So I think the law enforcement gentleman brought up that 
these companies are coming forward, and part of that is because 
there are effective rules in place to bring them forward when 
something does happen. And the good news again with the DPI 
hack is we are not seeing general fraud. But everybody is being 
vigilant, looking at the account numbers, and monitoring the 
account numbers on a daily basis.
    And MasterCard has a wide array of fraud controls in place, 
I know we are short on time, but we have controls in place for 
auditing merchants, controlling fraud, and we have penalties 
and policies in place for the bad actors that are in the 
system.
    So your second point was on law enforcement and our 
relationships, and from where I sit we greatly value those 
relationships. The gentleman from the Secret Service that were 
here from this morning, the electronic crimes task forces that 
have been put together over the past several years, the effort 
is tremendous and it really fits a need out there. And I would 
just like to say that one thing that was brought up this 
morning about these hacks and what we find out from the hacks 
is that there is little fraud on the hacks. When you see 
account numbers that are being hacked we track it. There is 
little fraud on it. And you know what it is? A lot of them that 
are out there that are joy riding, that are stealing numbers, 
that are causing harm. And the question is what do we and the 
prosecutors that are out there, do with them not only in the 
Federal level but the State levels. I will wrap up. Sorry. And 
I think tougher penalties are important here because even 
though there is not fraud there is a lot of costs when these 
things happen.
    Chairwoman Kelly. Thank you very much. The Chair notes that 
some members may have additional questions for the panel. They 
may wish to submit those in writing. Without objection, the 
hearing record will remain open for 30 days for members to 
submit written questions to the witnesses.
    The second panel is excused with the committee's great 
appreciation for your time. Thank you. I want to thank all the 
members and staff for their assistance in making the hearing 
possible.
    This hearing is adjourned.
    [Whereupon, at 1:25 p.m., the joint subcommittee was 
adjourned.]


