[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


 
                         SOCIAL SECURITY NUMBERS IN 
                           COMMERCE:  RECONCILING 
                        BENEFICIAL USES WITH THREATS 
                                 TO PRIVACY


                                   HEARING

                                 BEFORE THE

                       SUBCOMMITTEE ON COMMERCE, TRADE, 
                            AND CONSUMER PROTECTION

                                   OF THE 

                           COMMITTEE ON ENERGY AND 
                                 COMMERCE
                          HOUSE OF REPRESENTATIVES


                         ONE HUNDRED NINTH CONGRESS

                               SECOND SESSION


                                MAY 11, 2006

                             Serial No. 109-91

       Printed for the use of the Committee on Energy and Commerce



Available via the World Wide Web:  http://www.access.gpo.gov/congress/house



                    U.S. GOVERNMENT PRINTING OFFICE
29-388                      WASHINGTON : 2006
_____________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; DC area (202) 
512-1800 Fax: (202) 512-2250  Mail: Stop  SSOP, Washington, DC 20402-0001


                     COMMITTEE ON ENERGY AND COMMERCE
                        JOE BARTON, Texas, Chairman

RALPH M. HALL, Texas                      JOHN D. DINGELL, Michigan          
MICHAEL BILIRAKIS, Florida                  Ranking Member
  Vice Chairman                           HENRY A. WAXMAN, California
FRED UPTON, Michigan                      EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida                    RICK BOUCHER, Virginia
PAUL E. GILLMOR, Ohio                     EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia                      FRANK PALLONE, JR., New Jersey
ED WHITFIELD, Kentucky                    SHERROD BROWN, Ohio
CHARLIE NORWOOD, Georgia                  BART GORDON, Tennessee
BARBARA CUBIN, Wyoming                    BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois                    ANNA G. ESHOO, California
HEATHER WILSON, New Mexico                BART STUPAK, Michigan
JOHN B. SHADEGG, Arizona                  ELIOT L. ENGEL, New York
CHARLES W. "CHIP" PICKERING,  Mississippi ALBERT R. WYNN, Maryland
  Vice Chairman                           GENE GREEN, Texas
VITO FOSSELLA, New York                   TED STRICKLAND, Ohio
ROY BLUNT, Missouri                       DIANA DEGETTE, Colorado
STEVE BUYER, Indiana                      LOIS CAPPS, California
GEORGE RADANOVICH, California             MIKE DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire            TOM ALLEN, Maine
JOSEPH R. PITTS, Pennsylvania             JIM DAVIS, Florida
MARY BONO, California                     JAN SCHAKOWSKY, Illinois
GREG WALDEN, Oregon                       HILDA L. SOLIS, California
LEE TERRY, Nebraska                       CHARLES A. GONZALEZ, Texas
MIKE FERGUSON, New Jersey                 JAY INSLEE, Washington
MIKE ROGERS, Michigan                     TAMMY BALDWIN, Wisconsin
C.L. "BUTCH" OTTER, Idaho                 MIKE ROSS, Arkansas                
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee


                    BUD ALBRIGHT, Staff Director
                   DAVID CAVICKE, General Counsel
    REID P. F. STUNTZ, Minority Staff Director and Chief Counsel


      SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION
                  CLIFF STEARNS, Florida, Chairman
FRED UPTON, Michigan               JAN SCHAKOWSKY, Illinois
NATHAN DEAL, Georgia                 Ranking Member
BARBARA CUBIN, Wyoming             MIKE ROSS, Arkansas
GEORGE RADANOVICH, California      EDWARD J. MARKEY, Massachusetts   
CHARLES F. BASS, New Hampshire     EDOLPHUS TOWNS, New York
JOSEPH R. PITTS, Pennsylvania      SHERROD BROWN, Ohio
MARY BONO, California              BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                GENE GREEN, Texas
MIKE FERGUSON, New Jersey          TED STRICKLAND, Ohio
MIKE ROGERS, Michigan              DIANA DEGETTE, Colorado
C.L. "BUTCH" OTTER, Idaho          JIM DAVIS, Florida
SUE MYRICK, North Carolina         CHARLES A. GONZALEZ, Texas
TIM MURPHY, Pennsylvania           TAMMY BALDWIN, Wisconsin
MARSHA BLACKBURN, Tennessee        JOHN D. DINGELL, Michigan
JOE BARTON, Texas                    (EX OFFICIO)                    
  (EX OFFICIO)

                              CONTENTS


                                                                Page
Testimony of:
     Leibowitz, Hon. Jon, Commissioner, Federal Trade Commission  16
     Ireland, Oliver I., Partner, Morrison & Foerster, LLP, on 
          behalf of Financial Services Coordinating Council	  30
     McDonald, Susan, President, Pension Benefit Information	  39
     Steinfeld, Lauren, Former Associate Chief Counselor, 
          Office of Management and Budget	                  44
     Lively, Jr., H. Randy, President and CEO, American 
          Financial Services Association	                  49
     Rotenberg, Marc, Executive Director, Electronic Privacy 
          Information Center	                                  53

                  SOCIAL SECURITY NUMBERS IN 
                    COMMERCE:  RECONCILING 
                BENEFICIAL USES WITH THREATS TO 
                           PRIVACY


                    THURSDAY, MAY 11, 2006

                   HOUSE OF REPRESENTATIVES,
              COMMITTEE ON ENERGY AND COMMERCE,
               SUBCOMMITTEE ON COMMERCE, TRADE, 
                   AND CONSUMER PROTECTION,
                                                    Washington, DC.


     The subcommittee met, pursuant to notice, at 2:45 p.m., in Room 
2123, Rayburn House Office Building, Hon Cliff Stearns [chairman] 
presiding.
     Present:  Representatives Stearns, Deal, Bass, Blackburn, Barton (Ex 
Officio), Schakowsky, Markey, and DeGette.
     Staff Present:  David Cavicke, General Counsel; Shannon Jacquot, 
Counsel; Chris Leahy, Policy Coordinator; Will Carty, Professional Staff 
Member; Billy Harvard, Legislative Clerk; Consuela Washington, 
Minority Senior Counsel; and Alec Gerlach, Minority Staff Assistant.
     MR. STEARNS.  Good afternoon, everybody.  The subcommittee will 
come to order.  I am pleased that we are holding this important hearing 
on the use of Social Security numbers and the implication use of personal 
privacy.  I would like to thank Chairman Barton for bringing this issue to 
the fore.  Our work on data security did not address Social Security 
numbers, because we believe it is a complex issue that needs more focus 
and distinct treatment from securing personal information, notice, and 
yes, privacy issues that arise in the commercial world--a world is fueled 
by information, incredible technology that facilitates our tremendous 
progress, and one that is starting to present us with some very serious and 
complex challenges that require our attention today.  
     If you are an American citizen, you, without exception, have one of 
those long string of numbers associated with our individual identity 
called a Social Security number.  As Chairman Barton has pointed out, in 
1935, the Social Security Administration was directed to create an 
accounting system that would be able to track how much we put into the 
Social Security pot in taxes so we can get credit for those contributions 
when we act to withdraw them.  The Social Security Administration was 
not directed to create a unique personal identifier for commercial 
purposes.  
     The issues that are before us today have arisen because government 
and private businesses quickly realized how good the idea was, a unique 
identifier, and soon adopted it for their own use, whether for tax 
administration, fraud prevention, or to send out marketing information.  I 
think all of those uses can be legitimate as long as they are conducted 
with the utmost respect for the personal privacy of the individual, 
including adhering to the security principles outlined in our data security 
bill.  A bill designed to prevent misuse and fraud.  My colleagues, I do, 
however, want to learn more about those cases when a customer is 
denied goods or services because he or she decides they don't want to 
furnish their Social Security number.  
     I think most Members here don't want to give it out.  We understand 
the emotional issues involved when confronted by such a request, and we 
are continuing to be confronted.  So I would like to ask today's witnesses 
to help us understand why that is something business needs to have these 
days, and is it an anti-fraud mechanism or what?  
     I would also like to suggest our witnesses take us through the 
concept addressed in perhaps three of the major bills that have been 
introduced in this Congress and deal with the issue of Social Security 
number use and personal privacy, particularly the bill H.R. 1745, the 
Social Security Number Privacy and Identity Prevention Act of 2005, 
introduced by my colleague from Florida, Mr. Shaw.  Chairman Shaw 
has done great work in this area, and I commend him for his work as a 
tireless advocate for protecting the privacy of consumers and maintaining 
the integrity of Social Security numbers, balancing the benefits that 
accrue to consumers from private use Social Security numbers with the 
harm caused by identity theft is a difficult feat.  
     In addition, because identity theft is a very important consumer 
protection issue, we would like to hear specifics about that issue and how 
it relates to Social Security number misuse and security from the Federal 
Trade Commission.  The FTC data indicates that in a 1 year period of 
time from September 2002 to September 2003, over 10 million people 
were victims of identity theft.  This is a big cost to consumers and 
businesses both in terms of money lost and time spent trying to clear up 
names and credit reports.  The Federal Trade Commission has done a 
tremendous job in gathering important statistical information regarding 
identity theft.  This will help us in policy decisions we make in this 
committee.  
     I look forward to a general update from the FTC on the state of 
identity theft today and would like to hear what ideas the commission has 
for reducing the occurrence of identity theft.  So I would like to thank 
everybody for joining us today, especially Commissioner Leibowitz, who 
had to juggle some scheduling to be here, and I look forward to his 
testimony, as we take a dive into this very interesting and important 
issue.
     And with that, I will conclude and ask Ms. DeGette, who is standing 
in for the Ranking Member, for her opening statement.  
[The prepared statement of Hon. Cliff Stearns follows:]

PREPARED STATEMENT OF THE HON. CLIFF STEARNS, CHAIRMAN, SUBCOMMITTEE ON 
COMMERCE, TRADE, AND CONSUMER PROTECTION

	I am very happy that we are holding this important hearing on the 
use of social security numbers and the implications for personal privacy.  
I'd like to thank Chairman Barton for bringing this issue to the fore.  
Our work on data security did not address social security numbers because 
we believe it is a complex issue that needs more focus and distinct treatment 
from securing personal information, notice, and yes, privacy issues that 
arise in the commercial world - a world that is fueled by information, 
incredible technology that facilitates our tremendous progress, and one that 
is starting to present us with very serious and complex challenges that 
require attention now.  
        If you have a heartbeat and are an American citizen, you will, 
almost without exception, have one of those long strings of numbers 
associated with our very person, called the social security number.  As 
Chairman Barton has pointed out, back in 1935, The Social Security 
Administration was directed to create an accounting system that would be 
able to track how much we put into the social security pot in taxes so we 
can get credit for those contributions when we act to draw on them.  The 
Social Security Administration was not directed to create a unique personal 
identifier for commercial purposes.  The issues that are before us today 
have arisen because government and private business quickly realized how 
good the idea was - a unique identifier - and soon adopted it for their 
own use - whether for tax administration, fraud prevention, or to send 
marketing.  I think all those uses can be legitimate as long as they 
conducted with the utmost respect for the personal privacy, including 
adhering to the security principles outlined in our data security bill- a 
bill designed to prevent misuse and fraud.  I do, however, want to learn 
more about those instances when a consumer is denied goods or services 
because he or she decides they don't want to furnish their social security 
number.  I don't like to give it out so I understand the emotional issues 
involved when confronted by such a request.  I'd like to ask today's 
witnesses to help us understand why that is something business need to do 
these days - is it an anti-fraud mechanism or what?
        I also would like to suggest that our witnesses take us through 
the concepts addressed in the major bills that have been introduced this 
Congress and deal with the issues of social security number use and 
personal privacy, particularly the bill HR 1745, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2005, introduced by 
my good friend and colleague from Florida, Mr. Shaw.  Chairman Shaw has done 
a tremendous amount of work in this area.  I commend him for his work as a 
tireless advocate for protecting the privacy of consumers and maintaining 
the integrity of social security numbers.  Balancing the benefits that 
accrue to consumers from private use of social security numbers with the 
harm caused by identity theft is a difficult feat.  
        In addition, because identity theft is a very important consumer 
protection issue, we would like to hear specifics about that issue and how 
it relates to social security number misuse and security from the Federal 
Trade Commission.  FTC data indicates that in a one-year period of time, 
from September 2002 to September 2003, over 10 million people were victims 
of identity theft.  This is a significant cost to consumers and businesses 
both in terms of money lost and time spent trying to clear up names and 
credit reports.  The Federal Trade Commission has done a tremendous job 
in gathering important statistical information regarding identity theft.  
This will help us in policy decisions we make.  I look forward to a general 
update from the Federal Trade Commission on the state of identity theft 
today and would like to hear what ideas the Commission has for reducing 
the occurrence of identity theft.
        Again, I thank everyone for joining us today, especially 
Commissioner Liebowitz, who had to juggle some scheduling and logistical 
issues to be here today.  Thank you.  We look forward to the testimony.  
This is a very important hearing as my Subcommittee begins to take a deep 
dive into the issue surrounding personal privacy in the commercial 
world.

     MS. DEGETTE.  Thank you, Mr. Chairman, and Ms. Schakowsky 
should be along shortly.  She has an amendment up on the floor right 
now.  So she will--
     MR. STEARNS.  I understand.  
     MS. DEGETTE.  --be along.  First of all, I want to welcome 
Commissioner Leibowitz, who I just found out is a fellow graduate of the 
New York University School of Law.  
     MR. LEIBOWITZ.  You might have had better grades than me, though.  
     MS. DEGETTE.  Hmm?  
     MR. LEIBOWITZ.  You might have had better grades than me, though.  
     MS. DEGETTE.  I don't know.  We will talk about that later.  I also 
want to thank you, Mr. Chairman, for having this series on privacy.  I 
know it has long been an issue that you have chaired personally and 
really, really made it an effort to have full, full hearings.  I think that 
the wide range of views among different industries and consumer groups, 
coupled with the complexity of the issue, has made it a challenging task 
to craft legislation, and so I am impressed by the bills that really go in 
depth on this issue, and I look forward to debating their merits.  
     The first privacy hearing that we had in this series was actually 5 
years ago, in 2001, and at that hearing, I talked about how many of my 
constituents have been contacting me and express an interest in and 
concern about personal privacy.  This, of course, remains even more so 
true today, and I would say their concerns have grown more accurate.  
     Just this morning we saw, for example, that the NSA is apparently 
trying to collect records of every single telephone call made--these are 
not international terrorist phone calls but made domestically in this 
country.  And one has to ask oneself, what is the nexus between people 
making domestic phone calls and the NSA collecting all of the 
information on the phone numbers that are making and receiving the 
phone calls, how could that possibly have a nexus to national security 
and fighting terrorism?  
     And I talked just a few minutes ago to Chairman Barton, and I talked 
to Mr. Markey earlier, and we all share a concern about government 
agencies and others collecting more and more data about people with 
seemingly no controls over this.  
     And so I am hoping Chairman Barton will hold some hearings on 
this issue, which is within the preview of this committee because it is of 
real concern.  And a similar issue I hear about from constituents all the 
time is the growing requirement that a Social Security number be given 
to conduct business with various companies, whether it is getting a credit 
card, opening an account, or whatever else.  And people always ask me, 
is it legal for companies to require a Social Security number to do 
business with them?  Do they have any recourse if they are refused a 
transaction or if they are turned away for applying for something when 
they do not provide their Social Security number?  So clearly, there is a 
great deal of discomfort among many about giving out their Social 
Security number, even for a seemingly legitimate purpose.  
     And I will tell you, the more recent revelations like the ones that we 
see today with the NSA taking the phone numbers of legitimate domestic 
phone calls is only going to make people feel more and more 
uncomfortable about giving out any personal information, and they are 
really going to begin wondering if big brother is looking over them, and I 
am sure, Mr. Chairman, you and the other members of this committee are 
hearing from our constituents.  The drum beat is growing ever louder, 
and we have got to do something to secure people's privacy and their 
private information.
     Social Security numbers, interestingly, are seen as the gold standard 
of identifying information, and yet, the more that groups use them, then 
the more the Social Security numbers are out there, then the greater 
likelihood it is that these Social Security numbers will be given out and 
stolen and used for fraud.  
     So with respect to this hearing on the one hand, we have the current 
practice of businesses who are trying to protect themselves from fraud, 
requiring Social Security numbers, and then on the other hand, we have 
consumers who are increasingly reluctant to give their Social Security 
numbers out, and for increasingly good reasons.  
     So how do we reconcile this?  I think it is going to be an interesting 
balancing act, but I have got to tell you, I feel like the tipping point has 
been reached, and we have got to make a real effort not just at the Social 
Security numbers, but at all of people's identifying information and 
communications.  How do we protect people's security, while at the 
same time encouraging commerce and encouraging legitimate national 
security uses.  And with that, Mr. Chairman, I will yield back the balance 
of my time.  
     MR. STEARNS.  I thank the gentlelady.  Mrs. Blackburn.  
     MRS. BLACKBURN.  Thank you, Mr. Chairman.  I want to thank you 
for your attention on the issue, and Mr. Leibowitz, I want to thank you 
for taking the time to be with us today and for being here to present the 
information and to join us as we look at the use of Social Security 
numbers with financial transactions and also with commerce.  
     Congress has enacted several laws to guard against the misuse of 
consumer information, but it absolutely has not been enough.  In the past 
few years, identity theft has become the fastest growing crime in 
America and has cost consumers and businesses in the neighborhood of 
$50 billion.  We were astounded at the number of people that showed up 
at an identity theft town hall in our district, and we were appalled and 
really quite concerned with some of the stories that they had to tell.  
     One of the major glaring examples is the occurrence of security 
breaches at several data brokers.  These breaches have subjected many 
consumers to theft of personal information, and I appreciate this 
committee has passed the Data Act to address that problem, and now we 
know that we must look at the role of Social Security numbers in the era 
of e-commerce.  I know that companies do want a quick and reliable 
method of identifying people to conduct business, yet we do have to 
balance the privacy concerns that exist, and as we move forward and 
look at data security and privacy, we understand that the world of 
e-commerce presents many new opportunities for individuals.  At the 
same time we have to recognize that it does present many challenges that 
new technologies are presenting wonderful opportunities, but at the same 
time, there are challenges and there are concerns and there is truly a need 
for us to review our existing policies.  And, Mr. Chairman, I thank you 
for your leadership and your willingness to review those existing 
policies.  I look forward to the information we will have in this hearing, 
and looking at how we can achieve balance, and I yield back.  
     MR. STEARNS.  Thank you.  The gentleman from Massachusetts is 
recognized.  
     MR. MARKEY.  Thank you, Mr. Chairman.  And thank you for 
having this hearing.  This hearing, at my request, of the full committee 
Chairman and yourself, Mr. Chairman, is meant to consider my proposed 
legislation H.R. 1078, the Social Security Number Protection Act, as 
well as other legislative ideas on how to protect Americans from the 
misuse of their Social Security numbers.  H.R. 1078 would bring a halt to 
unregulated commerce in Social Security numbers.  It does not establish 
an absolute prohibition on all commercial use of the number, but it 
would make it a crime for a person to sell or purchase Social Security 
numbers in violation of the rules promulgated by the Federal Trade 
Commission.  The FTC would be given the power to restrict the sale of 
Social Security numbers, determine appropriate exemptions, and to 
enforce civil compliance and the bill's restrictions.  
     We thank Mr. Leibowitz for being here, and the other experts that 
are here to talk to us today, and what could be a more appropriate day, 
given the fact that Mr. Rotenberg has a lawsuit against the NSA to 
determine exactly how the NSA is spying on Americans, than on a day 
that we learn that there has been a new telecom merger between NSA 
and AT&T.  And it is the last takeover in this chain of mergers which has 
occurred.  NSA, AT&T now stands for now spying on Americans, 
anytime you talk, NSA, AT&T, the new America, the new telecom NSA 
America.  
     So we have got a new slogan for the NSA and AT&T, "Reach out 
and tap someone."  And what we see is an incredible violation of the 
privacy of Americans by the Federal government.  The argument is made 
that they are going to compile every phone call ever made in the United 
States, I think that we have now reached a point of privacy crisis in the 
name of security.  The price being paid is the privacy of all Americans, 
and it is too high a price to pay.  
     Here in the Social Security area, from Amy Boyer through thousands 
of other examples, we see what happens when people's privacy, their 
Social Security number is used as an identifier.  What the NSA and 
AT&T have made clear today is that this is just part of a larger puzzle, 
where technology makes possible things which were unimaginable when 
we were younger, and it is our responsibility to make sure that we 
safeguard, we secure that private information so that the DNA of each 
family isn't just a commodity out there for purchase by the highest 
bidder, notwithstanding the consequences for the history of that family.  I 
thank you, Mr. Chairman, for having this hearing.  
     MR. STEARNS.  I thank the gentleman.  The Chairman of the full 
committee, Mr. Barton from Texas.  
     CHAIRMAN BARTON.  Thank you, Mr. Chairman.  I apologize for 
being delayed.  We were doing a hearing on gasoline prices in the same 
committee hearing room, and it went longer than expected.  I made a 
commitment to Congressman Markey at a full committee markup on the 
data security bill, that we would address the issue of Social Security 
number privacy.  And I want to thank you, Chairman Stearns, for 
honoring my commitment to hold this hearing so I could honor the 
commitment I made to Congressman Markey at that markup.  
     I share Mr. Markey's concerns about the widespread abuse, and I 
want to highlight abuse, of Social Security numbers.  I believe, like 
Congressman Markey, that not enough is being done to protect this 
unique personal identifier.  The Data Act which passed this committee, I 
think, 42-0, recently would go a long way towards ensuring proper 
security for databases that contain Social Security numbers and other 
personal information.  I am proud of our committee's work on that bill, 
and am working very hard, as late as noon today, to get that bill to the 
floor of the House.  
     While the Data Act is a very important component of protecting 
Social Security numbers and sensitive personal data, the bill does not 
address the issue surrounding the use of Social Security numbers.  There 
are a number of complex issues in this area.  
     The nature of business has evolved over the past several decades to 
serve a population that engages much more frequently in interstate 
commerce.  The rise of the Internet has popularized electronic 
commerce.  Also rising unfortunately is the risk of criminal activity, and 
for crooks, a Social Security number is like a key to the bank.  
     Twenty years ago, nobody thought much about showing their 
number.  Their Social Security number on a driver's license or, I 
apologize, a store clerk writing it on checks.  Now we know that this 
number is an integral part of our identity, and there are lots and lots of 
people who want to steal our identity.  Our economic system allows us to 
conduct transactions anywhere, anytime almost instantaneously.  
     In this world of e-commerce, companies have to know who they are 
dealing with.  That is why they believe consumer's Social Security 
numbers is a necessary component to many transactions, because it has 
evolved to become a unique and required identifier for almost every 
significant aspect of our lives.  Its value is even more important than 
simply a claim on a future government retirement check, which was its 
original intention, because it is so important.  
     My belief, and Congressman Markey's belief, is Congress needs to 
act to put in place new protections.  I recognize that removing the link 
between our Social Security number and our personal accounts is 
difficult, and maybe it will turn out to be impractical.  What I want to see 
is a development of an alternative identifier and then we can judge the 
suitability of removing Social Security numbers all together.  Sometimes 
using Social Security numbers as a commercial identifier speeds 
business, and that is a benefit, no question about it, both to the companies 
and to the consumers.  That said, there are also many situations in which 
there's no apparent reason or consumer benefit to provide a Social 
Security number.  
     This committee has looked at many issues in this area and will 
continue to consider other issues in this area.  We continue to wonder, 
for example, whether businesses can or should require consumers to 
provide a Social Security number in order to buy a product or service.  
     I recently purchased a new cell phone for my charitable foundation 
for my personal use in making charitable calls.  I had to give my Social 
Security number three times in the process of being approved for that cell 
phone, and my Social Security number was not necessary to prove that I 
had the financial ability to pay for the phone or really, that I was who I 
said I was since I also had to give my driver's license number.  But if I 
didn't give my Social Security number, I wasn't going to get that phone.  
I just don't see that that is a necessity.  
     Further, once a business has a consumer's Social Security number, 
can they share it?  Can they sell it?  And if so, to who?  Having your 
number is one thing.  Selling it, I think, or using it for a purpose without 
your permission is quite another.  And how should a company go about 
getting a person's consent to transfer a Social Security number to another 
entity?  
     These were important questions to which there are not always simple 
answers.  But one question to which there is an easy answer is whether 
our Social Security number should be sold by Internet data brokers to 
anyone willing to pay.  Indistinguishable from sales of sports scores or 
stock quotes that to me is a no-brainer.  There is no legitimate reason 
why my Social Security number should be sold or used by a business 
without a relationship with me, and without my knowledge and consent, 
period, end of debate.  
     There are some uses of Social Security numbers that many people 
agree provide benefits beyond the potential for harm.  Locating 
criminals, locating witnesses, enforcing child support obligations, and 
other purposes are clearly legitimate.  It gets more difficult when we are 
talking about locating people, generally confirming identity outside of 
fraud prevention, and marketing just generic products and services.  The 
potential for harm, which has been well documented by this committee, 
raises serious questions about using Social Security numbers for those 
purposes.  
     I expect this committee will consider legislation on Social Security 
numbers this year.  I want to repeat that.  I expect this committee will 
consider legislation on Social Security numbers this year.  
     I hope the Ways and Means Committee will also act on an important 
bill by Congressman Clay Shaw, one of their subcommittee chairmen.  
And I support his effort to get that bill out of the Ways and Means 
Committee.  But I intend to use the jurisdiction of the Energy and 
Commerce Committee to move a Social Security bill out of this 
committee this year.  
     We have a very distinguished group of witnesses here today to work 
through some of these issues.  I want to thank all of you for participation 
and, in particular, I want to thank Commissioner Leibowitz who has been 
with us before.  I understand that you have made some significant 
changes to your schedule to be here, and I appreciate it.  I look forward 
to the testimony today, Mr. Chairman.  I yield back the 3 minutes and 35 
seconds that I have already overextended.  
     [The prepared statement of Hon. Joe Barton follows:]  

PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON ENERGY 
AND COMMERCE

     Thank you, Mr. Chairman, for holding this hearing today.  I made a 
commitment to Congressman Markey at the Full Committee markup on data 
security to address the issue of Social Security number privacy.  I share 
Mr. Markey's concerns about widespread abuse of Social Security numbers 
and believe, like him, that not enough is being done to protect this unique 
personal identifier.  The DATA Act, recently reported out of this 
Committee, goes a long way toward ensuring proper security for databases 
that contain Social Security numbers and other personal information.  I am 
proud of this Committee's work on that bill and will continue my efforts to 
see that bill move to the House floor.
     While the DATA Act is a very important component of protecting social 
security numbers and sensitive personal data, the bill does not address the 
issues surrounding the use of Social Security numbers.  There are a number 
of complex issues to consider in this area.  The nature of business has 
evolved over the past several decades to serve a population that engages 
much more frequently in interstate commerce.  The rise of the Internet has 
popularized electronic commerce.  Also rising is the risk of criminal 
activity, and for crooks, a Social Security number is the key to the bank. 
Twenty years ago, nobody thought much about showing the Social Security 
number on a driver's license or about a store clerk writing it on our 
checks.  Now we know that number is an integral part of our identity, and 
lots of people want to steal our identity.  
     Our economic system allows us to conduct transactions anywhere and 
anytime, and almost instantaneously.  In this world of e-commerce, 
companies have to know who they're dealing with.  That's why they believe 
a consumer's Social Security number is a necessary component to many 
transactions.  Because it has evolved to become a unique and required 
identifier for almost every significant aspect of our lives, its value is 
even more important than simply a claim on a future government retirement 
check. Because it is so important, Congress may need to act to put in place 
new protections.
     I recognize that removing the link between our Social Security number 
and our personal accounts is difficult, and maybe it will turn out to be 
impractical, too.  What I want is the development of an alternative, and 
then we can judge the suitability of removing Social Security numbers 
altogether.  
     Sometimes, using Social Security numbers as commercial identifiers 
speeds business, and that's a benefit to companies, to consumers, and to 
the economy.  That said, there are also many situations in which there is 
no apparent reason or consumer benefit to providing a Social Security 
number.  This Committee has looked at many issues in this area, and will 
continue to consider others.  We continue to wonder, for example, whether 
businesses can or should require consumers to provide a Social Security 
number in order to buy a product or service? If so, which businesses?  
Further, once a business has a consumer's Social Security number, can they 
share it?    Can they even sell it, and to whom?  Having your number is 
one thing.  Selling it, I think, is another.  And how should a company go 
about getting a person's consent to transfer a Social Security number to 
another entity?  
     These are important questions to which there are not always simple 
answers.  But one question to which there IS an easy answer is whether our 
Social Security numbers should be sold by Internet data brokers to anyone 
willing to pay, indistinguishable from sales of sports scores or stock 
quotes.  That's a no-brainer.  There is no legitimate reason why my number 
should be sold or used by a business without a relationship with me, and 
without my knowledge and consent.
     There are some uses of Social Security numbers that many people would 
agree provide benefits far beyond the potential for harm.  Locating 
criminals, locating witnesses, enforcing child support obligations, and 
other noble purposes are clearly legitimate.  It gets more difficult when 
we are talking about locating people generally, confirming identity (outside 
of the fraud prevention context), and marketing products and services.  The 
potential for harm, which has been well documented by this Committee, raises 
serious questions about using social security numbers for these services.
     I expect this Committee will consider legislation on Social Security 
numbers later this year.  I hope the Ways and Means Committee will also act 
on an important bill by Congressman Clay Shaw and send us the part that is 
in this committee's jurisdiction.
     We have a very distinguished group of witnesses here today to work 
though some of these issues with us.  I want to thank you all for your 
participation.  In particular, I want to thank Commissioner Leibowitz.  I 
understand you made some significant changes to your schedule to be here and 
we do appreciate it.  I look forward to the testimony today and yield back 
the balance of my time.

     MR. STEARNS.  And I thank the Chairman for his leadership.  The 
Ranking Member, Ms. Schakowsky is recognized.  
     MS. SCHAKOWSKY.  Thank you, Chairman Stearns.  I apologize for 
being late.  I had an amendment to address.  I also want to thank 
Mr. Markey for his great leadership on this issue, and I am very 
encouraged by Chairman Barton's remarks.  
     First, let me say that the topic of protecting consumers' privacy 
could not be timelier.  Before I get into the subject of our hearing, I want 
to say a few, not as clever as Mr. Markey, things today about the latest 
instance of big business jumping into bed with big brother.  That was my 
effort.  As the USA Today article on NSA:  "NSA has a massive 
database of Americans' phone calls.  Telecoms help government collect 
billions of domestic records," reveals AT&T, BellSouth and Verizon 
have been providing the records of millions of Americans to the National 
Security Agency without consumers' knowledge or consent.  
     We have entered a time where consumers' rights and privacy are for 
sale, and it turns out the Government may be the best customer.  In our 
fight to protect consumers from unsavory characters, like ID thieves, we 
also need to fight the erosion of our civil liberties of what our 
government is doing.  With that said, I do believe today's hearing is 
important because protecting Social Security numbers is vital in the fight 
for consumers' privacy in the fight against identity theft.  
     I think it is important that our subcommittee delve into how the 
Social Security number is used and explore legislative solutions to curb 
the overuse and abuse of it.  Unfortunately, Chairman Stearns, our States, 
Florida and Illinois, have ranked in the top 10 for number of victims of 
identity theft each year for the last 3 years.  A recent report by the 
Government Accountability Office refers to the Social Security number 
as "The identifier of choice for public and private entities."  It went on to 
say that the Social Security number is the most sought-after information 
by identity thieves.  
     Many in the financial, housing, and insurance and other industries 
claim they need consumers' Social Security numbers to protect their 
business and supposedly consumers from risk.  However, the reality is 
that requiring Social Security numbers for everything from opening a 
bank account to signing a cell phone contract, as Chairman Barton 
experienced, shifts all the risk to the consumer and all the advantages to 
ID thieves.  
     Having a consumer Social Security number is like having the master 
key to his or her life.  It can throw open the door to detailed financial 
information, unlock your private medical information, and in at least one 
tragic instance, provided the stalker of Amy Boyer with where she would 
be and at what time.  He used that information to end her life.  
     While most of us give our Social Security numbers to whatever 
business asks for it without question, or at least many of us do, we should 
be asking a lot of questions.  Why does a landlord need the master key to 
my life to rent me an apartment?  Does my doctor really need to store my 
health care records under my Social Security number?  What does an 
insurance company use my Social Security number for?  And why is it 
that with more and more transactions, I am being required to give my 
Social Security number and put my finances, personal safety, and 
medical privacy in jeopardy?  
     We are all so used to being asked for our numbers, we may not give 
enough thought to what that other party does with the Social Security 
number.  That company may sell them.  The numbers may be sent over 
the Internet for legitimate purposes but may not be protected in those 
transmissions.  Our new accounts often stay linked to our Social Security 
numbers.  The numbers may be displayed on forms or files that are not 
adequately protected.  And as the GAO points out, even government 
agencies aren't keeping them as safe and secure as they should.  
     This should give everyone pause.  If we can limit how other parties 
use our numbers, then we can establish a good framework to prevent the 
misuse of the key to our personal financial information.  We know that 
identity theft is financially and emotionally devastating.  Anyway, that is 
why I am glad that we are considering what we can do to protect 
consumers.  
     I am proud to support Mr. Markey's bill, H.R. 1078, the Social 
Security Number Protection Act, which would restrict the display and 
sale of Social Security numbers, and I hope today's hearing is just the 
beginning of our discussions but will lead to a concrete proposal and 
passage of a bill in the end.  
     I thank you for this hearing and look forward to hearing from our 
witnesses.  
     MR. STEARNS.  I thank the gentlelady.  
     The gentleman from New Hampshire. 
     MR. BASS.  Thank you very much, Mr. Chairman.  This is a very 
relevant and important hearing.  Amy Boyer was my constituent.  She 
was murdered in 1999.  The stalker and murderer bought her Social 
Security number over the Internet and other information about her.  
     The other day I went to a well-known retailer to purchase a clothes 
dryer, and in order to get a $50 rebate, I had to give the retailer my Social 
Security number.  I don't know whether that was really relevant, but I 
had to.  My daughter, at the age of 6 or 7 years old, signed up for travel 
soccer, and she could not participate in travel soccer without giving her 
Social Security number.  
     The Social Security number was created, as has been said by the 
Chairman, back in the 1930s for purposes of identifying people who 
qualified for a defined benefit retirement program.  Clearly, the use of 
these numbers is totally out of control at this point.  I am heartened by 
Chairman Barton's commitment to move a bill in this Congress that will 
move decisively to protect the holders of Social Security numbers who 
have that Social Security number not because it is a privilege, like a 
driver's license or any other kind of document, but that it is a 
requirement that every American have, and that this number is then used 
for all sorts of different purposes that are not generic to its original 
issuance.  
     So I welcome the Commissioner of the Federal Trade Commission 
here today and the other witnesses that will be appearing, and I thank you 
for having this hearing.  
     MR. STEARNS.  I thank the gentleman.  
     The gentleman from Georgia, Mr. Deal. 
     MR. DEAL.  I waive. 
     MR. STEARNS.  The gentleman waives his opening statement.  
     With that, we move to the first panel and we recognize the Federal 
Trade Commission, the Honorable Jon Leibowitz, Commissioner.  And if 
you will just pull the mike close to you, turn it on, we welcome you with 
your opening statement.

STATEMENT OF HON. JON LEIBOWITZ, COMMISSIONER, FEDERAL TRADE COMMISSION  
  
     MR. LEIBOWITZ.  Chairman Stearns, Ranking Member Schakowsky, 
Ms. DeGette, Mr. Bass, Mr. Deal, it is always a pleasure to come back to 
this committee, whether in the context of helping to prohibit telephone 
pretexting, stop spam or spyware, or determine the best ways to address 
the uses and, obviously, the misuses, of Social Security numbers.  
     Today I will be talking about that aspect of privacy, the balance 
between the benefits of Social Security numbers and the harms that 
misuse can cause.  That is really at the heart of the debate, and I 
commend you for holding this hearing.  
     With your permission, I ask that my full written statement be 
submitted for the record.  My oral remarks, though, are my own 
comments, and do not necessarily reflect the views of the Commission or 
any other individual commissioner. 
     MR. STEARNS.  So ordered.  
     MR. LEIBOWITZ.  Thank you.  At the FTC, we take our obligation to 
protect privacy very, very seriously.  We have brought more than a dozen 
cases involving data security as well as six spyware and adware cases--
we have several more in the pipeline--almost 20 financial and cell phone 
pretexting cases, and more than 80 spam cases.  
     Just yesterday, we announced a complaint, together with a 
settlement, against a major real estate services firm, Nations Title, that 
failed to safeguard information properly and disposed of that information 
cavalierly.  Among other things, we allege that the company threw out 
detailed customer files, which included Social Security numbers, in a 
dumpster just outside of its corporate headquarters.  Just think about that 
for a minute.  
     As you know, Social Security numbers do serve many important 
functions.  For example, the credit reporting system hinges on the 
availability of Social Security numbers to match consumers accurately 
with their financial information.  Other uses of Social Security numbers 
include locating lost beneficiaries and collecting child support.  Indeed, 
SSNs are often used to prevent fraud.  But Social Security numbers are a 
substantial contributor to the worst form of identity theft:  Having new 
accounts opened in your name.  
     Not surprisingly, Americans today are very concerned about 
protecting their identities.  And rightly so.  I think as you mentioned, 
Mr. Chairman, about 10 million people each year are victims of identity 
theft, and more than 3 million people each year have new accounts 
opened fraudulently in their names.  
     If your identity is stolen, you may struggle for months or years to 
clear your name, and the emotional impact can be severe.  American 
businesses pay a heavy price as well, as someone mentioned, I think it 
was Mrs. Blackburn, $50 billion a year in costs.  
     The key, then, is to find the right balance between permitting the 
beneficial uses of Social Security numbers while keeping them out of the 
hands of criminals and other people who shouldn't have them.  There is 
no panacea, of course, but it helps to approach the problem in a 
multifaceted way.  
     Users of Social Security numbers should migrate, I think, towards 
using less sensitive identifiers whenever possible.  For example, some 
colleges still use SSNs on ID cards, though doing so is clearly 
unnecessary.  And Chairman Barton mentioned his experience when he 
was getting a cell phone.  My wife had exactly the same experience just a 
few weeks ago at Tyson's Corner, where she was asked to say in public 
what her Social Security number was, and it was very troubling to her.  
And I don't want to say that the Social Security number wasn't necessary 
in that circumstance, but companies overall do need to do a better job of 
securing consumer data.  They have a fundamental legal responsibility to 
do so.  
     The Commission, of course, can sue firms that misrepresent their 
security procedures or fail to take reasonable steps to secure or dispose of 
sensitive information.  Two of our most recent cases, as you know, 
Mr. Chairman, ChoicePoint and Card Systems, involved massive data 
breaches that led to numerous instances of identity theft.  In each, the 
Commission alleged that the company failed to take reasonable measures 
to protect consumer information, including, in ChoicePoint, Social 
Security numbers.  These actions, along with Nations Title, are just the 
most recent in a long line of cases that send a message to businesses:  
protect consumers' personal information.  
     And you can further strengthen our hand and help ensure that Social 
Security numbers are better protected from fraud by enacting strong data 
security legislation that requires all businesses to safeguard sensitive 
personal information, gives notice to consumers if there is a breach--
whether under your reasonable risk standard or the significant risk 
standard that we suggested last year--and allows us to fine companies 
that don't live up to their legal obligations.  
     Consumer and business education are also critical.  We receive 
between 15,000 and 20,000 contacts each week from people seeking 
advice on avoiding identity theft or coping with its consequences.  We 
provide information and assistance to simplify the recovery process.  The 
Commission also works with the business community to try to promote a 
culture of security.  
     Yesterday, I was in our calling center when a man phoned in.  He 
was very anxious because his Social Security number had just been 
discovered on a suspect arrested by the police.  He was worried that his 
identity had been stolen.  And our staff did a terrific job with him, gave 
him the appropriate advice, including putting a fraud alert on his credit 
report.  
     Also yesterday, we launched a major new campaign designed to give 
advice to anyone who wants to learn about identity theft, and it is entitled 
"Deter, Detect, and Defend."  It is a tool kit that provides specific 
suggestions so consumers can prevent identity theft before it happens and 
reduce the damage after it occurs.  It is available in both English and 
Spanish.  It is very, very good, and we have a handful of packets here for 
Members and staff and we will bring them up to the dais.  
     Finally, the Commission assists criminal law enforcement through 
our operation of the Identity Theft Clearinghouse, a nationwide database 
that includes more than a million identity theft complaints.  Law 
enforcers ranging from the FBI to the Postal Service to local sheriffs use 
the clearinghouse to aid in their investigations.  
     Mr. Chairman, determining how best to keep Social Security 
numbers out of the hands of wrongdoers, without giving up the benefits 
that their use provides, is a daunting challenge, and there is no simple 
solution.  Still, by working together, there is much that we can do.  This 
committee, as always on privacy matters, will be crucial to striking the 
appropriate balance.  
     Thank you so much.  I am happy to answer any questions. 
     [The prepared statement of Hon. Jon Leibowitz follows:] 

PREPARED STATEMENT OF THE HON. JON LEIBOWITZ, COMMISSIONER, FEDERAL TRADE 
COMMISSION

I. 	INTRODUCTION 
        Mr. Chairman, Ms. Schakowsky, and members of the Subcommittee, I am 
Jon Leibowitz, Commissioner of the Federal Trade Commission ("FTC" or 
"Commission").   I appreciate the opportunity to present the Commission's 
views on identity theft and Social Security numbers ("SSNs").  
        The Commission has a broad mandate to protect consumers generally 
and to combat identity theft specifically.  Controlling identity theft is 
an issue of critical concern to all consumers - and to the Commission.  
The FTC serves a key role as the central repository for identity theft 
complaints, facilitates criminal law enforcement in detecting and 
prosecuting identity thieves, and provides extensive victim assistance and 
consumer education.  In recognition of the need to protect sensitive 
consumer information and prevent identity theft, the FTC recently created 
a new Division of Privacy and Identity Protection.  This division -  which 
consists of staff with expertise in privacy, data security, and identity 
theft - addresses cutting-edge consumer privacy matters through aggressive 
enforcement, as well as rulemaking, policy development, and outreach to 
consumers and businesses.
        This testimony describes the ways in which SSNs are collected and 
used, their relationship to identity theft, current laws that restrict the 
use or transfer of consumers' personal information, and the Commission's 
efforts to help consumers avoid identity theft or remediate its consequences.	

II. 	THE IDENTITY THEFT PROBLEM
        Identity theft is a pernicious crime that harms both consumers and 
businesses.  Recent surveys estimate that nearly 10 million consumers are 
victimized by some form of identity theft each year.   The costs of this 
crime are staggering.  The Commission's 2003 survey estimated that identity 
theft cost businesses approximately $50 billion, and cost consumers an 
additional $5 billion in out-of-pocket expenses, over the twelve-month 
period prior to the survey.   The 2003 survey looked at two major categories 
of identity theft:  (1) misuse of existing accounts; and  (2) the creation of 
new accounts in the victim's name.  The 2003 survey found that the costs 
imposed by new account fraud were substantially higher than the misuse of 
existing accounts.   

III.	USES AND SOURCES OF SOCIAL SECURITY NUMBERS
        SSNs today play a vital role in our economy.  With 300 million 
American consumers, many of whom share the same name,  the unique 9-digit 
SSN is a key identification tool for businesses, government, and others.   
For example, consumer reporting agencies use SSNs to ensure that the data 
furnished to them is placed in the correct file and that they are providing 
a credit report on the correct consumer.   Businesses and other entities use 
these reports to evaluate the risk of providing to individuals services, such 
as credit, insurance, home rentals, or employment.  Timely access to consumer 
credit, as well as the overall accuracy of credit reporting files, could 
be compromised if SSNs could not be used to match consumers to their financial 
information.  Additionally, SSNs are used in locator databases to find lost 
beneficiaries, potential witnesses, and law violators, and to collect child 
support and other judgments.  SSN databases also are used to fight identity 
fraud - for example, to confirm that an SSN provided by a loan applicant does 
not, in fact, belong to someone who is deceased.   Without the ability to use 
SSNs as a personal identifier and fraud prevention tool, the granting of 
credit and the provision of other financial services would become riskier and 
more expensive and inconvenient for consumers.
        SSNs are available from both public and private sources.  Public 
records in city and county government offices across the country, including 
birth and death records, property records, tax lien records, voter 
registrations, licensing records, and court records, often contain 
consumers' SSNs.   Increasingly, these records are being placed online where 
they can be accessed easily and anonymously.   There also are a number of 
private sources of SSNs, including consumer reporting agencies that include 
name, address, and SSN as part of the "credit header" information on consumer 
reports.  Data brokers also collect personal information, including SSNs, 
from a variety of sources and compile and resell that data to third parties. 
        The misuse of SSNs, however, can facilitate identity theft.  For 
example, new account fraud - the most serious form of identity theft - is 
often possible only if the thief obtains the victim's SSN.  The challenge is 
to find the proper balance between the need to keep SSNs out of the hands of 
identity thieves, while giving businesses and government entities sufficient 
means to attribute information to the correct person.  Restrictions on 
disclosure of SSNs also could have a broad impact on such important 
purposes as public health, criminal law enforcement, and anti-fraud and 
anti-terrorism efforts.  Moreover, as referenced above, regulation or 
restriction of the availability of SSNs in public records poses substantial 
policy and practical concerns.

