[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]


 
                ENHANCING SOCIAL SECUIRTY NUMBER PRIVACY

=======================================================================

                                HEARING

                               before the

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                 of the

                      COMMITTEE ON WAYS AND MEANS
                     U.S. HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 15, 2004

                               __________

                           Serial No. 108-59

                               __________

         Printed for the use of the Committee on Ways and Means






                 U.S. GOVERNMENT PRINTING OFFICE

99-677                  WASHINGTON : 2005
_________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government 
Printing  Office Internet: bookstore.gpo.gov  Phone: toll free 
(866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail:
Stop SSOP, Washington, DC 20402-0001






                      COMMITTEE ON WAYS AND MEANS

                   BILL THOMAS, California, Chairman

PHILIP M. CRANE, Illinois            CHARLES B. RANGEL, New York
E. CLAY SHAW, JR., Florida           FORTNEY PETE STARK, California
NANCY L. JOHNSON, Connecticut        ROBERT T. MATSUI, California
AMO HOUGHTON, New York               SANDER M. LEVIN, Michigan
WALLY HERGER, California             BENJAMIN L. Cardin, Maryland
JIM MCCRERY, Louisiana               JIM MCDERMOTT, Washington
DAVE CAMP, Michigan                  GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota               JOHN LEWIS, Georgia
JIM NUSSLE, Iowa                     RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas                   MICHAEL R. MCNULTY, New York
JENNIFER DUNN, Washington            WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia                 JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio                    XAVIER BECERRA, California
PHIL ENGLISH, Pennsylvania           LLOYD DOGGETT, Texas
J.D. HAYWORTH, Arizona               EARL POMEROY, North Dakota
JERRY WELLER, Illinois               MAX SANDLIN, Texas
KENNY C. HULSHOF, Missouri           STEPHANIE TUBBS JONES, Ohio
SCOTT MCINNIS, Colorado
RON LEWIS, Kentucky
MARK FOLEY, Florida
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin
ERIC CANTOR, Virginia

                    Allison H. Giles, Chief of Staff

                  Janice Mays, Minority Chief Counsel

                                 ______

                    SUBCOMMITTEE ON SOCIAL SECURITY

                  E. CLAY SHAW, JR., Florida, Chairman

SAM JOHNSON, Texas                   ROBERT T. MATSUI, California
MAC COLLINS, Georgia                 BENJAMIN L. Cardin, Maryland
J.D. HAYWORTH, Arizona               EARL POMEROY, North Dakota
KENNY C. HULSHOF, Missouri           XAVIER BECERRA, California
RON LEWIS, Kentucky                  STEPHANIE TUBBS JONES, Ohio
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Ways and Means are also published 
in electronic form. The printed hearing record remains the official 
version. Because electronic submissions are used to prepare both 
printed and electronic versions of the hearing record, the process of 
converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.



                            C O N T E N T S

                               __________
                                                                   Page

Advisories of June 8, 2004 and June 14, 2004 announcing the 
  hearing........................................................     2

                               WITNESSES

Federal Trade Commission, J. Howard Beales, III, Director, Bureau 
  of Consumer Protection.........................................     7
SSA, Patrick P. O'Carroll, Acting Inspector General..............    15
 U.S. General Accounting Office, Barbara D. Bovbjerg, Director, 
  Education, Workforce, and Income Security Issues...............    22
U.S. Postal Inspection Service, Lawrence E. Maxwell, Assistant 
  Chief Inspector, Investigations and Security...................    34

                                 ______

Applied Cybersecurity Research, University of Indiana-
  Bloomington, Fred H. Cate......................................    89
Conference of State Court Administrators, Michael L. Buenger.....    83
Electronic Privacy Information Center, Chris Jay Hoofnagle.......    69
Foss, Patricia, Elkton, Maryland.................................    61
National Council of Investigation and Security Services, Brian P. 
  McGuinness.....................................................    77
Privacy/Access Workgroup, Property Records Industry Association, 
  Mark Ladd......................................................    64
U.S. Public Interest Research Group, Edmund Mierzwinski..........    95

                       SUBMISSIONS FOR THE RECORD

American Benefits Council, Jim Klein; American Society of Pension 
  Actuaries, Brian Graff; College and University Professional 
  Association for Human Resources, Tony Lee; The ERISA Industry 
  Committee, Janice Gregory; Financial Executives International's 
  Committee on Benefits Finance, Bob Shepler; National 
  Association of State Retirement Administrators, Jeannine Markoe 
  Raymond; National Council on Teacher Retirement, Cindie Moore; 
  National Rural Electric Cooperative Association, Chris Stephen; 
  Profit Sharing/401(k) Council of America, Ed Ferrigno; Society 
  for Human Resource Management, Mary Huttlinger; joint letter...   125
First Data Corp., Englewood, CO, Joe Samuel, letter..............   127
Professional Investigators and Security Association, Vienna, VA, 
  Stephen B. Copeland, statement.................................   128


                ENHANCING SOCIAL SECURITY NUMBER PRIVACY

                              ----------                              


                         Tuesday June, 15, 2004

             U.S. House of Representatives,
                       Committee on Ways and Means,
                           Subcommittee on Social Security,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 11:00 a.m., in 
room B-318, Rayburn House Office Building, Hon. E. Clay Shaw, 
Jr. (Chairman of the Subcommittee) presiding.
    [The advisory and revised advisory announcing the hearing 
follow:]

ADVISORY

FROM THE 
COMMITTEE
 ON WAYS 
AND 
MEANS

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                                CONTACT: (202) 225-9263
FOR IMMEDIATE RELEASE
June 08, 2004

   Shaw Announces Hearing on Enhancing Social Security Number Privacy

    Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on 
Social Security of the Committee on Ways and Means, today announced 
that the Subcommittee will hold a hearing on enhancing Social Security 
number (SSN) privacy. The hearing will take place on Tuesday, June 15, 
2004, in room B-318 Rayburn House Office Building, beginning at 10:00 
a.m.
      
    In view of the limited time available to hear witnesses, oral 
testimony at this hearing will be from invited witnesses only. However, 
any individual or organization not scheduled for an oral appearance may 
submit a written statement for consideration by the Subcommittee and 
for inclusion in the printed record of the hearing.

BACKGROUND:

    Identity theft is one of the fastest growing white-collar crimes, 
and it wreaks havoc with individuals' lives. Identity theft occurs when 
someone uses a victim's personal information--SSN, credit card number, 
or other identifying information--to commit fraud or other crimes.

    According to a Federal Trade Commission-sponsored survey, almost 10 
million people discovered they were victims of identity theft in 2002. 
On average, victims spent $500 and took 30 hours clearing their names 
and restoring their credit. In the interim, many may have lost job 
opportunities, had loans refused, or even gotten arrested for crimes 
they didn't commit.

    One reason identity thieves prize SSNs is because they are central 
to many business transactions. While SSNs were originally created in 
1936 to track earnings for Social Security eligibility and benefit 
purposes, today SSNs are widely used in the public and private sectors 
as account numbers, to verify identity, and to compile information 
across databases for use in everything from tracking down criminals to 
issuing credit. Despite SSNs' integral role in all sorts of 
transactions, their confidentiality is not well protected. SSNs are 
often on display to the general public on employee badges, licenses, in 
court documents, or on the Internet.

    In order to protect the privacy of SSNs, Subcommittee on Social 
Security Chairman E. Clay Shaw, Jr. introduced bipartisan legislation, 
the Social Security Number Privacy and Identity Theft Prevention Act of 
2003 (H.R. 2971). The bill would prohibit the sale, purchase, and 
display to the general public of SSNs in the public and private 
sectors, with certain exceptions for law enforcement, national 
security, public health, and other specified circumstances. The 
legislation also prevents consumer reporting agencies from releasing 
SSN information other than in a full consumer report, and prevents 
businesses from denying products or services if an individual refuses 
to divulge his or her SSN.

    In addition, the bill would require improvements in the process of 
issuing SSNs, and would create new criminal and civil penalties for 
those who misuse SSNs--for example, those who sell another individual's 
SSN or counterfeit SSNs; or those who violate the bill's prohibitions 
on sale, purchase, and display to the general public.

    In announcing the hearing, Chairman Shaw stated: ``We can no longer 
ignore the role SSNs play in facilitating identity theft. My bill is 
designed to protect SSN privacy while preserving its vital use in our 
society and economy, by ensuring SSNs are assigned accurately, 
exchanged only when necessary, and protected from indiscriminant 
disclosure.''

FOCUS OF THE HEARING:

    The Subcommittee will examine how criminals use SSNs to commit 
identity theft, the impact on victims, and will receive feedback from 
consumer advocates and representatives from the public and private 
sector regarding the Social Security Number Privacy and Identity Theft 
Prevention Act of 2003.

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:

    Please Note: Any person(s) and/or organization(s) wishing to submit 
for the hearing record must follow the appropriate link on the hearing 
page of the Committee website and complete the informational forms. 
From the Committee homepage, http://waysandmeans.house.gov, select 
``108th Congress'' from the menu entitled, ``Hearing Archives'' (http:/
/waysandmeans.house.gov/Hearings.asp?congress=16). Select the hearing 
for which you would like to submit, and click on the link entitled, 
``Click here to provide a submission for the record.'' Once you have 
followed the online instructions, completing all informational forms 
and clicking ``submit'' on the final page, an email will be sent to the 
address which you supply confirming your interest in providing a 
submission for the record. You MUST REPLY to the email and ATTACH your 
submission as a Word or WordPerfect document, in compliance with the 
formatting requirements listed below, by close of business Tuesday, 
June 22, 2004. Finally, please note that due to the change in House 
mail policy, the U.S. Capitol Police will refuse sealed-package 
deliveries to all House Office Buildings. For questions, or if you 
encounter technical problems, please call (202) 225-1721.

FORMATTING REQUIREMENTS:

    The Committee relies on electronic submissions for printing the 
official hearing record. As always, submissions will be included in the 
record according to the discretion of the Committee. The Committee will 
not alter the content of your submission, but we reserve the right to 
format it according to our guidelines. Any submission provided to the 
Committee by a witness, any supplementary materials submitted for the 
printed record, and any written comments in response to a request for 
written comments must conform to the guidelines listed below. Any 
submission or supplementary item not in compliance with these 
guidelines will not be printed, but will be maintained in the Committee 
files for review and use by the Committee.
      
    1. All submissions and supplementary materials must be provided in 
Word or WordPerfect format and MUST NOT exceed a total of 10 pages, 
including attachments. Witnesses and submitters are advised that the 
Committee relies on electronic submissions for printing the official 
hearing record.
      
    2. Copies of whole documents submitted as exhibit material will not 
be accepted for printing. Instead, exhibit material should be 
referenced and quoted or paraphrased. All exhibit material not meeting 
these specifications will be maintained in the Committee files for 
review and use by the Committee.
      
    3. All submissions must include a list of all clients, persons, 
and/or organizations on whose behalf the witness appears. A 
supplemental sheet must accompany each submission listing the name, 
company, address, telephone and fax numbers of each witness.


    Note: All Committee advisories and news releases are available on 
the World Wide Web at http://waysandmeans.house.gov


    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.
                                 

ADVISORY

FROM THE 
COMMITTEE
 ON WAYS 
AND 
MEANS

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                                CONTACT: (202) 225-9263
FOR IMMEDIATE RELEASE
June 14, 2004
SS-9--Revised

 Change in Time for Hearing on Enhancing Social Security Number Privacy

    Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on 
Social Security of the Committee on Ways and Means, today announced 
that the Subcommittee hearing on enhancing Social Security number 
privacy, previously scheduled for Tuesday, June 15, 2004, at 10:00 
a.m., in room B-318 Rayburn House Office Building, will now be held at 
11:00 a.m.
    All other details for the hearing remain the same. (See 
Subcommittee Advisory No. SS-9, dated June 8, 2004

                                 

    Chairman SHAW. Good morning. Welcome to all our guests. We 
were up until midnight cranking out a tax bill last night. I 
appreciate, Ben, you and Sam being here. Today the Subcommittee 
will hear testimony about the growing threat of identity theft, 
the need to prevent identity theft and terrorists from stealing 
innocent Americans' Social Security numbers (SSNs), and my 
bipartisan, and I underscore bipartisan, ``Social Security 
Number Privacy and Identity Theft Prevention Act of 2003,'' 
H.R. 2971. I think you are a cosponsor of that.
    The SSN is woven into the fabric of many of our dealings 
with governments and businesses. They are widely used as 
personal identifiers even though the original purpose was 
simply to track earnings for determining eligibility and 
benefit amounts under Social Security. Some of the uses of the 
SSNs help us achieve important goals like reducing waste, fraud 
and abuse in government programs; enforcing child support; and 
aiding law enforcement. Unfortunately there is also wide use of 
SSNs for everyday business transactions. Concerns about 
identity theft are rapidly growing. According to the Federal 
Trade Commission (FTC), identity theft is the number one 
consumer complaint, amounting to 42 percent of complaints 
received in 2003. Americans are becoming more aware of the role 
of SSNs in identity theft thanks to the efforts of the SSA 
(SSA), the FTC, the U.S. Postal Inspection Service, and other 
agencies. Due to the increasing public pressure to act, 
businesses are starting to move away from using SSNs, and 
several States have passed legislation that does protect SSNs.
    While everybody recognizes the need to protect the SSNs, 
Federal laws do not do enough to prevent the unnecessary 
disclosure. As a result, SSNs are sought-after tools for 
identity theft; worse yet, terrorists use of SSN fraud and 
identity theft to assimilate themselves into our society. 
Identity theft continues to threaten our individual and 
national security. Clearly we need a comprehensive law to 
better protect the privacy of SSNs, and protect the American 
public from being victimized. That is why I, along with several 
Members of the Subcommittee, including the Ranking Member Mr. 
Matsui, introduced H.R. 2971, the ``Social Security Number 
Privacy and Identity Theft Prevention Act of 2003.'' This bill 
would restrict the sale and public display of SSNs, limit 
dissemination of SSNs by consumers reporting agencies, make it 
more difficult for businesses to deny services if a customer 
refuses to provide his or her SSN, and establish civil and 
criminal penalties for the violation.
    Providing for uses of SSNs that benefit the public while 
protecting their privacy is a very complex balancing act. This 
bill achieves that balance by ensuring SSNs are assigned 
accurately, exchanged only when necessary, and protected from 
the indiscriminate disclosure. This Subcommittee has been 
working on a bipartisan basis to protect the privacy of SSNs 
and prevent identity theft since the 106th Congress when it 
first approved the Social Security Number Privacy and Identity 
Theft Prevention Act of 2002. In the 107th Congress, I, along 
with Ranking Member Matsui and 80 other Members of Congress, 
sponsored a similar bill. Consideration of this legislation was 
rightly preempted by necessary congressional response to the 
September 11 attacks.
    My hope is that this hearing will serve as a catalyst 
toward action, first through markup in this Subcommittee and 
the full Committee, followed by similar action by other 
Committees of jurisdiction, so that we may bring this important 
legislation to the House. Again, I underscore that in going 
through my statement, you may wonder, well, if you have had all 
this time why haven't you done anything? The problem really 
lies in that there is so much jurisdiction throughout Capitol 
Hill, that has stalled us at many, many areas where we 
shouldn't have been stalled down. I look forward to hearing 
from each of our witnesses, and I thank each of you in advance 
for sharing with us your experience and your recommendations. I 
would now yield to the gentleman from Maryland, my friend Mr. 
Cardin.
    Mr. CARDIN. Thank you, Chairman Shaw. First let me thank 
you for conducting this hearing, and thank you for your 
leadership on this issue. It is a difficult matter, the proper 
use of SSNs and the misuse of SSNs and the role that people 
illegally obtaining SSNs have used in identity theft. So, these 
are issues that are of great concern to all of us in Congress.
    Mr. Chairman, if I am correct, I think this is the 11th 
hearing that our Subcommittee has held in the last 4 years on 
this general subject because of our concern, and I do applaud 
you for the introduction of H.R. 2971, the ``Social Security 
Number Privacy and Identity Theft Prevention Act of 2003''. You 
are correct. This enjoys strong bipartisan support. I am proud 
to be a cosponsor of that bill. I think it is absolutely 
essential that Congress act in this area to give the clear 
message about the seriousness of the misuse of SSNs.
    A SSN should be your identifying number for Social 
Security. It should not be used for every other purpose 
imaginable that is currently being used by society and by 
commerce, but it is being used for other purposes, and it 
presents a real dilemma for us as to how we reverse this use 
and how we can protect a person's privacy.
    It is a very serious issue, because what identity theft has 
meant to our Nation, the FTC has received more than a half 
million calls on the identity fraud line, and they have 
projected that about 5 percent, 5 percent of our adult 
population of the United States, some 10 million people, were 
victims of some kind of identity theft in just the last 12 
months. So, this is a huge issue that we need to deal with. We 
can't just be quiet on the subject by saying it is difficult in 
that so many people have our SSNs, and how are we ever going to 
be able to retrieve the privacy that was intended when the 
Social Security system was created.
    I look forward to hearing the testimony of our witnesses 
today as we try to develop a strategy to balance the needs of 
our society and the protection of our constituents. Mr. 
Chairman, I look forward to working with you and the other 
Members of the Committee as we attempt to get through the maze 
of the different jurisdictional problems in Congress and pass 
the necessary protective laws here in this body. Thank you.
    Chairman SHAW. Thank you, Mr. Cardin. I would like to yield 
at this time to Mr. Ryan, who is here and wants to introduce a 
member of the second panel, but he is concerned that his 
schedule might not allow him to be here, so I would yield to 
him for that introduction.
    Mr. RYAN. I thank the Chair. I have a bill coming to the 
floor momentarily, so I won't I be able to stay until that 
time, but I wanted to just take a couple of moments to 
introduce someone who is on the next panel who is a perfect 
person to have testifying with us today. That is Mark Ladd, who 
is the Register of Deeds for Racine County. Mark is very 
experienced, has been the Register of Deeds in Racine since 
1994. He is the past President of the Wisconsin Register of 
Deeds Association. He is also a member of the Board of 
Directors of the National Association of County Recorders and 
Election Clerks, and he is the Co-Chair of the Property Records 
Industry Association Technology Board, which is, I think, in 
that capacity where he is going to offer a lot of expertise. He 
is also a good friend of mine, and I am excited that Mark is 
here to testify in the next panel.
    I hope that I can make it. It is only when you have a bill 
coming to the floor, which I have on the Suspension Calendar, 
that it presents a very unpredictable schedule. So, I thank the 
Chair for indulging me to be able to introduce my friend and a 
good expert from Racine, Wisconsin, who will be testifying on 
the next panel. Thank you, and I yield.
    Chairman SHAW. Okay. The first panel, which is already 
assembled at the table, are also four perfect witnesses: Howard 
Beales, who is the Director of the Bureau of Consumer 
Protection in the FTC; Patrick O'Carroll, Acting Inspector 
General, SSA; Barbara Bovbjerg, who is Director of Education, 
Work force and Income Security; Lawrence Maxwell, Assistant 
Chief Inspector of the Investigations and Security. Welcome, 
all of you. We have each of your full statements that will be 
made a part of the record. You may proceed as you see fit, and 
if you could capsule your statement into 5 minutes, we would be 
most appreciative.

    STATEMENT OF J. HOWARD BEALES, III, DIRECTOR, BUREAU OF 
         CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

    Mr. BEALES. Thank you, Mr. Chairman. I am Howard Beales. I 
am Director of the FTC's Bureau of Consumer Protection, and I 
am pleased to present the views of the Commission this morning. 
In a survey we conducted last year, the Commission learned some 
startling results about the incidence of identity theft and the 
impact of this crime on its victims. The data showed that 
within the 12 months preceding the survey, almost 3 and one-
fourth million persons discovered that an identity thief opened 
new accounts in their names. An additional 6.6 million people 
learned of the misuse of an existing account. Overall nearly 10 
million people, or 4.6 percent of the adult population, 
discovered that they were victims of some form of identity 
theft.
    These numbers translate to nearly $48 billion in losses to 
businesses, nearly $5 billion in losses to victims, and almost 
300 hours spent by victims to resolve their problems. Moreover, 
identity theft is a growing crime. The survey indicated a 
significant increase in the previous 2 to 3 years, nearly a 
doubling from one year to the next, although the research also 
showed that this increase has slowed recently. Notably the 
recent increase involved the misuse of existing accounts, which 
tends to cause less economic injury to victims and is generally 
easier for them to identify and to fix.
    Overall, the survey analysis puts the incident rates of 
identity theft into sharper focus and demonstrates the need for 
concerted action between the public and private sectors to act 
aggressively to reduce identity theft, SSNs play a pivotal role 
in identity theft. Thieves use the SSN as a key to access the 
financial benefits available to their victim. Preventing 
identity thieves from obtaining SSNs will help to protect 
consumers from this pernicious crime. The potential for misuse 
arises because SSNs are crucial to the proper functioning of 
our financial system. Socials are used to match consumers to 
their credit and other financial information. Without them, 
information may be attributed to the wrong consumers, and the 
accuracy of credit reports may be degraded. Enabling SSNs to be 
used appropriately will help to ensure that consumers continue 
to enjoy the benefits of our current credit system.
    The Commission is studying the efficacy of increasing the 
number of points of identifying information that a credit 
reporting agency is required to match to ensure that a consumer 
is the correct individual to whom a consumer report relates 
before releasing that report to a user. The study to be 
completed by this December should greatly increase our 
knowledge of the importance of SSNs in the matching process, 
and we look forward to reporting our findings.
    Socials are collected by public and private entities for 
various purposes, and several Federal and State laws restrict 
the use or disclosure of SSNs depending on the source. The 
nationwide credit bureaus are primary private sources of SSNs, 
collecting information from financial institutions for credit 
reporting purposes. This information typically includes the 
consumer's identifying information, such as name, address and 
SSN, as well as information relating to the consumer's credit 
accounts. The identifying information collected by the credit 
bureau is one of the most reliable and comprehensive sources of 
this information, because individuals tend to provide their 
financial institutions with accurate and up-to-date 
information. Moreover, credit bureau databases contain 
information for over 200 million consumers.
    The Gramm-Leach-Bliley Act (P.L. 106-102) imposes certain 
restrictions on the reuse and re-disclosure of the identifying 
information that is collected by credit bureaus as a general 
matter. The act prohibits financial institutions from 
disclosing nonpublic personal information to nonaffiliated 
third parties without first providing consumers with notice and 
the opportunity to opt out of such disclosure. This general 
restriction, however, is subject to certain exceptions. The 
information may flow from financial institutions to others for 
certain purposes specified in the statute and in the rule, 
including, for example, to process transactions or to report 
consumer information to credit bureaus. When information is 
disclosed under these exceptions, the recipient may not use or 
disclose that information except in the ordinary course of 
business to carry out the activity covered by the exception 
under which the information was received.
    The Fair and Accurate Credit Transactions (FACT) Act of 
2003 (P.L. 108-159) provides several new and important measures 
to prevent identity theft and facilitate victim recovery. One 
prominent benefit will be greater access to free consumer 
reports. Several other measures also act to prevent identity 
theft. The National Fraud Alert System will put potential 
creditors on notice that they must proceed with caution. The 
red flag rulemaking will require financial institutions and 
creditors to analyze patterns and take appropriate steps to 
prevent the crime. When fully implemented, these provisions 
should help to reduce the incidence of identity theft and to 
help victims recover when problems do occur.
    Identity theft places substantial costs on individuals and 
businesses. We look forward to working with businesses on 
better ways for them to protect the valuable information of the 
consumers with whom they do business as well as other means of 
preventing identity theft. We anticipate that Nation will help 
and reduce the impact on victims as well. Thank you, and as you 
know, Mr. Chairman, I have a prior obligation at noon, and I 
will stay as long as I can to answer questions. I would be 
happy to answer questions for the record, but I may have to 
leave early.
    [The prepared statement of Mr. Beales follows:]
   Statement of J. Howard Beales, III, Director, Bureau of Consumer 
                  Protection, Federal Trade Commission
I. INTRODUCTION
    Mr. Chairman, and members of the Subcommittee, I am J. Howard 
Beales, III, Director of the Bureau of Consumer Protection, Federal 
Trade Commission (``FTC'' or ``Commission'').\1\ I appreciate the 
opportunity to present the Commission's views on identity theft and 
Social Security numbers. The Federal Trade Commission has a broad 
mandate to protect consumers, and controlling identity theft is an 
important issue of concern to all consumers. Through this testimony, 
the Commission will describe the results of a recent survey on the 
prevalence and impact of identity theft, the ways in which Social 
Security numbers are collected and used, new protections for consumers 
and identity theft victims, and the Commission's identity theft 
program.
---------------------------------------------------------------------------
    \1\ The views expressed in this statement represent the views of 
the Commission. My oral presentation and responses to questions are my 
own and do not necessarily represent the views of the Commission or any 
Commissioner.
---------------------------------------------------------------------------
II. UNDERSTANDING THE IMPACT OF IDENTITY THEFT
     On November 1, 1999, the Commission began collecting identity 
theft complaints from consumers in its national database, the Identity 
Theft Data Clearinghouse (the ``Clearinghouse'').\2\ Every year since 
has seen an increase in complaints.\3\ The Clearinghouse now contains 
over 600,000 identity theft complaints taken from victims across the 
country. By itself, though, these self-reported data do not currently 
allow the FTC to draw any firm conclusions about the incidence of 
identity theft in the general population. To address this important 
issue, the FTC commissioned a survey last year to gain a better picture 
of the incidence of identity theft and the impact of the crime on its 
victims.\4\ The results were startling. The data showed that within the 
12 months preceding the survey, 3.23 million persons discovered that an 
identity thief opened new accounts in their names. An additional 6.6 
million consumers learned of the misuse of an existing account. 
Overall, nearly 10 million people--or 4.6 percent of the adult 
population--discovered that they were victims of some form of identity 
theft. These numbers translate to nearly $48 billion in losses to 
businesses, nearly $5 billion in losses to individual victims, and 
almost 300 million hours spent by victims trying to resolve their 
problems.
---------------------------------------------------------------------------
    \2\ See infra Section V for a discussion of the Commission's 
mandate to maintain an identity theft complaint database pursuant to 
the 1998 Identity Theft Assumption and Deterrence Act.
    \3\ Charts that summarize data from the Clearinghouse can be found 
at http://www.consumer.gov/idtheft/stats.html and http://
www.consumer.gov/sentinel/index.html.
    \4\ The research took place during March and April 2003. It was 
conducted by Synovate, a private research firm, and involved a random 
sample telephone survey of over 4,000 U.S. adults. The full report of 
the survey can be found at http://www.consumer.gov/idtheft/stats.html.
---------------------------------------------------------------------------
    Moreover, identity theft is a growing crime. The survey indicated a 
significant increase in the previous 2-3 years--nearly a doubling from 
one year to the next, although the research showed that this increase 
has recently slowed. Notably, this recent increase primarily involved 
the misuse of an existing account, which tends to cause less economic 
injury to victims and is generally easier for them to identify and fix. 
Overall, the 2003 survey analysis puts the incidence rates of identity 
theft into sharper focus, and demonstrates the need for a concerted 
effort between the public and private sectors to act aggressively to 
reduce identity theft.
III. SOCIAL SECURITY NUMBER USES AND IDENTITY THEFT
    Social Security numbers play a pivotal role in identity theft. 
Identity thieves use the Social Security number as a key to access the 
financial benefits available to their victims. Preventing identity 
thieves from obtaining Social Security numbers will help to protect 
consumers from this pernicious crime. The potential for misuse arises 
because Social Security numbers are crucial to the proper functioning 
of our financial system. Social Security numbers are used to match 
consumers to their credit and other financial information. Without 
them, information may be attributed to the wrong consumer, and the 
accuracy of credit reports may be degraded. Enabling Social Security 
numbers to be used appropriately will help to ensure that consumers 
continue to enjoy the benefits of our current credit system. The 
Commission is studying ``the efficacy of increasing the number of 
points of identifying information that a credit reporting agency is 
required to match to ensure that a consumer is the correct individual 
to whom a consumer report relates before releasing a consumer report to 
a user'' as required by the Fair and Accurate Credit Transactions Act 
of 2003.\5\ This study, to be completed by December, 2004, should 
greatly increase our knowledge of the importance of Social Security 
numbers in the matching process. The Commission looks forward to 
reporting its findings to Congress.
---------------------------------------------------------------------------
    \5\ Pub. L. No. 108-396,  318 (2003).
---------------------------------------------------------------------------
    Social Security numbers are collected by public and private 
entities for various purposes, and several federal and state laws 
restrict the use or disclosure of Social Security numbers, depending on 
the source.\6\ The nationwide credit bureaus are primary private 
sources of Social Security numbers, collecting information from 
financial institutions for credit reporting purposes. This information 
typically includes a consumer's identifying information--such as name, 
address, and Social Security number--as well as information related to 
the consumer's credit accounts. The identifying information collected 
by the credit bureaus is one of the most reliable and comprehensive 
sources of this information, because individuals tend to provide their 
financial institutions with accurate and up-to-date identifying 
information and the credit bureau databases contain information for 
over 200 million consumers.\7\
---------------------------------------------------------------------------
    \6\ As GAO has reported, government and commercial entities use 
social security numbers for a number of different purposes, including 
to verify the eligibility of applicants, manage records, and conduct 
research. U.S. General Accounting Office, Social Security: Government 
and Commercial Use of the Social Security Number is Widespread, GAO/
HEHS-99-28 (Washington, D.C.: Feb 16, 1999) and Social Security 
Numbers: Government Benefits from SSN Use but Could Provide Better 
Safeguards, GAO-02-352 (Washington, D.C.: May 31, 2002). As examined in 
detail in GAO's January 2004 report, private sector entities 
(information resellers, consumer reporting agencies, health care 
organizations) obtain social security numbers both directly from 
consumers and other businesses, and the entities use them for a variety 
of purposes, including identification and to match the consumer to 
information stored in the consumer's credit report. See U.S. General 
Accounting Office, Social Security Numbers: Private Sector Entities 
Routinely Obtain and Use SSNs and Laws Limit the Disclosure of This 
Information, GAO-04-11 (Washington, D.C.: Jan. 22, 2004).
    \7\ See Consumer Data Industry Association's Web site, available at 
http://www.cdiaonline.org/about.cfm.
---------------------------------------------------------------------------
    The Gramm-Leach-Bliley Act (``GLBA'')\8\ imposes certain 
restrictions on the reuse and redisclosure of the identifying 
information--including Social Security numbers--that is collected by 
credit bureaus from financial institutions.\9\ As a general matter, the 
GLBA prohibits financial institutions from disclosing nonpublic 
personal information (``NPI'') to nonaffiliated third parties without 
first providing consumers with notice and the opportunity to opt out of 
such disclosure. This general restriction, however, is subject to 
certain exceptions. The information may flow from financial 
institutions to others for certain purposes specified in the statute 
and rule, including, for example, to process transactions or to report 
consumer information to credit bureaus.\10\ When information is 
disclosed under these GLBA exceptions, the recipient may not use or 
disclose that NPI except ``in the ordinary course of business to carry 
out the activity covered by the exception under which . . . the 
information [was received].''\11\
---------------------------------------------------------------------------
    \8\ Subtitle A of Title 5 of the GLBA, 15 U.S.C.  6801-6809.
    \9\ The GLBA applies to any ``nonpublic personal information'' 
(``NPI'') that a financial institution collects about an individual in 
connection with providing a financial product or service to an 
individual, unless that information is otherwise publicly available. 
This includes basic identifying information about individuals, such as 
name, Social Security number, address, telephone number, mother's 
maiden name, and prior addresses. See, e.g., 65 Fed. Reg. 33,646, 33680 
(May 24, 2000) (the FTC's Privacy Rule). This identifying information 
generally is not covered by the Fair Credit Reporting Act. See FTC v. 
Trans Union, Dkt. 9255, Op. of the Commission at pp. 30-31 (Mar. 1, 
2000) (holding that consumer name, Social Security number, address, 
telephone number, and mother's maiden name do not constitute a consumer 
report under the FCRA).
    \10\ These exceptions are found in  502(e) of the GLBA, and in  
313.14 and 313.15 of the FTC's privacy rule. The other GLBA privacy 
rules contain substantially similar provisions. The  313.14 exceptions 
relate to the processing and servicing of transactions at the 
consumer's request, and the  313.15 exceptions contain a broad range 
of unrelated exceptions, such as preventing fraud, assisting law 
enforcement, complying with subpoenas, and reporting to credit bureaus. 
Section 313.13 also contains an exception to the notice and opt out 
requirement, but that section is not relevant here because it relates 
to contractual arrangements with service providers and joint marketers.
    \11\ 16 C.F.R. 313.11(a)(1)(iii), (c)(3) (2000).
---------------------------------------------------------------------------
IV. NEW PROTECTIONS FOR IDENTITY THEFT VICTIMS
    On December 4, 2003, the Fair and Accurate Credit Transactions Act 
of 2003 (``FACTA'') was enacted.\12\ Many of the provisions amend the 
Fair Credit Reporting Act (``FCRA''),\13\ and provide new and important 
measures to prevent identity theft and facilitate identity theft 
victims' recovery. Some of these measures will take effect this 
year.\14\ They will codify many of the voluntary measures initiated by 
the private sector and improve other recovery procedures already in 
place.
---------------------------------------------------------------------------
    \12\ Pub. L. No. 108-396 (2003) (codified at 15 U.S.C.  1681 et 
seq.).
    \13\ 15 U.S.C.  1681 et seq.
    \14\ The statute set effective dates for certain sections and 
required the Commission and the Federal Reserve Board jointly to set 
effective dates for the remaining sections. See Effective Dates for the 
Fair and Accurate Credit Transactions Act of 2003, 16 C.F.R.  602.1 
(2004).
---------------------------------------------------------------------------
    One prominent benefit of these amendments to the FCRA is the 
greater access to free consumer reports.\15\ Previously under the FCRA, 
consumers were entitled to a free consumer report only under limited 
circumstances.\16\ Beginning in December of this year with a regional 
rollout, nationwide and nationwide specialty consumer reporting 
agencies\17\ must provide free credit reports to consumers once 
annually, upon request.\18\ Free reports will enhance consumers' 
ability to discover and correct errors, thereby improving the accuracy 
of the system, and also enable consumers to detect identity theft 
early.
---------------------------------------------------------------------------
    \15\ Pub. L. No. 108-396,  211 (2003).
    \16\ Previously, free reports were available only pursuant to the 
FCRA when the consumer suffered adverse action, believed that 
fraudulent information may be in his or her credit file, was 
unemployed, or was on welfare. Absent one of these exceptions, 
consumers had to pay a statutory ``reasonable charge'' for a file 
disclosure; this fee is set each year by the Commission and is 
currently $9. See 15 U.S.C.  1681j. In addition, a small number of 
states required the CRAs to provide free annual reports to consumers at 
their request.
    \17\ Section 603(w) of the FCRA defines a ``nationwide specialty 
consumer reporting agency'' as a consumer reporting agency that 
compiles and maintains files on consumers relating to medical records 
or payments, residential or tenant history, check writing history, 
employment history, or insurance claims, on a nationwide basis. 15 
U.S.C.  1681a(w).
    \18\ See Free Annual File Disclosures, 16 C.F.R.  610.1 and 698.1 
(2004).
---------------------------------------------------------------------------
    Other measures that act to prevent identity theft include:

      National fraud alert system:\19\ Consumers who reasonably 
suspect they have been or may be victimized by identity theft, or who 
are military personnel on active duty away from home,\20\ can place an 
alert on their credit files. The alert will put potential creditors on 
notice that they must proceed with caution when granting credit in the 
consumer's name. The provision also codified and standardized the 
``joint fraud alert'' initiative administered by the three major credit 
reporting agencies. After receiving a request from an identity theft 
victim for the placement of a fraud alert on his or her consumer report 
and for a copy of that report, each credit reporting agency now shares 
that request with the other two nationwide credit reporting agencies, 
thereby eliminating the need for the victim to contact each of the 
three agencies separately.
---------------------------------------------------------------------------
    \19\ Pub. L. No. 108-396,  112 (2003).
    \20\ The Commission is developing a rule on the duration of this 
active duty alert. See Related Identity Theft Definitions, Duration of 
Active Duty Alerts, and Appropriate Proof of Identity Under the Fair 
Credit Reporting Act, 69 Fed. Reg. 23370, 23372 (April 28, 2004) (to be 
codified at 16 C.F.R. pt. 613).
---------------------------------------------------------------------------
      Truncation of credit and debit card receipts:\21\ In some 
instances, identity theft results from thieves obtaining access to 
account numbers on credit card receipts. FACTA seeks to reduce this 
source of fraud by requiring merchants to truncate the full card number 
on electronic receipts. The use of truncation technology is becoming 
widespread, and some card issuers already require merchants to 
truncate.\22\
---------------------------------------------------------------------------
    \21\ Pub. L. No. 108-396,  113 (2003).
    \22\ FACTA creates a phase-in period to allow for the replacement 
of existing equipment.
---------------------------------------------------------------------------
      ``Red flag'' indicators of identity theft:\23\ The 
banking regulators and the FTC will jointly develop a rule to identify 
and maintain a list of ``red flag'' indicators of identity theft. The 
goal of this provision is for financial institutions and creditors to 
analyze identity theft patterns and practices so that they can take 
appropriate action to prevent this crime.
---------------------------------------------------------------------------
    \23\ Id.  114.
---------------------------------------------------------------------------
      Disposal of Consumer Report Information and Records:\24\ 
The banking regulators and the FTC are coordinating a rulemaking to 
require proper disposal of consumer information derived from consumer 
reports.\25\ This requirement will help to ensure that sensitive 
consumer information, including Social Security numbers, is not simply 
left in a trash dumpster, for instance, once a business no longer needs 
the information.\26\
---------------------------------------------------------------------------
    \24\ Id.  216.
    \25\ Disposal of Consumer Report Information and Records, 69 Fed. 
Reg. 21388 (April 20, 2004) (to be codified at 16 C.F.R. pt. 682).
    \26\ In its outreach materials, the FTC also advises consumers to 
shred any sensitive information before disposing of it.

    FACTA also includes measures that will assist victims with their 
---------------------------------------------------------------------------
recovery. These provisions include:

      Identity theft account blocking:\27\ This provision 
requires credit reporting agencies immediately to cease reporting, or 
block, allegedly fraudulent account information on consumer reports 
when the consumer submits an identity theft report,\28\ unless there is 
reason to believe the report is false. Blocking would mitigate the harm 
to consumers' credit records that can result from identity theft. 
Credit reporting agencies must also notify information furnishers who 
must then cease furnishing the fraudulent information and may not sell, 
transfer, or place for collection the debt resulting from the identity 
theft.
---------------------------------------------------------------------------
    \27\ Pub. L. No. 108-396,  152 (2003).
    \28\ The Commission is developing a rule to define the term 
``identity theft report.'' See Related Identity Theft Definitions, 
Duration of Active Duty Alerts, and Appropriate Proof of Identity Under 
the Fair Credit Reporting Act, 69 Fed. Reg. 23370, 23371 (April 28, 
2004) (to be codified at 16 C.F.R. pt. 603).
---------------------------------------------------------------------------
      Information available to victims:\29\ A creditor or other 
business must give victims copies of applications and business records 
relating to the theft of their identity at the victim's request. This 
information can assist victims in proving that they are, in fact, 
victims. For example, they may be better able to prove that the 
signature on the application is not their signature.
---------------------------------------------------------------------------
    \29\ Pub. L. No. 108-396,  151 (2003).
---------------------------------------------------------------------------
      Prevention of re-reporting fraudulent information:\30\ 
Consumers can provide identity theft reports directly to creditors or 
other information furnishers to prevent them from continuing to furnish 
fraudulent information resulting from identity theft to the credit 
reporting agencies.
---------------------------------------------------------------------------
    \30\ Id.  154.

    When fully implemented, these provisions should help to reduce the 
incidence of identity theft, and help victims recover when the problem 
does occur.
V. THE FEDERAL TRADE COMMISSION'S ROLE IN COMBATING IDENTITY THEFT
    The FTC's role in combating identity theft derives from the 1998 
Identity Theft Assumption and Deterrence Act (``the Identity Theft 
Act'' or ``the Act'').\31\ The Identity Theft Act strengthened the 
criminal laws governing identity theft\32\ and focused on consumers as 
victims.\33\ The Act directed the Federal Trade Commission to establish 
the federal government's central repository for identity theft 
complaints, to make available and to refer these complaints to law 
enforcement for their investigations, and to provide victim assistance 
and consumer education. Thus, the FTC's role under the Act is primarily 
one of facilitating information sharing among public and private 
entities.\34\
---------------------------------------------------------------------------
    \31\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 
U.S.C.   1028).
    \32\ 18 U.S.C.  1028(a)(7) made identity theft a crime by focusing 
on the unlawful use of an individual's ``means of identification,'' 
which broadly includes ``any name or number that may be used, alone or 
in conjunction with any other information, to identify a specific 
individual,'' including, among other things, name, address, social 
security number, driver's license number, biometric data, access 
devices (i.e., credit cards), electronic identification number or 
routing code, and telecommunication identifying information.
    \33\ Because individual consumers' financial liability is often 
limited, prior to the passage of the Act, financial institutions, 
rather than individuals, tended to be viewed as the primary victims of 
identity theft. Setting up an assistance process for consumer victims 
is consistent with one of the Act's stated goals: to recognize the 
individual victims of identity theft. See S. Rep. No. 105-274, at 4 
(1998).
    \34\ Most identity theft cases are best addressed through criminal 
prosecution. The FTC itself has no direct criminal law enforcement 
authority. Under its civil law enforcement authority provided by 
Section 5 of the FTC Act, the Commission may, in appropriate cases, 
bring actions to stop practices that involve or facilitate identity 
theft. See, e.g., FTC v. Corporate Marketing Solutions, Inc., CIV--02 
1256 PHX RCB (D. Ariz Feb. 3, 2003) (final order) (defendants 
``pretexted'' personal information from consumers and engaged in 
unauthorized billing of consumers' credit cards) and FTC v. C.J., CIV--
03 5275 GHK (RZx) (C. D. Cal. July 24, 2003) (final order); FTC v. 
Hill, CV-H-03-5537 (S.D. Tex. Dec. 3, 2003) (final order); and FTC v. 
M.M., CV-04-2086 (E.D. NY May 18, 2004) (final order) (defendants sent 
``phishing'' spam purporting to come from AOL or Paypal and created 
look-alike websites to obtain credit card numbers and other financial 
data from consumers that defendants used for unauthorized online 
purchases.). In addition, the FTC brought six complaints against 
marketers for purporting to sell international driver's permits that 
could be used to facilitate identity theft. Press Release, Federal 
Trade Commission, FTC Targets Sellers Who Deceptively Marketed 
International Driver's Permits over the Internet and via Spam (Jan. 16, 
2003) (at http://www.ftc.gov/opa/2003/01/idpfinal.htm).
---------------------------------------------------------------------------
    To fulfill the Act's mandate, the Commission implemented a program 
that focuses on three principal components: (1) collecting complaints 
and providing victim assistance through a telephone hotline and a 
dedicated website, (2) maintaining and promoting the Clearinghouse, a 
centralized database of victim complaints that serves as an 
investigative tool for law enforcement, and (3) outreach and education 
to consumers, law enforcement, and private industry.
A. Assisting Identity Theft Victims
    The Commission takes complaints from victims through a toll-free 
hotline, 1-877-ID THEFT (438-4338),\35\ and a secure online complaint 
form on its website, www.consumer.gov/idtheft. In addition, the FTC 
provides advice on recovery from identity theft. Callers to the hotline 
receive telephone counseling from specially trained personnel who 
provide general information about identity theft and help guide victims 
through the steps needed to resolve the problems resulting from the 
misuse of their identities.\36\ Victims are currently advised to:\37\ 
(1) obtain copies of their credit reports from the three national 
consumer reporting agencies and have a fraud alert placed on their 
credit reports;\38\ (2) contact each of the creditors or service 
providers where the identity thief has established or accessed an 
account, to request that the account be closed and to dispute any 
associated charges; and (3) report the identity theft to the police and 
get a police report, which is very helpful in demonstrating to would-be 
creditors and debt collectors that the consumers are genuine victims of 
identity theft.
---------------------------------------------------------------------------
    \35\ The Commission has a separate toll-free line (877-FTC-HELP) to 
serve those with general consumer protection complaints.
    \36\ Spanish speaking counselors are available for callers who 
select the Spanish-language option on the toll-free line.
    \37\ As the relevant provisions of FACTA become effective, the 
Commission will update its advice to victims on their new rights and 
procedures for recovery.
    \38\ These fraud alerts indicate that the consumer is to be 
contacted before new credit is issued in that consumer's name.
---------------------------------------------------------------------------
    Counselors also advise victims having particular problems about 
their rights under relevant consumer credit laws including the 
FCRA,\39\ the Fair Credit Billing Act,\40\ the Truth in Lending 
Act,\41\ and the Fair Debt Collection Practices Act.\42\ If another 
federal agency can assist victims because the nature of the victims' 
identity theft falls within such agency's jurisdiction, callers also 
are referred to those agencies.
---------------------------------------------------------------------------
    \39\ 15 U.S.C.  1681 et seq.
    \40\ Id.  1666. The Fair Credit Billing Act generally applies to 
``open end'' credit accounts, such as credit cards, revolving charge 
accounts, and overdraft checking accounts. It does not cover 
installment contracts, such as loans or extensions of credit that are 
repaid on a fixed schedule.
    \41\ Id.  1601 et seq.
    \42\ Id.  1692 et seq.
---------------------------------------------------------------------------
    The FTC's identity theft website, located at www.consumer.gov/
idtheft, provides equivalent service for those who prefer the immediacy 
of an online interaction. The site contains a secure complaint form, 
which allows victims to enter their identity theft information into the 
Clearinghouse. Victims also immediately can read and download all of 
the resources necessary for reclaiming their credit record and good 
name, including the FTC's tremendously successful consumer education 
booklet, Identity Theft: When Bad Things Happen to Your Good Name.\43\ 
The 26-page booklet, now in its fourth edition, comprehensively covers 
a range of topics, including the first steps to take for victims and 
how to correct more intensive credit-related problems that may result 
from identity theft. It also describes other federal and state 
resources that are available to victims who may be having particular 
problems as a result of the identity theft. The FTC alone has 
distributed more than 1.3 million copies of the booklet since its 
release in February 2000, and recorded over 1.4 million visits to the 
Web version.\44\
---------------------------------------------------------------------------
    \43\ Identity Theft: When Bad Things Happen to Your Good Name and 
the secure complaint form are available in Spanish.
    \44\ Other government agencies, including the Social Security 
Administration, the SEC, and the FDIC also have printed and distributed 
copies of Identity Theft: When Bad Things Happen to Your Good Name.
---------------------------------------------------------------------------
B. The Identity Theft Data Clearinghouse
    One of the primary purposes of the Identity Theft Act was to enable 
criminal law enforcement agencies to use a single database of victim 
complaints to support their investigations. To ensure that the database 
operates as a national clearinghouse for complaints, the FTC accepts 
complaints from external sources such as other state or federal 
agencies as well as directly from consumers through its call center and 
online complaint form. For example, in February 2001, the Social 
Security Administration Office of Inspector General (SSA-OIG) began 
providing the FTC with complaints from its fraud hotline, significantly 
enriching the FTC's database.
    The Clearinghouse provides a picture of the nature, prevalence, and 
trends of the identity theft victims who submit complaints. The 
Commission publishes annual charts showing the prevalence of identity 
theft complaints by states and by cities.\45\ Law enforcement and 
policy makers at all levels of government use these reports to better 
understand the challenges identity theft presents.
---------------------------------------------------------------------------
    \45\ Charts that summarize data from the Clearinghouse can be found 
at http://www.consumer.gov/idtheft/stats.html and http://
www.consumer.gov/sentinel/index.html.
---------------------------------------------------------------------------
    Since the inception of the Clearinghouse in July of 2000, more than 
970 law enforcement agencies, from the federal to the local level, have 
signed up for secure online access to the database. Individual 
investigators within those agencies have the ability to access the 
system from their desktop computers 24 hours a day, seven days a week.
    The Commission actively encourages even greater use of the 
Clearinghouse. Beginning in 2002, in an effort to further expand the 
use of the Clearinghouse among law enforcement, the FTC, in cooperation 
with the Department of Justice, the United States Postal Inspection 
Service, and the United States Secret Service, initiated full day 
identity theft training seminars for state and local law enforcement 
officers. To date, seminars have been held in Washington, D.C., Des 
Moines, Chicago, San Francisco, Las Vegas, Dallas, Phoenix, New York 
City, Seattle, San Antonio, Orlando, and Raleigh. The FTC also helped 
the Kansas and Missouri offices of the U.S. Attorney and State Attorney 
General conduct a training seminar in Kansas City. More than 1500 
officers have attended these seminars, representing more than 600 
different agencies. Future seminars are being planned for additional 
cities.
     The FTC staff also developed an identity theft case referral 
program.\46\ The staff creates preliminary investigative reports by 
examining significant patterns of identity theft activity in the 
Clearinghouse and refining the data through the use of additional 
investigative resources. Then the staff refers the investigative 
reports to appropriate Financial Crimes Task Forces and other law 
enforcers throughout the country for further investigation and 
potential prosecution. The FTC is aided in this work by its federal law 
enforcement partners including the United States Secret Service, the 
Federal Bureau of Investigation, and the United States Postal 
Inspection Service who provide staff and other resources. Recently, an 
FBI analyst has worked intensively with the Clearinghouse complaints, 
using sophisticated analytical software to find related complaints and 
combine the information with other data sources available to the FBI.
---------------------------------------------------------------------------
    \46\ The referral program complements the regular use of the 
database by all law enforcers from their desktop computers.
---------------------------------------------------------------------------
C. Outreach and Education
    The Identity Theft Act also directed the FTC to educate consumers 
about identity theft. Recognizing that law enforcement and private 
industry each play an important role in helping consumers both to 
minimize their risk and to recover from identity theft, the FTC 
expanded its outreach and education mission to include these sectors.

          (1) Consumers: The FTC has taken the lead in the development 
        and dissemination of comprehensive consumer education materials 
        for victims of identity theft and those concerned with 
        preventing this crime. The FTC's extensive consumer and 
        business education campaign includes print and online 
        materials, media mailings, and radio and television interviews. 
        The FTC also maintains the identity theft website, 
        www.consumer.gov/idtheft, which includes the publications and 
        links to testimony, reports, press releases, identity theft-
        related state laws, and other resources.
          To increase awareness for the average consumer and provide 
        tips for minimizing the risk of identity theft, the FTC 
        developed a new primer on identity theft, ID Theft: What's It 
        All About?.\47\ Taken together with the detailed victim 
        recovery guide, Identity Theft: When Bad Things Happen to Your 
        Good Name, the two publications help to educate consumers.
---------------------------------------------------------------------------
    \47\ Since its release in May 2003, the FTC has distributed almost 
554,000 paper copies and over 75,000 web versions, and developed a 
Spanish version.
---------------------------------------------------------------------------
          (2) Law Enforcement: Because law enforcement at the state and 
        local level can provide significant practical assistance to 
        victims, the FTC places a premium on outreach to such agencies. 
        In addition to the training described previously (see infra 
        Section V.B), the staff joined with North Carolina's Attorney 
        General Roy Cooper to send letters to every other Attorney 
        General about the FTC's identity theft program and how each 
        Attorney General could use the resources of the program to 
        better assist residents of his or her state. Other outreach 
        initiatives include: (i) Participation in a ``Roll Call'' video 
        produced by the Secret Service, which has been sent to 
        thousands of law enforcement departments across the country to 
        instruct officers on identity theft, investigative resources, 
        and assisting victims; and (ii) the redesign of the FTC's 
        website to include a section for law enforcement with tips on 
        how to help victims as well as resources for investigations.
          (3) Industry: The private sector can help with the problem of 
        identity theft in several ways. From prevention through better 
        security and authentication, to helping victims recover, 
        businesses play a key role in reducing the impact of identity 
        theft.
        (a) Information Security Breaches: The FTC works with 
            institutions that maintain personal information to identify 
            ways to help keep that information safe from identity 
            theft.\48\ In 2002, the FTC invited representatives from 
            financial institutions, credit issuers, universities, and 
            retailers to an informal roundtable discussion of how to 
            prevent unauthorized access to personal information in 
            employee and customer records.
---------------------------------------------------------------------------
    \48\ The Commission also has law enforcement authority relating to 
information security. In addition to developing the Disposal Rule 
pursuant to FACTA, see supra Section IV, the Commission also is 
responsible for enforcing its GLBA Safeguards Rule, which requires 
financial institutions under the FTC's jurisdiction to develop and 
implement appropriate physical, technical, and procedural safeguards to 
protect customer information. FTC Safeguards Rule, 16 C.F.R.  314.1 
(2002). In brief, the Safeguards Rule requires financial institutions 
to develop a written information security plan that includes certain 
elements that are basic to security.
    In the past few years, the FTC has also brought enforcement actions 
against four companies that the Commission alleged made false promises 
about securing sensitive consumer information, in violation of Section 
5 of the FTC Act. 15 U.S.C.  45(a) These actions resulted in 
settlements with those companies that collected sensitive information 
from consumers while making such promises. Those actions arise out of 
the Commission's finding that these companies' security measures were 
inadequate and their information security claims therefore were 
deceptive. See, e.g., In re Microsoft Corp., FTC Dkt. C-4069, Final 
Decision and Order available at http://www.ftc.gov/os/2002/12/
microsoftdecision.pdf (Dec. 20, 2002).
---------------------------------------------------------------------------
        As awareness of the FTC's role in identity theft has grown, 
            businesses and organizations that have suffered compromises 
            of personal information have begun to contact the FTC for 
            assistance.\49\ To provide standardized assistance in these 
            types of cases, the FTC developed a kit, Information 
            Compromise and the Risk of Identity Theft: Guidance for 
            Your Business, that is available on the identity theft 
            website.The kit provides advice on contacting consumers, 
            law enforcement agencies, business contact information for 
            the three major credit reporting agencies, information 
            about contacting the FTC for assistance, and a detailed 
            explanation of what information individuals need to know to 
            protect themselves from identity theft.
---------------------------------------------------------------------------
    \49\ See, e.g. the incidents involving TriWest (Adam Clymer, 
Officials Say Troops Risk Identity Theft After Burglary, N.Y. Times, 
Jan. 12, 2003,  1 (Late Edition), at 12) and Ford/Experian (Kathy M. 
Kristof and John J. Goldman, 3 Charged in Identity Theft Case, LA 
Times, Nov. 6, 2002, Main News, Part 1 (Home Edition), at 1).
---------------------------------------------------------------------------
        (b) Victim Assistance: Identity theft victims may spend 
            substantial time and effort restoring their good names and 
            financial records. As a result, the FTC devotes substantial 
            resources to conducting outreach with the private sector on 
            ways to improve victim assistance procedures. One such 
            initiative arose from the burdensome requirement that 
            victims complete a different fraud affidavit for each 
            different creditor with whom the identity thief had opened 
            an account.\50\ To reduce that burden, the FTC worked with 
            industry and consumer advocates to create a standard form 
            for victims to use in resolving identity theft debts. From 
            its release in August 2001 through April 2004, the FTC has 
            distributed more than 293,000 print copies of the ID Theft 
            Affidavit. There have also been nearly 557,000 hits to the 
            Web version. The affidavit is available in both English and 
            Spanish.
---------------------------------------------------------------------------
    \50\ See ID Theft: When Bad Things Happen to Your Good Name: 
Hearing Before the Subcomm. on Technology, Terrorism and Government 
Information of the Senate Judiciary Comm. 106th Cong. (2000) 
(statement of Mrs. Maureen Mitchell, Identity Theft Victim).
---------------------------------------------------------------------------
VI. CONCLUSION
    Identity theft places substantial costs on individuals and 
businesses. The Commission looks forward to working with businesses on 
better ways for them to protect the valuable information of consumers 
with which they are entrusted as well as other means of preventing 
identity theft. The Commission anticipates that as the new provisions 
of FACTA take effect, they will further help to reduce identity theft 
as well as its impact on victims.

                                 

    Chairman SHAW. Thank you, Mr. Beales, and we appreciate 
your time that you are able to spend with us. Mr. O'Carroll.

