<html>
<title> - PROTECTING CONSUMERS' DATA: POLICY ISSUES RAISED BY CHOICEPOINT</title>
<body><pre>[House Hearing, 109 Congress]
[From the U.S. Government Printing Office]



    PROTECTING CONSUMERS' DATA: POLICY ISSUES RAISED BY CHOICEPOINT

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                COMMERCE, TRADE, AND CONSUMER PROTECTION

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 15, 2005

                               __________

                           Serial No. 109-76

                               __________

      Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house

                               __________


                U.S. GOVERNMENT PRINTING OFFICE
99-916PDF            WASHINGTON : 2005
________________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001




                    ------------------------------

                    COMMITTEE ON ENERGY AND COMMERCE

                      JOE BARTON, Texas, Chairman

RALPH M. HALL, Texas                 JOHN D. DINGELL, Michigan
MICHAEL BILIRAKIS, Florida             Ranking Member
  Vice Chairman                      HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RICK BOUCHER, Virginia
PAUL E. GILLMOR, Ohio                EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia                 FRANK PALLONE, Jr., New Jersey
ED WHITFIELD, Kentucky               SHERROD BROWN, Ohio
CHARLIE NORWOOD, Georgia             BART GORDON, Tennessee
BARBARA CUBIN, Wyoming               BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
HEATHER WILSON, New Mexico           BART STUPAK, Michigan
JOHN B. SHADEGG, Arizona             ELIOT L. ENGEL, New York
CHARLES W. ``CHIP'' PICKERING,       ALBERT R. WYNN, Maryland
Mississippi, Vice Chairman           GENE GREEN, Texas
VITO FOSSELLA, New York              TED STRICKLAND, Ohio
ROY BLUNT, Missouri                  DIANA DeGETTE, Colorado
STEVE BUYER, Indiana                 LOIS CAPPS, California
GEORGE RADANOVICH, California        MIKE DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire       TOM ALLEN, Maine
JOSEPH R. PITTS, Pennsylvania        JIM DAVIS, Florida
MARY BONO, California                JAN SCHAKOWSKY, Illinois
GREG WALDEN, Oregon                  HILDA L. SOLIS, California
LEE TERRY, Nebraska                  CHARLES A. GONZALEZ, Texas
MIKE FERGUSON, New Jersey            JAY INSLEE, Washington
MIKE ROGERS, Michigan                TAMMY BALDWIN, Wisconsin
C.L. ``BUTCH'' OTTER, Idaho          MIKE ROSS, Arkansas
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee

                      Bud Albright, Staff Director

      James D. Barnette, Deputy Staff Director and General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

        Subcommittee on Commerce, Trade, and Consumer Protection

                    CLIFF STEARNS, Florida, Chairman

FRED UPTON, Michigan                 JAN SCHAKOWSKY, Illinois
NATHAN DEAL, Georgia                   Ranking Member
BARBARA CUBIN, Wyoming               MIKE ROSS, Arkansas
GEORGE RADANOVICH, California        EDWARD J. MARKEY, Massachusetts
CHARLES F. BASS, New Hampshire       EDOLPHUS TOWNS, New York
JOSEPH R. PITTS, Pennsylvania        SHERROD BROWN, Ohio
MARY BONO, California                BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  GENE GREEN, Texas
MIKE FERGUSON, New Jersey            TED STRICKLAND, Ohio
MIKE ROGERS, Michigan                DIANA DeGETTE, Colorado
C.L. ``BUTCH'' OTTER, Idaho          JIM DAVIS, Florida
SUE MYRICK, North Carolina           CHARLES A. GONZALEZ, Texas
TIM MURPHY, Pennsylvania             TAMMY BALDWIN, Wisconsin
MARSHA BLACKBURN, Tennessee          JOHN D. DINGELL, Michigan,
JOE BARTON, Texas,                     (Ex Officio)
  (Ex Officio)

                                  (ii)




                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Majoras, Deborah Platt, Chairman, Federal Trade Commission...    17
    Sanford, Kurt P., President and Chief Executive Officer, U.S.
      Corporate and Federal Government Markets, LexisNexis.......    37
    Smith, Derek, Chairman and Chief Executive Officer,
      ChoicePoint, Inc...........................................    44

