[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
ASSESSING DATA SECURITY:
PREVENTING BREACHES AND
PROTECTING SENSITIVE INFORMATION
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
MAY 4, 2005
__________
Printed for the use of the Committee on Financial Services
Serial No. 109-23
U.S. GOVERNMENT PRINTING OFFICE
24-091 WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
HOUSE COMMITTEE ON FINANCIAL SERVICES
MICHAEL G. OXLEY, Ohio, Chairman
JAMES A. LEACH, Iowa
RICHARD H. BAKER, Louisiana
DEBORAH PRYCE, Ohio
SPENCER BACHUS, Alabama
MICHAEL N. CASTLE, Delaware
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
ROBERT W. NEY, Ohio
SUE W. KELLY, New York, Vice Chair
RON PAUL, Texas
PAUL E. GILLMOR, Ohio
JIM RYUN, Kansas
STEVEN C. LaTOURETTE, Ohio
DONALD A. MANZULLO, Illinois
WALTER B. JONES, Jr., North Carolina
JUDY BIGGERT, Illinois
CHRISTOPHER SHAYS, Connecticut
VITO FOSSELLA, New York
GARY G. MILLER, California
PATRICK J. TIBERI, Ohio
MARK R. KENNEDY, Minnesota
TOM FEENEY, Florida
JEB HENSARLING, Texas
SCOTT GARRETT, New Jersey
GINNY BROWN-WAITE, Florida
J. GRESHAM BARRETT, South Carolina
KATHERINE HARRIS, Florida
RICK RENZI, Arizona
JIM GERLACH, Pennsylvania
STEVAN PEARCE, New Mexico
RANDY NEUGEBAUER, Texas
TOM PRICE, Georgia
MICHAEL G. FITZPATRICK, Pennsylvania
GEOFF DAVIS, Kentucky
PATRICK T. McHENRY, North Carolina
----------
BARNEY FRANK, Massachusetts
PAUL E. KANJORSKI, Pennsylvania
MAXINE WATERS, California
CAROLYN B. MALONEY, New York
LUIS V. GUTIERREZ, Illinois
NYDIA M. VELAZQUEZ, New York
MELVIN L. WATT, North Carolina
GARY L. ACKERMAN, New York
DARLENE HOOLEY, Oregon
JULIA CARSON, Indiana
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
BARBARA LEE, California
DENNIS MOORE, Kansas
MICHAEL E. CAPUANO, Massachusetts
HAROLD E. FORD, Jr., Tennessee
RUBEN HINOJOSA, Texas
JOSEPH CROWLEY, New York
WM. LACY CLAY, Missouri
STEVE ISRAEL, New York
CAROLYN McCARTHY, New York
JOE BACA, California
JIM MATHESON, Utah
STEPHEN F. LYNCH, Massachusetts
BRAD MILLER, North Carolina
DAVID SCOTT, Georgia
ARTUR DAVIS, Alabama
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
MELISSA L. BEAN, Illinois
DEBBIE WASSERMAN SCHULTZ, Florida
GWEN MOORE, Wisconsin
BERNARD SANDERS, Vermont
Robert U. Foster, III, Staff Director
CONTENTS
----------
Page
Hearing held on:
May 4, 2005.................................................. 1
Appendix:
May 4, 2005.................................................. 55
WITNESSES
Wednesday, May 4, 2005
Desoer, Barbara, Executive of Global Technology, Service and
Fulfillment, Bank of America Corporation....................... 7
Foley, Eugene, President and CEO, Harvard University Employees
Credit Union................................................... 9
McGuffey, Don, Senior Vice President, Data Acquisition,
ChoicePoint Inc................................................ 11
Sanford, Kurt, President and CEO, U.S. Corporate and Federal
Markets, LexisNexis............................................ 13
Ward, Bestor, President, Safe Archives-Safe Shredding, LLC....... 15
APPENDIX
Prepared statements:
Oxley, Hon. Michael G........................................ 56
Castle, Hon. Michael N....................................... 58
Hinojosa, Hon. Ruben......................................... 59
LaTourette, Hon. Steven C.................................... 63
Desoer, Barbara.............................................. 64
Foley, Eugene................................................ 69
McGuffey, Don................................................ 73
Sanford, Kurt................................................ 79
Ward, Bestor................................................. 92
Additional Material Submitted for the Record
Paul, Hon. Ron:
Written letter with attachments to Hon. Michael G. Oxley..... 105
ASSESSING DATA SECURITY:
PREVENTING BREACHES AND
PROTECTING SENSITIVE INFORMATION
----------
Wednesday, May 4, 2005
U.S. House of Representatives,
Committee on Financial Services,
Washington, D.C.
The committee met, pursuant to call, at 10:03 a.m., in Room
2128, Rayburn House Office Building, Hon. Michael Oxley
[chairman of the committee] presiding.
Present: Representatives Oxley, Bachus, Castle, Kelly,
Gillmor, Biggert, Tiberi, Kennedy, Hensarling, Brown-Waite,
Harris, Renzi, Pearce, Price, Davis of Kentucky, McHenry,
Frank, Maloney, Velazquez, Watt, Hooley, Carson, Sherman, Lee,
Moore of Kansas, Crowley, Clay, Israel, McCarthy, Matheson,
Lynch, Scott, Green, Cleaver, Bean, Wasserman Schultz, and
Moore of Wisconsin.
The Chairman. The committee will come to order.
This morning the committee meets to consider a topic we
have been hearing about on an almost daily basis during the
past few months: data security and its connection to the crime
of identity theft.
Several recent high-profile security breaches have focused
public attention as never before on the vulnerabilities of
companies' data security systems. Congress now has to ask: Are
we doing enough to protect against the theft and misuse of
sensitive commercial information on consumers?
Protecting sensitive information is an issue of great
importance for all Americans. In recent years, criminals in the
United States and abroad have become increasingly inventive in
finding ways to access and exploit information systems in order
to commit identity theft.
According to a Federal Trade Commission estimate, over 10
million Americans are victimized by identity thieves each year,
costing consumers and businesses over $55 billion per year, not
counting the estimated 300 million hours spent by victims
trying to repair damaged credit records.
The financial costs are staggering, with over $10,000
stolen in the average fraud.
The Financial Services Committee has worked tirelessly over
the past several Congresses to identify and enact solutions to
this destructive crime.
During the 108th Congress, over 100 witnesses came before
this committee to testify on the reauthorization of the Fair
Credit Reporting Act. Through that process, under the
leadership of the gentleman from Alabama, Mr. Bachus, the
committee developed an exhaustive record on the need to
increase safeguards designed to protect consumers and
businesses alike from identity theft.
Through bipartisan cooperation on this committee, we
ultimately produced strong consumer protection in anti-identity
theft legislation known as the Fair and Accurate Credit
Transactions Act, or FACT Act.
The FACT Act places new obligations on financial
institutions to prevent identity theft, entitles consumers to a
free annual credit report from each of the three major credit
bureaus and creates a national fraud alert system to simplify a
consumer's ability to detect and report fraudulent activity.
The FACT Act was signed into law on December 4, 2003, and
is currently in the process of being fully implemented by
federal regulators in the financial services industry.
The federal banking regulators have also been hard at work
on other initiatives to protect sensitive information.
On March 29, 2005, the Federal Reserve, FDIC, OCC and OTS
issued final data security standards for depository
institutions that are required in Title 5 of Gramm-Leach-Bliley.
The standards call for every financial institution to
implement a response program to address incidents of
unauthorized access to consumer information maintained by the
institution and to notify the affected customer as soon as
possible.
In light of continuing guidance from the regulators, it is
my hope that we can focus today on the broader issue of data
security and how best to protect sensitive information from
being improperly accessed, and ensure that consumers receive
prompt and effective notice when sensitive information has been
compromised and is likely to have been misused.
One of my concerns in this regard is that given the
dramatic rise in recent reports on data breaches, there will be
a headlong rush toward notification in every instance.
When no evidence surfaces to indicate that their
information has been misused, consumers may begin to ignore
these notices as just that many more pieces of unsolicited junk
mail.
California recently enacted legislation requiring
disclosure of any data security breach to any state resident
whose unencrypted personal information was or is reasonably
believed to have been acquired by an unauthorized person. Only
a small percentage of these cases, however, have actually
resulted in any fraudulent activity.
Other states are considering legislation similar to
California's. It is important that this committee take a look
at what is being contemplated in the States and consider
whether a national breach notification standard will work best
for American consumers.
I would like to welcome our witnesses to today's hearing,
and I look forward to hearing your testimony and working with
you to find ways to prevent future data security breaches and
continue our efforts to combat identity theft.
The Chair's time has expired. I now yield to the gentleman
from Massachusetts and the Ranking Member.
Mr. Frank. Thank you, Mr. Chairman.
Before I yield my time to the gentlewoman from Illinois,
Ms. Bean, who has been a very energetic person involved in
this, I did want to note: I was somewhat pleased to hear you
say that there was some concern, and I assume the industry
shares this concern, on too much unsolicited junk mail going to
individuals.
If they, in fact, the industry is worried about, the
financial services industry, about too much unsolicited junk
mail going to individuals in this instance, it is a
breakthrough, because I have not found them in the past to be
terribly sensitive to that. At least my mailbox will welcome
this new sensitivity. And I hope it spreads from just
notification here to maybe some other areas.
And with that I want to yield to the gentlewoman from
Illinois, who has been a real leader in this in her very first
few months here.
Ms. Bean. Thank you, Mr. Frank. I appreciate the
opportunity to speak today.
First, I would like to thank you and Chairman Oxley for
your leadership on this very important issue of consumer data
security.
The recent high-profile data security breaches at
ChoicePoint, Bank of America and LexisNexis have continued to
fuel ongoing concerns about the safety and security of
Americans' personal financial data. These concerns have forced
Congress to once again examine how industry and government can
work together to better ensure that an individual's private
personal information is adequately protected.
As a new Member of Congress and a new member of this
committee, I am honored to join in this endeavor. I know that
many of my colleagues, particularly Representative Hooley, have
worked hard on this issue for many years, and I look forward to
working with them as we move forward.
In March, Americans were shocked to learn that the private
data--including Social Security numbers, credit files and
personal health information--of nearly 150,000 Americans were
sold by ChoicePoint to fraud artists posing as legitimate
businesses. However, as illustrated by the subsequent data
breaches nationwide, the ChoicePoint case was not an isolated
incident. In fact, according to the privacy right center, up to
10 million Americans are victims of I.D. theft each year, and
these numbers are on the rise.
Even though victims do not usually end up paying their
imposters' bills, they are often left with a bad credit report
and must spend months and even years regaining their financial
health.
In a recent profile of an individual who fell victim to
identity theft, the Chicago Tribune explained that these
victims often learn the hard way that the crime is like a
chronic disease that goes into remission only to stir up again
when least expected.
It is not uncommon that for years after an identity theft,
victims have difficulty getting credit, obtaining loans,
renting apartments and even getting hired by employers.
As the volume of personal data held by corporations, data
brokers and business continues to increase, the issue of
securing this data and protecting one's privacy takes on
particular importance.
To begin addressing this issue, in early March I joined
with Representative Maloney and Representative Gutierrez in
introducing H.R. 1069, the Notification of Risk to Personal
Data Act, or H.R. 1069. It is the companion bill to legislation
introduced by Senator Feinstein and is based on the California
notification law, with which I am sure you are familiar.
I believe this bill is a good first step and is based upon
sound principles. However, I am mindful that even legislation
with the best intentions can create unnecessary and unforeseen
burdens. We must find a solution that provides consumer
protection but is viable and meaningful in its execution.
I am optimistic that this can be done, because I know
consumers, business and Congress share a common goal: to keep
Americans' personal information secure.
I thank the witnesses for testifying before the committee
today, and I appreciate your taking the time to share your
thoughts.
I am particularly interested in your testimony as it
relates to notification and triggering of notification.
I yield back the balance of my time.
The Chairman. The gentlelady's time has expired.
The gentleman from Alabama, Mr. Bachus?
Mr. Bachus. I thank the Chairman.
I think this is a very important issue, and I think the
thing, as we go forward, we ought to remember is that there are
different kinds of data or different documents. There are
financial documents, there are personal documents, there is
credit card information, there is even health records--and all
of those can be used to some extent to perpetrate identity
theft.
Also, that data, sometimes it is stored, sometimes it is
disposed of, sometimes the problems are the security in how it
is stored, sometimes the problems are how it is disposed of.
And there are different institutions that have it, and
different laws that apply to that data storage. The FACT Act
sets up one standard, Gramm-Leach-Bliley sets up another
standard, HIPAA sets up another standard.
I think, as a result of the high degree of I.D. theft that
we have and the different statutes we have, sometimes there are
gaps in the statutes where they may or may not cover certain
documents.
We do need a national standard. And we need a national
standard on notification.
If we do not have that, it is going to be simply impossible
for businesses to know what to do or how to comply or know what
standard.
I would think that one thing this committee ought to do is
look at the existing law. When we come up with legislation, we
ought to at least allow the regulators, the FTC, as they have
done in the disposal rules, to fashion some parameters and try
not to get too immersed in the finite details as we do this.
I want to commend Mr. Castle and Ms. Pryce and others on
the other side for pushing this issue.
And I would like to yield the balance of my time to Mr.
Castle, who has been a leader in this effort.
Mr. Castle. I thank the gentleman very much for yielding
and, of course, for all his work in this and many other areas
in banking.
It is clear that we do live in a world that is becoming
increasingly complicated in relying on technology and dependent
on data for instant decisions. Therefore, I believe, Mr.
Chairman, it is worthwhile for us to explore the practicality
of requiring database security and safeguards for most of the
public and private sectors, while our financial institutions,
as defined by Gramm-Leach-Bliley, are already required to
secure their sensitive data. It may be that we should do
likewise across other sectors.
In the coming weeks, we are planning to introduce a
comprehensive bill that in part requires many more databases to
have a standard level of protection.
In addition, we will define what constitutes a breach so
that affected entities, regulators and consumers can be
notified when appropriate and in a coordinated manner.
I am also pleased to be working with the gentlewoman from
Ohio, Ms. Pryce, on this legislation that is intended to adjust
a number of these and other concerns.
And finally, I am interested in hearing from our panelists
about steps they took to ensure the future safety of the
breached parties' sensitive information. Some companies have
provided free credit monitoring for all those that were subject
to the breach. I think this is an enormously positive step that
helps consumers and restores confidence and peace of mind to
many.
So we appreciate you being here.
And I appreciate, again, the gentleman yielding.
I yield back to the gentleman from Alabama.
The Chairman. The gentleman yields back.
The gentlelady from Oregon, Ms. Hooley?
Ms. Hooley. Thank you, Chairman Oxley and Ranking Member
Frank, for convening this hearing today.
In my opinion, data security is one of the most important
issues that will be brought before this committee in the 109th
Congress. Its impact is immense. Consumers, businesses, local
and federal law enforcement all have a stake in the manner in
which we solve the problem created by data security breaches.
I look forward to all of the members that have taken an
interest in this, particularly Representative Bean.
I look forward to continuing in a bipartisan manner in
which this committee has operated in recent past to build a
broad consensus for an effective solution.
Identity theft represents a fundamental threat to e-commerce,
our economy, as well as our homeland security. No
longer are we facing just hobbyist hackers creating a nuisance.
Increasingly these attacks are driven by skilled criminals.
Identity theft is big business. The Federal Trade
Commission estimates that 9 million to 10 million Americans are
victims of identity theft every year to a total cost to
business and consumers approaching $50 billion. For that
reason, it is imperative that Congress and the private sector
work together to make certain that sensitive personal
information is protected by adequate safeguards.
The committee made progress in this respect in the 108th
Congress with the passage of the FACT Act, and now we have to
build on that success.
This will not be easy. There are many tough questions that
need to be answered.
