[House Hearing, 109 Congress]
[From the U.S. Government Printing Office]

SOCIAL SECURITY NUMBERS IN COMMERCE: RECONCILING BENEFICIAL USES WITH THREATS TO PRIVACY

HEARING BEFORE THE
SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES

ONE HUNDRED NINTH CONGRESS
SECOND SESSION

MAY 11, 2006

Serial No. 109-91

Printed for the use of the Committee on Energy and Commerce

Available via the World Wide Web: http://www.access.gpo.gov/congress/house

U.S. GOVERNMENT PRINTING OFFICE
29-388 WASHINGTON : 2006

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON ENERGY AND COMMERCE

JOE BARTON, Texas, Chairman

RALPH M. HALL, Texas
MICHAEL BILIRAKIS, Florida, Vice Chairman
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
NATHAN DEAL, Georgia
ED WHITFIELD, Kentucky
CHARLIE NORWOOD, Georgia
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES W. "CHIP" PICKERING, Mississippi, Vice Chairman
VITO FOSSELLA, New York
ROY BLUNT, Missouri
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
C.L. "BUTCH" OTTER, Idaho
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee

JOHN D. DINGELL, Michigan, Ranking Member
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, JR., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
ALBERT R. WYNN, Maryland
GENE GREEN, Texas
TED STRICKLAND, Ohio
DIANA DEGETTE, Colorado
LOIS CAPPS, California
MIKE DOYLE, Pennsylvania
TOM ALLEN, Maine
JIM DAVIS, Florida
JAN SCHAKOWSKY, Illinois
HILDA L. SOLIS, California
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas

BUD ALBRIGHT, Staff Director
DAVID CAVICKE, General Counsel
REID P. F. STUNTZ, Minority Staff Director and Chief Counsel

SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION

CLIFF STEARNS, Florida, Chairman

FRED UPTON, Michigan
NATHAN DEAL, Georgia
BARBARA CUBIN, Wyoming
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
C.L. "BUTCH" OTTER, Idaho
SUE MYRICK, North Carolina
TIM MURPHY, Pennsylvania
MARSHA BLACKBURN, Tennessee
JOE BARTON, Texas (EX OFFICIO)

JAN SCHAKOWSKY, Illinois, Ranking Member
MIKE ROSS, Arkansas
EDWARD J. MARKEY, Massachusetts
EDOLPHUS TOWNS, New York
SHERROD BROWN, Ohio
BOBBY L. RUSH, Illinois
GENE GREEN, Texas
TED STRICKLAND, Ohio
DIANA DEGETTE, Colorado
JIM DAVIS, Florida
CHARLES A. GONZALEZ, Texas
TAMMY BALDWIN, Wisconsin
JOHN D. DINGELL, Michigan (EX OFFICIO)

CONTENTS

Testimony of:
Leibowitz, Hon. Jon, Commissioner, Federal Trade Commission
Ireland, Oliver I., Partner, Morrison & Foerster, LLP, on behalf of Financial Services Coordinating Council
McDonald, Susan, President, Pension Benefit Information
Steinfeld, Lauren, Former Associate Chief Counselor, Office of Management and Budget
Lively, Jr., H. Randy, President and CEO, American Financial Services Association
Rotenberg, Marc, Executive Director, Electronic Privacy Information Center

SOCIAL SECURITY NUMBERS IN COMMERCE: RECONCILING BENEFICIAL USES WITH THREATS TO PRIVACY

THURSDAY, MAY 11, 2006

HOUSE OF REPRESENTATIVES,
COMMITTEE ON ENERGY AND COMMERCE,
SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION,
Washington, DC.

The subcommittee met, pursuant to notice, at 2:45 p.m., in Room 2123, Rayburn House Office Building, Hon. Cliff Stearns [chairman] presiding.

Present: Representatives Stearns, Deal, Bass, Blackburn, Barton (Ex Officio), Schakowsky, Markey, and DeGette.

Staff Present: David Cavicke, General Counsel; Shannon Jacquot, Counsel; Chris Leahy, Policy Coordinator; Will Carty, Professional Staff Member; Billy Harvard, Legislative Clerk; Consuela Washington, Minority Senior Counsel; and Alec Gerlach, Minority Staff Assistant.

MR. STEARNS. Good afternoon, everybody. The subcommittee will come to order. I am pleased that we are holding this important hearing on the use of Social Security numbers and the implication use of personal privacy. I would like to thank Chairman Barton for bringing this issue to the fore. Our work on data security did not address Social Security numbers, because we believe it is a complex issue that needs more focus and distinct treatment from securing personal information, notice, and yes, privacy issues that arise in the commercial world--a world that is fueled by information, incredible technology that facilitates our tremendous progress, and one that is starting to present us with some very serious and complex challenges that require our attention today. If you are an American citizen, you, without exception, have one of those long string of numbers associated with our individual identity called a Social Security number.
As Chairman Barton has pointed out, in 1935, the Social Security Administration was directed to create an accounting system that would be able to track how much we put into the Social Security pot in taxes so we can get credit for those contributions when we act to withdraw them. The Social Security Administration was not directed to create a unique personal identifier for commercial purposes. The issues that are before us today have arisen because government and private businesses quickly realized how good the idea was, a unique identifier, and soon adopted it for their own use, whether for tax administration, fraud prevention, or to send out marketing information. I think all of those uses can be legitimate as long as they are conducted with the utmost respect for the personal privacy of the individual, including adhering to the security principles outlined in our data security bill. A bill designed to prevent misuse and fraud. My colleagues, I do, however, want to learn more about those cases when a customer is denied goods or services because he or she decides they don't want to furnish their Social Security number. I think most Members here don't want to give it out. We understand the emotional issues involved when confronted by such a request, and we are continuing to be confronted. So I would like to ask today's witnesses to help us understand why that is something business needs to have these days, and is it an anti-fraud mechanism or what? I would also like to suggest our witnesses take us through the concept addressed in perhaps three of the major bills that have been introduced in this Congress and deal with the issue of Social Security number use and personal privacy, particularly the bill H.R. 1745, the Social Security Number Privacy and Identity Prevention Act of 2005, introduced by my colleague from Florida, Mr. Shaw. 
Chairman Shaw has done great work in this area, and I commend him for his work as a tireless advocate for protecting the privacy of consumers and maintaining the integrity of Social Security numbers. Balancing the benefits that accrue to consumers from private use of Social Security numbers with the harm caused by identity theft is a difficult feat. In addition, because identity theft is a very important consumer protection issue, we would like to hear specifics about that issue and how it relates to Social Security number misuse and security from the Federal Trade Commission. The FTC data indicates that in a 1 year period of time from September 2002 to September 2003, over 10 million people were victims of identity theft. This is a big cost to consumers and businesses both in terms of money lost and time spent trying to clear up names and credit reports. The Federal Trade Commission has done a tremendous job in gathering important statistical information regarding identity theft. This will help us in policy decisions we make in this committee. I look forward to a general update from the FTC on the state of identity theft today and would like to hear what ideas the commission has for reducing the occurrence of identity theft. So I would like to thank everybody for joining us today, especially Commissioner Leibowitz, who had to juggle some scheduling to be here, and I look forward to his testimony, as we take a dive into this very interesting and important issue. And with that, I will conclude and ask Ms. DeGette, who is standing in for the Ranking Member, for her opening statement.

[The prepared statement of Hon. Cliff Stearns follows:]

PREPARED STATEMENT OF THE HON. CLIFF STEARNS, CHAIRMAN, SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION

I am very happy that we are holding this important hearing on the use of social security numbers and the implications for personal privacy. I'd like to thank Chairman Barton for bringing this issue to the fore.
Our work on data security did not address social security numbers because we believe it is a complex issue that needs more focus and distinct treatment from securing personal information, notice, and yes, privacy issues that arise in the commercial world - a world that is fueled by information, incredible technology that facilitates our tremendous progress, and one that is starting to present us with very serious and complex challenges that require attention now. If you have a heartbeat and are an American citizen, you will, almost without exception, have one of those long strings of numbers associated with our very person, called the social security number. As Chairman Barton has pointed out, back in 1935, the Social Security Administration was directed to create an accounting system that would be able to track how much we put into the social security pot in taxes so we can get credit for those contributions when we act to draw on them. The Social Security Administration was not directed to create a unique personal identifier for commercial purposes. The issues that are before us today have arisen because government and private business quickly realized how good the idea was - a unique identifier - and soon adopted it for their own use - whether for tax administration, fraud prevention, or to send marketing. I think all those uses can be legitimate as long as they are conducted with the utmost respect for the personal privacy, including adhering to the security principles outlined in our data security bill - a bill designed to prevent misuse and fraud. I do, however, want to learn more about those instances when a consumer is denied goods or services because he or she decides they don't want to furnish their social security number. I don't like to give it out so I understand the emotional issues involved when confronted by such a request.
I'd like to ask today's witnesses to help us understand why that is something business needs to do these days - is it an anti-fraud mechanism or what? I also would like to suggest that our witnesses take us through the concepts addressed in the major bills that have been introduced this Congress and deal with the issues of social security number use and personal privacy, particularly the bill HR 1745, the Social Security Number Privacy and Identity Theft Prevention Act of 2005, introduced by my good friend and colleague from Florida, Mr. Shaw. Chairman Shaw has done a tremendous amount of work in this area. I commend him for his work as a tireless advocate for protecting the privacy of consumers and maintaining the integrity of social security numbers. Balancing the benefits that accrue to consumers from private use of social security numbers with the harm caused by identity theft is a difficult feat. In addition, because identity theft is a very important consumer protection issue, we would like to hear specifics about that issue and how it relates to social security number misuse and security from the Federal Trade Commission. FTC data indicates that in a one-year period of time, from September 2002 to September 2003, over 10 million people were victims of identity theft. This is a significant cost to consumers and businesses both in terms of money lost and time spent trying to clear up names and credit reports. The Federal Trade Commission has done a tremendous job in gathering important statistical information regarding identity theft. This will help us in policy decisions we make. I look forward to a general update from the Federal Trade Commission on the state of identity theft today and would like to hear what ideas the Commission has for reducing the occurrence of identity theft. Again, I thank everyone for joining us today, especially Commissioner Leibowitz, who had to juggle some scheduling and logistical issues to be here today. Thank you.
We look forward to the testimony. This is a very important hearing as my Subcommittee begins to take a deep dive into the issue surrounding personal privacy in the commercial world.

MS. DEGETTE. Thank you, Mr. Chairman, and Ms. Schakowsky should be along shortly. She has an amendment up on the floor right now. So she will--

MR. STEARNS. I understand.

MS. DEGETTE. --be along. First of all, I want to welcome Commissioner Leibowitz, who I just found out is a fellow graduate of the New York University School of Law.

MR. LEIBOWITZ. You might have had better grades than me, though.

MS. DEGETTE. Hmm?

MR. LEIBOWITZ. You might have had better grades than me, though.

MS. DEGETTE. I don't know. We will talk about that later. I also want to thank you, Mr. Chairman, for having this series on privacy. I know it has long been an issue that you have chaired personally and really, really made it an effort to have full, full hearings. I think that the wide range of views among different industries and consumer groups, coupled with the complexity of the issue, has made it a challenging task to craft legislation, and so I am impressed by the bills that really go in depth on this issue, and I look forward to debating their merits. The first privacy hearing that we had in this series was actually 5 years ago, in 2001, and at that hearing, I talked about how many of my constituents have been contacting me and express an interest in and concern about personal privacy. This, of course, remains even more so true today, and I would say their concerns have grown more accurate. Just this morning we saw, for example, that the NSA is apparently trying to collect records of every single telephone call made--these are not international terrorist phone calls but made domestically in this country.
And one has to ask oneself, what is the nexus between people making domestic phone calls and the NSA collecting all of the information on the phone numbers that are making and receiving the phone calls, how could that possibly have a nexus to national security and fighting terrorism? And I talked just a few minutes ago to Chairman Barton, and I talked to Mr. Markey earlier, and we all share a concern about government agencies and others collecting more and more data about people with seemingly no controls over this. And so I am hoping Chairman Barton will hold some hearings on this issue, which is within the preview of this committee because it is of real concern. And a similar issue I hear about from constituents all the time is the growing requirement that a Social Security number be given to conduct business with various companies, whether it is getting a credit card, opening an account, or whatever else. And people always ask me, is it legal for companies to require a Social Security number to do business with them? Do they have any recourse if they are refused a transaction or if they are turned away for applying for something when they do not provide their Social Security number? So clearly, there is a great deal of discomfort among many about giving out their Social Security number, even for a seemingly legitimate purpose. And I will tell you, the more recent revelations like the ones that we see today with the NSA taking the phone numbers of legitimate domestic phone calls is only going to make people feel more and more uncomfortable about giving out any personal information, and they are really going to begin wondering if big brother is looking over them, and I am sure, Mr. Chairman, you and the other members of this committee are hearing from our constituents. The drum beat is growing ever louder, and we have got to do something to secure people's privacy and their private information. 
Social Security numbers, interestingly, are seen as the gold standard of identifying information, and yet, the more that groups use them, then the more the Social Security numbers are out there, then the greater likelihood it is that these Social Security numbers will be given out and stolen and used for fraud. So with respect to this hearing on the one hand, we have the current practice of businesses who are trying to protect themselves from fraud, requiring Social Security numbers, and then on the other hand, we have consumers who are increasingly reluctant to give their Social Security numbers out, and for increasingly good reasons. So how do we reconcile this? I think it is going to be an interesting balancing act, but I have got to tell you, I feel like the tipping point has been reached, and we have got to make a real effort not just at the Social Security numbers, but at all of people's identifying information and communications. How do we protect people's security, while at the same time encouraging commerce and encouraging legitimate national security uses. And with that, Mr. Chairman, I will yield back the balance of my time.

MR. STEARNS. I thank the gentlelady. Mrs. Blackburn.

MRS. BLACKBURN. Thank you, Mr. Chairman. I want to thank you for your attention on the issue, and Mr. Leibowitz, I want to thank you for taking the time to be with us today and for being here to present the information and to join us as we look at the use of Social Security numbers with financial transactions and also with commerce. Congress has enacted several laws to guard against the misuse of consumer information, but it absolutely has not been enough. In the past few years, identity theft has become the fastest growing crime in America and has cost consumers and businesses in the neighborhood of $50 billion.
We were astounded at the number of people that showed up at an identity theft town hall in our district, and we were appalled and really quite concerned with some of the stories that they had to tell. One of the major glaring examples is the occurrence of security breaches at several data brokers. These breaches have subjected many consumers to theft of personal information, and I appreciate this committee has passed the Data Act to address that problem, and now we know that we must look at the role of Social Security numbers in the era of e-commerce. I know that companies do want a quick and reliable method of identifying people to conduct business, yet we do have to balance the privacy concerns that exist, and as we move forward and look at data security and privacy, we understand that the world of e-commerce presents many new opportunities for individuals. At the same time we have to recognize that it does present many challenges that new technologies are presenting wonderful opportunities, but at the same time, there are challenges and there are concerns and there is truly a need for us to review our existing policies. And, Mr. Chairman, I thank you for your leadership and your willingness to review those existing policies. I look forward to the information we will have in this hearing, and looking at how we can achieve balance, and I yield back.

MR. STEARNS. Thank you. The gentleman from Massachusetts is recognized.

MR. MARKEY. Thank you, Mr. Chairman. And thank you for having this hearing. This hearing, at my request, of the full committee Chairman and yourself, Mr. Chairman, is meant to consider my proposed legislation H.R. 1078, the Social Security Number Protection Act, as well as other legislative ideas on how to protect Americans from the misuse of their Social Security numbers. H.R. 1078 would bring a halt to unregulated commerce in Social Security numbers.
It does not establish an absolute prohibition on all commercial use of the number, but it would make it a crime for a person to sell or purchase Social Security numbers in violation of the rules promulgated by the Federal Trade Commission. The FTC would be given the power to restrict the sale of Social Security numbers, determine appropriate exemptions, and to enforce civil compliance and the bill's restrictions. We thank Mr. Leibowitz for being here, and the other experts that are here to talk to us today, and what could be a more appropriate day, given the fact that Mr. Rotenberg has a lawsuit against the NSA to determine exactly how the NSA is spying on Americans, than on a day that we learn that there has been a new telecom merger between NSA and AT&T. And it is the last takeover in this chain of mergers which has occurred. NSA, AT&T now stands for now spying on Americans, anytime you talk, NSA, AT&T, the new America, the new telecom NSA America. So we have got a new slogan for the NSA and AT&T, "Reach out and tap someone." And what we see is an incredible violation of the privacy of Americans by the Federal government. The argument is made that they are going to compile every phone call ever made in the United States, I think that we have now reached a point of privacy crisis in the name of security. The price being paid is the privacy of all Americans, and it is too high a price to pay. Here in the Social Security area, from Amy Boyer through thousands of other examples, we see what happens when people's privacy, their Social Security number is used as an identifier. 
What the NSA and AT&T have made clear today is that this is just part of a larger puzzle, where technology makes possible things which were unimaginable when we were younger, and it is our responsibility to make sure that we safeguard, we secure that private information so that the DNA of each family isn't just a commodity out there for purchase by the highest bidder, notwithstanding the consequences for the history of that family. I thank you, Mr. Chairman, for having this hearing.

MR. STEARNS. I thank the gentleman. The Chairman of the full committee, Mr. Barton from Texas.

CHAIRMAN BARTON. Thank you, Mr. Chairman. I apologize for being delayed. We were doing a hearing on gasoline prices in the same committee hearing room, and it went longer than expected. I made a commitment to Congressman Markey at a full committee markup on the data security bill, that we would address the issue of Social Security number privacy. And I want to thank you, Chairman Stearns, for honoring my commitment to hold this hearing so I could honor the commitment I made to Congressman Markey at that markup. I share Mr. Markey's concerns about the widespread abuse, and I want to highlight abuse, of Social Security numbers. I believe, like Congressman Markey, that not enough is being done to protect this unique personal identifier. The Data Act which passed this committee, I think, 42-0, recently would go a long way towards ensuring proper security for databases that contain Social Security numbers and other personal information. I am proud of our committee's work on that bill, and am working very hard, as late as noon today, to get that bill to the floor of the House. While the Data Act is a very important component of protecting Social Security numbers and sensitive personal data, the bill does not address the issue surrounding the use of Social Security numbers. There are a number of complex issues in this area.
The nature of business has evolved over the past several decades to serve a population that engages much more frequently in interstate commerce. The rise of the Internet has popularized electronic commerce. Also rising unfortunately is the risk of criminal activity, and for crooks, a Social Security number is like a key to the bank. Twenty years ago, nobody thought much about showing their number. Their Social Security number on a driver's license or, I apologize, a store clerk writing it on checks. Now we know that this number is an integral part of our identity, and there are lots and lots of people who want to steal our identity. Our economic system allows us to conduct transactions anywhere, anytime almost instantaneously. In this world of e-commerce, companies have to know who they are dealing with. That is why they believe consumer's Social Security numbers is a necessary component to many transactions, because it has evolved to become a unique and required identifier for almost every significant aspect of our lives. Its value is even more important than simply a claim on a future government retirement check, which was its original intention, because it is so important. My belief, and Congressman Markey's belief, is Congress needs to act to put in place new protections. I recognize that removing the link between our Social Security number and our personal accounts is difficult, and maybe it will turn out to be impractical. What I want to see is a development of an alternative identifier and then we can judge the suitability of removing Social Security numbers all together. Sometimes using Social Security numbers as a commercial identifier speeds business, and that is a benefit, no question about it, both to the companies and to the consumers. That said, there are also many situations in which there's no apparent reason or consumer benefit to provide a Social Security number. 
This committee has looked at many issues in this area and will continue to consider other issues in this area. We continue to wonder, for example, whether businesses can or should require consumers to provide a Social Security number in order to buy a product or service. I recently purchased a new cell phone for my charitable foundation for my personal use in making charitable calls. I had to give my Social Security number three times in the process of being approved for that cell phone, and my Social Security number was not necessary to prove that I had the financial ability to pay for the phone or really, that I was who I said I was since I also had to give my driver's license number. But if I didn't give my Social Security number, I wasn't going to get that phone. I just don't see that that is a necessity. Further, once a business has a consumer's Social Security number, can they share it? Can they sell it? And if so, to who? Having your number is one thing. Selling it, I think, or using it for a purpose without your permission is quite another. And how should a company go about getting a person's consent to transfer a Social Security number to another entity? These were important questions to which there are not always simple answers. But one question to which there is an easy answer is whether our Social Security number should be sold by Internet data brokers to anyone willing to pay. Indistinguishable from sales of sports scores or stock quotes that to me is a no-brainer. There is no legitimate reason why my Social Security number should be sold or used by a business without a relationship with me, and without my knowledge and consent, period, end of debate. There are some uses of Social Security numbers that many people agree provide benefits beyond the potential for harm. Locating criminals, locating witnesses, enforcing child support obligations, and other purposes are clearly legitimate. 
It gets more difficult when we are talking about locating people, generally confirming identity outside of fraud prevention, and marketing just generic products and services. The potential for harm, which has been well documented by this committee, raises serious questions about using Social Security numbers for those purposes. I expect this committee will consider legislation on Social Security numbers this year. I want to repeat that. I expect this committee will consider legislation on Social Security numbers this year. I hope the Ways and Means Committee will also act on an important bill by Congressman Clay Shaw, one of their subcommittee chairmen. And I support his effort to get that bill out of the Ways and Means Committee. But I intend to use the jurisdiction of the Energy and Commerce Committee to move a Social Security bill out of this committee this year. We have a very distinguished group of witnesses here today to work through some of these issues. I want to thank all of you for participation and, in particular, I want to thank Commissioner Leibowitz who has been with us before. I understand that you have made some significant changes to your schedule to be here, and I appreciate it. I look forward to the testimony today, Mr. Chairman. I yield back the 3 minutes and 35 seconds that I have already overextended.

