[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]




 
                        ENHANCING DATA SECURITY:
                      THE REGULATORS' PERSPECTIVE

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
               FINANCIAL INSTITUTIONS AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 18, 2005

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 109-31


                    U.S. GOVERNMENT PRINTING OFFICE
25-573                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts
RICHARD H. BAKER, Louisiana          PAUL E. KANJORSKI, Pennsylvania
DEBORAH PRYCE, Ohio                  MAXINE WATERS, California
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware          LUIS V. GUTIERREZ, Illinois
PETER T. KING, New York              NYDIA M. VELAZQUEZ, New York
EDWARD R. ROYCE, California          MELVIN L. WATT, North Carolina
FRANK D. LUCAS, Oklahoma             GARY L. ACKERMAN, New York
ROBERT W. NEY, Ohio                  DARLENE HOOLEY, Oregon
SUE W. KELLY, New York, Vice Chair   JULIA CARSON, Indiana
RON PAUL, Texas                      BRAD SHERMAN, California
PAUL E. GILLMOR, Ohio                GREGORY W. MEEKS, New York
JIM RYUN, Kansas                     BARBARA LEE, California
STEVEN C. LaTOURETTE, Ohio           DENNIS MOORE, Kansas
DONALD A. MANZULLO, Illinois         MICHAEL E. CAPUANO, Massachusetts
WALTER B. JONES, Jr., North          HAROLD E. FORD, Jr., Tennessee
    Carolina                         RUBEN HINOJOSA, Texas
JUDY BIGGERT, Illinois               JOSEPH CROWLEY, New York
CHRISTOPHER SHAYS, Connecticut       WM. LACY CLAY, Missouri
VITO FOSSELLA, New York              STEVE ISRAEL, New York
GARY G. MILLER, California           CAROLYN McCARTHY, New York
PATRICK J. TIBERI, Ohio              JOE BACA, California
MARK R. KENNEDY, Minnesota           JIM MATHESON, Utah
TOM FEENEY, Florida                  STEPHEN F. LYNCH, Massachusetts
JEB HENSARLING, Texas                BRAD MILLER, North Carolina
SCOTT GARRETT, New Jersey            DAVID SCOTT, Georgia
GINNY BROWN-WAITE, Florida           ARTUR DAVIS, Alabama
J. GRESHAM BARRETT, South Carolina   AL GREEN, Texas
KATHERINE HARRIS, Florida            EMANUEL CLEAVER, Missouri
RICK RENZI, Arizona                  MELISSA L. BEAN, Illinois
JIM GERLACH, Pennsylvania            DEBBIE WASSERMAN SCHULTZ, Florida
STEVAN PEARCE, New Mexico            GWEN MOORE, Wisconsin,
RANDY NEUGEBAUER, Texas               
TOM PRICE, Georgia                   BERNARD SANDERS, Vermont
MICHAEL G. FITZPATRICK, 
    Pennsylvania
GEOFF DAVIS, Kentucky
PATRICK T. McHENRY, North Carolina

                 Robert U. Foster, III, Staff Director
       Subcommittee on Financial Institutions and Consumer Credit

                   SPENCER BACHUS, Alabama, Chairman

WALTER B. JONES, Jr., North          BERNARD SANDERS, Vermont
    Carolina, Vice Chairman          CAROLYN B. MALONEY, New York
RICHARD H. BAKER, Louisiana          MELVIN L. WATT, North Carolina
MICHAEL N. CASTLE, Delaware          GARY L. ACKERMAN, New York
EDWARD R. ROYCE, California          BRAD SHERMAN, California
FRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York
SUE W. KELLY, New York               LUIS V. GUTIERREZ, Illinois
RON PAUL, Texas                      DENNIS MOORE, Kansas
PAUL E. GILLMOR, Ohio                PAUL E. KANJORSKI, Pennsylvania
JIM RYUN, Kansas                     MAXINE WATERS, California
STEVEN C. LaTOURETTE, Ohio           DARLENE HOOLEY, Oregon
JUDY BIGGERT, Illinois               JULIA CARSON, Indiana
VITO FOSSELLA, New York              HAROLD E. FORD, Jr., Tennessee
GARY G. MILLER, California           RUBEN HINOJOSA, Texas
PATRICK J. TIBERI, Ohio              JOSEPH CROWLEY, New York
TOM FEENEY, Florida                  STEVE ISRAEL, New York
JEB HENSARLING, Texas                CAROLYN McCARTHY, New York
SCOTT GARRETT, New Jersey            JOE BACA, California
GINNY BROWN-WAITE, Florida           AL GREEN, Texas
J. GRESHAM BARRETT, South Carolina   GWEN MOORE, Wisconsin
RICK RENZI, Arizona                  WM. LACY CLAY, Missouri
STEVAN PEARCE, New Mexico            JIM MATHESON, Utah
RANDY NEUGEBAUER, Texas              BARNEY FRANK, Massachusetts
TOM PRICE, Georgia
PATRICK T. McHENRY, North Carolina
MICHAEL G. OXLEY, Ohio


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    May 18, 2005.................................................     1
Appendix:
    May 18, 2005.................................................    29

                               WITNESSES
                        Wednesday, May 18, 2005

Fenner, Robert M., General Counsel, National Credit Union 
  Administration.................................................     7
Parnes, Lydia B., Director, Bureau of Consumer Protection, 
  Federal Trade Commission.......................................     4
Thompson, Sandra, Deputy Director, Division of Supervision and 
  Consumer Protection, Federal Deposit Insurance Corporation.....     5

                                APPENDIX

Prepared statements:
    Oxley, Hon. Michael G........................................    30
    Bachus, Hon. Spencer.........................................    34
    Hinojosa, Hon. Ruben.........................................    37
    Sanders, Hon. Bernard........................................    40
    Fenner, Robert M.............................................    44
    Parnes, Lydia B..............................................    63
    Thompson, Sandra.............................................    84

              Additional Material Submitted for the Record

Hinojosa, Hon. Ruben:
    Letter from Consumers Union, May 17, 2005....................   103
Fenner, Robert M.:
    Written response to question from Hon. Sue W. Kelly..........   106
Parnes, Lydia B.:
    Written response to question from Hon. Sue W. Kelly..........   108
Thompson, Sandra:
    Written response to question from Hon. Sue W. Kelly..........   110
Consumers Union, prepared statement..............................   112