 STATEMENT OF PATRICK P. O'CARROLL, ACTING INSPECTOR GENERAL, 
                 SOCIAL SECURITY ADMINISTRATION

    Mr. O'CARROLL. Good morning, Mr. Chairman, Mr. Cardin, and 
Members of this Committee. Thank you for inviting me here today 
to discuss SSN misuse and H.R. 2971. As we were all paying our 
respects to President Ronald Reagan last week, I couldn't help 
recalling that his signing of the Inspector General Act made 
our work possible.
    It is because the SSN is so heavily relied upon as an 
identifier, it is a valuable commodity for lawbreakers. I will 
focus today on SSN misuse, homeland security and identity 
theft, and what more needs to be done to insure the integrity 
of the SSN. While financial crimes involving SSN misuse are 
more numerous than terrorism-related crimes, the potential 
threat to homeland security nevertheless justifies intense 
concern. Our primary mission is to protect the integrity of SSA 
programs and operations, and because of that we focus 
investigative efforts on cases affecting SSN integrity. We 
investigate and arrest suspects for fraud against Social 
Security programs and crimes involving SSN misuse.
    In our homeland security and identity theft responsibility, 
we work closely with other Federal agencies participating in 63 
joint terrorism task forces and 29 antiterrorism advisory 
councils. We recently met with the U.S. Department of Homeland 
Security to discuss methods in which we could work together to 
address the SSN's critical role at critical infrastructure 
sites. We have begun staffing an SSN Integrity Protection Team 
that combines the talents of auditors, investigators and 
attorneys.
    My office is working closely with this Subcommittee and the 
SSA to strengthen controls over enumeration, to ensure the 
integrity of identification documents and to make SSN fraud as 
difficult as possible. Together with you and with SSA, we have 
made important strides in reducing enumeration vulnerabilities. 
Still, we believe the SSA should implement the following 
changes: establish a reasonable threshold for the number of 
replacement SSN cards an individual may obtain during a year 
and over a lifetime to continue to address identified 
weaknesses within the information security environment; verify 
birth records before issuing SSNs to citizens under the age of 
1; and to incorporate additional controls in the SSA's 
Enumeration-at-Birth process.
    We have conducted numerous audits and made extensive 
recommendations to the SSA to improve the SSN misuse problem in 
the earnings reporting area, and, most importantly, to improve 
controls over SSN misuse as it pertains to homeland security. 
We believe SSA and lawmakers should examine the feasibility of 
the following initiatives: to limit public SSN availability to 
the greatest extent practicable without unduly limiting 
commerce; to enact strong enforcement mechanisms and stiffer 
penalties for SSN misuse; cross-verify legitimate databases 
that use the SSA as a key data element; and review the 
implications of releasing information on deceased individuals.
    We believe new legislation should prohibit the sale of 
SSNs, including one's own, on the open markets; to limit the 
use of the SSN to appropriate and legitimate transactions; and 
to prohibit using SSNs as student or patient identification 
numbers or as part of car rental contracts or video rentals; 
and to enhance penalties for those few SSA employees who assist 
criminals in obtaining SSNs. We support legislation such as 
H.R. 2971, which severely limits the sale, purchase, and 
display of SSNs to the general public. We also believe 
legislation such as H.R. 1731, the Identity Theft Penalty 
Enhancement Act, is a significant step toward holding 
accountable individuals who misuse SSNs to commit egregious 
crimes. Over the past years we have made progress protecting 
SSN integrity. We stand ready to do more. I would now be happy 
to answer any questions you may have. Thank you.
    [The prepared statement of Mr. O'Carroll follows:]
  Statement of Patrick P. O'Carroll, Acting Inspector General, Social 
                        Security Administration
    Good Morning, Mr. Chairman, Mr. Matsui, and members of the 
Subcommittee. Let me first thank you for the invitation to be here 
today for this important hearing to discuss the pervasive problem of 
Social Security number (SSN) misuse and the Committee's proposed 
legislation to protect the privacy of SSNs, the Social Security Number 
Privacy and Identity Theft Prevention Act of 2003 (H.R. 2971).
The SSN as a National Identifier
    I would like to begin my testimony today with a simple declaration: 
The SSN is a national identifier. In past years, many would challenge 
that statement. Today, we live in a changed world, and the SSN's role 
as a national identifier is a recognized fact. Unfortunately, with that 
knowledge, we must also accept that because the SSN is so heavily 
relied upon as an identifier, it is a valuable commodity for 
lawbreakers. Given the importance of this unique, nine-digit number and 
the tremendous risk associated with its misuse, one of the most 
important responsibilities my office undertakes each day is oversight 
of SSN integrity. Today I would like to focus my testimony on how the 
SSN is misused to commit crimes, my office's role in addressing 
homeland security and identity theft and what more needs to be done to 
ensure the integrity of the SSN.
Misuse of the SSN to Commit Crimes
    While financial crimes involving SSN misuse are more numerous than 
terrorism-related crimes, the potential threat to homeland security 
nevertheless justifies intense concern. An SSN allows an individual to 
assimilate themselves into U.S. society. SSNs, therefore, become 
valuable tools for terrorists or others who wish to live in the United 
States and operate under the ``radar screen.'' Such individuals may 
obtain SSNs by purchasing them, creating them, stealing them, utilizing 
the SSN of a deceased individual or obtaining them from SSA directly 
through the use of falsified documents. Once an individual has an SSN, 
he has the ability to work, buy a home, and engage in a wide range of 
financial transactions including the raising and transferring of funds.
    I am also concerned about the escalating occurrences of identity 
theft, which is the fastest-growing form of white-collar crime in the 
United States. In September 2003, the Federal Trade Commission (FTC) 
released a survey showing that 27.3 million Americans were victims of 
identity theft between 1998 and 2003--including 9.9 million people in 
the study's final year. FTC also reported that during the study's final 
year, losses to businesses and financial institutions totaled nearly 
$48 billion and consumer victims reported $5 billion in out-of-pocket 
expenses. Clearly, this is an epidemic that must be brought under 
control.
    Identity theft is an ``enabling'' crime, one that facilitates other 
types of crime, ranging from passing bad checks and defrauding credit 
card companies to committing acts of terrorism. Additionally, criminals 
use identity theft to defraud Federal agencies and programs of millions 
of dollars.
    For example, based on an investigation conducted by our Atlanta 
Field Division, a St. Petersburg, Florida resident was recently 
sentenced to 27 months of incarceration and ordered to make restitution 
to SSA for over $79,000 in survivors benefits she received for herself 
and three nonexistent children. To perpetrate this scheme, the 
individual assumed the identity of a former acquaintance by obtaining a 
North Carolina identification card in her friend's name. With this new 
identity, she used fraudulent birth certificates to apply for SSNs on 
behalf of two fictitious children. She also altered court marriage and 
divorce documents, falsely claiming that a known deceased man was her 
ex-husband and the fictitious children's father. She perpetrated this 
elaborate scheme so that she could apply for and receive Social 
Security survivors benefits for the fictitious children--and, until 
caught, was successful in doing so. Further investigation revealed that 
she had previously committed a similar crime resulting in additional 
survivors benefits for herself and another fictitious child.
    Other Federal agencies such as the Department of Housing and Urban 
Development (HUD) have also experienced a significant increase in the 
number of identity theft occurrences in their programs. Within programs 
administered by HUD, identity thieves are using someone else's SSN to 
obtain and then default on home mortgages--leaving taxpayers to pay 
their bills.
    For those with an illicit motive, an SSN can be obtained in many 
ways:

      Presenting false documentation to SSA.
      Stealing another person's SSN.
      Purchasing an SSN on the black market.
      Using the SSN of a deceased individual.
      Creating a nine-digit number out of thin air.

    Although SSA may never be able to completely prevent individuals 
from purchasing an SSN on the black market or stealing the SSN of 
another, we are proud that our efforts are making it more difficult to 
do so.
Our Role in Addressing Homeland Security and Identity Theft
    Recognizing the importance of SSNs to terrorists and identity 
thieves, SSA and the OIG take very seriously our responsibility to 
ensure that these numbers are only issued to those with a legal reason 
for having one. As such, we continuously seek innovative ways to 
prevent SSN misuse and create collaborative partnerships with other 
Federal, State, and local entities to address both homeland security 
and identity theft concerns.
OIG Homeland Security Activities:
    Our active involvement in addressing homeland security began on 
September 11, 2001, with our agents assisting in rescue efforts and 
site security at the World Trade Center. We immediately assigned 
supervisors and agents to the FBI Command Centers in New York City and 
New Jersey to process information and investigate leads. The Inspector 
General ordered all Field Divisions to assist in Joint Terrorism Task 
Forces (JTTF) and Anti-Terrorism Task Forces (ATTF) around the 
country--in fact, we are now active participants in 63 Joint Terrorism 
Task Forces and 29 Anti-Terrorism Task Forces, as well as the Foreign 
Terrorist Tracking Task Force.
    While participating in these task forces, our agents have assisted 
in better securing many of our Nation's airports and nuclear facilities 
by ensuring that employees and individuals having access to secure 
areas within these locations are working under their true names and 
SSNs. Further, as part of its anti-terrorism activities in the Buffalo 
area, our New York Field Division investigated six men from neighboring 
Lackawanna suspected of terrorist-related activities. Our investigators 
determined the identities of the ``Lackawanna Six'' and their 
attendance and participation in an al Qaeda terrorist training camp in 
Afghanistan. One suspect had two Social Security cards in his 
possession at the time of his arrest. All six suspects pleaded guilty 
to providing material support or resources to designated foreign 
terrorist organizations and received sentences of 7 to 10 years in 
prison.
    In carrying out our homeland security responsibility, we coordinate 
closely with other Federal agencies. For example, we recently met with 
representatives of the Department of Homeland Security (DHS) to discuss 
methods in which we could work together to address the SSN's role in 
homeland security. We welcome this opportunity and believe cooperative 
ventures such as these are imperative to ensure that all of the links 
in the homeland security chain stay connected. Based on our initial 
discussions, we plan to work with DHS to explore possible data matching 
and cross-verification opportunities--those that are currently provided 
for under law and those for which additional legislation may be 
required.
OIG Identity Theft Activities:
    By law and by mission, our office has a narrow but important role 
in the overall effort to address identity theft. Much of the Federal 
government's response to identity theft issues rightly belongs to the 
FTC. State and local law enforcement agencies and financial 
institutions also have critical roles to play.
    Because our primary mission is to protect the integrity of SSA's 
programs and operations, in the majority of our identity theft 
investigations, we continue to focus investigative efforts on cases 
that affect SSN integrity. For example, our Chicago Field Division took 
part in a 3-day inter-agency undercover operation that resulted in the 
arrest of 12 suspects dealing in fraudulently obtained Social Security 
cards, State driver's licenses, and U.S. passports. Our investigators 
determined that the group's leader and 11 others took part in an 
elaborate document-counterfeiting scheme to obtain valid SSNs for non-
existent children. The names belonged to undocumented noncitizens who 
paid up to $5,000 each for valid documents. Members of the group were 
sentenced to up to 2 years in prison or given immunity from prosecution 
for their cooperation in the undercover sting.
    To maximize our investigative resources, we dedicate agents that 
work on task forces with other law enforcement agencies nationwide to 
investigate identity crimes. We also work closely with prosecutors to 
bundle SSN misuse cases that, when presented separately, may not have 
been accepted for prosecution.
    We are also continuing our efforts to identify opportunities for 
SSA to further strengthen the integrity of the SSN. One of my major 
concerns has been the use of fraudulent documents to obtain SSNs. In an 
August 2002 audit, we estimated that during FY 2000, SSA assigned at 
least 63,000 SSNs to noncitizens based on invalid immigration documents 
that SSA processes did not detect. Based on our recommendation, SSA 
improved its controls in this area and now verifies all immigration 
documents presented by noncitizens with the issuing agency before 
assigning an SSN. We believe SSA's decision to adopt our recommendation 
was laudable and significantly reduced the circumstances under which an 
unauthorized noncitizen may obtain a legitimate SSN from the Agency. We 
are currently examining the Agency's compliance with this and other 
enumeration controls. Additionally, we continue to explore and 
recommend further controls the Agency can implement to strengthen SSA's 
important responsibility of assigning SSNs.
SSN Integrity Protection Team:
    Protecting the integrity of the SSN has become a major part of the 
work we do. The President's Fiscal Year 2004 Budget enabled us to begin 
staffing our SSN Integrity Protection Team to combat SSN misuse and 
identity theft. The Team is an integrated model that combines the 
talents of auditors, investigators and attorneys in a comprehensive 
approach, allowing SSA and OIG to:

      Support Homeland Security.
      Identify patterns and trends of SSN misuse.
      Locate systemic weaknesses that contribute to SSN misuse 
such as in the enumeration and earnings related processes.
      Recommend legislative or other corrective actions to 
enhance the SSN's integrity.
      Pursue criminal and civil enforcement provisions for 
individuals misusing SSNs.

    Our SSN Integrity Protection Team will enable us to better target 
audit and investigative work. The Team will participate with other 
Federal, State and local entities to collaborate on potential SSN 
misuse activities. It is critical that we continue to receive funding 
in future budgets for this important initiative.
SSA Initiatives to Address SSN Integrity:
    SSA has made significant progress in strengthening the defenses of 
the SSN, implementing important suggestions our office has made, and 
working with us to find solutions. In November 2001, the Commissioner 
of Social Security established an Enumeration Response Team (ERT) 
comprised of executives across the Agency, including representatives 
from the OIG. The Commissioner charged this group with identifying 
steps the Agency could take to improve the enumeration process and to 
enhance the integrity of the SSN. Since that time, the Commissioner and 
the ERT have implemented numerous policies and procedures designed to 
better ensure that only individuals authorized to do so, receive an 
SSN. For example, the ERT recommended, and SSA adopted, more stringent 
circumstances under which an individual may obtain a nonwork SSN. We 
are proud to serve on workgroups such as these and applaud the 
Commissioner and SSA for its strong commitment to improving SSN 
integrity.
    Prior to the ERT, the Agency implemented other initiatives such as 
the Comprehensive Integrity Review Process (CIRP) and Enumeration at 
Entry process. The CIRP system identifies vulnerabilities in the 
enumeration process and issues alerts to SSA's field offices (FO) to 
develop and certify. The FO reviewer, usually a manager or supervisor, 
performs an enumeration integrity review of each alert. If the reviewer 
determines that there is a possibility of fraud, the alert is forwarded 
to the OIG for development and disposition.
    The Enumeration at Entry initiative is a collaboration with the 
Department of Homeland Security (DHS) and the Department of State (DOS) 
to not only facilitate issuance of SSNs to legally admitted aliens 
whose immigration status permits such issuance, but it ensures through 
DHS and DOS certifications that the identity and immigration status of 
the alien is what is purported.
What Actions Still Need to Be Taken to Address SSN Misuse
    Despite the significant progress SSA and Congress have made in 
recent years to address SSN misuse, we believe SSN integrity and 
protection still need improvement at three stages: at issuance, during 
the life of the number-holder, and following the number-holder's death.
    At Stage One (issuance of the SSN), my office is doing more work 
than ever, working closely with this Subcommittee and SSA to strengthen 
controls over the enumeration process, ensure the integrity of 
identification documents, and make it as difficult as possible to 
fraudulently obtain an SSN from the Federal government. Together with 
you and with SSA, we have made important strides in reducing 
enumeration vulnerabilities, and that effort continues. Still, to 
strengthen our defenses even further, we believe SSA should implement 
the following changes.

      Establish a reasonable threshold for the number of 
replacement SSN cards an individual may obtain during a year and over a 
lifetime.
      Continue to address identified weaknesses within the 
enumeration process to better safeguard SSNs.
      Verify the validity of birth records with the issuing 
State before issuing an SSN to U.S. citizens under age 1.
      Work with State Bureaus of Vital Statistics to 
incorporate additional controls in SSA's Enumeration-at-Birth program, 
such as periodically reconciling the number of SSNs assigned through 
the program to the number of births reported by participating 
hospitals.

    It is at Stages Two (during the life of the number holder) and 
Three (after the number holder's death) where we have focused the 
majority of our efforts, and where we have made the most progress. In 
the last several years, we have conducted numerous audits and made 
extensive recommendations to SSA to improve the SSN misuse problem in 
the earnings reporting process, and most importantly, to improve 
controls over SSN misuse as it pertains specifically to Homeland 
Security. Nevertheless, to more completely address SSN integrity during 
the life of the number holder and following that number holder's death, 
we believe SSA and lawmakers should examine the feasibility of the 
following initiatives.

      Limiting the SSN's public availability to the greatest 
extent practicable, without unduly limiting commerce.
      Prohibiting the sale of SSNs, prohibiting their display 
on public records, and limiting their use to legitimate transactions.
      Enacting strong enforcement mechanisms and stiffer 
penalties to further discourage SSN misuse.
      Cross-verifying all legitimate databases that use the SSN 
as a key data element.
      Review the implications of releasing information on 
deceased individuals.
Limiting the SSN's Public Availability and Sale of the SSN
    Perhaps the most important step we can take in preventing SSN 
misuse is to limit the SSN's easy availability. We believe legislation 
designed to protect the SSN must strictly limit the number's 
availability on public documents. As long as criminals can walk into 
the records room of a courthouse or local government building and walk 
out with names and SSNs culled from public records, it will be 
extremely difficult to reverse the trend. We believe effective 
legislation should also specifically prohibit the sale of SSNs--
including one's own SSN--on the open market. As long as criminals can 
buy a list of names and SSNs through an Internet auction, we will 
continue to be plagued by the consequences.
    To be fully effective, we also believe legislation must limit the 
use of the SSN to appropriate and valid transactions. The financial 
industry relies on the SSN, and no one is suggesting that we change the 
way legitimate business is conducted in the United States. But the use 
of the SSN as a student or patient identification number, as part of a 
car rental contract or to rent a video, must be curtailed.
    Congress enacted the Identity Theft and Assumption Deterrence Act 
in 1998, responding to the growing epidemic of identity thefts by 
imposing criminal sanctions for those who create a false identity or 
misappropriate someone else's. The Internet False Identification 
Prevention Act, adopted in 2000, closed a loophole left by the earlier 
legislation, enabling our office and other law enforcement 
organizations to pursue vendors who previously could sell counterfeit 
Social Security cards legally by maintaining the fiction that such 
cards were ``novelties'' rather than counterfeit documents. More 
legislative tools are needed, and we have worked with Congress to 
identify legislation necessary to protect the integrity of the SSN. For 
example, the House is now considering H.R. 2971, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2003, which would 
seriously restrict the use of SSNs in the private and public sector, 
and criminalize the sale of SSNs.
Penalties
    The Identity Theft legislation I discussed earlier provides 
criminal penalties, but those penalties were designed for broader 
crimes involving Social Security cards and/or SSNs, not for SSN misuse 
itself. We believe legislation should not only provide criminal 
penalties in the Social Security Act, but also enhance penalties for 
those few SSA employees who betray the public trust and assist 
criminals in obtaining SSNs.
    For example, a former SSA Service Representative was sentenced to 3 
years probation and community service after pleading guilty to a 
bribery charge in connection with issuing 100 to 200 Social Security 
cards to illegal aliens. She received between $50 and $150 for each 
card. We believe it is critically important to send a strong message to 
SSA employees tempted to facilitate crimes against Agency programs by 
pursuing the maximum sentence possible.
    The House Committee on the Judiciary recently approved H.R. 1731, 
the Identity Theft Penalty Enhancement Act, which established enhanced 
penalties for aggravated identity theft. While increased criminal 
penalties are a welcomed addition to the arsenal available for use in 
combating identity theft, we also believe legislation should provide an 
administrative safety net in the form of Civil Monetary Penalties to 
allow for some form of relief when criminal prosecution is not 
available for SSN misuse and other Social Security-related crimes.
Cross-verification
    Additionally, we strongly support cross-verification of SSNs 
through both governmental and private sector systems of records to 
identify and address inaccuracies. Our experience has shown that cross-
verification can combat and limit the spread of false identification 
and SSN misuse. Further, we believe all law enforcement agencies should 
be provided the same SSN cross-verification capabilities currently 
granted to employers. In doing so, the law enforcement community would 
use data already available to the Federal, State and local governments 
and the financial sector.
    Potentially, the rewards of cross-verification can be great, yet it 
would not require major expenditures of money or the creation of new 
offices or agencies. We believe legislation is needed to require 
mandatory cross-verification of identification data between 
governmental, financial and commercial holders of records and the SSA 
on a recurring basis. To offset SSA's cost for providing such services, 
the Agency could charge a modest fee to commercial and financial 
entities. The technology to accomplish these data matches and 
verifications exists now. Coupled with steps already underway by SSA to 
strengthen the integrity of its enumeration business process, cross-
verification, once initiated, would be a critical step in combating the 
spread of identity fraud.
    Let me give you an example of an identity theft case in which 
cross-verification may have prevented a crime against a Federal 
government program, saving taxpayers $62,000. A Salt Lake City 
grandmother learned last year from one of my Denver Field Division 
agents that her SSN was used to purchase a $146,000 HUD home. This 
identity theft went undiscovered until the home went into foreclosure 
because the criminals used this grandmother's SSN, but another name to 
purchase the home. Had HUD been allowed to verify the accuracy of the 
borrower's name and SSN with SSA, HUD would have recognized the 
discrepancy and denied the loan. In this one case alone, the Government 
would have saved the thousands of program dollars HUD had to pay to 
foreclose and resell the property. Additionally, this elderly Salt Lake 
City grandmother would have been spared the time and expense of 
repairing her credit record.
    We believe cross-verification is one of the most important tools 
the Government and private sector can employ to reduce the instances of 
identity theft. We understand the important issue of consumer privacy 
that must be considered by Congress and others before allowing such 
data integrity matches. However, our ability to prevent these egregious 
crimes would be enhanced by additional legislation balancing the need 
for consumer privacy with the need for accurate identifying 
information.
Conclusion
    We always appreciate the invitation to speak with this committee 
and the very important work you do to help ensure the integrity of SSA 
programs and the SSN. We are very pleased with the progress Congress 
and SSA have made in addressing the issue of SSN integrity over the 
last several years. However, we reiterate our concern that more must be 
done to ensure that only those individuals authorized to have an SSN 
receive one and that anyone who fraudulently obtains and misuses an SSN 
is adequately penalized. As such, we support legislation such as H.R. 
2971, the Social Security Number Privacy and Identity Theft Prevention 
Act of 2003, which severely limits the sale, purchase and display of 
SSNs to the general public. We also believe legislation such as H.R. 
1731, the Identity Theft Penalty Enhancement Act, is a significant step 
toward holding accountable individuals who misuse SSNs to commit 
egregious crimes. We encourage this Committee and others in Congress to 
stay firm in your resolve to enact these two bills.
    We also ask that Congress consider other measures such as increased 
cross-verification among Government and private sector entities, Civil 
Monetary Penalties for SSN misuse and other Social Security-related 
crimes when criminal prosecution is not available, and stronger 
penalties for those few SSA employees that betray the public trust by 
selling SSNs. We will certainly continue our vigilance in addressing 
these issues and stand ready to do more to enhance the safety and well-
being of all Americans. I would now be happy to answer any questions 
you may have.

                                 

    Chairman SHAW. Thank you. Ms. Bovbjerg.

   STATEMENT OF BARBARA D. BOVBJERG, DIRECTOR OF EDUCATION, 
WORKFORCE, AND INCOME SECURITY ISSUES, U.S. GENERAL ACCOUNTING 
                             OFFICE

    Ms. BOVBJERG. Thank you. Mr. Chairman, Members of the 
Subcommittee, good morning. I am pleased to be here today once 
again to discuss issues associated with the use and misuse of 
the SSN. The wide use of SSNs for non-Social Security purposes 
causes concern because these numbers, as these gentlemen have 
noted, are among the personal identifiers most often sought by 
identity thieves.
    Today I will present results of our completed and ongoing 
work on a variety of issues associated with the SSN. I would 
like to focus first on the private sector use of the SSN and 
the protections that companies apply, and then second on public 
sector uses and protections. My testimony is based on reports 
we have prepared for you over the last several years, and on 
ongoing work that focuses more specifically on SSNs in public 
records.
    Let me speak first about the SSN in the private sector. We 
reported to you in January that companies use the SSN for a 
variety of purposes, only some of which are restricted by law. 
Consumer reporting agencies and health care organizations have 
come to rely on the SSN as an identifier in the course of doing 
their business, like assessing credit risk or tracking patient 
care. These businesses often obtain SSNs from the individuals 
seeking their services, and the re-disclosure of these SSNs to 
others is restricted by Federal law.
    Some businesses that function as information resellers 
aggregate information, including SSNs, from various sources for 
resale. They obtain data from public records like bankruptcy 
proceedings, tax liens and voter registration rolls, and from 
private compilations like phone books. These businesses then 
resell this information to a variety of customers. The 
resellers we contacted told us that they generally limit their 
services to customers who establish accounts with them and with 
whom they have contracts that restrict the extent to which the 
data purchased can be re-disclosed. Many also say they truncate 
the SSN if they provide it at all. Indeed, Federal and State 
laws have apparently helped to control business display and 
distribution of personal information.
    At the Federal level, the Fair Credit Reporting Act (P.L. 
91-508), Gramm-Leach-Bliley, Health Insurance Portability and 
Accountability Act 1996 (HIPAA) (P.L. 104-191), among others, 
have controlled use, distribution and display of the SSN in 
specific industries. Several States, most notably California, 
have enacted laws restricting display and use of SSNs, and 
although limited to a particular State, these restrictions have 
caused private companies to alter their policies, in some cases 
nationwide. No law, however, restricts use and display of the 
SSN in all industries, in all locations, leaving the potential 
for misuse where protections are inadequate.
    Let me now turn to the public sector. As we have reported 
previously, Federal, States and county government agencies rely 
extensively on the SSN to maintain records with unique 
identifiers and to maintain program integrity. Although 
government agencies told us of various steps they take to 
safeguard the SSNs they use, we found that key protections are 
not uniformly in place, and that individual SSNs are still 
displayed on key public documents such as the Medicare card. We 
also found that some Federal agencies and many State and county 
agencies maintain public records that contain SSNs. Public 
records are documents routinely made available to the public 
for inspection, such as marriage licenses and property 
transactions.
    When we examined this issue 2 years ago, some public 
officials told us they were considering making such records 
available on their Web sites to enhance customer service. We 
expressed our concern then that such actions would create new 
opportunities for identity thieves to gather SSNs on a broad 
scale. We are currently conducting work for the Subcommittee to 
determine where and how SSNs most regularly appear in public 
records. Preliminary data suggest that SSNs most frequently 
appear in court records, land records, uniform commercial code 
filings, and professional licensing records. We are still 
analyzing the extent to which these records are available 
electronically. Interestingly, some of the government agencies 
we surveyed reported that although SSNs appeared in the public 
records they retain, they had no specific use for them.
    In conclusion, although SSNs are used for many beneficial 
purposes, the widespread use and retention of them in both the 
public and private sectors creates opportunities for identity 
theft. Although both government and private companies have 
strengthened their protections of personal data and have indeed 
reduced display of this information in the last several years, 
these actions are far from uniform and still leave troubling 
gaps.
    Reducing Americans' vulnerability to SSN misuse will 
require finding the balance between the benefits of SSN use and 
the costs of improved and more consistent protection. We look 
forward to continuing to work with this Subcommittee to 
identify vulnerabilities and to devise adequate and cost-
effective protections, and hope that these will serve the 
millions of Americans with SSNs. Thank you.
    [The prepared statement of Ms. Bovbjerg follows:]
Statement of Barbara D. Bovbjerg, Director of Education, Workforce, and 
         Income Security Issues, U.S. General Accounting Office
    Mr. Chairman and Members of the Subcommittee:
    I am pleased to be here today to discuss private and public sector 
entities' use of Social Security numbers (SSNs). Although the Social 
Security Administration (SSA) originally created SSNs as a means to 
track workers' earnings and eligibility for Social Security benefits, 
over time the SSN has come to be used for a myriad of purposes; 
individuals are frequently asked to supply personal information, 
including their SSNs, to both public and private sector entities. In 
addition, individuals' SSNs can be found in a number of public sources 
such as records displayed to the public. Given the uniqueness and broad 
applicability of the SSN, many private and public sector entities rely 
extensively on the SSN sometimes as a way to accumulate and identify 
information for their databases, sometimes to comply with federal 
regulations, and other times for various business purposes. The 
potential for misuse of the SSN has raised questions about how private 
and public sector entities obtain, use, and protect SSNs.
    Although Congress has passed a number of laws to protect the 
security of personal information, the continued use of and reliance on 
SSNs by both private and public sector entities underscores the 
importance of determining if appropriate safeguards are in place to 
protect individuals' private information or if enhanced protection of 
individuals' personal information is needed. Accordingly, you asked us 
to talk about how certain types of private and public sector entities 
obtain SSNs and what protections, if any, exist to govern their use. My 
remarks today will focus on describing (1) how private sector entities 
obtain, use, and protect SSNs and (2) public sector uses and 
protections.
    To determine how private sector entities obtain, use, and protect 
SSNs, we relied on our previous work that looked at how private sector 
entities obtain and use SSNs and the laws that limit disclosure of this 
use.\1\ To determine how the public sector uses and protects SSNs, we 
also relied on our previous work that looked at the government's use 
and protection of SSNs.\2\ We are currently conducting a survey of 
state and local agencies to determine the extent to which SSNs are 
displayed in public records, the types of records they are displayed 
in, and how those records are maintained. In addition, we are 
conducting structured interviews of federal agencies concerning the 
display of SSNs.
---------------------------------------------------------------------------
    \1\ U.S. General Accounting Office, Social Security Numbers: 
Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit 
the Disclosure of This Information, GAO-04-11 (Washington D.C.: January 
22, 2004).
    \2\ See U.S. General Accounting Office, Social Security Numbers: 
Government Benefits from SSN Use but Could Provide Better Safeguards, 
GAO-02-352 (Washington, D.C.: May 31, 2002).
---------------------------------------------------------------------------
    In summary, entities such as information resellers, consumer 
reporting agencies (CRAs), and health care organizations routinely 
obtain SSNs from their business clients and from public sources, such 
as marriage licenses, paternity determinations, and professional 
licenses. Businesses use SSNs for various purposes, such as to build 
databases, verify individuals' identities, or match existing 
records.\3\ Given the various types of services these companies offer, 
we found that all of these entities have come to rely on the SSN as an 
identifier, which they say helps them determine a person's identity for 
the purpose of providing the services they offer. However, certain 
federal laws have helped to limit the disclosures of personal 
information these private sector entities are allowed to make to their 
customers. Private sector entities are either subject to the laws 
directly, given the nature of their business, or indirectly, through 
their business clients who are subject to these laws. Some states have 
also enacted laws to restrict the private sector's use of SSNs. 
However, such restrictions vary by state.
---------------------------------------------------------------------------
    \3\ GAO-04-11 (Washington D.C.: January 2004).
---------------------------------------------------------------------------
    Public sector entities also rely extensively on SSNs. These 
agencies often obtain SSNs for compliance with federal laws and 
regulations and for their own agencies' purposes. We found that 
federal, state, and county government agencies rely extensively on the 
SSN to manage records, verify benefit eligibility, collect outstanding 
debt, conduct research and program evaluations, and verify information 
provided to state drivers' licensing agencies.\4\ Given that SSNs are 
often the identifier of choice among individuals seeking to create 
false identities, these agencies are taking steps to safeguard SSNs. 
Yet despite these actions, SSNs appear in records displayed to the 
public such as documents that record financial transactions or court 
documents. In our current work for this Subcommittee, we are looking at 
the storage, display, and protection of SSNs in public records. Our 
preliminary survey data show that the types of records mostly likely to 
contain SSNs and be made available to the general public by state 
government entities are court records, death records, Uniform 
Commercial Code (UCC) filings, and professional licensing records. In 
addition, our preliminary results show responding state offices 
reported over 35 instances where they had no specific use for 
collecting SSNs. In a previous report, we proposed that Congress 
consider developing a unified approach to safeguarding SSNs used in all 
levels of government and particularly those displayed in public 
records, and we continue to believe that this approach has merit.\5\
---------------------------------------------------------------------------
    \4\ GAO-02-352 (Washington D.C.: May 2002).
    \5\ GAO-02-352 (Washington D.C.: May 2002).
---------------------------------------------------------------------------
Background
    The Social Security Act of 1935 authorized SSA to establish a 
record-keeping system to help manage the Social Security program, and 
this resulted in the creation of the SSN. Through a process known as 
enumeration, unique numbers are created for every person as a work and 
retirement benefit record for the Social Security program. SSA 
generally issues SSNs to most U.S. citizens, and SSNs are also 
available to noncitizens lawfully admitted to the United States with 
permission to work. SSA estimates that approximately 277 million 
individuals currently have SSNs. The SSN has become the identifier of 
choice for government agencies and private businesses, and thus it is 
used for a myriad of non-Social Security purposes.
    The growth in the use of SSNs is important to individual SSN 
holders because these numbers, along with names and birth certificates, 
are among the three personal identifiers most often sought by identity 
thieves.\6\ In addition, SSNs are used as breeder information to create 
additional false identification documents, such as drivers' licenses. 
Recent statistics collected by federal agencies and CRAs indicate that 
the incidence of identity theft appears to be growing.\7\ The Federal 
Trade Commission (FTC), the agency responsible for tracking identity 
theft, reported that consumer fraud and identity theft complaints grew 
from 404,000 in 2002 to 516,740 in 2003. In 2003, consumers also 
reported losses from fraud of more than $437 million, up from $343 
million in 2002. In addition, identity crime account for over 80 
percent of SSN misuse allegations according to the SSA. Also, officials 
from two of the three national CRAs report an increase in the number of 
7-year fraud alerts placed on consumer credit files, which they 
consider to be reliable indicators of the incidence of identity 
theft.\8\ Law enforcement entities report that identity theft is almost 
always a component of other crimes, such as bank fraud or credit card 
fraud, and may be prosecuted under the statutes covering those crimes.
---------------------------------------------------------------------------
    \6\  United States Sentencing Commission, Identity Theft Final 
Alert (Washington, D.C.: Dec. 15, 1999).
    \7\ U.S. General Accounting Office, Identity Theft: Prevalence and 
Cost Appear to be Growing, GAO-02-363 (Washington, D.C.: Mar. 1, 2002).
    \8\ A fraud alert is a warning that someone may be using the 
consumer's personal information to fraudulently obtain credit. When a 
fraud alert is placed on a consumer's credit card file, it advises 
credit grantors to conduct additional identity verification before 
granting credit. The three consumer reporting agencies offers fraud 
alerts that can vary from 2 to 7 years at the discretion of the 
individual.
---------------------------------------------------------------------------
Private Sector entities Routinely Obtain and Use SSNs, and Certain Laws 
        Affect The Disclosure of This Information
    Private sector entities such as information resellers, CRAs, and 
health care organizations routinely obtain and use SSNs.\9\ Such 
entities obtain the SSNs from various public sources and their business 
clients wishing to use their services. We found that these entities 
usually use SSNs for various purposes, such as to build tools that 
verify an individual's identity or match existing records. Certain 
federal laws have limited the disclosures private sector entities are 
allowed to make to their customers, and some states have also enacted 
laws to restrict the private sector's use of SSNs.
---------------------------------------------------------------------------
    \9\ Information resellers, sometimes referred to as information 
brokers, are businesses that specialize in amassing consumer 
information that includes SSNs for informational services. CRAs, also 
known as credit bureaus, are agencies that collect and sell information 
about the creditworthiness of individuals. Health care organizations 
generally deliver their services through a coordinated system that 
includes health care providers and health plans, also referred to as 
health care insurers.
---------------------------------------------------------------------------
Private Sector Entities Obtain SSNs from Public and Private Sources and 
        Use SSNs for Various Purposes
    Private sector entities such as information resellers, CRAs, and 
health care organizations generally obtain SSNs from various public and 
private sources and use SSNs to help identify individuals. Of the 
various public sources available, large information resellers told us 
they obtain SSNs from various records displayed to the public such as 
records of bankruptcies, tax liens, civil judgments, criminal 
histories, deaths, real estate ownership, driving histories, voter 
registrations, and professional licenses. Large information resellers 
said that they try to obtain SSNs from public sources where possible, 
and to the extent public record information is provided on the 
Internet, they are likely to obtain it from such sources. Some of these 
officials also told us that they have people that go to courthouses or 
other repositories to obtain hard copies of public records. 
Additionally, they obtain batch files of electronic copies of all 
public records from some jurisdictions.
    Given the varied nature of SSN data found in public records, some 
reseller officials said they are more likely to rely on receiving SSNs 
from their business clients than they are from obtaining SSNs from 
public records. These entities obtain SSNs from their business clients, 
who provide SSNs in order to obtain a reseller's services or products, 
such as background checks, employee screening, determining criminal 
histories, or searching for individuals. Large information resellers 
also obtain SSN information from private sources. In many cases such 
information was obtained through review of data where a customer has 
voluntarily supplied information resellers with information about 
himself or herself. In addition, large reseller officials said they 
also use their clients' records in instances where the client has 
provided them with information.
    We also found that Internet-based resellers rely extensively on 
public sources and records displayed to the public. These resellers 
listed on their Web sites public information sources, such as 
newspapers, and various kinds of public record sources at the county, 
state, and national levels. During our investigation, we determined 
that once Internet-based resellers obtained an individual's SSN they 
relied on information in public records to help verify the individual's 
identity and amass information around the individual's SSN.
    Like information resellers, CRAs also obtain SSNs from public and 
private sources as well as from their customers or the businesses that 
furnish data to them. CRA officials said that they obtain SSNs from 
public sources, such as bankruptcy records, a fact that is especially 
important in terms of determining that the correct individual has 
declared bankruptcy. CRA officials also told us that they obtain SSNs 
from other information resellers, especially those that specialize in 
obtaining information from public records. However, SSNs are more 
likely to be obtained from businesses that subscribe to their services, 
such as banks, insurance companies, mortgage companies, debt collection 
agencies, child support enforcement agencies, credit grantors, and 
employment screening companies. Individuals provide these businesses 
with their SSNs for reasons such as applying for credit, and these 
businesses voluntarily report consumers' charge and payment 
transactions, accompanied by SSNs, to CRAs.
    We found that health care organizations were less likely to rely on 
public sources for SSN data. Health care organizations obtain SSNs from 
individuals themselves and from companies that offer health care plans. 
For example, subscribers or policyholders provide health care plans 
with their SSNs through their company or employer group when they 
enroll in health care plans. In addition to health care plans, health 
care organizations include health care providers, such as hospitals. 
Such entities often collect SSNs as part of the process of obtaining 
information on insured people. However, health care officials said 
that, particularly with hospitals, the medical record number rather 
than the SSN is the primary identifier.
    Information resellers, CRAs, and health care organization officials 
all said that they use SSNs to verify an individual's identity. Most of 
the officials we spoke to said that the SSN is the single most 
important identifier available, mainly because it is truly unique to an 
individual, unlike an individual's name and address, which can often 
change over an individual's lifetime. Large information resellers said 
that they generally use the SSN as an identity verification tool. Some 
of these entities have incorporated SSNs into their information 
technology, while others have incorporated SSNs into their clients' 
databases used for identity verification. For example, one large 
information reseller that specializes in information technology 
solutions has developed a customer verification data model that aids 
financial institutions in their compliance with some federal laws 
regarding ``knowing your customer.'' We also found that Internet-based 
information resellers use the SSN as a factor in determining an 
individual's identity. We found these types of resellers to be more 
dependent on SSNs than the large information resellers, primarily 
because their focus is more related to providing investigative or 
background-type services to anyone willing to pay a fee. Most of the 
large information resellers officials we spoke to said that although 
they obtain the SSN from their business clients, the information they 
provide back to their customers rarely contains the SSN. Almost all of 
the officials we spoke to said that they provide their clients with a 
truncated SSN, an example of which would be xxx-xx-6789.
    CRAs use SSNs as the primary identifier of individuals, which 
enables them to match the information they receive from their business 
clients with the information stored in their databases on 
individuals.\10\ Because these companies have various commercial, 
financial, and government agencies furnishing data to them, the SSN is 
the primary factor that ensures that incoming data is matched correctly 
with an individual's information on file. For example, CRA officials 
said they use several factors to match incoming data with existing 
data, such as name, address, and financial account information. If all 
of the incoming data, except the SSN, match with existing data, then 
the SSN will determine the correct person's credit file. Given that 
people move, get married, and open new financial accounts, these 
officials said that it is hard to distinguish among individuals. 
Because the SSN is the one piece of information that remains constant, 
they said that it is the primary identifier that they use to match 
data.
---------------------------------------------------------------------------
    \10\ We found that CRAs and information resellers can sometimes be 
the same entity, a fact that blurs the distinction between the two 
types of businesses but does not affect the use of SSNs by these 
entities. Five of the six large information resellers we spoke to said 
they were also CRAs. Some CRA officials said that information reselling 
constituted as much as 40 percent of CRAs' business.
---------------------------------------------------------------------------
    Health care organizations also use the SSN to help verify the 
identity of individuals. These organizations use SSNs, along with other 
information, such as name, address, and date of birth, as a factor in 
determining a member's identity. Health care officials said that health 
care plans, in particular, use the SSN as the primary identifier of an 
individual, and it often becomes the customer's insurance number. 
Health care officials said that they use SSNs for identification 
purposes, such as linking an individual's name to an SSN to determine 
if premium payments have been made. They also use the SSN as an online 
services identifier, as an alternative policy identifier, and for 
phone-in identity verification. Health care organizations also use SSNs 
to tie family members together where family coverage is used,\11\ to 
coordinate member benefits, and as a cross-check for pharmacy 
transactions. Health care industry association officials also said that 
SSNs are used for claims processing, especially with regard to 
Medicare. According to these officials, under some Medicare programs, 
SSNs are how Medicare identifies benefits provided to an individual.
---------------------------------------------------------------------------
    \11\ During the enrollment process, subscribers have a number of 
options, one of which is decided whether they would like single or 
family coverage. In cases where family coverage is chosen, the SSN is 
the key piece of information generally allowing the family members to 
be linked.
---------------------------------------------------------------------------
Certain Laws Limit the Private Sectors' Disclosure of Personal 
        Information That Includes SSNs
    Certain federal and state laws have placed restrictions on certain 
private sector entities use and disclosure of consumers' personal 
information that includes SSNs. Such laws include the Fair Credit 
Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Drivers 
Privacy Protection Act (DPPA), and the Health Insurance Portability and 
Accountability Act (HIPAA). As shown in table 1, the laws either 
restrict the disclosures that entities such as information resellers, 
CRAs, and health care organizations are allowed to make to specific 
purposes or restrict whom they are allowed to give the information to. 
Moreover, as shown in table 1, these laws focus on limiting or 
restricting access to certain personal information and are not 
specifically focused on information resellers. See appendix I for more 
information on these laws.

 Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure
                         of Personal Information
------------------------------------------------------------------------
               Federal Laws                         Restrictions
------------------------------------------------------------------------
Fair Credit Reporting Act                   Limits access to credit data
                                             that includes SSNs to those
                                             who have a permissible
                                             purpose under the law.
Gramm-Leach-Bliley Act                      Creates a new definition of
                                             personal information that
                                             includes SSNs and limits
                                             when financial institutions
                                             may disclose the
                                             information to non-
                                             affiliated third parties.
Drivers Privacy Protection Act              Prohibits obtaining and
                                             disclosing SSNs and other
                                             personal information from a
                                             motor vehicle record except
                                             as expressly permitted
                                             under the law.
Health Insurance Portability and            Protects the privacy of
 Accountability Act                          health information that
                                             identifies an individual
                                             (including by SSNs) and
                                             restricts health care
                                             organizations from
                                             disclosing such information
                                             to others without the
                                             patient's consent.
------------------------------------------------------------------------
Source: GAO analysis.

    We reviewed selected legislative documents of 18 states and found 
that at least 6 states have enacted their own legislation to restrict 
either the display or use of SSNs by the private sector.\12\ Notably, 
in 2001, California enacted Senate Bill (SB) 168, restricting private 
sector use of SSNs. Specifically, this law generally prohibits 
companies and persons from certain uses such as, posting or publicly 
displaying SSNs and printing SSNs on cards required to access the 
company's products or services. Furthermore, in 2002, shortly after the 
enactment of SB 168, California's Office of Privacy Protection 
published recommended practices for protecting the confidentiality of 
SSNs. These practices were to serve as guidelines to assist private and 
public sector organizations in handling SSNs.
---------------------------------------------------------------------------
    \12\ On the basis of our interviews with private sector businesses 
and organizations, contacts with some state offices of attorney 
general, and identified state laws and legislative initiatives related 
to the use of SSNs, we did a legislative review of 18 states that were 
identified as having laws or proposed laws governing SSN use. In the 18 
states we researched, we reviewed more than 40 legislative documents, 
including relevant laws, proposed laws, legislative summaries, and 
other related documents, such as state regulations, executive orders, 
and referendums.
---------------------------------------------------------------------------
    Similar to California's law, Missouri's law (2003 Mo. SB 61), which 
is not effective until July 1, 2006, bars companies from requiring 
individuals to transmit SSNs over the Internet without certain safety 
measures, such as encryption and passwords. However, while SB 61 
prohibits a person or private entity from publicly posting or 
displaying an individual's SSN ``in any manner,'' unlike California's 
law, it does not specifically prohibit printing the SSN on cards 
required to gain access to products or services. In addition, Arizona's 
law (2003 Ariz. Sess. Laws 137), effective January 1, 2005, restricts 
the use of SSNs in ways very similar to California's law. However, in 
addition to the private sector restrictions, it adds certain 
restrictions for state agencies and political subdivisions.\13\ For 
example, state agencies and political subdivisions are prohibited from 
printing an individual's SSN on cards and certain mailings to the 
individual. Last, Texas prohibits the display of SSNs on all cards, 
while Georgia and Utah's laws are directed at health insurers and, 
therefore, pertain primarily to insurance identification cards.\14\ 
None of these three laws contain the provisions mentioned above 
relating to Internet safety measures and mailing restrictions. Table 2 
lists states that have enacted legislation and related provisions.
---------------------------------------------------------------------------
    \13\ Political subdivisions would include counties, cities, and 
towns.
    \14\ Georgia's law (O.C.G.A.  33-24-57.1(f)) and Utah's law (Utah 
Code Ann.  31-22-634) are both effective July 1, 2004. However, Utah's 
law provides certain extensions until March 1, 2005. Texas' law (2003 
Tex. Gen. Laws 341) is effective March 1, 2005.

      Table 2: Provisions Included in Enacted Legislation Reviewed
------------------------------------------------------------------------
                                              States Where Provision or
                 Provision                       Restriction Enacted
------------------------------------------------------------------------
Specifically prohibits display on cards     AZ, CA, GA, TX, UT
Requires Internet safety measures           AZ, CA, MO
Restricts mailing of SSNs                   AZ, CA
------------------------------------------------------------------------
Source: GAO analysis.

Public Sector Entities Also Use SSNs and Some Agencies Limit Their Use 
        and Display Even Though SSNs are Displayed in Some Public 
        Records
    Agencies at all levels of government frequently obtain and use 
SSNs. A number of federal laws require government agencies to obtain 
SSNs, and these agencies use SSNs to administer their programs, verify 
applicants' eligibility for services and benefits, and do research and 
evaluation. Given the potential for misuse, some government agencies 
are taking steps to limit their use and display of SSNs and prevent the 
proliferation of false identities. However, given the open nature of 
certain government records, SSNs appear in some records displayed to 
the public. Our ongoing work is looking at the storage, display, and 
protection of SSNs in records displayed to the public.
Public Sector Entities Are Required by Laws and Regulations to Obtain 
        SSNs for Various Purposes
    Government agencies obtain SSNs because a number of federal laws 
and regulations require certain programs and federally funded 
activities to use the SSN for administrative purposes.\15\ Such laws 
and regulations require the use of the SSN as an individual's 
identifier to facilitate automated exchanges that help administrators 
enforce compliance with federal laws, determine eligibility for 
benefits, or both. For example, the Internal Revenue Code and 
regulations, which govern the administration of the federal personal 
income tax program, require that individuals' SSNs serve as taxpayer 
identification numbers.\16\ A number of other federal laws require 
program administrators to use SSNs in determining applicants' 
eligibility for federally funded benefits. The Social Security Act 
requires individuals to provide their SSNs in order to receive benefits 
under the SSI, Food Stamp, Temporary Assistance for Needy Families, and 
Medicaid programs.\17\ In addition, the Commercial Motor Vehicle Safety 
Act of 1986 requires the use of SSNs to identify individuals and 
established the Commercial Driver's License Information System, a 
nationwide database where states may use individuals' SSNs to search 
the database for other state-issued licenses commercial drivers may 
hold.\18\ Federal law also requires the use of SSNs in state child 
support programs to help states locate noncustodial parents, establish 
and enforce support orders, and recoup state welfare payments from 
parents.\19\ The law also allows states to record SSNs on many other 
state documents, such as professional, occupational, and marriage 
licenses; divorce decrees; paternity determinations; and death 
certificates, and to make SSNs associated with these documents 
available for state child support agencies to use in locating and 
obtaining child support payments from noncustodial parents.
---------------------------------------------------------------------------
    \15\ U.S. General Accounting Office, Social Security Numbers: 
Government and Commercial Use of the Social Security Number is 
Widespread, GAO/HEHS-99-28 (Washington D.C.: February 1999).
    \16\ This means that employers and others making payments to 
individuals must include the individuals' SSNs in reporting to IRS many 
of these payments. In addition, the Code and regulations require 
individuals filing personal income tax returns to include their SSNs as 
their taxpayer identification number, the SSNs of people whom they 
claim as dependents, and the SSNs of spouses to whom they paid alimony.
    \17\ Applicants give program administrators information on their 
income and resources, and program administrators use applicants' SSNs 
to match records with those of other organizations.
    \18\ States may also use SSNs to search another database, the 
National Driver's Registry, to determine whether an applicant's license 
has been cancelled, suspended, or revoked by another state. In these 
situations, the states use SSNs to limit the possibility of 
inappropriately licensing applicants.
    \19\ The law requires states to maintain records that include (1) 
SSNs for individuals who owe or are owed support for cases in which the 
state has ordered child support payments to be made, the state is 
providing support, or both, and (2) employers' records of new hires 
identified by SSN.
---------------------------------------------------------------------------
    Government agencies use SSNs for a variety of reasons. We found 
that most of these agencies use SSNs to administer their programs, such 
as to identify, retrieve, and update their records. In addition, many 
agencies also use SSNs to share information with other entities to 
bolster the integrity of the programs they administer. As unique 
identifiers, SSNs help ensure that the agency is obtaining or matching 
information on the correct person.
    Government agencies also share information containing SSNs for the 
purpose of verifying an applicant's eligibility for services or 
benefits, such as matching records with state and local correctional 
facilities to identify individuals for whom the agency should terminate 
benefit payments. SSNs are also used to ensure program integrity. 
Agencies use SSNs to collect delinquent debts and even share 
information for this purpose. In addition, SSNs are used for 
statistics, research, and evaluation. Agencies responsible for 
collecting and maintaining data for statistical programs that are 
required by statute, make use of SSNs. In some cases, these data are 
compiled using information provided for another purpose. For example, 
the Bureau of the Census prepares annual population estimates for 
states and counties using individual income tax return data linked over 
time by SSN to determine immigration rates between localities.\20\ SSNs 
also provide government agencies and others with an effective mechanism 
for linking data on program participation with data from other sources 
to help evaluate the outcomes or effectiveness of government programs. 
In some cases, records containing SSNs are sometimes matched across 
multiple agency or program databases.\21\
---------------------------------------------------------------------------
    \20\ The Bureau of the Census is authorized by statute to collect a 
variety of information, and the Bureau is also prohibited from making 
it available, except in certain circumstances.
    \21\ The statistical and research communities refer to the process 
of matching records containing SSNs for statistical or research 
purposes as ``record linkage.'' See U.S. General Accounting Office, 
Record Linkage and Privacy: Issues in Creating New Federal Research and 
Statistical Information, GAO-01-126SP (Washington, D.C.: Apr. 2001).
---------------------------------------------------------------------------
    Finally, government agencies use employees' SSNs to fulfill some of 
their responsibilities as employers. For example, personnel departments 
of these agencies use SSNs to help them maintain internal records and 
provide employee benefits. In addition, employers are required by law 
to use employees' SSNs when reporting wages. Wages are reported to SSA, 
and the agency uses this information to update earnings records it 
maintains for each individual. The Internal Revenue Service (IRS) also 
uses SSNs to match the employer wage reports with amounts individuals 
report on personal income tax returns. Federal law also requires that 
states maintain employers' reports of newly hired employees, identified 
by SSNs. States must forward this information to a national database 
that is used by state child support agencies to locate parents who are 
delinquent in child support payments.
Government Agencies Are Taking Steps to Limit the Use and Display of 
        SSNs
    Despite the widespread use of SSNs at all levels of government, not 
all agencies use SSNs. We found that some agencies do not obtain, 
receive, or use SSNs of program participants, service recipients, or 
individual embers of the public.\22\ Moreover, not all agencies use the 
SSN as their primary identification number for record-keeping purposes. 
These agencies maintain an alternative number that is used in addition 
to or in lieu of SSNs for certain activities.
---------------------------------------------------------------------------
    \22\ GAO-02-352 (Washington D.C.: May 2002).
---------------------------------------------------------------------------
    Some agencies are also taking steps to limit SSNs displayed on 
documents that may be viewed by others who may not have a need to view 
this personal information. For example, the Social Security 
Administration has truncated individuals' SSNs that appear on the 
approximately 120 million benefits statements it mails each year. Some 
states have also passed laws prohibiting the use of SSNs as a student 
identification number. Almost all states have modified their policies 
on placing SSNs on state drivers' licenses.
    At the federal level, SSA has taken steps in its enumeration 
process and verification service to help prevent SSNs from being used 
to proliferate false identities. SSA has formed a task force to address 
weaknesses in its enumeration process and has (1) increased document 
verifications and developed new initiatives to prevent the 
inappropriate assignment of SSNs to noncitizens, and (2) undertaken 
initiatives to shift the burden of processing noncitizen applications 
from its field offices. \23\ SSA also helps prevent the proliferation 
of false identities through its verification service, which allows 
state driver licensing agencies to verify the SSN, name, and date of 
birth of customers with SSA's master file of Social Security 
records.\24\ Finally, SSA has also acted to correct deficiencies in its 
information systems' internal controls. These changes were made in 
response to the findings of an independent audit that found that SSA's 
systems were exposed to both internal and external intrusion, 
increasing the possibility that sensitive information such as SSNs 
could be subject to unauthorized access, modification, and disclosure, 
as well as the risk of fraud.
---------------------------------------------------------------------------
    \23\ See U.S. General Accounting Office, Social Security 
Administration: Actions Taken to Strengthen Procedures for Issuing 
Social Security Numbers to Noncitizens but Some Weakness Remain, GAO-
04-12 (Washington D.C.: October 15, 2003). See U.S. General Accounting 
Office, Social Security Numbers: Improved SSN Verification and Exchange 
of States' Driver Records Would Enhance Identity Verification, GAO-03-
920 (Washington D.C.: September 15, 2003).
    \24\ GAO-03-920 (Washington D.C.: September 2003).
---------------------------------------------------------------------------
Public Records Can Also Be a Source of SSNs
    Given the open nature of certain government records, SSNs appear in 
these records for a number of reasons. For example, SSNs may already be 
a part of a document that is submitted to a recorder for official 
preservation, such as veterans' discharge papers. Documents that record 
financial transactions, such as tax liens and property settlements, 
also contain SSNs to help identify the correct individual. As 
previously stated, government officials are required by law to collect 
SSNs in numerous instances. Moreover, some state laws allow government 
entities to collect SSNs on voter registries to help avoid duplicate 
registrations.
    Courts at all three levels of government also collect and maintain 
records that are routinely made available to the public. Court records 
overall are presumed to be public. However, each court may have its own 
rules or practices governing the release of information. SSNs appear in 
court documents for a variety of reasons. In many cases, SSNs are 
already a part of documents that are submitted by attorneys or 
individuals. These documents could be submitted as part of the evidence 
for a proceeding or could be included as part of a petition for an 
action, such as a judgment or a divorce. In other cases, courts include 
SSNs on documents they and other government officials create, such as 
criminal summonses, arrest warrants, and judgments, to increase the 
likelihood that the correct individual is affected (i.e., to avoid 
arresting the wrong John Smith). Again, in some cases, federal law 
requires that SSNs be placed in certain records that courts maintain, 
such as child support orders.
    In our prior report, we looked at the extent and nature of federal, 
state, and county governments' use of SSNs when they are contained in 
public records, and the options available to better safeguard SSNs that 
are found in these public records.\25\ Our findings led us to suggest 
that Congress consider addressing SSN security and display issues in 
state and local government and in public records, including those 
maintained by the judicial branch of government at all levels. We 
proposed that Congress convene a representative group of officials from 
all levels of government to develop a unified approach to safeguard 
SSNs used in all levels of government and particularly those displayed 
in public records.
---------------------------------------------------------------------------
    \25\ GAO-02-352 (Washington D.C.: May 2002)
---------------------------------------------------------------------------
    At the request of this subcommittee, GAO was asked what types of 
public records SSNs are stored in, how are those records maintained, 
and to what extent SSNs are displayed inside those records. To do this 
work, we are surveying over 2,500 officials in state and local 
government agencies, including officials in all 50 states and the 
District of Columbia, and are conducting structured interviews of 
federal agencies. Our preliminary survey data show that the types of 
records most likely to contain SSNs and be made available to the 
general public by state government entities are court records, death 
records, UCC filings, and professional licensing records. At the local 
level, court records and land records are those most often cited as 
containing SSNs and being available to the general public. Preliminary 
data analysis indicates that identity verification is the most 
frequently given reason by both state and local respondents for 
collecting or using SSNs that are in records available to the public. 
Data matching and complying with state laws or regulations are also 
frequently cited as reasons for the collection or use of the SSN. 
However, responding state offices reported over 35 instances where they 
had no specific use for collecting SSNs.
Conclusions
    Public and private entities use SSNs for many legitimate and 
publicly beneficial purposes. However, the more frequently SSNs are 
obtained and used, the more likely they are to be misused. As we 
continue to learn more about the entities that obtain SSNs and the 
purposes for which they obtain them, Congress and state legislatures 
will be able to determine if there are ways to limit access to this 
valuable piece of information and prevent it from being misused. 
However, restrictions on access or use may make it more difficult for 
businesses and government agencies to verify an individual's identity. 
Accordingly, policy makers will have to balance restrictions on the use 
of SSNs on the one hand with legitimate needs for the use of SSNs on 
the other.
    Although individuals may choose to provide their SSNs to public and 
private sector entities to obtain their services, individuals are often 
required to have their SSNs in records that may ultimately be displayed 
to the public. Such public display of personal information can create 
opportunities for identity crimes. Safeguarding SSNs in records 
displayed to the public offers an additional challenge because of the 
inherent tension between the nature of public records, that is, the 
need for transparency in government activities, and the need to protect 
individuals' privacy. For this reason, in prior work, we recommended 
that Congress convene a representative group of officials to develop a 
unified approach to safeguard SSNs used in all levels of government and 
particularly those displayed in public records. We continue to believe 
that this would be a useful step toward preventing SSN misuse while 
acknowledging the needs of various levels of government.
    At this subcommittee's request, we are continuing work on SSNs and 
their presence in public records and look forward to supporting 
continuing congressional consideration of these important policy 
issues. That concludes my testimony, and I would be pleased to respond 
to any questions the subcommittee has.
Contacts and Acknowledgments
    For further information regarding this testimony, please contact 
Barbara D. Bovbjerg, Director; Tamara Cross, Assistant Director; or 
Alicia Cackley, Assistant Director of Education, Workforce, and Income 
Security Issues at (202) 512-7215. Individuals making key contributions 
to this testimony include Melinda Bowman, Raun Lazier, Joel Marus, and 
Caroline Sallee.
                                 ______
                                 
    Appendix I: Federal Laws Affecting Information Resellers, CRAs, and 
Health Care Organizations:
Gramm-Leach-Bliley Act (GLBA):
    GLBA requires companies to give consumers privacy notices that 
explain the institutions' information-sharing practices. In turn, 
consumers have the right to limit some, but not all, sharing of their 
nonpublic personal information. Financial institutions are permitted to 
disclose consumers' nonpublic personal information without offering 
them an opt-out right in the following circumstances:

      to effect a transaction requested by the consumer in 
connection with a financial product or service requested by the 
consumer; maintaining or servicing the consumer's account with the 
financial institution or another entity as part of a private label 
credit card program or other extension of credit; or a proposed or 
actual securitization, secondary market sale, or similar transaction;
      with the consent or at the direction of the consumer;
      to protect the confidentiality or security of the 
consumer's records; to prevent actual or potential fraud, for required 
institutional risk control or for resolving customer disputes or 
inquiries, to persons holding a legal or beneficial interest relating 
to the consumer, or to the consumer's fiduciary;
      to provide information to insurance rate advisory 
organizations, guaranty funds or agencies, rating agencies, industry 
standards agencies, and the institution's attorneys, accountants, and 
auditors;
      to the extent specifically permitted or required under 
other provisions of law and in accordance with the Right to Financial 
Privacy Act of 1978, to law enforcement agencies, self-regulatory 
organizations, or for an investigation on a matter related to public 
safety;
      to a consumer reporting agency in accordance with the 
Fair Credit Reporting Act or from a consumer report reported by a 
consumer reporting agency;
      in connection with a proposed or actual sale, merger, 
transfer, or exchange of all or a portion of a business if the 
disclosure concerns solely consumers of such business;
      to comply with federal, state, or local laws; an 
investigation or subpoena; or to respond to judicial process or 
government regulatory authorities.