IV.  	CURRENT LAWS RESTRICTING THE USE OR DISCLOSURE OF 
SOCIAL 	SECURITY NUMBERS
        There are a variety of specific statutes and regulations that 
restrict disclosure of certain consumer information, including SSNs, in 
certain contexts.  In addition, under some circumstances, entities are 
required to have procedures in place to ensure the security and integrity of 
sensitive consumer information such as SSNs.  Three statutes 
that protect SSNs from improper access fall within the Commission's 
jurisdiction:  Title V of the Gramm-Leach-Bliley Act ("GLBA");  Section 5 
of the Federal Trade Commission Act ("FTC Act");  and the Fair and Accurate 
Credit Transactions Act of 2003 ("FACT Act"),  amending the Fair Credit 
Reporting Act ("FCRA"). 

        A. The Gramm-Leach-Bliley Act
        The Gramm-Leach-Bliley Act ("GLBA") imposes privacy and security 
obligations on "financial institutions."   Financial institutions are 
defined broadly as those entities engaged in "financial activities" such as 
banking, lending, insurance, loan brokering, and credit reporting. 

        1. Privacy of Consumer Financial Information
        In general, financial institutions are prohibited by Title V of 
the GLBA  from disclosing nonpublic personal information, including SSNs, 
to non-affiliated third parties without first providing consumers with 
notice and the opportunity to opt out of the disclosure.   However, the 
GLBA includes a number of statutory exceptions under which disclosure is 
permitted without having to provide notice and an opt-out.  These 
exceptions include consumer reporting (pursuant to the FCRA), fraud 
prevention, law enforcement and regulatory or self-regulatory purposes, 
compliance with judicial process, and public safety investigations.   
Entities that receive information under an exception to the GLBA are 
subject to the reuse and redisclosure restrictions of the GLBA Privacy 
Rule, even if those entities are not themselves financial institutions.   
In particular, the recipients may only use and disclose the information 
"in the ordinary course of business to carry out the activity covered by 
the exception under which . . . the information [was received]." 
        Entities can obtain SSNs from consumer reporting agencies, 
generally from the credit header data on the credit report.  However, 
because credit header data is typically derived from information 
originally provided by financial institutions, entities that 
receive this information generally are limited by the GLBA's reuse and 
redisclosure provision. 

        2. Required Safeguards for Customer Information
        The GLBA also requires financial institutions to implement 
appropriate physical, technical, and procedural safeguards to protect the 
security and integrity of the information they receive from customers, 
whether directly or from other financial institutions.   The FTC's 
Safeguards Rule, which implements these requirements for entities under FTC 
jurisdiction,  requires financial institutions to develop a written 
information security plan that describes their procedures to protect 
customer information.  Given the wide variety of entities covered, the 
Safeguards Rule requires a plan that accounts for each entity's particular 
circumstances - its size and complexity, the nature and scope of its 
activities, and the sensitivity of the customer information it handles.  It 
also requires covered entities to take certain procedural steps (for 
example, designating appropriate personnel to oversee the security plan, 
conducting a risk assessment, and overseeing service providers) in 
implementing their plans.  

        B. 	Section 5 of the FTC Act
        Section 5 of the FTC Act prohibits "unfair or deceptive acts or 
practices in or affecting commerce."   Under the FTC Act, the Commission 
has broad jurisdiction over a wide variety of entities and individuals 
operating in commerce.  Prohibited practices include making deceptive 
claims about one's privacy procedures, including claims about the security 
provided for consumer information.  
        In addition to deception, the FTC Act prohibits unfair practices.  
Practices are unfair if they cause or are likely to cause consumers 
substantial injury that is neither reasonably avoidable by consumers nor 
offset by countervailing benefits to consumers or competition.   The 
Commission has used this authority to challenge a variety of injurious 
practices, including companies' failure to provide reasonable and 
appropriate security for sensitive customer data.   The Commission can 
obtain injunctive relief for violations of Section 5, as well as consumer 
redress or disgorgement in appropriate cases.

        C. 	The Fair and Accurate Credit Transactions Act of 2003 
        The FACT Act amended the FCRA to include a number of provisions 
designed to increase the protection of sensitive consumer information, 
including SSNs.  One such provision required the banking regulatory 
agencies, the NCUA, and the Commission to promulgate a coordinated rule 
designed to prevent unauthorized access to consumer report information by 
requiring all users of such information to have reasonable procedures to 
dispose of it properly and safely.   This Disposal Rule, which took effect 
on June 1, 2005, should help minimize the risk of improper disclosure of 
SSNs. In addition, the FACT Act requires consumer reporting agencies to 
truncate the SSN on consumer reports at the consumer's request when 
providing the reports to the consumer.   Eliminating the unnecessary 
display of this information could lessen the risk of it getting into the 
wrong hands.  

        D.	Other Laws
        Other federal laws not enforced by the Commission regulate certain 
other specific classes of information, including SSNs.  For example, the 
Driver's Privacy Protection Act ("DPPA")  prohibits state motor vehicle 
departments from disclosing personal information in motor vehicle records, 
subject to fourteen "permissible uses," including law enforcement, motor 
vehicle safety, and insurance.  The Health Information Portability and 
Accountability Act ("HIPAA") and its implementing privacy rule prohibit 
the disclosure to third parties of a consumer's medical information without 
prior consent, subject to a number of exceptions (such as, for the 
disclosure of patient records between entities for purposes of routine 
treatment, insurance, or payment).    Like the GLBA Safeguards Rule, the 
HIPAA Privacy Rule also requires entities under its jurisdiction to 
have in place "appropriate administrative, technical, and physical 
safeguards to protect the privacy of protected health information." 

        E.	FTC Enforcement Actions
        Over the past year or so, reports have proliferated about 
information compromises at U.S. businesses, universities, government 
agencies, and other organizations that collect and store sensitive consumer 
information, including SSNs.  Some of these incidents reportedly have led 
to identity theft, confirming that security breaches can cause real and 
tangible harm to consumers, businesses, and other institutions.
        Since 2001, the Commission has brought thirteen cases challenging 
businesses that have failed to take reasonable steps to protect sensitive 
consumer information in their files.   Two of the Commission's most recent 
law enforcement actions arose from high-profile data breaches that occurred 
last year.  In the first case, the Commission alleged that a major data 
broker, ChoicePoint, Inc., failed to use reasonable procedures to screen 
prospective subscribers and monitor their access to sensitive consumer data, 
in violation of the FCRA  and the FTC Act. The Commission's complaint 
alleged that ChoicePoint's failures allowed identity thieves to obtain 
access to the personal information of over 160,000 consumers, including 
nearly 10,000 consumer reports.  In settling the case, ChoicePoint agreed 
to pay $10 million in civil penalties for the FCRA violations - the highest 
civil penalty ever levied in a consumer protection case - and $5 
million in consumer redress for identity theft victims.  The Order also 
requires ChoicePoint to implement a number of strong data security measures, 
including bi-annual audits to ensure that these security measures are in 
place. 
        In the second action, the Commission reached a settlement with 
CardSystems Solutions, Inc., the card processor allegedly responsible for 
last year's breach of credit and debit card information for Visa and 
MasterCard, which exposed tens of millions of consumers' credit and debit 
numbers.    This case addresses the largest known compromise of sensitive 
financial data to date.  As in the ChoicePoint case, the FTC alleged that 
CardSystems engaged in a number of practices that, taken together, failed to 
provide reasonable and appropriate security for sensitive consumer data.  
These settlements provide important protections for consumers and also 
provide important lessons for industry about the need to safeguard consumer 
information. 

        V. THE COMMISSION'S EFFORTS TO COMBAT IDENTITY THEFT 
        In addition to our efforts to ensure that businesses take 
reasonable steps to safeguard sensitive consumer information, the Commission 
works in many other ways to address the identity theft problem.  Pursuant to 
the 1998 Identity Theft Assumption and Deterrence Act ("the Identity Theft 
Act"),  the Commission has implemented a program that assists consumers, 
businesses, and other law enforcers.

        A. Working with Consumers	
        The Commission hosts a toll-free hotline, 1-877-ID THEFT, and a 
secure online complaint form on its website, www.consumer.gov/idtheft, for 
consumers concerned about identity theft.  Every week, the Commission 
receives about 15,000 to 20,000 contacts from victims and consumers seeking 
information on how to avoid identity theft.  The callers to the hotline 
receive counseling from trained personnel who provide information on steps 
they can take both to prevent identity theft and to resolve problems 
resulting from the misuse of their identities. Victims are advised to: (1) 
obtain copies of their credit reports and have a fraud alert placed on them; 
(2) contact each of the creditors or service providers with which the thief 
has established or accessed an account to request that the account be closed 
and to dispute any associated charges; and (3) report the theft to the police 
and, if possible, obtain a police report.  The police report is useful 
in demonstrating to purported creditors and debt collectors that the 
consumer is a victim of identity theft, and serves as an "identity theft 
report" that can be used for exercising various victims' rights granted by 
the FACT Act.   The Commission's identity theft website, 
www.consumer.gov/idtheft, has an online complaint form where victims can 
enter their complaints into the Clearinghouse. 
        The Commission also has taken the lead in developing and 
disseminating identity theft-related consumer education materials, including 
an identity theft primer, ID Theft: What It's All About, and a victim 
recovery guide, Take Charge: Fighting Back Against Identity Theft.  The 
Commission alone has distributed more than 2.1 million copies of the 
Take Charge booklet (formerly known as ID Theft: When Bad Things Happen To 
Your Good Name) since its release in February 2000 and has recorded more 
than 2.4 million visits to the Web version.  The Commission also maintains 
the identity theft website, www.consumer.gov/idtheft, which provides 
publications and links to testimony, reports, press releases, identity 
theft-related state laws, and other resources.
        Last fall, the Commission, together with partners from law 
enforcement, the technology industry, and nonprofits, launched OnGuard 
Online, an interactive, multi-media resource for information and up-to-the 
minute tools on how to recognize Internet fraud, avoid hackers and viruses, 
shop securely online, and deal with identity theft, spam, phishing, and 
file-sharing.  
        In addition, yesterday the Commission launched a major new consumer 
education campaign called Deter, Detect, and Defend - Fighting Back Against 
Identity Theft.  The campaign provides specific information on what 
consumers can do to reduce their risk of falling victim to ID theft, keep a 
close eye on their personal information, and move quickly to minimize the 
damage if identity theft occurs.  The centerpiece of the campaign is a 
turnkey toolkit, available in both English and Spanish, that gives consumers 
resources for teaching clear, actionable tips on how to avoid becoming a 
victim of identity theft, protect their sensitive financial information, and 
reduce the damage should they suspect ID theft.  The Commission will join 
with partners in the public and private sectors, including other federal 
agencies, industry associations, and consumer and civic organizations to make 
this information available where it is needed - in neighborhoods, 
at the workplace and on campuses across the country.
        The Commission also has developed ways to simplify the recovery 
process.  One example is the ID Theft Affidavit, included in the Take Charge 
booklet and on the website.  This standard form was developed in partnership 
with industry and consumer advocates for victims to use in resolving identity 
theft debts.  To date, the Commission has distributed more than 293,000 print 
copies of the Affidavit and has recorded more than 1.1 million hits to the 
Web version.

        B. Working with Industry
        The private sector can play a key role in combating identity theft 
by reducing its incidence through better security and authentication.  The 
Commission works with institutions to promote a "culture of security" by 
identifying ways to spot risks to the information they maintain and keep it 
safe. 
        Among other things, the Commission has disseminated advice for 
businesses on reducing risks to their computer systems  and on compliance 
with the Safeguards Rule.   Our emphasis is on preventing breaches before 
they happen by encouraging businesses to make security part of their regular 
operations and corporate culture.  The Commission also has published 
Information Compromise and the Risk of Identity Theft: Guidance for 
Your Business, a booklet on managing data compromises.   This publication 
provides guidance on when it would be appropriate for an entity to notify 
law enforcement and consumers in the event of a breach of personal 
information.
        In 2003, the Commission held a workshop that explored the challenges 
consumers and industry face in securing their computers.  Titled 
"Technologies for Protecting Personal Information: The Consumer and Business 
Experiences," the workshop also examined the role of technology in meeting 
these challenges.   Workshop participants, including industry leaders, 
technologists, researchers on human behavior, and representatives from 
consumer and privacy groups, identified a range of challenges in 
safeguarding information and proposed possible solutions.

        C. Working with Law Enforcement
        A primary purpose of the Identity Theft Act was to provide law 
enforcement with access to a centralized repository of identity theft victim 
data to support their investigations.  The Commission operates this database 
as a national clearinghouse for complaints received directly from consumers 
and through numerous state and federal agencies, including the Social 
Security Administration's Office of Inspector General.
        With over 1.1 million complaints, the Clearinghouse provides a 
detailed snapshot of current identity theft trends as reported by the 
victims themselves.  The Commission publishes data annually showing the 
prevalence of complaints broken out by state and city.   Since its inception, 
over 1,400 law enforcement agencies have registered for access to the 
Clearinghouse database.  Individual investigators within those agencies can 
access the system from their desktop computers 24 hours a day, seven days a 
week.  The Clearinghouse also gives access to training resources, and 
enables users to coordinate their investigations.
        The Commission also encourages use of the Clearinghouse through 
training seminars offered to law enforcement.  In cooperation with the 
Department of Justice, the U.S. Postal Inspection Service, the U.S. Secret 
Service, and the American Association of Motor Vehicle Administrators, the 
Commission began organizing full-day identity theft training seminars for 
state and local law enforcement officers in 2002.  To date, this group has 
held 20 seminars across the country.  More than 2,880 officers have attended 
these seminars, representing over 1,000 different agencies.  This week three 
new seminars are being held in California.
        To further assist law enforcers, the Commission staff developed an 
identity theft case referral program.  The staff creates preliminary 
investigative reports by examining patterns of identity theft activity in the 
Clearinghouse, and refers the reports to financial crimes task forces and 
others for further investigation and possible prosecution.  In addition, 
analysts from the FBI, U.S. Secret Service, and Postal Inspection Service 
work on-site at the FTC, developing leads and supporting ongoing 
investigations for their agencies.

        VI. 	CONCLUSION
        The crime of identity theft is a scourge, causing enormous damage 
to businesses and consumers.  The unauthorized use of consumers' SSNs is an 
important tool of identity thieves, especially those seeking to create new 
accounts in the victim's name.  Although current laws place some 
restrictions on the use or disclosure of SSNs by certain entities under 
certain circumstances, this information is still otherwise available from 
both public and private sources, thereby enabling identity thieves to obtain 
SSNs through legal means as well as illegal means. 
        At the same time, SSNs are an important driver of our market system. 
Businesses and others rely on SSNs to provide many important benefits for 
consumers and to fight identity theft. 
        There are a number of things that government, industry, and 
consumers can do to help stem the tide of identity theft.  First, both 
government and industry need to consider what information they collect and 
maintain from or about consumers and whether they need to do so.  Entities 
that possess sensitive consumer information should continue to enhance their 
procedures to protect it.  The Commission will continue its law enforcement 
and outreach efforts to encourage and, when necessary, require better 
protections.
        Second, industry should continue the development of improved fraud 
prevention methods to stop identity thieves from misusing the consumer 
information they have managed to obtain.  In this regard, the FACT Act should 
prove instrumental by requiring the bank regulatory agencies, the NCUA, and 
the FTC to develop jointly regulations and guidelines for financial 
institutions and creditors to identify possible risks of identity theft.  
        Third, the Commission will continue and strengthen its efforts to 
empower consumers by providing them with the knowledge and tools to protect 
themselves from identity fraud and to deal with the consequences when it 
does occur.  As discussed above, new consumer rights granted by the FACT Act 
should help consumers minimize the damage.
        Finally, the Commission will continue to assist criminal law 
enforcement in detecting and prosecuting identity thieves.  The prospect of 
serious jail time hopefully will discourage those considering identity 
theft from perpetrating this crime. 
        The Commission looks forward to continuing to work with Congress to 
address ways to reduce identity theft. 		

        MR. STEARNS.  Thank you, Mr. Commissioner.  I will start here with 
the questions.  We have a vote, but I think we can make progress here 
with a couple.  
        Let's say that Congress decided in the bill to restrict the use of 
Social Security numbers in commerce so we wouldn't have the thing with Mr. 
Bass' daughter, or Chairman Barton getting a new cell phone, or your 
wife, or anything like that.  What would be the cost?  Would it be a lot of 
cost for industry to stop using that as an identifier?  
And what else would be the identifier?  Would it be something like a 
State-issued driver's license number?  What could you predict in the 
future?  
        MR. LEIBOWITZ.  If you immediately banned all Social Security 
number use in a commercial context tomorrow, some businesses would 
be able to switch, I think, from Social Security numbers to other 
identifiers.  There might be some dislocation.  The Social Security 
number is the most underprotected and overused identifier in America 
today, but if you banned them entirely, there would be a lot of 
dislocation and a lot of legitimate transactions that use a Social Security 
number to identify who someone  is so that they can get, for example, a 
mortgage or credit, would be hard to do.  It might not be hard with Jon 
Leibowitz, there aren't too many of us out there, but there are 23,000 
Michael Smiths in America.  So making sure you have the right one can 
be challenging.  
        MR. STEARNS.  What would the identifier be, if it wouldn't be the 
Social Security number?  
        MR. LEIBOWITZ.  Well, I don't think we know that.  If you banned 
the Social Security number, perhaps a variety of different identifiers 
would take their place.  There might be one new identifier that would 
begin to dominate the market, and then you would have some of the 
same problems with the new identifier that you have today with Social 
Security numbers.  
        MR. STEARNS.  So the President signs the bill today and it prohibits, 
let's say, starting tomorrow, business from refusing to do business with a 
consumer without receipt of a Social Security number.  What would the 
consumer transaction look like then?  
        MR. LEIBOWITZ.  Again, many consumer transactions are done 
without Social Security numbers, and some consumer transactions are 
done with Social Security numbers that don't need to be.  
        MR. STEARNS.  I know in Florida we have these very sophisticated 
licenses with pictures and holograms and everything, and that is getting 
to be much used.  The number on the license is being used.
        MR. LEIBOWITZ.  Well, that might become--
        MR. STEARNS.  The new identifier.
        MR. LEIBOWITZ.  The default identifier.  It sounds like Florida has a 
fairly sophisticated identifier for its license.  And what might happen, 
and I think the bills that you are considering in this committee, whether it 
is the Shaw bill or the Markey bill, have a series of exemptions--for law 
enforcement, for national security, for emergencies, or with the consent 
of consumers.  And I know in the Markey bill, at least there is sort of a 
catch-all provision that would allow us to set up the regulations for 
appropriate commercial uses.  
        So if President Bush signed a bill, presumably it would have this 
committee's imprimatur and it would strike the appropriate balance. 
        MR. STEARNS.  Let me, just for a moment, talk about Mr. Markey's 
bill, H.R. 1078.  Does this bill give the FTC the authority to write a 
regulatory exception for fraud prevention purposes?  
        MR. LEIBOWITZ.  Yes.  I mean we would want to work with this 
committee, but the short answer is yes, it would.  It is a good point of 
departure to start a debate in this committee for what that law should 
look like. 
        MR. STEARNS.  In dealing with the Shaw bill, is there any aspect 
about it that you feel would be not workable; that should be changed at 
all?  
        MR. LEIBOWITZ.  Well, Mr. Chairman, I am not as familiar with the 
Shaw bill, because that is in the Ways and Means Committee.  I do know 
it is similar in many ways to Mr. Markey's bill.  I believe it has a 
provision that would drop Social Security numbers below the line, and 
that may cause a fair amount of dislocation, because some people don't 
need an entire credit report.  This might force or encourage more people 
to get such credit reports, which includes even more sensitive personal 
information.  
        And if you dropped it below the line, I believe, and made it part of 
the Fair Credit Reporting Act, you would need to think about appropriate 
exemptions because the FCRA doesn't have an exemption for law 
enforcement.  And I think that would be very, very useful, certainly from 
our perspective as a civil law enforcement agency. 
        MR. STEARNS.  This is my last question.  If a private entity adds a 
Social Security number from a public record to a database, should that 
public information, that public record information necessarily be treated 
differently suddenly because you add a Social Security number to it than 
other nonpublic information in a database?  
        MR. LEIBOWITZ.  If I understand your question, I think under current 
law, you should look to where the information came from.  So if the 
information is a Social Security number and came from a public 
database, it should be continued to be treated as such.  The information 
in the database, which may be under Gramm-Leach-Bliley's reuse and 
redisclosure provisions, or maybe under the FCRA, should be treated 
under that statute.  
        MR. STEARNS.  My time has expired.  
        Ms. Schakowsky.  
        MS. SCHAKOWSKY.  Thank you.  I want to ask what legislative 
measures do you think would be effective in better securing, in general, 
consumers' financial information, I mean, considering data security 
legislation?  
        MR. LEIBOWITZ.  Well, I think you put your finger on it.  The data 
security legislation that came out of this committee unanimously would 
go a long way towards ensuring that all businesses maintain safeguards 
for sensitive consumer information, and it would give us the club of civil 
penalties--or fines--to go after those who don't honor their obligations 
under the law.  So we are very supportive of strong data security 
legislation.  
        MS. SCHAKOWSKY.  We have heard from a number of industries that 
the differences between significant and reasonable risk is a trigger from 
when notification should go out to consumers when their information is 
breached is itself significant.  I wondered if you see the difference 
between the two as dramatically different.  
        MR. LEIBOWITZ.  Speaking for myself, I think the most important 
thing, and again, this was actually a debate we had internally in the 
Commission when we made a recommendation, the most important thing 
is to have a trigger.  You don't want every breach to require a 
notification to consumers because some breaches really don't raise any 
possibilities of harm.  
        From our perspective, we went back and forth and we came up with 
significant risk, and we think that is a pretty good standard.  I don't see a 
whole lot of difference between significant risk and reasonable risk.  
They both have a trigger and they both seem, from my perspective at 
least, workable.  
        MS. SCHAKOWSKY.  You may have said this already, but when do 
you think that the sale of Social Security numbers is good or useful, or is 
there a time?  
        MR. LEIBOWITZ.  I think Social Security numbers have a lot of use in 
commerce and for commercial transactions.  There are a lot of times 
when it involves credit, mortgages. 
        MS. SCHAKOWSKY.  The sale of Social Security numbers?
        MR. LEIBOWITZ.  The sale of Social Security numbers?  They have 
very legitimate uses in commercial transactions.  Having said that, we 
also think they are overused and they are underprotected.  So we look 
forward to working with you in trying to strike the appropriate balance, 
should you move legislation forward. 
        MS. SCHAKOWSKY.  Great.  I have no more questions.  I can yield 
back. 
        MR. STEARNS.  I thank the gentlewoman.  
        The gentleman from New Hampshire. 
        MR. BASS.  No questions. 
        MR. STEARNS.  Commissioner, I think you are all done, and so we 
will move to the second panel.  But, of course, we have a vote here in 6 
minutes, so we will take a temporary recess.  
        If the second panel will come forward, I think we have 2 or 3 votes 
and we will come back in a short amount of time.  Thank you for your 
patience.  
        [Recess.]
        MR. STEARNS.  The subcommittee come to order.  I want to thank 
you for your patience for waiting.  And we thought that there weren't 
that many votes, but it turned out there were.  
        So from the second panel, Mr. Oliver I. Ireland, Partner with 
Morrison & Foerster; Ms. Susan McDonald, President of Pension Benefit 
Information; Ms. Lauren Steinfeld, former Associate Chief Counsel, 
Office of OMB; H. Randy Lively, Jr., President and CEO of American 
Financial Services Association; and Mr. Marc Rotenberg, Executive 
Director of Electronic Privacy Information Center. 
        I don't know if you have your mike on.