             Additional Material Submitted for the Record:

    Smith, Derek, Chairman and Chief Executive Officer,
      ChoicePoint, Inc., response for the record.................    94

                                 (iii)



    PROTECTING CONSUMERS' DATA: POLICY ISSUES RAISED BY CHOICEPOINT

                              ----------


                        TUESDAY, MARCH 15, 2005

              House of Representatives,
              Committee on Energy and Commerce,
                       Subcommittee on Commerce, Trade,
                                   and Consumer Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:10 a.m., in
room 2123 of the Rayburn House Office Building, Hon. Cliff
Stearns (chairman) presiding.
    Members present: Representatives Stearns, Deal, Bass,
Pitts, Bono, Terry, Otter, Myrick, Murphy, Blackburn, Barton
(ex officio), Schakowsky, Markey, Towns, Brown, Green,
Strickland, DeGette, Gonzalez, and Baldwin.
    Staff Present: David Cavicke, chief counsel; Chris Leahy,
policy coordinator; Shannon Jacquot, majority counsel; Andy
Black, deputy staff director; Brian McCullough, majority
professional staff; Will Carty, majority professional staff;
Bud Albright, staff director; Larry Neal, deputy staff
director; Jon Tripp, deputy communications director; Kevin
Schweers, communications director; Billy Harvard, legislative
clerk; Julie Fields, special assistant to the policy
coordinator; Consuela Washington, minority counsel; Jonathan
Cordone, minority counsel; Edith Holleman, minority counsel;
Voncille Hines, minority staff assistant; and Turney Hall,
minority staff assistant.
    Mr. Stearns. Good morning, everybody. The subcommittee
hearing today will come to order on Protecting Consumers' Data:
Policy Issues Raised by ChoicePoint and identity theft.
    Just like knowledge, information is power. In a world where
information can be transmitted at the speed of light to anybody
with the ability to access it, legitimately or fraudulently,
there are a multitude of potential security issues that
obviously can occur. The security of that information can be
compromised within the sanctuary of the data base, along the
pipeline of the network, and at the final destination, which in
many cases, is a point of sale.
    What is more worrying is that sensitive information and
access to it involves very specific pieces about who we are,
where we live, what we buy, how much money we make, what we
drive, our criminal history, in fact, and so on. The growing
business of commercial data collection and brokering has made
products like packaged consumer information profiles tailored
for specific requirements and clients, a major and important
mode of business. These information products and their
applications are becoming more sophisticated and comprehensive,
as advances in technology continue to improve the capability to
collect, store, analyze, and package information, both personal
and non-personal.
    My colleagues, our focus today is directed at the apparent
cracks in the comprehensive system of information sharing and
brokering, including understanding how penetrable and
vulnerable the data bases and network pipelines are, as well as
assessing the accuracy and effectiveness of identity
verification.
    Now, the recent security breaches at two of the biggest and
most sophisticated companies in the industry, ChoicePoint and
LexisNexis, which are both represented here today, by their
CEOs, serve to highlight the need for Congress and this
committee to examine closely the effectiveness of the current
regulatory regimes. This would include Federal law, like the
Fair Credit Reporting Act, and State laws designated to protect
and secure this highly sensitive information from the criminals
working to breach these fortifications. These laws tend to
operate independently in the marketplace, in addition to the
State requirements. As a result, there is clearly a need to
consider a comprehensive Federal consumer notification
requirement, a uniform national standard, so that
jurisdictional issues don't cause unnecessary problems for
consumers victimized by this criminal activity. Any solution
needs to ensure that consumers are notified as quickly as
possible when these breaches occur. We owe that to every
American. And additionally, recent events compel us to visit
the fundamental privacy debate, as it relates to the power of
the consumer to control the transmission of that data, ensure
its accuracy, and be given notice when it is being used
legitimately or compromised for nefarious purposes.
    Now, as we all know, this hearing today is taking place
against a backdrop of one of the most rapidly growing crimes in
America, identity theft. As we will hear today, a recent
Federal Trade Commission survey showed that almost 10 million