    Financial institutions are required by GLBA to disclose to 
consumers at the initiation of a customer relationship, and annually 
thereafter, their privacy policies, including their policies with 
respect to sharing information with affiliates and non-affiliated third 
parties.
    Provisions under GLBA place limitations on financial institutions 
disclosure of customer data, thus affecting some CRAs and information 
resellers. We found that some CRAs consider themselves to be financial 
institutions under GLBA.\26\ These entities are therefore directly 
governed by GLBA's restrictions on disclosing nonpublic personal 
information to non-affiliated third parties. We also found that some of 
the information resellers we spoke to did not consider their companies 
to be financial institutions under GLBA. However, because they have 
financial institutions as their business clients, they complied with 
GLBA's provisions in order to better serve their clients and ensure 
that their clients are in accordance with GLBA. For example, if 
information resellers received information from financial institutions, 
they could resell the information only to the extent that they were 
consistent with the privacy policy of the originating financial 
institution.
---------------------------------------------------------------------------
    \26\ Under GLBA, the term financial institution is defined as ``any 
institution the business of which is engaging in financial activities 
as described in section 4(k) of the Bank Holding Company Act of 1956,'' 
which goes into more detail about what are ``activities that are 
financial in nature.'' These generally include banking, insurance, and 
investment industries.
---------------------------------------------------------------------------
    Information resellers and CRAs also said that they protect the use 
of non-public personal information and do not provide such information 
to individuals or unauthorized third parties. In addition to imposing 
obligations with respect to the disclosures of personal information, 
GLBA also requires federal agencies responsible for financial 
institutions to adopt appropriate standards for financial institutions 
relating to safeguarding customer records and information. Information 
resellers and CRA officials said that they adhere to GLBA's standards 
in order to secure financial institutions' information.
Drivers Privacy Protection Act (DPPA):
    The DPPA specifies a list of exceptions when personal information 
contained in a state motor vehicle record may be obtained and used (18 
U.S.C.  2721(b)). These permissible uses include:
for use by any government agency in carrying out its functions;
for use in connection with matters of motor vehicle or driver safety 
and theft; motor vehicle emissions; motor vehicle product alterations, 
recalls, or advisories; motor vehicle market research activities, 
including survey research;
for use in the normal course of business by a legitimate business, but 
only to verify the accuracy of personal information submitted by the 
individual to the business and, if such information is not correct, to 
obtain the correct information but only for purposes of preventing 
fraud by pursuing legal remedies against, or recovering on a debt or 
security interest against, the individual;

      for use in connection with any civil, criminal, 
administrative, or arbitral proceeding in any federal, state, or local 
court or agency;
      for use in research activities;
      for use by any insurer or insurance support organization 
in connection with claims investigation activities;
      for use in providing notice to the owners of towed or 
impounded vehicles;
      for use by a private investigative agency for any purpose 
permitted under the DPPA;
      for use by an employer or its agent or insurer to obtain 
information relating to the holder of a commercial driver's license;
      for use in connection with the operation of private toll 
transportation facilities;
      for any other use, if the state has obtained the express 
consent of the person to whom a request for personal information 
pertains;
      for bulk distribution of surveys, marketing, or 
solicitations, if the state has obtained the express consent of the 
person to whom such personal information pertains;
      for use by any requester, if the requester demonstrates 
that it has obtained the written consent of the individual to whom the 
information pertains;
      for any other use specifically authorized under a state 
law, if such use is related to the operation of a motor vehicle or 
public safety.

    As a result of DPPA, information resellers said they were 
restricted in their ability to obtain SSNs and other driver license 
information from state motor vehicle offices unless they were doing so 
for a permissible purpose under the law. These officials also said that 
information obtained from a consumer's motor vehicle record has to be 
in compliance with DPPA's permissible purposes, thereby restricting 
their ability to resell motor vehicle information to individuals or 
entities not allowed to receive such information under the law. 
Furthermore, because DPPA restricts state motor vehicle offices' 
ability to disclose driver license information, which includes SSN 
data, information resellers said they no longer try to obtain SSNs from 
state motor vehicle offices, except for permissible purposes.
Health Insurance Portability and Accountability Act (HIPAA):
    The HIPAA privacy rule also defines some rights and obligations for 
both covered entities and individual patients and health plan members. 
Some of the highlights are:

      Individuals must give specific authorization before 
health care providers can use or disclose protected information in most 
nonroutine circumstances, such as releasing information to an employer 
or for use in marketing activities.
      Covered entities will need to provide individuals with 
written notice of their privacy practices and patients' privacy rights. 
The notice will contain information that could be useful to individuals 
choosing a health plan, doctor, or other service provided. Patients 
will be generally asked to sign or otherwise acknowledge receipt of the 
privacy notice.

    Covered entities must obtain an individual's specific authorization 
before sending them marketing materials.
    Health care organizations, including health care providers and 
health plan insurers, are subject to HIPAA's requirements. In addition 
to providing individuals with privacy practices and notices, health 
care organizations are also restricted from disclosing a patient's 
health information without the patient's consent, except for purposes 
of treatment, payment, or other health care operations. Information 
resellers and CRAs did not consider themselves to be ``covered 
entities'' under HIPAA, although some information resellers said that 
their customers are considered to be business associates under HIPAA. 
As a result, they said they are obligated to operate under HIPAA's 
standards for privacy protection, and therefore could not resell 
medical information without having made sure HIPAA's privacy standards 
were met.
Fair Credit Reporting Act (FCRA);
    Congress has limited the use of consumer reports to protect 
consumers' privacy. All users must have a permissible purpose under the 
FCRA to obtain a consumer report (15 USC 1681b). These permissible 
purposes are:

      as ordered by a court or a federal grand jury subpoena;
      as instructed by the consumer in writing;
      for the extension of credit as a result of an application 
from a consumer or the review or collection of a consumer's account;
      for employment purposes, including hiring and promotion 
decisions, where the consumer has given written permission;
      for the underwriting of insurance as a result of an 
application from a consumer;
      when there is a legitimate business need, in connection 
with a business transaction that is initiated by the consumer;
      to review a consumer's account to determine whether the 
consumer continues to meet the terms of the account;
      to determine a consumer's eligibility for a license or 
other benefit granted by a governmental instrumentality required by law 
to consider an applicant's financial responsibility or status;
      for use by a potential investor or servicer or current 
insurer in a valuation or assessment of the credit or prepayment risks 
associated with an existing credit obligation; and
      for use by state and local officials in connection with 
the determination of child support payments, or modifications and 
enforcement thereof.

    Under FCRA, Congress has limited the use of consumer reports\27\ to 
protect consumers' privacy and limits access to credit data to those 
who have a legally permissible purpose for using the data, such as the 
extension of credit, employment purposes, or underwriting insurance. 
However, these limits are not specific to SSNs. All of the CRAs that we 
spoke to said that they are considered consumer reporting agencies 
under FCRA. In addition, some of the information resellers we spoke to 
who handle or maintain consumer reports are classified as CRAs under 
FCRA. Both CRAs and information resellers said that as a result of 
FCRAs restrictions they are limited to providing credit data to their 
customers that have a permissible purpose under FCRA. Consequently, 
they are restricted by law from providing such information to the 
general public.
---------------------------------------------------------------------------
    \27\ The FTC has determined that certain types of information, 
including SSNs, do not constitute as consumer report under FCRA because 
they are not factors in determining credit eligibility.

---------------------------------------------------------------------------
                                 

    Chairman SHAW. Thank you very much. Mr. Maxwell.

 STATEMENT OF LAWRENCE E. MAXWELL, ASSISTANT CHIEF INSPECTOR, 
 INVESTIGATIONS AND SECURITY, UNITED STATES POSTAL INSPECTION 
                            SERVICE

    Mr. MAXWELL. Thank you, Mr. Chairman and Members of the 
Committee. I really appreciate your having us here today and 
your focus on this very important issue. As a way of 
background, myself and others in the Postal Inspection Service 
have reviewed the provisions in the new legislation, and we are 
very enthusiastic. I have had 27 years in law enforcement, most 
of which has been in mail fraud investigations, and I truly 
welcome a lot of the provisions here, particularly the 
preventive and the enhanced penalty methods.
    One of the things, for those who aren't familiar with the 
Postal Inspection Service, we date ourselves as the oldest 
Federal law enforcement agency, going back to Ben Franklin and 
the statute, mail fraud, was enacted in 1870s, and it makes it 
the oldest and the first consumer protection law on the books, 
arguably the best. I still think it is the best. One may ask, 
well, how did somebody who is in the hand delivery business get 
propelled into identity theft in the electronic communications 
age? Well, I will bring you up to that in a second how the tie-
in is.
    The Postal Inspection Service covers Maine to Guam. There 
is roughly 2,000 of us, making us a very small agency. 
Approximately 300 inspectors are devoted to mail fraud, and we 
pride ourselves primarily on consumer fraud. As stated earlier, 
identity theft remains a vexing problem, insidious in nature, 
and clearly a predator on those unsuspecting. It totally 
devastates your life. It takes months, years to put it back 
together again afterward. So, clearly it is something that we 
have been living with for some time, and we are aggressively 
pursuing and should.
    From our experience, mail itself, based on an FTC study 
recently, only represents about 4 percent of identity crimes; 4 
percent, that is, in stolen mail, information obtained from 
mail that has been stolen. We used to think it was worse. In 
fact, a lot of our prevention messages cued in on that, to 
protect your mail from theft. However, we have since learned 
that really it comes more from the after fact, the use of mails 
to file applications, credit information and so forth. However, 
that doesn't stop us from taking assertive actions on mail 
theft programs.
    In the mail fraud area, primarily what we have seen in both 
arrest statistics, a combination of arrests from mail theft and 
fraud, totals 3,000 of our 10,000 arrests each year. As you can 
conclude, that is a very substantial number of our activities 
in the criminal area. What we have found as a strategy, and 
that is really what we are here to address today, outreaching 
is extremely important. Ourselves and the FTC have been 
partners for some time. We have had a formal memorandum of 
understanding. We share data, fraud data, and we do a number of 
prevention and educational campaigns together.
    Clearly the events of 2 years ago propelled all of us in 
the law enforcement community to work better together, and 
although the Postal Inspection Service only has 200 statutes 
which it has to worry about, still we find a lot of the 
overlaps in areas where we can fill in the gaps and help out. 
For example, we are on a number of financial crimes 
investigative task forces around the country. We are also part 
of the National Joint Terrorism Task Force and the Joint 
Terrorism Task Force primarily focusing on mail information and 
financial information, again relating back to what we are 
talking about today.
    Finally, one of the major initiatives is with the credit 
card industry itself with a group called the Financial Crimes 
Task Force. We have been together since the middle of the 
nineties, and that is the industry involved in credit cards and 
the Postal Service inspectors dealing on ways to share best 
practices and enforcement. That has worked out very well. In 
fact, we have come out with a publication which I have made 
available to all of you called Fighting Identity Theft, and in 
there it actually highlights the use of the importance of SSNs 
by minimizing the use of SSNs on page nine, if you care to look 
at that at some time.
    Another portion of our focus would be on deterrence. Of 
course, as a law enforcement officer I would be remiss not 
saying how important it is to arrest those responsible for 
committing crimes. Deterrence serves a big purpose particularly 
when it is a high-profile case. Last year, for example, there 
was a case involving Carlos Lomax in Pittsburgh. He stole the 
identity of none other than Will Smith, the actor, obviously a 
prominent name, and he was doing quite well. In his guilty 
plea, and his cooperation, he agreed to film a video which we 
have available which he discusses some of the techniques he 
uses in identity theft.
    Finally, the strategy I most favor is prevention. We have a 
number of prevention campaigns, and to just spin the old adage, 
crime does not pay, we have used it to pay. We have had a 
couple of U.S. attorneys in the U.S. Department of Justice 
support us in putting asset forfeiture money and fine money 
into a fund called the Consumer Protection Fund. We have used 
that fund to conduct massive educational campaigns, joint 
campaigns.
    To my left, your right, is a poster where we had a 
partnership with Showtime where they made two feature films on 
postal inspector cases. For years we were known as ``the silent 
service,'' and we are finding now in prevention and getting the 
word out we can't be silent. They made a movie in the second of 
a series on identity theft specifically to dramatize the issue. 
On the right is a poster from the identity theft campaign which 
we conducted last September. In that campaign we had a massive 
outreach of mailings. We produced a mini-drama which is on 
digital video disk, which I have also made available highlights 
how identity theft occurs and how it is reported and how it is 
enforced. Then, at the very end, and, I think, in dramatic 
fashion, it gives you tips on what to do to prevent identity 
theft. We also did a saturation mailing and produced this 
brochure, which I think is very valuable. In closing, I would 
just reiterate the importance of that strategy using deterrence 
and prevention and primarily education, because fraud is a 
crime where people can prevent it. They don't have to 
participate if they know what to do. Thank you for your time.
    [The prepared statement of Mr. Maxwell follows:]
     Statement of Lawrence E. Maxwell, Assistant Chief Inspector, 
  Investigations and Security, United States Postal Inspection Service
    Good morning, Mr. Chairman, members of the subcommittee. On behalf 
of the United States Postal Inspection Service, thank you for holding 
this hearing and giving me the opportunity to discuss the subject of 
identity crimes and the significant role Postal Inspectors play in 
combating it.
    I'm Lawrence E. Maxwell, Assistant Chief Inspector, Investigations 
and Security, for the U.S. Postal Inspection Service.
Role of the Postal Inspection Service
    The U.S. Postal Service delivers more than 200 billion pieces of 
mail a year, containing money, messages, and merchandise, to 138 
million addresses at some of the most affordable postage rates in the 
world. U. S. Postal Inspectors are mandated to safeguard all of it--
including the people who move it and the customers who use it.
    Congress empowered the Postal Service ``to investigate postal 
offenses and civil matters relating to the Postal Service.'' Through 
its security and enforcement functions, the Postal Inspection Service 
provides assurance to American businesses for the safe exchange of 
funds and securities through the U.S. Mail; to postal customers of the 
``sanctity of the seal'' in transmitting correspondence and messages; 
and to postal employees of a safe work environment.
    As one of our country's oldest federal law enforcement agencies, 
founded by Benjamin Franklin, the United States Postal Inspection 
Service has a long, proud and successful history of fighting criminals 
who attack our nation's postal system and misuse it to defraud, 
endanger, or otherwise threaten the American public.
    Postal Inspectors work closely with U.S. Attorneys, other law 
enforcement agencies, and local prosecutors to investigate postal cases 
and prepare them for court. There are approximately 1,900 Postal 
Inspectors stationed throughout the United States who enforce roughly 
200 federal laws covering investigations of crimes that adversely 
affect or fraudulently use the U.S. mail and postal system.
    Last year, U.S. Postal Inspectors made more than 11,000 arrests. Of 
those, over 6,000 were related to mail theft. One-third of those 
involved identity theft. In the first eight months of our 2004 fiscal 
year, we exceeded the number of identity theft arrests made throughout 
all of last year.
What is Identity Theft?
    Identity theft occurs when a thief steals key pieces of someone's 
identifying information, such as name, date of birth, and Social 
Security number, and uses the information to fraudulently apply for 
credit or to take over a victim's credit or bank accounts. Identity 
theft occurs in a variety of ways. Those that involve the use of the 
mail receive swift and aggressive action by Postal Inspectors. We 
ensure that consumers are being protected. In addition, we work with 
the mailing industry to develop best practices on how best to design 
mailing pieces to prevent identity theft. Our collaboration with the 
mailing industry is another example of how the industry as a whole is 
serious about the issue and working to stay ontop of it for the benefit 
of consumers. Mail is important to consumers who receive itand to the 
businesses that send it.
Tactics Used by Identity Thieves
    In the past, pre-screened credit offers were more vulnerable to 
identity theft because they simply required the customer to sign the 
solicitation and return it. But now credit card companies have begun 
automatically discarding applications when they are returned with a 
change of address. Actions by the industry have made these mailings 
less attractive to would-be identity thieves.
    Identity theft is continuing to evolve with the expansion of the 
Internet and other electronic means. The mail is no more vulnerable 
than other sources of personal information, such as corporate and 
government records and computer databases. Financial institutions have 
implemented many safeguards to reduce the likelihood that personal 
financial information found within the mail can be stolen. The Postal 
Service is continually working to improve the security of the mail, and 
Postal Inspectors are making great strides in apprehending those who 
would use the mail to further their crimes.
    Identity fraud is digging deep into consumer's pockets--millions of 
dollars were lost in the past year by financial institutions and 
victims across the country. Thieves use a variety of tactics to drain a 
victim's finances, including stealing mail; posing as a loan officer 
and ordering a victim's credit report (which lists account numbers); 
``shoulder surfing'' at the ATM or phone booth to get a victim's PIN 
code; and ``dumpster diving'' in trash bins looking for credit 
applications, canceled checks or other bank records.
    Until a few years ago, a thief could submit an address change to 
divert customers' mail without their knowledge. Usually, redirected 
mail is sent to a commercial mail receiving agency in an attempt to 
insure the perpetrator's anonymity. In response to recommendations by 
the Chief Postal Inspector, a prevention measure that addresses 
fraudulent change-of-address orders was adopted by the U.S. Postal 
Service. Post Offices now send a ``Move Validation Letter'' to both the 
old and new address when a change is filed. The letter instructs an 
individual to call an ``800'' number if a change was not filed. This 
simple measure has virtually eliminated false changes-of-address 
submitted to the Postal Service as an avenue for committing identity 
theft.
Impact on Victims
    One of the most insidious aspects of identity theft is the length 
of time the scheme is carried out before it comes to anyone's 
attention. It may be months before a victim realizes they've been 
targeted. It's not until a consumer gets turned down for credit, a car 
loan, or a mortgage on a dream house because of a bad credit rating--
knowing they've paid their bills--do they begin to realize what has 
taken place. Most victims do not learn about the theft of their 
identity until 14 months after it has occurred. More than half of the 
victims we interviewed report their cases have been open, on average, 
44 months. They also reported that, as victims, they spent, on average, 
175 hours actively trying to restore their credit and ``to clear their 
good name.''
    Identity theft can do more than ruin a person's credit; it can 
cause more serious damage. Identity theft hurts a victim in two ways. 
First a victim must deal with the obvious financial issues. Second, a 
victim must contend with privacy and practical issues such as 
overcoming a credit history that isn't theirs. The problem doesn't go 
away with a few phone calls--it can stick with a victim for a long 
time. That's why it's such a serious issue. Victims run the gamut of 
society, they're wealthy, they're poor, they're old, and they're young. 
Anyone can become a victim.
    In a recent Postal Inspection Service investigation based in 
Chicago, Illinois, the destructive activities of an identity thief 
resulted in the loss of thousands of dollars and the death of a primary 
victim. The scheme began in July 1999 when the identity thief began 
dating the estranged wife of a Chicago resident. Without the victim's 
knowledge, the wife assisted the thief in stealing her former spouse's 
identity by providing the thief with the spouse's personal information.
    In January 2000, the spouse filed a complaint with the Chicago 
Police Department after realizing that he was a victim of identity 
theft with losses over $200,000. In February, the spouse received a 
package from the thief wrapped as a FedEx delivery. After holding the 
package for several days, the spouse received a voice mail message from 
the thief indicating the package was a gift. As he sat in his living 
room, he opened the package, which exploded, killing him instantly.
    Last year a colleague of mine learned about identity theft the hard 
way. His bank called and asked if he had authorized a $4,500 cash 
advance on his credit card in Miami, Florida that day.
    He was stunned. The bank had called only hours after the withdrawal 
was made, following an alert initiated because certain account 
parameters indicated something might be wrong. Luckily for him, the 
bank simply asked that he sign an affidavit that he had not been in 
Miami and hadn't made the withdrawal. He wasn't held liable for the 
money. And he never found out what ID the thief had used to get access 
to his account.
    Unfortunately, my colleague's ordeal wasn't over. He received a 
call a few months later from a cellular phone company, asking if he'd 
opened an account with them in Miami. Someone had racked up $1,800 in 
calling charges under his name and then disappeared. Once again, he 
signed an affidavit disclaiming knowledge of the charges, and the 
account was cleared. This time, he called the three main credit bureaus 
and reported the fraud.
    My colleague is just one of hundreds of thousands of individuals 
who are victimized each year. The culprits may be found among employees 
(or patrons) of mailrooms, airlines, hotels or personnel offices--
anyone who has access to a person's financial information. They can use 
your credit card or instead use encoding equipment, sold by business 
supply companies, and blank cards with magnetic strips on the back, to 
encode your account number onto a counterfeit card with a different 
name. Thieves sometimes seek jobs specifically to get access to 
financial information; alternately, they may bribe employees in such 
positions to supply them with the data they want.
    The problem is compounded by the ease with which a phony ID can be 
obtained. On the Web are scores of sites with complete instructions on 
creating a ``new you.'' Personal computers, ``scanners'' and color 
printers (or copiers), all facilitate creating false identification 
documents.
Commitment of Resources Jurisdiction
    Because identity theft crimes can involve the use of the mail, the 
U.S. Postal Inspection Service has become a lead agency in 
investigating these crimes. Even in cases where the original theft does 
not involve the mail, the mails may used to send the credit cards to a 
commercial mail receiving agency or alternate address. That's why 
Postal Inspectors are involved in investigating this crime and take it 
so seriously.
    Each of the Inspection Service's 18 field divisions investigates 
identity theft within their respective boundaries. Identity theft 
investigations are reported, categorized, and tracked in an Inspection 
Service national database used by management to coordinate the 
appropriate investigative response. During the past few years, 
Inspection Service resources devoted to identity theft investigations 
have increased significantly--by 38 per cent.
Identity Theft Investigations
    In a typical case last year, Postal Inspectors arrested eight West 
African nationals who were operating a multimillion-dollar counterfeit 
and stolen credit card enterprise nationwide. And Postal Inspectors in 
New York arrested 16 members of a gang that ran a passport photo 
business, supplying false identifications for cashing checks stolen 
from the mail.
    Last year Postal Inspectors announced the results of a round-up of 
103 mail thieves throughout the western United States. A multi-agency 
task force comprising U.S. Postal Inspectors, members of the U.S. 
Marshals Fugitive Apprehension Strike Task Force, U.S. Secret Service, 
state and local police, and the Northern California Identity Theft Task 
Force targeted mail thieves in California and Nevada. Similar 
operations took place in Arizona, Hawaii, Utah and New Mexico. Federal 
and state prosecutors supported the work of the task force by 
aggressively prosecuting individuals involved in mail and identity 
theft.
    Here are a few more examples of identity theft cases investigated 
by Postal Inspectors in the past year. In Detroit, Postal Inspectors 
investigated a gang of mail theft recidivists who were recruiting 
street people, called ``runners,'' to obtain cash advances from banks 
and casinos via credit cards. Inspectors executed a search warrant at 
the residence of a suspect and recovered more than 180 documents 
listing victims' personal IDs. Inspectors and agents from the Detroit 
Metro Identity Theft Task Force identified and arrested the ringleader 
of the group who, at the time of his arrest, had more than 700 car 
rental applications with names, dates of birth, Social Security 
numbers, and credit card accounts of potential victims. The ringleader 
and a cohort reportedly called credit card issuers, purporting to be 
the true account holders, and requested that replacement credit cards 
be mailed to them. The car rental manager who supplied the rental 
applications and an employee who worked at a health plan office were 
later indicted for providing documents to the gang. Total fraud losses 
exceeded $700,000.
    An Illinois man was sentenced to 25 months in prison and ordered to 
forfeit $590,000 in assets to banks after pleading guilty to the 
unlawful possession of an access device, mail fraud, and bank fraud. A 
joint investigation by Postal Inspectors and special agents of the 
Social Security Administration determined he had fraudulently applied 
for more than 200 credit cards using numerous victim IDs.
    Postal Inspectors in Jacksonville, Florida, arrested six people 
believed to be running a major identity theft ring. The arrests were 
the result of a joint investigation by the Northeast Florida High Tech 
Task Force, which includes Postal Inspectors, members of the 
Jacksonville Sheriff's Office, and several other federal, state, and 
local law enforcement agencies. Victims of the ring included employees 
of the Winn-Dixie Corporation and Hollywood, Florida, police and fire 
departments. The six suspects were charged with 44 counts of violations 
related to the Racketeering Influenced Corrupt Organization (RICO) Act, 
including criminal use of personal information, grand theft, organized 
fraud, and manufacturing fraudulent IDs. One of the suspects has 
already pled guilty to RICO violations and related charges.
    Las Vegas police arrested a man for ``driving under the influence'' 
and later discovered he had an outstanding arrest warrant for identity 
theft in Arizona. Phoenix Postal Inspectors reported he stole a 
person's Social Security number, applied for numerous credit cards in 
the victim's name, and had the cards mailed to a box he rented at a 
commercial mail receiving agency. Postal Inspectors and Secret Service 
agents searched the man's business and discovered numerous fraudulent 
documents.
Statutes Used in Identity Theft Cases
    A number of statutes enable us to take action against identity 
theft involving the use of the mail. Under Title 18, U.S. Code, Section 
1708, Postal Inspectors may arrest individuals for the possession of 
stolen mail or filing a false change-of-address order; the penalty is a 
$2,000 fine or up to five years' imprisonment, or both. In 1998, the 
Identity Theft and Assumption Deterrence Act of 1998, was signed into 
law. This law expanded the scope of the identity fraud statute (18 
U.S.C.  1028), and made it a federal crime for the unauthorized use of 
personal identification in the commission of any federal law (felony or 
misdemeanor), or a state or local felony.
    But one of our top weapons in the fight against identity theft is a 
statute originally enacted over 125 years ago: the criminal mail fraud 
statute. If someone applies for a credit card in your name, 
perpetrators may be prosecuted under Title 18, USC 1341. The penalty is 
a $1,000 fine or up to five years' imprisonment, or both--unless a 
financial institution is affected, in which case the fine may be raised 
to $1 million and imprisonment for up to 30 years. The public policy 
that underlies this statute remains valid today: The postal system 
created by Congress to serve the American public should not be used to 
conduct schemes that seek to cheat the public.
    Our experience demonstrates that enforcement laws and mechanisms, 
coupled with an aggressive education campaign and enforcement efforts 
described below, are invaluable tools in the arsenal of law 
enforcement.
Interagency and Industry Cooperation
    To address the fundamentals of identity theft, the Postal 
Inspection Service works diligently with the credit card industry, 
financial institutions and other law enforcement and regulatory 
agencies. In 1992, the Postal Inspection Service sponsored its first 
Credit Card Mail Security Initiative meeting in Washington, DC. We 
continue to promote and host these semi-annual meetings.
    Many of the preventive strategies discussed at our meetings have 
been implemented by our financial industry partners, and have resulted 
in reduced losses attributed to mail theft and the subsequent identity 
theft that occurs from it. The now-common concept of credit card 
activation was first proposed by a Postal Inspector and was promoted 
through the Credit Card Mail Security Initiative meetings. The industry 
embraced and implemented this prevention strategy, which resulted in 
the reduction of significant industry fraud losses over the past 
decade.
    In addition, working in conjunction with industry partners, Postal 
Inspectors analyze information from credit card thefts to identify 
``Hot Spots'' for investigative attention. The Postal Inspection 
Service notifies the financial industry of zip code areas suffering 
abnormal losses, so they can take extra precautions when mailing to 
those areas.
    Thanks to the collaborative efforts between the Postal Inspection 
Service and its working-group partners, we are beginning to see the 
results of this and many other fraud prevention initiatives. In 
addition to modifying industry practices, our collaboration has 
produced a number of fraud prevention guides, including the Fraud 
Detection and Reference Guide; Account Takeover Prevention Guide; and 
Detecting and Preventing Credit Application Fraud.
    The working group was also responsible for the Identity Theft 
Consumer Awareness video and the Identity Theft brochure. At the 
conclusion of my testimony, I have included prevention tips prepared by 
the Postal Inspection Service in collaboration with its working 
partners.
    In 2003, the Postal Inspection Service decided to broaden the scope 
of the Credit Card Mail Security meetings to include presentations on 
money laundering, Internet fraud, and bank fraud schemes. As the focus 
has expanded, the name of our working group has changed to the 
Financial Industry Mail Security Initiative (FIMSI). The initiative has 
decided to capture many of the best practices developed over the years 
and share them with industry and law enforcement in the form of a 50-
page document, reporting upon identity theft problems and issuing 
recommendations directed towards credit card companies and credit 
lenders for reducing or preventing it. One of those recommendations 
dealt specifically with limiting the use or display of social security 
numbers in sensitive records and mailings.
    To manage the vast data associated with these crimes, the Postal 
Inspection Service has developed a new financial crimes database. This 
computer application compiles a myriad of intelligence data relating to 
financial crimes, and provides Postal Inspectors with information that 
assists in identifying trends, criminal hotspots, and the scope of 
identity theft activity. Information for this database is provided by 
credit card issuers, other financial institutions, mail order 
companies, Postal Inspection Service investigations, and the victims 
themselves.
    According to a report released by the FTC this past September, mail 
theft as a source for identity theft happened in only 4% of the cases 
surveyed. As we have made it more difficult for mail theft to be a 
component of identity theft, criminals have turned to other means, 
oftentimes recruiting the assistance of insiders, in other words 
``employees,'' who have access to the personal information, especially 
the social security numbers, of clients or other employees. Personal 
information like social security numbers contained in corporate and 
government records and computer databases is a fertile area for 
dishonest employees working in conjunction with identity thieves.
    This is why we support H.R. 2971, the Social Security Number 
Privacy and Identity Theft Prevention Act, and welcome the additional 
consumer protection provisions it will provide. It is important to do 
whatever we can to keep identity theft from happening in the first 
place
Task Force Efforts
    In addition to partnering with members of the financial and mailing 
industry, task force efforts by law enforcement have been a successful 
approach to the identity theft issue. Postal Inspectors are active 
participants on financial crimes task forces throughout the nation. In 
Pittsburgh, Pennsylvania, the Postal Inspection Service leads the 
Financial Crimes Task Force of Southwestern Pennsylvania. This task 
force began operation on January 17, 1995, and is housed at the 
Pittsburgh office of the Postal Inspection Service. Originally, this 
task force was formed to target major credit card fraud in the 
Pittsburgh area. However, with the increased number of instances of 
identity theft spreading rapidly throughout America, this taskforce has 
directed most of its resources toward identity theft investigations.
    One of the recent cases involved actor Will Smith as a victim of 
identity theft. When Smith played Agent J in the movie Men in Black 
that was showbiz. But when convicted felon Carlos Lomax impersonated 
actor Will Smith, that was identity theft. Will Smith never knew his 
identity had been stolen until he attempted to purchase a new home and 
found his credit had been compromised. Postal Inspectors and the 
Financial Crimes Task Force of Southwestern Pennsylvania arrested Lomax 
for identity theft, and Lomax was sentenced to serve 37 months in jail 
and pay $64,000 in restitution.
    The Minnesota Financial Crimes Task Force, which includes Postal 
Inspectors, Secret Service agents, and local law enforcement officers, 
last year arrested a Nigerian national for a $1 million account-
takeover scheme. Postal Inspectors executed a federal search warrant at 
the suspect's residence and recovered approximately $16,000 in cash, 
three vehicles, artwork, electronics equipment, and merchandise derived 
from the scheme. An investigation revealed the man used bank employees 
to identify high-dollar, dormant accounts with balances of $100,000 or 
greater for his scheme, and shipped the fraudulently obtained 
merchandise to his home in Nigeria.
Public Awareness and Education Efforts
    Over 2,000 of our 6,000 mail theft arrests last year involved 
identity theft--and it's getting worse. But arrests are not the only 
solution. That is why the Postal Inspection Service addresses the 
identity theft issue on two levels--aggressive investigative efforts 
and creating prevention and awareness programs.
    While the Postal Inspection Service works hard to identify and 
prosecute identity crimes, we also recognize our ability to lessen the 
impact of this crime upon the public through various prevention 
campaigns. Postal Inspection Service efforts to prevent identity theft 
target the public and business communities to educate them about these 
schemes, and the problems associated with them. These efforts have 
included the publication of a brochure titled, Identity Theft, 
Safeguard Your Personal Information, and the March 2000 release of the 
Showtime movie, The Inspectors 2, based on Postal Inspection Service 
files relating to identity theft investigations.
    In an effort to educate consumers about this fast-growing crime, 
the Postal Inspection Service created an informational video titled 
Identity Theft: The Game of the Name. Also, the Postal Inspection 
Service and thePostal Service's Consumer Advocate Office partnered 
during last year's National Consumer Protection Week, from February 3 
through 8. The week's theme was ``Identity theft, the No.1 consumer 
fraud in the nation.''
    In 1999, Postal Inspectors along with partner organizations 
undertook Project kNOw Fraud, which was the largest consumer awareness 
campaign undertaken in this country. Through a mailing to 123 million 
addresses we warned the public of the dangers of telemarketing fraud. 
The successful campaign was followed up with the National Fraud Against 
Seniors Awareness Week in August of 2002. In September of last year 
Postal Inspectors unveiled another national awareness campaign. Last 
year's topic was identity theft.
    Actor Jerry Orbach, who also was a victim of identity theft, was 
the campaign's spokesman. This awareness campaign featured a two-
pronged approach, providing prevention and awareness information to 
consumers and addressing businesses on the need to safeguard their 
files and databases of customers' personal information. The campaign 
included:

      A house-to-house mailing to residences in ten states 
identified by the FTC as reporting the most identity theft complaints. 
The ten states were California, New York, Texas, Florida, Illinois, 
Pennsylvania, Georgia, Michigan, New Jersey, and Arkansas. The mailing 
was made in September, 2003, in conjunction with a press conference.
      Distribution of an updated brochure on identity theft. 
The brochure was distributed in connection with identity theft 
presentations made by Postal Inspectors to consumer groups.
      Production and release of a Public Service Announcement 
(PSA) featuring actor Jerry Orbach. This thirty-second PSA was released 
in September in conjunction with the press conference.
      An identity theft insert outlining prevention tips that 
was included with monthly financial industry statements and with all 
Stamps by Mail orders placed during the months of September, October, 
and November 2003.
      Production of an identity theft poster that includes 
prevention tips that was displayed in all Postal Service retail 
lobbies, numerous credit unions, financial institutions, and police 
departments in September.
      Production of an identity theft informational video and 
articles on identity theft prevention that was published in internal 
and external publications as well as newspaper ads in the same ten 
states that were identified as reporting the most complaints.

    The Mullen agency of Pittsburgh provided support for our Identity 
Theft campaign on a pro bono basis. But what really made this campaign 
unique is the funding source. We've all heard the saying, ``crime 
doesn't pay.'' In the case of this awareness campaign, it does pay. 
This campaign was funded through fines and forfeitures paid by 
criminals in a past fraud case.
Prevention Tips
    In numerous formats, including our website at www.usps.com/
postalinspectors, we provide the following recommendations to the 
public:

      Deposit your outgoing mail in a blue Postal Service 
collection box and promptly remove mail from your mailbox after 
delivery.
      Shred unneeded documents that contain personal 
information before discarding them.
      Order credit reports every year from each of the three 
major credit reporting agencies and thoroughly review them for 
accuracy.
      Never give personal or financial information over the 
telephone or the Internet unless you initiated the contact and trust 
them.
      Report lost or stolen credit cards immediately.
      If you applied for a credit card and didn't receive it 
when expected, call the financial institution.
      Sign new credit cards immediately--before someone else 
does.
      Memorize your Social Security number and passwords. Don't 
use your date of birth as your password and don't record passwords on 
papers you carry with you.
      Never leave transaction receipts at ATM machines, on 
counters at financial institutions, or at gasoline pumps.
      Don't carry your Social Security card or birth 
certificate; leave them in a secure location.
      Don't disclose credit card or other financial account 
numbers on a Web site unless the site offers a secure transaction.
      Closely monitor the expiration dates on your credit cards 
and contact the issuer if you don't receive a replacement prior to the 
expiration date.
      Beware of mail or telephone solicitations that offer 
prizes or awards--especially if the offer asks you for personal 
information or financial account numbers.
      Match your credit card receipts against your monthly 
bills and check your monthly financial statements for accuracy.
      Watch for your monthly financial statements and bills. If 
you don't get them when expected, contact the sender.

    For victims of identity theft, we recommend the following initial 
steps to begin the long and arduous task of responding to the crime:

    1.  If the crime involved the U.S. Mail, contact your nearest U.S. 
Postal Inspection Service office and report it.
    2.  Call the fraud units of the three major credit bureaus and 
request a ``fraud alert'' be placed on your credit file. Check your 
monthly financial statements for accuracy.
    3.  Order copies of your credit report from the credit bureaus to 
check whether any fraudulent accounts were opened without your 
knowledge or consent.
    4.  Contact your banks and creditors, by phone and in writing, and 
report the crime. You may be advised to close some or all of your 
accounts. At the least, change your PIN codes and passwords 
immediately.
    5.  Record the names and phone numbers of people with whom you 
discussed your case and retain all original reports and supporting 
documents. Keeping accurate and complete records are a big step toward 
helping you resolve your problem.
    6.  Contact your financial institutions and request they flag your 
accounts. Instruct them to contact you immediately if there is unusual 
activity on your accounts.
    7.  File your complaint online with the Federal Trade Commission, 
or call their Identity Theft Hotline at 1-877-IDTHEFT. The FTC has 
counselors to assist identity theft victims with resolving financial 
and other problems that can result from this crime.

    Educating the public and working to reduce the opportunities where 
the U.S. Postal Service can be used for illegal purposes are crucial 
elements in our fight against identity theft crimes. As always, we will 
do our part to remove criminals from society. We appreciate your 
recognition of the importance of this issue.

                                 

    Chairman SHAW. Thank you, Mr. Maxwell. I thank all the 
witnesses. Mr. Johnson.
    Mr. JOHNSON. Thank you, Mr. Chairman. Mr. O'Carroll, in 
your testimony you mentioned cross-verification with numerous 
agencies. Is the U.S. Department of Veteran Affairs one of 
those?
    Mr. O'CARROLL. Yes, it is, Mr. Johnson.
    Mr. JOHNSON. How do you deal with them directly? A lot of 
my buddies got listed as being dead, and they couldn't get 
their status reinstated because of a lack of identification, as 
you might imagine. How do you address that issue?
    Mr. O'CARROLL. Yes, Mr. Johnson. We have a matching 
agreement with the Veterans Administration where the SSA 
matches the SSNs of veterans against our databases for 
validity. There have been instances in the past, we have done 
an audit on it. Inadvertently the SSA listed people as deceased 
when they aren't deceased. We have brought that to the SSAs 
attention.
    Mr. JOHNSON. How does that happen in the system?
    Mr. O'CARROLL. Well, many of the death reportings are 
voluntary from a lot of different sources. Occasionally when a 
source indicates that a person is deceased, and it is entered 
into the records, before it is verified by another party on it, 
that information is recorded. What we are recommending is a 
second verification on it so that that doesn't happen anymore.
    Mr. JOHNSON. Are those numbers reissued?
    Mr. O'CARROLL. No, they are not reissued then. Once you get 
an SSN, sir, that is yours for life and forever. They don't 
reissue SSNs.
    Mr. JOHNSON. If the guy is dead, and you resurrect him, do 
you give him his SSN back again?
    Mr. O'CARROLL. Yes. He does. He or she will get it back.
    Mr. JOHNSON. Okay. Second, do you issue Social Security 
cards to students who are here on student visas who do not 
work?
    Mr. O'CARROLL. In actuality, they are not supposed to be 
issued to non-work students. The SSN is issued to students if 
they can show documentation from Immigration showing that they 
are authorized to work, at which time they will be given an 
SSN.
    Mr. JOHNSON. This is if they are authorized; but what if 
they are not working at all and never intend to? A lot of them 
do come here and are under their--they are supported by their 
home county. They don't pay any income tax. They don't pay a 
thing us to, not a nickel, but they go to school, and they have 
a student visa. Now, how do you differentiate?
    Mr. O'CARROLL. Well, the student visa is not reason to be 
issued an SSN. It has to be issued for work purposes. We have 
done audits where some schools have issued--or have issued 
letters saying that a student is working, when, in fact, they 
haven't been working, and that way was a way that they bypassed 
the rules and regulations in order to get an SSN. It is 
something that is recognized, and it is something that we have 
been working very closely with SSA doing studies of 
universities and making sure that they are, in fact, following 
the laws and using the actual document to show that a person is 
working. It is a loophole that has been out there, and it is 
being closed as we speak.
    Mr. JOHNSON. Do you have employers, when they hire 
somebody, theoretically they are supposed to check their 
status, and theoretically you are supposed to have the computer 
capability to have somebody call you and say, hey, is this a 
valid number and name, and you are supposed to be able to say 
yes or no immediately. Is that in operation right now?
    Mr. O'CARROLL. Correct. The SSA does have that.
    Mr. JOHNSON. You do have that. I understand that a lot of 
businesses are not taking advantage of that; is that true?
    Mr. O'CARROLL. That is correct, sir.
    Mr. JOHNSON. How do we rectify that?
    Mr. O'CARROLL. Well, one of the portions of the support of 
Congress is to make it mandatory that employers do check that 
each time. As it stands in the past, SSA now has ways of doing 
it where it can be done electronically, it can be done on the 
telephone, it can be done in person. What we are hoping for in 
the future is to have electronic means for verifying all 
employees. We have got different public outreaches to encourage 
employers to do it, and we are hoping for Congress to encourage 
employers also to make it mandatory that they do it in the 
future.
    Mr. JOHNSON. One further question for anybody that wants to 
answer it: Are we still failing to go after people who sell or 
tell you that they have lost their identification and come back 
for another one, because last time our testimony indicated that 
there was upward of 80 or more before you even looked at it.
    Mr. O'CARROLL. Those are two of the provisions in this law 
is one to take a look at the people asking for numerous 
replacement Social Security cards.
    Mr. JOHNSON. Well, how about one? If you have got the 
computer system to do it, why can't do you it after one?
    Mr. O'CARROLL. Well, there are legitimate reasons why 
people lose their Social Security card. Quite frankly, what we 
have been saying within the Office of the Inspector General is 
it is the number, not the card that is the problem to society.
    Mr. JOHNSON. Well, I understand that, but they still sell 
them, don't they?
    Mr. O'CARROLL. That is a major concern of ours is that when 
they get replacement cards, that they could be sold again, and 
that is why we are asking to tighten up on it.
    Mr. JOHNSON. Just one follow-up. Are you still waiting to 
80 before you check them out?
    Mr. O'CARROLL. Yes. The number has dropped considerably on 
the number of replacements. It is not up to 80. What we are 
looking for is 20 in the lifetime. We still think that is a 
large number to be asking for, and we are asking to have that 
number reduced.
    Mr. JOHNSON. I will bet the Postal Service doesn't wait 
that long. You guys do a good job, by the way. They briefed us 
well in Texas. Thank you. Thank you, Mr. Chairman.
    Chairman SHAW. Thank you. I still have my original Social 
Security card.
    Mr. JOHNSON. So do I.
    Chairman SHAW. Let me do a follow-up of what Sam was asking 
you with regard to students. If a student wants to open a bank 
account, and he doesn't work, and it is an interest-bearing 
account, he would need an SSN, wouldn't he?
    Mr. O'CARROLL. If you remember, Mr. Chairman, there was the 
hearing that we had with the use of the tax identification 
number, so that is a way in order to report.
    Chairman SHAW. Oh, I see.
    Mr. O'CARROLL. Taxable information without using an SSN.
    Chairman SHAW. That is right. Thank you for refreshing me 
on that. Mr. Cardin.
    Mr. CARDIN. Thank you, Mr. Chairman. I want to follow up on 
the private sector and the cooperation we are receiving from 
the private sector as it relates to theft, identity theft, SSNs 
and related issues, including the issue that Mr. Johnson 
raised. It seems to me that we are having a difficult time 
passing new laws here because of the wide use of SSNs by 
commerce, which we all understand. It seems to me that the 
private sector, private employers and private companies have a 
great deal at stake here, and I am curious as to whether you 
think they are doing enough to assist us in identity theft, at 
least initially. Second, after a person has found their 
identity has been stolen, and they have gone through this 
difficult issue, it has been reported to us that the theft 
continues, and there is still a difficult time in getting the 
private sector to work with us to make sure that the person who 
has been victimized is no longer victimized. So, I would be 
interested in your response as to whether you think the private 
sector, private employers, private financial companies, private 
companies generally are doing enough to help us and assist us 
to develop a strategy to minimize identity theft in this 
Nation.
    Mr. BEALES. Congressman, I think by and large the private 
sector has been very cooperative and very responsive. What has 
tended to happen in this area is identity thieves exploit a 
particular source of information or a particular channel to get 
credit. It takes some period of time to recognize that channel 
and recognize that problem. Once it is recognized, there are 
some fairly strong incentives to put measures in place to shut 
down that particular channel. Unfortunately it is an ongoing 
process because identity thieves work very hard to find a new 
way to do that.
    Mr. CARDIN. Can I just challenge you on that for one 
moment? If I make a small mistake on the use of my credit card, 
it seems to me it gets bounced the next time I try to use it 
pretty quickly. It seems like the credit industry knows how to 
get things into the computer pretty quickly to respond to what 
they believe is important. I don't see the same zeal, the same 
commitment as it relates to identity theft. Am I wrong?
    Mr. BEALES. Well, I think it has varied. I think the most 
common form of identity theft is credit card misuse, and I 
think the things you are pointing to are in place and address 
that form of identity theft and have really improved 
tremendously over time as people have used pattern recognition 
kinds of software and kinds of technologies to identify 
problems before there is too much charged on existing credit 
card accounts. So, I think there is a lot of that. There is no 
doubt that there is more that can be done in many areas, and 
that there is an ongoing need to recognize new threats as they 
emerge and to put measures in place to address them.
    Mr. CARDIN. The victim finds that his or her credit is 
affected. There are so many different avenues in which this 
information travels. It would seem to me that the private 
sector could develop the type of software response that could 
try to help the victim, and I haven't seen that.
    Mr. BEALES. Well, I think the key to helping the victim, 
once there has been an identity theft victim, is now in place 
by statute under Nation that was passed last year, and that is 
the system for placing fraud alerts has been codified in that 
statute. You can do it with one call to any one of the three 
credit bureaus and place the fraud alert for all three. With an 
identity theft report, like a police report, you can block 
fraudulent information that would appear on the credit report 
and keep it from being re-reported, and those measures we are 
in the process of rulemaking now and will be in place shortly.
    Mr. CARDIN. Yes. I think the frustrating part is that you 
can find a person's credit destroyed very quickly because the 
system is in place to identify individuals who are believed to 
have had a credit problem, even if it is a theft situation, but 
to rehabilitate it seems like to takes a lot longer to be able 
to work through the system. I just question whether we have the 
same commitment in the private sector to deal with the victims 
as it is to in some cases over respond and take away a person's 
good credit who doesn't deserve to have that credit taken away. 
Just my own observation.
    Mr. MAXWELL. May I add to that?
    Mr. CARDIN. Sure.
    Mr. MAXWELL. The initial part of your question, if I 
understood it correctly, was about the cooperation with 
industry. In our experience I have been encouraged, but the 
dichotomy you have, you have the business interest wanting to 
serve the customer to keep them as customers, but then they 
also have their competition with their other associated 
industries for the credit card group. I mentioned earlier for 
example, they are competing factions. We have a mail order task 
force. They are competing factions. So, sometimes it is hard to 
get them to cobble together like a shared database or best 
practices. They seem reluctant, which I understand why.
    Where I have seen and been encouraged is we tried--when we 
started this campaign, we reached out to the credit card 
companies to partner with us and actually put an identity theft 
warning on their statements. We never took that full measure 
because we couldn't get every company to agree to it. Their 
counsels, independent counsels, had some problems with it; 
however, some unilaterally did it on their own. So, I was 
encouraged by that, but I think the problem we will still have 
to overcome is that issue of competition and in the fact that 
we will give a little, but it is a constant balance. I think 
that more and more there is a benefit seen at the end by having 
the customers happy, satisfied and protected. Ultimately that 
is the case, and that is what we found in the Postal Service, I 
know. You can cut a lot of measures. We tried changing the 
commercial mail-receiving agency rules, and that was a very 
tough row to hoe. Again, you have a lot of industry you have to 
consider, but I am encouraged. We have come a long way.
    Chairman SHAW. Mr. Hulshof.
    Mr. HULSHOF. Thank you, Mr. Chairman. Let me start, Mr. 
Maxwell, by echoing what Mr. Johnson said. The Saint Louis 
Postal Inspector's Office had the opportunity to brief me in 
the Saint Louis office. This was right in the aftermath of the 
mailbox pipe bombs in the Midwest, and so I really got a good 
glimpse of what it is that you all do. I will have to admit 
that the day was capped off by allowing me to participate in 
the computer-simulated firearms training, which was a lot of 
fun, and I didn't maim too many innocent people.
    So, Ms. Bovbjerg, let me get to really the subject of 
today's hearing. I am sorry about the microphone here, Mr. 
Chairman. It seems to be in and out. We have talked about the 
private sector, Ms. Bovbjerg. What I want to talk about, 
because I know coming up in a later panel is what is happening 
in the public sector, and as you point out, and we are going to 
hear from a witness in the second panel, Federal law requires 
the use or the collection of SSNs for various reasons related 
to tracking deadbeat parents. The SSNs must appear on the 
pleadings in court orders related to child support. In fact, 
the Code of Federal Regulations requires that the SSN appear on 
garnishment orders involving postal employees as well as, and 
not to resurrect, Mr. Becerra, our discussion and debate last 
night in the full Committee, but SSNs are used to collect 
fines, crime victim restitution and beyond.
    So, I know you recognize in your statement that there is a 
survey of State and local agencies to determine the extent to 
which SSNs are displayed in public records. When might that 
survey be completed, and what can you tell us about it?
    Ms. BOVBJERG. Well, mine is not working either. We are due 
to report out to Chairman Shaw in September on this work, and 
it is a really complex survey, and so we have some things. Like 
we know that some States have the SSN in public records, but 
they don't need it, and they are not really sure why it is 
there. We can't tell you what the incidence of that is yet 
because we don't have all of our surveys back.
    What we are looking at is really what kind of records does 
the SSN appear in. We are trying to be able to say how many 
people this might affect by the way that we structured our 
survey. It is a little different than some things we have done 
for you in the past. We are also looking at what format is it 
in, because 2 years ago when we did this work, we were all, I 
think, pretty alarmed when we heard that these things were all 
going to be electronic, and this was going to be a boon to 
customer service. We are looking at, well, just how electronic 
is it going to be?
    I think that what we are hearing anecdotally and the people 
that we talk with about these things is there is just a greater 
sensitivity to this issue in no small thanks to this 
Subcommittee work. We have seen a dramatic shift in the public 
record world in the kinds of things that people are concerned 
about now. They are a lot less concerned about the speed of 
customer service and a lot more concerned about how do we make 
sure that we have only the data we need, how do we make sure 
that it is not going to the wrong place. There is a lot more of 
that.
    So, we will be reporting both survey results and results of 
our interviews. I think you know largely the early returns is 
there are some good news. There are some things that are being 
done. The good news at the Federal level, just by the way, is 
that the Privacy Act works, but when you get into State and 
local governments, it is not uniform, there isn't a single law 
that affects them. We continue to believe that the government, 
the Federal government, should consider working with State and 
local governments to develop something that is more uniform, 
more uniform protections, but at the same time consider that 
there are some very important uses to which the governments put 
the SSN, one of them being child support enforcement, tax 
enforcement, and program integrity at SSA. Just a few.
    Mr. HULSHOF. Well, and certainly as a supporter of the 
Chairman's bill, I wasn't aware until really preparing for this 
hearing that the Code of Federal Regulations in some instances 
insists that the SSN be recorded, and so I see that we are at a 
conflict here obviously. The other concern that I would expect 
would be that any new legislation that would be introduced and 
hopefully pass, Mr. Chairman, your bill, would certainly be 
prospective. Again, I will just relate that in the State of 
Missouri, our State Court Administrator who is set to testify, 
a lot of our courts in rural areas are finally now getting 
online as far as providing those court documents. So, in other 
words, going back retroactively to somehow close these records 
would just really be an extraordinarily difficult task, but 
look forward to the survey and any recommendations that maybe 
come along with that study. So, thank you.
    Ms. BOVBJERG. Well, one thing I do want to encourage you to 
think about is there is use and there is protection, and that 
you can require use, but you don't have to display it while you 
are using it. I think that is one of the things you are seeing 
that the Federal courts are starting to try to deal with.
    Mr. HULSHOF. Thank you.
    Chairman SHAW. Mr. Hulshof, the bill that you are cosponsor 
of that you refer to as my bill, but it is our bill, is 
prospective, and there is a 2-year period for implementation, 
so I think we have covered that base. I hope so.
    Mr. HULSHOF. Good.
    Chairman SHAW. Mr. Becerra.
    Mr. BECERRA. Thank you Mr. Chairman, and let me also say, 
as my colleagues have said, thank you very much for pursuing 
this so diligently. I hope that we are able to move forward 
your bipartisan legislation soon because it is better to get 
what is good out of the bill now versus wait until we perfect 
it later. Thank you all for your testimony. Let me ask a couple 
of quick questions, see how much I can get through in 5 
minutes.
    What can we do, and I open this to any of you who wish to 
comment. What can we do to help victims of identity theft to 
restore their good name and credit and to retain and restore 
again also their privacy? We are dealing with trying to prevent 
it. We know that in millions of cases we are too late. The talk 
of prevention is not going to help them because they have 
already had their identity stolen. Now they are facing the 
consequences of months, maybe years, of reclaiming their good 
name and credit. What can we do? Can you think of anything we 
can do legislatively to try to help victims who are currently 
in the process of trying to restore their good name and credit?
    Mr. MAXWELL. There may be a possibility to enact some form 
of, for lack of a better word, Committee, but group, working 
group, task force group that is tasked primarily with 
expediting consumers' restoration, if you will. To me it seems 
like most consumers, particularly the elderly, become 
frustrated with the system, whether it be complaining about 
fraud or the health care problem or just going to get help. 
When they are faced with a myriad of phone calls and letters to 
write, it kills them.
    Mr. BECERRA. Other than having a group that can advise, let 
me give you a quick example. Should we, for example, pass a law 
that says that a private entity that has used a SSN for 
whatever purpose, a bank, a credit agency, if, indeed that 
agency uses SSNs, it must treat as priority status an 
individual's claim that his or her identity was misused, and 
therefore has to clear that record so that when you as a 
private entity get that type of request by an individual, you 
must give it priority status? You can't just put it at the end 
of the list of complaints and work that you would have to deal 
with in the course of your business dealings.
    Mr. MAXWELL. That would be an excellent first step. 
Definitely an excellent first step, and I think, as a follow-
up, if there could be some body created to help expedite that, 
too. That first step would be putting the onus on the firm, the 
most responsible.
    Mr. BECERRA. Anyone who wants to use a SSN understands they 
have got an obligation to help a victim of identity theft clear 
it up quickly. If you are going to use the card, or the number, 
understand that some people will be victims; not perhaps of 
your own doing, but because you are a user of the card, you 
then are obligated to help victims who had their number used 
inappropriately resolve that issue as quickly as possible.
    Mr. MAXWELL. That sounds promising to me.
    Mr. O'CARROLL. Mr. Becerra, two things that are of interest 
to us. One is our major concern is the integrity of the SSN in 
relation to Social Security programs. However, what we have 
been big on encouraging is cross-verification, so that any 
Social Security that is numbered that is out there either in 
the Federal government or in commerce is being verified to know 
whether it is a valid number or not, and that kind of leads 
into what you were saying, is that way we can through 
verification, we can identify the misuse that is out there, and 
hopefully someday by government matching agreements, there will 
only be one person with one SSN of record in the Federal 
government. So, that is an issue with us on trying to prevent 
it.
    Mr. BECERRA. That is still more on the preventative side, 
which I think that is really where we have to go, because we 
don't want to have victims. To some degree I think there is 
still some help we can provide. If you have a good verification 
system, that makes it easier for those who didn't abuse their 
use of the card help that victim restore his or her good name 
and credit. So, if I am a bank and I wasn't at fault, and some 
other entity allowed the number to be misused, at least I can 
help verify quickly the claim of that individual that indeed he 
or she is that person and not the other individual.
    One quick question for Mr. O'Carroll. My understanding is 
that your current policy is to allow 52 replacement cards per 
year--is for Social Security to allow 52 replacement cards per 
year. Why the heck are we at such a high number? It used to be 
80-something, as I think Mr. Johnson said. Why the heck are we 
still at--why would anyone need more than one? I never pull out 
my Social Security card itself as an identifier; it is just a 
number. So, why would anyone need to request a card, even if 
you have lost the card itself? You know what your number is, or 
someone else does. Why would you need to request replacement 
cards?
    Mr. O'CARROLL. I think the logic that you are getting at 
and everyone else is, and as Mr. Johnson brought up, is 
probably for resale of that number or giving that card to 
somebody else, which is a concern on a fraudulent basis. One of 
the issues that the Agency looked at and we were a part of was 
taking a look, instead of having that card, is maybe making it 
a certificate or something larger than a card that would be put 
away and wouldn't be out in the common commerce on it. As with 
anyone, when you start thinking about if we came up with a new 
format for a Social Security card, everybody in the United 
States would want a new one and you can imagine the 
implications that would be. So, from looking at it from, I 
guess, the mechanical side of it, yes, the card is really the 
number and not the card.
    Mr. BECERRA. Unlike a diploma you hang up on your wall, you 
are not going to put a SSN up on your wall. Once you have it, 
you want to store it away and hide it as best you can. So, let 
me ask you a real quick question. Do we ask for some form of 
certification or verification as to why you are requesting 
another card? Do we say to you, prove to me that you need it or 
why you need it?
    Mr. O'CARROLL. No. At this point, no, sir.
    Mr. BECERRA. So, Mr. Chairman, this to me seems like an 
area where we could immediately address this. Once you have got 
your card obviously we hope the people can be diligent in 
safekeeping their number. To have the SSA continue to allow 
people to get replacement cards, which could really only be 
used for purposes of resale or for fraudulent purposes, this is 
something that----
    Mrs. TUBBS JONES. Will the gentleman yield?
    [The opening statement of Ms. Tubbs Jones follows:]
      Opening Statement of The Honorable Stephanie Tubbs Jones, a 
           Representative in Congress from the State of Ohio
    Mr. Chairman,
    Allow me to commend you on both your timing and your topic for this 
morning's hearing. As national legislators we must tackle what is 
becoming the fastest growing national crime trend in modern history: 
Identity theft! As so often happens with modern technology and high 
tech innovations, the use of technological advancement far out paces 
the public policy, protection measures and regulations governing the 
administration of technological advancement.
    While identity theft is on the rise and the social security number 
(ssn) is but one avenue to affect the crime, the prolific and generally 
accepted practice of use of the social security number as an identifier 
makes it a prime target. It is fitting that we, as Members of the 
Social Security Subcommittee, address the issue in an open forum. As 
Americans get older and increase the number of retirement/entitlement 
programs for which they are eligible--the use of the social security 
number becomes the number one identifier for all types of service 
providers. As we launch this massive and still yet confusing voluntary 
national prescription drug program--we are once again offering to new 
and established entities the privilege to use the social security 
number as an identifier.
    The public and private sector have recognized and dialogued about 
the balance between the privacy issues and the protection of open 
commerce. Entities from the mortgage bankers, to national credit 
bureaus, to municipal records keepers and credit card companies--up to 
and including the U.S. government--have all come together in one forum 
or another to address the issue. Before us today, we also have H.R. 
2971--of which I am a co-sponsor--``The Social Security Number Privacy 
and Identity Theft Prevention Act of 2003. This is clearly a step in 
the right direction.
    Mr. Chairman, according to Federal Trade Commission (FTC) data 
(2002 is the most recent data available) my home state of Ohio ranks 
30th in the nation in identity theft cases and CLEVELAND, in my 
Congressional District, is number one in the state. I have provided 
copies of the FTC information as a part of my statement today and would 
like to have it included in the record of today's proceedings. Local 
jurisdictions have highlighted the issue: the Associated Press reported 
how Hamilton County in the State of Ohio will hear recommendations from 
their task force to limit/restrict the amount of information--including 
the SSN from the county clerks' Web site; NBC reported just last week 
on how blood donors at the UCLA Blood and Platelet Center may be 
unwitting victims of identity theft as a result of a misplaced laptop 
with all of their personal data--including the SSN! This follows the 
alleged theft of another UCLA laptop from their financial office that 
contained similar personal information that could put even more people 
at risk. The need for increased laptop security notwithstanding, 
perhaps we need to somehow limit both the demand for and the use of the 
SSN.
    In 1935, with the passage of the Social Security Act, every 
employee covered by the social security program had to have an 
identifying number. Since then, the Civil Service Commission; the 
Internal Revenue Service; the Treasury Department; The Veteran's 
Administration; The Department of Defense--just to name a few 
government entities--have all made disclosure and use of the SSN an 
almost prerequisite identifier. We in Congress have made several 
attempts to monitor and regulate the use of this number. Mr. Chairman, 
I look forward to hearing from the witnesses this morning as they lend 
their expertise and personal experiences to our effort to lend some 
clarity and protection to the public.