                            A P P E N D I X



                             April 3, 2003


[GRAPHIC] [TIFF OMITTED] T9407.001

[GRAPHIC] [TIFF OMITTED] T9407.002

[GRAPHIC] [TIFF OMITTED] T9407.003

[GRAPHIC] [TIFF OMITTED] T9407.004

[GRAPHIC] [TIFF OMITTED] T9407.005

[GRAPHIC] [TIFF OMITTED] T9407.006

[GRAPHIC] [TIFF OMITTED] T9407.007

[GRAPHIC] [TIFF OMITTED] T9407.008

[GRAPHIC] [TIFF OMITTED] T9407.009

[GRAPHIC] [TIFF OMITTED] T9407.010

[GRAPHIC] [TIFF OMITTED] T9407.011

[GRAPHIC] [TIFF OMITTED] T9407.012

[GRAPHIC] [TIFF OMITTED] T9407.013

[GRAPHIC] [TIFF OMITTED] T9407.014

[GRAPHIC] [TIFF OMITTED] T9407.015

[GRAPHIC] [TIFF OMITTED] T9407.016

[GRAPHIC] [TIFF OMITTED] T9407.017

[GRAPHIC] [TIFF OMITTED] T9407.018

[GRAPHIC] [TIFF OMITTED] T9407.019

[GRAPHIC] [TIFF OMITTED] T9407.020

[GRAPHIC] [TIFF OMITTED] T9407.021

[GRAPHIC] [TIFF OMITTED] T9407.022

[GRAPHIC] [TIFF OMITTED] T9407.023

[GRAPHIC] [TIFF OMITTED] T9407.024

[GRAPHIC] [TIFF OMITTED] T9407.025

[GRAPHIC] [TIFF OMITTED] T9407.026

[GRAPHIC] [TIFF OMITTED] T9407.027

[GRAPHIC] [TIFF OMITTED] T9407.028

[GRAPHIC] [TIFF OMITTED] T9407.029

[GRAPHIC] [TIFF OMITTED] T9407.030

[GRAPHIC] [TIFF OMITTED] T9407.031

[GRAPHIC] [TIFF OMITTED] T9407.032

[GRAPHIC] [TIFF OMITTED] T9407.033

[GRAPHIC] [TIFF OMITTED] T9407.034

[GRAPHIC] [TIFF OMITTED] T9407.035

[GRAPHIC] [TIFF OMITTED] T9407.036

[GRAPHIC] [TIFF OMITTED] T9407.037

[GRAPHIC] [TIFF OMITTED] T9407.038

[GRAPHIC] [TIFF OMITTED] T9407.039

[GRAPHIC] [TIFF OMITTED] T9407.040

[GRAPHIC] [TIFF OMITTED] T9407.041

[GRAPHIC] [TIFF OMITTED] T9407.042

[GRAPHIC] [TIFF OMITTED] T9407.043

[GRAPHIC] [TIFF OMITTED] T9407.044

[GRAPHIC] [TIFF OMITTED] T9407.045

[GRAPHIC] [TIFF OMITTED] T9407.046

[GRAPHIC] [TIFF OMITTED] T9407.047

[GRAPHIC] [TIFF OMITTED] T9407.048

[GRAPHIC] [TIFF OMITTED] T9407.049

[GRAPHIC] [TIFF OMITTED] T9407.050

[GRAPHIC] [TIFF OMITTED] T9407.051

[GRAPHIC] [TIFF OMITTED] T9407.052

[GRAPHIC] [TIFF OMITTED] T9407.053

[GRAPHIC] [TIFF OMITTED] T9407.054

[GRAPHIC] [TIFF OMITTED] T9407.055

[GRAPHIC] [TIFF OMITTED] T9407.056

[GRAPHIC] [TIFF OMITTED] T9407.057

[GRAPHIC] [TIFF OMITTED] T9407.058

[GRAPHIC] [TIFF OMITTED] T9407.059

[GRAPHIC] [TIFF OMITTED] T9407.060

[GRAPHIC] [TIFF OMITTED] T9407.061

[GRAPHIC] [TIFF OMITTED] T9407.062

[GRAPHIC] [TIFF OMITTED] T9407.063

[GRAPHIC] [TIFF OMITTED] T9407.064

[GRAPHIC] [TIFF OMITTED] T9407.065

[GRAPHIC] [TIFF OMITTED] T9407.066

[GRAPHIC] [TIFF OMITTED] T9407.067

[GRAPHIC] [TIFF OMITTED] T9407.068

[GRAPHIC] [TIFF OMITTED] T9407.069

[GRAPHIC] [TIFF OMITTED] T9407.070

[GRAPHIC] [TIFF OMITTED] T9407.071

[GRAPHIC] [TIFF OMITTED] T9407.072

[GRAPHIC] [TIFF OMITTED] T9407.073

[GRAPHIC] [TIFF OMITTED] T9407.074

[GRAPHIC] [TIFF OMITTED] T9407.075

[GRAPHIC] [TIFF OMITTED] T9407.076

[GRAPHIC] [TIFF OMITTED] T9407.077

[GRAPHIC] [TIFF OMITTED] T9407.078

[GRAPHIC] [TIFF OMITTED] T9407.079

[GRAPHIC] [TIFF OMITTED] T9407.080

[GRAPHIC] [TIFF OMITTED] T9407.081

[GRAPHIC] [TIFF OMITTED] T9407.082

[GRAPHIC] [TIFF OMITTED] T9407.083

[GRAPHIC] [TIFF OMITTED] T9407.084

[GRAPHIC] [TIFF OMITTED] T9407.085

[GRAPHIC] [TIFF OMITTED] T9407.086

[GRAPHIC] [TIFF OMITTED] T9407.087

[GRAPHIC] [TIFF OMITTED] T9407.088

[GRAPHIC] [TIFF OMITTED] T9407.089

[GRAPHIC] [TIFF OMITTED] T9407.090

[GRAPHIC] [TIFF OMITTED] T9407.091

[GRAPHIC] [TIFF OMITTED] T9407.092

[GRAPHIC] [TIFF OMITTED] T9407.093

[GRAPHIC] [TIFF OMITTED] T9407.094

[GRAPHIC] [TIFF OMITTED] T9407.095

[GRAPHIC] [TIFF OMITTED] T9407.096

[GRAPHIC] [TIFF OMITTED] T9407.097

[GRAPHIC] [TIFF OMITTED] T9407.098

[GRAPHIC] [TIFF OMITTED] T9407.099

[GRAPHIC] [TIFF OMITTED] T9407.100

[GRAPHIC] [TIFF OMITTED] T9407.101

[GRAPHIC] [TIFF OMITTED] T9407.102

[GRAPHIC] [TIFF OMITTED] T9407.103

[GRAPHIC] [TIFF OMITTED] T9407.104

[GRAPHIC] [TIFF OMITTED] T9407.105