First and foremost among them will be how we notify
consumers whose information has been compromised. Under what
circumstances should they be notified about a breach? When a
notice of breach is issued, what information should that notice
include? What form should a uniform notice of breach take?
These are just a couple of the questions that we are going to
have to answer.
I am confident that by working together we can find
practical solutions that will provide consumers with landmark
protections while also avoiding an undue burden on enterprises
who possess, for legitimate purposes, very personal
information.
I thank you and yield back the remainder of my time.
The Chairman. The gentlelady yields back.
We now turn to our distinguished panel.
The first witness is Ms. Barbara Desoer, Global Technology,
Service and Fulfillment executive from Bank of America followed
by Mr. Eugene Foley, president and CEO of Harvard University
Employees Credit Union; Mr. Don McGuffey, senior vice president
for Data Acquisition and Strategy at ChoicePoint; Mr. Kurt P.
Sanford, president and CEO of U.S. Corporate and Federal
Government Markets at LexisNexis; and Mr. Bestor Ward,
president of Safe Archives-Safe Shredding LLC--which I
understand has some Alabama connections, is that right, Mr.
Bachus?
Mr. Bachus. Yes. In fact, Mr. Chairman, I would like to
commend Mr. Ward for his testimony. I have read his testimony.
He represents the NAID and their membership. They are experts
and committed to the proper destruction of paper records and
other media containing sensitive information of a financial or
personal nature that is often misused by identity thieves.
Sometimes we sort of focus on people breaking into data
storage, but there is a tremendous need for, as these records
are disposed of, to have them properly shredded. And we
actually, today, have people that actually dive into the
dumpsters and get this information and cause a lot of
destruction and pain.
I commend Mr. Ward. He is quite an expert on this.
He also is on the board of directors of one of the largest
banks in the United States and has counseled them and has
become an expert in this field.
Thank you.
The Chairman. The gentleman from Massachusetts is going to
introduce one of our witnesses.
Mr. Frank. Thank you, Mr. Chairman.
I am very pleased to have Eugene Foley, who is the
president and CEO of the Harvard University Employees Credit
Union.
The credit union had been speaking with me about problems
they have had with regard to breaches of security and the
difficult position they have sometimes been put in, vis-a-vis
the people who are their credit card holders. They have been
caught, I think unfairly, in the middle on some of these cases.
So I would particularly even have them talk about
addressing this.
I appreciate Mr. Foley's willingness to accommodate this.
The credit union movement in our state as elsewhere, is a very
highly regarded one. He speaks for a very important credit
union on an issue that I think is clearly of relevance to all
financial institutions, not just the credit unions.
The Chairman. The gentleman from Georgia, Mr. Scott?
Mr. Scott. Thank you very much, Mr. Chairman.
I certainly want to take this opportunity to welcome
ChoicePoint, Mr. Don McGuffey, for your testimony on this, this
morning.
As every member of this committee, we have all been
following the challenges at ChoicePoint. I certainly want to
take this opportunity to commend ChoicePoint for responding to
this challenge. It is a difficult one.
We certainly want to welcome you here today and certainly
look forward to your testimony. Thank you.
Thank you, Mr. Chairman.
The Chairman. And the gentleman from Georgia as well, Dr.
Price?
Mr. Price. Thank you, Mr. Chairman.
I wish to associate my comments with Mr. Scott regarding
ChoicePoint. They are located in my district. They have been a
wonderful corporate citizen, extremely responsible in dealing
with the matters that they have been confronted with. I commend
them for that and look forward to their testimony.
The Chairman. We now turn to our distinguished panel--and I
probably butchered your name. Is it Desoer?
Welcome to the committee.
STATEMENT OF BARBARA DESOER, EXECUTIVE OF GLOBAL TECHNOLOGY,
SERVICE AND FULFILLMENT, BANK OF AMERICA CORPORATION
Ms. Desoer. Thank you very much.
Chairman Oxley, Congressman Frank, committee members, good
morning.
I am Barbara Desoer, Global Technology Service and
Fulfillment executive for Bank of America. I am a member of
Chairman and CEO Ken Lewis's direct executive leadership team.
On behalf of leadership of our company and all Bank of
America associates, thank you for the opportunity to appear
here today before this committee to provide our perspective on
the loss of computer backup data storage tapes that were
reported by Bank of America earlier this year.
I would like to express how deeply all of us at Bank of
America regret this incident.
We pursue our professional mission by helping people manage
their financial lives. This work rests on a strong foundation
of trust. One of our highest priorities, therefore, is building
and maintaining a track record of responsible stewardship of
customer information that inspires our customers' confidence
and provides them peace of mind.
On February 25, 2005, Bank of America began proactively
communicating to the United States General Services
Administration SmartPay charge cardholders that computer data
backup tapes were lost during transport to a backup data
center.
The missing tapes contained customer and account
information for approximately 1.2 million government charge
cardholders. The actual data on the tapes varied by cardholder
and may have included name, address, account number and Social
Security number.
Now, backup tapes such as these are created and stored at
remote locations as a routine industry contingency practice in
the case of any event that might interrupt our ability to
service our customers.
After the tapes were reported missing, Bank of America
notified the GSA, and also engaged the Secret Service, which
began a thorough investigation into the matter, working closely
with our corporate information team internally.
Federal law enforcement initially directed that, to
preserve the integrity of the investigation, no communication
could take place to the public or the cardholders. While the
investigation was moving ahead, we put in place a system to
monitor the affected accounts and researched account activity
retroactively to the date of the data shipment to identify any
unusual or potentially fraudulent activity in the accounts.
The Secret Service advised GSA management and us that their
investigation revealed no evidence to indicate that the tapes
were wrongfully accessed or their content compromised.
In mid-February, law enforcement authorities advised that
communication to our customers would no longer adversely impact
the investigation.
Following our initial cardholder notifications, we
continued to communicate with our customers to ensure that they
understood the additional steps we were taking to help protect
their personal information and to assist them with any
questions they might have.
We established a toll-free number that government charge
cardholders could use to call with questions or request
additional assistance.
We offered credit reports and enhanced fraud-monitoring
services to cardholders at our expense.
Government cardholder accounts included on the data tapes
have been and will continue to be monitored by Bank of America,
and cardholders will be contacted should any unusual activity
be detected.
According to standard Bank of America policy, these
cardholders will not be held liable for any unauthorized use of
their cards.
The incident was unfortunate and regrettable. That said, we
feel that it has shed helpful light on a critical element of
the industry's practices for data transport. We view this as an
opportunity to learn and to lead the industry to better answers
that will give our customers the confidence and the security
that they deserve.
Our recent actions demonstrate our belief that our
customers have a right to know when there is reason to conclude
that their information may have been compromised and that
timely notification in the appropriate circumstances could help
to minimize any associated risks.
Furthermore, our approach and existing policies and
practices also are in accordance with the recently issued
Interagency Guidance. We believe this guidance strikes the
correct balance with respect to when notification is
appropriate and what steps should be taken when a security
breach has put a customer's personal information at risk.
In our experience, the best solutions often arise out of
the work we do together, implemented through the voluntary
cooperation of private sector organizations.
The information security environment, by its very nature,
is fluid and rapidly evolving, and demands solutions and
counter-measures that can evolve and advance with speed and
flexibility.
We look forward to helping promote that speed and
flexibility and to taking part in the ensuing legislative
dialogue.
Members of the committee, I can assure you that all of us
at Bank of America will do everything that we can to ensure
that our customers can manage their financial lives, secure in
the knowledge that their personal information will be respected
and protected by the institutions in which they place their
trust.
This concludes my prepared testimony. I look forward to
answering any questions.
[The prepared statement of Barbara Desoer can be found on
page 64 in the appendix.]
The Chairman. Thank you, Ms. Desoer.
Mr. Foley?
STATEMENT OF EUGENE FOLEY, PRESIDENT AND CEO, HARVARD
UNIVERSITY EMPLOYEES CREDIT UNION
Mr. Foley. Chairman Oxley, Ranking Member Frank, members of
the committee, I would first like to thank you for providing
this opportunity for me to speak about the impact of data
security breaches on the small-community institutions that
issue credit and debit cards.
Harvard University Credit Union is a $200 million
organization located in Cambridge, Massachusetts.
Currently there are about 4,600 card-issuing credit unions
in this country, supporting over 12.5 million accounts for our
members.
I have experience with this issue not only as the CEO of a
credit union that had about 700 of our 10,000 card accounts
compromised in just one incident last year but also as a recent
victim of identity theft myself.
While I was sitting in my office with my own debit card
securely in my wallet, my checking account was cleaned out by a
series of transactions that happened 3,000 miles away.
Although I had other sources of funds to draw on throughout
the process of reestablishing my account balance, this is often
not the case for many credit union members and small-bank
customers who are living paycheck to paycheck. They cannot
afford any interruption in their cash flow.
Given my position, I am particularly responsive in
protecting my own sensitive information. But this caution is
meaningless when entities that have captured and retained the
data contained on the card stripe are careless or not compliant
with security standards.
The frequency of large-scale data compromises is
increasing, and the smaller card-issuing institutions are
struggling to keep up the constant vigilance it takes to
immediately react in notifying and crediting our cardholders
for their losses.
Within the past 2 weeks alone, we have read of three major
breaches which have compromised the accounts of millions of
American consumers.
The first large security breach to have an impact on small
banks and credit unions came to light last year as a result of
hackers stealing a large amount of consumer information from
the retailer, BJ's Wholesale Club. This case exemplifies the
merchant in direct violation of card association rules and
regulations.
While card issuers are required to fastidiously comply with
protecting sensitive account data, the resources they expend in
this effort are squandered if merchants are not held to the
same standard.
A recent article in the Wall Street Journal cited a $5.7
million lawsuit filed last month against BJ's Wholesale Club by
CUNA Mutual Insurance Corporation on behalf of 163 credit union
bondholders.
Individual banks have also brought suit for their losses.
These costs include not only the amounts lost to fraud, but
also the costs for reissuing and blocking cards, for notifying
cardholders and monitoring accounts.
There are card association rules in place regulating how
the consumer information, which is embedded on the magnetic
stripe on the back of each card, should be handled. But these
rules have proven to be both insufficient and laxly enforced.
Absent card association enforcement or legislative redress,
banks and credit unions have had to resort to litigation in
order to find a remedy for their losses.
The surest way to limit the potential damage when a
merchant's files are hacked and a large base of card
information is stolen is to cancel the existing cards and
reissue new cards. As small banks and credit unions hold a
close relationship with their cardholders, this is most often
the action that they take. It is costly, time consuming and
puts a significant strain on the scarce resources we have.
Unfortunately, our best effort to protect our members and
customers is often met with another penalty by causing the
consumer to question the safety and security of the card issuer
rather than the merchant who has inadequately safeguarded their
personal information.
This means that in addition to the significant monetary
losses, small banks and credit unions are also unfairly exposed
to reputation risk as a result of this problem.
Even after a breach has been identified by the merchant,
issuing institutions cannot count on getting accurate and
timely notification to pass along to the consumer. Most times,
the issuer is relying on reports in the media to determine the
nature of the breach.
Without accurate information, it is impossible to
appropriately inform our members as to how their information
was stolen, and they are often left with the impression that
the bank or credit union is at fault.
While we have had the benefit of seeing the California law
requiring disclosure of security breaches in action for nearly
2 years, and their experience offers us some guidance, there is
room for improvement.
It is our hope that the committee will put its authority
and energy behind initiatives that will require the major card
companies to notify financial institutions immediately in a
format that is usable for the affected issuer. That information
should include: when a breach occurred, which merchant is
responsible for that breach and what accounts are affected.
It should also detail what type of personal information was
compromised.
Specifically, any new statute would benefit from explicit
definitions. For example, clarity with regard to which
businesses would be covered, along with what constitutes
personal information, are areas where the California statute
has been questioned.
A particular concern is an exclusion that the California
law provides for encrypted data. Unfortunately, advances in
hacking seem to match advances in encryption, and those that
can breach credit files are quite likely to be able to gain
access to decryption technology.
In addition, to ensure that all consumers have the utmost
protection from this insidious threat, we believe that as a
best practice all issuers should be required at a minimum to
inform consumers when their account has become compromised and
their personal financial information has been stolen. These
consumers should then have the right to determine if they wish
to have their cards canceled and reissued in a timely fashion
at no cost to them.
Mr. Chairman and members of the committee, thank you for
affording me this opportunity.
[The prepared statement of Eugene Foley can be found on
page 69 in the appendix.]
The Chairman. Thank you, Mr. Foley.
Mr. McGuffey?
STATEMENT OF DON MCGUFFEY, SENIOR VICE PRESIDENT, DATA
ACQUISITION, CHOICEPOINT INC.
Mr. McGuffey. Chairman Oxley, Ranking Member Frank and
members of the committee, good morning.
I am Don McGuffey, senior vice president for Data
Acquisition and Strategy of ChoicePoint. I have been with the
company since its inception in 1997.
ChoicePoint has previously provided Congress with testimony
about the recent improper data access and the criminals who
perpetrated this fraud, the steps we are taking to protect
affected consumers and the measures that we are taking to
prevent similar violations from occurring in the future.
While I have described the company's actions in my written
statement to the committee, I would like to specifically offer
a sincere apology on behalf of ChoicePoint to those consumers
whose information may have been accessed by the criminals who
perpetrated this fraud.
What I hope you see in ChoicePoint is a company that has
listened to consumers, privacy experts and government
officials, and learned from this experience. Accordingly, we
have responded rapidly and in fundamental ways.
We have provided benefits to potential affected consumers
that no other information company had done before and that
several companies have since emulated, including voluntary
nationwide notification, dedicated call centers and Web sites,
free three-bureau credit reports and 1 year of credit
monitoring at our cost.
We learned that there are few places for consumers to turn
for help if their identity is stolen. This alone increases the
fear and the anxiety associated with identity theft. For this
reason, we have recently formed a partnership with the Identity
Theft Resource Center, a leading and well-respected nonprofit
organization dedicated exclusively to assisting identity theft
victims.
Most importantly, we have shifted our focus to ensure our
products and services provide a direct benefit to consumers or
to society as a whole. While this has meant exiting an entire
market, we decided that consumers' interests must come first.
We have already made broad changes to our products,
limiting access to personal identifiable information, and more
changes are under development.
Mr. Chairman, before delving into the specifics of various
policy proposals, as I had requested in my letter, perhaps it
would be helpful if I give members of the committee a brief
overview of our company, the products we provide and some
insight as to how we currently are regulated.
The majority of transactions our business supports are
limited and initiated by consumers. Last year we helped more
than 100 million people obtain fairly priced home and auto
insurance. More than 7 million Americans get jobs through our
pre-employment screening services, and we helped more than 1
million consumers obtain expedited copies of their families'
vital records: birth, death and marriage certificates.
These transactions were started by consumers with their
permission, and they provide a clear, direct benefit to
consumers.
Not all of our other work is as obvious, but the value of
it is. At a time when the news is filled with crimes committed
against children, we are helping our nation's religious
institutions and youth-serving organizations protect those in
our society who are least able to protect themselves.
Our products or services have identified 11,000 undisclosed
felons among those volunteering or seeking to volunteer with
children, 1,055 with convictions for crimes against children,
42 of those felons were registered sex offenders.
Consumers, business and nonprofits are not the only ones
that rely on ChoicePoint. In fact, government officials have
recently testified to Congress that they could not fulfill
their mission of protecting our country and its citizens
without the help of ChoicePoint and others in our industry.
Last month, ChoicePoint supported the U.S. Marshal Service
in Operation Falcon, which served approximately 10,000 warrants
in a single day for crimes ranging from murder to white collar
fraud.
Mr. Chairman, apart from what we do, I also understand that
the committee is interested in how our business is regulated at
both the Federal and State levels.
