[House Hearing, 108 Congress] [From the U.S. Government Publishing Office] ENHANCING SOCIAL SECUIRTY NUMBER PRIVACY ======================================================================= HEARING before the SUBCOMMITTEE ON SOCIAL SECURITY of the COMMITTEE ON WAYS AND MEANS U.S. HOUSE OF REPRESENTATIVES ONE HUNDRED EIGHTH CONGRESS SECOND SESSION __________ JUNE 15, 2004 __________ Serial No. 108-59 __________ Printed for the use of the Committee on Ways and Means U.S. GOVERNMENT PRINTING OFFICE 99-677 WASHINGTON : 2005 _________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON WAYS AND MEANS BILL THOMAS, California, Chairman PHILIP M. CRANE, Illinois CHARLES B. RANGEL, New York E. CLAY SHAW, JR., Florida FORTNEY PETE STARK, California NANCY L. JOHNSON, Connecticut ROBERT T. MATSUI, California AMO HOUGHTON, New York SANDER M. LEVIN, Michigan WALLY HERGER, California BENJAMIN L. Cardin, Maryland JIM MCCRERY, Louisiana JIM MCDERMOTT, Washington DAVE CAMP, Michigan GERALD D. KLECZKA, Wisconsin JIM RAMSTAD, Minnesota JOHN LEWIS, Georgia JIM NUSSLE, Iowa RICHARD E. NEAL, Massachusetts SAM JOHNSON, Texas MICHAEL R. MCNULTY, New York JENNIFER DUNN, Washington WILLIAM J. JEFFERSON, Louisiana MAC COLLINS, Georgia JOHN S. TANNER, Tennessee ROB PORTMAN, Ohio XAVIER BECERRA, California PHIL ENGLISH, Pennsylvania LLOYD DOGGETT, Texas J.D. HAYWORTH, Arizona EARL POMEROY, North Dakota JERRY WELLER, Illinois MAX SANDLIN, Texas KENNY C. HULSHOF, Missouri STEPHANIE TUBBS JONES, Ohio SCOTT MCINNIS, Colorado RON LEWIS, Kentucky MARK FOLEY, Florida KEVIN BRADY, Texas PAUL RYAN, Wisconsin ERIC CANTOR, Virginia Allison H. Giles, Chief of Staff Janice Mays, Minority Chief Counsel ______ SUBCOMMITTEE ON SOCIAL SECURITY E. CLAY SHAW, JR., Florida, Chairman SAM JOHNSON, Texas ROBERT T. MATSUI, California MAC COLLINS, Georgia BENJAMIN L. Cardin, Maryland J.D. HAYWORTH, Arizona EARL POMEROY, North Dakota KENNY C. HULSHOF, Missouri XAVIER BECERRA, California RON LEWIS, Kentucky STEPHANIE TUBBS JONES, Ohio KEVIN BRADY, Texas PAUL RYAN, Wisconsin Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Ways and Means are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined. C O N T E N T S __________ Page Advisories of June 8, 2004 and June 14, 2004 announcing the hearing........................................................ 2 WITNESSES Federal Trade Commission, J. Howard Beales, III, Director, Bureau of Consumer Protection......................................... 7 SSA, Patrick P. O'Carroll, Acting Inspector General.............. 15 U.S. General Accounting Office, Barbara D. Bovbjerg, Director, Education, Workforce, and Income Security Issues............... 22 U.S. Postal Inspection Service, Lawrence E. Maxwell, Assistant Chief Inspector, Investigations and Security................... 34 ______ Applied Cybersecurity Research, University of Indiana- Bloomington, Fred H. Cate...................................... 89 Conference of State Court Administrators, Michael L. Buenger..... 83 Electronic Privacy Information Center, Chris Jay Hoofnagle....... 69 Foss, Patricia, Elkton, Maryland................................. 61 National Council of Investigation and Security Services, Brian P. McGuinness..................................................... 77 Privacy/Access Workgroup, Property Records Industry Association, Mark Ladd...................................................... 64 U.S. Public Interest Research Group, Edmund Mierzwinski.......... 95 SUBMISSIONS FOR THE RECORD American Benefits Council, Jim Klein; American Society of Pension Actuaries, Brian Graff; College and University Professional Association for Human Resources, Tony Lee; The ERISA Industry Committee, Janice Gregory; Financial Executives International's Committee on Benefits Finance, Bob Shepler; National Association of State Retirement Administrators, Jeannine Markoe Raymond; National Council on Teacher Retirement, Cindie Moore; National Rural Electric Cooperative Association, Chris Stephen; Profit Sharing/401(k) Council of America, Ed Ferrigno; Society for Human Resource Management, Mary Huttlinger; joint letter... 125 First Data Corp., Englewood, CO, Joe Samuel, letter.............. 127 Professional Investigators and Security Association, Vienna, VA, Stephen B. Copeland, statement................................. 128 ENHANCING SOCIAL SECURITY NUMBER PRIVACY ---------- Tuesday June, 15, 2004 U.S. House of Representatives, Committee on Ways and Means, Subcommittee on Social Security, Washington, DC. The Subcommittee met, pursuant to notice, at 11:00 a.m., in room B-318, Rayburn House Office Building, Hon. E. Clay Shaw, Jr. (Chairman of the Subcommittee) presiding. [The advisory and revised advisory announcing the hearing follow:] ADVISORY FROM THE COMMITTEE ON WAYS AND MEANS SUBCOMMITTEE ON SOCIAL SECURITY CONTACT: (202) 225-9263 FOR IMMEDIATE RELEASE June 08, 2004 Shaw Announces Hearing on Enhancing Social Security Number Privacy Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on Social Security of the Committee on Ways and Means, today announced that the Subcommittee will hold a hearing on enhancing Social Security number (SSN) privacy. The hearing will take place on Tuesday, June 15, 2004, in room B-318 Rayburn House Office Building, beginning at 10:00 a.m. In view of the limited time available to hear witnesses, oral testimony at this hearing will be from invited witnesses only. However, any individual or organization not scheduled for an oral appearance may submit a written statement for consideration by the Subcommittee and for inclusion in the printed record of the hearing. BACKGROUND: Identity theft is one of the fastest growing white-collar crimes, and it wreaks havoc with individuals' lives. Identity theft occurs when someone uses a victim's personal information--SSN, credit card number, or other identifying information--to commit fraud or other crimes. According to a Federal Trade Commission-sponsored survey, almost 10 million people discovered they were victims of identity theft in 2002. On average, victims spent $500 and took 30 hours clearing their names and restoring their credit. In the interim, many may have lost job opportunities, had loans refused, or even gotten arrested for crimes they didn't commit. One reason identity thieves prize SSNs is because they are central to many business transactions. While SSNs were originally created in 1936 to track earnings for Social Security eligibility and benefit purposes, today SSNs are widely used in the public and private sectors as account numbers, to verify identity, and to compile information across databases for use in everything from tracking down criminals to issuing credit. Despite SSNs' integral role in all sorts of transactions, their confidentiality is not well protected. SSNs are often on display to the general public on employee badges, licenses, in court documents, or on the Internet. In order to protect the privacy of SSNs, Subcommittee on Social Security Chairman E. Clay Shaw, Jr. introduced bipartisan legislation, the Social Security Number Privacy and Identity Theft Prevention Act of 2003 (H.R. 2971). The bill would prohibit the sale, purchase, and display to the general public of SSNs in the public and private sectors, with certain exceptions for law enforcement, national security, public health, and other specified circumstances. The legislation also prevents consumer reporting agencies from releasing SSN information other than in a full consumer report, and prevents businesses from denying products or services if an individual refuses to divulge his or her SSN. In addition, the bill would require improvements in the process of issuing SSNs, and would create new criminal and civil penalties for those who misuse SSNs--for example, those who sell another individual's SSN or counterfeit SSNs; or those who violate the bill's prohibitions on sale, purchase, and display to the general public. In announcing the hearing, Chairman Shaw stated: ``We can no longer ignore the role SSNs play in facilitating identity theft. My bill is designed to protect SSN privacy while preserving its vital use in our society and economy, by ensuring SSNs are assigned accurately, exchanged only when necessary, and protected from indiscriminant disclosure.'' FOCUS OF THE HEARING: The Subcommittee will examine how criminals use SSNs to commit identity theft, the impact on victims, and will receive feedback from consumer advocates and representatives from the public and private sector regarding the Social Security Number Privacy and Identity Theft Prevention Act of 2003. DETAILS FOR SUBMISSION OF WRITTEN COMMENTS: Please Note: Any person(s) and/or organization(s) wishing to submit for the hearing record must follow the appropriate link on the hearing page of the Committee website and complete the informational forms. From the Committee homepage, http://waysandmeans.house.gov, select ``108th Congress'' from the menu entitled, ``Hearing Archives'' (http:/ /waysandmeans.house.gov/Hearings.asp?congress=16). Select the hearing for which you would like to submit, and click on the link entitled, ``Click here to provide a submission for the record.'' Once you have followed the online instructions, completing all informational forms and clicking ``submit'' on the final page, an email will be sent to the address which you supply confirming your interest in providing a submission for the record. You MUST REPLY to the email and ATTACH your submission as a Word or WordPerfect document, in compliance with the formatting requirements listed below, by close of business Tuesday, June 22, 2004. Finally, please note that due to the change in House mail policy, the U.S. Capitol Police will refuse sealed-package deliveries to all House Office Buildings. For questions, or if you encounter technical problems, please call (202) 225-1721. FORMATTING REQUIREMENTS: The Committee relies on electronic submissions for printing the official hearing record. As always, submissions will be included in the record according to the discretion of the Committee. The Committee will not alter the content of your submission, but we reserve the right to format it according to our guidelines. Any submission provided to the Committee by a witness, any supplementary materials submitted for the printed record, and any written comments in response to a request for written comments must conform to the guidelines listed below. Any submission or supplementary item not in compliance with these guidelines will not be printed, but will be maintained in the Committee files for review and use by the Committee. 1. All submissions and supplementary materials must be provided in Word or WordPerfect format and MUST NOT exceed a total of 10 pages, including attachments. Witnesses and submitters are advised that the Committee relies on electronic submissions for printing the official hearing record. 2. Copies of whole documents submitted as exhibit material will not be accepted for printing. Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material not meeting these specifications will be maintained in the Committee files for review and use by the Committee. 3. All submissions must include a list of all clients, persons, and/or organizations on whose behalf the witness appears. A supplemental sheet must accompany each submission listing the name, company, address, telephone and fax numbers of each witness. Note: All Committee advisories and news releases are available on the World Wide Web at http://waysandmeans.house.gov The Committee seeks to make its facilities accessible to persons with disabilities. If you are in need of special accommodations, please call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four business days notice is requested). Questions with regard to special accommodation needs in general (including availability of Committee materials in alternative formats) may be directed to the Committee as noted above.ADVISORY FROM THE COMMITTEE ON WAYS AND MEANS SUBCOMMITTEE ON SOCIAL SECURITY CONTACT: (202) 225-9263 FOR IMMEDIATE RELEASE June 14, 2004 SS-9--Revised Change in Time for Hearing on Enhancing Social Security Number Privacy Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on Social Security of the Committee on Ways and Means, today announced that the Subcommittee hearing on enhancing Social Security number privacy, previously scheduled for Tuesday, June 15, 2004, at 10:00 a.m., in room B-318 Rayburn House Office Building, will now be held at 11:00 a.m. All other details for the hearing remain the same. (See Subcommittee Advisory No. SS-9, dated June 8, 2004 Chairman SHAW. Good morning. Welcome to all our guests. We were up until midnight cranking out a tax bill last night. I appreciate, Ben, you and Sam being here. Today the Subcommittee will hear testimony about the growing threat of identity theft, the need to prevent identity theft and terrorists from stealing innocent Americans' Social Security numbers (SSNs), and my bipartisan, and I underscore bipartisan, ``Social Security Number Privacy and Identity Theft Prevention Act of 2003,'' H.R. 2971. I think you are a cosponsor of that. The SSN is woven into the fabric of many of our dealings with governments and businesses. They are widely used as personal identifiers even though the original purpose was simply to track earnings for determining eligibility and benefit amounts under Social Security. Some of the uses of the SSNs help us achieve important goals like reducing waste, fraud and abuse in government programs; enforcing child support; and aiding law enforcement. Unfortunately there is also wide use of SSNs for everyday business transactions. Concerns about identity theft are rapidly growing. According to the Federal Trade Commission (FTC), identity theft is the number one consumer complaint, amounting to 42 percent of complaints received in 2003. Americans are becoming more aware of the role of SSNs in identity theft thanks to the efforts of the SSA (SSA), the FTC, the U.S. Postal Inspection Service, and other agencies. Due to the increasing public pressure to act, businesses are starting to move away from using SSNs, and several States have passed legislation that does protect SSNs. While everybody recognizes the need to protect the SSNs, Federal laws do not do enough to prevent the unnecessary disclosure. As a result, SSNs are sought-after tools for identity theft; worse yet, terrorists use of SSN fraud and identity theft to assimilate themselves into our society. Identity theft continues to threaten our individual and national security. Clearly we need a comprehensive law to better protect the privacy of SSNs, and protect the American public from being victimized. That is why I, along with several Members of the Subcommittee, including the Ranking Member Mr. Matsui, introduced H.R. 2971, the ``Social Security Number Privacy and Identity Theft Prevention Act of 2003.'' This bill would restrict the sale and public display of SSNs, limit dissemination of SSNs by consumers reporting agencies, make it more difficult for businesses to deny services if a customer refuses to provide his or her SSN, and establish civil and criminal penalties for the violation. Providing for uses of SSNs that benefit the public while protecting their privacy is a very complex balancing act. This bill achieves that balance by ensuring SSNs are assigned accurately, exchanged only when necessary, and protected from the indiscriminate disclosure. This Subcommittee has been working on a bipartisan basis to protect the privacy of SSNs and prevent identity theft since the 106th Congress when it first approved the Social Security Number Privacy and Identity Theft Prevention Act of 2002. In the 107th Congress, I, along with Ranking Member Matsui and 80 other Members of Congress, sponsored a similar bill. Consideration of this legislation was rightly preempted by necessary congressional response to the September 11 attacks. My hope is that this hearing will serve as a catalyst toward action, first through markup in this Subcommittee and the full Committee, followed by similar action by other Committees of jurisdiction, so that we may bring this important legislation to the House. Again, I underscore that in going through my statement, you may wonder, well, if you have had all this time why haven't you done anything? The problem really lies in that there is so much jurisdiction throughout Capitol Hill, that has stalled us at many, many areas where we shouldn't have been stalled down. I look forward to hearing from each of our witnesses, and I thank each of you in advance for sharing with us your experience and your recommendations. I would now yield to the gentleman from Maryland, my friend Mr. Cardin. Mr. CARDIN. Thank you, Chairman Shaw. First let me thank you for conducting this hearing, and thank you for your leadership on this issue. It is a difficult matter, the proper use of SSNs and the misuse of SSNs and the role that people illegally obtaining SSNs have used in identity theft. So, these are issues that are of great concern to all of us in Congress. Mr. Chairman, if I am correct, I think this is the 11th hearing that our Subcommittee has held in the last 4 years on this general subject because of our concern, and I do applaud you for the introduction of H.R. 2971, the ``Social Security Number Privacy and Identity Theft Prevention Act of 2003''. You are correct. This enjoys strong bipartisan support. I am proud to be a cosponsor of that bill. I think it is absolutely essential that Congress act in this area to give the clear message about the seriousness of the misuse of SSNs. A SSN should be your identifying number for Social Security. It should not be used for every other purpose imaginable that is currently being used by society and by commerce, but it is being used for other purposes, and it presents a real dilemma for us as to how we reverse this use and how we can protect a person's privacy. It is a very serious issue, because what identity theft has meant to our Nation, the FTC has received more than a half million calls on the identity fraud line, and they have projected that about 5 percent, 5 percent of our adult population of the United States, some 10 million people, were victims of some kind of identity theft in just the last 12 months. So, this is a huge issue that we need to deal with. We can't just be quiet on the subject by saying it is difficult in that so many people have our SSNs, and how are we ever going to be able to retrieve the privacy that was intended when the Social Security system was created. I look forward to hearing the testimony of our witnesses today as we try to develop a strategy to balance the needs of our society and the protection of our constituents. Mr. Chairman, I look forward to working with you and the other Members of the Committee as we attempt to get through the maze of the different jurisdictional problems in Congress and pass the necessary protective laws here in this body. Thank you. Chairman SHAW. Thank you, Mr. Cardin. I would like to yield at this time to Mr. Ryan, who is here and wants to introduce a member of the second panel, but he is concerned that his schedule might not allow him to be here, so I would yield to him for that introduction. Mr. RYAN. I thank the Chair. I have a bill coming to the floor momentarily, so I won't I be able to stay until that time, but I wanted to just take a couple of moments to introduce someone who is on the next panel who is a perfect person to have testifying with us today. That is Mark Ladd, who is the Register of Deeds for Racine County. Mark is very experienced, has been the Register of Deeds in Racine since 1994. He is the past President of the Wisconsin Register of Deeds Association. He is also a member of the Board of Directors of the National Association of County Recorders and Election Clerks, and he is the Co-Chair of the Property Records Industry Association Technology Board, which is, I think, in that capacity where he is going to offer a lot of expertise. He is also a good friend of mine, and I am excited that Mark is here to testify in the next panel. I hope that I can make it. It is only when you have a bill coming to the floor, which I have on the Suspension Calendar, that it presents a very unpredictable schedule. So, I thank the Chair for indulging me to be able to introduce my friend and a good expert from Racine, Wisconsin, who will be testifying on the next panel. Thank you, and I yield. Chairman SHAW. Okay. The first panel, which is already assembled at the table, are also four perfect witnesses: Howard Beales, who is the Director of the Bureau of Consumer Protection in the FTC; Patrick O'Carroll, Acting Inspector General, SSA; Barbara Bovbjerg, who is Director of Education, Work force and Income Security; Lawrence Maxwell, Assistant Chief Inspector of the Investigations and Security. Welcome, all of you. We have each of your full statements that will be made a part of the record. You may proceed as you see fit, and if you could capsule your statement into 5 minutes, we would be most appreciative. STATEMENT OF J. HOWARD BEALES, III, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION Mr. BEALES. Thank you, Mr. Chairman. I am Howard Beales. I am Director of the FTC's Bureau of Consumer Protection, and I am pleased to present the views of the Commission this morning. In a survey we conducted last year, the Commission learned some startling results about the incidence of identity theft and the impact of this crime on its victims. The data showed that within the 12 months preceding the survey, almost 3 and one- fourth million persons discovered that an identity thief opened new accounts in their names. An additional 6.6 million people learned of the misuse of an existing account. Overall nearly 10 million people, or 4.6 percent of the adult population, discovered that they were victims of some form of identity theft. These numbers translate to nearly $48 billion in losses to businesses, nearly $5 billion in losses to victims, and almost 300 hours spent by victims to resolve their problems. Moreover, identity theft is a growing crime. The survey indicated a significant increase in the previous 2 to 3 years, nearly a doubling from one year to the next, although the research also showed that this increase has slowed recently. Notably the recent increase involved the misuse of existing accounts, which tends to cause less economic injury to victims and is generally easier for them to identify and to fix. Overall, the survey analysis puts the incident rates of identity theft into sharper focus and demonstrates the need for concerted action between the public and private sectors to act aggressively to reduce identity theft, SSNs play a pivotal role in identity theft. Thieves use the SSN as a key to access the financial benefits available to their victim. Preventing identity thieves from obtaining SSNs will help to protect consumers from this pernicious crime. The potential for misuse arises because SSNs are crucial to the proper functioning of our financial system. Socials are used to match consumers to their credit and other financial information. Without them, information may be attributed to the wrong consumers, and the accuracy of credit reports may be degraded. Enabling SSNs to be used appropriately will help to ensure that consumers continue to enjoy the benefits of our current credit system. The Commission is studying the efficacy of increasing the number of points of identifying information that a credit reporting agency is required to match to ensure that a consumer is the correct individual to whom a consumer report relates before releasing that report to a user. The study to be completed by this December should greatly increase our knowledge of the importance of SSNs in the matching process, and we look forward to reporting our findings. Socials are collected by public and private entities for various purposes, and several Federal and State laws restrict the use or disclosure of SSNs depending on the source. The nationwide credit bureaus are primary private sources of SSNs, collecting information from financial institutions for credit reporting purposes. This information typically includes the consumer's identifying information, such as name, address and SSN, as well as information relating to the consumer's credit accounts. The identifying information collected by the credit bureau is one of the most reliable and comprehensive sources of this information, because individuals tend to provide their financial institutions with accurate and up-to-date information. Moreover, credit bureau databases contain information for over 200 million consumers. The Gramm-Leach-Bliley Act (P.L. 106-102) imposes certain restrictions on the reuse and re-disclosure of the identifying information that is collected by credit bureaus as a general matter. The act prohibits financial institutions from disclosing nonpublic personal information to nonaffiliated third parties without first providing consumers with notice and the opportunity to opt out of such disclosure. This general restriction, however, is subject to certain exceptions. The information may flow from financial institutions to others for certain purposes specified in the statute and in the rule, including, for example, to process transactions or to report consumer information to credit bureaus. When information is disclosed under these exceptions, the recipient may not use or disclose that information except in the ordinary course of business to carry out the activity covered by the exception under which the information was received. The Fair and Accurate Credit Transactions (FACT) Act of 2003 (P.L. 108-159) provides several new and important measures to prevent identity theft and facilitate victim recovery. One prominent benefit will be greater access to free consumer reports. Several other measures also act to prevent identity theft. The National Fraud Alert System will put potential creditors on notice that they must proceed with caution. The red flag rulemaking will require financial institutions and creditors to analyze patterns and take appropriate steps to prevent the crime. When fully implemented, these provisions should help to reduce the incidence of identity theft and to help victims recover when problems do occur. Identity theft places substantial costs on individuals and businesses. We look forward to working with businesses on better ways for them to protect the valuable information of the consumers with whom they do business as well as other means of preventing identity theft. We anticipate that Nation will help and reduce the impact on victims as well. Thank you, and as you know, Mr. Chairman, I have a prior obligation at noon, and I will stay as long as I can to answer questions. I would be happy to answer questions for the record, but I may have to leave early. [The prepared statement of Mr. Beales follows:] Statement of J. Howard Beales, III, Director, Bureau of Consumer Protection, Federal Trade Commission I. INTRODUCTION Mr. Chairman, and members of the Subcommittee, I am J. Howard Beales, III, Director of the Bureau of Consumer Protection, Federal Trade Commission (``FTC'' or ``Commission'').\1\ I appreciate the opportunity to present the Commission's views on identity theft and Social Security numbers. The Federal Trade Commission has a broad mandate to protect consumers, and controlling identity theft is an important issue of concern to all consumers. Through this testimony, the Commission will describe the results of a recent survey on the prevalence and impact of identity theft, the ways in which Social Security numbers are collected and used, new protections for consumers and identity theft victims, and the Commission's identity theft program. --------------------------------------------------------------------------- \1\ The views expressed in this statement represent the views of the Commission. My oral presentation and responses to questions are my own and do not necessarily represent the views of the Commission or any Commissioner. --------------------------------------------------------------------------- II. UNDERSTANDING THE IMPACT OF IDENTITY THEFT On November 1, 1999, the Commission began collecting identity theft complaints from consumers in its national database, the Identity Theft Data Clearinghouse (the ``Clearinghouse'').\2\ Every year since has seen an increase in complaints.\3\ The Clearinghouse now contains over 600,000 identity theft complaints taken from victims across the country. By itself, though, these self-reported data do not currently allow the FTC to draw any firm conclusions about the incidence of identity theft in the general population. To address this important issue, the FTC commissioned a survey last year to gain a better picture of the incidence of identity theft and the impact of the crime on its victims.\4\ The results were startling. The data showed that within the 12 months preceding the survey, 3.23 million persons discovered that an identity thief opened new accounts in their names. An additional 6.6 million consumers learned of the misuse of an existing account. Overall, nearly 10 million people--or 4.6 percent of the adult population--discovered that they were victims of some form of identity theft. These numbers translate to nearly $48 billion in losses to businesses, nearly $5 billion in losses to individual victims, and almost 300 million hours spent by victims trying to resolve their problems. --------------------------------------------------------------------------- \2\ See infra Section V for a discussion of the Commission's mandate to maintain an identity theft complaint database pursuant to the 1998 Identity Theft Assumption and Deterrence Act. \3\ Charts that summarize data from the Clearinghouse can be found at http://www.consumer.gov/idtheft/stats.html and http:// www.consumer.gov/sentinel/index.html. \4\ The research took place during March and April 2003. It was conducted by Synovate, a private research firm, and involved a random sample telephone survey of over 4,000 U.S. adults. The full report of the survey can be found at http://www.consumer.gov/idtheft/stats.html. --------------------------------------------------------------------------- Moreover, identity theft is a growing crime. The survey indicated a significant increase in the previous 2-3 years--nearly a doubling from one year to the next, although the research showed that this increase has recently slowed. Notably, this recent increase primarily involved the misuse of an existing account, which tends to cause less economic injury to victims and is generally easier for them to identify and fix. Overall, the 2003 survey analysis puts the incidence rates of identity theft into sharper focus, and demonstrates the need for a concerted effort between the public and private sectors to act aggressively to reduce identity theft. III. SOCIAL SECURITY NUMBER USES AND IDENTITY THEFT Social Security numbers play a pivotal role in identity theft. Identity thieves use the Social Security number as a key to access the financial benefits available to their victims. Preventing identity thieves from obtaining Social Security numbers will help to protect consumers from this pernicious crime. The potential for misuse arises because Social Security numbers are crucial to the proper functioning of our financial system. Social Security numbers are used to match consumers to their credit and other financial information. Without them, information may be attributed to the wrong consumer, and the accuracy of credit reports may be degraded. Enabling Social Security numbers to be used appropriately will help to ensure that consumers continue to enjoy the benefits of our current credit system. The Commission is studying ``the efficacy of increasing the number of points of identifying information that a credit reporting agency is required to match to ensure that a consumer is the correct individual to whom a consumer report relates before releasing a consumer report to a user'' as required by the Fair and Accurate Credit Transactions Act of 2003.\5\ This study, to be completed by December, 2004, should greatly increase our knowledge of the importance of Social Security numbers in the matching process. The Commission looks forward to reporting its findings to Congress. --------------------------------------------------------------------------- \5\ Pub. L. No. 108-396, 318 (2003). --------------------------------------------------------------------------- Social Security numbers are collected by public and private entities for various purposes, and several federal and state laws restrict the use or disclosure of Social Security numbers, depending on the source.\6\ The nationwide credit bureaus are primary private sources of Social Security numbers, collecting information from financial institutions for credit reporting purposes. This information typically includes a consumer's identifying information--such as name, address, and Social Security number--as well as information related to the consumer's credit accounts. The identifying information collected by the credit bureaus is one of the most reliable and comprehensive sources of this information, because individuals tend to provide their financial institutions with accurate and up-to-date identifying information and the credit bureau databases contain information for over 200 million consumers.\7\ --------------------------------------------------------------------------- \6\ As GAO has reported, government and commercial entities use social security numbers for a number of different purposes, including to verify the eligibility of applicants, manage records, and conduct research. U.S. General Accounting Office, Social Security: Government and Commercial Use of the Social Security Number is Widespread, GAO/ HEHS-99-28 (Washington, D.C.: Feb 16, 1999) and Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May 31, 2002). As examined in detail in GAO's January 2004 report, private sector entities (information resellers, consumer reporting agencies, health care organizations) obtain social security numbers both directly from consumers and other businesses, and the entities use them for a variety of purposes, including identification and to match the consumer to information stored in the consumer's credit report. See U.S. General Accounting Office, Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs and Laws Limit the Disclosure of This Information, GAO-04-11 (Washington, D.C.: Jan. 22, 2004). \7\ See Consumer Data Industry Association's Web site, available at http://www.cdiaonline.org/about.cfm. --------------------------------------------------------------------------- The Gramm-Leach-Bliley Act (``GLBA'')\8\ imposes certain restrictions on the reuse and redisclosure of the identifying information--including Social Security numbers--that is collected by credit bureaus from financial institutions.\9\ As a general matter, the GLBA prohibits financial institutions from disclosing nonpublic personal information (``NPI'') to nonaffiliated third parties without first providing consumers with notice and the opportunity to opt out of such disclosure. This general restriction, however, is subject to certain exceptions. The information may flow from financial institutions to others for certain purposes specified in the statute and rule, including, for example, to process transactions or to report consumer information to credit bureaus.\10\ When information is disclosed under these GLBA exceptions, the recipient may not use or disclose that NPI except ``in the ordinary course of business to carry out the activity covered by the exception under which . . . the information [was received].''\11\ --------------------------------------------------------------------------- \8\ Subtitle A of Title 5 of the GLBA, 15 U.S.C. 6801-6809. \9\ The GLBA applies to any ``nonpublic personal information'' (``NPI'') that a financial institution collects about an individual in connection with providing a financial product or service to an individual, unless that information is otherwise publicly available. This includes basic identifying information about individuals, such as name, Social Security number, address, telephone number, mother's maiden name, and prior addresses. See, e.g., 65 Fed. Reg. 33,646, 33680 (May 24, 2000) (the FTC's Privacy Rule). This identifying information generally is not covered by the Fair Credit Reporting Act. See FTC v. Trans Union, Dkt. 9255, Op. of the Commission at pp. 30-31 (Mar. 1, 2000) (holding that consumer name, Social Security number, address, telephone number, and mother's maiden name do not constitute a consumer report under the FCRA). \10\ These exceptions are found in 502(e) of the GLBA, and in 313.14 and 313.15 of the FTC's privacy rule. The other GLBA privacy rules contain substantially similar provisions. The 313.14 exceptions relate to the processing and servicing of transactions at the consumer's request, and the 313.15 exceptions contain a broad range of unrelated exceptions, such as preventing fraud, assisting law enforcement, complying with subpoenas, and reporting to credit bureaus. Section 313.13 also contains an exception to the notice and opt out requirement, but that section is not relevant here because it relates to contractual arrangements with service providers and joint marketers. \11\ 16 C.F.R. 313.11(a)(1)(iii), (c)(3) (2000). --------------------------------------------------------------------------- IV. NEW PROTECTIONS FOR IDENTITY THEFT VICTIMS On December 4, 2003, the Fair and Accurate Credit Transactions Act of 2003 (``FACTA'') was enacted.\12\ Many of the provisions amend the Fair Credit Reporting Act (``FCRA''),\13\ and provide new and important measures to prevent identity theft and facilitate identity theft victims' recovery. Some of these measures will take effect this year.\14\ They will codify many of the voluntary measures initiated by the private sector and improve other recovery procedures already in place. --------------------------------------------------------------------------- \12\ Pub. L. No. 108-396 (2003) (codified at 15 U.S.C. 1681 et seq.). \13\ 15 U.S.C. 1681 et seq. \14\ The statute set effective dates for certain sections and required the Commission and the Federal Reserve Board jointly to set effective dates for the remaining sections. See Effective Dates for the Fair and Accurate Credit Transactions Act of 2003, 16 C.F.R. 602.1 (2004). --------------------------------------------------------------------------- One prominent benefit of these amendments to the FCRA is the greater access to free consumer reports.\15\ Previously under the FCRA, consumers were entitled to a free consumer report only under limited circumstances.\16\ Beginning in December of this year with a regional rollout, nationwide and nationwide specialty consumer reporting agencies\17\ must provide free credit reports to consumers once annually, upon request.\18\ Free reports will enhance consumers' ability to discover and correct errors, thereby improving the accuracy of the system, and also enable consumers to detect identity theft early. --------------------------------------------------------------------------- \15\ Pub. L. No. 108-396, 211 (2003). \16\ Previously, free reports were available only pursuant to the FCRA when the consumer suffered adverse action, believed that fraudulent information may be in his or her credit file, was unemployed, or was on welfare. Absent one of these exceptions, consumers had to pay a statutory ``reasonable charge'' for a file disclosure; this fee is set each year by the Commission and is currently $9. See 15 U.S.C. 1681j. In addition, a small number of states required the CRAs to provide free annual reports to consumers at their request. \17\ Section 603(w) of the FCRA defines a ``nationwide specialty consumer reporting agency'' as a consumer reporting agency that compiles and maintains files on consumers relating to medical records or payments, residential or tenant history, check writing history, employment history, or insurance claims, on a nationwide basis. 15 U.S.C. 1681a(w). \18\ See Free Annual File Disclosures, 16 C.F.R. 610.1 and 698.1 (2004). --------------------------------------------------------------------------- Other measures that act to prevent identity theft include: National fraud alert system:\19\ Consumers who reasonably suspect they have been or may be victimized by identity theft, or who are military personnel on active duty away from home,\20\ can place an alert on their credit files. The alert will put potential creditors on notice that they must proceed with caution when granting credit in the consumer's name. The provision also codified and standardized the ``joint fraud alert'' initiative administered by the three major credit reporting agencies. After receiving a request from an identity theft victim for the placement of a fraud alert on his or her consumer report and for a copy of that report, each credit reporting agency now shares that request with the other two nationwide credit reporting agencies, thereby eliminating the need for the victim to contact each of the three agencies separately. --------------------------------------------------------------------------- \19\ Pub. L. No. 108-396, 112 (2003). \20\ The Commission is developing a rule on the duration of this active duty alert. See Related Identity Theft Definitions, Duration of Active Duty Alerts, and Appropriate Proof of Identity Under the Fair Credit Reporting Act, 69 Fed. Reg. 23370, 23372 (April 28, 2004) (to be codified at 16 C.F.R. pt. 613). --------------------------------------------------------------------------- Truncation of credit and debit card receipts:\21\ In some instances, identity theft results from thieves obtaining access to account numbers on credit card receipts. FACTA seeks to reduce this source of fraud by requiring merchants to truncate the full card number on electronic receipts. The use of truncation technology is becoming widespread, and some card issuers already require merchants to truncate.\22\ --------------------------------------------------------------------------- \21\ Pub. L. No. 108-396, 113 (2003). \22\ FACTA creates a phase-in period to allow for the replacement of existing equipment. --------------------------------------------------------------------------- ``Red flag'' indicators of identity theft:\23\ The banking regulators and the FTC will jointly develop a rule to identify and maintain a list of ``red flag'' indicators of identity theft. The goal of this provision is for financial institutions and creditors to analyze identity theft patterns and practices so that they can take appropriate action to prevent this crime. --------------------------------------------------------------------------- \23\ Id. 114. --------------------------------------------------------------------------- Disposal of Consumer Report Information and Records:\24\ The banking regulators and the FTC are coordinating a rulemaking to require proper disposal of consumer information derived from consumer reports.\25\ This requirement will help to ensure that sensitive consumer information, including Social Security numbers, is not simply left in a trash dumpster, for instance, once a business no longer needs the information.\26\ --------------------------------------------------------------------------- \24\ Id. 216. \25\ Disposal of Consumer Report Information and Records, 69 Fed. Reg. 21388 (April 20, 2004) (to be codified at 16 C.F.R. pt. 682). \26\ In its outreach materials, the FTC also advises consumers to shred any sensitive information before disposing of it. FACTA also includes measures that will assist victims with their --------------------------------------------------------------------------- recovery. These provisions include: Identity theft account blocking:\27\ This provision requires credit reporting agencies immediately to cease reporting, or block, allegedly fraudulent account information on consumer reports when the consumer submits an identity theft report,\28\ unless there is reason to believe the report is false. Blocking would mitigate the harm to consumers' credit records that can result from identity theft. Credit reporting agencies must also notify information furnishers who must then cease furnishing the fraudulent information and may not sell, transfer, or place for collection the debt resulting from the identity theft. --------------------------------------------------------------------------- \27\ Pub. L. No. 108-396, 152 (2003). \28\ The Commission is developing a rule to define the term ``identity theft report.'' See Related Identity Theft Definitions, Duration of Active Duty Alerts, and Appropriate Proof of Identity Under the Fair Credit Reporting Act, 69 Fed. Reg. 23370, 23371 (April 28, 2004) (to be codified at 16 C.F.R. pt. 603). --------------------------------------------------------------------------- Information available to victims:\29\ A creditor or other business must give victims copies of applications and business records relating to the theft of their identity at the victim's request. This information can assist victims in proving that they are, in fact, victims. For example, they may be better able to prove that the signature on the application is not their signature. --------------------------------------------------------------------------- \29\ Pub. L. No. 108-396, 151 (2003). --------------------------------------------------------------------------- Prevention of re-reporting fraudulent information:\30\ Consumers can provide identity theft reports directly to creditors or other information furnishers to prevent them from continuing to furnish fraudulent information resulting from identity theft to the credit reporting agencies. --------------------------------------------------------------------------- \30\ Id. 154. When fully implemented, these provisions should help to reduce the incidence of identity theft, and help victims recover when the problem does occur. V. THE FEDERAL TRADE COMMISSION'S ROLE IN COMBATING IDENTITY THEFT The FTC's role in combating identity theft derives from the 1998 Identity Theft Assumption and Deterrence Act (``the Identity Theft Act'' or ``the Act'').\31\ The Identity Theft Act strengthened the criminal laws governing identity theft\32\ and focused on consumers as victims.\33\ The Act directed the Federal Trade Commission to establish the federal government's central repository for identity theft complaints, to make available and to refer these complaints to law enforcement for their investigations, and to provide victim assistance and consumer education. Thus, the FTC's role under the Act is primarily one of facilitating information sharing among public and private entities.\34\ --------------------------------------------------------------------------- \31\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 U.S.C. 1028). \32\ 18 U.S.C. 1028(a)(7) made identity theft a crime by focusing on the unlawful use of an individual's ``means of identification,'' which broadly includes ``any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual,'' including, among other things, name, address, social security number, driver's license number, biometric data, access devices (i.e., credit cards), electronic identification number or routing code, and telecommunication identifying information. \33\ Because individual consumers' financial liability is often limited, prior to the passage of the Act, financial institutions, rather than individuals, tended to be viewed as the primary victims of identity theft. Setting up an assistance process for consumer victims is consistent with one of the Act's stated goals: to recognize the individual victims of identity theft. See S. Rep. No. 105-274, at 4 (1998). \34\ Most identity theft cases are best addressed through criminal prosecution. The FTC itself has no direct criminal law enforcement authority. Under its civil law enforcement authority provided by Section 5 of the FTC Act, the Commission may, in appropriate cases, bring actions to stop practices that involve or facilitate identity theft. See, e.g., FTC v. Corporate Marketing Solutions, Inc., CIV--02 1256 PHX RCB (D. Ariz Feb. 3, 2003) (final order) (defendants ``pretexted'' personal information from consumers and engaged in unauthorized billing of consumers' credit cards) and FTC v. C.J., CIV-- 03 5275 GHK (RZx) (C. D. Cal. July 24, 2003) (final order); FTC v. Hill, CV-H-03-5537 (S.D. Tex. Dec. 3, 2003) (final order); and FTC v. M.M., CV-04-2086 (E.D. NY May 18, 2004) (final order) (defendants sent ``phishing'' spam purporting to come from AOL or Paypal and created look-alike websites to obtain credit card numbers and other financial data from consumers that defendants used for unauthorized online purchases.). In addition, the FTC brought six complaints against marketers for purporting to sell international driver's permits that could be used to facilitate identity theft. Press Release, Federal Trade Commission, FTC Targets Sellers Who Deceptively Marketed International Driver's Permits over the Internet and via Spam (Jan. 16, 2003) (at http://www.ftc.gov/opa/2003/01/idpfinal.htm). --------------------------------------------------------------------------- To fulfill the Act's mandate, the Commission implemented a program that focuses on three principal components: (1) collecting complaints and providing victim assistance through a telephone hotline and a dedicated website, (2) maintaining and promoting the Clearinghouse, a centralized database of victim complaints that serves as an investigative tool for law enforcement, and (3) outreach and education to consumers, law enforcement, and private industry. A. Assisting Identity Theft Victims The Commission takes complaints from victims through a toll-free hotline, 1-877-ID THEFT (438-4338),\35\ and a secure online complaint form on its website, www.consumer.gov/idtheft. In addition, the FTC provides advice on recovery from identity theft. Callers to the hotline receive telephone counseling from specially trained personnel who provide general information about identity theft and help guide victims through the steps needed to resolve the problems resulting from the misuse of their identities.\36\ Victims are currently advised to:\37\ (1) obtain copies of their credit reports from the three national consumer reporting agencies and have a fraud alert placed on their credit reports;\38\ (2) contact each of the creditors or service providers where the identity thief has established or accessed an account, to request that the account be closed and to dispute any associated charges; and (3) report the identity theft to the police and get a police report, which is very helpful in demonstrating to would-be creditors and debt collectors that the consumers are genuine victims of identity theft. --------------------------------------------------------------------------- \35\ The Commission has a separate toll-free line (877-FTC-HELP) to serve those with general consumer protection complaints. \36\ Spanish speaking counselors are available for callers who select the Spanish-language option on the toll-free line. \37\ As the relevant provisions of FACTA become effective, the Commission will update its advice to victims on their new rights and procedures for recovery. \38\ These fraud alerts indicate that the consumer is to be contacted before new credit is issued in that consumer's name. --------------------------------------------------------------------------- Counselors also advise victims having particular problems about their rights under relevant consumer credit laws including the FCRA,\39\ the Fair Credit Billing Act,\40\ the Truth in Lending Act,\41\ and the Fair Debt Collection Practices Act.\42\ If another federal agency can assist victims because the nature of the victims' identity theft falls within such agency's jurisdiction, callers also are referred to those agencies. --------------------------------------------------------------------------- \39\ 15 U.S.C. 1681 et seq. \40\ Id. 1666. The Fair Credit Billing Act generally applies to ``open end'' credit accounts, such as credit cards, revolving charge accounts, and overdraft checking accounts. It does not cover installment contracts, such as loans or extensions of credit that are repaid on a fixed schedule. \41\ Id. 1601 et seq. \42\ Id. 1692 et seq. --------------------------------------------------------------------------- The FTC's identity theft website, located at www.consumer.gov/ idtheft, provides equivalent service for those who prefer the immediacy of an online interaction. The site contains a secure complaint form, which allows victims to enter their identity theft information into the Clearinghouse. Victims also immediately can read and download all of the resources necessary for reclaiming their credit record and good name, including the FTC's tremendously successful consumer education booklet, Identity Theft: When Bad Things Happen to Your Good Name.\43\ The 26-page booklet, now in its fourth edition, comprehensively covers a range of topics, including the first steps to take for victims and how to correct more intensive credit-related problems that may result from identity theft. It also describes other federal and state resources that are available to victims who may be having particular problems as a result of the identity theft. The FTC alone has distributed more than 1.3 million copies of the booklet since its release in February 2000, and recorded over 1.4 million visits to the Web version.\44\ --------------------------------------------------------------------------- \43\ Identity Theft: When Bad Things Happen to Your Good Name and the secure complaint form are available in Spanish. \44\ Other government agencies, including the Social Security Administration, the SEC, and the FDIC also have printed and distributed copies of Identity Theft: When Bad Things Happen to Your Good Name. --------------------------------------------------------------------------- B. The Identity Theft Data Clearinghouse One of the primary purposes of the Identity Theft Act was to enable criminal law enforcement agencies to use a single database of victim complaints to support their investigations. To ensure that the database operates as a national clearinghouse for complaints, the FTC accepts complaints from external sources such as other state or federal agencies as well as directly from consumers through its call center and online complaint form. For example, in February 2001, the Social Security Administration Office of Inspector General (SSA-OIG) began providing the FTC with complaints from its fraud hotline, significantly enriching the FTC's database. The Clearinghouse provides a picture of the nature, prevalence, and trends of the identity theft victims who submit complaints. The Commission publishes annual charts showing the prevalence of identity theft complaints by states and by cities.\45\ Law enforcement and policy makers at all levels of government use these reports to better understand the challenges identity theft presents. --------------------------------------------------------------------------- \45\ Charts that summarize data from the Clearinghouse can be found at http://www.consumer.gov/idtheft/stats.html and http:// www.consumer.gov/sentinel/index.html. --------------------------------------------------------------------------- Since the inception of the Clearinghouse in July of 2000, more than 970 law enforcement agencies, from the federal to the local level, have signed up for secure online access to the database. Individual investigators within those agencies have the ability to access the system from their desktop computers 24 hours a day, seven days a week. The Commission actively encourages even greater use of the Clearinghouse. Beginning in 2002, in an effort to further expand the use of the Clearinghouse among law enforcement, the FTC, in cooperation with the Department of Justice, the United States Postal Inspection Service, and the United States Secret Service, initiated full day identity theft training seminars for state and local law enforcement officers. To date, seminars have been held in Washington, D.C., Des Moines, Chicago, San Francisco, Las Vegas, Dallas, Phoenix, New York City, Seattle, San Antonio, Orlando, and Raleigh. The FTC also helped the Kansas and Missouri offices of the U.S. Attorney and State Attorney General conduct a training seminar in Kansas City. More than 1500 officers have attended these seminars, representing more than 600 different agencies. Future seminars are being planned for additional cities. The FTC staff also developed an identity theft case referral program.\46\ The staff creates preliminary investigative reports by examining significant patterns of identity theft activity in the Clearinghouse and refining the data through the use of additional investigative resources. Then the staff refers the investigative reports to appropriate Financial Crimes Task Forces and other law enforcers throughout the country for further investigation and potential prosecution. The FTC is aided in this work by its federal law enforcement partners including the United States Secret Service, the Federal Bureau of Investigation, and the United States Postal Inspection Service who provide staff and other resources. Recently, an FBI analyst has worked intensively with the Clearinghouse complaints, using sophisticated analytical software to find related complaints and combine the information with other data sources available to the FBI. --------------------------------------------------------------------------- \46\ The referral program complements the regular use of the database by all law enforcers from their desktop computers. --------------------------------------------------------------------------- C. Outreach and Education The Identity Theft Act also directed the FTC to educate consumers about identity theft. Recognizing that law enforcement and private industry each play an important role in helping consumers both to minimize their risk and to recover from identity theft, the FTC expanded its outreach and education mission to include these sectors. (1) Consumers: The FTC has taken the lead in the development and dissemination of comprehensive consumer education materials for victims of identity theft and those concerned with preventing this crime. The FTC's extensive consumer and business education campaign includes print and online materials, media mailings, and radio and television interviews. The FTC also maintains the identity theft website, www.consumer.gov/idtheft, which includes the publications and links to testimony, reports, press releases, identity theft- related state laws, and other resources. To increase awareness for the average consumer and provide tips for minimizing the risk of identity theft, the FTC developed a new primer on identity theft, ID Theft: What's It All About?.\47\ Taken together with the detailed victim recovery guide, Identity Theft: When Bad Things Happen to Your Good Name, the two publications help to educate consumers. --------------------------------------------------------------------------- \47\ Since its release in May 2003, the FTC has distributed almost 554,000 paper copies and over 75,000 web versions, and developed a Spanish version. --------------------------------------------------------------------------- (2) Law Enforcement: Because law enforcement at the state and local level can provide significant practical assistance to victims, the FTC places a premium on outreach to such agencies. In addition to the training described previously (see infra Section V.B), the staff joined with North Carolina's Attorney General Roy Cooper to send letters to every other Attorney General about the FTC's identity theft program and how each Attorney General could use the resources of the program to better assist residents of his or her state. Other outreach initiatives include: (i) Participation in a ``Roll Call'' video produced by the Secret Service, which has been sent to thousands of law enforcement departments across the country to instruct officers on identity theft, investigative resources, and assisting victims; and (ii) the redesign of the FTC's website to include a section for law enforcement with tips on how to help victims as well as resources for investigations. (3) Industry: The private sector can help with the problem of identity theft in several ways. From prevention through better security and authentication, to helping victims recover, businesses play a key role in reducing the impact of identity theft. (a) Information Security Breaches: The FTC works with institutions that maintain personal information to identify ways to help keep that information safe from identity theft.\48\ In 2002, the FTC invited representatives from financial institutions, credit issuers, universities, and retailers to an informal roundtable discussion of how to prevent unauthorized access to personal information in employee and customer records. --------------------------------------------------------------------------- \48\ The Commission also has law enforcement authority relating to information security. In addition to developing the Disposal Rule pursuant to FACTA, see supra Section IV, the Commission also is responsible for enforcing its GLBA Safeguards Rule, which requires financial institutions under the FTC's jurisdiction to develop and implement appropriate physical, technical, and procedural safeguards to protect customer information. FTC Safeguards Rule, 16 C.F.R. 314.1 (2002). In brief, the Safeguards Rule requires financial institutions to develop a written information security plan that includes certain elements that are basic to security. In the past few years, the FTC has also brought enforcement actions against four companies that the Commission alleged made false promises about securing sensitive consumer information, in violation of Section 5 of the FTC Act. 15 U.S.C. 45(a) These actions resulted in settlements with those companies that collected sensitive information from consumers while making such promises. Those actions arise out of the Commission's finding that these companies' security measures were inadequate and their information security claims therefore were deceptive. See, e.g., In re Microsoft Corp., FTC Dkt. C-4069, Final Decision and Order available at http://www.ftc.gov/os/2002/12/ microsoftdecision.pdf (Dec. 20, 2002). --------------------------------------------------------------------------- As awareness of the FTC's role in identity theft has grown, businesses and organizations that have suffered compromises of personal information have begun to contact the FTC for assistance.\49\ To provide standardized assistance in these types of cases, the FTC developed a kit, Information Compromise and the Risk of Identity Theft: Guidance for Your Business, that is available on the identity theft website.The kit provides advice on contacting consumers, law enforcement agencies, business contact information for the three major credit reporting agencies, information about contacting the FTC for assistance, and a detailed explanation of what information individuals need to know to protect themselves from identity theft. --------------------------------------------------------------------------- \49\ See, e.g. the incidents involving TriWest (Adam Clymer, Officials Say Troops Risk Identity Theft After Burglary, N.Y. Times, Jan. 12, 2003, 1 (Late Edition), at 12) and Ford/Experian (Kathy M. Kristof and John J. Goldman, 3 Charged in Identity Theft Case, LA Times, Nov. 6, 2002, Main News, Part 1 (Home Edition), at 1). --------------------------------------------------------------------------- (b) Victim Assistance: Identity theft victims may spend substantial time and effort restoring their good names and financial records. As a result, the FTC devotes substantial resources to conducting outreach with the private sector on ways to improve victim assistance procedures. One such initiative arose from the burdensome requirement that victims complete a different fraud affidavit for each different creditor with whom the identity thief had opened an account.