[The prepared statement of Hon. Joe Barton follows:]

PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON ENERGY AND COMMERCE

Thank you, Mr. Chairman, for holding this hearing today. I made a commitment to Congressman Markey at the Full Committee markup on data security to address the issue of Social Security number privacy. I share Mr. Markey's concerns about widespread abuse of Social Security numbers and believe, like him, that not enough is being done to protect this unique personal identifier.
The DATA Act, recently reported out of this Committee, goes a long way toward ensuring proper security for databases that contain Social Security numbers and other personal information. I am proud of this Committee's work on that bill and will continue my efforts to see that bill move to the House floor. While the DATA Act is a very important component of protecting social security numbers and sensitive personal data, the bill does not address the issues surrounding the use of Social Security numbers. There are a number of complex issues to consider in this area. The nature of business has evolved over the past several decades to serve a population that engages much more frequently in interstate commerce. The rise of the Internet has popularized electronic commerce. Also rising is the risk of criminal activity, and for crooks, a Social Security number is the key to the bank. Twenty years ago, nobody thought much about showing the Social Security number on a driver's license or about a store clerk writing it on our checks. Now we know that number is an integral part of our identity, and lots of people want to steal our identity. Our economic system allows us to conduct transactions anywhere and anytime, and almost instantaneously. In this world of e-commerce, companies have to know who they're dealing with. That's why they believe a consumer's Social Security number is a necessary component to many transactions. Because it has evolved to become a unique and required identifier for almost every significant aspect of our lives, its value is even more important than simply a claim on a future government retirement check. Because it is so important, Congress may need to act to put in place new protections. I recognize that removing the link between our Social Security number and our personal accounts is difficult, and maybe it will turn out to be impractical, too. 
What I want is the development of an alternative, and then we can judge the suitability of removing Social Security numbers altogether. Sometimes, using Social Security numbers as commercial identifiers speeds business, and that's a benefit to companies, to consumers, and to the economy. That said, there are also many situations in which there is no apparent reason or consumer benefit to providing a Social Security number. This Committee has looked at many issues in this area, and will continue to consider others. We continue to wonder, for example, whether businesses can or should require consumers to provide a Social Security number in order to buy a product or service? If so, which businesses? Further, once a business has a consumer's Social Security number, can they share it? Can they even sell it, and to whom? Having your number is one thing. Selling it, I think, is another. And how should a company go about getting a person's consent to transfer a Social Security number to another entity? These are important questions to which there are not always simple answers. But one question to which there IS an easy answer is whether our Social Security numbers should be sold by Internet data brokers to anyone willing to pay, indistinguishable from sales of sports scores or stock quotes. That's a no-brainer. There is no legitimate reason why my number should be sold or used by a business without a relationship with me, and without my knowledge and consent. There are some uses of Social Security numbers that many people would agree provide benefits far beyond the potential for harm. Locating criminals, locating witnesses, enforcing child support obligations, and other noble purposes are clearly legitimate. It gets more difficult when we are talking about locating people generally, confirming identity (outside of the fraud prevention context), and marketing products and services. 
The potential for harm, which has been well documented by this Committee, raises serious questions about using Social Security numbers for these services. I expect this Committee will consider legislation on Social Security numbers later this year. I hope the Ways and Means Committee will also act on an important bill by Congressman Clay Shaw and send us the part that is in this committee's jurisdiction. We have a very distinguished group of witnesses here today to work through some of these issues with us. I want to thank you all for your participation. In particular, I want to thank Commissioner Leibowitz. I understand you made some significant changes to your schedule to be here and we do appreciate it. I look forward to the testimony today and yield back the balance of my time.

MR. STEARNS. And I thank the Chairman for his leadership. The Ranking Member, Ms. Schakowsky, is recognized.

MS. SCHAKOWSKY. Thank you, Chairman Stearns. I apologize for being late. I had an amendment to address. I also want to thank Mr. Markey for his great leadership on this issue, and I am very encouraged by Chairman Barton's remarks. First, let me say that the topic of protecting consumers' privacy could not be timelier. Before I get into the subject of our hearing, I want to say a few, not as clever as Mr. Markey, things today about the latest instance of big business jumping into bed with big brother. That was my effort. As the USA Today article on NSA: "NSA has a massive database of Americans' phone calls. Telecoms help government collect billions of domestic records," reveals AT&T, BellSouth and Verizon have been providing the records of millions of Americans to the National Security Agency without consumers' knowledge or consent. We have entered a time where consumers' rights and privacy are for sale, and it turns out the Government may be the best customer.
In our fight to protect consumers from unsavory characters, like ID thieves, we also need to fight the erosion of our civil liberties of what our government is doing. With that said, I do believe today's hearing is important because protecting Social Security numbers is vital in the fight for consumers' privacy in the fight against identity theft. I think it is important that our subcommittee delve into how the Social Security number is used and explore legislative solutions to curb the overuse and abuse of it. Unfortunately, Chairman Stearns, our States, Florida and Illinois, have ranked in the top 10 for number of victims of identity theft each year for the last 3 years. A recent report by the Government Accountability Office refers to the Social Security number as "The identifier of choice for public and private entities." It went on to say that the Social Security number is the most sought-after information by identity thieves. Many in the financial, housing, and insurance and other industries claim they need consumers' Social Security numbers to protect their business and supposedly consumers from risk. However, the reality is that requiring Social Security numbers for everything from opening a bank account to signing a cell phone contract, as Chairman Barton experienced, shifts all the risk to the consumer and all the advantages to ID thieves. Having a consumer Social Security number is like having the master key to his or her life. It can throw open the door to detailed financial information, unlock your private medical information, and in at least one tragic instance, provided the stalker of Amy Boyer with where she would be and at what time. He used that information to end her life. While most of us give our Social Security numbers to whatever business asks for it without question, or at least many of us do, we should be asking a lot of questions. Why does a landlord need the master key to my life to rent me an apartment? 
Does my doctor really need to store my health care records under my Social Security number? What does an insurance company use my Social Security number for? And why is it that with more and more transactions, I am being required to give my Social Security number and put my finances, personal safety, and medical privacy in jeopardy? We are all so used to being asked for our numbers, we may not give enough thought to what that other party does with the Social Security number. That company may sell them. The numbers may be sent over the Internet for legitimate purposes but may not be protected in those transmissions. Our new accounts often stay linked to our Social Security numbers. The numbers may be displayed on forms or files that are not adequately protected. And as the GAO points out, even government agencies aren't keeping them as safe and secure as they should. This should give everyone pause. If we can limit how other parties use our numbers, then we can establish a good framework to prevent the misuse of the key to our personal financial information. We know that identity theft is financially and emotionally devastating. Anyway, that is why I am glad that we are considering what we can do to protect consumers. I am proud to support Mr. Markey's bill, H.R. 1078, the Social Security Number Protection Act, which would restrict the display and sale of Social Security numbers, and I hope today's hearing is just the beginning of our discussions but will lead to a concrete proposal and passage of a bill in the end. I thank you for this hearing and look forward to hearing from our witnesses.

MR. STEARNS. I thank the gentlelady. The gentleman from New Hampshire.

MR. BASS. Thank you very much, Mr. Chairman. This is a very relevant and important hearing. Amy Boyer was my constituent. She was murdered in 1999. The stalker and murderer bought her Social Security number over the Internet and other information about her.
The other day I went to a well-known retailer to purchase a clothes dryer, and in order to get a $50 rebate, I had to give the retailer my Social Security number. I don't know whether that was really relevant, but I had to. My daughter, at the age of 6 or 7 years old, signed up for travel soccer, and she could not participate in travel soccer without giving her Social Security number. The Social Security number was created, as has been said by the Chairman, back in the 1930s for purposes of identifying people who qualified for a defined benefit retirement program. Clearly, the use of these numbers is totally out of control at this point. I am heartened by Chairman Barton's commitment to move a bill in this Congress that will move decisively to protect the holders of Social Security numbers who have that Social Security number not because it is a privilege, like a driver's license or any other kind of document, but that it is a requirement that every American have, and that this number is then used for all sorts of different purposes that are not generic to its original issuance. So I welcome the Commissioner of the Federal Trade Commission here today and the other witnesses that will be appearing, and I thank you for having this hearing.

MR. STEARNS. I thank the gentleman. The gentleman from Georgia, Mr. Deal.

MR. DEAL. I waive.

MR. STEARNS. The gentleman waives his opening statement. With that, we move to the first panel and we recognize the Federal Trade Commission, the Honorable Jon Leibowitz, Commissioner. And if you will just pull the mike close to you, turn it on, we welcome you with your opening statement.

STATEMENT OF HON. JON LEIBOWITZ, COMMISSIONER, FEDERAL TRADE COMMISSION

MR. LEIBOWITZ. Chairman Stearns, Ranking Member Schakowsky, Ms. DeGette, Mr. Bass, Mr.
Deal, it is always a pleasure to come back to this committee, whether in the context of helping to prohibit telephone pretexting, stop spam or spyware, or determine the best ways to address the uses and, obviously, the misuses, of Social Security numbers. Today I will be talking about that aspect of privacy, the balance between the benefits of Social Security numbers and the harms that misuse can cause. That is really at the heart of the debate, and I commend you for holding this hearing. With your permission, I ask that my full written statement be submitted for the record. My oral remarks, though, are my own comments, and do not necessarily reflect the views of the Commission or any other individual commissioner.

MR. STEARNS. So ordered.

MR. LEIBOWITZ. Thank you. At the FTC, we take our obligation to protect privacy very, very seriously. We have brought more than a dozen cases involving data security as well as six spyware and adware cases--we have several more in the pipeline--almost 20 financial and cell phone pretexting cases, and more than 80 spam cases. Just yesterday, we announced a complaint, together with a settlement, against a major real estate services firm, Nations Title, that failed to safeguard information properly and disposed of that information cavalierly. Among other things, we allege that the company threw out detailed customer files, which included Social Security numbers, in a dumpster just outside of its corporate headquarters. Just think about that for a minute. As you know, Social Security numbers do serve many important functions. For example, the credit reporting system hinges on the availability of Social Security numbers to match consumers accurately with their financial information. Other uses of Social Security numbers include locating lost beneficiaries and collecting child support. Indeed, SSNs are often used to prevent fraud.
But Social Security numbers are a substantial contributor to the worst form of identity theft: Having new accounts opened in your name. Not surprisingly, Americans today are very concerned about protecting their identities. And rightly so. I think as you mentioned, Mr. Chairman, about 10 million people each year are victims of identity theft, and more than 3 million people each year have new accounts opened fraudulently in their names. If your identity is stolen, you may struggle for months or years to clear your name, and the emotional impact can be severe. American businesses pay a heavy price as well, as someone mentioned, I think it was Mrs. Blackburn, $50 billion a year in costs. The key, then, is to find the right balance between permitting the beneficial uses of Social Security numbers while keeping them out of the hands of criminals and other people who shouldn't have them. There is no panacea, of course, but it helps to approach the problem in a multifaceted way. Users of Social Security numbers should migrate, I think, towards using less sensitive identifiers whenever possible. For example, some colleges still use SSNs on ID cards, though doing so is clearly unnecessary. And Chairman Barton mentioned his experience when he was getting a cell phone. My wife had exactly the same experience just a few weeks ago at Tyson's Corner, where she was asked to say in public what her Social Security number was, and it was very troubling to her. And I don't want to say that the Social Security number wasn't necessary in that circumstance, but companies overall do need to do a better job of securing consumer data. They have a fundamental legal responsibility to do so. The Commission, of course, can sue firms that misrepresent their security procedures or fail to take reasonable steps to secure or dispose of sensitive information. Two of our most recent cases, as you know, Mr. 
Chairman, ChoicePoint and Card Systems, involved massive data breaches that led to numerous instances of identity theft. In each, the Commission alleged that the company failed to take reasonable measures to protect consumer information, including, in ChoicePoint, Social Security numbers. These actions, along with Nations Title, are just the most recent in a long line of cases that send a message to businesses: protect consumers' personal information. And you can further strengthen our hand and help ensure that Social Security numbers are better protected from fraud by enacting strong data security legislation that requires all businesses to safeguard sensitive personal information, gives notice to consumers if there is a breach-- whether under your reasonable risk standard or the significant risk standard that we suggested last year--and allows us to fine companies that don't live up to their legal obligations. Consumer and business education are also critical. We receive between 15,000 and 20,000 contacts each week from people seeking advice on avoiding identity theft or coping with its consequences. We provide information and assistance to simplify the recovery process. The Commission also works with the business community to try to promote a culture of security. Yesterday, I was in our calling center when a man phoned in. He was very anxious because his Social Security number had just been discovered on a suspect arrested by the police. He was worried that his identity had been stolen. And our staff did a terrific job with him, gave him the appropriate advice, including putting a fraud alert on his credit report. Also yesterday, we launched a major new campaign designed to give advice to anyone who wants to learn about identity theft, and it is entitled "Deter, Detect, and Defend." It is a tool kit that provides specific suggestions so consumers can prevent identity theft before it happens and reduce the damage after it occurs. 
It is available in both English and Spanish. It is very, very good, and we have a handful of packets here for Members and staff and we will bring them up to the dais. Finally, the Commission assists criminal law enforcement through our operation of the Identity Theft Clearinghouse, a nationwide database that includes more than a million identity theft complaints. Law enforcers ranging from the FBI to the Postal Service to local sheriffs use the clearinghouse to aid in their investigations. Mr. Chairman, determining how best to keep Social Security numbers out of the hands of wrongdoers, without giving up the benefits that their use provides, is a daunting challenge, and there is no simple solution. Still, by working together, there is much that we can do. This committee, as always on privacy matters, will be crucial to striking the appropriate balance. Thank you so much. I am happy to answer any questions.

[The prepared statement of Hon. Jon Leibowitz follows:]

PREPARED STATEMENT OF THE HON. JON LEIBOWITZ, COMMISSIONER, FEDERAL TRADE COMMISSION

I. INTRODUCTION

Mr. Chairman, Ms. Schakowsky, and members of the Subcommittee, I am Jon Leibowitz, Commissioner of the Federal Trade Commission ("FTC" or "Commission"). I appreciate the opportunity to present the Commission's views on identity theft and Social Security numbers ("SSNs"). The Commission has a broad mandate to protect consumers generally and to combat identity theft specifically. Controlling identity theft is an issue of critical concern to all consumers - and to the Commission. The FTC serves a key role as the central repository for identity theft complaints, facilitates criminal law enforcement in detecting and prosecuting identity thieves, and provides extensive victim assistance and consumer education. In recognition of the need to protect sensitive consumer information and prevent identity theft, the FTC recently created a new Division of Privacy and Identity Protection.
This division - which consists of staff with expertise in privacy, data security, and identity theft - addresses cutting-edge consumer privacy matters through aggressive enforcement, as well as rulemaking, policy development, and outreach to consumers and businesses. This testimony describes the ways in which SSNs are collected and used, their relationship to identity theft, current laws that restrict the use or transfer of consumers' personal information, and the Commission's efforts to help consumers avoid identity theft or remediate its consequences.

II. THE IDENTITY THEFT PROBLEM

Identity theft is a pernicious crime that harms both consumers and businesses. Recent surveys estimate that nearly 10 million consumers are victimized by some form of identity theft each year. The costs of this crime are staggering. The Commission's 2003 survey estimated that identity theft cost businesses approximately $50 billion, and cost consumers an additional $5 billion in out-of-pocket expenses, over the twelve-month period prior to the survey. The 2003 survey looked at two major categories of identity theft: (1) misuse of existing accounts; and (2) the creation of new accounts in the victim's name. The 2003 survey found that the costs imposed by new account fraud were substantially higher than the misuse of existing accounts.

III. USES AND SOURCES OF SOCIAL SECURITY NUMBERS

SSNs today play a vital role in our economy. With 300 million American consumers, many of whom share the same name, the unique 9-digit SSN is a key identification tool for businesses, government, and others. For example, consumer reporting agencies use SSNs to ensure that the data furnished to them is placed in the correct file and that they are providing a credit report on the correct consumer. Businesses and other entities use these reports to evaluate the risk of providing to individuals services, such as credit, insurance, home rentals, or employment.
Timely access to consumer credit, as well as the overall accuracy of credit reporting files, could be compromised if SSNs could not be used to match consumers to their financial information. Additionally, SSNs are used in locator databases to find lost beneficiaries, potential witnesses, and law violators, and to collect child support and other judgments. SSN databases also are used to fight identity fraud - for example, to confirm that an SSN provided by a loan applicant does not, in fact, belong to someone who is deceased. Without the ability to use SSNs as a personal identifier and fraud prevention tool, the granting of credit and the provision of other financial services would become riskier and more expensive and inconvenient for consumers. SSNs are available from both public and private sources. Public records in city and county government offices across the country, including birth and death records, property records, tax lien records, voter registrations, licensing records, and court records, often contain consumers' SSNs. Increasingly, these records are being placed online where they can be accessed easily and anonymously. There also are a number of private sources of SSNs, including consumer reporting agencies that include name, address, and SSN as part of the "credit header" information on consumer reports. Data brokers also collect personal information, including SSNs, from a variety of sources and compile and resell that data to third parties. The misuse of SSNs, however, can facilitate identity theft. For example, new account fraud - the most serious form of identity theft - is often possible only if the thief obtains the victim's SSN. The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves, while giving businesses and government entities sufficient means to attribute information to the correct person. 
Restrictions on disclosure of SSNs also could have a broad impact on such important purposes as public health, criminal law enforcement, and anti-fraud and anti-terrorism efforts. Moreover, as referenced above, regulation or restriction of the availability of SSNs in public records poses substantial policy and practical concerns.

IV. CURRENT LAWS RESTRICTING THE USE OR DISCLOSURE OF SOCIAL SECURITY NUMBERS

There are a variety of specific statutes and regulations that restrict disclosure of certain consumer information, including SSNs, in certain contexts. In addition, under some circumstances, entities are required to have procedures in place to ensure the security and integrity of sensitive consumer information such as SSNs. Three statutes that protect SSNs from improper access fall within the Commission's jurisdiction: Title V of the Gramm-Leach-Bliley Act ("GLBA"); Section 5 of the Federal Trade Commission Act ("FTC Act"); and the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), amending the Fair Credit Reporting Act ("FCRA").