people in the United States discovered that they were involved
in some sort of identity theft. These numbers translate into
losses of almost $50 billion for businesses and $5 billion for
consumers. My colleagues, this is a huge and growing market for
fraudsters, and according to some reports, for terrorist
networks seeking to cash in on this lucrative crime.
    The commercializing or monetarizing, as some may suggest,
of consumer data has made protecting it far more complex and
important, given its value in the wired marketplace. Today's
cyber-thieves employ high tech surveillance, in some cases slip
anonymously into secure data bases to complete the heist. More
traditional criminals simply acquire official identification
and business licenses fraudulently, then dupe the verification
process used by the information company, and set up a shop to
receive their first shipment of sensitive consumer financial
data, personal data. These two case studies we have before us
this morning, the high tech and mundane, are now in the
headlines, and indicate the digital dike is starting to leak
very sensitive information about ourselves to those who wish to
do us harm. As we will learn, breaches can occur from inside
companies as well. Data security firms, including the one
joining us today are working on novel approaches to secure data
bases and network traffic before breaches destroy the financial
soundness and privacy of thousands of Americans.
    At the same time, my colleagues, the ability to access much
of this personal information obviously facilitates legitimate
commerce that benefits all of us today. Trusted third parties,
including data brokers and financial institutions, facilitate
important commercial and public functions through their ability
to quickly and securely access vast amounts of consumer data.
Their technology and products help us, for example, screen out
risky job applicants from sensitive positions, obtain faster
credit and more securely, pay less for our insurance products,
and in a few dramatic cases, allow law enforcement to move
quickly to find criminal suspects. Many people value these
services and products, and may not even know about it.
    Today's hearing is not an effort to demonize these
legitimate practices and companies. But, my colleagues, it is,
rather, an opportunity to understand the reasons behind the
recent breaches, examine the legal regimes involved, and create
a means by which consumers affected by a breach can be provided
prompt and detailed notice, as well as an opportunity to verify
and correct their personal information. The average consumer
loves the convenience many of these systems provide, but
obviously also wants control over the details of his or her
life, public or not.
    The value of that information in today's digital
marketplace, coupled with illicit motives, makes its proper use
harder to police. Accordingly, this committee must ensure that
the commercial application of consumer information retains that
careful balance between security, the protection of privacy,
and liberty that every American holds so dear.
    I would like to thank our panel, particularly the
Chairwoman of the Federal Trade Commission, for being with us,
and also, the CEOs of both ChoicePoint and LexisNexis, for
their time and their willingness to come forward with their
testimony.
    With that, I recognize the Ranking Member, Ms. Schakowsky
of Illinois.
    [The prepared statement of Hon. Cliff Stearns follows:]
Prepared Statement of Hon. Clifford Stearns, Chairman, Subcommittee on
                Commerce, Trade, and Consumer Protection
    Good Morning. Just like knowledge, information is power. And in a
world where information can be transmitted at the speed of light to
anyone with the ability to access it, legitimately or fraudulently,
there are a multitude of potential security issues that can occur. The
security of that information can be compromised within the sanctuary of
the database, along the pipeline of the network, and at the final
destination, which in many cases is the point of sale. What's more
worrying is that sensitive information and access to it involves very
specific pieces about who we are: where we live, what we buy, how much
money we make, how we drive, our criminal history, and so on. The
growing business of commercial data aggregation and brokering has made
products like packaged consumer information profiles, tailored for
specific requirements and clients, a major and important business.
These information products and their applications are becoming more
sophisticated and comprehensive as advances in technology continue to
improve the capability to collect, store, analyze, and package
information, both personal and non-personal. Our focus today is
directed at the apparent cracks in the comprehensive system of