\50\ To reduce that burden, the FTC worked with industry and consumer advocates to create a standard form for victims to use in resolving identity theft debts. From its release in August 2001 through April 2004, the FTC has distributed more than 293,000 print copies of the ID Theft Affidavit. There have also been nearly 557,000 hits to the Web version. The affidavit is available in both English and Spanish. --------------------------------------------------------------------------- \50\ See ID Theft: When Bad Things Happen to Your Good Name: Hearing Before the Subcomm. on Technology, Terrorism and Government Information of the Senate Judiciary Comm. 106th Cong. (2000) (statement of Mrs. Maureen Mitchell, Identity Theft Victim). --------------------------------------------------------------------------- VI. CONCLUSION Identity theft places substantial costs on individuals and businesses. The Commission looks forward to working with businesses on better ways for them to protect the valuable information of consumers with which they are entrusted as well as other means of preventing identity theft. The Commission anticipates that as the new provisions of FACTA take effect, they will further help to reduce identity theft as well as its impact on victims. Chairman SHAW. Thank you, Mr. Beales, and we appreciate your time that you are able to spend with us. Mr. O'Carroll. STATEMENT OF PATRICK P. O'CARROLL, ACTING INSPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION Mr. O'CARROLL. Good morning, Mr. Chairman, Mr. Cardin, and Members of this Committee. Thank you for inviting me here today to discuss SSN misuse and H.R. 2971. As we were all paying our respects to President Ronald Reagan last week, I couldn't help recalling that his signing of the Inspector General Act made our work possible. It is because the SSN is so heavily relied upon as an identifier, it is a valuable commodity for lawbreakers. I will focus today on SSN misuse, homeland security and identity theft, and what more needs to be done to insure the integrity of the SSN. While financial crimes involving SSN misuse are more numerous than terrorism-related crimes, the potential threat to homeland security nevertheless justifies intense concern. Our primary mission is to protect the integrity of SSA programs and operations, and because of that we focus investigative efforts on cases affecting SSN integrity. We investigate and arrest suspects for fraud against Social Security programs and crimes involving SSN misuse. In our homeland security and identity theft responsibility, we work closely with other Federal agencies participating in 63 joint terrorism task forces and 29 antiterrorism advisory councils. We recently met with the U.S. Department of Homeland Security to discuss methods in which we could work together to address the SSN's critical role at critical infrastructure sites. We have begun staffing an SSN Integrity Protection Team that combines the talents of auditors, investigators and attorneys. My office is working closely with this Subcommittee and the SSA to strengthen controls over enumeration, to ensure the integrity of identification documents and to make SSN fraud as difficult as possible. Together with you and with SSA, we have made important strides in reducing enumeration vulnerabilities. Still, we believe the SSA should implement the following changes: establish a reasonable threshold for the number of replacement SSN cards an individual may obtain during a year and over a lifetime to continue to address identified weaknesses within the information security environment; verify birth records before issuing SSNs to citizens under the age of 1; and to incorporate additional controls in the SSA's Enumeration-at-Birth process. We have conducted numerous audits and made extensive recommendations to the SSA to improve the SSN misuse problem in the earnings reporting area, and, most importantly, to improve controls over SSN misuse as it pertains to homeland security. We believe SSA and lawmakers should examine the feasibility of the following initiatives: to limit public SSN availability to the greatest extent practicable without unduly limiting commerce; to enact strong enforcement mechanisms and stiffer penalties for SSN misuse; cross-verify legitimate databases that use the SSA as a key data element; and review the implications of releasing information on deceased individuals. We believe new legislation should prohibit the sale of SSNs, including one's own, on the open markets; to limit the use of the SSN to appropriate and legitimate transactions; and to prohibit using SSNs as student or patient identification numbers or as part of car rental contracts or video rentals; and to enhance penalties for those few SSA employees who assist criminals in obtaining SSNs. We support legislation such as H.R. 2971, which severely limits the sale, purchase, and display of SSNs to the general public. We also believe legislation such as H.R. 1731, the Identity Theft Penalty Enhancement Act, is a significant step toward holding accountable individuals who misuse SSNs to commit egregious crimes. Over the past years we have made progress protecting SSN integrity. We stand ready to do more. I would now be happy to answer any questions you may have. Thank you. [The prepared statement of Mr. O'Carroll follows:] Statement of Patrick P. O'Carroll, Acting Inspector General, Social Security Administration Good Morning, Mr. Chairman, Mr. Matsui, and members of the Subcommittee. Let me first thank you for the invitation to be here today for this important hearing to discuss the pervasive problem of Social Security number (SSN) misuse and the Committee's proposed legislation to protect the privacy of SSNs, the Social Security Number Privacy and Identity Theft Prevention Act of 2003 (H.R. 2971). The SSN as a National Identifier I would like to begin my testimony today with a simple declaration: The SSN is a national identifier. In past years, many would challenge that statement. Today, we live in a changed world, and the SSN's role as a national identifier is a recognized fact. Unfortunately, with that knowledge, we must also accept that because the SSN is so heavily relied upon as an identifier, it is a valuable commodity for lawbreakers. Given the importance of this unique, nine-digit number and the tremendous risk associated with its misuse, one of the most important responsibilities my office undertakes each day is oversight of SSN integrity. Today I would like to focus my testimony on how the SSN is misused to commit crimes, my office's role in addressing homeland security and identity theft and what more needs to be done to ensure the integrity of the SSN. Misuse of the SSN to Commit Crimes While financial crimes involving SSN misuse are more numerous than terrorism-related crimes, the potential threat to homeland security nevertheless justifies intense concern. An SSN allows an individual to assimilate themselves into U.S. society. SSNs, therefore, become valuable tools for terrorists or others who wish to live in the United States and operate under the ``radar screen.'' Such individuals may obtain SSNs by purchasing them, creating them, stealing them, utilizing the SSN of a deceased individual or obtaining them from SSA directly through the use of falsified documents. Once an individual has an SSN, he has the ability to work, buy a home, and engage in a wide range of financial transactions including the raising and transferring of funds. I am also concerned about the escalating occurrences of identity theft, which is the fastest-growing form of white-collar crime in the United States. In September 2003, the Federal Trade Commission (FTC) released a survey showing that 27.3 million Americans were victims of identity theft between 1998 and 2003--including 9.9 million people in the study's final year. FTC also reported that during the study's final year, losses to businesses and financial institutions totaled nearly $48 billion and consumer victims reported $5 billion in out-of-pocket expenses. Clearly, this is an epidemic that must be brought under control. Identity theft is an ``enabling'' crime, one that facilitates other types of crime, ranging from passing bad checks and defrauding credit card companies to committing acts of terrorism. Additionally, criminals use identity theft to defraud Federal agencies and programs of millions of dollars. For example, based on an investigation conducted by our Atlanta Field Division, a St. Petersburg, Florida resident was recently sentenced to 27 months of incarceration and ordered to make restitution to SSA for over $79,000 in survivors benefits she received for herself and three nonexistent children. To perpetrate this scheme, the individual assumed the identity of a former acquaintance by obtaining a North Carolina identification card in her friend's name. With this new identity, she used fraudulent birth certificates to apply for SSNs on behalf of two fictitious children. She also altered court marriage and divorce documents, falsely claiming that a known deceased man was her ex-husband and the fictitious children's father. She perpetrated this elaborate scheme so that she could apply for and receive Social Security survivors benefits for the fictitious children--and, until caught, was successful in doing so. Further investigation revealed that she had previously committed a similar crime resulting in additional survivors benefits for herself and another fictitious child. Other Federal agencies such as the Department of Housing and Urban Development (HUD) have also experienced a significant increase in the number of identity theft occurrences in their programs. Within programs administered by HUD, identity thieves are using someone else's SSN to obtain and then default on home mortgages--leaving taxpayers to pay their bills. For those with an illicit motive, an SSN can be obtained in many ways: Presenting false documentation to SSA. Stealing another person's SSN. Purchasing an SSN on the black market. Using the SSN of a deceased individual. Creating a nine-digit number out of thin air. Although SSA may never be able to completely prevent individuals from purchasing an SSN on the black market or stealing the SSN of another, we are proud that our efforts are making it more difficult to do so. Our Role in Addressing Homeland Security and Identity Theft Recognizing the importance of SSNs to terrorists and identity thieves, SSA and the OIG take very seriously our responsibility to ensure that these numbers are only issued to those with a legal reason for having one. As such, we continuously seek innovative ways to prevent SSN misuse and create collaborative partnerships with other Federal, State, and local entities to address both homeland security and identity theft concerns. OIG Homeland Security Activities: Our active involvement in addressing homeland security began on September 11, 2001, with our agents assisting in rescue efforts and site security at the World Trade Center. We immediately assigned supervisors and agents to the FBI Command Centers in New York City and New Jersey to process information and investigate leads. The Inspector General ordered all Field Divisions to assist in Joint Terrorism Task Forces (JTTF) and Anti-Terrorism Task Forces (ATTF) around the country--in fact, we are now active participants in 63 Joint Terrorism Task Forces and 29 Anti-Terrorism Task Forces, as well as the Foreign Terrorist Tracking Task Force. While participating in these task forces, our agents have assisted in better securing many of our Nation's airports and nuclear facilities by ensuring that employees and individuals having access to secure areas within these locations are working under their true names and SSNs. Further, as part of its anti-terrorism activities in the Buffalo area, our New York Field Division investigated six men from neighboring Lackawanna suspected of terrorist-related activities. Our investigators determined the identities of the ``Lackawanna Six'' and their attendance and participation in an al Qaeda terrorist training camp in Afghanistan. One suspect had two Social Security cards in his possession at the time of his arrest. All six suspects pleaded guilty to providing material support or resources to designated foreign terrorist organizations and received sentences of 7 to 10 years in prison. In carrying out our homeland security responsibility, we coordinate closely with other Federal agencies. For example, we recently met with representatives of the Department of Homeland Security (DHS) to discuss methods in which we could work together to address the SSN's role in homeland security. We welcome this opportunity and believe cooperative ventures such as these are imperative to ensure that all of the links in the homeland security chain stay connected. Based on our initial discussions, we plan to work with DHS to explore possible data matching and cross-verification opportunities--those that are currently provided for under law and those for which additional legislation may be required. OIG Identity Theft Activities: By law and by mission, our office has a narrow but important role in the overall effort to address identity theft. Much of the Federal government's response to identity theft issues rightly belongs to the FTC. State and local law enforcement agencies and financial institutions also have critical roles to play. Because our primary mission is to protect the integrity of SSA's programs and operations, in the majority of our identity theft investigations, we continue to focus investigative efforts on cases that affect SSN integrity. For example, our Chicago Field Division took part in a 3-day inter-agency undercover operation that resulted in the arrest of 12 suspects dealing in fraudulently obtained Social Security cards, State driver's licenses, and U.S. passports. Our investigators determined that the group's leader and 11 others took part in an elaborate document-counterfeiting scheme to obtain valid SSNs for non- existent children. The names belonged to undocumented noncitizens who paid up to $5,000 each for valid documents. Members of the group were sentenced to up to 2 years in prison or given immunity from prosecution for their cooperation in the undercover sting. To maximize our investigative resources, we dedicate agents that work on task forces with other law enforcement agencies nationwide to investigate identity crimes. We also work closely with prosecutors to bundle SSN misuse cases that, when presented separately, may not have been accepted for prosecution. We are also continuing our efforts to identify opportunities for SSA to further strengthen the integrity of the SSN. One of my major concerns has been the use of fraudulent documents to obtain SSNs. In an August 2002 audit, we estimated that during FY 2000, SSA assigned at least 63,000 SSNs to noncitizens based on invalid immigration documents that SSA processes did not detect. Based on our recommendation, SSA improved its controls in this area and now verifies all immigration documents presented by noncitizens with the issuing agency before assigning an SSN. We believe SSA's decision to adopt our recommendation was laudable and significantly reduced the circumstances under which an unauthorized noncitizen may obtain a legitimate SSN from the Agency. We are currently examining the Agency's compliance with this and other enumeration controls. Additionally, we continue to explore and recommend further controls the Agency can implement to strengthen SSA's important responsibility of assigning SSNs. SSN Integrity Protection Team: Protecting the integrity of the SSN has become a major part of the work we do. The President's Fiscal Year 2004 Budget enabled us to begin staffing our SSN Integrity Protection Team to combat SSN misuse and identity theft. The Team is an integrated model that combines the talents of auditors, investigators and attorneys in a comprehensive approach, allowing SSA and OIG to: Support Homeland Security. Identify patterns and trends of SSN misuse. Locate systemic weaknesses that contribute to SSN misuse such as in the enumeration and earnings related processes. Recommend legislative or other corrective actions to enhance the SSN's integrity. Pursue criminal and civil enforcement provisions for individuals misusing SSNs. Our SSN Integrity Protection Team will enable us to better target audit and investigative work. The Team will participate with other Federal, State and local entities to collaborate on potential SSN misuse activities. It is critical that we continue to receive funding in future budgets for this important initiative. SSA Initiatives to Address SSN Integrity: SSA has made significant progress in strengthening the defenses of the SSN, implementing important suggestions our office has made, and working with us to find solutions. In November 2001, the Commissioner of Social Security established an Enumeration Response Team (ERT) comprised of executives across the Agency, including representatives from the OIG. The Commissioner charged this group with identifying steps the Agency could take to improve the enumeration process and to enhance the integrity of the SSN. Since that time, the Commissioner and the ERT have implemented numerous policies and procedures designed to better ensure that only individuals authorized to do so, receive an SSN. For example, the ERT recommended, and SSA adopted, more stringent circumstances under which an individual may obtain a nonwork SSN. We are proud to serve on workgroups such as these and applaud the Commissioner and SSA for its strong commitment to improving SSN integrity. Prior to the ERT, the Agency implemented other initiatives such as the Comprehensive Integrity Review Process (CIRP) and Enumeration at Entry process. The CIRP system identifies vulnerabilities in the enumeration process and issues alerts to SSA's field offices (FO) to develop and certify. The FO reviewer, usually a manager or supervisor, performs an enumeration integrity review of each alert. If the reviewer determines that there is a possibility of fraud, the alert is forwarded to the OIG for development and disposition. The Enumeration at Entry initiative is a collaboration with the Department of Homeland Security (DHS) and the Department of State (DOS) to not only facilitate issuance of SSNs to legally admitted aliens whose immigration status permits such issuance, but it ensures through DHS and DOS certifications that the identity and immigration status of the alien is what is purported. What Actions Still Need to Be Taken to Address SSN Misuse Despite the significant progress SSA and Congress have made in recent years to address SSN misuse, we believe SSN integrity and protection still need improvement at three stages: at issuance, during the life of the number-holder, and following the number-holder's death. At Stage One (issuance of the SSN), my office is doing more work than ever, working closely with this Subcommittee and SSA to strengthen controls over the enumeration process, ensure the integrity of identification documents, and make it as difficult as possible to fraudulently obtain an SSN from the Federal government. Together with you and with SSA, we have made important strides in reducing enumeration vulnerabilities, and that effort continues. Still, to strengthen our defenses even further, we believe SSA should implement the following changes. Establish a reasonable threshold for the number of replacement SSN cards an individual may obtain during a year and over a lifetime. Continue to address identified weaknesses within the enumeration process to better safeguard SSNs. Verify the validity of birth records with the issuing State before issuing an SSN to U.S. citizens under age 1. Work with State Bureaus of Vital Statistics to incorporate additional controls in SSA's Enumeration-at-Birth program, such as periodically reconciling the number of SSNs assigned through the program to the number of births reported by participating hospitals. It is at Stages Two (during the life of the number holder) and Three (after the number holder's death) where we have focused the majority of our efforts, and where we have made the most progress. In the last several years, we have conducted numerous audits and made extensive recommendations to SSA to improve the SSN misuse problem in the earnings reporting process, and most importantly, to improve controls over SSN misuse as it pertains specifically to Homeland Security. Nevertheless, to more completely address SSN integrity during the life of the number holder and following that number holder's death, we believe SSA and lawmakers should examine the feasibility of the following initiatives. Limiting the SSN's public availability to the greatest extent practicable, without unduly limiting commerce. Prohibiting the sale of SSNs, prohibiting their display on public records, and limiting their use to legitimate transactions. Enacting strong enforcement mechanisms and stiffer penalties to further discourage SSN misuse. Cross-verifying all legitimate databases that use the SSN as a key data element. Review the implications of releasing information on deceased individuals. Limiting the SSN's Public Availability and Sale of the SSN Perhaps the most important step we can take in preventing SSN misuse is to limit the SSN's easy availability. We believe legislation designed to protect the SSN must strictly limit the number's availability on public documents. As long as criminals can walk into the records room of a courthouse or local government building and walk out with names and SSNs culled from public records, it will be extremely difficult to reverse the trend. We believe effective legislation should also specifically prohibit the sale of SSNs-- including one's own SSN--on the open market. As long as criminals can buy a list of names and SSNs through an Internet auction, we will continue to be plagued by the consequences. To be fully effective, we also believe legislation must limit the use of the SSN to appropriate and valid transactions. The financial industry relies on the SSN, and no one is suggesting that we change the way legitimate business is conducted in the United States. But the use of the SSN as a student or patient identification number, as part of a car rental contract or to rent a video, must be curtailed. Congress enacted the Identity Theft and Assumption Deterrence Act in 1998, responding to the growing epidemic of identity thefts by imposing criminal sanctions for those who create a false identity or misappropriate someone else's. The Internet False Identification Prevention Act, adopted in 2000, closed a loophole left by the earlier legislation, enabling our office and other law enforcement organizations to pursue vendors who previously could sell counterfeit Social Security cards legally by maintaining the fiction that such cards were ``novelties'' rather than counterfeit documents. More legislative tools are needed, and we have worked with Congress to identify legislation necessary to protect the integrity of the SSN. For example, the House is now considering H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act of 2003, which would seriously restrict the use of SSNs in the private and public sector, and criminalize the sale of SSNs. Penalties The Identity Theft legislation I discussed earlier provides criminal penalties, but those penalties were designed for broader crimes involving Social Security cards and/or SSNs, not for SSN misuse itself. We believe legislation should not only provide criminal penalties in the Social Security Act, but also enhance penalties for those few SSA employees who betray the public trust and assist criminals in obtaining SSNs. For example, a former SSA Service Representative was sentenced to 3 years probation and community service after pleading guilty to a bribery charge in connection with issuing 100 to 200 Social Security cards to illegal aliens. She received between $50 and $150 for each card. We believe it is critically important to send a strong message to SSA employees tempted to facilitate crimes against Agency programs by pursuing the maximum sentence possible. The House Committee on the Judiciary recently approved H.R. 1731, the Identity Theft Penalty Enhancement Act, which established enhanced penalties for aggravated identity theft. While increased criminal penalties are a welcomed addition to the arsenal available for use in combating identity theft, we also believe legislation should provide an administrative safety net in the form of Civil Monetary Penalties to allow for some form of relief when criminal prosecution is not available for SSN misuse and other Social Security-related crimes. Cross-verification Additionally, we strongly support cross-verification of SSNs through both governmental and private sector systems of records to identify and address inaccuracies. Our experience has shown that cross- verification can combat and limit the spread of false identification and SSN misuse. Further, we believe all law enforcement agencies should be provided the same SSN cross-verification capabilities currently granted to employers. In doing so, the law enforcement community would use data already available to the Federal, State and local governments and the financial sector. Potentially, the rewards of cross-verification can be great, yet it would not require major expenditures of money or the creation of new offices or agencies. We believe legislation is needed to require mandatory cross-verification of identification data between governmental, financial and commercial holders of records and the SSA on a recurring basis. To offset SSA's cost for providing such services, the Agency could charge a modest fee to commercial and financial entities. The technology to accomplish these data matches and verifications exists now. Coupled with steps already underway by SSA to strengthen the integrity of its enumeration business process, cross- verification, once initiated, would be a critical step in combating the spread of identity fraud. Let me give you an example of an identity theft case in which cross-verification may have prevented a crime against a Federal government program, saving taxpayers $62,000. A Salt Lake City grandmother learned last year from one of my Denver Field Division agents that her SSN was used to purchase a $146,000 HUD home. This identity theft went undiscovered until the home went into foreclosure because the criminals used this grandmother's SSN, but another name to purchase the home. Had HUD been allowed to verify the accuracy of the borrower's name and SSN with SSA, HUD would have recognized the discrepancy and denied the loan. In this one case alone, the Government would have saved the thousands of program dollars HUD had to pay to foreclose and resell the property. Additionally, this elderly Salt Lake City grandmother would have been spared the time and expense of repairing her credit record. We believe cross-verification is one of the most important tools the Government and private sector can employ to reduce the instances of identity theft. We understand the important issue of consumer privacy that must be considered by Congress and others before allowing such data integrity matches. However, our ability to prevent these egregious crimes would be enhanced by additional legislation balancing the need for consumer privacy with the need for accurate identifying information. Conclusion We always appreciate the invitation to speak with this committee and the very important work you do to help ensure the integrity of SSA programs and the SSN. We are very pleased with the progress Congress and SSA have made in addressing the issue of SSN integrity over the last several years. However, we reiterate our concern that more must be done to ensure that only those individuals authorized to have an SSN receive one and that anyone who fraudulently obtains and misuses an SSN is adequately penalized. As such, we support legislation such as H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act of 2003, which severely limits the sale, purchase and display of SSNs to the general public. We also believe legislation such as H.R. 1731, the Identity Theft Penalty Enhancement Act, is a significant step toward holding accountable individuals who misuse SSNs to commit egregious crimes. We encourage this Committee and others in Congress to stay firm in your resolve to enact these two bills. We also ask that Congress consider other measures such as increased cross-verification among Government and private sector entities, Civil Monetary Penalties for SSN misuse and other Social Security-related crimes when criminal prosecution is not available, and stronger penalties for those few SSA employees that betray the public trust by selling SSNs. We will certainly continue our vigilance in addressing these issues and stand ready to do more to enhance the safety and well- being of all Americans. I would now be happy to answer any questions you may have. Chairman SHAW. Thank you. Ms. Bovbjerg. STATEMENT OF BARBARA D. BOVBJERG, DIRECTOR OF EDUCATION, WORKFORCE, AND INCOME SECURITY ISSUES, U.S. GENERAL ACCOUNTING OFFICE Ms. BOVBJERG. Thank you. Mr. Chairman, Members of the Subcommittee, good morning. I am pleased to be here today once again to discuss issues associated with the use and misuse of the SSN. The wide use of SSNs for non-Social Security purposes causes concern because these numbers, as these gentlemen have noted, are among the personal identifiers most often sought by identity thieves. Today I will present results of our completed and ongoing work on a variety of issues associated with the SSN. I would like to focus first on the private sector use of the SSN and the protections that companies apply, and then second on public sector uses and protections. My testimony is based on reports we have prepared for you over the last several years, and on ongoing work that focuses more specifically on SSNs in public records. Let me speak first about the SSN in the private sector. We reported to you in January that companies use the SSN for a variety of purposes, only some of which are restricted by law. Consumer reporting agencies and health care organizations have come to rely on the SSN as an identifier in the course of doing their business, like assessing credit risk or tracking patient care. These businesses often obtain SSNs from the individuals seeking their services, and the re-disclosure of these SSNs to others is restricted by Federal law. Some businesses that function as information resellers aggregate information, including SSNs, from various sources for resale. They obtain data from public records like bankruptcy proceedings, tax liens and voter registration rolls, and from private compilations like phone books. These businesses then resell this information to a variety of customers. The resellers we contacted told us that they generally limit their services to customers who establish accounts with them and with whom they have contracts that restrict the extent to which the data purchased can be re-disclosed. Many also say they truncate the SSN if they provide it at all. Indeed, Federal and State laws have apparently helped to control business display and distribution of personal information. At the Federal level, the Fair Credit Reporting Act (P.L. 91-508), Gramm-Leach-Bliley, Health Insurance Portability and Accountability Act 1996 (HIPAA) (P.L. 104-191), among others, have controlled use, distribution and display of the SSN in specific industries. Several States, most notably California, have enacted laws restricting display and use of SSNs, and although limited to a particular State, these restrictions have caused private companies to alter their policies, in some cases nationwide. No law, however, restricts use and display of the SSN in all industries, in all locations, leaving the potential for misuse where protections are inadequate. Let me now turn to the public sector. As we have reported previously, Federal, States and county government agencies rely extensively on the SSN to maintain records with unique identifiers and to maintain program integrity. Although government agencies told us of various steps they take to safeguard the SSNs they use, we found that key protections are not uniformly in place, and that individual SSNs are still displayed on key public documents such as the Medicare card. We also found that some Federal agencies and many State and county agencies maintain public records that contain SSNs. Public records are documents routinely made available to the public for inspection, such as marriage licenses and property transactions. When we examined this issue 2 years ago, some public officials told us they were considering making such records available on their Web sites to enhance customer service. We expressed our concern then that such actions would create new opportunities for identity thieves to gather SSNs on a broad scale. We are currently conducting work for the Subcommittee to determine where and how SSNs most regularly appear in public records. Preliminary data suggest that SSNs most frequently appear in court records, land records, uniform commercial code filings, and professional licensing records. We are still analyzing the extent to which these records are available electronically. Interestingly, some of the government agencies we surveyed reported that although SSNs appeared in the public records they retain, they had no specific use for them. In conclusion, although SSNs are used for many beneficial purposes, the widespread use and retention of them in both the public and private sectors creates opportunities for identity theft. Although both government and private companies have strengthened their protections of personal data and have indeed reduced display of this information in the last several years, these actions are far from uniform and still leave troubling gaps. Reducing Americans' vulnerability to SSN misuse will require finding the balance between the benefits of SSN use and the costs of improved and more consistent protection. We look forward to continuing to work with this Subcommittee to identify vulnerabilities and to devise adequate and cost- effective protections, and hope that these will serve the millions of Americans with SSNs. Thank you. [The prepared statement of Ms. Bovbjerg follows:] Statement of Barbara D. Bovbjerg, Director of Education, Workforce, and Income Security Issues, U.S. General Accounting Office Mr. Chairman and Members of the Subcommittee: I am pleased to be here today to discuss private and public sector entities' use of Social Security numbers (SSNs). Although the Social Security Administration (SSA) originally created SSNs as a means to track workers' earnings and eligibility for Social Security benefits, over time the SSN has come to be used for a myriad of purposes; individuals are frequently asked to supply personal information, including their SSNs, to both public and private sector entities. In addition, individuals' SSNs can be found in a number of public sources such as records displayed to the public. Given the uniqueness and broad applicability of the SSN, many private and public sector entities rely extensively on the SSN sometimes as a way to accumulate and identify information for their databases, sometimes to comply with federal regulations, and other times for various business purposes. The potential for misuse of the SSN has raised questions about how private and public sector entities obtain, use, and protect SSNs. Although Congress has passed a number of laws to protect the security of personal information, the continued use of and reliance on SSNs by both private and public sector entities underscores the importance of determining if appropriate safeguards are in place to protect individuals' private information or if enhanced protection of individuals' personal information is needed. Accordingly, you asked us to talk about how certain types of private and public sector entities obtain SSNs and what protections, if any, exist to govern their use. My remarks today will focus on describing (1) how private sector entities obtain, use, and protect SSNs and (2) public sector uses and protections. To determine how private sector entities obtain, use, and protect SSNs, we relied on our previous work that looked at how private sector entities obtain and use SSNs and the laws that limit disclosure of this use.\1\ To determine how the public sector uses and protects SSNs, we also relied on our previous work that looked at the government's use and protection of SSNs.\2\ We are currently conducting a survey of state and local agencies to determine the extent to which SSNs are displayed in public records, the types of records they are displayed in, and how those records are maintained. In addition, we are conducting structured interviews of federal agencies concerning the display of SSNs. --------------------------------------------------------------------------- \1\ U.S. General Accounting Office, Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information, GAO-04-11 (Washington D.C.: January 22, 2004). \2\ See U.S. General Accounting Office, Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May 31, 2002). --------------------------------------------------------------------------- In summary, entities such as information resellers, consumer reporting agencies (CRAs), and health care organizations routinely obtain SSNs from their business clients and from public sources, such as marriage licenses, paternity determinations, and professional licenses. Businesses use SSNs for various purposes, such as to build databases, verify individuals' identities, or match existing records.\3\ Given the various types of services these companies offer, we found that all of these entities have come to rely on the SSN as an identifier, which they say helps them determine a person's identity for the purpose of providing the services they offer. However, certain federal laws have helped to limit the disclosures of personal information these private sector entities are allowed to make to their customers. Private sector entities are either subject to the laws directly, given the nature of their business, or indirectly, through their business clients who are subject to these laws. Some states have also enacted laws to restrict the private sector's use of SSNs. However, such restrictions vary by state. --------------------------------------------------------------------------- \3\ GAO-04-11 (Washington D.C.: January 2004). --------------------------------------------------------------------------- Public sector entities also rely extensively on SSNs. These agencies often obtain SSNs for compliance with federal laws and regulations and for their own agencies' purposes. We found that federal, state, and county government agencies rely extensively on the SSN to manage records, verify benefit eligibility, collect outstanding debt, conduct research and program evaluations, and verify information provided to state drivers' licensing agencies.\4\ Given that SSNs are often the identifier of choice among individuals seeking to create false identities, these agencies are taking steps to safeguard SSNs. Yet despite these actions, SSNs appear in records displayed to the public such as documents that record financial transactions or court documents. In our current work for this Subcommittee, we are looking at the storage, display, and protection of SSNs in public records. Our preliminary survey data show that the types of records mostly likely to contain SSNs and be made available to the general public by state government entities are court records, death records, Uniform Commercial Code (UCC) filings, and professional licensing records. In addition, our preliminary results show responding state offices reported over 35 instances where they had no specific use for collecting SSNs. In a previous report, we proposed that Congress consider developing a unified approach to safeguarding SSNs used in all levels of government and particularly those displayed in public records, and we continue to believe that this approach has merit.\5\ --------------------------------------------------------------------------- \4\ GAO-02-352 (Washington D.C.: May 2002). \5\ GAO-02-352 (Washington D.C.: May 2002). --------------------------------------------------------------------------- Background The Social Security Act of 1935 authorized SSA to establish a record-keeping system to help manage the Social Security program, and this resulted in the creation of the SSN. Through a process known as enumeration, unique numbers are created for every person as a work and retirement benefit record for the Social Security program. SSA generally issues SSNs to most U.S. citizens, and SSNs are also available to noncitizens lawfully admitted to the United States with permission to work. SSA estimates that approximately 277 million individuals currently have SSNs. The SSN has become the identifier of choice for government agencies and private businesses, and thus it is used for a myriad of non-Social Security purposes. The growth in the use of SSNs is important to individual SSN holders because these numbers, along with names and birth certificates, are among the three personal identifiers most often sought by identity thieves.\6\ In addition, SSNs are used as breeder information to create additional false identification documents, such as drivers' licenses. Recent statistics collected by federal agencies and CRAs indicate that the incidence of identity theft appears to be growing.\7\ The Federal Trade Commission (FTC), the agency responsible for tracking identity theft, reported that consumer fraud and identity theft complaints grew from 404,000 in 2002 to 516,740 in 2003. In 2003, consumers also reported losses from fraud of more than $437 million, up from $343 million in 2002. In addition, identity crime account for over 80 percent of SSN misuse allegations according to the SSA. Also, officials from two of the three national CRAs report an increase in the number of 7-year fraud alerts placed on consumer credit files, which they consider to be reliable indicators of the incidence of identity theft.\8\ Law enforcement entities report that identity theft is almost always a component of other crimes, such as bank fraud or credit card fraud, and may be prosecuted under the statutes covering those crimes. --------------------------------------------------------------------------- \6\ United States Sentencing Commission, Identity Theft Final Alert (Washington, D.C.: Dec. 15, 1999). \7\ U.S. General Accounting Office, Identity Theft: Prevalence and Cost Appear to be Growing, GAO-02-363 (Washington, D.C.: Mar. 1, 2002). \8\ A fraud alert is a warning that someone may be using the consumer's personal information to fraudulently obtain credit. When a fraud alert is placed on a consumer's credit card file, it advises credit grantors to conduct additional identity verification before granting credit. The three consumer reporting agencies offers fraud alerts that can vary from 2 to 7 years at the discretion of the individual. --------------------------------------------------------------------------- Private Sector entities Routinely Obtain and Use SSNs, and Certain Laws Affect The Disclosure of This Information Private sector entities such as information resellers, CRAs, and health care organizations routinely obtain and use SSNs.\9\ Such entities obtain the SSNs from various public sources and their business clients wishing to use their services. We found that these entities usually use SSNs for various purposes, such as to build tools that verify an individual's identity or match existing records. Certain federal laws have limited the disclosures private sector entities are allowed to make to their customers, and some states have also enacted laws to restrict the private sector's use of SSNs. --------------------------------------------------------------------------- \9\ Information resellers, sometimes referred to as information brokers, are businesses that specialize in amassing consumer information that includes SSNs for informational services. CRAs, also known as credit bureaus, are agencies that collect and sell information about the creditworthiness of individuals. Health care organizations generally deliver their services through a coordinated system that includes health care providers and health plans, also referred to as health care insurers. --------------------------------------------------------------------------- Private Sector Entities Obtain SSNs from Public and Private Sources and Use SSNs for Various Purposes Private sector entities such as information resellers, CRAs, and health care organizations generally obtain SSNs from various public and private sources and use SSNs to help identify individuals. Of the various public sources available, large information resellers told us they obtain SSNs from various records displayed to the public such as records of bankruptcies, tax liens, civil judgments, criminal histories, deaths, real estate ownership, driving histories, voter registrations, and professional licenses. Large information resellers said that they try to obtain SSNs from public sources where possible, and to the extent public record information is provided on the Internet, they are likely to obtain it from such sources. Some of these officials also told us that they have people that go to courthouses or other repositories to obtain hard copies of public records. Additionally, they obtain batch files of electronic copies of all public records from some jurisdictions. Given the varied nature of SSN data found in public records, some reseller officials said they are more likely to rely on receiving SSNs from their business clients than they are from obtaining SSNs from public records. These entities obtain SSNs from their business clients, who provide SSNs in order to obtain a reseller's services or products, such as background checks, employee screening, determining criminal histories, or searching for individuals. Large information resellers also obtain SSN information from private sources. In many cases such information was obtained through review of data where a customer has voluntarily supplied information resellers with information about himself or herself. In addition, large reseller officials said they also use their clients' records in instances where the client has provided them with information. We also found that Internet-based resellers rely extensively on public sources and records displayed to the public. These resellers listed on their Web sites public information sources, such as newspapers, and various kinds of public record sources at the county, state, and national levels. During our investigation, we determined that once Internet-based resellers obtained an individual's SSN they relied on information in public records to help verify the individual's identity and amass information around the individual's SSN. Like information resellers, CRAs also obtain SSNs from public and private sources as well as from their customers or the businesses that furnish data to them. CRA officials said that they obtain SSNs from public sources, such as bankruptcy records, a fact that is especially important in terms of determining that the correct individual has declared bankruptcy. CRA officials also told us that they obtain SSNs from other information resellers, especially those that specialize in obtaining information from public records. However, SSNs are more likely to be obtained from businesses that subscribe to their services, such as banks, insurance companies, mortgage companies, debt collection agencies, child support enforcement agencies, credit grantors, and employment screening companies. Individuals provide these businesses with their SSNs for reasons such as applying for credit, and these businesses voluntarily report consumers' charge and payment transactions, accompanied by SSNs, to CRAs. We found that health care organizations were less likely to rely on public sources for SSN data. Health care organizations obtain SSNs from individuals themselves and from companies that offer health care plans. For example, subscribers or policyholders provide health care plans with their SSNs through their company or employer group when they enroll in health care plans. In addition to health care plans, health care organizations include health care providers, such as hospitals. Such entities often collect SSNs as part of the process of obtaining information on insured people. However, health care officials said that, particularly with hospitals, the medical record number rather than the SSN is the primary identifier. Information resellers, CRAs, and health care organization officials all said that they use SSNs to verify an individual's identity. Most of the officials we spoke to said that the SSN is the single most important identifier available, mainly because it is truly unique to an individual, unlike an individual's name and address, which can often change over an individual's lifetime. Large information resellers said that they generally use the SSN as an identity verification tool. Some of these entities have incorporated SSNs into their information technology, while others have incorporated SSNs into their clients' databases used for identity verification. For example, one large information reseller that specializes in information technology solutions has developed a customer verification data model that aids financial institutions in their compliance with some federal laws regarding ``knowing your customer.'' We also found that Internet-based information resellers use the SSN as a factor in determining an individual's identity. We found these types of resellers to be more dependent on SSNs than the large information resellers, primarily because their focus is more related to providing investigative or background-type services to anyone willing to pay a fee. Most of the large information resellers officials we spoke to said that although they obtain the SSN from their business clients, the information they provide back to their customers rarely contains the SSN. Almost all of the officials we spoke to said that they provide their clients with a truncated SSN, an example of which would be xxx-xx-6789. CRAs use SSNs as the primary identifier of individuals, which enables them to match the information they receive from their business clients with the information stored in their databases on individuals.\10\ Because these companies have various commercial, financial, and government agencies furnishing data to them, the SSN is the primary factor that ensures that incoming data is matched correctly with an individual's information on file. For example, CRA officials said they use several factors to match incoming data with existing data, such as name, address, and financial account information. If all of the incoming data, except the SSN, match with existing data, then the SSN will determine the correct person's credit file. Given that people move, get married, and open new financial accounts, these officials said that it is hard to distinguish among individuals. Because the SSN is the one piece of information that remains constant, they said that it is the primary identifier that they use to match data. --------------------------------------------------------------------------- \10\ We found that CRAs and information resellers can sometimes be the same entity, a fact that blurs the distinction between the two types of businesses but does not affect the use of SSNs by these entities. Five of the six large information resellers we spoke to said they were also CRAs. Some CRA officials said that information reselling constituted as much as 40 percent of CRAs' business. --------------------------------------------------------------------------- Health care organizations also use the SSN to help verify the identity of individuals. These organizations use SSNs, along with other information, such as name, address, and date of birth, as a factor in determining a member's identity. Health care officials said that health care plans, in particular, use the SSN as the primary identifier of an individual, and it often becomes the customer's insurance number. Health care officials said that they use SSNs for identification purposes, such as linking an individual's name to an SSN to determine if premium payments have been made. They also use the SSN as an online services identifier, as an alternative policy identifier, and for phone-in identity verification. Health care organizations also use SSNs to tie family members together where family coverage is used,\11\ to coordinate member benefits, and as a cross-check for pharmacy transactions. Health care industry association officials also said that SSNs are used for claims processing, especially with regard to Medicare. According to these officials, under some Medicare programs, SSNs are how Medicare identifies benefits provided to an individual. --------------------------------------------------------------------------- \11\ During the enrollment process, subscribers have a number of options, one of which is decided whether they would like single or family coverage. In cases where family coverage is chosen, the SSN is the key piece of information generally allowing the family members to be linked. --------------------------------------------------------------------------- Certain Laws Limit the Private Sectors' Disclosure of Personal Information That Includes SSNs Certain federal and state laws have placed restrictions on certain private sector entities use and disclosure of consumers' personal information that includes SSNs. Such laws include the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Drivers Privacy Protection Act (DPPA), and the Health Insurance Portability and Accountability Act (HIPAA). As shown in table 1, the laws either restrict the disclosures that entities such as information resellers, CRAs, and health care organizations are allowed to make to specific purposes or restrict whom they are allowed to give the information to. Moreover, as shown in table 1, these laws focus on limiting or restricting access to certain personal information and are not specifically focused on information resellers. See appendix I for more information on these laws. Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure of Personal Information ------------------------------------------------------------------------ Federal Laws Restrictions ------------------------------------------------------------------------ Fair Credit Reporting Act Limits access to credit data that includes SSNs to those who have a permissible purpose under the law. Gramm-Leach-Bliley Act Creates a new definition of personal information that includes SSNs and limits when financial institutions may disclose the information to non- affiliated third parties. Drivers Privacy Protection Act Prohibits obtaining and disclosing SSNs and other personal information from a motor vehicle record except as expressly permitted under the law. Health Insurance Portability and Protects the privacy of Accountability Act health information that identifies an individual (including by SSNs) and restricts health care organizations from disclosing such information to others without the patient's consent. ------------------------------------------------------------------------ Source: GAO analysis. We reviewed selected legislative documents of 18 states and found that at least 6 states have enacted their own legislation to restrict either the display or use of SSNs by the private sector.\12\ Notably, in 2001, California enacted Senate Bill (SB) 168, restricting private sector use of SSNs. Specifically, this law generally prohibits companies and persons from certain uses such as, posting or publicly displaying SSNs and printing SSNs on cards required to access the company's products or services. Furthermore, in 2002, shortly after the enactment of SB 168, California's Office of Privacy Protection published recommended practices for protecting the confidentiality of SSNs. These practices were to serve as guidelines to assist private and public sector organizations in handling SSNs. --------------------------------------------------------------------------- \12\ On the basis of our interviews with private sector businesses and organizations, contacts with some state offices of attorney general, and identified state laws and legislative initiatives related to the use of SSNs, we did a legislative review of 18 states that were identified as having laws or proposed laws governing SSN use. In the 18 states we researched, we reviewed more than 40 legislative documents, including relevant laws, proposed laws, legislative summaries, and other related documents, such as state regulations, executive orders, and referendums. --------------------------------------------------------------------------- Similar to California's law, Missouri's law (2003 Mo. SB 61), which is not effective until July 1, 2006, bars companies from requiring individuals to transmit SSNs over the Internet without certain safety measures, such as encryption and passwords. However, while SB 61 prohibits a person or private entity from publicly posting or displaying an individual's SSN ``in any manner,'' unlike California's law, it does not specifically prohibit printing the SSN on cards required to gain access to products or services. In addition, Arizona's law (2003 Ariz. Sess. Laws 137), effective January 1, 2005, restricts the use of SSNs in ways very similar to California's law. However, in addition to the private sector restrictions, it adds certain restrictions for state agencies and political subdivisions.\13\ For example, state agencies and political subdivisions are prohibited from printing an individual's SSN on cards and certain mailings to the individual. Last, Texas prohibits the display of SSNs on all cards, while Georgia and Utah's laws are directed at health insurers and, therefore, pertain primarily to insurance identification cards.\14\ None of these three laws contain the provisions mentioned above relating to Internet safety measures and mailing restrictions. Table 2 lists states that have enacted legislation and related provisions. --------------------------------------------------------------------------- \13\ Political subdivisions would include counties, cities, and towns. \14\ Georgia's law (O.C.G.A. 33-24-57.1(f)) and Utah's law (Utah Code Ann. 31-22-634) are both effective July 1, 2004. However, Utah's law provides certain extensions until March 1, 2005. Texas' law (2003 Tex. Gen. Laws 341) is effective March 1, 2005. Table 2: Provisions Included in Enacted Legislation Reviewed ------------------------------------------------------------------------ States Where Provision or Provision Restriction Enacted ------------------------------------------------------------------------ Specifically prohibits display on cards AZ, CA, GA, TX, UT Requires Internet safety measures AZ, CA, MO Restricts mailing of SSNs AZ, CA ------------------------------------------------------------------------ Source: GAO analysis. Public Sector Entities Also Use SSNs and Some Agencies Limit Their Use and Display Even Though SSNs are Displayed in Some Public Records Agencies at all levels of government frequently obtain and use SSNs. A number of federal laws require government agencies to obtain SSNs, and these agencies use SSNs to administer their programs, verify applicants' eligibility for services and benefits, and do research and evaluation. Given the potential for misuse, some government agencies are taking steps to limit their use and display of SSNs and prevent the proliferation of false identities. However, given the open nature of certain government records, SSNs appear in some records displayed to the public. Our ongoing work is looking at the storage, display, and protection of SSNs in records displayed to the public. Public Sector Entities Are Required by Laws and Regulations to Obtain SSNs for Various Purposes Government agencies obtain SSNs because a number of federal laws and regulations require certain programs and federally funded activities to use the SSN for administrative purposes.\15\ Such laws and regulations require the use of the SSN as an individual's identifier to facilitate automated exchanges that help administrators enforce compliance with federal laws, determine eligibility for benefits, or both. For example, the Internal Revenue Code and regulations, which govern the administration of the federal personal income tax program, require that individuals' SSNs serve as taxpayer identification numbers.\16\ A number of other federal laws require program administrators to use SSNs in determining applicants' eligibility for federally funded benefits. The Social Security Act requires individuals to provide their SSNs in order to receive benefits under the SSI, Food Stamp, Temporary Assistance for Needy Families, and Medicaid programs.\17\ In addition, the Commercial Motor Vehicle Safety Act of 1986 requires the use of SSNs to identify individuals and established the Commercial Driver's License Information System, a nationwide database where states may use individuals' SSNs to search the database for other state-issued licenses commercial drivers may hold.\18\ Federal law also requires the use of SSNs in state child support programs to help states locate noncustodial parents, establish and enforce support orders, and recoup state welfare payments from parents.\19\ The law also allows states to record SSNs on many other state documents, such as professional, occupational, and marriage licenses; divorce decrees; paternity determinations; and death certificates, and to make SSNs associated with these documents available for state child support agencies to use in locating and obtaining child support payments from noncustodial parents. --------------------------------------------------------------------------- \15\ U.S. General Accounting Office, Social Security Numbers: Government and Commercial Use of the Social Security Number is Widespread, GAO/HEHS-99-28 (Washington D.C.: February 1999). \16\ This means that employers and others making payments to individuals must include the individuals' SSNs in reporting to IRS many of these payments. In addition, the Code and regulations require individuals filing personal income tax returns to include their SSNs as their taxpayer identification number, the SSNs of people whom they claim as dependents, and the SSNs of spouses to whom they paid alimony. \17\ Applicants give program administrators information on their income and resources, and program administrators use applicants' SSNs to match records with those of other organizations. \18\ States may also use SSNs to search another database, the National Driver's Registry, to determine whether an applicant's license has been cancelled, suspended, or revoked by another state. In these situations, the states use SSNs to limit the possibility of inappropriately licensing applicants. \19\ The law requires states to maintain records that include (1) SSNs for individuals who owe or are owed support for cases in which the state has ordered child support payments to be made, the state is providing support, or both, and (2) employers' records of new hires identified by SSN. --------------------------------------------------------------------------- Government agencies use SSNs for a variety of reasons. We found that most of these agencies use SSNs to administer their programs, such as to identify, retrieve, and update their records. In addition, many agencies also use SSNs to share information with other entities to bolster the integrity of the programs they administer. As unique identifiers, SSNs help ensure that the agency is obtaining or matching information on the correct person. Government agencies also share information containing SSNs for the purpose of verifying an applicant's eligibility for services or benefits, such as matching records with state and local correctional facilities to identify individuals for whom the agency should terminate benefit payments. SSNs are also used to ensure program integrity. Agencies use SSNs to collect delinquent debts and even share information for this purpose. In addition, SSNs are used for statistics, research, and evaluation. Agencies responsible for collecting and maintaining data for statistical programs that are required by statute, make use of SSNs. In some cases, these data are compiled using information provided for another purpose. For example, the Bureau of the Census prepares annual population estimates for states and counties using individual income tax return data linked over time by SSN to determine immigration rates between localities.\20\ SSNs also provide government agencies and others with an effective mechanism for linking data on program participation with data from other sources to help evaluate the outcomes or effectiveness of government programs. In some cases, records containing SSNs are sometimes matched across multiple agency or program databases.\21\ --------------------------------------------------------------------------- \20\ The Bureau of the Census is authorized by statute to collect a variety of information, and the Bureau is also prohibited from making it available, except in certain circumstances. \21\ The statistical and research communities refer to the process of matching records containing SSNs for statistical or research purposes as ``record linkage.'' See U.S. General Accounting Office, Record Linkage and Privacy: Issues in Creating New Federal Research and Statistical Information, GAO-01-126SP (Washington, D.C.: Apr. 2001). --------------------------------------------------------------------------- Finally, government agencies use employees' SSNs to fulfill some of their responsibilities as employers. For example, personnel departments of these agencies use SSNs to help them maintain internal records and provide employee benefits. In addition, employers are required by law to use employees' SSNs when reporting wages. Wages are reported to SSA, and the agency uses this information to update earnings records it maintains for each individual. The Internal Revenue Service (IRS) also uses SSNs to match the employer wage reports with amounts individuals report on personal income tax returns. Federal law also requires that states maintain employers' reports of newly hired employees, identified by SSNs. States must forward this information to a national database that is used by state child support agencies to locate parents who are delinquent in child support payments. Government Agencies Are Taking Steps to Limit the Use and Display of SSNs Despite the widespread use of SSNs at all levels of government, not all agencies use SSNs. We found that some agencies do not obtain, receive, or use SSNs of program participants, service recipients, or individual embers of the public.\22\ Moreover, not all agencies use the SSN as their primary identification number for record-keeping purposes. These agencies maintain an alternative number that is used in addition to or in lieu of SSNs for certain activities. --------------------------------------------------------------------------- \22\ GAO-02-352 (Washington D.C.: May 2002). --------------------------------------------------------------------------- Some agencies are also taking steps to limit SSNs displayed on documents that may be viewed by others who may not have a need to view this personal information. For example, the Social Security Administration has truncated individuals' SSNs that appear on the approximately 120 million benefits statements it mails each year. Some states have also passed laws prohibiting the use of SSNs as a student identification number. Almost all states have modified their policies on placing SSNs on state drivers' licenses. At the federal level, SSA has taken steps in its enumeration process and verification service to help prevent SSNs from being used to proliferate false identities. SSA has formed a task force to address weaknesses in its enumeration process and has (1) increased document verifications and developed new initiatives to prevent the inappropriate assignment of SSNs to noncitizens, and (2) undertaken initiatives to shift the burden of processing noncitizen applications from its field offices. \23\ SSA also helps prevent the proliferation of false identities through its verification service, which allows state driver licensing agencies to verify the SSN, name, and date of birth of customers with SSA's master file of Social Security records.\24\ Finally, SSA has also acted to correct deficiencies in its information systems' internal controls. These changes were made in response to the findings of an independent audit that found that SSA's systems were exposed to both internal and external intrusion, increasing the possibility that sensitive information such as SSNs could be subject to unauthorized access, modification, and disclosure, as well as the risk of fraud. --------------------------------------------------------------------------- \23\ See U.S. General Accounting Office, Social Security Administration: Actions Taken to Strengthen Procedures for Issuing Social Security Numbers to Noncitizens but Some Weakness Remain, GAO- 04-12 (Washington D.C.: October 15, 2003). See U.S. General Accounting Office, Social Security Numbers: Improved SSN Verification and Exchange of States' Driver Records Would Enhance Identity Verification, GAO-03- 920 (Washington D.C.: September 15, 2003). \24\ GAO-03-920 (Washington D.C.: September 2003). --------------------------------------------------------------------------- Public Records Can Also Be a Source of SSNs Given the open nature of certain government records, SSNs appear in these records for a number of reasons. For example, SSNs may already be a part of a document that is submitted to a recorder for official preservation, such as veterans' discharge papers. Documents that record financial transactions, such as tax liens and property settlements, also contain SSNs to help identify the correct individual. As previously stated, government officials are required by law to collect SSNs in numerous instances. Moreover, some state laws allow government entities to collect SSNs on voter registries to help avoid duplicate registrations. Courts at all three levels of government also collect and maintain records that are routinely made available to the public. Court records overall are presumed to be public. However, each court may have its own rules or practices governing the release of information. SSNs appear in court documents for a variety of reasons. In many cases, SSNs are already a part of documents that are submitted by attorneys or individuals. These documents could be submitted as part of the evidence for a proceeding or could be included as part of a petition for an action, such as a judgment or a divorce. In other cases, courts include SSNs on documents they and other government officials create, such as criminal summonses, arrest warrants, and judgments, to increase the likelihood that the correct individual is affected (i.e., to avoid arresting the wrong John Smith). Again, in some cases, federal law requires that SSNs be placed in certain records that courts maintain, such as child support orders. In our prior report, we looked at the extent and nature of federal, state, and county governments' use of SSNs when they are contained in public records, and the options available to better safeguard SSNs that are found in these public records.