The majority of our products are already governed by the
FCRA and other Federal and State laws, including the recently
enacted companion FACT Act, the Gramm-Leach-Bliley Act and the
Drivers Privacy Protection Act, as well as State and Federal do-
not-call and do-not-mail legislation. We believe consumers
benefit from these regulations.
While a small percentage of our business is not subject to
the same level of regulation, we believe additional regulation
will give consumers greater protections.
And finally, I want to state for the record ChoicePoint's
position on future regulation of our industry.
We support independent oversight and increased
accountability for those who handle personally identifiable
information, including public records. This oversight should
extend to all entities, including public sector, academic and
other private sector organizations that handle such data.
We support a preemptive national law that would provide for
notification to consumers and to a single law enforcement point
of contact when personally identifiable information has fallen
into inappropriate hands, ensuring that the burden of notice
follows the responsibility for breach and that consumers do not
become desensitized to such notices.
ChoicePoint supports providing consumers with the right to
access and question the accuracy of public record information
used to make decisions about them consistent with the
principles of FCRA. There are technical and logistical issues
that we will need to solve, but they are solvable.
We have already taken steps to restrict the display of full
Social Security numbers and would support legislation to
restrict the display of full Social Security numbers modeling
existing law, including GLB and FCRA, and extending those
principles to public record information.
We have all witnessed the significant benefits to society
that can come with the proper use of information. But we have
been reminded, firsthand, the damage that can be caused when
people with ill intent access sensitive consumer data.
As a company, we have rededicated our efforts to creating a
safer, more secure society. We look forward to participating in
continued discussions of these issues and will be pleased to
answer any questions that you may have.
[The prepared statement of Don McGuffey can be found on
page 73 in the appendix.]
The Chairman. Thank you, Mr. McGuffey.
Mr. Sanford, welcome.
I might point out that Mr. Sanford's company is located in
Dayton, Ohio. Since we had several parochial interests
represented in the introductions, I thought I would add that as
well.
STATEMENT OF KURT SANFORD, PRESIDENT AND CEO, U.S. CORPORATE
AND FEDERAL MARKETS, LEXISNEXIS
Mr. Sanford. Thank you, Mr. Chairman.
Chairman Oxley, Ranking Member Frank and distinguished
members of the committee, good morning.
My name is Kurt Sanford. I am the president and chief
executive officer for corporate and federal markets at
LexisNexis.
I appreciate the opportunity to be here today to discuss
the important issues surrounding data security, privacy and the
protection of consumer information.
LexisNexis is a leading provider of authoritative legal,
public records and business information. We play a vital role
in supporting government, law enforcement and business
customers who use our information services for important uses,
including detecting and preventing identity theft and fraud,
locating suspects, preventing money laundering and finding
missing children.
LexisNexis products are used by financial institutions to
help address the growing problem of identity theft and fraud.
In 2004, 9.3 million consumers were victimized by identity
fraud. Credit card companies report $1 billion in losses each
year from credit card fraud. With the use of LexisNexis, a major
bank-card issuer experienced a 77 percent reduction in the
dollar losses due to fraud associated with identity theft.
LexisNexis products are also used to help prevent money
laundering.
We have partnered with the American Bankers Association to
develop a tool used by banks and other financial institutions
to verify the identity of new customers to prevent money
laundering and other illegal transactions.
Finally, LexisNexis works closely with Federal, State and
local law enforcement agencies in a variety of criminal
investigations. For example, information provided by LexisNexis
was recently used to locate and apprehend an individual who
threatened a district court judge and his family in Louisiana.
These are just a few examples of some of the important ways
in which our products are used by our customers.
While we work hard to provide our customers with effective
products, we also recognize the importance of protecting the
privacy of the consumer information in our databases. We have
privacy policies, practices and procedures in place to protect
this information.
Our chief privacy officer and Privacy and Policy Review
Board work together to ensure that LexisNexis has strong
policies to help safeguard consumer privacy.
We also have multi-layered security processes and
procedures in place to protect our systems and the information
contained in our databases.
Maintaining security is not a static process. It requires
continuously evaluating and adjusting our security procedures
to address the new threats we face every day.
Even with these safeguards, we discovered earlier this year
some security incidents at our Seisint business, which we
acquired last September.
In February 2005, a LexisNexis integration team became
aware of some billing irregularities and unusual usage patterns
with several customer accounts. Upon further investigation, we
discovered that unauthorized persons, using I.D.s and passwords
of legitimate Seisint customers, may have accessed personally
identifying information such as Social Security numbers and
driver's license numbers.
No personal financial, credit or medical information was
involved since LexisNexis and Seisint do not collect that type
of information.
In March, we notified approximately 30,000 individuals
whose personal identifying information may have been unlawfully
accessed.
Based on these incidents at Seisint, I ordered an extensive
review of data security activity going back to January 2003 at
our Seisint unit and across all LexisNexis databases that
contain personal identifying information. We completed that
review on April 11 and concluded that unauthorized persons,
primarily using I.D.s and passwords of legitimate Seisint
customers, may have accessed personal identifying information
on approximately 280,000 individuals.
At no point was LexisNexis or Seisint technology
infrastructure hacked into or penetrated, and no customer data
was accessed or compromised.
We sincerely regret these incidents and any adverse impact
they may have on the individuals whose information may have
been accessed. We took quick action to notify those
individuals. We are providing all individuals with a
consolidated credit report and credit-monitoring services.
For those individuals who do become victims of fraud, we
will provide counselors to help them clear their credit reports
of any information related to fraudulent activity.
We will also provide them with identity theft insurance to
cover expenses associated with restoring their identity and
repairing their credit reports.
We have learned a great deal from the security incidents at
Seisint and are making substantial changes in our business
practices and policies across all LexisNexis businesses to help
prevent any future incidents.
I have included details of these enhancements in my written
statement.
I would like to focus the remainder of my time on policy
issues being considered to further enhance data security and
address the growing problem of identity theft and fraud.
LexisNexis would support the following legislative
approaches.
First, we support requiring notification in the event of a
security breach where there is a significant risk of harm to
consumers. In addition, we believe that it is important any
such proposal contain Federal preemption.
Second, we would support the adoption of data security
safeguards modeled after the safeguard rules of GLBA.
Finally, it is important that any legislation strike the
right balance between protecting privacy and ensuring continued
access to critically important information.
Thank you again for the opportunity to be here today to
provide the committee with our company's perspective on these
important public policy issues. We look forward to working with
the committee as it considers these important issues.
[The prepared statement of Kurt Sanford can be found on
page 79 in the appendix.]
The Chairman. Thank you, Mr. Sanford.
Mr. Ward?
STATEMENT OF BESTOR WARD, PRESIDENT, SAFE ARCHIVES-SAFE
SHREDDING, LLC
Mr. Ward. Good morning. Thank you, Representative Bachus, for
your kind words.
Chairman Oxley, Ranking Member Frank and members of the
committee, it is a pleasure to be here.
My name is Bestor Ward. As Representative Bachus noted, I
am a member of the National Association for Information
Destruction, or NAID. I am also the president of Safe Archives-
Safe Shredding, a business that provides secure records
management, media storage and information destruction services
in Mobile, Alabama.
NAID is the international nonprofit trade association of
the information destruction industry. NAID's mission is to
champion the responsible destruction of confidential
information by promoting the highest standards and ethics in
the industry.
I am honored to appear before you today to discuss the
important role that proper information destruction plays in the
fight against identity theft.
NAID commends this committee for addressing this critical
issue.
As you know, much discussion has recently focused on
controlling or limiting the sale or transfer of confidential
information. Yet that type of control is undermined when
disposal of this information is left unregulated. It simply
does not make sense to implement information-transfer controls
without ensuring that the same sensitive information is not
left out on the curb for anyone to take.
Enormous costs, inconvenience and a sense of violation can
be avoided through proper disposal of all documents containing
sensitive consumer information.
There are a number of laws that help fight identity theft,
including the Fair and Accurate Credit Transactions Act, or
FACT Act, the Gramm-Leach-Bliley Act, and the Health Insurance
Portability and Accountability Act.
However, the scope of these laws is limited to particular
industries and particular records. For instance, the FACT Act
only covers consumer report information. But we know that many
other documents can be used to facilitate identity theft.
It is critical that we protect all sensitive consumer
information, including Social Security numbers, credit card and
bank information, telephone numbers and addresses maintained by
any business, whether it comes from a consumer report or
whether it comes from any other document.
Accordingly, NAID encourages the Congress to take further
steps to enact comprehensive legislation that covers all
sensitive consumer information in all industries.
Oftentimes, more regulation is not the answer to our
country's problems. However, in this context, NAID believes
that it is appropriate for two reasons.
First, the costs of identity theft are enormous. Beyond the
billions of dollars in losses to customers and businesses, it
is difficult and expensive to capture and prosecute
perpetrators of this crime. It is much easier to prevent those
crimes of opportunity in the first place by eliminating the
criminal opportunities, requiring proper methods of disposal as
a simple, low-cost means of prevention.
It makes far greater sense to enact strong laws that
prevent so-called ``Dumpster divers'' and other criminals from
accessing sensitive information than to impose a massive burden
on the law enforcement community to address a problem after
substantial losses have been incurred.
I would like to convey my single point with an anecdote.
Shortly after Georgia enacted information destruction
legislation in May of 2003, NAID received a phone call from an
employee of a well-known corporation. The caller asked for a
list of Georgia companies that it could retain to shred
documents covered by the state's new disposal requirements.
The caller was located in the company's corporate
headquarters outside of the State of Georgia, and our NAID
representative offered to send a broader list of NAID member-
companies that operate in other states where the company does
business. The caller's response was, ``Well, no thanks. The
other states do not have these shredding laws.''
This response highlights the need for strong Federal
legislation that closes the gaps between existing laws by
requiring all businesses to properly dispose of sensitive
personal information that is subject to misuse.
This type of legislation is necessary to ensure that these
documents are destroyed before someone's identity is.
Mr. Chairman, thank you for inviting me to participate in
this hearing today. I am honored to be here, and I would be
delighted to answer any questions that you all may have.
[The prepared statement of Bestor Ward can be found on page
92 in the appendix.]
The Chairman. Thank you, Mr. Ward.
Thank you to all our panelists. It was I think educational
for all of our members, including the Chair.
Let me begin with Mr. Sanford, since you had specifically
talked about three tenets of Federal legislation. I wanted to
have you highlight that again.
As I understand, it was notification based on a federal
preemption; data security based on an amendment to Gramm-Leach-
Bliley, or an addition to Gramm-Leach-Bliley; and privacy
access balance.
If you could just briefly go over that proposal again.
And then I would like to ask each of the panelists to
respond to what Mr. Sanford has proposed.
Mr. Sanford. Mr. Chairman, on the security question, the
safeguards in GLBA, which apply to financial institutions, we
would recommend that those safeguards could be applied to the
information industry. Again, we are not a financial
institution, but we think if safeguards were modeled similarly
after the standards that were in GLBA, that would be a very
welcome measure for our industry.
The notification question is a much more complex matter.
There has been great debate on the trigger, but not much
debate, it appears, on whether notice should be made. I think
most people would agree that providing notice to individuals or
consumers where some sensitive financial, credit, medical or
personal identifying information is compromised is a good
thing.
The question is, what is the trigger? Do we do that when
there is just a breach in a system? Or do you need some
evidence that that breach could create some potential harm?
For example, let's say an employee in a company leaves the
company and conducts a search the next day. That is an
unauthorized access to a system. Should we send a letter to the
consumer to say that that employee who left that company
conducted a search that next day?
Sometimes people do searches on celebrities. Should we send
notices to celebrities each time there is a search done?
So we have recommended that where there is some evidence
that the nature of the breach could pose a risk of harm to
consumers, similar to what the consumer division in California
has talked about in their written guidance, we think that ought
to be the triggering event so we do not flood the market with a
lot of paper that is then dumped in a trash can.
The Chairman. Would it be based on a quantitative number of
consumers affected?
Mr. Sanford. I do not think it turns on whether or not
there is one consumer or 100 consumers. I think it turns on the
facts of the nature of the security breach itself, whether or
not--I will give you an example.
If you have a security breach for--somebody has hacked into
a system and downloaded records, that is probably indicative of
the information getting in the wrong hands.
If you have somebody accessing a system using an anonymizer
or a key-stroke virus to get information, that begins to
suggest that the reason why that information was obtained may
be for illicit purposes.
The Chairman. And a very sophisticated----
Mr. Sanford. And sophistication is growing in technology.
So on privacy, our comment on privacy was that this is not
about just unfettered access for corporations and institutions
to have information, personally identifying information. There
needs to be a balance, and we need to protect privacy. I mean,
I think that is clear. When GLBA was enacted, there was a
concern about protecting the privacy of information when we
brought financial and insurance institutions together, and we
think that balance has to be there.
Corporations like us should not have unfettered access. We
should have responsibilities to have safeguards on our data and
not be unconcerned about privacy, which, frankly, I think
LexisNexis has been very concerned about for many decades.
The Chairman. Thank you.
Let me, then, begin with Ms. Desoer and ask you to comment
about the suggestions that Mr. Sanford put forth.
Ms. Desoer. Thank you.
We do believe there should be a national approach. As a
financial services institution, we of course are subject to
Gramm-Leach-Bliley. And in addition, the new Interagency
Guidance that has been enacted, we believe embraces the
principles that are fairly consistent with what he just
described, and that is what we are operating under----
The Chairman. How many states do they operate in?
Ms. Desoer. Twenty-nine, plus the District of Columbia.
The Chairman. Thank you.
Mr. Foley?
Mr. Foley. I also concur that it is important, as
California has put out there, to have the disclosure. The only
addition that I would advise to the California statute is that
it does not cover encrypted data.
And from a notification standpoint, some sort of standard
in terms of which businesses are covered and what the standard
would be for notifying the consumer, once the definition of
that breach has been maintained.
The Chairman. Thank you.
Mr. McGuffey?
Mr. McGuffey. Yes. I had testified earlier that we would
agree with extending the principles of GLB to companies such as
ChoicePoint and others in our industry. Both Mr. Sanford and I
are in agreement on that matter in that GLB--we are not a
financial institution either, so those principles of security
are certainly appropriate.
As far as notice goes, we obviously gave nationwide notice.
And so a preemptive law from a nationwide standpoint would be
certainly appropriate from our view.
The one provision I think in California law that provides
for an exception for public record information should be
considered to not have an exception, because there is personal
identifiable information within public record information, and
we have elected, as a company, to not deliver the full Social
Security numbers out of public record information. So I think
that that exception should be reviewed and reconsidered.
As far as privacy goes, certainly we are supportive of the
privacy legislation associated with the consumer information.
The issue of use of personally identifiable information,
frankly, is also complicated because the absence of this
information oftentimes will give false positives.
So the ability to use that in proper markets and proper
business transactions is needed in order to assure that when an
individual is either signing up for an account or is trying to
be validated for access to rightful information, oftentimes
personally identifiable is the way in which we identify and
make sure that that is who they say they are. So that is also
an issue that needs to be considered, in my view, in your
legislative discussion.
The Chairman. In your experience, could you describe for
the committee an example of a false positive, how that
operates?
Mr. McGuffey. Certainly.
One example may be that in bankruptcy information now, the
Social Security numbers on bankruptcy data is truncated. And we
have a lot of common names in the United States. And we find
that it is difficult now to try to associate bankruptcy
information with the proper individual.
So in the event that a bankruptcy record is associated
improperly, then that may have, obviously, adverse implications
on the wrong party. So that may be one simple example.
The Chairman. Truncated in respect of just using the last
four digits of the Social Security number? Or----
Mr. McGuffey. Yes. There is actually a couple different
methodologies I think in different industries. And indeed,
federal bankruptcy is truncating the first five and displaying
the last four, which are a little bit more unique in that
number. And then there are other industries that are truncating
the last four and only delivering the first five.