information sharing and brokering, including understanding how
penetrable and vulnerable the databases and network pipelines are, as
well as assessing the accuracy and effectiveness of identity
verification.
    The recent security breaches at two of the biggest and most
sophisticated companies in the industry, Choicepoint and LexisNexis,
which are represented before us today by their chief executives, serve
to highlight the need for Congress and this great Committee to examine
closely the effectiveness of the current regulatory regimes. This would
include federal law, like the Fair Credit Reporting Act, and state laws
designed to protect and secure this highly sensitive information from
the criminals working to breach those fortifications. These laws tend
to operate independently in the marketplace, in addition to the state
requirements. As a result, there is clearly a need to consider a
comprehensive federal consumer notification requirement, a uniform
national standard, so that jurisdictional issues don't cause
unnecessary problems for consumers victimized by criminal activity. Any
solution needs to ensure that consumers are notified as quickly as
possible when breaches occur. We owe that to every American.
    Additionally, recent events compel us to revisit the fundamental
privacy debate as it relates to the power of the consumer to control
the transmission of that data, ensure its accuracy, and be given notice
when it's being used legitimately or compromised for nefarious
purposes. As we all know, this hearing today is taking place against
the backdrop of the most rapidly growing crime in America--identity
theft. As we will hear today, a recent Federal Trade Commission survey
showed that almost 10 million people in the United States discovered
that they were involved in some sort of identity theft. These numbers
translate into losses of almost $50 billion for businesses and $5
billion for consumers. This is a huge and growing market for fraudsters
and, according to some reports, for terrorist networks seeking to cash
in on this lucrative crime.
    The commercializing or monetizing, as some may suggest, of consumer
data has made protecting it far more complex and important given its
value in the wired marketplace. Today's cyber-thieves employ high-tech
surveillance and, in some cases, slip anonymously into secure databases
to complete the heist. More traditional criminals simply acquire
official identification and business licenses fraudulently, dupe the
verification process used by the information company, and set up shop
to receive their first shipment of sensitive consumer financial and
personal data. These two case studies, the high-tech and mundane, are
now in the headlines and indicate the digital dike is starting to leak
very sensitive information about ourselves to those who wish to do us
harm. As we will also learn, breaches can also occur from inside
companies as well. Data security firms, including the one joining us
today, are working on novel approaches to secure databases and network
traffic before breaches destroy the financial soundness and privacy of
thousands of Americans.
    At the same time, the ability to access much of this personal
information facilitates legitimate commerce that benefits all of us.
Trusted third parties, including data brokers and financial
institutions, facilitate important commercial and public functions
through their ability to quickly and securely access vast amounts of
consumer data. Their technology and products help us, for example,
screen out risky job applicants from sensitive positions, obtain credit
faster and more securely, pay less for our insurance products, and in a
few dramatic cases, allow law enforcement to more quickly find criminal
suspects. Many people value these services and products and may not
even know it.
    Today's hearing is not an effort to demonize those legitimate
practices and companies, rather it is an opportunity to understand the
reasons behind the recent breaches, examine the legal regimes involved,
and create a means by which consumers affected by a breach can be
provided prompt and detailed notice, as well as an opportunity to
verify and correct their personal information. The average consumer
loves the convenience many of these systems provide, but also wants
control over the details of his life, public or not. The value of that
information in today's digital marketplace coupled with illicit motives
makes its proper use harder to police. Accordingly, this Committee must
ensure that the commercial application of consumer information retains
the careful balance between security, the protection of privacy, and
liberty that every American holds so dear.
    I would like to again graciously thank our distinguished panel of
witnesses for joining us today. We look forward to your testimony.
Thank you.