STATEMENTS OF OLIVER I. IRELAND, PARTNER, MORRISON & FOERSTER, LLP, ON 
BEHALF OF FINANCIAL SERVICES COORDINATING COUNCIL; SUSAN McDONALD, 
PRESIDENT, PENSION BENEFIT INFORMATION; LAUREN STEINFELD, FORMER 
ASSOCIATE CHIEF COUNSELOR, OFFICE OF MANAGEMENT AND BUDGET; H. RANDY 
LIVELY, JR., PRESIDENT AND CEO, AMERICAN FINANCIAL SERVICES ASSOCIATION; 
AND MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY 
INFORMATION CENTER 
  
        MR. IRELAND.  Here it is.  I am here today on behalf of the Financial 
Services Coordinating Council, whose members are the American 
Bankers Association, American Council of Life Insurers, American 
Insurance Association, and Securities Industry Association.  The FSCC 
represents the largest and most diverse group of financial institutions in 
the United States, consisting of thousands of banks, insurance 
companies, and investment companies and securities firms that 
collectively provide financial services to virtually every household in the 
United States.  
        The FSCC appreciates the opportunity to be here today to discuss the 
use of Social Security numbers.  Financial institutions work hard to 
protect the confidentiality and security of Social Security numbers.  
While the FSCC recognizes that misuses of Social Security numbers 
have occurred, we believe that it is imperative to avoid restricting 
necessary and appropriate uses of Social Security numbers by financial 
institutions since they have become critically important to our efficient 
and cost-effective financial system.  
        Financial institutions use Social Security numbers as a unique 
identifier for individuals.  Broad restrictions on the use of Social Security 
numbers would have serious unintended consequences.  Further, there 
are already substantial protections for the use of Social Security numbers 
by financial institutions.  
        Financial institutions do not make Social Security numbers 
accessible to the general public.  They use Social Security numbers to 
combat fraud and identity theft; to assess underwriting risk, administer 
benefits, identify money laundering and terrorist financing, comply with 
Federal and State tax and securities laws; to transfer assets and accounts; 
to comply with deadbeat spouse laws; to verify DMV records for auto 
insurance; to obtain medical information used for underwriting life, 
disability income and long-term care insurance; to locate missing 
insurance beneficiaries; and to locate lost insurance policies.  
        As the Government Accountability Office has recognized, the 
uniqueness and broad applicability of the Social Security number has 
made it the identifier of choice for government agencies and private 
businesses, both for compliance with Federal and State law and for 
business and administrative purposes.  The use of Social Security 
numbers have become woven into the fabric of both government and 
commercial transactions in this country.  
        The FSCC is concerned about the potential consequences of a broad 
restriction on the use of Social Security numbers.  As I have already 
noted, a broad restriction on the use of Social Security numbers could 
seriously impede the delivery of important financial services and the 
battle against criminal activity.  For example, Social Security numbers 
are key for fraud detection.  Without a unique common identifier such as 
a Social Security number, we believe that identity theft ultimately would 
be easier, not more difficult.  
        Further, the FSCC believes that there is no need to further restrict the 
use of Social Security numbers by financial institutions, given the strong 
Social Security number restrictions applied to these institutions under the 
Gramm-Leach-Bliley Act and other laws.  For example, the 
Gramm-Leach-Bliley Act requires financial institutions to protect the 
security of their numbers, their customers' Social Security numbers, and, 
subject to exceptions for legitimate business purposes, each customer has 
a right to block a financial institution from transferring his or her Social 
Security number to a nonaffiliated third party.  
        In addition, this committee and other committees of Congress 
recently have passed additional requirements that would protect Social 
Security numbers at financial institutions and other institutions.  
        Thank you for the opportunity to be here today, and I will be happy 
to respond to any questions the committee may have.  
        MR. STEARNS.  I thank you. 
        [The prepared statement of Oliver I. Ireland follows:] 

PREPARED STATEMENT OF OLIVER I. IRELAND, PARTNER, MORRISON & FOERSTER, LLP, 
ON BEHALF OF FINANCIAL SERVICES COORDINATING COUNCIL

        I am Oliver Ireland with Morrison & Foerster LLP testifying on 
behalf of the Financial Services Coordinating Council ("FSCC"), whose 
members are the American Bankers Association, American Council of Life 
Insurers, American Insurance Association, and Securities Industry 
Association.  The FSCC represents the largest and most diverse group of 
financial institutions in the United States, consisting of thousands 
of large and small banks, insurance companies, investment companies, and 
securities firms.  Together, these financial institutions provide financial 
services to virtually every household in the United States.
        The FSCC very much appreciates the opportunity to submit this 
statement to the Subcommittee concerning the use and misuse of Social 
Security numbers ("SSNs").  Our comments focus on the integral role of SSNs 
in United States commerce; the many consumer benefits that result from the 
use of SSNs by financial institutions; and the potentially negative effects 
that could occur if undue restrictions are imposed on such use.  While the 
FSCC recognizes that there have been misuses of SSNs, we strongly urge 
that any legislation intended to address this problem be carefully targeted 
to specifically identified abuses, such as measures to stop identity theft. 
We believe it is imperative to avoid restrictions on legitimate and 
beneficial uses of SSNs. 
        Our testimony today focuses on three fundamental points:
        ? First, following the lead of the U.S. Government for the last 65 
years, businesses have legitimately used the SSN as a unique identifier of 
individuals, and this use is now woven into the fabric of consumer and 
commercial transactions throughout the country.  Moreover, this legitimate 
use of SSNs has produced real benefits for American consumers and taxpayers, 
and has become critically important for a wide range of government agencies, 
financial institutions, hospitals, blood banks, and many other businesses, 
both large and small.
        ? Second, broad restrictions on the use of SSNs could have serious 
unintended consequences, including:  higher credit costs; increased fraud 
and identity theft; fundamental and costly changes to internal business 
operating systems; decreased consumer service; and costly delays in consumer 
and commercial transactions.  Further restrictions on the use of SSNs may 
also impede law enforcement purposes, including with respect to money 
laundering and terrorist financing.
        ? Third, Congress has enacted privacy and information security 
protections under the Gramm-Leach-Bliley Act ("GLBA") that, among other 
things, subject financial institutions to an affirmative and continuing 
obligation to protect the security and confidentiality of their customer's 
nonpublic personal information, including SSNs, and establish stringent 
requirements for financial institutions concerning the use, transfer and 
protection of SSNs.  In addition, more than 20 states have adopted statutes 
designed to protect the confidentiality of SSNs.  Further, state security 
breach notification laws in some 30 states provide additional incentives to 
protect SSNs.  Moreover, this Committee and other Committees of Congress 
recently have passed express requirements that would protect the security 
of SSNs.  In light of these current and proposed protections, the FSCC 
strongly believes that further legislative restrictions on the use and 
transfer of SSNs by financial institutions are unnecessary.

Our statement also discusses the potentially negative impact of SSN 
restrictions on the legitimate use by financial institutions of public 
records.
        As the Subcommittee is aware, Congress adopted privacy protections 
as part of the GLBA.  The GLBA subjects the financial services industry to 
a comprehensive privacy framework that requires the annual disclosure of a 
financial institution's privacy policies, allows customers to direct the 
institution not to share their "nonpublic personal information" with 
nonaffiliated third parties, contains significant prohibitions on the 
disclosure of detailed account information, and establishes regulatory 
standards to protect the security of "nonpublic personal information."  
Importantly, under the GLBA, SSNs are considered "nonpublic personal 
information," and thus are already subject to significant restrictions on 
the transfer of, and the ability of others to reuse, such information.  
Moreover, in 2003, Congress enacted additional legislation addressing 
concerns over identity theft, as part of its passage of the "Fair and 
Accurate Credit Transactions Act of 2003."  These two Congressional 
initiatives go straight to the heart of Congressional concerns over 
identity theft and the efforts of financial institutions to combat this 
growing problem.  In addition, the Committee on Energy and Commerce and 
other Committees of Congress recently have passed express requirements 
that would protect the security of SSNs.
        As a practical matter, we do not believe that the financial 
services industry is the subject of the concern that Congressional 
legislation would attempt to address.  We use SSNs, as well as other 
personal financial information, to assist us in making sound credit 
decisions, underwriting applications for insurance coverage and performing 
other ordinary insurance business functions, combating fraud, rooting out 
identity theft, and uncovering financial support for terrorism.  We do not 
make SSNs accessible to the general public.  As a result, we believe that 
any legislation should be targeted at those entities at the heart of the 
problem, be they unregulated information brokers, those engaged in illegal 
pretext-calling, or the like.

Integral Role of Social Security Numbers in U.S. Commercial Activities
	To assist the Subcommittee in its deliberations, it may be helpful 
to review the important role that SSNs play in U.S. commercial activities. 
        As the Government Accountability Office (GAO) noted in a February 1999 
report,  the Social Security Administration created the SSN in 1935 as a 
means to maintain individual earnings records for the purposes of that 
program.  But, Congress soon realized the tremendous value to society of a 
unique identifier that is common to nearly every American.  As a result, it 
began to require federal government use of the SSN as a common unique 
identifier for a broad range of wholly unrelated purposes and programs.  
For example, "a number of federal laws and regulations require the use of 
the SSN as an individual's identifier to facilitate automated exchanges that 
help administrators enforce compliance with federal laws, determine 
eligibility for benefits, or both."   These include federal laws applicable 
to tax reporting, food stamps, Medicaid, Supplemental Security Income, 
and Child Support Enforcement, among others.  Moreover, as the GAO 
acknowledged, it has repeatedly recommended in numerous reports that the 
federal government use SSNs as a unique identifier to reduce fraud and abuse 
in federal benefits programs. 
        Following the federal government's lead, American businesses 
complied with federal requirements to use SSNs as identifiers for federal 
laws unrelated to Social Security, such as income tax reporting.  In doing 
so, they also realized the powerful consumer benefits to be derived from 
comparable business use of SSNs as a common unique identifier.  Thus, 
businesses began to use SSNs in a manner similar to the federal government, 
e.g., to match records with other organizations to carry out data exchanges 
for such legitimate business purposes as transferring and locating assets, 
tracking patient care among multiple health care providers, and preventing 
fraud and identity theft.  Many businesses also use SSNs as an efficient 
unique identifier for such internal activities as identifying income tax 
filers.
        Similarly, the financial services industry has used the SSN for 
many decades for a broad range of responsible purposes that benefit 
consumers and the economy.  For example, our nation's remarkably efficient 
credit reporting system-which has helped make America's affordable and 
accessible credit the envy of the world-relies fundamentally on the SSN as 
a common identifier to compile disparate information from many different 
sources into a single, reliable credit file for a given consumer.  Indeed, 
the banking, insurance, and securities industries each use SSNs for a 
variety of important regulatory and business transactions.  Set forth below 
is an illustrative sample of the many financial institution uses of SSNs:
         To combat fraud and identity theft;
         To accurately assess underwriting risk;
         To assist in internal benefits tracking;
         To identify and report money laundering and terrorist 
financing activities;
         To comply with reporting requirements of federal and state 
tax and securities laws;
         To transfer assets and accounts to third parties;
         To comply with "deadbeat spouse" laws;
         To verify appropriate Department of Motor Vehicle records 
when underwriting auto insurance;
         To obtain medical information used in underwriting life, 
disability income, and long-term care insurance polices;
         To locate missing beneficiaries to pay insurance proceeds;
         To locate insurance policies for owners that have lost their 
policy numbers; and 
         To facilitate a multitude of administrative functions.
        As noted in the GAO report discussed above, "the uniqueness and broad 
applicability of the SSN have made it the identifier of choice for government 
agencies and private businesses, both for compliance with federal requirements 
and for the agencies' and businesses' own purposes."   As a result, the use 
of SSNs as common unique identifiers has become woven into the very fabric of 
both government and commercial transactions in this country, and has been so 
for decades.
        In short, the federal government began the use of SSNs for unrelated 
identification purposes; it required businesses to do the same under certain 
federal laws; and its use served as an example for businesses, including 
financial institutions, for over half a century.  These uses have produced 
tremendous efficiencies and benefits for all Americans.  The FSCC strongly 
urges members of Congress to keep such legitimate uses and benefits in the 
forefront when considering proposals to restrict the use of SSNs.

          Unintended Consequences of Broad Restrictions on the Use of 
                            Social Security Numbers

        As a result of the widespread use of SSNs for legitimate purposes, 
the FSCC is concerned about the potential unintended consequences of any 
legislation that is intended to restrict SSN abuses.  If legislation is not 
carefully targeted to avoid these unintended consequences, consumers and the 
smooth operation of the U.S. economy could be seriously harmed.  The 
following provides some specific examples of such harm:
         Potential Harm to Consumers.  The use of SSNs allows 
financial institutions to provide a level of service to customers that would 
otherwise not be possible.  By using these numbers to verify individual 
identities, credit bureaus and others can quickly provide financial 
institutions with accurate credit histories and verification information on 
people seeking credit, insurance, securities, and other financial products.  
In turn, a financial institution can act swiftly and efficiently on 
applications or requests related to these products.  Use of SSNs 
also enables financial institutions to provide more seamless administrative 
service, including, for example, by allowing a life insurer to more easily 
verify the identity of an individual calling into a call center to change 
a beneficiary or premium  mode or to make some other change to an insurance 
policy.  The FSCC's concern is that a broad restriction on the sale or use of 
SSNs, however well-intended, could seriously impede the delivery of such 
important services by driving up processing costs and impairing 
decision-making.
         Increased Risk of Fraud and Identity Theft.  SSNs are 
critical for fraud detection.  Banks, insurance companies, and securities 
firms rely on information available from both public and private 
sources-with embedded SSNs to ensure correct identification-to check for 
"inconsistencies" that may suggest the occurrence of fraud or identity 
theft.  The use of these numbers also helps financial institutions verify 
credit and other information necessary to make sound underwriting decisions 
that minimize losses.  The sophisticated processes used for these purposes 
rely fundamentally on SSNs as the common unique identifier to assemble 
accurate and verifiable information for a given individual.  That is, 
without a unique common identifier such as a SSN, we believe it would be 
easier, not harder, for an individual's identity to be stolen.  Thus, to 
reiterate, we believe that Congress should exercise great caution in 
restricting the use of SSNs so as not to risk an increase in consumer fraud 
or identity theft-a result that would be squarely at odds with the intended 
purpose of such restrictions. 
         Market Disruption.  A prohibition on the sale of SSNs could 
be construed to restrict such activities as the sale of assets among 
financial institutions.  This is so because financial institution assets 
(e.g., mortgage servicing accounts, credit card accounts, and traditional 
bank accounts) often use SSNs as the basis for account identification.  
Also, SSNs are part of policy files that may be transferred by an insurer 
in connection with a merger or acquisition or as part of a reinsurance 
agreement.  When it sells such an asset or transfers such files, a 
financial institution could be viewed as technically "selling" the embedded 
SSN as well.  Thus, legislative efforts that "directly or indirectly" limit 
the transfer, sale, or purchase of SSNs could effectively preclude such 
plainly legitimate transactions.  To address this problem, businesses would 
need to rework their internal systems completely to eliminate the reliance 
on such numbers-a massive and needless expense.  Accordingly, we believe that 
any legislative proposal must be crafted to avoid such a significant, 
unintended consequence.
         Money Laundering and Terrorist Financing.  Rules 
implementing section 326 of the USA PATRIOT Act require many financial 
institutions to obtain a taxpayer identification number, typically a SSN, 
before opening an account for the individual.  The financial institution 
also must verify the identity of the individual.  The verification process 
is facilitated by the use of SSNs.  The section 326 requirement was adopted 
as part of comprehensive legislation to address terrorism following September 
11, 2001.  Any limitations on the use of SSNs would need to accommodate the 
section 326 information collection and verification processes.

             Current Protections for Social Security Numbers
        The FSCC believes there is no need to further restrict the use of 
SSNs by financial institutions in light of the strong SSN restrictions that 
apply to such institutions under the GLBA and other laws.  The GLBA and its 
implementing regulations treat a financial institution customer's SSN as 
protected "nonpublic personal information."   As a result, each financial 
institution is subject to an affirmative and continuing obligation to protect 
the security of its customers' SSNs, and each customer has the right to block 
a financial institution from selling or transferring his or her SSN to a 
nonaffiliated third party or the general public.
        There are exceptions to this general rule for legitimate transfers 
of SSNs, such as ones that are necessary:  to carry out a transaction 
requested by the consumer; to protect against fraud; and to provide 
necessary identifying information to credit bureaus.  However, even with 
respect to such legitimate transfers of SSNs, the consumer remains 
protected because the recipient of the number is prohibited by law from 
re-using or re-disclosing the number-it may do so only as necessary to 
carry out the purpose of the exception under which the number was received 
from the financial institution.  Further, the GLBA also requires financial 
institutions to establish appropriate safeguards to ensure the security of, 
and to protect against unauthorized access to or use of, SSNs.
        In addition, more than 20 states have adopted statutes designed to 
protect the confidentiality of SSNs.  For example, several states have 
enacted laws that prohibit specified uses of SSNs, including, for example, 
prohibiting the public display of a SSN.  In addition, several states have 
enacted laws that limit the use of SSNs by state departments and agencies.  
Further, 30 states have enacted security breach notification laws.  These 
laws generally require a business to notify consumers when a security 
breach occurs involving sensitive personal information relating to those 
consumers, including SSNs.  Moreover, the Committee on Energy and Commerce 
and other Committees of Congress recently have passed express requirements 
that would protect the security of SSNs.
        The existing and proposed federal and state protections for SSNs 
create strong incentives for financial institutions to protect the SSNs that 
they maintain.  In light of these existing and proposed protections, and the 
corresponding incentives of financial institutions, the FSCC strongly 
believes that further legislative restrictions on the use and transfer of 
SSNs by financial institutions are unnecessary.

Concerns Over Restrictions On Access to Public Records
        Finally, some concerns have also been expressed regarding the 
inappropriate use of SSNs available in the public record.  The FSCC believes 
it is important to remember that a wide range of private sector 
enterprises-including banks, insurance companies, and securities firms-rely 
on these records to conduct a broad range of legitimate business 
activities.  For example, financial institutions use public records to:
         Uncover fraud and identity theft;
         Make sound credit and other financial product 
determinations;
         Verify identities of the customer at the account opening 
phase;
         Assist in internal security operations (e.g., employee 
background checks); and 
         Otherwise verify identities in order to conduct a broad 
range of business transactions.  

Business reliance upon public records facilitates the efficient operation of 
the financial and credit markets, limits mistakes, and ensures that consumers 
receive prompt and lower-cost service.  It also helps protect the customer 
from fraud.
        More specifically, to achieve the purposes described above, financial 
institutions directly use:  public records involving liens on real estate; 
criminal records and fraud detection databases; and similar types of public 
records.  Financial institutions also indirectly use these records for the 
same purposes by relying on databases developed by third parties that 
themselves rely on information from public records.  Importantly, SSN 
identifiers are central to ensuring that the information included in these 
records matches the correct individual.  This allows banks, for example, to 
verify the identity of a person so that a direction from a customer to 
transfer funds to a third party can be executed without mistake, as well as 
to check important credit-related characteristics of loan applicants (such 
as pending bankruptcies, tax liens, or other credit problems).
        Moreover, financial institutions employ sophisticated programs that 
cross-check public information against information supplied by an applicant 
in order to uncover fraud.  For example, if the age information provided by 
an applicant posing as another individual were inconsistent with other 
information known about that individual from public records made available 
through SSN identification, a "red flag" would be raised, which would trigger 
further checking to uncover the identity theft. 
        Thus, overly-broad limits on access to public record information 
would compromise a financial institution's ability to make sound business 
decisions and to protect its customers.  Such limits could also greatly slow 
the decision-making process of U.S. businesses, to the detriment of consumers 
and the economy.  For example, if a SSN were stricken from a public record, 
it is possible that the ability to use that record for legitimate purposes 
would become impractical because of the expense involved in verifying the 
identity of the person covered by that record.  The consequences could 
include delayed loan approvals, increased consumer costs for products and 
services, and limits on an institution's ability to discover identity theft 
on a timely basis. 
        Even if public entities could still retain SSNs in their internal 
nonpublic files and financial institutions could obtain access to such files, 
the cost and delays in efficiently accessing such files would be significant.  
Ultimately, the cost efficiencies and speed of delivery inherent in our 
current market system would be compromised.  The effect could 
be the same as denying financial institutions access to such records.

                                 Conclusion

        The benefits to society from the legitimate and responsible use of 
SSNs are real and substantial.  As a result, the FSCC believes that 
policymakers should look carefully at the unintended consequences that could 
occur with any proposal that would restrict the use of these numbers.  And, 
because of the existing restrictions on financial institution disclosure of 
SSNs, including the GLBA, we believe that no new SSN restrictions are 
required for the financial services industry.