A. The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act ("GLBA") imposes privacy and security obligations on "financial institutions." Financial institutions are defined broadly as those entities engaged in "financial activities" such as banking, lending, insurance, loan brokering, and credit reporting.

1. Privacy of Consumer Financial Information

In general, financial institutions are prohibited by Title V of the GLBA from disclosing nonpublic personal information, including SSNs, to non-affiliated third parties without first providing consumers with notice and the opportunity to opt out of the disclosure. However, the GLBA includes a number of statutory exceptions under which disclosure is permitted without having to provide notice and an opt-out.
These exceptions include consumer reporting (pursuant to the FCRA), fraud prevention, law enforcement and regulatory or self-regulatory purposes, compliance with judicial process, and public safety investigations. Entities that receive information under an exception to the GLBA are subject to the reuse and redisclosure restrictions of the GLBA Privacy Rule, even if those entities are not themselves financial institutions. In particular, the recipients may only use and disclose the information "in the ordinary course of business to carry out the activity covered by the exception under which . . . the information [was received]." Entities can obtain SSNs from consumer reporting agencies, generally from the credit header data on the credit report. However, because credit header data is typically derived from information originally provided by financial institutions, entities that receive this information generally are limited by the GLBA's reuse and redisclosure provision.

2. Required Safeguards for Customer Information

The GLBA also requires financial institutions to implement appropriate physical, technical, and procedural safeguards to protect the security and integrity of the information they receive from customers, whether directly or from other financial institutions. The FTC's Safeguards Rule, which implements these requirements for entities under FTC jurisdiction, requires financial institutions to develop a written information security plan that describes their procedures to protect customer information. Given the wide variety of entities covered, the Safeguards Rule requires a plan that accounts for each entity's particular circumstances - its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
It also requires covered entities to take certain procedural steps (for example, designating appropriate personnel to oversee the security plan, conducting a risk assessment, and overseeing service providers) in implementing their plans.

B. Section 5 of the FTC Act

Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." Under the FTC Act, the Commission has broad jurisdiction over a wide variety of entities and individuals operating in commerce. Prohibited practices include making deceptive claims about one's privacy procedures, including claims about the security provided for consumer information. In addition to deception, the FTC Act prohibits unfair practices. Practices are unfair if they cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumers nor offset by countervailing benefits to consumers or competition. The Commission has used this authority to challenge a variety of injurious practices, including companies' failure to provide reasonable and appropriate security for sensitive customer data. The Commission can obtain injunctive relief for violations of Section 5, as well as consumer redress or disgorgement in appropriate cases.

C. The Fair and Accurate Credit Transactions Act of 2003

The FACT Act amended the FCRA to include a number of provisions designed to increase the protection of sensitive consumer information, including SSNs. One such provision required the banking regulatory agencies, the NCUA, and the Commission to promulgate a coordinated rule designed to prevent unauthorized access to consumer report information by requiring all users of such information to have reasonable procedures to dispose of it properly and safely. This Disposal Rule, which took effect on June 1, 2005, should help minimize the risk of improper disclosure of SSNs.
In addition, the FACT Act requires consumer reporting agencies to truncate the SSN on consumer reports at the consumer's request when providing the reports to the consumer. Eliminating the unnecessary display of this information could lessen the risk of it getting into the wrong hands.

D. Other Laws

Other federal laws not enforced by the Commission regulate certain other specific classes of information, including SSNs. For example, the Driver's Privacy Protection Act ("DPPA") prohibits state motor vehicle departments from disclosing personal information in motor vehicle records, subject to fourteen "permissible uses," including law enforcement, motor vehicle safety, and insurance. The Health Information Portability and Accountability Act ("HIPAA") and its implementing privacy rule prohibit the disclosure to third parties of a consumer's medical information without prior consent, subject to a number of exceptions (such as, for the disclosure of patient records between entities for purposes of routine treatment, insurance, or payment). Like the GLBA Safeguards Rule, the HIPAA Privacy Rule also requires entities under its jurisdiction to have in place "appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."

E. FTC Enforcement Actions

Over the past year or so, reports have proliferated about information compromises at U.S. businesses, universities, government agencies, and other organizations that collect and store sensitive consumer information, including SSNs. Some of these incidents reportedly have led to identity theft, confirming that security breaches can cause real and tangible harm to consumers, businesses, and other institutions. Since 2001, the Commission has brought thirteen cases challenging businesses that have failed to take reasonable steps to protect sensitive consumer information in their files.
Two of the Commission's most recent law enforcement actions arose from high-profile data breaches that occurred last year. In the first case, the Commission alleged that a major data broker, ChoicePoint, Inc., failed to use reasonable procedures to screen prospective subscribers and monitor their access to sensitive consumer data, in violation of the FCRA and the FTC Act. The Commission's complaint alleged that ChoicePoint's failures allowed identity thieves to obtain access to the personal information of over 160,000 consumers, including nearly 10,000 consumer reports. In settling the case, ChoicePoint agreed to pay $10 million in civil penalties for the FCRA violations - the highest civil penalty ever levied in a consumer protection case - and $5 million in consumer redress for identity theft victims. The Order also requires ChoicePoint to implement a number of strong data security measures, including bi-annual audits to ensure that these security measures are in place. In the second action, the Commission reached a settlement with CardSystems Solutions, Inc., the card processor allegedly responsible for last year's breach of credit and debit card information for Visa and MasterCard, which exposed tens of millions of consumers' credit and debit numbers. This case addresses the largest known compromise of sensitive financial data to date. As in the ChoicePoint case, the FTC alleged that CardSystems engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer data. These settlements provide important protections for consumers and also provide important lessons for industry about the need to safeguard consumer information.

V. THE COMMISSION'S EFFORTS TO COMBAT IDENTITY THEFT

In addition to our efforts to ensure that businesses take reasonable steps to safeguard sensitive consumer information, the Commission works in many other ways to address the identity theft problem.
Pursuant to the 1998 Identity Theft Assumption and Deterrence Act ("the Identity Theft Act"), the Commission has implemented a program that assists consumers, businesses, and other law enforcers.

A. Working with Consumers

The Commission hosts a toll-free hotline, 1-877-ID THEFT, and a secure online complaint form on its website, www.consumer.gov/idtheft, for consumers concerned about identity theft. Every week, the Commission receives about 15,000 to 20,000 contacts from victims and consumers seeking information on how to avoid identity theft. The callers to the hotline receive counseling from trained personnel who provide information on steps they can take both to prevent identity theft and to resolve problems resulting from the misuse of their identities. Victims are advised to: (1) obtain copies of their credit reports and have a fraud alert placed on them; (2) contact each of the creditors or service providers with which the thief has established or accessed an account to request that the account be closed and to dispute any associated charges; and (3) report the theft to the police and, if possible, obtain a police report. The police report is useful in demonstrating to purported creditors and debt collectors that the consumer is a victim of identity theft, and serves as an "identity theft report" that can be used for exercising various victims' rights granted by the FACT Act. The Commission's identity theft website, www.consumer.gov/idtheft, has an online complaint form where victims can enter their complaints into the Clearinghouse. The Commission also has taken the lead in developing and disseminating identity theft-related consumer education materials, including an identity theft primer, ID Theft: What It's All About, and a victim recovery guide, Take Charge: Fighting Back Against Identity Theft.
The Commission alone has distributed more than 2.1 million copies of the Take Charge booklet (formerly known as ID Theft: When Bad Things Happen To Your Good Name) since its release in February 2000 and has recorded more than 2.4 million visits to the Web version. The Commission also maintains the identity theft website, www.consumer.gov/idtheft, which provides publications and links to testimony, reports, press releases, identity theft-related state laws, and other resources. Last fall, the Commission, together with partners from law enforcement, the technology industry, and nonprofits, launched OnGuard Online, an interactive, multi-media resource for information and up-to-the minute tools on how to recognize Internet fraud, avoid hackers and viruses, shop securely online, and deal with identity theft, spam, phishing, and file-sharing. In addition, yesterday the Commission launched a major new consumer education campaign called Deter, Detect, and Defend - Fighting Back Against Identity Theft. The campaign provides specific information on what consumers can do to reduce their risk of falling victim to ID theft, keep a close eye on their personal information, and move quickly to minimize the damage if identity theft occurs. The centerpiece of the campaign is a turnkey toolkit, available in both English and Spanish, that gives consumers resources for teaching clear, actionable tips on how to avoid becoming a victim of identity theft, protect their sensitive financial information, and reduce the damage should they suspect ID theft. The Commission will join with partners in the public and private sectors, including other federal agencies, industry associations, and consumer and civic organizations to make this information available where it is needed - in neighborhoods, at the workplace and on campuses across the country. The Commission also has developed ways to simplify the recovery process. 
One example is the ID Theft Affidavit, included in the Take Charge booklet and on the website. This standard form was developed in partnership with industry and consumer advocates for victims to use in resolving identity theft debts. To date, the Commission has distributed more than 293,000 print copies of the Affidavit and has recorded more than 1.1 million hits to the Web version.

B. Working with Industry

The private sector can play a key role in combating identity theft by reducing its incidence through better security and authentication. The Commission works with institutions to promote a "culture of security" by identifying ways to spot risks to the information they maintain and keep it safe. Among other things, the Commission has disseminated advice for businesses on reducing risks to their computer systems and on compliance with the Safeguards Rule. Our emphasis is on preventing breaches before they happen by encouraging businesses to make security part of their regular operations and corporate culture. The Commission also has published Information Compromise and the Risk of Identity Theft: Guidance for Your Business, a booklet on managing data compromises. This publication provides guidance on when it would be appropriate for an entity to notify law enforcement and consumers in the event of a breach of personal information.

In 2003, the Commission held a workshop that explored the challenges consumers and industry face in securing their computers. Titled "Technologies for Protecting Personal Information: The Consumer and Business Experiences," the workshop also examined the role of technology in meeting these challenges. Workshop participants, including industry leaders, technologists, researchers on human behavior, and representatives from consumer and privacy groups, identified a range of challenges in safeguarding information and proposed possible solutions.

C. Working with Law Enforcement

A primary purpose of the Identity Theft Act was to provide law enforcement with access to a centralized repository of identity theft victim data to support their investigations. The Commission operates this database as a national clearinghouse for complaints received directly from consumers and through numerous state and federal agencies, including the Social Security Administration's Office of Inspector General. With over 1.1 million complaints, the Clearinghouse provides a detailed snapshot of current identity theft trends as reported by the victims themselves. The Commission publishes data annually showing the prevalence of complaints broken out by state and city.

Since its inception, over 1,400 law enforcement agencies have registered for access to the Clearinghouse database. Individual investigators within those agencies can access the system from their desktop computers 24 hours a day, seven days a week. The Clearinghouse also gives access to training resources, and enables users to coordinate their investigations.

The Commission also encourages use of the Clearinghouse through training seminars offered to law enforcement. In cooperation with the Department of Justice, the U.S. Postal Inspection Service, the U.S. Secret Service, and the American Association of Motor Vehicle Administrators, the Commission began organizing full-day identity theft training seminars for state and local law enforcement officers in 2002. To date, this group has held 20 seminars across the country. More than 2,880 officers have attended these seminars, representing over 1,000 different agencies. This week three new seminars are being held in California.

To further assist law enforcers, the Commission staff developed an identity theft case referral program.
The staff creates preliminary investigative reports by examining patterns of identity theft activity in the Clearinghouse, and refers the reports to financial crimes task forces and others for further investigation and possible prosecution. In addition, analysts from the FBI, U.S. Secret Service, and Postal Inspection Service work on-site at the FTC, developing leads and supporting ongoing investigations for their agencies.

VI. CONCLUSION

The crime of identity theft is a scourge, causing enormous damage to businesses and consumers. The unauthorized use of consumers' SSNs is an important tool of identity thieves, especially those seeking to create new accounts in the victim's name. Although current laws place some restrictions on the use or disclosure of SSNs by certain entities under certain circumstances, this information is still otherwise available from both public and private sources, thereby enabling identity thieves to obtain SSNs through legal means as well as illegal means. At the same time, SSNs are an important driver of our market system. Businesses and others rely on SSNs to provide many important benefits for consumers and to fight identity theft.

There are a number of things that government, industry, and consumers can do to help stem the tide of identity theft. First, both government and industry need to consider what information they collect and maintain from or about consumers and whether they need to do so. Entities that possess sensitive consumer information should continue to enhance their procedures to protect it. The Commission will continue its law enforcement and outreach efforts to encourage and, when necessary, require better protections. Second, industry should continue the development of improved fraud prevention methods to stop identity thieves from misusing the consumer information they have managed to obtain.
In this regard, the FACT Act should prove instrumental by requiring the bank regulatory agencies, the NCUA, and the FTC to develop jointly regulations and guidelines for financial institutions and creditors to identify possible risks of identity theft. Third, the Commission will continue and strengthen its efforts to empower consumers by providing them with the knowledge and tools to protect themselves from identity fraud and to deal with the consequences when it does occur. As discussed above, new consumer rights granted by the FACT Act should help consumers minimize the damage. Finally, the Commission will continue to assist criminal law enforcement in detecting and prosecuting identity thieves. The prospect of serious jail time hopefully will discourage those considering identity theft from perpetrating this crime.

The Commission looks forward to continuing to work with Congress to address ways to reduce identity theft.

MR. STEARNS. Thank you, Mr. Commissioner. I will start here with the questions. We have a vote, but I think we can make progress here with a couple. Let's say that Congress decided in the bill to restrict the use of Social Security numbers in commerce so we wouldn't have the thing with Mr. Bass' daughter, or Chairman Barton getting a new cell phone, or your wife, or anything like that. What would be the cost? Would it be a lot of cost for industry to stop using that as an identifier? And what else would be the identifier? Would it be something like a State-issued driver's license number? What could you predict in the future?

MR. LEIBOWITZ. If you immediately banned all Social Security number use in a commercial context tomorrow, some businesses would be able to switch, I think, from Social Security numbers to other identifiers. There might be some dislocation.
The Social Security number is the most underprotected and overused identifier in America today, but if you banned them entirely, there would be a lot of dislocation and a lot of legitimate transactions that use a Social Security number to identify who someone is so that they can get, for example, a mortgage or credit, would be hard to do. It might not be hard with Jon Leibowitz, there aren't too many of us out there, but there are 23,000 Michael Smiths in America. So making sure you have the right one can be challenging.

MR. STEARNS. What would the identifier be, if it wouldn't be the Social Security number?

MR. LEIBOWITZ. Well, I don't think we know that. If you banned the Social Security number, perhaps a variety of different identifiers would take their place. There might be one new identifier that would begin to dominate the market, and then you would have some of the same problems with the new identifier that you have today with Social Security numbers.

MR. STEARNS. So the President signs the bill today and it prohibits, let's say, starting tomorrow, business from refusing to do business with a consumer without receipt of a Social Security number. What would the consumer transaction look like then?

MR. LEIBOWITZ. Again, many consumer transactions are done without Social Security numbers, and some consumer transactions are done with Social Security numbers that don't need to be.

MR. STEARNS. I know in Florida we have these very sophisticated licenses with pictures and holograms and everything, and that is getting to be much used. The number on the license is being used.

MR. LEIBOWITZ. Well, that might become--

MR. STEARNS. The new identifier.

MR. LEIBOWITZ. The default identifier. It sounds like Florida has a fairly sophisticated identifier for its license.
And what might happen, and I think the bills that you are considering in this committee, whether it is the Shaw bill or the Markey bill, have a series of exemptions--for law enforcement, for national security, for emergencies, or with the consent of consumers. And I know in the Markey bill, at least there is sort of a catch-all provision that would allow us to set up the regulations for appropriate commercial uses. So if President Bush signed a bill, presumably it would have this committee's imprimatur and it would strike the appropriate balance.

MR. STEARNS. Let me, just for a moment, talk about Mr. Markey's bill, H.R. 1078. Does this bill give the FTC the authority to write a regulatory exception for fraud prevention purposes?

MR. LEIBOWITZ. Yes. I mean we would want to work with this committee, but the short answer is yes, it would. It is a good point of departure to start a debate in this committee for what that law should look like.

MR. STEARNS. In dealing with the Shaw bill, is there any aspect about it that you feel would be not workable; that should be changed at all?

MR. LEIBOWITZ. Well, Mr. Chairman, I am not as familiar with the Shaw bill, because that is in the Ways and Means Committee. I do know it is similar in many ways to Mr. Markey's bill. I believe it has a provision that would drop Social Security numbers below the line, and that may cause a fair amount of dislocation, because some people don't need an entire credit report. This might force or encourage more people to get such credit reports, which includes even more sensitive personal information. And if you dropped it below the line, I believe, and made it part of the Fair Credit Reporting Act, you would need to think about appropriate exemptions because the FCRA doesn't have an exemption for law enforcement. And I think that would be very, very useful, certainly from our perspective as a civil law enforcement agency.

MR. STEARNS. This is my last question.
If a private entity adds a Social Security number from a public record to a database, should that public information, that public record information necessarily be treated differently suddenly because you add a Social Security number to it than other nonpublic information in a database?

MR. LEIBOWITZ. If I understand your question, I think under current law, you should look to where the information came from. So if the information is a Social Security number and came from a public database, it should be continued to be treated as such. The information in the database, which may be under Gramm-Leach-Bliley's reuse and redisclosure provisions, or maybe under the FCRA, should be treated under that statute.

MR. STEARNS. My time has expired. Ms. Schakowsky.

MS. SCHAKOWSKY. Thank you. I want to ask what legislative measures do you think would be effective in better securing, in general, consumers' financial information, I mean, considering data security legislation?

MR. LEIBOWITZ. Well, I think you put your finger on it. The data security legislation that came out of this committee unanimously would go a long way towards ensuring that all businesses maintain safeguards for sensitive consumer information, and it would give us the club of civil penalties--or fines--to go after those who don't honor their obligations under the law. So we are very supportive of strong data security legislation.

MS. SCHAKOWSKY. We have heard from a number of industries that the differences between significant and reasonable risk is a trigger from when notification should go out to consumers when their information is breached is itself significant. I wondered if you see the difference between the two as dramatically different.

MR. LEIBOWITZ. Speaking for myself, I think the most important thing, and again, this was actually a debate we had internally in the Commission when we made a recommendation, the most important thing is to have a trigger.
You don't want every breach to require a notification to consumers because some breaches really don't raise any possibilities of harm. From our perspective, we went back and forth and we came up with significant risk, and we think that is a pretty good standard. I don't see a whole lot of difference between significant risk and reasonable risk. They both have a trigger and they both seem, from my perspective at least, workable.

MS. SCHAKOWSKY. You may have said this already, but when do you think that the sale of Social Security numbers is good or useful, or is there a time?

MR. LEIBOWITZ. I think Social Security numbers have a lot of use in commerce and for commercial transactions. There are a lot of times when it involves credit, mortgages.

MS. SCHAKOWSKY. The sale of Social Security numbers?

MR. LEIBOWITZ. The sale of Social Security numbers? They have very legitimate uses in commercial transactions. Having said that, we also think they are overused and they are underprotected. So we look forward to working with you in trying to strike the appropriate balance, should you move legislation forward.

MS. SCHAKOWSKY. Great. I have no more questions. I can yield back.

MR. STEARNS. I thank the gentlewoman. The gentleman from New Hampshire.

MR. BASS. No questions.

MR. STEARNS. Commissioner, I think you are all done, and so we will move to the second panel. But, of course, we have a vote here in 6 minutes, so we will take a temporary recess. If the second panel will come forward, I think we have 2 or 3 votes and we will come back in a short amount of time. Thank you for your patience.

[Recess.]

MR. STEARNS. The subcommittee come to order. I want to thank you for your patience for waiting. And we thought that there weren't that many votes, but it turned out there were. So from the second panel, Mr. Oliver I. Ireland, Partner with Morrison & Foerster; Ms. Susan McDonald, President of Pension Benefit Information; Ms. Lauren Steinfeld, former Associate Chief Counsel, Office of OMB; H. Randy Lively, Jr., President and CEO of American Financial Services Association; and Mr. Marc Rotenberg, Executive Director of Electronic Privacy Information Center. I don't know if you have your mike on.