    Ms. Schakowsky. Thank you, Chairman Stearns, for holding
this hearing today on the risks that consumers face, because
the data brokers, like ChoicePoint, and problems that they have
had. We were all shocked to hear that a few criminals were able
to set up scams which jeopardized the personal and financial
security of hundreds of thousands of people. We need to close
the gaps in the law that are putting consumers and their
sensitive information at greater risk for privacy invasion,
identity theft, and other crimes.
    Stories of security breaches of data bases of personal and
financial information have been all over the news in the past
few weeks. Most notably, we have heard about ChoicePoint
selling personal records of 145,000 people to sham businesses,
and of con artists using real accounts and passwords to access
32,000 people's records in LexisNexis' Seisint data base.
    My own State of Illinois has already ranked ninth in the
Nation for identity theft cases, and the fact that 5,025 more
residents are at greater risk because of ChoicePoint's
fumble, and 481 more, because of LexisNexis' problem, I am
even more troubled by these reports. Chairman Stearns, being
that Florida is fifth in the Nation for ID theft, I know, and
you just testified that you are quite aware that these
breaches, what they can mean for consumers and our
constituents.
    While our witnesses will admit that some of the data
accessed as a result of the breaches is sensitive personal
information, including Social Security numbers and driver's
license numbers, we are also going to hear disclaimers about
how most of that information was from public records.
Downplaying the security breaches does not provide me or many
others with comfort. Although the information may be public,
when those records are compiled and then linked to other
information about consumers, the nature of those records is
radically changed.
    In fact, the power of aggregated information was one of the
driving forces before the 1974 Privacy Act, which makes it
illegal for government agencies to amass the kind of personal
information that data brokers do today. Our Congressional
predecessors knew that limits were needed to protect the
people's privacy from government spying. What they did not
realize was that Big Business would handle the dirty work for
Big Brother, and that technology would make it possible to
gather and store thousands of pieces of personal information
which is available with just the click of a mouse.
    Despite its power, profit, and reach, the burgeoning data
brokerage industry is largely unregulated. The lack of
regulation is seriously troubling for a number of reasons.
First of all, data brokers sell their information to employers,
insurance companies, debt collectors, government agencies, and
in some cases, individuals. They see their role as being ``risk
mitigators'' for their clients. However, the information they
sell could cost people jobs, insurance, the right to vote, or
even their lives, if the information is sold to a stalker or
abusive spouse, for example.
    The risk is shifted to defenseless and unaware people, at
times crime victims. There are no guarantees that the
information that data brokers are selling is accurate, and they
have few, if any, obligations to consumers to correct it. Data
brokers could blacklist people, and there is little victims can
do about it. On top of that, as these recent breaches reveal,
the very collection and sale of the information could mean that
even more accurate information is added to--inaccurate, excuse
me--that even more inaccurate information is added to
consumers' records.
    Already, 700 people who had their information bought by
fraudsters from ChoicePoint have become victims of identity
theft, and although ChoicePoint has promised to help them
correct the problems they will incur, it will take these
individuals on average 2 years or longer to clear their names.
Even then, we have no guarantee that all their future records
will reflect that, and who knows the costs they will incur
along the way.
    I find the lax security and regulation of data brokers
especially disturbing because of the government reliance on
them. One report put the number of government agencies using
data brokers at around 7,000, from local police stations to the
Department of Justice, with $67 million in contracts with
ChoicePoint in 2004 alone. Hundreds of millions of dollars are
flowing each year from the taxpayers' pockets and into the data
brokers' banks. While I am troubled by the prospect that the
government agencies may be violating the spirit of the 1974
Privacy Act, I am particularly concerned about the fact that
they are turning to freewheeling contractors to get their
information.
    If we are going to be using taxpayer dollars to pay for
these services, we need to make sure data brokers are
accountable when it comes to the security and accuracy of the