                        ENHANCING DATA SECURITY:
                      THE REGULATORS' PERSPECTIVE

                              ----------                              


                        Wednesday, May 18, 2005

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:04 a.m., in 
Room 2128, Rayburn House Office Building, Hon. Spencer Bachus 
[chairman of the subcommittee] presiding.
    Present: Representatives Bachus, Kelly, Hensarling, Pearce, 
Neugebauer, McHenry, Sanders, Maloney, Sherman, Moore, Frank, 
Carson, Baca, Green, Moore, Clay, and Matheson.
    Chairman Bachus. Good morning. The Subcommittee on 
Financial Institutions and Consumer Credit will come to order. 
This morning the subcommittee is continuing its hearings on 
data security breaches.
    In the past few months there have been widely reported 
breaches of security at financial institutions and other stores 
of data about security breaches, and the subject of these 
hearings is whether or not there ought to be a standard notice 
when that occurs, what the standard of care ought to be for 
those who maintain consumers' personal information, and whether 
or not the current legislation both in Gramm-Leach-Bliley and 
the FACT Act and the guidance from the regulators is sufficient 
or whether we need to go further, whether consumers, in 
addition to notice, ought to have other rights or ought to be 
empowered further. I think the standards were just issued in 
March under Gramm-Leach-Bliley for the notifications, so it may 
be a little premature to make a final decision at this time.
    We have several members that are working on legislation, I 
know Chairman Castle and Chairman Price are working on 
legislation establishing a standard. I also know Mr. LaTourette 
is working on legislation which would give consumers the right 
to freeze their credit information in the event that they felt 
like it was being fraudulently used as a result of a data 
breach.
    The witnesses here today have only been given about a week 
to prepare for their testimony today, which is about half the 
time we normally like to give our witnesses, so I do apologize 
for that. And at this time I am going to take the opportunity 
to introduce our witnesses, and then I am going to yield to Mr. 
Sanders for an opening statement. I am going to introduce my 
entire opening statement for the record, but in the interest of 
going ahead and expediting the hearing, hearing from our 
witnesses, I will abbreviate my opening statement.
    But we have with us today the FTC Director of the Bureau of 
Consumer Protection, Lydia Parnes.
    Ms. Parnes. Parnes.
    Chairman Bachus. Thank you.
    FDIC Deputy Director of the Division of Supervision and 
Consumer Protection, Sandra Thompson. We welcome you, Ms. 
Thompson. And Ms. Parnes, am I getting it right now?
    Ms. Parnes. Yes, you are.
    Chairman Bachus. Thank you. And I should have asked before 
the hearing. I apologize.
    And NCUA General Counsel Robert Fenner. Thank you.
    We look forward to hearing from the witnesses and thank 
them for taking time from their schedules to join us. And if 
you all would move the mikes up pretty close to you.
    And at this time I will yield to Mr. Sanders for an opening 
statement.
    [The prepared statement of Hon. Spencer Bachus can be found 
on page 34 in the appendix.]
    Mr. Sanders. Thank you very much, Mr. Chairman. And thank 
you very much to our panelists who are here today.
    This is clearly an important issue. Identity theft and 
breach in security at some of our Nation's largest companies 
are huge issues that this committee has got to address, and I 
am glad that we are holding this hearing today.
    According to the Federal Trade Commission, 27.3 million 
Americans have been victims of identity theft in the past 5 
years--that is a huge number of people--costing businesses and 
financial institutions some 48 billion and consumers $5 
billion. Victims of identity theft pay an average of about 
$1,400, not including attorney fees, and spend an average of 
600 hours to clear their credit reports. So we are dealing with 
an issue of real concern to the American people.
    In addition, Mr. Chairman, since 2003, there have been a 
number of security breaches at some of the biggest companies in 
this country, threatening the financial privacy of millions of 
Americans. The largest one became public in February of 2003 
when the FBI announced a nationwide investigation of a computer 
database security breach containing roughly 8 million Visa, 
MasterCard, and American Express credit card numbers. This 
breach forced many financial institutions to reissue thousands 
of Visa and MasterCards as a precaution against potential 
fraud.
    But we are not just talking about credit card companies; we 
are talking about TimeWarner, Lowe's stores, T-Mobile USA, 
ChoicePoint, LexisNexis, Wells Fargo, Bank of America, Chevy 
Chase, and SunTrust. The list goes on and on.
    For a variety of reasons, Social Security numbers, debit 
and check card information, driver's license numbers, e-mails, 
personal computer files, and information about student loans 
and mortgages are being stolen by computer hackers and other 
scam artists. Mr. Chairman, this has got to stop. We must make 
sure that identity thieves are prosecuted to the fullest extent 
of the law, but we must also make sure that the largest, the 
most profitable multinational companies in this country do 
everything they can to make sure that these scam artists don't 
succeed in the first place.
    In addition, Mr. Chairman, this committee must focus on how 
the outsourcing of financial service jobs to China, India, and 
other low-wage countries is threatening the privacy of our 
citizens. That is an issue I think that we can no longer 
ignore.
    According to a study published by the consulting firm A.T. 
Kearney, more than 500,000 financial service jobs in the United 
States, representing 8 percent of all jobs in banking, 
brokerage, and insurance firms, will move offshore in the next 
5 years, saving these companies some $30 billion. Now that is 
an issue unto itself from a worker perspective, but it is also 
a major issue in terms of the privacy issue that we are dealing 
with today.
    It seems that no financial service firms or credit bureau 
agency is immune to overseas outsourcing, and we are the 
biggest ones doing that. One example of the troubling trend in 
outsourcing is occurring at TransUnion. According to David 
Emory, executive vice president and chief financial officer of 
TransUnion, quote, 100 percent of our mail regarding customer 
disputes is going to India at some point, end of quote.
    And according to a report in the San Francisco Chronicle, 
quote, two of the three major credit reporting agencies, each 
holding detailed files on about 220 million U.S. consumers, are 
in the process of outsourcing sensitive operations abroad, and 
a third may follow suit shortly, industry officials acknowledge 
for the first time, end of quote.
    Mr. Chairman, with growing problems in identity theft and 
with no domestic legal protection for the privacy of the 
personal records of American citizens, the situation is 
unhappily ripe for abuse, and the evidence is mounting. It was 
recently reported that three former call center workers in 
India allegedly cheated Citibank customers in the U.S. out of 
hundreds of thousands of dollars. It has also been reported 
that Geometric Software Solutions in India, another overseas 
outsourcer, illegally tried to sell the U.S. clients' 
intellectual property. And an employee in Pakistan doing 
clerical work for a medical center in California threatened to 
post confidential medical records of U.S. patients on the 
Internet unless she was adequately compensated for her work.
    I would like to ask that witnesses today--and I hope that 
this is an issue that you will cover, the following questions. 
Exactly what kind of legal protections do U.S. consumers have 
when our privacy laws are violated overseas? As I understand 
it, it would be difficult, if not impossible, to prosecute 
financial services or credit bureau workers outside of the 
United States for breaking laws relating to financial privacy 
and consumer protection. That is why I am supportive of 
legislation introduced by Congressman Markey that would make it 
illegal for companies in the U.S. to send financial data abroad 
without the express written consent of their customers.
    Mr. Chairman, thank you again for holding this very 
important hearing. And I look forward to hearing our witnesses.
    [The prepared statement of Hon. Bernard Sanders can be 
found on page 40 in the appendix.]
    Chairman Bachus. I thank the ranking member.
    Are there other members that wish to make an opening 
statement? If not, we will hear from our witnesses. Ms. Parnes.

  STATEMENT OF LYDIA B. PARNES, DIRECTOR, BUREAU OF CONSUMER 
              PROTECTION, FEDERAL TRADE COMMISSION

    Ms. Parnes. Thank you. Mr. Chairman and members of this 
subcommittee, I am Lydia Parnes, Director of the Bureau of 
Consumer Protection of the Federal Trade Commission.
    I want to thank you for holding today's hearing on the 
important issue of improving the security of consumers' 
personal information and reducing the risks of identity theft. 
The FTC staff greatly appreciate the leadership of Chairman 
Bachus, Representative Sanders, and the Financial Services 
Committee in the recent revisions to the Fair Credit Reporting 
Act. And I look forward to working with you on this issue as 
well.
    Although the written testimony submitted to the 
subcommittee represents the views of the Commission, my oral 
presentation and responses to your questions are my own and do 
not necessarily reflect the views of the Commission or any 
individual commissioner.
    Americans are very concerned about the security of their 
personal information, and for good reason. All told, each year 
identity theft costs American businesses $48 billion and 
consumers $5 billion more. Not surprisingly, there is a direct 
correlation between the type of identity theft and its cost to 
victims. According to an FTC survey, although people who had 
new accounts opened in their names made up only one-third of 
the victims, they suffered two-thirds of the harm.
    The Commission has worked hard to assist victims and to 
educate consumers and businesses about the risks of identity 
theft. We facilitate cooperation, information sharing, and 
training among Federal, State, and local law enforcement. The 
Commission maintains a Web site and a toll-free hotline to 
respond to the 15,000 to 20,000 inquiries we receive each week, 
and our trained counselors advise victims on how to reclaim 
their identities. In addition, many of the recent revisions to 
the Fair Credit Reporting Act are designed to assist victims of 
identity theft, and the Commission is working hard to implement 
these provisions.
    The recent breaches of consumer information have focused 
attention on the practices of data brokers that collect and 
sell information for a wide variety of purposes. Despite the 
potential benefits of these information services, as recent 
events demonstrate, if the sensitive information they collect 
gets into the wrong hands, it can cause serious harm to 
consumers.
    A variety of laws and regulations address the security of 
and access to sensitive information that these companies 
maintain. When breaches occur, the Commission staff takes a 
close look to determine if existing laws have been violated. 
Although such investigations are nonpublic, ChoicePoint has 
publicly acknowledged that it is under investigation by the 
FTC.
    The recent breaches raise the question of whether existing 
laws are sufficient to protect consumers' information, and new 
legislation in fact could be useful. As FTC Chairman Majoras 
has testified, the most immediate need is to address the risks 
to the security of the information. At the outset, companies 
should take steps to prevent breaches before they happen. 
Therefore, it makes sense to impose substantive security 
requirements on data brokers and other entities that collect 
sensitive personal information, much like the security 
requirements imposed under the Commission's safeguards rule.
    Another step to consider would be a workable Federal 
requirement for notice to consumers when there has been a 
security breach that raises a significant risk of harm to 
consumers. As was the case in this committee's consideration of 
the FACT Act, the challenge is to fashion effective consumer 
protection while preserving the benefits that legitimate 
information services provide to consumers and the economy.
    Mr. Chairman, members of the subcommittee, the FTC shares 
your concern for the security of consumer information, and we 
will continue to take steps within our authority to protect 
consumers.
    Thank you for the opportunity to discuss this vitally 
important subject, and I am happy to respond to your questions.
    Chairman Bachus. Thank you.
    [The prepared statement of Lydia B. Parnes can be found on 
page 63 in the appendix.]
    Chairman Bachus. Ms. Thompson.