        MR. STEARNS.  Ms. McDonald.  Pull the mic up, and just turn it on, 
if you could.
        MS. MCDONALD.  Good afternoon, Mr. Chairman, and thank you for 
the opportunity to appear before your subcommittee as it reconciles the 
beneficial uses of SSNs with threats to privacy.  
        My name is Susan McDonald, and I am the President of Pension 
Benefit Information, otherwise known as PBI.  For over 26 years PBI 
has provided research services to the pension industry.  We assist 
sponsors of pension plans in fulfilling their fiduciary responsibility to 
manage their plans under the Employee Retirement Income Security Act 
of 1974, ERISA.  PBI also supports pension plans in maintaining their 
qualified status.  IRS regulations require minimum distributions to 
planned participants or their beneficiaries for that purpose.  
        Our services allow planned sponsors to ensure benefits get 
distributed to eligible participants.  Our clients would be severely 
impacted by an enactment of legislation that would restrict PBI from 
purchasing SSNs for the purposes of matching and retrieval.  Such 
legislative restrictions would have serious consequences on millions of 
Americans that have earned benefits from their years of employment.  
Our clients typically come to us after they have performed a mailing, and 
it has come back undeliverable.  
        We serve over 9,000 planned sponsors in every industry segment.  
One of the greatest challenges for pension administrators is staying in 
contact with terminated vested participants.  These participants are 
entitled to benefits, but are no longer employed by the company.  They 
often forget to keep their address up to date and typically don't think 
about their benefits until they are nearing retirement age.  By that time it 
can be hard to track down their pension, especially if the company has 
been sold or closed up shop decades ago.  
        A recent Boston Globe article outlined a widow's 6 year journey to 
track down her deceased husband's benefits.  Most would have simply 
given up.  Although it is hard to comprehend, every week PBI locates 
participants who had no idea they were entitled to benefits.  
        PBI retrieves our address information for participants based on their 
SSN.  Maintaining accurate pension records is certainly a challenge since 
they have to maintain for so many decades, from the time a participant 
starts employment until their beneficiary dies.  A lot can happen to lose 
contact with participants over that time.  The companies we serve have 
migrated from 3-by-5 cards to keypunch cards and now to multiple 
system conversions.  Records can and do get corrupted.  Clients come to 
PBI because they are missing Social Security numbers or dates of birth 
for participants, or they have a beneficiary with no SSN.  
        PBI is currently able to perform research to identify a SSN so that a 
search for a participant can be made.  The challenge of locating a female 
participant that could have changed her last name several times due to 
marriage or divorce would become nearly impossible if it were unable to 
utilize an SSN for research purposes.  
        To date we have located over 900,000 lost participants with their 
retirement benefits.  
        We support greater security and restriction for companies that are 
given access to information containing SSNs.  Simply faxing a business 
license and checking a box to indicate a search for beneficial interests 
should not be deemed sufficient.  This has been clearly demonstrated by 
several security breaches involving bogus accounts.  As a consumer, this 
keeps me up at night.  
        PBI's primary data source for locate services is one of the three 
credit reporting agencies.  We have established a long-term relationship 
with them, meet on a regular basis, and they understand the services we 
provide and our customer base.  
        My desire in this testimony is to set forth the positive use of SSNs.  
We believe that our business is a prime example of how the use of SSNs 
yields socially beneficial results.  Many of the people we help are older 
Americans who desperately need their pension benefits no matter how 
small or large.  
        With so many people changing jobs today, the task of locating 
former employees is becoming extremely difficult.  They also change 
jobs.  After they have changed their jobs, there are other issues 
associated with locating them as well.  If we were not able to use the 
SSN, someone leaving out the middle initial or going by Bill versus 
William on employment documents would make it extremely difficult to 
locate them.  
        We currently locate 80 to 90 percent of the participants we look for 
using a SSN.  If PBI is unable to utilize an SSN to research and retrieve 
addresses, our locate business would be in jeopardy.  We search for 
participants nationwide and believe our results would be less than 
8 percent if we could only use a participant's name.  The chances of us 
ever finding the correct John Smith who worked for a particular 
employer would be nonexistent.  
        Our current process provides a cost-effective and efficient way to 
reunite former workers with their benefits.  I doubt PBI could continue to 
provide our valuable service with diminished results and increased cost 
to validate we have located the right person.  
        We serve the Fortune 500, labor unions, government agencies, and 
third-party administrators across the country.  We are required for the 
financial sector to complete 50-plus-page questionnaires and have the 
appropriate policies and procedures regarding data security, and we feel 
that that should be something that other companies have to provide in 
order to get access to the data.  
        I have highlighted some of the participants that we have found, and 
many of these were unable to find their benefits on their own, females 
that have changed their names.  There are a lot of beneficial reasons that 
we perform our services, and feel that if we were unable to do the 
searches based upon that information, we would not be able to serve the 
constituents that you probably really want to serve at this point.  Thank 
you.  
        MR. STEARNS.  Thank you.  
        [The prepared statement of Susan McDonald follows:] 

PREPARED STATEMENT OF SUSAN MCDONALD, PRESIDENT, PENSION BENEFIT INFORMATION

        Good afternoon Mr. Chairman and thank you for the opportunity to 
appear before your Subcommittee as it reconciles the beneficial uses of 
Social Security Numbers (SSNs) with threats to privacy. My name is Susan 
McDonald, and I am the President of Pension Benefit Information, otherwise 
known as PBI.  For over 26 years PBI has provided research services to the 
pension industry.  We assist sponsors of pension plans in fulfilling their 
fiduciary responsibility to manage their plans under the Employee 
Retirement Income Security Act of 1974, ERISA.  PBI also supports pension 
plans in maintaining their qualified status.  IRS regulations require 
minimum distributions to plan participants, and PBI locate participants, or 
their beneficiaries, for that purpose.
        Our services allow plan sponsors to ensure pension benefits are 
distributed to eligible participants or their beneficiaries.    Our clients 
would be severely impacted by the enactment of legislation that would 
restrict PBI from purchasing SSNs for the purposes of matching and 
retrieval. Such legislative restrictions would have serious consequences 
for millions of Americans who have earned benefits from their years of 
employment. Clients typically come to PBI after they have performed an ERISA 
mandated mailing, and communications come back undeliverable.
        PBI serves over 9,000 plan sponsors in every industry segment.  One 
of the greatest challenges for pension administrators is staying in contact with terminated vested participants.  These participants are entitled to 
benefits, but are no longer employed by the company.  They often forget to 
keep their address up to date, and typically don't think about their benefits 
until they're nearing retirement age. By that time it can be hard to 
track down their pension, especially if the company has been sold or closed 
up shop decades ago.  A recent Boston Globe article outlined a widow's 6 year 
journey to track down her deceased husband's benefits, most would have simply 
given up. Although it's difficult to comprehend, every week PBI locates 
participants who had no idea they were entitled to benefits. 
        PBI retrieves address information for participants based upon their 
SSN. Maintaining accurate pension records is a challenge, since these records 
must be maintained for several decades. From the time a participant starts 
employment, until their beneficiary dies.  A lot can happen to lose contact 
with participants over that time span. Companies have migrated from 3-by-5 
cards, to keypunch cards, and now through multiple system conversions. 
Records can, and do get corrupted.  Clients come to PBI because they are 
missing Social Security Numbers or Dates of Birth for participants.  Or, 
they have the name of a beneficiary with no SSN.  PBI is currently able to 
perform research to identify a SSN so that a search for a lost participant 
or beneficiary can take place.  The challenge of locating a female 
participant, that could have changed their last name multiple times due to 
marriage or divorce, would become nearly impossible if we were unable to 
utilize a SSN for research purposes.  
        PBI's address location service is designed to meet the requirements 
of the Pension Benefit Guaranty Corporation (PBGC) to perform a "diligent" 
search.  The PBGC protects the retirement incomes for companies that have 
terminated their pension plans. The PBGC provides specific guidelines to 
administrators of terminating plans with regards to lost participants.  Under 
the law, a search is considered diligent if it includes use of a commercial 
location service to search for the missing participants (29 CFR 4050.4).  
PBI performs this valuable service, and ERISA attorneys provide many of our 
referrals. 
        To date, PBI has reunited over 900,000 lost participants with their 
retirement benefits.  We don't simply provide an address retrieved from a 
database.  We communicate an important message to lost participants, and the 
lost participant confirms their address to PBI.  Clients look to PBI to 
perform our diligent search process, since many of them are ill equipped to 
manage returned mail.  Our clients also want to demonstrate they've been 
prudent in fulfilling their responsibilities to participants. 
        PBI supports greater scrutiny and restrictions for companies that 
are given access to information containing SSNs. Simply faxing a business 
license and checking a box to indicate a search is for beneficial interest 
should not be deemed sufficient.  This has been clearly demonstrated by 
several security breaches involving bogus accounts.  As a consumer, this 
keeps me up at night! PBI's primary data source for locate services is one 
of the three credit reporting agencies.  We've established a long term 
relationship with them, meet on a regular basis, and they understand the 
services we provide and our customer base.  Due to the increase in data 
security breaches, along with the sophisticated phishing scams, consumers 
are fearful of disclosing any information.  What used to be the simple 
confirmation of a correct address has raised concerns with lost participants.  
As a result, PBI's costs have sky-rocketed to provide our locate service.  
        My desire in this testimony is to set forth the positive uses of 
SSNs. We believe that our business is a prime example of how the use of SSNs 
yields socially beneficial results. Many of the people we help are older 
Americans, who desperately need their pension benefits, no matter how small 
or large. With so many people changing jobs today, the task of locating 
former employees is becoming increasingly difficult. Americans move on 
average every five years, particularly when they change jobs. They also 
often change their names with marriage or list slightly different names 
(i.e., leave out a middle initial or use Bill versus William) on employment 
documents. If PBI was unable to utilize a SSN for retrieval purposes our 
results would plummet.  We currently locate 80-90+% using a participant's 
SSN.  If PBI is unable to utilize a SSN to research and retrieve addresses 
our locate business will be in jeopardy.  We search for participants 
nationwide, and believe our results would be less than 8% if we could only 
use a participant's name. The chances of us ever finding the correct "John 
Smith", who worked for a particular employer, would be non-existent. Our 
current process provides a cost-effective and efficient way to reunite 
former workers with their benefits. I doubt PBI could continue to provide 
our valuable service with diminished results and increased costs to validate 
we've located the "right" person.   
        PBI serves the Fortune 500, labor unions, government agencies and 
third party administrators throughout the country.  We also work with many 
of the largest financial and insurance companies.  Our clients, especially 
those in the financial sector, demand that PBI have policies and procedures 
in place to protect confidential information.  It's a pre-requisite for doing 
business with them.  We are required to answer 50+ page questionnaires 
regarding data security, and provide documentation on our policies and 
procedures. Similarly, PBI requires clients to provide written authorization 
before we start a locate project. We only search for participants that are 
entitled to benefits.  On occasion a client will come to us because they 
unintentionally overpaid a participant.  We refer them to other services in 
those instances, since it violates our policy of "beneficial interest".  
        Our locate service is used for a variety of reasons.  These include 
uncashed/stale dated checks, returned 1099 statements, notice of plan 
changes, eligibility to commence benefits, due a distribution, terminating 
plans, Summary Annual Reports, etc.  One of the most recurring corporate 
events that contribute to lost participants is mergers and acquisitions 
("M & A").  When an M & A activity takes place the pension assets usually 
move to the new company.  This company is often in a new city, with a new 
corporate name.  Individuals lose track of these occurrences and, thus, 
have obvious difficulties tracking down their vested benefits.  As an 
example, PBI successfully located thousands of participants for a division 
of Westinghouse.  This division of Westinghouse was acquired by CBS, and 
then CBS was acquired by Viacom. Now Viacom is in the process of splitting 
into two separate companies.  How will participants know where to find their 
benefits in these types of situations?  
        Sometimes we locate individuals whose lives are changed dramatically 
by our use of SSN searches.  For example, we recently located a disabled 
woman who worked decades ago for a grocery store that's no longer in 
business. She had been trying to track down her benefits for years, and was 
unsuccessful. PBI located her, and she was so happy to be found that she 
sent us a letter and included a check for $20.00!  We promptly returned her 
check, but this shows just how valuable a lost participant deems our 
service.  In her letter to PBI she said "I have been married and divorced 
twice since then and have taken back my birth name."  The chances of PBI 
locating her without an SSN is remote, just as her ability to locate her 
hard earned benefits on her own were. 
        Similarly, we were able to locate a 67 year old man who worked for 
a metal plating company for 25 years.  He paid union dues and knew he was 
entitled to an annuity at retirement age. The company he worked for went 
bankrupt 16 years ago, and he was unable to locate his benefits. After he 
applied to the Social Security Administration at age 65, the SSA sent him a 
letter notifying him he was eligible for an annuity.  An address was 
provided for him, and he thought his lost pension had been found.  Wrong, 
when he arrived at the address provided no one was aware of his pension 
benefits.  The only advice given to him was to hire an attorney.  With a 
pending move to Texas, combined with fear over the fees involved in hiring 
an attorney, he gave up on ever finding his benefits.  PBI located him on 
March 20th of this year, and he just received confirmation of his monthly 
annuity. Needless to say, he's ecstatic to be reunited with his benefits.         
        Last fall we assisted Shell Oil Company in locating several hundred 
employees that were unaccounted for due to Hurricanes Katrina and Rita.  
Shell discovered that many employees did not have emergency contact 
information on file, or if they did, they were in the same area impacted by 
poor telephone communications.  We promptly went to work and provided them 
with valuable information to reach out to employee's relatives.  Our 
contact at Shell was thrilled to notify PBI that all of Shell's employees 
were located and found safe.  PBI provided valuable assistance to Shell 
under chaotic circumstances.  Their employees were delighted to obtain 
housing assistance from their employer in their time of need.  
        As the above examples underscore, the ability to use SSNs for 
matching purposes in commercial databases is critical to our efforts to 
reunite former employees with their benefits. Without the ability to use an 
SSN, a slight misspelling in a name, the presence or absence of a middle 
initial, and a less distinctive name can drastically reduce a plans 
ability to locate pension fund beneficiaries. I'm urging you to carefully 
consider the beneficial reasons for having access to SSNs and request that 
provisions be put in place that allow exceptions for qualified businesses 
such as ours.    
        The Department of Labor (DOL) just finalized regulations for dealing 
with "orphaned" plans, or plans which have been abandoned by their sponsors. 
The regulations rely on a Qualified Termination Administrator to notify 
participants and distribute benefits. I can't imagine how this function will 
be performed for participants that have moved since there previous employment 
with a defunct company.  In addition, terminating defined contribution plans, 
not insured by the PBGC, are required to distribute all funds by law. Plans 
are required to demonstrate their due diligence in attempting to locate 
participants, and PBI fulfills that purpose. If participants are not 
located the plan will need to take out an Individual Retirement Account (IRA) 
or annuity.  Or, they can escheat the funds to the state's unclaimed property 
fund of the participant's last known address.  I'm convinced the chances of 
a participant ever finding their account balances under these circumstances 
are slim to none. I believe these participants would be thrilled to be 
reunited with their account balances through our service.   
        Thank you, Mr. Chairman and Members of the Subcommittee, for the 
opportunity to express the views of Pension Benefit Information.  I welcome 
the opportunity to provide additional information to you regarding this 
troublesome issue.  My sincere desire is that future legislation will best 
serve and protect constituents while preserving privacy at the same time.  
Legitimate business to business relationships must be preserved so that plan 
sponsors can fulfill their responsibilities under ERISA.  Since PBI provides 
call center support to lost participants, I can tell you with confidence how 
grateful they are to be reunited with their benefits. I look forward to an 
opportunity to work with your committee to ensure the positive uses of Social 
Security Numbers continue to be protected.

        MR. STEARNS.  Ms. Steinfeld.
        MS. STEINFELD.  Good afternoon, Mr. Chairman.  And thank you for 
the opportunity to speak before you about Social Security numbers and 
commerce, reconciling beneficial uses with threats to privacy.  
        My name is Lauren Steinfeld.  I have worked on privacy generally at 
the Federal Trade Commission, on SSN legislation in my time at OMB, 
and I now work for the University of Pennsylvania as its Chief Privacy 
Officer.  I'm testifying today on my own individual capacity and not on 
behalf of the University of Pennsylvania.  
        In my written testimony I discussed the risks and benefits of using 
SSNs, the positive direction of H.R. 1078 introduced by Representative 
Markey, and H.R. 1745 introduced by Representative Shaw, and I 
introduced certain comments on specific provisions in the bill.  
        Today I will discuss what I believe are the most important points.  
First and foremost, in my view, it is entirely appropriate to ban the 
uncontrolled sale and purchase of Social Security numbers.  SSNs can be 
and are used by thieves to take out credit, to apply for insurance, and 
even to defraud the tax system.  The abuse of Social Security numbers 
causes considerable harm to individual victims, to merchants who are not 
paid, and, ultimately, to honest consumers who bear the cost by paying 
more for credit.  It is difficult for us to say that we, as a society, are 
sincerely working to curb the rising incidence of identity theft when 
Social Security numbers are lawfully for sale to anybody with an Internet 
connection.  
        Second, it is not appropriate to ban all sales and purchases of Social 
Security numbers.  SSNs are the closest thing we have to a national 
identifier, and by helping to link the different sources, SSNs are often the 
key, when properly used, to many important commercial activities, to 
public health interventions, to medical research, to finding missing 
children, to locating fugitives from justice, and other law enforcement 
and national security imperatives.  
        The proper way to balance the risks and benefits of using Social 
Security numbers is to utilize the rulemaking process to allow for 
detailed analysis and careful crafting of exceptions based on public 
comment and agency expertise.  H.R. 1078 and H.R. 1745 each include 
rulemaking provisions, but they differ in their assignment of rulemaking 
authority.  The former gives it to the FTC and the latter to the Attorney 
General.  
        I believe the rulemaking authority should go to the FTC for three 
reasons.  One, the FTC, through its dedicated ID theft program, is well 
versed on the causes of identity theft and is in a solid position to address 
the privacy risks and overexposing SSNs.  Two, the FTC has a deep 
understanding of the competing interests to SSN restriction through its 
long history of working with the data broker industry.  Finally, the FTC, 
through its experience in promulgating the Safeguards Rule under the 
Gramm-Leach-Bliley Act, has now developed more technical expertise 
to better evaluate the burdens and benefits of securing the sensitive SSN.  
        Now I would like to focus on some provisions that appear in 
H.R. 1745.  Several of them go far towards protecting privacy and 
involve very few trade-offs.  These are the provisions restricting the 
display of SSNs on government checks and restricting the display of 
SSNs on employee ID cards from the Government and private sector.  
        H.R. 1745 also contains worthwhile reasonable measures to protect 
provisions that can offer strong advantages similar to those coming from 
the Gramm-Leach-Bliley rule.  
        I would like to raise the following point about Section 109.  That 
section makes it unlawful to refuse to do business with an individual 
because that individual will not provide a Social Security number, and 
that provision is to be effective within 180 days.  The provision could be 
problematic for some industries in this time frame, particularly health 
care where the SSNs may very well be the key to linking medical data 
for treatment purposes, coordination of benefits, and performing critical 
medical research.  
        In conclusion, there is ample room for optimism for greatly reducing 
risks that arise from the overavailability of Social Security numbers, and 
this is a critical effort and will remain so for as long as we have credit 
processes that allow for the extension of credit based on name, address, 
and Social Security number alone.  
        In the last several years, we have learned a great deal about workable 
models for protecting privacy, about compromising important other 
priorities.  I applaud the authors of H.R. 1078 and H.R. 1745 for creating 
another good example of this in the important area of protecting SSNs.  
        I thank you for the opportunity to appear before you and welcome 
any questions you may have.  
        MR. STEARNS.  Okay.  Thank you. 
        [The prepared statement of Lauren B. Steinfeld follows:] 

PREPARED STATEMENT OF LAUREN STEINFELD, FORMER ASSOCIATE CHIEF 
COUNSELOR, OFFICE OF MANAGEMENT AND BUDGET

        Good morning and thank you for the opportunity to speak before you 
today about Social Security Numbers in Commerce - Reconciling Beneficial 
Uses with Threats to Privacy.  I am delighted to share some views on an 
issue about which I have thought for some time.  In today's testimony, I 
will describe some examples of the risks and benefits of using SSNs.  I 
will also share my view that the two bills being considered by this 
Committee, H.R. 1078 and H.R. 1745, go far towards advancing privacy 
protection while also addressing important commercial, health, and safety 
concerns.  Finally, I will offer some views on particular provisions in the 
bills.  
        My background on privacy issues is as follows.  I began working at 
the Federal Trade Commission in 1995 where I was a staff attorney in the 
Division of Financial Practices and then in 1998 served as Attorney Advisor 
to Commissioner Mozelle Thompson.  The following year, I became Associate 
Chief Counselor for Privacy, working for Peter Swire, the Chief Counselor 
for Privacy, at the Office of Management and Budget.  In this role, I worked 
on a wide variety of privacy issues, two of which are especially relevant to 
this discussion:  First, I served as the lead staff person to help develop 
proposed legislation regarding Social Security number protection - the Social 
Security Number Protection Act of 2000 was introduced by Representative 
Markey as H.R. 4611 and Senator Feinstein as S. 2699.  Second, I was the 
coordinator within OMB for the report issued by OMB, the Department of 
Treasury and the Department of Justice entitled "Financial Privacy in 
Bankruptcy:   A Case Study on Privacy in Public and Judicial Records."  Currently, I serve as Chief Privacy Officer for the University of 
Pennsylvania where I coordinate programs on a number of fronts to reduce 
SSN-related risks.  
        In today's testimony, I am presenting my own views based on my 
experiences and not the views of the University of Pennsylvania, nor the 
views of the Clinton or Bush Administrations from my time at OMB.

The Risks and Benefits of SSNs
	We, as a society, are struggling to get our arms around how to 
manage a small piece of data that can raise big problems and provide big 
benefits - that is, the Social Security number.  The most common problem 
the SSN creates is that it can be used, indeed abused, by thieves, in 
combination with often other publicly available data, to commit identity 
theft.  Often identity theft occurs in the following way:  the thief starts 
by obtaining a limited amount of information about someone else and uses 
it to obtain credit, for example by opening a credit card account or cell 
phone account, in the victim's name.  The thief then runs up charges on 
the account and fails to pay those charges.  The victim's credit reports 
will show significant delinquencies that interfere with the victim's 
ability to obtain a loan, a mortgage, insurance, even a job.  In addition 
to damage to identity theft victims, identity theft also costs credit 
providers who are not paid amounts based on fraudulent charges.  These 
costs are eventually largely borne by honest users of credit who pay more.  
        Another example of identity theft comes in the context of tax 
filings.  A thief may use a legitimate taxpayer's personal information to 
file a fraudulent tax return designed to provide a refund.  Those thieves 
may then go on to take out "refund anticipation loans," based on the amount 
they have "allowed themselves" in their filing.  A recent New York Times 
article, based on an interview with an IRS official, reported that there 
were 8,000 instances in one year of information of legitimate taxpayers 
being used by imposters to try to defraud the tax system.  
        Identity theft is now the fastest growing crime in America, because 
of the ease with which it can be committed.  It is so easy because the very 
limited information required to open accounts is easily available.  While 
name and address and even date of birth are often presumed to be public, it 
is the Social Security number that is intended to be the one key piece of 
private data that lets, for example, creditors know they are in fact extending 
credit to the person whom the applicant claims to be.  When that Social 
Security number is not in fact private, a key foundation for the integrity 
of the credit granting system is compromised.   I have heard anecdotally 
from a law enforcement officer that in the past, the conversation in prison 
yards centered on bank robbery.  Now, the "buzz" is that bank robbery is too 
difficult; identity theft is the way to go.
	It is tempting as a society to declare then that Social Security 
numbers should be banned except for purposes of administering the Social 
Security system and for tax-related purposes.  But to shut down the use of 
Social Security numbers poses different, but also highly significant, 
problems.  
        Social Security numbers are the closest thing we have to a national 
identifier and, by helping to link different data sources, they are often 
the key to advancing national priorities.  They facilitate important 
commercial activities, including the granting of loans, insurance and 
employment through the credit reporting system that - when working ideally - 
allows industry to judge an applicant according to information about 
that applicant.   They help us gather critical public health data for 
investigations and sometimes life-saving interventions.  They enable vital 
health-related research on individuals over time and over different health 
care settings.  Social Security numbers help us locate missing children and 
fugitives from justice and generally provide crucial data for law enforcement 
and national security purposes.  