The Chairman. So you would suggest that at some point we
try to have some uniformity in that.
Mr. McGuffey. I think uniformity is important. And I also
believe that there are markets and there are purposes for which
the full Social Security number should be used for matching
purposes and not necessarily display.
The Chairman. And should we mandate that?
Mr. McGuffey. We are, as a company, going through and
trying to operate in the current environment where we have
inconsistencies, and I think mandating an appropriate set of
rules is going to be good for the industry.
The Chairman. Thank you.
Mr. Ward?
Mr. Ward. Thank you, Mr. Chairman.
We are here on a little different mission today in that we
are talking about the ultimate disposal of the information.
Mr. Sanford's operation I think is--I think there are about
150,000 pieces of personal identification that were lost there.
Every day in the United States there are millions of pieces
of personal identification that have reached the end of their
useful life, and they are just simply disposed of, put in the
Dumpster, gotten rid of in an unregulated manner.
What you all did here in this committee you should be
commended for in the FACT Act. You all created a set of laws
that had in particular the disposal rules that are a great
model to use throughout the whole business world. If those
disposal rules could be mandated to be used across all
businesses for all types of personal information, a lot of the
Dumpster-diving issue would go away.
The Chairman. Thank you.
The Chair's time has expired.
The gentlelady from New York, Ms. Maloney?
Mrs. Maloney. I am going to yield to Ms. Velazquez.
The Chairman. The gentlelady from New York, Ms. Velazquez?
Ms. Velazquez. Thank you, Mr. Chairman.
Mr. McGuffey, how many individuals were affected by the
theft of personal information that occurred at ChoicePoint?
Mr. McGuffey. Congresswoman, we notified approximately
145,000 individuals.
We have been working with law enforcement in California in
order to continue the investigation. We are not aware today of
exactly how many individuals have been the subject of actual
identity theft.
Ms. Velazquez. Yesterday the Wall Street Journal reported
that the Los Angeles County sheriff reported that data on
millions of people have been downloaded. How do you reconcile
your number and that number?
Mr. McGuffey. The comments in the testimony, I think, that
the Wall Street Journal reflected on for Detective Decker were
comments that were made in the very initial stages of the
investigation. They were around the time of the arraignment and
the arrest of the individual.
The investigation, having now proceeded over several
months, has clarified the view, and it is my understanding
after having even discussions yesterday with our
representative, Robert McConnell, that Detective Decker's view
is that the number that we have noticed is consistent with his
expectation and understanding of the investigation today.
Ms. Velazquez. Does your company plan to employ, in the
future, a way to readily track data that is compromised due to
data breaches?
Mr. McGuffey. We do have, today, methods--there are billing
logs and transaction logs that we in fact used in the latter
part of 2004 and into January to recreate all the various,
different searches that the accounts that we identified as
being fraudulent.
So we do have methods today. We are looking at our
technology in order to try to enable ourselves to be more
responsive.
Ms. Velazquez. Sir, do you believe that companies in this
industry should be subject to the highest standard of data
security so that we can assure that you are a step ahead of
thieves, not a step behind?
Mr. McGuffey. Yes, Congresswoman, we are, ourselves,
rededicating our efforts, and we have continuously improved our
processes, because as you mentioned, we are trying to stay
ahead of the criminals.
Ms. Velazquez. So you believe that you should be subjected
to a high standard?
Mr. McGuffey. Yes.
Ms. Velazquez. Mr. Sanford?
Mr. Sanford. Well, we certainly think we need to enhance
our security based on what we learned at this company that we
acquired.
As I indicated in my opening remarks and my written
testimony, we certainly would support the safeguard rules
modeled after GLBA. I think that that is the right approach. It
imposes a framework that says: Apply your security based on the
context and circumstances of what business you are engaging in.
The more we have learned about this, the more we spent time
with law enforcement, the more sophisticated we are getting and
understanding what the threats are.
Ms. Velazquez. Mr. Ward?
Mr. Ward. Absolutely, Congresswoman, we do believe in that.
Our association has endeavored to try to set itself at the
highest standard. We have a certification process that our
shredders have to go through, and it is a pretty rigorous set
of parameters that we have to go through. I think that as the
future unfolds, we will continue to add to that.
Ms. Velazquez. Thank you, Mr. Chairman.
The Chairman. I thank you.
Mr. Bachus is recognized for 5 minutes.
Mr. Bachus. I thank the Chairman.
First of all, Mr. McGuffey, is ChoicePoint covered by
Gramm-Leach-Bliley, or any of your subsidiaries today? Are they
under the data security requirements of that act?
Mr. McGuffey. We are regulated in certain aspects of our
company associated with GLB. While we are not a financial
institution, to the extent that some of that data is controlled
by GLB, then we are required to comply.
Mr. Bachus. How about the FACT Act or Fair Credit Reporting
Act? Are you subject to those data security requirements?
Mr. McGuffey. Yes, Congressman, we are. The majority of our
business is governed by the FCRA and also the FACTA.
Mr. Bachus. How about LexisNexis, Mr. Sanford?
Mr. Sanford. Congressman, under GLBA, as a recipient of
data from a financial institution or a consumer reporting
agency, we are subject to the privacy provisions. But as we are
not a financial institution, we are not subject to the security
provisions. That is why we suggested modeling that.
We have a very small part of our business that is governed
by FCRA, for example, some of the employment screening. And
that obviously is covered by FACT Act as well.
Mr. Bachus. And I am not sure, Mr. McGuffey, that
ChoicePoint was under the data security requirements of Gramm-
Leach-Bliley.
Mr. McGuffey. As not being a financial institution, we are
not under the data security, but we----
Mr. Bachus. Which in--yes, okay.
And I will say this. Right now banks have heavy financial
security regulations imposed on them right now. So I think when
we engage in this debate or discussion, we have to realize that
financial institutions are already under heavy financial data
security requirements.
In fact, if you visit a large bank, you see that several of
them have $50 million and $60 million facilities that operate
24 hours a day. They are constantly--and it is very interesting
that constantly they are interdicting attempts to break into
the system almost on an hourly basis. It is incredible to sit
there and watch people try to hack into the system.
It is very sophisticated.
I will yield the balance of my time to Mr. Castle.
Mr. Castle. [Presiding.] Let me ask one question now, and I
will have my own time here in a moment.
But just I guess, Mr. McGuffey and Mr. Sanford, and I think
I understood the whole panel basically indicating that we have
to go more universal in this and that probably doing it at a
national level is the way to go. And I think there is probably
general agreement on this.
And by the way, this is legislation which I think we will
not have a great political divide on it. It is a question of
getting the right language. This is not Republican- or Democrat-
type legislation. So hopefully we can work this out.
I have several concerns about the extent of where we should
go, and one of them is how wide should the range of businesses
be.
Clearly, we have to go beyond the financial institutions. I
do not think anybody disagrees with that. I am not sure anybody
here has any disagreement with their own business necessarily
being included.
But I think of various things that have happened. For
instance, I do not know the whole details of--I think it was a
GM card where HSBC gave notice and others did not give notice,
and the Polo clothing chains were involved in this. I do not
know how far we should go with all of this.
Do you have any thoughts about where this should cut off,
if at all?
There is just so much data out there and so many different
entities have access to it that I just--you know, it is
difficult to conceive exactly where you end all of this--for
those of you, particularly Mr. McGuffey and Mr. Sanford, who
are not banks at the time and not regulated at this time.
Mr. Sanford. Our experience and our focus has obviously
been on our own industry. And if we look at what California
legislation--which I believe got all of this notification
started--it is specifically an identity theft piece of
legislation.
And clearly, if there is personal identifying information
that is subject to a compromise--whether that is information
that I might have in my business, or another organization, a
government agency, an institution has--clearly where there is a
risk of harm, I think you would want to say that notification
should be made.
Now, when you have medical records, which is personally
sensitive information, that there is no risk for identity
theft, that may be a different issue from a policy standpoint
whether you are going to provide notice, where someone wants to
know that their personal medical information.
But I think if you have financial information, credit
information or personal identifying information that poses a
risk for identity theft, I would cast a broader net.
Mr. Castle. I guess the problem comes in trying to write
this and put it into legislative language.
Do you have any comments, Mr. McGuffey?
Mr. McGuffey. Yes. I would concur that if it is personally
identifiable information, Social Security numbers, driver's
license numbers, that are full numbers, and an entity, whether
it is public sector, academic, or even other businesses in the
private sector, retail or otherwise, if they are handling that
kind of information and allow that information to get into
hands that are inappropriate, then that is where we ought to be
evaluating legislation to make sure that there are proper
controls in place.
As we have already stated here, a lot of the security under
GLB does not extend there. We obviously, when using that data,
have obligations under GLB for proper, permissible use of it.
But the handling of that data by many organizations is no
different from a threat standpoint, in my view.
Mr. Castle. Thank you.
Ms. Maloney is recognized for 5 minutes.
Mrs. Maloney. First of all, I want to thank the Chairman
and Ranking Member for calling this hearing. It appears we
truly do have an epidemic of security breaches.
I just want to give one example: MSNBC reported that from
mid-February through April, data breaches exposed over 2
million Americans to credit card fraud and identity theft,
which is a huge exposure.
From your testimony, it is clear that it is a large range
of entities, from banks to universities to retailers, and I
would say a very wide range of consequences.
Mr. Bachus pointed out that many financial institutions are
already covered under Gramm-Leach-Bliley and the FACT Act. But
I would like to ask the panelists if you could clarify further
on Mr. Castle's question on how big should the covered universe
be, and should the same standards apply?
For example, financial institutions have access to more
sensitive data than other entities may have--and your comments
on that and how do we define it, the extent of it.
I would also like to ask about the need for an objective
bright-line standard for notification, particularly when there
is personal identifiable financial information--and if you
would like to comment on whether you think all entities should
have a bright-line standard or only certain ones.
And I welcome anyone's comment.
Mr. McGuffey. Well, as I think most of us have testified
here and indeed my view is that I do not see a great deal of
difference between an academic organization or a private sector
organization when the information is the same. When you have a
full Social Security number that is allowed to be accessed
inappropriately, the impact, it seems to me, would be the same.
So I would support and our testimony is that it is not the
organization; it is the information and then it is how or the
danger that is caused as a result of that.
Mrs. Maloney. Any other comments?
Mr. Ward. Yes, Representative, I would like to respond to
your question.
There is a tremendous amount of information. Everybody
knows that. And it is so extensive and there is so much of it
that it needs to be properly disposed of.
For example, if you had come to work for me in my
organization in your previous life, under our guidelines and
under our certification process, I would have a human resources
file on you that would have your drug test, would have your
criminal background checks, would have all kinds of personal
information.
And then at such time as you ran for Congress and were
elected, I may not have a particular need for that file and it
had outlived its usefulness, I could simply throw it in the trash
can, with no guidelines. And that information would be out for
any Dumpster-diver to find. So it is a very broad issue.
We think that each company should have some type of
employee or customer-consumer disclosure that outlines exactly
what information it has and how it should be disposed of.
Mrs. Maloney. Thank you.
I would like to hear the views of Ms. Desoer and Mr.
Sanford on the need for a consistent standard of data
protection.
Ms. Desoer. Yes. Being a financial services institution, we
do have a consistent national standard in the Interagency
Guidance and in all of the regulations that were referenced,
and we believe that is appropriate.
I would like to reinforce that, again, I think the place
that it should start is what personal information is being
collected and being used as the criteria for who should be
subject to some kind of a national standard.
Mrs. Maloney. Mr. Sanford?
Mr. Sanford. On data security provisions, what we think is
workable, again, are the safeguards that are under GLBA.
And the reason why I think they are more workable than a
specific standard is, I think when regulation attempts to
prescribe for each and every business exactly how their
security should be deployed, it does not take into account
differences in technology, it does not take into account
different applications and uses.
And the GLB safeguards put the burden on the corporation to
continue to enhance the security of their business as new
threats emerge. It is not a static set of standards, and
instead it is a set of standards that you have to continually
publish, upgrade and monitor to face new threats.
Mrs. Maloney. My time is up. Thank you.
Mr. Castle. Thank you, Ms. Maloney.
I will yield myself 5 minutes.
Let me start with something that has been touched on.
Actually, this is a useful hearing because we are really trying
to develop legislation, and your input is very, very important
to that.
And I think, Mr. Sanford, I will ask you the discussion,
because you mentioned in one of your answers to one of the
questions about the significance of security breaches.
And I think there are levels of breaches, obviously. I
mean, I am not an expert on this. But clearly there are levels
by numbers, there are levels by the extent of what is in the
information that is breached and a whole variety of probably
other things I have not even thought of.
But my question to you is: Do you believe that we should be
trying to put in legislation the different level of breaches
that would indeed trigger notice or whatever the remedies may
be--as one part of the question.
And the other part of the question is: If not, who will do
that? Should that be left up to the individual entities who are
dealing with it, be it LexisNexis or Bank of America or anybody
else?
Exactly how should that whole business of what triggers the
various breaches and the measure of the breaches be handled?
Mr. Sanford. Congressman, where I start my thinking on this
is: What is the intent of providing a notice in the first
place? So if I got a letter in the mail, like my sister did,
from my company, what do I do with this? Why did I get this?
And the reason why she got that, along with the other
people we sent notices to, is because we said there is some
risk of harm and you need to take corrective measures. You need
to look at your credit reports, you need to take advantage of
these services, et cetera.
So when I think about what triggers, when you talk about a
level of notice, to me it turns on whether or not there is a
risk of harm--again, I am talking about identity theft-based
legislation, not security-breach legislation; that is, to me, a
different issue--is if there is a risk of identity theft
because of a security breach in a business, where that
information--financial information, credit information,
personally identifying information--would enable that
information in the wrong hands to put somebody at risk for
identity theft or fraud associated with that, then I think
there should be notification.
I think it should be national. If you think about the
mobility of our society and how frequently people move, and you
can see down the road where we may have 5, 10, 15, 20, 25
different state standards coming out, and different triggers,
different forms of notice, different remedies, and you get
people moving around, my guess is we are going to confuse most
Americans if they are getting these notices in the mail that
tell them they need to take appropriate action.
Mr. Castle. Thank you.
Ms. Desoer, sort of a follow-up on that question, and
instead of dealing with this issue and this problem of
preparing legislation, we have heard from a number of financial
institutions on how they believe notification should be
structured when a breach is outside of their scope. Some want
the opportunity to inform their customers while others believe
it should be the responsibility of the breaching entity. What
are your thoughts about this?
And I recognize the fact that this is extraordinarily
expensive, and you sort of put your name on the line to a
degree. So this to me is not a simple decision that you have to
make or that we have to make in terms of preparing legislation.
Ms. Desoer. And I think that is key. It is not a simple
situation, and it is a very dynamic environment in which we
operate, in which lots of pieces of it are evolving.
So the approach that we have taken is really to evaluate
each event separately and to work to get all of the facts
together and the right people engaged, and then whether that is
a merchants association, the financial services institution,
whether it is directly between us and our direct customer, each
one is slightly different and needs to be evaluated in a
context, starting with, at the end of the day, our brand and
what our customers look for in the brand is for Bank of America
to be a trustworthy, secure financial services institution.
It is what is in the best interest of our customer, so that
you have the spectrum of some of what you just heard, you do
not overly confuse the customer, the ultimate consumer, and it
is easy for them to know what it is is in their control and
they can do to the other end of the spectrum where it is very
specific and explicit and it is step one, two and three.
And so each one does need to be evaluated, and that is why
we believe that the Interagency Guidance that financial
services institutions do operate under, there is some wording
in there that directs us to evaluation of an event that could
reasonably lead to the misuse of the information. And we think
that is an important part of whatever we do.
Mr. Castle. Well, my time is up. But what you say makes it
difficult for us, as you can imagine. Because if we legislate
in this area--and I believe with all of you, I think all of
you are saying, and that is, we need to approach this in a
national manner or we are going to have tremendous problems,
State by State.