\25\ Our findings led us to suggest that Congress consider addressing SSN security and display issues in state and local government and in public records, including those maintained by the judicial branch of government at all levels. We proposed that Congress convene a representative group of officials from all levels of government to develop a unified approach to safeguard SSNs used in all levels of government and particularly those displayed in public records. --------------------------------------------------------------------------- \25\ GAO-02-352 (Washington D.C.: May 2002) --------------------------------------------------------------------------- At the request of this subcommittee, GAO was asked what types of public records SSNs are stored in, how are those records maintained, and to what extent SSNs are displayed inside those records. To do this work, we are surveying over 2,500 officials in state and local government agencies, including officials in all 50 states and the District of Columbia, and are conducting structured interviews of federal agencies. Our preliminary survey data show that the types of records most likely to contain SSNs and be made available to the general public by state government entities are court records, death records, UCC filings, and professional licensing records. At the local level, court records and land records are those most often cited as containing SSNs and being available to the general public. Preliminary data analysis indicates that identity verification is the most frequently given reason by both state and local respondents for collecting or using SSNs that are in records available to the public. Data matching and complying with state laws or regulations are also frequently cited as reasons for the collection or use of the SSN. However, responding state offices reported over 35 instances where they had no specific use for collecting SSNs. Conclusions Public and private entities use SSNs for many legitimate and publicly beneficial purposes. However, the more frequently SSNs are obtained and used, the more likely they are to be misused. As we continue to learn more about the entities that obtain SSNs and the purposes for which they obtain them, Congress and state legislatures will be able to determine if there are ways to limit access to this valuable piece of information and prevent it from being misused. However, restrictions on access or use may make it more difficult for businesses and government agencies to verify an individual's identity. Accordingly, policy makers will have to balance restrictions on the use of SSNs on the one hand with legitimate needs for the use of SSNs on the other. Although individuals may choose to provide their SSNs to public and private sector entities to obtain their services, individuals are often required to have their SSNs in records that may ultimately be displayed to the public. Such public display of personal information can create opportunities for identity crimes. Safeguarding SSNs in records displayed to the public offers an additional challenge because of the inherent tension between the nature of public records, that is, the need for transparency in government activities, and the need to protect individuals' privacy. For this reason, in prior work, we recommended that Congress convene a representative group of officials to develop a unified approach to safeguard SSNs used in all levels of government and particularly those displayed in public records. We continue to believe that this would be a useful step toward preventing SSN misuse while acknowledging the needs of various levels of government. At this subcommittee's request, we are continuing work on SSNs and their presence in public records and look forward to supporting continuing congressional consideration of these important policy issues. That concludes my testimony, and I would be pleased to respond to any questions the subcommittee has. Contacts and Acknowledgments For further information regarding this testimony, please contact Barbara D. Bovbjerg, Director; Tamara Cross, Assistant Director; or Alicia Cackley, Assistant Director of Education, Workforce, and Income Security Issues at (202) 512-7215. Individuals making key contributions to this testimony include Melinda Bowman, Raun Lazier, Joel Marus, and Caroline Sallee. ______ Appendix I: Federal Laws Affecting Information Resellers, CRAs, and Health Care Organizations: Gramm-Leach-Bliley Act (GLBA): GLBA requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some, but not all, sharing of their nonpublic personal information. Financial institutions are permitted to disclose consumers' nonpublic personal information without offering them an opt-out right in the following circumstances: to effect a transaction requested by the consumer in connection with a financial product or service requested by the consumer; maintaining or servicing the consumer's account with the financial institution or another entity as part of a private label credit card program or other extension of credit; or a proposed or actual securitization, secondary market sale, or similar transaction; with the consent or at the direction of the consumer; to protect the confidentiality or security of the consumer's records; to prevent actual or potential fraud, for required institutional risk control or for resolving customer disputes or inquiries, to persons holding a legal or beneficial interest relating to the consumer, or to the consumer's fiduciary; to provide information to insurance rate advisory organizations, guaranty funds or agencies, rating agencies, industry standards agencies, and the institution's attorneys, accountants, and auditors; to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety; to a consumer reporting agency in accordance with the Fair Credit Reporting Act or from a consumer report reported by a consumer reporting agency; in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business if the disclosure concerns solely consumers of such business; to comply with federal, state, or local laws; an investigation or subpoena; or to respond to judicial process or government regulatory authorities. Financial institutions are required by GLBA to disclose to consumers at the initiation of a customer relationship, and annually thereafter, their privacy policies, including their policies with respect to sharing information with affiliates and non-affiliated third parties. Provisions under GLBA place limitations on financial institutions disclosure of customer data, thus affecting some CRAs and information resellers. We found that some CRAs consider themselves to be financial institutions under GLBA.\26\ These entities are therefore directly governed by GLBA's restrictions on disclosing nonpublic personal information to non-affiliated third parties. We also found that some of the information resellers we spoke to did not consider their companies to be financial institutions under GLBA. However, because they have financial institutions as their business clients, they complied with GLBA's provisions in order to better serve their clients and ensure that their clients are in accordance with GLBA. For example, if information resellers received information from financial institutions, they could resell the information only to the extent that they were consistent with the privacy policy of the originating financial institution. --------------------------------------------------------------------------- \26\ Under GLBA, the term financial institution is defined as ``any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956,'' which goes into more detail about what are ``activities that are financial in nature.'' These generally include banking, insurance, and investment industries. --------------------------------------------------------------------------- Information resellers and CRAs also said that they protect the use of non-public personal information and do not provide such information to individuals or unauthorized third parties. In addition to imposing obligations with respect to the disclosures of personal information, GLBA also requires federal agencies responsible for financial institutions to adopt appropriate standards for financial institutions relating to safeguarding customer records and information. Information resellers and CRA officials said that they adhere to GLBA's standards in order to secure financial institutions' information. Drivers Privacy Protection Act (DPPA): The DPPA specifies a list of exceptions when personal information contained in a state motor vehicle record may be obtained and used (18 U.S.C. 2721(b)). These permissible uses include: for use by any government agency in carrying out its functions; for use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; motor vehicle market research activities, including survey research; for use in the normal course of business by a legitimate business, but only to verify the accuracy of personal information submitted by the individual to the business and, if such information is not correct, to obtain the correct information but only for purposes of preventing fraud by pursuing legal remedies against, or recovering on a debt or security interest against, the individual; for use in connection with any civil, criminal, administrative, or arbitral proceeding in any federal, state, or local court or agency; for use in research activities; for use by any insurer or insurance support organization in connection with claims investigation activities; for use in providing notice to the owners of towed or impounded vehicles; for use by a private investigative agency for any purpose permitted under the DPPA; for use by an employer or its agent or insurer to obtain information relating to the holder of a commercial driver's license; for use in connection with the operation of private toll transportation facilities; for any other use, if the state has obtained the express consent of the person to whom a request for personal information pertains; for bulk distribution of surveys, marketing, or solicitations, if the state has obtained the express consent of the person to whom such personal information pertains; for use by any requester, if the requester demonstrates that it has obtained the written consent of the individual to whom the information pertains; for any other use specifically authorized under a state law, if such use is related to the operation of a motor vehicle or public safety. As a result of DPPA, information resellers said they were restricted in their ability to obtain SSNs and other driver license information from state motor vehicle offices unless they were doing so for a permissible purpose under the law. These officials also said that information obtained from a consumer's motor vehicle record has to be in compliance with DPPA's permissible purposes, thereby restricting their ability to resell motor vehicle information to individuals or entities not allowed to receive such information under the law. Furthermore, because DPPA restricts state motor vehicle offices' ability to disclose driver license information, which includes SSN data, information resellers said they no longer try to obtain SSNs from state motor vehicle offices, except for permissible purposes. Health Insurance Portability and Accountability Act (HIPAA): The HIPAA privacy rule also defines some rights and obligations for both covered entities and individual patients and health plan members. Some of the highlights are: Individuals must give specific authorization before health care providers can use or disclose protected information in most nonroutine circumstances, such as releasing information to an employer or for use in marketing activities. Covered entities will need to provide individuals with written notice of their privacy practices and patients' privacy rights. The notice will contain information that could be useful to individuals choosing a health plan, doctor, or other service provided. Patients will be generally asked to sign or otherwise acknowledge receipt of the privacy notice. Covered entities must obtain an individual's specific authorization before sending them marketing materials. Health care organizations, including health care providers and health plan insurers, are subject to HIPAA's requirements. In addition to providing individuals with privacy practices and notices, health care organizations are also restricted from disclosing a patient's health information without the patient's consent, except for purposes of treatment, payment, or other health care operations. Information resellers and CRAs did not consider themselves to be ``covered entities'' under HIPAA, although some information resellers said that their customers are considered to be business associates under HIPAA. As a result, they said they are obligated to operate under HIPAA's standards for privacy protection, and therefore could not resell medical information without having made sure HIPAA's privacy standards were met. Fair Credit Reporting Act (FCRA); Congress has limited the use of consumer reports to protect consumers' privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report (15 USC 1681b). These permissible purposes are: as ordered by a court or a federal grand jury subpoena; as instructed by the consumer in writing; for the extension of credit as a result of an application from a consumer or the review or collection of a consumer's account; for employment purposes, including hiring and promotion decisions, where the consumer has given written permission; for the underwriting of insurance as a result of an application from a consumer; when there is a legitimate business need, in connection with a business transaction that is initiated by the consumer; to review a consumer's account to determine whether the consumer continues to meet the terms of the account; to determine a consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status; for use by a potential investor or servicer or current insurer in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation; and for use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof. Under FCRA, Congress has limited the use of consumer reports\27\ to protect consumers' privacy and limits access to credit data to those who have a legally permissible purpose for using the data, such as the extension of credit, employment purposes, or underwriting insurance. However, these limits are not specific to SSNs. All of the CRAs that we spoke to said that they are considered consumer reporting agencies under FCRA. In addition, some of the information resellers we spoke to who handle or maintain consumer reports are classified as CRAs under FCRA. Both CRAs and information resellers said that as a result of FCRAs restrictions they are limited to providing credit data to their customers that have a permissible purpose under FCRA. Consequently, they are restricted by law from providing such information to the general public. --------------------------------------------------------------------------- \27\ The FTC has determined that certain types of information, including SSNs, do not constitute as consumer report under FCRA because they are not factors in determining credit eligibility. --------------------------------------------------------------------------- Chairman SHAW. Thank you very much. Mr. Maxwell. STATEMENT OF LAWRENCE E. MAXWELL, ASSISTANT CHIEF INSPECTOR, INVESTIGATIONS AND SECURITY, UNITED STATES POSTAL INSPECTION SERVICE Mr. MAXWELL. Thank you, Mr. Chairman and Members of the Committee. I really appreciate your having us here today and your focus on this very important issue. As a way of background, myself and others in the Postal Inspection Service have reviewed the provisions in the new legislation, and we are very enthusiastic. I have had 27 years in law enforcement, most of which has been in mail fraud investigations, and I truly welcome a lot of the provisions here, particularly the preventive and the enhanced penalty methods. One of the things, for those who aren't familiar with the Postal Inspection Service, we date ourselves as the oldest Federal law enforcement agency, going back to Ben Franklin and the statute, mail fraud, was enacted in 1870s, and it makes it the oldest and the first consumer protection law on the books, arguably the best. I still think it is the best. One may ask, well, how did somebody who is in the hand delivery business get propelled into identity theft in the electronic communications age? Well, I will bring you up to that in a second how the tie- in is. The Postal Inspection Service covers Maine to Guam. There is roughly 2,000 of us, making us a very small agency. Approximately 300 inspectors are devoted to mail fraud, and we pride ourselves primarily on consumer fraud. As stated earlier, identity theft remains a vexing problem, insidious in nature, and clearly a predator on those unsuspecting. It totally devastates your life. It takes months, years to put it back together again afterward. So, clearly it is something that we have been living with for some time, and we are aggressively pursuing and should. From our experience, mail itself, based on an FTC study recently, only represents about 4 percent of identity crimes; 4 percent, that is, in stolen mail, information obtained from mail that has been stolen. We used to think it was worse. In fact, a lot of our prevention messages cued in on that, to protect your mail from theft. However, we have since learned that really it comes more from the after fact, the use of mails to file applications, credit information and so forth. However, that doesn't stop us from taking assertive actions on mail theft programs. In the mail fraud area, primarily what we have seen in both arrest statistics, a combination of arrests from mail theft and fraud, totals 3,000 of our 10,000 arrests each year. As you can conclude, that is a very substantial number of our activities in the criminal area. What we have found as a strategy, and that is really what we are here to address today, outreaching is extremely important. Ourselves and the FTC have been partners for some time. We have had a formal memorandum of understanding. We share data, fraud data, and we do a number of prevention and educational campaigns together. Clearly the events of 2 years ago propelled all of us in the law enforcement community to work better together, and although the Postal Inspection Service only has 200 statutes which it has to worry about, still we find a lot of the overlaps in areas where we can fill in the gaps and help out. For example, we are on a number of financial crimes investigative task forces around the country. We are also part of the National Joint Terrorism Task Force and the Joint Terrorism Task Force primarily focusing on mail information and financial information, again relating back to what we are talking about today. Finally, one of the major initiatives is with the credit card industry itself with a group called the Financial Crimes Task Force. We have been together since the middle of the nineties, and that is the industry involved in credit cards and the Postal Service inspectors dealing on ways to share best practices and enforcement. That has worked out very well. In fact, we have come out with a publication which I have made available to all of you called Fighting Identity Theft, and in there it actually highlights the use of the importance of SSNs by minimizing the use of SSNs on page nine, if you care to look at that at some time. Another portion of our focus would be on deterrence. Of course, as a law enforcement officer I would be remiss not saying how important it is to arrest those responsible for committing crimes. Deterrence serves a big purpose particularly when it is a high-profile case. Last year, for example, there was a case involving Carlos Lomax in Pittsburgh. He stole the identity of none other than Will Smith, the actor, obviously a prominent name, and he was doing quite well. In his guilty plea, and his cooperation, he agreed to film a video which we have available which he discusses some of the techniques he uses in identity theft. Finally, the strategy I most favor is prevention. We have a number of prevention campaigns, and to just spin the old adage, crime does not pay, we have used it to pay. We have had a couple of U.S. attorneys in the U.S. Department of Justice support us in putting asset forfeiture money and fine money into a fund called the Consumer Protection Fund. We have used that fund to conduct massive educational campaigns, joint campaigns. To my left, your right, is a poster where we had a partnership with Showtime where they made two feature films on postal inspector cases. For years we were known as ``the silent service,'' and we are finding now in prevention and getting the word out we can't be silent. They made a movie in the second of a series on identity theft specifically to dramatize the issue. On the right is a poster from the identity theft campaign which we conducted last September. In that campaign we had a massive outreach of mailings. We produced a mini-drama which is on digital video disk, which I have also made available highlights how identity theft occurs and how it is reported and how it is enforced. Then, at the very end, and, I think, in dramatic fashion, it gives you tips on what to do to prevent identity theft. We also did a saturation mailing and produced this brochure, which I think is very valuable. In closing, I would just reiterate the importance of that strategy using deterrence and prevention and primarily education, because fraud is a crime where people can prevent it. They don't have to participate if they know what to do. Thank you for your time. [The prepared statement of Mr. Maxwell follows:] Statement of Lawrence E. Maxwell, Assistant Chief Inspector, Investigations and Security, United States Postal Inspection Service Good morning, Mr. Chairman, members of the subcommittee. On behalf of the United States Postal Inspection Service, thank you for holding this hearing and giving me the opportunity to discuss the subject of identity crimes and the significant role Postal Inspectors play in combating it. I'm Lawrence E. Maxwell, Assistant Chief Inspector, Investigations and Security, for the U.S. Postal Inspection Service. Role of the Postal Inspection Service The U.S. Postal Service delivers more than 200 billion pieces of mail a year, containing money, messages, and merchandise, to 138 million addresses at some of the most affordable postage rates in the world. U. S. Postal Inspectors are mandated to safeguard all of it-- including the people who move it and the customers who use it. Congress empowered the Postal Service ``to investigate postal offenses and civil matters relating to the Postal Service.'' Through its security and enforcement functions, the Postal Inspection Service provides assurance to American businesses for the safe exchange of funds and securities through the U.S. Mail; to postal customers of the ``sanctity of the seal'' in transmitting correspondence and messages; and to postal employees of a safe work environment. As one of our country's oldest federal law enforcement agencies, founded by Benjamin Franklin, the United States Postal Inspection Service has a long, proud and successful history of fighting criminals who attack our nation's postal system and misuse it to defraud, endanger, or otherwise threaten the American public. Postal Inspectors work closely with U.S. Attorneys, other law enforcement agencies, and local prosecutors to investigate postal cases and prepare them for court. There are approximately 1,900 Postal Inspectors stationed throughout the United States who enforce roughly 200 federal laws covering investigations of crimes that adversely affect or fraudulently use the U.S. mail and postal system. Last year, U.S. Postal Inspectors made more than 11,000 arrests. Of those, over 6,000 were related to mail theft. One-third of those involved identity theft. In the first eight months of our 2004 fiscal year, we exceeded the number of identity theft arrests made throughout all of last year. What is Identity Theft? Identity theft occurs when a thief steals key pieces of someone's identifying information, such as name, date of birth, and Social Security number, and uses the information to fraudulently apply for credit or to take over a victim's credit or bank accounts. Identity theft occurs in a variety of ways. Those that involve the use of the mail receive swift and aggressive action by Postal Inspectors. We ensure that consumers are being protected. In addition, we work with the mailing industry to develop best practices on how best to design mailing pieces to prevent identity theft. Our collaboration with the mailing industry is another example of how the industry as a whole is serious about the issue and working to stay ontop of it for the benefit of consumers. Mail is important to consumers who receive itand to the businesses that send it. Tactics Used by Identity Thieves In the past, pre-screened credit offers were more vulnerable to identity theft because they simply required the customer to sign the solicitation and return it. But now credit card companies have begun automatically discarding applications when they are returned with a change of address. Actions by the industry have made these mailings less attractive to would-be identity thieves. Identity theft is continuing to evolve with the expansion of the Internet and other electronic means. The mail is no more vulnerable than other sources of personal information, such as corporate and government records and computer databases. Financial institutions have implemented many safeguards to reduce the likelihood that personal financial information found within the mail can be stolen. The Postal Service is continually working to improve the security of the mail, and Postal Inspectors are making great strides in apprehending those who would use the mail to further their crimes. Identity fraud is digging deep into consumer's pockets--millions of dollars were lost in the past year by financial institutions and victims across the country. Thieves use a variety of tactics to drain a victim's finances, including stealing mail; posing as a loan officer and ordering a victim's credit report (which lists account numbers); ``shoulder surfing'' at the ATM or phone booth to get a victim's PIN code; and ``dumpster diving'' in trash bins looking for credit applications, canceled checks or other bank records. Until a few years ago, a thief could submit an address change to divert customers' mail without their knowledge. Usually, redirected mail is sent to a commercial mail receiving agency in an attempt to insure the perpetrator's anonymity. In response to recommendations by the Chief Postal Inspector, a prevention measure that addresses fraudulent change-of-address orders was adopted by the U.S. Postal Service. Post Offices now send a ``Move Validation Letter'' to both the old and new address when a change is filed. The letter instructs an individual to call an ``800'' number if a change was not filed. This simple measure has virtually eliminated false changes-of-address submitted to the Postal Service as an avenue for committing identity theft. Impact on Victims One of the most insidious aspects of identity theft is the length of time the scheme is carried out before it comes to anyone's attention. It may be months before a victim realizes they've been targeted. It's not until a consumer gets turned down for credit, a car loan, or a mortgage on a dream house because of a bad credit rating-- knowing they've paid their bills--do they begin to realize what has taken place. Most victims do not learn about the theft of their identity until 14 months after it has occurred. More than half of the victims we interviewed report their cases have been open, on average, 44 months. They also reported that, as victims, they spent, on average, 175 hours actively trying to restore their credit and ``to clear their good name.'' Identity theft can do more than ruin a person's credit; it can cause more serious damage. Identity theft hurts a victim in two ways. First a victim must deal with the obvious financial issues. Second, a victim must contend with privacy and practical issues such as overcoming a credit history that isn't theirs. The problem doesn't go away with a few phone calls--it can stick with a victim for a long time. That's why it's such a serious issue. Victims run the gamut of society, they're wealthy, they're poor, they're old, and they're young. Anyone can become a victim. In a recent Postal Inspection Service investigation based in Chicago, Illinois, the destructive activities of an identity thief resulted in the loss of thousands of dollars and the death of a primary victim. The scheme began in July 1999 when the identity thief began dating the estranged wife of a Chicago resident. Without the victim's knowledge, the wife assisted the thief in stealing her former spouse's identity by providing the thief with the spouse's personal information. In January 2000, the spouse filed a complaint with the Chicago Police Department after realizing that he was a victim of identity theft with losses over $200,000. In February, the spouse received a package from the thief wrapped as a FedEx delivery. After holding the package for several days, the spouse received a voice mail message from the thief indicating the package was a gift. As he sat in his living room, he opened the package, which exploded, killing him instantly. Last year a colleague of mine learned about identity theft the hard way. His bank called and asked if he had authorized a $4,500 cash advance on his credit card in Miami, Florida that day. He was stunned. The bank had called only hours after the withdrawal was made, following an alert initiated because certain account parameters indicated something might be wrong. Luckily for him, the bank simply asked that he sign an affidavit that he had not been in Miami and hadn't made the withdrawal. He wasn't held liable for the money. And he never found out what ID the thief had used to get access to his account. Unfortunately, my colleague's ordeal wasn't over. He received a call a few months later from a cellular phone company, asking if he'd opened an account with them in Miami. Someone had racked up $1,800 in calling charges under his name and then disappeared. Once again, he signed an affidavit disclaiming knowledge of the charges, and the account was cleared. This time, he called the three main credit bureaus and reported the fraud. My colleague is just one of hundreds of thousands of individuals who are victimized each year. The culprits may be found among employees (or patrons) of mailrooms, airlines, hotels or personnel offices-- anyone who has access to a person's financial information. They can use your credit card or instead use encoding equipment, sold by business supply companies, and blank cards with magnetic strips on the back, to encode your account number onto a counterfeit card with a different name. Thieves sometimes seek jobs specifically to get access to financial information; alternately, they may bribe employees in such positions to supply them with the data they want. The problem is compounded by the ease with which a phony ID can be obtained. On the Web are scores of sites with complete instructions on creating a ``new you.'' Personal computers, ``scanners'' and color printers (or copiers), all facilitate creating false identification documents. Commitment of Resources Jurisdiction Because identity theft crimes can involve the use of the mail, the U.S. Postal Inspection Service has become a lead agency in investigating these crimes. Even in cases where the original theft does not involve the mail, the mails may used to send the credit cards to a commercial mail receiving agency or alternate address. That's why Postal Inspectors are involved in investigating this crime and take it so seriously. Each of the Inspection Service's 18 field divisions investigates identity theft within their respective boundaries. Identity theft investigations are reported, categorized, and tracked in an Inspection Service national database used by management to coordinate the appropriate investigative response. During the past few years, Inspection Service resources devoted to identity theft investigations have increased significantly--by 38 per cent. Identity Theft Investigations In a typical case last year, Postal Inspectors arrested eight West African nationals who were operating a multimillion-dollar counterfeit and stolen credit card enterprise nationwide. And Postal Inspectors in New York arrested 16 members of a gang that ran a passport photo business, supplying false identifications for cashing checks stolen from the mail. Last year Postal Inspectors announced the results of a round-up of 103 mail thieves throughout the western United States. A multi-agency task force comprising U.S. Postal Inspectors, members of the U.S. Marshals Fugitive Apprehension Strike Task Force, U.S. Secret Service, state and local police, and the Northern California Identity Theft Task Force targeted mail thieves in California and Nevada. Similar operations took place in Arizona, Hawaii, Utah and New Mexico. Federal and state prosecutors supported the work of the task force by aggressively prosecuting individuals involved in mail and identity theft. Here are a few more examples of identity theft cases investigated by Postal Inspectors in the past year. In Detroit, Postal Inspectors investigated a gang of mail theft recidivists who were recruiting street people, called ``runners,'' to obtain cash advances from banks and casinos via credit cards. Inspectors executed a search warrant at the residence of a suspect and recovered more than 180 documents listing victims' personal IDs. Inspectors and agents from the Detroit Metro Identity Theft Task Force identified and arrested the ringleader of the group who, at the time of his arrest, had more than 700 car rental applications with names, dates of birth, Social Security numbers, and credit card accounts of potential victims. The ringleader and a cohort reportedly called credit card issuers, purporting to be the true account holders, and requested that replacement credit cards be mailed to them. The car rental manager who supplied the rental applications and an employee who worked at a health plan office were later indicted for providing documents to the gang. Total fraud losses exceeded $700,000. An Illinois man was sentenced to 25 months in prison and ordered to forfeit $590,000 in assets to banks after pleading guilty to the unlawful possession of an access device, mail fraud, and bank fraud. A joint investigation by Postal Inspectors and special agents of the Social Security Administration determined he had fraudulently applied for more than 200 credit cards using numerous victim IDs. Postal Inspectors in Jacksonville, Florida, arrested six people believed to be running a major identity theft ring. The arrests were the result of a joint investigation by the Northeast Florida High Tech Task Force, which includes Postal Inspectors, members of the Jacksonville Sheriff's Office, and several other federal, state, and local law enforcement agencies. Victims of the ring included employees of the Winn-Dixie Corporation and Hollywood, Florida, police and fire departments. The six suspects were charged with 44 counts of violations related to the Racketeering Influenced Corrupt Organization (RICO) Act, including criminal use of personal information, grand theft, organized fraud, and manufacturing fraudulent IDs. One of the suspects has already pled guilty to RICO violations and related charges. Las Vegas police arrested a man for ``driving under the influence'' and later discovered he had an outstanding arrest warrant for identity theft in Arizona. Phoenix Postal Inspectors reported he stole a person's Social Security number, applied for numerous credit cards in the victim's name, and had the cards mailed to a box he rented at a commercial mail receiving agency. Postal Inspectors and Secret Service agents searched the man's business and discovered numerous fraudulent documents. Statutes Used in Identity Theft Cases A number of statutes enable us to take action against identity theft involving the use of the mail. Under Title 18, U.S. Code, Section 1708, Postal Inspectors may arrest individuals for the possession of stolen mail or filing a false change-of-address order; the penalty is a $2,000 fine or up to five years' imprisonment, or both. In 1998, the Identity Theft and Assumption Deterrence Act of 1998, was signed into law. This law expanded the scope of the identity fraud statute (18 U.S.C. 1028), and made it a federal crime for the unauthorized use of personal identification in the commission of any federal law (felony or misdemeanor), or a state or local felony. But one of our top weapons in the fight against identity theft is a statute originally enacted over 125 years ago: the criminal mail fraud statute. If someone applies for a credit card in your name, perpetrators may be prosecuted under Title 18, USC 1341. The penalty is a $1,000 fine or up to five years' imprisonment, or both--unless a financial institution is affected, in which case the fine may be raised to $1 million and imprisonment for up to 30 years. The public policy that underlies this statute remains valid today: The postal system created by Congress to serve the American public should not be used to conduct schemes that seek to cheat the public. Our experience demonstrates that enforcement laws and mechanisms, coupled with an aggressive education campaign and enforcement efforts described below, are invaluable tools in the arsenal of law enforcement. Interagency and Industry Cooperation To address the fundamentals of identity theft, the Postal Inspection Service works diligently with the credit card industry, financial institutions and other law enforcement and regulatory agencies. In 1992, the Postal Inspection Service sponsored its first Credit Card Mail Security Initiative meeting in Washington, DC. We continue to promote and host these semi-annual meetings. Many of the preventive strategies discussed at our meetings have been implemented by our financial industry partners, and have resulted in reduced losses attributed to mail theft and the subsequent identity theft that occurs from it. The now-common concept of credit card activation was first proposed by a Postal Inspector and was promoted through the Credit Card Mail Security Initiative meetings. The industry embraced and implemented this prevention strategy, which resulted in the reduction of significant industry fraud losses over the past decade. In addition, working in conjunction with industry partners, Postal Inspectors analyze information from credit card thefts to identify ``Hot Spots'' for investigative attention. The Postal Inspection Service notifies the financial industry of zip code areas suffering abnormal losses, so they can take extra precautions when mailing to those areas. Thanks to the collaborative efforts between the Postal Inspection Service and its working-group partners, we are beginning to see the results of this and many other fraud prevention initiatives. In addition to modifying industry practices, our collaboration has produced a number of fraud prevention guides, including the Fraud Detection and Reference Guide; Account Takeover Prevention Guide; and Detecting and Preventing Credit Application Fraud. The working group was also responsible for the Identity Theft Consumer Awareness video and the Identity Theft brochure. At the conclusion of my testimony, I have included prevention tips prepared by the Postal Inspection Service in collaboration with its working partners. In 2003, the Postal Inspection Service decided to broaden the scope of the Credit Card Mail Security meetings to include presentations on money laundering, Internet fraud, and bank fraud schemes. As the focus has expanded, the name of our working group has changed to the Financial Industry Mail Security Initiative (FIMSI). The initiative has decided to capture many of the best practices developed over the years and share them with industry and law enforcement in the form of a 50- page document, reporting upon identity theft problems and issuing recommendations directed towards credit card companies and credit lenders for reducing or preventing it. One of those recommendations dealt specifically with limiting the use or display of social security numbers in sensitive records and mailings. To manage the vast data associated with these crimes, the Postal Inspection Service has developed a new financial crimes database. This computer application compiles a myriad of intelligence data relating to financial crimes, and provides Postal Inspectors with information that assists in identifying trends, criminal hotspots, and the scope of identity theft activity. Information for this database is provided by credit card issuers, other financial institutions, mail order companies, Postal Inspection Service investigations, and the victims themselves. According to a report released by the FTC this past September, mail theft as a source for identity theft happened in only 4% of the cases surveyed. As we have made it more difficult for mail theft to be a component of identity theft, criminals have turned to other means, oftentimes recruiting the assistance of insiders, in other words ``employees,'' who have access to the personal information, especially the social security numbers, of clients or other employees. Personal information like social security numbers contained in corporate and government records and computer databases is a fertile area for dishonest employees working in conjunction with identity thieves. This is why we support H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act, and welcome the additional consumer protection provisions it will provide. It is important to do whatever we can to keep identity theft from happening in the first place Task Force Efforts In addition to partnering with members of the financial and mailing industry, task force efforts by law enforcement have been a successful approach to the identity theft issue. Postal Inspectors are active participants on financial crimes task forces throughout the nation. In Pittsburgh, Pennsylvania, the Postal Inspection Service leads the Financial Crimes Task Force of Southwestern Pennsylvania. This task force began operation on January 17, 1995, and is housed at the Pittsburgh office of the Postal Inspection Service. Originally, this task force was formed to target major credit card fraud in the Pittsburgh area. However, with the increased number of instances of identity theft spreading rapidly throughout America, this taskforce has directed most of its resources toward identity theft investigations. One of the recent cases involved actor Will Smith as a victim of identity theft. When Smith played Agent J in the movie Men in Black that was showbiz. But when convicted felon Carlos Lomax impersonated actor Will Smith, that was identity theft. Will Smith never knew his identity had been stolen until he attempted to purchase a new home and found his credit had been compromised. Postal Inspectors and the Financial Crimes Task Force of Southwestern Pennsylvania arrested Lomax for identity theft, and Lomax was sentenced to serve 37 months in jail and pay $64,000 in restitution. The Minnesota Financial Crimes Task Force, which includes Postal Inspectors, Secret Service agents, and local law enforcement officers, last year arrested a Nigerian national for a $1 million account- takeover scheme. Postal Inspectors executed a federal search warrant at the suspect's residence and recovered approximately $16,000 in cash, three vehicles, artwork, electronics equipment, and merchandise derived from the scheme. An investigation revealed the man used bank employees to identify high-dollar, dormant accounts with balances of $100,000 or greater for his scheme, and shipped the fraudulently obtained merchandise to his home in Nigeria. Public Awareness and Education Efforts Over 2,000 of our 6,000 mail theft arrests last year involved identity theft--and it's getting worse. But arrests are not the only solution. That is why the Postal Inspection Service addresses the identity theft issue on two levels--aggressive investigative efforts and creating prevention and awareness programs. While the Postal Inspection Service works hard to identify and prosecute identity crimes, we also recognize our ability to lessen the impact of this crime upon the public through various prevention campaigns. Postal Inspection Service efforts to prevent identity theft target the public and business communities to educate them about these schemes, and the problems associated with them. These efforts have included the publication of a brochure titled, Identity Theft, Safeguard Your Personal Information, and the March 2000 release of the Showtime movie, The Inspectors 2, based on Postal Inspection Service files relating to identity theft investigations. In an effort to educate consumers about this fast-growing crime, the Postal Inspection Service created an informational video titled Identity Theft: The Game of the Name. Also, the Postal Inspection Service and thePostal Service's Consumer Advocate Office partnered during last year's National Consumer Protection Week, from February 3 through 8. The week's theme was ``Identity theft, the No.1 consumer fraud in the nation.'' In 1999, Postal Inspectors along with partner organizations undertook Project kNOw Fraud, which was the largest consumer awareness campaign undertaken in this country. Through a mailing to 123 million addresses we warned the public of the dangers of telemarketing fraud. The successful campaign was followed up with the National Fraud Against Seniors Awareness Week in August of 2002. In September of last year Postal Inspectors unveiled another national awareness campaign. Last year's topic was identity theft. Actor Jerry Orbach, who also was a victim of identity theft, was the campaign's spokesman. This awareness campaign featured a two- pronged approach, providing prevention and awareness information to consumers and addressing businesses on the need to safeguard their files and databases of customers' personal information. The campaign included: A house-to-house mailing to residences in ten states identified by the FTC as reporting the most identity theft complaints. The ten states were California, New York, Texas, Florida, Illinois, Pennsylvania, Georgia, Michigan, New Jersey, and Arkansas. The mailing was made in September, 2003, in conjunction with a press conference. Distribution of an updated brochure on identity theft. The brochure was distributed in connection with identity theft presentations made by Postal Inspectors to consumer groups. Production and release of a Public Service Announcement (PSA) featuring actor Jerry Orbach. This thirty-second PSA was released in September in conjunction with the press conference. An identity theft insert outlining prevention tips that was included with monthly financial industry statements and with all Stamps by Mail orders placed during the months of September, October, and November 2003. Production of an identity theft poster that includes prevention tips that was displayed in all Postal Service retail lobbies, numerous credit unions, financial institutions, and police departments in September. Production of an identity theft informational video and articles on identity theft prevention that was published in internal and external publications as well as newspaper ads in the same ten states that were identified as reporting the most complaints. The Mullen agency of Pittsburgh provided support for our Identity Theft campaign on a pro bono basis. But what really made this campaign unique is the funding source. We've all heard the saying, ``crime doesn't pay.'' In the case of this awareness campaign, it does pay. This campaign was funded through fines and forfeitures paid by criminals in a past fraud case. Prevention Tips In numerous formats, including our website at www.usps.com/ postalinspectors, we provide the following recommendations to the public: Deposit your outgoing mail in a blue Postal Service collection box and promptly remove mail from your mailbox after delivery. Shred unneeded documents that contain personal information before discarding them. Order credit reports every year from each of the three major credit reporting agencies and thoroughly review them for accuracy. Never give personal or financial information over the telephone or the Internet unless you initiated the contact and trust them. Report lost or stolen credit cards immediately. If you applied for a credit card and didn't receive it when expected, call the financial institution. Sign new credit cards immediately--before someone else does. Memorize your Social Security number and passwords. Don't use your date of birth as your password and don't record passwords on papers you carry with you. Never leave transaction receipts at ATM machines, on counters at financial institutions, or at gasoline pumps. Don't carry your Social Security card or birth certificate; leave them in a secure location. Don't disclose credit card or other financial account numbers on a Web site unless the site offers a secure transaction. Closely monitor the expiration dates on your credit cards and contact the issuer if you don't receive a replacement prior to the expiration date. Beware of mail or telephone solicitations that offer prizes or awards--especially if the offer asks you for personal information or financial account numbers. Match your credit card receipts against your monthly bills and check your monthly financial statements for accuracy. Watch for your monthly financial statements and bills. If you don't get them when expected, contact the sender. For victims of identity theft, we recommend the following initial steps to begin the long and arduous task of responding to the crime: 1. If the crime involved the U.S. Mail, contact your nearest U.S. Postal Inspection Service office and report it. 2. Call the fraud units of the three major credit bureaus and request a ``fraud alert'' be placed on your credit file. Check your monthly financial statements for accuracy. 3. Order copies of your credit report from the credit bureaus to check whether any fraudulent accounts were opened without your knowledge or consent. 4. Contact your banks and creditors, by phone and in writing, and report the crime. You may be advised to close some or all of your accounts. At the least, change your PIN codes and passwords immediately. 5. Record the names and phone numbers of people with whom you discussed your case and retain all original reports and supporting documents. Keeping accurate and complete records are a big step toward helping you resolve your problem. 6. Contact your financial institutions and request they flag your accounts. Instruct them to contact you immediately if there is unusual activity on your accounts. 7. File your complaint online with the Federal Trade Commission, or call their Identity Theft Hotline at 1-877-IDTHEFT. The FTC has counselors to assist identity theft victims with resolving financial and other problems that can result from this crime. Educating the public and working to reduce the opportunities where the U.S. Postal Service can be used for illegal purposes are crucial elements in our fight against identity theft crimes. As always, we will do our part to remove criminals from society. We appreciate your recognition of the importance of this issue. Chairman SHAW. Thank you, Mr. Maxwell. I thank all the witnesses. Mr. Johnson. Mr. JOHNSON. Thank you, Mr. Chairman. Mr. O'Carroll, in your testimony you mentioned cross-verification with numerous agencies. Is the U.S. Department of Veteran Affairs one of those? Mr. O'CARROLL. Yes, it is, Mr. Johnson. Mr. JOHNSON. How do you deal with them directly? A lot of my buddies got listed as being dead, and they couldn't get their status reinstated because of a lack of identification, as you might imagine. How do you address that issue? Mr. O'CARROLL. Yes, Mr. Johnson. We have a matching agreement with the Veterans Administration where the SSA matches the SSNs of veterans against our databases for validity. There have been instances in the past, we have done an audit on it. Inadvertently the SSA listed people as deceased when they aren't deceased. We have brought that to the SSAs attention. Mr. JOHNSON. How does that happen in the system? Mr. O'CARROLL. Well, many of the death reportings are voluntary from a lot of different sources. Occasionally when a source indicates that a person is deceased, and it is entered into the records, before it is verified by another party on it, that information is recorded. What we are recommending is a second verification on it so that that doesn't happen anymore. Mr. JOHNSON. Are those numbers reissued? Mr. O'CARROLL. No, they are not reissued then. Once you get an SSN, sir, that is yours for life and forever. They don't reissue SSNs. Mr. JOHNSON. If the guy is dead, and you resurrect him, do you give him his SSN back again? Mr. O'CARROLL. Yes. He does. He or she will get it back. Mr. JOHNSON. Okay. Second, do you issue Social Security cards to students who are here on student visas who do not work? Mr. O'CARROLL. In actuality, they are not supposed to be issued to non-work students. The SSN is issued to students if they can show documentation from Immigration showing that they are authorized to work, at which time they will be given an SSN. Mr. JOHNSON. This is if they are authorized; but what if they are not working at all and never intend to? A lot of them do come here and are under their--they are supported by their home county. They don't pay any income tax. They don't pay a thing us to, not a nickel, but they go to school, and they have a student visa. Now, how do you differentiate? Mr. O'CARROLL. Well, the student visa is not reason to be issued an SSN. It has to be issued for work purposes. We have done audits where some schools have issued--or have issued letters saying that a student is working, when, in fact, they haven't been working, and that way was a way that they bypassed the rules and regulations in order to get an SSN. It is something that is recognized, and it is something that we have been working very closely with SSA doing studies of universities and making sure that they are, in fact, following the laws and using the actual document to show that a person is working. It is a loophole that has been out there, and it is being closed as we speak. Mr. JOHNSON. Do you have employers, when they hire somebody, theoretically they are supposed to check their status, and theoretically you are supposed to have the computer capability to have somebody call you and say, hey, is this a valid number and name, and you are supposed to be able to say yes or no immediately. Is that in operation right now? Mr. O'CARROLL. Correct. The SSA does have that. Mr. JOHNSON. You do have that. I understand that a lot of businesses are not taking advantage of that; is that true? Mr. O'CARROLL. That is correct, sir. Mr. JOHNSON. How do we rectify that? Mr. O'CARROLL. Well, one of the portions of the support of Congress is to make it mandatory that employers do check that each time. As it stands in the past, SSA now has ways of doing it where it can be done electronically, it can be done on the telephone, it can be done in person. What we are hoping for in the future is to have electronic means for verifying all employees. We have got different public outreaches to encourage employers to do it, and we are hoping for Congress to encourage employers also to make it mandatory that they do it in the future. Mr. JOHNSON. One further question for anybody that wants to answer it: Are we still failing to go after people who sell or tell you that they have lost their identification and come back for another one, because last time our testimony indicated that there was upward of 80 or more before you even looked at it. Mr. O'CARROLL. Those are two of the provisions in this law is one to take a look at the people asking for numerous replacement Social Security cards. Mr. JOHNSON. Well, how about one? If you have got the computer system to do it, why can't do you it after one? Mr. O'CARROLL. Well, there are legitimate reasons why people lose their Social Security card. Quite frankly, what we have been saying within the Office of the Inspector General is it is the number, not the card that is the problem to society. Mr. JOHNSON. Well, I understand that, but they still sell them, don't they? Mr. O'CARROLL. That is a major concern of ours is that when they get replacement cards, that they could be sold again, and that is why we are asking to tighten up on it. Mr. JOHNSON. Just one follow-up. Are you still waiting to 80 before you check them out? Mr. O'CARROLL. Yes. The number has dropped considerably on the number of replacements. It is not up to 80. What we are looking for is 20 in the lifetime. We still think that is a large number to be asking for, and we are asking to have that number reduced. Mr. JOHNSON. I will bet the Postal Service doesn't wait that long. You guys do a good job, by the way. They briefed us well in Texas. Thank you. Thank you, Mr. Chairman. Chairman SHAW. Thank you. I still have my original Social Security card. Mr. JOHNSON. So do I. Chairman SHAW. Let me do a follow-up of what Sam was asking you with regard to students. If a student wants to open a bank account, and he doesn't work, and it is an interest-bearing account, he would need an SSN, wouldn't he? Mr. O'CARROLL. If you remember, Mr. Chairman, there was the hearing that we had with the use of the tax identification number, so that is a way in order to report. Chairman SHAW. Oh, I see. Mr. O'CARROLL. Taxable information without using an SSN. Chairman SHAW. That is right. Thank you for refreshing me on that. Mr. Cardin. Mr. CARDIN. Thank you, Mr. Chairman. I want to follow up on the private sector and the cooperation we are receiving from the private sector as it relates to theft, identity theft, SSNs and related issues, including the issue that Mr. Johnson raised. It seems to me that we are having a difficult time passing new laws here because of the wide use of SSNs by commerce, which we all understand. It seems to me that the private sector, private employers and private companies have a great deal at stake here, and I am curious as to whether you think they are doing enough to assist us in identity theft, at least initially. Second, after a person has found their identity has been stolen, and they have gone through this difficult issue, it has been reported to us that the theft continues, and there is still a difficult time in getting the private sector to work with us to make sure that the person who has been victimized is no longer victimized. So, I would be interested in your response as to whether you think the private sector, private employers, private financial companies, private companies generally are doing enough to help us and assist us to develop a strategy to minimize identity theft in this Nation. Mr. BEALES. Congressman, I think by and large the private sector has been very cooperative and very responsive. What has tended to happen in this area is identity thieves exploit a particular source of information or a particular channel to get credit. It takes some period of time to recognize that channel and recognize that problem. Once it is recognized, there are some fairly strong incentives to put measures in place to shut down that particular channel. Unfortunately it is an ongoing process because identity thieves work very hard to find a new way to do that. Mr. CARDIN. Can I just challenge you on that for one moment? If I make a small mistake on the use of my credit card, it seems to me it gets bounced the next time I try to use it pretty quickly. It seems like the credit industry knows how to get things into the computer pretty quickly to respond to what they believe is important. I don't see the same zeal, the same commitment as it relates to identity theft. Am I wrong? Mr. BEALES. Well, I think it has varied. I think the most common form of identity theft is credit card misuse, and I think the things you are pointing to are in place and address that form of identity theft and have really improved tremendously over time as people have used pattern recognition kinds of software and kinds of technologies to identify problems before there is too much charged on existing credit card accounts. So, I think there is a lot of that. There is no doubt that there is more that can be done in many areas, and that there is an ongoing need to recognize new threats as they emerge and to put measures in place to address them. Mr. CARDIN. The victim finds that his or her credit is affected. There are so many different avenues in which this information travels. It would seem to me that the private sector could develop the type of software response that could try to help the victim, and I haven't seen that. Mr. BEALES. Well, I think the key to helping the victim, once there has been an identity theft victim, is now in place by statute under Nation that was passed last year, and that is the system for placing fraud alerts has been codified in that statute. You can do it with one call to any one of the three credit bureaus and place the fraud alert for all three. With an identity theft report, like a police report, you can block fraudulent information that would appear on the credit report and keep it from being re-reported, and those measures we are in the process of rulemaking now and will be in place shortly. Mr. CARDIN. Yes. I think the frustrating part is that you can find a person's credit destroyed very quickly because the system is in place to identify individuals who are believed to have had a credit problem, even if it is a theft situation, but to rehabilitate it seems like to takes a lot longer to be able to work through the system. I just question whether we have the same commitment in the private sector to deal with the victims as it is to in some cases over respond and take away a person's good credit who doesn't deserve to have that credit taken away. Just my own observation. Mr. MAXWELL. May I add to that? Mr. CARDIN. Sure. Mr. MAXWELL. The initial part of your question, if I understood it correctly, was about the cooperation with industry. In our experience I have been encouraged, but the dichotomy you have, you have the business interest wanting to serve the customer to keep them as customers, but then they also have their competition with their other associated industries for the credit card group. I mentioned earlier for example, they are competing factions. We have a mail order task force. They are competing factions. So, sometimes it is hard to get them to cobble together like a shared database or best practices. They seem reluctant, which I understand why. Where I have seen and been encouraged is we tried--when we started this campaign, we reached out to the credit card companies to partner with us and actually put an identity theft warning on their statements. We never took that full measure because we couldn't get every company to agree to it. Their counsels, independent counsels, had some problems with it; however, some unilaterally did it on their own. So, I was encouraged by that, but I think the problem we will still have to overcome is that issue of competition and in the fact that we will give a little, but it is a constant balance. I think that more and more there is a benefit seen at the end by having the customers happy, satisfied and protected. Ultimately that is the case, and that is what we found in the Postal Service, I know. You can cut a lot of measures. We tried changing the commercial mail-receiving agency rules, and that was a very tough row to hoe. Again, you have a lot of industry you have to consider, but I am encouraged. We have come a long way. Chairman SHAW. Mr. Hulshof. Mr. HULSHOF. Thank you, Mr. Chairman. Let me start, Mr. Maxwell, by echoing what Mr. Johnson said. The Saint Louis Postal Inspector's Office had the opportunity to brief me in the Saint Louis office. This was right in the aftermath of the mailbox pipe bombs in the Midwest, and so I really got a good glimpse of what it is that you all do. I will have to admit that the day was capped off by allowing me to participate in the computer-simulated firearms training, which was a lot of fun, and I didn't maim too many innocent people. So, Ms. Bovbjerg, let me get to really the subject of today's hearing. I am sorry about the microphone here, Mr. Chairman. It seems to be in and out. We have talked about the private sector, Ms. Bovbjerg. What I want to talk about, because I know coming up in a later panel is what is happening in the public sector, and as you point out, and we are going to hear from a witness in the second panel, Federal law requires the use or the collection of SSNs for various reasons related to tracking deadbeat parents. The SSNs must appear on the pleadings in court orders related to child support. In fact, the Code of Federal Regulations requires that the SSN appear on garnishment orders involving postal employees as well as, and not to resurrect, Mr. Becerra, our discussion and debate last night in the full Committee, but SSNs are used to collect fines, crime victim restitution and beyond. So, I know you recognize in your statement that there is a survey of State and local agencies to determine the extent to which SSNs are displayed in public records. When might that survey be completed, and what can you tell us about it? Ms. BOVBJERG. Well, mine is not working either. We are due to report out to Chairman Shaw in September on this work, and it is a really complex survey, and so we have some things. Like we know that some States have the SSN in public records, but they don't need it, and they are not really sure why it is there. We can't tell you what the incidence of that is yet because we don't have all of our surveys back. What we are looking at is really what kind of records does the SSN appear in. We are trying to be able to say how many people this might affect by the way that we structured our survey. It is a little different than some things we have done for you in the past. We are also looking at what format is it in, because 2 years ago when we did this work, we were all, I think, pretty alarmed when we heard that these things were all going to be electronic, and this was going to be a boon to customer service. We are looking at, well, just how electronic is it going to be? I think that what we are hearing anecdotally and the people that we talk with about these things is there is just a greater sensitivity to this issue in no small thanks to this Subcommittee work. We have seen a dramatic shift in the public record world in the kinds of things that people are concerned about now. They are a lot less concerned about the speed of customer service and a lot more concerned about how do we make sure that we have only the data we need, how do we make sure that it is not going to the wrong place. There is a lot more of that. So, we will be reporting both survey results and results of our interviews. I think you know largely the early returns is there are some good news. There are some things that are being done. The good news at the Federal level, just by the way, is that the Privacy Act works, but when you get into State and local governments, it is not uniform, there isn't a single law that affects them. We continue to believe that the government, the Federal government, should consider working with State and local governments to develop something that is more uniform, more uniform protections, but at the same time consider that there are some very important uses to which the governments put the SSN, one of them being child support enforcement, tax enforcement, and program integrity at SSA. Just a few. Mr. HULSHOF. Well, and certainly as a supporter of the Chairman's bill, I wasn't aware until really preparing for this hearing that the Code of Federal Regulations in some instances insists that the SSN be recorded, and so I see that we are at a conflict here obviously. The other concern that I would expect would be that any new legislation that would be introduced and hopefully pass, Mr. Chairman, your bill, would certainly be prospective. Again, I will just relate that in the State of Missouri, our State Court Administrator who is set to testify, a lot of our courts in rural areas are finally now getting online as far as providing those court documents. So, in other words, going back retroactively to somehow close these records would just really be an extraordinarily difficult task, but look forward to the survey and any recommendations that maybe come along with that study. So, thank you. Ms. BOVBJERG. Well, one thing I do want to encourage you to think about is there is use and there is protection, and that you can require use, but you don't have to display it while you are using it. I think that is one of the things you are seeing that the Federal courts are starting to try to deal with. Mr. HULSHOF. Thank you. Chairman SHAW. Mr. Hulshof, the bill that you are cosponsor of that you refer to as my bill, but it is our bill, is prospective, and there is a 2-year period for implementation, so I think we have covered that base. I hope so. Mr. HULSHOF. Good. Chairman SHAW. Mr. Becerra. Mr. BECERRA. Thank you Mr. Chairman, and let me also say, as my colleagues have said, thank you very much for pursuing this so diligently. I hope that we are able to move forward your bipartisan legislation soon because it is better to get what is good out of the bill now versus wait until we perfect it later. Thank