Crafting Legislation
        With the risks and the benefits of Social Security numbers largely 
understood, the challenge in crafting legislation is how best to tackle the 
privacy concerns, without creating the unintended consequences of hindering 
fraud detection, law enforcement, national security, research, and other 
significant priorities.   In my personal opinion, the two bills being 
considered by the Committee strike the balance quite well in many respects.  

Banning the Uncontrolled Sale and Purchase of SSNs
        First and foremost, the bills would outlaw the uncontrolled sale and purchase of 
Social Security numbers.  Today, it is lawful to create a website and offer SSNs for sale - 
regardless of who is asking and regardless of the purpose.  In fact, one website I found 
advertises "Locate a Social Security number -- Supply a name & address or previous 
address, we will supply a social security number!"  Another site says, 

        "The Internet is the largest information base in the world, and we 
        have uncovered thousands of resources that will have you simply 
        amazed  ... and all of this is 100% legal."  

        When working on SSN-related initiatives at the University of 
Pennsylvania, I have heard people remark that while we are spending great 
amounts of money, time, and effort to remove SSNs from our systems and 
documents, and to convert to what we call a "PennID," it is frustrating to 
know that the SSNs we are protecting are literally "for sale" by others on 
the Internet.  Legislation banning the uncontrolled sale or purchase of SSNs 
can help send a strong signal to organizations working to protect SSNs that 
their efforts are even that much more worthwhile.  
        As I stated above, the bills would outlaw the uncontrolled sale and 
purchase- but not all sales and purchases.  That is appropriate to 
accommodate the critical beneficial uses of SSNs described above.  Both H.R. 
1078 and H.R. 1745 set out largely similar exceptions to the restrictions 
on the sale and purchase of SSNs.  They allow, for example, SSNs to be sold 
or purchased for law enforcement or national security purposes, for public 
health purposes, for emergency situations, to the extent necessary for 
research, and pursuant to consent - and each bill allows for further 
development of the exceptions in a subsequent rulemaking.  

Differences in Approach to Rulemaking
        A key difference in the bills lies in how that rulemaking will be 
conducted.  H.R. 1078 gives the Federal Trade Commission authority to 
promulgate rules within one year regarding unfair or deceptive acts or 
practices in connection with the sale and purchase of SSNs - all in 
consultation with the Commissioner of Social Security, the Attorney 
General, and other agencies as the Commission deems appropriate.  H.R. 1745 
gives the rulemaking authority to the Attorney General, in consultation 
with the Commissioner of Social Security, the Secretary of Health and Human 
Services, the Secretary of Homeland Security, the Secretary of the Treasury, 
the Federal Trade Commission, the Federal banking agencies, and National 
Credit Union Administration, the Securities and Exchange Commission, State 
attorneys general, and certain State insurance commissioners.   
        In my opinion, the Federal Trade Commission should be given the 
primary authority to issue regulations in this area for the following 
reasons:
         The FTC has significant expertise in understanding identity 
theft through the program it administers under the Identity Theft Assumption 
and Deterrence Act of 1998.  In particular, the FTC is well versed on the 
causes of identity theft and is in a solid position to address the privacy 
risks in overexposing SSNs.
         FTC also has a deep understanding of the competing 
interests to SSN restriction through its work with the data broker industry, 
first in helping to develop the industry self-regulatory program in the late 
1990s and more recently in the aftermath of the Choicepoint breach.
         Finally, the FTC, through its experience in promulgating 
the Safeguards Rule under the Gramm-Leach-Bliley Act, is aware of the 
important difference between "reasonable safeguards" and "perfect security."  
As a result, the FTC has now developed more technical expertise to evaluate 
burdens and benefits in securing the sensitive SSN. 
        While I believe the FTC expertise should be leveraged to the fullest 
advantage, I also believe that consultation with the agencies named in H.R. 
1745 would provide additional controls to ensure that the many considerations 
of beneficial and risky uses are addressed.  
	As far as what the rulemaking should cover, I recommend that the 
bills contain an additional provision - the rulemaking agency should address 
the issue of verifying the identity and authority of requesters seeking SSNs 
under one of the enumerated exceptions.  We have seen in the Choicepoint 
breach that a critical control to protecting privacy is adopting robust 
procedures to check the credentials of callers and writers claiming to be 
legitimate and to be using data for legitimate purposes.  Today, certain 
websites are willing to furnish sensitive data such as Social Security 
number on the mere "I agree" click that I have a permissible purpose under 
the Fair Credit Reporting Act.  It is worth considering the burdens and 
benefits of different verification approaches to provide reasonable 
assurances that requests truly are legitimate.  Adding requirements in 
this area is important to realize the goals of the bills overall.

Additional Regulation in H.R. 1745
        Another key difference between H.R. 1078 and H.R. 1745 is that the 
latter goes beyond restricting the sale and purchase of SSNs.  H.R. 1745 
reaches into many additional areas that are well worth acting upon and for 
the most part do not raise the same types of tradeoffs.  The provisions 
dealing with public display of SSNs are especially valuable.  
        H.R. 1745 places special provisions on governmental agencies and 
prohibits them from displaying SSNs on checks issued for payment.  For the 
public and private sector, the bill also prohibits placing SSNs on employee 
identification cards or tags.  H.R. 1745 also prohibits inmate access to 
SSNs.  These measures are entirely appropriate as a risk benefit matter, 
though one must recognize that even seemingly simple process changes, 
when applied so broadly, can take significant time and resources.  I 
encourage the Committee to confirm the appropriate timeframe for instituting 
these measures.
        H.R. 1745 also includes a requirement that both the public and the 
private sector adopt "measures to preclude the unauthorized disclosure of 
Social Security numbers."  The spirit of this provision seems very well 
aligned with the Safeguards Rule of the Gramm-Leach-Bliley Act.  I encourage 
aligning the language of the bill more closely with the GLB Safeguards Rule 
and, again, vesting rulemaking authority with the Federal Trade Commission 
to help achieve that consistency.   
        One final point on H.R. 1745 concerns Section 109 - making it 
unlawful to refuse to do business with an individual because the individual 
will not provide a Social Security number - that provision being effective 
within 180 days.  I suspect that this provision could be very problematic 
for some industries in this time frame, particularly health care, where the 
SSN may very well be the key to linking medical data for treatment purposes, 
coordinating benefits, and performing critical medical research.  I encourage 
the Committee to review this provision and the timeframe more closely and 
to reach out to affected industries, before passing legislation.  
Alternatively, the impact of this provision could be researched and the 
language refined in a rulemaking as well. 

Conclusion
        There is ample room for optimism in greatly reducing risks arising 
from the overavailability of Social Security numbers.  This is a critical 
effort and will remain so for as long as we have credit processes that allow 
for the extension of credit based on name, address, and Social Security 
number alone.  
        In the last several years, we have learned a great deal about 
workable models for protecting privacy without compromising important other 
priorities.  For example, I described above the work of OMB, the Department 
of Treasury and the Department of Justice on "Financial Privacy in 
Bankruptcy:   A Case Study on Privacy In Public and Judicial Records."  That 
report recommended what I believe to be a balanced model in which full 
bankruptcy case files are available to "real parties in interest," to 
enable them to protect their rights, while the general public would be 
restricted from certain sensitive data, like Social Security numbers and 
bank account numbers, that are not necessary for the public to know in the 
name of accountability of the bankruptcy system.  In this example, combined 
with many others, we have learned that privacy and accountability - or 
commerce or national security as the case may be -- may be spoken in the same 
sentence and often do one another a service.  When stakeholders from all 
vantage points work in earnest on crafting a better data confidentiality 
model - all are better off.
	My optimism is confirmed by the authors of the two bills before the 
Committee who recognize that the time has come for a consensus to prohibit 
the uncontrolled sale and purchase of the highly sensitive Social Security 
number.  I am pleased that the authors are finding ways to take important 
steps to protect privacy while also protecting other critical goals.  I 
thank you for the opportunity to appear before you and welcome any questions 
you may have.


        MR. STEARNS.  Mr. Lively.
        MR. LIVELY.  Thank you, Mr. Chairman.  Good afternoon.  My 
name is Randy Lively.  I am the president and CEO of the American 
Financial Services Association here in Washington.  AFSA's 
300-member companies include consumer and commercial finance 
companies, captive auto finance companies, credit card issuers, mortgage 
lenders, and other financial service firms that lend to consumers and 
small businesses.  
        I am pleased to be here today to discuss the importance of the Social 
Security number for our member companies.  While Social Security 
numbers are not the sole identifier used by the financial services 
companies, they are critically important to our industry for a couple of 
reasons.  First, they provide a unique means of identity verification, and 
second, they are an essential component of the industry's system to 
detect fraud.  
        The Social Security number itself acts as an identity verification. 
It provides a unique identifier that accompanies most consumers 
throughout their lifetime.  This number remains consistent in a world 
where people's names and addresses are changing constantly, whether 
for marriage, divorce, or, in the case of people moving from State to 
State, the reissuance of driver's licenses.  
        Financial services companies use Social Security numbers to help 
ensure the accurate association of financial accounts, credit reports, 
public records, medical records, and other relationships or services to a 
consumer.  A company typically uses the Social Security number or 
subsets of the number internally to track a customer's relationship with 
that company across multiple accounts and for other legitimate reasons.  
        For a financial services company, a Social Security number plays a 
pivotal role in identity determination.  In particular, it allows companies 
to establish and verify the identity of people with whom the institution 
conducts business.  
        With millions of John Smiths in America, a financial services 
company needs a way to determine which John Smith is its customer.  It 
does this with the help of a unique identifier common to all Americans, 
the Social Security number.  Importantly, financial services companies 
realize that the ability to successfully verify John Smith's Social Security 
number is not the same as successfully determining his identity.  To do 
this, a company uses a driver's license, passport, or another 
government-issued identification document with a picture, signature, 
expiration date, security features, and a physical description and so forth.  
        It is worth noting that the Social Security number has not been used 
solely for identity verification due to the lack of a highly secure Social 
Security number card with a tamper-proof signature, picture, and 
expiration date.  The Social Security number card contains few security 
features, thus making it easy to counterfeit.  The Social Security number 
is only a tool, albeit an invaluable one, in the process of determining the 
identity of an individual.  It is clear, however, that verification is a key 
tool for achieving positive identity determination.  
        The issue of fraud, according to the Federal Trade Commission, 
identity theft robs the Nation of more than $50 billion annually.  
Consumer losses account for about $5 billion of that, and of the total, the 
business community absorbs the remaining $45 billion.  The availability 
of the Social Security number both in the financial services companies' 
database and in public records is essential for law enforcement officials 
during a criminal investigation.  The number provides the most reliable 
method to identify and associate perpetrators to their public records 
which often provide details needed to solve the crime.  
        What is more, the Social Security number is critical in verifying a 
potential employee's background and allows for the ongoing monitoring 
of employees in high-risk positions.  Without the use of a Social Security 
number, financial services companies would find it very difficult to 
adhere to a know-your-employee standard.  
        To keep the trust of valued customers, AFSA companies take every 
precaution to protect their customers' Social Security numbers and other 
personal financial information.  This an ongoing employee training in the 
handling of sensitive personal information.  It also includes close 
scrutiny of the practices of third-party vendors who store or dispose of 
data which may contain personal financial information.  
        The industry has worked hard to put mechanisms in place to ensure 
security breaches are rare.  Just as this is important to law enforcement 
and legislators, it is also critical to the financial services industry so it 
has customers who are safe, content, and desirous to do business with its 
companies.  
        In conclusion, as we explore ways to protect consumers' privacy, we 
should take care to thoroughly evaluate any proposed restrictions on the 
use, sale and purchase of Social Security numbers to ensure that 
unintended consequences do not occur.  
        Thank you, Mr. Chairman.  
        MR. STEARNS.  Thank you.
        [The prepared statement of H. Randy Lively, Jr., follows:] 

PREPARED STATEMENT OF H. RANDY LIVELY, JR., PRESIDENT AND CEO, AMERICAN 
FINANCIAL SERVICES ASSOCATION

        Mr. Chairman, my name is Randy Lively and I am the President and 
CEO of the American Financial Services Association located here in 
Washington, DC. 
        AFSA's 300 member companies include consumer and commercial finance 
companies, "captive" auto finance companies, credit card issuers, mortgage 
lenders and other financial service firms that lend to consumers and small 
businesses. This year, AFSA is celebrating its 90th birthday as the nation's 
premiere consumer and commercial credit association.
        I am pleased to testify here today on the importance of the Social 
Security Number for our member companies in the auto finance, mortgage 
finance, credit card and personal loan lines of business.  While Social 
Security Numbers are not the sole identifier used by financial services 
companies, they are critically important to our industry for a couple of 
reasons.  First, they provide a unique means of identity verification.  And 
second, they are an essential component for the credit industry's systems 
designed to detect and prevent fraud.  Let's look at these one at a time. 

I.	Social Security Numbers - A Unique Means of Identification
        The Social Security Number provides a unique identifier that 
accompanies most consumers from cradle to grave. This number remains a 
constant in a world where people's names and addresses are constantly 
changing -- whether from marriage, divorce, addresses, or driver's license 
re-issuance as consumers move from one state to another. 
        Financial services companies use Social Security Numbers to help 
ensure the accurate association of financial accounts, credit reports, 
public records, medical records and a host of other critical relationships 
and services to a consumer. A company typically uses the Social Security 
Number (or subsets of the number) internally to track a customer's 
relationship with that company across multiple accounts and for other 
legitimate internal reasons.
        For a financial services company, a Social Security Number plays a 
pivotal role in identity determination.  In particular, it allows companies 
to establish and verify the identity of unique persons with whom the 
institution, and others, conduct business. With millions of John Smiths in 
America, the identity determinate of which John Smith with whom a finance 
company is dealing is made by the single unique identifier common to all 
Americans, his Social Security number.  
        Importantly, financial services companies realize that the ability 
to successfully verify John Smith's Social Security Number is not the same 
as successfully determining his identity. A company must do this by using a 
driver's license, passport or another government-issued, identification 
document containing a picture, signature, expiration date, security 
features, a physical description, etc.  
        It's worth noting that Social Security Numbers have not been used 
soley for identity verification due to the lack of a highly secure Social 
Security Number card, tamper-proof signature, picture and expiration. The 
Social Security Number card contains few security features, making it easy 
to counterfeit thus reducing or eliminating any value in its sole use for 
identity verification. The Social Security Number is thus only a tool, 
albeit an invaluable one, in the process of determining the identity of an 
individual. It is clear, however, that verification is a key tool for 
achieving positive identity determination. 

II.	Social Security Numbers - An Essential Component of the Industry's Ability to Detect Fraud
        According to the Federal Trade Commission, identity theft robs the 
nation of more than $50 billion annually.  Consumer losses account for about 
$5 billion of the total and business absorbs the remaining $45 billion. 
        The availability of the Social Security Number both in the financial 
services company's database and in public records is essential for law 
enforcement officials during a criminal investigation.  This number is the 
most reliable method of identification, correlation and association of the 
perpetrators to their public records, which often provide critical details 
imperative to solving the crime and locating the suspect(s). The loss of 
this valuable tool would jeopardize the effective investigation of financial 
crimes. 
        What's more, the Social Security Number is critical in verifying a 
potential employee's background and allows for the ongoing monitoring of 
employees in high-risk positions. Without the use of a Social Security 
Number, financial services companies would find it very difficult to adhere 
to a "know your employee" standard. 
        To earn and keep the trust of valued customers, AFSA companies take 
every precaution to protect their customers' Social Security Numbers and 
other personal financial information.  This includes on-going training for 
employees in the handling of sensitive personal information.  It also 
includes close scrutiny of the practices of third-party vendors who store 
or dispose of data which may contain personal financial information.  The 
industry has worked hard to put mechanisms in place to ensure security 
breaches are rare.   Just as this is important to law enforcement and 
legislators, it is also critical to the financial services industry, so we 
have customers who are safe, content and desirous to do business with our 
companies.     

Conclusion:
        AFSA member companies share this committee's goal of wanting to 
assure American consumers that their personal information, including their 
Social Security Number, is safely protected.   At the same time, we must be 
mindful that many financial services companies utilize the Social Security 
Number internally for a variety of legitimate  business reasons, which 
should remain exempt from additional limitations.  
        As we explore ways to protect consumers' privacy, we should take 
care to thoroughly evaluate any proposed restrictions on the use, sale and 
purchase of Social Security numbers to ensure that unintended consequences 
do not occur. 
        Obviously, the best way to protect our customers' information is to 
prevent fraud from occurring in the first instance.  Through the kinds of 
methods I just described - such as employee training of the handling of 
sensitive information, and close scrutiny of third-party vendors - the 
industry is committed to doing its part. 
 	Finally, it worth mentioning the role of the customer.  Consumers 
who are proactive and understand the importance of safeguarding their 
Social Security Number can serve as the first line of defense in preventing 
fraud.  
        I appreciate the opportunity to be here today and would be happy to 
answer any question you may have.

        MR. STEARNS.  Mr. Rotenberg. 
 	MR. ROTENBERG.  Thank you, Mr. Chairman.  My name is Marc 
Rotenberg.  I am Executive Director of the Electronic Privacy 
Information Center.  I appreciate the opportunity to be before the 
subcommittee today, to see you again, and to talk about the Social 
Security number issue.  I would like to ask that my written statement be 
entered.  
        MR. STEARNS.  By unanimous consent, so ordered.  
        MR. ROTENBERG.  I would like to make a few brief comments.  I 
know it is late in the day.  I think this is a very important hearing that you 
are holding.  The risks of the misuse of the Social Security number in the 
United States, I think, are widely shared by American consumers.  There 
has been a dramatic increase in the incidence of identity theft in this 
country.  It imposes a real economic hardship, and it has been closely 
linked to the use of the Social Security number in the private sector.  
        Now, I would like to describe two of the types of problems that arise 
for consumers when their Social Security numbers become available to 
others.  The first, as you may know, is that many financial institutions 
use the Social Security number both as an account locator and as the 
password on the account, so that, in effect, if you have a person's Social 
Security number, you have the ability to access the contents of that 
financial account, which is why it is so attractive to identity thieves.  It 
is literally the keys to the kingdom.  The Social Security number also 
makes it possible to link together records from different sources and to 
build profiles.  
        Now, it is true in terms of investigating a financial fraud and making 
credit determinations that it plays an important role in the private sector, 
and we understand that.  But at the same time, it also opens the door to a 
kind of open-ended profiling of American consumers that makes the 
work of identity thieves that much easier.  
        Now, the interesting thing about this particular issue is that 
Congress understood the problem, both in the creation of the number when the 
Social Security agency said, we are going to limit the use of the number 
so that it is only used for the SSA purposes, and again in 1974 when the 
Comprehensive Privacy Act passed on a bipartisan basis, said to the 
Federal agencies, we really want to limit the use of the Social Security 
number.  
        Now, I actually went back the other day and looked at the history of 
the 1974 act and found something very interesting.  It was an important 
report that provided the basis for that act, and that report said specifically 
that legislation should be adopted, and I am quoting now, it is in my 
statement, "prohibiting uses of an SSN or any number represented as an 
SSN for promotional or commercial purposes."  The Senate report that 
accompanied passage of the Privacy Act said, in 1974, the use of the 
Social Security number in the private sector is, quote, "one of the most 
serious manifestations of privacy concerns in the Nation."  
        So I think there was a broad-based understanding at a time when 
these computer systems were coming into place and making it possible to 
create these profiles on Americans that the Social Security numbers' use 
should be regulated.  
        But, of course, over the last 30 years, what we have seen instead has 
been the expanded use of the Social Security number, both by the 
Federal agencies and in the private sector.  So I think it is very 
appropriate to be looking at legislation today.  
        I think it is also not surprising, if I might point out, that many of 
the States all across the country have passed legislation, from New York and 
West Virginia to Arizona and California and Colorado, limiting the use 
of the Social Security number in the private sector because so many 
people have complained in those States about being asked to put their 
Social Security number on their check or finding their Social Security 
number on their employee identification card.  There is a real push today 
in the country at the State level to improve safeguards for the use of the 
Social Security number to try to protect privacy.  
        Now, I think the two bills under consideration, H.R. 1078 and 
H.R. 1745, would certainly help.  I think a lot of effort has obviously 
gone into these proposals, and I hope they will be acted upon by the 
committee.  But as you see in my statement, I am actually urging you to 
consider going somewhat further.  
        I am concerned, for example, that if too many statutory exceptions 
are created, if too many of the current business practices that make use of 
the Social Security number are left in place, we really won't do a 
particularly good job in safeguarding the privacy of American 
consumers.  And so my hope is that Congress will be able to send a clear 
message that there may be some circumstances in the private sector 
where the Social Security number is necessary.  It is certainly being used 
as the tax identification number, and employers need it.  And it may also 
be necessary for fraud investigation, but I think what we need to do today 
is to limit the use of the Social Security number in the private sector and 
make clear that there are certain uses, such as the commercial sale of a 
Social Security number, for which there really is no basis.  And I thank 
you again for the opportunity to be here today.  
        MR. STEARNS.  And I thank you, MR. ROTENBERG. 
        [The prepared statement of Marc Rotenberg follows:] 

PREPARED STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
PRIVACY INFORMATION CENTER

        Chairman Stearns, Ranking Member Schakowsky, and Members of the 
Subcommittee, thank you for the opportunity to testify today on Social 
Security Numbers in commerce and how best to reconcile beneficial uses with 
threats to privacy.
        My name is Marc Rotenberg and I am Executive Director of the 
Electronic Privacy Information Center. EPIC is a non-partisan research 
organization based in Washington, D.C.  Founded in1994. EPIC has participated 
in leading cases involving the privacy of the Social Security Number (SSN) 
and has frequently testified in Congress about the need to establish privacy 
safeguards for the Social Security Number.   Last year, we testified on H.R. 
98, the Illegal Immigration Enforcement and Social Security Protection 
Act of 2005, and urged Members to reject the use of the SSN as a national 
identifier and to ensure the development of adequate privacy and security 
safeguard to address the growing crisis of identity theft. 
        Social Security numbers have become a classic example of "mission 
creep." A number that was created for a specific, limited purpose has been 
transformed for additional, unintended purposes, sometimes with disastrous 
results. The pervasiveness of the SSN threatens privacy and the financial 
security of Americans. For example, SSNs are routinely used to both identify 
and authenticate an individual, a deeply flawed security practice.
        SSNs are also used to build detailed profiles on American 
consumers, linking together records that might otherwise be difficult to 
match. Without the SSN, businesses would have to be more forthcoming with 
individuals about the sources of information that are obtained and the 
profiles that are created. However, the SSN makes it possible to create 
profiles that are not only detailed but also secretive. As a consequence, 
consumers are able to exercise less control over their personal information 
held by others. Absent an explicit statutory protection, they have no idea 
what information about them is collected, how it is used, or to whom it is 
disclosed.
        The privacy risks associated with the creation of the SSN have been 
well understood for a long time. Although Congress successfully limited some 
uses of the SSN by federal agencies with the passage of the Privacy Act in 
1974, since that time Congress has largely failed to establish the necessary 
safeguards to protect American consumers.