But in doing so, to draft the kind of language that will
have applicability beyond financial institutions to other
entities dealing with data as well, and to try to determine the
manner of breach, the remedy of the breach, all these kinds of
things, is going to be extremely difficult.
So I would just hope you would encourage everybody who is
interested in this to get in touch with all of our offices and
let us know what your thoughts are on it, because this is not going
to be that easy to do.
I yield 5 minutes to Mr. Frank.
Mr. Frank. Thank you, Mr. Chairman. I apologize for being
in and out, but I had to go name a post office--an important
part of our duty. Actually, this is kind of an important one.
I want to first say that, with regard to Ms. Desoer, I
thought the Bank of America's response was a very good one. And
I think we are sometimes critical when institutions do not do
what we think meets their responsibilities. In this case, Bank
of America stepped up and did more than they were legally
required to do. That is important.
I have to say to people in the business community in
general, the financial institution, we are sometimes told two
contradictory things: One is, ``Don't legislate right up to the
very edge. Leave us some discretion. Don't overdo the
legislation. Put some general laws in there but trust us to be
sensible.''
But then we run into situations where something is not done
that we think should have been done, or something is done that
we thought should not have been done, we think it did not
really fully treat the customers in the right way and we are
told, ``Well, we complied with the law.''
In other words, sometimes we are told, ``Don't push the law
too far.'' But then, the kind of catch-22 is, people say,
``Well, we did not have to.''
And people should understand that, that if the institutions
are going to be very literal and insisting that they will do
what the law requires and nothing more, then they should not be
surprised when the law may in fact go further than they want to
do.
In this case, Bank of America reached out and did more than
the law required, and I think that was very useful.
Another point, I notice there has been some reference to
people saying, ``Well, you do not want us to have to notify you
every time there is a breach because we will be flooding people
with paper.''
I said that before, I must tell you, particularly to my
friends in the financial community, you are not credible when
you say you do not want to send us unsolicited mail. No one
sends me more unsolicited mail. I have constituents who do not
write me as often as you do, and they have a better claim on
me.
So that, I have to say, when people give me a reason that I
do not believe, then I have to wonder what the real reason is.
And I do not think it is an aversion to sending out unsolicited
mail that is involved.
So if there is some problem that is triggered by your
having to notify every time there is a breach--and I have to
say, I do not know what standard you could come up with that
would say, ``We are only going to tell you about a breach if we
think it is likely to cause a problem.'' We are not going to
know in all the cases what happened.
I suppose if it was purely accidental, you might say there
was no likelihood, but we do not know what will show up.
The other--and I was very pleased Mr. Foley testified. In
fact, I was hoping that we could get someone to ask him to do
this.
I must say that when we dealt with the extension of credit,
I was disappointed with the response from the retail industry.
At the time what we were talking about was how do you resolve a
dispute if you are told by the credit-rating agency, ``Well,
you did not pay this bill,'' and you say, ``Hey, I never bought
that thing. That was not me,'' or, ``Yeah, I bought it and I
returned it, it was defective,'' or, ``I paid for it.''
The retail industry was very resistant to having any
obligation to go back and check as to whether or not there was
substantive mistake. Their position was that the most they
should have to do would be to check the paperwork.
And in fact, we had studies that showed they did about, I
do not know, 40 of those an hour, that there was no way the
consumer could get some kind of independent investigation. Now,
we moved a little bit towards that.
But now, again, I find the retail industry in some ways
being resistant. I am told that they said, by credit unions in
Massachusetts, that when BJ's, I guess it was, had the--what is
BJ's? I do not want to--albeit, I am immune from libel suits,
I do not want to abuse the privilege.
But BJ's was responsible for breaching security of data,
and the institutions that issued the cards, as Mr. Foley has
indicated, had to tell the cardholder, ``Well, your data has
been breached, but I do not know who did it and I cannot tell
you who did it.'' My sense is that most of them did not believe
you. They thought you did know and did not want to tell them.
That just seems to me unacceptable, especially since the
general rule in our legal system is: You ought to put the most
responsibility on the people who have the ability to prevent
the abuse.
Now, the people who have the best chance to prevent the
abuse of data are the people who are handling the data. And it
just seems to me an elementary example of basic logic: Whoever
was the one entity that was responsible for the breach ought to
have to be identified.
That in and of itself, it would seem to me, if we just did
that legislatively we would be doing a great deal I believe to
reduce breaches. We would then greatly ratchet up the
importance of reducing breaches in people's minds.
So I know what Mr. Foley thinks. I wonder if any of the
others have any comment on requiring, whether it is the
retailer or anybody else, to the extent that we know who is
responsible making that public.
Let's start with Ms. Desoer.
Ms. Desoer. I do not have any issue with that. I think some
of the issues between the retailer or the merchant and the
financial services institution is confidentiality of a client
relationship and the priority that that takes in terms----
Mr. Frank. What kind of--I mean, what, the people did not
know--there is no--what we are here talking about is that
somebody has a credit card that you issued and they used it at
a particular merchant. There is no confidentiality there.
Ms. Desoer. No, but if retailer X, for example, has a
banking relationship with Bank of America, our relationship
with them does not enable us to talk publicly that we have a
relationship with them.
Mr. Frank. Well, then we ought to change that law.
In other words, if you are saying that because I got an
account in your bank, if I screw up in another way, the bank
cannot identify me. That just seems to me unnecessary.
Ms. Desoer. No, that--and that is not what I am implying.
It is, again, going back to the ultimate consumer who is, in
this case, our credit card customer and our communication to
them. I hear you relative----
Mr. Frank. Yes, what I am saying is----
Ms. Desoer.----excusing as to who is at fault----
Mr. Frank. You do not have to do--if the retailer messed up
on the data, that does not mean you give a list of all the
retailers' confidential financial information, but identifying
that that is where the breach came. I do not see how that is a
problem with your confidentiality.
Ms. Desoer. I am particularly aligned with what you said,
which is the responsibility of whomever is collecting and
managing that information should be the one accountable.
Mr. Frank. If others want to do a quickie, my time is up, I
will just listen.
Mr. McGuffey. We at ChoicePoint agree that ensuring that
the burden of notice follows responsibility for breach is
appropriate.
Mr. Frank. Thank you.
Mr. Sanford. Congressman, we are not a financial
institution, we do not have retail, but in our security
breaches, the breaches occurred in our customer environments
where their password and I.D.s were compromised through a
variety of methods, and we saw it as our responsibility as the
party who maintained the databases where the breaches occurred
to make the notice.
Mr. Frank. Mr. Ward?
Mr. Ward. I am not sure that I have a particular comment in
respect to that question.
Mr. Frank. Well, if you are not sure, nobody else could be
either.
[Laughter.]
So I guess that is one uncertainty that will go unresolved.
Mr. Ward. We are not in the retailing business and we do
not deal with any particular dynamics.
Mr. Frank. Okay, thank you, then, that is very responsive.
Mr. Price. [Presiding.] Thank you, Mr. Frank.
Mr. Castle and Mr. Bachus, we have the FDIC bill on the
floor currently, and so they apologize for not being able to
remain for this portion of the hearing.
Mr. McHenry from North Carolina is recognized.
Mr. McHenry. Thank you, Mr. Chairman. It is pretty nice to
hear a freshman as a chairman of such a big committee.
Thank you all for testifying here today.
And my question is, just generally speaking, really to
ChoicePoint and Bank of America mainly: Is there currently not
a marketplace incentive for data security? Do you not see an
economic incentive in terms of your communication to the
customer?
I live in the suburbs of Charlotte, and really just right
close to your headquarters of Bank of America, and I certainly
understand the advertising that you currently have about the
secure network that you do have in place, the fact that you do
not have errors when it comes to check processing, things of
that sort. And there is an economic incentive I see to that
marketplace on security. I was wondering if you all could
address that.
Ms. Desoer. Yes. As I said in my testimony, what customers
come to us for is trust and security, and we take that
extremely seriously. And the stewardship of customer
information and their privacy and all that goes along with it
is, at the end of the day, what our brand stands for.
So it always starts with what is in that customer's best
interest. We firmly believe that our ability to earn that trust
and to demonstrate our ability to manage that trust over the
lifetime of a relationship is what differentiates us in the
competitive marketplace, yes.
Mr. Foley. I would say that in looking at the issue to
remember that the security is only going to be as good as the
weakest link in the fence. So as we are looking at these
issues, there is no current economic benefit to many of the
parties that touch that data, to protect that data.
Mr. McHenry. Do you want to further elaborate?
Mr. Foley. In particular, my own experience, when we are
talking about the large-card associations, mostly Visa and
MasterCard, regulations on the merchant versus the card-
issuer, between Gramm-Leach-Bliley and all the other
regulations that the issuer has on them, no matter how much
they protect them, if the same standard is not dealt with in
the particular merchant, then whatever effort and resources the
issuer is putting behind the security is meaningless, because
there is no incentive for that merchant to do anything other
than to get that payment through their system as quickly as
they possibly can.
Mr. McHenry. Are you not fearful of lawsuits and
repercussions because of lax security?
Mr. Foley. Well, that is right now what the remedy is. And
as I had said in my testimony, in the case of BJ's Wholesale
Club, there were 40,000 cards that were compromised within
about a 2-week period. Credit unions have brought suit and
individual banks in Massachusetts have brought suit. And right
now that is the only remedy.
Mr. McHenry. Really, the question goes to the heart of, is
there not an incentive in the marketplace to do this without
governmental intervention?
Mr. Foley. If the lawsuit comes out favorably for us, yes.
Mr. McHenry. All right. Well, thank you for your testimony.
Mr. Price. Thank you.
It is my pleasure to recognize the gentleman from Georgia,
Mr. Scott.
Mr. Scott. Thank you very much.
Mr. McGuffey, let me start with you, if I may.
Going back to this winter, February, when the news came out
about the identity thefts, ChoicePoint was immediately hit with
an order by our insurance commissioner to give you 90 days to
put some things in motion to correct the situation. I would
like to ask you just a line of questioning on how you have
fared with that.
One of those points was that you had to provide immediate
notification. Can you tell us how well you have done that so
far?
Mr. McGuffey. Yes, Congressman, we have provided notice.
And indeed, we are I believe in process of and if not having
already made notice to California at the time when that request
had been made.
Mr. Scott. So that point has been satisfied to the
satisfaction of the insurance commissioner in Georgia.
Mr. McGuffey. I believe so.
Mr. Scott. That is very important, because there is a part
of that he said if not in 90 days you will be barred from doing
any business in Georgia with insurance companies.
The second point was that you had to establish a rapid
response system. Have you done that?
Mr. McGuffey. I believe that we have formed a team to be
able to respond to that. The details of that, today, I am not
prepared to speak to, but I would be more than happy to provide
it to you and your office.
Mr. Scott. Okay. And the third item that he said you had to
do within 90 days was to perform a system-wide audit with an
independent security firm. Has that been put into place?
Mr. McGuffey. We have retained the services of an
independent firm. I am not sure as of this date as to whether
it has been completed or not. But if it has not been completed,
we are in process to be able to achieve that objective.
Mr. Scott. Has the insurance commissioner been made aware
of the level of progress that you have made, that you have
expressed here, to this point?
Mr. McGuffey. I am not aware of the details of what we
communicated back to the insurance commissioner at this date.
Mr. Scott. Do you have concerns that you may not be able to
make this 90-day period? This occurred in February. It is now
May. Time is running out. Do you feel any concern that you
might not be able to make the 90-day deadline?
Mr. McGuffey. I have not heard of a concern that we would
not be able to meet those requirements.
Mr. Scott. Let me ask you another question. Let's get our
hands around this issue. There has been some discrepancy
pointed out as to the extent of this problem.
By last estimates and your most accurate accounting, I
believe it has been 145,000 records that were stolen. Has that
changed any, particularly in view of the light of the
discrepancy that was brought to our attention from California
by Detective Decker, that you had estimated at 17,000, and he
said it was more like 4 million. That is a huge difference.
Mr. McGuffey. Yes, Congressman. I think the comments that
were in the Wall Street Journal yesterday--which we tried to
get a good insight on, having seen that yesterday for the first
time--those comments by Detective Decker were made in the very
early stages of his investigation. In fact, as I understand it,
from what I have been told, those comments were made at the
arraignment of the individual who was arrested.
At that time we had not completed our investigation and
rebuilt all of the searches that had been run--there were over
17,000 searches that had been run on our systems--nor had the
sheriff's department completed their investigation.
Now that we have progressed in the investigation to this
date, we have been informed by Detective Decker that he is in
agreement with those numbers and believes that our notice was
appropriate and consistent with his review of the records.
Mr. Scott. All right. Let me ask you one other issue before
my time runs out, because one of the very, very important areas
that this committee deals with is in the financing of
terrorism.
ChoicePoint has developed an excellent reputation of
assisting in that fight against terrorism. Would you care to
share with this committee some examples of the effectiveness of
ChoicePoint in our war against terrorism?
Mr. McGuffey. Thank you, Congressman.
We are obviously very proud of our opportunity to work with
Homeland Security and other law enforcement agencies to pursue
the--of making sure that our country is safe.
We have products and services out of our--on data services
that are in Homeland Security that enable our law enforcement
to investigate rings and investigate terrorists. We have
examples there, although oftentimes since I am not--have a
security clearance, I will not hear about them all.
But that is one example where we are delivering a
technology into Homeland Security. We have on a daily basis the
various, different agencies--FBI as well as sub-agencies of
FBI--use our services in order to investigate leads that they
may get.
We have built specialized systems for them at their
request, to their requirements, in order to support those
organizations, and we are proud to be able to do that.
Mr. Scott. Thank you.
Thank you very much, Chairman.
Mr. Price. The gentleman's time has expired.
The gentleman from New Mexico, Mr. Pearce, is recognized.
Mr. Pearce. Thank you, Mr. Chairman.
Ms. Desoer, is there any resolution to the case where you
lost the five tapes?
Ms. Desoer. No, there is no resolution. The investigation
is still ongoing. We have continuously monitored those 1.2
million customer accounts, and there is no evidence that the
information----
Mr. Pearce. Have you had any other losses of significant
size of identity theft, just people getting information?
Ms. Desoer.----lost tapes or that sort of thing? No. I
mean, the retailer situations, the merchant situations that
have been referenced, we have a significant cardholder customer
base. So----
Mr. Pearce. Mr. Sanford, has LexisNexis ever experienced
any losses of information? On page 2, you describe the enormity
of the situation: 9.3 million cases. Have you had any losses of
information through your system?
Mr. Sanford. In my testimony I indicated what we discovered
in the investigation that we did.
Mr. Pearce. And how easy is it to get convictions on any of
these things? How easy is it to track down the people who are
doing it and then to get convictions?
Mr. Sanford. Well, I have been working with the U.S. Secret
Service since the end of February, and we get regular
briefings. And it is extraordinarily difficult, with their
resources, to gather sufficient evidence for the warrants and
the manpower to then chase down.
It is a whole level of sophistication in the underground
economy that is trafficking in this information. And I frankly
believe that we are out-manned in law enforcement. I think it
is very, very difficult. They have had some successes that have
been very public.
But I think until the penalties on identity theft are much
bigger than the value of the theft, I think that you are going
to continue to see rampant identity theft--the old-fashioned
way too. Most of it is still your friends and your family and
your neighbors committing this.
Mr. Pearce. How easy would it be to close the opportunity,
the window of opportunity, between the time something happens
and the time we actually then get it closed down--Ms. Desoer,
if you could address that?
Ms. Desoer. Yes. Immediately upon discovery, we start
monitoring accounts. And so while an investigation is ongoing,
we will know if there is unusual activity. And customer by
customer, we can handle that immediately to either reassure a
customer's card or take whatever action is required to protect
them.