                                 

    Mr. BECERRA. Certainly.
    Mr. JONES. I have a son who had to get a replacement card 
in order to get a passport or something. There was some other 
agency that would not accept that he did not have an SSN, and 
so it was a requirement that he needed to get a replacement.
    Mr. BECERRA. I think there is a perfectly good explanation, 
and therefore you could have some certification under penalty 
of perjury or something that says, I need this card because 
this agency is requesting it, and there you have then something 
that gives you some sense of comfort that the person is 
requesting it for a purpose other than just because they want 
another card.
    Mr. JOHNSON. Yes, but not 80 of them.
    Mr. BECERRA. That is exactly it, and the way technology and 
automation works today, chances are that we should be able to 
have the U.S. Department of State or the agency that issues 
passports talk directly to the Social Security agency, Federal 
government to Federal government, on whether or not this person 
has this number and it belongs to him or her.
    Mr. O'CARROLL. Social Security, the answer to that part of 
it, is working very closely with the U.S. Department of State, 
Immigration and Naturalization Servies, and U.S. Department of 
Homeland Security, on that type of a match for verifying that 
information.
    The other part of it, though, is you were saying on these 
replacement cards, and not to steal the thunder of your 
Committee, your Subcommittee on this thing that is one of the 
provisions of this thing, is to look at the issuance of the 
replacement cards, and it is part of the study that is being 
recommended. Quite frankly, we feel that that is a fraudulent 
loophole, the number of replacement cards that are out there. 
It is a throwback to days when all the SSN was used for was 
tracking wages. Everyone was happy to give out numerous Social 
Security cards at the time because it was for the purpose of 
tracking wages, not as it is today where it is becoming a----
    Mr. BECERRA. You don't have to go to the SSA. I can tell 
you down at some streets in Los Angeles. where you can get the 
same card without having to ask the SSA to send you one. So, it 
is not as if there is some particular value in getting this 
replacement.
    Mr. O'CARROLL. Hopefully we are buying cards from that 
person and arresting them.
    Ms. BOVBJERG. Could I just jump in on this issue for just 5 
seconds? Last year this Subcommittee had a hearing on some of 
these issues where the Commissioner was here where I testified, 
and we recommended that we not give out 52 replacement cards a 
year, that we at least reduce the number. There are some 
legitimate reasons to need replacement cards, but very few of 
them would require 52. At that time, SSA said that they had in 
front of Office of Management of Budget a proposal to reduce 
the number of cards per year and lifetime. That was a year ago. 
So, I don't know what has happened to that proposal, but that 
is a recommendation that we have made as well to SSA. So, we 
share your concern.
    Chairman SHAW. I will inquire of the Commissioner and place 
that information in the record.
    [The information follows:]

                                                      June 22, 2004
Hon. Jo Anne B. Barnhart
Commissioner of Social Security
500 E Street, SW
Washington, D.C. 20254

    Dear Commissioner Barnhart:

    We wanted to bring to your attention the issue of Social Security 
number (SSN) replacement cards, which was discussed extensively at our 
Subcommittee hearing on enhancing SSN privacy held on June 15, 2004.
    As you know, the Subcommittee had been informed previously that 
some unscrupulous individuals may sell their legitimate SSN cards to 
others, thereby enabling them to work under an SSN that is not their 
own and to commit other forms of identity fraud. Both a witness from 
the General Accounting Office (GAO) and the SSA Acting Inspector 
General were asked whether the agency had changed its policies to 
restrict the number of SSN replacement cards. Each replied that under 
the SSA's current policies, individuals may obtain an unlimited number 
of replacement cards.
    To ensure the public record on this issue is accurate, please 
provide your current policies with respect to the issuance of 
replacement cards and whether any change to those policies is 
anticipated.
    Also, as you may know, a provision to limit the number of 
replacement cards has been included in the Social Security Number 
Privacy and Identity Theft Prevention Act of 2003 (H.R. 2971). Your 
comments on this provision would be welcomed by the Subcommittee.
    Your reply by July 9, 2004 is most appreciated. Should you have 
further questions, please contact the Subcommittee Staff Director, Kim 
Hildred, at (202) 225-9263.
            Sincerely,
                                                  E. Clay Shaw, Jr.
                                                           Chairman
                                 ______
                                 
                                                     August 2, 2004
Hon. E. Clay Shaw, Jr.
House of Representatives
Washington, D.C. 20515

    Dear Mr. Chairman:

    Thank you for your letter dated June 22, 2004, regarding the SSA's 
(SSA) policies related to the issuance of replacement Social Security 
number (SSN) cards. You asked us to provide our policy on issuing 
replacement cards, and whether we anticipate changes in that policy. 
You also asked for our comments on a provision in H.R. 2971, the Social 
Security Number Privacy and Identity Theft Prevention Act, that would 
limit the issuance of replacement SSN cards.
    SSA currently has no limitation on the number of replacement SSN 
cards an individual may be issued (either over the course of a year or 
a lifetime), other than a protocol in its electronic processes that 
prevents the issuance of a replacement card within 7 days of a previous 
card issuance. Section 204 of H.R. 2971 would restrict the issuance of 
multiple replacement cards, specifying both yearly and lifetime limits.
    I, too, am concerned that issuing unlimited replacement cards may 
contribute to identity fraud. We are exploring ways to prevent 
individuals from obtaining replacement cards to facilitate someone else 
committing identity fraud. For example, I have instructed my staff to 
develop procedures that will identify instances where requests for 
replacement cards rise above a reasonable threshold. If fraud is 
suspected, SSA staff will follow established protocols and refer the 
matter to our Office of the Inspector General for appropriate action.
    We will keep you apprised of our activities in this area and would 
welcome the opportunity to continue to work with you to find an 
appropriate balance between our responsibility to provide the American 
people with the service they expect and deserve, and our commitment to 
deter SSN fraud.
    Thank you for bringing this issue to my attention. If I can be of 
further assistance, please do not hesitate to contact me or have your 
staff contact Mr. Robert M. Wilson, Deputy Commissioner for Legislation 
and Congressional Affairs, at (202) 358-6030.
            Sincerely,
                                                Jo Anne B. Barnhart
                                                       Commissioner
                                 

    Chairman SHAW. I want all of you to know that you have 
witnessed a very historic moment where Mr. Johnson and Mr. 
Becerra are in full agreement.
    Mr. JOHNSON. That is California and Texas.
    Mr. BECERRA. Mr. Chairman, that is worth putting on our 
wall as some kind of diploma.
    Chairman SHAW. I have made note of it. Ms. Tubbs Jones.
    Mrs. TUBBS JONES. Thank you, Mr. Chairman. Good afternoon 
to the witnesses. I want to pick up on one of the questions 
that was asked. My staffer Melvena says: how do private sector 
entities gain access to our Federal verifying mechanisms in 
order to use Social Security as an identifier?
    Ms. BOVBJERG. I can talk about the employer side. I can 
talk about the motor vehicle side. They can do it in several 
different ways. It depends on how many records they want to 
verify. They can do it by phone, they can do it online. As a 
practical matter, though, employers don't do this. They don't 
verify. We are doing work right now for this Subcommittee that 
is due out in the winter on the effect that this has. 
Specifically, on the records that Social Security doesn't know 
what to do with because the name, date of birth, and the number 
don't match, and these records are coming from employers.
    Mrs. TUBBS JONES. For example, my automatic teller machine 
card, if I go on line or call a number, 1-800, whatever it is, 
I call and I say I want to access my checking account. Then 
they ask me for my SSN to be put into the system in order to 
access my checking account. Then they ask me for a 4-digit pin 
number, which is also part of my SSN, to get to my checking 
account. What kind of regulation do we have on that?
    Ms. BOVBJERG. The reason they have your number is because 
financial institutions are required to have that information 
for tax purposes.
    Mrs. TUBBS JONES. Okay. So, that then allows them an option 
to go wherever else they want to go with it, because they have 
access to the number in that way.
    Ms. BOVBJERG. Well, I would like to think that they are not 
only asking you for your number but for something like your 
mother's maiden name or something like that, because just 
having the number, if someone were to.
    Mrs. TUBBS JONES. That might be private too, though. I'm 
kidding, go on.
    Ms. BOVBJERG. You want something that if someone has your 
SSN, they couldn't go back to the bank.
    Mrs. TUBBS JONES. I understand, but what I am saying the 
import of it is, is that they are using this number that 
supposedly was supposed to be sanctimonious or sanctified; it 
would never be able to be used for any other purpose very 
easily in the process. I think I would agree with my colleague 
here, that maybe what we need to do is to put some imposition 
or some requirement on those that use it to be able to provide 
some protection for the public when they choose to use it in a 
way that benefits their particular process.
    Let me go to the gentleman from the Inspector General's 
Office. I come from Cleveland, Cuyahoga County, former District 
Attorney in Cuyahoga County. So, we did a lot of work with 
postal inspectors. One of the most difficult things about 
prosecuting much of the theft, or identity theft in many of the 
areas, is that very few people want to really do white-collar 
crime. It takes a lot of work, it takes a lot of money, it 
takes a lot of time to invest in that type of work. What has 
been your success with, once you get a document or have done 
your research, gotten it together--prosecution of identity 
theft?
    Mr. MAXWELL. I mentioned earlier that of our 10,000 arrests 
for all crimes last year, 3,000 were identity theft, which is a 
very large proportion. That tells me--plus, of the cases I have 
read and been briefed about, we have a very good track record 
that way. There are cases that aren't as attractive enough to 
prosecute, but if you have generally more than one complaint or 
if one victim has a large loss and it is a complex matter, 
generally the U.S. Attorney will be more than happy to devote 
resources to it. If it is not a large loss, if there are very 
few victims, generally the climate--and that is true 
universally for fraud cases.
    Mrs. TUBBS JONES. Coming from the State prosecutor's 
office, we always go back and forth as to whether the States 
and the Feds really pay attention to what cases. Just for the 
record, Mr. Chairman, I would like to submit something from the 
FTC that shows figures and trends in Ohio.
    [The information follows:]
    [GRAPHIC] [TIFF OMITTED] 99677A.001
    
    [GRAPHIC] [TIFF OMITTED] 99677A.002
    
    [GRAPHIC] [TIFF OMITTED] 99677A.003
    
    [GRAPHIC] [TIFF OMITTED] 99677A.004
    
    [GRAPHIC] [TIFF OMITTED] 99677A.005
    
    [GRAPHIC] [TIFF OMITTED] 99677A.006
    
    [GRAPHIC] [TIFF OMITTED] 99677A.007
    
    Mrs. TUBBS JONES. It shows that Ohio is 30th in the country 
in number of States with regard to identity theft. 
Unfortunately, it shows that the city of Cleveland, which is my 
congressional district, is number one in the city in the State 
of Ohio with identity theft issues. I am standing up for all 
those great people from the city of Cleveland and greater 
Cleveland.
    I am encouraged that we are holding this hearing, Mr. 
Chairman, and I am looking forward to having the opportunity to 
work with you to deal with the issue of identity theft because 
it becomes very, very important, particularly when we begin to 
talk about those senior citizens who have to go through a long 
process in order to get through. They are having a hard enough 
time getting prescription drug discount cards right now, to 
have to go through this and do anything else. I thank you, Mr. 
Chairman, and I don't have any time to yield back.
    Chairman SHAW. Thank you. Mr. Brady.
    Mr. BRADY. Thank you, Mr. Chairman, for holding this 
hearing, this important issue. Although I will confess there 
are days as a Member of Congress when I would pay someone to 
steal my identity, so you would have to take all that goes with 
it, but you can have it. I want to talk to Ms. Bovbjerg, if I 
could, about the enforcement issue so we can get a little 
better picture. We talk about this at each of the hearings, but 
who is responsible for ensuring that businesses and those to 
whom they sell SSNs only disclose according to law? Who 
monitors the day-to-day release? Who prosecutes them, and how 
many businesses, I don't need the number, but how often do we 
really go after those who are breaking the law in this matter 
and what kind of penalties do they get?
    Ms. BOVBJERG. With regard to the private sector, I want to 
be careful with how I talk about this. The business that is 
collecting the number, the consumer reporting agency, there are 
rules about how they can disclose and what they can do with the 
other entity with whom they are doing business.
    What happens after it goes to the other entity, who knows? 
It seems like something of an honor system where, if it happens 
to you or to me that our identity is stolen, we might 
ultimately track it back to that entity and we would file a 
complaint and there would be Federal law enforcement involved. 
I am a little bit concerned that it seems very indirect. Our 
sense is that the collecting entity is complying with the law. 
They seem concerned about that; they have made changes to their 
systems to do that, but once they have that contract with the 
other entity, that the other entity signs and says we know we 
are not supposed to disclose and we are not going to do it, who 
knows what happens after that? It is sort of a very trusting 
kind of a system.
    Mr. BRADY. So, do we often catch bad actors violating the 
law?
    Ms. BOVBJERG. With that, I would have to turn to the law 
enforcement folks at the table. It is too bad the FTC person 
isn't still here.
    Mr. BRADY. Jump in.
    Mr. MAXWELL. As I keep alluding to the numbers, it is one 
of our largest proportion of criminal prosecutions in our 
cases; of 10,000 arrests, we arrest 3,000 for identity theft 
alone, not to mention the number of investigations that we 
conduct just involving identity theft. The fact that it is so 
widespread, the fact that the Internet has generated vast 
numbers of opportunities for these people to conduct the fraud 
in combination with the mail really enhances our field for it. 
However, as your colleague alluded to before, depending on the 
district, the prosecutions may differ. There may be higher 
guidelines for prosecution than in others.
    We do take our cases to the State offices as well if we 
can't get prosecution Federally and we think it is a very good 
case but resources do not permit, or other reasons. Sometimes 
we have had luck there. I don't have the numbers in my head 
from that, but I could provide those if that would be a benefit 
to anyone here.
    Mr. BRADY. What kind of penalties do the businesses face if 
they release unauthorized numbers?
    Mr. MAXWELL. That I would have to refer to probably be more 
of a----
    Mr. O'CARROLL. That is really outside of our purview on the 
information that businesses release. The FTC probably would 
have been the best to speak on that, Mr. Brady.
    Mr. BRADY. So, you do the prosecutions, you do the 
investigations, but you don't track what the ultimate outcome 
is?
    Mr. MAXWELL. Oh, yes. No, we do in our cases. We take a 
case from opening to closing. If we have a complaint or if we 
identify a situation, we will investigate it, we will follow it 
through, we will present it to the U.S. Attorney, and we will 
sit at the table with them if there is a trial. We don't close 
the case until there is a conviction and a termination.
    Mr. BRADY. What kind of penalty? What would be an average? 
What happens?
    Mr. MAXWELL. It depends on the statute that is used. 
Sometimes it is 1029, which is the access device. That is 
primarily a Secret Service jurisdiction. Our favorite and the 
one that we hold claim to is mail fraud. So, again, it could 
take penalties up through prison term over 5 years, depending 
on what is adjudicated based on the guidelines, the sentencing 
guidelines, and moneys can be up to 10,000 or more depending on 
the severity.
    Mr. BRADY. What is the most common case? Someone who has a 
pattern and has done a number of these fraudulently, for a 
first offense, what are they going to get?
    Mr. MAXWELL. The first offense. I would suspect again, I 
cited the Carl Lomax case in Pittsburgh last year, and he took 
the identity of several celebrities, notably Will Smith, the 
actor. I forget what he was sentenced to exactly, but it was 
several years in prison, probably under f5, with penalty, but 
he agreed to cooperate with us. There is often an incentive 
there for them to cooperate. He produced a video telling the 
different techniques he has, so we can use that for our 
training, but the average, it would be hard for me to say 
without averaging it, taking a look.
    Mr. BRADY. Do we need stronger oversight and stronger 
penalties?
    Mr. MAXWELL. I am more of a fan of the prevention ends. I 
think our criminal statutes, Congress has definitely equipped 
us well. It is a matter of getting access to information, it is 
a matter of people knowing who to report it to. It is a matter, 
as earlier discussed, of cooperation with the private sector, 
with the companies which we address through different task 
forces. Any encouragement coming from the Federal Government 
certainly helps. I think as far as the statutes that are now on 
the books, I think we are fine. We are happy with mail fraud 
and 1029.
    Mr. BRADY. I guess my thought, and I will wrap it up with 
this, Mr. Chairman, is that I think there are a lot of things 
we can do on prevention. I worry that the horse is out of the 
barn on SSNs; that one of the things we can do is to try and 
discourage bad actors from using them in fraudulent ways. The 
way you do that is to make it pretty tough on those who do and 
introduce some element of you may well get caught in doing this 
even on a smaller scale. That always means more resource and 
different approaches, but prevention we have got to do much 
more there. We talk about it a lot, but, I think we also, 
whatever we can do on enforcement I think may help the numbers 
that are already floating out there, which is probably everyone 
in this room, by the way.
    Mr. MAXWELL. One of the things that I often refer to in a 
strategy is, you can work a number of cases and that looks 
good, but if you work several with some notable names, that 
brings it to the forefront in the media, like this Will Smith 
case. We also used Jerry Orbeck in that campaign over there, 
where he was a victim of identity theft and he talked 
specifically of his individual case. The public often can 
recognize an affinity with that celebrity. So, that helps, too. 
So, yes, you are right. Deterrence, the arrests, but also get 
it out in the media, get it out, announced, and talk about it.
    Mr. BRADY. Thank you, panel. Thank you, Mr. Chairman.
    Chairman SHAW. I thank all of you. Mr. Pomeroy tells me 
that his questions have been answered by the witnesses. So, 
this panel is dismissed with our appreciation. Thank you very 
much. The current status of the Committee is that the bells 
that you heard have been calling us to the floor. We have been 
told that there are going to be four votes. That takes a little 
while, but what I would like to do is to introduce the second 
panel, and then we will recess until approximately 1:00 pm. 
That will give everyone a chance to taste the wonderful food we 
have here in the Capitol. You have eaten here before, huh?
    The next panel will be made up of Patricia Foss, from 
Elkton, Maryland. Mark Ladd, who has already been introduced as 
the Public Sector Co-Chairman of Privacy/Access Workgroup 
(PRIA) from Wisconsin. Chris Hoofnagle, Associate Director of 
the Electronic Privacy Information Center (EPIC). Brian 
McGuinness, who is the First Vice President of the National 
Council of Investigation and Security Services (NCISS). He is 
from my State in Miami, Florida. Mike Buenger, who is the 
President of the Conference of State Court Administrators 
(COSCA), Jefferson City, Missouri. Mr. Hulshof wants to 
introduce him, so I will yield to Mr. Hulshof at this time.
    Mr. HULSHOF. As I referenced earlier and had a chance to 
chat with Mike, it is great to have him here. Not only is he 
our State Court Administrator, but he is the President of the 
national organization. We are honored to have him here today, 
Mr. Chairman.
    Chairman SHAW. Thank you. We also have Fred Cate, who is 
Professor of Law at the University of Indiana, and Edmund 
Mierzwinski, who is the Consumer Program Director of the U.S. 
Public Interest Research group (PIRG). We welcome all of you, 
and we look forward to seeing you at 1:00 p.m.. We will stand 
in recess.
    [Recess.]
    Chairman SHAW. If the witnesses will take their seats, we 
will resume the hearing. Thank you for tolerating our schedule, 
which is always somewhat unpredictable. Ms. Foss, you are going 
to lead off, please.

STATEMENT OF PATRICIA FOSS, ELKTON, MARYLAND

    Ms. FOSS. Thank you, Mr. Chairman, for the opportunity to 
talk about my experience as an identity theft victim and also 
know that I, as a victim, applaud you all for looking at this 
serious issue. Like millions of Americans, my experience began 
when I was notified by my bank that my credit had been 
suspended due to nonpayment. After contacting the bank, I 
learned to my surprise another woman had received thousands of 
dollars of credit using my name and my Social Security card. 
She had my birth date off by 1 day. I was stunned to learn that 
she had gotten a home improvement loan from one bank and an 
automobile loan from another bank. I am not sure about the car, 
but we know she did not have a home. My SSN virtually gave her 
everything she needed to steal my good name and my good credit.
    That was the day I received an introduction to the crime of 
identity theft and how easy it was to be a victim, even when 
people like me are extremely careful of their personal 
information. I was fortunate enough when I was talking to the 
bank to receive good advice from them about what I had to do 
next and who to contact and what agencies I needed to talk to. 
That was when the real work began. I understand that an average 
identity theft victim spends over 30 hours trying to clear 
their name and prove their innocence. I can tell you I 
definitely exceeded that, especially if you count the nights 
when I laid awake and wondered what was going to happen next.
    At the time that this happened to me, it was back in 1999 
and it really wasn't a common thing at the time, so I and 
countless other people hadn't even heard of what it was. It 
took a lot of my time, my life away from me. This is the 
example of the file that I kept for a year of trying to get all 
the paperwork done that was required of me to prove that I was 
indeed who I am. It was, seriously, like having another job. I 
had to send to each credit bureau as well as countless banks 
that the other me had used notarized letters and documents like 
my birth certificate and my driver's license and including my 
SSN. It was kind of ironic, because I felt more vulnerable 
having all that information now out there for countless other 
strangers in trying to prove my innocence than I had ever done 
before the crime happened in the first place.
    I spent hours on hold, and I spent hours in transfer hell. 
I had to take time off of work to visit my own bank and get 
things notarized pretty much on a daily basis at least for the 
first couple of months, and it really took me over a year of 
dealing with at least 20 different organizations to completely 
clear the credit reports and prove that I was the victim and 
not the criminal. I still check my credit reports at least 
biannually for fear that either this woman or somebody else is 
going to use my identity again.
    In hindsight, I was really one of the lucky people. Unlike 
many cases, the police actually arrested the woman who was 
impersonating me. She was, ironically, an acting student. I 
thought that there was some humor in that. I was told that she 
walked in one of the banks that I had reported the crime to and 
was leisurely making another withdrawal out of an account that 
she had in my name. After she was caught, I was afraid that she 
also had my home address and there would be repercussions once 
she found out that I had turned her in, and so I spent a few 
nights in fear over that. I completed a form to be notified as 
to what had happened in her trial, and the next I heard was 
last week when I was asked if I could testify before this 
Committee. I know since my experience numerous State and 
Federal laws have been passed to criminalize identity theft, 
and I think it is better than it was when this happened to me, 
but I would say that much more still needs to be done, because 
the number of identity theft victims continue to increase every 
year.
    Chairman Shaw, I applaud your efforts to restrict the 
dissemination of SSNs. To this day, I still don't know how this 
woman got mine. No one does, and she didn't admit anything when 
she was prosecuted, apparently. As you go through your 
deliberations I guess I would ask you to consider the following 
things: I believe that credit grantors are a big part of the 
problem. I don't understand why they don't check more into 
people's credentials before they hand them money. If they don't 
follow those kind of procedures, shouldn't they be somehow 
accountable in some ways? I can't understand that kind of 
carelessness as what happened with me.
    Also, I guess I would ask, where is the funding for 
enforcement? I know that there are punishment penalties in the 
bill. If there is not money for enforcement, I can't imagine 
that many of these people are going to be caught. Truly, the 
heroes in my story were the police, one bank's fraud officer, 
the postal inspectors and the special agents in the Social 
Security Office of the Inspector General, but I was one of the 
lucky ones. Last, I feel that I would like to see more funding 
for agencies like the SSA or some agency so that people like me 
could have a central point of contact and somebody to help them 
through the mass of paperwork that is required of them. Thank 
you again for letting me tell my story.
    Chairman SHAW. Thank you. If I may, just out of curiosity, 
was she found guilty and what was her penalty?
    Ms. FOSS. I just found that out yesterday, which was 
interesting. She was prosecuted. She was found guilty. The 
sentence was, I believe, 6 months; and she was required to pay 
back $69,000 in restitution to the organizations that had given 
her the money.
    Chairman SHAW. So, the system worked in your case.
    Ms. FOSS. The system worked in my case, but it sure took a 
long time.
    [The prepared statement of Ms. Foss follows:]
              Statement of Patricia Foss, Elkton, Maryland
    Chairman Shaw and members of the committee, thank you for the 
opportunity to talk about my experiences as a victim of identity theft. 
I'm grateful to you for addressing this critical issue.
    Like millions of other Americans, my experience began when I was 
notified by my bank that my credit had been suspended because of non-
payment. After contacting the bank, I learned to my surprise that 
another woman had received thousands of dollars of credit using my name 
and my perfect credit history. I was stunned to learn that she had 
obtained a home improvement loan at one bank, and an automobile loan 
from another. My social security number had provided her with the 
access she needed to damage my good name and credit.
    That was the day I received an introduction to the crime of 
identity theft, and how easy it was to become a victim, even when 
you're careful about your personal information.
    I was fortunate enough to receive good advice from my bank, MBNA, 
and was provided information on how to respond. But that was where the 
real work to prove my innocence began. I understand that on average an 
identity theft victim spends over 30 hours proving their innocence. I'm 
sure I exceeded that number, especially if you count the nights I lay 
awake wondering where she would strike next. She not only stole my 
identity, she took weeks of my life away from me.
    I had to send each credit bureau, as well as the countless banks 
the other ``me'' had used, notarized letters and copies of documents 
like driver's license and birth certificate. I spend hours on hold and 
in transfer hell. I had to take time off of work to visit my own bank, 
and had to deal daily with proving I was the real Patricia Foss. It was 
truly like having a second job.
    It took me almost a full year of dealing with over 20 different 
organizations to completely clear my credit reports and prove that I 
was the victim, and not the criminal. I still check my credit reports 
biannually with the fear that sooner or later, this woman, or someone 
else, will use my identity again.
    In hindsight, I was one of the lucky ones. Unlike many cases, the 
police actually arrested the woman who stole my identity. She was 
appropriately, an acting student. I was told that she walked into one 
of the banks to which I'd reported the crime and was leisurely making 
another withdrawal. After she was caught, I was afraid that she also 
had access to my home address and would threaten my safety once she 
realized that I'd reported her crime. I had completed a form to request 
that I be notified of the outcome of her trial. That was the last I 
heard until last week when I was contacted about testifying before this 
subcommittee.
    I know that since my experience, numerous state and federal laws 
have been passed to criminalize identity theft. More obviously needs to 
be done as the number of identity theft victims continues to increase 
every year.
    Chairman Shaw and members of the subcommittee, as a victim, I 
applaud your efforts to restrict the dissemination of social security 
numbers. To this day, I still do not know how this woman impersonating 
me obtained mine. As you go through your deliberations, I would also 
ask you to consider the following;

      Credit grantors continue to be a part of the problem. 
Shouldn't banks and other credit grantors be required by law to conduct 
a more complete check of credentials before handing people money? If 
they don't follow such procedures, shouldn't they be held accountable 
in some way? I do not understand how they can afford to be so careless.
      Where is funding for enforcement? I was pleased with the 
provisions to add more criminal penalties to punish identity theft 
criminals. But if there isn't money for enforcement, they won't be 
caught in the first place. The heroes in my story were the police, one 
bank's fraud officer, and the postal inspectors. But then, I was lucky.
      More funding is needed for agencies like the Social 
Security Administration to help victims have a central point of contact 
and assistance negotiating the mass of paperwork required to clear 
their name.

    Thank you for the opportunity to speak with you about my 
experience.

                                 

    Chairman SHAW. Yes. Mr. Ladd.

STATEMENT OF MARK LADD, PUBLIC SECTOR CO-CHAIR, PRIVACY/ACCESS 
   WORKGROUP, PROPERTY RECORDS INDUSTRY ASSOCIATION, RACINE, 
                           WISCONSIN

    Mr. LADD. Good afternoon, Mr. Chairman. Again, I am Mark 
Ladd. I am the Register of Deeds for Racine County, Wisconsin; 
and I am the Public Sector Co-Chair for the PRIA's Privacy/
Access Workgroup. I appreciate the opportunity to come and 
speak regarding H.R. 2971 and its impact on land records 
custodians. The collateralization of real property is a 
fundamental part of our economy. Leveraging real property is 
possible because of the publicly available information 
regarding a specific parcel of land. Our Nation's private 
ownership of land is based on a necessary access to publicly 
recorded land information.
    On the other hand, citizens are concerned that personal 
information is sometimes contained in these real property 
records and can be used for identity theft. By example, SSNs 
are often included in mortgage documents, tax liens, divorce 
decrees and other documents that convey real property. However, 
for land records custodians, there is little legal purpose for 
having that number included in the record.
    The PRIA hosted a roundtable forum on this topic back in 
February of 2003. We had 25 different roundtable participants 
with a broad range of industry expertise: State, local 
government, Federal government representatives, land records 
officials, trade associations from the real estate industry, as 
well as a couple of organizations dedicated to consumer 
privacy. At the conclusion of the roundtable, we actually spun 
up a Privacy/Access listserve, an e-mail discussion to continue 
to foster additional conversation on the topic. That list serve 
discussion was followed up by 2 days of facilitated educational 
discussions during our winter conference earlier this year. In 
the discussions, we reviewed the historical foundations of 
American's land records system and our public records laws and 
then we debated several suggestions for model legislation.
    It is with this background in mind that I would like to 
offer our comments regarding H.R. 2971. Section 101 of the bill 
prohibits the display to the general public of a SSN and then 
goes on to define ``display'' as posting on a website. Well, 
the Internet has become an important tool for many land records 
custodians to publish records. More and more counties are 
developing Internet-based sites designed so that citizens can 
conduct business with government when it is convenient for the 
citizens, and these sites often include data as well as images 
of documents.
    Now, again, our discussions show that few occurrences of 
the SSN land records are required by government agencies or 
required by land record agencies, but, rather, they may be 
required by the Internal Revenue Service or State taxing 
authorities. A lot of times SSNs appear in a document, and they 
are placed there by the document preparer for the benefit of 
their business process or the business process of one of their 
partners. However, we have no statutory authority under current 
law to refuse to enter these documents into the public record. 
In its current form, this bill would prohibit us from using the 
Internet to post our records, and this removes an important 
tool from our use. Another thing to note is, even with this 
provision, SSNs can still become part of the public record and 
an individual's privacies are at risk in the courthouse 
because, again, these are public records that anyone can come 
and obtain. We would think that there are several elements that 
need to be addressed in any type of legislation to deal with 
this issue.
    First, we applaud this provision of H.R. 2971 in that this 
needs to be on a day forward basis. Redaction and the expunging 
of the records is physically difficult, if not impossible. The 
prohibition should be on putting the SSN in any document that 
will become part of the public record, and this should also 
include the authority to public records officials to reject the 
recording. However, that authority needs to be permissive, 
rather than prescriptive. Prescriptive authority is impossible 
for us to manage. The sheer volume of documents to check for 
that SSN in a 27-page mortgage, in an office of my size only 
300 documents a day, in larger offices thousands of documents a 
day, it is just impossible to manage.
    If a document contains a SSN, after this law is adopted, we 
would suggest that land records officials be empowered to 
redact the number. That is an important provision for an 
administrative function that we provide. Providing certified 
copies of documents requires us to provide an exact copy of the 
document that was presented to us. Without that type of 
authority, we can't fulfill that role. Again, we recognize that 
it is an impossible task for land records officials to manage. 
We are poor gatekeepers, just due to the size of the task, but 
we believe that our recommendations can provide the goal of 
protecting SSNs without jeopardizing the flow of commerce or 
placing an unbearable burden on the shoulders of local 
government. I look forward to answering further questions as 
the hearing continues. Thank you.
    [The prepared statement of Mr. Ladd follows:]
    Statement of Mark Ladd, Public Sector Co-Chair, Privacy/Access 
  Workgroup, Property Records Industry Association, Racine, Wisconsin
    Good morning Mr. Chairman and members of the Committee:
    My name is Mark Ladd. I am the Register of Deeds for Racine County, 
WI, and I am the Public Sector Co-Chair of the Property Records 
Industry Association (PRIA) Privacy/Access workgroup. I appreciate the 
opportunity to speak to you today regarding personal information and 
privacy issues as it relates to the land records industry.
    The PRIA is a public/private partnership and its mission is to work 
together to identify issues, define problems and develop solutions to 
bring consistency to the property records industry. The PRIA membership 
includes over 260 land records officials and 105 private sector 
partners. The PRIA has completed projects such as developing a 
document-formatting white paper, notary essentials white paper and 
created the model statute for Military Discharge (DD214s) documents and 
developed the Military Discharge DD214 Tangible Interest form. The PRIA 
currently has several projects in development including, Electronic 
Recording Standards in alliance with the Mortgage Bankers Association; 
Archival Back-up and Disaster Recovery; Parcel Code Review; 
1st Page Indexing Requirements and the Records Access Policy 
Advisory Committee.
    The collateralization of real property, often taken for granted, is 
a fundamental part of our economy. Leveraging real property is possible 
because of the public availability of information regarding a specific 
parcel. Our nation's private land ownership is based on necessary 
access to publicly recorded real property information. For many 
reasons, the property record system requires that the general public 
have a right to know who owns or has certain interests in real 
property. Two of these reasons, for example, are:
    (1) to protect the investors lien rights, and
    (2) to assure fair assessment and taxation of like properties.
    On the other hand, citizens are concerned that personal or 
sensitive information is sometimes contained in real property records 
and may be used for criminal intent, such as identity theft. An example 
of sensitive information with little legal purpose to protect investor 
lien rights, yet quite useful to identity thieves, is a Social Security 
number. Social Security numbers can appear in some mortgage documents, 
tax liens, or even a divorce decree that conveys real property.
    Privacy interests and the interest for disclosure of land records 
information often appear at odds with each other. This poses a dilemma 
for land records officials attempting to balance these two points of 
view. This is perhaps one of the greatest public policy questions faced 
in recent years. The PRIA is convinced that a workable balance can, and 
in fact, must be reached on this issue. That balance should protect 
personal privacy without impeding commerce or overburdening land 
records offices.
    Realizing there was little or no communication between various 
groups within the United States regarding Privacy and Access issues, 
the PRIA convened the nation's first roundtable forum in WashingtonD.C. 
on February 26, 2003 to discuss this issue.
    The 25 roundtable participants covered a broad range of industry 
representatives including representatives of the federal government 
(IRS and GAO), state and federal court systems, Land Records Officials, 
national associations in the real estate industry including the 
National Association of County Recorders, Election Official and Clerks, 
the International Association of County Recorders Election Officials 
and Treasurers, the American Land Title Association, the American 
Escrow Association, the National Public Records Research Association, 
the Mortgage Bankers Association, the Appraisal Institute, American Bar 
Association, national credit bureaus, as well as two of the most 
influential organizations dedicated to consumer privacy issues. In 
addition, there were 150 registered observers, representing a broad 
spectrum of the industry.
    Several topics were covered during the roundtable in a lively, 
thought provoking, daylong discussion. The PRIA has minutes and created 
a CD, both are available on the PRIA website located at www.pria.us
    At the conclusion of this meeting the PRIA formed a committee to 
continue to advance this issue. A Privacy/Access listserve was 
established as a forum to foster additional discussion on the topic of 
personally identifiable information contained in public records. The 
listserve activity included a discussion of:
    (1) what information is required for the conduct of commerce?
    (2) could rules relating to document creation address the needs of 
all interested parties? and
    (3) should we consider restricting access to certain types of 
records?
    The list serve discussion was followed by two days of facilitated 
educational discussions during our 2004 Winter Conference in Washington 
D.C. During these discussions PRIA members reviewed the historical 
foundations of American public records and then addressed the policy 
issue by debating several suggestions for model legislation.
    It is with this background in mind that we offer the following 
comments relating to HR 2971.
    Section 101 of the proposal contains a prohibition of the ``display 
to the general public'' of a Social Security number (Page 3, Lines 18 
&19). ``Display'' is later clarified as ``to intentionally place such 
number in a viewable manner on an Internet site.''
    The Internet has become an important tool for many land records 
custodians to publish records. More and more counties are developing 
what is being called a ``virtual courthouse.'' These Internet based 
sites are designed so that citizens can conduct business with 
government when it is convenient for the citizen and these sites can 
include data as well as images of documents.
    The PRIA discussions reveal that few occurrences of the Social 
Security number in land records are required by any government agency 
with the exception of the IRS and state taxing authorities. For non-
taxation documents, the Social Security number is normally included by 
the document preparer for the benefit of their business practices or 
that of a business partner. While the problems associated with this 
practice may seem obvious to us, this is a standard practice with a 
number of financial institutions. Land records officials have no 
statutory authority under current law to refuse to record such 
documents.
    In the bill's current form, this provision would prevent land 
records custodians from posting currently recorded land records on the 
Internet, thus removing an important tool from our use.
    Another provision of Section 101 further defines a Social Security 
number as ``any derivative of such number'' (Page 5, Lines 20 & 21).
    Some land records officials have had conversations with the IRS 
regarding removing the Social Security number from Federal Tax Liens. 
One solution often repeated by the IRS is including only the last four 
digits of the Social Security number. This would appear to be a 
violation of this provision. Since Federal Tax Liens attach to an 
individual and not a specific parcel of real property, it will become 
very difficult for title searchers to determine the applicability of 
these liens.
    Section 102 requires the Attorney General to consider the cost or 
burden to local governments of complying with the restrictions imposed 
by any rules to be adopted under this bill (Page 8, Lines 1-7).
    This clause is helpful, as the task of assuring that documents, 
some of which may be quite voluminous, do not contain Social Security 
numbers, represents a Herculean undertaking on a daily basis, even in 
the smallest of jurisdictions.
    Using Racine County as an example. Racine County has a population 
of 190,000--a medium sized county. In 2003 Racine County recorded just 
under 80,000 documents that contained approximately 400,000 total 
pages. That equates to 1600 pages that must be reviewed by a staff of 
6, every business day. During most of 2003 the office was operating 
with a backlog of 2-3 weeks, without any requirement to search for 
Social Security numbers in the documents.
    Most of the review that staff performs on real estate documents is 
done by checking the first and last pages of a document. If we were 
required to check for the inclusion of a Social Security number, which 
could be anywhere in the document, it would more than double the task 
of reviewing documents.
    From a national perspective there were approximately 125 million 
real property documents recorded in 2003.
    Section 201 moves to another area that local government offices 
administer, specifically, birth records. This section contains a 
requirement to independently verify any birth record provided in 
support of the application process (Page 20, Lines 21-23).
    The PRIA would like clarification of this provision's intent and 
impact. Our concern is that vital record offices issue certified copies 
of birth records that contain a certification statement that includes 
the issuing officer's signature and the department seal. Most states 
have adopted (or will soon be adopting) standards for security paper to 
be used for these certificates. These standards include features that 
make the paper tamper evident. Independent verification from State and 
local offices would only be necessary when a certificate appears to 
have been altered or is not on security paper.
    The financial burden to state and local governments in implementing 
any aspect of this provision should be addressed as well.
    Section 201 goes on to require a feasibility study, which includes 
the costs of electronic third party verification of identity documents 
(Page 21, Lines 16-21).
    Most state and local offices are only beginning to investigate the 
costs of developing such systems. We cannot overstate the fact that the 
current fiscal environment faced by most state and local governments 
makes this type of development a challenge even when policy makers 
support the goals and benefits of such an undertaking.
    In Wisconsin, I serve on the committee that has been assembled by 
the Department of Health and Family Services Vital Records Bureau to 
develop the specifications for such a system. My optimistic estimates 
are that this project could be minimally operational in two to four 
years with a mature system being six or more years down the road.
    As I stated in my introductory remarks, the Property Records 
Industry Association has had extensive discussions regarding this topic 
and I would now like to offer our suggestions as to elements that this 
type of legislation should encompass.
    1. Legislation should be effective on a ``day-forward'' basis. It 
should not require redaction or expungment in records already filed or 
recorded.
    2. Consider prohibiting the inclusion of Social Security numbers on 
documents that will become part of the public record. This could 
include providing land records officials the authority to reject a 
document for filing/recording that includes a Social Security number. 
Practically speaking however, rejection authority needs to be 
permissive rather than prescriptive. As I described earlier, the shear 
volume of documents and the number of pages involved will make 
prescriptive authority difficult to manage.
    3. Next we suggest that if a document recorded after the effective 
date of the legislation contains a Social Security number, the land 
records official should have the authority to redact the Social 
Security number from the document.
    This is an important provision for an important ministerial 
function--that of providing certified copies of records in our offices. 
Our certification statement requires that we provide an exact copy of a 
recorded document. We need to be explicitly empowered to redact the 
Social Security number without compromising the integrity of future 
certified copies we issue.
    4. The PRIA acknowledges the nearly impossible task faced by land 
records officials in attempting to keep Social Security numbers out of 
the public record and it believes this responsibility is more properly 
placed on document preparers and individual consumers. Accordingly, 
PRIA believes that, for any law prohibiting a Social Security number in 
land records, land records officials should be immune from suit 
relating to documents filed/recorded that include Social Security 
numbers.
    While land records officials will assist when and where they can, 
the scope of the task of checking every page of every document for 
Social Security numbers is simply beyond their ability to perform. The 
time to prevent Social Security numbers from becoming part of the 
public record is when the document is created--before the parties 
execute them, not when they are presented for recording.
    There is simply too much dependence in today's marketplace on the 
social security number. The PRIA believes education is a major 
component in developing solutions to this problem. Already we are 
seeing insurance companies and others using an alternative ID number on 
insurance cards rather than the social security number.
    Utilizing existing associations such as the PRIA, Mortgage Bankers 
Association, Fannie Mae, Freddie Mac, American Land Title Association, 
American Escrow Association, etc. and with the help of the federal 
government, this problem can be drastically reduced if not eliminated.
    Thank you for giving the PRIA the opportunity to address this 
important public policy issue. Our discussions and policy debates 
instruct us that the time to address this problem is during the 
drafting of the documents. We believe that our recommendations can 
achieve the goal of protecting Social Security numbers in regards to 
the public record without jeopardizing the flow of commerce or placing 
an unbearable burden on the shoulders of local government.

                                 

    Chairman SHAW. Thank you, Mr. Ladd. It sounds like you may 
need a State statute. Mr. Hoofnagle.