  STATEMENT OF SANDRA THOMPSON, DEPUTY DIRECTOR, DIVISION OF 
SUPERVISION AND CONSUMER PROTECTION, FEDERAL DEPOSIT INSURANCE 
                          CORPORATION

    Ms. Thompson. Thank you, Chairman Bachus, Ranking Member 
Sanders, and members of the subcommittee. I appreciate the 
opportunity to testify before this subcommittee on behalf of 
the FDIC. I cannot overemphasize the importance we place on 
data security and protecting sensitive information. As well as 
causing financial harm and emotional distress to consumers, the 
failure or misuse of data security can impact the safety and 
soundness of an institution and undermine confidence in the 
banking system and the economy.
    My oral statement this morning will briefly describe some 
of the emerging trends and developing threats we see in terms 
of security breaches. I will also discuss the FDIC's 
examination programs, and I will touch on our outreach efforts 
to the industry and consumers.
    The Internet has made it possible to build a virtual 
storefront that criminals can use to conduct business.
    Malicious software on users' computers, phishing schemes, 
and pharming technologies are all aimed at consumers. Financial 
institutions and companies that store, transport, and use 
consumers' information are also targets.
    Phishing continues to increase and now comprises over 50 
percent of the incidents reported to the FDIC. Phishers have 
begun attacking smaller institutions, expanding their 
operations as the larger often phished banks become less 
fertile.
    The FDIC recently published a study discussed in my written 
statement that recommends financial institutions and service 
providers consider stronger risk-based authentication 
strategies to reduce fraud related to passwords and other 
Internet account access vehicles. The Federal banking agencies 
have plans to release guidance on authentication later this 
year. To address the specialized nature of technology-related 
supervision, risks, and controls in the banking industry, the 
FDIC regularly and routinely evaluates all of its regulated 
financial institutions' information security programs through 
our information technology examinations, as well as enforcing 
privacy requirements through our compliance examination 
program.
    The FDIC also conducts IT examinations of the major 
technology service providers that support financial 
institutions. Through a national examination program, onsite 
reviews of large technology service providers are conducted on 
an interagency basis.
    As you know, Congress has passed several key laws designed 
to protect personal information. These laws have become part of 
the business of banking and include the Gramm-Leach-Bliley Act, 
the Fair and Accurate Credit Transaction Act, and the Fair 
Credit Reporting Act. Institutions that fail to comply with 
these laws may face enforcement actions ranging from informal 
agreements to civil money penalties or other administrative 
actions.
    The FDIC takes a proactive approach to enforcing data 
security regulations and guidance. If an institution's program 
for securing customer data is inadequate, the FDIC takes action 
regardless of whether or not there has been a compromise in 
data security. When data protection fails, financial 
institutions must adhere to the "Response Program" guidance 
issued by the FDIC and the other regulators in late March. The 
guidance is designed to address incidents of unauthorized 
access to sensitive customer information. Among many other 
things, customer notice should be given in a clear and 
conspicuous manner and should include a description of the 
incident, the types of information subject to unauthorized 
access, measures taken to protect the customers from further 
unauthorized access, a telephone number customers can call for 
information and assistance, and a reminder to customers to be 
vigilant in monitoring their account activity over the next 12 
to 24 months.
    With regard to outreach, the FDIC has taken an active role 
in reaching out to large numbers of people in the financial 
community to discuss cyber risks and controls. We have done 
this in several ways. As members with our fellow regulators in 
the Finance and Banking Information Infrastructure Committee, a 
body committed to promoting public-private partnership and 
improving coordination and communication among financial 
regulators, we hosted a series of symposia examining the 
security of the U.S. financial sector and identifying steps 
banks should take to protect themselves. To date, we have held 
20 of these sessions around the country, and over 1,000 bank 
executives have attended.
    In terms of consumer education, we recently launched a 
series of identity theft symposia, the first here in Washington 
in conjunction with National Consumer Protection Week. Given 
the standing-room-only crowd, we decided to do several more 
across the country. The idea is to bring together government, 
industry, law enforcement, and consumer interests to identify 
the scope of the identity theft problem and discuss proposed 
solutions. At our February symposium, we invited audience 
members and speakers to participate in a consumer education 
focus group and give us input on our education efforts and to 
help identify consumer needs in this area.
    Finally, I would mention that our publication, the 
quarterly FDIC Consumer News, frequently includes articles on 
identity theft. This publication goes to 60,000 subscribers 
besides being available on our Web site.
    Mr. Chairman and members of the subcommittee, thank you for 
inviting us to speak on this very important topic. No amount of 
legislation or regulation can completely eliminate the threats 
to data security; however, we believe that our collaborative 
efforts with the industry, the public, and our fellow 
regulators have and will continue to significantly minimize 
threats.
    We stand ready to work with the committee to provide any 
assistance to effectively address the elusive issues associated 
with data security.
    Chairman Bachus. Thank you.
    [The prepared statement of Sandra Thompson can be found on 
page 84 in the appendix.]
    Chairman Bachus. Mr. Fenner.