Mr. Pearce. But the losses are still enormous, I mean,
billions even in that narrow window. Is it possible to close
the window even tighter?
Ms. Desoer. That is what we are working very hard to be
able to do, to provide that protection of the customer and then
also protect the financial loss.
Mr. Pearce. Who determines when a customer should be
notified and who has the authority to do that?
Ms. Desoer. Within Bank of America, we are subject to the
Interagency Guidance and the federal regulations that guidance
talks to when there is information that could reasonably lead
to the misuse of the information.
We have the equivalent of a rapid response team that
evaluates each situation and makes the judgment call, taking
into consideration the best interest of our customers.
Mr. Pearce. The recent case in my hometown, someone's
identity was stolen by a group of people in prison. They were
simply sitting there using their time either constructively or
destructively, depending on which point of view. And literally,
the law enforcement officer said that no action was available,
they are already in jail, they are already criminals.
And so I suspect if you have recommendations on ways that
we can change the laws, that we would be open to that.
Mr. McGuffey, do you think you are going to get any
resolution? Do you think you will get a conviction out of any
of the things that you all face?
Mr. McGuffey. Fortunately, we have had two convictions.
Unfortunately, I believe the first conviction was only, like,
16 or 18 months in jail, which we wished were longer. The
second one I think was a five-and-a-half-year sentence.
Mr. Pearce. How easy is it--I think I would go back to you,
Ms. Desoer--how easy is it when someone actually comes up with
information, they get a card number, a Social Security number,
how easy is it for them to use that information, like Mr. Foley
experienced? Is it easy? Or is it somewhat difficult?
Ms. Desoer. I think each circumstance is very different,
depending on what the sophistication level is of the
individual, whether they are operating independently or part of
a group. It varies across the board.
Unfortunately, as someone mentioned, it depends on where
there are weaknesses anywhere in the system that impact--they
are not as strong potentially as they should be relative to
authentication or identification of a customer where they could
sort of infiltrate and as a result get access to the funds in
the account or something like that.
So it can be quite easy if there are weaknesses in the
system and someone is sophisticated about knowing how to
identify those weaknesses and penetrate them.
Mr. Pearce. Mr. Foley, my time is expired, but you are more
than welcome to answer.
Mr. Foley. I was just going to say that on the mag stripe
is now a three-digit algorithm that relates to the PIN number
on the front of the card, if that algorithm is captured, that
card can be remanufactured and used regardless of the name or
any other information associated with that account.
Mr. Pearce. Well, I thank you all for your leadership in
this very difficult area. I appreciate your testimony today.
Mr. Chairman, I yield back.
Mr. Price. Thank you, Mr. Pearce. The gentleman's time has
expired.
The gentleman from Kansas, Mr. Moore, is recognized for 5
minutes.
Mr. Moore of Kansas. Thank you, Mr. Chairman.
To all of the members of the panel, are there other
instances of personally identifiable information which have
been compromised--I mean, lost--by any of your organizations
that have not been identified in your testimony here this
morning or in your either written or oral testimony that you
have not disclosed?
I would like an answer, yes or no, from each of the
panelists, if you would, please.
Mr. Ward. No, sir, my company has not experienced----
Mr. Moore of Kansas. Mr. Ward--I am sorry, go ahead.
Mr. Ward. No, sir, my company has not experienced any
losses of that nature. In fact, our organization, the National
Association of Information Destruction, we have about 650
members in that organization, and we are not aware of any kind
of willful loss or anything of that type.
Mr. Moore of Kansas. Thank you, sir.
Mr. Sanford?
Mr. Sanford. We have disclosed in our testimony our
breaches that related to the risk that we thought----
Mr. Moore of Kansas. None other than what you have
disclosed.
Mr. Sanford. Well, you have situations where an employee of
the company might leave a company and continue to do a search
the next day. We did not make notice on those. As I indicated,
we made notice where we thought there was any evidence of any
possible risk of identity theft.
Mr. Moore of Kansas. Thank you.
Mr. McGuffey?
Mr. McGuffey. We have previously testified in front of this
committee, as well as others, that the Social Security numbers
and driver's license numbers were the personally identifiable
information that was disclosed.
Mr. Moore of Kansas. Thank you.
Mr. Foley?
Mr. Foley. My company has not had a breach. But as a matter
of course, on a routine basis, this is happening every day, not
only these large-scale breaches that you are hearing about but
identity theft is happening on a small scale simultaneously to
this.
Mr. Moore of Kansas. Ms. Desoer?
Ms. Desoer. We have had no other issues related to lost
tapes. We have had instances in the past where there have been
similar processes followed to identify losses of information in
addition to those that were referenced in my testimony, yes.
Mr. Moore of Kansas. Thank you.
To the panelists: Is there a state model?
Some of you have talked about ``we support''--in fact, I am
looking at Mr. McGuffey's written testimony: ``We support a
preemptive national law that would provide for notification to
consumers and to a single law enforcement point of contact when
personally identifiable information has fallen into
inappropriate hands.''
Is there a state model, a law, that you would recommend to
this committee that we look at and maybe follow in terms of
drafting legislation to protect consumers in this area?
Mr. McGuffey?
Mr. McGuffey. We modeled our nationwide notice after the
California law. We think that there are some provisions in that
law, however, that need to be reviewed and discussed and
debated. But we modeled ours after California, which I believe
was the first state to have such regulations.
Mr. Moore of Kansas. Mr. Foley, did you start to reach for
your button?
Mr. Foley. I did. I was going to say, also, as I agree with
Mr. McGuffey around the California law with some additional
definitions and provisions.
The other advantage to that legislation I personally feel
is that in terms of media accounts delineating the scope of
this issue, I believe it was really the California law's
requirement for disclosure that has helped flush this to light.
Mr. Moore of Kansas. Anybody else on the panel have
comments there? Mr. Ward?
Mr. Ward. Yes, sir. Actually, this committee, through the
FACT Act, has drafted some legislation with regard to the
disposal rules. They could serve as a model for any other
legislation.
The FACT Act drew a line around consumer report
information, and if those lines could be removed where it could
stretch across all businesses, that would serve as what we were
trying to accomplish.
Chairman Majoras at FTC has also discussed this----
Mr. Moore of Kansas. Thank you.
Mr. Sanford?
Mr. Sanford. Congressman, I applaud the intent, the
legislative intent, of the California statute. But I think the
drafting really does need quite a bit of work in terms of the
triggering events and the form of the notice.
The consumer division in California came behind that
legislation and provided some very, very helpful guidance, but
it is not binding, and it is not the law in California.
So I would encourage the committee to take a look at both
of those.
Mr. Moore of Kansas. When you mention triggering events, do
you have any specific recommendations with regard to what
triggering events should institute a procedure here?
Mr. Sanford. Well, I think, again, the California law does
provide some examples of very specific things that would be a
triggering event, if you had the loss of the physical custody
of data on, for example, a personal computer--well, excuse me,
I apologize. That is in the consumer division guidance where
they begin to really give examples.
But I think that the risk of being very specific is that
you will fail to then consider a breach that does not
specifically fit within one of those guidelines when a
reasonable person could conclude that a significant risk of
harm still existed to individuals and that notice should be
made.
So I think this reasonable standard and then specific
examples that say this per se requires notice of loss of
physical custody of data on a P.C. or on a tape--that should
trigger.
Mr. Moore of Kansas. I see I am out of time.
Thank you, Mr. Chairman.
Mr. Price. Thank you.
The gentlelady from Florida, Ms. Brown-Waite, is recognized
for 5 minutes.
Ms. Brown-Waite. Thank you, Mr. Chairman.
I have a bit of laryngitis, so I hope you all can hear me.
As some say, this is a husband's prayers answered. I am not
sure.
Some members, I have been told, are considering legislation
that would make it illegal to sell an individual's Social
Security number without permission. What effect do you think
that would have on the American economy and your business in
particular?
Do you want to start down there?
Mr. Ward. Yes, ma'am. Actually, a Social Security number
cannot be sold, but it could actually be thrown away. You can
dispose of it right now in the Dumpster, and that information
is not regulated once it goes into the Dumpster.
With the proper disposal rules, that would certainly go a
long way toward preventing some of the identity theft that is
occurring through that route.
Mr. Sanford. We use Social Security numbers in both public
records and nonpublic-record information to link disparate
pieces of data. I mean, there are 20,000 John Smiths or John
Williams out there. If you were to take away the unique
identifier of an SSN, then the ability to match disparate
pieces of data would defeat the tools that financial
institutions, law enforcement, Homeland Security and other
organizations use to make sure that they have the proper person
identified and verified that they are doing business with.
And in fact, in my opinion, you will then enable greater
identity theft, because you will take the tools out of the
hands of those institutions which are catching a lot of the
fraud that is happening.
Mr. McGuffey. Yes, we would concur that the use of Social
Security numbers for fraud and for proper identification of
individuals in validation of individuals who are seeking access
to either a system or other benefit that they may have need to.
We also have made some voluntary changes to our business
and are restricting, in certain markets under certain
circumstances, the distribution of full Social Security
numbers. But we still use Social Security numbers in order for
matching to make sure that we are associating the proper
records together.
Mr. Foley. Financial institutions have been protecting
Social Security numbers for some time now. I think that the
only application that I can think of where it is most prominent
is in IRS reporting data.
Ms. Desoer. I would concur with that and also what the
other gentlemen have said relative to ways of matching
customers for purposes of determining credit qualifications and
that sort of thing is highly dependent in this country on a
Social Security number.
Ms. Brown-Waite. Well, with a name like Virginia Brown, I
can just tell you that there are many, many Virginia Browns out
there, and I can relate to that.
Ms. Desoer, just a quick question: A constituent of mine
who used to use the online banking offered by, in this case it
happened to be your bank, but any of the banks that offer
online--or any of the financial institutions, this certainly
would apply. His comment was that with wireless and with
spyware, he no longer is comfortable using the online bill-
paying service.
What response would you have to that individual who felt
that his identity and information about his bank account would
be too easily available?
Ms. Desoer. I would need to understand the specific
circumstances of how he was accessing online banking. But we do
a tremendous amount, obviously, to protect the flow of customer
information from just about any device to our online banking
application. And it is a constantly evolving technology.
We also provide advice and counsel to our customers about
what type of protection they should employ to ensure that, on
the receiving end where they are, at work or at home, that they
are adequately secured as well.
But I would be happy to get a name from you and follow up
with that customer in particular.
Ms. Brown-Waite. Just one follow-up question: Do you advise
people on the use of wireless?
Ms. Desoer. I need to follow up with you on that question.
We do make suggestions about what the most secure ways are, but
relative to wireless and specifically in what we are telling
customers today, I would need to follow up with you. Thank you.
Mr. Price. The gentlelady yields back.
The gentlelady from Oregon, Ms. Hooley, is recognized for 5
minutes.
Ms. Hooley. Thank you.
I would like to ask all of you, the question is--one of the
things you can do is voluntarily provide access to credit-
monitoring services. How many of you have done that and for how
long? And do you do it for free?
Ms. Desoer. At Bank of America, in our particular case with
the lost tapes, we have offered the credit-monitoring services,
and we have offered them for I believe it is up to a year--it
is for a full year.
Ms. Hooley. Is that free?
Ms. Desoer. It is free of charge. It is at Bank of
America's expense, yes.
Mr. Foley. For most of the smaller financial institutions
in the country, they need to rely upon Equifax and the large
credit bureaus and the free credit reports that each customer
can get on their own. They do not have the resources to provide
that for them.
Mr. McGuffey. In ChoicePoint situations where--all of the
cases that we provided notice, we provided a 1-year monitoring
program at ChoicePoint's cost.
Mr. Sanford. We provided all of the services--the tri-
credit bureau, the monitoring, the counselors, the fraud
insurance--all of that at our cost.
Ms. Hooley. For how long?
Mr. Sanford. The credit monitoring is for 1 year, and then
if somebody is a victim of identity theft, we just evaluate
them on a case-by-case basis.
Mr. Ward. In our particular industry, we do not have any
access to credit information, but we do have some exposures and
liabilities for the loss if we were to lose something.
Everybody in our trade association is required to carry certain
amounts of insurance and subject it to all types of background
checks.
Ms. Hooley. I have worked for a long time with identity
theft, and one of the constants I hear at lots of my meetings
is a need for a second-factor authentication. What do you think
about that? Is there a need for a second piece to make sure the
people are who they say they are?
Mr. Sanford. I will go ahead and start.
I know some of the European banks, the financial
institutions, do use double factor, two-factor authentications.
Some use even a third layer.
That is something we are looking at. There are tokens and
smart cards available in the market today. They are not
inexpensive.
But we are evaluating that ourselves right now to see
whether or not we could deploy two-factor authentication for
certain of the accounts--because, remember, all of our accounts
do not access personally sensitive information--whether we
would be able to use two-factor authentication and would the
market accept that.
One of the members asked earlier: Is not there a
competitive advantage or an economic interest in doing that in
being the security company?
The reality is, is that to the extent that customers deem
it to be an inconvenience and they have 15 other organizations
they can get the same data from and not manage 20,000 tokens
for their users, we would probably be put at a significant
disadvantage.
So I am trying to figure out how we do this. I am not
suggesting that we should legislate it. But what I am saying
is, are there disincentives to us doing it and putting
ourselves out of business.
ChoicePoint and LexisNexis mask Social Security numbers and
driver's license-number data. Most of our competitors do not.
And so people who want that data just go to somebody else. We
do that voluntarily as a matter of policy.
Ms. Hooley. I mean, one of the things, identity theft is
costing all of us a ton of money, whether you have been an
actual victim or not. I mean, all of us end up paying for that
theft that occurs.
And how do we--I mean, what do we look at to help stop
identity theft?
And, again, it may be for someone else--and I would like to
hear from Bank of America, if you are looking at a second piece
of authentication.
Ms. Desoer. Yes. We are constantly evaluating, ensuring
that our authentication and identification processes are as
secure as they could be. We are testing in the online-banking
environment a second factor, and we have it operational in our
card environment today.
Ms. Hooley. Anyone else want to comment on that?
Mr. McGuffey. We are evaluating the tokens as well, and I
concur with Mr. Sanford's comments.
In addition we have offered some products and services that
are called ``smart questions,'' which enable institutions or
customers of ours to be able to not only just validate certain
pieces of information, such as the use of a name and a Social
or something of that nature, but also to go to a second step
where random questions about one's particular circumstance have
to be answered in order to validate that it is who they say
they are.
Mr. Sanford. The question that we wrestle with as we have
dealt with these security breaches is: Can we as a society--and
I am not talking about just LexisNexis; I am talking about
retail, financial institutions, data companies--can you stop
the theft of data? How sophisticated is the technology?
And I do not mean to downplay the importance of us getting
our security enhanced and being responsible, but if we think
about this more holistically and we recognize the level of
sophistication of technology and the criminal element, part of
the solution to stop the fraud when someone gets that data is
to begin to use stronger authentication before you issue credit
cards, before you open bank accounts, before you do online
transactions.
And it is not just my company. There are many companies
that provide these services. And there is significant evidence
that when those kinds of products are used, you can defeat a
significant amount of the fraud associated with identity theft.
You do not stop the data from getting in the wrong person's
hands, but you can then not enable them to profit by it.
Ms. Hooley. To use it, okay.
Mr. Price. The gentlelady's time----
Ms. Hooley. Thank you.
Mr. Price. Thank you. I will recognize myself for a period
of 5 minutes.
I want to thank the members of the panel and commend you
for the work that you do.
Also, since there is a great interest and many questions,
so I would ask unanimous consent to allow members of the
committee 14 days to submit questions for the record following
testimony today--without objection.
There is a bit of a somber tone here, and I want to
hopefully lift it up a little bit and congratulate each and
every one of you for the work that you do. There are a lot of bad
guys out there. And you all I know are working hard to make it
so that bad guys are not getting the information that they want
to get.