STATEMENTS OF OLIVER I. IRELAND, PARTNER, MORRISON & FOERSTER, LLP, ON BEHALF OF FINANCIAL SERVICES COORDINATING COUNCIL; SUSAN McDONALD, PRESIDENT, PENSION BENEFIT INFORMATION; LAUREN STEINFELD, FORMER ASSOCIATE CHIEF COUNSELOR, OFFICE OF MANAGEMENT AND BUDGET; H. RANDY LIVELY, JR., PRESIDENT AND CEO, AMERICAN FINANCIAL SERVICES ASSOCIATION; AND MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER

MR. IRELAND. Here it is. I am here today on behalf of the Financial Services Coordinating Council, whose members are the American Bankers Association, American Council of Life Insurers, American Insurance Association, and Securities Industry Association. The FSCC represents the largest and most diverse group of financial institutions in the United States, consisting of thousands of banks, insurance companies, and investment companies and securities firms that collectively provide financial services to virtually every household in the United States. The FSCC appreciates the opportunity to be here today to discuss the use of Social Security numbers.

Financial institutions work hard to protect the confidentiality and security of Social Security numbers. While the FSCC recognizes that misuses of Social Security numbers have occurred, we believe that it is imperative to avoid restricting necessary and appropriate uses of Social Security numbers by financial institutions since they have become critically important to our efficient and cost-effective financial system. Financial institutions use Social Security numbers as a unique identifier for individuals. Broad restrictions on the use of Social Security numbers would have serious unintended consequences.
Further, there are already substantial protections for the use of Social Security numbers by financial institutions. Financial institutions do not make Social Security numbers accessible to the general public. They use Social Security numbers to combat fraud and identity theft; to assess underwriting risk, administer benefits, identify money laundering and terrorist financing, comply with Federal and State tax and securities laws; to transfer assets and accounts; to comply with deadbeat spouse laws; to verify DMV records for auto insurance; to obtain medical information used for underwriting life, disability income and long-term care insurance; to locate missing insurance beneficiaries; and to locate lost insurance policies. As the Government Accountability Office has recognized, the uniqueness and broad applicability of the Social Security number has made it the identifier of choice for government agencies and private businesses, both for compliance with Federal and State law and for business and administrative purposes. The use of Social Security numbers has become woven into the fabric of both government and commercial transactions in this country. The FSCC is concerned about the potential consequences of a broad restriction on the use of Social Security numbers. As I have already noted, a broad restriction on the use of Social Security numbers could seriously impede the delivery of important financial services and the battle against criminal activity. For example, Social Security numbers are key for fraud detection. Without a unique common identifier such as a Social Security number, we believe that identity theft ultimately would be easier, not more difficult. Further, the FSCC believes that there is no need to further restrict the use of Social Security numbers by financial institutions, given the strong Social Security number restrictions applied to these institutions under the Gramm-Leach-Bliley Act and other laws.
For example, the Gramm-Leach-Bliley Act requires financial institutions to protect the security of their numbers, their customers' Social Security numbers, and, subject to exceptions for legitimate business purposes, each customer has a right to block a financial institution from transferring his or her Social Security number to a nonaffiliated third party. In addition, this committee and other committees of Congress recently have passed additional requirements that would protect Social Security numbers at financial institutions and other institutions.

Thank you for the opportunity to be here today, and I will be happy to respond to any questions the committee may have.

MR. STEARNS. I thank you.

[The prepared statement of Oliver I. Ireland follows:]

PREPARED STATEMENT OF OLIVER I. IRELAND, PARTNER, MORRISON & FOERSTER, LLP, ON BEHALF OF FINANCIAL SERVICES COORDINATING COUNCIL

I am Oliver Ireland with Morrison & Foerster LLP testifying on behalf of the Financial Services Coordinating Council ("FSCC"), whose members are the American Bankers Association, American Council of Life Insurers, American Insurance Association, and Securities Industry Association. The FSCC represents the largest and most diverse group of financial institutions in the United States, consisting of thousands of large and small banks, insurance companies, investment companies, and securities firms. Together, these financial institutions provide financial services to virtually every household in the United States.

The FSCC very much appreciates the opportunity to submit this statement to the Subcommittee concerning the use and misuse of Social Security numbers ("SSNs"). Our comments focus on the integral role of SSNs in United States commerce; the many consumer benefits that result from the use of SSNs by financial institutions; and the potentially negative effects that could occur if undue restrictions are imposed on such use.
While the FSCC recognizes that there have been misuses of SSNs, we strongly urge that any legislation intended to address this problem be carefully targeted to specifically identified abuses, such as measures to stop identity theft. We believe it is imperative to avoid restrictions on legitimate and beneficial uses of SSNs.

Our testimony today focuses on three fundamental points:

First, following the lead of the U.S. Government for the last 65 years, businesses have legitimately used the SSN as a unique identifier of individuals, and this use is now woven into the fabric of consumer and commercial transactions throughout the country. Moreover, this legitimate use of SSNs has produced real benefits for American consumers and taxpayers, and has become critically important for a wide range of government agencies, financial institutions, hospitals, blood banks, and many other businesses, both large and small.

Second, broad restrictions on the use of SSNs could have serious unintended consequences, including: higher credit costs; increased fraud and identity theft; fundamental and costly changes to internal business operating systems; decreased consumer service; and costly delays in consumer and commercial transactions. Further restrictions on the use of SSNs may also impede law enforcement purposes, including with respect to money laundering and terrorist financing.

Third, Congress has enacted privacy and information security protections under the Gramm-Leach-Bliley Act ("GLBA") that, among other things, subject financial institutions to an affirmative and continuing obligation to protect the security and confidentiality of their customer's nonpublic personal information, including SSNs, and establish stringent requirements for financial institutions concerning the use, transfer and protection of SSNs. In addition, more than 20 states have adopted statutes designed to protect the confidentiality of SSNs.
Further, state security breach notification laws in some 30 states provide additional incentives to protect SSNs. Moreover, this Committee and other Committees of Congress recently have passed express requirements that would protect the security of SSNs. In light of these current and proposed protections, the FSCC strongly believes that further legislative restrictions on the use and transfer of SSNs by financial institutions are unnecessary. Our statement also discusses the potentially negative impact of SSN restrictions on the legitimate use by financial institutions of public records. As the Subcommittee is aware, Congress adopted privacy protections as part of the GLBA. The GLBA subjects the financial services industry to a comprehensive privacy framework that requires the annual disclosure of a financial institution's privacy policies, allows customers to direct the institution not to share their "nonpublic personal information" with nonaffiliated third parties, contains significant prohibitions on the disclosure of detailed account information, and establishes regulatory standards to protect the security of "nonpublic personal information." Importantly, under the GLBA, SSNs are considered "nonpublic personal information," and thus are already subject to significant restrictions on the transfer of, and the ability of others to reuse, such information. Moreover, in 2003, Congress enacted additional legislation addressing concerns over identity theft, as part of its passage of the "Fair and Accurate Credit Transactions Act of 2003." These two Congressional initiatives go straight to the heart of Congressional concerns over identity theft and the efforts of financial institutions to combat this growing problem. In addition, the Committee on Energy and Commerce and other Committees of Congress recently have passed express requirements that would protect the security of SSNs. 
As a practical matter, we do not believe that the financial services industry is the subject of the concern that Congressional legislation would attempt to address. We use SSNs, as well as other personal financial information, to assist us in making sound credit decisions, underwriting applications for insurance coverage and performing other ordinary insurance business functions, combating fraud, rooting out identity theft, and uncovering financial support for terrorism. We do not make SSNs accessible to the general public. As a result, we believe that any legislation should be targeted at those entities at the heart of the problem, be they unregulated information brokers, those engaged in illegal pretext-calling, or the like.

Integral Role of Social Security Numbers in U.S. Commercial Activities

To assist the Subcommittee in its deliberations, it may be helpful to review the important role that SSNs play in U.S. commercial activities. As the Government Accountability Office (GAO) noted in a February 1999 report, the Social Security Administration created the SSN in 1935 as a means to maintain individual earnings records for the purposes of that program. But, Congress soon realized the tremendous value to society of a unique identifier that is common to nearly every American. As a result, it began to require federal government use of the SSN as a common unique identifier for a broad range of wholly unrelated purposes and programs. For example, "a number of federal laws and regulations require the use of the SSN as an individual's identifier to facilitate automated exchanges that help administrators enforce compliance with federal laws, determine eligibility for benefits, or both." These include federal laws applicable to tax reporting, food stamps, Medicaid, Supplemental Security Income, and Child Support Enforcement, among others.
Moreover, as the GAO acknowledged, it has repeatedly recommended in numerous reports that the federal government use SSNs as a unique identifier to reduce fraud and abuse in federal benefits programs.

Following the federal government's lead, American businesses complied with federal requirements to use SSNs as identifiers for federal laws unrelated to Social Security, such as income tax reporting. In doing so, they also realized the powerful consumer benefits to be derived from comparable business use of SSNs as a common unique identifier. Thus, businesses began to use SSNs in a manner similar to the federal government, e.g., to match records with other organizations to carry out data exchanges for such legitimate business purposes as transferring and locating assets, tracking patient care among multiple health care providers, and preventing fraud and identity theft. Many businesses also use SSNs as an efficient unique identifier for such internal activities as identifying income tax filers.

Similarly, the financial services industry has used the SSN for many decades for a broad range of responsible purposes that benefit consumers and the economy. For example, our nation's remarkably efficient credit reporting system--which has helped make America's affordable and accessible credit the envy of the world--relies fundamentally on the SSN as a common identifier to compile disparate information from many different sources into a single, reliable credit file for a given consumer. Indeed, the banking, insurance, and securities industries each use SSNs for a variety of important regulatory and business transactions. Set forth below is an illustrative sample of the many financial institution uses of SSNs:
To combat fraud and identity theft;
To accurately assess underwriting risk;
To assist in internal benefits tracking;
To identify and report money laundering and terrorist financing activities;
To comply with reporting requirements of federal and state tax and securities laws;
To transfer assets and accounts to third parties;
To comply with "deadbeat spouse" laws;
To verify appropriate Department of Motor Vehicle records when underwriting auto insurance;
To obtain medical information used in underwriting life, disability income, and long-term care insurance policies;
To locate missing beneficiaries to pay insurance proceeds;
To locate insurance policies for owners that have lost their policy numbers; and
To facilitate a multitude of administrative functions.

As noted in the GAO report discussed above, "the uniqueness and broad applicability of the SSN have made it the identifier of choice for government agencies and private businesses, both for compliance with federal requirements and for the agencies' and businesses' own purposes." As a result, the use of SSNs as common unique identifiers has become woven into the very fabric of both government and commercial transactions in this country, and has been so for decades.

In short, the federal government began the use of SSNs for unrelated identification purposes; it required businesses to do the same under certain federal laws; and its use served as an example for businesses, including financial institutions, for over half a century. These uses have produced tremendous efficiencies and benefits for all Americans. The FSCC strongly urges members of Congress to keep such legitimate uses and benefits in the forefront when considering proposals to restrict the use of SSNs.
Unintended Consequences of Broad Restrictions on the Use of Social Security Numbers

As a result of the widespread use of SSNs for legitimate purposes, the FSCC is concerned about the potential unintended consequences of any legislation that is intended to restrict SSN abuses. If legislation is not carefully targeted to avoid these unintended consequences, consumers and the smooth operation of the U.S. economy could be seriously harmed. The following provides some specific examples of such harm:

Potential Harm to Consumers. The use of SSNs allows financial institutions to provide a level of service to customers that would otherwise not be possible. By using these numbers to verify individual identities, credit bureaus and others can quickly provide financial institutions with accurate credit histories and verification information on people seeking credit, insurance, securities, and other financial products. In turn, a financial institution can act swiftly and efficiently on applications or requests related to these products. Use of SSNs also enables financial institutions to provide more seamless administrative service, including, for example, by allowing a life insurer to more easily verify the identity of an individual calling into a call center to change a beneficiary or premium mode or to make some other change to an insurance policy. The FSCC's concern is that a broad restriction on the sale or use of SSNs, however well-intended, could seriously impede the delivery of such important services by driving up processing costs and impairing decision-making.

Increased Risk of Fraud and Identity Theft. SSNs are critical for fraud detection. Banks, insurance companies, and securities firms rely on information available from both public and private sources--with embedded SSNs to ensure correct identification--to check for "inconsistencies" that may suggest the occurrence of fraud or identity theft.
The use of these numbers also helps financial institutions verify credit and other information necessary to make sound underwriting decisions that minimize losses. The sophisticated processes used for these purposes rely fundamentally on SSNs as the common unique identifier to assemble accurate and verifiable information for a given individual. That is, without a unique common identifier such as a SSN, we believe it would be easier, not harder, for an individual's identity to be stolen. Thus, to reiterate, we believe that Congress should exercise great caution in restricting the use of SSNs so as not to risk an increase in consumer fraud or identity theft - a result that would be squarely at odds with the intended purpose of such restrictions.

Market Disruption. A prohibition on the sale of SSNs could be construed to restrict such activities as the sale of assets among financial institutions. This is so because financial institution assets (e.g., mortgage servicing accounts, credit card accounts, and traditional bank accounts) often use SSNs as the basis for account identification. Also, SSNs are part of policy files that may be transferred by an insurer in connection with a merger or acquisition or as part of a reinsurance agreement. When it sells such an asset or transfers such files, a financial institution could be viewed as technically "selling" the embedded SSN as well. Thus, legislative efforts that "directly or indirectly" limit the transfer, sale, or purchase of SSNs could effectively preclude such plainly legitimate transactions. To address this problem, businesses would need to rework their internal systems completely to eliminate the reliance on such numbers - a massive and needless expense. Accordingly, we believe that any legislative proposal must be crafted to avoid such a significant, unintended consequence.

Money Laundering and Terrorist Financing.
Rules implementing section 326 of the USA PATRIOT Act require many financial institutions to obtain a taxpayer identification number, typically a SSN, before opening an account for the individual. The financial institution also must verify the identity of the individual. The verification process is facilitated by the use of SSNs. The section 326 requirement was adopted as part of comprehensive legislation to address terrorism following September 11, 2001. Any limitations on the use of SSNs would need to accommodate the section 326 information collection and verification processes.

Current Protections for Social Security Numbers

The FSCC believes there is no need to further restrict the use of SSNs by financial institutions in light of the strong SSN restrictions that apply to such institutions under the GLBA and other laws. The GLBA and its implementing regulations treat a financial institution customer's SSN as protected "nonpublic personal information." As a result, each financial institution is subject to an affirmative and continuing obligation to protect the security of its customers' SSNs, and each customer has the right to block a financial institution from selling or transferring his or her SSN to a nonaffiliated third party or the general public. There are exceptions to this general rule for legitimate transfers of SSNs, such as ones that are necessary: to carry out a transaction requested by the consumer; to protect against fraud; and to provide necessary identifying information to credit bureaus. However, even with respect to such legitimate transfers of SSNs, the consumer remains protected because the recipient of the number is prohibited by law from re-using or re-disclosing the number - it may do so only as necessary to carry out the purpose of the exception under which the number was received from the financial institution.
Further, the GLBA also requires financial institutions to establish appropriate safeguards to ensure the security of, and to protect against unauthorized access to or use of, SSNs. In addition, more than 20 states have adopted statutes designed to protect the confidentiality of SSNs. For example, several states have enacted laws that prohibit specified uses of SSNs, including, for example, prohibiting the public display of a SSN. In addition, several states have enacted laws that limit the use of SSNs by state departments and agencies. Further, 30 states have enacted security breach notification laws. These laws generally require a business to notify consumers when a security breach occurs involving sensitive personal information relating to those consumers, including SSNs. Moreover, the Committee on Energy and Commerce and other Committees of Congress recently have passed express requirements that would protect the security of SSNs. The existing and proposed federal and state protections for SSNs create strong incentives for financial institutions to protect the SSNs that they maintain. In light of these existing and proposed protections, and the corresponding incentives of financial institutions, the FSCC strongly believes that further legislative restrictions on the use and transfer of SSNs by financial institutions are unnecessary.

Concerns Over Restrictions On Access to Public Records

Finally, some concerns have also been expressed regarding the inappropriate use of SSNs available in the public record. The FSCC believes it is important to remember that a wide range of private sector enterprises - including banks, insurance companies, and securities firms - rely on these records to conduct a broad range of legitimate business activities.
For example, financial institutions use public records to:

Uncover fraud and identity theft;
Make sound credit and other financial product determinations;
Verify identities of the customer at the account opening phase;
Assist in internal security operations (e.g., employee background checks); and
Otherwise verify identities in order to conduct a broad range of business transactions.

Business reliance upon public records facilitates the efficient operation of the financial and credit markets, limits mistakes, and ensures that consumers receive prompt and lower-cost service. It also helps protect the customer from fraud. More specifically, to achieve the purposes described above, financial institutions directly use: public records involving liens on real estate; criminal records and fraud detection databases; and similar types of public records. Financial institutions also indirectly use these records for the same purposes by relying on databases developed by third parties that themselves rely on information from public records. Importantly, SSN identifiers are central to ensuring that the information included in these records matches the correct individual. This allows banks, for example, to verify the identity of a person so that a direction from a customer to transfer funds to a third party can be executed without mistake, as well as to check important credit-related characteristics of loan applicants (such as pending bankruptcies, tax liens, or other credit problems). Moreover, financial institutions employ sophisticated programs that cross-check public information against information supplied by an applicant in order to uncover fraud. For example, if the age information provided by an applicant posing as another individual were inconsistent with other information known about that individual from public records made available through SSN identification, a "red flag" would be raised, which would trigger further checking to uncover the identity theft.
Thus, overly-broad limits on access to public record information would compromise a financial institution's ability to make sound business decisions and to protect its customers. Such limits could also greatly slow the decision-making process of U.S. businesses, to the detriment of consumers and the economy. For example, if a SSN were stricken from a public record, it is possible that the ability to use that record for legitimate purposes would become impractical because of the expense involved in verifying the identity of the person covered by that record. The consequences could include delayed loan approvals, increased consumer costs for products and services, and limits on an institution's ability to discover identity theft on a timely basis. Even if public entities could still retain SSNs in their internal nonpublic files and financial institutions could obtain access to such files, the cost and delays in efficiently accessing such files would be significant. Ultimately, the cost efficiencies and speed of delivery inherent in our current market system would be compromised. The effect could be the same as denying financial institutions access to such records.

Conclusion

The benefits to society from the legitimate and responsible use of SSNs are real and substantial. As a result, the FSCC believes that policymakers should look carefully at the unintended consequences that could occur with any proposal that would restrict the use of these numbers. And, because of the existing restrictions on financial institution disclosure of SSNs, including the GLBA, we believe that no new SSN restrictions are required for the financial services industry.

MR. STEARNS. Ms. McDonald. Pull the mic up, and just turn it on, if you could.