     STATEMENT OF CHRIS JAY HOOFNAGLE, ASSOCIATE DIRECTOR, 
             ELECTRONIC PRIVACY INFORMATION CENTER

    Mr. HOOFNAGLE. Thank you, Chairman Shaw, for holding this 
hearing today and for continuing to build a rich legislative 
history on why Congress needs to act to enhance the privacy and 
integrity of SSNs. My name is Chris Hoofnagle. I am Associate 
Director with the EPIC. We have been involved with SSN 
regulation for many years and also in litigation. We filed an 
amicus brief in a very important case known as the Amy Boyer 
case where a woman was located and essentially stalked through 
the help of a data broker and a private investigator. We have 
submitted detailed written testimony for the record today. I 
just want to highlight some of the points we make in this 
written testimony, and I look forward to your questions 
afterward.
    As you are well aware, today the SSN plays an unparalleled 
role in identification, authentication and tracking of 
Americans. Its use in the public and private sector heightens 
the risk of identity theft and abuse because institutions use 
the SSN both to identify people but also to authenticate them. 
So, Representative Tubbs Jones was bringing up this issue 
earlier, the same number you use to identify a credit file is 
often used to authenticate or to verify the identity of 
someone; and from a security standpoint, that is a major risk. 
It is not unlike choosing an e-mail address and using your e-
mail address as the password, the exact same series of letters.
    The other issue I wanted to highlight from our testimony is 
the role that public records play in providing personal 
information to commercial data brokers and to others who are 
amassing personal information about individuals. Oftentimes we 
are compelled by law or compelled from wanting to enjoy the 
rights and benefits of our society into providing personal 
information that ends up in a public register; and once your 
SSN or other information ends up in a marriage license or a 
land record, anyone can come along and use that personal 
information for any purpose. So, we do think that it is 
important in your legislation to include strong language 
keeping the SSN, and keeping certain personal identifiers out 
of public records before they reach the general public.
    There are several parts of H.R. 2971 that we think are very 
strong, and they belong in any SSN privacy bill. The first is 
the provision on coercive disclosure. We think it is very 
important that businesses not be able to withhold a product or 
service when they ask for a SSN without authority to do so, and 
I think that your legislation is well crafted in section 109 
because businesses that actually have a legal right to the 
identifier will still be able to request the SSN. We think it 
is very important that Section 108 be included in any 
legislation that moves to the full House. section 108 would 
move the SSN below the credit header line and require 
individuals who are trying to buy SSNs to have a permissible 
purpose under the Fair Credit Reporting Act before getting 
access to the identifier. I think that is a very important 
protection, and we commend you for including it in the 
legislation.
    Finally, we think it is very important that States be 
discouraged from placing the SSN on drivers' licenses and other 
identifiers provided to individuals. We would recommend one 
enhancement to the legislation in this regard. We have become 
aware that some States do not put the SSN on the actual card. 
They don't publish it on the card, but they embed it into the 
bar code or into the magnetic strip, and then businesses or 
other individuals can swipe the driver's license and collect 
the SSN from individuals. I think it is important that 
prohibitions recognize the risk of automated data collection 
from drivers' licenses and how SSNs might be swept in that 
equation.
    We also encourage you to look to the leadership of the 
States in developing SSN legislation. A number of States have 
passed very strong regulations that deal with use of SSN in the 
private sector, the use of the SSN in the context of colleges 
and universities and with regards to course of disclosure; and 
their leadership should be emulated at the Federal level.
    As I am running out of time, let me highlight what Ms. Foss 
said earlier about the role of credit granting and identity 
theft. In our written testimony we have given numerous examples 
of cases where victims had their identities stolen and it would 
not have occurred but for the presence of the SSN. The identity 
thief filled out an application to get credit. Oftentimes, the 
date of birth was wrong, the name was wrong, address was wrong. 
The SSN was right, and so the SSN was a key to identity theft 
in all of those cases, and it sounds as though those cases are 
similar to yours, Ms. Foss. So, we encourage an examination of 
credit granting practices as well, it appears as though they 
are contributing to the identity theft problem. Thank you, Mr. 
Chairman. I look forward to your questions.
    [The prepared statement of Mr. Hoofnagle follows:]
   Statement of Chris Jay Hoofnagle, Associate Director, Electronic 
                       Privacy Information Center
Introduction
    Chairman Shaw, Ranking Member Matsui, and Members of the 
Subcommittee, thank you for extending the opportunity to testify 
enhancing the privacy and integrity of Social Security Numbers.
    My name is Chris Hoofnagle and I am associate director with the 
Electronic Privacy Information Center (EPIC), a not-for-profit research 
organization based in Washington, D.C. Founded in 1994, EPIC has 
participated in cases involving the privacy of the Social Security 
Number (SSN) before federal courts and, most recently, before the 
Supreme Court of New Hampshire.\1\ EPIC has also taken a leading role 
in campaigns against the use of globally unique identifiers (GUIDs) 
involving the Intel Processor Serial Number and the Microsoft 
Corporation's Passport identification and authentication system. EPIC 
maintains an archive of information about the SSN online at http://
www.epic.org/privacy/ssn/.
---------------------------------------------------------------------------
    \1\ Estate of Helen Remsburg v. Docusearch, Inc., et al, C-00-211-B 
(N.H. 2002). In Remsburg, the ``Amy Boyer'' case, Liam Youens was able 
to locate and eventually murder Amy Boyer through hiring private 
investigators who tracked her by her date of birth, Social Security 
Number, and by pretexting. EPIC maintains information about the Amy 
Boyer case online at http://www.epic.org/privacy/boyer/.
---------------------------------------------------------------------------
    In previous testimony to this Subcommittee, EPIC has recommended a 
strong framework of Fair Information Practices to create rights and 
responsibilities for individuals and collectors of the SSN. In 2001, 
EPIC Executive Director Marc Rotenberg traced the history of the SSN as 
an identifier, highlighted the use of the SSN in the financial services 
sector, and raised privacy issues associated with the Social Security 
Administration's Death Master File.\2\ In 2002, EPIC testified that the 
problem of identity theft had grown worse, that the states were acting 
to limit collection and disclosure of the SSN, and that 107 H.R. 2036, 
the Social Security Number Privacy and Identity Theft Protection Act of 
2001 could limit misuse of the SSN.\3\ In 2003, EPIC appeared again to 
testify in favor of privacy protections, highlighting recent abuses, 
the continuing unnecessary use of the SSN as an identifier by both 
private and public sector entities, and the developing trends of state 
legislation crafted to limit collection and use of the identifier.\4\
---------------------------------------------------------------------------
    \2\ Social Security Numbers and Identity Theft, Joint Hearing 
Before the House Financial Services Subcommittee on Oversight and 
Investigations and the House Ways and Means Subcommittee on Social 
Security, Nov. 8, 2001 (testimony of Marc Rotenberg, Executive 
Director, EPIC), available at http://www.epic.org/privacy/ssn/
testimony_11_08_2001.html.
    \3\ Hearing on Preserving the Integrity of Social Security Numbers 
and Preventing Their Misuse by Terrorists and Identity Thieves, Joint 
Hearing Before the House Ways and Means Subcommittee on Social Security 
and the House Judiciary Subcommittee on Immigration, Border Security, 
and Claims, Sept. 19, 2002 (testimony of Chris Jay Hoofnagle, 
Legislative Counsel, EPIC), available at http://www.epic.org/privacy/
ssn/ssntestimony9.19.02.html.
    \4\ Hearing on Use and Misuse of the Social Security Number, 
Hearing Before the House Ways and Means Subcommittee on Social 
Security, July 10, 2003 (testimony of Chris Jay Hoofnagle, Deputy 
Counsel, EPIC), available at http://www.epic.org/privacy/ssn/
testimony7.10.03.html.
---------------------------------------------------------------------------
    Chairman Shaw, we commend you for developing a rich legislative 
record on the need to protect the SSN and to combat identity theft. In 
today's testimony, we wish to continue to contribute to the record and 
make a recommendation that you advance legislation to secure the SSN 
and protect Americans from identity theft. First, we provide an 
overview and recommendations for 108 H.R. 2971, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2003. Second, we 
highlight examples of state SSN regulation that could be adopted at the 
federal level to provide an umbrella of protections for the SSN. In the 
third section, we argue that identity theft is caused by excessive 
reliance on the SSN and by lax credit granting practices.
I. Recommendations for 108 H.R. 2971, the Social Security Number 
        Privacy and Identity Theft Prevention Act of 2003
    Introduced in July 2003, H.R. 2971 is the latest of a series of 
bills designed to enhance protections for the SSN and to promote the 
integrity of the identifier. It enjoys bipartisan support in the House 
of Representatives.
    Title I of the bill sets forth limitations on government disclosure 
of SSNs. Broadly put, this title would prohibit executive, legislative, 
or judicial entities from disclosing the SSN, subject to certain 
exceptions.
    We think it important to limit the exceptions for governmental sale 
of the SSN. Specifically, we recommend that subsection (V), which 
allows unlimited sale of SSNs to thousands of credit reporting agencies 
(CRAs), be removed from the bill. This exception is too broad and 
allows unrestricted transfers of government records containing social 
security numbers to CRAs, possibly for purposes unrelated to credit 
reporting, including direct marketing.
    It is not the role of government to collect SSNs from citizens, who 
are often under legal compulsion to provide the identifier, and then 
release the SSNs to the private sector for the purpose of compiling 
dossiers. Professor Daniel Solove has fully articulated how this model 
of information flow is unfair to individuals and privacy invasive:

       Imagine that the government had the power to compel individuals 
to reveal a vast amount of personal information about themselves--where 
they live, their phone numbers, their physical description, their 
photograph, their age, their medical problems, all of their legal 
transgressions throughout their lifetimes whether serious crimes or 
minor infractions, the names of their parents, children, and spouses, 
their political party affiliations, where they work and what they do, 
the property that they own and its value, and sometimes even their 
psychotherapists' notes, doctors' records, and financial information.
       Then imagine that the government routinely poured this 
information into the public domain--by posting it on the Internet where 
it could be accessed from all over the world, by giving it away to any 
individual or company that asked for it, or even by providing entire 
databases of personal information upon request. In an increasingly 
``wired'' society, with technology such as sophisticated computers to 
store, transfer, search, and sort through all this information, imagine 
the way that the information could be combined or used to obtain even 
more personal information.\5\
---------------------------------------------------------------------------
    \5\ Professor Daniel Solove describes this problem in Access and 
Aggregation: Public Records, Privacy, and the Constitution, 86 
Minnesota Law Review 1137 (2002), available at http://papers.ssrn.com/
sol3/papers.cfm?abstract_id=283924.

    If this exception remains in the legislation, we recommend that it 
be narrowed. Currently, the exception allows disclosure of the SSN to 
CRAs without any limitation on use of the identifier. A narrower 
exception would allow disclosure but limit use of the identifier for 
``credit reporting practices consistent with the Fair Credit Reporting 
Act, 15 U.S.C. 1681.''
    In section 101, we recommend harmonizing the definition of ``sale'' 
with other references to the term that appear in the legislation. The 
definition appearing in section 107, which defines sell as ``to obtain, 
directly or indirectly, anything of value in exchange for such 
number,'' is more appropriate.
    Section 102 specifies the authority of the Attorney General to 
create exemptions to the general prohibition on government disclosure 
of the SSN. We agree with the standard set forth by the legislation--
that SSNs should not be disclosed absent a compelling interest that 
cannot be served through the employment of alternative measures. We are 
concerned, however, that the Attorney General will still approve of 
privacy-invasive transfers of the SSN despite this high standard. In 
documents obtained under the Freedom of Information Act, EPIC has shown 
that private-sector commercial data brokers (CDBs) play a large role in 
collecting SSNs and other information for sale to law enforcement.\6\ 
Simply put, there is a risk that the Attorney General will act in self-
interest, and approve broad disclosures of SSNs to CDBs that then 
resell the identifier back to law enforcement or other entities.
---------------------------------------------------------------------------
    \6\ See e.g. Electronic Privacy Information Center, ChoicePoint, 
available at http://epic.org/privacy/choicepoint/; Chris Jay Hoofnagle, 
Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data 
Brokers Collect, Process, and Package Your Data for Law Enforcement, 
University of North Carolina Journal of International Law & Commercial 
Regulation (Spring 2004).
---------------------------------------------------------------------------
    We recommend several substantive safeguards against permissive 
regulations that would allow broad disclosure of the SSN. First, the 
rulemaking should be open to public comment. Public polling shows that 
individuals are concerned about increasing use of the SSN; allowing 
public comment will effectively express popular opposition to expanding 
use of the identifier.
    Second, we think that the qualifier ``undue'' should be removed 
from the standard articulated in Section 101 (a)(I)(ii)(II), and that 
identity theft be added as one of the risks to be considered by the 
rulemakers. As currently drafted with ``undue'' as a qualifier and 
without the special recognition of identity theft as a risk of SSN 
disclosure, the language will tilt the balance in favor of expanding 
disclosure of the SSN. A more appropriate balance would be struck with 
language specifying, ``it is reasonably certain that the social 
security numbers will not be used to commit or facilitate fraud, 
identity theft, or bodily, emotional, or financial harm.''
    Third, we think that exceptions to the general prohibition should 
be limited in duration. A time limit will encourage users of the SSN to 
transition to alternative identifiers. Exceptions that are not time 
limited will ensure that SSN users never transition to alternative 
measures.
    Last, entities receiving SSNs should be held to technical 
safeguards to shield the identifier from employee misuse or theft. We 
recommend that the following factor be added to the rulemaking: ``(III) 
the social security numbers sold, purchased or displayed will be 
protected by adequate safeguards, including but not limited to 
encryption measures and regular auditing of SSN access and 
disclosure.''
    Section 103 would codify an important safeguard--a prohibition of 
printing SSNs on checks issued by governments. This is a common sense 
protection against identity theft. It is necessary because a standard 
check with a SSN contains all the personal information necessary for 
commission of identity theft.
    Section 104 would prohibit states from displaying the SSN on 
driver's licenses. Again, this is a common sense approach to preventing 
identity theft. Indeed, many states already incorporate a ban on 
printing the SSN on driver's licenses.\7\ Such a prohibition makes it 
more likely that the SSN will not appear in the wallet of individuals, 
thus reducing the risk that a lost or stolen wallet will provide the 
personal information necessary to commit identity theft.
---------------------------------------------------------------------------
    \7\ See Ariz. Rev. Stat.  28-3158; C.R.S.  42-2-107; C.R.S.  42-
3-302; D.C. Code Ann.  50-402; O.C.G.A.  40-3-23; HRS  286-109; HRS 
 286-239; Idaho Code  49-306; Idaho Code  49-2444; Ky. Rev. Stat. 
Ann. 186.412; Mont. Code Ann.  61-5-111(2)(b); Nev. Rev. Stat. Ann.  
483.345;.N.H. Rev. Stat. Ann.  263:40-a; N.D. Cent. Code 39-06-14; 
Ohio Rev. Code Ann.  4501.31; Okla. Stat. Ann. tit. 47,  6-106 
(2002); Pa. Cons. Stat. Ann.  1510; Tenn Code Ann.  55-50-331; Tex. 
Trans.  521.044; Va. Code Ann.  46.2-342; Wash. Rev. Code Ann.  
26.23.150.
---------------------------------------------------------------------------
    We recommend that section 104 also prohibit states from encoding 
the SSN on magnetic strips, barcodes, or smartcards on the driver's 
license, as we are aware that while some states do not print the SSN on 
the card, they may embed the identifier digitally on the card.\8\ 
Anyone with a card reader can swipe the card and capture the 
identifier. Increasingly, businesses are capturing patrons' personal 
data from driver's licenses.\9\ Removing the SSN from encoded portions 
of driver's licenses will cut down on unnecessary collection of the 
identifier.\10\
---------------------------------------------------------------------------
    \8\ Beatriz da Costa, Jamie Schulte and Brooke Singer, Who is 
Swiping?, n.d., available at http://www.we-swipe.us/research.html.
    \9\ See e.g. Jennifer 8. Lee, Finding Pay Dirt in Scannable 
Driver's Licenses, New York Times, March 21, 2002.
    \10\ Louisiana has already prohibited embedding the SSN into a 
driver's license. La. R.S.  32:410. West Virginia has attempted to 
address this problem of license swiping by allowing the use of license 
scanners for age verification purposes but prohibiting the recording of 
SSNs in the process. W. Va. Code Ann.  60-2-22.
---------------------------------------------------------------------------
    Section 106 would prohibit government entities from allowing 
prisoners to have access to the SSN. We think that this too is a common 
sense protection, in light of the Metromail case, where a company 
employed prisoners to enter personal information from surveys into 
computers. This resulted in a stalking case where a prisoner harassed a 
woman based on information she submitted on a survey. The woman 
received mail from a convicted rapist and burglar who knew everything 
about her--including her preferences for bath soap and magazines. The 
woman sued and as a result of a class-action suit, Metromail may no 
longer use prisoners to process personal information.\11\ Nevertheless, 
a general prohibition on inmate access to SSNs is appropriate, and 
California and Kentucky already have passed legislation to keep SSNs 
out of the hands of prisoners.\12\
---------------------------------------------------------------------------
    \11\ During litigation, Metromail claimed that they had not 
violated the woman's privacy, that they had no duty to inform 
individuals that prisoners were processing their personal data, and 
that the data processed was not highly intimate or embarrassing. 
Beverly Dennis, et al. v. Metromail, et al., No. 96-04451, Travis 
County, Texas.
    \12\ Cal Pen Code  4017.1,  5071; Cal Wel & Inst Code  219.5; 
Ky. Rev. Stat. Ann.  131.191.
---------------------------------------------------------------------------
    Section 107 generally prohibits disclosure of the SSN in the 
private sector, subject to exceptions. We think it important to limit 
exceptions to the general prohibition in order to curb private sector 
use of the SSN. First, the exception for public health purposes should 
be limited to ``emergency public health purposes.'' In its current 
articulation, this exception could allow medical providers and 
insurance companies to continue to rely upon the SSN in normal 
operations. Limiting the exception will encourage the industry to shift 
away from the identifier. We note that Empire Blue Cross is 
transitioning its 4.8 million customers away from the SSN as an 
identifier, demonstrating that it is possible for large health care 
operations to use an alternative identifier.\13\
---------------------------------------------------------------------------
    \13\ Empire Blue Cross Will End Use Of SSNs, Use Alternate Number 
System, Privacy and Security Law Report (Jun. 7, 2004) at 666.
---------------------------------------------------------------------------
    Section 107 contains an exception for SSNs of the deceased, meaning 
that they could be freely traded on the market. We think there are 
important public policy reasons to place some protections on SSNs of 
the deceased. SSNs of deceased individuals should receive protection 
for the same reasons that justify protections for living individuals; 
those reasons include preventing fraud and identity theft. 
Additionally, criminals are known to assume the identities of deceased 
individuals in order to engage in criminal acts and to avoid law 
enforcement. Some protection for these identifiers is justified.
    Section 108 codifies a much-needed protection for the SSN. Prior to 
the implementation of the Gramm-Leach-Bliley Act, CRAs and other 
entities sold SSNs in credit headers to individuals outside Fair Credit 
Reporting Act regulation. We understand that some businesses are still 
selling SSNs from credit headers that were collected before 
implementation of Gramm-Leach-Bliley. Section 108 would eliminate this 
unregulated sale of SSNs by tying the identifier to the credit report, 
and thus to protections in the Fair Credit Reporting Act.
    Section 109 contains important protections against the practice of 
``coercive disclosure,'' a practice where an entity conditions 
provision of a product or service based on disclosure of the SSN. 
Maine, New Mexico, and Rhode Island have established protections 
against coercive disclosure, and we think it a good idea to federalize 
this important right to enhance privacy of the SSN.\14\
---------------------------------------------------------------------------
    \14\ 2003 Me. ALS 512; N.M. Stat. Ann.  57-12B-3; R.I. Gen Laws  
6-13-17.
---------------------------------------------------------------------------
    Title II contains measures to help protect the integrity of the 
SSN. Section 202, which addresses enumeration at birth, provides an 
excellent opportunity to address objections to SSN issuance to children 
that many Americans posses based on political or religious beliefs. In 
Bowen v. Roy, 476 U.S. 693 (1986), better known as the ``Little Bird of 
the Snow'' case, a family that applied for child welfare benefits sued 
the Department of Health and Human Services for requiring that a SSN be 
issued to their indigent child. The family alleged that enumeration 
violated their religious beliefs and that the conditioning of benefits 
on issuance of the SSN violated the Free Exercise Clause. The Supreme 
Court disagreed, holding that the government could require the child to 
obtain a SSN in order to receive benefits.
    In that case, the trial court found that the government could, in 
fact, administer child welfare programs without enumeration. This bill 
allows Congress to revisit the issue and provide an alternative for 
those having a religious or ethical objection to permanent enumeration. 
Alternatives could include a tax-identification number that expires at 
the age of eighteen, when the child can more fully consider whether to 
obtain a SSN. Another could specify heightened security requirements or 
anti-fraud measures to administer benefits to those objecting to 
enumeration. The study to be performed by the Commissioner of Social 
Security should require consideration of these issues.
    Title III of the legislation creates new criminal penalties for 
misuse of the SSN. Section 302 prohibits individuals from knowingly 
providing a false SSN to another person. We think that there should be 
an exception to this rule for cases where an individual provides a 
false SSN without any intent to commit fraud. For instance, in 
situations where an entity demands a SSN without justification, 
individuals should be able to fabricate one if they are not engaged in 
fraud and are simply attempting to protect their privacy. We think the 
following language should be added to Section 302 (in the provision 
amending Section 1129(a) of the Social Security Act to create a new 
provision at 1129(a)(3)(B)): ``Notwithstanding the previous sentence, 
an individual is permitted to represent a number to be the social 
security number assigned by the Commissioner of Social Security to 
another so long as the individual does not do so with the intent to 
engage in fraud or other criminal activity.''
II. States Have Innovated Clever Protections for the SSN; Congress 
        Should Consider Incorporating Them in 108 H.R. 2971
    In recent years, state legislatures have functioned in their 
traditional roles as ``laboratories of democracy,'' creating new 
approaches to enhancing the privacy of SSNs. These privacy protections 
demonstrate that major government and private-sector entities can still 
operate in environments where disclosure and use of the SSN is limited. 
They also provide examples of protections that should be considered at 
the federal level.
Some States Have Placed Broad Prohibitions on Disclosure and Use by 
        Government and Private Entities
    Two weeks ago, Colorado Governor Bill Owens signed H.B. 1311, 
legislation that creates important new protections for the SSN that 
will take effect later this summer. The new law will limit the 
collection of the SSN and its incorporation in licenses, permits, 
passes, or certificates issued by the state. The law requires the 
establishment of policies for safe destruction of documents containing 
the SSN. Insurance companies operating in the state must remove the SSN 
from consumers' identification cards. Finally, the legislation creates 
new penalties for individuals who use others' personal information to 
injure or defraud another person.
    A law taking effect in January 2005 in Arizona prohibits the 
disclosure of the SSN to the general public, the printing of the 
identifier on government and private-sector identification cards, and 
establishes technical protection requirements for online transmission 
of SSNs.\15\ The new law also prohibits printing the SSN on materials 
mailed to residents of Arizona. Exceptions to the new protections are 
limited--companies that wish to continue to use the SSN must do so 
continuously, must disclose the use of the SSN annually to consumers, 
and must afford consumers a right to opt-out of continued employment of 
the SSN. Arizona's new law is based on California Civil Code  1798.85.
---------------------------------------------------------------------------
    \15\ Ariz. Rev. Stat.  44-1373.
---------------------------------------------------------------------------
Special Protections Have Been Crafted for Students
    A number of states have passed legislation limiting colleges and 
universities from employing the SSN as a student identifier. Limiting 
use of the SSN in this context reduces the risk of identity theft, as 
databases of student information, student identity cards, and even 
posting of grades sometimes contain SSNs.
    In Arizona, major universities can no longer use the SSN as the 
student identifier.\16\ In Colorado, as of July 2003, public and 
private postsecondary institutions were required to establish 
protections for the SSN and discontinue its use as the primary student 
identifier.\17\ New York and West Virginia prohibit all public and 
private schools from using the SSN as a primary identifier.\18\ 
Kentucky law allows students to opt-out of use of the SSN as student 
identifier.\19\
---------------------------------------------------------------------------
    \16\ Ariz. Rev. Stat.  15-1823. Rhode Island and Wisconsin have 
similar protections. R.I. Gen. Laws  16-38-5.1; Wis. Stat. Ann.  
36.11(35).
    \17\ C.R.S.  23-5-127.
    \18\ N.Y. Educ. Law  2-b; W. Va. Code Ann.  18-2-5f.
    \19\ Ky. Rev. Stat. Ann.156.160. See also Ky. Rev. Stat. 
Ann.197.120.
---------------------------------------------------------------------------
Protections Crafted for Public, Vital, and Death Records
    Commercial data brokers obtain SSNs from a number of sources, 
including public records that individuals are required to file in order 
to enjoy important rights and privileges offered by society. For 
instance, marriage licenses have been a source for SSNs and a number of 
states, including Arizona, California, Indiana, Iowa, Kentucky, 
Louisiana, Maine, Montana, Ohio, and Michigan, have enacted legislative 
protections to prevent their disclosure.\20\
---------------------------------------------------------------------------
    \20\ Ariz. Rev. Stat.  25-121; Cal Fam Code  2024.5; Burns Ind. 
Code Ann.  31-11-4-4; Iowa Code  595.4; Ky. Rev. Stat. Ann. 402.100; 
La. R.S. 9:224; 19-A M.R.S.  651; MCL  333.2813; Mont. Code Ann.  
40-1-107; Ohio Rev. Code Ann.  3101.05.
---------------------------------------------------------------------------
    Birth and death records are rich in personal information, and 
states have acted to shield SSNs collected in these life events against 
disclosures. Arizona, California, Illinois, Kansas, Maine, Maryland, 
Massachusetts, Minnesota, Mississippi, Missouri, New Hampshire, and 
other states limit the appearance of the parents' SSN on birth 
records.\21\ Similarly, several states restrict disclosure of the SSN 
in records associated with death.\22\
---------------------------------------------------------------------------
    \21\ See Ariz. Rev. Stat.  36-322; Cal Health & Saf Code  102425; 
410 ILCS 535/11; K.S.A.  65-2409a; 22 M.R.S.  2761; Md. Ann. Code  
4-208; ALM GL ch. 111,  24B; Minn. Stat.  144.215; Miss. Code Ann.  
41-57-14; Mo. Rev. Stat.  193.075; Mo. Rev. Stat.  454.440; N.H. Rev. 
Stat. Ann.  5-C:10.
    \22\ See Ariz. Rev. Stat.  16-165; Cal Health & Saf Code  102231; 
Idaho Code  67-3007; Burns Ind. Code Ann.  16-37-3-9; La R.S.  
23:1671; N.D. Cent. Code  23-02.1-28.
---------------------------------------------------------------------------
Protections Against Pretexting Should Be Considered
    We wish to raise one additional concern here--even legitimate 
collection of the SSN contributes to unauthorized access to the 
identifier. That is, we are increasingly aware of manuals for private 
investigators and other materials suggesting that SSNs can be obtained 
from motor vehicle departments, applications for professional licenses, 
and even tax returns.\23\ In these cases, the investigator probably 
obtains the identifier through a friend or contact working at the 
institution with a SSN. Alternatively, the manuals suggest the use of 
``pretexting,'' a practice where an investigator requests personal 
information from an entity while pretending to be another person or 
while pretending to have a legitimate reason for access to the 
information. The Gramm-Leach-Bliley Act prohibits pretexting with 
respect to financial, securities, and insurance companies, but the law 
doesn't apply to pretexting targeted at employers, utility companies, 
or other entities that have SSNs. The Subcommittee should consider 
whether expanding protections against pretexting would enhance the 
privacy of the SSN.
---------------------------------------------------------------------------
    \23\ See e.g. Lee Lapin, How to Get Anything on Anybody 533-543 
(Intelligence Here, 3d ed. 2003) (section titled ``How to Find Anyone's 
Social Security Number'' suggests thirty sources for the SSN, including 
driver's license applications, bankruptcy filings, court records, bank 
files, utility records, professional and recreational licenses, and 
employment files).
---------------------------------------------------------------------------
III. Excessive Reliance on the Social Security Number and Lax Credit 
        Granting Practices Are Exacerbating the Identity Theft Problem
    News media stories abound on the plight of the victim of identity 
theft. No one is safe from the crime--impostors have been able to 
obtain credit in the names of young children and even babies.\24\ While 
Congress has heightened penalties for identity theft, we recommend that 
further attempts to fight the crime be centered on the credit granting 
process, and in particular, the practice of granting credit only on a 
SSN match.
---------------------------------------------------------------------------
    \24\ 24]Identity Theft Resource Center, Fact Sheet 120: Identity 
Theft and Children, available at http://www.idtheftcenter.org/
vg120.shtml.
---------------------------------------------------------------------------
    Identity thieves can rely on aspects of the instant credit granting 
system to commit fraud. The first weakness in the system flows from 
extreme competition to acquire new customers. This has resulted in 
grantors flooding the market with ``pre-screened'' credit offers, pre-
approved solicitations of credit made to individuals who meet certain 
criteria. These offers are sent in the mail, giving thieves the 
opportunity to intercept them and accept credit in the victim's 
name.\25\ Once credit is granted, the thief changes the address on the 
account in order to obtain the physical card and to prevent the victim 
from learning of the fraud.\26\ The industry sends out billions of 
these pre-screened offers a year. It 1998, it was reported that 3.4 
billion were sent.\27\ In 2003, the estimate increased to 5 billion 
sent.\28\
---------------------------------------------------------------------------
    \25\ Identity crises--millions of Americans paying price, Chi. 
Tribune, Sept. 11, 2003, p2.
    \26\ Id.
    \27\ Identity Theft: How It Happens, Its Impact on Victims, and 
Legislative Solutions, Hearing Before the Senate Judiciary Subcommittee 
on Technology, Terrorism, and Government Information, Jul. 12, 2000 
(testimony of Beth Givens, Director, Privacy Rights Clearinghouse) 
(citing Edmund Sanders, Charges are flying over credit card pitches, 
L.A. Times, Jun. 15, 1999, p. D-1), available at http://
www.privacyrights.org/ar/id_theft.htm.
    \28\ Rob Reuteman, Statistics Sum Up Our Past, Augur Our Future, 
Rocky Mountain News, Sept. 27, 2003, p 2C; Robert O'Harrow, Identity 
Crisis; Meet Michael Berry: political activist, cancer survivor, 
creditor's dream. Meet Michael Berry: scam artist, killer, the real 
Michael Berry's worst nightmare, Wash. Post Mag., Aug. 10, 2003, p W14.
---------------------------------------------------------------------------
    Competition also drives grantors to quickly extend credit. Once a 
consumer (or impostor) expresses acceptance of a credit offer, issuers 
approve the transaction with great speed. Experian, one of the ``big 
three'' credit reporting agencies, performs in this task in a ``magic 
two seconds.''\29\ In a scenario published in an Experian white paper 
on ``Customer Data Integration,'' an individual receives a line of 
credit in two seconds after only supplying his name and address.\30\ 
Such a quick response heightens the damage to business and victims 
alike, because thieves will generally make many applications for new 
credit in hopes that a fraction of them will be granted.
---------------------------------------------------------------------------
    \29\ Experian, Inc., Customer Data Integration: The essential link 
for Customer Relationship Management White paper 15, 2000, available at 
http://www.experian.com/whitepapers/cdi_white_paper.pdf.
    \30\ Id.
---------------------------------------------------------------------------
    The second factor that makes identity theft easy to commit is that 
credit grantors do not have adequate standards for verifying the true 
identity of credit applicants. Credit issuers sometimes open tradelines 
to individuals who leave obvious errors on the application, such as 
incorrect dates of birth or even the incorrect name. Identity theft 
expert Beth Givens has argued that many incidences of identity theft 
could be prevented by simply requiring grantors to more carefully 
review credit applications for obviously incorrect personal 
information.\31\
---------------------------------------------------------------------------
    \31\ Legislative Hearing on H.R. 2622, The Fair and Accurate Credit 
Transactions Act of 2003, Before the Committee on Financial Services, 
Jul. 9, 2003 (testimony of Chris Jay Hoofnagle, Deputy Counsel, 
Electronic Privacy Information Center).
---------------------------------------------------------------------------
    TRW Inc. v. Andrews illustrates the problems with poor standards 
for customer identification.\32\ In that case, Adelaide Andrews visited 
a doctor's office in Santa Monica, California, and completed a new 
patient's information form that requested her name, birth date, and 
SSN.\33\ The doctor's receptionist, an unrelated woman named Andrea 
Andrews, copied the information and used Adelaide's Social Security 
Number and her own name to apply for credit in Las Vegas, Nevada. On 
four occasions, Trans Union released Adelaide's credit report because 
the SSN, last name, and first initial matched. Once Trans Union 
released the credit reports, it made it possible for creditors to issue 
new tradelines. Three of the four creditors that obtained a credit 
report issued tradelines to the impostor based on Adelaide's file, 
despite the fact that the first name, birth date, and address did not 
match.\34\
---------------------------------------------------------------------------
    \32\ 534 U.S. 19 (2001); Erin Shoudt, Comment. Identity theft: 
victims ``cry out'' for reform, 52 Am. U. L. Rev. 339, 346-7 (2002).
    \33\ Id. at 23-25.
    \34\ Id.
---------------------------------------------------------------------------
    A survey of other prominent identity theft litigation shows 
numerous cases where credit was granted as a result of a SSN match 
despite other obvious inaccuracies. For instance, in Aylward v. Fleet 
Bank, 122 F.3d 616 (8th Cir. 1997), Fleet Bank of Albany, New York, 
issued two credit cards to ``Ronald Aylward,'' allegedly of East 
Moriches, New York, who used both the victim's name and SSN in applying 
for the cards. The victim, however, lived in Missouri all of his life.
    In United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003), 
impostors obtained American Express cards using the victims' correct 
names and SSNs but directed all the cards to be sent to the impostors' 
home. In Vazquez-Garcia v. Trans Union De P.R., Inc., 222 F. Supp. 2d 
150 (D. P.R. 2002), a resident of Puerto Rico who was born in 1962 
learned that Sears had issued a credit card to a resident of Nevada who 
was born in 1960. The impostor had falsely used the victim's SSN to 
apply for credit cards in his own name and succeeded in getting credit 
despite the mismatch on age and location. In Dimezza v. First USA Bank, 
Inc., 103 F. Supp. 2d 1296 (D. N.M. 2000), an impostor obtained credit 
using the victim's SSN but a different name and address.
    And finally, those who attempt to assign liability for negligent 
credit granting have not been successful in the courts. In Huggins v. 
Citibank, 355 S.C. 329 (S.C. 2003), a plaintiff-victim alleged that 
banks should be liable when they negligently extend credit in a 
victim's name to an impostor.\35\ The defendants argued that no duty 
existed because the victim was not actually a customer of the bank. In 
August 2003, the South Carolina Supreme Court rejected the proposed 
cause of action. Although it expressed concern about the rampant growth 
of identity theft, the court found that the relationship between credit 
card issuers and potential victims of identity theft was ``far too 
attenuated to rise to the level of a duty between them.''
---------------------------------------------------------------------------
    \35\ See also Garay v. U.S. Bancorp, 2004 U.S. Dist. LEXIS 1331 
(E.D.N.Y. 2004); Smith v. Citibank, 2001 U.S. Dist. LEXIS 25047, (W.D. 
Mo. 2001); Polzer v. TRW, Inc., 256 A.D.2d 248 (N.Y. App. Div. 1998).
---------------------------------------------------------------------------
    These cases show that excessive reliance on the SSN can contribute 
to identity theft. California has attempted to address this problem by 
requiring certain credit grantors to comply with heightened 
authentication procedures. California Civil Code  1785.14 requires 
credit grantors to actually match identifying information on the credit 
application to the report held at the credit reporting agency. Credit 
cannot be granted unless three identifiers from the application match 
those on file at the credit bureau. The categories to be matched 
include ``first and last name, month and date of birth, driver's 
license number, place of employment, current residence address, 
previous residence address, or social security number.''\36\ Simply 
requiring credit grantors to look beyond the SSN as a customer 
identifier and authenticator will begin to address a wide range of 
identity theft.
---------------------------------------------------------------------------
    \36\ Id.
---------------------------------------------------------------------------
Conclusion
    Thank you, Chairman Shaw, for continuing to develop a rich 
legislative record supporting greater privacy for the SSN. We think 
that the privacy and integrity of SSNs could be enhanced through the 
passage of federal legislation that limits the collection and approved 
uses of the identifier. We urge the Subcommittee to examine state laws 
that have created new, clever protections for the SSN. We also urge the 
Subcommittee to consider that excessive reliance on the SSN contributes 
to identity theft. We look forward to continuing to work with the 
Subcommittee on this and other privacy matters.

                                 

    Chairman SHAW. Thank you. Mr. McGuinness.

    STATEMENT OF BRIAN P. MCGUINNESS, FIRST VICE PRESIDENT, 
NATIONAL COUNCIL OF INVESTIGATION AND SECURITY SERVICES, MIAMI, 
                            FLORIDA

    Mr. MCGUINNESS. Good afternoon, Mr. Chairman, Members of 
the Committee, wherever you may be. My name is Brian 
McGuinness. I am appearing today on behalf of the NCISS as its 
first Vice President. I am past President of the Florida 
Association of Licensed Investigators, and I have been a 
licensed investigator for over 20 years. Before that, I was a 
criminal investigator for 7 years with the Miami Dade County 
Public Defenders Office. I really appreciate the opportunity to 
comment on H.R. 2971 today. Our profession has been trying to 
help identity theft victims for years.
    Much of H.R. 2971 seems to be on the right track. 
Publication of SSNs to the general public can only lead to 
improper use, including theft, fraud, even potential physical 
harm. We support legislation that will curtail such information 
being offered for sale over the Internet to the general public, 
but we are very concerned about sections 107 and 108, which 
will in fact hinder relief for victims and cause many 
unintended consequences.
    A number of years ago, the FTC entered into a consent 
agreement whereby the identifying information that precedes a 
credit report was deemed not part of the report and therefore 
not covered by the Fair Credit Reporting Act. The ``header'' 
information does not contain any financial data and has been an 
invaluable resource to employ in all manner of investigations. 
Header information is only available through vetted contracts 
with major credit bureaus by legitimate businesses and law 
enforcement agencies. We are unaware that credit headers are 
being used by identity thieves. The crooks know where their 
victims are. They don't need to locate them.
    Section 108 would deal a blow to both the civil and 
criminal justice systems by effectively eliminating the access 
to credit header information for the purpose of locating 
suspects and witnesses. Locating females after a marriage or a 
divorce is particularly difficult without using the SSN 
identifier. There are over 43,000 Robert Joneses in the United 
States. Many of them have the same or similar dates of birth. 
Investigators need to be able to positively differentiate 
between subjects when rendering reports that would be used for 
many purposes, including evidence in court proceedings.
    Law enforcement agencies have many means at their disposal 
and are generally exempt from legislation restricting access to 
information, but even law enforcement Members admit that 
restricting access to credit headers will tip the scales of 
justice in favor of the prosecution and will decrease the 
defendant's ability to receive a fair trial. At a time when our 
justice system is being criticized for errors proven by DNA 
evidence, we find it hard to believe that Congress would 
attempt to take away the defendants primary means of locating 
witnesses.
    Let me tell you all of an example from my own experience 
attempting to assist a domestic maid whose son had been 
kidnapped by her husband 5 years previously. In her 5-year 
search she had mounted a letter-writing campaign which yielded 
a 2-inch stack of letters similar to yours, Ms. Foss, from 
apathetic police officers and politicians expressing their 
regret but providing no real assistance. I entered her 
husband's SSN in a database and learned about a West Palm Beach 
address he had used when applying for credit. I checked 
directory assistance and confirmed there was a non-published 
telephone number in his name at that address. A 5-year journey 
of desperation, anguish and frustration was ended in 5 minutes 
by simply having access to header information.
    A New York investigator was retained by the courts in a 
guardianship proceeding to recover over $300,000 in assets 
stolen from a 97-year-old retiree by a neighborhood care giver. 
Using credit headers he determined identities and locations of 
the wrongdoer's relatives and eventually their assets that had 
been taken away from the victim. The victim's assets had been 
used to purchase real property, expensive automobiles and to 
increase the thief's bank account balances. The suspect pled 
guilty and was sentenced to 3 to 9 years in State prison for 
second degree grand larceny and ordered to pay $360,000 in 
restitution to the victim's estate.
    With few exceptions, law enforcement does not have the 
resources to assist identity theft victims. As pointed out in 
my prior written testimony, victims are often told their losses 
are below the threshold required before agencies will 
investigate. In fact, many victim turn to licensed private 
investigators for assistance. We, therefore, ask that all of 
Section 108 be deleted. We routinely provide our clients with 
documents and reports containing necessary identifying 
information. section 107 would effectively deny us the ability 
to obtain or provide our clients with such information. There 
is an exemption for law enforcement and collection of child 
support, but the exemption should also include reports prepared 
in connection with litigation, service of process, due 
diligence investigation of insurance claims, civil and criminal 
fraud, criminal defense, identity fraud and stalking or any 
other violations of law.
    Although H.R. 2971 provides the Attorney General with the 
ability, I am sorry, with the authority, rather, to provide 
additional exemptions, we believe it is critical for Congress 
to spell them out in advance. The bill as introduced would have 
a substantially deleterious impact on the court system and 
individual victims of crime. Such major issues should be 
resolved by elected officials and not delegated to the 
Department of Justice. Congress should proceed very carefully. 
Taking away the tools from investigators serving the justice 
system is not the way to go about resolving identity theft. I 
would be pleased to answer any questions that you may have.
    [The prepared statement of Mr. McGuinness follows:]
   Statement of Brian P. McGuinness, First Vice President, National 
     Council of Investigation and Security Services, Miami, Florida
    Good morning Mr. Chairman and members of the Committee. My name is 
Brian P. McGuinness and I am appearing today on behalf of the National 
Council of Investigation and Security Services. I am first vice 
president of NCISS and past president of the Florida Association of 
Licensed Investigators. I have been a licensed private investigator in 
Florida for twenty years and before that I was a criminal investigator 
for seven years with the Dade County Public Defenders Office.
    I appreciate the opportunity to comment on H.R. 2971, the Social 
Security Number and Identity Theft Prevention Act of 2003. You have 
asked us to address the uses private investigators currently make of 
Social Security numbers and other personally identifiable information 
and for our views on specific provisions of this bill that would affect 
the private investigator community.
    As a profession that has been trying to help victims through the 
identity theft maze for years, we applaud Congress' efforts to finally 
put laws on the books that will bring victims some relief. Although a 
percentage of identity thieves no doubt gather their victim's 
identities from the Internet, our experience is that most such thefts 
result from the purloining of documents, files, charge slips, credit 
cards, and wallets from restaurants, stores, trash bins, the mails and 
private property.
    Much of HR 2971 seems to be on the right track, but we are very 
concerned about Sections 107 and 108, which will, in fact, hinder 
relief for victims and cause many unintended consequences.
    A number of years ago, the Federal Trade Commission entered into a 
consent agreement whereby the identifying information that precedes a 
credit report, which is called ``header'' information, was deemed not 
part of the credit report and therefore not covered by the Fair Credit 
Reporting Act as a Consumer Report. The ``header'' report does not 
contain any financial information. This information has been an 
invaluable resource for investigators to locate witnesses, heirs, 
debtors, and to employ in all manner of fraud and theft investigations.
    We are unaware of any evidence that credit headers are being used 
by identity thieves for any purpose. Licensed investigators and police 
use credit headers to locate witnesses and suspects. Identity thieves 
know where their victims are; they don't need to find them.
    Header information is only available through vetted contracts with 
major credit bureaus by legitimate businesses and law enforcement 
agencies. These information providers audit the users of such data, 
including the use of ``stings'' to assure compliance with contract 
provisions.
    Because the FTC has ruled that investigators rendering reports in 
connection with employment or credit are themselves consumer reporting 
agencies, the language in Section 108 of HR 2971 appears to eliminate 
the use of credit headers for most legitimate purposes. It will make it 
impossible for civilian investigators to obtain or report information 
necessary to identify suspects and exonerate the innocent without first 
obtaining the written permission of a suspect as required by the FCRA. 
Section 108 has an unintended consequence which would deal a blow to 
both the civil and criminal justice systems by effectively eliminating 
access to credit header information for the purpose of locating 
suspects and witnesses.
    Law enforcement agencies have NCIC and many other means at their 
disposal, and are always exempted from legislation restricting access 
to the same information sources that HR 2971 would deny private 
investigators. As a matter of fairness, even law enforcement members 
admit that restricting access to credit headers will tip the scales of 
justice in favor of the prosecution and augurs against the defendant's 
ability to receive a fair trial. At a time when our justice system is 
being criticized for errors proven by DNA evidence, we find it hard to 
believe that Congress would intend to take away a defendant's primary 
means of locating witnesses.
    The header search is by far the most important search currently 
used by investigators when locating female witnesses. Since women often 
change surnames over the course of their lives due to marriage or 
divorce, it makes it even more critical to be able to identify them by 
their SSN. The SSN does not change and allows us to locate these 
otherwise difficult to find witnesses.
    In past hearings, Lexis Nexis has testified that there are 46,000 
men in America named Bill Jones. Many of them have the same or similar 
dates of birth. Licensed private investigators need to be able to 
positively differentiate between subjects when rendering reports which 
will be used for many purposes including evidence in court proceedings.
    We hope you are also aware that with few exceptions, law 
enforcement does not have the resources to successfully assist identity 
theft victims. In fact, many victims turn to licensed private 
investigators for assistance. We therefore ask that all of Section 108 
be deleted.
    Most states have legal jurisdiction over private investigative and 
security firms. They undergo fingerprint-based criminal background 
checks, are regulated, are tested and for the most part receive 
training and often continuing education. We believe that regulated 
licensed private investigators and security firms should be allowed 
continued access to header information. Many of the reports that 
private investigators prepare containing the personally identifiable 
information that this committee seeks to protect are privileged 
attorney work product.
    We abhor scam fraud artists and rogue information brokers who 
advertise on the Internet to the general public that they will provide 
information on anybody to anybody for a price no matter who the 
customer. Publication of personally identifiable information to the 
general public can only continue to lead to improper use, theft, fraud 
and even potential physical harm. We support efforts to limit access to 
such data to the general public. We also support any legislation that 
will curtail such information being offered for sale over the Internet 
to the general public.
Section 107
    Private investigators, for a fee, as a regular part of their 
routine, ascertain, collect, assemble, evaluate and provide their 
clients documents and reports containing personally identifiable 
information. Such information often includes the Social Security 
numbers of individuals. Section 107 of HR 2971 would effectively deny 
us the ability to provide our clients with such information. The 
section provides an exemption for law enforcement and the collection of 
child support.
    But, the exemption should also includeproviders of reports prepared 
in connection with litigation, in anticipation of litigation, due 
diligence, investigation of insurance claims, civil and criminal fraud, 
criminal defense, identity fraud, and stalking or any other violations 
of law.
    There are appropriate uses for such information which is not only 
critical for private investigators but for attorneys, journalists, 
medical researchers, insurance companies, self regulatory bodies, as 
well as government and law enforcement agencies. Licensed private 
investigators use the information in fraud prevention, child support 
enforcement, uniting separated families, locating heirs to estates, 
locating pension fund beneficiaries, locating organ and bone marrow 
donors, to assist those engaged in significant journalistic endeavors, 
apprehending criminals, aiding citizens in obtaining access to public 
record information and in assisting the very individuals that this 
legislation seeks to protect.
    Although HR 2971 provides the Attorney General with the authority 
to provide additional exemptions, we believe it is critical for 
Congress to spell them out in advance. The bill, as introduced, would 
have a substantial deleterious impact on the court system and 
individual victims of crime. Such major issues should be resolved by 
elected officials and not delegated to the Department of Justice.
    There are a number of bills before Congress which would ban the use 
of the Social Security number for any but its intended purpose. Many of 
these bills do not take into consideration the effect of removing the 
social security number as an identifier. We fully appreciate the 
incredible burdens faced by victims of identity theft. Many of us have 
had to face these victims. When all other avenues of redress have 
fallen upon deaf ears and often as a last resort, identity fraud 
victims have turned to private investigators to redeem their name and 
restore their good reputation. In fact, many of us have assisted these 
victims for little or no remuneration.
    The National Council of Investigation and Security Services holds 
the position that anyone who uses personally identifiable information 
or financial information for illegal purposes be subject to criminal 
sanctions and heavy fines. We favor the implementation of assessing 
enhanced penalties for aggravated cases, actual damages for willful 
violations, and additional damages allowed by the court for commercial 
purposes, disgorgement of profits, attorney's fees and costs, and 
additional sanctions upon the receiver of information that is obtained 
for unlawful purposes.
    Taking away the tools from the civilian crime fighters and 
investigators serving the justice system is not the way to go about 
resolving identity theft. Congress needs to ensure that exemptions are 
provided for licensed private investigators on legitimate business. Our 
members have provided leads concerning rogue information providers to 
the FTC in the past. We would also like to see the FTC set up a formal 
liaison with our profession which would allow us to provide evidence on 
those who commit fraud and who tarnish our reputation.
    Concerning this and similar legislation, we in the past surveyed 
our membership about how they have been able to assist victims of 
identity theft. The following examples demonstrate the benefits of 
permitting licensed private investigators to access essential 
information from ``credit headers.'' HR 2971 would deny us this 
critical tool. These anecdotes should give this Committee some idea of 
the types of cases that require this information:
    A past president of NCISS was retained by the New York courts in a 
guardianship proceeding to recover over $300,000 in assets stolen from 
a ninety-seven year-old retired Army officer by a neighbor caregiver. 
Through the use of credit headers he was immediately able to determine 
the identities and locations of the wrongdoer's relatives, properties 
and eventually their assets that had been taken from the victim. It was 
the initial header check on the suspect that uncovered a Myrtle Beach, 
South Carolina address for him. That information developed leads that 
the victim's assets had been used to purchase real property in South 
Carolina, expensive automobiles and increased the bank account balances 
of the subject under the guise that the 97-year-old victim, who was 
suffering from dementia, had given his life savings as gifts to the 
suspect. The suspect was to eventually plead guilty and was sentenced 
to three to nine years in state prison for second-degree grand larceny 
and ordered to pay $360,000 in restitution to the estate of the victim, 
who died a month before sentencing of the defendant.
    In Coronado, California, an elderly woman whose apartment building 
had just been renovated suddenly began receiving bills for a credit 
card that she never used and kept in a desk drawer. When she complained 
to the contractor, he realized there were four possible suspect workers 
and hired a private investigator. The investigator verified the credit 
card was used by a man and wife fitting the description and in the 
neighborhood of one of the workers. The suspect was terminated while 
the other three were cleared and their jobs and reputations saved. No 
prosecution resulted.
    In Tennessee, a show dog breeder was being stalked and threatened 
by e-mail from an unknown harasser. She was terrified because she had 
no idea what the suspect looked like and she was often exposed in 
public arenas. The police could not help without some identification. 
Using credit headers and other sources, the private investigator found 
addresses for the suspect who was using four names, four different 
social security numbers and who had a criminal record. The 
investigator's report was provided to the police. The same investigator 
reports she recently located and served process on a dead-beat dad and 
could not have located him without using credit headers.
    In New York, a public utility hired our member to conduct a pre-
employment background investigation for a high level position. A credit 
report, obtained under the FCRA contained two different social security 
numbers. Running a credit header check on the second number revealed a 
different name and addresses and the investigator discovered his true 
identity. The applicant had adopted the identity of one of his former 
college professors to keep his own less desirable background secret.
    In Atlanta, Georgia, an auto dealership asked our investigator to 
help an applicant who claimed his identity had been stolen. An imposter 
had stolen this man's social security number and date of birth as well 
as the identity of four other people. His criminal record included nine 
felonies in Georgia and other multi-state offenses. The applicant 
couldn't understand why he had been turned down for several jobs until 
one potential employer leveled with him and he realized his identity 
had been stolen. Numerous law enforcement agencies told him they 
couldn't help him. Our investigator arranged for the applicant to be 
fingerprinted and the Georgia Bureau of Investigation issued him a 
certificate stating he was not the same person as the imposter. He then 
carried the certificate to the three major credit bureaus to clear his 
name in their files.
    The investigator says had he not helped the victim through this 
maze, he would surely have been arrested in Georgia or Florida where 
warrants had been issued.
    An investigation in California found a middle-aged suspect had 
returned home after years away and stolen his elderly father's 
identity. He went on a spending spree in Oregon and California and was 
not called to answer before both his parents passed away. A private 
investigator was hired by the estate to try to apprehend the thief and 
obtain restitution. Most of his leads involve the use of credit header 
information.
    A former Dallas police sergeant, now a private investigator, 
reported he was pursuing a physician who filed bankruptcy following 
loss of suit for a wrongful death. The doctor divorced her husband 
before the bankruptcy and is now remarried to a man with a similar name 
and date of birth and social security number. The suspicion is that 
this maneuver served to hide assets due to the victim's survivors.
    In San Francisco, an investigator reports working a case for a 
successful business owner who started getting statements in the mail 
saying he owed tens of thousands of dollars on computers and other 
purchases, none of which he knew anything about. He found someone had 
hijacked his identity, opened credit card and store accounts in his 
name and had even opened a web page mirroring his web page and had an 
email address similar to his. The San Francisco Police said they would 
take a report, but would not investigate and suggested he go to the 
Secret Service. Although losses approached $80,000, the Secret Service 
said they would not handle the case until at least $100,000 is lost. 
The victim had a suspicion it was an ex-employee who lived in Salt Lake 
City and called the investigator. The agency used credit header 
information to learn that the ex-employee has three names, three or 
four social security numbers, and three different dates of birth on 
file.
    Here is an investigator's story from Toledo, Ohio, in his own 
words, about how credit header information is used to locate lost 
heirs:
    ``One of my cases involved a woman whose name was Terri. She was 
left a sizeable inheritance by her uncle in the form of a trust. The 
family had not had any contact with her for a number of years, so the 
attorney handling the trust asked for my assistance. By using header 
information, I was able to eventually determine that Terri was recently 
married and was living someplace in Utah. I was able to locate her 
husband's relatives and learned that Terri and her husband were 
destitute and were living out of a pick-up truck either in Utah or 
Oregon. I sent the requisite documentation to Terri in care of her 
husband's relatives and she rightfully obtained her substantial 
inheritance. Without access to header information, I would not have 
been able to locate her.''
    The need for the continuation of the investigative profession's 
access to the SSN header search can be clearly seen from the following 
example. This example is from my own experience as a licensed private 
investigator attempting to assist a domestic maid whose son had been 
kidnapped by her husband. She had not seen her son in five years and 
had never contemplated hiring an investigator.
    What she did do was mount a letter writing campaign which yielded 
many letters from various empathetic police officials and politicians 
expressing their regret but providing no real answers or concrete 
assistance. She showed me a stack two inches thick of such letters, 
including one to the president of the United States, her Congressman, 
county sheriff, local municipal police chief, etc.
    When she told me that in addition to having her husband's date of 
birth, she also had his social security number, I became optimistic. I 
entered the SSN into my TransUnion database and immediately learned 
that the husband had used a West Palm Beach address within the previous 
six months when applying for credit. I checked directory assistance and 
they confirmed that there was a non-published telephone number in his 
name at that address. A five year journey of desperation, anguish and 
frustration was rewarded with success within a five minute period by 
simply having access to header information in the form of an 
inexpensive database search.
    We believe that the identity theft laws recently enacted will help 
law enforcement to prosecute perpetrators once apprehended. But 
Congress should be aware that public law enforcement resources are 
stretched and crimes of this nature are not now a high priority. The 
losses, though devastating to the victims, are usually beneath the 
dollar threshold that many departments follow. And the mental toll on 
the victims is unquantifiable. The private sector will have to continue 
to augment public law enforcement. And it should be noted that the 
hapless victims of this crime often have very limited resources.
    To the extent HR 2971 makes it easier for victims of identity theft 
to clear their credit files and restore their reputation, we commend 
it. But Congress should proceed very carefully before eliminating the 
very tools used to apprehend the stealers of the identities of others 
or the perpetrators of other criminal acts.

                                 

    Chairman SHAW. Thank you. Mr. Buenger.

STATEMENT OF MICHAEL L. BUENGER, PRESIDENT, CONFERENCE OF STATE 
         COURT ADMINISTRATORS, JEFFERSON CITY, MISSOURI

    Mr. BUENGER. Thank you, Mr. Chairman. My name is Mike 
Buenger. I am the President of the national COSCA, and also the 
State Court Administrator for the State of Missouri. The COSCA 
represents the principal court administrative officers in each 
of the 50 States, the District of Columbia, the Commonwealth of 
Puerto Rico, the Commonwealth of the Northern Mariana Islands 
and the Territories of American Samoa, Guam and the Virgin 
Islands. I am pleased to present testimony to you today as this 
Subcommittee examines and struggles with the issue of 
protecting privacy and preventing the misuse of SSNs.
    Mr. Chairman, State courts handle 97 percent of all 
judicial proceedings in this country. Over 96 million cases are 
filed annually. I give you this statistic to frame the 
magnitude of the work of the State courts of our Nation and so 
that you can frame the impact of legislation such as H.R. 2971 
on the courts. For the past several years, we have grappled 
with the issue of protecting privacy and private information as 
it relates to court documents. Although the immediate issue 
before the Subcommittee is protecting privacy of SSNs, privacy 
protection for information and court documents is part of a 
broader issue that involves balancing public access to 
government records and the openness of our courts with the 
legitimate privacy interest of citizens and, I might add, the 
capacity of courts to operationally accommodate both privacy 
and access concerns.
    We have sought to provide guidance to the State court 
community through a project entitled Public Access to Court 
Records, both the Conference of Chief Justices and COSCA having 
issued guidelines for policy development by State courts. This 
guidance outlines the issues that courts should address in 
developing rules and policies governing access to court 
documents. It provides but one approach. However, Mr. Chairman, 
there is no doubt that SSNs are contained in many court 
documents and frequently as mandated by Federal and State law.
    For example, Federal law requires us to collect SSNs to 
track deadbeat parents. Court orders and pleadings involving 
child support must bear the parties' SSNs, again a requirement 
of Federal law. Federal regulations require that garnishment 
orders for Federal postal employees bear the SSN of the 
garnishee. State courts use SSNs to identify parties to a case, 
to collect fines and crime victim restitution and to report 
criminal history to central repositories. Frequently, they are 
found in documents filed with the court for safekeeping, such 
as discovery documents and deposition testimony. They are, as 
noted, frequently used and for good reason. They are a needed 
and unique identifier used by virtually every member of the 
justice community and the law enforcement community, not just 
the courts.
    The most important message I can deliver to you today, Mr. 
Chairman, is that COSCA stands ready to work with you in 
crafting solutions to address the problem of identity theft. I 
think it is also important to understand that this is not a 
problem that can be resolved through a mandate. It is complex 
not only in terms of your responsibility to establish balanced 
public policy but also in terms of the ability of the States 
and in this particular case the State courts to actually 
implement that policy. The threat of identity theft is real, 
and we want to do our part to eliminate it.
    Section 102 of H.R. 2917 is of particular concern to us 
because it would effectively require courts to redact or 
otherwise prevent the display of SSNs from most court 
documents. This section has serious implications for State 
courts in a variety of contexts. Given the volume of cases 
filed annually in the State courts, the task of redacting SSNs 
from existing documents or those to be filed would be daunting. 
In some circumstances, it puts us at odds with established 
Federal and State law.
    The SSN may appear in a variety of documents, including 
financial documents that are filed with the court, for example, 
tax returns and child support cases, or are appended to 
official court documents such as motions for summary judgment. 
Restricting access to SSNs in such documents is difficult 
because often such information can be buried in a stack of 
documents generally not reviewed by the court or its clerks 
until the case is actually heard.
    In conclusion, Mr. Chairman, we recognize the serious role 
of SSNs in incidents of identity theft and the fact that such 
information is readily available in a host of public records. 
The current state of affairs with regards to the treatment of 
SSNs provides lawbreakers a continuing opportunity to exploit 
the current system at the expense of ordinary Americans. 
However, there is no simple solution and certainly no cheap 
solution to this problem. Even the public policy coming from 
Congress evidences the complexity of the issue by requiring the 
collection, use and availability of such information and even 
its display on one hand, and then seeking to restrict its 
access in others.
    We hope that you will also assist the State courts in 
dealing with the unfunded mandates that H.R. 2971 will present 
to us. I thank you for offering us the opportunity to offer our 
opinion on this important matter. As I said, COSCA stands ready 
to work with you collaboratively and cooperatively in crafting 
a solution. Thank you, sir.
    [The prepared statement of Mr. Buenger follows:]
  Statement of Mike L. Buenger, President, Conference of State Court 
                Administrators, Jefferson City, Missouri
    Mr. Chairman and Members of the Subcommittee,
    The Conference of State Court Administrators (COSCA) is pleased to 
present testimony on today's hearing ``Enhancing Social Security Number 
Privacy'' as the subcommittee examines the issue of protecting privacy 
and preventing the misuse of Social Security Numbers (SSNs).