data they are compiling. People's very lives are at stake, and
we do not need a Halliburton of the information industry, or
another legal black hole through which contractors fall, and
from which they profit.
    Again, Chairman Stearns, I look forward to working with you
and the other members of our committee, to do what we can to
protect consumers. Thank you.
    Mr. Stearns. I thank the gentlelady. The chairman of the
full committee, the distinguished gentleman from Texas, Mr.
Barton, is recognized.
    Chairman Barton. Thank you, Mr. Chairman. Thank you for
holding this hearing, and thank you, Commissioner, for being
here. I would also like to recognize the former Chairman of the
Science Committee, Bob Walker of Pennsylvania, is in the
audience, and we appreciate him being here.
    This is an important hearing. We are all very concerned
about what has happened. Nobody takes this more seriously than
I do, along with Congressman Markey of Massachusetts. We are
original founders of the Privacy Caucus in the House, and in
the Senate, the founders are Senator Chris Dodd of Connecticut,
and Senator Shelby of Alabama. So I have not only a
professional interest as Chairman of the Committee, but a
personal interest as a privacy--co-chairman of the Privacy
Caucus, with Mr. Markey here in the House.
    It wasn't so long ago that your Social Security number was
known to two people, yourself AND the Social Security
Administration. I have stopped carrying my Social Security
card. I have just memorized it, but if I forgot it, it wouldn't
be very hard for me to get it. I could just almost touch base
with any number of creditors and, I think, get it very easily.
I didn't find out until I prepared for this hearing that your
Social Security number is routinely given, along with other
very sensitive information, to a number of agencies--that data is
collected by two of the companies that are before us today,
that have had a problem, and that for almost any purpose, it
can be obtained rather easily. I think that is just wrong. I
just think that is wrong. If I want to give my Social Security
number to somebody, I will give it to them. I know if I go to
the bank, and I want a loan, I am going to have to give them
some information, and I will voluntarily disclose that in order
to get the loan, or at least to be reviewed for the loan. But I
don't see how it serves my purpose as an individual when my
number and my information is routinely given without my
permission. I just fundamentally think that is unfair. In the
Internet age, it is just dangerous.
    With the availability of information sharing and file
sharing and all that over the Internet, it is just--it is
frightening. Identity theft, consequently, is becoming one of
the top issues in consumers' and voters' minds. My former wife
had her Social Security number stolen and used for medical
purposes at a hospital in Dallas, and only found out about it
when the hospital tried to collect some emergency room charges.
And since she was not in that hospital at any time for medical
services, we were able to prove that it wasn't her. If somebody
else had gotten her Social Security number, and tried to use it
to get medical treatment in Dallas.
    I understand that some of these groups that are here today
provide a public service by collecting information and selling
it, so that business groups can market legitimately their
products, over the Internet and through the mail and by
telephone. But I don't think that that is a guaranteed right,
and I do believe that individuals have the right to know what
is going on with their information. I think that after we hold
this hearing, we are going to have to make a decision whether
we need to set some national standards about what can be
traded, when, and what you have to tell the individual that
their own information is being used, and whether when, in this
case, it is stolen, people should be notified of that.
Currently, there is no Federal standard or Federal law that
requires that.
    Last year, according to the Federal Trade Commission, 10
million consumers were victims of identity theft. Ten million.
That number is going up, and if you are one of those 10 million
people, just getting your identity stolen is not the end of it.
It takes years and years, sometimes, to clean up the damage of
one inadvertent problem. We have a lot of members on this
committee that are very interested in this issue. I have
already mentioned Congressman Markey. Chairman Stearns has held
a number of hearings on this. Congressman Shadegg, our whip on
the committee, passed a Public Law, the Identity Theft and
Assumption Deterrence Act of 1998, 7 years ago. So we are ready
to go. We are going to hear our Chairman of the Federal Trade
Commission. We are going to hear some of our private sector
CEOs. Then we will hear some consumer advocates.
    I don't know if this is the only hearing we are going to do
on this. We may do another one. But some time this spring, we