MS. MCDONALD. Good afternoon, Mr. Chairman, and thank you for the opportunity to appear before your subcommittee as it reconciles the beneficial uses of SSNs with threats to privacy.
My name is Susan McDonald, and I am the President of Pension Benefit Information, otherwise known as PBI. For over 26 years PBI has provided research services to the pension industry. We assist sponsors of pension plans in fulfilling their fiduciary responsibility to manage their plans under the Employee Retirement Income Security Act of 1974, ERISA. PBI also supports pension plans in maintaining their qualified status. IRS regulations require minimum distributions to plan participants or their beneficiaries for that purpose. Our services allow plan sponsors to ensure benefits get distributed to eligible participants. Our clients would be severely impacted by an enactment of legislation that would restrict PBI from purchasing SSNs for the purposes of matching and retrieval. Such legislative restrictions would have serious consequences on millions of Americans that have earned benefits from their years of employment. Our clients typically come to us after they have performed a mailing, and it has come back undeliverable. We serve over 9,000 plan sponsors in every industry segment. One of the greatest challenges for pension administrators is staying in contact with terminated vested participants. These participants are entitled to benefits, but are no longer employed by the company. They often forget to keep their address up to date and typically don't think about their benefits until they are nearing retirement age. By that time it can be hard to track down their pension, especially if the company has been sold or closed up shop decades ago. A recent Boston Globe article outlined a widow's 6 year journey to track down her deceased husband's benefits. Most would have simply given up. Although it is hard to comprehend, every week PBI locates participants who had no idea they were entitled to benefits. PBI retrieves our address information for participants based on their SSN.
Maintaining accurate pension records is certainly a challenge since they have to maintain for so many decades, from the time a participant starts employment until their beneficiary dies. A lot can happen to lose contact with participants over that time. The companies we serve have migrated from 3-by-5 cards to keypunch cards and now to multiple system conversions. Records can and do get corrupted. Clients come to PBI because they are missing Social Security numbers or dates of birth for participants, or they have a beneficiary with no SSN. PBI is currently able to perform research to identify a SSN so that a search for a participant can be made. The challenge of locating a female participant that could have changed her last name several times due to marriage or divorce would become nearly impossible if it were unable to utilize an SSN for research purposes. To date we have located over 900,000 lost participants with their retirement benefits. We support greater security and restriction for companies that are given access to information containing SSNs. Simply faxing a business license and checking a box to indicate a search for beneficial interests should not be deemed sufficient. This has been clearly demonstrated by several security breaches involving bogus accounts. As a consumer, this keeps me up at night. PBI's primary data source for locate services is one of the three credit reporting agencies. We have established a long-term relationship with them, meet on a regular basis, and they understand the services we provide and our customer base. My desire in this testimony is to set forth the positive use of SSNs. We believe that our business is a prime example of how the use of SSNs yields socially beneficial results. Many of the people we help are older Americans who desperately need their pension benefits no matter how small or large. With so many people changing jobs today, the task of locating former employees is becoming extremely difficult. 
They also change jobs. After they have changed their jobs, there are other issues associated with locating them as well. If we were not able to use the SSN, someone leaving out the middle initial or going by Bill versus William on employment documents would make it extremely difficult to locate them. We currently locate 80 to 90 percent of the participants we look for using a SSN. If PBI is unable to utilize an SSN to research and retrieve addresses, our locate business would be in jeopardy. We search for participants nationwide and believe our results would be less than 8 percent if we could only use a participant's name. The chances of us ever finding the correct John Smith who worked for a particular employer would be nonexistent. Our current process provides a cost-effective and efficient way to reunite former workers with their benefits. I doubt PBI could continue to provide our valuable service with diminished results and increased cost to validate we have located the right person. We serve the Fortune 500, labor unions, government agencies, and third-party administrators across the country. We are required for the financial sector to complete 50-plus-page questionnaires and have the appropriate policies and procedures regarding data security, and we feel that that should be something that other companies have to provide in order to get access to the data. I have highlighted some of the participants that we have found, and many of these were unable to find their benefits on their own, females that have changed their names. There are a lot of beneficial reasons that we perform our services, and feel that if we were unable to do the searches based upon that information, we would not be able to serve the constituents that you probably really want to serve at this point. Thank you.

MR. STEARNS. Thank you.

[The prepared statement of Susan McDonald follows:]

PREPARED STATEMENT OF SUSAN MCDONALD, PRESIDENT, PENSION BENEFIT INFORMATION

Good afternoon Mr.
Chairman and thank you for the opportunity to appear before your Subcommittee as it reconciles the beneficial uses of Social Security Numbers (SSNs) with threats to privacy. My name is Susan McDonald, and I am the President of Pension Benefit Information, otherwise known as PBI. For over 26 years PBI has provided research services to the pension industry. We assist sponsors of pension plans in fulfilling their fiduciary responsibility to manage their plans under the Employee Retirement Income Security Act of 1974, ERISA. PBI also supports pension plans in maintaining their qualified status. IRS regulations require minimum distributions to plan participants, and PBI locates participants, or their beneficiaries, for that purpose. Our services allow plan sponsors to ensure pension benefits are distributed to eligible participants or their beneficiaries. Our clients would be severely impacted by the enactment of legislation that would restrict PBI from purchasing SSNs for the purposes of matching and retrieval. Such legislative restrictions would have serious consequences for millions of Americans who have earned benefits from their years of employment. Clients typically come to PBI after they have performed an ERISA mandated mailing, and communications come back undeliverable. PBI serves over 9,000 plan sponsors in every industry segment. One of the greatest challenges for pension administrators is staying in contact with terminated vested participants. These participants are entitled to benefits, but are no longer employed by the company. They often forget to keep their address up to date, and typically don't think about their benefits until they're nearing retirement age. By that time it can be hard to track down their pension, especially if the company has been sold or closed up shop decades ago. A recent Boston Globe article outlined a widow's 6 year journey to track down her deceased husband's benefits; most would have simply given up.
Although it's difficult to comprehend, every week PBI locates participants who had no idea they were entitled to benefits. PBI retrieves address information for participants based upon their SSN. Maintaining accurate pension records is a challenge, since these records must be maintained for several decades. From the time a participant starts employment, until their beneficiary dies. A lot can happen to lose contact with participants over that time span. Companies have migrated from 3-by-5 cards, to keypunch cards, and now through multiple system conversions. Records can, and do get corrupted. Clients come to PBI because they are missing Social Security Numbers or Dates of Birth for participants. Or, they have the name of a beneficiary with no SSN. PBI is currently able to perform research to identify a SSN so that a search for a lost participant or beneficiary can take place. The challenge of locating a female participant, that could have changed their last name multiple times due to marriage or divorce, would become nearly impossible if we were unable to utilize a SSN for research purposes. PBI's address location service is designed to meet the requirements of the Pension Benefit Guaranty Corporation (PBGC) to perform a "diligent" search. The PBGC protects the retirement incomes for companies that have terminated their pension plans. The PBGC provides specific guidelines to administrators of terminating plans with regards to lost participants. Under the law, a search is considered diligent if it includes use of a commercial location service to search for the missing participants (29 CFR 4050.4). PBI performs this valuable service, and ERISA attorneys provide many of our referrals. To date, PBI has reunited over 900,000 lost participants with their retirement benefits. We don't simply provide an address retrieved from a database. We communicate an important message to lost participants, and the lost participant confirms their address to PBI. 
Clients look to PBI to perform our diligent search process, since many of them are ill equipped to manage returned mail. Our clients also want to demonstrate they've been prudent in fulfilling their responsibilities to participants. PBI supports greater scrutiny and restrictions for companies that are given access to information containing SSNs. Simply faxing a business license and checking a box to indicate a search is for beneficial interest should not be deemed sufficient. This has been clearly demonstrated by several security breaches involving bogus accounts. As a consumer, this keeps me up at night! PBI's primary data source for locate services is one of the three credit reporting agencies. We've established a long term relationship with them, meet on a regular basis, and they understand the services we provide and our customer base. Due to the increase in data security breaches, along with the sophisticated phishing scams, consumers are fearful of disclosing any information. What used to be the simple confirmation of a correct address has raised concerns with lost participants. As a result, PBI's costs have sky-rocketed to provide our locate service. My desire in this testimony is to set forth the positive uses of SSNs. We believe that our business is a prime example of how the use of SSNs yields socially beneficial results. Many of the people we help are older Americans, who desperately need their pension benefits, no matter how small or large. With so many people changing jobs today, the task of locating former employees is becoming increasingly difficult. Americans move on average every five years, particularly when they change jobs. They also often change their names with marriage or list slightly different names (i.e., leave out a middle initial or use Bill versus William) on employment documents. If PBI was unable to utilize a SSN for retrieval purposes our results would plummet. We currently locate 80-90+% using a participant's SSN. 
If PBI is unable to utilize a SSN to research and retrieve addresses our locate business will be in jeopardy. We search for participants nationwide, and believe our results would be less than 8% if we could only use a participant's name. The chances of us ever finding the correct "John Smith", who worked for a particular employer, would be non-existent. Our current process provides a cost-effective and efficient way to reunite former workers with their benefits. I doubt PBI could continue to provide our valuable service with diminished results and increased costs to validate we've located the "right" person. PBI serves the Fortune 500, labor unions, government agencies and third party administrators throughout the country. We also work with many of the largest financial and insurance companies. Our clients, especially those in the financial sector, demand that PBI have policies and procedures in place to protect confidential information. It's a pre-requisite for doing business with them. We are required to answer 50+ page questionnaires regarding data security, and provide documentation on our policies and procedures. Similarly, PBI requires clients to provide written authorization before we start a locate project. We only search for participants that are entitled to benefits. On occasion a client will come to us because they unintentionally overpaid a participant. We refer them to other services in those instances, since it violates our policy of "beneficial interest". Our locate service is used for a variety of reasons. These include uncashed/stale dated checks, returned 1099 statements, notice of plan changes, eligibility to commence benefits, due a distribution, terminating plans, Summary Annual Reports, etc. One of the most recurring corporate events that contribute to lost participants is mergers and acquisitions ("M & A"). When an M & A activity takes place the pension assets usually move to the new company. 
This company is often in a new city, with a new corporate name. Individuals lose track of these occurrences and, thus, have obvious difficulties tracking down their vested benefits. As an example, PBI successfully located thousands of participants for a division of Westinghouse. This division of Westinghouse was acquired by CBS, and then CBS was acquired by Viacom. Now Viacom is in the process of splitting into two separate companies. How will participants know where to find their benefits in these types of situations? Sometimes we locate individuals whose lives are changed dramatically by our use of SSN searches. For example, we recently located a disabled woman who worked decades ago for a grocery store that's no longer in business. She had been trying to track down her benefits for years, and was unsuccessful. PBI located her, and she was so happy to be found that she sent us a letter and included a check for $20.00! We promptly returned her check, but this shows just how valuable a lost participant deems our service. In her letter to PBI she said "I have been married and divorced twice since then and have taken back my birth name." The chances of PBI locating her without an SSN are remote, just as her ability to locate her hard earned benefits on her own was. Similarly, we were able to locate a 67 year old man who worked for a metal plating company for 25 years. He paid union dues and knew he was entitled to an annuity at retirement age. The company he worked for went bankrupt 16 years ago, and he was unable to locate his benefits. After he applied to the Social Security Administration at age 65, the SSA sent him a letter notifying him he was eligible for an annuity. An address was provided for him, and he thought his lost pension had been found. Wrong, when he arrived at the address provided no one was aware of his pension benefits. The only advice given to him was to hire an attorney.
With a pending move to Texas, combined with fear over the fees involved in hiring an attorney, he gave up on ever finding his benefits. PBI located him on March 20th of this year, and he just received confirmation of his monthly annuity. Needless to say, he's ecstatic to be reunited with his benefits. Last fall we assisted Shell Oil Company in locating several hundred employees that were unaccounted for due to Hurricanes Katrina and Rita. Shell discovered that many employees did not have emergency contact information on file, or if they did, they were in the same area impacted by poor telephone communications. We promptly went to work and provided them with valuable information to reach out to employees' relatives. Our contact at Shell was thrilled to notify PBI that all of Shell's employees were located and found safe. PBI provided valuable assistance to Shell under chaotic circumstances. Their employees were delighted to obtain housing assistance from their employer in their time of need. As the above examples underscore, the ability to use SSNs for matching purposes in commercial databases is critical to our efforts to reunite former employees with their benefits. Without the ability to use an SSN, a slight misspelling in a name, the presence or absence of a middle initial, and a less distinctive name can drastically reduce a plan's ability to locate pension fund beneficiaries. I'm urging you to carefully consider the beneficial reasons for having access to SSNs and request that provisions be put in place that allow exceptions for qualified businesses such as ours. The Department of Labor (DOL) just finalized regulations for dealing with "orphaned" plans, or plans which have been abandoned by their sponsors. The regulations rely on a Qualified Termination Administrator to notify participants and distribute benefits. I can't imagine how this function will be performed for participants that have moved since their previous employment with a defunct company.
In addition, terminating defined contribution plans, not insured by the PBGC, are required to distribute all funds by law. Plans are required to demonstrate their due diligence in attempting to locate participants, and PBI fulfills that purpose. If participants are not located the plan will need to take out an Individual Retirement Account (IRA) or annuity. Or, they can escheat the funds to the state's unclaimed property fund of the participant's last known address. I'm convinced the chances of a participant ever finding their account balances under these circumstances are slim to none. I believe these participants would be thrilled to be reunited with their account balances through our service. Thank you, Mr. Chairman and Members of the Subcommittee, for the opportunity to express the views of Pension Benefit Information. I welcome the opportunity to provide additional information to you regarding this troublesome issue. My sincere desire is that future legislation will best serve and protect constituents while preserving privacy at the same time. Legitimate business to business relationships must be preserved so that plan sponsors can fulfill their responsibilities under ERISA. Since PBI provides call center support to lost participants, I can tell you with confidence how grateful they are to be reunited with their benefits. I look forward to an opportunity to work with your committee to ensure the positive uses of Social Security Numbers continue to be protected.

MR. STEARNS. Ms. Steinfeld.