                                SUMMARY

    Mr. Chairman and members of the subcommittee, for the past several 
years the state court community has been grappling with the issue of 
protecting privacy, and private information, as it relates to court 
records. Although the immediate issue for the committee is protecting 
the privacy of SSNs, privacy protection for information in court 
records is actually a much broader issue. The use of Social Security 
Numbers in court records is, thus, a subset of much larger issues that 
involve balancing public access to government records with the 
legitimate privacy interests of citizens with actual capacity of courts 
to operationally accommodate privacy and public access concerns. To 
this end, we helped develop guidance for state courts through a project 
entitled ``Public Access to Court Records: CCJ/COSCA Guidelines for 
Policy Development by State Courts.'' This guidance outlines the issues 
that courts must address in developing rules and policies governing 
access to court records. The Guidelines touch on the use of SSNs in 
court records and other private information. The text of the Guidelines 
can be found at http://www.courtaccess.org/modelpolicy/
18Oct2002FinalReport.pdf. Both the Conference of Chief Justices and 
COSCA adopted a resolution endorsing the Guidelines and urged the 
states to use them in developing their own standards, rules, and 
policies.
    Mr. Chairman, SSNs are pervasive in state court documents, 
frequently as mandated by state and federal law. For example, federal 
law requires us to collect SSNs for various reasons related to tracking 
deadbeat parents. By federal law, SSNs must appear on pleadings and 
court orders related to child support. Even federal regulations require 
that a SSN must appear on garnishment orders involving postal 
employees. See, 39 CFR 491.3Along with other identifiers, courts use 
SSNs to associate parties to a case, i.e. to determine whether John 
Smith 1 is different from John Smith 2. We use SSNs to collect fines 
and crime victim restitution, to report criminal records to central 
repositories, and to aid in the enforcement and collection of child 
support. In addition, many SSNs appear in the public record in many 
types of court cases including, but not limited to, bankruptcy, 
divorce, paternity, and child support determination.
    Mr. Chairman, the most important message I can deliver to you today 
is that the Conference stands ready to work with you in crafting 
solutions to address the problem of identity theft. But I think it is 
also important for the sub-committee and the Congress to understand 
that this is not a problem that can be solved through a simple mandate. 
It is complex not only in terms of your responsibility to establish 
consistent public policy but also in terms of the ability of states, 
and in this case state courts, to actually implement that policy. The 
threat of identity theft is real and we want to do our part to 
eliminate it. We are at the same time concerned about the effort to 
require us to redact or expunge SSNs that appear in public records. We 
feel that this type of requirement could impose an incalculable burden 
on the state courts in this country, both with respect to resources and 
funding to achieve that goal. The cost to fulfill this requirement 
would be high because many SSNs appear in paper documents as well as 
other hard-to-redact microfilm/microfiche.

                              ABOUT COSCA

    Before I begin my remarks, I would like to provide some background 
on our group and our membership. I submit this testimony as the 
President of the Conference of State Court Administrators (COSCA). 
COSCA was organized in 1955 and is dedicated to the improvement of 
state court systems. Its membership consists of the principal court 
administrative officer in each of the fifty states, the District of 
Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the 
Northern Mariana Islands, and the Territories of American Samoa, Guam, 
and the Virgin Islands. A state court administrator implements policy 
and programs for a statewide judicial system. COSCA is a nonprofit 
corporation endeavoring to increase the efficiency and fairness of the 
nation's state court systems. State courts handle 97% of all judicial 
proceedings in the country, over 96 million cases annually. The 
purposes of COSCA are:

      To encourage the formulation of fundamental policies, 
principles, and standards for state court administration;
      To facilitate cooperation, consultation, and exchange of 
information by and among national, state, and local offices and 
organizations directly concerned with court administration;
      To foster the utilization of the principles and 
techniques of modern management in the field of judicial 
administration; and
      To improve administrative practices and procedures and to 
increase the efficiency and effectiveness of all courts.

    Although I do not speak for them, I also would like to tell you 
about the Conference of Chief Justices (CCJ), a national organization 
that represents the top judicial officers of the 58 states, 
commonwealths, and territories of the United States. Founded in 1949, 
CCJ is the primary voice for state courts before the federal 
legislative and executive branches and works to promote current legal 
reforms and improvements in state court administration. COSCA works 
very closely with CCJ on policy development and administration of 
justice issues.

   NATIONAL EFFORT TO CRAFT PUBLIC ACCESS GUIDELINES TO COURT RECORDS

    Our project entitled, ``Public Access to Court Records: CCJ/COSCA 
Guidelines for Policy Development by State Courts'' was a joint effort 
of CCJ and COSCA to give state court systems and local trial courts 
assistance in establishing policies and procedures that balance the 
concerns of personal privacy, public access and public safety.
    The State Justice Institute (SJI) funded this project in 2001 and 
the project was staffed by the National Center for State Courts (NCSC) 
and Justice Management Institute (JMI). The project received testimony, 
guidance and comments from a broad-based national committee that 
included representatives from courts (judges, court administrators, and 
clerks), law enforcement, privacy advocates, the media, and secondary 
users of court information.
    The Guidelines recommend the issues that a court must address in 
developing its own rules and policies governing public access to its 
records. The Guidelines are based on the following premises:

      Retention of the traditional policy that court records 
are presumptively open to public access
      The criteria for access should be the same regardless of 
the form of the record (paper or electronic), although the manner of 
access may vary
      The nature of certain information in some court records 
is such that remote public access to the information in electronic form 
may be inappropriate, even though public access at the courthouse is 
maintained
      The nature of the information in some records is such 
that all public access to the information should be precluded, unless 
authorized by a judge
      Access policies should be clear, consistently applied, 
and not subject to interpretation by individual courts or court 
personnel

    The Guidelines Committee examined the use of SSNs in current court 
practices. They looked at the inclusion of SSNs in bulk distribution of 
court records, and information in other documents besides SSNs that 
courts traditionally protect, such as addresses, phone numbers, 
photographs, medical records, family law proceedings, and financial 
account numbers. Finally, the Committee examined various federal laws 
and requirements governing SSN display and distribution by state and 
local entities.
    On August 1, 2002, CCJ and COSCA endorsed and commended ``the 
Guidelines to each state as a starting point and means to assist local 
officials as they develop policies and procedures for their own 
jurisdictions.''

 STATE COURTS' INTEREST IN COLLECTING AND USING SOCIAL SECURITY NUMBERS

    Why is this question of concern to state courts? Why do state 
courts need to require parties to provide their SSNs in the course of 
state court litigation?
    Identification of parties. A growing number of court systems are 
using case management information systems in which an individual's 
name, address, and telephone number are entered once, regardless of the 
number of cases in which the person is a party. Such ``party based'' 
systems are rapidly replacing ``case based'' systems. The advantage of 
these systems is multifold: they enable courts to update an address or 
telephone number for all cases in which the person is a party by a 
single computer entry, they provide judges and court personnel with a 
fuller array of justice information, and they allow for cleaner 
information sharing with other justice community participants such as 
law enforcement, prosecutors, probation systems, and the like. Absent 
the use of unique identifiers such as SSNs, the entire justice 
community would come to a grinding halt and be unable to meet many 
state and federal mandates. SSNs provide a unique identifier by which 
court personnel can determine whether the current ``John Smith'' is the 
same person as a previous ``John Smith'' who appeared in an earlier 
case and whether this was the same ``John Smith'' reported to the 
central criminal records repository.
    The need for SSNs in the future may be substantially reduced by the 
use of other ``unique'' identifiers, e.g., biometric identifiers in 
criminal cases. Moreover, the ability to mask SSNs becomes easier as 
state courts implement sophisticated case management systems. Certainly 
the move to ``automate'' state courts with high-end technology allowing 
such services as electronic filing can provide opportunities for 
greatly limiting access to personal information such as SSNs. However, 
the time and costs of moving to such systems necessarily means that the 
ability to mask or redact such information is, for many courts, a 
future event not something that can or will be done overnight simply 
because there is federal mandate to do so.
    Collection of fees, fines and restitution by courts. SSNs are the 
universal personal identifier for credit references, tax collection, 
and commercial transactions.
    When courts give a criminal defendant an opportunity to pay an 
assessment resulting from a criminal infraction in periodic payments, 
the court needs to be able to function as a collection agency. Having 
the convicted person's social security number is necessary for use of 
state tax intercept programs (in which a debt to the state is deducted 
from a taxpayer's state income tax refund) and other collection 
activities. Moreover, SSNs are often used for purposes such as 
enforcing criminal fines and restitution orders or denying of motor 
vehicle registration.
    Creation of jury pools and payment of jurors. SSNs are a necessary 
part of identifying eligible jurors through a process by which multiple 
lists (for instance, registered voters and registered drivers) are 
merged to eliminate duplicate records for individual citizens in 
creating a master source list for the random selection of jurors. 
Duplicate records double an individual's chance of being called for 
jury duty and reduce the representativeness of jury panels. Some courts 
use SSNs to pay jurors as well.
    Making payments to vendors. SSNs are used as vendor identification 
numbers to keep track of individuals providing services to courts and 
to report their income to state and federal taxing authorities.
    Facilitating the collection of judgments by creditors and 
government agencies. Courts are not the only entities that need to 
collect judgements. Judgment creditors need SSNs to locate a judgment 
debtor's assets to levy upon them. Courts often require that the 
judgment debtor make this information available without requiring 
separate discovery proceedings that lengthen the collection process and 
increase its costs. Federal law now requires state courts to place the 
parties' SSNs in the records relating to divorce decrees, child support 
orders, and paternity determinations or acknowledgements in order to 
facilitate the collection of child support. On October 1, 1999, that 
requirement was extended to include the SSNs of all children to whom 
support is required to be paid.
    Notification to the Social Security Administration of the names of 
incarcerated and absconded persons. The Social Security Administration 
cuts-off all payments to persons incarcerated in federal, state or 
local prisons or jails, and to persons who are currently fugitives from 
justice. The savings to the federal budget from this provision are 
substantial. To implement this process, Social Security Administration 
needs to identify persons who have been sentenced to jail or prison and 
persons for whom warrants have been issued. The agency has 
traditionally obtained this information from state and local 
correctional agencies. See 42 USC  402(x)(3). The state courts of 
Maryland are involved in an experimental program to provide such 
information directly from court records. The Maryland program has two 
additional future advantages for state courts. First, the program 
offers the possibility of obtaining better addresses for many court 
records; social security and other welfare agencies have the very best 
address records because of beneficiaries' obvious interest in 
maintaining their accuracy. Second, cutting off benefits may provide a 
useful incentive to those persons subject to outstanding warrants 
without requiring law enforcement to expend resources to find and serve 
such persons.
    Transmitting information to other agencies. In addition to the 
Social Security Administration, many states provide information from 
court records to other state agencies. A frequently occurring example 
is the Motor Vehicle Department, to which courts send records of 
traffic violations for enforcement of administrative driver's license 
revocation processes. These transfers of information often rely upon 
SSNs to ensure that new citations are entered into the correct driver 
record.

                          PROPOSED LEGISLATION

    Mr. Chairman, your legislation, H.R. 2971, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2003, contains the 
following provision:
    SEC. 102. RESTRICTIONS ON THE SALE OR DISPLAY TO THE GENERAL PUBLIC 
OF SOCIAL SECURITY ACCOUNT NUMBERS BY GOVERNMENTAL AGENCIES
    ``(x)(I) An executive, legislative, or judicial agency or 
instrumentality of the Federal Government or of a State or political 
subdivision thereof or trustee appointed in a case under title II, 
United States Code (or person acting as an agent of such an agency or 
instrumentality or trustee) in possession of any individual's social 
security account number may not sell or display to the general public 
such number.''
    This section has serious implications for state courts in a variety 
of contexts.
    For example, federal law requires courts to enter SSNs on court 
orders granting divorces or child support or determining paternity. 
Some states' laws contain similar requirements in other types of cases. 
As noted previously, given that over 96 million cases are filed 
annually in state courts, the task of redacting SSNs from existing 
documents is not only daunting, it may actually violate federal law in 
some cases and certainly violates many state ``sunshine laws'' to the 
extent that access to documents is required.
    SSNs appear in many financial documents, such as tax returns, which 
are required to be filed in court (e.g., for child support 
determinations) or are appended to official court documents, such as 
motions for summary judgments. Restricting access to SSNs in such 
documents is difficult because often such information can be buried in 
a stack of documents, which are generally not reviewed by courts or 
clerks until the case is actually heard.
    Courts will have substantial increased labor costs in staff time to 
redact or strike the appearance of SSNs in paper records or in 
microfilm/microfiche if the above requirement is imposed.
    In addition, we are unclear whether H.R. 2971 applies to newly made 
court records or all records in a court's inventory. Obviously, asking 
courts to retroactively expunge or redact social security from all 
court records would be time consuming and expensive. Given the 
extensive records retention policies applicable to court filings, 
retroactive redaction or masking could be an impossible task in some 
states.
    Finally, in an effort to make courts and court records more open, 
many courts are now beginning to make available many public records on 
the internet either as text/character documents or by scanning and 
placing them online through imaging software (PDF files). While the 
removal of SSNs in text/character documents may be relatively easy in 
some computer generated records (XML), other scanned records, such as 
PDF files, will be harder to change necessitating more staff and an 
increase in labor costs.

                         COSCA RECOMMENDATIONS

    We have recommended that state courts adopt the following policies, 
unless state law directs them otherwise:
    Official court files. State courts should not attempt to expunge or 
redact SSNs that appear in documents that are public records, and 
certainly this should not be required on a retroactive basis. As was 
mentioned earlier, federal law requires state courts to place the 
parties' SSNs in the records relating to divorce decrees, child support 
orders, and paternity determinations or acknowledgement in order to 
facilitate the collection of child support. The purpose of placing that 
data on judgments is not just to provide it to child support 
enforcement agencies; it is also to provide it to the parties 
themselves for their own private enforcement efforts. Any other 
approach puts the courts in an untenable position--having an 
affirmative obligation to provide judgments in one form to parties and 
child support enforcement agencies and in another form to all other 
persons.
    This same reasoning applies to income tax returns or other 
documents containing SSNs filed in court. It would be unreasonable, and 
expensive, to expect courts to search every document filed for the 
existence of SSNs. Further, court staff has no business altering 
documents filed in a case; the SSN may have evidentiary value in the 
case--at the very least to confirm the identity of the purported income 
tax filer.
    Case management information databases. Data in automated 
information systems raises more privacy concerns than information in 
paper files. Automated data can be gathered quickly and in bulk, can be 
manipulated easily, and can be correlated easily with other personal 
data in electronic form. Data in an automated database can also be 
protected more easily from unauthorized access than data in paper 
files. It is feasible to restrict access to individual fields in a 
database altogether or to limit access to specific persons or to 
specific categories of persons. Consequently, state courts should take 
steps to restrict access to SSNs appearing in court databases. They 
should not be available to public inquirers. Access to them should be 
restricted to court staff and to other specifically authorized persons 
(such as child support enforcement agencies) for whose use the 
information has been gathered.
    Staff response to queries from the public. When court automated 
records include SSNs for purposes of identifying parties, court staff 
should be trained not to provide those numbers to persons who inquire 
at the public counter or by telephone. However, staff may confirm that 
the party to a case is the person with a particular SSN when the 
inquirer already has the number and provides it to the court staff 
member.
    In short, staff may not read out a SSN but may listen to the number 
and confirm that the party in the court's records is the person with 
that number. This is the same distinction applied to automated data 
base searches. This distinction is one commonly followed in federal and 
state courts.

                               CONCLUSION

    Mr. Chairman, we recognize the serious role of SSNs in incidences 
of identity theft and the fact that such information is readily 
available in a host of public records. The current state of affairs 
with regard to the treatment of SSNs provides lawbreakers the continued 
opportunity to exploit the current system at the expense of ordinary 
Americans. The threat of identity theft is real and we want to do our 
part to eliminate it. However, as previously noted, there is no simple 
solution and certainly no cheap solution to this problem. Even the 
public policy coming from Congress evidences the complexity of the 
issue by requiring the collection, use and availability of such 
information on one hand and then seeking to restrict access to its use 
on the other. We also hope that you assist the state courts in dealing 
with the unfunded mandate H.R. 2971 presents.
    I have presented several ways our courts utilize SSNs and finding 
solutions to protect an individual's privacy will be complex and 
difficult. Many state courts are already taking steps to fashion 
solutions in response to the problem. Washington state, for example, is 
pioneering an innovative solution where they are creating two sets of 
court records: a public and a private one. Other states are 
experimenting with different approaches.

                                 

    Chairman SHAW. Thank you for your testimony. Mr. Cate.

  STATEMENT OF FRED H. CATE, PROFESSOR OF LAW, UNIVERSITY OF 
           INDIANA-BLOOMINGTON, BLOOMINGTON, INDIANA

    Mr. CATE. Thank you very much, Mr. Chairman. I want to join 
the chorus of those thanking you for your steadfastness in 
having pursued both efforts to improve the integrity of the 
Social Security system and to fight identity theft. We are 
well-served by those efforts and well-served by this hearing 
today.
    As you well know, SSNs are used throughout both the public 
and private sectors for two very important and closely linked 
roles. One is to accurately link information, if you will, 
connect information to the file. Maybe one example will be 
sufficient to suggest the daunting task this really is. In the 
credit reporting industry in this country, 3 major national 
credit reporting agencies process 2 billion pieces of personal 
data on 180 million active consumers every month. Getting the 
right data in the right file is a considerable challenge.
    The second role is, of course, to facilitate identification 
of individuals; and, again, credit reporting may be a useful 
example. The 3 credit reporting bureaus generate 600 million 
credit reports, and one of the uses of SSNs is to link the 
individual to the file so that it is then possible for the 
retailer or lender or whoever is requesting that file to 
actually determine that the individual is who he or she claims 
to be. This system of ubiquitous, widely available national 
SSNs has yielded many benefits, and you have heard of many of 
these over the past years. These are not merely commercial, 
although the commercial ones are certainly quite important.
    I would just take a moment to say we often think of the 
commercial benefits in negative terms, identifying people who 
have defaulted on loans or filed for bankruptcy, but the 
commercial benefits are also quite positive by allowing 
individuals to benefit from their own positive behavior, their 
good credit records, and it is protecting those good credit 
records that SSNs play a key role in, which are particularly 
important in helping to reduce frauds by linking the individual 
to the file so that it is possible to verify their identity.
    We have already heard about the use for location. I would 
refer you to testimony before this Subcommittee 3 years ago in 
which you heard about the impact on pension beneficiaries, that 
the addition of the SSN to name and address information 
increased the likelihood of finding a pension beneficiary from 
8 percent to 85 percent, a more than tenfold increase by virtue 
of having access to the SSN. Law enforcement, of course, for 
years has had access and made use of SSNs; and in the days and 
months since 9/11 we have discovered new security uses and 
available benefits that SSNs generate.
    Let me be clear: when we think about the programs that 
Congress and the Administration have put in place or are 
considering for border security, for airline security and other 
forms of national security, the question of SSN availability is 
only goes to the question of making those programs more 
accurate. It may very well be that you do not wish those 
programs to go forward, but whether or not they go forward it 
is clear we want them to be as accurate as possible, and that, 
of course, is what SSNs help make possible.
    This, then, reflects a problem with the current bill. Let 
me say there are many aspects of the current bill that are very 
desirable, very laudable: efforts to increase the penalties for 
the misuse of SSNs, to enhance the efficiency and oversight 
over the assignment of SSNs, to get SSNs off of identity 
documents where they do not belong. Nevertheless, the effort to 
restrict disclosure subject to certain exceptions in an effort 
to protect against identity theft, all of my research suggests 
will be not only ineffective but counterproductive. There are a 
number of reasons for this, and I will conclude by touching on 
those.
    First, the issue is not just use of SSNs. It is fine to say 
that the Attorney General can adopt exceptions so that SSNs can 
be used in national security matters. However, of course, what 
most matters is that the SSNs were available when the data were 
collected so that the data were properly placed in the correct 
file. Second, the two-tier system seems unlikely to work. 
Maintaining records, whether in the public sector or private, 
in which SSNs are reflected in one version of the records but 
not in the others creates an extraordinary burden.
    Third, it is not clear that most cases of identity theft 
would be in any way affected by this bill. The FTC's September 
2003, study on identity theft indicated that 76 percent of 
identity theft cases involved a friend, family Member, 
coworker, neighbor or an employee of somebody who has lawful 
access to the SSN. Restricting the further transmission or the 
display of the SSN would not be relevant in those cases, the 
vast majority of cases.
    Finally, there are far more important steps, far more 
urgent steps, that Congress could and should take to help 
protect against identity theft and to reduce the role of SSNs 
in identity theft. I would point, for example, to Ms. Foss's 
three suggestions, which strike me as excellent, that those who 
are responsible for identifying people in connection with their 
credit reports should be given incentives to make more certain 
identification, increased funding for enforcement, more funding 
for agencies like the SSA. At the end of the day, while 
Congress is concerned with passage of the FACT Act, about 
accuracy of credit reports and other databases and ensuring 
that those are used and applied as accurately as possible, 
restricting access to SSNs is likely to have the opposite 
effect. Thank you.
    [The prepared statement of Mr. Cate follows:]
  Statement of Fred H. Cate, Professor of Law, University of Indiana-
                   Bloomington, Bloomington, Indiana
    My name is Fred Cate, and I am a Distinguished Professor and 
director of the Center for Applied Cybersecurity Research at 
IndianaUniversity, and a senior policy advisor at the Center for 
Information Policy Leadership at Hunton & Williams. For the past 15 
years, I have researched, written, and taught about information laws 
issues generally, and privacy law issues specifically. I directed the 
Electronic Information Privacy and Commerce Study for the Brookings 
Institution, was a member of the Federal Trade Commission's Advisory 
Committee on Online Access and Security, and served as reporter for the 
recent Department of Defense Technology and Privacy Advisory Committee. 
A brief biographical statement is attached.
    I appreciate the opportunity to testify today, and I am doing so on 
my own behalf. My views should not be attributed to Indiana University 
or to any other institution or person.
The Essential Role of Social Security Numbers
    My research on information flows in both public and private 
sectors, and all of the other research in this field with which I am 
familiar, highlights the need for, and difficulty of, accurately 
identifying individuals and attributing information about them. At 
first glance, these may seem like straightforward activities, but they 
have proved exceptionally difficult. How do I know that the person 
presenting himself--to apply for instant credit, seek a government 
benefit, or board an aircraft--is who he claims to be? And how do I 
know that the data I have about him is correctly associated with the 
right person?
    One example may suffice to suggest the magnitude of this challenge. 
The three national consumer reporting agencies process two billion 
pieces of personal data on 180 million active consumers every month to 
generate 600 million credit reports a year. Making certain that each of 
those two billion pieces of data is placed in the right one of 180 
million files and that each file is provided only in connection with 
the individual it concerns is a daunting task.
    The challenge is exacerbated by many factors, including:

      The frequency of common names (e.g., there are more than 
60,000 John Smiths in the United States alone), and the fact that names 
are not constant, thanks in part to 2.3 million marriages and 1.1 
million divorces every year.\1\
---------------------------------------------------------------------------
    \1\ National Center for Health Statistics, National Vital 
Statistics Reports, vol. 51, no. 8, May 19, 2003, at 1, table A.
---------------------------------------------------------------------------
      The variety of addresses available to many people (e.g., 
home, office, vacation home, Post Office box), the fact that several 
people may share the same address, and the speed with which addresses 
and telephone numbers change: according to the U.S. Postal Service, 
approximately 17 percent of the U.S. population--about 43 million 
Americans--changes addresses every year; 2.6 million businesses file 
change-of-address forms every year.\2\
---------------------------------------------------------------------------
    \2\ United States Postal Service Department of Public Affairs and 
Communications, Latest Facts Update, June 24, 2002.
---------------------------------------------------------------------------
      The inconsistencies with which we record names (e.g., J. 
Smith, J.Q. Smith, John Q. Smith) and addresses (e.g., ``123 Main,'' 
``123 Main Street,'' ``123 Main St.,'' ``123 S. Main Street,'' ``123 
Main Street, Apt. B'').
      The spread of first telephone and then Internet 
technologies, the increased mobility of the population, and the 
development of truly national competition mean that fewer transactions 
are conducted face-to-face, much less with people we know.

    As a result of these and other factors, the need for a unique, 
ubiquitous, national, constant, and authoritative identifier has become 
inescapable. Many activities in which we engage in both public and 
private sectors are impossible or impractical without it. That is why 
the Social Security Number has evolved to fill this role: modern 
government and business activities required it to identify individuals, 
and ensure that information about one individual is not erroneously 
attributed to another individual. These two functions are often 
interrelated.
    The identification function is often misunderstood. Obviously, the 
fact that an individual presents a Social Security Number does not 
prove that he or she is the person that the Social Security Number 
identifies. Rather, the Social Security Number provides an efficient, 
reliable way of locating a credit report or other record containing 
information that can then be used to verify the identity of a person. 
So, for example, if I apply for instant credit at a retailer, the 
retailer may ask for my Social Security Number as a way of locating a 
summary credit report about me. That credit report will list, among 
other things, my name, address, phone number, past addresses, and other 
identifying information. The retailer can then compare the information 
I have put on the instant credit application with the information 
contained in the credit report to determine if I am who I claim to be.
    Two points are critical here: First, knowing my Social Security 
Number alone does not get me credit; it is merely a quick way of 
locating reliable information about me that then can be used to verify 
my identity. If you don't believe me, walk in to any Target or Wal-mart 
or other retailer and try to obtain instant credit by presenting your 
Social Security Number alone.
    The second critical point is that the underlying data store must be 
accurate and reliable. Social Security Numbers play an essential role 
here as well by helping to ensure that data are linked to the right 
individuals and that subsequent users of those data have confidence in 
the accuracy and completeness of the data. When you apply for instant 
credit or an auto loan or a mortgage the lender wants to know that it 
is seeing an accurate and complete picture of your creditworthiness and 
that there will be reliable, affordable ways of determining if you 
declare bankruptcy or overextend yourself on credit in the future. 
Social Security Numbers facilitate the databases that do this.
Benefits of Ubiquitous Social Security Numbers
    The availability and reliability of Social Security Numbers makes 
possible accurate and efficient national credit reporting and directly 
contributes to greater consumer choice, lower prices and interest 
rates, more widespread and affordable home ownership, and other 
benefits. Social Security Numbers facilitate commerce in other ways, 
for example, by making it easier to identify consumers remotely, 
thereby enhancing lender and seller confidence and reducing fraud.
    The benefits of accessible Social Security Numbers are not limited 
to commerce. Social Security Numbers also play critical roles in 
identifying and locating missing family members, owners of lost or 
stolen property, heirs, pension beneficiaries, organ and tissue donors, 
suspects, witnesses in criminal and civil matters, tax evaders, and 
parents who are delinquent in child support payments. Just as with 
credit reporting, Social Security Numbers--often combined with other 
information, such as name--make it possible to construct accurate, 
comprehensive public record and third-party databases and search them 
quickly and reliably. Paula LeRoy from Pension Benefit Information 
testified before this subcommittee in 2001 that the presence of a 
Social Security Number increases the chance of locating a pension 
beneficiary from less than 8 percent to more than 85 percent--a greater 
than ten-fold increase.\3\ Moreover, Social Security Numbers can 
overcome inconsistencies in names or address or errors in the way this 
information is recorded.
---------------------------------------------------------------------------
    \3\ Hearing on Protecting Privacy and Preventing Misuse of Social 
Security Numbers before the Subcom.on Social Security of the House 
Comm. on Ways and Means, May 22, 2001 (statement of Paula Leroy).
---------------------------------------------------------------------------
    Social Security Numbers are critical to identity verification and 
background checks required for airline employees, school bus drivers, 
child care workers, Defense Department and intelligence agency 
employees, and congressional staff. Post-September 11 programs for 
enhanced border, critical infrastructure, and passenger facility 
security all depend on being able to identify individuals and asses the 
risk they present by quickly connecting to accurate information about 
them. This is a substantial challenge, as stressed by the recent final 
report of the Department of Defense's Technology and Privacy Advisory 
Committee.\4\ Social Security Numbers are essential to this task.
---------------------------------------------------------------------------
    \4\ U.S. Department of Defense, Technology and Privacy Advisory 
Committee, Safeguarding Privacy in the Fight Against Terrorism 36-38 
(2004).
---------------------------------------------------------------------------
    The essential roles played by Social Security Numbers highlight the 
importance of today's hearing and of your longstanding efforts, Mr. 
Chairman, and those of this subcommittee to ensure the integrity and 
security of Social Security Numbers and to protect against their 
misuse. We must ensure that Social Security Numbers are accurate, 
unique, and available for responsible use. H.R. 2971 takes some 
important steps in this direction, for example, by getting Social 
Security Numbers off of identification cards and checks where they do 
not need to be displayed, and enhancing protections within the Social 
Security Administration for ensuring that Social Security Numbers are 
issued appropriately and securely. However, the breadth and importance 
of the roles played by Social Security Numbers raise concerns about 
some of the restrictions posed by H.R. 2971.
The Problem of Restricting Access Except for Specified Uses
    H.R. 2971 would broadly restrict the ``sale, purchase or display'' 
of Social Security Numbers, subject to exceptions for certain uses--for 
example, credit reporting and national security. I applaud your 
attention to these critical needs. The problem, however, is that Social 
Security Numbers need to be associated with the underlying data from 
the start to ensure that they are included in appropriate databases and 
made part of the right files. So, for example, provisions authorizing 
the Attorney General to permit certain uses for national security 
purposes are important, but almost certain to be ineffective, because 
national security and law enforcement officials need--and regularly 
use--databases constructed for other purposes to access routine 
innocuous data to determine the risk that an individual may present. It 
is fine for the Attorney General to require that an individual entering 
a government facility or boarding an aircraft present a Social Security 
Number, but it will not matter at all if those numbers cannot be used 
to access properly segregated data in existing databases.
    The FBI and other law enforcement agencies, for example, routinely 
access aggregate data collected and stored by Acxiom, ChoicePoint, 
LexisNexis, and other providers for many commercial uses. Allowing the 
FBI to use Social Security Numbers is important, but for the data to be 
reliable, the providers must have been permitted to use Social Security 
Numbers all along, and the government and private entities that 
supplied data to them must also have used them. Focusing only on the 
end user is inadequate.
    The focus on use also ignores the fact that national security and 
law enforcement uses of Social Security Numbers frequently involve 
databases created for other purposes. Those other purposes subsidize 
the national security and law enforcement uses that the bill is likely 
to permit; if Social Security Numbers cannot be provided for those 
other purposes, they will not be available for the national security 
and law enforcement uses either.
    The limitation of the display restriction to ``the general public'' 
is unlikely to ameliorate this risk, because of the breadth, vagueness, 
and circularity of the definition given the phrase ``display to the 
general public'': ``to make such number available in any other manner 
intended to provide access to the general public.'' Moreover, as the 
General Accounting Office noted in its 1999 report to you, it is 
difficult to imagine that many data providers will undertake the cost 
and effort of maintaining two sets of data--one without Social Security 
Numbers for display to the general public and one without for other 
uses--or that data from which Social Security Numbers have been removed 
or obscured can be maintained, aggregated, and filed accurately.\5\ In 
addition, because violation of this provision is made a crime, subject 
to five years imprisonment, it seems likely that most businesses will 
steer clear of any activity that might be considered ``display to the 
general public,'' even if that means no longer providing valuable 
services that may very well continue to be legal.
---------------------------------------------------------------------------
    \5\ General Accounting Office, Social Security: Government and 
Commercial Use of the Social Security Number is Widespread (GAO/HEHS-
99-28) (1999).
---------------------------------------------------------------------------
    The history of information flows is one of constantly evolving new 
and valuable uses. If those uses have to be approved one at a time 
through a legislative or regulatory process, they are less likely to 
evolve as quickly or to be as affordable when they do. Regulatory 
barriers might very well have restricted the unanticipated use of 
commercial records for locating parents delinquent with child support 
payments or retirees entitled to pension benefits. These uses were not 
anticipated when the databases on which they rely were first created, 
but they are valuable and important today.
Rulemaking Authority and Lack of Preemption
    The many and vital benefits that the public enjoys as a result of 
ubiquitous Social Security Numbers are also threatened by the broad 
discretion given the Attorney General as to whether, and if so how, he 
might create exceptions to the bill's restrictions. As we have seen, 
any meaningful exception would likely result in undercutting 
significant portions of the bill. Narrower exceptions run the risk of 
not achieving the goals they are designed to serve and/or placing 
private--and public-sector custodians in the untenable position of 
maintaining duplicate databases or supplying data that may not be 
accurate or complete. The broad discretion given the Attorney General 
also creates a new regulator, parallel with the FTC which has long had 
authority in this area.
    What is most surprising, however, in view of the need for a truly 
national identifier for national security, law enforcement, and 
commercial purposes is that the bill does not appear to expressly 
preempt state laws and regulations concerning the disclosure and use of 
Social Security Numbers. As Congress acknowledged last year with 
passage of the Fair and Accurate Credit Transactions Act, it is 
difficult to imagine anything more intrinsically national in scope than 
the creation of accurate, complete databases necessary to support 
national commerce, national security, nationwide law enforcement, and 
the fight against identity theft.
Incentives for Inaccuracy
    Social Security Numbers are critical for maintaining data about 
individuals accurately. H.R. 2971, by restricting the use of Social 
Security Numbers, threatens to make databases less accurate. This is 
especially likely in the face of the proposed restriction on uses of 
credit header information, which is often the source of accurate, up-
to-date data necessary to identify and locate individuals and which is 
already the subject of existing financial privacy law.
    Nowhere is H.R. 2971's threat to accuracy more clear than in the 
provision prohibiting a person from doing business with an individual 
who will not provide a Social Security Number, unless federal law 
requires disclosure of the Social Security Number. The federal 
government has repeatedly acknowledged that it cannot maintain accurate 
records without access to Social Security Numbers; that is why the 
government requires them in such a wide range of settings even where no 
question of Social Security benefits is involved. But under this 
provision, the law would refuse to acknowledge that businesses face the 
same need; a business cannot refuse to provide a product or service to 
an individual who refuses to disclose his Social Security Number, even 
if that number is necessary to provide the product or service. The net 
result is certain to be data less able to be linked accurately with the 
individual it concerns--an ironic outcome at the same time as Congress 
has mandated the FTC and other regulators explore ways of improving 
accuracy in credit reports and other databases.
Social Security Numbers and Identity Theft
    The motivation behind proposed new restrictions on the use and 
availability of Social Security Numbers is preventing identity theft. 
Identity theft is a growing scourge of modern life. It takes a toll not 
only on the economy and businesses, who bear the lion's share of 
economic loss associated with the crime, but also on individuals who 
struggle sometimes for years to correct false information--information 
wrongly placed--in their commercial or government records. It is 
certain that much more needs to be done to address the rising tide of 
identity theft; my research suggests that restricting Social Security 
Numbers in government and commercial records is not the right step.
    While we do not know as much as we need to about identity theft, 
thanks to the efforts of FTC and others, one important fact we are 
learning is that much--perhaps most--identity theft is not committed by 
a stranger, but by a family member, friend, or co-worker. According to 
the FTC's Synovate study of identity theft, published in September 2003 
and based on more than 4,000 interviews, of the one-quarter of identity 
theft cases in which the victim knew the identity the perpetrator, 35 
percent involved a ``family member or relative'' and another 18 percent 
involved a friend or neighbor. Another 23 percent of cases involved 
someone who worked at a company or financial institution that held the 
victim's financial information.\6\ Taken together, 76 percent of cases 
in which the perpetrator did identify the thief did not involve access 
to third-party data (e.g., commercial or public records) that appears 
to be the target of H.R. 2971.
---------------------------------------------------------------------------
    \6\ Federal Trade Commission, Identity Theft Survey Report at 28-29 
(2003).
---------------------------------------------------------------------------
    In the remaining 24 percent of cases that might be affected by H.R. 
2971, the role played by Social Security Numbers in identity theft is 
apparently the same as that played in other settings--namely, to link 
an individual to a database file (most often a credit report). Given 
the many valuable uses of Social Security Numbers and the many ways in 
which those numbers are available, it would be far more efficient, as 
well as more broadly effective, to focus on ways for improving the 
identification of the person with his file, rather than attempting to 
restrict access to the Social Security Number in the first place. So, 
for example, the law might creative incentives for credit grantors to 
take additional steps to ensure that the person is who he claims to be. 
This would held deter not only the 24 percent of identity theft cases 
that involve a stranger, but the other 76 percent that involve a 
friend, family member, or employee of a business with whom the victim 
has a relationship.
     While our knowledge about identity theft is still developing, we 
do know that accurate Social Security Number information, attached to 
all financial information, is critical to fighting identity theft and 
to remedying it when it does happen. Social Security Numbers--if unique 
and reliable--are critical to preventing the granting of credit in 
somebody else's name. They are critical to keeping bad data out of 
innocent people's files. They are critical to identifying identity 
theft when it occurs and notifying victims. Yet H.R. 2971 seems 
intended and likely to diminish their availability.
    The FTC study reports that businesses lost $47.6 billion due to 
identity theft.\7\ We should certainly be hesitant before imposing 
restrictions on Social Security Numbers that could add to that cost, 
especially if we cannot identify clear specific benefits from those 
restrictions. In addition, countless hearings, interviews with identity 
theft victims, and studies have shown that the greatest burden most 
identity theft victims face is clearing their good names. We should be 
hesitant before doing anything that would make that already difficult 
process any harder.
---------------------------------------------------------------------------
    \7\ Id. at 7, table 2.
---------------------------------------------------------------------------
    Finally, I would just note there is some risk of getting caught in 
an unending cycle. The need for a ubiquitous, reliable, unique 
identifier is not going to go away. If legislation makes Social 
Security Numbers unavailable, government and industry will devise 
another system of numbers. If Social Security Numbers today play a 
significant role in identity theft--and I have not seen evidence that 
they do--what leads us to think that the identifying number of the next 
decade won't play that same role?
Conclusion
    Ubiquitous Social Security Numbers help identify people and ensure 
that information is associated with the correct person. These two 
critical roles are essential to many valuable activities--from 
facilitating national competition to locating heirs and missing 
children to enhancing national security. Accessible Social Security 
Numbers are also critical to preventing, detecting, and remedying 
identity theft, yet they appear to play little if any role in 
contributing to most cases of identity theft. This subcommittee would 
be well advised to continue its careful study of these issues; to 
enlist the FTC, the Social Security Administration, and other 
appropriate agencies in carrying out the research identified in H.R. 
2971; to enact those measures necessary to enhance the integrity of the 
systems by which Social Security Numbers are created and assigned; to 
strengthen criminal penalties against the deceptive or fraudulent use 
of Social Security Numbers; and to identify and adopt specific measures 
to help victims of identity theft reclaim their good names easily and 
quickly. But I would urge the greatest caution before proceeding with 
any restrictions on the productive and value uses of Social Security 
Numbers necessary to the benefits consumers enjoy today, our economic 
resiliency, the prevention and detection of crime, and our national 
security.

                                 

    Chairman SHAW. Thank you. Mr. Mierzwinski.

  STATEMENT OF EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, 
              U.S. PUBLIC INTEREST RESEARCH GROUP

    Mr. MIERZWINSKI. Thank you, Mr. Chairman. It is a pleasure 
to be back before the Committee. On behalf of the State PIRG. I 
would like to offer our views on SSN privacy, identity theft, 
and related matters. Again, I also thank you for your long-time 
leadership on keeping these issues before Capitol Hill. I 
realize it is complex to enact a bill that has the 
jurisdictional breadth of your bill, but we think it is 
important, and we encourage you to keep going forward.
    I want to make three points today, first on identity theft, 
then on Nation and its inadequacies and, third, on the need for 
your bill. Identity theft is not rocket science. Everyone 
agrees that anybody with no criminal skill and little physical 
risk, if any at all, can commit identity theft because of two 
factors, in my opinion, my professional opinion, I think that 
are agreed on by most experts in the field. The first factor is 
the ubiquitousness of the SSN. Your financial DNA is easily 
available out there.
    The second factor is the sloppy practices of credit 
reporting agencies and creditors when they issue credit. They 
issue credit not based on a number of matching points of 
identity. As Mr. Beales pointed out the FTC will be looking at 
ways to increase the number of matches that are required as 
part of a study under Nation based, by the way, on California 
law, but because the instant credit context often involves 
merely a name and a social. They don't check for an extra 
address or whether the address matches or a previous address, 
and it is just very simple to obtain instant credit with a 
name, a social and any other address that you might have.
    In our first studies done 8 or 9 years ago, we had no data 
on how extensive the problem was, but we did know that the 
problem was serious for consumers. We found in the year 2000, 
based on a survey, that consumers spent 175 hours clearing 
$17,000 worth of fraudulent credit off of their accounts and 
spent over $800 in out-of-pocket expenses trying to clear their 
names. That, of course, doesn't begin to measure the emotional 
distress.
    So, the victims routinely tell us that they don't often 
know how the identity theft occurred. Some of them, to be sure, 
it happened because of a relative. Increasingly, identity 
theft, because it is such a simple crime, is being taught in 
the prison yards. I have been told recently that it is a 
business model for methamphetamine gangs. They like to stay up 
at night, as you might guess, and they often go dumpster diving 
and collecting financial DNA and other information.
    Identity thieves also often take jobs--as part of gangs 
again, not relatives or brothers or friends. They will often 
take jobs as temporary administrative employees solely to 
harvest SSNs. So, the ubiquity of the SSN is out there. It is a 
big problem, and all the police that we have interviewed for 
our most recent reports, again, agree that the availability of 
the SSN is a significant problem. So, I would respectfully 
disagree with Professor Cate that the report suggests that it 
is not a problem. It is. The flaws in Nation, it is preemptive. 
We opposed final passage because it took away the laboratories 
of democracy, all the good ideas in fact that came from State 
law, yet Nation takes away the right of the States to enact 
most State laws.
    Second, there is no private right of action in Nation for 
many of the new rights that consumers have gained. Third, some 
of the rights in Nation to restore and clear your name are only 
possible if you file a police report. Many police don't take 
police reports. So, additional action is needed at the State 
level to give victims more ability to take advantage of Nation. 
Finally, the FACT Act doesn't protect SSNs; and that is why we 
need your bill. We need your bill to protect SSNs.
    Also, I would disagree with the notion that we need credit 
headers in society today. We think section 108 banning credit 
headers is a very important section. I have outlined in my 
testimony in detail why we think that the credit bureaus are 
now using the notice and opt-out privileges or conditions of 
Gramm-Leach-Bliley to collect SSNs from individuals, because, 
in fact, our reading of Trans Union II, a case upheld by the 
D.C. Circuit Court, is that credit bureaus can no longer use 
SSNs in credit headers. They can use the old ones they 
previously collected, but unless they provide notice and opt 
out they cannot. So, we think that your bill will perpetuate 
and narrow even further what the agencies have done in the 
Gramm-Leach-Bliley rules which were upheld in that court 
decision.
    The last point I want to make, I want to echo Mr. 
Hoofnagle's remarks on the refusal to do business provision. I 
know you have long stated that a video store should not be able 
to ask you for your SSN as a condition of renting a video. We 
agree, and we think that that is one of the most important 
sections of your bill. I think that if you tell the average 
American that you are going to put their SSN back in the box 
that Congress originally intended it to be in, that it can only 
be used for Social Security purposes, Medicaid purposes, tax 
purposes, they will be very happy with your legislation. Thank 
you.
    [The prepared statement of Mr. Mierzwinski follows:]
Statement of Edmund Mierzwinski, Consumer Program Director, U.S. Public 
                        Interest Research Group
    Chairman Shaw, Rep. Matsui and members of the committee: We are 
pleased to again present the views of the U.S. Public Interest Research 
Group on ways to improve citizen and consumer privacy by protecting the 
Social Security Number from misuse and misappropriation for fraudulent 
purposes, including but not limited to, identity theft. As you know, 
U.S. PIRG serves as the national lobbying office for state Public 
Interest Research Groups, which are non-profit and non-partisan public 
interest advocacy groups active around the country.
Summary
    U.S. PIRG believes that the widespread availability of the Social 
Security Number (SSN), the key to your financial identity, contributes 
to identity theft,\1\ which is one of the nation's fastest growing 
white-collar crimes. According to a 2003 survey by the Federal Trade 
Commission (FTC), nearly ten million Americans in the past year and one 
in eight adult Americans in the last five years has been a victim of 
identity theft.\2\ While the 2003 enactment of the Fair and Accurate 
Credit Transactions Act (FACT Act)\3\ may reduce some of the sloppy 
credit bureau and creditor practices\4\ that make it easy to open a 
fraudulent account in someone else's name, it is still incumbent on 
this committee to take additional steps to protect the Social Security 
Number. If the SSN is available in fewer places, on fewer documents and 
used for fewer commercial transactions or database identifiers when it 
shouldn't be, identity thieves as well as stalkers\5\ and even 
terrorists\6\ will be less able to harvest it for misuse. It is well-
documented, for example, that identity thieves will often seek 
employment as temporary office employees, solely to harvest SSN and 
other bits of ``financial DNA.'' Identity theft is a serious crime. It 
costs the economy billions and wreaks untold havoc on the lives of 
hard-working Americans who face the emotional distress and nightmare of 
clearing their names.
---------------------------------------------------------------------------
    \1\ The state PIRGs have studied credit reporting and identity 
theft for fifteen years. See, for example, ``Nowhere To Turn'', Benner, 
Givens and Mierzwinski, CALPIRG and Privacy Rights Clearinghouse, 1 May 
2000 at http://calpirg.org/CA.asp?id2=3683&id3=CA& We have released two 
previous reports on identity theft ``Theft of Identity: The Consumer X-
Files'', CALPIRG and US PIRG, 1996 and ``Theft of Identity II: Return 
to the Consumer X-Files'', CALPIRG and US PIRG, 1997, as well as four 
reports on errors by credit reporting agencies since 1991, most 
recently ``Mistakes Do Happen,'' 1998. For additional details, see 
testimony of Edmund Mierzwinski before the Senate Banking Committee, 31 
July 2003, at http://www.pirg.org/consumer/pdfs/
consumer31julymierzwinski.PDF
    \2\ See Federal Trade Commission ``Identity Theft Report,'' 
released 3 September 2003, prepared by Synovate at http://www.ftc.gov/
opa/2003/09/idtheft.htm
    \3\ The identity theft epidemic was not the spark that kindled 
passage of the FACT Act. Congress had ignored identity theft for years 
Expiration of certain time-limited restrictions on state authority to 
enact stronger credit and privacy laws drove industry to support 
permanent extension of the preemption of state laws. Although the new 
law includes several elements of PIRG's long-sought reform platform, 
the bill's price was unacceptable, since Congress permanently 
restricted most state rights to enact stronger laws, even though the 
best parts of the law are based on recent state laws. Both the Fair and 
Accurate Credit Transactions Act of 2003 (PL 108-159, 12/04/03) and the 
FCRA as amended are available at the FTC website at http://www.ftc.gov/
os/statutes/fcrajump.htm PIRG maintains an archive of FACT Act 
documents at http://www.pirg.org/consumer/fcra.htm
    \4\ Financial identity theft requires little criminal skill and no 
physical risk. Identity thieves armed with only your name and SSN 
exploit the creditor/credit bureau practice--extremely prevalent in the 
``instant credit'' context, of matching only these two identifiers in 
the credit granting process. Conversely, since consumers are not 
trusted users, as are creditors, a credit bureau requires a consumer, 
to obtain his or her own credit report, to provide a full name, an SSN, 
an address, previous addresses for the past five year and, often, a 
xerox copy of a drivers' license or utility bill showing that same 
address. Of course, identity thieves are not seeking to obtain your 
credit report, merely to obtain credit in your name at their address. 
While certain FACT Act provisions are designed to increase creditor and 
credit bureau verification before account opening, limiting the 
availability of the SSN will make it harder to obtain your ``financial 
DNA'' and use it.
    \5\ Amy Boyer was the first known victim of an Internet stalker. A 
man named Youens tracked her with confidential information, including 
her Social Security Number, allegedly obtained through an Internet 
information broker. EPIC maintains an Amy Boyer archive at http://
www.epic.org/privacy/boyer/ See PIRG's archived fact sheet at http://
www.pirg.org/consumer/trojanhorseboyer.pdf
    \6\ According to recent news reports, a Kansas City man found out 
when he tried to purchase a car that his Social Security Number had 
been used by one of the suspected 9/11 hijackers' associates still at 
large. ``Man Trying To Buy Car Finds Out 9/11 Terrorist Took ID,'' 
Omaha News Channel, 21 April 2004, last accessed at http://
www.theomahachannel.com/news/3026399/detail.html on 13 June 2004. 
Further, one of the associates of the 9/11 hijackers, Lofti Raissi, had 
been reported to be using the Social Security Number of a long-dead New 
Jersey woman, suggesting one reason that the bill's protections for the 
SSNs of the deceased should be increased [See Title I, Section 101, 
exception VII of HR 2971 and Section 107(c)(2) of HR 2971]. Of course, 
nearly all the hijackers had one or more valid or invalid SSNs. See 
testimony of Social Security Administration Inspector General James 
Huse before the House Judiciary Committee, 25 June 2002, at http://
www.house.gov/judiciary/huse062502.htm Also see the 8 November 2001 
Joint Hearing on the Social Security Administration Death Master File 
of the Ways and Means Committee Subcommittee on Social Security and the 
Financial Services Oversight and Investigations Subcommittee archived 
at http://financialservices.house.gov/
hearings.asp?formmode=detail&hearing=83
---------------------------------------------------------------------------
    In addition, limiting the sale, purchase and display of the SSN in 
the private sector extends important privacy principles of the U.S. 
Privacy Act that have generally operated to protect privacy in 
government uses of information to also protect privacy in commercial 
uses of information, where consumers have generally only been protected 
by a patchwork of modest safeguards. As a result of the permissive 
availability of SSNs for use in the private sector, the SSN has leaked 
into use in all aspects of commercial transactions.
    Your bill contains two important provisions we have long supported. 
First, it extends a strong anti-coercion provision that will limit 
private sector use of the Social Security Number by making it an unfair 
trade practice to refuse to do business with a consumer who refuses to 
provide an SSN. Second, your bill fully closes the court-narrowed 
credit header loophole, which has allowed secondary sale and use of 
Social Security Numbers without consent by credit bureaus, outside of 
the protections of the Fair Credit Reporting Act (FCRA).
    In addition, your bill imposes important restrictions on the sale, 
display and use of the Social Security Number. For example the bill 
bans display on government-issued checks, on government or private 
sector employee and benefit ID cards and on drivers' licenses. It 
generally bans display, purchase or sale in the private sector. Your 
bill restricts use of SSNs by prison labor, following the well-
publicized Metromail scandal involving a convicted felon who stalked a 
grandmother by telephone. It also adds new safeguards when obtaining a 
Social Security Card, to prevent fraudulent use and protect the 
integrity of the Social Security Number system. Your bill also 
increasing criminal penalties for misuse of the SSN. We offer 
suggestions below to narrow the exceptions provided in the bill to 
better achieve its purpose.
    Any legislation enacted should be simple, based on Fair Information 
Practices,\7\ and contain as few loopholes and exceptions as possible. 
It is critical that new legislation not preempt or roll back existing 
privacy protection under either the Gramm-Leach-Bliley Act (GLBA) 
regulations\8\ or the Shelby drivers' privacy amendments.\9\ We urge 
you to resist business demands for exceptions and loopholes. You should 
especially challenge their specious arguments that so-called business-
to-business uses will not pose privacy risks.
---------------------------------------------------------------------------
    \7\ Fair Information Practices are discussed in numerous contexts 
in the Congress today. Unfortunately, many industry-supported bills and 
nearly all industry ``studies'' seek to dumb-down the comprehensive 
Fair Information Practices to unacceptable levels. As originally 
outlined by a Health, Education and Welfare (HEW) task force in 1973, 
then codified in U.S. statutory law in the 1974 Privacy Act and 
articulated internationally in the 1980 Organization of Economic 
Cooperation and Development (OECD) Guidelines, information use should 
be subject to Fair Information Practices. Noted privacy expert Beth 
Givens of the Privacy Rights Clearinghouse has compiled an excellent 
review of the development of FIPs, ``A Review of the Fair Information 
Principles: The Foundation of Privacy Public Policy.'' October 1997. 
http://www.privacyrights.org/AR/fairinfo.html The document cites the 
version of FIPs in the original HEW guidelines, as well as other 
versions.
    \8\ The GLBA created a category of protected ``non-public personal 
information.'' The final GLBA financial privacy rules issued by 7 
federal financial agencies defined Social Security Numbers as non-
public personal information (NPPI). A key provision is that the 
transfer of Social Security Numbers from financial institutions to 
credit bureaus is only allowed for regulated Fair Credit Reporting Act 
purposes (eg, for use in a credit report) but not for unregulated 
purposes, where the credit bureau would be considered a non-affiliated 
third party. The agencies correctly interpreted the law to prevent the 
sharing of Social Security Numbers unless consumers are given notice of 
the practice and a right to opt-out.
    \9\ Senator Shelby's 2000 amendments to the Driver's Privacy 
Protection Act were incorporated as Section 309 of the Transportation 
Appropriations bill (PL 106-346) signed by the President 23 October 
2000. The amendment requires states to obtain express consent of 
drivers before the sharing or selling of a driver's ``highly sensitive 
personal information,'' including Social Security Number, photograph, 
image, or medical or disability information. In 1999, Shelby had 
incorporated these provisions into law as part of the Appropriations 
bill, but only for one year, while the 2000 amendment amends the DPPA 
itself. In 2000, the Supreme Court upheld the constitutionality of the 
DPPA in Reno vs. Condon.
---------------------------------------------------------------------------
    Unless credit bureaus and others are weaned from their over-
reliance on the Social Security Number as a unique identifier, we will 
not succeed in protecting the SSN from misuse.
    In addition to the problems created by theft of the SSN, its use in 
the credit system as a supposed unique identifier is flawed and leads 
to inaccuracy in credit reporting due to errors in data entry. Unlike 
credit card numbers, which contain a check-sum digit reducing data 
entry error rates, SSNs can be easily entered with transposed digits or 
other errors. Mistakes in credit reports lead to consumers either being 
denied credit or paying too much for credit.
(1) Principles of Social Security Number Protection: Simplicity, With 
        Few, If Any Exceptions and Loopholes
    Privacy expert Robert Ellis Smith, the publisher of Privacy Journal 
and author of ``Social Security Numbers: Uses and Abuses'' (May 2001) 
has proposed a simple Social Security Number protection scheme.\10\ 
Your bill tracks much of it closely. Here is Smith's proposal, with his 
explanations in brackets:
---------------------------------------------------------------------------
    \10\ See the Privacy Journal website for more information. Smith's 
latest book is ``Ben Franklin's Web Site: Privacy And Curiosity From 
Plymouth Rock To The Internet'' http://www.privacyjournal.net/