Just to bring some light to that, I want to commend one of
the corporate citizens in my district, ChoicePoint, and just
highlight a couple of the items that were pointed out in Mr.
McGuffey's testimony.
I think it is important to recognize that when ChoicePoint
had the infraction and the breach that occurred that they
voluntarily acted, that they were the ones that told law
enforcement and that many changes were made, including a
voluntary nationwide notification, dedicated call centers and a
Web site, the free three-bureau credit reports and the 1 year
of credit monitoring--all at ChoicePoint's cost.
I also want to point out--I know that all of you are
assisting many authorities in stopping bad things from
happening. And a number of the things that ChoicePoint has done
is the Project Falcon that assisted in catching 10,000
criminals, including individuals convicted of murder; the I.D.
of over 11,000 undisclosed felons and stopping nearly 1,100
individuals--or finding 1,100 individuals who were convicted
for crimes against children. The Lord knows what kind of
assistance that could have been in terms of helping citizens
across our nation.
I also sense that there is a great enthusiasm among the
committee for a new law, and that should be greeted with I
think a sense of comfort on the one hand and a sense of
trepidation on the other. We get a knee-jerk reaction when we
identify a problem that there ought to be a new law.
So the law of unintended consequences is what I have a fear
about. As a physician I know that the HIPAA regulations, the
privacy regulations in HIPAA now make it so that your medical
information and my medical information are now less private
than they ever were, because what you do when you go into a
physician's office is now sign away every right to privacy that
you ever had.
So I would like to ask each of you if you have any thoughts
about how far is too far as we go through this phase of
attempting to write something that will help individuals in
their identity-theft problems.
But how far is too far for Congress to go, Ms. Desoer?
Ms. Desoer. In the financial services world, we do have the
recent Interagency Guidance, which I believe is a good model,
certainly one that is operational today for us, and I would
give that some time in the financial services industry to
mature so we can get learning that could help perhaps us to
changes that be made. But I would ask that that be looked at as
one possible solution from a regulatory specific, or a
legislative perspective.
Mr. Price. Thank you.
Mr. Foley. I echo Congressman Frank's concern around
notification and how efficacious it is. What we also find is,
even if we are doing notification today for a breach, that that
account is not actually--money is not stolen for 6 months, 9
months down the road.
So I am concerned about the constraints and timing of the
notification.
Mr. McGuffey. I believe that a couple of the comments by
Congressman Frank are also worth emphasizing, both ensuring the
burden of notice following responsibility for breach, being
one.
Number two, we also think that there is an issue that could
be a negative consequence, and this is desensitizing such
notices.
So having some sort of clearing house that would enable a
notice to be made only one time, as opposed to multiple times,
in the event that there are rings of I.D. thefts, individuals
out there that they may access more than one company or get
access to data in multiple instances about the same person,
that notices not be given more than one time.
Additionally, I think the final comment I would make is
with regard to the use of Social Security numbers is critical
for matching purposes to make sure that we do not have false
positives and to make sure that we are able to support the
appropriate transactions in business.
Mr. Price. Mr. Sanford?
Mr. Sanford. We are not suggesting that FCRA or FACT Act be
reopened. We are not suggesting that GLBA be reopened.
What we are saying is, we are facing probably a gauntlet of
state notice bills. I think there are something like 70 or 75
bills that have been introduced in states on either security
standards or on consumer notice. And if we are going to have
that kind of patchwork of legislation, that is where we would
support it more of a federal approach with preemption that
provided a standard.
Someone said to me, ``Well, you just want to avoid the cost
of having to comply with 20 or 15 different states.'' And I
said, yes, it is going to cost me, but at the same time, I am
not sure that the consumers who are going to get all these
different forms of notices as they move around are actually
going to understand, because each state is going to do it a
little bit differently.
So if we are going to have legislation on notice, then we
would think that a federal preemption would be appropriate.
Mr. Price. Thank you.
Mr. Ward, any quick comments?
Mr. Ward. Yes, sir, thank you.
We are all recognizing that the identity theft laws that
are already on the books are really good laws. We are not
suggesting in any way that any of those laws be rewritten or
reopened.
What we would suggest is that perhaps FACT Act, which is a
great law and has excellent disposal laws, allow those to be
broadened to cover more industries, cover all businesses.
In addition to that type of FACT Act guideline, our
recommendation would be to have a company disclosure in any
type of agreement stating what the company's responsibilities
are and what the company's method for disposal of all records
would be, so that anybody would see and understand what that
procedure is.
And then the last step would be to, under the sort of the
guidelines of perhaps Sarbanes-Oxley-type laws, where the
senior management has some accountability for setting up those
procedures and has some responsibility to see that those
disposal procedures are fulfilled.
Mr. Price. Thank you.
My time has expired. And I will have some other questions
that I look forward to submitting to you.
The gentlelady from New York, Ms. McCarthy, is recognized
for 5 minutes.
Mrs. McCarthy. Thank you, Mr. Chairman, I appreciate it.
I have to tell you, Mr. Ward, before I was appointed to
this committee, my son gave me a shredder. And I said, ``What
do I need this for?'' Since I have been on this committee, I
understand why I need it. It does take a little extra time, but
everything goes through the shredder now.
Mr. Sanford and Mr. Foley, both of you have had incidences
where you personally have had identity fraud, and your sister
has had identity fraud.
I was just curious: With your sister, on the notification
that she got, was it easy enough for her to follow the
instructions for what she needed to do? Or did she come to you
to ask how to do it?
Mr. Sanford. No, she actually called to give me a hard time
because she wanted to know why I did not personally sign the
letter. It is a serious matter. I mean, we sent this out to
some 300,000 people.
Very simple: It provides toll-free numbers, it names the
companies, it talks about the steps that you go through.
Again, whether she is the victim of identity fraud, we do
not know. Some people think if someone has potentially gained
access to data then you are a victim of identity theft or
fraud. She has not suffered any financial harm. She has not
detected any problem. She is taking advantage of the credit
services.
I told her to take the letter seriously and to take
advantage of the services.
Mrs. McCarthy. No, I am just curious, because, like
everyone else, we get a lot of mail. Is there anything on the
front envelope to notify the client that this is something they
should not just toss but open it up, because a lot of people do
just toss things without looking to see what is inside.
Mr. Sanford. We mailed 30,000 notices. One of the first
things we did when we discovered these breaches in this
business, we acquired, was we contacted the State attorney
generals' offices in all 50 states and the District of Columbia
and Puerto Rico and said, ``Here is what we intend to do. We
are going to make notice nationally. Here is how we are going
to do it.''
We talked to the Federal Trade Commission. We followed some
of the California guidance.
After we did the first round of mailing--we had this
ongoing investigation looking back at the records of this
company--some of the attorney generals said to us, ``Well, you
know, maybe some people just thought it was marketing and they
threw it in the trash can.'' So we said, ``What would you like
us to do?'' And they said, ``Well, would you put stamps on the
letters instead of using machine postage? Would you put
something conspicuous in your return address area that tells
them this is important information?''
So we did. We remailed all the letters, again, to the first
30,000, and we used that approach for the second group that we
mailed to.
Mrs. McCarthy. And was the response better?
Mr. Sanford. The response rate is marginally higher. It is
not significantly higher.
Mrs. McCarthy. What about, like, with the IRS ``tax
information enclosed.'' Everybody always opens that. How about
``credit information''?
Mr. Sanford. Well, I think this is where some of the
panelists and some of the members have talked about. If you had
a national clearing house where if letters came through that,
perhaps people would recognize that, ``Oh, this is an important
piece of information.''
I am sure there is a way to make the envelope even more
conspicuous so that people will recognize there is information.
At the same time, I have some attorneys general telling me
if I make it too conspicuous--since a lot of identity theft
happens by people stealing other people's mail--I am going to
turn around and give the bad guys information that is going to
allow them to gain access again to this person's account.
Because they will call up, they will purport to be who they
are, they will get free credit reports on this person. It is a
balancing act.
Mrs. McCarthy. Mr. Foley, how long did it take for you to
clear up the information that was stolen from you?
Mr. Foley. That process was pretty readily done. Within
Regulation E there is a 10-day window that the financial
institution has got to be able to make you whole in your
particular account.
In my case, the notification letter was received probably I
want to say 6 weeks prior to my account being cleaned out. And
the notification letter--I do not have it with me, but I kept--
did not give me any particular call to action in terms of what
I needed to do. It opened up a case number and said, ``Just
watch your account.''
In my own case, as I literally sat in my office looking
online at my account, I was watching myself buy a handbag in
California and some very nice women's shoes, and my account was
cleaned out probably about 6 weeks later.
I suspect, in terms of the notification itself, that it
would not compel someone necessarily to take any action in
particular.
As a credit union with a very close relationship with our
members, typically what happens is if we have enough suspicion
that the account may be breached, we just automatically do a
reissue to protect somebody in that case.
My account was with a large commercial bank. And when I did
contact them, they were very solicitous in terms of realizing
that the transactions were not my transactions. However, there
was no information provided as--I do not shop at BJ's--there
was no information provided as to how the breach happened,
where it happened and to what extent the breach is.
In a lot of financial institutions, you have got sweep
accounts, like a home equity credit account, that is tied into
your checking account or an overdraft account, and there was no
information given to me as to what the extent of the breach
was.
Mrs. McCarthy. We as a committee usually do work very well
together, but your input is going to be extremely important,
because we are going to have to find a fine balance. But the
more that you work with us--because a lot of us will come up
with ideas that we find out later are not actually enforceable.
I found out from a lot of lobbyists, they said, ``Well, we
did not want to say it was not enforceable.''
So it is important that you all work with us as we try and
do it. Because it is going to be good for the consumer, it is
going to be good for you. Because the more that we see this--
the consumer is going to end up paying for it one way or the
other, in higher interest rates or any other thing.
I lost my wallet a couple of months ago, and being that I
know what I know from this committee, I immediately reached out
to everyone--because I keep photostatic copies of every charge
card. Everything I have in my life is in a backup.
But what I forgot about was that it would take months for
someone to notify me, possibly, if something was being done. So
I signed up for one of those credit cards from the banks, you
know, for $10 a month they give me all the information I need.
To me, it is worth $100 a year just to have that.
Mr. Price. The gentlelady's time has expired.
Mrs. McCarthy. Thank you.
Mr. Price. Thank you.
The Chair recognizes the gentleman from Mississippi, Mr.
Lynch, for 5 minutes--Massachusetts, I am sorry.
Mr. Lynch. Yes, Massachusetts. You would know by the
accents.
[Laughter.]
Mr. Price. Well, I was going to say to Ms. McCarthy that a
lot of committee members will have ``idears'' and a lot of them
will have ``ideas.''
[Laughter.]
Mr. Lynch. First of all, I want to thank the panel for
helping the committee with its work.
Just as a footnote to all of this, logistically, in our
congressional offices, we typically deal with Social Security
cases coming in the door, we deal with veterans' affairs and
veterans' benefits--those are cases that we see on a regular
basis. So we actually set our offices up to deal with, on a
routine basis, those cases.
And recently in my office we have had to add somebody--not
a full-time equivalency--but a person who is just designated to
handling identity theft cases because they are so frequent now,
and we are seeing that played out in the press as well, but
also because they are so difficult.
Many of these cases have wiped out constituents in my
district completely, individuals, including businesses, and
oftentimes the theft occurs, the source of the theft is in
another state. In one of our examples that we have dealt with
there is a couple who own a business in Massachusetts whose
identity was stolen in Arizona. We had to get the FBI involved.
But just as sort of a notice to you that congressional
offices are becoming the repository of these cases. So I am
sure that Congress will deal with this in some form in the
immediate future.
Given the fact that these victims of identity theft--the
consumers are blameless. They are innocent of any wrongdoing
here. And yet, under the existing system, at least the cases
that I have seen, they are being asked to bear the brunt of the
burden of all of this.
It is their assets that are being stolen. These cases are
very activity-intensive on the part of the victim. They have to
go out there--it is a burdensome process to clean up identity
theft, especially when there may be several possible sources of
this, and they are getting very little help.
As I say, we have had to contact the FBI. We have had to
try to marshal resources at the federal level to deal with
this.
You know, I sort of got stuck on Mr. Foley's comments early
about there are very few incentives or benefits to merchants to
put the money in to properly protect that information.
And I am just thinking, this is getting worse. It is
actually beginning to shake the confidence of the American
consumer. And there might be a little bit of whistling to the
graveyard here and not fully recognizing the damage that that
would do if we shake consumer confidence to the level that
people do not want to engage in e-commerce, do not believe that
it is a safe transaction, many of the transactions they are
making with their credit cards, that could be a tremendous
damage to our economy.
So hearing all that, is there some way that we might bring
some--and I recognize the need for a federal response here and
perhaps federal preemption. Would you be willing to consider--
and this is for the entire panel--enhanced penalties here for
merchants who are reckless or negligent in handling personal
information?
Would you support measures that would compensate the
victims here for their loss, given the fact that they are not
culpable in any way, they are blameless.
And given the obstacles to prosecuting a case on behalf of
an individual, would you support a cause of action that would
allow a private right of action, with attorney's fees, for
consumers who are ripped off in this fashion?
Because I do not see a framework out there right now that
would allow the rights of individual consumers to be protected.
And we are seeing some huge numbers here in terms of identity
theft, and these tapes going missing and data files being
compromised.
It is a troubling situation, and we have to have some type
of response to this besides just a notice. We have to have some
recourse. And I think that that will put the fear of God into
some people about the importance of protecting individual
privacy rights.
I would like to hear from all of you. Thank you.
Ms. Desoer. At Bank of America, if I can start, a couple of
things:
Number one, we have introduced something we call ``total
security protection'' into all of our products so that our
customers who are a victim of fraud or unauthorized use of
their accounts, they are reimbursed for any of their expenses.
We have also worked to your point of the confusion and the
length of time of the situation to centralize the way we deal
with a customer and their relationship with us. And as members
of the Financial Services Roundtable, the industry has worked
to build that kind of centralized place where we can have
expertise at hand to deal with customers so it is sort of a
one-stop place that they can go to get as much of the hard work
that is involved in rectifying a situation done.
So for us, it is a combination of all the work that we have
in progress to attempt to reduce the risk to our consumers, and
then for consumers who are exposed to the risk to be able to
simplify the process that they follow in contacting us and us
working to help resolve the issues that are created by it.
And then, thirdly, there is no financial liability on any
of our products and services.
Mr. Foley. Having personally been victimized, Congressman,
I just hope that whatever we do applies retroactively so I
could collect some of the money I lost trying to reestablish my
own accounts and identity and the time that it took me to do
that.
I would also add that----
Mr. Lynch. Mr. Foley, on that point, I mean, you must have
explored that possibility, right?
I mean, I know that for many of these identity theft
victims, the only recourse that they have, generally, is to sue
the merchant based on the merchant's own privacy policy. That
seems to be the only common denominator. If it is cleverly
crafted, that may be, you know, an empty opportunity as well.
Mr. Foley. Yes. As an individual, I still do not know how
my information was breached, quite frankly. And I am very, very
protective, being in the business that I am in.
I would also say, I was expert in terms of getting remedy
and getting my funds back from the issuer as quickly as I
possibly could. I do not think that most consumers would have
that knowledge level that I had, to Congressman McCarthy's
question.
It was about, all in all, about a 1-month process for me to
complete all the paperwork and documentation to make sure that
all the transactions were refunded to me.
In response to your question, I do agree with it.
I would say that the other piece of this that needs to be
examined would be the people in the payment systems industry.
My personal experience is mostly with MasterCard and Visa.
My hope would be that the private sector would be able to
address this problem. And the credit union industry has had
ongoing talks with MasterCard and Visa.