you all for your testimony. Let me ask a couple of quick questions, see how much I can get through in 5 minutes. What can we do, and I open this to any of you who wish to comment. What can we do to help victims of identity theft to restore their good name and credit and to retain and restore again also their privacy? We are dealing with trying to prevent it. We know that in millions of cases we are too late. The talk of prevention is not going to help them because they have already had their identity stolen. Now they are facing the consequences of months, maybe years, of reclaiming their good name and credit. What can we do? Can you think of anything we can do legislatively to try to help victims who are currently in the process of trying to restore their good name and credit? Mr. MAXWELL. There may be a possibility to enact some form of, for lack of a better word, Committee, but group, working group, task force group that is tasked primarily with expediting consumers' restoration, if you will. To me it seems like most consumers, particularly the elderly, become frustrated with the system, whether it be complaining about fraud or the health care problem or just going to get help. When they are faced with a myriad of phone calls and letters to write, it kills them. Mr. BECERRA. Other than having a group that can advise, let me give you a quick example. Should we, for example, pass a law that says that a private entity that has used a SSN for whatever purpose, a bank, a credit agency, if, indeed that agency uses SSNs, it must treat as priority status an individual's claim that his or her identity was misused, and therefore has to clear that record so that when you as a private entity get that type of request by an individual, you must give it priority status? You can't just put it at the end of the list of complaints and work that you would have to deal with in the course of your business dealings. Mr. MAXWELL. That would be an excellent first step. Definitely an excellent first step, and I think, as a follow- up, if there could be some body created to help expedite that, too. That first step would be putting the onus on the firm, the most responsible. Mr. BECERRA. Anyone who wants to use a SSN understands they have got an obligation to help a victim of identity theft clear it up quickly. If you are going to use the card, or the number, understand that some people will be victims; not perhaps of your own doing, but because you are a user of the card, you then are obligated to help victims who had their number used inappropriately resolve that issue as quickly as possible. Mr. MAXWELL. That sounds promising to me. Mr. O'CARROLL. Mr. Becerra, two things that are of interest to us. One is our major concern is the integrity of the SSN in relation to Social Security programs. However, what we have been big on encouraging is cross-verification, so that any Social Security that is numbered that is out there either in the Federal government or in commerce is being verified to know whether it is a valid number or not, and that kind of leads into what you were saying, is that way we can through verification, we can identify the misuse that is out there, and hopefully someday by government matching agreements, there will only be one person with one SSN of record in the Federal government. So, that is an issue with us on trying to prevent it. Mr. BECERRA. That is still more on the preventative side, which I think that is really where we have to go, because we don't want to have victims. To some degree I think there is still some help we can provide. If you have a good verification system, that makes it easier for those who didn't abuse their use of the card help that victim restore his or her good name and credit. So, if I am a bank and I wasn't at fault, and some other entity allowed the number to be misused, at least I can help verify quickly the claim of that individual that indeed he or she is that person and not the other individual. One quick question for Mr. O'Carroll. My understanding is that your current policy is to allow 52 replacement cards per year--is for Social Security to allow 52 replacement cards per year. Why the heck are we at such a high number? It used to be 80-something, as I think Mr. Johnson said. Why the heck are we still at--why would anyone need more than one? I never pull out my Social Security card itself as an identifier; it is just a number. So, why would anyone need to request a card, even if you have lost the card itself? You know what your number is, or someone else does. Why would you need to request replacement cards? Mr. O'CARROLL. I think the logic that you are getting at and everyone else is, and as Mr. Johnson brought up, is probably for resale of that number or giving that card to somebody else, which is a concern on a fraudulent basis. One of the issues that the Agency looked at and we were a part of was taking a look, instead of having that card, is maybe making it a certificate or something larger than a card that would be put away and wouldn't be out in the common commerce on it. As with anyone, when you start thinking about if we came up with a new format for a Social Security card, everybody in the United States would want a new one and you can imagine the implications that would be. So, from looking at it from, I guess, the mechanical side of it, yes, the card is really the number and not the card. Mr. BECERRA. Unlike a diploma you hang up on your wall, you are not going to put a SSN up on your wall. Once you have it, you want to store it away and hide it as best you can. So, let me ask you a real quick question. Do we ask for some form of certification or verification as to why you are requesting another card? Do we say to you, prove to me that you need it or why you need it? Mr. O'CARROLL. No. At this point, no, sir. Mr. BECERRA. So, Mr. Chairman, this to me seems like an area where we could immediately address this. Once you have got your card obviously we hope the people can be diligent in safekeeping their number. To have the SSA continue to allow people to get replacement cards, which could really only be used for purposes of resale or for fraudulent purposes, this is something that---- Mrs. TUBBS JONES. Will the gentleman yield? [The opening statement of Ms. Tubbs Jones follows:] Opening Statement of The Honorable Stephanie Tubbs Jones, a Representative in Congress from the State of Ohio Mr. Chairman, Allow me to commend you on both your timing and your topic for this morning's hearing. As national legislators we must tackle what is becoming the fastest growing national crime trend in modern history: Identity theft! As so often happens with modern technology and high tech innovations, the use of technological advancement far out paces the public policy, protection measures and regulations governing the administration of technological advancement. While identity theft is on the rise and the social security number (ssn) is but one avenue to affect the crime, the prolific and generally accepted practice of use of the social security number as an identifier makes it a prime target. It is fitting that we, as Members of the Social Security Subcommittee, address the issue in an open forum. As Americans get older and increase the number of retirement/entitlement programs for which they are eligible--the use of the social security number becomes the number one identifier for all types of service providers. As we launch this massive and still yet confusing voluntary national prescription drug program--we are once again offering to new and established entities the privilege to use the social security number as an identifier. The public and private sector have recognized and dialogued about the balance between the privacy issues and the protection of open commerce. Entities from the mortgage bankers, to national credit bureaus, to municipal records keepers and credit card companies--up to and including the U.S. government--have all come together in one forum or another to address the issue. Before us today, we also have H.R. 2971--of which I am a co-sponsor--``The Social Security Number Privacy and Identity Theft Prevention Act of 2003. This is clearly a step in the right direction. Mr. Chairman, according to Federal Trade Commission (FTC) data (2002 is the most recent data available) my home state of Ohio ranks 30th in the nation in identity theft cases and CLEVELAND, in my Congressional District, is number one in the state. I have provided copies of the FTC information as a part of my statement today and would like to have it included in the record of today's proceedings. Local jurisdictions have highlighted the issue: the Associated Press reported how Hamilton County in the State of Ohio will hear recommendations from their task force to limit/restrict the amount of information--including the SSN from the county clerks' Web site; NBC reported just last week on how blood donors at the UCLA Blood and Platelet Center may be unwitting victims of identity theft as a result of a misplaced laptop with all of their personal data--including the SSN! This follows the alleged theft of another UCLA laptop from their financial office that contained similar personal information that could put even more people at risk. The need for increased laptop security notwithstanding, perhaps we need to somehow limit both the demand for and the use of the SSN. In 1935, with the passage of the Social Security Act, every employee covered by the social security program had to have an identifying number. Since then, the Civil Service Commission; the Internal Revenue Service; the Treasury Department; The Veteran's Administration; The Department of Defense--just to name a few government entities--have all made disclosure and use of the SSN an almost prerequisite identifier. We in Congress have made several attempts to monitor and regulate the use of this number. Mr. Chairman, I look forward to hearing from the witnesses this morning as they lend their expertise and personal experiences to our effort to lend some clarity and protection to the public. Mr. BECERRA. Certainly. Mr. JONES. I have a son who had to get a replacement card in order to get a passport or something. There was some other agency that would not accept that he did not have an SSN, and so it was a requirement that he needed to get a replacement. Mr. BECERRA. I think there is a perfectly good explanation, and therefore you could have some certification under penalty of perjury or something that says, I need this card because this agency is requesting it, and there you have then something that gives you some sense of comfort that the person is requesting it for a purpose other than just because they want another card. Mr. JOHNSON. Yes, but not 80 of them. Mr. BECERRA. That is exactly it, and the way technology and automation works today, chances are that we should be able to have the U.S. Department of State or the agency that issues passports talk directly to the Social Security agency, Federal government to Federal government, on whether or not this person has this number and it belongs to him or her. Mr. O'CARROLL. Social Security, the answer to that part of it, is working very closely with the U.S. Department of State, Immigration and Naturalization Servies, and U.S. Department of Homeland Security, on that type of a match for verifying that information. The other part of it, though, is you were saying on these replacement cards, and not to steal the thunder of your Committee, your Subcommittee on this thing that is one of the provisions of this thing, is to look at the issuance of the replacement cards, and it is part of the study that is being recommended. Quite frankly, we feel that that is a fraudulent loophole, the number of replacement cards that are out there. It is a throwback to days when all the SSN was used for was tracking wages. Everyone was happy to give out numerous Social Security cards at the time because it was for the purpose of tracking wages, not as it is today where it is becoming a---- Mr. BECERRA. You don't have to go to the SSA. I can tell you down at some streets in Los Angeles. where you can get the same card without having to ask the SSA to send you one. So, it is not as if there is some particular value in getting this replacement. Mr. O'CARROLL. Hopefully we are buying cards from that person and arresting them. Ms. BOVBJERG. Could I just jump in on this issue for just 5 seconds? Last year this Subcommittee had a hearing on some of these issues where the Commissioner was here where I testified, and we recommended that we not give out 52 replacement cards a year, that we at least reduce the number. There are some legitimate reasons to need replacement cards, but very few of them would require 52. At that time, SSA said that they had in front of Office of Management of Budget a proposal to reduce the number of cards per year and lifetime. That was a year ago. So, I don't know what has happened to that proposal, but that is a recommendation that we have made as well to SSA. So, we share your concern. Chairman SHAW. I will inquire of the Commissioner and place that information in the record. [The information follows:] June 22, 2004 Hon. Jo Anne B. Barnhart Commissioner of Social Security 500 E Street, SW Washington, D.C. 20254 Dear Commissioner Barnhart: We wanted to bring to your attention the issue of Social Security number (SSN) replacement cards, which was discussed extensively at our Subcommittee hearing on enhancing SSN privacy held on June 15, 2004. As you know, the Subcommittee had been informed previously that some unscrupulous individuals may sell their legitimate SSN cards to others, thereby enabling them to work under an SSN that is not their own and to commit other forms of identity fraud. Both a witness from the General Accounting Office (GAO) and the SSA Acting Inspector General were asked whether the agency had changed its policies to restrict the number of SSN replacement cards. Each replied that under the SSA's current policies, individuals may obtain an unlimited number of replacement cards. To ensure the public record on this issue is accurate, please provide your current policies with respect to the issuance of replacement cards and whether any change to those policies is anticipated. Also, as you may know, a provision to limit the number of replacement cards has been included in the Social Security Number Privacy and Identity Theft Prevention Act of 2003 (H.R. 2971). Your comments on this provision would be welcomed by the Subcommittee. Your reply by July 9, 2004 is most appreciated. Should you have further questions, please contact the Subcommittee Staff Director, Kim Hildred, at (202) 225-9263. Sincerely, E. Clay Shaw, Jr. Chairman ______ August 2, 2004 Hon. E. Clay Shaw, Jr. House of Representatives Washington, D.C. 20515 Dear Mr. Chairman: Thank you for your letter dated June 22, 2004, regarding the SSA's (SSA) policies related to the issuance of replacement Social Security number (SSN) cards. You asked us to provide our policy on issuing replacement cards, and whether we anticipate changes in that policy. You also asked for our comments on a provision in H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act, that would limit the issuance of replacement SSN cards. SSA currently has no limitation on the number of replacement SSN cards an individual may be issued (either over the course of a year or a lifetime), other than a protocol in its electronic processes that prevents the issuance of a replacement card within 7 days of a previous card issuance. Section 204 of H.R. 2971 would restrict the issuance of multiple replacement cards, specifying both yearly and lifetime limits. I, too, am concerned that issuing unlimited replacement cards may contribute to identity fraud. We are exploring ways to prevent individuals from obtaining replacement cards to facilitate someone else committing identity fraud. For example, I have instructed my staff to develop procedures that will identify instances where requests for replacement cards rise above a reasonable threshold. If fraud is suspected, SSA staff will follow established protocols and refer the matter to our Office of the Inspector General for appropriate action. We will keep you apprised of our activities in this area and would welcome the opportunity to continue to work with you to find an appropriate balance between our responsibility to provide the American people with the service they expect and deserve, and our commitment to deter SSN fraud. Thank you for bringing this issue to my attention. If I can be of further assistance, please do not hesitate to contact me or have your staff contact Mr. Robert M. Wilson, Deputy Commissioner for Legislation and Congressional Affairs, at (202) 358-6030. Sincerely, Jo Anne B. Barnhart Commissioner Chairman SHAW. I want all of you to know that you have witnessed a very historic moment where Mr. Johnson and Mr. Becerra are in full agreement. Mr. JOHNSON. That is California and Texas. Mr. BECERRA. Mr. Chairman, that is worth putting on our wall as some kind of diploma. Chairman SHAW. I have made note of it. Ms. Tubbs Jones. Mrs. TUBBS JONES. Thank you, Mr. Chairman. Good afternoon to the witnesses. I want to pick up on one of the questions that was asked. My staffer Melvena says: how do private sector entities gain access to our Federal verifying mechanisms in order to use Social Security as an identifier? Ms. BOVBJERG. I can talk about the employer side. I can talk about the motor vehicle side. They can do it in several different ways. It depends on how many records they want to verify. They can do it by phone, they can do it online. As a practical matter, though, employers don't do this. They don't verify. We are doing work right now for this Subcommittee that is due out in the winter on the effect that this has. Specifically, on the records that Social Security doesn't know what to do with because the name, date of birth, and the number don't match, and these records are coming from employers. Mrs. TUBBS JONES. For example, my automatic teller machine card, if I go on line or call a number, 1-800, whatever it is, I call and I say I want to access my checking account. Then they ask me for my SSN to be put into the system in order to access my checking account. Then they ask me for a 4-digit pin number, which is also part of my SSN, to get to my checking account. What kind of regulation do we have on that? Ms. BOVBJERG. The reason they have your number is because financial institutions are required to have that information for tax purposes. Mrs. TUBBS JONES. Okay. So, that then allows them an option to go wherever else they want to go with it, because they have access to the number in that way. Ms. BOVBJERG. Well, I would like to think that they are not only asking you for your number but for something like your mother's maiden name or something like that, because just having the number, if someone were to. Mrs. TUBBS JONES. That might be private too, though. I'm kidding, go on. Ms. BOVBJERG. You want something that if someone has your SSN, they couldn't go back to the bank. Mrs. TUBBS JONES. I understand, but what I am saying the import of it is, is that they are using this number that supposedly was supposed to be sanctimonious or sanctified; it would never be able to be used for any other purpose very easily in the process. I think I would agree with my colleague here, that maybe what we need to do is to put some imposition or some requirement on those that use it to be able to provide some protection for the public when they choose to use it in a way that benefits their particular process. Let me go to the gentleman from the Inspector General's Office. I come from Cleveland, Cuyahoga County, former District Attorney in Cuyahoga County. So, we did a lot of work with postal inspectors. One of the most difficult things about prosecuting much of the theft, or identity theft in many of the areas, is that very few people want to really do white-collar crime. It takes a lot of work, it takes a lot of money, it takes a lot of time to invest in that type of work. What has been your success with, once you get a document or have done your research, gotten it together--prosecution of identity theft? Mr. MAXWELL. I mentioned earlier that of our 10,000 arrests for all crimes last year, 3,000 were identity theft, which is a very large proportion. That tells me--plus, of the cases I have read and been briefed about, we have a very good track record that way. There are cases that aren't as attractive enough to prosecute, but if you have generally more than one complaint or if one victim has a large loss and it is a complex matter, generally the U.S. Attorney will be more than happy to devote resources to it. If it is not a large loss, if there are very few victims, generally the climate--and that is true universally for fraud cases. Mrs. TUBBS JONES. Coming from the State prosecutor's office, we always go back and forth as to whether the States and the Feds really pay attention to what cases. Just for the record, Mr. Chairman, I would like to submit something from the FTC that shows figures and trends in Ohio. [The information follows:] [GRAPHIC] [TIFF OMITTED] 99677A.001 [GRAPHIC] [TIFF OMITTED] 99677A.002 [GRAPHIC] [TIFF OMITTED] 99677A.003 [GRAPHIC] [TIFF OMITTED] 99677A.004 [GRAPHIC] [TIFF OMITTED] 99677A.005 [GRAPHIC] [TIFF OMITTED] 99677A.006 [GRAPHIC] [TIFF OMITTED] 99677A.007 Mrs. TUBBS JONES. It shows that Ohio is 30th in the country in number of States with regard to identity theft. Unfortunately, it shows that the city of Cleveland, which is my congressional district, is number one in the city in the State of Ohio with identity theft issues. I am standing up for all those great people from the city of Cleveland and greater Cleveland. I am encouraged that we are holding this hearing, Mr. Chairman, and I am looking forward to having the opportunity to work with you to deal with the issue of identity theft because it becomes very, very important, particularly when we begin to talk about those senior citizens who have to go through a long process in order to get through. They are having a hard enough time getting prescription drug discount cards right now, to have to go through this and do anything else. I thank you, Mr. Chairman, and I don't have any time to yield back. Chairman SHAW. Thank you. Mr. Brady. Mr. BRADY. Thank you, Mr. Chairman, for holding this hearing, this important issue. Although I will confess there are days as a Member of Congress when I would pay someone to steal my identity, so you would have to take all that goes with it, but you can have it. I want to talk to Ms. Bovbjerg, if I could, about the enforcement issue so we can get a little better picture. We talk about this at each of the hearings, but who is responsible for ensuring that businesses and those to whom they sell SSNs only disclose according to law? Who monitors the day-to-day release? Who prosecutes them, and how many businesses, I don't need the number, but how often do we really go after those who are breaking the law in this matter and what kind of penalties do they get? Ms. BOVBJERG. With regard to the private sector, I want to be careful with how I talk about this. The business that is collecting the number, the consumer reporting agency, there are rules about how they can disclose and what they can do with the other entity with whom they are doing business. What happens after it goes to the other entity, who knows? It seems like something of an honor system where, if it happens to you or to me that our identity is stolen, we might ultimately track it back to that entity and we would file a complaint and there would be Federal law enforcement involved. I am a little bit concerned that it seems very indirect. Our sense is that the collecting entity is complying with the law. They seem concerned about that; they have made changes to their systems to do that, but once they have that contract with the other entity, that the other entity signs and says we know we are not supposed to disclose and we are not going to do it, who knows what happens after that? It is sort of a very trusting kind of a system. Mr. BRADY. So, do we often catch bad actors violating the law? Ms. BOVBJERG. With that, I would have to turn to the law enforcement folks at the table. It is too bad the FTC person isn't still here. Mr. BRADY. Jump in. Mr. MAXWELL. As I keep alluding to the numbers, it is one of our largest proportion of criminal prosecutions in our cases; of 10,000 arrests, we arrest 3,000 for identity theft alone, not to mention the number of investigations that we conduct just involving identity theft. The fact that it is so widespread, the fact that the Internet has generated vast numbers of opportunities for these people to conduct the fraud in combination with the mail really enhances our field for it. However, as your colleague alluded to before, depending on the district, the prosecutions may differ. There may be higher guidelines for prosecution than in others. We do take our cases to the State offices as well if we can't get prosecution Federally and we think it is a very good case but resources do not permit, or other reasons. Sometimes we have had luck there. I don't have the numbers in my head from that, but I could provide those if that would be a benefit to anyone here. Mr. BRADY. What kind of penalties do the businesses face if they release unauthorized numbers? Mr. MAXWELL. That I would have to refer to probably be more of a---- Mr. O'CARROLL. That is really outside of our purview on the information that businesses release. The FTC probably would have been the best to speak on that, Mr. Brady. Mr. BRADY. So, you do the prosecutions, you do the investigations, but you don't track what the ultimate outcome is? Mr. MAXWELL. Oh, yes. No, we do in our cases. We take a case from opening to closing. If we have a complaint or if we identify a situation, we will investigate it, we will follow it through, we will present it to the U.S. Attorney, and we will sit at the table with them if there is a trial. We don't close the case until there is a conviction and a termination. Mr. BRADY. What kind of penalty? What would be an average? What happens? Mr. MAXWELL. It depends on the statute that is used. Sometimes it is 1029, which is the access device. That is primarily a Secret Service jurisdiction. Our favorite and the one that we hold claim to is mail fraud. So, again, it could take penalties up through prison term over 5 years, depending on what is adjudicated based on the guidelines, the sentencing guidelines, and moneys can be up to 10,000 or more depending on the severity. Mr. BRADY. What is the most common case? Someone who has a pattern and has done a number of these fraudulently, for a first offense, what are they going to get? Mr. MAXWELL. The first offense. I would suspect again, I cited the Carl Lomax case in Pittsburgh last year, and he took the identity of several celebrities, notably Will Smith, the actor. I forget what he was sentenced to exactly, but it was several years in prison, probably under f5, with penalty, but he agreed to cooperate with us. There is often an incentive there for them to cooperate. He produced a video telling the different techniques he has, so we can use that for our training, but the average, it would be hard for me to say without averaging it, taking a look. Mr. BRADY. Do we need stronger oversight and stronger penalties? Mr. MAXWELL. I am more of a fan of the prevention ends. I think our criminal statutes, Congress has definitely equipped us well. It is a matter of getting access to information, it is a matter of people knowing who to report it to. It is a matter, as earlier discussed, of cooperation with the private sector, with the companies which we address through different task forces. Any encouragement coming from the Federal Government certainly helps. I think as far as the statutes that are now on the books, I think we are fine. We are happy with mail fraud and 1029. Mr. BRADY. I guess my thought, and I will wrap it up with this, Mr. Chairman, is that I think there are a lot of things we can do on prevention. I worry that the horse is out of the barn on SSNs; that one of the things we can do is to try and discourage bad actors from using them in fraudulent ways. The way you do that is to make it pretty tough on those who do and introduce some element of you may well get caught in doing this even on a smaller scale. That always means more resource and different approaches, but prevention we have got to do much more there. We talk about it a lot, but, I think we also, whatever we can do on enforcement I think may help the numbers that are already floating out there, which is probably everyone in this room, by the way. Mr. MAXWELL. One of the things that I often refer to in a strategy is, you can work a number of cases and that looks good, but if you work several with some notable names, that brings it to the forefront in the media, like this Will Smith case. We also used Jerry Orbeck in that campaign over there, where he was a victim of identity theft and he talked specifically of his individual case. The public often can recognize an affinity with that celebrity. So, that helps, too. So, yes, you are right. Deterrence, the arrests, but also get it out in the media, get it out, announced, and talk about it. Mr. BRADY. Thank you, panel. Thank you, Mr. Chairman. Chairman SHAW. I thank all of you. Mr. Pomeroy tells me that his questions have been answered by the witnesses. So, this panel is dismissed with our appreciation. Thank you very much. The current status of the Committee is that the bells that you heard have been calling us to the floor. We have been told that there are going to be four votes. That takes a little while, but what I would like to do is to introduce the second panel, and then we will recess until approximately 1:00 pm. That will give everyone a chance to taste the wonderful food we have here in the Capitol. You have eaten here before, huh? The next panel will be made up of Patricia Foss, from Elkton, Maryland. Mark Ladd, who has already been introduced as the Public Sector Co-Chairman of Privacy/Access Workgroup (PRIA) from Wisconsin. Chris Hoofnagle, Associate Director of the Electronic Privacy Information Center (EPIC). Brian McGuinness, who is the First Vice President of the National Council of Investigation and Security Services (NCISS). He is from my State in Miami, Florida. Mike Buenger, who is the President of the Conference of State Court Administrators (COSCA), Jefferson City, Missouri. Mr. Hulshof wants to introduce him, so I will yield to Mr. Hulshof at this time. Mr. HULSHOF. As I referenced earlier and had a chance to chat with Mike, it is great to have him here. Not only is he our State Court Administrator, but he is the President of the national organization. We are honored to have him here today, Mr. Chairman. Chairman SHAW. Thank you. We also have Fred Cate, who is Professor of Law at the University of Indiana, and Edmund Mierzwinski, who is the Consumer Program Director of the U.S. Public Interest Research group (PIRG). We welcome all of you, and we look forward to seeing you at 1:00 p.m.. We will stand in recess. [Recess.] Chairman SHAW. If the witnesses will take their seats, we will resume the hearing. Thank you for tolerating our schedule, which is always somewhat unpredictable. Ms. Foss, you are going to lead off, please. STATEMENT OF PATRICIA FOSS, ELKTON, MARYLAND Ms. FOSS. Thank you, Mr. Chairman, for the opportunity to talk about my experience as an identity theft victim and also know that I, as a victim, applaud you all for looking at this serious issue. Like millions of Americans, my experience began when I was notified by my bank that my credit had been suspended due to nonpayment. After contacting the bank, I learned to my surprise another woman had received thousands of dollars of credit using my name and my Social Security card. She had my birth date off by 1 day. I was stunned to learn that she had gotten a home improvement loan from one bank and an automobile loan from another bank. I am not sure about the car, but we know she did not have a home. My SSN virtually gave her everything she needed to steal my good name and my good credit. That was the day I received an introduction to the crime of identity theft and how easy it was to be a victim, even when people like me are extremely careful of their personal information. I was fortunate enough when I was talking to the bank to receive good advice from them about what I had to do next and who to contact and what agencies I needed to talk to. That was when the real work began. I understand that an average identity theft victim spends over 30 hours trying to clear their name and prove their innocence. I can tell you I definitely exceeded that, especially if you count the nights when I laid awake and wondered what was going to happen next. At the time that this happened to me, it was back in 1999 and it really wasn't a common thing at the time, so I and countless other people hadn't even heard of what it was. It took a lot of my time, my life away from me. This is the example of the file that I kept for a year of trying to get all the paperwork done that was required of me to prove that I was indeed who I am. It was, seriously, like having another job. I had to send to each credit bureau as well as countless banks that the other me had used notarized letters and documents like my birth certificate and my driver's license and including my SSN. It was kind of ironic, because I felt more vulnerable having all that information now out there for countless other strangers in trying to prove my innocence than I had ever done before the crime happened in the first place. I spent hours on hold, and I spent hours in transfer hell. I had to take time off of work to visit my own bank and get things notarized pretty much on a daily basis at least for the first couple of months, and it really took me over a year of dealing with at least 20 different organizations to completely clear the credit reports and prove that I was the victim and not the criminal. I still check my credit reports at least biannually for fear that either this woman or somebody else is going to use my identity again. In hindsight, I was really one of the lucky people. Unlike many cases, the police actually arrested the woman who was impersonating me. She was, ironically, an acting student. I thought that there was some humor in that. I was told that she walked in one of the banks that I had reported the crime to and was leisurely making another withdrawal out of an account that she had in my name. After she was caught, I was afraid that she also had my home address and there would be repercussions once she found out that I had turned her in, and so I spent a few nights in fear over that. I completed a form to be notified as to what had happened in her trial, and the next I heard was last week when I was asked if I could testify before this Committee. I know since my experience numerous State and Federal laws have been passed to criminalize identity theft, and I think it is better than it was when this happened to me, but I would say that much more still needs to be done, because the number of identity theft victims continue to increase every year. Chairman Shaw, I applaud your efforts to restrict the dissemination of SSNs. To this day, I still don't know how this woman got mine. No one does, and she didn't admit anything when she was prosecuted, apparently. As you go through your deliberations I guess I would ask you to consider the following things: I believe that credit grantors are a big part of the problem. I don't understand why they don't check more into people's credentials before they hand them money. If they don't follow those kind of procedures, shouldn't they be somehow accountable in some ways? I can't understand that kind of carelessness as what happened with me. Also, I guess I would ask, where is the funding for enforcement? I know that there are punishment penalties in the bill. If there is not money for enforcement, I can't imagine that many of these people are going to be caught. Truly, the heroes in my story were the police, one bank's fraud officer, the postal inspectors and the special agents in the Social Security Office of the Inspector General, but I was one of the lucky ones. Last, I feel that I would like to see more funding for agencies like the SSA or some agency so that people like me could have a central point of contact and somebody to help them through the mass of paperwork that is required of them. Thank you again for letting me tell my story. Chairman SHAW. Thank you. If I may, just out of curiosity, was she found guilty and what was her penalty? Ms. FOSS. I just found that out yesterday, which was interesting. She was prosecuted. She was found guilty. The sentence was, I believe, 6 months; and she was required to pay back $69,000 in restitution to the organizations that had given her the money. Chairman SHAW. So, the system worked in your case. Ms. FOSS. The system worked in my case, but it sure took a long time. [The prepared statement of Ms. Foss follows:] Statement of Patricia Foss, Elkton, Maryland Chairman Shaw and members of the committee, thank you for the opportunity to talk about my experiences as a victim of identity theft. I'm grateful to you for addressing this critical issue. Like millions of other Americans, my experience began when I was notified by my bank that my credit had been suspended because of non- payment. After contacting the bank, I learned to my surprise that another woman had received thousands of dollars of credit using my name and my perfect credit history. I was stunned to learn that she had obtained a home improvement loan at one bank, and an automobile loan from another. My social security number had provided her with the access she needed to damage my good name and credit. That was the day I received an introduction to the crime of identity theft, and how easy it was to become a victim, even when you're careful about your personal information. I was fortunate enough to receive good advice from my bank, MBNA, and was provided information on how to respond. But that was where the real work to prove my innocence began. I understand that on average an identity theft victim spends over 30 hours proving their innocence. I'm sure I exceeded that number, especially if you count the nights I lay awake wondering where she would strike next. She not only stole my identity, she took weeks of my life away from me. I had to send each credit bureau, as well as the countless banks the other ``me'' had used, notarized letters and copies of documents like driver's license and birth certificate. I spend hours on hold and in transfer hell. I had to take time off of work to visit my own bank, and had to deal daily with proving I was the real Patricia Foss. It was truly like having a second job. It took me almost a full year of dealing with over 20 different organizations to completely clear my credit reports and prove that I was the victim, and not the criminal. I still check my credit reports biannually with the fear that sooner or later, this woman, or someone else, will use my identity again. In hindsight, I was one of the lucky ones. Unlike many cases, the police actually arrested the woman who stole my identity. She was appropriately, an acting student. I was told that she walked into one of the banks to which I'd reported the crime and was leisurely making another withdrawal. After she was caught, I was afraid that she also had access to my home address and would threaten my safety once she realized that I'd reported her crime. I had completed a form to request that I be notified of the outcome of her trial. That was the last I heard until last week when I was contacted about testifying before this subcommittee. I know that since my experience, numerous state and federal laws have been passed to criminalize identity theft. More obviously needs to be done as the number of identity theft victims continues to increase every year. Chairman Shaw and members of the subcommittee, as a victim, I applaud your efforts to restrict the dissemination of social security numbers. To this day, I still do not know how this woman impersonating me obtained mine. As you go through your deliberations, I would also ask you to consider the following; Credit grantors continue to be a part of the problem. Shouldn't banks and other credit grantors be required by law to conduct a more complete check of credentials before handing people money? If they don't follow such procedures, shouldn't they be held accountable in some way? I do not understand how they can afford to be so careless. Where is funding for enforcement? I was pleased with the provisions to add more criminal penalties to punish identity theft criminals. But if there isn't money for enforcement, they won't be caught in the first place. The heroes in my story were the police, one bank's fraud officer, and the postal inspectors. But then, I was lucky. More funding is needed for agencies like the Social Security Administration to help victims have a central point of contact and assistance negotiating the mass of paperwork required to clear their name. Thank you for the opportunity to speak with you about my experience. Chairman SHAW. Yes. Mr. Ladd. STATEMENT OF MARK LADD, PUBLIC SECTOR CO-CHAIR, PRIVACY/ACCESS WORKGROUP, PROPERTY RECORDS INDUSTRY ASSOCIATION, RACINE, WISCONSIN Mr. LADD. Good afternoon, Mr. Chairman. Again, I am Mark Ladd. I am the Register of Deeds for Racine County, Wisconsin; and I am the Public Sector Co-Chair for the PRIA's Privacy/ Access Workgroup. I appreciate the opportunity to come and speak regarding H.R. 2971 and its impact on land records custodians. The collateralization of real property is a fundamental part of our economy. Leveraging real property is possible because of the publicly available information regarding a specific parcel of land. Our Nation's private ownership of land is based on a necessary access to publicly recorded land information. On the other hand, citizens are concerned that personal information is sometimes contained in these real property records and can be used for identity theft. By example, SSNs are often included in mortgage documents, tax liens, divorce decrees and other documents that convey real property. However, for land records custodians, there is little legal purpose for having that number included in the record. The PRIA hosted a roundtable forum on this topic back in February of 2003. We had 25 different roundtable participants with a broad range of industry expertise: State, local government, Federal government representatives, land records officials, trade associations from the real estate industry, as well as a couple of organizations dedicated to consumer privacy. At the conclusion of the roundtable, we actually spun up a Privacy/Access listserve, an e-mail discussion to continue to foster additional conversation on the topic. That list serve discussion was followed up by 2 days of facilitated educational discussions during our winter conference earlier this year. In the discussions, we reviewed the historical foundations of American's land records system and our public records laws and then we debated several suggestions for model legislation. It is with this background in mind that I would like to offer our comments regarding H.R. 2971. Section 101 of the bill prohibits the display to the general public of a SSN and then goes on to define ``display'' as posting on a website. Well, the Internet has become an important tool for many land records custodians to publish records. More and more counties are developing Internet-based sites designed so that citizens can conduct business with government when it is convenient for the citizens, and these sites often include data as well as images of documents. Now, again, our discussions show that few occurrences of the SSN land records are required by government agencies or required by land record agencies, but, rather, they may be required by the Internal Revenue Service or State taxing authorities. A lot of times SSNs appear in a document, and they are placed there by the document preparer for the benefit of their business process or the business process of one of their partners. However, we have no statutory authority under current law to refuse to enter these documents into the public record. In its current form, this bill would prohibit us from using the Internet to post our records, and this removes an important tool from our use. Another thing to note is, even with this provision, SSNs can still become part of the public record and an individual's privacies are at risk in the courthouse because, again, these are public records that anyone can come and obtain. We would think that there are several elements that need to be addressed in any type of legislation to deal with this issue. First, we applaud this provision of H.R. 2971 in that this needs to be on a day forward basis. Redaction and the expunging of the records is physically difficult, if not impossible. The prohibition should be on putting the SSN in any document that will become part of the public record, and this should also include the authority to public records officials to reject the recording. However, that authority needs to be permissive, rather than prescriptive. Prescriptive authority is impossible for us to manage. The sheer volume of documents to check for that SSN in a 27-page mortgage, in an office of my size only 300 documents a day, in larger offices thousands of documents a day, it is just impossible to manage. If a document contains a SSN, after this law is adopted, we would suggest that land records officials be empowered to redact the number. That is an important provision for an administrative function that we provide. Providing certified copies of documents requires us to provide an exact copy of the document that was presented to us. Without that type of authority, we can't fulfill that role. Again, we recognize that it is an impossible task for land records officials to manage. We are poor gatekeepers, just due to the size of the task, but we believe that our recommendations can provide the goal of protecting SSNs without jeopardizing the flow of commerce or placing an unbearable burden on the shoulders of local government. I look forward to answering further questions as the hearing continues. Thank you. [The prepared statement of Mr. Ladd follows:] Statement of Mark Ladd, Public Sector Co-Chair, Privacy/Access Workgroup, Property Records Industry Association, Racine, Wisconsin Good morning Mr. Chairman and members of the Committee: My name is Mark Ladd. I am the Register of Deeds for Racine County, WI, and I am the Public Sector Co-Chair of the Property Records Industry Association (PRIA) Privacy/Access workgroup. I appreciate the opportunity to speak to you today regarding personal information and privacy issues as it relates to the land records industry. The PRIA is a public/private partnership and its mission is to work together to identify issues, define problems and develop solutions to bring consistency to the property records industry. The PRIA membership includes over 260 land records officials and 105 private sector partners. The PRIA has completed projects such as developing a document-formatting white paper, notary essentials white paper and created the model statute for Military Discharge (DD214s) documents and developed the Military Discharge DD214 Tangible Interest form. The PRIA currently has several projects in development including, Electronic Recording Standards in alliance with the Mortgage Bankers Association; Archival Back-up and Disaster Recovery; Parcel Code Review; 1st Page Indexing Requirements and the Records Access Policy Advisory Committee. The collateralization of real property, often taken for granted, is a fundamental part of our economy. Leveraging real property is possible because of the public availability of information regarding a specific parcel. Our nation's private land ownership is based on necessary access to publicly recorded real property information. For many reasons, the property record system requires that the general public have a right to know who owns or has certain interests in real property. Two of these reasons, for example, are: (1) to protect the investors lien rights, and (2) to assure fair assessment and taxation of like properties. On the other hand, citizens are concerned that personal or sensitive information is sometimes contained in real property records and may be used for criminal intent, such as identity theft. An example of sensitive information with little legal purpose to protect investor lien rights, yet quite useful to identity thieves, is a Social Security number. Social Security numbers can appear in some mortgage documents, tax liens, or even a divorce decree that conveys real property. Privacy interests and the interest for disclosure of land records information often appear at odds with each other. This poses a dilemma for land records officials attempting to balance these two points of view. This is perhaps one of the greatest public policy questions faced in recent years. The PRIA is convinced that a workable balance can, and in fact, must be reached on this issue. That balance should protect personal privacy without impeding commerce or overburdening land records offices. Realizing there was little or no communication between various groups within the United States regarding Privacy and Access issues, the PRIA convened the nation's first roundtable forum in WashingtonD.C. on February 26, 2003 to discuss this issue. The 25 roundtable participants covered a broad range of industry representatives including representatives of the federal government (IRS and GAO), state and federal court systems, Land Records Officials, national associations in the real estate industry including the National Association of County Recorders, Election Official and Clerks, the International Association of County Recorders Election Officials and Treasurers, the American Land Title Association, the American Escrow Association, the National Public Records Research Association, the Mortgage Bankers Association, the Appraisal Institute, American Bar Association, national credit bureaus, as well as two of the most influential organizations dedicated to consumer privacy issues. In addition, there were 150 registered observers, representing a broad spectrum of the industry. Several topics were covered during the roundtable in a lively, thought provoking, daylong discussion. The PRIA has minutes and created a CD, both are available on the PRIA website located at www.pria.us At the conclusion of this meeting the PRIA formed a committee to continue to advance this issue. A Privacy/Access listserve was established as a forum to foster additional discussion on the topic of personally identifiable information contained in public records. The listserve activity included a discussion of: (1) what information is required for the conduct of commerce? (2) could rules relating to document creation address the needs of all interested parties? and (3) should we consider restricting access to certain types of records? The list serve discussion was followed by two days of facilitated educational discussions during our 2004 Winter Conference in Washington D.C. During these discussions PRIA members reviewed the historical foundations of American public records and then addressed the policy issue by debating several suggestions for model legislation. It is with this background in mind that we offer the following comments relating to HR 2971. Section 101 of the proposal contains a prohibition of the ``display to the general public'' of a Social Security number (Page 3, Lines 18 &19). ``Display'' is later clarified as ``to intentionally place such number in a viewable manner on an Internet site.'' The Internet has become an important tool for many land records custodians to publish records. More and more counties are developing what is being called a ``virtual courthouse.'' These Internet based sites are designed so that citizens can conduct business with government when it is convenient for the citizen and these sites can include data as well as images of documents. The PRIA discussions reveal that few occurrences of the Social Security number in land records are required by any government agency with the exception of the IRS and state taxing authorities. For non- taxation documents, the Social Security number is normally included by the document preparer for the benefit of their business practices or that of a business partner. While the problems associated with this practice may seem obvious to us, this is a standard practice with a number of financial institutions. Land records officials have no statutory authority under current law to refuse to record such documents. In the bill's current form, this provision would prevent land records custodians from posting currently recorded land records on the Internet, thus removing an important tool from our use. Another provision of Section 101 further defines a Social Security number as ``any derivative of such number'' (Page 5, Lines 20 & 21). Some land records officials have had conversations with the IRS regarding removing the Social Security number from Federal Tax Liens. One solution often repeated by the IRS is including only the last four digits of the Social Security number. This would appear to be a violation of this provision. Since Federal Tax Liens attach to an individual and not a specific parcel of real property, it will become very difficult for title searchers to determine the applicability of these liens. Section 102 requires the Attorney General to consider the cost or burden to local governments of complying with the restrictions imposed by any rules to be adopted under this bill (Page 8, Lines 1-7). This clause is helpful, as the task of assuring that documents, some of which may be quite voluminous, do not contain Social Security numbers, represents a Herculean undertaking on a daily basis, even in the smallest of jurisdictions. Using Racine County as an example. Racine County has a population of 190,000--a medium sized county. In 2003 Racine County recorded just under 80,000 documents that contained approximately 400,000 total pages. That equates to 1600 pages that must be reviewed by a staff of 6, every business day. During most of 2003 the office was operating with a backlog of 2-3 weeks, without any requirement to search for Social Security numbers in the documents. Most of the review that staff performs on real estate documents is done by checking the first and last pages of a document. If we were required to check for the inclusion of a Social Security number, which could be anywhere in the document, it would more than double the task of reviewing documents. From a national perspective there were approximately 125 million real property documents recorded in 2003. Section 201 moves to another area that local government offices administer, specifically, birth records. This section contains a requirement to independently verify any birth record provided in support of the application process (Page 20, Lines 21-23). The PRIA would like clarification of this provision's intent and impact. Our concern is that vital record offices issue certified copies of birth records that contain a certification statement that includes the issuing officer's signature and the department seal. Most states have adopted (or will soon be adopting) standards for security paper to be used for these certificates. These standards include features that make the paper tamper evident. Independent verification from State and local offices would only be necessary when a certificate appears to have been altered or is not on security paper. The financial burden to state and local governments in implementing any aspect of this provision should be addressed as well. Section 201 goes on to require a feasibility study, which includes the costs of electronic third party verification of identity documents (Page 21, Lines 16-21). Most state and local offices are only beginning to investigate the costs of developing such systems. We cannot overstate the fact that the current fiscal environment faced by most state and local governments makes this type of development a challenge even when policy makers support the goals and benefits of such an undertaking. In Wisconsin, I serve on the committee that has been assembled by the Department of Health and Family Services Vital Records Bureau to develop the specifications for such a system. My optimistic estimates are that this project could be minimally operational in two to four years with a mature system being six or more years down the road. As I stated in my introductory remarks, the Property Records Industry Association has had extensive discussions regarding this topic and I would now like to offer our suggestions as to elements that this type of legislation should encompass. 1. Legislation should be effective on a ``day-forward'' basis. It should not require redaction or expungment in records already filed or recorded. 2. Consider prohibiting the inclusion of Social Security numbers on documents that will become part of the public record. This could include providing land records officials the authority to reject a document for filing/recording that includes a Social Security number. Practically speaking however, rejection authority needs to be permissive rather than prescriptive. As I described earlier, the shear volume of documents and the number of pages involved will make prescriptive authority difficult to manage. 3. Next we suggest that if a document recorded after the effective date of the legislation contains a Social Security number, the land records official should have the authority to redact the Social Security number from the document. This is an important provision for an important ministerial function--that of providing certified copies of records in our offices. Our certification statement requires that we provide an exact copy of a recorded document. We need to be explicitly empowered to redact the Social Security number without compromising the integrity of future certified copies we issue. 4. The PRIA acknowledges the nearly impossible task faced by land records officials in attempting to keep Social Security numbers out of the public record and it believes this responsibility is more properly placed on document preparers and individual consumers. Accordingly, PRIA believes that, for any law prohibiting a Social Security number in land records, land records officials should be immune from suit relating to documents filed/recorded that include Social Security numbers. While land records officials will assist when and where they can, the scope of the task of checking every page of every document for Social Security numbers is simply beyond their ability to perform. The time to prevent Social Security numbers from becoming part of the public record is when the document is created--before the parties execute them, not when they are presented for recording. There is simply too much dependence in today's marketplace on the social security number. The PRIA believes education is a major component in developing solutions to this problem. Already we are seeing insurance companies and others using an alternative ID number on insurance cards rather than the social security number. Utilizing existing associations such as the PRIA, Mortgage Bankers Association, Fannie Mae, Freddie Mac, American Land Title Association, American Escrow Association, etc. and with the help of the federal government, this problem can be drastically reduced if not eliminated. Thank you for giving the PRIA the opportunity to address this important public policy issue. Our discussions and policy debates instruct us that the time to address this problem is during the drafting of the documents. We believe that our recommendations can achieve the goal of protecting Social Security numbers in regards to the public record without jeopardizing the flow of commerce or placing an unbearable burden on the shoulders of local government. Chairman SHAW. Thank you, Mr. Ladd. It sounds like you may need a State statute. Mr. Hoofnagle. STATEMENT OF CHRIS JAY HOOFNAGLE, ASSOCIATE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER Mr. HOOFNAGLE. Thank you, Chairman Shaw, for holding this hearing today and for continuing to build a rich legislative history on why Congress needs to act to enhance the privacy and integrity of SSNs. My name is Chris Hoofnagle. I am Associate Director with the EPIC. We have been involved with SSN regulation for many years and also in litigation. We filed an amicus brief in a very important case known as the Amy Boyer case where a woman was located and essentially stalked through the help of a data broker and a private investigator. We have submitted detailed written testimony for the record today. I just want to highlight some of the points we make in this written testimony, and I look forward to your questions afterward. As you are well aware, today the SSN plays an unparalleled role in identification, authentication and tracking of Americans. Its use in the public and private sector heightens the risk of identity theft and abuse because institutions use the SSN both to identify people but also to authenticate them. So, Representative Tubbs Jones was bringing up this issue earlier, the same number you use to identify a credit file is often used to authenticate or to verify the identity of someone; and from a security standpoint, that is a major risk. It is not unlike choosing an e-mail address and using your e- mail address as the password, the exact same series of letters. The other issue I wanted to highlight from our testimony is the role that public records play in providing personal information to commercial data brokers and to others who are amassing personal information about individuals. Oftentimes we are compelled by law or compelled from wanting to enjoy the rights and benefits of our society into providing personal information that ends up in a public register; and once your SSN or other information ends up in a marriage license or a land record, anyone can come along and use that personal information for any purpose. So, we do think that it is important in your legislation to include strong language keeping the SSN, and keeping certain personal identifiers out of public records before they reach the general public. There are several parts of H.R. 2971 that we think are very strong, and they belong in any SSN privacy bill. The first is the provision on coercive disclosure. We think it is very important that businesses not be able to withhold a product or service when they ask for a SSN without authority to do so, and I think that your legislation is well crafted in section 109 because businesses that actually have a legal right to the identifier will still be able to request the SSN. We think it is very important that Section 108 be included in any legislation that moves to the full House. section 108 would move the SSN below the credit header line and require individuals who are trying to buy SSNs to have a permissible purpose under the Fair Credit Reporting Act before getting access to the identifier. I think that is a very important protection, and we commend you for including it in the legislation. Finally, we think it is very important that States be discouraged from placing the SSN on drivers' licenses and other identifiers provided to individuals. We would recommend one enhancement to the legislation in this regard. We have become aware that some States do not put the SSN on the actual card. They don't publish it on the card, but they embed it into the bar code or into the magnetic strip, and then businesses or other individuals can swipe the driver's license and collect the SSN from individuals. I think it is important that prohibitions recognize the risk of automated data collection from drivers' licenses and how SSNs might be swept in that equation. We also encourage you to look to the leadership of the States in developing SSN legislation. A number of States have passed very strong regulations that deal with use of SSN in the private sector, the use of the SSN in the context of colleges and universities and with regards to course of disclosure; and their leadership should be emulated at the Federal level. As I am running out of time, let me highlight what Ms. Foss said earlier about the role of credit granting and identity theft. In our written testimony we have given numerous examples of cases where victims had their identities stolen and it would not have occurred but for the presence of the SSN. The identity thief filled out an application to get credit. Oftentimes, the date of birth was wrong, the name was wrong, address was wrong. The SSN was right, and so the SSN was a key to identity theft in all of those cases, and it sounds as though those cases are similar to yours, Ms. Foss. So, we encourage an examination of credit granting practices as well, it appears as though they are contributing to the identity theft problem. Thank you, Mr. Chairman. I look forward to your questions. [The prepared statement of Mr. Hoofnagle follows:] Statement of Chris Jay Hoofnagle, Associate Director, Electronic Privacy Information Center Introduction Chairman Shaw, Ranking Member Matsui, and Members of the Subcommittee, thank you for extending the opportunity to testify enhancing the privacy and integrity of Social Security Numbers. My name is Chris Hoofnagle and I am associate director with the Electronic Privacy Information Center (EPIC), a not-for-profit research organization based in Washington, D.C. Founded in 1994, EPIC has participated in cases involving the privacy of the Social Security Number (SSN) before federal courts and, most recently, before the Supreme Court of New Hampshire.\1\ EPIC has also taken a leading role in campaigns against the use of globally unique identifiers (GUIDs) involving the Intel Processor Serial Number and the Microsoft Corporation's Passport identification and authentication system. EPIC maintains an archive of information about the SSN online at http:// www.epic.org/privacy/ssn/. --------------------------------------------------------------------------- \1\ Estate of Helen Remsburg v. Docusearch, Inc., et al, C-00-211-B (N.H. 2002). In Remsburg, the ``Amy Boyer'' case, Liam Youens was able to locate and eventually murder Amy Boyer through hiring private investigators who tracked her by her date of birth, Social Security Number, and by pretexting. EPIC maintains information about the Amy Boyer case online at http://www.epic.org/privacy/boyer/. --------------------------------------------------------------------------- In previous testimony to this Subcommittee, EPIC has recommended a strong framework of Fair Information Practices to create rights and responsibilities for individuals and collectors of the SSN. In 2001, EPIC Executive Director Marc Rotenberg traced the history of the SSN as an identifier, highlighted the use of the SSN in the financial services sector, and raised privacy issues associated with the Social Security Administration's Death Master File.\2\ In 2002, EPIC testified that the problem of identity theft had grown worse, that the states were acting to limit collection and disclosure of the SSN, and that 107 H.R. 2036, the Social Security Number Privacy and Identity Theft Protection Act of 2001 could limit misuse of the SSN.\3\ In 2003, EPIC appeared again to testify in favor of privacy protections, highlighting recent abuses, the continuing unnecessary use of the SSN as an identifier by both private and public sector entities, and the developing trends of state legislation crafted to limit collection and use of the identifier.