are going to sit down after we have listened and digested the
testimony, and make a decision what legislative strategy, if
any, we need to employ. But my guess is we are going to move
forward with some Federal legislation on this issue, and with
that, Mr. Chairman, I would yield back.
    [The prepared statement of Hon. Joe Barton follows:]
 Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy
                              and Commerce
    Thank you Mr. Chairman for holding this hearing today. It is no
secret that privacy and information security are important to me. I co-
founded the Congressional Privacy Caucus, and as Chairman of the
Committee on Energy and Commerce, I have focused on Internet issues
like the spyware legislation that passed out of the Committee by a vote
of 43 to 0 just last week.
    Not long ago, your Social Security number was between you and the
government and nobody else. Nowadays, everybody seems to have your
number. That knowledge is the key to your financial security. It opens
a door for identity thieves to sneak into your life and steal both your
money and your good name.
    I just think this situation is fundamentally wrong any time. And in
the Internet age, it's downright dangerous. Under current law, anyone
has a near-perfect right to package your personal information and do
almost anything they want with it. They can change it, share it, rent
it or sell it. The constraints are so flimsy they're laughable.
    Although I recognize the consumer benefits of an increased flow of
information--such as easier and cheaper access to credit--I do believe
that consumers should have some measure of control over their
information. In particular, I believe that the businesses that benefit
from the use of consumer information should bear greater responsibility
for the security and integrity of that information. While specific
industries and particular types of information are governed by Federal
data security standards, Congress has not set comprehensive data
security standards. It may be time we do so.
    I believe we will need to consider whether there should be national
standards for protecting consumers when their personal information is
lost or wrongfully disclosed by a data broker. Consumers have no direct
relationships with these data brokers. To data brokers, we are not
customers--information about each of us is a product that is sold for
many purposes, including marketing without our knowledge or consent.
    I have been troubled by the press accounts that have revealed
security breaches at companies in a range of industries from financial
institutions, to data brokers, to retail outlets. Those breaches range
from misplaced information to outright fraud by identity thieves. No
matter the particular circumstances, these breaches demonstrate that
American businesses must do more to outwit identity thieves, and this
Committee must take the lead in developing appropriate safeguards for
consumer information.
    Identity theft is big business and the thieves are getting smarter
and more resourceful. According to the Federal Trade Commission,
approximately 10 million consumers were victims of identity theft in
2003. It is estimated that in 2003, identity theft victims spent 297
million hours trying to clear up the problems and their reputations.
    Even after unauthorized credit cards are closed and charges are
settled, it can take years for an innocent consumer to repair a credit
report. All the while, home ownership and other personal goals innate
to the American Dream could be out of reach. Data brokers do not bear
direct responsibility, but we have to ask: What are these companies
doing to cure the epidemic of identity theft?
    This Committee has a deep bench of experts in the areas of identity
theft and privacy. Chairman Stearns has held numerous hearings parsing
through important issues surrounding information privacy and security.
Representative Shadegg was the author of an important public law, the
Identity Theft and Assumption Deterrence Act of 1998. That Act has
provided significant tools for enforcement against identity theft. It
also directed the Federal Trade Commission to set up an identity theft
consumer resource center. That center has been a success as it has
gathered important information regarding identity theft, acted as a
central repository for complaints, and provided important consumer
education. I am pleased Chairman Majoras is here to testify today as
she brings much expertise in this area. I am eager to hear her
proposals for better and more comprehensive Federal data security
standards.
    I would also like to welcome the other witnesses today and I thank
them in advance for their testimony. We have a number of witnesses with
busy schedules and we appreciate their cooperation and assistance in
working through these challenging policy questions. Thank you and I
yield back the balance of my time.