STATEMENT OF ROBERT M. FENNER, GENERAL COUNSEL, NATIONAL CREDIT 
                      UNION ADMINISTRATION

    Mr. Fenner. Thank you. Mr. Chairman and members of the 
subcommittee, thanks for the opportunity to present NCUA's 
views on this important subject of personal data security.
    Chairman Bachus. I don't think the mike is on.
    Mr. Fenner. Off to a good start. Can you hear me now, Mr. 
Chairman?
    Chairman Bachus. That is great.
    Mr. Fenner. All right. Mr. Chairman and members of the 
subcommittee, I want to thank you for the opportunity to 
present NCUA's views on this important subject of personal data 
security. And knowing that my written testimony is part of the 
record, I will be brief in my oral statement.
    My written testimony is in three parts. The first part 
describes examples of data security breaches that NCUA has 
encountered involving credit unions and credit union members. 
It is our hope that this information will be useful to the 
committee as you continue to study this serious problem and as 
you consider whether additional legislative measures are 
appropriate.
    Also, we believe these examples show that when breaches 
have occurred in the credit union system, NCUA and credit 
unions have been aggressive about taking the necessary steps 
both to notify credit union members and to minimize potential 
losses.
    The second part of my testimony describes the measures that 
NCUA has taken to enhance data security in credit unions and to 
implement the provisions of the Gramm-Leach-Bliley Act and the 
FACT Act related to data security issues. These actions include 
regulations and guidelines requiring data security programs of 
all federally insured credit unions and regulations and 
guidelines which will take effect this June 1st requiring 
response programs in the event of security breaches. These 
response programs guidelines include a requirement to notify 
members of the credit union whenever misuse of information has 
occurred or is reasonably possible and to inform members of the 
type of information that was subject to unauthorized access or 
use.
    Regulation and guidance to implement the relevant FACT Act 
provision are also well underway. Included are rules on proper 
disposal of information--those rules took effect last 
December--and ongoing interagency work to develop regulations 
on red flag programs.
    My written testimony also describes numerous other actions 
that NCUA has taken to keep the issue of data security in the 
forefront with credit unions and the interagency effort to 
examination and enforcement procedures. And we appreciate, by 
the way, the lead that both the FTC and the FDIC have taken in 
developing many of these rules and guidelines.
    Finally, NCUA has two recommendations. First, we recommend 
that Congress restore NCUA's authority to examine third-party 
vendors that provide data processing and other services to 
credit unions. We note that we are the only FFIEC agency that 
does not possess this authority.
    Also, while the vast majority of vendors are fully 
cooperative with NCUA, we have encountered instances of lack of 
cooperation, and as you can imagine, those tend to be the 
vendors who have something to hide. We believe that examination 
authority would strengthen NCUA's bargaining position in 
obtaining needed information quickly from vendors as well as 
enabling us to actually conduct full examinations in those rare 
cases where it becomes necessary.
    Lastly, we want to note that we support Congress' 
consideration of whether data brokers and other nonfinancial 
institutions that maintain and distribute consumer data should 
be subject to requirements similar to those of Gramm-Leach-
Bliley and the FACT Act.
    Again, I want to thank you for the opportunity to appear 
today, and I would be happy to answer any questions.
    Chairman Bachus. Thank you.
    [The prepared statement of Robert M. Fenner can be found on 
page 44 in the appendix.]
    Chairman Bachus. Mr. Hensarling, do you have questions?
    Mr. Hensarling. Thank you, Mr. Chairman.
    Ms. Parnes, under one of the titles of Gramm-Leach-Bliley, 
I believe it is a criminal act to use deceptive tactics to 
obtain certain sensitive financial information. I understand 
that an ounce of prevention is worth a pound of cure, but with 
respect to the FTC can you give me some insight into what is 
going on in the enforcement side to the bad actors out there?
    Ms. Parnes. Of course. Congressman, the FTC, as you know, 
has only civil authority; we do not have any criminal 
authority. On the civil side, the Commission enforces the 
safeguards rule which was issued under Gramm-Leach-Bliley. The 
rule requires financial institutions--and that would include 
consumer reporting agencies--or other service providers to 
maintain reasonable procedures to safeguard the customer 
information that they have. And the Commission has brought 
cases to enforce the safeguards rule.
    We also enforce section 5 of the Federal Trade Commission 
Act, which prohibits unfair and deceptive practices. And the 
Commission has brought a number of cases challenging, as 
deceptive, promises that were made to keep consumers' 
information secure. Although the Commission has not exercised 
its unfairness authority, the Commission has stated that it 
believes that security breaches can be unfair under the FTC 
Act. So we have engaged in enforcement both under Gramm-Leach-
Bliley and under the FTC Act.
    Mr. Hensarling. I am still a little unclear on exactly 
where the trigger mechanism might be under the interagency 
guidance document on when a consumer would be notified that 
there has been a breach of security. Or are you concerned that 
if the trigger--or I guess to use a different metaphor, if the 
hurdle rate is too low, that consumers will be getting perhaps 
too many of these notices to where those that really do not 
pose a significant risk somehow detract from those that 
actually do, and the consumer ends up ignoring all of this 
disclosure to their detriment?
    Ms. Parnes. I think that the trigger for notice is probably 
the most difficult issue here. And the issue that you are 
raising is precisely the concern. If consumers are inundated 
with notices, there are two potential problems: One is that 
they may put fraud alerts on their consumer reports when there 
really is no problem, and that can cause--that can create 
problems for consumers and for the industry as well.
    On the other hand, they may get so many notices that they 
just start ignoring them, and when there is a notice that 
represents a real threat, they won't act on it. So I think that 
is a balance that we will have to consider.
    Mr. Hensarling. Ms. Thompson.
    Ms. Thompson. I would like to add to that, because the 
banking regulators spend a considerable amount of time trying 
to determine the threshold. And I think that in the "Response 
Guidance" that we recently issued in March, the threshold for 
customer notification was after the institution conducts an 
investigation on the incident and there is clear evidence that 
misuse has occurred or there is a reasonable possibility that 
misuse is likely to occur, then that sets the threshold for the 
customer notice. But, again, we did want to strike a balance 
and make sure that customers and consumers were not inundated 
with notices that would over time become meaningless. But the 
agencies did spend a considerable amount of time on this issue.
    Mr. Hensarling. I was pleased to see in the interagency 
guidance that it seemingly avoids kind of a one-size-fits-all 
approach. Ms. Thompson, can you tell us why the security and 
notification guidelines might be different for Citibank and 
First State Bank of Athens, Texas, in the Fifth Congressional 
District of Texas?
    Ms. Thompson. Congressman, I would be happy to. We believe 
that it is inappropriate to have the same procedures for small 
and large institutions. There are approximately 8,000 
institutions that have Federal deposit insurance, and they 
range from the very small community banks to the large 
institutions. And the risk profiles for each bank are 
significantly different. For example, a small community bank 
would typically offer limited Internet banking services to 
retail customers and/or small businesses; whereas a large 
institution, such as the one that you have mentioned, would 
have very extensive Internet access and sophisticated online 
services that would entail a much greater risk to the bank and 
its customers. We believe that the controls that are in place 
should be commensurate with the risk and that each institution 
poses a different risk.
    Mr. Hensarling. My time has expired. Thank you. Thank you, 
Mr. Chairman.
    Chairman Bachus. Thank you. Mr. Moore.
    Mr. Moore of Kansas. Mr. Chairman, I thank the witnesses 
for being here this morning. I just want to listen to the 
testimony and the other questions. Thank you, sir.
    Chairman Bachus. Thank you.
    Mr. Neugebauer.
    Mr. Neugebauer. Thank you, Mr. Chairman.
    I think the first question I would have to the panel is 
that once these breaches have occurred and this personal data 
is out into somewhat of a public domain, what are some of the 
remedies or things that we can do or the public can do? Do they 
need to start changing their driver's license numbers? I mean, 
obviously you can't change their birthday, although some of us 
might would like to do that. But what are some of the things 
that we can do and the industry can do to help mitigate the 
issue once we do have a breach?
    Ms. Parnes. Well, Congressman, I will respond to that, but 
I think that your question really underscores the fact that 
once there has been a breach, that horse is out of the barn. 
You know, it really becomes a problem for consumers. And so in 
the first instance we really think that data brokers need to 
focus on security procedures, safeguards. And, in fact, all 
businesses that maintain personal sensitive information should 
have safeguards that they apply to personal information that 
they maintain.
    When there has been a breach, though, the FACT Act has 
provided a number of new protections for consumers who may be 
ID theft victims. For example, identity theft victims can place 
a fraud alert on their credit report. They can obtain from 
creditors the business records of the fraudulent accounts that 
were opened in their name. And that is a very important new 
right for consumers. They can get multiple free credit reports 
throughout the year to check to see if there are still problems 
being caused by the identity thief, and they can get 
information about the bad accounts that were opened by identity 
thieves. I would say victims of identity theft are also 
encouraged to contact the FTC either on our Web site or our 
toll-free number because we do have really a library of very 
good advice for consumers. The information that we have gives 
them step-by-step advice on how to regain their good name and 
model forms that they can use.
    Mr. Neugebauer. I think this second question, Ms. 
Thompson, how important is the data sharing that is going on 
today? I mean, we have data brokers and information brokers, 
and, you know, how--I mean, I think one of the concerns we have 
is it is just probably a lot of people that have a lot of 
information, probably no telling how many people have 
information about me individually. What is the impact on 
commerce if we just start saying to individuals and 
institutions and banks is we just don't share that information 
maybe other than with for credit reporting or--but selling 
lists and that type of thing. What impact would that have?
    Ms. Thompson. Well, Congressman, data brokers don't come 
under the authority of the FDIC, so I will speak to what 
happens in financial institutions. Financial institutions are 
required, as you may be aware, to have opt-out provisions, and 
they are only allowed to share information with affiliates. The 
financial regulators know that financial institutions engage in 
activities with service providers. They outsource information. 
And we hold the financial institution, the bank management, and 
the board of directors accountable for that information whether 
they process it or whether it is processed by a service 
provider.
    We conduct onsite examinations of our institutions, and in 