MS. STEINFELD. Good afternoon, Mr. Chairman. And thank you for the opportunity to speak before you about Social Security numbers and commerce, reconciling beneficial uses with threats to privacy. My name is Lauren Steinfeld. I have worked on privacy generally at the Federal Trade Commission, on SSN legislation in my time at OMB, and I now work for the University of Pennsylvania as its Chief Privacy Officer.
I'm testifying today on my own individual capacity and not on behalf of the University of Pennsylvania. In my written testimony I discussed the risks and benefits of using SSNs, the positive direction of H.R. 1078 introduced by Representative Markey, and H.R. 1745 introduced by Representative Shaw, and I introduced certain comments on specific provisions in the bill. Today I will discuss what I believe are the most important points. First and foremost, in my view, it is entirely appropriate to ban the uncontrolled sale and purchase of Social Security numbers. SSNs can be and are used by thieves to take out credit, to apply for insurance, and even to defraud the tax system. The abuse of Social Security numbers causes considerable harm to individual victims, to merchants who are not paid, and, ultimately, to honest consumers who bear the cost by paying more for credit. It is difficult for us to say that we, as a society, are sincerely working to curb the rising incidence of identity theft when Social Security numbers are lawfully for sale to anybody with an Internet connection. Second, it is not appropriate to ban all sales and purchases of Social Security numbers. SSNs are the closest thing we have to a national identifier, and by helping to link the different sources, SSNs are often the key, when properly used, to many important commercial activities, to public health interventions, to medical research, to finding missing children, to locating fugitives from justice, and other law enforcement and national security imperatives. The proper way to balance the risks and benefits of using Social Security numbers is to utilize the rulemaking process to allow for detailed analysis and careful crafting of exceptions based on public comment and agency expertise. H.R. 1078 and H.R. 1745 each include rulemaking provisions, but they differ in their assignment of rulemaking authority. The former gives it to the FTC and the latter to the Attorney General. 
I believe the rulemaking authority should go to the FTC for three reasons. One, the FTC, through its dedicated ID theft program, is well versed on the causes of identity theft and is in a solid position to address the privacy risks and overexposing SSNs. Two, the FTC has a deep understanding of the competing interests to SSN restriction through its long history of working with the data broker industry. Finally, the FTC, through its experience in promulgating the Safeguards Rule under the Gramm-Leach-Bliley Act, has now developed more technical expertise to better evaluate the burdens and benefits of securing the sensitive SSN. Now I would like to focus on some provisions that appear in H.R. 1745. Several of them go far towards protecting privacy and involve very few trade-offs. These are the provisions restricting the display of SSNs on government checks and restricting the display of SSNs on employee ID cards from the Government and private sector. H.R. 1745 also contains worthwhile reasonable measures to protect provisions that can offer strong advantages similar to those coming from the Gramm-Leach-Bliley rule. I would like to raise the following point about Section 109. That section makes it unlawful to refuse to do business with an individual because that individual will not provide a Social Security number, and that provision is to be effective within 180 days. The provision could be problematic for some industries in this time frame, particularly health care where the SSNs may very well be the key to linking medical data for treatment purposes, coordination of benefits, and performing critical medical research. In conclusion, there is ample room for optimism for greatly reducing risks that arise from the overavailability of Social Security numbers, and this is a critical effort and will remain so for as long as we have credit processes that allow for the extension of credit based on name, address, and Social Security number alone. 
In the last several years, we have learned a great deal about workable models for protecting privacy, about compromising important other priorities. I applaud the authors of H.R. 1078 and H.R. 1745 for creating another good example of this in the important area of protecting SSNs. I thank you for the opportunity to appear before you and welcome any questions you may have. MR. STEARNS. Okay. Thank you. [The prepared statement of Lauren B. Steinfeld follows:] PREPARED STATEMENT OF LAUREN STEINFELD, FORMER ASSOCIATE CHIEF COUNSELOR, OFFICE OF MANAGEMENT AND BUDGET Good morning and thank you for the opportunity to speak before you today about Social Security Numbers in Commerce - Reconciling Beneficial Uses with Threats to Privacy. I am delighted to share some views on an issue about which I have thought for some time. In today's testimony, I will describe some examples of the risks and benefits of using SSNs. I will also share my view that the two bills being considered by this Committee, H.R. 1078 and H.R. 1745, go far towards advancing privacy protection while also addressing important commercial, health, and safety concerns. Finally, I will offer some views on particular provisions in the bills. My background on privacy issues is as follows. I began working at the Federal Trade Commission in 1995 where I was a staff attorney in the Division of Financial Practices and then in 1998 served as Attorney Advisor to Commissioner Mozelle Thompson. The following year, I became Associate Chief Counselor for Privacy, working for Peter Swire, the Chief Counselor for Privacy, at the Office of Management and Budget. In this role, I worked on a wide variety of privacy issues, two of which are especially relevant to this discussion: First, I served as the lead staff person to help develop proposed legislation regarding Social Security number protection - the Social Security Number Protection Act of 2000 was introduced by Representative Markey as H.R. 
4611 and Senator Feinstein as S. 2699. Second, I was the coordinator within OMB for the report issued by OMB, the Department of Treasury and the Department of Justice entitled "Financial Privacy in Bankruptcy: A Case Study on Privacy in Public and Judicial Records." Currently, I serve as Chief Privacy Officer for the University of Pennsylvania where I coordinate programs on a number of fronts to reduce SSN-related risks. In today's testimony, I am presenting my own views based on my experiences and not the views of the University of Pennsylvania, nor the views of the Clinton or Bush Administrations from my time at OMB. The Risks and Benefits of SSNs We, as a society, are struggling to get our arms around how to manage a small piece of data that can raise big problems and provide big benefits - that is, the Social Security number. The most common problem the SSN creates is that it can be used, indeed abused, by thieves, in combination with often other publicly available data, to commit identity theft. Often identity theft occurs in the following way: the thief starts by obtaining a limited amount of information about someone else and uses it to obtain credit, for example by opening a credit card account or cell phone account, in the victim's name. The thief then runs up charges on the account and fails to pay those charges. The victim's credit reports will show significant delinquencies that interfere with the victim's ability to obtain a loan, a mortgage, insurance, even a job. In addition to damage to identity theft victims, identity theft also costs credit providers who are not paid amounts based on fraudulent charges. These costs are eventually largely borne by honest users of credit who pay more. Another example of identity theft comes in the context of tax filings. A thief may use a legitimate taxpayer's personal information to file a fraudulent tax return designed to provide a refund. 
Those thieves may then go on to take out "refund anticipation loans," based on the amount they have "allowed themselves" in their filing. A recent New York Times article, based on an interview with an IRS official, reported that there were 8,000 instances in one year of information of legitimate taxpayers being used by imposters to try to defraud the tax system. Identity theft is now the fastest growing crime in America, because of the ease with which it can be committed. It is so easy because the very limited information required to open accounts is easily available. While name and address and even date of birth are often presumed to be public, it is the Social Security number that is intended to be the one key piece of private data that lets, for example, creditors know they are in fact extending credit to the person whom the applicant claims to be. When that Social Security number is not in fact private, a key foundation for the integrity of the credit granting system is compromised. I have heard anecdotally from a law enforcement officer that in the past, the conversation in prison yards centered on bank robbery. Now, the "buzz" is that bank robbery is too difficult; identity theft is the way to go. It is tempting as a society to declare then that Social Security numbers should be banned except for purposes of administering the Social Security system and for tax-related purposes. But to shut down the use of Social Security numbers poses different, but also highly significant, problems. Social Security numbers are the closest thing we have to a national identifier and, by helping to link different data sources, they are often the key to advancing national priorities. They facilitate important commercial activities, including the granting of loans, insurance and employment through the credit reporting system that - when working ideally - allows industry to judge an applicant according to information about that applicant. 
They help us gather critical public health data for investigations and sometimes life-saving interventions. They enable vital health-related research on individuals over time and over different health care settings. Social Security numbers help us locate missing children and fugitives from justice and generally provide crucial data for law enforcement and national security purposes. Crafting Legislation With the risks and the benefits of Social Security numbers largely understood, the challenge in crafting legislation is how best to tackle the privacy concerns, without creating the unintended consequences of hindering fraud detection, law enforcement, national security, research, and other significant priorities. In my personal opinion, the two bills being considered by the Committee strike the balance quite well in many respects. Banning the Uncontrolled Sale and Purchase of SSNs First and foremost, the bills would outlaw the uncontrolled sale and purchase of Social Security numbers. Today, it is lawful to create a website and offer SSNs for sale - regardless of who is asking and regardless of the purpose. In fact, one website I found advertises "Locate a Social Security number -- Supply a name & address or previous address, we will supply a social security number!" Another site says, "The Internet is the largest information base in the world, and we have uncovered thousands of resources that will have you simply amazed ... and all of this is 100% legal." When working on SSN-related initiatives at the University of Pennsylvania, I have heard people remark that while we are spending great amounts of money, time, and effort to remove SSNs from our systems and documents, and to convert to what we call a "PennID," it is frustrating to know that the SSNs we are protecting are literally "for sale" by others on the Internet. 
Legislation banning the uncontrolled sale or purchase of SSNs can help send a strong signal to organizations working to protect SSNs that their efforts are even that much more worthwhile. As I stated above, the bills would outlaw the uncontrolled sale and purchase - but not all sales and purchases. That is appropriate to accommodate the critical beneficial uses of SSNs described above. Both H.R. 1078 and H.R. 1745 set out largely similar exceptions to the restrictions on the sale and purchase of SSNs. They allow, for example, SSNs to be sold or purchased for law enforcement or national security purposes, for public health purposes, for emergency situations, to the extent necessary for research, and pursuant to consent - and each bill allows for further development of the exceptions in a subsequent rulemaking. Differences in Approach to Rulemaking A key difference in the bills lies in how that rulemaking will be conducted. H.R. 1078 gives the Federal Trade Commission authority to promulgate rules within one year regarding unfair or deceptive acts or practices in connection with the sale and purchase of SSNs - all in consultation with the Commissioner of Social Security, the Attorney General, and other agencies as the Commission deems appropriate. H.R. 1745 gives the rulemaking authority to the Attorney General, in consultation with the Commissioner of Social Security, the Secretary of Health and Human Services, the Secretary of Homeland Security, the Secretary of the Treasury, the Federal Trade Commission, the Federal banking agencies, and National Credit Union Administration, the Securities and Exchange Commission, State attorneys general, and certain State insurance commissioners. 
In my opinion, the Federal Trade Commission should be given the primary authority to issue regulations in this area for the following reasons: The FTC has significant expertise in understanding identity theft through the program it administers under the Identity Theft Assumption and Deterrence Act of 1998. In particular, the FTC is well versed on the causes of identity theft and is in a solid position to address the privacy risks in overexposing SSNs. FTC also has a deep understanding of the competing interests to SSN restriction through its work with the data broker industry, first in helping to develop the industry self-regulatory program in the late 1990s and more recently in the aftermath of the Choicepoint breach. Finally, the FTC, through its experience in promulgating the Safeguards Rule under the Gramm-Leach-Bliley Act, is aware of the important difference between "reasonable safeguards" and "perfect security." As a result, the FTC has now developed more technical expertise to evaluate burdens and benefits in securing the sensitive SSN. While I believe the FTC expertise should be leveraged to the fullest advantage, I also believe that consultation with the agencies named in H.R. 1745 would provide additional controls to ensure that the many considerations of beneficial and risky uses are addressed. As far as what the rulemaking should cover, I recommend that the bills contain an additional provision - the rulemaking agency should address the issue of verifying the identity and authority of requesters seeking SSNs under one of the enumerated exceptions. We have seen in the Choicepoint breach that a critical control to protecting privacy is adopting robust procedures to check the credentials of callers and writers claiming to be legitimate and to be using data for legitimate purposes. 
Today, certain websites are willing to furnish sensitive data such as Social Security number on the mere "I agree" click that I have a permissible purpose under the Fair Credit Reporting Act. It is worth considering the burdens and benefits of different verification approaches to provide reasonable assurances that requests truly are legitimate. Adding requirements in this area is important to realize the goals of the bills overall. Additional Regulation in H.R. 1745 Another key difference between H.R. 1078 and H.R. 1745 is that the latter goes beyond restricting the sale and purchase of SSNs. H.R. 1745 reaches into many additional areas that are well worth acting upon and for the most part do not raise the same types of tradeoffs. The provisions dealing with public display of SSNs are especially valuable. H.R. 1745 places special provisions on governmental agencies and prohibits them from displaying SSNs on checks issued for payment. For the public and private sector, the bill also prohibits placing SSNs on employee identification cards or tags. H.R. 1745 also prohibits inmate access to SSNs. These measures are entirely appropriate as a risk benefit matter, though one must recognize that even seemingly simple process changes, when applied so broadly, can take significant time and resources. I encourage the Committee to confirm the appropriate timeframe for instituting these measures. H.R. 1745 also includes a requirement that both the public and the private sector adopt "measures to preclude the unauthorized disclosure of Social Security numbers." The spirit of this provision seems very well aligned with the Safeguards Rule of the Gramm-Leach-Bliley Act. I encourage aligning the language of the bill more closely with the GLB Safeguards Rule and, again, vesting rulemaking authority with the Federal Trade Commission to help achieve that consistency. One final point on H.R. 
1745 concerns Section 109 - making it unlawful to refuse to do business with an individual because the individual will not provide a Social Security number - that provision being effective within 180 days. I suspect that this provision could be very problematic for some industries in this time frame, particularly health care, where the SSN may very well be the key to linking medical data for treatment purposes, coordinating benefits, and performing critical medical research. I encourage the Committee to review this provision and the timeframe more closely and to reach out to affected industries, before passing legislation. Alternatively, the impact of this provision could be researched and the language refined in a rulemaking as well. Conclusion There is ample room for optimism in greatly reducing risks arising from the overavailability of Social Security numbers. This is a critical effort and will remain so for as long as we have credit processes that allow for the extension of credit based on name, address, and Social Security number alone. In the last several years, we have learned a great deal about workable models for protecting privacy without compromising important other priorities. For example, I described above the work of OMB, the Department of Treasury and the Department of Justice on "Financial Privacy in Bankruptcy: A Case Study on Privacy In Public and Judicial Records." That report recommended what I believe to be a balanced model in which full bankruptcy case files are available to "real parties in interest," to enable them to protect their rights, while the general public would be restricted from certain sensitive data, like Social Security numbers and bank account numbers, that are not necessary for the public to know in the name of accountability of the bankruptcy system. 
In this example, combined with many others, we have learned that privacy and accountability - or commerce or national security as the case may be -- may be spoken in the same sentence and often do one another a service. When stakeholders from all vantage points work in earnest on crafting a better data confidentiality model - all are better off. My optimism is confirmed by the authors of the two bills before the Committee who recognize that the time has come for a consensus to prohibit the uncontrolled sale and purchase of the highly sensitive Social Security number. I am pleased that the authors are finding ways to take important steps to protect privacy while also protecting other critical goals. I thank you for the opportunity to appear before you and welcome any questions you may have. MR. STEARNS. Mr. Lively. MR. LIVELY. Thank you, Mr. Chairman. Good afternoon. My name is Randy Lively. I am the president and CEO of the American Financial Services Association here in Washington. AFSA's 300-member companies include consumer and commercial finance companies, captive auto finance companies, credit card issuers, mortgage lenders, and other financial service firms that lend to consumers and small businesses. I am pleased to be here today to discuss the importance of the Social Security number for our member companies. While Social Security numbers are not the sole identifier used by the financial services companies, they are critically important to our industry for a couple of reasons. First, they provide a unique means of identity verification, and second, they are an essential component of the industry's system to detect fraud. The Social Security number itself acts as an identity verification. It provides a unique identifier that accompanies most consumers throughout their lifetime. 
This number remains consistent in a world where people's names and addresses are changing constantly, whether for marriage, divorce, or, in the case of people moving from State to State, the reissuance of driver's licenses. Financial services companies use Social Security numbers to help ensure the accurate association of financial accounts, credit reports, public records, medical records, and other relationships or services to a consumer. A company typically uses the Social Security number or subsets of the number internally to track a customer's relationship with that company across multiple accounts and for other legitimate reasons. For a financial services company, a Social Security number plays a pivotal role in identity determination. In particular, it allows companies to establish and verify the identity of people with whom the institution conducts business. With millions of John Smiths in America, a financial services company needs a way to determine which John Smith is its customer. It does this with the help of a unique identifier common to all Americans, the Social Security number. Importantly, financial services companies realize that the ability to successfully verify John Smith's Social Security number is not the same as successfully determining his identity. To do this, a company uses a driver's license, passport, or another government-issued identification document with a picture, signature, expiration date, security features, and a physical description and so forth. It is worth noting that the Social Security number has not been used solely for identity verification due to the lack of a highly secure Social Security number card with a tamper-proof signature, picture, and expiration date. The Social Security number card contains few security features, thus making it easy to counterfeit. The Social Security number is only a tool, albeit an invaluable one, in the process of determining the identity of an individual. 
It is clear, however, that verification is a key tool for achieving positive identity determination. The issue of fraud, according to the Federal Trade Commission, identity theft robs the Nation of more than $50 billion annually. Consumer losses account for about $5 billion of that, and of the total, the business community absorbs the remaining $45 billion. The availability of the Social Security number both in the financial services companies' database and in public records is essential for law enforcement officials during a criminal investigation. The number provides the most reliable method to identify and associate perpetrators to their public records which often provide details needed to solve the crime. What is more, the Social Security number is critical in verifying a potential employee's background and allows for the ongoing monitoring of employees in high-risk positions. Without the use of a Social Security number, financial services companies would find it very difficult to adhere to a know-your-employee standard. To keep the trust of valued customers, AFSA companies take every precaution to protect their customers' Social Security numbers and other personal financial information. This includes ongoing employee training in the handling of sensitive personal information. It also includes close scrutiny of the practices of third-party vendors who store or dispose of data which may contain personal financial information. The industry has worked hard to put mechanisms in place to ensure security breaches are rare. Just as this is important to law enforcement and legislators, it is also critical to the financial services industry so it has customers who are safe, content, and desirous to do business with its companies. In conclusion, as we explore ways to protect consumers' privacy, we should take care to thoroughly evaluate any proposed restrictions on the use, sale and purchase of Social Security numbers to ensure that unintended consequences do not occur. 
Thank you, Mr. Chairman. MR. STEARNS. Thank you. [The prepared statement of H. Randy Lively, Jr., follows:] PREPARED STATEMENT OF H. RANDY LIVELY, JR., PRESIDENT AND CEO, AMERICAN FINANCIAL SERVICES ASSOCIATION Mr. Chairman, my name is Randy Lively and I am the President and CEO of the American Financial Services Association located here in Washington, DC. AFSA's 300 member companies include consumer and commercial finance companies, "captive" auto finance companies, credit card issuers, mortgage lenders and other financial service firms that lend to consumers and small businesses. This year, AFSA is celebrating its 90th birthday as the nation's premiere consumer and commercial credit association. I am pleased to testify here today on the importance of the Social Security Number for our member companies in the auto finance, mortgage finance, credit card and personal loan lines of business. While Social Security Numbers are not the sole identifier used by financial services companies, they are critically important to our industry for a couple of reasons. First, they provide a unique means of identity verification. And second, they are an essential component for the credit industry's systems designed to detect and prevent fraud. Let's look at these one at a time. I. Social Security Numbers - A Unique Means of Identification The Social Security Number provides a unique identifier that accompanies most consumers from cradle to grave. This number remains a constant in a world where people's names and addresses are constantly changing -- whether from marriage, divorce, addresses, or driver's license re-issuance as consumers move from one state to another. Financial services companies use Social Security Numbers to help ensure the accurate association of financial accounts, credit reports, public records, medical records and a host of other critical relationships and services to a consumer. 
A company typically uses the Social Security Number (or subsets of the number) internally to track a customer's relationship with that company across multiple accounts and for other legitimate internal reasons. For a financial services company, a Social Security Number plays a pivotal role in identity determination. In particular, it allows companies to establish and verify the identity of unique persons with whom the institution, and others, conduct business. With millions of John Smiths in America, the identity determinate of which John Smith with whom a finance company is dealing is made by the single unique identifier common to all Americans, his Social Security number. Importantly, financial services companies realize that the ability to successfully verify John Smith's Social Security Number is not the same as successfully determining his identity. A company must do this by using a driver's license, passport or another government-issued identification document containing a picture, signature, expiration date, security features, a physical description, etc. It's worth noting that Social Security Numbers have not been used solely for identity verification due to the lack of a highly secure Social Security Number card, tamper-proof signature, picture and expiration. The Social Security Number card contains few security features, making it easy to counterfeit thus reducing or eliminating any value in its sole use for identity verification. The Social Security Number is thus only a tool, albeit an invaluable one, in the process of determining the identity of an individual. It is clear, however, that verification is a key tool for achieving positive identity determination. II. Social Security Numbers - An Essential Component of the Industry's Ability to Detect Fraud According to the Federal Trade Commission, identity theft robs the nation of more than $50 billion annually. 
Consumer losses account for about $5 billion of the total and business absorbs the remaining $45 billion. The availability of the Social Security Number both in the financial services company's database and in public records is essential for law enforcement officials during a criminal investigation. This number is the most reliable method of identification, correlation and association of the perpetrators to their public records, which often provide critical details imperative to solving the crime and locating the suspect(s). The loss of this valuable tool would jeopardize the effective investigation of financial crimes. What's more, the Social Security Number is critical in verifying a potential employee's background and allows for the ongoing monitoring of employees in high-risk positions. Without the use of a Social Security Number, financial services companies would find it very difficult to adhere to a "know your employee" standard. To earn and keep the trust of valued customers, AFSA companies take every precaution to protect their customers' Social Security Numbers and other personal financial information. This includes on-going training for employees in the handling of sensitive personal information. It also includes close scrutiny of the practices of third-party vendors who store or dispose of data which may contain personal financial information. The industry has worked hard to put mechanisms in place to ensure security breaches are rare. Just as this is important to law enforcement and legislators, it is also critical to the financial services industry, so we have customers who are safe, content and desirous to do business with our companies. Conclusion: AFSA member companies share this committee's goal of wanting to assure American consumers that their personal information, including their Social Security Number, is safely protected. 
At the same time, we must be mindful that many financial services companies utilize the Social Security Number internally for a variety of legitimate business reasons, which should remain exempt from additional limitations. As we explore ways to protect consumers' privacy, we should take care to thoroughly evaluate any proposed restrictions on the use, sale and purchase of Social Security numbers to ensure that unintended consequences do not occur. Obviously, the best way to protect our customers' information is to prevent fraud from occurring in the first instance. Through the kinds of methods I just described - such as employee training of the handling of sensitive information, and close scrutiny of third-party vendors - the industry is committed to doing its part. Finally, it is worth mentioning the role of the customer. Consumers who are proactive and understand the importance of safeguarding their Social Security Number can serve as the first line of defense in preventing fraud. I appreciate the opportunity to be here today and would be happy to answer any question you may have. MR. STEARNS. Mr. Rotenberg. MR. ROTENBERG. Thank you, Mr. Chairman. My name is Marc Rotenberg. I am Executive Director of the Electronic Privacy Information Center. I appreciate the opportunity to be before the subcommittee today, to see you again, and to talk about the Social Security number issue. I would like to ask that my written statement be entered. MR. STEARNS. By unanimous consent, so ordered. MR. ROTENBERG. I would like to make a few brief comments. I know it is late in the day. I think this is a very important hearing that you are holding. The risks of the misuse of the Social Security number in the United States, I think, are widely shared by American consumers. There has been a dramatic increase in the incidence of identity theft in this country. It imposes a real economic hardship, and it has been closely linked to the use of the Social Security number in the private sector. 
Now, I would like to describe two of the types of problems that arise for consumers when their Social Security numbers become available to others. The first, as you may know, is that many financial institutions use the Social Security number both as an account locator and as the password on the account, so that, in effect, if you have a person's Social Security number, you have the ability to access the contents of that financial account, which is why it is so attractive to identity thieves. It is literally the keys to the kingdom. The Social Security number also makes it possible to link together records from different sources and to build profiles. Now, it is true in terms of investigating a financial fraud and making credit determinations that it plays an important role in the private sector, and we understand that. But at the same time, it also opens the door to a kind of open-ended profiling of American consumers that makes the work of identity thieves that much easier. Now, the interesting thing about this particular issue is that Congress understood the problem, both in the creation of the number when the Social Security agency said, we are going to limit the use of the number so that it is only used for the SSA purposes, and again in 1974 when the Comprehensive Privacy Act passed on a bipartisan basis, said to the Federal agencies, we really want to limit the use of the Social Security number. Now, I actually went back the other day and looked at the history of the 1974 act and found something very interesting. It was an important report that provided the basis for that act, and that report said specifically that legislation should be adopted, and I am quoting now, it is in my statement, "prohibiting uses of an SSN or any number represented as an SSN for promotional or commercial purposes." 
The Senate report that accompanied passage of the Privacy Act said, in 1974, the use of the Social Security number in the private sector is, quote, "one of the most serious manifestations of privacy concerns in the Nation." So I think there was a broad-based understanding at a time when these computer systems were coming into place and making it possible to create these profiles on Americans that the Social Security numbers' use should be regulated. But, of course, over the last 30 years, what we have seen instead has been the expanded use of the Social Security number, both by the Federal agencies and in the private sector. So I think it is very appropriate to be looking at legislation today. I think it is also not surprising, if I might point out, that many of the States all across the country have passed legislation, from New York and West Virginia to Arizona and California and Colorado, limiting the use of the Social Security number in the private sector because so many people have complained in those States about being asked to put their Social Security number on their check or finding their Social Security number on their employee identification card. There is a real push today in the country at the State level to improve safeguards for the use of the Social Security number to try to protect privacy. Now, I think the two bills under consideration, H.R. 1078 and H.R. 1745, would certainly help. I think a lot of effort has obviously gone into these proposals, and I hope they will be acted upon by the committee. But as you see in my statement, I am actually urging you to consider going somewhat further. I am concerned, for example, that if too many statutory exceptions are created, if too many of the current business practices that make use of the Social Security number are left in place, we really won't do a particularly good job in safeguarding the privacy of American consumers. 
And so my hope is that Congress will be able to send a clear message that there may be some circumstances in the private sector where the Social Security number is necessary. It is certainly being used as the tax identification number, and employers need it. And it may also be necessary for fraud investigation, but I think what we need to do today is to limit the use of the Social Security number in the private sector and make clear that there are certain uses, such as the commercial sale of a Social Security number, for which there really is no basis. And I thank you again for the opportunity to be here today.

MR. STEARNS. And I thank you, Mr. Rotenberg.

[The prepared statement of Marc Rotenberg follows:]

PREPARED STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER

Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee, thank you for the opportunity to testify today on Social Security Numbers in commerce and how best to reconcile beneficial uses with threats to privacy. My name is Marc Rotenberg and I am Executive Director of the Electronic Privacy Information Center. EPIC is a non-partisan research organization based in Washington, D.C. Founded in 1994, EPIC has participated in leading cases involving the privacy of the Social Security Number (SSN) and has frequently testified in Congress about the need to establish privacy safeguards for the Social Security Number. Last year, we testified on H.R. 98, the Illegal Immigration Enforcement and Social Security Protection Act of 2005, and urged Members to reject the use of the SSN as a national identifier and to ensure the development of adequate privacy and security safeguards to address the growing crisis of identity theft.