\4\ --------------------------------------------------------------------------- \2\ Social Security Numbers and Identity Theft, Joint Hearing Before the House Financial Services Subcommittee on Oversight and Investigations and the House Ways and Means Subcommittee on Social Security, Nov. 8, 2001 (testimony of Marc Rotenberg, Executive Director, EPIC), available at http://www.epic.org/privacy/ssn/ testimony_11_08_2001.html. \3\ Hearing on Preserving the Integrity of Social Security Numbers and Preventing Their Misuse by Terrorists and Identity Thieves, Joint Hearing Before the House Ways and Means Subcommittee on Social Security and the House Judiciary Subcommittee on Immigration, Border Security, and Claims, Sept. 19, 2002 (testimony of Chris Jay Hoofnagle, Legislative Counsel, EPIC), available at http://www.epic.org/privacy/ ssn/ssntestimony9.19.02.html. \4\ Hearing on Use and Misuse of the Social Security Number, Hearing Before the House Ways and Means Subcommittee on Social Security, July 10, 2003 (testimony of Chris Jay Hoofnagle, Deputy Counsel, EPIC), available at http://www.epic.org/privacy/ssn/ testimony7.10.03.html. --------------------------------------------------------------------------- Chairman Shaw, we commend you for developing a rich legislative record on the need to protect the SSN and to combat identity theft. In today's testimony, we wish to continue to contribute to the record and make a recommendation that you advance legislation to secure the SSN and protect Americans from identity theft. First, we provide an overview and recommendations for 108 H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act of 2003. Second, we highlight examples of state SSN regulation that could be adopted at the federal level to provide an umbrella of protections for the SSN. In the third section, we argue that identity theft is caused by excessive reliance on the SSN and by lax credit granting practices. I. Recommendations for 108 H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act of 2003 Introduced in July 2003, H.R. 2971 is the latest of a series of bills designed to enhance protections for the SSN and to promote the integrity of the identifier. It enjoys bipartisan support in the House of Representatives. Title I of the bill sets forth limitations on government disclosure of SSNs. Broadly put, this title would prohibit executive, legislative, or judicial entities from disclosing the SSN, subject to certain exceptions. We think it important to limit the exceptions for governmental sale of the SSN. Specifically, we recommend that subsection (V), which allows unlimited sale of SSNs to thousands of credit reporting agencies (CRAs), be removed from the bill. This exception is too broad and allows unrestricted transfers of government records containing social security numbers to CRAs, possibly for purposes unrelated to credit reporting, including direct marketing. It is not the role of government to collect SSNs from citizens, who are often under legal compulsion to provide the identifier, and then release the SSNs to the private sector for the purpose of compiling dossiers. Professor Daniel Solove has fully articulated how this model of information flow is unfair to individuals and privacy invasive: Imagine that the government had the power to compel individuals to reveal a vast amount of personal information about themselves--where they live, their phone numbers, their physical description, their photograph, their age, their medical problems, all of their legal transgressions throughout their lifetimes whether serious crimes or minor infractions, the names of their parents, children, and spouses, their political party affiliations, where they work and what they do, the property that they own and its value, and sometimes even their psychotherapists' notes, doctors' records, and financial information. Then imagine that the government routinely poured this information into the public domain--by posting it on the Internet where it could be accessed from all over the world, by giving it away to any individual or company that asked for it, or even by providing entire databases of personal information upon request. In an increasingly ``wired'' society, with technology such as sophisticated computers to store, transfer, search, and sort through all this information, imagine the way that the information could be combined or used to obtain even more personal information.\5\ --------------------------------------------------------------------------- \5\ Professor Daniel Solove describes this problem in Access and Aggregation: Public Records, Privacy, and the Constitution, 86 Minnesota Law Review 1137 (2002), available at http://papers.ssrn.com/ sol3/papers.cfm?abstract_id=283924. If this exception remains in the legislation, we recommend that it be narrowed. Currently, the exception allows disclosure of the SSN to CRAs without any limitation on use of the identifier. A narrower exception would allow disclosure but limit use of the identifier for ``credit reporting practices consistent with the Fair Credit Reporting Act, 15 U.S.C. 1681.'' In section 101, we recommend harmonizing the definition of ``sale'' with other references to the term that appear in the legislation. The definition appearing in section 107, which defines sell as ``to obtain, directly or indirectly, anything of value in exchange for such number,'' is more appropriate. Section 102 specifies the authority of the Attorney General to create exemptions to the general prohibition on government disclosure of the SSN. We agree with the standard set forth by the legislation-- that SSNs should not be disclosed absent a compelling interest that cannot be served through the employment of alternative measures. We are concerned, however, that the Attorney General will still approve of privacy-invasive transfers of the SSN despite this high standard. In documents obtained under the Freedom of Information Act, EPIC has shown that private-sector commercial data brokers (CDBs) play a large role in collecting SSNs and other information for sale to law enforcement.\6\ Simply put, there is a risk that the Attorney General will act in self- interest, and approve broad disclosures of SSNs to CDBs that then resell the identifier back to law enforcement or other entities. --------------------------------------------------------------------------- \6\ See e.g. Electronic Privacy Information Center, ChoicePoint, available at http://epic.org/privacy/choicepoint/; Chris Jay Hoofnagle, Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement, University of North Carolina Journal of International Law & Commercial Regulation (Spring 2004). --------------------------------------------------------------------------- We recommend several substantive safeguards against permissive regulations that would allow broad disclosure of the SSN. First, the rulemaking should be open to public comment. Public polling shows that individuals are concerned about increasing use of the SSN; allowing public comment will effectively express popular opposition to expanding use of the identifier. Second, we think that the qualifier ``undue'' should be removed from the standard articulated in Section 101 (a)(I)(ii)(II), and that identity theft be added as one of the risks to be considered by the rulemakers. As currently drafted with ``undue'' as a qualifier and without the special recognition of identity theft as a risk of SSN disclosure, the language will tilt the balance in favor of expanding disclosure of the SSN. A more appropriate balance would be struck with language specifying, ``it is reasonably certain that the social security numbers will not be used to commit or facilitate fraud, identity theft, or bodily, emotional, or financial harm.'' Third, we think that exceptions to the general prohibition should be limited in duration. A time limit will encourage users of the SSN to transition to alternative identifiers. Exceptions that are not time limited will ensure that SSN users never transition to alternative measures. Last, entities receiving SSNs should be held to technical safeguards to shield the identifier from employee misuse or theft. We recommend that the following factor be added to the rulemaking: ``(III) the social security numbers sold, purchased or displayed will be protected by adequate safeguards, including but not limited to encryption measures and regular auditing of SSN access and disclosure.'' Section 103 would codify an important safeguard--a prohibition of printing SSNs on checks issued by governments. This is a common sense protection against identity theft. It is necessary because a standard check with a SSN contains all the personal information necessary for commission of identity theft. Section 104 would prohibit states from displaying the SSN on driver's licenses. Again, this is a common sense approach to preventing identity theft. Indeed, many states already incorporate a ban on printing the SSN on driver's licenses.\7\ Such a prohibition makes it more likely that the SSN will not appear in the wallet of individuals, thus reducing the risk that a lost or stolen wallet will provide the personal information necessary to commit identity theft. --------------------------------------------------------------------------- \7\ See Ariz. Rev. Stat. 28-3158; C.R.S. 42-2-107; C.R.S. 42- 3-302; D.C. Code Ann. 50-402; O.C.G.A. 40-3-23; HRS 286-109; HRS 286-239; Idaho Code 49-306; Idaho Code 49-2444; Ky. Rev. Stat. Ann. 186.412; Mont. Code Ann. 61-5-111(2)(b); Nev. Rev. Stat. Ann. 483.345;.N.H. Rev. Stat. Ann. 263:40-a; N.D. Cent. Code 39-06-14; Ohio Rev. Code Ann. 4501.31; Okla. Stat. Ann. tit. 47, 6-106 (2002); Pa. Cons. Stat. Ann. 1510; Tenn Code Ann. 55-50-331; Tex. Trans. 521.044; Va. Code Ann. 46.2-342; Wash. Rev. Code Ann. 26.23.150. --------------------------------------------------------------------------- We recommend that section 104 also prohibit states from encoding the SSN on magnetic strips, barcodes, or smartcards on the driver's license, as we are aware that while some states do not print the SSN on the card, they may embed the identifier digitally on the card.\8\ Anyone with a card reader can swipe the card and capture the identifier. Increasingly, businesses are capturing patrons' personal data from driver's licenses.\9\ Removing the SSN from encoded portions of driver's licenses will cut down on unnecessary collection of the identifier.\10\ --------------------------------------------------------------------------- \8\ Beatriz da Costa, Jamie Schulte and Brooke Singer, Who is Swiping?, n.d., available at http://www.we-swipe.us/research.html. \9\ See e.g. Jennifer 8. Lee, Finding Pay Dirt in Scannable Driver's Licenses, New York Times, March 21, 2002. \10\ Louisiana has already prohibited embedding the SSN into a driver's license. La. R.S. 32:410. West Virginia has attempted to address this problem of license swiping by allowing the use of license scanners for age verification purposes but prohibiting the recording of SSNs in the process. W. Va. Code Ann. 60-2-22. --------------------------------------------------------------------------- Section 106 would prohibit government entities from allowing prisoners to have access to the SSN. We think that this too is a common sense protection, in light of the Metromail case, where a company employed prisoners to enter personal information from surveys into computers. This resulted in a stalking case where a prisoner harassed a woman based on information she submitted on a survey. The woman received mail from a convicted rapist and burglar who knew everything about her--including her preferences for bath soap and magazines. The woman sued and as a result of a class-action suit, Metromail may no longer use prisoners to process personal information.\11\ Nevertheless, a general prohibition on inmate access to SSNs is appropriate, and California and Kentucky already have passed legislation to keep SSNs out of the hands of prisoners.\12\ --------------------------------------------------------------------------- \11\ During litigation, Metromail claimed that they had not violated the woman's privacy, that they had no duty to inform individuals that prisoners were processing their personal data, and that the data processed was not highly intimate or embarrassing. Beverly Dennis, et al. v. Metromail, et al., No. 96-04451, Travis County, Texas. \12\ Cal Pen Code 4017.1, 5071; Cal Wel & Inst Code 219.5; Ky. Rev. Stat. Ann. 131.191. --------------------------------------------------------------------------- Section 107 generally prohibits disclosure of the SSN in the private sector, subject to exceptions. We think it important to limit exceptions to the general prohibition in order to curb private sector use of the SSN. First, the exception for public health purposes should be limited to ``emergency public health purposes.'' In its current articulation, this exception could allow medical providers and insurance companies to continue to rely upon the SSN in normal operations. Limiting the exception will encourage the industry to shift away from the identifier. We note that Empire Blue Cross is transitioning its 4.8 million customers away from the SSN as an identifier, demonstrating that it is possible for large health care operations to use an alternative identifier.\13\ --------------------------------------------------------------------------- \13\ Empire Blue Cross Will End Use Of SSNs, Use Alternate Number System, Privacy and Security Law Report (Jun. 7, 2004) at 666. --------------------------------------------------------------------------- Section 107 contains an exception for SSNs of the deceased, meaning that they could be freely traded on the market. We think there are important public policy reasons to place some protections on SSNs of the deceased. SSNs of deceased individuals should receive protection for the same reasons that justify protections for living individuals; those reasons include preventing fraud and identity theft. Additionally, criminals are known to assume the identities of deceased individuals in order to engage in criminal acts and to avoid law enforcement. Some protection for these identifiers is justified. Section 108 codifies a much-needed protection for the SSN. Prior to the implementation of the Gramm-Leach-Bliley Act, CRAs and other entities sold SSNs in credit headers to individuals outside Fair Credit Reporting Act regulation. We understand that some businesses are still selling SSNs from credit headers that were collected before implementation of Gramm-Leach-Bliley. Section 108 would eliminate this unregulated sale of SSNs by tying the identifier to the credit report, and thus to protections in the Fair Credit Reporting Act. Section 109 contains important protections against the practice of ``coercive disclosure,'' a practice where an entity conditions provision of a product or service based on disclosure of the SSN. Maine, New Mexico, and Rhode Island have established protections against coercive disclosure, and we think it a good idea to federalize this important right to enhance privacy of the SSN.\14\ --------------------------------------------------------------------------- \14\ 2003 Me. ALS 512; N.M. Stat. Ann. 57-12B-3; R.I. Gen Laws 6-13-17. --------------------------------------------------------------------------- Title II contains measures to help protect the integrity of the SSN. Section 202, which addresses enumeration at birth, provides an excellent opportunity to address objections to SSN issuance to children that many Americans posses based on political or religious beliefs. In Bowen v. Roy, 476 U.S. 693 (1986), better known as the ``Little Bird of the Snow'' case, a family that applied for child welfare benefits sued the Department of Health and Human Services for requiring that a SSN be issued to their indigent child. The family alleged that enumeration violated their religious beliefs and that the conditioning of benefits on issuance of the SSN violated the Free Exercise Clause. The Supreme Court disagreed, holding that the government could require the child to obtain a SSN in order to receive benefits. In that case, the trial court found that the government could, in fact, administer child welfare programs without enumeration. This bill allows Congress to revisit the issue and provide an alternative for those having a religious or ethical objection to permanent enumeration. Alternatives could include a tax-identification number that expires at the age of eighteen, when the child can more fully consider whether to obtain a SSN. Another could specify heightened security requirements or anti-fraud measures to administer benefits to those objecting to enumeration. The study to be performed by the Commissioner of Social Security should require consideration of these issues. Title III of the legislation creates new criminal penalties for misuse of the SSN. Section 302 prohibits individuals from knowingly providing a false SSN to another person. We think that there should be an exception to this rule for cases where an individual provides a false SSN without any intent to commit fraud. For instance, in situations where an entity demands a SSN without justification, individuals should be able to fabricate one if they are not engaged in fraud and are simply attempting to protect their privacy. We think the following language should be added to Section 302 (in the provision amending Section 1129(a) of the Social Security Act to create a new provision at 1129(a)(3)(B)): ``Notwithstanding the previous sentence, an individual is permitted to represent a number to be the social security number assigned by the Commissioner of Social Security to another so long as the individual does not do so with the intent to engage in fraud or other criminal activity.'' II. States Have Innovated Clever Protections for the SSN; Congress Should Consider Incorporating Them in 108 H.R. 2971 In recent years, state legislatures have functioned in their traditional roles as ``laboratories of democracy,'' creating new approaches to enhancing the privacy of SSNs. These privacy protections demonstrate that major government and private-sector entities can still operate in environments where disclosure and use of the SSN is limited. They also provide examples of protections that should be considered at the federal level. Some States Have Placed Broad Prohibitions on Disclosure and Use by Government and Private Entities Two weeks ago, Colorado Governor Bill Owens signed H.B. 1311, legislation that creates important new protections for the SSN that will take effect later this summer. The new law will limit the collection of the SSN and its incorporation in licenses, permits, passes, or certificates issued by the state. The law requires the establishment of policies for safe destruction of documents containing the SSN. Insurance companies operating in the state must remove the SSN from consumers' identification cards. Finally, the legislation creates new penalties for individuals who use others' personal information to injure or defraud another person. A law taking effect in January 2005 in Arizona prohibits the disclosure of the SSN to the general public, the printing of the identifier on government and private-sector identification cards, and establishes technical protection requirements for online transmission of SSNs.\15\ The new law also prohibits printing the SSN on materials mailed to residents of Arizona. Exceptions to the new protections are limited--companies that wish to continue to use the SSN must do so continuously, must disclose the use of the SSN annually to consumers, and must afford consumers a right to opt-out of continued employment of the SSN. Arizona's new law is based on California Civil Code 1798.85. --------------------------------------------------------------------------- \15\ Ariz. Rev. Stat. 44-1373. --------------------------------------------------------------------------- Special Protections Have Been Crafted for Students A number of states have passed legislation limiting colleges and universities from employing the SSN as a student identifier. Limiting use of the SSN in this context reduces the risk of identity theft, as databases of student information, student identity cards, and even posting of grades sometimes contain SSNs. In Arizona, major universities can no longer use the SSN as the student identifier.\16\ In Colorado, as of July 2003, public and private postsecondary institutions were required to establish protections for the SSN and discontinue its use as the primary student identifier.\17\ New York and West Virginia prohibit all public and private schools from using the SSN as a primary identifier.\18\ Kentucky law allows students to opt-out of use of the SSN as student identifier.\19\ --------------------------------------------------------------------------- \16\ Ariz. Rev. Stat. 15-1823. Rhode Island and Wisconsin have similar protections. R.I. Gen. Laws 16-38-5.1; Wis. Stat. Ann. 36.11(35). \17\ C.R.S. 23-5-127. \18\ N.Y. Educ. Law 2-b; W. Va. Code Ann. 18-2-5f. \19\ Ky. Rev. Stat. Ann.156.160. See also Ky. Rev. Stat. Ann.197.120. --------------------------------------------------------------------------- Protections Crafted for Public, Vital, and Death Records Commercial data brokers obtain SSNs from a number of sources, including public records that individuals are required to file in order to enjoy important rights and privileges offered by society. For instance, marriage licenses have been a source for SSNs and a number of states, including Arizona, California, Indiana, Iowa, Kentucky, Louisiana, Maine, Montana, Ohio, and Michigan, have enacted legislative protections to prevent their disclosure.\20\ --------------------------------------------------------------------------- \20\ Ariz. Rev. Stat. 25-121; Cal Fam Code 2024.5; Burns Ind. Code Ann. 31-11-4-4; Iowa Code 595.4; Ky. Rev. Stat. Ann. 402.100; La. R.S. 9:224; 19-A M.R.S. 651; MCL 333.2813; Mont. Code Ann. 40-1-107; Ohio Rev. Code Ann. 3101.05. --------------------------------------------------------------------------- Birth and death records are rich in personal information, and states have acted to shield SSNs collected in these life events against disclosures. Arizona, California, Illinois, Kansas, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New Hampshire, and other states limit the appearance of the parents' SSN on birth records.\21\ Similarly, several states restrict disclosure of the SSN in records associated with death.\22\ --------------------------------------------------------------------------- \21\ See Ariz. Rev. Stat. 36-322; Cal Health & Saf Code 102425; 410 ILCS 535/11; K.S.A. 65-2409a; 22 M.R.S. 2761; Md. Ann. Code 4-208; ALM GL ch. 111, 24B; Minn. Stat. 144.215; Miss. Code Ann. 41-57-14; Mo. Rev. Stat. 193.075; Mo. Rev. Stat. 454.440; N.H. Rev. Stat. Ann. 5-C:10. \22\ See Ariz. Rev. Stat. 16-165; Cal Health & Saf Code 102231; Idaho Code 67-3007; Burns Ind. Code Ann. 16-37-3-9; La R.S. 23:1671; N.D. Cent. Code 23-02.1-28. --------------------------------------------------------------------------- Protections Against Pretexting Should Be Considered We wish to raise one additional concern here--even legitimate collection of the SSN contributes to unauthorized access to the identifier. That is, we are increasingly aware of manuals for private investigators and other materials suggesting that SSNs can be obtained from motor vehicle departments, applications for professional licenses, and even tax returns.\23\ In these cases, the investigator probably obtains the identifier through a friend or contact working at the institution with a SSN. Alternatively, the manuals suggest the use of ``pretexting,'' a practice where an investigator requests personal information from an entity while pretending to be another person or while pretending to have a legitimate reason for access to the information. The Gramm-Leach-Bliley Act prohibits pretexting with respect to financial, securities, and insurance companies, but the law doesn't apply to pretexting targeted at employers, utility companies, or other entities that have SSNs. The Subcommittee should consider whether expanding protections against pretexting would enhance the privacy of the SSN. --------------------------------------------------------------------------- \23\ See e.g. Lee Lapin, How to Get Anything on Anybody 533-543 (Intelligence Here, 3d ed. 2003) (section titled ``How to Find Anyone's Social Security Number'' suggests thirty sources for the SSN, including driver's license applications, bankruptcy filings, court records, bank files, utility records, professional and recreational licenses, and employment files). --------------------------------------------------------------------------- III. Excessive Reliance on the Social Security Number and Lax Credit Granting Practices Are Exacerbating the Identity Theft Problem News media stories abound on the plight of the victim of identity theft. No one is safe from the crime--impostors have been able to obtain credit in the names of young children and even babies.\24\ While Congress has heightened penalties for identity theft, we recommend that further attempts to fight the crime be centered on the credit granting process, and in particular, the practice of granting credit only on a SSN match. --------------------------------------------------------------------------- \24\ 24]Identity Theft Resource Center, Fact Sheet 120: Identity Theft and Children, available at http://www.idtheftcenter.org/ vg120.shtml. --------------------------------------------------------------------------- Identity thieves can rely on aspects of the instant credit granting system to commit fraud. The first weakness in the system flows from extreme competition to acquire new customers. This has resulted in grantors flooding the market with ``pre-screened'' credit offers, pre- approved solicitations of credit made to individuals who meet certain criteria. These offers are sent in the mail, giving thieves the opportunity to intercept them and accept credit in the victim's name.\25\ Once credit is granted, the thief changes the address on the account in order to obtain the physical card and to prevent the victim from learning of the fraud.\26\ The industry sends out billions of these pre-screened offers a year. It 1998, it was reported that 3.4 billion were sent.\27\ In 2003, the estimate increased to 5 billion sent.\28\ --------------------------------------------------------------------------- \25\ Identity crises--millions of Americans paying price, Chi. Tribune, Sept. 11, 2003, p2. \26\ Id. \27\ Identity Theft: How It Happens, Its Impact on Victims, and Legislative Solutions, Hearing Before the Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, Jul. 12, 2000 (testimony of Beth Givens, Director, Privacy Rights Clearinghouse) (citing Edmund Sanders, Charges are flying over credit card pitches, L.A. Times, Jun. 15, 1999, p. D-1), available at http:// www.privacyrights.org/ar/id_theft.htm. \28\ Rob Reuteman, Statistics Sum Up Our Past, Augur Our Future, Rocky Mountain News, Sept. 27, 2003, p 2C; Robert O'Harrow, Identity Crisis; Meet Michael Berry: political activist, cancer survivor, creditor's dream. Meet Michael Berry: scam artist, killer, the real Michael Berry's worst nightmare, Wash. Post Mag., Aug. 10, 2003, p W14. --------------------------------------------------------------------------- Competition also drives grantors to quickly extend credit. Once a consumer (or impostor) expresses acceptance of a credit offer, issuers approve the transaction with great speed. Experian, one of the ``big three'' credit reporting agencies, performs in this task in a ``magic two seconds.''\29\ In a scenario published in an Experian white paper on ``Customer Data Integration,'' an individual receives a line of credit in two seconds after only supplying his name and address.\30\ Such a quick response heightens the damage to business and victims alike, because thieves will generally make many applications for new credit in hopes that a fraction of them will be granted. --------------------------------------------------------------------------- \29\ Experian, Inc., Customer Data Integration: The essential link for Customer Relationship Management White paper 15, 2000, available at http://www.experian.com/whitepapers/cdi_white_paper.pdf. \30\ Id. --------------------------------------------------------------------------- The second factor that makes identity theft easy to commit is that credit grantors do not have adequate standards for verifying the true identity of credit applicants. Credit issuers sometimes open tradelines to individuals who leave obvious errors on the application, such as incorrect dates of birth or even the incorrect name. Identity theft expert Beth Givens has argued that many incidences of identity theft could be prevented by simply requiring grantors to more carefully review credit applications for obviously incorrect personal information.\31\ --------------------------------------------------------------------------- \31\ Legislative Hearing on H.R. 2622, The Fair and Accurate Credit Transactions Act of 2003, Before the Committee on Financial Services, Jul. 9, 2003 (testimony of Chris Jay Hoofnagle, Deputy Counsel, Electronic Privacy Information Center). --------------------------------------------------------------------------- TRW Inc. v. Andrews illustrates the problems with poor standards for customer identification.\32\ In that case, Adelaide Andrews visited a doctor's office in Santa Monica, California, and completed a new patient's information form that requested her name, birth date, and SSN.\33\ The doctor's receptionist, an unrelated woman named Andrea Andrews, copied the information and used Adelaide's Social Security Number and her own name to apply for credit in Las Vegas, Nevada. On four occasions, Trans Union released Adelaide's credit report because the SSN, last name, and first initial matched. Once Trans Union released the credit reports, it made it possible for creditors to issue new tradelines. Three of the four creditors that obtained a credit report issued tradelines to the impostor based on Adelaide's file, despite the fact that the first name, birth date, and address did not match.\34\ --------------------------------------------------------------------------- \32\ 534 U.S. 19 (2001); Erin Shoudt, Comment. Identity theft: victims ``cry out'' for reform, 52 Am. U. L. Rev. 339, 346-7 (2002). \33\ Id. at 23-25. \34\ Id. --------------------------------------------------------------------------- A survey of other prominent identity theft litigation shows numerous cases where credit was granted as a result of a SSN match despite other obvious inaccuracies. For instance, in Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997), Fleet Bank of Albany, New York, issued two credit cards to ``Ronald Aylward,'' allegedly of East Moriches, New York, who used both the victim's name and SSN in applying for the cards. The victim, however, lived in Missouri all of his life. In United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003), impostors obtained American Express cards using the victims' correct names and SSNs but directed all the cards to be sent to the impostors' home. In Vazquez-Garcia v. Trans Union De P.R., Inc., 222 F. Supp. 2d 150 (D. P.R. 2002), a resident of Puerto Rico who was born in 1962 learned that Sears had issued a credit card to a resident of Nevada who was born in 1960. The impostor had falsely used the victim's SSN to apply for credit cards in his own name and succeeded in getting credit despite the mismatch on age and location. In Dimezza v. First USA Bank, Inc., 103 F. Supp. 2d 1296 (D. N.M. 2000), an impostor obtained credit using the victim's SSN but a different name and address. And finally, those who attempt to assign liability for negligent credit granting have not been successful in the courts. In Huggins v. Citibank, 355 S.C. 329 (S.C. 2003), a plaintiff-victim alleged that banks should be liable when they negligently extend credit in a victim's name to an impostor.\35\ The defendants argued that no duty existed because the victim was not actually a customer of the bank. In August 2003, the South Carolina Supreme Court rejected the proposed cause of action. Although it expressed concern about the rampant growth of identity theft, the court found that the relationship between credit card issuers and potential victims of identity theft was ``far too attenuated to rise to the level of a duty between them.'' --------------------------------------------------------------------------- \35\ See also Garay v. U.S. Bancorp, 2004 U.S. Dist. LEXIS 1331 (E.D.N.Y. 2004); Smith v. Citibank, 2001 U.S. Dist. LEXIS 25047, (W.D. Mo. 2001); Polzer v. TRW, Inc., 256 A.D.2d 248 (N.Y. App. Div. 1998). --------------------------------------------------------------------------- These cases show that excessive reliance on the SSN can contribute to identity theft. California has attempted to address this problem by requiring certain credit grantors to comply with heightened authentication procedures. California Civil Code 1785.14 requires credit grantors to actually match identifying information on the credit application to the report held at the credit reporting agency. Credit cannot be granted unless three identifiers from the application match those on file at the credit bureau. The categories to be matched include ``first and last name, month and date of birth, driver's license number, place of employment, current residence address, previous residence address, or social security number.''\36\ Simply requiring credit grantors to look beyond the SSN as a customer identifier and authenticator will begin to address a wide range of identity theft. --------------------------------------------------------------------------- \36\ Id. --------------------------------------------------------------------------- Conclusion Thank you, Chairman Shaw, for continuing to develop a rich legislative record supporting greater privacy for the SSN. We think that the privacy and integrity of SSNs could be enhanced through the passage of federal legislation that limits the collection and approved uses of the identifier. We urge the Subcommittee to examine state laws that have created new, clever protections for the SSN. We also urge the Subcommittee to consider that excessive reliance on the SSN contributes to identity theft. We look forward to continuing to work with the Subcommittee on this and other privacy matters. Chairman SHAW. Thank you. Mr. McGuinness. STATEMENT OF BRIAN P. MCGUINNESS, FIRST VICE PRESIDENT, NATIONAL COUNCIL OF INVESTIGATION AND SECURITY SERVICES, MIAMI, FLORIDA Mr. MCGUINNESS. Good afternoon, Mr. Chairman, Members of the Committee, wherever you may be. My name is Brian McGuinness. I am appearing today on behalf of the NCISS as its first Vice President. I am past President of the Florida Association of Licensed Investigators, and I have been a licensed investigator for over 20 years. Before that, I was a criminal investigator for 7 years with the Miami Dade County Public Defenders Office. I really appreciate the opportunity to comment on H.R. 2971 today. Our profession has been trying to help identity theft victims for years. Much of H.R. 2971 seems to be on the right track. Publication of SSNs to the general public can only lead to improper use, including theft, fraud, even potential physical harm. We support legislation that will curtail such information being offered for sale over the Internet to the general public, but we are very concerned about sections 107 and 108, which will in fact hinder relief for victims and cause many unintended consequences. A number of years ago, the FTC entered into a consent agreement whereby the identifying information that precedes a credit report was deemed not part of the report and therefore not covered by the Fair Credit Reporting Act. The ``header'' information does not contain any financial data and has been an invaluable resource to employ in all manner of investigations. Header information is only available through vetted contracts with major credit bureaus by legitimate businesses and law enforcement agencies. We are unaware that credit headers are being used by identity thieves. The crooks know where their victims are. They don't need to locate them. Section 108 would deal a blow to both the civil and criminal justice systems by effectively eliminating the access to credit header information for the purpose of locating suspects and witnesses. Locating females after a marriage or a divorce is particularly difficult without using the SSN identifier. There are over 43,000 Robert Joneses in the United States. Many of them have the same or similar dates of birth. Investigators need to be able to positively differentiate between subjects when rendering reports that would be used for many purposes, including evidence in court proceedings. Law enforcement agencies have many means at their disposal and are generally exempt from legislation restricting access to information, but even law enforcement Members admit that restricting access to credit headers will tip the scales of justice in favor of the prosecution and will decrease the defendant's ability to receive a fair trial. At a time when our justice system is being criticized for errors proven by DNA evidence, we find it hard to believe that Congress would attempt to take away the defendants primary means of locating witnesses. Let me tell you all of an example from my own experience attempting to assist a domestic maid whose son had been kidnapped by her husband 5 years previously. In her 5-year search she had mounted a letter-writing campaign which yielded a 2-inch stack of letters similar to yours, Ms. Foss, from apathetic police officers and politicians expressing their regret but providing no real assistance. I entered her husband's SSN in a database and learned about a West Palm Beach address he had used when applying for credit. I checked directory assistance and confirmed there was a non-published telephone number in his name at that address. A 5-year journey of desperation, anguish and frustration was ended in 5 minutes by simply having access to header information. A New York investigator was retained by the courts in a guardianship proceeding to recover over $300,000 in assets stolen from a 97-year-old retiree by a neighborhood care giver. Using credit headers he determined identities and locations of the wrongdoer's relatives and eventually their assets that had been taken away from the victim. The victim's assets had been used to purchase real property, expensive automobiles and to increase the thief's bank account balances. The suspect pled guilty and was sentenced to 3 to 9 years in State prison for second degree grand larceny and ordered to pay $360,000 in restitution to the victim's estate. With few exceptions, law enforcement does not have the resources to assist identity theft victims. As pointed out in my prior written testimony, victims are often told their losses are below the threshold required before agencies will investigate. In fact, many victim turn to licensed private investigators for assistance. We, therefore, ask that all of Section 108 be deleted. We routinely provide our clients with documents and reports containing necessary identifying information. section 107 would effectively deny us the ability to obtain or provide our clients with such information. There is an exemption for law enforcement and collection of child support, but the exemption should also include reports prepared in connection with litigation, service of process, due diligence investigation of insurance claims, civil and criminal fraud, criminal defense, identity fraud and stalking or any other violations of law. Although H.R. 2971 provides the Attorney General with the ability, I am sorry, with the authority, rather, to provide additional exemptions, we believe it is critical for Congress to spell them out in advance. The bill as introduced would have a substantially deleterious impact on the court system and individual victims of crime. Such major issues should be resolved by elected officials and not delegated to the Department of Justice. Congress should proceed very carefully. Taking away the tools from investigators serving the justice system is not the way to go about resolving identity theft. I would be pleased to answer any questions that you may have. [The prepared statement of Mr. McGuinness follows:] Statement of Brian P. McGuinness, First Vice President, National Council of Investigation and Security Services, Miami, Florida Good morning Mr. Chairman and members of the Committee. My name is Brian P. McGuinness and I am appearing today on behalf of the National Council of Investigation and Security Services. I am first vice president of NCISS and past president of the Florida Association of Licensed Investigators. I have been a licensed private investigator in Florida for twenty years and before that I was a criminal investigator for seven years with the Dade County Public Defenders Office. I appreciate the opportunity to comment on H.R. 2971, the Social Security Number and Identity Theft Prevention Act of 2003. You have asked us to address the uses private investigators currently make of Social Security numbers and other personally identifiable information and for our views on specific provisions of this bill that would affect the private investigator community. As a profession that has been trying to help victims through the identity theft maze for years, we applaud Congress' efforts to finally put laws on the books that will bring victims some relief. Although a percentage of identity thieves no doubt gather their victim's identities from the Internet, our experience is that most such thefts result from the purloining of documents, files, charge slips, credit cards, and wallets from restaurants, stores, trash bins, the mails and private property. Much of HR 2971 seems to be on the right track, but we are very concerned about Sections 107 and 108, which will, in fact, hinder relief for victims and cause many unintended consequences. A number of years ago, the Federal Trade Commission entered into a consent agreement whereby the identifying information that precedes a credit report, which is called ``header'' information, was deemed not part of the credit report and therefore not covered by the Fair Credit Reporting Act as a Consumer Report. The ``header'' report does not contain any financial information. This information has been an invaluable resource for investigators to locate witnesses, heirs, debtors, and to employ in all manner of fraud and theft investigations. We are unaware of any evidence that credit headers are being used by identity thieves for any purpose. Licensed investigators and police use credit headers to locate witnesses and suspects. Identity thieves know where their victims are; they don't need to find them. Header information is only available through vetted contracts with major credit bureaus by legitimate businesses and law enforcement agencies. These information providers audit the users of such data, including the use of ``stings'' to assure compliance with contract provisions. Because the FTC has ruled that investigators rendering reports in connection with employment or credit are themselves consumer reporting agencies, the language in Section 108 of HR 2971 appears to eliminate the use of credit headers for most legitimate purposes. It will make it impossible for civilian investigators to obtain or report information necessary to identify suspects and exonerate the innocent without first obtaining the written permission of a suspect as required by the FCRA. Section 108 has an unintended consequence which would deal a blow to both the civil and criminal justice systems by effectively eliminating access to credit header information for the purpose of locating suspects and witnesses. Law enforcement agencies have NCIC and many other means at their disposal, and are always exempted from legislation restricting access to the same information sources that HR 2971 would deny private investigators. As a matter of fairness, even law enforcement members admit that restricting access to credit headers will tip the scales of justice in favor of the prosecution and augurs against the defendant's ability to receive a fair trial. At a time when our justice system is being criticized for errors proven by DNA evidence, we find it hard to believe that Congress would intend to take away a defendant's primary means of locating witnesses. The header search is by far the most important search currently used by investigators when locating female witnesses. Since women often change surnames over the course of their lives due to marriage or divorce, it makes it even more critical to be able to identify them by their SSN. The SSN does not change and allows us to locate these otherwise difficult to find witnesses. In past hearings, Lexis Nexis has testified that there are 46,000 men in America named Bill Jones. Many of them have the same or similar dates of birth. Licensed private investigators need to be able to positively differentiate between subjects when rendering reports which will be used for many purposes including evidence in court proceedings. We hope you are also aware that with few exceptions, law enforcement does not have the resources to successfully assist identity theft victims. In fact, many victims turn to licensed private investigators for assistance. We therefore ask that all of Section 108 be deleted. Most states have legal jurisdiction over private investigative and security firms. They undergo fingerprint-based criminal background checks, are regulated, are tested and for the most part receive training and often continuing education. We believe that regulated licensed private investigators and security firms should be allowed continued access to header information. Many of the reports that private investigators prepare containing the personally identifiable information that this committee seeks to protect are privileged attorney work product. We abhor scam fraud artists and rogue information brokers who advertise on the Internet to the general public that they will provide information on anybody to anybody for a price no matter who the customer. Publication of personally identifiable information to the general public can only continue to lead to improper use, theft, fraud and even potential physical harm. We support efforts to limit access to such data to the general public. We also support any legislation that will curtail such information being offered for sale over the Internet to the general public. Section 107 Private investigators, for a fee, as a regular part of their routine, ascertain, collect, assemble, evaluate and provide their clients documents and reports containing personally identifiable information. Such information often includes the Social Security numbers of individuals. Section 107 of HR 2971 would effectively deny us the ability to provide our clients with such information. The section provides an exemption for law enforcement and the collection of child support. But, the exemption should also includeproviders of reports prepared in connection with litigation, in anticipation of litigation, due diligence, investigation of insurance claims, civil and criminal fraud, criminal defense, identity fraud, and stalking or any other violations of law. There are appropriate uses for such information which is not only critical for private investigators but for attorneys, journalists, medical researchers, insurance companies, self regulatory bodies, as well as government and law enforcement agencies. Licensed private investigators use the information in fraud prevention, child support enforcement, uniting separated families, locating heirs to estates, locating pension fund beneficiaries, locating organ and bone marrow donors, to assist those engaged in significant journalistic endeavors, apprehending criminals, aiding citizens in obtaining access to public record information and in assisting the very individuals that this legislation seeks to protect. Although HR 2971 provides the Attorney General with the authority to provide additional exemptions, we believe it is critical for Congress to spell them out in advance. The bill, as introduced, would have a substantial deleterious impact on the court system and individual victims of crime. Such major issues should be resolved by elected officials and not delegated to the Department of Justice. There are a number of bills before Congress which would ban the use of the Social Security number for any but its intended purpose. Many of these bills do not take into consideration the effect of removing the social security number as an identifier. We fully appreciate the incredible burdens faced by victims of identity theft. Many of us have had to face these victims. When all other avenues of redress have fallen upon deaf ears and often as a last resort, identity fraud victims have turned to private investigators to redeem their name and restore their good reputation. In fact, many of us have assisted these victims for little or no remuneration. The National Council of Investigation and Security Services holds the position that anyone who uses personally identifiable information or financial information for illegal purposes be subject to criminal sanctions and heavy fines. We favor the implementation of assessing enhanced penalties for aggravated cases, actual damages for willful violations, and additional damages allowed by the court for commercial purposes, disgorgement of profits, attorney's fees and costs, and additional sanctions upon the receiver of information that is obtained for unlawful purposes. Taking away the tools from the civilian crime fighters and investigators serving the justice system is not the way to go about resolving identity theft. Congress needs to ensure that exemptions are provided for licensed private investigators on legitimate business. Our members have provided leads concerning rogue information providers to the FTC in the past. We would also like to see the FTC set up a formal liaison with our profession which would allow us to provide evidence on those who commit fraud and who tarnish our reputation. Concerning this and similar legislation, we in the past surveyed our membership about how they have been able to assist victims of identity theft. The following examples demonstrate the benefits of permitting licensed private investigators to access essential information from ``credit headers.'' HR 2971 would deny us this critical tool. These anecdotes should give this Committee some idea of the types of cases that require this information: A past president of NCISS was retained by the New York courts in a guardianship proceeding to recover over $300,000 in assets stolen from a ninety-seven year-old retired Army officer by a neighbor caregiver. Through the use of credit headers he was immediately able to determine the identities and locations of the wrongdoer's relatives, properties and eventually their assets that had been taken from the victim. It was the initial header check on the suspect that uncovered a Myrtle Beach, South Carolina address for him. That information developed leads that the victim's assets had been used to purchase real property in South Carolina, expensive automobiles and increased the bank account balances of the subject under the guise that the 97-year-old victim, who was suffering from dementia, had given his life savings as gifts to the suspect. The suspect was to eventually plead guilty and was sentenced to three to nine years in state prison for second-degree grand larceny and ordered to pay $360,000 in restitution to the estate of the victim, who died a month before sentencing of the defendant. In Coronado, California, an elderly woman whose apartment building had just been renovated suddenly began receiving bills for a credit card that she never used and kept in a desk drawer. When she complained to the contractor, he realized there were four possible suspect workers and hired a private investigator. The investigator verified the credit card was used by a man and wife fitting the description and in the neighborhood of one of the workers. The suspect was terminated while the other three were cleared and their jobs and reputations saved. No prosecution resulted. In Tennessee, a show dog breeder was being stalked and threatened by e-mail from an unknown harasser. She was terrified because she had no idea what the suspect looked like and she was often exposed in public arenas. The police could not help without some identification. Using credit headers and other sources, the private investigator found addresses for the suspect who was using four names, four different social security numbers and who had a criminal record. The investigator's report was provided to the police. The same investigator reports she recently located and served process on a dead-beat dad and could not have located him without using credit headers. In New York, a public utility hired our member to conduct a pre- employment background investigation for a high level position. A credit report, obtained under the FCRA contained two different social security numbers. Running a credit header check on the second number revealed a different name and addresses and the investigator discovered his true identity. The applicant had adopted the identity of one of his former college professors to keep his own less desirable background secret. In Atlanta, Georgia, an auto dealership asked our investigator to help an applicant who claimed his identity had been stolen. An imposter had stolen this man's social security number and date of birth as well as the identity of four other people. His criminal record included nine felonies in Georgia and other multi-state offenses. The applicant couldn't understand why he had been turned down for several jobs until one potential employer leveled with him and he realized his identity had been stolen. Numerous law enforcement agencies told him they couldn't help him. Our investigator arranged for the applicant to be fingerprinted and the Georgia Bureau of Investigation issued him a certificate stating he was not the same person as the imposter. He then carried the certificate to the three major credit bureaus to clear his name in their files. The investigator says had he not helped the victim through this maze, he would surely have been arrested in Georgia or Florida where warrants had been issued. An investigation in California found a middle-aged suspect had returned home after years away and stolen his elderly father's identity. He went on a spending spree in Oregon and California and was not called to answer before both his parents passed away. A private investigator was hired by the estate to try to apprehend the thief and obtain restitution. Most of his leads involve the use of credit header information. A former Dallas police sergeant, now a private investigator, reported he was pursuing a physician who filed bankruptcy following loss of suit for a wrongful death. The doctor divorced her husband before the bankruptcy and is now remarried to a man with a similar name and date of birth and social security number. The suspicion is that this maneuver served to hide assets due to the victim's survivors. In San Francisco, an investigator reports working a case for a successful business owner who started getting statements in the mail saying he owed tens of thousands of dollars on computers and other purchases, none of which he knew anything about. He found someone had hijacked his identity, opened credit card and store accounts in his name and had even opened a web page mirroring his web page and had an email address similar to his. The San Francisco Police said they would take a report, but would not investigate and suggested he go to the Secret Service. Although losses approached $80,000, the Secret Service said they would not handle the case until at least $100,000 is lost. The victim had a suspicion it was an ex-employee who lived in Salt Lake City and called the investigator. The agency used credit header information to learn that the ex-employee has three names, three or four social security numbers, and three different dates of birth on file. Here is an investigator's story from Toledo, Ohio, in his own words, about how credit header information is used to locate lost heirs: ``One of my cases involved a woman whose name was Terri. She was left a sizeable inheritance by her uncle in the form of a trust. The family had not had any contact with her for a number of years, so the attorney handling the trust asked for my assistance. By using header information, I was able to eventually determine that Terri was recently married and was living someplace in Utah. I was able to locate her husband's relatives and learned that Terri and her husband were destitute and were living out of a pick-up truck either in Utah or Oregon. I sent the requisite documentation to Terri in care of her husband's relatives and she rightfully obtained her substantial inheritance. Without access to header information, I would not have been able to locate her.'' The need for the continuation of the investigative profession's access to the SSN header search can be clearly seen from the following example. This example is from my own experience as a licensed private investigator attempting to assist a domestic maid whose son had been kidnapped by her husband. She had not seen her son in five years and had never contemplated hiring an investigator. What she did do was mount a letter writing campaign which yielded many letters from various empathetic police officials and politicians expressing their regret but providing no real answers or concrete assistance. She showed me a stack two inches thick of such letters, including one to the president of the United States, her Congressman, county sheriff, local municipal police chief, etc. When she told me that in addition to having her husband's date of birth, she also had his social security number, I became optimistic. I entered the SSN into my TransUnion database and immediately learned that the husband had used a West Palm Beach address within the previous six months when applying for credit. I checked directory assistance and they confirmed that there was a non-published telephone number in his name at that address. A five year journey of desperation, anguish and frustration was rewarded with success within a five minute period by simply having access to header information in the form of an inexpensive database search. We believe that the identity theft laws recently enacted will help law enforcement to prosecute perpetrators once apprehended. But Congress should be aware that public law enforcement resources are stretched and crimes of this nature are not now a high priority. The losses, though devastating to the victims, are usually beneath the dollar threshold that many departments follow. And the mental toll on the victims is unquantifiable. The private sector will have to continue to augment public law enforcement. And it should be noted that the hapless victims of this crime often have very limited resources. To the extent HR 2971 makes it easier for victims of identity theft to clear their credit files and restore their reputation, we commend it. But Congress should proceed very carefully before eliminating the very tools used to apprehend the stealers of the identities of others or the perpetrators of other criminal acts. Chairman SHAW. Thank you. Mr. Buenger. STATEMENT OF MICHAEL L. BUENGER, PRESIDENT, CONFERENCE OF STATE COURT ADMINISTRATORS, JEFFERSON CITY, MISSOURI Mr. BUENGER. Thank you, Mr. Chairman. My name is Mike Buenger. I am the President of the national COSCA, and also the State Court Administrator for the State of Missouri. The COSCA represents the principal court administrative officers in each of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands and the Territories of American Samoa, Guam and the Virgin Islands. I am pleased to present testimony to you today as this Subcommittee examines and struggles with the issue of protecting privacy and preventing the misuse of SSNs. Mr. Chairman, State courts handle 97 percent of all judicial proceedings in this country. Over 96 million cases are filed annually. I give you this statistic to frame the magnitude of the work of the State courts of our Nation and so that you can frame the impact of legislation such as H.R. 2971 on the courts. For the past several years, we have grappled with the issue of protecting privacy and private information as it relates to court documents. Although the immediate issue before the Subcommittee is protecting privacy of SSNs, privacy protection for information and court documents is part of a broader issue that involves balancing public access to government records and the openness of our courts with the legitimate privacy interest of citizens and, I might add, the capacity of courts to operationally accommodate both privacy and access concerns. We have sought to provide guidance to the State court community through a project entitled Public Access to Court Records, both the Conference of Chief Justices and COSCA having issued guidelines for policy development by State courts. This guidance outlines the issues that courts should address in developing rules and policies governing access to court documents. It provides but one approach. However, Mr. Chairman, there is no doubt that SSNs are contained in many court documents and frequently as mandated by Federal and State law. For example, Federal law requires us to collect SSNs to track deadbeat parents. Court orders and pleadings involving child support must bear the parties' SSNs, again a requirement of Federal law. Federal regulations require that garnishment orders for Federal postal employees bear the SSN of the garnishee. State courts use SSNs to identify parties to a case, to collect fines and crime victim restitution and to report criminal history to central repositories. Frequently, they are found in documents filed with the court for safekeeping, such as discovery documents and deposition testimony. They are, as noted, frequently used and for good reason. They are a needed and unique identifier used by virtually every member of the justice community and the law enforcement community, not just the courts. The most important message I can deliver to you today, Mr. Chairman, is that COSCA stands ready to work with you in crafting solutions to address the problem of identity theft. I think it is also important to understand that this is not a problem that can be resolved through a mandate. It is complex not only in terms of your responsibility to establish balanced public policy but also in terms of the ability of the States and in this particular case the State courts to actually implement that policy. The threat of identity theft is real, and we want to do our part to eliminate it. Section 102 of H.R. 2917 is of particular concern to us because it would effectively require courts to redact or otherwise prevent the display of SSNs from most court documents. This section has serious implications for State courts in a variety of contexts. Given the volume of cases filed annually in the State courts, the task of redacting SSNs from existing documents or those to be filed would be daunting. In some circumstances, it puts us at odds with established Federal and State law. The SSN may appear in a variety of documents, including financial documents that are filed with the court, for example, tax returns and child support cases, or are appended to official court documents such as motions for summary judgment. Restricting access to SSNs in such documents is difficult because often such information can be buried in a stack of documents generally not reviewed by the court or its clerks until the case is actually heard. In conclusion, Mr. Chairman, we recognize the serious role of SSNs in incidents of identity theft and the fact that such information is readily available in a host of public records. The current state of affairs with regards to the treatment of SSNs provides lawbreakers a continuing opportunity to exploit the current system at the expense of ordinary Americans. However, there is no simple solution and certainly no cheap solution to this problem. Even the public policy coming from Congress evidences the complexity of the issue by requiring the collection, use and availability of such information and even its display on one hand, and then seeking to restrict its access in others. We hope that you will also assist the State courts in dealing with the unfunded mandates that H.R. 2971 will present to us. I thank you for offering us the opportunity to offer our opinion on this important matter. As I said, COSCA stands ready to work with you collaboratively and cooperatively in crafting a solution. Thank you, sir. [The prepared statement of Mr. Buenger follows:] Statement of Mike L. Buenger, President, Conference of State Court Administrators, Jefferson City, Missouri Mr. Chairman and Members of the Subcommittee, The Conference of State Court Administrators (COSCA) is pleased to present testimony on today's hearing ``Enhancing Social Security Number Privacy'' as the subcommittee examines the issue of protecting privacy and preventing the misuse of Social Security Numbers (SSNs). SUMMARY Mr. Chairman and members of the subcommittee, for the past several years the state court community has been grappling with the issue of protecting privacy, and private information, as it relates to court records. Although the immediate issue for the committee is protecting the privacy of SSNs, privacy protection for information in court records is actually a much broader issue. The use of Social Security Numbers in court records is, thus, a subset of much larger issues that involve balancing public access to government records with the legitimate privacy interests of citizens with actual capacity of courts to operationally accommodate privacy and public access concerns. To this end, we helped develop guidance for state courts through a project entitled ``Public Access to Court Records: CCJ/COSCA Guidelines for Policy Development by State Courts.'' This guidance outlines the issues that courts must address in developing rules and policies governing access to court records. The Guidelines touch on the use of SSNs in court records and other private information. The text of the Guidelines can be found at http://www.courtaccess.org/modelpolicy/ 18Oct2002FinalReport.pdf. Both the Conference of Chief Justices and COSCA adopted a resolution endorsing the Guidelines and urged the states to use them in developing their own standards, rules, and policies. Mr. Chairman, SSNs are pervasive in state court documents, frequently as mandated by state and federal law. For example, federal law requires us to collect SSNs for various reasons related to tracking deadbeat parents. By federal law, SSNs must appear on pleadings and court orders related to child support. Even federal regulations require that a SSN must appear on garnishment orders involving postal employees. See, 39 CFR 491.3Along with other identifiers, courts use SSNs to associate parties to a case, i.e. to determine whether John Smith 1 is different from John Smith 2. We use SSNs to collect fines and crime victim restitution, to report criminal records to central repositories, and to aid in the enforcement and collection of child support. In addition, many SSNs appear in the public record in many types of court cases including, but not limited to, bankruptcy, divorce, paternity, and child support determination. Mr. Chairman, the most important message I can deliver to you today is that the Conference stands ready to work with you in crafting solutions to address the problem of identity theft. But I think it is also important for the sub-committee and the Congress to understand that this is not a problem that can be solved through a simple mandate. It is complex not only in terms of your responsibility to establish consistent public policy but also in terms of the ability of states, and in this case state courts, to actually implement that policy. The threat of identity theft is real and we want to do our part to eliminate it. We are at the same time concerned about the effort to require us to redact or expunge SSNs that appear in public records. We feel that this type of requirement could impose an incalculable burden on the state courts in this country, both with respect to resources and funding to achieve that goal. The cost to fulfill this requirement would be high because many SSNs appear in paper documents as well as other hard-to-redact microfilm/microfiche. ABOUT COSCA Before I begin my remarks, I would like to provide some background on our group and our membership. I submit this testimony as the President of the Conference of State Court Administrators (COSCA). COSCA was organized in 1955 and is dedicated to the improvement of state court systems. Its membership consists of the principal court administrative officer in each of the fifty states, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, and the Territories of American Samoa, Guam, and the Virgin Islands. A state court administrator implements policy and programs for a statewide judicial system. COSCA is a nonprofit corporation endeavoring to increase the efficiency and fairness of the nation's state court systems. State courts handle 97% of all judicial proceedings in the country, over 96 million cases annually. The purposes of COSCA are: To encourage the formulation of fundamental policies, principles, and standards for state court administration; To facilitate cooperation, consultation, and exchange of information by and among national, state, and local offices and organizations directly concerned with court administration; To foster the utilization of the principles and techniques of modern management in the field of judicial administration; and To improve administrative practices and procedures and to increase the efficiency and effectiveness of all courts. Although I do not speak for them, I also would like to tell you about the Conference of Chief Justices (CCJ), a national organization that represents the top judicial officers of the 58 states, commonwealths, and territories of the United States. Founded in 1949, CCJ is the primary voice for state courts before the federal legislative and executive branches and works to promote current legal reforms and improvements in state court administration. COSCA works very closely with CCJ on policy development and administration of justice issues. NATIONAL EFFORT TO CRAFT PUBLIC ACCESS GUIDELINES TO COURT RECORDS Our project entitled, ``Public Access to Court Records: CCJ/COSCA Guidelines for Policy Development by State Courts'' was a joint effort of CCJ and COSCA to give state court systems and local trial courts assistance in establishing policies and procedures that balance the concerns of personal privacy, public access and public safety. The State Justice Institute (SJI) funded this project in 2001 and the project was staffed by the National Center for State Courts (NCSC) and Justice Management Institute (JMI). The project received testimony, guidance and comments from a broad-based national committee that included representatives from courts (judges, court administrators, and clerks), law enforcement, privacy advocates, the media, and secondary users of court information. The Guidelines recommend the issues that a court must address in developing its own rules and policies governing public access to its records. The Guidelines are based on the following premises: Retention of the traditional policy that court records are presumptively open to public access The criteria for access should be the same regardless of the form of the record (paper or electronic), although the manner of access may vary The nature of certain information in some court records is such that remote public access to the information in electronic form may be inappropriate, even though public access at the courthouse is maintained The nature of the information in some records is such that all public access to the information should be precluded, unless authorized by a judge Access policies should be clear, consistently applied, and not subject to interpretation by individual courts or court personnel The Guidelines Committee examined the use of SSNs in current court practices. They looked at the inclusion of SSNs in bulk distribution of court records, and information in other documents besides SSNs that courts traditionally protect, such as addresses, phone numbers, photographs, medical records, family law proceedings, and financial account numbers. Finally, the Committee examined various federal laws and requirements governing SSN display and distribution by state and local entities. On August 1, 2002, CCJ and COSCA endorsed and commended ``the Guidelines to each state as a starting point and means to assist local officials as they develop policies and procedures for their own jurisdictions.'' STATE COURTS' INTEREST IN COLLECTING AND USING SOCIAL SECURITY NUMBERS Why is this question of concern to state courts? Why do state courts need to require parties to provide their SSNs in the course of state court litigation? Identification of parties. A growing number of court systems are using case management information systems in which an individual's name, address, and telephone number are entered once, regardless of the number of cases in which the person is a party. Such ``party based'' systems are rapidly replacing ``case based'' systems. The advantage of these systems is multifold: they enable courts to update an address or telephone number for all cases in which the person is a party by a single computer entry, they provide judges and court personnel with a fuller array of justice information, and they allow for cleaner information sharing with other justice community participants such as law enforcement, prosecutors, probation systems, and the like. Absent the use of unique identifiers such as SSNs, the entire justice community would come to a grinding halt and be unable to meet many state and federal mandates. SSNs provide a unique identifier by which court personnel can determine whether the current ``John Smith'' is the same person as a previous ``John Smith'' who appeared in an earlier case and whether this was the same ``John Smith'' reported to the central criminal records repository. The need for SSNs in the future may be substantially reduced by the use of other ``unique'' identifiers, e.g., biometric identifiers in criminal cases. Moreover, the ability to mask SSNs becomes easier as state courts implement sophisticated case management systems. Certainly the move to ``automate'' state courts with high-end technology allowing such services as electronic filing can provide opportunities for greatly limiting access to personal information such as SSNs. However, the time and costs of moving to such systems necessarily means that the ability to mask or redact such information is, for many courts, a future event not something that can or will be done overnight simply because there is federal mandate to do so. Collection of fees, fines and restitution by courts. SSNs are the universal personal identifier for credit references, tax collection, and commercial transactions. When courts give a criminal defendant an opportunity to pay an assessment resulting from a criminal infraction in periodic payments, the court needs to be able to function as a collection agency. Having the convicted person's social security number is necessary for use of state tax intercept programs (in which a debt to the state is deducted from a taxpayer's state income tax refund) and other collection activities. Moreover, SSNs are often used for purposes such as enforcing criminal fines and restitution orders or denying of motor vehicle registration. Creation of jury pools and payment of jurors. SSNs are a necessary part of identifying eligible jurors through a process by which multiple lists (for instance, registered voters and registered drivers) are merged to eliminate duplicate records for individual citizens in creating a master source list for the random selection of jurors. Duplicate records double an individual's chance of being called for jury duty and reduce the representativeness of jury panels. Some courts use SSNs to pay jurors as well. Making payments to vendors. SSNs are used as vendor identification numbers to keep track of individuals providing services to courts and to report their income to state and federal taxing authorities. Facilitating the collection of judgments by creditors and government agencies. Courts are not the only entities that need to collect judgements. Judgment creditors need SSNs to locate a judgment debtor's assets to levy upon them. Courts often require that the judgment debtor make this information available without requiring separate discovery proceedings that lengthen the collection process and increase its costs. Federal law now requires state courts to place the parties' SSNs in the records relating to divorce decrees, child support orders, and paternity determinations or acknowledgements in order to facilitate the collection of child support. On October 1, 1999, that requirement was extended to include the SSNs of all children to whom support is required to be paid. Notification to the Social Security Administration of the names of incarcerated and absconded persons. The Social Security Administration cuts-off all payments to persons incarcerated in federal, state or local prisons or jails, and to persons who are currently fugitives from justice. The savings to the federal budget from this provision are substantial. To implement this process, Social Security Administration needs to identify persons who have been sentenced to jail or prison and persons for whom warrants have been issued. The agency has traditionally obtained this information from state and local correctional agencies. See 42 USC 402(x)(3). The state courts of Maryland are involved in an experimental program to provide such information directly from court records. The Maryland program has two additional future advantages for state courts. First, the program offers the possibility of obtaining better addresses for many court records; social security and other welfare agencies have the very best address records because of beneficiaries' obvious interest in maintaining their accuracy. Second, cutting off benefits may provide a useful incentive to those persons subject to outstanding warrants without requiring law enforcement to expend resources to find and serve such persons. Transmitting information to other agencies. In addition to the Social Security Administration, many states provide information from court records to other state agencies. A frequently occurring example is the Motor Vehicle Department, to which courts send records of traffic violations for enforcement of administrative driver's license revocation processes. These transfers of information often rely upon SSNs to ensure that new citations are entered into the correct driver record. PROPOSED LEGISLATION Mr. Chairman, your legislation, H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act of 2003, contains the following provision: SEC. 102. RESTRICTIONS ON THE SALE OR DISPLAY TO THE GENERAL PUBLIC OF SOCIAL SECURITY ACCOUNT NUMBERS BY GOVERNMENTAL AGENCIES ``(x)(I) An executive, legislative, or judicial agency or instrumentality of the Federal Government or of a State or political subdivision thereof or trustee appointed in a case under title II, United States Code (or person acting as an agent of such an agency or instrumentality or trustee) in possession of any individual's social security account number may not sell or display to the general public such number.'' This section has serious implications for state courts in a variety of contexts. For example, federal law requires courts to enter SSNs on court orders granting divorces or child support or determining paternity. Some states' laws contain similar requirements in other types of cases. As noted previously, given that over 96 million cases are filed annually in state courts, the task of redacting SSNs from existing documents is not only daunting, it may actually violate federal law in some cases and certainly violates many state ``sunshine laws'' to the extent that access to documents is required. SSNs appear in many financial documents, such as tax returns, which are required to be filed in court (e.g., for child support determinations) or are appended to official court documents, such as motions for summary judgments. Restricting access to SSNs in such documents is difficult because often such information can be buried in a stack of documents, which are generally not reviewed by courts or clerks until the case is actually heard. Courts will have substantial increased labor costs in staff time to redact or strike the appearance of SSNs in paper records or in microfilm/microfiche if the above requirement is imposed. In addition, we are unclear whether H.R. 2971 applies to newly made court records or all records in a court's inventory. Obviously, asking courts to retroactively expunge or redact social security from all court records would be time consuming and expensive. Given the extensive records retention policies applicable to court filings, retroactive redaction or masking could be an impossible task in some states. Finally, in an effort to make courts and court records more open, many courts are now beginning to make available many public records on the internet either as text/character documents or by scanning and placing them online through imaging software (PDF files). While the removal of SSNs in text/character documents may be relatively easy in some computer generated records (XML), other scanned records, such as PDF files, will be harder to change necessitating more staff and an increase in labor costs. COSCA RECOMMENDATIONS We have recommended that state courts adopt the following policies, unless state law directs them otherwise: Official court files. State courts should not attempt to expunge or redact SSNs that appear in documents that are public records, and certainly this should not be required on a retroactive basis. As was mentioned earlier, federal law requires state courts to place the parties' SSNs in the records relating to divorce decrees, child support orders, and paternity determinations or acknowledgement in order to facilitate the collection of child support. The purpose of placing that data on judgments is not just to provide it to child support enforcement agencies; it is also to provide it to the parties themselves for their own private enforcement efforts. Any other approach puts the courts in an untenable position--having an affirmative obligation to provide judgments in one form to parties and child support enforcement agencies and in another form to all other persons. This same reasoning applies to income tax returns or other documents containing SSNs filed in court. It would be unreasonable, and expensive, to expect courts to search every document filed for the existence of SSNs. Further, court staff has no business altering documents filed in a case; the SSN may have evidentiary value in the case--at the very least to confirm the identity of the purported income tax filer. Case management information databases. Data in automated information systems raises more privacy concerns than information in paper files. Automated data can be gathered quickly and in bulk, can be manipulated easily, and can be correlated easily with other personal data in electronic form. Data in an automated database can also be protected more easily from unauthorized access than data in paper files. It is feasible to restrict access to individual fields in a database altogether or to limit access to specific persons or to specific categories of persons. Consequently, state courts should take steps to restrict access to SSNs appearing in court databases. They should not be available to public inquirers. Access to them should be restricted to court staff and to other specifically authorized persons (such as child support enforcement agencies) for whose use the information has been gathered. Staff response to queries from the public. When court automated records include SSNs for purposes of identifying parties, court staff should be trained not to provide those numbers to persons who inquire at the public counter or by telephone. However, staff may confirm that the party to a case is the person with a particular SSN when the inquirer already has the number and provides it to the court staff member. In short, staff may not read out a SSN but may listen to the number and confirm that the party in the court's records is the person with that number. This is the same distinction applied to automated data base searches. This distinction is one commonly followed in federal and state courts. CONCLUSION Mr. Chairman, we recognize the serious role of SSNs in incidences of identity theft and the fact that such information is readily available in a host of public records. The current state of affairs with regard to the treatment of SSNs provides lawbreakers the continued opportunity to exploit the current system at the expense of ordinary Americans. The threat of identity theft is real and we want to do our part to eliminate it. However, as previously noted, there is no simple solution and certainly no cheap solution to this problem. Even the public policy coming from Congress evidences the complexity of the issue by requiring the collection, use and availability of such information on one hand and then seeking to restrict access to its use on the other. We also hope that you assist the state courts in dealing with the unfunded mandate H.R. 2971 presents. I have presented several ways our courts utilize SSNs and finding solutions to protect an individual's privacy will be complex and difficult. Many state courts are already taking steps to fashion solutions in response to the problem. Washington state, for example, is pioneering an innovative solution where they are creating two sets of court records: a public and a private one. Other states are experimenting with different approaches. Chairman SHAW. Thank you for your testimony. Mr. Cate. STATEMENT OF FRED H. CATE, PROFESSOR OF LAW, UNIVERSITY OF INDIANA-BLOOMINGTON, BLOOMINGTON, INDIANA Mr. CATE. Thank you very much, Mr. Chairman. I want to join the chorus of those thanking you for your steadfastness in having pursued both efforts to improve the integrity of the Social Security system and to fight identity theft. We are well-served by those efforts and well-served by this hearing today. As you well know, SSNs are used throughout both the public and private sectors for two very important and closely linked roles. One is to accurately link information, if you will, connect information to the file. Maybe one example will be sufficient to suggest the daunting task this really is. In the credit reporting industry in this country, 3 major national credit reporting agencies process 2 billion pieces of personal data on 180 million active consumers every month. Getting the right data in the right file is a considerable challenge. The second role is, of course, to facilitate identification of individuals; and, again, credit reporting may be a useful example. The 3 credit reporting bureaus generate 600 million credit reports, and one of the uses of SSNs is to link the individual to the file so that it is then possible for the retailer or lender or whoever is requesting that file to actually determine that the individual is who he or she claims to be. This system of ubiquitous, widely available national SSNs has yielded many benefits, and you have heard of many of these over the past years. These are not merely commercial, although the commercial ones are certainly quite important. I would just take a moment to say we often think of the commercial benefits in negative terms, identifying people who have defaulted on loans or filed for bankruptcy, but the commercial benefits are also quite positive by allowing individuals to benefit from their own positive behavior, their good credit records, and it is protecting those good credit records that SSNs play a key role in, which are particularly important in helping to reduce frauds by linking the individual to the file so that it is possible to verify their identity. We have already heard about the use for location. I would refer you to testimony before this Subcommittee 3 years ago in which you heard about the impact on pension beneficiaries, that the addition of the SSN to name and address information increased the likelihood of finding a pension beneficiary from 8 percent to 85 percent, a more than tenfold increase by virtue of having access to the SSN. Law enforcement, of course, for years has had access and made use of SSNs; and in the days and months since 9/11 we have discovered new security uses and available benefits that SSNs generate. Let me be clear: when we think about the programs that Congress and the Administration have put in place or are considering for border security, for airline security and other forms of national security, the question of SSN availability is only goes to the question of making those programs more accurate. It may very well be that you do not wish those programs to go forward, but whether or not they go forward it is clear we want them to be as accurate as possible, and that, of course, is what SSNs help make possible. This, then, reflects a problem with the current bill. Let me say there are many aspects of the current bill that are very desirable, very laudable: efforts to increase the penalties for the misuse of SSNs, to enhance the efficiency and oversight over the assignment of SSNs, to get SSNs off of identity documents where they do not belong. Nevertheless, the effort to restrict disclosure subject to certain exceptions in an effort to protect against identity theft, all of my research suggests will be not only ineffective but counterproductive. There are a number of reasons for this, and I will conclude by touching on those. First, the issue is not just use of SSNs. It is fine to say that the Attorney General can adopt exceptions so that SSNs can be used in national security matters. However, of course, what most matters is that the SSNs were available when the data were collected so that the data were properly placed in the correct file. Second, the two-tier system seems unlikely to work. Maintaining records, whether in the public sector or private, in which SSNs are reflected in one version of the records but not in the others creates an extraordinary burden. Third, it is not clear that most cases of identity theft would be in any way affected by this bill. The FTC's September 2003, study on identity theft indicated that 76 percent of identity theft cases involved a friend, family Member, coworker, neighbor or an employee of somebody who has lawful access to the SSN. Restricting the further transmission or the display of the SSN would not be relevant in those cases, the vast majority of cases. Finally, there are far more important steps, far more urgent steps, that Congress could and should take to help protect against identity theft and to reduce the role of SSNs in identity theft. I would point, for example, to Ms. Foss's three suggestions, which strike me as excellent, that those who are responsible for identifying people in connection with their credit reports should be given incentives to make more certain identification, increased funding for enforcement, more funding for agencies like the SSA. At the end of the day, while Congress is concerned with passage of the FACT Act, about accuracy of credit reports and other databases and ensuring that those are used and applied as accurately as possible, restricting access to SSNs is likely to have the opposite effect. Thank you. [The prepared statement of Mr. Cate follows:] Statement of Fred H. Cate, Professor of Law, University of Indiana- Bloomington, Bloomington, Indiana My name is Fred Cate, and I am a Distinguished Professor and director of the Center for Applied Cybersecurity Research at IndianaUniversity, and a senior policy advisor at the Center for Information Policy Leadership at Hunton & Williams. For the past 15 years, I have researched, written, and taught about information laws issues generally, and privacy law issues specifically. I directed the Electronic Information Privacy and Commerce Study for the Brookings Institution, was a member of the Federal Trade Commission's Advisory Committee on Online Access and Security, and served as reporter for the recent Department of Defense Technology and Privacy Advisory Committee. A brief biographical statement is attached. I appreciate the opportunity to testify today, and I am doing so on my own behalf. My views should not be attributed to Indiana University or to any other institution or person. The Essential Role of Social Security Numbers My research on information flows in both public and private sectors, and all of the other research in this field with which I am familiar, highlights the need for, and difficulty of, accurately identifying individuals and attributing information about them. At first glance, these may seem like straightforward activities, but they have proved exceptionally difficult. How do I know that the person presenting himself--to apply for instant credit, seek a government benefit, or board an aircraft--is who he claims to be? And how do I know that the data I have about him is correctly associated with the right person? One example may suffice to suggest the magnitude of this challenge. The three national consumer reporting agencies process two billion pieces of personal data on 180 million active consumers every month to generate 600 million credit reports a year. Making certain that each of those two billion pieces of data is placed in the right one of 180 million files and that each file is provided only in connection with the individual it concerns is a daunting task. The challenge is exacerbated by many factors, including: The frequency of common names (e.g., there are more than 60,000 John Smiths in the United States alone), and the fact that names are not constant, thanks in part to 2.3 million marriages and 1.1 million divorces every year.\1\ --------------------------------------------------------------------------- \1\ National Center for Health Statistics, National Vital Statistics Reports, vol. 51, no. 8, May 19, 2003, at 1, table A. --------------------------------------------------------------------------- The variety of addresses available to many people (e.g., home, office, vacation home, Post Office box), the fact that several people may share the same address, and the speed with which addresses and telephone numbers change: according to the U.S. Postal Service, approximately 17 percent of the U.S. population--about 43 million Americans--changes addresses every year; 2.6 million businesses file change-of-address forms every year.\2\ --------------------------------------------------------------------------- \2\ United States Postal Service Department of Public Affairs and Communications, Latest Facts Update, June 24, 2002. --------------------------------------------------------------------------- The inconsistencies with which we record names (e.g., J. Smith, J.Q. Smith, John Q. Smith) and addresses (e.g., ``123 Main,'' ``123 Main Street,'' ``123 Main St.,'' ``123 S. Main Street,'' ``123 Main Street, Apt. B''). The spread of first telephone and then Internet technologies, the increased mobility of the population, and the development of truly national competition mean that fewer transactions are conducted face-to-face, much less with people we know. As a result of these and other factors, the need for a unique, ubiquitous, national, constant, and authoritative identifier has become inescapable. Many activities in which we engage in both public and private sectors are impossible or impractical without it. That is why the Social Security Number has evolved to fill this role: modern government and business activities required it to identify individuals, and ensure that information about one individual is not erroneously attributed to another individual. These two functions are often interrelated. The identification function is often misunderstood. Obviously, the fact that an individual presents a Social Security Number does not prove that he or she is the person that the Social Security Number identifies. Rather, the Social Security Number provides an efficient, reliable way of locating a credit report or other record containing information that can then be used to verify the identity of a person. So, for example, if I apply for instant credit at a retailer, the retailer may ask for my Social Security Number as a way of locating a summary credit report about me. That credit report will list, among other things, my name, address, phone number, past addresses, and other identifying information. The retailer can then compare the information I have put on the instant credit application with the information contained in the credit report to determine if I am who I claim to be. Two points are critical here: First, knowing my Social Security Number alone does not get me credit; it is merely a quick way of locating reliable information about me that then can be used to verify my identity. If you don't believe me, walk in to any Target or Wal-mart or other retailer and try to obtain instant credit by presenting your Social Security Number alone. The second critical point is that the underlying data store must be accurate and reliable. Social Security Numbers play an essential role here as well by helping to ensure that data are linked to the right individuals and that subsequent users of those data have confidence in the accuracy and completeness of the data. When you apply for instant credit or an auto loan or a mortgage the lender wants to know that it is seeing an accurate and complete picture of your creditworthiness and that there will be reliable, affordable ways of determining if you declare bankruptcy or overextend yourself on credit in the future. Social Security Numbers facilitate the databases that do this. Benefits of Ubiquitous Social Security Numbers The availability and reliability of Social Security Numbers makes possible accurate and efficient national credit reporting and directly contributes to greater consumer choice, lower prices and interest rates, more widespread and affordable home ownership, and other benefits. Social Security Numbers facilitate commerce in other ways, for example, by making it easier to identify consumers remotely, thereby enhancing lender and seller confidence and reducing fraud. The benefits of accessible Social Security Numbers are not limited to commerce. Social Security Numbers also play critical roles in identifying and locating missing family members, owners of lost or stolen property, heirs, pension beneficiaries, organ and tissue donors, suspects, witnesses in criminal and civil matters, tax evaders, and parents who are delinquent in child support payments. Just as with credit reporting, Social Security Numbers--often combined with other information, such as name--make it possible to construct accurate, comprehensive public record and third-party databases and search them quickly and reliably. Paula LeRoy from Pension Benefit Information testified before this subcommittee in 2001 that the presence of a Social Security Number increases the chance of locating a pension beneficiary from less than 8 percent to more than 85 percent--a greater than ten-fold increase.\3\ Moreover, Social Security Numbers can overcome inconsistencies in names or address or errors in the way this information is recorded. --------------------------------------------------------------------------- \3\ Hearing on Protecting Privacy and Preventing Misuse of Social Security Numbers before the Subcom.on Social Security of the House Comm. on Ways and Means, May 22, 2001 (statement of Paula Leroy). --------------------------------------------------------------------------- Social Security Numbers are critical to identity verification and background checks required for airline employees, school bus drivers, child care workers, Defense Department and intelligence agency employees, and congressional staff. Post-September 11 programs for enhanced border, critical infrastructure, and passenger facility security all depend on being able to identify individuals and asses the risk they present by quickly connecting to accurate information about them. This is a substantial challenge, as stressed by the recent final report of the Department of Defense's Technology and Privacy Advisory Committee.\4\ Social Security Numbers are essential to this task. --------------------------------------------------------------------------- \4\ U.S. Department of Defense, Technology and Privacy Advisory Committee, Safeguarding Privacy in the Fight Against Terrorism 36-38 (2004). --------------------------------------------------------------------------- The essential roles played by Social Security Numbers highlight the importance of today's hearing and of your longstanding efforts, Mr. Chairman, and those of this subcommittee to ensure the integrity and security of Social Security Numbers and to protect against their misuse. We must ensure that Social Security Numbers are accurate, unique, and available for responsible use. H.R. 2971 takes some important steps in this direction, for example, by getting Social Security Numbers off of identification cards and checks where they do not need to be displayed, and enhancing protections within the Social Security Administration for ensuring that Social Security Numbers are issued appropriately and securely. However, the breadth and importance of the roles played by Social Security Numbers raise concerns about some of the restrictions posed by H.R. 2971. The Problem of Restricting Access Except for Specified Uses H.R. 2971 would broadly restrict the ``sale, purchase or display'' of Social Security Numbers, subject to exceptions for certain uses--for example, credit reporting and national security. I applaud your attention to these critical needs. The problem, however, is that Social Security Numbers need to be associated with the underlying data from the start to ensure that they are included in appropriate databases and made part of the right files. So, for example, provisions authorizing the Attorney General to permit certain uses for national security purposes are important, but almost certain to be ineffective, because national security and law enforcement officials need--and regularly use--databases constructed for other purposes to access routine innocuous data to determine the risk that an individual may present. It is fine for the Attorney General to require that an individual entering a government facility or boarding an aircraft present a Social Security Number, but it will not matter at all if those numbers cannot be used to access properly segregated data in existing databases. The FBI and other law enforcement agencies, for example, routinely access aggregate data collected and stored by Acxiom, ChoicePoint, LexisNexis, and other providers for many commercial uses. Allowing the FBI to use Social Security Numbers is important, but for the data to be reliable, the providers must have been permitted to use Social Security Numbers all along, and the government and private entities that supplied data to them must also have used them. Focusing only on the end user is inadequate. The focus on use also ignores the fact that national security and law enforcement uses of Social Security Numbers frequently involve databases created for other purposes. Those other purposes subsidize the national security and law enforcement uses that the bill is likely to permit; if Social Security Numbers cannot be provided for those other purposes, they will not be available for the national security and law enforcement uses either. The limitation of the display restriction to ``the general public'' is unlikely to ameliorate this risk, because of the breadth, vagueness, and circularity of the definition given the phrase ``display to the general public'': ``to make such number available in any other manner intended to provide access to the general public.'' Moreover, as the General Accounting Office noted in its 1999 report to you, it is difficult to imagine that many data providers will undertake the cost and effort of maintaining two sets of data--one without Social Security Numbers for display to the general public and one without for other uses--or that data from which Social Security Numbers have been removed or obscured can be maintained, aggregated, and filed accurately.\5\ In addition, because violation of this provision is made a crime, subject to five years imprisonment, it seems likely that most businesses will steer clear of any activity that might be considered ``display to the general public,'' even if that means no longer providing valuable services that may very well continue to be legal. --------------------------------------------------------------------------- \5\ General Accounting Office, Social Security: Government and Commercial Use of the Social Security Number is Widespread (GAO/HEHS- 99-28) (1999). --------------------------------------------------------------------------- The history of information flows is one of constantly evolving new and valuable uses. If those uses have to be approved one at a time through a legislative or regulatory process, they are less likely to evolve as quickly or to be as affordable when they do. Regulatory barriers might very well have restricted the unanticipated use of commercial records for locating parents delinquent with child support payments or retirees entitled to pension benefits. These uses were not anticipated when the databases on which they rely were first created, but they are valuable and important today. Rulemaking Authority and Lack of Preemption The many and vital benefits that the public enjoys as a result of ubiquitous Social Security Numbers are also threatened by the broad discretion given the Attorney General as to whether, and if so how, he might create exceptions to the bill's restrictions. As we have seen, any meaningful exception would likely result in undercutting significant portions of the bill. Narrower exceptions run the risk of not achieving the goals they are designed to serve and/or placing private--and public-sector custodians in the untenable position of maintaining duplicate databases or supplying data that may not be accurate or complete. The broad discretion given the Attorney General also creates a new regulator, parallel with the FTC which has long had authority in this area. What is most surprising, however, in view of the need for a truly national identifier for national security, law enforcement, and commercial purposes is that the bill does not appear to expressly preempt state laws and regulations concerning the disclosure and use of Social Security Numbers. As Congress acknowledged last year with passage of the Fair and Accurate Credit Transactions Act, it is difficult to imagine anything more intrinsically national in scope than the creation of accurate, complete databases necessary to support national commerce, national security, nationwide law enforcement, and the fight against identity theft. Incentives for Inaccuracy Social Security Numbers are critical for maintaining data about individuals accurately. H.R. 2971, by restricting the use of Social Security Numbers, threatens to make databases less accurate. This is especially likely in the face of the proposed restriction on uses of credit header information, which is often the source of accurate, up- to-date data necessary to identify and locate individuals and which is already the subject of existing financial privacy law. Nowhere is H.R. 2971's threat to accuracy more clear than in the provision prohibiting a person from doing business with an individual who will not provide a Social Security Number, unless federal law requires disclosure of the Social Security Number. The federal government has repeatedly acknowledged that it cannot maintain accurate records without access to Social Security Numbers; that is why the government requires them in such a wide range of settings even where no question of Social Security benefits is involved. But under this provision, the law would refuse to acknowledge that businesses face the same need; a business cannot refuse to provide a product or service to an individual who refuses to disclose his Social Security Number, even if that number is necessary to provide the product or service. The net result is certain to be data less able to be linked accurately with the individual it concerns--an ironic outcome at the same time as Congress has mandated the FTC and other regulators explore ways of improving accuracy in credit reports and other databases. Social Security Numbers and Identity Theft The motivation behind proposed new restrictions on the use and availability of Social Security Numbers is preventing identity theft. Identity theft is a growing scourge of modern life. It takes a toll not only on the economy and businesses, who bear the lion's share of economic loss associated with the crime, but also on individuals who struggle sometimes for years to correct false information--information wrongly placed--in their commercial or government records. It is certain that much more needs to be done to address the rising tide of identity theft; my research suggests that restricting Social Security Numbers in government and commercial records is not the right step. While we do not know as much as we need to about identity theft, thanks to the efforts of FTC and others, one important fact we are learning is that much--perhaps most--identity theft is not committed by a stranger, but by a family member, friend, or co-worker. According to the FTC's Synovate study of identity theft, published in September 2003 and based on more than 4,000 interviews, of the one-quarter of identity theft cases in which the victim knew the identity the perpetrator, 35 percent involved a ``family member or relative'' and another 18 percent involved a friend or neighbor. Another 23 percent of cases involved someone who worked at a company or financial institution that held the victim's financial information.\6\ Taken together, 76 percent of cases in which the perpetrator did identify the thief did not involve access to third-party data (e.g., commercial or public records) that appears to be the target of H.R. 2971. --------------------------------------------------------------------------- \6\ Federal Trade Commission, Identity Theft Survey Report at 28-29 (2003). --------------------------------------------------------------------------- In the remaining 24 percent of cases that might be affected by H.R. 2971, the role played by Social Security Numbers in identity theft is apparently the same as that played in other settings--namely, to link an individual to a database file (most often a credit report). Given the many valuable uses of Social Security Numbers and the many ways in which those numbers are available, it would be far more efficient, as well as more broadly effective, to focus on ways for improving the identification of the person with his file, rather than attempting to restrict access to the Social Security Number in the first place. So, for example, the law might creative incentives for credit grantors to take additional steps to ensure that the person is who he claims to be. This would held deter not only the 24 percent of identity theft cases that involve a stranger, but the other 76 percent that involve a friend, family member, or employee of a business with whom the victim has a relationship. While our knowledge about identity theft is still developing, we do know that accurate Social Security Number information, attached to all financial information, is critical to fighting identity theft and to remedying it when it does happen. Social Security Numbers--if unique and reliable--are critical to preventing the granting of credit in somebody else's name. They are critical to keeping bad data out of innocent people's files. They are critical to identifying identity theft when it occurs and notifying victims. Yet H.R. 2971 seems intended and likely to diminish their availability. The FTC study reports that businesses lost $47.6 billion due to identity theft.\7\ We should certainly be hesitant before imposing restrictions on Social Security Numbers that could add to that cost, especially if we cannot identify clear specific benefits from those restrictions. In addition, countless hearings, interviews with identity theft victims, and studies have shown that the greatest burden most identity theft victims face is clearing their good names. We should be hesitant before doing anything that would make that already difficult process any harder. --------------------------------------------------------------------------- \7\ Id. at 7, table 2. --------------------------------------------------------------------------- Finally, I would just note there is some risk of getting caught in an unending cycle. The need for a ubiquitous, reliable, unique identifier is not going to go away. If legislation makes Social Security Numbers unavailable, government and industry will devise another system of numbers. If Social Security Numbers today play a significant role in identity theft--and I have not seen evidence that they do--what leads us to think that the identifying number of the next decade won't play that same role? Conclusion Ubiquitous Social Security Numbers help identify people and ensure that information is associated with the correct person. These two critical roles are essential to many valuable activities--from facilitating national competition to locating heirs and missing children to enhancing national security. Accessible Social Security Numbers are also critical to preventing, detecting, and remedying identity theft, yet they appear to play little if any role in contributing to most cases of identity theft. This subcommittee would be well advised to continue its careful study of these issues; to enlist the FTC, the Social Security Administration, and other appropriate agencies in carrying out the research identified in H.R. 2971; to enact those measures necessary to enhance the integrity of the systems by which Social Security Numbers are created and assigned; to strengthen criminal penalties against the deceptive or fraudulent use of Social Security Numbers; and to identify and adopt specific measures to help victims of identity theft reclaim their good names easily and quickly. But I would urge the greatest caution before proceeding with any restrictions on the productive and value uses of Social Security Numbers necessary to the benefits consumers enjoy today, our economic resiliency, the prevention and detection of crime, and our national security. Chairman SHAW. Thank you. Mr. Mierzwinski. STATEMENT OF EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, U.S. PUBLIC INTEREST RESEARCH GROUP Mr. MIERZWINSKI. Thank you, Mr. Chairman. It is a pleasure to be back before the Committee. On behalf of the State PIRG. I would like to offer our views on SSN privacy, identity theft, and related matters. Again, I also thank you for your long-time leadership on keeping these issues before Capitol Hill. I realize it is complex to enact a bill that has the jurisdictional breadth of your bill, but we think it is important, and we encourage you to keep going forward. I want to make three points today, first on identity theft, then on Nation and its inadequacies and, third, on the need for your bill. Identity theft is not rocket science. Everyone agrees that anybody with no criminal skill and little physical risk, if any at all, can commit identity theft because of two factors, in my opinion, my professional opinion, I think that are agreed on by most experts in the field. The first factor is the ubiquitousness of the SSN. Your financial DNA is easily available out there. The second factor is the sloppy practices of credit reporting agencies and creditors when they issue credit. They issue credit not based on a number of matching points of identity. As Mr. Beales pointed out the FTC will be looking at ways to increase the number of matches that are required as part of a study under Nation based, by the way, on California law, but because the instant credit context often involves merely a name and a social. They don't check for an extra address or whether the address matches or a previous address, and it is just very simple to obtain instant credit with a name, a social and any other address that you might have. In our first studies done 8 or 9 years ago, we had no data on how extensive the problem was, but we did know that the problem was serious for consumers. We found in the year 2000, based on a survey, that consumers spent 175 hours clearing $17,000 worth of fraudulent credit off of their accounts and spent over $800 in out-of-pocket expenses trying to clear their names. That, of course, doesn't begin to measure the emotional distress. So, the victims routinely tell us that they don't often know how the identity theft occurred. Some of them, to be sure, it happened because of a relative. Increasingly, identity theft, because it is such a simple crime, is being taught in the prison yards. I have been told recently that it is a business model for methamphetamine gangs. They like to stay up at night, as you might guess, and they often go dumpster diving and collecting financial DNA and other information. Identity thieves also often take jobs--as part of gangs again, not relatives or brothers or friends. They will often take jobs as temporary administrative employees solely to harvest SSNs. So, the ubiquity of the SSN is out there. It is a big problem, and all the police that we have interviewed for our most recent reports, again, agree that the availability of the SSN is a significant problem. So, I would respectfully disagree with Professor Cate that the report suggests that it is not a problem. It is. The flaws in Nation, it is preemptive. We opposed final passage because it took away the laboratories of democracy, all the good ideas in fact that came from State law, yet Nation takes away the right of the States to enact most State laws. Second, there is no private right of action in Nation for many of the new rights that consumers have gained. Third, some of the rights in Nation to restore and clear your name are only possible if you file a police report. Many police don't take police reports. So, additional action is needed at the State level to give victims more ability to take advantage of Nation. Finally, the FACT Act doesn't protect SSNs; and that is why we need your bill. We need your bill to protect SSNs. Also, I would disagree with the notion that we need credit headers in society today. We think section 108 banning credit headers is a very important section. I have outlined in my testimony in detail why we think that the credit bureaus are now using the notice and opt-out privileges or conditions of Gramm-Leach-Bliley to collect SSNs from individuals, because, in fact, our reading of Trans Union II, a case upheld by the D.C. Circuit Court, is that credit bureaus can no longer use SSNs in credit headers. They can use the old ones they previously collected, but unless they provide notice and opt out they cannot. So, we think that your bill will perpetuate and narrow even further what the agencies have done in the Gramm-Leach-Bliley rules which were upheld in that court decision. The last point I want to make, I want to echo Mr. Hoofnagle's remarks on the refusal to do business provision. I know you have long stated that a video store should not be able to ask you for your SSN as a condition of renting a video. We agree, and we think that that is one of the most important sections of your bill. I think that if you tell the average American that you are going to put their SSN back in the box that Congress originally intended it to be in, that it can only be used for Social Security purposes, Medicaid purposes, tax purposes, they will be very happy with your legislation. Thank you. [The prepared statement of Mr. Mierzwinski follows:] Statement of Edmund Mierzwinski, Consumer Program Director, U.S. Public Interest Research Group Chairman Shaw, Rep. Matsui and members of the committee: We are pleased to again present the views of the U.S. Public Interest Research Group on ways to improve citizen and consumer privacy by protecting the Social Security Number from misuse and misappropriation for fraudulent purposes, including but not limited to, identity theft. As you know, U.S. PIRG serves as the national lobbying office for state Public Interest Research Groups, which are non-profit and non-partisan public interest advocacy groups active around the country. Summary U.S. PIRG believes that the widespread availability of the Social Security Number (SSN), the key to your financial identity, contributes to identity theft,\1\ which is one of the nation's fastest growing white-collar crimes. According to a 2003 survey by the Federal Trade Commission (FTC), nearly ten million Americans in the past year and one in eight adult Americans in the last five years has been a victim of identity theft.\2\ While the 2003 enactment of the Fair and Accurate Credit Transactions Act (FACT Act)\3\ may reduce some of the sloppy credit bureau and creditor practices\4\ that make it easy to open a fraudulent account in someone else's name, it is still incumbent on this committee to take additional steps to protect the Social Security Number. If the SSN is available in fewer places, on fewer documents and used for fewer commercial transactions or database identifiers when it shouldn't be, identity thieves as well as stalkers\5\ and even terrorists\6\ will be less able to harvest it for misuse. It is well- documented, for example, that identity thieves will often seek employment as temporary office employees, solely to harvest SSN and other bits of ``financial DNA.'' Identity theft is a serious crime. It costs the economy billions and wreaks untold havoc on the lives of hard-working Americans who face the emotional distress and nightmare of clearing their names. --------------------------------------------------------------------------- \1\ The state PIRGs have studied credit reporting and identity theft for fifteen years. See, for example, ``Nowhere To Turn'', Benner, Givens and Mierzwinski, CALPIRG and Privacy Rights Clearinghouse, 1 May 2000 at http://calpirg.org/CA.asp?id2=3683&id3=CA& We have released two previous reports on identity theft ``Theft of Identity: The Consumer X- Files'', CALPIRG and US PIRG, 1996 and ``Theft of Identity II: Return to the Consumer X-Files'', CALPIRG and US PIRG, 1997, as well as four reports on errors by credit reporting agencies since 1991, most recently ``Mistakes Do Happen,'' 1998. For additional details, see testimony of Edmund Mierzwinski before the Senate Banking Committee, 31 July 2003, at http://www.pirg.org/consumer/pdfs/ consumer31julymierzwinski.PDF \2\ See Federal Trade Commission ``Identity Theft Report,'' released 3 September 2003, prepared by Synovate at http://www.ftc.gov/ opa/2003/09/idtheft.htm \3\ The identity theft epidemic was not the spark that kindled passage of the FACT Act. Congress had ignored identity theft for years Expiration of certain time-limited restrictions on state authority to enact stronger credit and privacy laws drove industry to support permanent extension of the preemption of state laws. Although the new law includes several elements of PIRG's long-sought reform platform, the bill's price was unacceptable, since Congress permanently restricted most state rights to enact stronger laws, even though the best parts of the law are based on recent state laws. Both the Fair and Accurate Credit Transactions Act of 2003 (PL 108-159, 12/04/03) and the FCRA as amended are available at the FTC website at http://www.ftc.gov/ os/statutes/fcrajump.htm PIRG maintains an archive of FACT Act documents at http://www.pirg.org/consumer/fcra.htm \4\ Financial identity theft requires little criminal skill and no physical risk. Identity thieves armed with only your name and SSN exploit the creditor/credit bureau practice--extremely prevalent in the ``instant credit'' context, of matching only these two identifiers in the credit granting process. Conversely, since consumers are not trusted users, as are creditors, a credit bureau requires a consumer, to obtain his or her own credit report, to provide a full name, an SSN, an address, previous addresses for the past five year and, often, a xerox copy of a drivers' license or utility bill showing that same address. Of course, identity thieves are not seeking to obtain your credit report, merely to obtain credit in your name at their address. While certain FACT Act provisions are designed to increase creditor and credit bureau verification before account opening, limiting the availability of the SSN will make it harder to obtain your ``financial DNA'' and use it. \5\ Amy Boyer was the first known victim of an Internet stalker. A man named Youens tracked her with confidential information, including her Social Security Number, allegedly obtained through an Internet information broker. EPIC maintains an Amy Boyer archive at http:// www.epic.org/privacy/boyer/ See PIRG's archived fact sheet at http:// www.pirg.org/consumer/trojanhorseboyer.pdf \6\ According to recent news reports, a Kansas City man found out when he tried to purchase a car that his Social Security Number had been used by one of the suspected 9/11 hijackers' associates still at large. ``Man Trying To Buy Car Finds Out 9/11 Terrorist Took ID,'' Omaha News Channel, 21 April 2004, last accessed at http:// www.theomahachannel.com/news/3026399/detail.html on 13 June 2004. Further, one of the associates of the 9/11 hijackers, Lofti Raissi, had been reported to be using the Social Security Number of a long-dead New Jersey woman, suggesting one reason that the bill's protections for the SSNs of the deceased should be increased [See Title I, Section 101, exception VII of HR 2971 and Section 107(c)(2) of HR 2971]. Of course, nearly all the hijackers had one or more valid or invalid SSNs. See testimony of Social Security Administration Inspector General James Huse before the House Judiciary Committee, 25 June 2002, at http:// www.house.gov/judiciary/huse062502.htm Also see the 8 November 2001 Joint Hearing on the Social Security Administration Death Master File of the Ways and Means Committee Subcommittee on Social Security and the Financial Services Oversight and Investigations Subcommittee archived at http://financialservices.house.gov/ hearings.asp?formmode=detail&hearing=83 --------------------------------------------------------------------------- In addition, limiting the sale, purchase and display of the SSN in the private sector extends important privacy principles of the U.S. Privacy Act that have generally operated to protect privacy in government uses of information to also protect privacy in commercial uses of information, where consumers have generally only been protected by a patchwork of modest safeguards. As a result of the permissive availability of SSNs for use in the private sector, the SSN has leaked into use in all aspects of commercial transactions. Your bill contains two important provisions we have long supported. First, it extends a strong anti-coercion provision that will limit private sector use of the Social Security Number by making it an unfair trade practice to refuse to do business with a consumer who refuses to provide an SSN. Second, your bill fully closes the court-narrowed credit header loophole, which has allowed secondary sale and use of Social Security Numbers without consent by credit bureaus, outside of the protections of the Fair Credit Reporting Act (FCRA). In addition, your bill imposes important restrictions on the sale, display and use of the Social Security Number. For example the bill bans display on government-issued checks, on government or private sector employee and benefit ID cards and on drivers' licenses. It generally bans display, purchase or sale in the private sector. Your bill restricts use of SSNs by prison labor, following the well- publicized Metromail scandal involving a convicted felon who stalked a grandmother by telephone. It also adds new safeguards when obtaining a Social Security Card, to prevent fraudulent use and protect the integrity of the Social Security Number system. Your bill also increasing criminal penalties for misuse of the SSN. We offer suggestions below to narrow the exceptions provided in the bill to better achieve its purpose. Any legislation enacted should be simple, based on Fair Information Practices,\7\ and contain as few loopholes and exceptions as possible. It is critical that new legislation not preempt or roll back existing privacy protection under either the Gramm-Leach-Bliley Act (GLBA) regulations\8\ or the Shelby drivers' privacy amendments.\9\ We urge you to resist business demands for exceptions and loopholes. You should especially challenge their specious arguments that so-called business- to-business uses will not pose privacy risks. --------------------------------------------------------------------------- \7\ Fair Information Practices are discussed in numerous contexts in the Congress today. Unfortunately, many industry-supported bills and nearly all industry ``studies'' seek to dumb-down the comprehensive Fair Information Practices to unacceptable levels. As originally outlined by a Health, Education and Welfare (HEW) task force in 1973, then codified in U.S. statutory law in the 1974 Privacy Act and articulated internationally in the 1980 Organization of Economic Cooperation and Development (OECD) Guidelines, information use should be subject to Fair Information Practices. Noted privacy expert Beth Givens of the Privacy Rights Clearinghouse has compiled an excellent review of the development of FIPs, ``A Review of the Fair Information Principles: The Foundation of Privacy Public Policy.'' October 1997. http://www.privacyrights.org/AR/fairinfo.html The document cites the version of FIPs in the original HEW guidelines, as well as other versions. \8\ The GLBA created a category of protected ``non-public personal information.'' The final GLBA financial privacy rules issued by 7 federal financial agencies defined Social Security Numbers as non- public personal information (NPPI). A key provision is that the transfer of Social Security Numbers from financial institutions to credit bureaus is only allowed for regulated Fair Credit Reporting Act purposes (eg, for use in a credit report) but not for unregulated purposes, where the credit bureau would be considered a non-affiliated third party. The agencies correctly interpreted the law to prevent the sharing of Social Security Numbers unless consumers are given notice of the practice and a right to opt-out. \9\ Senator Shelby's 2000 amendments to the Driver's Privacy Protection Act were incorporated as Section 309 of the Transportation Appropriations bill (PL 106-346) signed by the President 23 October 2000. The amendment requires states to obtain express consent of drivers before the sharing or selling of a driver's ``highly sensitive personal information,'' including Social Security Number, photograph, image, or medical or disability information. In 1999, Shelby had incorporated these provisions into law as part of the Appropriations bill, but only for one year, while the 2000 amendment amends the DPPA itself. In 2000, the Supreme Court upheld the constitutionality of the DPPA in Reno vs. Condon. --------------------------------------------------------------------------- Unless credit bureaus and others are weaned from their over- reliance on the Social Security Number as a unique identifier, we will not succeed in protecting the SSN from misuse. In addition to the problems created by theft of the SSN, its use in the credit system as a supposed unique identifier is flawed and leads to inaccuracy in credit reporting due to errors in data entry. Unlike credit card numbers, which contain a check-sum digit reducing data entry error rates, SSNs can be easily entered with transposed digits or other errors. Mistakes in credit reports lead to consumers either being denied credit or paying too much for credit. (1) Principles of Social Security Number Protection: Simplicity, With Few, If Any Exceptions and Loopholes Privacy expert Robert Ellis Smith, the publisher of Privacy Journal and author of ``Social Security Numbers: Uses and Abuses'' (May 2001) has proposed a simple Social Security Number protection scheme.\10\ Your bill tracks much of it closely. Here is Smith's proposal, with his explanations in brackets: --------------------------------------------------------------------------- \10\ See the Privacy Journal website for more information. Smith's latest book is ``Ben Franklin's Web Site: Privacy And Curiosity From Plymouth Rock To The Internet'' http://www.privacyjournal.net/ 1. ``It shall be illegal to buy or sell the Social Security number of a person.'' [This is the source of much identity theft; it is always a secondary use of the SSN; and it is inconsistent with using the SSN as an AUTHENTICATOR of personal identity.] 2. ``No person shall be required to provide a Social Security number on an application for credit or on a request for a copy of one's own credit report under the Fair Credit Reporting Act.'' [The FCRA merely requires satisfactory proof of identity to see one's own credit file. Use of SSNs to make a match between a requested credit report (by a credit grantor) and a credit report in a credit bureau's system has been the cause of confusion for credit grantors, nightmares for consumers, and identity theft. If credit bureaus did not rely on SSNs to make a match, 80 percent of identity theft would cease. There is a long list of case law to support the need for this provision.] 3. ``No person shall be compelled or coerced into providing a Social Security number for any transaction unless there are income-tax consequences in the transaction or there is relevance to Social Security, Medicare, or Medicaid benefits. No person shall be compelled or coerced into providing a Social Security number on an application of employment until there has been a firm offer of employment. Any application for employment shall state that the request for the Social Security number prior to a firm offer of employment is voluntary.'' [This would essentially freeze demands for Social Security numbers in a way least disruptive to organizations currently relying on SSNs. It would tie demands for Social Security numbers to the two original purposes (SSA administration and federal taxes) two uses that are at least anchored in long-standing law. Placing SSNs on job-application forms increases the risk of exposing them to fraudulent users of SSNs.] 4. ``No institution of higher education or elementary or secondary school shall use a student's Social Security number as a student identification number.'' [An alarmingly high number of identity theft frauds originated from SSNs taken from universities. Deterring school systems from using the SSNs as a student ID number will permit parents to delay labeling their children with numerical IDs.] (2) Principles of Social Security Number Protection And Analysis of HR 2971 U.S. PIRG concurs with the detailed testimony today from the Electronic Privacy Information Center (EPIC). We believe that the most effective way to protect Social Security Numbers would be to enact simple, straightforward legislation that reins in the widespread non- statutory uses of the Social Security Number as an identifier in the private sector.\11\ --------------------------------------------------------------------------- \11\ Ideally, such a bill would also narrow many of the government use exceptions that have been established over the years allowing the Social Security Number to be used as an identifier and matching element for secondary purposes unrelated to Social Security. --------------------------------------------------------------------------- (A) Principal One: No Coercion By Businesses The Social Security Number was originally intended for Social Security purposes. Its federal government uses have been expanded to tax and Medicaid purposes. No private sector business should be able to insist that a consumer provide an SSN as a condition of doing business, unless that firm is required to collect the SSN for official government purposes. Your bill (Section 109) makes coerced demand (refusal to do business) of a consumer's Social Security Number an unfair trade practice under Section 5 of the Federal Trade Commission Act. No one should have to give up his or her SSN to rent a video, as you have long pointed out.