those examinations we make sure that we look at the contractual 
arrangements between a financial institution and a service 
provider because they are held to the same standards as the 
financial institution.
    Mr. Neugebauer. Ms. Parnes.
    Ms. Parnes. Well, we do--data brokers do come under the 
Commission's jurisdiction. And I think that while consumers are 
very concerned about the security of their personal 
information, they also really care about the economic benefits 
that accrue to all of us based on the free flow of information 
in the economy. So I think that those are interests that we 
need to balance.
    It is important for information to be secure, for personal 
sensitive information to be secure. It is also at the same time 
important for information to be able to flow so that consumers 
can get credit, they can get--they can, you know, purchase a 
car, get a mortgage with the ease that they are used to.
    Mr. Neugebauer. I think my time has expired, Mr. Chairman. 
Thank you.
    Chairman Bachus. Ms. Carson, did you? You were through, 
right?
    Mr. Neugebauer. My time has expired. I am sorry, Mr. 
Chairman.
    Chairman Bachus. Okay. Ms. Carson. No questions? Mr. Baca.
    Mr. Baca. Thank you very much, Mr. Chairman.
    Ms. Parnes, my first question. My home State of California 
has been a leader in consumer notification through the 2003 
laws, which require companies to notify the public about any 
security breach of computer data. However, according to USA 
Today's article in March, California is still a main target for 
identity theft, knowing that we have 36 million people in that 
area. Being the only State this year to have 1 million reported 
victims of identity theft, according to FTC California, 
Riverside, Los Angeles, San Francisco, San Diego, and my home 
county of San Bernardino are likely vulnerable. The article 
states that California's reputation as identity theft capital 
can be tied to major methamphetamine sales.
    I am wondering if you have any comments on the link and 
meth labs, and how the two problems can be dealt with together.
    Ms. Parnes. I am going to have to give that some thought. 
This is linking identity--the problem of identity theft?
    Mr. Baca. With meth labs in our area, since we have quite a 
few in those counties, in that area, and the availability to 
get that. I just wanted to hear your comments. But if not, you 
can submit a written statement later on and answer the 
question, if you don't mind.
    Ms. Parnes. Thank you.
    Mr. Baca. If not, my next question would be to Sandra 
Thompson. As you know, in your testimony, consumer data in 
transit, such as information stored in backup tapes and hard 
drives, have always been vulnerable to theft. However, the 
knowledge of the theft of such data can contribute to identity 
theft growing. Well, we know that. We know what our prison 
system is doing right now. What is FDIC guidance? How much 
sensitive information should be transported is the question 
number one. Does FDIC suggest that such data be encrypted to 
protect the information from hackers is question number two, or 
does the guidance encourage more common sense in physically 
protecting the backup tapes and hard drives?
    Ms. Thompson. Congressman, all of the banking regulators 
have guidance. We have 12 examination handbooks that are 
available to the public, the industry, and these handbooks have 
the examination procedures that all of the Federal banking 
regulators use when they go in and conduct banking examinations 
on IT security systems at banks.
    One of the things that is addressed in our handbooks is the 
transport of data. We don't recommend encryption specifically. 
We do suggest that data be transported in a safe and secure 
manner and that institutions consider using bonded services or 
secure vehicles to transport information.
    Generally speaking, banks back up their data so that they 
can have a system, or the information, to return to should 
something take place, and this is part of the bank's business 
continuity plan. We don't recommend specific instructions on 
exactly what to do, but we do have some suggestions on how to 
transport data, and confidential data specifically.
    Mr. Baca. Have any studies been done in reference to what I 
have been seeing on "60 Minutes" this last week on prisons and 
their availability to gather data and run their companies like 
Fortune 500 companies? Has a study been done based on the 
availability of our prisoners being able to obtain identity 
theft and the utilization of information?
    Ms. Thompson. Congressman, I am not aware of any studies 
that the FDIC has conducted in that area, but I would be happy 
to--
    Mr. Baca. I think we have got to look at it since these 
guys are so sophisticated right now and there is so much 
identity theft going on. Is there some kind of linkage that is 
done within our prison systems that is done outside that may 
affect the consumer? It is just some studies that need to be 
done. Hopefully, we can look at that.
    My next question, since I still have got some time, is for 
Mr. Fenner.
    As you know, FACTA requires--when reporting data to 
consumer reporting agencies, credit unions must use reasonable 
procedures to stop reporting data that has been already stolen 
upon notice there has been identity theft.
    In your written testimony, you explain that large credit 
unions may be able to report identity theft almost immediately, 
while smaller credit unions can take even a week to report.
    How would you describe reasonable procedures--and I state, 
reasonable procedures--and how do these procedures differ 
depending on the size of the credit union? Which is question 
number one.
    And does NCUA make the recommendations to member credit 
unions of varying size and capabilities on how to handle the 
differences and notification process when there has been 
identity theft?
    Mr. Fenner. Well, I do think that especially in the case of 
credit unions, where many of the institutions are very small, 
often run by volunteer employees, that it is important for us 
to distinguish and to clarify that the procedures need to be 
reasonable and may vary from one size institution to the next.
    Now I think that in the case of very small credit unions, a 
reasonable procedure might be as simple as keeping paper files 
on situations where members file fraud alerts, or other 
notices, that they may have been subject to identity theft so 
that that credit union, which is not run on an automated 
system--the employees and the volunteers who run the credit 
union can simply know that that is a member on whom they should 
not be re-reporting to the consumer reporting agency what might 
be fraudulent information. In other larger credit unions, it is 
going to be more of a fully automated system, but it should be 
equally effective.
    Mr. Baca. Yes. But there is a difference in the process 
between the larger ones that have an automatic system. They 
immediately get it, while the other ones, the system may vary. 
And that is what we are trying to do, is have the same kind of 
process.
    Mr. Fenner. I don't think there is any reason that it can't 
be immediate in the case of a smaller credit union as soon as 
they receive the notice from their member.
    Mr. Baca. Thank you.
    Thank you, Mr. Chairman.
    Chairman Bachus. Ms. Kelly.
    Mrs. Kelly. Thank you, Mr. Chairman.
    I want to thank all of you for your testimony, and 
specifically the FDIC and the NCUA. I am discouraged, however, 
that the FTC only referred to the practice of phishing in its 
footnotes. This is my BlackBerry. It was given to me after 9/11 
by the Federal Government. This morning I came in, and on my 
BlackBerry there are two messages. The messages are in German 
from people I have never heard of.
    I believe that phishing is the greatest threat to consumers 
in our financial system, and I think it is one of the most 
important things that we need to look at because, unlike other 
forms of financial crime, even an unsuccessful phishing effort 
undermines confidence in the institutions whose names are 
stolen, and the Federal Government's ability to protect us is 
clearly not total.
    I have on this very recently had messages coming that 
looked like they are coming from banks, the Bank of America, 
Citibank. I don't have accounts in those banks, so I 
immediately blank them out, but other people may open them.
    I would like to read to you an article that was posted on 
anti-phishing.org yesterday. It is called Phishing Gets 
Personal by John Leyden. It says, "Fraudsters are using stolen 
information to lure victims into divulging additional sensitive 
information in a new form of phishing attack. These so-called 
personalized phishing attacks target individual, named account 
holders at specific banks. Crooks are using real information 
about the account holder, such as a person's name, the correct 
full account number, and other bank information to make the e-
mails look more legitimate and, thereby, increase response 
rates.
    "The approach contrasts with typical phishing attacks where 
fraudsters randomly dispatch thousands of spam e-mails without 
the slightest attempts to target their attacks. Personalized 
phishing attacks seek to supplement existing lists of stolen 
credentials with even more sensitive information such as ATM 
pin numbers or credit card CVD codes." And I am ending the 
quote there.
    I think with the continued epidemic of phishing and 
pharming that is assaulting millions of Americans and while I 
know both the FDIC and the NCUA have issued guidance on this 
issue to their members and made information available to share 
with customers, I want to know when we will expect further 
guidance from your agencies on steps that the institutions can 
take to make sure that their Web sites are secure from 
exploitation, but also what you think we in Congress can do to 
stop this kind of phishing attack.
    And I am going to throw that out to all three of you.
    Ms. Parnes. Representative, I would be--I am happy to 
answer that question from the Commission's perspective.
    We actually have a lot of information that we provide to 
consumers in terms of how to protect themselves from phishing. 
Our Web site provides that information as part of our consumer 
education.
    Phishing clearly violates the FTC Act, and we have brought 
cases under the act challenging those practices. We have also 
worked with criminal authorities. And, in fact, in one of the 
cases that we brought, the Department of Justice acted also and 
the phisher was sentenced to 46 months in prison. We actually 
think that criminal prosecution of phishing is much more 
effective than civil prosecution.
    I have to say, though, from our perspective, the most 
significant challenge in fighting this scam is not proving a 
law violation; it is finding the individuals who committed the 
violation, because they are hidden behind walls in the 
Internet. Often we find that they are overseas or that the 
transaction is crossing many borders, and it is very difficult 
for us to conduct those investigations and to really find those 
people.
    One of the things that we think will help is legislation 
that was introduced last year, the International Consumer 
Protection Act, which would give the FTC additional authority 
to conduct investigations when the fraudsters are overseas. And 
while it wasn't--this was not--this was introduced last year, 
but not passed, we are hopeful that in this session of Congress 
it will be reintroduced and become law.
    Mrs. Kelly. Do you think that there is a need for a Federal 
coordinator on consumer financial data security who could be 
put in a position not only to try to track this back, but also 
prosecute phishing and pharming?
    Ms. Parnes. I actually think that with additional tools at 
the Commission, if we had--if we had additional tools to go--to 
pursue some of these actors cross-border, I think that we would 
be in a good position to--in a better position to bring more 
enforcement actions.
    But, again, I also think that there are laws in place, and 
I think that the criminal authorities--the Justice Department, 
the U.S. Attorneys--I think that if they are able to turn their 
attention to this, I think that they have ample authority.