Social Security numbers have become a classic example of "mission creep." A number that was created for a specific, limited purpose has been transformed for additional, unintended purposes, sometimes with disastrous results.
The pervasiveness of the SSN threatens privacy and the financial security of Americans. For example, SSNs are routinely used to both identify and authenticate an individual, a deeply flawed security practice. SSNs are also used to build detailed profiles on American consumers, linking together records that might otherwise be difficult to match. Without the SSN, businesses would have to be more forthcoming with individuals about the sources of information that are obtained and the profiles that are created. However, the SSN makes it possible to create profiles that are not only detailed but also secretive. As a consequence, consumers are able to exercise less control over their personal information held by others. Absent an explicit statutory protection, they have no idea what information about them is collected, how it is used, or to whom it is disclosed.

The privacy risks associated with the creation of the SSN have been well understood for a long time. Although Congress successfully limited some uses of the SSN by federal agencies with the passage of the Privacy Act in 1974, since that time Congress has largely failed to establish the necessary safeguards to protect American consumers.

History of SSN Use

The Social Security Number (SSN) was created in 1936 for the purpose of administering the Social Security laws. SSNs were intended solely to track workers' contributions to the social security fund. Legislators and the public were immediately distrustful of such a tracking system, which can be used to index a vast amount of personal information and track the behavior of citizens. Public concern over the potential abuse of the SSN was so high that the first regulation issued by the new Social Security Board declared that the SSN was for the exclusive use of the Social Security system.

Over time, however, legislation allowed the SSN to be used for purposes unrelated to the administration of the Social Security system.
For example, in 1961 Congress authorized the Internal Revenue Service to use SSNs as taxpayer identification numbers.

A major government report on privacy in 1973 outlined many of the concerns with the use and misuse of the Social Security Number that show a striking resemblance to the problems we face today. Although the term "identity theft" was not yet in use, Records, Computers, and the Rights of Citizens, the report that provided the basis for comprehensive privacy legislation in 1974, described the risks of a "Standard Universal Identifier," how the number was promoting invasive profiling, and that many of the uses were clearly inconsistent with the original purpose of the 1936 Act. The report recommended several limitations on the use of the SSN and specifically said that legislation should be adopted "prohibiting use of an SSN, or any number represented as an SSN for promotional or commercial purposes."

In enacting the landmark Privacy Act of 1974, Congress recognized the dangers of the widespread use of SSNs as universal identifiers, and enacted provisions to limit uses of the SSN. The Senate Committee report stated that the widespread use of SSNs as universal identifiers in the public and private sectors is "one of the most serious manifestations of privacy concerns in the Nation." Short of prohibiting the use of the SSN outright, Section 7 of the Privacy Act provides that any agency requesting an individual to disclose his SSN must "inform that individual whether that disclosure is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of it." This provision attempts to limit the use of the number to only those purposes where there is clear legal authority to collect the SSN.
It was hoped that citizens, fully informed that the disclosure was not required by law and facing no loss of opportunity in failing to provide the SSN, would be unlikely to provide an SSN and institutions would not pursue the SSN as a form of identification.

However, the Privacy Act failed to limit the use of the SSN by the private sector as the 1973 report had urged. Credit reporting agencies, marketing firms, and more recently, data brokers exploited this loophole to build detailed profiles on American citizens. As a consequence, consumers have experienced the extraordinary problem of identity theft.

Identity Theft

Commercial enterprises have made the SSN synonymous with an individual's identity. Despite the fact that the SSN was never intended to be used for identification purposes, they are considered the "keys to the kingdom" for records about individual consumers. The financial services sector, for instance, has created a system of files containing personal and financial information on nearly ninety percent of the American adult population, keyed to individuals' SSNs. This information is sold and traded freely, with virtually no legal limitations.

This widespread use, combined with lax verification procedures and aggressive credit marketing, has led to widespread identity theft. Credit grantors rely upon the SSN to authenticate a credit applicant's identity; many cases of identity theft occur when thieves apply using a stolen SSN and their own name. Despite the fact that the names, addresses, or telephone numbers of the thief and victim do not match, accounts are opened and credit granted using only the SSN as a means of authentication. EPIC has detailed many of these cases in other testimony.

The root of this problem is that the SSN is used not only to tell the credit issuer who the applicant is, but also to verify the applicant's identity. This would be like using the exact same series of characters as both the username and password on an email account.
The fact that this practice provides little security should not be a surprise.

The printing of SSNs on government-issued drivers' licenses provided yet another opening for identity thieves. A thief who stole your wallet could also easily steal your identity, with name, address, driver's license number, and SSN in one easy place. Congress recognized this threat and in the Intelligence Reform and Terrorism Prevention Act of 2004, prevented the printing of SSNs on drivers' licenses and other government-issued ID.

States are Taking the Lead on SSN Privacy

Several states have, in recent years, established new privacy protections for SSNs. These laws demonstrate that major government and private sector entities can still operate in environments where disclosure and use of the SSN is limited. They also provide examples of protections that should be considered at the federal level.

For example, Colorado, Arizona, and California all have laws that broadly restrict the disclosure and use of the SSN by both government and private actors. These laws encourage agencies and businesses to use different identifiers for their specific purposes, reducing the vulnerability that the disclosure of any one identifier may create. Arizona's law also prohibits the printing of the SSN on material mailed to Arizona residents, reducing the threat of fraud from intercepted correspondence.

Other states, including New York and West Virginia, have statutes that limit the use of the SSN as a student ID number. This reduces the vulnerability of students to identity theft and protects the privacy of students whose personal information is collected in databases, and whose grades are often publicly posted, indexed by their student ID numbers. Similar laws exist in Arizona, Rhode Island, Wisconsin, and Kentucky.
Of course, we would welcome strong legislation in Congress that would limit the use of the Social Security Number in the private sector and help safeguard the privacy interests of American consumers, but the bills now pending before the Committee have been so watered down it is not clear that they would provide much actual benefit. Many exceptions have been created to permit business to continue to collect and use the SSN for a wide range of commercial activities. There are also problems with the lack of effective enforcement. And the bills generally provide less protection than comparable state measures.

Possible SSN Privacy Legislation

I would like today to propose a simple approach to safeguarding privacy and limiting the misuse of the Social Security Number and that is to recommend legislation that would prohibit the collection and use of the Social Security Number by a commercial organization where there is no legal authority to do so. Simply stated, if Congress determined that it was necessary to authorize the use of the SSN in the private sector, as it did when it chose to make the SSN the Tax Identification Number, then a commercial firm would have the legal authority to collect and use the SSN consistent with that statutory purpose. But where there is no legal authority to collect an individual's SSN, the commercial firm would be prohibited from doing so. This would change the default on the use of the SSN and help ensure that the number was used only for appropriate purposes.

You could also, if you wish, apply the approach set out in section 7 of the Privacy Act by requiring private sector organizations that seek to collect an individual's SSN to inform that individual whether the disclosure of the SSN is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of the individual's SSN. Many privacy notices have become extraordinarily complex and are routinely ignored.
But the original notice for the collection and use of the SSN set out in the Privacy Act of 1974 would actually be very helpful for consumers who are trying to safeguard their privacy.

Either approach would provide meaningful limitations on the use of the SSN, reduce the risk of identity theft, and help restore consumer privacy. These are also the approaches consistent with the Privacy Act of 1974 and the 1973 report that provided the basis for that landmark law.

Conclusion

The expanded use of the Social Security Number is fueling the increase in identity theft in the United States and placing the privacy of American citizens at great risk. The widespread use of the SSN has made it too easy for government agencies, businesses, and even criminals to create detailed profiles of individual Americans. Congress wisely sought to limit the use of the Social Security Number by federal agencies when it passed the Privacy Act of 1974, and the states have since established additional safeguards. Still it is clear that the problem of the misuse of the Social Security Number is on the rise. Effective privacy legislation for the SSN in the commercial sector could be based on either requiring businesses to have legal basis to collect and use the SSN or by applying Section 7 of the Privacy Act to commercial entities.

MR. STEARNS. You have been kind enough to come and testify before, and I think we were in Rome together. So let me just start off with you. The Gramm-Leach-Bliley and the Fair Reporting Credit Act, do you think that these things specifically should be changed?

MR. ROTENBERG. If you are referring to the security standard in the Gramm-Leach-Bliley Act, I don't think it goes far enough to address the specific problems with the Social Security number. I think that was kind of left as an open issue, and it is one of the reasons why it probably would be appropriate to do some legislation around the SSN.

MR. STEARNS.
We have a data security bill that we passed out of my subcommittee and the full committee. Do you think that goes to help a little bit? MR. ROTENBERG. I think it will probably, and I haven't looked at it recently, but my recollection is that that bill didn't specifically address some of the SSN misuse issues. So that piece I think you could still get to. MR. STEARNS. We are thinking about perhaps having an amendment. And Chairman Barton has talked about having a markup or a bill in our subcommittee, but we are thinking about possibly having an amendment to the data security bill to include something on Social Security. You say it is not part of it and should be part of it, and we agree. MR. ROTENBERG. I think that would be a good approach. MR. STEARNS. Ms. Steinfeld, your testimony describes a practice of furnishing data under the FCRA, in which a company furnishes data to an entity that merely clicks a, quote, "I agree" box; that it has a permissible purpose under the FCRA. Is this a violation of the FCRA? MS. STEINFELD. Well, what I found was an Internet site that was making a lot of public record information available, and, again, public record information, including the Social Security numbers, is currently lawfully available for sale on line. What the Website said is for the Social Security number, we will only give that out if you have a permissible purpose under the Fair Credit Reporting Act. And then it said, click here to say, yes, I do have that permissible purpose. So the point I was making in the testimony is that if you do establish a regime like the two bills are contemplating, one important key piece is to make sure that you verify the identity and the authority of the requester of data that they actually meet one of the exceptions that are in the statute. Having people say, "Yes, I am legitimate," under your law is not enough. MR. STEARNS. How do we identify a person in a remote location, in a computer, with a click? 
I mean, how do you identify that person? MS. STEINFELD. I think it is very difficult, and I think it is what a lot of major industry players have been wrestling with. I have been looking a little bit at some of the ChoicePoint plans and the aftermath of some of their problems, and they have some robust credentialing requirements now that they impose before requesters can request sensitive data. And I have been told by another industry leader lately that there are actually site visits to test the authenticity of the requester when the volume and the sensitivity of the data is so great. But I recognize that is not going to work in all cases, and there is an interest in being able to deliver services online in a sufficient way, and I do think we are still wrestling with how to authenticate identity and authority in an online world. MR. STEARNS. Mr. Lively, we have touched upon it with the Commissioner Leibowitz when he was here earlier. Let us say, for example, just a hypothetical, the President signed the bill that prohibited a business from refusing to do business with a consumer without receipt of a Social Security number. How would that affect your membership? MR. LIVELY. It would clearly have an impact on service levels because alternative methodologies would have to be sought out and would have to be pursued, and the timely service that the industry is able to provide to its customers would be seriously deteriorated. MR. STEARNS. And it would be expensive, I guess. MR. LIVELY. Very expensive. MR. STEARNS. Well, you heard the Commissioner's testimony, and there are a lot of members who might vote for banning the sale or purchase of Social Security numbers without the person's consent. 
And even in certain cases, you heard the Chairman talk about his cell phone, you heard the Commissioner talk about this giving of the Social Security number, so a lot of members are sort of thinking, well, Social Security numbers are something we should not allow to be used, and there might be another identifiable thing. MR. LIVELY. Yes. I totally understand that and appreciate the concern that is being applied to that particular circumstance, but when the terms are being used about purchasing a Social Security number, you have to be awfully careful not to cause the credit report, which contains a Social Security number, from being classified as the purchase of a Social Security number. These things are so tightly integrated, and the systems have been developed both from the standpoint of fraud control as well as from the standpoint of customer service, and when you have got those objectives--because, after all, these institutions are in business to provide services to consumers. And by definition, services need to be timely, they need to be accurate, they need to be effective, and they need to provide the customer with the service they intended to obtain from that institution. And today we have situations in which the consumer can go to purchase an automobile and drive the automobile away from the dealership the same afternoon because of the facility-- MR. STEARNS. Quite incredible. MR. LIVELY. --access to this technology that is driving the Nation's economy. And at the end of the day, the care that has to be taken by this committee and all of the other people who are going to be involved in this process must be very, very, very carefully driven because inadvertent mistakes in the legislative process can create some havoc in the marketplace. MR. STEARNS. Mr. Ireland, I will close with you and Ms. McDonald. Mr. Ireland, do you see any problems with banning the sale of Social Security numbers to nonfinancial entities? 
And what nonfinancial entities should have access or require Social Security numbers? MR. IRELAND. When you talk about the sale of Social Security numbers, if you just mean somebody that is going to offer a list of Social Security numbers for sale, I don't know of a legitimate business purpose for that, and I am not troubled by the idea of banning it to nonfinancial entities. If we are talking about selling a loan file, for example, that includes a Social Security number and that is banned, I have just shut down the secondary mortgage market, among other things. So I think you have to define your terms carefully, and there are clearly practices out there that you could identify that don't have a legitimate commercial purpose, and you could further restrain, we think, in the case of financial institutions that are already probably prohibited by the Gramm-Leach-Bliley Act. But for nonfinancial institutions, they don't have comparable restrictions. There may be areas where it is appropriate to have further restrictions, but you have to be careful as you do that because Social Security numbers, as part of a loan file or as a component of a larger financial transaction, are sold all the time and are key to many commercial transactions and retail transactions in this country. MR. STEARNS. Mr. McDonald, perhaps you could, just for illustrative purposes, give us an example, worst practices you may have seen with regard to securing Social Security numbers in your area, if you have any. MS. MCDONALD. Well, when you say worst practices -- MR. STEARNS. Do you have the speaker on? MS. MCDONALD. Yes. I am not sure when you are saying worst practices, the abuses we have seen. From our standpoint, what we see with concerned participants has made them extremely paranoid, and in our service we are doing a good thing. We are finding them, reuniting them, they are excited to, in many cases to be back with their benefits. 
In other cases, they are calling their congressman and saying, "I got this letter, I don't understand." For our purposes though, if we were not able to get access to Social Security numbers, there's no way we could find a lot of the female participants by a name that is no longer theirs, due to marriage or divorce. MR. STEARNS. So a Social Security number is the only way you can identify these people, is what you are saying? MS. MCDONALD. To find the right person, yes. I mean, even in our database with all the people we have located, if somebody gives a name, it takes us forever to go through and give them all the names of the companies that they worked for. MR. STEARNS. Mr. Rothberg, do you agree with that? MR. ROTENBERG. I am sorry. The SSN can be useful in locating individuals? MR. STEARNS. Yes. Social Security number's the only way that you can identify people, and that is why she feels it is so important. MR. ROTENBERG. Well, I am sure there are circumstances where that may be the case, but I think it is also true that many businesses create their own unique identification numbers. I was thinking about this the other day-- MR. STEARNS. Like the military. MR. ROTENBERG. Well, the military does, your credit card company, your utility company. I think we are quite used to seeing a lot of different types of identifiers. What is really different about the Social Security number and the reason that it creates both benefits and risks is that it makes it possible to link data across different worlds, financial records and medical records. MR. STEARNS. My time has expired. The gentleman from Massachusetts. MR. MARKEY. Thank you, Mr. Chairman, very much. Just to restate a thank you, Mr. Chairman, and the full committee Chairman, Mr. Barton, for having this hearing. My bill would halt unregulated commerce in Social Security numbers. 
It does not establish an absolute prohibition on all commercial use of the number, but it would make it a crime for a person to sell or purchase Social Security numbers in violation of rules promulgated by the Federal Trade Commission. The Federal Trade Commission would be given the power to restrict the sale of Social Security numbers, determine appropriate exemptions, and to enforce civil compliance with the bill's restrictions. So you actually put together an all-star cast here, a privacy all-star team, both sides represented, I might say, on the issue. Mr. Ireland, if I may begin with you, and welcome back. I remember you with the Fed. MR. IRELAND. Yes. MR. MARKEY. Always a vigorous opponent of strong privacy protections, and you are consistent here in your testimony today. And you argue in your testimony that the financial services industry should be exempt from any Social Security number legislation, and in part, because of the existence of the privacy provisions of the Gramm-Leach-Bliley Act. Now, as Debbie Shannon remembers back in 1999 and 2000, sitting right behind you, the financial services industry was actually able to convince the Banking Committee in the House and in the Senate to have no privacy protections in Gramm-Leach-Bliley until it came to this committee when, in a surprise vote, Mr. Bliley sided with me. And pretty much all the privacy in the Gramm-Leach-Bliley is because of the vote in this committee on my amendment. And as a result, I am very aware of all of the loopholes in that law. As it finally went back over to the Banking Committee conferees as well, successfully worked upon by the financial services industry. So my first question to you, why should your member banks, brokerages, insurance companies be able to sell my Social Security number without my permission? MR. IRELAND. Well, as I said in a response to Chairman Stearns a little while ago, we don't sell lists of Social Security numbers, and we have no interest in doing that. 
There are circumstances, however, when you sell loans or groups of loans, and the loan files include Social Security numbers, it is necessary to the secondary mortgage market, for example, to be able to do that. So to be able to sell Social Security numbers in that context, I think is critical to the effect of operation of the mortgage market and for consumers to be able to enjoy low mortgage rates. MR. MARKEY. Do you think it would be unrealistic to ask the secondary mortgage market to develop their own individual identifiers for their own clients that would not require them to use Social Security numbers as a universal identifier? How hard can that be? MR. IRELAND. I think that is actually very, very difficult because one of the things you want to do if you are looking at a mortgage loan in the secondary market is you want to get an assessment of the credit quality of the borrower. So you are not only going to have to be able to identify them as that mortgage loan borrower, but you may want to get a credit report on them to know whether this is a subprime 620 borrower or it is a superprime 820 borrower, that will go into how much you are going to pay for that particular mortgage. MR. MARKEY. So when companies secure ties, for example, credit card loans, do they always use a Social Security number, or do they have another identifier system which they use? MR. IRELAND. Well, various companies will attach when they create loans, mortgage loan identifiers. MR. MARKEY. A different number from the Social Security number. MR. IRELAND. In addition to the Social Security number. MR. MARKEY. How can they figure out to do that, but they couldn't-- MR. IRELAND. It is perfectly possible for financial institutions. As a matter of fact, most financial institutions do it all the time to establish unique account numbers for their customers. MR. MARKEY. So it is possible, is that what you are saying? MR. IRELAND. 
And that works very well for identifying people within that financial institution. The problem comes in linking up their identification system with other identification systems. If you are going to transfer assets or you are going to do business across institutions, which is key, as I pointed out, in the example in the secondary mortgage market, but there are numerous other examples.

MR. MARKEY. Yeah. Well, I just kind of disagree with you on that, sir. I just think that we have got an information system now that is so massive in its delivery capacity that it can practically deliver breakfast to you through that wire. And I don't know why we couldn't figure out or these industries couldn't figure out some identifier system that just didn't have to use the Social Security number. Let me just move on here. Under Gramm-Leach-Bliley, a financial services company doesn't have to get my permission to transfer my personal information, including my Social Security number, to any of its affiliates. If I open a checking account with CitiBank, why should Smith Barney, Diners Club, Primerica, Citi Insurance and the rest of Citigroup's affiliates be able to get a copy of my personal information, including my Social Security number?