\12\ --------------------------------------------------------------------------- \12\ This is essentially extending Section 7 of the Privacy Act of 1974, Public Law 93-579 (which protects the Social Security Number in government uses with an anti-coercion provision) to the private sector. --------------------------------------------------------------------------- (B) Principal Two: Close The Credit Header Loophole Your bill (section 108) also incorporates provisions long championed by its co-sponsor Rep. Kleczka closing the so-called credit header loophole. Under an egregious 1994 decision of the Federal Trade Commission, consumer reporting agencies (credit bureaus) had developed a thriving business selling Social Security Numbers outside the Fair Credit Reporting Act\13\ (FCRA), without consumer consent. --------------------------------------------------------------------------- \13\ 15 USC 1681 et seq. See the FTC's version of the FCRA as amended by the FACT Act at http://www.ftc.gov/os/statutes/fcrajump.htm --------------------------------------------------------------------------- Credit headers include information ostensibly not bearing on creditworthiness and therefore not part of the information collected or sold as a consumer credit report. The sale of credit headers involved stripping a consumer's name, address, Social Security Number and date of birth from the remainder of his credit report and selling it outside of the FCRA's consumer protections. Although the information, marketing and locater industries contend that header information is derived from numerous other sources, in reality, the best source of credit header data is likely financial institution information, which is updated regularly. While the DC Circuit, U.S. Court of Appeals, has upheld the Gramm- Leach-Bliley Act privacy regulations\14\ and thereby narrowed the credit header loophole,\15\ more needs to be done. The regulations do however allow the harvesting of SSNs for secondary purposes if the law's notice and opt-out provision is complied with. A recent Washington Post\16\ story notes that the credit bureaus are now adding a boilerplate notice to requests for credit reports or subscriptions to their over-priced credit monitoring services, which could allow them to bypass the court restrictions: --------------------------------------------------------------------------- \14\ On 16 July 2002, the DC Circuit of the U.S. Court of Appeals, Case No. 01-5202 [See http://laws.findlaw.com/dc/015202a.html] upheld an April 2001 U.S. Court DC District ruling (Trans Union LLC v. Federal Trade Commission, Civil Action No. 00-2087, see http:// www.dcd.uscourts.gov/00-2087.pdf) (the case now known as Trans Union II, consolidating Trans Union vs. FTC and IRSG vs. FTC) that the privacy rules issued under GLB are constitutional. [In Trans Union I vs. FTC the DC Circuit had upheld at FTC order that unregulated credit headers could not include dates of birth because of their use in credit scoring models and therefore, in credit decision-making. That case also upheld the constitutionality of the FCRA and that privacy protection serves an important government purpose. See (No. 00-1141, 13 April 2001, (cert denied, 10 June 2002 by Supreme Court), Trans Union I vs. FTC, http://laws.findlaw.com/dc/001141a.html \15\ For a discussion of the credit header loophole and the treatment of the SSN as protected non public personal information, see the GLBA Privacy Rule at pages 80-83, Federal Trade Commission, 16 CFR Part 313, Privacy Of Consumer Financial Information, Final Rule, available at http://www.ftc.gov/os/2000/05/glb000512.pdf \16\ See Oldenburg, Don, ``Free Credit Reports That Cost You Your Privacy'', The Washington Post, 17 Feb 04. --------------------------------------------------------------------------- ``And the other ``gotcha:'' ``There is an even higher price,'' the reader says. ``Reading the privacy disclosure information, I was surprised that you were agreeing to let them use everything in your credit report for marketing--by them, by their affiliated companies and by others.'' Bad enough that many privacy policies state that they're going to share your name, address, phone, Social Security number, birth date, even credit-card number for marketing purposes--resulting in more junk mail, spam and telemarketing calls (yes, even if you signed on to the federal Do Not Call Registry, because now you have a business relationship). In 1994, the Federal Trade Commission had granted an exemption to the definition of credit report when it modified a consent decree with TRW (now Experian). The FTC said that certain information would not be regulated under the Fair Credit Reporting Act. The so-called credit header loophole allows credit bureaus to separate a consumer's so- called header or identifying information from the balance of an otherwise strictly regulated credit report and sell it to anyone for any purpose. (C) Principal Three: Restrict The Sale, Purchase and Display of the SSN Your bill imposes important restrictions on the sale, display and use of the Social Security Number. For example the bill bans display on government-issued checks, on government or private sector employee and benefits ID cards and on drivers' licenses, and generally bans display, purchase or sale in the private sector. Your bill restricts disclosure to and use of SSNs by prison labor, following the well-publicized Metromail scandal. It also adds new safeguards when obtaining a Social Security Card, to prevent fraudulent use and protect the integrity of the Social Security Number system. Your bill also increases criminal penalties for its misuse. (D) Principal Four: Not All Social Security Number Bills Are Created Equal In previous Congresses, many worthy bills, in addition to your own, most recently HR 4857 (106th) and HR 2036 (107th), have been proposed by privacy champions. In the 107th Congress, meritorious proposals included HR 1478 (Kleczka), HR 220 (Paul) and S 324 (Shelby) to protect Social Security Numbers. Among other Social Security Number bills with positive features in the 106th Congress was a proposal by Rep. Markey (HR 4611). However it is important to note that some well-intentioned privacy bills may actually increase the risk of sale or display of Social Security Numbers. For example, in the 106th Congress, the most prominent Senate proposal to ostensibly protect Social Security Numbers actually would have expanded commercial availability of Social Security Numbers. Originally intended to serve as a legacy for Amy Boyer, the first known victim of an Internet stalker, the Amy Boyer Law,\17\ as very nearly enacted into law,\18\ was actually a Trojan Horse and would have expanded commercial loopholes for obtaining Social Security Numbers, failed to protect Social Security Numbers on public documents and also would have preempted stronger state privacy laws. Subsequent proposals from the Amy Boyer Law's chief sponsor, Senator Gregg, and Senator Feinstein, have been better, but still deficient compared to your approach.\19\ --------------------------------------------------------------------------- \17\ See PIRG's archived fact sheet at http://www.pirg.org/ consumer/trojanhorseboyer.pdf \18\ The Amy Boyer Law, introduced as S. 2554, (Gregg, 106th) was incorporated as Section 626 into the Commerce-Justice-State Appropriations (HR 4690 RS) and passed into law as Section 635 of HR 5548, which was included in HR 4492 as sent to the President, but then was rescinded on the same day by language reversing its effect included in the Conference Report on HR 4577, the Consolidated Appropriations Act, (Labor-HHS Approps). Section 213 of HR 4577 amends HR 5548 by deleting a number of sections of HR 5548. Section 213(a)(6) of HR 4577 strikes the Amy Boyer Law (Section 635 of HR 5548). See page H12261 of the Congressional Record for 15 Dec 00. \19\ For example, under the law enforcement exception in S 848 (Feinstein, 107th) collection of delinquent child support would be a ``law enforcement'' purpose. Does that extend the exception to allow any private firm collecting child support to take advantage of the exception? It appeared to do so, despite well-documented circumstances where some private child support collection firms have abused debt collection laws. See ``Problems At Child Support, Inc., Complaints Increase For Specialized Collection Firms'' 18 May 2000, Washington Post, Caroline E. Mayer and Jacqueline Salmon. --------------------------------------------------------------------------- (3) Suggestions To Improve HR 2971: We concur with EPIC's detailed recommendations to strengthen the bill and narrow its exceptions. In particular, we agree that the Congress should limit the Title I exceptions for governmental sale of the SSN. Specifically, we recommend that subsection (V), which allows unlimited sale of SSNs to thousands of credit reporting agencies (CRAs), be removed from the bill. This exception is too broad and allows unrestricted transfers of government records containing social security numbers to CRAs, possibly for purposes unrelated to regulated credit reporting, including direct marketing. If it remains, it should be re-drafted in the manner of the credit header section, Section 109, which would only allow the use of the SSNs so provided for provision in a regulated credit report, not for any other purpose. Second, as EPIC describes, additional procedural safeguards should be added to restrict the Attorney General's Section 102 prerogatives in granting additional sale and display exceptions. These include addition of a public comment period to the rulemaking, eliminating the ``undue'' qualifier and adding the crime of identity theft as a risk factor, and requiring any entity that gains use of the SSN through an exception to use technical means, such as encryption, to protect the SSN. We also concur with EPIC that section 104 should also prohibit states from encoding the SSN on magnetic strips, barcodes, or smart cards on the driver's license, as we are aware that while some states do not print the SSN on the card, they may embed the identifier digitally on the card. In addition, as we have pointed out above, unless steps are taken to wean the private sector of its over-reliance on the SSN, it will continue to use it. Therefore, we concur with EPIC that exceptions should be for limited and specific time durations. If the committee believes it is necessary to extend any exceptions at all allowing continued non-statutory collection of Social Security Numbers by the private sector, which has unfortunately come to depend on the Social Security Number as a crutch, then the committee should include technology-forcing time limits on private uses so that firms are forced to develop more accurate alternatives that do not pose the secondary use problems of continued use of the Social Security Number, which was originally intended only for Social Security and certain tax purposes. Expect the business community to argue that business-to-business uses are both necessary and protective of the SSN. Neither claim is true. Conclusion We want to thank you, Mr. Chairman, for your leadership on these issues and for offering us the opportunity to present our views on the need for strong privacy protections to protect Social Security Numbers from misuse. We look forward to working with you on this and other matters to guarantee the privacy of American citizens. Restricting the widespread availability of Social Security Numbers is one of the most important solutions to the identity theft epidemic. It also brings the use of SSNs more closely under the limited use principles embodied in the Fair Information Principles. Chairman SHAW. Thank you. It wasn't too long ago this Committee had a hearing, and a military officer had undergone the same problem. The identity thief had taken his identity and SSN and purchased a Jeep. On further reflection, he all of a sudden realized that, also, his Social Security was his serial number that was required on the back of the check at the PX. So, you never know how many hands these things are going to go through; and, Mr. Ladd, we have got a lag time in the bill of 2 years in order to get to conformity. As long as public documents are public documents, and, of course, these court files have to stay open to the public and particularly land records. I practiced law for many years before coming to Congress. I can't remember a single time except in an estate situation where I had to inquire of the client of his SSN. Twenty some years can fog your memory, but I can't remember back then we ever needed them or wanted them, and that is back when we tracked land titles with abstracts instead of doing it online. We didn't know what online meant. Mr. LADD. We would concur with that, that there is little purpose from the land records custodian's point of view for the inclusion of the SSN. However, because of some of the difficulties of identifying the correct Robert Jones, and in the land title business as well, that has become added to the record more and more frequently. We object to it, but we have no authority to refuse the record. Chairman SHAW. My brother's name is John Shaw. Clay Shaw is not a very common name, unless you go to New Orleans. John Shaw is a common name. We own property together, and every time there is a title search his name pops up with about six judgments against it, which we cure with affidavits. We don't seem to have a problem with that because, of course, he doesn't have any judgments against him, but it is a common name. Still we have always done it without putting any SSNs on the record; and, quite frankly, I am not sure that would separate him from someone with a similar name because I don't recall the SSN ever being on a final judgment that was put on record. Mr. LADD. Will that vary from jurisdiction to jurisdiction and then from financial institution to financial institution. Chairman SHAW. You do have a problem as far as your State law is concerned? I think Mr. Cate, you spoke or one of you spoke about State rights. Either Buenger or Cate, I can't remember which one. The SSN is a Federal number issued by the Federal Government, and I don't see any States' rights problem in limiting the display of that. Ms. Foss, I wanted to go just a little further into your case. You certainly went through a nightmare; and, fortunately, the perpetrator showed up and was prosecuted and now is, I assume, still serving time in jail. Ms. FOSS. The special agent with the Social Security Inspectors Office said that they couldn't track whether or not she was still in jail. So, they didn't know at this point in time. Chairman SHAW. Well, we don't lose people in jail. Even in Baghdad we know who is in the can. I would think somebody could track that down. Was it in a Federal penitentiary? Or was it State? Ms. FOSS. She was working out of Mail Boxes, Etc. on Wisconsin Avenue in D.C., so I believe it was the D.C. District Court that handled it. Chairman SHAW. Do you live here in the District? Ms. FOSS. I never lived in the District. I have lived in Maryland. At the time this happened to me, I was in Pennsylvania; and I never had anything stolen that I know of. Chairman SHAW. How long ago was it? Ms. FOSS. It was 1999 when I discovered it, and she had been going at it for about 6 months. Chairman SHAW. Yes, I guess she is probably out. I hope she didn't write it down somewhere. Ms. FOSS. I hope she forgets everything. Chairman SHAW. You are smart to keep track of your record, because that stuff can pop up again. One of the terrible things with identity theft is once you get into that cycle you are very liable to get hit again. So, it is very important. I can see that you all disagree in a much more civil manner than we do here in the Congress, and I congratulate you. We very much appreciate your point of view. I am going to give the other Members of this Committee an opportunity to submit some questions which I intend to also submit to you in writing, and we would appreciate your answering those questions, and we will make that part of this record. Thank you so much for your time. The problem with the Members not being here is that the hearing went actually longer than we thought, plus we had an interruption of almost an hour in the middle of it, which got schedules all off kilter. Thank you. This hearing is adjourned. [Whereupon, at 1:54 p.m., the hearing was adjourned.] [Questions submitted from Chairman Shaw to Mr. Beales, Mr. O'Carroll, Ms. Bovbjerg, Mr. Maxwell, Mr. Ladd, Mr. Hoofnagle, Mr. Mierziwinski, Mr. McGuinness, Mr. Buenger, Mr. Cate, and their responses follow:] Questions from Chairman E. Clay Shaw, Jr. to Mr. Howard Beales, III Question: You mentioned that the Gramm-Leach-Bliley Act (GLBA) restricts financial institutions from sharing SSNs with unaffiliated businesses. When the FTC issued the final rule on privacy under GLBA, did you anticipate a greater level of protection for SSNs than has actually occurred, especially with regard to SSNs in credit headers? How has actual practice differed from what the FTC envisioned at that time? Would you agree we need stronger protection for SSNs? Answer: When considering the need for greater protections for SSNs, it is important to keep in mind the reason that SSNs are valuable to identity thieves. SSNs are crucial to the proper functioning of our financial system. In particular, they are used by credit bureaus to match consumers to the appropriate credit information and are widely used by businesses to identify consumers. Thus, in a real sense, access to SSNs by legitimate users is an important tool in combatting identity theft. In my view, any restrictions on SSNs should be carefully tailored to balance the need to keep SSNs out of the hands of those who might use the information fraudulently with the need for businesses to have sufficient information--including SSNs--to spot fraud and attribute information to the right person. The best approach to achieving this balance is to limit access to SSNs to those purposes that are legitimate. This is the model used in other successful federal privacy laws, such as the Fair Credit Reporting Act, which allows information to flow without restriction to credit bureaus, who then may only disclose a credit report for a ``permissible purpose'' as specified in the FCRA. Any further regulation of SSNs should follow this same model. With respect to the Gramm-Leach-Bliley Act, as discussed in the Commission's testimony, the GLBA Privacy Rule imposes certain restrictions on the disclosure of information collected by credit bureaus from financial institutions, including SSNs and other identifying information about consumers (sometimes called ``credit header'' information). Prior to the GLBA's passage in 1999, the disclosure of this information was not regulated under Federal law (including the Fair Credit Reporting Act, which generally does not cover identifying information). Although I was not at the Commission when the GLBA Privacy Rule was enacted, it was likely anticipated that the disclosure of SSNs would be restricted under GLBA to a greater extent than existed prior to its passage. At the same time, it was recognized that GLBA did not place comprehensive restrictions on the sharing of SSNs. For example, GLBA covers only nonpublic personal information obtained from financial institutions, and is not retroactive (and therefore does not limit the sharing of information, including SSNs, that were collected prior to July 1, 2001). With certain exceptions, such as for credit reporting, fraud prevention, and law enforcement, GLBA prohibits sharing of information to nonaffiliated third parties unless the consumer has been given a chance to ``opt out.'' The Privacy Rule prohibits redisclosure of information received under an exception for purposes other than to carry out the activity covered by the exception. In practice, it appears that credit bureaus are redisclosing credit header information--including SSNs--for credit reporting purposes as well as for other purposes listed under certain GLBA exceptions, such as fraud prevention or law enforcement. See 16 C.F.R. 313.14-.15 (2000). In my view, the Rule seems to assume that information will be disclosed for one purpose, but nothing in the rule expressly prohibits sharing information for more than one purpose, and it is unclear whether there is a statutory basis for such a prohibition. This broader interpretation has the result in many cases of furthering important policy goals, such as combating fraud, assisting law enforcement, ensuring public safety, and complying with judicial process. At the same time, it is important that the credit bureaus take care not to redisclose credit header information beyond the bounds of the GLBA exceptions. Question: Do you agree with Mr. Fred Cate's interpretation of the FTC-sponsored Synovate survey's results, indicating the statistics prove commercial or public records are not the primary sources identity thieves use to obtain SSNs? Answer: The Synovate survey indicated that the largest category of identity-related crimes within the preceding year involved the misuse of existing credit cards, which most likely can be committed without the victim's SSN. In those crimes where it is more likely that SSNs are used, such as when new accounts are opened or other frauds committed in the victim's name, it is difficult for victims of identity theft to know exactly when, where, how and by whom their personal information was compromised. Thus, the survey found that only 34 percent of victims who had new accounts opened in their name or whose information was used to commit other frauds (``Victims of New Accounts & Other Frauds' ID Theft'') knew who had misused their personal information. Of these 34 percent who knew the identity of the thief, 53 percent said it was a family Member or relative; 12 percent said it was someone who worked at a company or financial institution who had access to the victim's personal information; and 10 percent of victims who could identify the culprit said it was a friend, neighbor, or in-home employee. Further, the survey found that 58 percent of all victims of ``New Accounts & Other Frauds'' ID Theft indicated they knew how the identity thief obtained their personal information. Of that 58 percent, about 35 percent said their information was lost or stolen; 19 percent of those said their personal information was obtained during a transaction, such as a purchase; and 46 percent of those who knew how the information was obtained said the thief used ``other'' means of access (e.g., access via a family Member or from printed checks or bills. Not surprisingly, it is difficult to assess from these findings how and from where SSNs are obtained. Some of the information may have come from commercial records, or when the thief works for a company with the information, or in the course of a transaction. The survey results do not identify public records as a major source of information, but it is important to keep in mind that about 40 percent of victims of the most serious form of identity theft, the opening of new accounts, simply do not know how the thief obtained the information. Thus, the survey does not allow us to draw firm conclusions about the sources of SSNs for identity thieves. Question: The Salt Lake Tribune reported this month that identity thieves are increasingly using their own names and somebody else's SSN to obtain credit. Can you confirm this? If yes, how could it happen? Don't credit bureaus check to see whether an individual's name and SSN match and refuse credit if it doesn't? The article also mentioned that if the name and SSN do not match, the credit bureau creates a ``subfile.'' The subfile affects the victim's credit, but the victim cannot obtain a copy of the subfile when they request a copy of their credit report, so they cannot clear up the identity theft. Is this true? Answer: The FTC staff is currently attempting to gain a fuller understanding of the facts and circumstances underlying the article's allegations. To that end, FTC staff is following up with the government officials mentioned in the article to learn more about this issue. We have no information on the prevalence of this type of identity theft or whether it is increasing. The article does not disclose, and it may not be possible to determine, how the illegally used SSNs were obtained. With respect to the types of information used by credit reporting agencies in their matching processes and information provided to creditors and consumers, Nation requires the FTC to study the methods and efficacy of credit reporting agency efforts in matching information to ensure that a consumer is the correct individual to whom a consumer report relates before releasing a consumer report to a user of that report. See Pub. L. No. 108-396, 318 (2003). I anticipate that we will learn more about this issue in the course of our work on this study, which is to be completed by December, 2004. At this time, we do not know of any way that a ``subfile'' could impact a consumer's credit report or credit score without also being disclosed to the consumer upon request. Question: This Subcommittee has heard from a number of victims of identity theft. A common, and frustrating, theme is that after individuals discover the theft and report it to credit bureaus and financial institutions, they continue to be victimized by identity theft. How can this continue to occur, given the anti-fraud programs the industry cites? In your judgment, is the private sector doing enough to combat identity theft and assist its victims? Are there more effective ways to assist victims of identity theft to correct their credit histories? Answer: Victims of identity theft often must navigate through various bureaucratic procedures to recover from the crime. Nation has established a number of measures designed to simplify this process and reduce the incidence of identity theft. Identity theft account blocking will give victims certain rights to ensure that fraudulent information gets removed promptly from their credit reports, thereby preventing distortion of their credit records. Creditors or other businesses must give victims copies of applications and business records relating to the theft of their identity, which can assist victims in proving that they are, in fact, victims. Other measures are designed to prevent or mitigate identity theft. The national fraud alert system will require creditors to take certain steps to verify the identities of consumers who have placed fraud alerts on their consumer reports before granting credit in the consumer's name. By means of the ``Red Flag'' rulemaking, financial institutions and creditors will have to analyze identity theft patterns and practices so that they can take appropriate action to prevent the crime. The Disposal of Consumer Report Information and Records rule will help to ensure that sensitive consumer information derived from consumer reports, including Social Security numbers, is disposed of properly. We expect that these provisions should significantly improve victims' ability to recover from their identity theft with a minimum of trouble and help to reduce the occurrence of identity theft. It should be noted that the majority of these provisions will not take effect until December 1, 2004. At that time, we will be able to begin assessing their impact. Generally, the private sector has been responsive in addressing particular problems in the system that can facilitate identity theft as those problems come to light. Combating this crime requires an ongoing effort by both the public and private sectors to identify new vulnerabilities and to implement new measures to protect thieves from exploiting them. Question: If a private entity--for example, a consumer reporting agency, health care organization, or information reseller--has an individual's SSN in its possession, and this information is used in an identity theft or fraud, should that entity be held strictly liable for any harm done? Please comment on the advantages or disadvantages of this idea, as well as its feasibility and potential effectiveness in combating identity theft. Answer: As demonstrated by the Synovate survey (see Q. 2 above), it is not often evident to victims how identity thieves obtain SSNs. Thus, a strict liability standard may not be the most appropriate means of curbing misuse of SSNs. A number of Federal laws mandate significant information security practices, which can protect SSNs from improper disclosure and use. Among these laws, the FCRA requires that consumer reporting agencies not disseminate consumer reports to entities unless they meet a statutorily permissible purpose to use the report. Nation amendments also require anyone with consumer information derived from consumer reports to dispose of that information properly. GLBA requires that financial institutions develop a program for taking reasonable steps to protect sensitive customer information and ensure that the program evolves to keep pace with new fraud trends. HIPAA and the Driver's Privacy Protection Act also require protection of sensitive information. I appreciate that certain entities or consumers are not covered by these laws (e.g., retail customers, employers). The Commission, however, can and has brought enforcement actions for security breaches or potential security breaches under section 5 of the FTC Act (i.e., In the matter of Guess?, Inc. and Guess.com, Inc., http://www.ftc.gov/os/2003/06/guessagree.htm and In the matter of Microsoft Corp., http://www.ftc.gov/os/2002/12/microsoftdecision.pdf). Questions from Chairman E. Clay Shaw, Jr. to Mr. Patrick O'Carroll Question: You mentioned that one terrorist suspect in a case your agents helped investigate had two Social Security cards in his possession at the time of his arrest. Were they SSNs he obtained from the SSA using fraudulent documentation? Were they fake SSN cards? Were they cards he obtained or stole from somebody else? Answer: At the time of his arrest, the subject had two genuine Social Security cards in his possession; one belonged to the subject, and the other belonged to the brother of the subject. The investigation revealed that both individuals were born in the United States. The SSNs/cards were legitimately obtained from SSA, and both the subject and his brother were properly enumerated. Question: Are there other provisions you recommend for inclusion in the Social Security Number Privacy and Identity Theft Prevention Act of 2003, H.R. 2971, to further prevent terrorists from obtaining or using SSNs to abet their heinous crimes? Answer: We recommend reviewing the implications of releasing information on deceased individuals and also recommend examining the potential for increased protection of this information. The SSA should be permitted to cross-verify Social Security numbers against government and private databases to identify and fix inaccuracies which would limit the spread of false identification and SSN misuse. We also encourage more data matching opportunities under longer term agreements, some of which may require a change in the current legislation. Question: You mentioned a couple of cases where SSNs were fraudulently obtained for nonexistent children. How did this happen? Answer: The one case mentioned involved an elaborate conspiracy that included one man and eleven women. The women would visit Chicago and surrounding suburban area Social Security offices to apply for Social Security numbers for their supposedly newborn children. These individuals applied for the SSNs using counterfeit Illinois birth certificates, Department of Health immunization records and bogus employment identifications provided to them by the ringleader. The names used on all the Social Security applications belonged to undocumented Nigerian citizens who paid the ringleader up to $5,000 each for a valid Social Security number, Illinois driver's license and U.S. Passport. The suspects would then visit local Social Security offices a month or two later with a second counterfeit Illinois birth certificate and their new identification to request a correction of their date of birth on Social Security records. Question: Are the provisions in H.R. 2971 that your office recommended, which would require independent verification of all birth documents and improvements in the enumeration-at-birth process, sufficient to help prevent this from happening? Answer: We believe that provisions 201 and 202 of HR 2971 will reduce the ease with which criminals may fraudulently obtain SSNs for non-existent children. A recent audit and numerous investigations indicate that because SSA does not verify birth records for children under the age of 1, criminals have inappropriately obtained SSNs for nonexistent children using invalid birth records. Accordingly, we recommended that the Agency close this loophole by verifying the authenticity of birth records presented by all U.S. citizens applying for original SSNs. We are currently awaiting the Agency's response to our recommendation. However, we commend the Subcommittee for taking proactive measures by including provision 201 in the proposed legislation--making it essential that SSA ensure the legitimacy of birth records submitted with original SSN applications. Regarding section 202 of HR 2971, related to SSA's enumeration at birth program, we support the Committee's proposal that SSA tighten controls within this program. While our 2001 report Audit of the Enumeration at Birth Program (A-08-00-10047) concluded that generally the program was providing accurate and reliable data for SSA's enumeration of newborns, we recommended that the Agency implement additional controls to prevent those with criminal motives from submitting SSN applications for nonexistent children. The Agency has explored this idea and taken some action on our recommendations. However, we believe the provisions outlined in section 202 of the Social Security Number Privacy and Identity Theft Prevention Act of 2003 would provide further incentive for the Agency and participating hospitals and States to implement our proposed corrective actions. Question: You mentioned a case involving fraudulent acquisition of SSNs for unauthorized immigrants. Do you know what the unauthorized immigrants were doing with the fraudulently obtained SSNs? You stated the penalty some members of the scheme received was 2 years in prison. Answer: Actually, certain subjects in the case mentioned above (Question 2) were given 2 year sentences. Other subjects in this case, who conspired to traffic in unauthorized immigrants, were sentenced as much as 71 months in prison. The fraudulent SSNs that were received by illegal immigrants were used to obtain employment, as well as for obtaining driver's licenses, credit cards, mortgage loans, and so forth. Question: You have recommended new and enhanced penalties for fraudulently obtaining SSNs or SSN misuse which we have included in H.R. 2971. Are there others that are needed? Answer: The OIG supports SSA's proposal requesting that the United States Sentencing Commission review and amend Federal sentencing guidelines to provide an appropriate penalty for any offense under sections 208, 811, or 1632 of the Social Security Act or any offense under 18 USC 1001 with respect to the Social Security, Special Veterans' Benefits, and the Supplemental Security Income programs. A primary purpose of sentencing guidelines is to reduce the disparity in sentencing between defendants who commit similar crimes. section 304 of H.R. 2971 proposes to amend sections 208, 811, and 1632 in order to obtain enhanced penalties, in cases of terrorism, drug trafficking, crimes of violence, or prior offenses, but it does not specifically direct the U.S. Sentencing Commission to consider amending Federal sentencing guidelines regarding these sections. In addition, the inclusion of the increased the penalties imposed for SSA employees who are convicted of selling SSNs will be a good deterrent in this area. Question: You stated that you support cross-verification of SSNs through both governmental and private sector systems of records to identify and address inaccuracies. You said that all law enforcement agencies should be provided the same SSN verification services granted to employers. What does the SSA say regarding the proposal? Answer: The SSA has not yet officially responded to this OIG proposal, and therefore we will defer to SSA to present its position. Question: Why isn't information available from financial institutions, credit bureaus, and information resellers sufficient to prevent cases like the fraudulent home loan case you mentioned? Answer: Although we believe that representatives from financial institutions, credit bureaus and information resellers may be in a better position to respond to this question, we will provide the Committee with one possible reason if their information is not sufficient to prevent cases like the fraudulent home loan incident. Specifically, most of these organizations currently do not have the ability to verify the accuracy of customer SSNs and names with SSA, the actual issuer of the number. Historically, the Agency has limited its verification services to employers. Over the past several years, our organization has been a strong proponent of expanding SSA's authority to perform cross verifications service. Because the SSN has become a national identifier, we firmly believe that if the number is to be used as such, users should have correct information. For example, the Department of Housing and Urban Development had the ability to verify the name of SSN of the loan applicant, it would have discovered that an individual was using an incorrect SSN (one belonging to someone else) to obtain the loan. Question: One of the witnesses at the hearing, Mr. Fred Cate, said that if we limit sale, purchase, and display of SSNs that it will affect the availability and reliability of data for law enforcement and other vital purposes. Do you agree or disagree, and why? Answer: We believe there are alternative and reliable sources of data involving SSNs for law enforcement. For example, there are legal provisions that allow the sharing of SSN information among law enforcement agencies in appropriate circumstances. In addition, H.R. 2971 makes appropriate exceptions for law enforcement officials in the provisions that prohibit the sale, purchase or display to the general public of SSNs. Question: If a private entity--for example, a consumer reporting agency, health care organization, or information reseller--has an individual's SSN in its possession, and this information is used in an identity theft or fraud, should that entity be held strictly liable for any harm done? Please comment on the advantages or disadvantages of this idea, as well as its feasibility and potential effectiveness in combating identity theft. Answer: The concept of strict liability would confer liability on the consumer reporting agency, health care organization, or information reseller not based on actual negligence or intent to harm, but instead on the breach of an absolute duty to protect SSNs in its possession. This strict liability would benefit fraud victims. With the risk of this increased liability, there would likely be more motivations for these organizations to better protect SSNs. At the same time, the adoption of strict liability may be criticized by private industry for not considering the intent of these organizations or whether these organizations acted negligently. This hypothetical illustrates the need for H.R. 2971 for those organizations not exempt from the H.R. 2971 limitations, such as the private resellers of information. The H.R. 2971 approach would limit the availability of SSNs to such entities, thus reducing the likelihood of their fraudulent use. A more feasible alternative might be the creation of a private cause of action on the part of victims against an individual or organization that did not exercise due diligence in the handling of their personal information. Questions from Chairman E. Clay Shaw, Jr. to Ms. Barbara Bovbjerg Question: You mentioned during your testimony that monitoring of the day-to-day release of information under the restrictions imposed by the Gramm-Leach-Bliley Act (GLBA) is essentially an ``honor system.'' Could you elaborate on how it works? What is known about the degree to which businesses comply with the privacy requirements under the GLBA? Answer: In my testimony, I observed that generally Federal laws have controlled the use and disclosure of the SSN in specific industries, but that secondary disclosure by clients of these firms is generally not closely monitored. GLBA is one of the laws that restrict disclosure and is illustrative of the point that businesses that are indirectly governed by these privacy laws are expected to adhere to them, but are not necessarily monitored for compliance. For example, GLBA restrictions apply to institutions that are considered to be financial institutions under GLBA, which covers a broad range of financial institutions. In addition, entities that receive consumers' financial information from a financial institution under GLBA are also subjected to GLBA's restrictions. However, companies such as some information resellers that fall outside of the purview of Federal regulators may or may not adhere to GLBA. However, Federal regulators enforcing GLBA compliance are not required to monitor entities that are not directly under their jurisdiction. In our work for this Subcommittee, we found that some CRAs consider themselves to be financial institutions under GLBA. These entities are therefore directly governed by GLBA's restrictions on disclosing nonpublic personal information to non-affiliated third parties. We also found that some of the information resellers we spoke to did not consider their companies to be financial institutions under GLBA. However, because they have financial institutions as their business clients, they complied with GLBA's provisions in order to better serve their clients and ensure that their clients are in accordance with GLBA. FTC staff told us that GLBA also includes certain broad exceptions that are unspecific. For example, FTC officials said that they receive many inquiries from CRAs and information resellers concerning the application of GLBA's exceptions, such as whether the exceptions apply to certain circumstances. As a result, FTC officials said it is difficult to determine how and whether certain entities, such as information resellers, are appropriately interpreting the exceptions. Question: You stated that court records are among those most often cited as containing SSNs in your survey on how government entities collect and store SSNs. Do you have any information on the percent containing SSNs because Federal, state, or local laws and regulations require them? Answer: We cannot accurately calculate such a percentage until we have complied and verified all survey data from our ongoing work on SSNs in public records. Our work will be completed in September 2004. Question: Some of the witnesses at the hearing asked for specific statutory exemptions from the restrictions contained in sections 101 and 107 of H.R. 2971, rather than relying on the Attorney General's regulatory authority provided in section 102. In your view, is the authority provided in the bill to the Attorney General sufficient to address these concerns? Answer: H.R. 2971 would give the Attorney General discretionary authority to determine which entities could be exempted from the prohibition of engaging in the sale, purchase, or display of SSNs to the general public. As written, the bill provides for flexibility in determining which if any entities would be exempted, and offers a means to address concerns with such a prohibition once the law is passed that might not have been envisioned at the time it was drafted. Such an approach seems designed to address changing circumstances rather than addressing existing concerns of specific entities. If present concerns are deemed valid, the only way to assure that those concerns are addressed is to write them into the bill prior to passage, although such exemptions would still be subject to interpretation by courts. Question: A witness representing the National Council of Investigation and Security Services requested the deletion of section 108 of H.R. 2971, citing the usefulness of credit headers in locating witnesses, criminal suspects, estate beneficiaries, and others. What other sources of information could be used to locate such persons if section 108 of H.R. 2971 were enacted into law? Answer: Credit header information matches a persons' identifying information to their address, which is useful for purposes such as locating individuals. However, information is clearly available from other sources as well. Our current work shows that identifying information, such as name, addresses, and SSNs, can be found in public records and other publicly available information such as newspapers. In addition, entities willing to pay a fee can purchase such data from information resellers who specialize in amassing personal information. Question: If a private entity--for example, a consumer reporting agency, health care organization, or information reseller--has an individual's SSN in its possession, and this information is used Answer: Currently, identity theft victims are fully responsible for correcting problems caused by identity thieves. For example, victims must contact the major CRAs to have a fraud alert placed on their credit, file a report with the appropriate law enforcement entities, and if credit card misuse is involved they must report the misuse to their credit card company. Although private sector entities and the FTC have worked to lessen the burden on identity theft victims, identity theft victims can spend an average of 60 hours trying to resolve their problems. Results from a recent FTC survey show that identity theft victims feel that the financial community could do more to help resolve their problems. Many identity theft victims reported that improved follow-up and assistance by the financial community, as they attempted to repair their records, would be beneficial. Identity theft victims also reported that financial institutions, including CRAs, could make greater efforts to monitor consumers' account activity and notify them when unusual transactions occur. They also reported some degrees of dissatisfaction with the way CRA's and credit card companies have handled their identity theft related reports. For example, 31% of victims were dissatisfied with all of the CRAs they contacted while 18% were dissatisfied with all of the credit card companies to whom they reported misuse of their credit cards. CRAs, credit card companies and others are in a unique position to help identity theft victims resolve their problems. To the extent that these companies are made liable for losses, it is likely that more actions will be taken to protect SSNs and other personal information companies maintain. However, the benefits of assigning such liability to these companies must be balanced against the difficulty that these companies are likely to have in monitoring millions of individuals' accounts. In addition, holding companies responsible for identity theft victims' financial losses may not reduce the amount of time these victims spend trying to resolve their problems. Questions from Chairman E. Clay Shaw, Jr. to Mr. Lawerance Maxwell Question: You mentioned the Financial Industry Mail Security Initiative (FIMSI). Could you elaborate on who participates in the working group and the recommendations specifically made with regard to preventing use of SSNs? Why did the group believe a recommendation specifically dealing with SSNs was necessary? Answer: The U.S. Postal Inspection Service sponsored the Credit Card Mail Security Initiative starting in 1993 in response to a dramatic spike in the theft of credit cards. Representatives from the credit card and retail Industries attended these meetings which were held on a quarterly basis in WashingtonDC. The Postal Inspection Service decided in 2003 to expand the focus of the meetings to include presentations on money laundering, Internet fraud and bank fraud schemes. The attendee list was expanded to include both state and Federal prosecutors, investigators from local banks and credit unions, Federal and state law enforcement. Working groups include the Non Received Credit Card Working Group, the Bust-Outs Working Group, the Bank Fraud Working Group, and the Identity Theft Working Group. This new expanded group meets on a semi-annual basis. One of the more noteworthy accomplishments stemming from the credit card initiative was the credit card activation ``800'' number which has become an industry standard for security. The Identity Theft Working Group made recommendations dealing specifically with social security numbers (SSN's) in their consumer awareness campaign. Since the SSN is used as a personal identifier, it is the key piece of information needed to conducting Identity Theft. These recommendations included memorizing your SSN and passwords rather than carrying the cards with you; and, if possible, do not use your SSN as your identifying number on your driver's license. Question: You mentioned cases involving rings of identity thieves, who obtained lists with the victims' names, dates of birth, SSNs, and other information. How easy would it be for these criminals to steal an individual's identity without the SSN? Answer: The SSN is currently used as a personal identifier; this was never the intent when it was created. Without the SSN it would be much more difficult to take over an individual's identity. They would not be able to access or open financial accounts, instant credit accounts, or even cellular telephone accounts. The SSN is the key component to access and individuals credit history. Questions from Chairman E. Clay Shaw, Jr. to Mr. Mark Ladd Question: You mentioned the Property Records Industry Association's participation in the Records Access Policy Advisory Committee. What recommendations do you anticipate the Committee will make with respect to access to SSNs in public records? Answer: The final four points outlined in the written testimony that we submitted comprise our recommendations to date. I do not anticipate any major changes in these recommendations. Question: You suggested that the legislation be effective on a ``day-forward-basis.'' This recommendation has been made before and was incorporated into the current bill's language, which establishes a timeframe of 2 years from the date of enactment for those who maintain public records to comply with the law. Is this enough time? Answer: If documents that are on file with our office prior to the effective date of this legislation can be posted on our websites, even if they contain SSNs, then 2 years is more than enough time for compliance. Under this scenario, three to 6 months would be a sufficient grace period. If, however, records that are already on file with our offices must have SSNs removed before they can be posted on our websites, then no length of time will suffice for most counties. A few large counties may be able to afford the cost of compliance, but most will not. Only documents presented after the effective date of this legislation could be posted on county websites under this scenario. Question: You suggested giving public record keepers the authority to prohibit the filing of documents with SSNs, without requiring them to do so. Why is this important in your view, and would public records keepers implement such authority? Answer: As I noted in my written and oral testimony, the shear volume of documents and the number of pages involved make prescriptive rejection authority extremely difficult to manage. However, permissive authority provides land records custodians the necessary tool to help protect the privacy concerns of the public if we discover a SSN included in a document during our normal review process. Our members object to rejection authority being prescriptive, as do our commercial customers (title companies, abstract companies and attorneys). However, permissive authority empowers us to assist the public in protecting their privacy concerns without placing an impossible task on our shoulders. It is my belief that most land records custodians would utilize permissive authority to protect the interests of their constituents. Question: You said that given the hundreds of thousands of pages of documents a jurisdiction may receive in a year, and that the SSN could be placed anywhere on a document submitted by the parties involved, that responsibility for SSN removal is more properly placed on document preparers and individual customers. If the bill were modified so that public record keepers were required to remove the SSN on forms they require (or block it from display if it is collected), but the responsibility and liability for removing SSNs on all other materials submitted to the court rested on those who file the papers, would that enable you to support this bill? Answer: Your proposal on this point is the most workable compromise that I have heard between agencies that require the SSN of necessity (such as the Court Administrators testified) and those of us who receive the SSN without any desire or necessity for it. Court Administrators who require SSNs could likely adopt rules regarding how documents are constructed that would make day-forward redaction manageable. By specifying a predetermined location that SSNs are listed in documents, they could reduce the effort required to redact. On the other hand, the burden to remove SSNs from documents that do not require them is correctly placed on document drafters. I think PRIA members would support this proposal. Questions from Chairman E. Clay Shaw, Jr. to Mr. Jay Hoofnagle and Mr. Edmund Mierzwinski Question: Do you agree with Mr. Cate's statement at the hearing that knowing a Social Security number alone does not get an individual credit and that it is merely a quick way of locating reliable information about an individual that can be used to verify identity? Answer: Mr. Cate's statement perfectly illustrates the problem of the Social Security Number (SSN)--it is used both as an identifier and as an authenticator. That is, some businesses use it as a record locator, a master identifier to associate and reference records. Other businesses use it for authentication, a process where a person proves he is who he says he is. Serious security problems are raised in any system where a single device is used both as identifier and authenticator.\1\ It is not unlike using a password identical to a user name for signing into e-mail. Or like a bank routinely using the SSN as an account number and the last four digits of the SSN as a PIN for its automated teller machines. --------------------------------------------------------------------------- \1\ The driver's license is used as both identifier and authenticator, but it is a superior device because it includes a picture, address, signature, and basic physical information. It expires regularly and must also be renewed. A SSN lacks any of these additional features; see also Lynn M. LoPucki, Human Identification Theory and the Identity Theft Problemem, 80 Tex. L. Rev. 89, 100 (November 2001) (``In particular, Social Security numbers and mothers' maiden names are inherently poor passwords because they are widely known and difficult to change. Knowledge of a Social Security number supports only a weak inference that the knower is the person to whom that Social Security number was assigned.''). --------------------------------------------------------------------------- It is because the SSN is used as both identifier and authenticator that identity theft has increased in incidence and prevalence. Because the SSN is relied upon so heavily by business, it is the personal identifier that impostors seek in order to commit crime. Congress' goal in addressing identity theft and privacy should seek to limit availability of the SSN generally and to induce businesses to rely upon alternative identifiers. Question: Mr. Cate said that for data to be reliable, businesses and others must have been permitted to use SSNs all along, and that national security and law enforcement uses of SSNs frequently involve access to routine, innocuous data. Do you agree or disagree that prohibiting sale, purchase, and display of SSNs for unnecessary purposes would jeopardize use of SSNs for critical purposes? Answer: We disagree with the proposition that businesses have been permitted to use the SSN. While Congress has approved government uses of the SSN, the identifier has never been approved for general private- sector use. Restricting the sale, purchase, and display of SSNs for unnecessary purposes preserves their utility for more critical purposes while decreasing opportunities for imposters to obtain identities to hide behind. Additionally, maintenance of dual identifiers, or transitions away from SSNs as identifiers, is a very feasible and desirable goal as demonstrated by Empire Blue Cross's transition (4.8M customers), and existing requirements in many states prohibiting use of SSNs for student, driver, and other identifiers. We also contest the notion that government uses of the SSNs frequently involve access to routine, innocuous data. The SSN plays an unparalleled role in aggregation of information, and thus information once thought to be innocuous can take on greater significance. For instance, a document EPIC obtained under the Freedom of Information Act from the United States Marshals Service highlights the amount of information that can be aggregated around identifiers: With as little as a first name or a partial address, you can obtain a comprehensive personal profile in minutes. The profile includes personal identifying information (name, alias name, date of birth, Social Security number), all known addresses, drivers license information, vehicle information. . . . telephone numbers, corporations, business affiliations, aircraft, boats, assets, professional licenses, concealed weapons permits, liens, judgments, lawsuits, marriages, worker compensation claims, etc.\2\ --------------------------------------------------------------------------- \2\ Sole Source Justification for Autotrack (Database Technologies) (n.d.) (document obtained from the USMS), available at http://epic.org/ privacy/choicepoint/cpusms7.30.02j.pdf; see also Chris Jay Hoofnagle, Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect and Package Your Data for Law Enforcement, 29 N.C.J. Int'l L. & Com. Reg. 595 (Summer 2004). --------------------------------------------------------------------------- In many cases, collection of the SSN is not necessary, and Congress should act swiftly to curb these uses of the SSN. In January 2002, a statewide grand jury empanelled by the Florida Supreme Court found in its first report that: We have identified that the government and business take in much more information than necessary to conduct business. For example health clubs require members to disclose their Social Security numbers on applications for membership; video rental stores ask for social security numbers on applications; and life insurance companies ask for social security numbers of beneficiaries; local governments ask for Social Security numbers on routine transactions. We were distressed to learn from the Interim Project Report by the Committee on State Administration and Committee on Information Technology that 96.3% of state agencies do not even have a written policy relating to the collection of Social Security numbers. This same report indicates that 63% of these agencies disclose Social Security numbers on some public record requests. Medical service providers and insurance companies routinely substitute Social Security numbers for patient or policy numbers, unnecessarily exposing this sensitive information to scrutiny on such documents as health and insurance cards. Unsecured mailboxes and trash containers provide thieves with easy access to this personal information.\3\ --------------------------------------------------------------------------- \3\ Identity Theft in Florida, First Interim Report of the Sixteenth statewide Grand Jury, SC 01-1095 (Fla. Jan. 2002), available at http://myfloridalegal.com/pages.nsf/ 4492d797dc0bd92f85256cb80055fb97/758eb848bc624a0385256cca0059f9dd!OpenDo cument. --------------------------------------------------------------------------- The body found that personal information was being collected by government entities and disseminated in public records. It recommended that State law be amended to require consent of the citizen, a court order, or a compelling need before identifying information of citizens was included in the public record. It also found that the ``public and private sectors routinely use and rely on the consumer's Social Security number for use as an identifier and an account number.'' The body recommended that the State legislature ``prohibit the use of Social Security numbers for independently generated identifiers to track customers, patients, policies, and so forth., unless required by law.''\4\ --------------------------------------------------------------------------- \4\ Id. --------------------------------------------------------------------------- Finally, we note that Mr. Cate's previous testimony supports limits on government collection of personal information.\5\ In testimony to the House Energy and Commerce Subcommittee on Consumer Protection, Mr. Cate wrote: --------------------------------------------------------------------------- \5\ Hearing on Privacy in the Commercial World, Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection, U.S. House of Representatives, Washington, D.C., Mar. 1, 2001 (statement of Fred Cate), at http://www.law.indiana.edu/directory/ publications/fcate/cate010301.pdf. --------------------------------------------------------------------------- The government plays many critical roles in helping to protect individual privacy. One of the most important responsibilities of the government is assuring that its own house is in order. Only the government has the power to compel disclosure of personal information and only the government operates free from market competition and consumer preferences. As a result, the government has special obligations to ensure that it complies with the laws applicable to it; collects no more information than necessary from and about its citizens; employs consistent, prominent information policies through public agencies; and protects against unauthorized access to citizens' personal information by government employees and contractors. Similarly, there are many steps that only the government can take to protect citizens against privacy-related harms, such as identity theft: Make government-issued forms for identification harder to obtain; make the promise of centralized reporting of identity thefts a reality; make it easier to correct judicial and criminal records and to remove permanently from one individual's record references to acts committed by an identity thief. The government alone has this power. We agree that a large part of protecting privacy in the context of SSNs involves the government reducing the collection and disclosure of personal information. H.R. 2971 has many provisions that would promote these goals. Question: Some of the witnesses at the hearing asked for specific statutory exemptions from the restrictions contained in sections 101 and 107 of H.R. 2971, rather than relying on the Attorney General's regulatory authority provided in section 102. In your view, is the authority provided in the bill to the Attorney General sufficient to address these concerns? Answer: The authority provided to the Attorney General is sufficient, provided that the asked-for exceptions satisfy the statutory standard requiring a compelling interest that cannot be served through the employment of alternative measures. We think that this standard has enough flexibility to address legitimate needs for the SSN while avoiding the codification of exceptions. If exceptions are codified, it is unlikely that qualifying industries will ever transition to alternative identifiers. We therefore suggest that all exceptions sunset after a given number of years to encourage a transition to alternative identifiers. Question: This Subcommittee has heard from a number of victims of identity theft. A common, and frustrating, theme is that after individuals discover the theft and report it to credit bureaus and financial institutions, they continue to be victimized by identity theft. How can this continue to occur, given the anti-fraud programs the industry cites? In your judgment, is the private sector doing enough to combat identity theft and assist its victims? Are there more effective ways to assist victims of identity theft to correct their credit histories? Answer: We think that creditors, in order to obtain new accounts and compete vigorously, are employing lax identification and authentication procedures that make identity theft easy to commit.\6\ In a typical scenario, an impostor will gather personal information of the victim and apply repeatedly for credit until they get a ``hit.'' Impostors can rely upon a creditor's alacrity to open new accounts in victims' names. --------------------------------------------------------------------------- \6\ See e.g., Jeff Sovern, The Jewel Of Their Souls: Preventing Identity Theft Through Loss Allocation Rules, 24 U. Pitt. L. Rev. 343, 358 (Winter 2003) (arguing that ``[g]reater vigilance on the part of the merchants involved would have prevented many identity frauds''). --------------------------------------------------------------------------- In passing the Fair Credit Reporting Act in 1970, one of Congress' prime goals was to place fairness and privacy duties on credit reporting agencies (CRAs). This was necessary because competition did not produce competent or even decent credit reporting activities.\7\ CRAs were not subject to adequate market pressure to ensure accuracy and fairness because the customers of CRAs are creditors, not individual members of the public. Congress thus created duties on the CRAs, users of credit reports, and furnishers of personal information. Those duties are now inadequate. For instance, under the FCRA, credit reporting agencies only are required to ``maintain reasonable procedures designed'' to prevent unauthorized release of consumer information.\8\ In practice, this means that credit reporting agencies must take some action to ensure that individuals with access to credit information use it only for permissible purposes enumerated in the Act. The FTC Commentary on the FCRA specifies that this standard can be met in some circumstances with a blanket certification from credit issuers that they will use reports legally.\9\ --------------------------------------------------------------------------- \7\ Robert Ellis Smith, Ben Franklin's Web Site, Privacy and Curiosity from Plymouth Rock to the Internet (Privacy Journal, 2000). \8\ 15 U.S.C. 1681e(a). \9\ The FTC is statutorily barred from promulgating regulations on the FCRA. 15 U.S.C. 1681s(a)(4). The agency issues a non-binding commentary on the Act. Credit, Trade Practices, 16 CFR 600, 607 (1995). --------------------------------------------------------------------------- This certification standard is too weak. It allows a vast network of companies to gain access to credit reports with little oversight. It treats credit issuers and other users of credit reports as trusted insiders, and their use of credit reports and ultimate extension of credit as legitimate. Even where fraud is suspected, creditors only have minimal authentication duties. Once the individual does suspect wrongdoing and triggers an alert, new protections in the Fair and Accurate Credit Transactions Act (FACTA) require that creditors use ``reasonable policies and procedures to form a reasonable belief that the user [creditor] knows the identity of the person making the request.''\10\ It is somewhat troubling that a tradeline can be extended without at least ``reasonable policies and procedures'' to verify the credit applicant's identity. It seems only reasonable that such protections be in place by default, rather than when fraud is actually expected. --------------------------------------------------------------------------- \10\ Pub. L. No. 108-159 112 (h)(1)(b)(i). FACTA amended the Fair Credit Reporting Act, 15 U.S.C. 1681. --------------------------------------------------------------------------- We think that more accountability could be encouraged in this area if creditors were held liable to victims for extending credit to impostors. However, courts have been reluctant to recognize a right of action for negligent extension of credit. Most recently, the South Carolina Supreme Court rejected the tort of ``negligent enablement of imposter fraud.''