    Mrs. Kelly. Most of the agencies you mentioned have a lot 
on their plates.
    Ms. Parnes. They do.
    Mrs. Kelly. So I am going to ask again: Would it be a good 
thing for us to put together a Federal coordinator for this, to 
make sure that the agencies are working together to drill down 
on this problem? This is a growing problem. Anybody who has--it 
is not just on the BlackBerrys; it is on any type of electronic 
money transfer.
    Mr. Chairman, I wonder if we could ask the FDIC if they 
have some specific suggestions for what we might be able to do 
to help you legislatively? If you would be willing to give us--
to report back to this committee with a list of some specific 
suggestions to try to help coordination between agencies and to 
help you get your job done, utilizing what laws are already on 
the books, there may be some ways that we can integrate what is 
out there, because phishing and pharming--both of these, 
incidentally, are spelled with a PF--I don't want the farmers 
in my district to call me up and say, "Why are you trying to 
stop farming?"
    But I think it is very important that we start focusing on 
this. And would you be willing to ask for that?
    Chairman Bachus. Sure. And we will do that. And, in fact, 
Ms. Kelly and I will join on a letter and outline some of the 
information we would like.
    And I will also ask Ms. Hooley--she is working on 
legislation--and Chairman Pryce and Chairman Castle to join 
with us, along with Chairman Kelly. Chairman Kelly has actually 
conducted hearings for probably 2 years on this issue.
    I think you were the first person on the committee to 
conduct those hearings.
    Mrs. Kelly. Thank you.
    My time is up, but I appreciate your response.
    Chairman Bachus. Thank you.
    Mr. Green.
    Mr. Green. Thank you, Mr. Chairman. And thank you, 
Congresswoman Kelly. I appreciate greatly what you have just 
discussed because those were some of my concerns. I would also 
add spyware into the mix of concerns.
    I am also concerned about the punishment that was mentioned 
just a moment ago, 46 months; and that causes me some concern 
because, if you get 46 months, is that sufficient punishment? 
And I ask because a low-tech criminal can get 5 years for 
snatching a purse, and a high-tech criminal gets 46 months for 
snatching thousands of purses. Is that appropriate punishment 
for the high-tech criminal? Are the criminal penalties 
sufficient?
    In Harris County, the district attorney himself had his 
identity stolen. Is this sufficient punishment?
    Would someone kindly give me a response to the query?
    Ms. Parnes. Well, Congressman, as a civil enforcement 
agency, we would certainly have to defer to the Department of 
Justice with respect to the adequacy of criminal penalties. 
From our perspective, the fact that criminal authorities are 
prosecuting these frauds is an incredibly important step, and 
we want to see more of that.
    Mr. Green. Would someone else care to comment? And I am 
pursuing it persistently because we don't want a standard that 
allows high-tech criminals to get slaps on the hands and low-
tech criminals to get incarceration. I want all criminals to be 
punished appropriately.
    Yes, ma'am.
    Ms. Thompson. Congressman Green, in one case that I am 
aware of, it was an insider transaction, and that person got 
convicted for 10 years. So I am not sure that there is one 
particular rule or one particular sentence for every single 
violation.
    Mr. Green. My next concern has to do with whether there is 
a market for this information. Are we finding that this is the 
case, that people are actually acquiring this intelligence and 
then they are marketing it to persons for a fee?
    And if so, give me some information, if you would, please, 
on the extent to which this marketing takes place.
    Ms. Thompson. Well, as you know, the Internet makes 
available a global market. And I think I mentioned in my 
opening remarks that the Internet provides a virtual store for 
the exchange of information.
    We break identity theft into two phases: the acquiring of 
information, which is done through phishing or pharming, and 
the actual sale or misuse of that information. And we do 
believe and know that there is a market for that information 
and that that information can and will be misused and nine 
times out of ten ends up in cases of identity theft.
    We believe at the FDIC that consumer education is really 
important because in phishing scams the consumer has to 
actively give information. And to the extent that people are 
aware that these types of scams are taking place, we would like 
to facilitate more consumer education, more consumer awareness 
about these issues.
    Mr. Green. I concur with you, and I support an intelligent 
society, especially consumers acquiring as much intelligence as 
possible. But I do still have concerns about the punishments.
    And I appreciate this market information because those who 
acquire the information, they do so with malice aforethought, 
and they ought to be punished severely as well. Criminals are 
criminals. If you are high tech, you are just a sophisticated 
thug, and you ought to be punished just like we punish other 
thugs and thieves.
    Mr. Chairman, I yield back the balance of my time.
    Chairman Bachus. Thank you, Mr. Green.
    Mr. McHenry.
    Mr. McHenry. Thank you, Mr. Chairman. And thank you for 
having this hearing.
    My question really goes to the question of whether or not 
we have enough regulations on the books already dealing with 
data security--whether or not we have enough laws on the books 
already for data security. And is it a question more of 
enforcement of the laws and regs that we have on the books, or 
do we need to rewrite everything?
    And this really goes to the heart of the FDIC and NCUA, and 
so if Mr. Fenner and Ms. Thompson, if you could address this.
    Ms. Thompson. We believe that Congress has been very 
proactive in the area of data security with the Gramm-Leach-
Bliley Act, the Fair and Accurate Credit Transaction Act, and 
the Fair Credit Reporting Act, coupled with interagency 
guidance that provides mechanisms for financial institutions to 
make sure that the data is secure.
    I think when Gramm-Leach-Bliley was implemented, it 
recommended or required that every financial institution have 
an information security program that goes to the institution's 
board of directors. And that is a very important step, coupled 
with the interagency guidance. Most recently, we issued 
"Response Program" guidance, in late March. We think that we 
have a lot of tools at our disposal to ensure that data is 
secure in financial institutions.
    And because I think Chairman Bachus mentioned it earlier, 
this guidance was just issued in March, so it is a little 
premature for us to comment on that. But we do think that we 
have a lot of tools available.
    Mr. Fenner. Congressman, I would agree that, for the most 
part, with respect to financial institutions, the laws and the 
regulations that we have in place and are now developing will 
prove adequate, including our Gramm-Leach-Bliley implementing 
regulations that require in our case that every credit union 
have a data security program and, moreover, that they have a 
response program to deal with instances of unauthorized access 
where the security program, in fact, has failed in some 
fashion, and also, as Ms. Thompson mentioned, the rules that we 
are now developing to implement the provisions of the FACT Act.
    I would add that with respect to NCUA, as I mentioned in 
both my written and my oral testimony, there is one area where 
we do come up short, and that is that the other Federal 
financial regulatory agencies do have authority to examine 
third-party vendors such as data processing firms. We don't. We 
had that authority at one time; under a sunset provision, we 
have lost it. We would like to see it restored.
    And it is not that we would have the intent of examining 
every third-party vendor that does business with credit unions, 
but we think just the existence of the authority provides a 
powerful incentive for those third parties to cooperate with us 
when we need information from them. And we have, in fact--since 
the authority sunsetted, have had instances where we haven't 
received full and timely cooperation. And so we think it is 
important to ask Congress to consider restoring that authority 
for us.
    I would also add that I think in the case of other data 
brokers, nonfinancial data brokers, that it is reasonable for 
Congress to consider whether some of the requirements that 
exist for financial institutions under Gramm-Leach-Bliley and 
the FACT Act should be imposed on other data brokers as well.
    Mr. McHenry. So perhaps NCUA and FDIC are doing a pretty 
good job, and you have pretty much the tools you need aside 
from the tools you mentioned, Mr. Fenner. So largely, you are 
taking on this task already? Yes or no would be fine.
    Ms. Thompson. Yes.
    Mr. Fenner. Yes.
    Mr. McHenry. Great. One of the best answers you can give 
Congress, yes or no.
    A follow-up to Ms. Thompson. You mentioned interagency 
guidelines and the new implementation of those guidelines, and 
one thing that you have brought about is that the one-size-
fits-all categorization for financial institutions does not 
work. And one of those areas is subjecting a small community 
bank to the same regulations you subject an international bank 
that has billions of dollars of assets when it comes to data 
security. And can you outline just a few examples of why that 
is the best approach?
    Ms. Thompson. We, again, believe that it is inappropriate 
to require the same security procedures for small institutions 
that we expect for large institutions. And I think an example 
would be that a small community bank might just offer Internet 
banking services to small businesses or retail customers, and a 
large institution would have more sophisticated transactions. 
They would probably have very extensive Internet access, and 
the size of the transaction would be greater.
    We take a look at the risk profile of each of our 
institutions. We conduct technology examinations based on the 
risk profile that is attributed to those specific institutions. 
And we think it is very important that the controls that are in 
place are commensurate with the risk.
    Small institutions may have a noncomplex technology 
operation, or they may outsource to a service provider. And we 
want to make sure that our expectations are reasonable for 
financial institutions because we do not want to increase any 
burden.
    Mr. McHenry. Thank you.
    And thank you, Mr. Chairman.
    Chairman Bachus. Thank you.
    Ms. Moore. 
    Ms. Moore of Wisconsin. Well, thank you, Mr. Chairman, and 
thank you, panel, for this very important hearing.
    Congressman McHenry really raised the questions that I had, 
and I appreciate his doing that. So I was prepared to pass but 
for the fact that I really didn't get--I don't feel that we 
have really gotten a full response to his question as to 
whether or not we think it is appropriate to have some sort of 
czar or something look at data security for those other 
industries outside of financial institutions.
    I point specifically to the testimony of you, Mrs. Parnes, 
on pages 4 and 5, where you go through this laundry list of 
information the data brokers can secure. And, you know, stuff 
like child support payments, finding potential organ donors, 
locating witnesses and defendants, so on and so forth, that 
don't seem to come under the--and you say in the testimony that 
it does not come under the jurisdiction of the Fair Credit 
Reporting Act. And I don't get the sense that it comes under 
any sort of regulatory authority that the FDIC has, and 
certainly none under which the NCUA is governed.
    Secondly, I would--so I would like you to respond to that.
    I would also like to address a question to you, Ms. 
Thompson, relating to your insight that encrypting 
information--and I don't know if this is just from magnetic 
tapes or whether this would work for Internet services as 
well--that encrypting information would provide a much more 
secure environment for this information but for the cost.
    I mean, is it just down to--is it just about the money in 
terms of protecting data?