History of SSN Use
	The Social Security Number (SSN) was created in 1936 for the purpose 
of administering the Social Security laws. SSNs were intended solely to track 
workers' contributions to the social security fund. Legislators and the 
public were immediately distrustful of such a tracking system, which can be 
used to index a vast amount of personal information and track the behavior 
of citizens.  Public concern over the potential abuse of the SSN was so high 
that the first regulation issued by the new Social Security Board declared 
that the SSN was for the exclusive use of the Social Security system.
	Over time, however, legislation allowed the SSN to be used for 
purposes unrelated to the administration of the Social Security system. For 
example, in 1961 Congress authorized the Internal Revenue Service to use 
SSNs as taxpayer identification numbers.
	A major government report on privacy in 1973 outlined many of the 
concerns with the use and misuse of the Social Security Number that show a 
striking resemblance to the problems we face today. Although the term 
"identify theft" was not yet in use, Records, Computer, and the Rights of 
Citizens, the report that provided the basis for comprehensive privacy 
legislation in 1974, described the risks of a "Standard Universal 
Identifier," how the number was promoting invasive profiling, and that many 
of the uses were clearly inconsistent with the original purpose of the 1936 
Act. The report recommended several limitations on the use of the SSN and 
specifically said that legislation should be adopted "prohibiting use of an 
SSN, or any number represented as an SSN for promotional or commercial 
purposes." 
        In enacting the landmark Privacy Act of 1974, Congress recognized 
the dangers of the widespread use of SSNs as universal identifiers, and 
enacted provisions to limit uses of the SSN. The Senate Committee report 
stated that the widespread use of SSNs as universal identifiers in the public 
and private sectors is "one of the most serious manifestations of privacy 
concerns in the Nation." Short of prohibiting the use of the SSN outright, 
Section 7 of the Privacy Act provides that any agency requesting an individual 
to disclose his SSN must "inform that individual whether that disclosure is 
mandatory or voluntary, by what statutory authority such number is solicited, 
and what uses will be made of it." This provision attempts to limit the use 
of the number to only those purposes where there is clear legal authority to 
collect the SSN. It was hoped that citizens, fully informed that the 
disclosure was not required by law and facing no loss of opportunity in 
failing to provide the SSN, would be unlikely to provide an SSN and 
institutions would not pursue the SSN as a form of identification.
        However, the Privacy Act failed to limit the use of the SSN by the 
private sector as the 1973 report had urged. Credit reporting agencies, 
marketing firms, and more recently, data brokers to build detailed profiles 
on American citizens exploited this loophole. As a consequence, consumers 
have experienced the extraordinary problem of identity theft.

Identity Theft
        Commercial enterprises have made the SSN synonymous with an 
individual's identity. Despite the fact that the SSN was never intended to 
be used for identification purposes, they are considered the "keys to the 
kingdom" for records about individual consumers.
 	The financial services sector, for instance, has created a system 
of files containing personal and financial information on nearly ninety 
percent of the American adult population, keyed to individuals' SSNs. This 
information is sold and traded freely, with virtually no legal limitations. 
This widespread use, combined with lax verification procedures and aggressive 
credit marketing has lead to widespread identity theft.  
        Credit grantors rely upon the SSN to authenticate a credit 
applicant's identity; many cases of identity theft occur when thieves apply 
using a stolen SSN and their own name.  Despite the fact that the names, 
addresses, or telephone numbers of the thief and victim do not match, 
accounts are opened and credit granted using only the SSN as a means of 
authentication.  EPIC has detailed many of these cases in other testimony. 
        The root of this problem is that the SSN is used not only to tell 
the credit issuer who the applicant is, but also to verify the applicant's 
identity.  This would be like using the exact same series of characters as 
both the username and password on an email account.  The fact that this 
practice provides little security should not be a surprise. 
        The printing of SSNs on government-issued drivers licenses 
provided yet another opening for identity thieves.  A thief who stole your 
wallet could also easily steal your identity, with name, address, diver's 
license number, and SSN in one easy place.  Congress recognized this threat 
and in the Intelligence Reform and Terrorism Prevention Act of 2004, 
prevented the printing of SSNs on drivers' licenses and other 
government-issued ID. 

States are Taking the Lead on SSN Privacy
	Several states have, in recent years, established new privacy 
protections for SSNs. These laws demonstrate that major government and 
private sector entities can still operate in environments where disclosure 
and use of the SSN is limited. They also provide examples of protections 
that should be considered at the federal level.  For example, Colorado, 
Arizona, and California all have laws that broadly restrict the disclosure 
and use of the SSN by both government and private actors.  These laws 
encourage agencies and businesses to use different identifiers for their 
specific purposes, reducing the vulnerability that the disclosure of any 
one identifier may create.  Arizona's law also prohibits the printing of 
the SSN on material mailed to Arizona residents, reducing the threat of 
fraud from intercepted correspondence.  
        Other states, including New York and West Virginia, have statutes 
that limit the use of the SSN as a student ID number.  This reduces the 
vulnerability of students to identity theft and protecting the privacy of 
students whose personal information is collected in databases, and whose 
grades are often publicly posted, indexed by their student ID numbers. 
Similar laws exist in Arizona, Rhode Island, Wisconsin, and Kentucky. 
        Of course, we would welcome strong legislation in Congress that 
would limit the use of the Social Security Number in the private sector 
and help safeguard the privacy interests of American consumers, but the 
bills now pending before the Committee have been so watered down it is not 
clear that they would provide much actual benefit. Many exceptions have 
been created to permit business to continue to collect and use the SSN 
for a wide range of commercial activities. There are also problems with 
the lack of effective enforcement. And the bills generally provide less 
protection than comparable state measures.

Possible SSN Privacy Legislation
        I would like today to propose a simple approach to safeguarding 
privacy and limiting the misuse of the Social Security Number and that is 
to recommend legislation that would prohibit the collection and use of the 
Social Security Number by a commercial organization where there is no legal 
authority to do so. Simply stated, if Congress determined that it was 
necessary to authorize the use of the SSN in the private sector, as it 
did when it chose to make the SSN the Tax Identification Number, then a 
commercial firm would have the legal authority to collect and use the SSN 
consistent with that statutory purpose. But where there is no legal 
authority to collect an individual's SSN, the commercial firm would be 
prohibited from doing so. This would change the default on the use of the 
SSN and help ensure that the number was used only for appropriate purposes.
        You could also, if you wish, apply the approach set out in section 
7 of the Privacy Act by requiring private sector organizations that seek to 
collect an individual's SSN to inform that individual whether the disclosure 
of the SSN is mandatory or voluntary, by what statutory authority such 
number is solicited, and what uses will be made of the individual's SSN. 
Many privacy notices have become extraordinary complex and are routinely 
ignored. But the original notice for the collection and use of the SSN set 
out in the Privacy Act of 1974 would actually be very helpful for consumers 
who are tying to safeguard their privacy.
        Either approach would provide meaningful limitations on the use of 
the SSN, reduce the risk of identity theft, and help restore consumer 
privacy. These are also the approaches consistent with the Privacy Act of 
1974 and the 1973 report that provided the basis for that landmark law.

Conclusion 
        The expanded use of the Social Security Number is fueling the 
increase in identity theft in the United States and placing the privacy of 
American citizens are great risk. The widespread use of the SSN has made it 
too easy for government agencies, businesses, and even criminals to create 
detailed profiles of individuals Americans. Congress wisely sought to limit 
the use of the Social Security Number by federal agencies when it passed 
the Privacy Act of 1974, and the states have since established additional 
safeguards. Still it is clear that the problem of the misuse of the Social 
Security Number is on the rise.
        Effective privacy legislation for the SSN in the commercial sector 
could be based on either requiring businesses to have legal basis to collect 
and use the SSN or by applying Section 7 of the Privacy Act to commercial 
entities.

        MR. STEARNS.  You have been kind enough to come and testify 
before, and I think we were in Rome together.  So let me just start off 
with you.  
        The Gramm-Leach-Bliley and the Fair Reporting Credit Act, do you 
think that these things specifically should be changed?  
        MR. ROTENBERG.  If you are referring to the security standard in the 
Gramm-Leach-Bliley Act, I don't think it goes far enough to address the 
specific problems with the Social Security number.  I think that was kind 
of left as an open issue, and it is one of the reasons why it probably 
would be appropriate to do some legislation around the SSN.  
        MR. STEARNS.  We have a data security bill that we passed out of my 
subcommittee and the full committee.  Do you think that goes to help a 
little bit?  
        MR. ROTENBERG.  I think it will probably, and I haven't looked at it 
recently, but my recollection is that that bill didn't specifically address 
some of the SSN misuse issues.  So that piece I think you could still get 
to.  
        MR. STEARNS.  We are thinking about perhaps having an 
amendment.  And Chairman Barton has talked about having a markup or 
a bill in our subcommittee, but we are thinking about possibly having an 
amendment to the data security bill to include something on Social 
Security.  You say it is not part of it and should be part of it, and we 
agree.  
        MR. ROTENBERG.  I think that would be a good approach.  
        MR. STEARNS.  Ms. Steinfeld, your testimony describes a practice of 
furnishing data under the FCRA, in which a company furnishes data to 
an entity that merely clicks a, quote, "I agree" box; that it has a 
permissible purpose under the FCRA.  Is this a violation of the FCRA?  
        MS. STEINFELD.  Well, what I found was an Internet site that was 
making a lot of public record information available, and, again, public 
record information, including the Social Security numbers, is currently 
lawfully available for sale on line.  What the Website said is for the 
Social Security number, we will only give that out if you have a 
permissible purpose under the Fair Credit Reporting Act.  And then it 
said, click here to say, yes, I do have that permissible purpose.  
        So the point I was making in the testimony is that if you do establish 
a regime like the two bills are contemplating, one important key piece is 
to make sure that you verify the identity and the authority of the 
requester of data that they actually meet one of the exceptions that are in 
the statute.  Having people say, "Yes, I am legitimate," under your law is 
not enough.  
        MR. STEARNS.  How do we identify a person in a remote location, in 
a computer, with a click?  I mean, how do you identify that person?  
        MS. STEINFELD.  I think it is very difficult, and I think it is what 
a lot of major industry players have been wrestling with.  I have been looking 
a little bit at some of the ChoicePoint plans and the aftermath of some of 
their problems, and they have some robust credentialing requirements 
now that they impose before requesters can request sensitive data.  And I 
have been told by another industry leader lately that there are actually 
site visits to test the authenticity of the requester when the volume and 
the sensitivity of the data is so great.  But I recognize that is not going to 
work in all cases, and there is an interest in being able to deliver services 
online in a sufficient way, and I do think we are still wrestling with how 
to authenticate identity and authority in an online world.  
        MR. STEARNS.  Mr. Lively, we have touched upon it with the 
Commissioner Leibowitz when he was here earlier.  Let us say, for 
example, just a hypothetical, the President signed the bill that prohibited 
a business from refusing to do business with a consumer without receipt 
of a Social Security number.  How would that affect your membership?  
        MR. LIVELY.  It would clearly have an impact on service levels 
because alternative methodologies would have to be sought out and 
would have to be pursued, and the timely service that the industry is able 
to provide to its customers would be seriously deteriorated.  
        MR. STEARNS.  And it would be expensive, I guess.  
        MR. LIVELY.  Very expensive.  
        MR. STEARNS.  Well, you heard the Commissioner's testimony, and 
there are a lot of members who might vote for banning the sale or 
purchase of Social Security numbers without the person's consent.  And 
even in certain cases, you heard the Chairman talk about his cell phone, 
you heard the Commissioner talk about this giving of the Social Security 
number, so a lot of members are sort of thinking, well, Social Security 
numbers are something we should not allow to be used, and there might 
be another identifiable thing.  
        MR. LIVELY.  Yes.  I totally understand that and appreciate the 
concern that is being applied to that particular circumstance, but when 
the terms are being used about purchasing a Social Security number, you 
have to be awfully careful not to cause the credit report, which contains a 
Social Security number, from being classified as the purchase of a Social 
Security number.  These things are so tightly integrated, and the systems 
have been developed both from the standpoint of fraud control as well as 
from the standpoint of customer service, and when you have got those 
objectives--because, after all, these institutions are in business to provide 
services to consumers.  And by definition, services need to be timely, 
they need to be accurate, they need to be effective, and they need to 
provide the customer with the service they intended to obtain from that 
institution.  And today we have situations in which the consumer can go 
to purchase an automobile and drive the automobile away from the 
dealership the same afternoon because of the facility--
        MR. STEARNS.  Quite incredible.  
        MR. LIVELY. --access to this technology that is driving the Nation's 
economy.  And at the end of the day, the care that has to be taken by this 
committee and all of the other people who are going to be involved in 
this process must be very, very, very carefully driven because inadvertent 
mistakes in the legislative process can create some havoc in the 
marketplace.  
        MR. STEARNS.  Mr. Ireland, I will close with you and Ms. 
McDonald.  Mr. Ireland, do you see any problems with banning the sale 
of Social Security numbers to nonfinancial entities?  And what 
nonfinancial entities should have access or require Social Security 
numbers?
        MR. IRELAND.  When you talk about the sale of Social Security 
numbers, if you just mean somebody that is going to offer a list of Social 
Security numbers for sale, I don't know of a legitimate business purpose 
for that, and I am not troubled by the idea of banning it to nonfinancial 
entities.  If we are talking about selling a loan file, for example, that 
includes a Social Security number and that is banned, I have just shut 
down the secondary mortgage market, among other things.  
        So I think you have to define your terms carefully, and there are 
clearly practices out there that you could identify that don't have a 
legitimate commercial purpose, and you could further restrain, we think, 
in the case of financial institutions that are already probably prohibited 
by the Gramm-Leach-Bliley Act.  But for nonfinancial institutions, they 
don't have comparable restrictions.  There may be areas where it is 
appropriate to have further restrictions, but you have to be careful as you 
do that because Social Security numbers, as part of a loan file or as a 
component of a larger financial transaction, are sold all the time and are 
key to many commercial transactions and retail transactions in this 
country.  
        MR. STEARNS.  Mr. McDonald, perhaps you could, just for 
illustrative purposes, give us an example, worst practices you may have 
seen with regard to securing Social Security numbers in your area, if you 
have any.  
        MS. MCDONALD.  Well, when you say worst practices --
        MR. STEARNS.  Do you have the speaker on?  
        MS. MCDONALD.  Yes.  I am not sure when you are saying worst 
practices, the abuses we have seen.
        From our standpoint, what we see with concerned participants has 
made them extremely paranoid, and in our service we are doing a good 
thing.  We are finding them, reuniting them, they are excited to, in many 
cases to be back with their benefits.  In other cases, they are calling their 
congressman and saying, "I got this letter, I don't understand."  For our 
purposes though, if we were not able to get access to Social Security 
numbers, there's no way we could find a lot of the female participants by 
a name that is no longer theirs, due to marriage or divorce. 
        MR. STEARNS.  So a Social Security number is the only way you can 
identify these people, is what you are saying?  
        MS. MCDONALD.  To find the right person, yes.  I mean, even in our 
database with all the people we have located, if somebody gives a name, 
it takes us forever to go through and give them all the names of the 
companies that they worked for.  
        MR. STEARNS.  Mr. Rothberg, do you agree with that?  
        MR. ROTENBERG.  I am sorry.  The SSN can be useful in locating 
individuals?  
        MR. STEARNS.  Yes.  Social Security number's the only way that you 
can identify people, and that is why she feels it is so important.  
        MR. ROTENBERG.  Well, I am sure there are circumstances where 
that may be the case, but I think it is also true that many businesses 
create their own unique identification numbers.  I was thinking about this 
the other day--
        MR. STEARNS.  Like the military.  
        MR. ROTENBERG.  Well, the military does, your credit card 
company, your utility company.  I think we are quite used to seeing a lot 
of different types of identifiers.  What is really different about the Social 
Security number and the reason that it creates both benefits and risks is 
that it makes it possible to link data across different worlds, financial 
records and medical records.  
        MR. STEARNS.  My time has expired.  The gentleman from 
Massachusetts.  
        MR. MARKEY.  Thank you, Mr. Chairman, very much.  Just to restate 
a thank you, Mr. Chairman, and the full committee Chairman, 
Mr. Barton, for having this hearing.  
        My bill would halt unregulated commerce in Social Security 
numbers.  It does not establish an absolute prohibition on all commercial 
use of the number, but it would make it a crime for a person to sell or 
purchase Social Security numbers in violation of rules promulgated by 
the Federal Trade Commission.  The Federal Trade Commission would 
be given the power to restrict the sale of Social Security numbers, 
determine appropriate exemptions, and to enforce civil compliance with 
the bill's restrictions.  
        So you actually put together an all-star cast here, a privacy all-star 
team, both sides represented, I might say, on the issue.  Mr. Ireland, if I 
may begin with you, and welcome back.  I remember you with the Fed.  
        MR. IRELAND.  Yes.  
        MR. MARKEY.  Always a vigorous opponent of strong privacy 
protections, and you are consistent here in your testimony today.  And 
you argue in your testimony that the financial services industry should be 
exempt from any Social Security number legislation, and in part, because 
of the existence of the privacy provisions of the Gramm-Leach-Bliley 
Act.  Now, as Debbie Shannon remembers back in 1999 and 2000, sitting 
right behind you, the financial services industry was actually able to 
convince the Banking Committee in the House and in the Senate to have 
no privacy protections in Gramm-Leach-Bliley until it came to this 
committee when, in a surprise vote, Mr. Bliley sided with me.  And 
pretty much all the privacy in the Gramm-Leach-Bliley is because of the 
vote in this committee on my amendment.  
        And as a result, I am very aware of all of the loopholes in that law.  
As it finally went back over to the Banking Committee conferees as well, 
successfully worked upon by the financial services industry.  So my first 
question to you, why should your member banks, brokerages, insurance 
companies be able to sell my Social Security number without my 
permission?  
        MR. IRELAND.  Well, as I said in a response to Chairman Stearns a 
little while ago, we don't sell lists of Social Security numbers, and we 
have no interest in doing that.  There are circumstances, however, when 
you sell loans or groups of loans, and the loan files include Social 
Security numbers, it is necessary to the secondary mortgage market, for 
example, to be able to do that.  
        So to be able to sell Social Security numbers in that context, I think 
is critical to the effect of operation of the mortgage market and for 
consumers to be able to enjoy low mortgage rates.  
        MR. MARKEY.  Do you think it would be unrealistic to ask the 
secondary mortgage market to develop their own individual identifiers 
for their own clients that would not require them to use Social Security 
numbers as a universal identifier?  How hard can that be?  
        MR. IRELAND.  I think that is actually very, very difficult because 
one of the things you want to do if you are looking at a mortgage loan in 
the secondary market is you want to get an assessment of the credit 
quality of the borrower.  So you are not only going to have to be able to 
identify them as that mortgage loan borrower, but you may want to get a 
credit report on them to know whether this is a subprime 620 borrower or 
it is a superprime 820 borrower, that will go into how much you are 
going to pay for that particular mortgage.  
        MR. MARKEY.  So when companies secure ties, for example, credit 
card loans, do they always use a Social Security number, or do they have 
another identifier system which they use?  
        MR. IRELAND.  Well, various companies will attach when they create 
loans, mortgage loan identifiers.  
        MR. MARKEY.  A different number from the Social Security number.  
        MR. IRELAND.  In addition to the Social Security number.  
        MR. MARKEY.  How can they figure out to do that, but they 
couldn't--
        MR. IRELAND.  It is perfectly possible for financial institutions.  
As a matter of fact, most financial institutions do it all the time to 
establish unique account numbers for their customers.  
        MR. MARKEY.  So it is possible, is that what you are saying?  
        MR. IRELAND.  And that works very well for identifying people 
within that financial institution.  The problem comes in linking up their 
identification system with other identification systems.  If you are going 
to transfer assets or you are going to do business across institutions, 
which is key, as I pointed out, in the example in the secondary mortgage 
market, but there are numerous other examples.  
        MR. MARKEY.  Yeah.  Well, I just kind of disagree with you on that, 
sir.  I just think that we have got an information system now that is so 
massive in its delivery capacity that it can practically deliver breakfast to 
you through that wire.  And I don't know why we couldn't figure out or 
these industries couldn't figure out some identifier system that just didn't 
have to use the Social Security number.  
        Let me just move on here.  Under Gramm-Leach-Bliley, a financial 
services company doesn't have to get my permission to transfer my 
personal information, including my Social Security number, to any of its 
affiliates.  If I open a checking account with CitiBank, why should Smith 
Barney, Diners Club, Primerica, Citi Insurance and the rest of 
Citigroup's affiliates be able to get a copy of my personal information, 
including my Social Security number?  
        MR. IRELAND.  Well, as you may recall, one of the principle 
advantages of the Gramm-Leach-Bliley Act in tearing down the walls 
between banking and insurance and securities business was to allow the 
cross-marketing of those services within financial holding companies.  
And typically the way that is done, and to be done most cost effectively 
so the customers enjoy the best price, is out of a common customer 
database, which identifies customers the same way across the holding 
company.  So the customers can deliver one-stop shopping to their--
        MR. MARKEY.  All right.  So that is one-stop shopping.  Let us move 
to the next stage where they can deliver my Social Security number to 
any third party with whom the bank has a joint marketing agreement.  
Does that get into cost effectiveness too?  
        MR. IRELAND.  Well, one of the reasons, as I recall, for the joint 
marketing agreement exception was to allow smaller banking companies 
and securities companies to enter into agreements and try to deliver the 
same kind of one-stop shopping that larger financial services, holding 
companies do deliver.  It was a competitive issue for smaller institutions.  
        MR. MARKEY.  I appreciate it.  But why shouldn't they have to get 
my permission?  It is my identity.  Why shouldn't they have to come 
back to me and get my permission?  
        MR. IRELAND.  Well, as you will recall, Gramm-Leach-Bliley 
basically does an opt-out system for nonaffiliated third parties.  If for 
competitive reasons you wanted to decide that you were going to 
disadvantage the smaller institutions and provide a greater competitive 
advantage for larger institutions, I think that has financial structure 
implications, and my recollection is, that is the rationale for the joint 
marketing exception.  You could disagree with that exception on that 
basis, but I think that was the rationale.  
        MR. MARKEY.  Yeah.  But again, and this goes back to that period of 
time, I still don't believe that I should have to sacrifice my privacy and 
give up my Social Security number so that companies can market to me.  
If I want to give up my privacy, I should be asked to give it up.  And that 
is still a debate, but that gets to the core of the Social Security issue here.  
        People view that as their identity.  And I just don't think that they 
should be viewed to just even in a way if they open up an account in any 
part of Citigroup, and now it is just sloshing through the entire Citigroup 
empire and all third-party relationships that they have.  It just gets 
dangerous in terms of Amy Boyer, murder victim in New Hampshire.  
Okay, that is how this stuff just sloshes through and out, okay.  
        Let me ask Mr. Rotenberg and Ms. Steinfeld, do you believe the 
financial services industry should be exempted from any bill that this 
committee is crafting to create Social Security number protections of 
general applicability for all companies in America?  
        MR. ROTENBERG.  Congressman Markey, quite the opposite.  I think 
the financial services industries should be subject to the greatest 
regulation because they are typically the ones who make the greatest 
demand for the Social Security number.  Now, there may be some 
purposes that are appropriate and necessary, as I suggested in my 
statement, but it is precisely because that industry is making such wide 
spread use of the SSN that I think we need legal protections.  
        MR. MARKEY.  Okay.  Ms. Steinfeld?  
        MS. STEINFELD.  I believe the bill takes the approach of identifying 
the purpose that you would use the SSN for as the basis for the 
exception, and I continue to believe that that is the best approach rather 
than determining that a specific industry should be exempt.  In my view, 
it is better to say, what is the reason for the exemption?  
        It could very well be that at the end of a rule making, which I 
believe is the way to go, that many of the purposes that financial services 
put forward would be considered to be valid purposes, in which case they 
would get exemptions for those purposes.  But again, I think the useful 
exercise is to really explore what are the legitimate uses, what are the 
legitimate purposes and that a rule making is a good place to tee those 
issues up.  
        MR. MARKEY.  Thank you.  Now, Mr. Rotenberg, you have 
suggested that companies should only be able to use and collect Social 
Security numbers when they have explicit legal authority to do so.  
        Under current law, what are the circumstances in which there is such 
a legal authorization for the use of Social Security numbers by the 
private sector?  
        MR. ROTENBERG.  Well, Congressman, right now we really don't 
have an approach that sets up legal authority for collecting the SSN.  In 
some circumstances employers, for example, are required to obtain the 
SSN because it operates also as the employment identification--I am 
sorry, the tax identification number, and therefore is necessary for 
various tax filings.  
        But the point I was trying to make in my statement is I think 
Congress very wisely, back in the Privacy Act in 1974, was trying to 
limit the use, and your bill would certainly do this, but the core principle 
really is you don't ask for the SSN unless you have legal authority to get 
it.  
        MR. MARKEY.  So are there other circumstances where it would be 
permissible for a company to be able to collect or buy or sell a citizen's 
Social Security number?  
        MR. ROTENBERG.  Well, there's some case law that suggests that 
there could be limitations on the sale of the Social Security number.  
There was an interesting case a couple of years ago in Washington State, 
and I have been involved in some litigation surrounding the publication 
of the SSN, but for the most part, we really don't have any restrictions, 
and I think that is what has contributed in part to the growing identity 
theft.  
        MR. MARKEY.  Thank you.  Let me ask, Mr. Ireland, if Congress 
were to exempt the financial services industry from Social Security 
number protection legislation, what would prevent Citicorp from 
acquiring an information broker or creating an in-house information 
broker that would then not be subject to any rules crafted by the Federal 
Trade Commission for all other businesses?  
        MR. IRELAND.  Well, if Citigroup acquired an information broker, 
that broker would, by definition, be a financial institution subject to the 
Gramm-Leach-Bliley rules, which would also restrict the use of Social 
Security numbers.  I mean, I understand--
        MR. MARKEY.  But they have all the exceptions, which we just 
discussed.  
        MR. IRELAND.  They would have all of the exceptions we just 
discussed.  
        MR. MARKEY.  Right.  So Mr. Rotenberg, Ms. Steinfeld, what do 
you think?  What would happen in that kind of a situation where this 
information broker is now lodged safely inside of Citigroup?  What is the 
status for protection of Social Security numbers?  
        MS. STEINFELD.  I think the status of the Social Security numbers 
would be pretty legally available for the sharing except if the safeguards 
rule and the analysis done by Citigroup about security risks and 
mitigating risks resulted in some curbs on the use of the Social Security 
numbers.  
        MR. MARKEY.  What if it is not a customer, though?  What if it is 
someone else that wants to buy somebody else's name?  
        MS. STEINFELD.  I am not sure I understand the question.  If an 
outsider wanted to buy information from Citigroup.  Well, Mr. Ireland 
may want to comment.  
        MR. IRELAND.  If I may, first of all, the Citigroup affiliate would be 
subject to the Federal Reserve Board's rules, not the FTC safeguard's 
rule, Federal Reserve's security rules for the holding company.  And you 
are correct that those rules do not apply to information about 
noncustomers except they would have a reuse limitation under the 
Gramm-Leach-Bliley Act to the extent that they got that information 
from another financial institution.  
        One of the things that the data security bill that this committee 
passed and data security bills that other committees have passed did 
would be to close that loophole in requiring data security regardless of 
whether or not it is your customer.  And to my knowledge, the financial 
services industry doesn't have a problem with closing that loophole.  
        MR. MARKEY.  If I may, Mr. Chairman, I would just like to ask each 
of the witnesses to give us the one-minute nutshell summary of what you 
want us to remember from your testimony.  What do you want us to 
know about Social Security numbers and what Congress should do about 
it?  We will begin with you, Ms. McDonald.  One minute.  
        MR. STEARNS.  Or one sentence.  
        MS. MCDONALD.  Well, what I would like to say is there are 
beneficial uses to getting access to Social Security numbers.  And in the 
case of a missing participant or incorrect data, I don't know how you 
would get their approval up front in order to get that information.  
        MR. MARKEY.  Okay.  Mr. Lively.  
        MR. LIVELY.  I believe that one of the most important things that I 
would like to leave with you folks is the fact that we are very concerned 
about unintended consequences of a legislative process that hasn't gone 
deep enough to make sure that there is not going to be a very downside 
impact of the changes that are made in the law.  
        MR. MARKEY.  Ms. Steinfeld.  
        MS. STEINFELD.  I would say that it is surprising to me that data as 
sensitive as the Social Security number is so unregulated, and so I do 
think it is appropriate to ban the uncontrolled sale and purchase of Social 
Security numbers.  But this has to be done with extreme care for the 
reasons that all the panelists have described.  And a rule making with 
such attention to public comment and agency expertise and the FTC is an 
appropriate way to go.  
        MR. MARKEY.  Mr. Ireland.  
        MR. IRELAND.  I would echo Mr. Lively's comment that any 
requirement should be made with a full understanding of how they affect 
current legitimate business transactions so that we try to avoid 
unintended consequences.  
        MR. MARKEY.  And Mr. Rotenberg.  
        MR. ROTENBERG.  Congressman, I think the Social Security number 
has been pretty much a ticking privacy bomb from the time it was 
created, and I think the SSA has known this.  I think Congress has known 
this.  And I think the American public knows it.  And I think in the end, 
we are going to need some legislation to ensure that the privacy risks 
associated with the misuse of the SSN are minimized.  
        MR. MARKEY.  Thank you all very much.  Mr. Chairman, I can't 
thank you enough for your patience.  
        MR. STEARNS.  Well, thank you for coming back.  And I want to 
thank the panel for their patience while we had all the votes in the House 
floor.  
        I think that for a lot of members, we are just so surprised that 
there is no penalty, civil or criminal, for the sale of Social Security 
numbers, and we have sort of let this thing go.  So it is time we do 
something.  So I am encouraged that Chairman Barton has said we are going to 
try to have a markup or have a bill.  
        And so I think your patience here has helped a lot of us understand 
it better.  We have a written record now that we will use when we go back 
to debate and to convince our colleagues of the importance.  
        So with that, the subcommittee's adjourned.  
        MR. LIVELY.  Mr. Chairman would it be appropriate to submit my 
entire testimony, my written testimony?  
        MR. STEARNS.  By unanimous consent, so ordered.  
        MR. LIVELY.  Thank you, sir.  
        [Whereupon, at 5:50 p.m., the subcommittee was adjourned.] 