\11\ In that case, the plaintiff identity theft victim alleged that banks owe a duty to identity theft victims when they negligently extend credit in their name. The defendants argued that no such duty existed because the victim was not actually a customer of the bank. Focusing on the requirement that an actual relationship exist between victim and tortfeasor before a legal duty arises, the court rejected the proposed cause of action: --------------------------------------------------------------------------- \11\ Huggins v. Citibank, 585 S.E.2d 275 (S.C. 2003). --------------------------------------------------------------------------- ``We are greatly concerned about the rampant growth of identity theft and financial fraud in this country. Moreover, we are certain that some identity theft could be prevented if credit card issuers carefully scrutinized credit card applications. Nevertheless, we-- decline to recognize a legal duty of care between credit card issuers and those individuals whose identities may be stolen. The relationship, if any, between credit card issuers and potential victims of identity theft is far too attenuated to rise to the level of a duty between them.\12\ --------------------------------------------------------------------------- \12\ Id. at 334. --------------------------------------------------------------------------- Congress could assist victims greatly by creating an enforceable duty so that creditors were more responsible with victims' credit. Question: We have heard a recommendation that Congress consider creating a nationwide system of cross-verification of SSNs among public agencies and private businesses. What is your view of this recommendation? Are there other ways to increase the security and integrity of the SSN that would not unnecessarily compromise privacy? Answer: In passing the Privacy Act 1974, Congress was specifically reacting to and rejecting calls for the creation of a similar idea, a one-stop ``federal data center'' for personal information. A 1977 report issued as a result of the Privacy Act highlighted the dangers and transfers of power from individuals to the government that occur with centralization of personal information: In a larger context, Americans must also be concerned about the long-term effect recordkeeping practices can have not only on relationships between individuals and organizations, but also on the balance of power between government and the rest of society. Accumulations of information about individuals tend to enhance authority by making it easier for authority to reach individuals directly. Thus, growth in society's recordkeeping capability poses the risk that existing power balances will be upset.\13\ --------------------------------------------------------------------------- \13\ Privacy Prot. Study Comm'n, Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission (1977), available at http://www.epic.org/privacy/ppsc1977report/c1.htm. --------------------------------------------------------------------------- Creation of a nationwide system of SSN verification across public agencies and private businesses will upset balances of power described in the 1977 report and reduce individuals' autonomy from both government and commercial entities. Promoting the use of the SSN also hardens the number as a de facto national identifier. The creation of a national ID runs counter to public sentiment and recent congressional action.\14\ --------------------------------------------------------------------------- \14\ For instance, the Department of Homeland Security is expressly prohibited from developing National ID systems. 6 USCS 554 (2004). --------------------------------------------------------------------------- This concern is not new; it was voiced at the creation of the SSN and has since been raised repeatedly. The SSN was created in 1936 for the sole purpose of accurately recording individual worker's contributions to the Social Security fund. The public and legislators were immediately suspicious and distrustful of this tracking system fearing that the SSN would quickly become a system containing vast amounts of personal information, such as race, religion and family history, that could be used by the government to track down and control the action of citizens. Public concern over the potential for abuse inherent in the SSN tracking system was so high, that in an effort to dispel public concern the first regulation issued by the Social Security Board declared that the SSN was for the exclusive use of the Social Security system. The use of the SSN as the means of tracking every encounter between an individual and the government will expand the treasure trove of information accessible to the unscrupulous individual who has gotten hold of another's SSN. The use of the SSN as the mandatory national identifier will facilitate linkage between various systems of governmental and private sector records further eroding individual privacy and heightening surveillance of each American's life. There are ways to strengthen integrity of the SSN without implicating privacy. For instance, the format of the SSN could be changed to include a ``checksum,'' a formula that allows one to immediately verify whether the number has a proper form. Credit card numbers already are issued in this fashion so that they cannot be guessed or faked easily. Question: A witness representing the National Council of Investigation and Security Services requested the deletion of section 108 of H.R. 2971, citing the usefulness of credit headers in locating witnesses, criminal suspects, estate beneficiaries, and others. Do you share this view? Are there other sources of information that could be used to locate such persons if section 108 of H.R. 2971 were enacted into law? Answer: Under H.R. 2971, credit headers could still be accessed by private investigators where they have a ``permissible purpose'' under the FCRA. The FCRA would allow access where the private investigator had a court order, where it is used for employment purposes, or where it is used for collection of an account. In the contexts listed above, it seems that a court order would be readily obtainable, thus satisfying the FCRA requirement, as location of witnesses, criminal suspects, and estate beneficiaries are all activities likely to occur within the context of a court action. As a fairness measure, the law would require the CRA to note on the credit report that the information had been accessed by the private investigator. We think that this is an appropriate standard for access to credit headers, which contain all the personal identifiers necessary for the commission of fraud or harassment. Investigators did exist before the credit header system was created. They are resourceful and can call upon different resources to obtain personal information. The current system, where a network of private investigators can obtain credit headers on any person, is unfair and privacy invasive. Individuals do not even receive notice that their personal information has been obtained under the current framework. Furthermore, in some states, private investigators are not even licensed to practice. In others, licensure is merely a pro forma activity. Serious accountability concerns are present, most notably exemplified by the Amy Boyer case, where private investigators used credit headers and pretexting to locate a young woman for a stalker who killed her.\15\ --------------------------------------------------------------------------- \15\ Electronic Privacy Information Center, Amy Boyer, available at http://www.epic.org/privacy/boyer/. --------------------------------------------------------------------------- We also suspect that the private investigators may be putting on ``their best face'' for maintaining access to credit headers. No one wants to impede the function of a private investigator when they are finding individuals in order to give them inheritance from an estate. We question what percentage of credit header access is performed for this function. If Congress chooses to maintain access, it should limit the purposes for which investigators can obtain credit headers. When access is obtained, a notation should be entered onto the credit report so that the individual can find out who has been purchasing access to their personal information. Question: One witness at the hearing testified that an FTC study on identity theft indicated that the SSN does not play a major role in identity theft. Do you agree with this interpretation of the study? Answer: We strongly disagree with the proposition advanced by Mr. Cate in oral and written testimony on June 15, 2004 that the Social Security Number (SSN) does not play a major role in identity theft. Common sense, the experience of identity theft clearinghouses, identity theft litigation, and the academic literature support the proposition that the SSN plays a primary role in identity theft. It is almost impossible to obtain credit without a SSN, making possession of the identifier a necessary condition for commission of identity theft. Under Federal law, states must collect SSNs in order to issue driver's licenses; therefore the identifier is always involved in cases where an impostor seeks credentials in a victim's name. Mr. Cate may be correct that the SSN is not a major factor in credit card fraud, but that form of identity theft is less serious from the victim's perspective, and legislative effort to prevent the crime should focus on impostors who obtain new accounts or credentials in the victim's name. This common-sense problem of SSN being linked to fraud was identified by a Florida statewide grand jury devoted to exploring problems of identity theft: One of the most valuable pieces of information that an identity thief is searching for is the Social Security number, because the American financial industry has placed great reliance on it as the primary means of identifying individuals. Universities identify students with it. Providers of medical care and insurance coverage use it to identify their patients and clients.\16\ --------------------------------------------------------------------------- \16\ Identity Theft in Florida, Second Interim Report of the Sixteenth statewide Grand Jury, SC 01-1095 (Fla. Nov. 2002), available at http://myfloridalegal.com/pages.nsf/ 4492d797dc0bd92f85256cb80055fb97/f6995a8304fb723685256cca0059975f!OpenDo cument. --------------------------------------------------------------------------- The Florida grand jury made strong recommendations for limiting disclosure and use of the SSN in order to address identity theft . . . the sale of Social Security numbers must be stopped. The Federal proposals must be adopted and Florida must continue its efforts to enforce the recently enacted laws that make social security numbers confidential within public records and prohibit its release. Florida must also continue to minimize the requests for Social Security numbers to be included on documents that will become public record, where the number is of little relevance to the government function.\17\ --------------------------------------------------------------------------- \17\ Id. --------------------------------------------------------------------------- The experience of the major identity theft clearinghouses point to the central role that the SSN plays in fraud. A visit to the Web site of the Privacy Rights Clearinghouse, a leading provider of direct assistance to identity theft victims, reveals a number of cases where SSNs were the key to fraud: It's just a number, a nine-digit sequence issued by the U.S. Government. Every American must have one. It becomes your identity for life. But most Americans take it for granted. I did--until my Social Security number, along with other personal information, fell into the wrong hands a couple of years ago. Since then, my number--my identity-- has been hijacked several times for use in stealing thousands of dollars in goods and cash. Each time, I'm left to sort out the mess-- Recently, I saw an entry blank for a drawing for a house. I stopped to look it over, but the instant I saw that the entry required disclosure of Social Security number, I threw it away. That number has become too precious.\18\ --------------------------------------------------------------------------- \18\ Kerry Hill, It All Starts with the SSN: Your Social Security Number Provides Avenue for Thieves, Wisconsin State Journal, Sept. 13, 1998, at 1B, available at http://privacyrights.org/cases/victim13.htm (accessed June 29, 2004). --------------------------------------------------------------------------- Individuals who serve in the military are at particular risk of identity theft, in part because of the government's use of the SSN as an identifier: I have been an identity theft victim for 1 year and I've yet to find an agency or organization that has brought any relief or words of comfort that can make this nightmare seem like it will have an end. I retired from the U.S. Army in 1999 after 20 years. July of 2001, Jerry Wayne Phillips, was able to get a military ID from Ft. Bragg, NC with my name and SSN. From there, you probably know the rest of the story. With that ID and my good credit history, he was able to buy cars, motorcycles, open credit card accounts, checking accounts, and get credit at virtually every department store that offers credit. I never came in contact with him, I didn't lose a credit card, and I wasn't careless with my Social Security number. The accounts he opened had no relationship to any of my accounts.\19\ --------------------------------------------------------------------------- \19\ The Military ID Was too Easy to Get: System Failures Aided the Thief, at http://privacyrights.org/cases/victim22.htm (accessed June 29, 2004). --------------------------------------------------------------------------- Another victim testified: How can this be possible? How can someone else actually open accounts or borrow money in your name? Well, it's quite easy, as we belatedly found out. All that person needs to do this is a close approximation of your first and last name and your SOCIAL SECURITY number. Spelling or accuracy doesn't matter. Nothing else about you is relevant. Different addresses various spouse names, birthday, any random place of employment, and spelling of this information is irrelevant. Age or any other personal information doesn't matter. All that is required is a first and last name that almost matches a Social Security number. The credit agencies readily verify an application if the Social Security number presented shows a good credit payment record. It doesn't matter if a different address, birthday, spouse's name or any variation to their recorded data is submitted with the application for their verification. The false data submitted by their customer now becomes your information. Again every transaction that involves your credit records is based on only one major piece of identification, your social security number.\20\ --------------------------------------------------------------------------- \20\ Legislative Testimony of John and Jane Doe, available at http://privacyrights.org/cases/victim5.htm (accessed June 29, 2004) --------------------------------------------------------------------------- The Identity Theft Resource Center explains in a publication on the crime that: It is also clear that in the majority of identity theft situations victims were not responsible for the loss. Most of these situations started because a business or governmental entity allowed the thief access either directly or indirectly to personal identifying information. This includes databases, cards carried in wallets that included one's SSN or via items mailed to victims with account or SSN information (allowing access through mail theft, dumpster diving or theft), or unsafe information gathering or handling practices. The reality is there are only two things that a victim can do to directly facilitate identity theft: carry a Social Security card in one's wallet or fall victim to a telephone or Internet scam. In all other situations direct links to a business entity can be drawn.\21\ --------------------------------------------------------------------------- \21\ Identity Theft Resource Center, Identity Theft: The Aftermath 2003, at http://www.idtheftcenter.org/idaftermath.pdf --------------------------------------------------------------------------- Identity theft litigation also shows that the SSN is central to committing fraud. In our written testimony, we detailed several identity theft lawsuits where it is clear that the SSN was the key to the impostor's success in the commission of identity theft.\22\ In fact, the SSN plays such a central role in identification that there are numerous cases where impostors were able to obtain credit with their own name but a victim's SSN, and as a result, only the victim's credit was affected.\23\ Last month, the Salt Lake Tribune reported: ``Making purchases on credit using your own name and someone else's Social Security number may sound difficult--even impossible--given the level of sophistication of the nation's financial services industry-- But investigators say it is happening with alarming frequency because businesses granting credit do little to ensure names and Social Security numbers match and credit bureaus allow perpetrators to establish credit files using other people's Social Security numbers.''\24\ The same article reports that Ron Ingleby, resident agent in charge of Utah, Montana and Wyoming for the SSA's Office of Inspector General, as stating that SSN-only fraud makes up the majority of cases of identity theft.\25\ --------------------------------------------------------------------------- \22\ See e.g. Nelski v. Pelland, 2004 U.S. App. LEXIS 663 (6th Cir. 2004) (phone company issued credit to impostor using victim's name but slightly different Social Security Number); United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003) (impostors obtained six American Express cards using correct name and Social Security Number but directed all six to be sent to the impostors' home); Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997) (bank issued two credit cards based on matching name and Social Security Number but incorrect address); Vazquez-Garcia v. Trans Union De P.R., Inc., 222 F. Supp. 2d 150 (D.P.R. 2002) (impostor successfully obtained credit with matching Social Security Number but incorrect date of birth and address); Dimezza v. First USA Bank, Inc., 103 F. Supp. 2d 1296 (D.N.M. 2000) (impostor obtained credit with Social Security Number match but incorrect address). \23\ See e.g. TRW Inc. v. Andrews 534 U.S. 19 (2001) (patient's data was stolen by receptionist who successfully applied for credit with a matching SSN but different addresses in a different state, a different first name, and different date of birth). \24\ Lesley Mitchell, New wrinkle in ID theft; Thieves pair your SS number with their name, buy with credit, never get caught; Social Security numbers a new tool for thieves, The Salt Lake Tribune, June 6, 2004, at E1. \25\ Id. --------------------------------------------------------------------------- Because creditors will open new accounts based only on a SSN match, California has passed legislation requiring certain credit grantors to comply with heightened authentication procedures. California Civil Code 1785.14 requires credit grantors to actually match identifying information on the credit application to the report held at the CRA. Credit cannot be granted unless three identifiers from the application match those on file at the credit bureau. We are aware of no academic literature that supports Mr. Cate's position. Instead, even a cursory review of the identity theft academic literature reveals that the SSN is understood as a principal tool for fraud.\26\ In a recently published article, R. Bradley McMahon explains the key role that the SSN plays in identity theft: --------------------------------------------------------------------------- \26\ See e.g. Harry A. Valetk, Mastering the Dark Arts of Cyberspace: A Quest for Sound Internet Safety Policies, 2004 Stan. Tech. L. Rev. 2 (2004) (describing problems caused by the `` Nine-Digit Key to Identity Theft''); Peter C. Alexander, Identity Theft and Bankruptcy Expungement, 77 Am. Bankr. L.J. 409 (Fall 2003);Lynn M. LoPucki, Did Privacy Cause Identity Theft?, 54 Hastings L.J. 1277 (April 2003) (noting that of the identifiers on a credit application, `` most important will be Consumer's Social Security number''); Christopher P. Couch, Forcing the Choice Between Commerce and Consumers: Application of the FCRA to Identity Theft, 52 Ala. L. Rev. 583 (Winter 2002); Erin M. Shoudt, Identity Theft: Victims ``Cry Out'' For Reform, 52 Am. U.L. Rev. 339 (October 2002); Jerilyn Stanley, Crimes Identify Theft: Supporting Victims in Recovering From the Crime of the Information Age, 32 McGeorge L. Rev. 566 (Winter 2001); Stephanie Byers, The Internet: Privacy Lost, Identities Stolen, 40 Brandeis L.J. 141 (Fall 2001); Kurt M. Saunders and Bruce Zucker, Counteracting Identity Fraud In The Information Age: The Identity Theft And Assumption Deterrence Act, 8 Cornell J. L. & Pub. Pol'y 661 (Spring 1999); Kristen S. Provenza, Identity Theft: Prevention and Liabilityty, 3 N.C. Banking Inst. 319 (April 1999). --------------------------------------------------------------------------- The easiest and most common way for a thief to steal someone's identity is by acquiring that person's Social Security number and other private information. Social Security numbers are attractive to identity thieves because the numbers are abundant and provide access to a victim's private information. Social Security numbers commonly are used as a national identifier for everything from car rentals to credit card applications. Often a thief needs only a name and a Social Security number to open up a credit card account or to access an existing account. A recent study reported that identity theft occurs mainly because information was either stolen or released from a company that compiles personal information. Over one thousand companies compile comprehensive databases of personal information and transfer this information every 5 seconds. Two of the largest compilers of personal data are the health care and the financial industries. Often, thieves look to these two sources for obtaining personal information. The liberal sharing policies of companies allow personal information to flow far beyond primary compilers. Once a person's information is released to one of these central sources, the dissemination of the personal information is completely out of the person's control. The extent to which this information proliferates into third party networks is not known. The information shared by corporate America is one of the principal sources for identity theft.\27\ --------------------------------------------------------------------------- \27\ R. Bradley McMahon, Note: After Billions Spent to Comply With HIPAA and GLBA Privacy Provisions, Why is Identity Theft the Most Prevalent Crime in America?, 49 Vill. L. Rev. 625, 627 (2004). --------------------------------------------------------------------------- Professor Daniel Solove of the George Washington Law School similarly argues that: SSNs are a key piece of information for identity theft. SSNs can unlock a wealth of other information held by the government and the private sector--SSNs are used as passwords to obtain access to a host of personal records from banks, investment companies, schools, hospitals, doctors, and so on. The SSN is a powerful number, for with it a person can open and close accounts, change addresses, obtain loans, access personal information, make financial transactions, and more---- In short, the SSN functions as a magic key that can unlock vast stores of records as well as financial accounts. The SSN is the identity thief's best tool.\28\ --------------------------------------------------------------------------- \28\ Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 Hastings L.J. 1227, 1252 (2003) --------------------------------------------------------------------------- The link between SSNs and identity theft is so well established that most academics include reference to the identifier when describing the crime: The cases described earlier in this article merely hint at the range of actions that may constitute bankruptcy-related identity theft. Forms of bankruptcy-related identity theft include, without limitation:n: Filing for bankruptcy using the name and/or SSN of another known person, such as a parent, sibling, child or other relative; a spouse, ex-spouse, ``significant other'' or ex-significant other; a current or former business partner, co-employee, cosigner on a debt, friend, neighbor or fellow student; or even a deceased person. Incurring debt under a false name and/or SSN and then filing for bankruptcy, using that name and/or number to discharge the debt. Sometimes this debt is owed to the government via a farm loan, small business loan, student loan or similar obligation. Transferring property into the name of a relative or friend, then filing for bankruptcy using that person's name and/or SSN to avoid foreclosure. Typically the transferee agrees to the transfer ``to help out,'' but does not understand the legal ramifications. Filing for bankruptcy using a false name and/or SSN that was apparently randomly chosen, because it does not belong to a person known to the perpetrator---- Using a false SSN when identifying oneself as a bankruptcy petition preparer.\29\ --------------------------------------------------------------------------- \29\ Jane E. Limprecht, Fresh Start or False Start? Dealing with Identity Theft in Bankruptcy Cases, American Bankruptcy Institute Journal, December 200, 2000 ABI JNL LEXIS 192. --------------------------------------------------------------------------- Finally, we take issue with Mr. Cate's characterization of the Identity Theft Survey Report that appears on page 6 of his testimony. On that page, Mr. Cate suggests that 76 percent of identity theft cases involved family members, friends, or financial institutions, and did not involve third party data. This is not a careful analysis of FTC's findings. Mr. Cate's 76 percent figure is not based on all identity theft victims. Instead, it is based on the minority of identity theft victims who knew the actual identity of the impostor (``in 26% of all cases, the victim knew who had misused their personal information'').\30\ The correct figure certainly is not 76 percent, as Mr. Cate suggests. Rather, the FTC very clearly wrote that: --------------------------------------------------------------------------- \30\ Federal Trade Commission, Identity Theft Survey Report 28, Sept. 2003, available at http://www.ftc.gov/os/2003/09/ synovatereport.pdf. --------------------------------------------------------------------------- ``35% of the 26% of victims who knew the identity (or, in other words, 9% of all victims) said a family member or relative was the person responsible for misusing their personal information--23% of the 26% of all victims who knew the identity of the thief (or 6% of all victims) said the person responsible was someone who worked at a company or financial institution that had access to the victim's personal information--Of the 26% who knew the identity of the person who took their information, 18% said the thief was a friend, neighbor, or in-home employee, while 16% said the thief was a complete stranger, but the victim later became aware of the thief's identity. (These figures represent 5% and 4% of all victims respectively.)\31\ --------------------------------------------------------------------------- \31\ Id. at 28-29. --------------------------------------------------------------------------- Mr. Cate would be correct in stating that in 25 percent of cases, the victim knew the impostor. However, that does not lead to the conclusion that H.R. 2971 or restrictions on third-party SSN sale is unjustified. H.R. 2971 could still reduce identity theft in cases where a friend, family member, company, or financial institution has access to SSNs. Instead of dumpster diving or stealing SSNs from computers, these impostors rely upon the appearance of the SSN in their acquaintances' mail or other personal belongings. For instance, in the college context, identity theft is facilitated by institutions that print the SSN directly on the student identity card. Accordingly, a roommate can very easily copy or take the victim's student identity card and then have the identifiers necessary to commit identity theft. Contrary to Mr. Cate's conclusion, H.R. 2971 would address these risks of identity theft. As SSNs are removed from checks, ID badges, and other materials, individuals will be less likely to be victimized by strangers or by their roommates, family members or friends. Question: If a private entity--for example, a consumer reporting agency, health care organization, or information reseller--has an individual's SSN in its possession, and this information is used in an identity theft or fraud, should that entity be held strictly liable for any harm done? Please comment on the advantages or disadvantages of this idea, as well as its feasibility and potential effectiveness in combating identity theft. Answer: EPIC has argued that collection of the SSN should be limited, but where it is allowed, it should be subject to a full set of ``Fair Information Practices,'' rights and responsibilities in data that ensure accuracy, access, and accountability. As part of the accountability responsibility, a strict liability standard would encourage companies to avoid unsafe practices. In particular, when a safer alternative activity exists, strict liability encourages use of the safer alternative while negligence offers no such additional incentive. Social Security number usage is a good fit for this standard. There are clear and equally effective alternatives to SSN use (alternative identifiers, avoiding SSN use altogether if unnecessary, and so forth.), and there is a far greater interest in avoiding identity theft altogether rather than simply preventing any identity theft that is not cost-effective to prevent in the first place, which negligence provides. Also, given the relatively small number of SSN aggregators, it is likely to be more efficient and less expensive to provide insurance against identity theft for such aggregators, rather than for individual potential victims who are likely to be less able to gauge their relative risk. The main disadvantage to a strict liability standard is that it may impose damages for losses that are unforeseeable or that would be too costly to prevent. Additionally, liable entities may draw attention to particular cases where significant damages are imposed in the absence of obvious fault. By encouraging companies to avoid using SSNs at all, rather than simply providing certain protections for unnecessary SSN use, a strict liability standard would be more effective at combating identity theft by decreasing the availability of and dependence on SSNs. We also suggest that Congress consider as an accountability measure a ``security breach notification'' law. California enacted such a law that took effect in July 2003. It requires all entities to notify individuals when their unencrypted SSNs are acquired by an unauthorized person.\32\ Under current law, a company could suffer a severe security breach and not notify any individual affected (except Californians). We think that a notice requirement is a fair condition for continued use of the SSN. --------------------------------------------------------------------------- \32\ California Senate Bill 1386, available at http:// info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/ sb_1386_bill_20020926_chaptered.html. --------------------------------------------------------------------------- Questions from Chairman E. Clay Shaw, Jr. to Mr. Brian P. McGuinness Question: How many states do not have a specific licensing requirement for private investigators? For those states that do have licensing requirements, how uniform are those requirements? Describe the oversight performed of licensed investigators' activities? What would prevent an investigator from becoming licensed, or having a license renewed? Answer: There are currently seven states that do not require licensing of private investigators. In my state of Florida investigators are subject to extensive criminal history background checks. We are stringently regulated with requirements for records retention, insurance, training (if armed) and subject to disciplinary action. The Department of Agriculture and Consumer Services takes its job seriously. Requirements do vary among the states but include background checks. Details about the various requirements may be found through the website of the International Association of Security and Investigative Regulators at www.iasir.org. As in my state, investigators are subject to penalties including the loss or suspension of a license. Serious violations of state regulations would prevent an investigator from renewing a license. Mandatory background checks prevent unqualified applicants from obtaining one. Let me add that there are very few instances of private investigators misusing identifying data. As proposed, the restrictions on our ability to access critical information puts the public at far greater risk than do the handful of cases where an investigator may have inappropriately used the data. Question: You mentioned that information providers audit the users of the data to ensure compliance with their contract (i.e., that the data is being used only for purposes authorized under the law). Do both licensed and unlicensed private investigators have access to credit header data? What percent of transactions would you say information sellers audit? How many times have you been audited? What checks are there in the system to prevent a private investigator (licensed or unlicensed), or a member of the staff of a private investigator, from accessing credit header information for an unauthorized purpose? Answer: We are not aware that the bureaus publish the number or extent of their audits. I have never been audited personally, but some of our members have and report that TransUnion, for example, has conducted stings to verify our members comply with the requirements to know their client and verify the purpose for which a report is used. Question: You recommended deletion of section 108 of the bill, which would authorize the release of SSNs by credit bureaus only under the terms required for a full consumer report. That provision in the bill is not the jurisdiction of this Committee, but rather the Committee on Financial Services. However, we are interested in hearing your feedback about the provision. Since the bill's provision only restricts release of the SSN, why couldn't other parts of the credit header, like name, address, and telephone number still be used to locate witnesses? In what percent of cases overall is the SSN needed to help differentiate between records? Rather than eliminate the provision altogether, is it possible to modify it in a way that balances SSN privacy with necessary uses? Answer: With regard to jurisdiction, we realize that any changes to the FCRA would be done by the Financial Services Committee, however, though you are not representing that Committee, Chairman Shaw is the author of the bill and we presume would have the authority to make recommendations for amendments. Because HR 2971 has been referred to multiple committees we expect that the vehicle that will ultimately be considered on the floor would in all likelihood be the product of a negotiation among these committees and the House Rules Committee. Recommendations of the sponsor and the Ways and Means Committee will be important. Name and address information is not sufficient to assure that an individual is the person whom we are attempting to locate. The Social Security Number is essential for distinguishing among numerous people with the same name. In many instances we are seeking persons who share a name with thousands. Even if we had John Smith's birth date it wouldn't be sufficient because he would share it with many other John Smith's. There are two ways requests for credit header information are made: One is by submitting a social security number to the credit bureau provider. While that appears to be permissible under the current structure of section 108, under section 107 (a), it would be unlawful for an investigator acting as a Consumer Reporting Agency to submit a Social Security number to the provider or anyone. Under the Fair Credit Reporting Act, and pursuant to the FTC, investigators conducting investigations for a ``permissible purpose'' are considered to be Consumer Reporting Agencies. A substantial percentage of investigations by our members fall under the purview of the FCRA. It should also be pointed out that the credit bureaus only sell header information to entities with whom they have contracted and who have executed those contracts which contain detailed limitations on the way that information may be used. I am unaware that credit headers are being sold directly to the general public.c. Investigators are also required to indemnify the provider unconditionally for any liability incurred or alleged. The contracts spell out that the providers will conduct periodic reviews of ``subscriber activity'' and random audits. Violators are subject to termination of the account, legal action and being reported to Federal and state regulatory agencies. The second way header information is requested is by submitting a name and date of birth to the provider. However, under section 107 (b)(1), the provider would be prevented from providing the Social Security number to the investigator thereby preventing a positive identification cross check. With regard to modifying section 108, that could be done by inserting exemptions. However, we feel it should best be eliminated. Following are our suggestions for amending section 107: In section 107, after (c) strike (A) and insert the following new subsection: i. to the extent necessary for law enforcement, including (but not limited to) the enforcement of a child support obligation, as determined under regulations of the Attorney General of the United States issued under section 205(c)(2)(I); ii. if the display, sale, or purchase of the number is for a use occurring as a result of an interaction between businesses, governments, or business and government (regardless of which entity initiates the interaction), including, but not limited to---- a. For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court, b. or the prevention of fraud (including fraud in protecting an employee's right to employment benefits); c. the facilitation of credit checks or the facilitation of background checks of employees, prospective employees, or volunteers; d. the retrieval of other information from other businesses, commercial enterprises, government entities, or private nonprofit organizations Question: You said you believe Congress should spell out all the appropriate uses of SSNs in the private sector, rather than allow the U.S. Attorney General to provide exceptions through regulations to the bill's prohibitions on sale, purchase, and display of SSNs to the general public, as H.R. 2971 requires. The activities you listed that private investigators provide are laudable. Why do you believe that you would not be able to convince the U.S. Attorney General during the process of developing and receiving comment on regulations that the SSN is needed for these purposes and that the costs do not outweigh the benefits? Answer: HR 2971 includes several exceptions to the restrictions on the use of SSNs in section 107. These include exceptions for law enforcement, child support, national security, public health, emergencies, research and where the Attorney General determines appropriate. We believe investigations in anticipation of litigation, due diligence, insurance claims, civil and criminal fraud, criminal defense, identity fraud, stalking and other violations of law are just as deserving of exception. Not clearly listing these investigations in the statute sends a message to the Department that they are of less concern to Congress. Our industry has had recent experience with administrative interpretations of statute. Until corrected by statute last year, the FTC had interpreted the Fair Credit Reporting Act to require the consent of employees suspected of workplace misconduct before we could institute an investigation! We want to avoid repeating that experience. The FTC is statutorily barred from promulgating regulations on the FCRA. 15 U.S.C. 1681s(a)(4). The agency issues a non-binding commentary on the Act. Credit, Trade Practices, 16 CFR 600, 607 (1995). Questions from Chairman E. Clay Shaw, Jr. to Mr. Mike Buengerer Question: What did the guidelines developed by the Conference of Chief Justices and Conference of State Court Administrators recommend with regard to display of SSNs, particularly on the Internet? What were the considerations that went into that recommendation? Didn't the draft version of the guidelines recommend excluding all but the last four digits of the SSN from display to the general public? Why did the group back off that recommendation? Answer: With respect to the display of documents containing SSNs on the Internet or available electronically, the Guidelines recommended that courts consider whether those documents be accessible only on computer terminals within a court's facility. This proposal could be costly to implement as it would require court staff to examine documents to see if the contained SSNs and other sensitive information. The preeminent consideration in the development of this recommendation was addressing the twin goals of protecting an individual's privacy and maintaining public access to the courts, which includes access to court documents. Many state constitutions possess so-called ``open court'' provisions that have generally been interpreted to mean that not only the courthouse doors but also the records of the court must be made available to the public. Other factors included: costs (both staff time and technology expenses), future technological advances, differing resource levels from court to court, inconvenience to court customers, and measuring the effectiveness of this approach. Question: Court systems may sell copies of their records, individually or in a batch, to information resellers and others, correct? How does this process work? How much revenue is raised by such sales? Would information resellers seek to purchase those records as frequently or at the same price if they did not contain SSNs? The FTC is statutorily barred from promulgating regulations on the FCRA. 15 U.S.C. 1681s(a)(4). The agency issues a non-binding commentary on the Act. Credit, Trade Practices, 16 CFR 600, 607 (1995). Answer: The interaction between information resellers and state courts vary widely from jurisdiction to jurisdiction. Generally, some resellers do pay for court records in bulk, especially in larger court systems, and these transactions are governed by court rules and procedures. In my experience, courts do not generally gain or make a ``profit'' from the bulk sale of court data. The money generated from such transactions pays for staff time, computer equipment usage/ programming costs, paper, and cost of media. This is due in no small measure to the provisions of many state open record laws that allow state governments (including courts) to make public information available at cost but which generally limit the ability of state government entities to make information selling a ``profit center.'' Most court rules governing these transactions stipulate that courts can reject a request from a reseller if that interferes with their ability to effectively serve the public. I would be glad to share examples of those court rules with the Subcommittee. I have checked with the National Center for State Courts, the premier research institution dealing with state courts, and they report that there has not been a survey or study done on the amount of nationwide revenue generated by sales of bulk information to the courts. I would theorize that information resellers would still purchase those records in bulk if they did not contain SSNs. Zip code marketing, home mortgage sale information, addresses and phone numbers are some of the valuable commodities to resellers that can still be garnered from court records. Questions from Chairman E. Clay Shaw, Jr. to Mr. Fred Cate Question: You stated that SSNs help locate information that can be used to verify the identity of a person. Why then is identity theft increasing at such a rapid pace despite the fact that creditors and others can use SSNs to link to information that helps verify an individual's identity and when they have a financial incentive to do so? Answer: 1. As I testified, according to the most recent research conducted for the FTC, most identity theft is not committed by strangers, but rather by family members, friends, co-workers, and employees of organizations with whom the victim has contact. Social Security Numbers play a very limited role in these types of identity theft, and so the value of Social Security Numbers to help prevent identity theft and other frauds is limited. In other situations, where a stranger uses a Social Security Number as one tool to help open a fraudulent account in a third party's name, Social Security Numbers have been very effective in helping to deter many incidents of identity theft. They would be even more effective (a) if they were more widely used by retailers, credit grantors, and others, and (b) if those same parties were more diligent in matching the identifying information in the credit file which the Social Security Number references to the individual seeking credit. In their haste to provide speedy service to a customer, some retailer and credit grantor may appear not to be diligently matching address, telephone number, and other available information that could be used to better verify identity.. Two caveats are important here. First, the problem of matching information is especially great in online and telephone commerce, where the applicant and credit grantor are not located in the same place. Nevertheless, many Internet and telephone businesses have been very successful in requiring extensive matching information and thereby holding down fraud. (Consider many airlines, for example, which require not only a valid credit card number, but also an address and telephone number that match the information in the credit card issuer's file.) Question: You have said that ubiquitous SSNs help identify people and ensure that information is associated with the correct person. Why then have the FTC, the SSA IG, and the Postal Inspection Service identified it as a prime tool for terrorists and identity thieves? Answer: 2. Social Security Numbers are a tool for many identity thieves for precisely the same reason that they are valuable to legitimate merchants, service providers, and consumers: they help provide a necessary link with a payment mechanism (e.g., whether a credit file that indicates likely ability to pay or a credit card). We cannot have the positive benefits of instant credit, national commerce, and Internet and telephone business, without also having the risk that the same tools that make that possible will be used for identity theft. None of the government authorities to which you refer in your question has to my knowledge voiced any contradictory conclusion. This is why I believe all of the available research suggests that the long-term solution to identity theft is not to restrict the use of Social Security Numbers, but to enhance their integrity and availability. If retailers and credit grantors were given greater incentives to check the file indicated by the Social Security Number presented by the customer and then match the information there with information presented by the customer, identity theft could be significantly reduced. However, again, it must be reiterated that such incentives will be far less effective if consumers, in turn, are not given incentives to protect their Social Security and credit card numbers, avoid disclosing PINs and passwords to colleagues and family members, and check their account statements regularly for irregularities. It is easy, and therefore tempting, to focus only on the business side of the equation, but many of the most critical steps to help guard against identity thieves are uniquely in the hands of consumers. Moreover, as the FTC's recent work in this area demonstrates, the speed with which incidents of identity theft are detected is critical to reducing the losses they cause, yet a third of all consumers studied by that report never informed anyone of the theft, even after they discovered them. This suggests that reports of identity theft are exaggerated or that consumers wren to doing there part to help protect themselves. Question: This Subcommittee has heard from a number of victims of identity theft. A common, and frustrating, theme is that after individuals discover the theft and report it to credit bureaus and financial institutions, they continue to be victimized by identity theft. How can this continue to occur, given the anti-fraud programs the industry cites? In your judgment, is the private sector doing enough to combat identity theft and assist its victims? Are there more effective ways to assist victims of identity theft to correct their credit histories? Should we require the credit industry to give priority status to help victims restore their records and good credit? Answer: 3. You highlight a critical issue: the difficulty consumers face in getting their reputations restored after they have been the victims of identify theft. This is the single most consistent refrain from virtually all identity theft victims. Interestingly, many victims report that their primary frustration is when dealing with the government (e.g., getting the police to even take a report of an incident of identity theft, clearly up arrest records and traffic offenses resulting from an identity theft, finding consistency across the jurisdictions in which an identity thief may operate). I would urge you to focus on the government first, because there is nothing the public can do if the government fails in its duty. The most recent research suggests that identity theft victims find it easier to deal with businesses, especially national credit bureaus and credit card issuers. Through measures adopted voluntarily by industry and those required by law, often facilitated by the FTC and other federal government agencies, it is getting easier to report identity theft and to get errors in financial records caused by identity thieves corrected. There is still more to be done. One measure that many industry representatives suggest would be useful would be a standardized identity theft police report, taken under oath, which could be made available electronically to retailers and credit grantors. It is important to remember that consumers often mislead businesses in an effort to avoid paying the debts that they have in fact incurred. Representatives of major credit card companies have long testified before Congress that many consumers--according to some companies, a majority--who call to object to a charge or other expense actually were responsible for it and either forgot it (or forgot lending their card to a family member or friend) or were deliberately trying to avoid paying it. It is not surprising that businesses might have some hesitation in accepting a consumer's word about an incident of identity theft in the absence of a police report. Finally, I would encourage the Subcommittee staff to be as precise as possible when categorizing the complaints of identity theft victims. My understanding is that of those consumers who do have complaints with businesses--as opposed to the government--most focus on credit grantors, not credit bureaus or other aggregators of information. Question: If a private entity--for example, a consumer reporting agency, health care organization, or information reseller--has an individual's SSN in its possession, and this information is used in an identity theft or fraud, should that entity be held strictly liable for any harm done? Please comment on the advantages or disadvantages of this idea, as well as its feasibility and potential effectiveness in combating identity theft. Answer: 4. The concept of liability for misuse of information by a third party has been discussed for some time, but so far avoided as a matter of law for what, I suspect, are good reasons. First, the proof problems are vast. How do we know where an identity thief got the information that he used in his crime? Second, causality is not at all clear. As I have noted before, the Social Security Number only provides a link to a credit or other file. It cannot--by itself--be used to commit identity theft. Third, and closely related, there are almost always critical intervening factors that are far more important than the Social Security Number. The merchant who fails to verify information presented by the customer with that in the credit file, the business who accepts fraudulent identification that the thief obtained from the government, the consumer who fails to review his credit card statement--how is the law to assign responsibility to the possessor of the Social Security Number as opposed to these other parties. Fourth, liability creates great risks for consumers--risks that merchants will be persuaded to invest in protecting Social Security Numbers at the expense of focusing scarce resources on other anti- identity theft measures, and risks that the additional costs of defending against such liability will undercut valuable services, interfere with consumer convenience, and contribute to increasing prices. Let me be perfectly clear, as a matter of both law and economics, I believe that broad-based liability for Social Security Number misuse by a third party is wholly unworkable. That does not mean that there is no role for increased liability at all. When Congress limited consumer liability for credit card fraud to $50 (thereby effectively imposing that liability on merchants or card issuers, but without creating an invitation for expensive and wasteful class actions), it helped drive the greatest expansion of consumer credit the world has seen. There may be similar steps that Congress should be considering today--modest, targeted, highly focused efforts to create incentives for preventing and fighting identity theft. For example, Congress could provide that losses from identity theft will presumptively be the responsibility of any merchant whose failure to follow reasonable procedures to verify the identity of the customers is exploited by an identity thief. As I have indicated, I believe the Subcommittee should think about focusing any new liability not only on businesses, but also on individuals, who are often in the best place to prevent and detect identity theft. For example, if you legislated a uniform identity theft affidavit, subject to a civil or criminal penalty for anyone who knowingly lies when completing one, it would then be far more feasible to expect retailers and credit grantors to rely on it and to do so quickly. I would caution against too great of a focus on liability at this time, however. Congress has just put new tools into the hands of consumers and businesses that may prove very valuable in the fight against identity theft. Free credit reports, fraud flags, and other measures adopted last year as part of the Fair and Accurate Credit Transactions Act hold great promise. While the FTC is implementing those and we wait to see their impact, I would encourage you to focus on: a. educating consumers about the new tools available to them to fight identity theft; b. ensuring that government is doing its part in that fight by making incidents of identity theft easy to report, by improving the systems by which government records are cleansed of the deeds of identity thieves, and by improving the identity verification process that the government uses when issuing driver's licenses and other forms of identification on which we all rely; and c. continue with those portions of the pending bill that would eliminate the wholly inappropriate use of Social Security Numbers (on envelopes and checks) and toughen penalties against providers of illicit Social Security Numbers and identification documents. [Submissions for the record follow:] June 16, 2004 The Honorable Clay Shaw Chairman, House Ways & Means Subcommittee on Social Security B-316 Rayburn House Office Bldg. Washington, DC 20515 Dear Chairman Shaw and Ranking Member Matsui: The undersigned organizations applaud your efforts over the past several years to craft legislation that will ensure the integrity of the social security number (SSN) in the years ahead. We remain extremely concerned about the proliferation of identity theft and other financial crimes that exploit individual SSNs, and believe strong legislation should be enacted to combat such nefarious acts. As public and private employee benefit plan sponsors, we provided detailed analysis of possible legislative proposals on July 24, 2003, to address our concern that such legislation could unintentionally hinder the delivery of benefits from, and the efficient administration of these plans. In that testimony, we stated that in your bipartisan legislation introduced during the 107th Congress, the ``Social Security Number Privacy and Identity Theft Prevention Act of 2001,'' (H.R. 2036), the definitions and provisions relating to the ``sale,'' ``purchase'' or ``display'' of a person's SSN could make it more difficult to deliver comprehensive health and retirement benefits to public and private employees alike. In working with you and your staff over the past year, much of this concern has subsided. We appreciate the bill you introduced in the 108th Congress, H.R. 2971, the ``Social Security Number Privacy and Identity Theft Prevention Act of 2003.'' Although the bill treats public and private sector entities somewhat differently, it specifically recognizes the importance of voluntary employee benefit plans. Section 208A(a)(2)(B)(ii) (Section 107(a) of H.R. 2971) ensures that the provision of and administration of these plans will not be hindered by the legislation. As you know, public and private employee benefit plans generally use SSNs because they enable the accurate and timely administration of benefits for a highly mobile workforce, and because use of the SSN is mandated for tax reporting requirements. Plan administrators take seriously the responsibility that the use of SSNs requires, and they use the utmost caution and security when SSNs are used in plan administration and communications. Public and private sector defined benefit and defined contribution pension and savings plans, like 401(k), 403(b), and 457 plans, use SSNs to identify plan participants, account for employee contributions, implement the employee's investment directions, track ``rollovers'' from other plans, and allow employees to view their account activity or benefit accrual online (typically in conjunction with a secure ``PIN''). We believe that Section 208A(a)(2)(B)(ii) would allow these important processes to continue as well. Also, SSNs are also used as the primary identifier in many medical and health benefit and prescription drug plans to coordinate communications between the doctor, the medical service provider, and the plan. Again, we believe this section, like the allowable legitimate uses of SSNs for national security, law enforcement, public health and advancing public knowledge purposes, permits this effective health process to continue. As further evidence of your intent to protect the employer-employee relationship, Section 109 of H.R. 2971 provides for the continued use of SSNs when expressly required under Federal law, such as for W-2 income tax reporting. We applaud this effort as well. We look forward to continuing to work with you and the Committee to effectively address the problem of identity theft without creating unintentional barriers to the provision of public and private pension, health and other benefits to employees. To this end, we urge you to retain the important provisions described here without change as the Committee continues to examine legislative proposals. Please do not hesitate to contact us should you require additional information or wish to discuss this issue in more detail. Sincerely, Jim Klein American Benefits Council Brian Graff American Society of Pension Actuaries Tony Lee College and University Professional Association for Human Resources Janice Gregory ERISA Industry Committee Bob Shepler Financial Executives International's Committee on Benefits Finance Jeannine Markoe Raymond National Association of State Retirement Administrators Cindie Moore National Council on Teacher Retirement Chris Stephen National Rural Electric Cooperative Association Ed Ferrigno Profit Sharing/401(k) Council of America Mary Huttlinger Society for Human Resource Management First Data Corporation Englewood, Colorado 80112 June 14, 2004 The Honorable Clay Shaw Chairman, Subcommittee on Social Security 1102 Longworth House Office Building Washington D.C. 20515 Dear Chairman Shaw, On behalf of First Data Corporation, I am submitting this testimony for the record. Serving approximately 3.5 million merchant locations, 1,400 card issuers and millions of consumers, First Data makes it easy, fast and secure for people and businesses to buy goods and services, using virtually any form of payment: credit, debit, smart card, stored- value card or check at the point of sale, over the Internet or by money transfer. First Data believes that protecting consumers from the misuse of Social Security Numbers (SSN) is an important goal. However, it is equally important to ensure that restrictions on the use of SSNs do not disrupt financial activities that consumers expect to occur or increase fraud, identity theft, and other criminal activities. As a leader in the financial services industry, we offer the following perspective on the positive uses of Social Security Numbers and exemption language that we believe should be considered in any legislation restricting the use of SSNs. POSITIVE USES--While no one should profit from the display, sale or purchase of SSNs, restricting the use of the number may have the unintended consequence of increasing fraud and identity theft, making it harder for consumers to obtain the important services they have come to expect and rely upon from financial service companies, or increasing both the time and cost of obtaining such services. The following are examples of positive Social Security Number uses: 1. Authenticating individuals involved in financial accounts and transactions_Consumers engage in a wide variety of financial transactions and often have numerous financial accounts. Currently, the Social Security Number is the most reliable piece of personal information used to verify the identity of the consumer. Consumer names, addresses, phone numbers and account numbers often change over time. Both the date of birth and mother's maiden name are often easily accessible from public records. In contrast, a Social Security Number remains constant over time and is not, by itself, a public record. 2. Fraud and Identity Theft_Using a Social Security Number to authenticate a consumer is a valuable tool used by the business community to detect fraud and identity theft. Unfortunately, it is this same value that makes the Social Security Number such a precious commodity to criminals. The goal of any Social Security Number legislation should be to limit criminal access to Social Security Numbers while preserving its use to stop identity theft. PROPOSED EXEMPTIONS--We believe that legislation restricting the use of SSNs should include exemptions forthe collection or use of an individual's SSN in connection with the following activities: a. To approve, guarantee, process, administer or enforce a financial account or transaction involving the individual, including authenticating the individual and any information provided by the individual in connection with the account or transaction. [For example, the SSN is used to ensure that a deceased individual's Social Security Number is not used for fraudulent purposes and that future communications addressed to the deceased can be stopped.] b. To evaluate, detect or reduce risk, fraud, identity theft or possible criminal activities. [For example, the SSN is used to locate possible victims of such criminal activities.] c. To report to or obtain information from a consumer reporting agency pursuant to the Federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq), or where the collection and use of the individual's SSN is required by any state or federal law, rule or regulation. [For example, the SSN is a critical element for creating accurate credit reports which allow consumers efficient access to credit and other financial transactions.] Sincerely, Joe Samuel Director of Government Relations Statement of Stephen B. Copeland, Professional Investigators and Security Association, Vienna, Virginia Mr. Chairman and Members of the Subcommittee: My name is Stephen B. Copeland, and I am President of the Professional Investigators and Security Association (PISA). I want to thank you for the opportunity to submit testimony on the important issue of identity theft and how to effectively combat it. PISA was established in 1984 to represent the private investigation and security industries of the Commonwealth of Virginia. PISA's membership includes hundreds of professionals, many of which would be impacted by H.R. 2971. In Virginia, these industries are regulated and monitored by the Private Security Services Section of the Commonwealth's Department of Criminal Justice Services. Extensive training, registration, certification and licensing requirements, coupled with criminal background checks, help ensure a high degree of competence and adherence to ethical standards. The Department of Criminal Justice Services also conducts investigations and audits of firms, individuals and training schools in the private security industry to ensure compliance with the requirements of Virginia law and regulations. PISA is supportive of federal legislative efforts to prevent identity theft and assist victims of this fast-growing crime. Many of our members have been on the front lines of the battle against identity theft, assisting companies and individual identity theft victims by investigating, documenting, and exposing identity theft and fraud. In these efforts, Social Security Numbers and credit header data are critical investigative tools when used appropriately by law enforcement and licensed private investigation and security businesses. Private investigation and security professionals use this data for a variety of other purposes as well, including child support enforcement, locating missing persons and heirs, fraud prevention, and employee background investigations. Currently, access to Social Security Number and credit header data is not limited to credentialed professionals, but is also being made available to the general public, especially through the Internet. This access creates many opportunities for abuse by potential identity thieves. However, as noted recently by the General Accounting Office, restricting legitimate use of identified data by businesses could hurt consumers and in fact make identity theft easier by making identity confirmation and background investigations more difficult. To best serve the interests of the public, Congress must balance restricting access to Social Security Numbers and credit header data with the legitimate needs of law enforcement, businesses, and investigation and security professionals. While the objectives of H.R. 2971 are laudable, sections 107 and 108 would have a serious negative impact on the ability to investigate cases of identity theft and confirm the accuracy of background information provided by individuals. We urge Congress to help prevent and combat identity theft by ensuring that any additional limitations on access to Social Security Number and credit header data preserve appropriate access by credentialed private investigation and security professionals.