    And to Mr. Fenner I would just like to say, I would love 
to give you the authority.
    Mr. Fenner. Thank you.
    Ms. Moore of Wisconsin. Thank you. So please respond.
    Ms. Parnes. I actually haven't given any thought to whether 
there should be a kind of information security czar in the 
Federal Government. My initial response is that the agencies 
that have jurisdiction in this area, I think we actually work 
very closely together.
    And so my inclination would be to say if you--
    Ms. Moore of Wisconsin. Excuse me. Let me interrupt because 
they have clocks in this institution. I am not used to that 
from State senate.
    You specifically mentioned stuff like HIPAA, who has 
jurisdiction over that kind of information? Not you. You 
specifically said that you don't have jurisdiction over that 
kind of information. So I am convinced that you do a good job 
as it relates to the information for which you have 
jurisdiction. I am talking about other stuff.
    Ms. Parnes. Right. So, for example, in HIPAA, HHS has 
jurisdiction there.
    In the driver's license laws that I think we mentioned, 
there are States that enforce those.
    And I think that what you are pointing out is really how 
complex this area is. There is information that is collected 
and used, you know, on so many different levels. Much of the 
information is public record information, and it is compiled by 
data brokers.
    I am not certain, frankly, what, you know, a kind of 
centralized office would add to enforcement efforts here. I 
think that, you know, if Congress wants those of us on the 
Federal level to work more closely together, we certainly have 
with the banking regulators under the guidance of this 
committee--you know, give us that direction, and we will do 
that.
    You know, I think we do. But as I have said, I am just not 
certain what, you know, a centralized point, what that will 
add.
    Ms. Thompson. I would like to respond to your question 
about encryption. The agencies really tend to shy away from 
prescribing specific standards such as encryption because we 
want to have a flexible approach, and we want our institutions 
to use a flexible approach when they address this issue.
    What works for one institution may not work for another 
institution. What works for the larger institutions may be 
cost-prohibitive for the smaller institutions. So we try to not 
prescribe specific tools to accommodate certain standards. We 
try to establish the standard, and we try to have a flexible 
approach.
    Encryption is something that many institutions use and many 
Government agencies use to protect and secure confidential 
data, but there are other methods to secure that data as well.
    Ms. Moore of Wisconsin. But it is costly. It costs. It 
costs a lot of money, right?
    Ms. Thompson. It can.
    Ms. Moore of Wisconsin. But were it not for the cost, that 
would go a long way. Would you say it would go a long way in 
protecting information?
    Ms. Thompson. Well, I think that any, including encryption, 
and that is--
    Ms. Moore of Wisconsin. And would the Internet as well, 
would that help?
    Ms. Thompson. Well, any time you take steps to protect and 
secure your information, I think that goes a long way to 
enhancing data security. Any additional steps that people or 
potential criminals have to take in order to access information 
is helpful. We want to make sure, again, that there is a 
balance, there is a cost implication, and there is also an ease 
of use implication as well, and we want to make sure that 
people have the option to select the appropriate tool that fits 
their particular circumstance.
    Chairman Bachus. Thank you, Ms. Moore.
    Mr. Pearce?
    Mr. Pearce. Thank you, Mr. Chairman. I would like to 
associate my comments myself with Mr. Green's comments. I have 
the same feeling toward the high-tech thugs. I think maybe the 
best punishment--locking them away in a cell maybe is not much 
different than some of them live already. So maybe we should 
lock them away and not give them access to the Internet or 
maybe make them write on a yellow pad and a pencil instead of 
giving them a computer. Maybe the best punishment might be to 
sentence them to use a 286 for the rest of their lives. I don't 
know. We need to figure out some way to redirect their creative 
energies.
    Ms. Parnes, you noted in your testimony that the FTC holds 
roundtable discussions talking about steps that we can do, and 
if you were to characterize the outcome of your meetings the 
last year, what actual things have gone into practice of things 
that we can do, or what suggestions have you made into the 
system that come out of the roundtable discussions during the 
last year?
    Ms. Parnes. Well, the last year has actually been a 
particularly productive one for us as we have been adopting the 
rules that are required under FACTA. And we have adopted 
already, I believe, seven or eight of the required regulations, 
and all of them--in working on all of those rules, we have had 
very productive discussions with industry, consumer groups, you 
know, all of the stakeholders on these issues.
    If you would like, I could go through the rules that we 
have accomplished thus far.
    Mr. Pearce. I suspect that the thing that I would like to 
understand, without going through the entire list, is are we 
keeping up with the technology on the other side? In other 
words, are the processes to steal information developing faster 
than the process to defend against stealing of information?
    Ms. Parnes. Keeping up with technology is always a 
difficult issue.
    Mr. Pearce. Is that a no?
    Ms. Parnes. No, but--
    Mr. Pearce. Is that a no, no or--
    Ms. Parnes. Well, it is hard to. And particularly when you 
are talking about technology in the hands of people who are 
engaged in fraud, you know, they try and stay a step ahead of 
us. We try to stay a step ahead of them.
    Mr. Pearce. Would you recommend that we make the entire 
concept, that is, that we have speeding violations in order 
that people not hit innocent bystanders, so the speeding itself 
becomes the criminal act?
    Would you make even the prospect of sending out blanket 
e-mails intended to attract, even if we don't tie it down--would 
you make that a penalty?
    Ms. Parnes. Well, you know, one of the things that we have 
done--
    Mr. Pearce. Would you make that a penalty, yes or no? We 
need to get a sense of where we can go here. The technology is 
developing faster than we are. We have got no tools. They are 
causing tremendous chaos in people's lives and financial 
distress in the system. What do we do?
    Ms. Parnes. Well, I don't think that I would make that a 
crime. I think that what we are hoping happens, and we are 
working with industry on this, we had one of our workshops was 
on authentication under the CAN-SPAM Act, and what we are 
encouraging industry to develop is technology that 
authenticates the domain that an e-mail comes from. And I think 
that that would go a long way towards addressing the kind of 
phishing and pharming--
    Mr. Pearce. Except technology is developing faster, so that 
somebody is going to beat that.
    Ms. Thompson, would you have a different answer? And I will 
ask Mr. Fenner, too. Would you have a different answer? Would 
you--maybe the entire process of even going out and trying to 
elicit information that is not going to be used in a productive 
fashion, would you make that illegal?
    Ms. Thompson. Well, I think that we should work with 
industry, because technology is being developed to do good 
things as well. And to the extent that we have a misuse of 
technology, we need to be working with industry to make sure 
that we have solutions.
    And I can't stress enough the collaboration that needs to 
take place between the Government and the private sector to 
address this issue because this isn't, as we heard today, just 
an issue for banks or financial institutions.
    Mr. Pearce. Mr. Fenner, the red light is about to come on. 
Mr. Fenner, do you have an opinion?
    Mr. Fenner. I don't have any problem with making it a crime 
to solicit information for purposes that are fraudulent or to 
further a criminal enterprise.
    Mr. Pearce. Yes, but while we are sitting here having these 
patient, long discussions, someone else is developing a 
technology this morning that is going to get around anything 
that we develop. And at some point the concept of developing 
the technology to get around other technology in order to hurt 
people should be something that we concentrate on. We are going 
to have to make some tough, tough decisions somewhere down the 
road.
    Thank you, Mr. Chairman.
    Chairman Bachus. Thank you.
    Mr. Clay.
    Wait a minute. I am sorry. Mrs. Maloney.
    Mrs. Maloney. First of all, this hearing makes it apparent 
that data security today is regulated by a confusing patchwork 
of laws and regulations that have obvious gaps and conflicts. 
The same personally identifiable data is subject to different 
protections, and its loss is subject to different remedies 
depending on who has it, and this doesn't make sense. So I hope 
that we will be moving towards a more unified approach or 
theory of data protection that will provide the same protection 
and remedies to the same sets of data no matter who has them.
    And I want to note that there has been some guidance on 
this issue from the regulators involved, not just the banking 
regulators, but also NCUA has come out with some guidelines. 
But the FTC has not followed suit and come out with any 
guidelines. And I think at the least we need to encourage our 
regulators to come forward with consistent guidance.
    So my first question is to Ms. Parnes from the FTC. Do you 
think guidance like that put out by the banking regulators and 
the NCUA is necessary for the institutions that you supervise? 
And if not, why not?
    Ms. Parnes. Congresswoman, we have a different relationship 
with industries that are subject to the FTC's jurisdiction. The 
FDIC is, and the bank regulators are, involved in an 
examination process. There is--it is a discrete industry that 
they are dealing with. There are a set number of members, a lot 
of members of the industry, but they have a very close 
relationship with the members of the industry. And as I said, 
they are--it is an examination type of relationship.
    That is not what the FTC does. Our jurisdiction is 
extremely broad. We regulate all sectors of the economy with, 
you know, very specific exemptions. So, I think that the 
specific type of guidance that has been issued by the bank 
regulators would not necessarily be appropriate for the FTC.
    However, the Commission issues guidance to the industries 
that it regulates in a different fashion. We have rules that we 
have adopted and implemented. Under Gramm-Leach-Bliley we have 
a safeguards rule, and we provide business education on how to 
implement that rule.
    We brought a number of cases under section 5 dealing with 
information security, and we think that our law enforcement 
sets standards that industry should follow. And, again, right 
now, we are conducting nonpublic investigations in this area. 
We are learning more about this industry. And I think that it 
would be likely that at some point we would put out more 
general business guidance in this area. But, again, I think it 
would be a bit different from what the bank regulators do.
    Mrs. Maloney. So basically are you saying the FTC can't 
regulate the industry as carefully as the bank regulators?
    I mean, they have their oversight. Why in the world can't 
the FTC have the same type of regulation? I don't get it. If 
you can't come out with it, then possibly we need to come 
forward with some legislation on it.
    Ms. Parnes. Well, I think that--I certainly don't mean to 
suggest that the FTC can't give guidance to industries that 
fall within our jurisdiction. I think we can. We are primarily 
a law enforcement agency, and, for example--
    Mrs. Maloney. You can give guidance. And the FDIC has given 
guidance, and NCUA, they have all come forward trying to set 
more uniform guidance. Why don't you step in and give some 
guidance, too? This is a tremendous challenge.
    Ms. Parnes. Well, you know, the issues that we are looking 
at right now on notice in particular, we are learning a lot 