                               Footnotes
 	The views expressed in this statement represent the views of the 
Commission.  My oral presentation and responses to questions are my own and 
do not necessarily represent the views of the Commission or any other 
Commissioner. 
 	See Federal Trade Commission - Identity Theft Survey Report (2003), 
http://www.ftc.gov/os/2003/09/synovatereport.pdf and Rubina Johannes, 2006 
Identity Fraud Survey Report (2006), http://www.javelinstrategy.com/research. 
A free summary of the 2006 Identity Fraud Survey Report is available at 
http://www.bbb.org/alerts/article.asp?ID=651.
 	Federal Trade Commission - Identity Theft Survey Report at 6 (2003), 
http://www.ftc.gov/os/2003/09/synovatereport.pdf. 
 	Id.
 	According to the Consumer Data Industry Association, 14 million 
Americans have one of ten last names, and 58 million men have one of ten 
first names.
 	See General Accounting Office, Private Sector Entities Routinely 
Obtain and Use SSNs, and Laws Limit the Disclosure of This Information (GAO 
04-01) (2004).
 	See Federal Trade Commission - Report to Congress Under Sections 318 
and 319 of the Fair and Accurate Credit Transactions Act of 2003 at 38-40 
(2004), http://www.ftc.gov/reports/facta/041209factarpt.pdf.
 	The federal government also uses the SSN as an identifier, for 
example, as both an individual's Medicare and taxpayer identification number.  
It also is used to administer the federal jury system, federal welfare and 
workmen's compensation programs, and military draft registration.  See Social 
Security Administration, Report to Congress on Options for Enhancing the 
Social Security Card (Sept. 1997), 
www.ssa.gov/history/reports/ssnreportc2.html.
 	Local and state governments are reducing their reliance on SSNs for 
many administrative purposes in response to identity theft concerns.  For 
example, only a few states still use SSNs as drivers license numbers.  See 
David A. Lieb, Millions of Motorists Have Social Security Numbers 
on Licenses, The Boston Globe, Feb. 6, 2006, 
http://www.boston.com/news/local/massachusetts/articles/2006/02/06/millions_of_motorists_have_s 
ocial_security_numbers_on_licenses/.  In some cases, however, governments 
still use SSNs as identifiers when it is not essential to do so.  See Mark 
Segraves, Registering to Vote May Lead to Identity Theft, WTOP Radio, Mar. 22, 
2006, http://www.wtop.com/?nid=428&sid=733727.
 	Improved access to public records has important public policy 
benefits, but at the same time raises privacy concerns.  Some public records 
offices redact sensitive information such as SSNs, but doing so can be very 
costly.  The Commission has recognized the sensitive nature of SSNs, even 
when they are contained in publicly available records.  For example, in 
response to a comment on the DSW order, the Commission stated that "[C]ertain 
publicly available records, such as court records, contain Social Security 
numbers and other highly sensitive information that can be used to 
perpetrate identity theft."  The Commission response letter is available at 
http://www.ftc.gov/os/caselist/0523096/0523096DSW LettertoCommenter
BankofAmerica.pdf.
 	Some data brokers have announced that they are voluntarily 
restricting the sale of SSNs and other sensitive information to those with a 
demonstrable and legitimate need.  See Social Security Numbers Are for Sale 
Online, Newsmax.com, Apr. 5, 2005, 
http://www.newsmax.com/archives/articles/2005/4/4/155759.shtml.
 	15 U.S.C.  6801-09.
 	15 U.S.C.  45(a).
 	Pub. L. No. 108-159, 117 Stat. 1952. 
 	15 U.S.C.  1681-1681x, as amended.
 	15 U.S.C.  6809(3)(A).
 	12 C.F.R.  225.28, 225.86.
 	See 15 U.S.C.  6802; Privacy of Consumer Financial Information, 16 
C.F.R. Part 313 ("GLBA Privacy Rule").
 	See 15 U.S.C.  6809.  The GLBA defines "nonpublic personal 
information" as any information that a financial institution collects about 
an individual in connection with providing a financial product or service to 
an individual, unless that information is otherwise publicly available.  
This includes basic identifying information about individuals, such as name, 
SSN, address, telephone number, mother's maiden name, and prior addresses.  
See, e.g., 65 Fed. Reg. 33,646, 33,680 (May 24, 2000) (the FTC's Privacy 
Rule).
 	15 U.S.C.  6802(e).
 	16 C.F.R.  313.11(a).
 	Id.
 	15 U.S.C.  6801(b); Standards for Safeguarding Customer Information, 
16 C.F.R. Part 314 ("Safeguards Rule").
 	The Federal Deposit Insurance Corporation, the National Credit Union 
Administration ("NCUA"), the Securities and Exchange Commission, the Office 
of the Comptroller of the Currency, the Board of Governors of the Federal 
Reserve System, the Office of Thrift Supervision, and state insurance 
authorities have promulgated comparable information safeguards rules, as 
required by Section 501(b) of the GLBA. 15 U.S.C.  6801(b); see, e.g., 
Interagency Guidelines Establishing Standards for Safeguarding Customer 
Information and Rescission of Year 2000 Standards for Safety and Soundness, 
66 Fed. Reg. 8,616-41 (Feb. 1, 2001).  The FTC has jurisdiction over entities 
not subject to the jurisdiction of these agencies.
 	The Commission previously has recommended that Congress consider 
whether companies that hold sensitive consumer data, for whatever purpose, 
should be required to take reasonable measures to ensure its safety.  Such a 
requirement could extend the FTC's existing GLBA Safeguards Rule to companies 
that are not financial institutions.  See Statement of Federal Trade 
Commission Before the Committee on Commerce, Science, and Transportation, 
U.S. Senate, on Data Breaches and Identity Theft (June 16, 2005) at 7, 
http://www.ftc.gov/os/2005/06/050616databreaches.pdf. 
 	15 U.S.C.  45(a).
 	Deceptive practices are defined as material representations or 
omissions that are likely to mislead consumers acting reasonably under the 
circumstances.  Cliffdale Associates, Inc., 103 F.T.C. 110 (1984). 
 	15 U.S.C.  45(n).
 	Other practices include, for example, allegations of unauthorized 
charges in connection with "phishing," high-tech scams that use spam or 
pop-up messages to deceive consumers into disclosing credit card numbers, 
bank account information, SSNs, passwords, or other sensitive information.  
See FTC v. Hill, No. H 03-5537 (filed S.D. Tex. Dec. 3, 2003), 
http://www.ftc.gov/opa/2004/03/phishinghilljoint.htm; FTC v. C.J., No. 
03-CV-5275-GHK (RZX) (filed C.D. Cal. July 24, 2003), 
http://www.ftc.gov/os/2003/07/phishingcomp.pdf.
 	16 C.F.R. Part 382 ("Disposal of Consumer Report Information and 
Record Rule").
 	15 U.S.C.  1681g(a)(1)(A).  The FTC advises consumers of this 
right through its consumer outreach initiatives.  See, e.g., the FTC's 
identity theft prevention and victim recovery guide, Take 
Charge: Fighting Back Against Identity Theft at 5 (2005), available at  
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.pdf.
 	18 U.S.C.  2721-25.
 	45 C.F.R. Part 164 ("HIPAA Privacy Rule").
 	45 C.F.R.  164.530(c).
 	Documents related to these enforcement actions generally are 
available at http://www.ftc.gov/privacy/index.html.
 	15 U.S.C.  1681-1681x, as amended.  The FCRA specifies that 
consumer reporting agencies may only provide consumer reports for certain 
"permissible purposes."  ChoicePoint allegedly approved as customers 
individuals whose applications had several indicia of fraud, including 
false credentials, the use of commercial mail drops as business addresses, 
and  multiple applications faxed from the same public commercial location. 
The FTC's complaint alleged that ChoicePoint did not have a permissible 
purpose in providing consumer reports to such individuals and failed to have 
reasonable procedures to verify prospective subscribers. 
 	United States v. ChoicePoint, Inc., No. 106-CV-0198 (N.D. Ga. Feb. 
15, 2006).
 	In the Matter of CardSystems Solutions, Inc., FTC File No. 052-3148 
(proposed settlement posted for public comment, Feb. 23, 2006).  The 
settlement requires CardSystems and its successor corporation to implement a 
comprehensive information security program and obtain audits by an 
independent third-party professional every other year for 20 years.  As 
noted in the FTC's press release, CardSystems faces potential liability in 
the millions of dollars under bank procedures and in private litigation for 
losses related to the breach. 
 	Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 U.S.C.  
1028).
 	The FACT Act added a requirement that consumer reporting agencies, 
at the request of a consumer, place a fraud alert on the consumer's credit 
report.  Consumers may obtain an initial alert if they have a good faith 
suspicion that they have been or are about to become an identity theft 
victim.  The initial alert must stay on the file for at least 90 days.  
Actual victims who submit an identity theft report can obtain an extended 
alert, which remains in effect for up to seven years.  Fraud alerts require 
users of consumer reports who are extending credit or related services to take 
certain steps to verify the consumer's identity.  See 15 U.S.C.  1681c-1. 
 	These include the right to an extended fraud alert, the right to 
block fraudulent trade lines on credit reports and to prevent such trade 
lines from being furnished to a consumer reporting agency, and the ability 
to obtain copies of fraudulent applications and transaction reports.  See 15 
U.S.C.  1681 et seq., as amended.
 	See www.onguardonline.gov.  OnGuard Online is also available in 
Spanish.  See www.AlertaEnLinea.gov.
 	Security Check: Reducing Risks to Your Computer Systems, available 
at http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm.
 	Financial Institutions and Customer Data: Complying with the 
Safeguards Rule, available at 
http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm.
 	Information Compromise and the Risk of Identity Theft: Guidance for 
Your Business, available at 
http://www.ftc.gov/bcp/conline/pubs/buspubs/idtrespond.pdf.
 	See workshop agenda and transcripts available at 
www.ftc.gov/bcp/workshops/technology.  See Staff Report available at 
 http://www.ftc.gov/bcp/workshops/technology/finalreport.pdf.
 	See Federal Trade Commission - National and State Trends in Fraud & 
Identity Theft (Jan. 2006), available at 
http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf.  The Commission 
also conducts national surveys to learn how identity theft impacts the 
general public.  The FTC conducted the first survey in 2003 and is 
conducting a second survey this spring.  See Federal Trade Commission - 
Identity Theft Survey Report (Sept. 2003), available at 
http://www.ftc.gov/os/2003/09/synovatereport.pdf. 

 	15 U.S.C.  1681m(e).
        "Social Security - Government and Commercial Use of the Social 
Security Number is Widespread," February 1999, GAO/HEHS-99-28.
        Id. at 4.
        Id.
        Id. at 2.
        Existing law already includes provisions that prohibit identity 
theft.  For example, stealing someone's identity is punishable by civil and 
criminal penalties.  See, e.g., 18 U.S.C.  1028.  Moreover, the GLBA bans 
pretext calling-a tool of identity thieves.

        See, e.g., 12 C.F.R.  40.3(o).  The regulation generally defines 
protected "personally identifiable financial information" to include "any 
information . . . [t]he bank . . . obtains about a consumer in connection 
with providing a financial product or service to that consumers."  Id. 
(emphasis added).
        EPIC maintains an archive of information about the SSN online at 
http://www.epic.org/privacy/ssn/.
        See, e.g., Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) 
("Since the passage of the Privacy Act, an individual's concern over his 
SSN's confidentiality and misuse has become significantly more compelling"); 
Beacon Journal v. Akron, 70 Ohio St. 3d 605 (Ohio 1994) ("the high potential 
for fraud and victimization caused by the unchecked release of city employee 
SSNs outweighs the minimal information about governmental processes gained 
through the release of the SSNs"); Testimony of Marc Rotenberg, Executive 
Director, Electronic Privacy Information Center, at a Joint Hearing on Social 
Security Numbers and Identity Theft, Joint Hearing Before the House Financial 
Services Subcommittee on Oversight and Investigations and the House Ways and 
Means Subcommittee on Social Security (Nov. 8, 2001) available at  
http://www.epic.org/privacy/ssn/testimony_11_08_2001.html; Testimony of Chris Jay Hoofnagle, Legislative Counsel, EPIC, at a Joint Hearing on Preserving 
the Integrity of Social Security Numbers and Preventing Their Misuse by 
Terrorists and Identity Thieves Before the House Ways and Means Subcommittee 
on Social Security and the House Judiciary Subcommittee on Immigration, Border 
Security, and Claims (Sept. 19, 2002) available at 
http://www.epic.org/privacy/ssn/ssntestimony9.19.02.html. 
        Testimony of Marc Rotenberg, President, Electronic Privacy 
Information Center, at a Hearing on H.R. 98, the "Illegal Immigration 
Enforcement and Social Security Protection Act of 2005" before the House 
Judiciary Committee Subcommittee on Immigration, Border Security, and Claims 
(May 12, 2005) available at http://www.epic.org/privacy/ssn/51205.pdf.
        "Records, Computers, and the Rights of Citizens," Report of the 
Secretary's Advisory Committee on Automated Personal Data Systems, U.S. 
Department of Health, Education & Welfare 125-35 (MIT 1973).
        See, e.g., TRW, Inc. v. Andrews, 534 U.S. 19 (2001) (Credit 
reporting agencies issued credit reports to identity thief based on SSN 
match despite address, birth date, and name discrepancies); Dimezza v. First 
USA Bank, Inc., 103 F. Supp.2d 1296 (D. N.M. 2000) (same). See also United 
States v. Peyton, 353 F.3d 1080 (9th Cir. 2003) (Credit issued based solely 
on SSN and name, despite clear location discrepancies); Aylward v. Fleet 
Bank, 122 F.3d 616 (8th Cir. 1997) (same); Vazquez-Garcia v. Trans Union 
De P.R., Inc., 222 F. Supp.2d 150 (D. P.R. 2002) (same).
        Pub. L. No. 108-408 7211-7214, 118 Stat. 3638, 3825-3832 (2004). 
        Colo.  Rev. Stat  24-72.3-102; Ariz. Rev. Stat.  44-1373; Cal. 
Civ. Code  1798.85.
        N.Y. Educ. Law  2-b; W. Va. Code Ann.  18-2-5f.
        Ariz. Rev. Stat.  15-1823; R.I. Gen. Laws  16-38-5.1; Wis. Stat. 
Ann.  36.11(35); Ky. Rev. Stat. Ann.  156.160.