    1.  ``It shall be illegal to buy or sell the Social Security number 
of a person.'' [This is the source of much identity theft; it is always 
a secondary use of the SSN; and it is inconsistent with using the SSN 
as an AUTHENTICATOR of personal identity.]
    2.  ``No person shall be required to provide a Social Security 
number on an application for credit or on a request for a copy of one's 
own credit report under the Fair Credit Reporting Act.'' [The FCRA 
merely requires satisfactory proof of identity to see one's own credit 
file. Use of SSNs to make a match between a requested credit report (by 
a credit grantor) and a credit report in a credit bureau's system has 
been the cause of confusion for credit grantors, nightmares for 
consumers, and identity theft. If credit bureaus did not rely on SSNs 
to make a match, 80 percent of identity theft would cease. There is a 
long list of case law to support the need for this provision.]
    3.  ``No person shall be compelled or coerced into providing a 
Social Security number for any transaction unless there are income-tax 
consequences in the transaction or there is relevance to Social 
Security, Medicare, or Medicaid benefits. No person shall be compelled 
or coerced into providing a Social Security number on an application of 
employment until there has been a firm offer of employment. Any 
application for employment shall state that the request for the Social 
Security number prior to a firm offer of employment is voluntary.'' 
[This would essentially freeze demands for Social Security numbers in a 
way least disruptive to organizations currently relying on SSNs. It 
would tie demands for Social Security numbers to the two original 
purposes (SSA administration and federal taxes) two uses that are at 
least anchored in long-standing law. Placing SSNs on job-application 
forms increases the risk of exposing them to fraudulent users of SSNs.]
    4.  ``No institution of higher education or elementary or secondary 
school shall use a student's Social Security number as a student 
identification number.'' [An alarmingly high number of identity theft 
frauds originated from SSNs taken from universities. Deterring school 
systems from using the SSNs as a student ID number will permit parents 
to delay labeling their children with numerical IDs.]
(2) Principles of Social Security Number Protection And Analysis of HR 
        2971
    U.S. PIRG concurs with the detailed testimony today from the 
Electronic Privacy Information Center (EPIC). We believe that the most 
effective way to protect Social Security Numbers would be to enact 
simple, straightforward legislation that reins in the widespread non-
statutory uses of the Social Security Number as an identifier in the 
private sector.\11\
---------------------------------------------------------------------------
    \11\ Ideally, such a bill would also narrow many of the government 
use exceptions that have been established over the years allowing the 
Social Security Number to be used as an identifier and matching element 
for secondary purposes unrelated to Social Security.
---------------------------------------------------------------------------
(A) Principal One: No Coercion By Businesses
    The Social Security Number was originally intended for Social 
Security purposes. Its federal government uses have been expanded to 
tax and Medicaid purposes. No private sector business should be able to 
insist that a consumer provide an SSN as a condition of doing business, 
unless that firm is required to collect the SSN for official government 
purposes. Your bill (Section 109) makes coerced demand (refusal to do 
business) of a consumer's Social Security Number an unfair trade 
practice under Section 5 of the Federal Trade Commission Act. No one 
should have to give up his or her SSN to rent a video, as you have long 
pointed out.\12\
---------------------------------------------------------------------------
    \12\ This is essentially extending Section 7 of the Privacy Act of 
1974, Public Law 93-579 (which protects the Social Security Number in 
government uses with an anti-coercion provision) to the private sector.
---------------------------------------------------------------------------
(B) Principal Two: Close The Credit Header Loophole
    Your bill (section 108) also incorporates provisions long 
championed by its co-sponsor Rep. Kleczka closing the so-called credit 
header loophole. Under an egregious 1994 decision of the Federal Trade 
Commission, consumer reporting agencies (credit bureaus) had developed 
a thriving business selling Social Security Numbers outside the Fair 
Credit Reporting Act\13\ (FCRA), without consumer consent.
---------------------------------------------------------------------------
    \13\ 15 USC 1681 et seq. See the FTC's version of the FCRA as 
amended by the FACT Act at http://www.ftc.gov/os/statutes/fcrajump.htm
---------------------------------------------------------------------------
    Credit headers include information ostensibly not bearing on 
creditworthiness and therefore not part of the information collected or 
sold as a consumer credit report. The sale of credit headers involved 
stripping a consumer's name, address, Social Security Number and date 
of birth from the remainder of his credit report and selling it outside 
of the FCRA's consumer protections. Although the information, marketing 
and locater industries contend that header information is derived from 
numerous other sources, in reality, the best source of credit header 
data is likely financial institution information, which is updated 
regularly.
    While the DC Circuit, U.S. Court of Appeals, has upheld the Gramm-
Leach-Bliley Act privacy regulations\14\ and thereby narrowed the 
credit header loophole,\15\ more needs to be done. The regulations do 
however allow the harvesting of SSNs for secondary purposes if the 
law's notice and opt-out provision is complied with. A recent 
Washington Post\16\ story notes that the credit bureaus are now adding 
a boilerplate notice to requests for credit reports or subscriptions to 
their over-priced credit monitoring services, which could allow them to 
bypass the court restrictions:
---------------------------------------------------------------------------
    \14\ On 16 July 2002, the DC Circuit of the U.S. Court of Appeals, 
Case No. 01-5202 [See http://laws.findlaw.com/dc/015202a.html] upheld 
an April 2001 U.S. Court DC District ruling (Trans Union LLC v. Federal 
Trade Commission, Civil Action No. 00-2087, see http://
www.dcd.uscourts.gov/00-2087.pdf) (the case now known as Trans Union 
II, consolidating Trans Union vs. FTC and IRSG vs. FTC) that the 
privacy rules issued under GLB are constitutional. [In Trans Union I 
vs. FTC the DC Circuit had upheld at FTC order that unregulated credit 
headers could not include dates of birth because of their use in credit 
scoring models and therefore, in credit decision-making. That case also 
upheld the constitutionality of the FCRA and that privacy protection 
serves an important government purpose. See (No. 00-1141, 13 April 
2001, (cert denied, 10 June 2002 by Supreme Court), Trans Union I vs. 
FTC, http://laws.findlaw.com/dc/001141a.html
    \15\ For a discussion of the credit header loophole and the 
treatment of the SSN as protected non public personal information, see 
the GLBA Privacy Rule at pages 80-83, Federal Trade Commission, 16 CFR 
Part 313, Privacy Of Consumer Financial Information, Final Rule, 
available at http://www.ftc.gov/os/2000/05/glb000512.pdf
    \16\ See Oldenburg, Don, ``Free Credit Reports That Cost You Your 
Privacy'', The Washington Post, 17 Feb 04.
---------------------------------------------------------------------------
    ``And the other ``gotcha:'' ``There is an even higher price,'' the 
    reader says. ``Reading the privacy disclosure information, I was 
    surprised that you were agreeing to let them use everything in your 
    credit report for marketing--by them, by their affiliated companies 
    and by others.''
    Bad enough that many privacy policies state that they're going to 
    share your name, address, phone, Social Security number, birth 
    date, even credit-card number for marketing purposes--resulting in 
    more junk mail, spam and telemarketing calls (yes, even if you 
    signed on to the federal Do Not Call Registry, because now you have 
    a business relationship).
    In 1994, the Federal Trade Commission had granted an exemption to 
the definition of credit report when it modified a consent decree with 
TRW (now Experian). The FTC said that certain information would not be 
regulated under the Fair Credit Reporting Act. The so-called credit 
header loophole allows credit bureaus to separate a consumer's so-
called header or identifying information from the balance of an 
otherwise strictly regulated credit report and sell it to anyone for 
any purpose.
(C) Principal Three: Restrict The Sale, Purchase and Display of the SSN
    Your bill imposes important restrictions on the sale, display and 
use of the Social Security Number. For example the bill bans display on 
government-issued checks, on government or private sector employee and 
benefits ID cards and on drivers' licenses, and generally bans display, 
purchase or sale in the private sector. Your bill restricts disclosure 
to and use of SSNs by prison labor, following the well-publicized 
Metromail scandal. It also adds new safeguards when obtaining a Social 
Security Card, to prevent fraudulent use and protect the integrity of 
the Social Security Number system. Your bill also increases criminal 
penalties for its misuse.
(D) Principal Four: Not All Social Security Number Bills Are Created 
        Equal
    In previous Congresses, many worthy bills, in addition to your own, 
most recently HR 4857 (106th) and HR 2036 
(107th), have been proposed by privacy champions. In the 
107th Congress, meritorious proposals included HR 1478 (Kleczka), HR 
220 (Paul) and S 324 (Shelby) to protect Social Security Numbers. Among 
other Social Security Number bills with positive features in the 106th 
Congress was a proposal by Rep. Markey (HR 4611).
    However it is important to note that some well-intentioned privacy 
bills may actually increase the risk of sale or display of Social 
Security Numbers. For example, in the 106th Congress, the 
most prominent Senate proposal to ostensibly protect Social Security 
Numbers actually would have expanded commercial availability of Social 
Security Numbers. Originally intended to serve as a legacy for Amy 
Boyer, the first known victim of an Internet stalker, the Amy Boyer 
Law,\17\ as very nearly enacted into law,\18\ was actually a Trojan 
Horse and would have expanded commercial loopholes for obtaining Social 
Security Numbers, failed to protect Social Security Numbers on public 
documents and also would have preempted stronger state privacy laws. 
Subsequent proposals from the Amy Boyer Law's chief sponsor, Senator 
Gregg, and Senator Feinstein, have been better, but still deficient 
compared to your approach.\19\
---------------------------------------------------------------------------
    \17\ See PIRG's archived fact sheet at http://www.pirg.org/
consumer/trojanhorseboyer.pdf
    \18\ The Amy Boyer Law, introduced as S. 2554, (Gregg, 106th) was 
incorporated as Section 626 into the Commerce-Justice-State 
Appropriations (HR 4690 RS) and passed into law as Section 635 of HR 
5548, which was included in HR 4492 as sent to the President, but then 
was rescinded on the same day by language reversing its effect included 
in the Conference Report on HR 4577, the Consolidated Appropriations 
Act, (Labor-HHS Approps). Section 213 of HR 4577 amends HR 5548 by 
deleting a number of sections of HR 5548. Section 213(a)(6) of HR 4577 
strikes the Amy Boyer Law (Section 635 of HR 5548). See page H12261 of 
the Congressional Record for 15 Dec 00.
    \19\ For example, under the law enforcement exception in S 848 
(Feinstein, 107th) collection of delinquent child support 
would be a ``law enforcement'' purpose. Does that extend the exception 
to allow any private firm collecting child support to take advantage of 
the exception? It appeared to do so, despite well-documented 
circumstances where some private child support collection firms have 
abused debt collection laws. See ``Problems At Child Support, Inc., 
Complaints Increase For Specialized Collection Firms'' 18 May 2000, 
Washington Post, Caroline E. Mayer and Jacqueline Salmon.
---------------------------------------------------------------------------
(3) Suggestions To Improve HR 2971:
    We concur with EPIC's detailed recommendations to strengthen the 
bill and narrow its exceptions. In particular, we agree that the 
Congress should limit the Title I exceptions for governmental sale of 
the SSN. Specifically, we recommend that subsection (V), which allows 
unlimited sale of SSNs to thousands of credit reporting agencies 
(CRAs), be removed from the bill. This exception is too broad and 
allows unrestricted transfers of government records containing social 
security numbers to CRAs, possibly for purposes unrelated to regulated 
credit reporting, including direct marketing. If it remains, it should 
be re-drafted in the manner of the credit header section, Section 109, 
which would only allow the use of the SSNs so provided for provision in 
a regulated credit report, not for any other purpose.
    Second, as EPIC describes, additional procedural safeguards should 
be added to restrict the Attorney General's Section 102 prerogatives in 
granting additional sale and display exceptions. These include addition 
of a public comment period to the rulemaking, eliminating the ``undue'' 
qualifier and adding the crime of identity theft as a risk factor, and 
requiring any entity that gains use of the SSN through an exception to 
use technical means, such as encryption, to protect the SSN.
    We also concur with EPIC that section 104 should also prohibit 
states from encoding the SSN on magnetic strips, barcodes, or smart 
cards on the driver's license, as we are aware that while some states 
do not print the SSN on the card, they may embed the identifier 
digitally on the card.
    In addition, as we have pointed out above, unless steps are taken 
to wean the private sector of its over-reliance on the SSN, it will 
continue to use it. Therefore, we concur with EPIC that exceptions 
should be for limited and specific time durations. If the committee 
believes it is necessary to extend any exceptions at all allowing 
continued non-statutory collection of Social Security Numbers by the 
private sector, which has unfortunately come to depend on the Social 
Security Number as a crutch, then the committee should include 
technology-forcing time limits on private uses so that firms are forced 
to develop more accurate alternatives that do not pose the secondary 
use problems of continued use of the Social Security Number, which was 
originally intended only for Social Security and certain tax purposes. 
Expect the business community to argue that business-to-business uses 
are both necessary and protective of the SSN. Neither claim is true.
Conclusion
    We want to thank you, Mr. Chairman, for your leadership on these 
issues and for offering us the opportunity to present our views on the 
need for strong privacy protections to protect Social Security Numbers 
from misuse. We look forward to working with you on this and other 
matters to guarantee the privacy of American citizens. Restricting the 
widespread availability of Social Security Numbers is one of the most 
important solutions to the identity theft epidemic. It also brings the 
use of SSNs more closely under the limited use principles embodied in 
the Fair Information Principles.

                                 

    Chairman SHAW. Thank you. It wasn't too long ago this 
Committee had a hearing, and a military officer had undergone 
the same problem. The identity thief had taken his identity and 
SSN and purchased a Jeep. On further reflection, he all of a 
sudden realized that, also, his Social Security was his serial 
number that was required on the back of the check at the PX. 
So, you never know how many hands these things are going to go 
through; and, Mr. Ladd, we have got a lag time in the bill of 2 
years in order to get to conformity. As long as public 
documents are public documents, and, of course, these court 
files have to stay open to the public and particularly land 
records.
    I practiced law for many years before coming to Congress. I 
can't remember a single time except in an estate situation 
where I had to inquire of the client of his SSN. Twenty some 
years can fog your memory, but I can't remember back then we 
ever needed them or wanted them, and that is back when we 
tracked land titles with abstracts instead of doing it online. 
We didn't know what online meant.
    Mr. LADD. We would concur with that, that there is little 
purpose from the land records custodian's point of view for the 
inclusion of the SSN. However, because of some of the 
difficulties of identifying the correct Robert Jones, and in 
the land title business as well, that has become added to the 
record more and more frequently. We object to it, but we have 
no authority to refuse the record.
    Chairman SHAW. My brother's name is John Shaw. Clay Shaw is 
not a very common name, unless you go to New Orleans. John Shaw 
is a common name. We own property together, and every time 
there is a title search his name pops up with about six 
judgments against it, which we cure with affidavits. We don't 
seem to have a problem with that because, of course, he doesn't 
have any judgments against him, but it is a common name. Still 
we have always done it without putting any SSNs on the record; 
and, quite frankly, I am not sure that would separate him from 
someone with a similar name because I don't recall the SSN ever 
being on a final judgment that was put on record.
    Mr. LADD. Will that vary from jurisdiction to jurisdiction 
and then from financial institution to financial institution.
    Chairman SHAW. You do have a problem as far as your State 
law is concerned? I think Mr. Cate, you spoke or one of you 
spoke about State rights. Either Buenger or Cate, I can't 
remember which one. The SSN is a Federal number issued by the 
Federal Government, and I don't see any States' rights problem 
in limiting the display of that. Ms. Foss, I wanted to go just 
a little further into your case. You certainly went through a 
nightmare; and, fortunately, the perpetrator showed up and was 
prosecuted and now is, I assume, still serving time in jail.
    Ms. FOSS. The special agent with the Social Security 
Inspectors Office said that they couldn't track whether or not 
she was still in jail. So, they didn't know at this point in 
time.
    Chairman SHAW. Well, we don't lose people in jail. Even in 
Baghdad we know who is in the can. I would think somebody could 
track that down. Was it in a Federal penitentiary? Or was it 
State?
    Ms. FOSS. She was working out of Mail Boxes, Etc. on 
Wisconsin Avenue in D.C., so I believe it was the D.C. District 
Court that handled it.
    Chairman SHAW. Do you live here in the District?
    Ms. FOSS. I never lived in the District. I have lived in 
Maryland. At the time this happened to me, I was in 
Pennsylvania; and I never had anything stolen that I know of.
    Chairman SHAW. How long ago was it?
    Ms. FOSS. It was 1999 when I discovered it, and she had 
been going at it for about 6 months.
    Chairman SHAW. Yes, I guess she is probably out. I hope she 
didn't write it down somewhere.
    Ms. FOSS. I hope she forgets everything.
    Chairman SHAW. You are smart to keep track of your record, 
because that stuff can pop up again. One of the terrible things 
with identity theft is once you get into that cycle you are 
very liable to get hit again. So, it is very important. I can 
see that you all disagree in a much more civil manner than we 
do here in the Congress, and I congratulate you. We very much 
appreciate your point of view. I am going to give the other 
Members of this Committee an opportunity to submit some 
questions which I intend to also submit to you in writing, and 
we would appreciate your answering those questions, and we will 
make that part of this record. Thank you so much for your time. 
The problem with the Members not being here is that the hearing 
went actually longer than we thought, plus we had an 
interruption of almost an hour in the middle of it, which got 
schedules all off kilter. Thank you. This hearing is adjourned.
    [Whereupon, at 1:54 p.m., the hearing was adjourned.]
    [Questions submitted from Chairman Shaw to Mr. Beales, Mr. 
O'Carroll, Ms. Bovbjerg, Mr. Maxwell, Mr. Ladd, Mr. Hoofnagle, 
Mr. Mierziwinski, Mr. McGuinness, Mr. Buenger, Mr. Cate, and 
their responses follow:]

  Questions from Chairman E. Clay Shaw, Jr. to Mr. Howard Beales, III

    Question: You mentioned that the Gramm-Leach-Bliley Act (GLBA) 
restricts financial institutions from sharing SSNs with unaffiliated 
businesses. When the FTC issued the final rule on privacy under GLBA, 
did you anticipate a greater level of protection for SSNs than has 
actually occurred, especially with regard to SSNs in credit headers? 
How has actual practice differed from what the FTC envisioned at that 
time? Would you agree we need stronger protection for SSNs? 
    Answer: When considering the need for greater protections for SSNs, 
it is important to keep in mind the reason that SSNs are valuable to 
identity thieves. SSNs are crucial to the proper functioning of our 
financial system. In particular, they are used by credit bureaus to 
match consumers to the appropriate credit information and are widely 
used by businesses to identify consumers. Thus, in a real sense, access 
to SSNs by legitimate users is an important tool in combatting identity 
theft. In my view, any restrictions on SSNs should be carefully 
tailored to balance the need to keep SSNs out of the hands of those who 
might use the information fraudulently with the need for businesses to 
have sufficient information--including SSNs--to spot fraud and 
attribute information to the right person. The best approach to 
achieving this balance is to limit access to SSNs to those purposes 
that are legitimate. This is the model used in other successful federal 
privacy laws, such as the Fair Credit Reporting Act, which allows 
information to flow without restriction to credit bureaus, who then may 
only disclose a credit report for a ``permissible purpose'' as 
specified in the FCRA. Any further regulation of SSNs should follow 
this same model.
    With respect to the Gramm-Leach-Bliley Act, as discussed in the 
Commission's testimony, the GLBA Privacy Rule imposes certain 
restrictions on the disclosure of information collected by credit 
bureaus from financial institutions, including SSNs and other 
identifying information about consumers (sometimes called ``credit 
header'' information). Prior to the GLBA's passage in 1999, the 
disclosure of this information was not regulated under Federal law 
(including the Fair Credit Reporting Act, which generally does not 
cover identifying information). Although I was not at the Commission 
when the GLBA Privacy Rule was enacted, it was likely anticipated that 
the disclosure of SSNs would be restricted under GLBA to a greater 
extent than existed prior to its passage. At the same time, it was 
recognized that GLBA did not place comprehensive restrictions on the 
sharing of SSNs. For example, GLBA covers only nonpublic personal 
information obtained from financial institutions, and is not 
retroactive (and therefore does not limit the sharing of information, 
including SSNs, that were collected prior to July 1, 2001).
    With certain exceptions, such as for credit reporting, fraud 
prevention, and law enforcement, GLBA prohibits sharing of information 
to nonaffiliated third parties unless the consumer has been given a 
chance to ``opt out.'' The Privacy Rule prohibits redisclosure of 
information received under an exception for purposes other than to 
carry out the activity covered by the exception. In practice, it 
appears that credit bureaus are redisclosing credit header 
information--including SSNs--for credit reporting purposes as well as 
for other purposes listed under certain GLBA exceptions, such as fraud 
prevention or law enforcement. See 16 C.F.R.  313.14-.15 (2000). In my 
view, the Rule seems to assume that information will be disclosed for 
one purpose, but nothing in the rule expressly prohibits sharing 
information for more than one purpose, and it is unclear whether there 
is a statutory basis for such a prohibition. This broader 
interpretation has the result in many cases of furthering important 
policy goals, such as combating fraud, assisting law enforcement, 
ensuring public safety, and complying with judicial process. At the 
same time, it is important that the credit bureaus take care not to 
redisclose credit header information beyond the bounds of the GLBA 
exceptions.
    Question: Do you agree with Mr. Fred Cate's interpretation of the 
FTC-sponsored Synovate survey's results, indicating the statistics 
prove commercial or public records are not the primary sources identity 
thieves use to obtain SSNs? 
    Answer: The Synovate survey indicated that the largest category of 
identity-related crimes within the preceding year involved the misuse 
of existing credit cards, which most likely can be committed without 
the victim's SSN. In those crimes where it is more likely that SSNs are 
used, such as when new accounts are opened or other frauds committed in 
the victim's name, it is difficult for victims of identity theft to 
know exactly when, where, how and by whom their personal information 
was compromised. Thus, the survey found that only 34 percent of victims 
who had new accounts opened in their name or whose information was used 
to commit other frauds (``Victims of New Accounts & Other Frauds' ID 
Theft'') knew who had misused their personal information. Of these 34 
percent who knew the identity of the thief, 53 percent said it was a 
family Member or relative; 12 percent said it was someone who worked at 
a company or financial institution who had access to the victim's 
personal information; and 10 percent of victims who could identify the 
culprit said it was a friend, neighbor, or in-home employee.
    Further, the survey found that 58 percent of all victims of ``New 
Accounts & Other Frauds'' ID Theft indicated they knew how the identity 
thief obtained their personal information. Of that 58 percent, about 35 
percent said their information was lost or stolen; 19 percent of those 
said their personal information was obtained during a transaction, such 
as a purchase; and 46 percent of those who knew how the information was 
obtained said the thief used ``other'' means of access (e.g., access 
via a family Member or from printed checks or bills.
    Not surprisingly, it is difficult to assess from these findings how 
and from where SSNs are obtained. Some of the information may have come 
from commercial records, or when the thief works for a company with the 
information, or in the course of a transaction. The survey results do 
not identify public records as a major source of information, but it is 
important to keep in mind that about 40 percent of victims of the most 
serious form of identity theft, the opening of new accounts, simply do 
not know how the thief obtained the information. Thus, the survey does 
not allow us to draw firm conclusions about the sources of SSNs for 
identity thieves.
    Question: The Salt Lake Tribune reported this month that identity 
thieves are increasingly using their own names and somebody else's SSN 
to obtain credit. Can you confirm this? If yes, how could it happen? 
Don't credit bureaus check to see whether an individual's name and SSN 
match and refuse credit if it doesn't? The article also mentioned that 
if the name and SSN do not match, the credit bureau creates a 
``subfile.'' The subfile affects the victim's credit, but the victim 
cannot obtain a copy of the subfile when they request a copy of their 
credit report, so they cannot clear up the identity theft. Is this 
true? 
    Answer: The FTC staff is currently attempting to gain a fuller 
understanding of the facts and circumstances underlying the article's 
allegations. To that end, FTC staff is following up with the government 
officials mentioned in the article to learn more about this issue. We 
have no information on the prevalence of this type of identity theft or 
whether it is increasing. The article does not disclose, and it may not 
be possible to determine, how the illegally used SSNs were obtained.
    With respect to the types of information used by credit reporting 
agencies in their matching processes and information provided to 
creditors and consumers, Nation requires the FTC to study the methods 
and efficacy of credit reporting agency efforts in matching information 
to ensure that a consumer is the correct individual to whom a consumer 
report relates before releasing a consumer report to a user of that 
report. See Pub. L. No. 108-396,  318 (2003). I anticipate that we 
will learn more about this issue in the course of our work on this 
study, which is to be completed by December, 2004. At this time, we do 
not know of any way that a ``subfile'' could impact a consumer's credit 
report or credit score without also being disclosed to the consumer 
upon request.
    Question: This Subcommittee has heard from a number of victims of 
identity theft. A common, and frustrating, theme is that after 
individuals discover the theft and report it to credit bureaus and 
financial institutions, they continue to be victimized by identity 
theft. How can this continue to occur, given the anti-fraud programs 
the industry cites? In your judgment, is the private sector doing 
enough to combat identity theft and assist its victims? Are there more 
effective ways to assist victims of identity theft to correct their 
credit histories? 
    Answer: Victims of identity theft often must navigate through 
various bureaucratic procedures to recover from the crime. Nation has 
established a number of measures designed to simplify this process and 
reduce the incidence of identity theft. Identity theft account blocking 
will give victims certain rights to ensure that fraudulent information 
gets removed promptly from their credit reports, thereby preventing 
distortion of their credit records. Creditors or other businesses must 
give victims copies of applications and business records relating to 
the theft of their identity, which can assist victims in proving that 
they are, in fact, victims.
    Other measures are designed to prevent or mitigate identity theft. 
The national fraud alert system will require creditors to take certain 
steps to verify the identities of consumers who have placed fraud 
alerts on their consumer reports before granting credit in the 
consumer's name. By means of the ``Red Flag'' rulemaking, financial 
institutions and creditors will have to analyze identity theft patterns 
and practices so that they can take appropriate action to prevent the 
crime. The Disposal of Consumer Report Information and Records rule 
will help to ensure that sensitive consumer information derived from 
consumer reports, including Social Security numbers, is disposed of 
properly.
    We expect that these provisions should significantly improve 
victims' ability to recover from their identity theft with a minimum of 
trouble and help to reduce the occurrence of identity theft. It should 
be noted that the majority of these provisions will not take effect 
until December 1, 2004. At that time, we will be able to begin 
assessing their impact.
    Generally, the private sector has been responsive in addressing 
particular problems in the system that can facilitate identity theft as 
those problems come to light. Combating this crime requires an ongoing 
effort by both the public and private sectors to identify new 
vulnerabilities and to implement new measures to protect thieves from 
exploiting them.
    Question: If a private entity--for example, a consumer reporting 
agency, health care organization, or information reseller--has an 
individual's SSN in its possession, and this information is used in an 
identity theft or fraud, should that entity be held strictly liable for 
any harm done? Please comment on the advantages or disadvantages of 
this idea, as well as its feasibility and potential effectiveness in 
combating identity theft.
    Answer: As demonstrated by the Synovate survey (see Q. 2 above), it 
is not often evident to victims how identity thieves obtain SSNs. Thus, 
a strict liability standard may not be the most appropriate means of 
curbing misuse of SSNs. A number of Federal laws mandate significant 
information security practices, which can protect SSNs from improper 
disclosure and use. Among these laws, the FCRA requires that consumer 
reporting agencies not disseminate consumer reports to entities unless 
they meet a statutorily permissible purpose to use the report. Nation 
amendments also require anyone with consumer information derived from 
consumer reports to dispose of that information properly. GLBA requires 
that financial institutions develop a program for taking reasonable 
steps to protect sensitive customer information and ensure that the 
program evolves to keep pace with new fraud trends. HIPAA and the 
Driver's Privacy Protection Act also require protection of sensitive 
information. I appreciate that certain entities or consumers are not 
covered by these laws (e.g., retail customers, employers). The 
Commission, however, can and has brought enforcement actions for 
security breaches or potential security breaches under section 5 of the 
FTC Act (i.e., In the matter of Guess?, Inc. and Guess.com, Inc., 
http://www.ftc.gov/os/2003/06/guessagree.htm and In the matter of 
Microsoft Corp., http://www.ftc.gov/os/2002/12/microsoftdecision.pdf).

   Questions from Chairman E. Clay Shaw, Jr. to Mr. Patrick O'Carroll

    Question: You mentioned that one terrorist suspect in a case your 
agents helped investigate had two Social Security cards in his 
possession at the time of his arrest. Were they SSNs he obtained from 
the SSA using fraudulent documentation? Were they fake SSN cards? Were 
they cards he obtained or stole from somebody else? 
    Answer: At the time of his arrest, the subject had two genuine 
Social Security cards in his possession; one belonged to the subject, 
and the other belonged to the brother of the subject. The investigation 
revealed that both individuals were born in the United States. The 
SSNs/cards were legitimately obtained from SSA, and both the subject 
and his brother were properly enumerated.
    Question: Are there other provisions you recommend for inclusion in 
the Social Security Number Privacy and Identity Theft Prevention Act of 
2003, H.R. 2971, to further prevent terrorists from obtaining or using 
SSNs to abet their heinous crimes?
    Answer: We recommend reviewing the implications of releasing 
information on deceased individuals and also recommend examining the 
potential for increased protection of this information.
    The SSA should be permitted to cross-verify Social Security numbers 
against government and private databases to identify and fix 
inaccuracies which would limit the spread of false identification and 
SSN misuse. We also encourage more data matching opportunities under 
longer term agreements, some of which may require a change in the 
current legislation.
    Question: You mentioned a couple of cases where SSNs were 
fraudulently obtained for nonexistent children. How did this happen? 
    Answer: The one case mentioned involved an elaborate conspiracy 
that included one man and eleven women. The women would visit Chicago 
and surrounding suburban area Social Security offices to apply for 
Social Security numbers for their supposedly newborn children. These 
individuals applied for the SSNs using counterfeit Illinois birth 
certificates, Department of Health immunization records and bogus 
employment identifications provided to them by the ringleader.
    The names used on all the Social Security applications belonged to 
undocumented Nigerian citizens who paid the ringleader up to $5,000 
each for a valid Social Security number, Illinois driver's license and 
U.S. Passport. The suspects would then visit local Social Security 
offices a month or two later with a second counterfeit Illinois birth 
certificate and their new identification to request a correction of 
their date of birth on Social Security records.
    Question: Are the provisions in H.R. 2971 that your office 
recommended, which would require independent verification of all birth 
documents and improvements in the enumeration-at-birth process, 
sufficient to help prevent this from happening?
    Answer: We believe that provisions 201 and 202 of HR 2971 will 
reduce the ease with which criminals may fraudulently obtain SSNs for 
non-existent children. A recent audit and numerous investigations 
indicate that because SSA does not verify birth records for children 
under the age of 1, criminals have inappropriately obtained SSNs for 
nonexistent children using invalid birth records. Accordingly, we 
recommended that the Agency close this loophole by verifying the 
authenticity of birth records presented by all U.S. citizens applying 
for original SSNs. We are currently awaiting the Agency's response to 
our recommendation. However, we commend the Subcommittee for taking 
proactive measures by including provision 201 in the proposed 
legislation--making it essential that SSA ensure the legitimacy of 
birth records submitted with original SSN applications.
    Regarding section 202 of HR 2971, related to SSA's enumeration at 
birth program, we support the Committee's proposal that SSA tighten 
controls within this program. While our 2001 report Audit of the 
Enumeration at Birth Program (A-08-00-10047) concluded that generally 
the program was providing accurate and reliable data for SSA's 
enumeration of newborns, we recommended that the Agency implement 
additional controls to prevent those with criminal motives from 
submitting SSN applications for nonexistent children. The Agency has 
explored this idea and taken some action on our recommendations. 
However, we believe the provisions outlined in section 202 of the 
Social Security Number Privacy and Identity Theft Prevention Act of 
2003 would provide further incentive for the Agency and participating 
hospitals and States to implement our proposed corrective actions.
    Question: You mentioned a case involving fraudulent acquisition of 
SSNs for unauthorized immigrants. Do you know what the unauthorized 
immigrants were doing with the fraudulently obtained SSNs? You stated 
the penalty some members of the scheme received was 2 years in prison.
    Answer: Actually, certain subjects in the case mentioned above 
(Question 2) were given 2 year sentences. Other subjects in this case, 
who conspired to traffic in unauthorized immigrants, were sentenced as 
much as 71 months in prison. The fraudulent SSNs that were received by 
illegal immigrants were used to obtain employment, as well as for 
obtaining driver's licenses, credit cards, mortgage loans, and so 
forth.
    Question: You have recommended new and enhanced penalties for 
fraudulently obtaining SSNs or SSN misuse which we have included in 
H.R. 2971. Are there others that are needed? 
    Answer: The OIG supports SSA's proposal requesting that the United 
States Sentencing Commission review and amend Federal sentencing 
guidelines to provide an appropriate penalty for any offense under 
sections 208, 811, or 1632 of the Social Security Act or any offense 
under 18 USC 1001 with respect to the Social Security, Special 
Veterans' Benefits, and the Supplemental Security Income programs. A 
primary purpose of sentencing guidelines is to reduce the disparity in 
sentencing between defendants who commit similar crimes. section 304 of 
H.R. 2971 proposes to amend sections 208, 811, and 1632 in order to 
obtain enhanced penalties, in cases of terrorism, drug trafficking, 
crimes of violence, or prior offenses, but it does not specifically 
direct the U.S. Sentencing Commission to consider amending Federal 
sentencing guidelines regarding these sections. In addition, the 
inclusion of the increased the penalties imposed for SSA employees who 
are convicted of selling SSNs will be a good deterrent in this area.
    Question: You stated that you support cross-verification of SSNs 
through both governmental and private sector systems of records to 
identify and address inaccuracies. You said that all law enforcement 
agencies should be provided the same SSN verification services granted 
to employers. What does the SSA say regarding the proposal? 
    Answer: The SSA has not yet officially responded to this OIG 
proposal, and therefore we will defer to SSA to present its position.
    Question: Why isn't information available from financial 
institutions, credit bureaus, and information resellers sufficient to 
prevent cases like the fraudulent home loan case you mentioned?
    Answer: Although we believe that representatives from financial 
institutions, credit bureaus and information resellers may be in a 
better position to respond to this question, we will provide the 
Committee with one possible reason if their information is not 
sufficient to prevent cases like the fraudulent home loan incident. 
Specifically, most of these organizations currently do not have the 
ability to verify the accuracy of customer SSNs and names with SSA, the 
actual issuer of the number. Historically, the Agency has limited its 
verification services to employers.
    Over the past several years, our organization has been a strong 
proponent of expanding SSA's authority to perform cross verifications 
service. Because the SSN has become a national identifier, we firmly 
believe that if the number is to be used as such, users should have 
correct information. For example, the Department of Housing and Urban 
Development had the ability to verify the name of SSN of the loan 
applicant, it would have discovered that an individual was using an 
incorrect SSN (one belonging to someone else) to obtain the loan.
    Question: One of the witnesses at the hearing, Mr. Fred Cate, said 
that if we limit sale, purchase, and display of SSNs that it will 
affect the availability and reliability of data for law enforcement and 
other vital purposes. Do you agree or disagree, and why?
    Answer: We believe there are alternative and reliable sources of 
data involving SSNs for law enforcement. For example, there are legal 
provisions that allow the sharing of SSN information among law 
enforcement agencies in appropriate circumstances. In addition, H.R. 
2971 makes appropriate exceptions for law enforcement officials in the 
provisions that prohibit the sale, purchase or display to the general 
public of SSNs.
    Question: If a private entity--for example, a consumer reporting 
agency, health care organization, or information reseller--has an 
individual's SSN in its possession, and this information is used in an 
identity theft or fraud, should that entity be held strictly liable for 
any harm done? Please comment on the advantages or disadvantages of 
this idea, as well as its feasibility and potential effectiveness in 
combating identity theft.
    Answer: The concept of strict liability would confer liability on 
the consumer reporting agency, health care organization, or information 
reseller not based on actual negligence or intent to harm, but instead 
on the breach of an absolute duty to protect SSNs in its possession. 
This strict liability would benefit fraud victims. With the risk of 
this increased liability, there would likely be more motivations for 
these organizations to better protect SSNs. At the same time, the 
adoption of strict liability may be criticized by private industry for 
not considering the intent of these organizations or whether these 
organizations acted negligently.
    This hypothetical illustrates the need for H.R. 2971 for those 
organizations not exempt from the H.R. 2971 limitations, such as the 
private resellers of information. The H.R. 2971 approach would limit 
the availability of SSNs to such entities, thus reducing the likelihood 
of their fraudulent use. A more feasible alternative might be the 
creation of a private cause of action on the part of victims against an 
individual or organization that did not exercise due diligence in the 
handling of their personal information.

   Questions from Chairman E. Clay Shaw, Jr. to Ms. Barbara Bovbjerg

    Question: You mentioned during your testimony that monitoring of 
the day-to-day release of information under the restrictions imposed by 
the Gramm-Leach-Bliley Act (GLBA) is essentially an ``honor system.'' 
Could you elaborate on how it works? What is known about the degree to 
which businesses comply with the privacy requirements under the GLBA? 
    Answer: In my testimony, I observed that generally Federal laws 
have controlled the use and disclosure of the SSN in specific 
industries, but that secondary disclosure by clients of these firms is 
generally not closely monitored. GLBA is one of the laws that restrict 
disclosure and is illustrative of the point that businesses that are 
indirectly governed by these privacy laws are expected to adhere to 
them, but are not necessarily monitored for compliance. For example, 
GLBA restrictions apply to institutions that are considered to be 
financial institutions under GLBA, which covers a broad range of 
financial institutions. In addition, entities that receive consumers' 
financial information from a financial institution under GLBA are also 
subjected to GLBA's restrictions. However, companies such as some 
information resellers that fall outside of the purview of Federal 
regulators may or may not adhere to GLBA. However, Federal regulators 
enforcing GLBA compliance are not required to monitor entities that are 
not directly under their jurisdiction.
    In our work for this Subcommittee, we found that some CRAs consider 
themselves to be financial institutions under GLBA. These entities are 
therefore directly governed by GLBA's restrictions on disclosing 
nonpublic personal information to non-affiliated third parties. We also 
found that some of the information resellers we spoke to did not 
consider their companies to be financial institutions under GLBA. 
However, because they have financial institutions as their business 
clients, they complied with GLBA's provisions in order to better serve 
their clients and ensure that their clients are in accordance with 
GLBA.
    FTC staff told us that GLBA also includes certain broad exceptions 
that are unspecific. For example, FTC officials said that they receive 
many inquiries from CRAs and information resellers concerning the 
application of GLBA's exceptions, such as whether the exceptions apply 
to certain circumstances. As a result, FTC officials said it is 
difficult to determine how and whether certain entities, such as 
information resellers, are appropriately interpreting the exceptions.
    Question: You stated that court records are among those most often 
cited as containing SSNs in your survey on how government entities 
collect and store SSNs. Do you have any information on the percent 
containing SSNs because Federal, state, or local laws and regulations 
require them? 
    Answer: We cannot accurately calculate such a percentage until we 
have complied and verified all survey data from our ongoing work on 
SSNs in public records. Our work will be completed in September 2004.
    Question: Some of the witnesses at the hearing asked for specific 
statutory exemptions from the restrictions contained in sections 101 
and 107 of H.R. 2971, rather than relying on the Attorney General's 
regulatory authority provided in section 102. In your view, is the 
authority provided in the bill to the Attorney General sufficient to 
address these concerns?
    Answer: H.R. 2971 would give the Attorney General discretionary 
authority to determine which entities could be exempted from the 
prohibition of engaging in the sale, purchase, or display of SSNs to 
the general public. As written, the bill provides for flexibility in 
determining which if any entities would be exempted, and offers a means 
to address concerns with such a prohibition once the law is passed that 
might not have been envisioned at the time it was drafted. Such an 
approach seems designed to address changing circumstances rather than 
addressing existing concerns of specific entities.
    If present concerns are deemed valid, the only way to assure that 
those concerns are addressed is to write them into the bill prior to 
passage, although such exemptions would still be subject to 
interpretation by courts.
    Question: A witness representing the National Council of 
Investigation and Security Services requested the deletion of section 
108 of H.R. 2971, citing the usefulness of credit headers in locating 
witnesses, criminal suspects, estate beneficiaries, and others. What 
other sources of information could be used to locate such persons if 
section 108 of H.R. 2971 were enacted into law? 
    Answer: Credit header information matches a persons' identifying 
information to their address, which is useful for purposes such as 
locating individuals. However, information is clearly available from 
other sources as well. Our current work shows that identifying 
information, such as name, addresses, and SSNs, can be found in public 
records and other publicly available information such as newspapers. In 
addition, entities willing to pay a fee can purchase such data from 
information resellers who specialize in amassing personal information.
    Question: If a private entity--for example, a consumer reporting 
agency, health care organization, or information reseller--has an 
individual's SSN in its possession, and this information is used
    Answer: Currently, identity theft victims are fully responsible for 
correcting problems caused by identity thieves. For example, victims 
must contact the major CRAs to have a fraud alert placed on their 
credit, file a report with the appropriate law enforcement entities, 
and if credit card misuse is involved they must report the misuse to 
their credit card company. Although private sector entities and the FTC 
have worked to lessen the burden on identity theft victims, identity 
theft victims can spend an average of 60 hours trying to resolve their 
problems.
    Results from a recent FTC survey show that identity theft victims 
feel that the financial community could do more to help resolve their 
problems. Many identity theft victims reported that improved follow-up 
and assistance by the financial community, as they attempted to repair 
their records, would be beneficial. Identity theft victims also 
reported that financial institutions, including CRAs, could make 
greater efforts to monitor consumers' account activity and notify them 
when unusual transactions occur. They also reported some degrees of 
dissatisfaction with the way CRA's and credit card companies have 
handled their identity theft related reports. For example, 31% of 
victims were dissatisfied with all of the CRAs they contacted while 18% 
were dissatisfied with all of the credit card companies to whom they 
reported misuse of their credit cards.
    CRAs, credit card companies and others are in a unique position to 
help identity theft victims resolve their problems. To the extent that 
these companies are made liable for losses, it is likely that more 
actions will be taken to protect SSNs and other personal information 
companies maintain. However, the benefits of assigning such liability 
to these companies must be balanced against the difficulty that these 
companies are likely to have in monitoring millions of individuals' 
accounts. In addition, holding companies responsible for identity theft 
victims' financial losses may not reduce the amount of time these 
victims spend trying to resolve their problems.

   Questions from Chairman E. Clay Shaw, Jr. to Mr. Lawerance Maxwell

    Question: You mentioned the Financial Industry Mail Security 
Initiative (FIMSI). Could you elaborate on who participates in the 
working group and the recommendations specifically made with regard to 
preventing use of SSNs? Why did the group believe a recommendation 
specifically dealing with SSNs was necessary?
    Answer: The U.S. Postal Inspection Service sponsored the Credit 
Card Mail Security Initiative starting in 1993 in response to a 
dramatic spike in the theft of credit cards. Representatives from the 
credit card and retail Industries attended these meetings which were 
held on a quarterly basis in WashingtonDC.
    The Postal Inspection Service decided in 2003 to expand the focus 
of the meetings to include presentations on money laundering, Internet 
fraud and bank fraud schemes. The attendee list was expanded to include 
both state and Federal prosecutors, investigators from local banks and 
credit unions, Federal and state law enforcement. Working groups 
include the Non Received Credit Card Working Group, the Bust-Outs 
Working Group, the Bank Fraud Working Group, and the Identity Theft 
Working Group. This new expanded group meets on a semi-annual basis. 
One of the more noteworthy accomplishments stemming from the credit 
card initiative was the credit card activation ``800'' number which has 
become an industry standard for security.
    The Identity Theft Working Group made recommendations dealing 
specifically with social security numbers (SSN's) in their consumer 
awareness campaign. Since the SSN is used as a personal identifier, it 
is the key piece of information needed to conducting Identity Theft. 
These recommendations included memorizing your SSN and passwords rather 
than carrying the cards with you; and, if possible, do not use your SSN 
as your identifying number on your driver's license.
    Question: You mentioned cases involving rings of identity thieves, 
who obtained lists with the victims' names, dates of birth, SSNs, and 
other information. How easy would it be for these criminals to steal an 
individual's identity without the SSN?
    Answer: The SSN is currently used as a personal identifier; this 
was never the intent when it was created. Without the SSN it would be 
much more difficult to take over an individual's identity. They would 
not be able to access or open financial accounts, instant credit 
accounts, or even cellular telephone accounts. The SSN is the key 
component to access and individuals credit history.

       Questions from Chairman E. Clay Shaw, Jr. to Mr. Mark Ladd

    Question: You mentioned the Property Records Industry Association's 
participation in the Records Access Policy Advisory Committee. What 
recommendations do you anticipate the Committee will make with respect 
to access to SSNs in public records? 
    Answer: The final four points outlined in the written testimony 
that we submitted comprise our recommendations to date. I do not 
anticipate any major changes in these recommendations.
    Question: You suggested that the legislation be effective on a 
``day-forward-basis.'' This recommendation has been made before and was 
incorporated into the current bill's language, which establishes a 
timeframe of 2 years from the date of enactment for those who maintain 
public records to comply with the law. Is this enough time?
    Answer: If documents that are on file with our office prior to the 
effective date of this legislation can be posted on our websites, even 
if they contain SSNs, then 2 years is more than enough time for 
compliance. Under this scenario, three to 6 months would be a 
sufficient grace period.
    If, however, records that are already on file with our offices must 
have SSNs removed before they can be posted on our websites, then no 
length of time will suffice for most counties. A few large counties may 
be able to afford the cost of compliance, but most will not. Only 
documents presented after the effective date of this legislation could 
be posted on county websites under this scenario.
    Question: You suggested giving public record keepers the authority 
to prohibit the filing of documents with SSNs, without requiring them 
to do so. Why is this important in your view, and would public records 
keepers implement such authority? 
    Answer: As I noted in my written and oral testimony, the shear 
volume of documents and the number of pages involved make prescriptive 
rejection authority extremely difficult to manage. However, permissive 
authority provides land records custodians the necessary tool to help 
protect the privacy concerns of the public if we discover a SSN 
included in a document during our normal review process.
    Our members object to rejection authority being prescriptive, as do 
our commercial customers (title companies, abstract companies and 
attorneys). However, permissive authority empowers us to assist the 
public in protecting their privacy concerns without placing an 
impossible task on our shoulders.
    It is my belief that most land records custodians would utilize 
permissive authority to protect the interests of their constituents.
    Question: You said that given the hundreds of thousands of pages of 
documents a jurisdiction may receive in a year, and that the SSN could 
be placed anywhere on a document submitted by the parties involved, 
that responsibility for SSN removal is more properly placed on document 
preparers and individual customers. If the bill were modified so that 
public record keepers were required to remove the SSN on forms they 
require (or block it from display if it is collected), but the 
responsibility and liability for removing SSNs on all other materials 
submitted to the court rested on those who file the papers, would that 
enable you to support this bill?
    Answer: Your proposal on this point is the most workable compromise 
that I have heard between agencies that require the SSN of necessity 
(such as the Court Administrators testified) and those of us who 
receive the SSN without any desire or necessity for it.
    Court Administrators who require SSNs could likely adopt rules 
regarding how documents are constructed that would make day-forward 
redaction manageable. By specifying a predetermined location that SSNs 
are listed in documents, they could reduce the effort required to 
redact. On the other hand, the burden to remove SSNs from documents 
that do not require them is correctly placed on document drafters.
    I think PRIA members would support this proposal.

Questions from Chairman E. Clay Shaw, Jr. to Mr. Jay Hoofnagle and Mr. 
                           Edmund Mierzwinski