about this. As we conduct these investigations, we have had 
many meetings with members of the industry and with consumer 
advocates.
    The issues are complex. We are learning about them. But I 
would expect that we will seriously consider issuing guidance 
when we feel as if we have a better sense of what that should 
be.
    Mrs. Maloney. My time is up. Thank you.
    Chairman Bachus. Thank you.
    I would say this to the panel and to the members that are 
still here. As far as financial institutions and credit unions 
are concerned, there is a standard of care in Gramm-Leach-
Bliley. It is called a privacy obligation. But it is a standard 
of care, and it is very precise.
    There are also safeguards listed, and there are three of 
them, and the regulators under those have a right to issue 
regulations, and you all are doing that. And they are pretty 
comprehensive as far as what those safeguards are to ensure the 
security and confidentiality of the customer records 
information, to protect against any anticipated threats or 
hazard to security or integrity of such records, and to protect 
against unauthorized access to or use of such records or 
information which could result in substantial harm or 
inconvenience to any customer. So there is no lack of law when 
it comes to financial institutions or credit bureaus.
    And the regulations are coming out. I think, as I see the 
problems, Mr. Fenner, you said that NCUA doesn't have the right 
to inspect third-party vendors, and, of course, you know CUNA 
and NAFCU are opposed to giving you that right so that you 
don't have that examination right.
    So you have raised that today, and I think you raised a 
good issue. But I think the problem comes, and if I am hearing, 
your testimony is your data brokers aren't regulated by, they 
don't fall under this standard. They don't follow any of these 
safeguards. Is that right?
    Ms. Parnes. Well, Chairman, data brokers could fall under 
the laws, and so, for example, if a data broker is a financial 
institution, it would fall within their, the GLB, standard.
    Chairman Bachus. Were ChoicePoint and LexisNexis--are 
they--were they financial institutions? Part of their operation 
were financial institutions. Is that correct?
    Ms. Parnes. Chairman, these are--with respect to the 
nonpublic investigations that we have pending, these are issues 
that are kind of at the heart of these investigations, and they 
are nonpublic.
    Chairman Bachus. Okay. But I guess I will just say this, 
then: If part of those operations are financial institutions, 
they fall under Gramm-Leach-Bliley.
    Ms. Parnes. That is correct.
    Chairman Bachus. If determined not to be, they would not.
    Ms. Parnes. That is correct. And if they act as consumer 
reporting agencies, and some of them do, they would fall 
under--
    Chairman Bachus. A credit reporting agency.
    Ms. Parnes. Exactly. The FCRA.
    Chairman Bachus. I actually am the author of the FACT Act, 
and it did give a lot of new rights and empowered consumers 
who--you know, after the fact. Now, also, by letting them see 
their credit reports, it protects them from actually ongoing 
fraud, but--and it did give them certain rights.
    My question, I guess, would be under--from reading section 
501 of Gramm-Leach-Bliley and the FACT Act, the regulators are 
already empowered, in my mind, to establish a uniform notice as 
a part of this, because, you know, statutorily you are asked to 
ensure these things and to safeguard and protect consumers. And 
I would think that you could come out with a uniform notice 
and, as far as financial institutions, you could preempt a 
hodgepodge of State laws where we are getting, you know, 
multiple notices.
    Our financial institutions are having to send really 12- 
and 14-page notices because they have to comply with all these 
different States, and the end result is that the consumer 
doesn't know what he is getting.
    But I guess I would ask you this: Do you think you have the 
authority presently? And if not, would you like that authority, 
to issue uniform notices in case of a--and, if we do, what 
criteria do we--we have always--this Congress, this committee, 
has always established as far as when a notice is required; it 
has gone back to the common-law definition of a significant 
threat or significant, as opposed to insignificant, and used 
that standard. Would that be the standard you would recommend? 
I will ask Ms. Parnes.
    Ms. Parnes. Yeah. We--I think that looking at the risk of 
harm to consumers is absolutely an essential component of a 
trigger for notice.
    Chairman Bachus. And significant is the one that has been 
used for 300 years. Is there any reason to depart from that? If 
it was insignificant, you wouldn't, and you could have 
guidelines to what was considered significant.
    Ms. Parnes. That is absolutely right. And this would be 
something that the Commission would certainly want to flesh out 
in guidelines or in rules. But, you know, again, I mean, I 
think, as you have indicated, you know, it is a balance on 
notice. And we certainly think that that is the consumer 
interest there.
    Chairman Bachus. And the only reason I am saying the use is 
significant, you have got years and years of case law as to 
what is significant and insignificant. And it can be--you know, 
there is a history there. If you came up with some new criteria 
or new standard, it would be--it would take literally years and 
court cases to establish what that meant.
    Any comment on that? Ms. Thompson?
    Ms. Thompson. Well, the FDIC has not made an official 
policy statement on this particular issue, but I believe that 
we will need specific Federal authority to preempt State laws. 
But with regard to the--
    Chairman Bachus. That is right, because there is no 
preemption in Gramm-Leach-Bliley. You are right. You are 
absolutely right. So when I said you could, you couldn't, 
because Senator Sarbanes added a provision in the Senate which 
did not allow for it. It didn't preempt State law. That is 
correct. So any legislation with a uniform standard would have 
to--I suppose it would have to negate the provision in Gramm-
Leach-Bliley.
    Ms. Thompson. I mentioned that in the interagency guidance 
in the customer notice response, there are some principles that 
the financial institutions have to adhere to. The notice has to 
be clear and conspicuous, and it also has to have a telephone 
number for people to call to get information.
    Chairman Bachus. In the FACT Act, we established what the 
notice was, and in Gramm-Leach-Bliley, the only thing we don't 
establish probably is when, what the trigger is.
    And I guess I am asking you, is significant risk of 
significant harm is what has been used in other notices and 
other areas, and in other industries, and other statutes. I 
think that is the most common one. Probably 90 percent of your 
notices are required in that case, you know, when you are 
trying to minimize some damage or notice.
    Ms. Thompson. With the interagency guidance, there is a 
threshold to send the notice. The threshold was again very 
difficult for the agencies to come up with, but it specifically 
states that if there has been misuse, or if there is a 
reasonable possibility that misuse will occur, then the notice 
is sent to the customers or the consumers.
    Chairman Bachus. You would have to probably go--you know, 
that is the reasonableness notice, but you would have to--would 
you distinguish between significant and insignificant?
    Ms. Thompson. I think we have to because we want to make 
sure that customers and consumers are not receiving just 
notices that maybe over time become meaningless.
    We want to make sure that when consumers receive notices 
that they pay attention, and that they understand the 
consequences of not paying attention, and that they take 
appropriate steps to make sure that their identities are 
protected. It is just a balance.
    Ms. Parnes. And I would add, I think that is exactly the 
balance that we are looking at. And I think as we move forward 
on this, we will be looking at what we think is exactly the 
appropriate trigger for notice. I think we have to--
    Chairman Bachus. But you know the "reasonableness" is in 
almost all--you don't even need to put the word in normally 
because I think it is the reasonable man standard, but I think 
you ought to put the word in. Maybe what you do there is you 
say a "reasonable anticipation of significant harm to the 
consumer".
    Ms. Parnes. I think that we would want to certainly on an 
issue--on an issue like this, if we were implementing rules on 
this or advising this Subcommittee, I think that we would want 
to give thought to the issues so that we could really identify 
an appropriate trigger and what appropriate language would be.
    Chairman Bachus. Thank you.
    Mr. Sanders. Thank you very much. We have a vote on the 
floor.
    Mr. Sanders. I wanted to ask one question. I apologize for 
not being here for the whole hearing. I think there is an area, 
though, a very important area, that has not been discussed, and 
that is assuming that we do everything that we can to protect 
the American people, we all work together, there is a huge gap 
in this discussion, and that is what happens if a company 
offshores and that work is being done in India or it is being 
done in China? My feeling is that everything that you have told 
us doesn't really matter terribly much to a hill of beans.
    My question would be in the event that an offshore company 
affiliated with a person subject to your jurisdiction violated 
any of the privacy provisions of GLBA, what authorities would 
your agency have to bring legal action against such persons? 
What authority would you have to bring an enforcement action 
against a rogue employee of such a company for violations 
committed in foreign countries?
    Ms. Thompson. I would agree with you that prosecution of 
workers and employees overseas for data theft is difficult, but 
we do have existing data protection legislation and regulations 
in Gramm-Leach-Bliley in the implementing security guidelines. 
Banks have to choose their service providers carefully, and 
they have to make sure that they have access to the 
information, and they also have to continually monitor how 
their service providers are doing.
    Mr. Sanders. But having said that, Ms. Thompson, you would 
agree that--
    Ms. Thompson. Yes. There is difficulty. Yes, I do agree 
with that.
    Chairman Bachus. What she is referring to is section 501.
    Ms. Thompson. That is correct.
    Ms. Parnes. And our position is that institutions that fall 
within our jurisdiction would be responsible for any data 
breaches that occur, even if they occur outside of our borders. 
Our kind of issue is one on enforcement and kind of tracking 
the violation, and there is legislation that was introduced in 
the last session of Congress, the International Consumer 
Protection Act, that was not passed, but that would be very 
useful in helping us with enforcement.
    Mr. Sanders. So you think we do need legislation, though?
    Ms. Parnes. I think that piece of legislation would help 
this issue, yes.
    Chairman Bachus. Thank you.
    Mr. Sanders. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman Bachus. Just for the record, she is referring to 
the legislation introduced by Mr. Stearns in the Commerce 
Committee, I think, which we also have concurrent jurisdiction 
over. We actually--because we thought that was a good piece of 
legislation, we waived our jurisdiction. But it did not--I 
don't think it got out of the Commerce Committee.
    Mr. Markey has a different piece of legislation, which is 
different. I will just leave it at that.
    But I, too, believe that the International Consumer 
Protection Act would go a long way towards solving the problem 
you have talked about.
    We very much appreciate your testimony here today. We have 
votes on the floor, and I think they come at a time when this 
hearing would conclude. So we appreciate your testimony, and 
you have been very helpful. And this hearing is concluded.
    Ms. Parnes. Thank you.
    [Whereupon, at 11:50 a.m., the subcommittee was adjourned.]


                            A P P E N D I X



                              July 8, 2005


[GRAPHIC] [TIFF OMITTED] T5573.001 through T5573.099