MR. IRELAND. Well, as you may recall, one of the principal advantages of the Gramm-Leach-Bliley Act in tearing down the walls between banking and insurance and securities business was to allow the cross-marketing of those services within financial holding companies. And typically the way that is done, and to be done most cost effectively so the customers enjoy the best price, is out of a common customer database, which identifies customers the same way across the holding company. So the customers can deliver one-stop shopping to their--

MR. MARKEY. All right. So that is one-stop shopping. Let us move to the next stage where they can deliver my Social Security number to any third party with whom the bank has a joint marketing agreement.
Does that get into cost effectiveness too? MR. IRELAND. Well, one of the reasons, as I recall, for the joint marketing agreement exception was to allow smaller banking companies and securities companies to enter into agreements and try to deliver the same kind of one-stop shopping that larger financial services, holding companies do deliver. It was a competitive issue for smaller institutions. MR. MARKEY. I appreciate it. But why shouldn't they have to get my permission? It is my identity. Why shouldn't they have to come back to me and get my permission? MR. IRELAND. Well, as you will recall, Gramm-Leach-Bliley basically does an opt-out system for nonaffiliated third parties. If for competitive reasons you wanted to decide that you were going to disadvantage the smaller institutions and provide a greater competitive advantage for larger institutions, I think that has financial structure implications, and my recollection is, that is the rationale for the joint marketing exception. You could disagree with that exception on that basis, but I think that was the rationale. MR. MARKEY. Yeah. But again, and this goes back to that period of time, I still don't believe that I should have to sacrifice my privacy and give up my Social Security number so that companies can market to me. If I want to give up my privacy, I should be asked to give it up. And that is still a debate, but that gets to the core of the Social Security issue here. People view that as their identity. And I just don't think that they should be viewed to just even in a way if they open up an account in any part of Citigroup, and now it is just sloshing through the entire Citigroup empire and all third-party relationships that they have. It just gets dangerous in terms of Amy Boyer, murder victim in New Hampshire. Okay, that is how this stuff just sloshes through and out, okay. Let me ask Mr. Rotenberg and Ms. 
Steinfeld, do you believe the financial services industry should be exempted from any bill that this committee is crafting to create Social Security number protections of general applicability for all companies in America?

MR. ROTENBERG. Congressman Markey, quite the opposite. I think the financial services industries should be subject to the greatest regulation because they are typically the ones who make the greatest demand for the Social Security number. Now, there may be some purposes that are appropriate and necessary, as I suggested in my statement, but it is precisely because that industry is making such widespread use of the SSN that I think we need legal protections.

MR. MARKEY. Okay. Ms. Steinfeld?

MS. STEINFELD. I believe the bill takes the approach of identifying the purpose that you would use the SSN for as the basis for the exception, and I continue to believe that that is the best approach rather than determining that a specific industry should be exempt. In my view, it is better to say, what is the reason for the exemption? It could very well be that at the end of a rule making, which I believe is the way to go, that many of the purposes that financial services put forward would be considered to be valid purposes, in which case they would get exemptions for those purposes. But again, I think the useful exercise is to really explore what are the legitimate uses, what are the legitimate purposes and that a rule making is a good place to tee those issues up.

MR. MARKEY. Thank you. Now, Mr. Rotenberg, you have suggested that companies should only be able to use and collect Social Security numbers when they have explicit legal authority to do so. Under current law, what are the circumstances in which there is such a legal authorization for the use of Social Security numbers by the private sector?

MR. ROTENBERG. Well, Congressman, right now we really don't have an approach that sets up legal authority for collecting the SSN.
In some circumstances employers, for example, are required to obtain the SSN because it operates also as the employment identification--I am sorry, the tax identification number, and therefore is necessary for various tax filings. But the point I was trying to make in my statement is I think Congress very wisely, back in the Privacy Act in 1974, was trying to limit the use, and your bill would certainly do this, but the core principle really is you don't ask for the SSN unless you have legal authority to get it. MR. MARKEY. So are there other circumstances where it would be permissible for a company to be able to collect or buy or sell a citizen's Social Security number? MR. ROTENBERG. Well, there's some case law that suggests that there could be limitations on the sale of the Social Security number. There was an interesting case a couple of years ago in Washington State, and I have been involved in some litigation surrounding the publication of the SSN, but for the most part, we really don't have any restrictions, and I think that is what has contributed in part to the growing identity theft. MR. MARKEY. Thank you. Let me ask, Mr. Ireland, if Congress were to exempt the financial services industry from Social Security number protection legislation, what would prevent Citicorp from acquiring an information broker or creating an in-house information broker that would then not be subject to any rules crafted by the Federal Trade Commission for all other businesses? MR. IRELAND. Well, if Citigroup acquired an information broker, that broker would, by definition, be a financial institution subject to the Gramm-Leach-Bliley rules, which would also restrict the use of Social Security numbers. I mean, I understand-- MR. MARKEY. But they have all the exceptions, which we just discussed. MR. IRELAND. They would have all of the exceptions we just discussed. MR. MARKEY. Right. So Mr. Rotenberg, Ms. Steinfeld, what do you think? 
What would happen in that kind of a situation where this information broker is now lodged safely inside of Citigroup? What is the status for protection of Social Security numbers? MS. STEINFELD. I think the status of the Social Security numbers would be pretty legally available for the sharing except if the safeguards rule and the analysis done by Citigroup about security risks and mitigating risks resulted in some curbs on the use of the Social Security numbers. MR. MARKEY. What if it is not a customer, though? What if it is someone else that wants to buy somebody else's name? MS. STEINFELD. I am not sure I understand the question. If an outsider wanted to buy information from Citigroup. Well, Mr. Ireland may want to comment. MR. IRELAND. If I may, first of all, the Citigroup affiliate would be subject to the Federal Reserve Board's rules, not the FTC safeguard's rule, Federal Reserve's security rules for the holding company. And you are correct that those rules do not apply to information about noncustomers except they would have a reuse limitation under the Gramm-Leach-Bliley Act to the extent that they got that information from another financial institution. One of the things that the data security bill that this committee passed and data security bills that other committees have passed did would be to close that loophole in requiring data security regardless of whether or not it is your customer. And to my knowledge, the financial services industry doesn't have a problem with closing that loophole. MR. MARKEY. If I may, Mr. Chairman, I would just like to ask each of the witnesses to give us the one-minute nutshell summary of what you want us to remember from your testimony. What do you want us to know about Social Security numbers and what Congress should do about it? We will begin with you, Ms. McDonald. One minute. MR. STEARNS. Or one sentence. MS. MCDONALD. 
Well, what I would like to say is there are beneficial uses to getting access to Social Security numbers. And in the case of a missing participant or incorrect data, I don't know how you would get their approval up front in order to get that information. MR. MARKEY. Okay. Mr. Lively. MR. LIVELY. I believe that one of the most important things that I would like to leave with you folks is the fact that we are very concerned about unintended consequences of a legislative process that hasn't gone deep enough to make sure that there is not going to be a very downside impact of the changes that are made in the law. MR. MARKEY. Ms. Steinfeld. MS. STEINFELD. I would say that it is surprising to me that data as sensitive as the Social Security number is so unregulated, and so I do think it is appropriate to ban the uncontrolled sale and purchase of Social Security numbers. But this has to be done with extreme care for the reasons that all the panelists have described. And a rule making with such attention to public comment and agency expertise and the FTC is an appropriate way to go. MR. MARKEY. Mr. Ireland. MR. IRELAND. I would echo Mr. Lively's comment that any requirement should be made with a full understanding of how they affect current legitimate business transactions so that we try to avoid unintended consequences. MR. MARKEY. And Mr. Rotenberg. MR. ROTENBERG. Congressman, I think the Social Security number has been pretty much a ticking privacy bomb from the time it was created, and I think the SSA has known this. I think Congress has known this. And I think the American public knows it. And I think in the end, we are going to need some legislation to ensure that the privacy risks associated with the misuse of the SSN are minimized. MR. MARKEY. Thank you all very much. Mr. Chairman, I can't thank you enough for your patience. MR. STEARNS. Well, thank you for coming back. And I want to thank the panel for their patience while we had all the votes in the House floor. 
I think that for a lot of members, we are just so surprised that there is no penalty, civil or criminal, for the sale of Social Security numbers, and we have sort of let this thing go. So it is time we do something. So I am encouraged that Chairman Barton has said we are going to try to have a markup or have a bill. And so I think your patience here has helped a lot of us understand it better. We have a written record now that we will use when we go back to debate and to convince our colleagues of the importance. So with that, the subcommittee's adjourned. MR. LIVELY. Mr. Chairman would it be appropriate to submit my entire testimony, my written testimony? MR. STEARNS. By unanimous consent, so ordered. MR. LIVELY. Thank you, sir. [Whereupon, at 5:50 p.m., the subcommittee was adjourned.] Footnotes The views expressed in this statement represent the views of the Commission. My oral presentation and responses to questions are my own and do not necessarily represent the views of the Commission or any other Commissioner. See Federal Trade Commission - Identity Theft Survey Report (2003), http://www.ftc.gov/os/2003/09/synovatereport.pdf and Rubina Johannes, 2006 Identity Fraud Survey Report (2006), http://www.javelinstrategy.com/research. A free summary of the 2006 Identity Fraud Survey Report is available at http://www.bbb.org/alerts/article.asp?ID=651. Federal Trade Commission - Identity Theft Survey Report at 6 (2003), http://www.ftc.gov/os/2003/09/synovatereport.pdf. Id. According to the Consumer Data Industry Association, 14 million Americans have one of ten last names, and 58 million men have one of ten first names. See General Accounting Office, Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information (GAO 04-01) (2004). 
See Federal Trade Commission - Report to Congress Under Sections 318 and 319 of the Fair and Accurate Credit Transactions Act of 2003 at 38-40 (2004), http://www.ftc.gov/reports/facta/041209factarpt.pdf. The federal government also uses the SSN as an identifier, for example, as both an individual's Medicare and taxpayer identification number. It also is used to administer the federal jury system, federal welfare and workmen's compensation programs, and military draft registration. See Social Security Administration, Report to Congress on Options for Enhancing the Social Security Card (Sept. 1997), www.ssa.gov/history/reports/ssnreportc2.html. Local and state governments are reducing their reliance on SSNs for many administrative purposes in response to identity theft concerns. For example, only a few states still use SSNs as drivers license numbers. See David A. Lieb, Millions of Motorists Have Social Security Numbers on Licenses, The Boston Globe, Feb. 6, 2006, http://www.boston.com/news/local/massachusetts/articles/2006/02/06/millions_of_motorists_have_social_security_numbers_on_licenses/. In some cases, however, governments still use SSNs as identifiers when it is not essential to do so. See Mark Segraves, Registering to Vote May Lead to Identity Theft, WTOP Radio, Mar. 22, 2006, http://www.wtop.com/?nid=428&sid=733727. Improved access to public records has important public policy benefits, but at the same time raises privacy concerns. Some public records offices redact sensitive information such as SSNs, but doing so can be very costly. The Commission has recognized the sensitive nature of SSNs, even when they are contained in publicly available records. For example, in response to a comment on the DSW order, the Commission stated that "[C]ertain publicly available records, such as court records, contain Social Security numbers and other highly sensitive information that can be used to perpetrate identity theft."
The Commission response letter is available at http://www.ftc.gov/os/caselist/0523096/0523096DSWLettertoCommenterBankofAmerica.pdf. Some data brokers have announced that they are voluntarily restricting the sale of SSNs and other sensitive information to those with a demonstrable and legitimate need. See Social Security Numbers Are for Sale Online, Newsmax.com, Apr. 5, 2005, http://www.newsmax.com/archives/articles/2005/4/4/155759.shtml. 15 U.S.C. 6801-09. 15 U.S.C. 45(a). Pub. L. No. 108-159, 117 Stat. 1952. 15 U.S.C. 1681-1681x, as amended. 15 U.S.C. 6809(3)(A). 12 C.F.R. 225.28, 225.86. See 15 U.S.C. 6802; Privacy of Consumer Financial Information, 16 C.F.R. Part 313 ("GLBA Privacy Rule"). See 15 U.S.C. 6809. The GLBA defines "nonpublic personal information" as any information that a financial institution collects about an individual in connection with providing a financial product or service to an individual, unless that information is otherwise publicly available. This includes basic identifying information about individuals, such as name, SSN, address, telephone number, mother's maiden name, and prior addresses. See, e.g., 65 Fed. Reg. 33,646, 33,680 (May 24, 2000) (the FTC's Privacy Rule). 15 U.S.C. 6802(e). 16 C.F.R. 313.11(a). Id. 15 U.S.C. 6801(b); Standards for Safeguarding Customer Information, 16 C.F.R. Part 314 ("Safeguards Rule"). The Federal Deposit Insurance Corporation, the National Credit Union Administration ("NCUA"), the Securities and Exchange Commission, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Office of Thrift Supervision, and state insurance authorities have promulgated comparable information safeguards rules, as required by Section 501(b) of the GLBA. 15 U.S.C. 6801(b); see, e.g., Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness, 66 Fed. Reg. 8,616-41 (Feb. 1, 2001).
The FTC has jurisdiction over entities not subject to the jurisdiction of these agencies. The Commission previously has recommended that Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety. Such a requirement could extend the FTC's existing GLBA Safeguards Rule to companies that are not financial institutions. See Statement of Federal Trade Commission Before the Committee on Commerce, Science, and Transportation, U.S. Senate, on Data Breaches and Identity Theft (June 16, 2005) at 7, http://www.ftc.gov/os/2005/06/050616databreaches.pdf. 15 U.S.C. 45(a). Deceptive practices are defined as material representations or omissions that are likely to mislead consumers acting reasonably under the circumstances. Cliffdale Associates, Inc., 103 F.T.C. 110 (1984). 15 U.S.C. 45(n). Other practices include, for example, allegations of unauthorized charges in connection with "phishing," high-tech scams that use spam or pop-up messages to deceive consumers into disclosing credit card numbers, bank account information, SSNs, passwords, or other sensitive information. See FTC v. Hill, No. H 03-5537 (filed S.D. Tex. Dec. 3, 2003), http://www.ftc.gov/opa/2004/03/phishinghilljoint.htm; FTC v. C.J., No. 03-CV-5275-GHK (RZX) (filed C.D. Cal. July 24, 2003), http://www.ftc.gov/os/2003/07/phishingcomp.pdf. 16 C.F.R. Part 382 ("Disposal of Consumer Report Information and Record Rule"). 15 U.S.C. 1681g(a)(1)(A). The FTC advises consumers of this right through its consumer outreach initiatives. See, e.g., the FTC's identity theft prevention and victim recovery guide, Take Charge: Fighting Back Against Identity Theft at 5 (2005), available at http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.pdf. 18 U.S.C. 2721-25. 45 C.F.R. Part 164 ("HIPAA Privacy Rule"). 45 C.F.R. 164.530(c). 
Documents related to these enforcement actions generally are available at http://www.ftc.gov/privacy/index.html. 15 U.S.C. 1681-1681x, as amended. The FCRA specifies that consumer reporting agencies may only provide consumer reports for certain "permissible purposes." ChoicePoint allegedly approved as customers individuals whose applications had several indicia of fraud, including false credentials, the use of commercial mail drops as business addresses, and multiple applications faxed from the same public commercial location. The FTC's complaint alleged that ChoicePoint did not have a permissible purpose in providing consumer reports to such individuals and failed to have reasonable procedures to verify prospective subscribers. United States v. ChoicePoint, Inc., No. 106-CV-0198 (N.D. Ga. Feb. 15, 2006). In the Matter of CardSystems Solutions, Inc., FTC File No. 052-3148 (proposed settlement posted for public comment, Feb. 23, 2006). The settlement requires CardSystems and its successor corporation to implement a comprehensive information security program and obtain audits by an independent third-party professional every other year for 20 years. As noted in the FTC's press release, CardSystems faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach. Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 U.S.C. 1028). The FACT Act added a requirement that consumer reporting agencies, at the request of a consumer, place a fraud alert on the consumer's credit report. Consumers may obtain an initial alert if they have a good faith suspicion that they have been or are about to become an identity theft victim. The initial alert must stay on the file for at least 90 days. Actual victims who submit an identity theft report can obtain an extended alert, which remains in effect for up to seven years. 
Fraud alerts require users of consumer reports who are extending credit or related services to take certain steps to verify the consumer's identity. See 15 U.S.C. 1681c-1. These include the right to an extended fraud alert, the right to block fraudulent trade lines on credit reports and to prevent such trade lines from being furnished to a consumer reporting agency, and the ability to obtain copies of fraudulent applications and transaction reports. See 15 U.S.C. 1681 et seq., as amended. See www.onguardonline.gov. OnGuard Online is also available in Spanish. See www.AlertaEnLinea.gov. Security Check: Reducing Risks to Your Computer Systems, available at http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm. Financial Institutions and Customer Data: Complying with the Safeguards Rule, available at http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm. Information Compromise and the Risk of Identity Theft: Guidance for Your Business, available at http://www.ftc.gov/bcp/conline/pubs/buspubs/idtrespond.pdf. See workshop agenda and transcripts available at www.ftc.gov/bcp/workshops/technology. See Staff Report available at http://www.ftc.gov/bcp/workshops/technology/finalreport.pdf. See Federal Trade Commission - National and State Trends in Fraud & Identity Theft (Jan. 2006), available at http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf. The Commission also conducts national surveys to learn how identity theft impacts the general public. The FTC conducted the first survey in 2003 and is conducting a second survey this spring. See Federal Trade Commission - Identity Theft Survey Report (Sept. 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf. 15 U.S.C. 1681m(e). "Social Security - Government and Commercial Use of the Social Security Number is Widespread," February 1999, GAO/HEHS-99-28. Id. at 4. Id. Id. at 2. Existing law already includes provisions that prohibit identity theft. 
For example, stealing someone's identity is punishable by civil and criminal penalties. See, e.g., 18 U.S.C. 1028. Moreover, the GLBA bans pretext calling, a tool of identity thieves. See, e.g., 12 C.F.R. 40.3(o). The regulation generally defines protected "personally identifiable financial information" to include "any information . . . [t]he bank . . . obtains about a consumer in connection with providing a financial product or service to that consumers." Id. (emphasis added). EPIC maintains an archive of information about the SSN online at http://www.epic.org/privacy/ssn/. See, e.g., Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) ("Since the passage of the Privacy Act, an individual's concern over his SSN's confidentiality and misuse has become significantly more compelling"); Beacon Journal v. Akron, 70 Ohio St. 3d 605 (Ohio 1994) ("the high potential for fraud and victimization caused by the unchecked release of city employee SSNs outweighs the minimal information about governmental processes gained through the release of the SSNs"); Testimony of Marc Rotenberg, Executive Director, Electronic Privacy Information Center, at a Joint Hearing on Social Security Numbers and Identity Theft, Joint Hearing Before the House Financial Services Subcommittee on Oversight and Investigations and the House Ways and Means Subcommittee on Social Security (Nov. 8, 2001) available at http://www.epic.org/privacy/ssn/testimony_11_08_2001.html; Testimony of Chris Jay Hoofnagle, Legislative Counsel, EPIC, at a Joint Hearing on Preserving the Integrity of Social Security Numbers and Preventing Their Misuse by Terrorists and Identity Thieves Before the House Ways and Means Subcommittee on Social Security and the House Judiciary Subcommittee on Immigration, Border Security, and Claims (Sept. 19, 2002) available at http://www.epic.org/privacy/ssn/ssntestimony9.19.02.html. Testimony of Marc Rotenberg, President, Electronic Privacy Information Center, at a Hearing on H.R.
98, the "Illegal Immigration Enforcement and Social Security Protection Act of 2005" before the House Judiciary Committee Subcommittee on Immigration, Border Security, and Claims (May 12, 2005) available at http://www.epic.org/privacy/ssn/51205.pdf. "Records, Computers, and the Rights of Citizens," Report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Department of Health, Education & Welfare 125-35 (MIT 1973). See, e.g., TRW, Inc. v. Andrews, 534 U.S. 19 (2001) (Credit reporting agencies issued credit reports to identity thief based on SSN match despite address, birth date, and name discrepancies); Dimezza v. First USA Bank, Inc., 103 F. Supp.2d 1296 (D. N.M. 2000) (same). See also United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003) (Credit issued based solely on SSN and name, despite clear location discrepancies); Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997) (same); Vazquez-Garcia v. Trans Union De P.R., Inc., 222 F. Supp.2d 150 (D. P.R. 2002) (same). Pub. L. No. 108-408 7211-7214, 118 Stat. 3638, 3825-3832 (2004). Colo. Rev. Stat 24-72.3-102; Ariz. Rev. Stat. 44-1373; Cal. Civ. Code 1798.85. N.Y. Educ. Law 2-b; W. Va. Code Ann. 18-2-5f. Ariz. Rev. Stat. 15-1823; R.I. Gen. Laws 16-38-5.1; Wis. Stat. Ann. 36.11(35); Ky. Rev. Stat. Ann. 156.160.