    Question: Do you agree with Mr. Cate's statement at the hearing 
that knowing a Social Security number alone does not get an individual 
credit and that it is merely a quick way of locating reliable 
information about an individual that can be used to verify identity?
    Answer: Mr. Cate's statement perfectly illustrates the problem of 
the Social Security Number (SSN)--it is used both as an identifier and 
as an authenticator. That is, some businesses use it as a record 
locator, a master identifier to associate and reference records. Other 
businesses use it for authentication, a process where a person proves 
he is who he says he is. Serious security problems are raised in any 
system where a single device is used both as identifier and 
authenticator.\1\ It is not unlike using a password identical to a user 
name for signing into e-mail. Or like a bank routinely using the SSN as 
an account number and the last four digits of the SSN as a PIN for its 
automated teller machines.
---------------------------------------------------------------------------
    \1\ The driver's license is used as both identifier and 
authenticator, but it is a superior device because it includes a 
picture, address, signature, and basic physical information. It expires 
regularly and must also be renewed. A SSN lacks any of these additional 
features; see also Lynn M. LoPucki, Human Identification Theory and the 
Identity Theft Problemem, 80 Tex. L. Rev. 89, 100 (November 2001) (``In 
particular, Social Security numbers and mothers' maiden names are 
inherently poor passwords because they are widely known and difficult 
to change. Knowledge of a Social Security number supports only a weak 
inference that the knower is the person to whom that Social Security 
number was assigned.'').
---------------------------------------------------------------------------
    It is because the SSN is used as both identifier and authenticator 
that identity theft has increased in incidence and prevalence. Because 
the SSN is relied upon so heavily by business, it is the personal 
identifier that impostors seek in order to commit crime. Congress' goal 
in addressing identity theft and privacy should seek to limit 
availability of the SSN generally and to induce businesses to rely upon 
alternative identifiers.
    Question: Mr. Cate said that for data to be reliable, businesses 
and others must have been permitted to use SSNs all along, and that 
national security and law enforcement uses of SSNs frequently involve 
access to routine, innocuous data. Do you agree or disagree that 
prohibiting sale, purchase, and display of SSNs for unnecessary 
purposes would jeopardize use of SSNs for critical purposes?
    Answer: We disagree with the proposition that businesses have been 
permitted to use the SSN. While Congress has approved government uses 
of the SSN, the identifier has never been approved for general private-
sector use.
    Restricting the sale, purchase, and display of SSNs for unnecessary 
purposes preserves their utility for more critical purposes while 
decreasing opportunities for imposters to obtain identities to hide 
behind. Additionally, maintenance of dual identifiers, or transitions 
away from SSNs as identifiers, is a very feasible and desirable goal as 
demonstrated by Empire Blue Cross's transition (4.8M customers), and 
existing requirements in many states prohibiting use of SSNs for 
student, driver, and other identifiers.
    We also contest the notion that government uses of the SSNs 
frequently involve access to routine, innocuous data. The SSN plays an 
unparalleled role in aggregation of information, and thus information 
once thought to be innocuous can take on greater significance. For 
instance, a document EPIC obtained under the Freedom of Information Act 
from the United States Marshals Service highlights the amount of 
information that can be aggregated around identifiers:
    With as little as a first name or a partial address, you can obtain 
a comprehensive personal profile in minutes. The profile includes 
personal identifying information (name, alias name, date of birth, 
Social Security number), all known addresses, drivers license 
information, vehicle information. . . . telephone numbers, 
corporations, business affiliations, aircraft, boats, assets, 
professional licenses, concealed weapons permits, liens, judgments, 
lawsuits, marriages, worker compensation claims, etc.\2\
---------------------------------------------------------------------------
    \2\ Sole Source Justification for Autotrack (Database Technologies) 
(n.d.) (document obtained from the USMS), available at http://epic.org/
privacy/choicepoint/cpusms7.30.02j.pdf; see also Chris Jay Hoofnagle, 
Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data 
Brokers Collect and Package Your Data for Law Enforcement, 29 N.C.J. 
Int'l L. & Com. Reg. 595 (Summer 2004).
---------------------------------------------------------------------------
    In many cases, collection of the SSN is not necessary, and Congress 
should act swiftly to curb these uses of the SSN. In January 2002, a 
statewide grand jury empanelled by the Florida Supreme Court found in 
its first report that:
    We have identified that the government and business take in much 
more information than necessary to conduct business. For example health 
clubs require members to disclose their Social Security numbers on 
applications for membership; video rental stores ask for social 
security numbers on applications; and life insurance companies ask for 
social security numbers of beneficiaries; local governments ask for 
Social Security numbers on routine transactions. We were distressed to 
learn from the Interim Project Report by the Committee on State 
Administration and Committee on Information Technology that 96.3% of 
state agencies do not even have a written policy relating to the 
collection of Social Security numbers. This same report indicates that 
63% of these agencies disclose Social Security numbers on some public 
record requests.
    Medical service providers and insurance companies routinely 
substitute Social Security numbers for patient or policy numbers, 
unnecessarily exposing this sensitive information to scrutiny on such 
documents as health and insurance cards. Unsecured mailboxes and trash 
containers provide thieves with easy access to this personal 
information.\3\
---------------------------------------------------------------------------
    \3\ Identity Theft in Florida, First Interim Report of the 
Sixteenth statewide Grand Jury, SC 01-1095 (Fla. Jan. 2002), available 
at http://myfloridalegal.com/pages.nsf/
4492d797dc0bd92f85256cb80055fb97/758eb848bc624a0385256cca0059f9dd!OpenDo
cument.
---------------------------------------------------------------------------
    The body found that personal information was being collected by 
government entities and disseminated in public records. It recommended 
that State law be amended to require consent of the citizen, a court 
order, or a compelling need before identifying information of citizens 
was included in the public record. It also found that the ``public and 
private sectors routinely use and rely on the consumer's Social 
Security number for use as an identifier and an account number.'' The 
body recommended that the State legislature ``prohibit the use of 
Social Security numbers for independently generated identifiers to 
track customers, patients, policies, and so forth., unless required by 
law.''\4\
---------------------------------------------------------------------------
    \4\ Id.
---------------------------------------------------------------------------
    Finally, we note that Mr. Cate's previous testimony supports limits 
on government collection of personal information.\5\ In testimony to 
the House Energy and Commerce Subcommittee on Consumer Protection, Mr. 
Cate wrote:
---------------------------------------------------------------------------
    \5\ Hearing on Privacy in the Commercial World, Committee on Energy 
and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection, 
U.S. House of Representatives, Washington, D.C., Mar. 1, 2001 
(statement of Fred Cate), at http://www.law.indiana.edu/directory/
publications/fcate/cate010301.pdf.
---------------------------------------------------------------------------
    The government plays many critical roles in helping to protect 
individual privacy. One of the most important responsibilities of the 
government is assuring that its own house is in order. Only the 
government has the power to compel disclosure of personal information 
and only the government operates free from market competition and 
consumer preferences. As a result, the government has special 
obligations to ensure that it complies with the laws applicable to it; 
collects no more information than necessary from and about its 
citizens; employs consistent, prominent information policies through 
public agencies; and protects against unauthorized access to citizens' 
personal information by government employees and contractors. 
Similarly, there are many steps that only the government can take to 
protect citizens against privacy-related harms, such as identity theft: 
Make government-issued forms for identification harder to obtain; make 
the promise of centralized reporting of identity thefts a reality; make 
it easier to correct judicial and criminal records and to remove 
permanently from one individual's record references to acts committed 
by an identity thief. The government alone has this power.
    We agree that a large part of protecting privacy in the context of 
SSNs involves the government reducing the collection and disclosure of 
personal information. H.R. 2971 has many provisions that would promote 
these goals.
    Question: Some of the witnesses at the hearing asked for specific 
statutory exemptions from the restrictions contained in sections 101 
and 107 of H.R. 2971, rather than relying on the Attorney General's 
regulatory authority provided in section 102. In your view, is the 
authority provided in the bill to the Attorney General sufficient to 
address these concerns? 
    Answer: The authority provided to the Attorney General is 
sufficient, provided that the asked-for exceptions satisfy the 
statutory standard requiring a compelling interest that cannot be 
served through the employment of alternative measures. We think that 
this standard has enough flexibility to address legitimate needs for 
the SSN while avoiding the codification of exceptions. If exceptions 
are codified, it is unlikely that qualifying industries will ever 
transition to alternative identifiers. We therefore suggest that all 
exceptions sunset after a given number of years to encourage a 
transition to alternative identifiers.
    Question: This Subcommittee has heard from a number of victims of 
identity theft. A common, and frustrating, theme is that after 
individuals discover the theft and report it to credit bureaus and 
financial institutions, they continue to be victimized by identity 
theft. How can this continue to occur, given the anti-fraud programs 
the industry cites? In your judgment, is the private sector doing 
enough to combat identity theft and assist its victims? Are there more 
effective ways to assist victims of identity theft to correct their 
credit histories?
    Answer: We think that creditors, in order to obtain new accounts 
and compete vigorously, are employing lax identification and 
authentication procedures that make identity theft easy to commit.\6\ 
In a typical scenario, an impostor will gather personal information of 
the victim and apply repeatedly for credit until they get a ``hit.'' 
Impostors can rely upon a creditor's alacrity to open new accounts in 
victims' names.
---------------------------------------------------------------------------
    \6\ See e.g., Jeff Sovern, The Jewel Of Their Souls: Preventing 
Identity Theft Through Loss Allocation Rules, 24 U. Pitt. L. Rev. 343, 
358 (Winter 2003) (arguing that ``[g]reater vigilance on the part of 
the merchants involved would have prevented many identity frauds'').
---------------------------------------------------------------------------
    In passing the Fair Credit Reporting Act in 1970, one of Congress' 
prime goals was to place fairness and privacy duties on credit 
reporting agencies (CRAs). This was necessary because competition did 
not produce competent or even decent credit reporting activities.\7\ 
CRAs were not subject to adequate market pressure to ensure accuracy 
and fairness because the customers of CRAs are creditors, not 
individual members of the public. Congress thus created duties on the 
CRAs, users of credit reports, and furnishers of personal information. 
Those duties are now inadequate. For instance, under the FCRA, credit 
reporting agencies only are required to ``maintain reasonable 
procedures designed'' to prevent unauthorized release of consumer 
information.\8\ In practice, this means that credit reporting agencies 
must take some action to ensure that individuals with access to credit 
information use it only for permissible purposes enumerated in the Act. 
The FTC Commentary on the FCRA specifies that this standard can be met 
in some circumstances with a blanket certification from credit issuers 
that they will use reports legally.\9\
---------------------------------------------------------------------------
    \7\ Robert Ellis Smith, Ben Franklin's Web Site, Privacy and 
Curiosity from Plymouth Rock to the Internet (Privacy Journal, 2000).
    \8\ 15 U.S.C.  1681e(a).
    \9\ The FTC is statutorily barred from promulgating regulations on 
the FCRA. 15 U.S.C.  1681s(a)(4). The agency issues a non-binding 
commentary on the Act. Credit, Trade Practices, 16 CFR  600, 607 
(1995).
---------------------------------------------------------------------------
    This certification standard is too weak. It allows a vast network 
of companies to gain access to credit reports with little oversight. It 
treats credit issuers and other users of credit reports as trusted 
insiders, and their use of credit reports and ultimate extension of 
credit as legitimate.
    Even where fraud is suspected, creditors only have minimal 
authentication duties. Once the individual does suspect wrongdoing and 
triggers an alert, new protections in the Fair and Accurate Credit 
Transactions Act (FACTA) require that creditors use ``reasonable 
policies and procedures to form a reasonable belief that the user 
[creditor] knows the identity of the person making the request.''\10\ 
It is somewhat troubling that a tradeline can be extended without at 
least ``reasonable policies and procedures'' to verify the credit 
applicant's identity. It seems only reasonable that such protections be 
in place by default, rather than when fraud is actually expected.
---------------------------------------------------------------------------
    \10\ Pub. L. No. 108-159  112 (h)(1)(b)(i). FACTA amended the Fair 
Credit Reporting Act, 15 U.S.C.  1681.
---------------------------------------------------------------------------
    We think that more accountability could be encouraged in this area 
if creditors were held liable to victims for extending credit to 
impostors. However, courts have been reluctant to recognize a right of 
action for negligent extension of credit. Most recently, the South 
Carolina Supreme Court rejected the tort of ``negligent enablement of 
imposter fraud.''\11\ In that case, the plaintiff identity theft victim 
alleged that banks owe a duty to identity theft victims when they 
negligently extend credit in their name. The defendants argued that no 
such duty existed because the victim was not actually a customer of the 
bank. Focusing on the requirement that an actual relationship exist 
between victim and tortfeasor before a legal duty arises, the court 
rejected the proposed cause of action:
---------------------------------------------------------------------------
    \11\ Huggins v. Citibank, 585 S.E.2d 275 (S.C. 2003).
---------------------------------------------------------------------------
    ``We are greatly concerned about the rampant growth of identity 
theft and financial fraud in this country. Moreover, we are certain 
that some identity theft could be prevented if credit card issuers 
carefully scrutinized credit card applications. Nevertheless, we--
decline to recognize a legal duty of care between credit card issuers 
and those individuals whose identities may be stolen. The relationship, 
if any, between credit card issuers and potential victims of identity 
theft is far too attenuated to rise to the level of a duty between 
them.\12\
---------------------------------------------------------------------------
    \12\ Id. at 334.
---------------------------------------------------------------------------
    Congress could assist victims greatly by creating an enforceable 
duty so that creditors were more responsible with victims' credit.
    Question: We have heard a recommendation that Congress consider 
creating a nationwide system of cross-verification of SSNs among public 
agencies and private businesses. What is your view of this 
recommendation? Are there other ways to increase the security and 
integrity of the SSN that would not unnecessarily compromise privacy?
    Answer: In passing the Privacy Act 1974, Congress was specifically 
reacting to and rejecting calls for the creation of a similar idea, a 
one-stop ``federal data center'' for personal information. A 1977 
report issued as a result of the Privacy Act highlighted the dangers 
and transfers of power from individuals to the government that occur 
with centralization of personal information:
    In a larger context, Americans must also be concerned about the 
long-term effect recordkeeping practices can have not only on 
relationships between individuals and organizations, but also on the 
balance of power between government and the rest of society. 
Accumulations of information about individuals tend to enhance 
authority by making it easier for authority to reach individuals 
directly. Thus, growth in society's recordkeeping capability poses the 
risk that existing power balances will be upset.\13\
---------------------------------------------------------------------------
    \13\ Privacy Prot. Study Comm'n, Personal Privacy in an Information 
Society: The Report of the Privacy Protection Study Commission (1977), 
available at http://www.epic.org/privacy/ppsc1977report/c1.htm.
---------------------------------------------------------------------------
    Creation of a nationwide system of SSN verification across public 
agencies and private businesses will upset balances of power described 
in the 1977 report and reduce individuals' autonomy from both 
government and commercial entities.
    Promoting the use of the SSN also hardens the number as a de facto 
national identifier. The creation of a national ID runs counter to 
public sentiment and recent congressional action.\14\
---------------------------------------------------------------------------
    \14\ For instance, the Department of Homeland Security is expressly 
prohibited from developing National ID systems. 6 USCS  554 (2004).
---------------------------------------------------------------------------
    This concern is not new; it was voiced at the creation of the SSN 
and has since been raised repeatedly. The SSN was created in 1936 for 
the sole purpose of accurately recording individual worker's 
contributions to the Social Security fund. The public and legislators 
were immediately suspicious and distrustful of this tracking system 
fearing that the SSN would quickly become a system containing vast 
amounts of personal information, such as race, religion and family 
history, that could be used by the government to track down and control 
the action of citizens. Public concern over the potential for abuse 
inherent in the SSN tracking system was so high, that in an effort to 
dispel public concern the first regulation issued by the Social 
Security Board declared that the SSN was for the exclusive use of the 
Social Security system.
    The use of the SSN as the means of tracking every encounter between 
an individual and the government will expand the treasure trove of 
information accessible to the unscrupulous individual who has gotten 
hold of another's SSN. The use of the SSN as the mandatory national 
identifier will facilitate linkage between various systems of 
governmental and private sector records further eroding individual 
privacy and heightening surveillance of each American's life.
    There are ways to strengthen integrity of the SSN without 
implicating privacy. For instance, the format of the SSN could be 
changed to include a ``checksum,'' a formula that allows one to 
immediately verify whether the number has a proper form. Credit card 
numbers already are issued in this fashion so that they cannot be 
guessed or faked easily.
    Question: A witness representing the National Council of 
Investigation and Security Services requested the deletion of section 
108 of H.R. 2971, citing the usefulness of credit headers in locating 
witnesses, criminal suspects, estate beneficiaries, and others. Do you 
share this view? Are there other sources of information that could be 
used to locate such persons if section 108 of H.R. 2971 were enacted 
into law? 
    Answer: Under H.R. 2971, credit headers could still be accessed by 
private investigators where they have a ``permissible purpose'' under 
the FCRA. The FCRA would allow access where the private investigator 
had a court order, where it is used for employment purposes, or where 
it is used for collection of an account. In the contexts listed above, 
it seems that a court order would be readily obtainable, thus 
satisfying the FCRA requirement, as location of witnesses, criminal 
suspects, and estate beneficiaries are all activities likely to occur 
within the context of a court action. As a fairness measure, the law 
would require the CRA to note on the credit report that the information 
had been accessed by the private investigator. We think that this is an 
appropriate standard for access to credit headers, which contain all 
the personal identifiers necessary for the commission of fraud or 
harassment.
    Investigators did exist before the credit header system was 
created. They are resourceful and can call upon different resources to 
obtain personal information. The current system, where a network of 
private investigators can obtain credit headers on any person, is 
unfair and privacy invasive. Individuals do not even receive notice 
that their personal information has been obtained under the current 
framework. Furthermore, in some states, private investigators are not 
even licensed to practice. In others, licensure is merely a pro forma 
activity. Serious accountability concerns are present, most notably 
exemplified by the Amy Boyer case, where private investigators used 
credit headers and pretexting to locate a young woman for a stalker who 
killed her.\15\
---------------------------------------------------------------------------
    \15\ Electronic Privacy Information Center, Amy Boyer, available at 
http://www.epic.org/privacy/boyer/.
---------------------------------------------------------------------------
    We also suspect that the private investigators may be putting on 
``their best face'' for maintaining access to credit headers. No one 
wants to impede the function of a private investigator when they are 
finding individuals in order to give them inheritance from an estate. 
We question what percentage of credit header access is performed for 
this function.
    If Congress chooses to maintain access, it should limit the 
purposes for which investigators can obtain credit headers. When access 
is obtained, a notation should be entered onto the credit report so 
that the individual can find out who has been purchasing access to 
their personal information.
    Question: One witness at the hearing testified that an FTC study on 
identity theft indicated that the SSN does not play a major role in 
identity theft. Do you agree with this interpretation of the study? 
    Answer: We strongly disagree with the proposition advanced by Mr. 
Cate in oral and written testimony on June 15, 2004 that the Social 
Security Number (SSN) does not play a major role in identity theft. 
Common sense, the experience of identity theft clearinghouses, identity 
theft litigation, and the academic literature support the proposition 
that the SSN plays a primary role in identity theft. It is almost 
impossible to obtain credit without a SSN, making possession of the 
identifier a necessary condition for commission of identity theft. 
Under Federal law, states must collect SSNs in order to issue driver's 
licenses; therefore the identifier is always involved in cases where an 
impostor seeks credentials in a victim's name. Mr. Cate may be correct 
that the SSN is not a major factor in credit card fraud, but that form 
of identity theft is less serious from the victim's perspective, and 
legislative effort to prevent the crime should focus on impostors who 
obtain new accounts or credentials in the victim's name.
    This common-sense problem of SSN being linked to fraud was 
identified by a Florida statewide grand jury devoted to exploring 
problems of identity theft: One of the most valuable pieces of 
information that an identity thief is searching for is the Social 
Security number, because the American financial industry has placed 
great reliance on it as the primary means of identifying individuals. 
Universities identify students with it. Providers of medical care and 
insurance coverage use it to identify their patients and clients.\16\
---------------------------------------------------------------------------
    \16\ Identity Theft in Florida, Second Interim Report of the 
Sixteenth statewide Grand Jury, SC 01-1095 (Fla. Nov. 2002), available 
at http://myfloridalegal.com/pages.nsf/
4492d797dc0bd92f85256cb80055fb97/f6995a8304fb723685256cca0059975f!OpenDo
cument.
---------------------------------------------------------------------------
    The Florida grand jury made strong recommendations for limiting 
disclosure and use of the SSN in order to address identity theft . . . 
the sale of Social Security numbers must be stopped. The Federal 
proposals must be adopted and Florida must continue its efforts to 
enforce the recently enacted laws that make social security numbers 
confidential within public records and prohibit its release. Florida 
must also continue to minimize the requests for Social Security numbers 
to be included on documents that will become public record, where the 
number is of little relevance to the government function.\17\
---------------------------------------------------------------------------
    \17\ Id.
---------------------------------------------------------------------------
    The experience of the major identity theft clearinghouses point to 
the central role that the SSN plays in fraud. A visit to the Web site 
of the Privacy Rights Clearinghouse, a leading provider of direct 
assistance to identity theft victims, reveals a number of cases where 
SSNs were the key to fraud: It's just a number, a nine-digit sequence 
issued by the U.S. Government. Every American must have one. It becomes 
your identity for life.
    But most Americans take it for granted. I did--until my Social 
Security number, along with other personal information, fell into the 
wrong hands a couple of years ago. Since then, my number--my identity--
has been hijacked several times for use in stealing thousands of 
dollars in goods and cash. Each time, I'm left to sort out the mess--
Recently, I saw an entry blank for a drawing for a house. I stopped to 
look it over, but the instant I saw that the entry required disclosure 
of Social Security number, I threw it away. That number has become too 
precious.\18\
---------------------------------------------------------------------------
    \18\ Kerry Hill, It All Starts with the SSN: Your Social Security 
Number Provides Avenue for Thieves, Wisconsin State Journal, Sept. 13, 
1998, at 1B, available at http://privacyrights.org/cases/victim13.htm 
(accessed June 29, 2004).
---------------------------------------------------------------------------
    Individuals who serve in the military are at particular risk of 
identity theft, in part because of the government's use of the SSN as 
an identifier: I have been an identity theft victim for 1 year and I've 
yet to find an agency or organization that has brought any relief or 
words of comfort that can make this nightmare seem like it will have an 
end. I retired from the U.S. Army in 1999 after 20 years. July of 2001, 
Jerry Wayne Phillips, was able to get a military ID from Ft. Bragg, NC 
with my name and SSN. From there, you probably know the rest of the 
story. With that ID and my good credit history, he was able to buy 
cars, motorcycles, open credit card accounts, checking accounts, and 
get credit at virtually every department store that offers credit. I 
never came in contact with him, I didn't lose a credit card, and I 
wasn't careless with my Social Security number. The accounts he opened 
had no relationship to any of my accounts.\19\
---------------------------------------------------------------------------
    \19\ The Military ID Was too Easy to Get: System Failures Aided the 
Thief, at http://privacyrights.org/cases/victim22.htm (accessed June 
29, 2004).
---------------------------------------------------------------------------
    Another victim testified:
    How can this be possible? How can someone else actually open 
accounts or borrow money in your name? Well, it's quite easy, as we 
belatedly found out. All that person needs to do this is a close 
approximation of your first and last name and your SOCIAL SECURITY 
number. Spelling or accuracy doesn't matter. Nothing else about you is 
relevant. Different addresses various spouse names, birthday, any 
random place of employment, and spelling of this information is 
irrelevant. Age or any other personal information doesn't matter. All 
that is required is a first and last name that almost matches a Social 
Security number. The credit agencies readily verify an application if 
the Social Security number presented shows a good credit payment 
record. It doesn't matter if a different address, birthday, spouse's 
name or any variation to their recorded data is submitted with the 
application for their verification. The false data submitted by their 
customer now becomes your information. Again every transaction that 
involves your credit records is based on only one major piece of 
identification, your social security number.\20\
---------------------------------------------------------------------------
    \20\ Legislative Testimony of John and Jane Doe, available at 
http://privacyrights.org/cases/victim5.htm (accessed June 29, 2004)
---------------------------------------------------------------------------
    The Identity Theft Resource Center explains in a publication on the 
crime that: It is also clear that in the majority of identity theft 
situations victims were not responsible for the loss. Most of these 
situations started because a business or governmental entity allowed 
the thief access either directly or indirectly to personal identifying 
information. This includes databases, cards carried in wallets that 
included one's SSN or via items mailed to victims with account or SSN 
information (allowing access through mail theft, dumpster diving or 
theft), or unsafe information gathering or handling practices. The 
reality is there are only two things that a victim can do to directly 
facilitate identity theft: carry a Social Security card in one's wallet 
or fall victim to a telephone or Internet scam. In all other situations 
direct links to a business entity can be drawn.\21\
---------------------------------------------------------------------------
    \21\ Identity Theft Resource Center, Identity Theft: The Aftermath 
2003, at http://www.idtheftcenter.org/idaftermath.pdf
---------------------------------------------------------------------------
    Identity theft litigation also shows that the SSN is central to 
committing fraud. In our written testimony, we detailed several 
identity theft lawsuits where it is clear that the SSN was the key to 
the impostor's success in the commission of identity theft.\22\ In 
fact, the SSN plays such a central role in identification that there 
are numerous cases where impostors were able to obtain credit with 
their own name but a victim's SSN, and as a result, only the victim's 
credit was affected.\23\ Last month, the Salt Lake Tribune reported: 
``Making purchases on credit using your own name and someone else's 
Social Security number may sound difficult--even impossible--given the 
level of sophistication of the nation's financial services industry--
But investigators say it is happening with alarming frequency because 
businesses granting credit do little to ensure names and Social 
Security numbers match and credit bureaus allow perpetrators to 
establish credit files using other people's Social Security 
numbers.''\24\ The same article reports that Ron Ingleby, resident 
agent in charge of Utah, Montana and Wyoming for the SSA's Office of 
Inspector General, as stating that SSN-only fraud makes up the majority 
of cases of identity theft.\25\
---------------------------------------------------------------------------
    \22\ See e.g. Nelski v. Pelland, 2004 U.S. App. LEXIS 663 (6th Cir. 
2004) (phone company issued credit to impostor using victim's name but 
slightly different Social Security Number); United States v. Peyton, 
353 F.3d 1080 (9th Cir. 2003) (impostors obtained six American Express 
cards using correct name and Social Security Number but directed all 
six to be sent to the impostors' home); Aylward v. Fleet Bank, 122 F.3d 
616 (8th Cir. 1997) (bank issued two credit cards based on matching 
name and Social Security Number but incorrect address); Vazquez-Garcia 
v. Trans Union De P.R., Inc., 222 F. Supp. 2d 150 (D.P.R. 2002) 
(impostor successfully obtained credit with matching Social Security 
Number but incorrect date of birth and address); Dimezza v. First USA 
Bank, Inc., 103 F. Supp. 2d 1296 (D.N.M. 2000) (impostor obtained 
credit with Social Security Number match but incorrect address).
    \23\ See e.g. TRW Inc. v. Andrews 534 U.S. 19 (2001) (patient's 
data was stolen by receptionist who successfully applied for credit 
with a matching SSN but different addresses in a different state, a 
different first name, and different date of birth).
    \24\ Lesley Mitchell, New wrinkle in ID theft; Thieves pair your SS 
number with their name, buy with credit, never get caught; Social 
Security numbers a new tool for thieves, The Salt Lake Tribune, June 6, 
2004, at E1.
    \25\ Id.
---------------------------------------------------------------------------
    Because creditors will open new accounts based only on a SSN match, 
California has passed legislation requiring certain credit grantors to 
comply with heightened authentication procedures. California Civil Code 
 1785.14 requires credit grantors to actually match identifying 
information on the credit application to the report held at the CRA. 
Credit cannot be granted unless three identifiers from the application 
match those on file at the credit bureau.
    We are aware of no academic literature that supports Mr. Cate's 
position. Instead, even a cursory review of the identity theft academic 
literature reveals that the SSN is understood as a principal tool for 
fraud.\26\ In a recently published article, R. Bradley McMahon explains 
the key role that the SSN plays in identity theft:
---------------------------------------------------------------------------
    \26\ See e.g. Harry A. Valetk, Mastering the Dark Arts of 
Cyberspace: A Quest for Sound Internet Safety Policies, 2004 Stan. 
Tech. L. Rev. 2 (2004) (describing problems caused by the `` Nine-Digit 
Key to Identity Theft''); Peter C. Alexander, Identity Theft and 
Bankruptcy Expungement, 77 Am. Bankr. L.J. 409 (Fall 2003);Lynn M. 
LoPucki, Did Privacy Cause Identity Theft?, 54 Hastings L.J. 1277 
(April 2003) (noting that of the identifiers on a credit application, 
`` most important will be Consumer's Social Security number''); 
Christopher P. Couch, Forcing the Choice Between Commerce and 
Consumers: Application of the FCRA to Identity Theft, 52 Ala. L. Rev. 
583 (Winter 2002); Erin M. Shoudt, Identity Theft: Victims ``Cry Out'' 
For Reform, 52 Am. U.L. Rev. 339 (October 2002); Jerilyn Stanley, 
Crimes Identify Theft: Supporting Victims in Recovering From the Crime 
of the Information Age, 32 McGeorge L. Rev. 566 (Winter 2001); 
Stephanie Byers, The Internet: Privacy Lost, Identities Stolen, 40 
Brandeis L.J. 141 (Fall 2001); Kurt M. Saunders and Bruce Zucker, 
Counteracting Identity Fraud In The Information Age: The Identity Theft 
And Assumption Deterrence Act, 8 Cornell J. L. & Pub. Pol'y 661 (Spring 
1999); Kristen S. Provenza, Identity Theft: Prevention and Liabilityty, 
3 N.C. Banking Inst. 319 (April 1999).
---------------------------------------------------------------------------
    The easiest and most common way for a thief to steal someone's 
identity is by acquiring that person's Social Security number and other 
private information. Social Security numbers are attractive to identity 
thieves because the numbers are abundant and provide access to a 
victim's private information. Social Security numbers commonly are used 
as a national identifier for everything from car rentals to credit card 
applications. Often a thief needs only a name and a Social Security 
number to open up a credit card account or to access an existing 
account.
    A recent study reported that identity theft occurs mainly because 
information was either stolen or released from a company that compiles 
personal information. Over one thousand companies compile comprehensive 
databases of personal information and transfer this information every 5 
seconds. Two of the largest compilers of personal data are the health 
care and the financial industries. Often, thieves look to these two 
sources for obtaining personal information. The liberal sharing 
policies of companies allow personal information to flow far beyond 
primary compilers. Once a person's information is released to one of 
these central sources, the dissemination of the personal information is 
completely out of the person's control. The extent to which this 
information proliferates into third party networks is not known. The 
information shared by corporate America is one of the principal sources 
for identity theft.\27\
---------------------------------------------------------------------------
    \27\ R. Bradley McMahon, Note: After Billions Spent to Comply With 
HIPAA and GLBA Privacy Provisions, Why is Identity Theft the Most 
Prevalent Crime in America?, 49 Vill. L. Rev. 625, 627 (2004).
---------------------------------------------------------------------------
    Professor Daniel Solove of the George Washington Law School 
similarly argues that: SSNs are a key piece of information for identity 
theft. SSNs can unlock a wealth of other information held by the 
government and the private sector--SSNs are used as passwords to obtain 
access to a host of personal records from banks, investment companies, 
schools, hospitals, doctors, and so on. The SSN is a powerful number, 
for with it a person can open and close accounts, change addresses, 
obtain loans, access personal information, make financial transactions, 
and more----
    In short, the SSN functions as a magic key that can unlock vast 
stores of records as well as financial accounts. The SSN is the 
identity thief's best tool.\28\
---------------------------------------------------------------------------
    \28\ Daniel J. Solove, Identity Theft, Privacy, and the 
Architecture of Vulnerability, 54 Hastings L.J. 1227, 1252 (2003)
---------------------------------------------------------------------------
    The link between SSNs and identity theft is so well established 
that most academics include reference to the identifier when describing 
the crime:
    The cases described earlier in this article merely hint at the 
range of actions that may constitute bankruptcy-related identity theft. 
Forms of bankruptcy-related identity theft include, without 
limitation:n:
    Filing for bankruptcy using the name and/or SSN of another known 
person, such as a parent, sibling, child or other relative; a spouse, 
ex-spouse, ``significant other'' or ex-significant other; a current or 
former business partner, co-employee, cosigner on a debt, friend, 
neighbor or fellow student; or even a deceased person.
    Incurring debt under a false name and/or SSN and then filing for 
bankruptcy, using that name and/or number to discharge the debt. 
Sometimes this debt is owed to the government via a farm loan, small 
business loan, student loan or similar obligation.
    Transferring property into the name of a relative or friend, then 
filing for bankruptcy using that person's name and/or SSN to avoid 
foreclosure. Typically the transferee agrees to the transfer ``to help 
out,'' but does not understand the legal ramifications.
    Filing for bankruptcy using a false name and/or SSN that was 
apparently randomly chosen, because it does not belong to a person 
known to the perpetrator----
    Using a false SSN when identifying oneself as a bankruptcy petition 
preparer.\29\
---------------------------------------------------------------------------
    \29\ Jane E. Limprecht, Fresh Start or False Start? Dealing with 
Identity Theft in Bankruptcy Cases, American Bankruptcy Institute 
Journal, December 200, 2000 ABI JNL LEXIS 192.
---------------------------------------------------------------------------
    Finally, we take issue with Mr. Cate's characterization of the 
Identity Theft Survey Report that appears on page 6 of his testimony. 
On that page, Mr. Cate suggests that 76 percent of identity theft cases 
involved family members, friends, or financial institutions, and did 
not involve third party data. This is not a careful analysis of FTC's 
findings. Mr. Cate's 76 percent figure is not based on all identity 
theft victims. Instead, it is based on the minority of identity theft 
victims who knew the actual identity of the impostor (``in 26% of all 
cases, the victim knew who had misused their personal 
information'').\30\ The correct figure certainly is not 76 percent, as 
Mr. Cate suggests. Rather, the FTC very clearly wrote that:
---------------------------------------------------------------------------
    \30\ Federal Trade Commission, Identity Theft Survey Report 28, 
Sept. 2003, available at http://www.ftc.gov/os/2003/09/
synovatereport.pdf.
---------------------------------------------------------------------------
    ``35% of the 26% of victims who knew the identity (or, in other 
words, 9% of all victims) said a family member or relative was the 
person responsible for misusing their personal information--23% of the 
26% of all victims who knew the identity of the thief (or 6% of all 
victims) said the person responsible was someone who worked at a 
company or financial institution that had access to the victim's 
personal information--Of the 26% who knew the identity of the person 
who took their information, 18% said the thief was a friend, neighbor, 
or in-home employee, while 16% said the thief was a complete stranger, 
but the victim later became aware of the thief's identity. (These 
figures represent 5% and 4% of all victims respectively.)\31\
---------------------------------------------------------------------------
    \31\ Id. at 28-29.
---------------------------------------------------------------------------
    Mr. Cate would be correct in stating that in 25 percent of cases, 
the victim knew the impostor. However, that does not lead to the 
conclusion that H.R. 2971 or restrictions on third-party SSN sale is 
unjustified. H.R. 2971 could still reduce identity theft in cases where 
a friend, family member, company, or financial institution has access 
to SSNs. Instead of dumpster diving or stealing SSNs from computers, 
these impostors rely upon the appearance of the SSN in their 
acquaintances' mail or other personal belongings. For instance, in the 
college context, identity theft is facilitated by institutions that 
print the SSN directly on the student identity card. Accordingly, a 
roommate can very easily copy or take the victim's student identity 
card and then have the identifiers necessary to commit identity theft. 
Contrary to Mr. Cate's conclusion, H.R. 2971 would address these risks 
of identity theft. As SSNs are removed from checks, ID badges, and 
other materials, individuals will be less likely to be victimized by 
strangers or by their roommates, family members or friends.
    Question: If a private entity--for example, a consumer reporting 
agency, health care organization, or information reseller--has an 
individual's SSN in its possession, and this information is used in an 
identity theft or fraud, should that entity be held strictly liable for 
any harm done? Please comment on the advantages or disadvantages of 
this idea, as well as its feasibility and potential effectiveness in 
combating identity theft.
    Answer: EPIC has argued that collection of the SSN should be 
limited, but where it is allowed, it should be subject to a full set of 
``Fair Information Practices,'' rights and responsibilities in data 
that ensure accuracy, access, and accountability. As part of the 
accountability responsibility, a strict liability standard would 
encourage companies to avoid unsafe practices. In particular, when a 
safer alternative activity exists, strict liability encourages use of 
the safer alternative while negligence offers no such additional 
incentive.
    Social Security number usage is a good fit for this standard. There 
are clear and equally effective alternatives to SSN use (alternative 
identifiers, avoiding SSN use altogether if unnecessary, and so 
forth.), and there is a far greater interest in avoiding identity theft 
altogether rather than simply preventing any identity theft that is not 
cost-effective to prevent in the first place, which negligence 
provides.
    Also, given the relatively small number of SSN aggregators, it is 
likely to be more efficient and less expensive to provide insurance 
against identity theft for such aggregators, rather than for individual 
potential victims who are likely to be less able to gauge their 
relative risk. The main disadvantage to a strict liability standard is 
that it may impose damages for losses that are unforeseeable or that 
would be too costly to prevent. Additionally, liable entities may draw 
attention to particular cases where significant damages are imposed in 
the absence of obvious fault.
    By encouraging companies to avoid using SSNs at all, rather than 
simply providing certain protections for unnecessary SSN use, a strict 
liability standard would be more effective at combating identity theft 
by decreasing the availability of and dependence on SSNs.
    We also suggest that Congress consider as an accountability measure 
a ``security breach notification'' law. California enacted such a law 
that took effect in July 2003. It requires all entities to notify 
individuals when their unencrypted SSNs are acquired by an unauthorized 
person.\32\ Under current law, a company could suffer a severe security 
breach and not notify any individual affected (except Californians). We 
think that a notice requirement is a fair condition for continued use 
of the SSN.
---------------------------------------------------------------------------
    \32\ California Senate Bill 1386, available at http://
info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/
sb_1386_bill_20020926_chaptered.html.
---------------------------------------------------------------------------

  Questions from Chairman E. Clay Shaw, Jr. to Mr. Brian P. McGuinness

    Question: How many states do not have a specific licensing 
requirement for private investigators? For those states that do have 
licensing requirements, how uniform are those requirements? Describe 
the oversight performed of licensed investigators' activities? What 
would prevent an investigator from becoming licensed, or having a 
license renewed?
    Answer: There are currently seven states that do not require 
licensing of private investigators. In my state of Florida 
investigators are subject to extensive criminal history background 
checks. We are stringently regulated with requirements for records 
retention, insurance, training (if armed) and subject to disciplinary 
action. The Department of Agriculture and Consumer Services takes its 
job seriously. Requirements do vary among the states but include 
background checks. Details about the various requirements may be found 
through the website of the International Association of Security and 
Investigative Regulators at www.iasir.org. As in my state, 
investigators are subject to penalties including the loss or suspension 
of a license. Serious violations of state regulations would prevent an 
investigator from renewing a license. Mandatory background checks 
prevent unqualified applicants from obtaining one. Let me add that 
there are very few instances of private investigators misusing 
identifying data. As proposed, the restrictions on our ability to 
access critical information puts the public at far greater risk than do 
the handful of cases where an investigator may have inappropriately 
used the data.
    Question: You mentioned that information providers audit the users 
of the data to ensure compliance with their contract (i.e., that the 
data is being used only for purposes authorized under the law). Do both 
licensed and unlicensed private investigators have access to credit 
header data? What percent of transactions would you say information 
sellers audit? How many times have you been audited? What checks are 
there in the system to prevent a private investigator (licensed or 
unlicensed), or a member of the staff of a private investigator, from 
accessing credit header information for an unauthorized purpose?
    Answer: We are not aware that the bureaus publish the number or 
extent of their audits. I have never been audited personally, but some 
of our members have and report that TransUnion, for example, has 
conducted stings to verify our members comply with the requirements to 
know their client and verify the purpose for which a report is used.
    Question: You recommended deletion of section 108 of the bill, 
which would authorize the release of SSNs by credit bureaus only under 
the terms required for a full consumer report. That provision in the 
bill is not the jurisdiction of this Committee, but rather the 
Committee on Financial Services. However, we are interested in hearing 
your feedback about the provision. Since the bill's provision only 
restricts release of the SSN, why couldn't other parts of the credit 
header, like name, address, and telephone number still be used to 
locate witnesses? In what percent of cases overall is the SSN needed to 
help differentiate between records? Rather than eliminate the provision 
altogether, is it possible to modify it in a way that balances SSN 
privacy with necessary uses?
    Answer: With regard to jurisdiction, we realize that any changes to 
the FCRA would be done by the Financial Services Committee, however, 
though you are not representing that Committee, Chairman Shaw is the 
author of the bill and we presume would have the authority to make 
recommendations for amendments. Because HR 2971 has been referred to 
multiple committees we expect that the vehicle that will ultimately be 
considered on the floor would in all likelihood be the product of a 
negotiation among these committees and the House Rules Committee. 
Recommendations of the sponsor and the Ways and Means Committee will be 
important.
    Name and address information is not sufficient to assure that an 
individual is the person whom we are attempting to locate. The Social 
Security Number is essential for distinguishing among numerous people 
with the same name. In many instances we are seeking persons who share 
a name with thousands. Even if we had John Smith's birth date it 
wouldn't be sufficient because he would share it with many other John 
Smith's.
    There are two ways requests for credit header information are made:
    One is by submitting a social security number to the credit bureau 
provider. While that appears to be permissible under the current 
structure of section 108, under section 107 (a), it would be unlawful 
for an investigator acting as a Consumer Reporting Agency to submit a 
Social Security number to the provider or anyone. Under the Fair Credit 
Reporting Act, and pursuant to the FTC, investigators conducting 
investigations for a ``permissible purpose'' are considered to be 
Consumer Reporting Agencies. A substantial percentage of investigations 
by our members fall under the purview of the FCRA.
    It should also be pointed out that the credit bureaus only sell 
header information to entities with whom they have contracted and who 
have executed those contracts which contain detailed limitations on the 
way that information may be used. I am unaware that credit headers are 
being sold directly to the general public.c.
    Investigators are also required to indemnify the provider 
unconditionally for any liability incurred or alleged. The contracts 
spell out that the providers will conduct periodic reviews of 
``subscriber activity'' and random audits. Violators are subject to 
termination of the account, legal action and being reported to Federal 
and state regulatory agencies.
    The second way header information is requested is by submitting a 
name and date of birth to the provider. However, under section 107 
(b)(1), the provider would be prevented from providing the Social 
Security number to the investigator thereby preventing a positive 
identification cross check.
    With regard to modifying section 108, that could be done by 
inserting exemptions. However, we feel it should best be eliminated.
    Following are our suggestions for amending section 107:
    In section 107, after (c) strike (A) and insert the following new 
subsection:
     i.  to the extent necessary for law enforcement, including (but 
not limited to) the enforcement of a child support obligation, as 
determined under regulations of the Attorney General of the United 
States issued under section 205(c)(2)(I);
    ii.  if the display, sale, or purchase of the number is for a use 
occurring as a result of an interaction between businesses, 
governments, or business and government (regardless of which entity 
initiates the interaction), including, but not limited to----
    a.  For use in connection with any civil, criminal, administrative, 
or arbitral proceeding in any Federal, State, or local court or agency 
or before any self-regulatory body, including the service of process, 
investigation in anticipation of litigation, and the execution or 
enforcement of judgments and orders, or pursuant to an order of a 
Federal, State, or local court,
    b.  or the prevention of fraud (including fraud in protecting an 
employee's right to employment benefits);
    c.  the facilitation of credit checks or the facilitation of 
background checks of employees, prospective employees, or volunteers;
    d.  the retrieval of other information from other businesses, 
commercial enterprises, government entities, or private nonprofit 
organizations
    Question: You said you believe Congress should spell out all the 
appropriate uses of SSNs in the private sector, rather than allow the 
U.S. Attorney General to provide exceptions through regulations to the 
bill's prohibitions on sale, purchase, and display of SSNs to the 
general public, as H.R. 2971 requires. The activities you listed that 
private investigators provide are laudable. Why do you believe that you 
would not be able to convince the U.S. Attorney General during the 
process of developing and receiving comment on regulations that the SSN 
is needed for these purposes and that the costs do not outweigh the 
benefits?
    Answer: HR 2971 includes several exceptions to the restrictions on 
the use of SSNs in section 107. These include exceptions for law 
enforcement, child support, national security, public health, 
emergencies, research and where the Attorney General determines 
appropriate. We believe investigations in anticipation of litigation, 
due diligence, insurance claims, civil and criminal fraud, criminal 
defense, identity fraud, stalking and other violations of law are just 
as deserving of exception. Not clearly listing these investigations in 
the statute sends a message to the Department that they are of less 
concern to Congress. Our industry has had recent experience with 
administrative interpretations of statute. Until corrected by statute 
last year, the FTC had interpreted the Fair Credit Reporting Act to 
require the consent of employees suspected of workplace misconduct 
before we could institute an investigation! We want to avoid repeating 
that experience.
    The FTC is statutorily barred from promulgating regulations on the 
FCRA. 15 U.S.C.  1681s(a)(4). The agency issues a non-binding 
commentary on the Act. Credit, Trade Practices, 16 CFR  600, 607 
(1995).

    Questions from Chairman E. Clay Shaw, Jr. to Mr. Mike Buengerer

    Question: What did the guidelines developed by the Conference of 
Chief Justices and Conference of State Court Administrators recommend 
with regard to display of SSNs, particularly on the Internet? What were 
the considerations that went into that recommendation? Didn't the draft 
version of the guidelines recommend excluding all but the last four 
digits of the SSN from display to the general public? Why did the group 
back off that recommendation?
    Answer: With respect to the display of documents containing SSNs on 
the Internet or available electronically, the Guidelines recommended 
that courts consider whether those documents be accessible only on 
computer terminals within a court's facility. This proposal could be 
costly to implement as it would require court staff to examine 
documents to see if the contained SSNs and other sensitive information.
    The preeminent consideration in the development of this 
recommendation was addressing the twin goals of protecting an 
individual's privacy and maintaining public access to the courts, which 
includes access to court documents. Many state constitutions possess 
so-called ``open court'' provisions that have generally been 
interpreted to mean that not only the courthouse doors but also the 
records of the court must be made available to the public. Other 
factors included: costs (both staff time and technology expenses), 
future technological advances, differing resource levels from court to 
court, inconvenience to court customers, and measuring the 
effectiveness of this approach.
    Question: Court systems may sell copies of their records, 
individually or in a batch, to information resellers and others, 
correct? How does this process work? How much revenue is raised by such 
sales? Would information resellers seek to purchase those records as 
frequently or at the same price if they did not contain SSNs?
    The FTC is statutorily barred from promulgating regulations on the 
FCRA. 15 U.S.C.  1681s(a)(4). The agency issues a non-binding 
commentary on the Act. Credit, Trade Practices, 16 CFR  600, 607 
(1995).
    Answer: The interaction between information resellers and state 
courts vary widely from jurisdiction to jurisdiction. Generally, some 
resellers do pay for court records in bulk, especially in larger court 
systems, and these transactions are governed by court rules and 
procedures. In my experience, courts do not generally gain or make a 
``profit'' from the bulk sale of court data. The money generated from 
such transactions pays for staff time, computer equipment usage/
programming costs, paper, and cost of media. This is due in no small 
measure to the provisions of many state open record laws that allow 
state governments (including courts) to make public information 
available at cost but which generally limit the ability of state 
government entities to make information selling a ``profit center.'' 
Most court rules governing these transactions stipulate that courts can 
reject a request from a reseller if that interferes with their ability 
to effectively serve the public. I would be glad to share examples of 
those court rules with the Subcommittee.
    I have checked with the National Center for State Courts, the 
premier research institution dealing with state courts, and they report 
that there has not been a survey or study done on the amount of 
nationwide revenue generated by sales of bulk information to the 
courts.
    I would theorize that information resellers would still purchase 
those records in bulk if they did not contain SSNs. Zip code marketing, 
home mortgage sale information, addresses and phone numbers are some of 
the valuable commodities to resellers that can still be garnered from 
court records.

       Questions from Chairman E. Clay Shaw, Jr. to Mr. Fred Cate

    Question: You stated that SSNs help locate information that can be 
used to verify the identity of a person. Why then is identity theft 
increasing at such a rapid pace despite the fact that creditors and 
others can use SSNs to link to information that helps verify an 
individual's identity and when they have a financial incentive to do 
so?
    Answer:
    1.  As I testified, according to the most recent research conducted 
for the FTC, most identity theft is not committed by strangers, but 
rather by family members, friends, co-workers, and employees of 
organizations with whom the victim has contact. Social Security Numbers 
play a very limited role in these types of identity theft, and so the 
value of Social Security Numbers to help prevent identity theft and 
other frauds is limited.
    In other situations, where a stranger uses a Social Security Number 
as one tool to help open a fraudulent account in a third party's name, 
Social Security Numbers have been very effective in helping to deter 
many incidents of identity theft. They would be even more effective (a) 
if they were more widely used by retailers, credit grantors, and 
others, and (b) if those same parties were more diligent in matching 
the identifying information in the credit file which the Social 
Security Number references to the individual seeking credit. In their 
haste to provide speedy service to a customer, some retailer and credit 
grantor may appear not to be diligently matching address, telephone 
number, and other available information that could be used to better 
verify identity..
    Two caveats are important here. First, the problem of matching 
information is especially great in online and telephone commerce, where 
the applicant and credit grantor are not located in the same place. 
Nevertheless, many Internet and telephone businesses have been very 
successful in requiring extensive matching information and thereby 
holding down fraud. (Consider many airlines, for example, which require 
not only a valid credit card number, but also an address and telephone 
number that match the information in the credit card issuer's file.)
    Question: You have said that ubiquitous SSNs help identify people 
and ensure that information is associated with the correct person. Why 
then have the FTC, the SSA IG, and the Postal Inspection Service 
identified it as a prime tool for terrorists and identity thieves?
    Answer:
    2.  Social Security Numbers are a tool for many identity thieves 
for precisely the same reason that they are valuable to legitimate 
merchants, service providers, and consumers: they help provide a 
necessary link with a payment mechanism (e.g., whether a credit file 
that indicates likely ability to pay or a credit card). We cannot have 
the positive benefits of instant credit, national commerce, and 
Internet and telephone business, without also having the risk that the 
same tools that make that possible will be used for identity theft. 
None of the government authorities to which you refer in your question 
has to my knowledge voiced any contradictory conclusion.
    This is why I believe all of the available research suggests that 
the long-term solution to identity theft is not to restrict the use of 
Social Security Numbers, but to enhance their integrity and 
availability. If retailers and credit grantors were given greater 
incentives to check the file indicated by the Social Security Number 
presented by the customer and then match the information there with 
information presented by the customer, identity theft could be 
significantly reduced.
    However, again, it must be reiterated that such incentives will be 
far less effective if consumers, in turn, are not given incentives to 
protect their Social Security and credit card numbers, avoid disclosing 
PINs and passwords to colleagues and family members, and check their 
account statements regularly for irregularities. It is easy, and 
therefore tempting, to focus only on the business side of the equation, 
but many of the most critical steps to help guard against identity 
thieves are uniquely in the hands of consumers. Moreover, as the FTC's 
recent work in this area demonstrates, the speed with which incidents 
of identity theft are detected is critical to reducing the losses they 
cause, yet a third of all consumers studied by that report never 
informed anyone of the theft, even after they discovered them. This 
suggests that reports of identity theft are exaggerated or that 
consumers wren to doing there part to help protect themselves.
    Question: This Subcommittee has heard from a number of victims of 
identity theft. A common, and frustrating, theme is that after 
individuals discover the theft and report it to credit bureaus and 
financial institutions, they continue to be victimized by identity 
theft. How can this continue to occur, given the anti-fraud programs 
the industry cites? In your judgment, is the private sector doing 
enough to combat identity theft and assist its victims? Are there more 
effective ways to assist victims of identity theft to correct their 
credit histories? Should we require the credit industry to give 
priority status to help victims restore their records and good credit?
    Answer:
    3.  You highlight a critical issue: the difficulty consumers face 
in getting their reputations restored after they have been the victims 
of identify theft. This is the single most consistent refrain from 
virtually all identity theft victims. Interestingly, many victims 
report that their primary frustration is when dealing with the 
government (e.g., getting the police to even take a report of an 
incident of identity theft, clearly up arrest records and traffic 
offenses resulting from an identity theft, finding consistency across 
the jurisdictions in which an identity thief may operate). I would urge 
you to focus on the government first, because there is nothing the 
public can do if the government fails in its duty.
    The most recent research suggests that identity theft victims find 
it easier to deal with businesses, especially national credit bureaus 
and credit card issuers. Through measures adopted voluntarily by 
industry and those required by law, often facilitated by the FTC and 
other federal government agencies, it is getting easier to report 
identity theft and to get errors in financial records caused by 
identity thieves corrected. There is still more to be done. One measure 
that many industry representatives suggest would be useful would be a 
standardized identity theft police report, taken under oath, which 
could be made available electronically to retailers and credit 
grantors. It is important to remember that consumers often mislead 
businesses in an effort to avoid paying the debts that they have in 
fact incurred. Representatives of major credit card companies have long 
testified before Congress that many consumers--according to some 
companies, a majority--who call to object to a charge or other expense 
actually were responsible for it and either forgot it (or forgot 
lending their card to a family member or friend) or were deliberately 
trying to avoid paying it. It is not surprising that businesses might 
have some hesitation in accepting a consumer's word about an incident 
of identity theft in the absence of a police report.
    Finally, I would encourage the Subcommittee staff to be as precise 
as possible when categorizing the complaints of identity theft victims. 
My understanding is that of those consumers who do have complaints with 
businesses--as opposed to the government--most focus on credit 
grantors, not credit bureaus or other aggregators of information.
    Question: If a private entity--for example, a consumer reporting 
agency, health care organization, or information reseller--has an 
individual's SSN in its possession, and this information is used in an 
identity theft or fraud, should that entity be held strictly liable for 
any harm done? Please comment on the advantages or disadvantages of 
this idea, as well as its feasibility and potential effectiveness in 
combating identity theft.
    Answer:
    4.  The concept of liability for misuse of information by a third 
party has been discussed for some time, but so far avoided as a matter 
of law for what, I suspect, are good reasons. First, the proof problems 
are vast. How do we know where an identity thief got the information 
that he used in his crime? Second, causality is not at all clear. As I 
have noted before, the Social Security Number only provides a link to a 
credit or other file. It cannot--by itself--be used to commit identity 
theft.
    Third, and closely related, there are almost always critical 
intervening factors that are far more important than the Social 
Security Number. The merchant who fails to verify information presented 
by the customer with that in the credit file, the business who accepts 
fraudulent identification that the thief obtained from the government, 
the consumer who fails to review his credit card statement--how is the 
law to assign responsibility to the possessor of the Social Security 
Number as opposed to these other parties.
    Fourth, liability creates great risks for consumers--risks that 
merchants will be persuaded to invest in protecting Social Security 
Numbers at the expense of focusing scarce resources on other anti-
identity theft measures, and risks that the additional costs of 
defending against such liability will undercut valuable services, 
interfere with consumer convenience, and contribute to increasing 
prices. Let me be perfectly clear, as a matter of both law and 
economics, I believe that broad-based liability for Social Security 
Number misuse by a third party is wholly unworkable.
    That does not mean that there is no role for increased liability at 
all. When Congress limited consumer liability for credit card fraud to 
$50 (thereby effectively imposing that liability on merchants or card 
issuers, but without creating an invitation for expensive and wasteful 
class actions), it helped drive the greatest expansion of consumer 
credit the world has seen. There may be similar steps that Congress 
should be considering today--modest, targeted, highly focused efforts 
to create incentives for preventing and fighting identity theft. For 
example, Congress could provide that losses from identity theft will 
presumptively be the responsibility of any merchant whose failure to 
follow reasonable procedures to verify the identity of the customers is 
exploited by an identity thief.
    As I have indicated, I believe the Subcommittee should think about 
focusing any new liability not only on businesses, but also on 
individuals, who are often in the best place to prevent and detect 
identity theft. For example, if you legislated a uniform identity theft 
affidavit, subject to a civil or criminal penalty for anyone who 
knowingly lies when completing one, it would then be far more feasible 
to expect retailers and credit grantors to rely on it and to do so 
quickly.
    I would caution against too great of a focus on liability at this 
time, however. Congress has just put new tools into the hands of 
consumers and businesses that may prove very valuable in the fight 
against identity theft. Free credit reports, fraud flags, and other 
measures adopted last year as part of the Fair and Accurate Credit 
Transactions Act hold great promise. While the FTC is implementing 
those and we wait to see their impact, I would encourage you to focus 
on:
    a.  educating consumers about the new tools available to them to 
fight identity theft;
    b.  ensuring that government is doing its part in that fight by 
making incidents of identity theft easy to report, by improving the 
systems by which government records are cleansed of the deeds of 
identity thieves, and by improving the identity verification process 
that the government uses when issuing driver's licenses and other forms 
of identification on which we all rely; and
    c.  continue with those portions of the pending bill that would 
eliminate the wholly inappropriate use of Social Security Numbers (on 
envelopes and checks) and toughen penalties against providers of 
illicit Social Security Numbers and identification documents.
    [Submissions for the record follow:]
                                                      June 16, 2004
The Honorable Clay Shaw
Chairman, House Ways & Means Subcommittee on Social Security
B-316 Rayburn House Office Bldg.
Washington, DC 20515

    Dear Chairman Shaw and Ranking Member Matsui:

    The undersigned organizations applaud your efforts over the past 
several years to craft legislation that will ensure the integrity of 
the social security number (SSN) in the years ahead. We remain 
extremely concerned about the proliferation of identity theft and other 
financial crimes that exploit individual SSNs, and believe strong 
legislation should be enacted to combat such nefarious acts.
    As public and private employee benefit plan sponsors, we provided 
detailed analysis of possible legislative proposals on July 24, 2003, 
to address our concern that such legislation could unintentionally 
hinder the delivery of benefits from, and the efficient administration 
of these plans. In that testimony, we stated that in your bipartisan 
legislation introduced during the 107th Congress, the 
``Social Security Number Privacy and Identity Theft Prevention Act of 
2001,'' (H.R. 2036), the definitions and provisions relating to the 
``sale,'' ``purchase'' or ``display'' of a person's SSN could make it 
more difficult to deliver comprehensive health and retirement benefits 
to public and private employees alike.
    In working with you and your staff over the past year, much of this 
concern has subsided. We appreciate the bill you introduced in the 
108th Congress, H.R. 2971, the ``Social Security Number 
Privacy and Identity Theft Prevention Act of 2003.'' Although the bill 
treats public and private sector entities somewhat differently, it 
specifically recognizes the importance of voluntary employee benefit 
plans. Section 208A(a)(2)(B)(ii) (Section 107(a) of H.R. 2971) ensures 
that the provision of and administration of these plans will not be 
hindered by the legislation.
    As you know, public and private employee benefit plans generally 
use SSNs because they enable the accurate and timely administration of 
benefits for a highly mobile workforce, and because use of the SSN is 
mandated for tax reporting requirements. Plan administrators take 
seriously the responsibility that the use of SSNs requires, and they 
use the utmost caution and security when SSNs are used in plan 
administration and communications.
    Public and private sector defined benefit and defined contribution 
pension and savings plans, like 401(k), 403(b), and 457 plans, use SSNs 
to identify plan participants, account for employee contributions, 
implement the employee's investment directions, track ``rollovers'' 
from other plans, and allow employees to view their account activity or 
benefit accrual online (typically in conjunction with a secure 
``PIN''). We believe that Section 208A(a)(2)(B)(ii) would allow these 
important processes to continue as well.
    Also, SSNs are also used as the primary identifier in many medical 
and health benefit and prescription drug plans to coordinate 
communications between the doctor, the medical service provider, and 
the plan. Again, we believe this section, like the allowable legitimate 
uses of SSNs for national security, law enforcement, public health and 
advancing public knowledge purposes, permits this effective health 
process to continue.
    As further evidence of your intent to protect the employer-employee 
relationship, Section 109 of H.R. 2971 provides for the continued use 
of SSNs when expressly required under Federal law, such as for W-2 
income tax reporting. We applaud this effort as well.
    We look forward to continuing to work with you and the Committee to 
effectively address the problem of identity theft without creating 
unintentional barriers to the provision of public and private pension, 
health and other benefits to employees. To this end, we urge you to 
retain the important provisions described here without change as the 
Committee continues to examine legislative proposals. Please do not 
hesitate to contact us should you require additional information or 
wish to discuss this issue in more detail.
            Sincerely,
                                                          Jim Klein
                                          American Benefits Council
                                                        Brian Graff
                              American Society of Pension Actuaries
                                                           Tony Lee
College and University Professional Association for Human Resources
                                                     Janice Gregory
                                           ERISA Industry Committee
                                                        Bob Shepler
 Financial Executives International's Committee on Benefits Finance
                                            Jeannine Markoe Raymond
            National Association of State Retirement Administrators
                                                       Cindie Moore
                             National Council on Teacher Retirement
                                                      Chris Stephen
                    National Rural Electric Cooperative Association
                                                        Ed Ferrigno
                           Profit Sharing/401(k) Council of America
                                                    Mary Huttlinger
                              Society for Human Resource Management

                                 

                                             First Data Corporation
                                          Englewood, Colorado 80112
                                                      June 14, 2004
The Honorable Clay Shaw
Chairman, Subcommittee on Social Security
1102 Longworth House Office Building
Washington D.C. 20515

    Dear Chairman Shaw,

    On behalf of First Data Corporation, I am submitting this testimony 
for the record. Serving approximately 3.5 million merchant locations, 
1,400 card issuers and millions of consumers, First Data makes it easy, 
fast and secure for people and businesses to buy goods and services, 
using virtually any form of payment: credit, debit, smart card, stored-
value card or check at the point of sale, over the Internet or by money 
transfer. First Data believes that protecting consumers from the misuse 
of Social Security Numbers (SSN) is an important goal. However, it is 
equally important to ensure that restrictions on the use of SSNs do not 
disrupt financial activities that consumers expect to occur or increase 
fraud, identity theft, and other criminal activities. As a leader in 
the financial services industry, we offer the following perspective on 
the positive uses of Social Security Numbers and exemption language 
that we believe should be considered in any legislation restricting the 
use of SSNs.
    POSITIVE USES--While no one should profit from the display, sale or 
purchase of SSNs, restricting the use of the number may have the 
unintended consequence of increasing fraud and identity theft, making 
it harder for consumers to obtain the important services they have come 
to expect and rely upon from financial service companies, or increasing 
both the time and cost of obtaining such services. The following are 
examples of positive Social Security Number uses:

    1.  Authenticating individuals involved in financial accounts and 
transactions_Consumers engage in a wide variety of financial 
transactions and often have numerous financial accounts. Currently, the 
Social Security Number is the most reliable piece of personal 
information used to verify the identity of the consumer. Consumer 
names, addresses, phone numbers and account numbers often change over 
time. Both the date of birth and mother's maiden name are often easily 
accessible from public records. In contrast, a Social Security Number 
remains constant over time and is not, by itself, a public record.
    2.  Fraud and Identity Theft_Using a Social Security Number to 
authenticate a consumer is a valuable tool used by the business 
community to detect fraud and identity theft. Unfortunately, it is this 
same value that makes the Social Security Number such a precious 
commodity to criminals. The goal of any Social Security Number 
legislation should be to limit criminal access to Social Security 
Numbers while preserving its use to stop identity theft.

    PROPOSED EXEMPTIONS--We believe that legislation restricting the 
use of SSNs should include exemptions forthe collection or use of an 
individual's SSN in connection with the following activities:

    a.  To approve, guarantee, process, administer or enforce a 
financial account or transaction involving the individual, including 
authenticating the individual and any information provided by the 
individual in connection with the account or transaction.

    [For example, the SSN is used to ensure that a deceased 
individual's Social Security Number is not used for fraudulent purposes 
and that future communications addressed to the deceased can be 
stopped.]

    b.  To evaluate, detect or reduce risk, fraud, identity theft or 
possible criminal activities.

    [For example, the SSN is used to locate possible victims of such 
criminal activities.]

    c.  To report to or obtain information from a consumer reporting 
agency pursuant to the Federal Fair Credit Reporting Act (15 U.S.C.  
1681 et seq), or where the collection and use of the individual's SSN 
is required by any state or federal law, rule or regulation.

    [For example, the SSN is a critical element for creating accurate 
credit reports which allow consumers efficient access to credit and 
other financial transactions.]
            Sincerely,
                                                         Joe Samuel
                                   Director of Government Relations

                                 

   Statement of Stephen B. Copeland, Professional Investigators and 
                 Security Association, Vienna, Virginia
    Mr. Chairman and Members of the Subcommittee:
    My name is Stephen B. Copeland, and I am President of the 
Professional Investigators and Security Association (PISA). I want to 
thank you for the opportunity to submit testimony on the important 
issue of identity theft and how to effectively combat it. PISA was 
established in 1984 to represent the private investigation and security 
industries of the Commonwealth of Virginia. PISA's membership includes 
hundreds of professionals, many of which would be impacted by H.R. 
2971.
    In Virginia, these industries are regulated and monitored by the 
Private Security Services Section of the Commonwealth's Department of 
Criminal Justice Services. Extensive training, registration, 
certification and licensing requirements, coupled with criminal 
background checks, help ensure a high degree of competence and 
adherence to ethical standards. The Department of Criminal Justice 
Services also conducts investigations and audits of firms, individuals 
and training schools in the private security industry to ensure 
compliance with the requirements of Virginia law and regulations.
    PISA is supportive of federal legislative efforts to prevent 
identity theft and assist victims of this fast-growing crime. Many of 
our members have been on the front lines of the battle against identity 
theft, assisting companies and individual identity theft victims by 
investigating, documenting, and exposing identity theft and fraud. In 
these efforts, Social Security Numbers and credit header data are 
critical investigative tools when used appropriately by law enforcement 
and licensed private investigation and security businesses.
    Private investigation and security professionals use this data for 
a variety of other purposes as well, including child support 
enforcement, locating missing persons and heirs, fraud prevention, and 
employee background investigations.
    Currently, access to Social Security Number and credit header data 
is not limited to credentialed professionals, but is also being made 
available to the general public, especially through the Internet. This 
access creates many opportunities for abuse by potential identity 
thieves. However, as noted recently by the General Accounting Office, 
restricting legitimate use of identified data by businesses could hurt 
consumers and in fact make identity theft easier by making identity 
confirmation and background investigations more difficult.
    To best serve the interests of the public, Congress must balance 
restricting access to Social Security Numbers and credit header data 
with the legitimate needs of law enforcement, businesses, and 
investigation and security professionals. While the objectives of H.R. 
2971 are laudable, sections 107 and 108 would have a serious negative 
impact on the ability to investigate cases of identity theft and 
confirm the accuracy of background information provided by individuals.
    We urge Congress to help prevent and combat identity theft by 
ensuring that any additional limitations on access to Social Security 
Number and credit header data preserve appropriate access by 
credentialed private investigation and security professionals.

                                 