There are card association rules, which I believe will levy
up to a $0.5 million penalty toward each merchant that was
noncompliant with the standards. However, as I had said in my
testimony, I have not seen much evidence of the card
associations bringing any sort of standard to bear on behalf of
the merchants.
So that I would just like to underscore, I think that as we
go through this process, there also needs to be some redress
for the people in the payment systems.
And also just to underscore, as a small issuer, the drain
that it is bringing on the payment systems. When one of my
member's accounts is cleaned out, they want their money back
immediately. In my own case, I have two people that support
10,000 cards. And when one of these large breaches happens, 700
cards are stolen, I have two people that are immediately trying
to deal with that issue, and every single one of those
cardholders' issues is more important than the guy next to
them.
So I think that it is important to also consider the whole
role the payment systems play in this issue.
Mr. Price. The gentleman's time has expired.
Would the remaining panel members wish to respond very
briefly?
Mr. Sanford. We agree that the time and intrusion on
people's lives, if they are a victim, is significant. That is
why we arranged for those counselors, that is why we got them
insurance to compensate them for lost wages.
I think there is tort liability available for people. There
already is a cause of action if they suffer actual harm.
I am not familiar with the regulatory framework for
merchants, though, that might apply for these penalties.
Mr. Lynch. So do you support an enhanced cause of action
right now? It is very cumbersome for an individual to try to
bring a cause of action for identity theft.
Mr. Sanford. I actually did not know that it was difficult
for them to bring cause of action.
Mr. Price. Mr. Ward, did you have a comment?
Mr. Ward. Yes. Actually, the battle against identity theft
is really a two-pronged battle. It is on the electronic side,
which is what all the gentlemen on this panel were talking
about. The other part of the battle is on the disposal side.
The improper disposal of information accounts for--I have
heard numbers anywhere from 5 percent to 35 percent--of the
total identity theft problem.
If you can deal with that part of the issue--which can be
dealt with fairly easily, fairly inexpensively--under the
framework that you all have already established through the
FACT Act, you can deal with some significant portion of the
problem already.
Additionally, if you can put the management of these
companies on notice through some type of Sarbanes-Oxley-type
arrangement where they are held accountable and responsible for
the development of a proper disposal plan, then that will put
some teeth into it and should help alleviate some of the
disposal issues.
Mr. Lynch. Mr. McGuffey, should there be any--and I am just
trying to get the final answer from the panelists. I mean, is
there any value in holding these people accountable?
Mr. McGuffey. Well, I have a similar reaction. First of
all, we are not in the merchant business. And I would have
thought that there was tort liability.
But your point of the amount of time and effort that
individuals have to spend is one of the reasons that we funded
a nonprofit organization, the Identity Theft Center, in order
to help and provide assistance to where those who maybe do not
know how to take care of these matters or have assistance, and
it is expanding the victim assistance that that particular
nonprofit can deliver. It is launching consumer education and
developing a panel of experts to be able to continuously
improve the response and best practices associated with this.
So we recognize some of that, and we are trying to fund
that effort in order to help victims.
Mr. Price. The gentleman's time has expired.
Mr. Lynch. Thank you, Mr. Chairman.
Mr. Price. Thank you.
And I appreciate the indulgence of the committee members.
The Chair recognizes Ms. Wasserman Schultz from Florida for
5 minutes.
Ms. Wasserman Schultz. Thank you, Mr. Chairman. There is
something to be said for saving almost the best for last.
The question that I have is actually related to legislation
that you have referred to during your testimony that is being
found around the country and the States. And we also,
obviously, have four or five bills that I am aware of that have
been filed here.
I guess the concern that I have is not providing, since we
are talking about security, not providing consumers with a
false sense of it. Because much of what your companies are
doing, most people are not aware of. I mean, your processes by
their very nature are very internal.
So what do you think the best approach is to ensuring that
we are not regulating for regulation's sake? I mean, you can
write a law that requires you to reveal a breach. But let's say
you do not. How are we going to ensure that we write a law that
actually ensures, I mean, the ease of enforcement?
All of you can respond.
Ms. Desoer. In the financial services business, again, with
the laws that do exist in the Interagency Guidelines, there is
the Office of the Comptroller of the Currency, who is the next
line of defense to do that kind of audit to validate that we
are in compliance.
And so I would think there would need to be something
equivalent to that to ensure--I mean, we take the
responsibility and accountability on ourselves as the first
line of defense to comply, but there are second lines of
defense and third line of defense and the regulators that do
double check that we are compliant.
Ms. Wasserman Schultz. But there is also--just before the
rest of you answer--there is some moral obligation for you all
to have reported breaches that occurred, and at least some of
you waited a long time before you did that.
I mean, should there be a very significant--I mean, there
has to be something that pokes beyond your conscience.
I mean, I am concerned that we would, in the rush to
reassure our constituents that we are addressing this, that we
will pass a whole lot of legislation that really will not make
the situation better, because it will be extremely difficult to
enforce and there will still be much of the obligation on you
and that that is really the ultimate consumer protection.
Ms. Desoer. It really is. Because the first guiding
principle needs to be that anyone who is in the business of
collecting or storing or disposing of customer information
takes their responsibility for safeguarding that information very
seriously.
If you do not start with that, you are right, you could get
a false sense of security.
Mr. Foley. My particular experience is fairly specific. The
credit and debit cards, in our case, quite frankly, because of
our limited resources, it is more expensive for us to monitor
accounts than it is just to automatically do a reissue and know
that there is not going to be a problem further down the line.
So that in our particular case, although we are doing the
notification, we are protecting the consumer by doing immediate
reissue of the account so that there is no question 6 months
down the line and we do not have to spend the resources for 6
months monitoring the account.
Like our counterparts in the commercial banking area, the
National Credit Union Administration does require security
audits, and most financial institutions, as a regulated
industry, would have to comply with those federal audits.
Mr. McGuffey. Earlier in the question and answer period
here there was a question about market forces. And we happen to
think that there are significant market forces that cause
companies to do the right thing in order to protect data, in
order to either notify, which as you know a number of us did,
without a regulation.
It is difficult occasionally to write regulation, it would
seem to me, and then also be able to deal with compliance
aspects of it.
Indeed, we already are finding, I think as testimony has
been given, that our law enforcement appears to be somewhat
underfunded in the ability to go and execute against the
criminals who oftentimes appear to be winning.
So we have supported the law enforcement. We are in support
of funding additional in order to make sure that we are able as
a country and a society to catch the criminals, because
ultimately we have to get rid of them in order to fix part of
this problem.
Mr. Sanford. I think if you have a statute, like take
notice, clearly you have to put teeth into it to do your
investigations in an expedient and reasonable fashion. You need
to make notice in an expedient manner. I think the California
statute has that language.
Certainly for people that violate that, if there is a
penalty in the statute, I mean, that makes sense.
Less expedient--that is the question. Because every breach
is going to be different, depending upon the number of
individuals, the complexity of the breach, the sophistication
of the company. Was the technology designed for that company
such that it can recreate history to determine what happened?
So I think we are stuck with the fact that we have lots of
different businesses out there.
But I do not want to lose sight of the fact that my company
and every company in my industry is regulated by unfair and
deceptive business practice statutes at both the federal and
every state level. I mean, attorneys general in the States are
very active. People look at businesses like us, when we do
things voluntarily, to see whether or not we are being
responsible businesses.
I do not think we can legislate this morality into
businesses.
It is important to us, it is important to the 40,000 people
that are part of my company around the world, that my company,
when it faces adversity, shows its true character and does what
is responsible, whether there is a law or not.
And there are no laws guiding me in most of anything we
have done in this manner.
And so what I have said is, I certainly would welcome the
legislation if this committee deems it is appropriate, because
we are doing these things anyway.
Mr. Price. Mr. Ward?
Mr. Ward. The key to a company properly disposing of their
records is to do the due diligence with the contractor that
they choose to have destroy their financial records or personal
records.
Our industry has a voluntary self-imposed certification
process through our trade association where we have gone
through, and each company, member-company, is subject to an
annual audit. And the annual audit has a pretty lengthy series
of policies and procedures that if the company passes that
audit then the contracting company who hires the shredding
vendor should feel comfortable that that person is not going to
willfully steal any of the information.
I cannot speak to mistakes, because those things do happen
periodically.
But since our association has been formed 11 years ago, we
have about 650 members in the association, and we have had no
leaks of information under that process.
Mr. Price. The gentlelady's time is expired. Thank you.
The Chair recognizes the gentlelady from Wisconsin, Ms.
Moore.
Ms. Moore of Wisconsin. Well, thank you so much, Mr.
Chairman.
And thank you, panel, for your patience.
I have questions that all of you can answer, because all of
you seem to be very enamored with the idea of retaining the
national I.D. number, or Social Security numbers, for just to
have some sense of flow from one industry to the next.
It was 30 years ago, I knew people who were regarded as
marginally sane, who, you know, were prophetic about the use
of these Social Security numbers.
And, indeed, just a couple of weeks ago, a few weeks ago, I
was cutting up old cards that were no longer useful and
realizing that my health insurance card had my full Social
Security number on it. I had been walking around with it in my
pocketbook for 16 years. Both of my sons had one.
You know, every clerk, receptionist, temp worker that
ever--you know, I understand electronic problems and disposal
side problems.
But my Social Security number, the full Social Security
number, was used as my member I.D. number.
So I think that people who are not hackers have access--you
can barely check out of the hospital with a newborn without
having a Social Security number. Somebody is born, and they
have no way of protecting their identity.
Also, I guess this question is very directed toward Ms.
Desoer--I hope I am pronouncing that correctly--or to Mr.
Foley, who is with the Harvard University Employees Credit
Union.
I recall--and I hope I am not breaching our
confidentiality, Congresswoman Wasserman Schultz--as we were
agonizing over whether or not to vote for the bankruptcy bill,
trying to just view it as a way of controlling all the
slackers, that there absolutely was no protection, as has been
discussed, for people whose identity is stolen.
I mean, they are people who would not necessarily have
bankruptcy available to them, who are victims of identity
theft.
So I guess, before my time expires, I would really like you
guys to address those two things.
I mean, number one, you know, your Social Security number,
it is for the convenience I think of these industries, is used
everywhere, and we are required to carry these cards around in
our pockets. It does not matter--you know, I am sitting here
shredding it up after I have carried it in my wallet for 16
years, and my kids have lost them a thousand times.
And, also, why were you all so adamant about not protecting
people whose identities were stolen in the new bankruptcy bill?
Thank you.
Ms. Desoer. Related to the Social Security number and its
use at Bank of America, we do use it as an identifying piece of
information in order to validate and authenticate and identify
the customer who is attempting to open a new account,
attempting to obtain credit et cetera.
And then once we have obtained it, again, we take our
responsibility to protect that information from getting in the
wrong hands the wrong way accordingly by truncating numbers and
other methods of protecting.
So we take that very seriously, and we believe we have the
right processes in place to protect it.
On your issue relative to Social Security number and
protections in bankruptcy, I need to get back to your office, I
am sorry, with an answer to that question.
Ms. Moore of Wisconsin. Okay, thanks.
And before my time expires, I do want to ask a very pointed
question to ChoicePoint: You said in your press release and in
your testimony today that ChoicePoint will discontinue the sale
of information products that contain sensitive consumer data,
including Social Security and driver's license numbers, except
where there is a specific consumer-driven transaction or
benefit or where the product supports Federal, State or local
government and criminal justice purposes.
My God, what exception is that? Sounds like it is wide open
to me--that is in addition to the others I have asked.
Mr. Foley. I will just also echo that I am not as familiar
with the bankruptcy provision. I will have to follow up with
under what circumstances somebody would be able to be
considered. I believe there are exclusions, but I am not sure
of that.
In terms of financial institutions capturing and using the
Social Security number, again, there are requirements for us to
file information with the Internal Revenue Service, and we have
for quite some time been masking and protecting that, no longer
using that as part of the account number itself.
But at some point in that account opening, in order for us
to comply with IRS reporting, we do need to capture it.
Mr. McGuffey. Yes, we have had discussion around the use of
Social Security numbers, and I agree with you, they are
relatively prevalent and used as an I.D. oftentimes. Indeed,
even in my past, my health care card had an I.D. number that
was my Social Security number.
So Social Security numbers are used a great deal as an I.D.
And in fact, it is used as one of the key identifiers to help
make sure that we are associating a transaction or other
records with the right person, making sure that we are not
causing conflict with someone else because we are misusing a
particular record because we do not have a good identifier.
So it is important to use those Social Security numbers and
other identifiers to make sure that we are associating the
proper records together.
With regard to our business changes that we have made, the
business changes that we have made really isolate the use of
and the display and the delivery back to our customers in
situations where there is a consumer benefit.
Examples of that would be where an individual is seeking
insurance, and in that situation they may disclose their Social
Security number, we may need to be able to make sure that we
are associating the proper records together, where we are
actually providing to our customer the appropriate record so
they can proceed and underwrite the business.
Preemployment screening is another line of service that we
have that is covered by FCRA, as the insurance is, insurance
services are, and in that case we oftentimes have to use a
Social Security number to make sure that we are associating
proper records, whether they may be a credit report, whether it
may be a driver's license number in order to get a motor
vehicle record, or in some cases even to make sure that we can
identify the right person associated with a criminal record.
So there are a number of cases in our business that we will
continue to use Social Security numbers, and most of those are
transactions that are initiated by a consumer.
Mr. Sanford. Decades ago the Social Security number----
Ms. Moore of Wisconsin. Including the criminal, you know,
like the woman who just got a mortgage recently in this area,
stealing somebody's I.D. I mean, I walk in there with my health
care card with my Social Security number on it, and there is a
receptionist who can go file for a mortgage.
Mr. Price. The gentlelady's time has----
Ms. Moore of Wisconsin. That is a consumer--I am sorry, Mr.
Chair.
Mr. Price. It has expired. If you want to briefly answer,
Mr. Sanford, Mr. Ward?
Mr. Sanford. Yes, Mr. Chairman.
I mean, clearly, when Social Security numbers were
introduced decades and decades ago, they were not intended to
be national identification numbers. For good or bad, they are
now in the public domain.
There was a Wall Street Journal article a few weeks ago
that said you could do a Google search and pull up 70 million,
I think was the number, of Social Security numbers.
The reason why a Social Security number is out there, why
our industry is suggesting that we not limit access to it, is
because of that unique ability to match and link data. There
are people transacting today, doing business, using Social
Security numbers that have not even been issued yet. And if we
did not have SSNs, we could not match and link data to show
that.
We have people using SSNs that are other people's. We have
people using SSNs that do not match date of birth. We have
people using SSNs and providing addresses which are prisons and
hospitals, which are high-risk addresses, which indicate that
there is a potential fraud associated with this particular
individual. We have people using them on people who are
deceased.
And so what we are saying is, is that leave the SSNs
available to match and link data so we can stop the fraud. We
maybe can do a better job on display, on who really needs to
see it in the answer.
On bankruptcy, we did not weigh in on the debate on the
bankruptcy legislation, so I am not able to respond to your
question on that.
Mr. Price. Mr. Ward, briefly?
Mr. Ward. Thank you.
What your question points to is directly to the need for a
consumer disclosure statement. If you go into your doctor's
office and they ask for your health care card and it has your
Social Security number printed on it and they photocopy it and
later dispose of it, you have no clue or idea how that
information has been disposed of.
With a proper disclosure statement, then you know what that
company or doctor's office policy is toward disposal of that
information and you know what procedures they go through so you
can feel comfortable with releasing that.
Mr. Price. I want to thank the members of the panel for
your patience and for your information and would encourage you,
as others have, to continue to increase the communication with
this committee as we move forward.
This hearing stands adjourned.
[Whereupon, at 12:46 p.m., the committee was adjourned.]
A P P E N D I X
May 4, 2005
[GRAPHIC] [TIFF OMITTED] T4091.001 through T4091.063 (63 appendix pages not reproduced in this text version)