    Mr. Stearns. I thank the gentleman. Ms. Baldwin, from
Wisconsin. I think. He was the first one here. She was the
first, actually. Mr.----
    Ms. Baldwin.
Representative Markey was here before me. I--\n--\n    Mr. Stearns. Oh, okay.\n    Ms. Baldwin. He greeted me as I walked in the door.\n    Mr. Stearns. All right. Good. I am glad you corrected. The \ngentleman from Massachusetts, Mr. Markey.\n    Mr. Markey. I thank the chairman very much. And I would \nlike to reiterate what the chairman of the full committee just \nsaid, which is that this is an issue which knows no political \nboundaries. Chairman Barton and I co-founded the Privacy \nCaucus, 7 or 8 years ago, because there is a point on privacy \nissues where the libertarian right and the liberal left agree \nwholeheartedly, and that is that the privacy of individuals \nshould be inviolate.\n    Now, we find that there is a pragmatic middle that argues \nthat it interferes with the ability of businesses to make money \noff of the privacy of individuals, but whether you are a \nDemocrat or a Republican, regardless of your age, it all polls \nout the same way. Eighty percent to 90 percent of all Americans \nwant stronger privacy protections. And Chairman Barton and \nChairman Stearns and I, Democrats and Republicans, Jan \nSchakowsky, we all agree on this issue. Americans take privacy \nseriously. We guard our credit cards by carefully returning \nthem to our wallets. We keep our mortgage records and Social \nSecurity cards and personal documents locked up.\n    How would consumers feel if they discovered that while they \ntake extra precautions to guard their personal information, \ntheir names, Social Security numbers, tax records, credit \nhistories, and employment records were piled high into \nwheelbarrows and baskets, and sold to the highest bidder, in a \nbustling marketplace that is as frenetic and unregulated as the \nstreets of Bombay? Right here, get your Social Security \nnumbers, medical records, employment history, cheaper by the \ndozen. Come, purchase them, the records of all Americans. 
How \nwould we all feel that our Social Security number was in some \nidentity vendor's suitcase of wares? How would we feel? We \nwould feel violated. That is exactly how two of my \nconstituents, Kei and Karen Kishimoto felt this week, when they \nwrote me about a letter they received from ChoicePoint, stating \nthat they were among the 145,000 victims whose Social Security \nnumbers and other sensitive and personal data were compromised \nby ChoicePoint.\n    ``We are furious,'' they wrote, ``that ChoicePoint has \nirresponsibly allowed this to happen. We take every precaution \nwithin our power to minimize our risk of becoming victims of \nidentity theft.'' These are just two of 145,000 victims. They \nhad no choice about this, and that is the point. They all feel \nviolated, each and every one of them. And so as this scandal \ngrows, we must legislate. I have introduced one piece of \nlegislation with Senator Bill Nelson from Florida, which would \nrequire the FTC to put tough new safeguards in place, that all \nof these information brokers will have to abide by, and I have \na second bill, that Senator Feinstein, in the Senate, has the \ncounterpart to, that I have introduced for several years, that \nwill make it a crime for a person to sell someone's Social \nSecurity numbers. I think we have reached a point where all of \nAmerica, through ChoicePoint, has begun to understand how \nvulnerable each and every one of their families has become.\n    I thank you, Mr. Chairman, for holding this very important \nhearing.\n    Mr. Stearns. I thank the gentleman. Mr. Terry is--if Terry \nis not here, then Mr. Murphy.\n    Mr. Murphy. Thank you, Mr. Chairman. Thank you for holding \nthis very important meeting on a topic that is both timely and \npertinent in today's world.\n    Today, the Federal Trade Commission Chairman will remind us \nthat this committee, that in 2003, the FTC estimated almost 10 \nmillion Americans were the victims of identity theft. 
In the \nlast 5 years alone, the FTC estimates that 27 million Americans \nhave been victims, costing consumers more than $5 billion. Nary \na week goes by that I do not see a story on the nightly news \nabout the dire effects consumers suffer when they fall victims \nto identify theft.\n    The term ``identity theft'' has unfortunately become \ncommonplace in the American lexicon. Yet, it is important to \ntake a second to consider the term and the crime, and remember \nthat it is, in fact, a crime as heinous as burglary or \nextortion. The perpetrators of these crimes are the bane of e-\ncommerce, and must be hunted down, prosecuted, and imprisoned \nfor a long while.\n    Too often we hear of schemes involving numerous consumer \nvictims, and we focus on the companies that were also \nvictimized, instead of placing the blame squarely on the \nshoulders of the terrorists who perpetrate these crimes. Recent \nevents have brought this topic into the limelight. ChoicePoint \nand LexisNexis were both victims of malicious and fraudulent \ncrimes. ChoicePoint was deceived into selling aggregated \nconsumer data to criminals, who may or may not have used it to \ndefraud upwards of 150,000 consumers. According to early \nestimates, data from almost 2,000 Pennsylvanians were placed in \njeopardy, and similarly, a LexisNexis data base was subject to \ncriminal hacking, which resulted in thousands of customers \nbeing placed at risk for financial fraud being committed \nagainst them.\n    I am alarmed at the amount of personal information that \nmost of think to be private is sold and traded every day \nwithout the knowledge of the actual person. It is important for \nCongress and especially this committee to be vigilant in \nmonitoring the personal data commodity markets, because an \ninfinitesimal number of consumers actually are aware of how \nmuch their information is publicly available for companies to \npurchase without giving you a dime. 
It is equally important not \nto fear-monger on this topic. The ability of data aggregators \nto provide accurate information about individuals is vital to \nour credit-based economy, and has become essential to law \nenforcement, and a vital component in our homeland security \nnetwork.\n    Every one of us submits to providing the detailed \ninformation almost every time we enter into contract with a \nvendor, whether it is for a credit card or even a newspaper \nsubscription. Some companies refuse to sell consumer--customer \ninformation to data aggregators. If companies wish not to have \ntheir data traded or disseminated, then they should seek out \nsuch companies. However, it is important to emphasize that we \nare not holding this hearing to take gratuitous potshots at an \nindustry that is vital. We are here this morning to figure out \nwhat the industry and Federal Government are doing to ensure \nconsumer data does not fall prey to criminals who will use it \nto defraud.\n    I am eager to hear from the witnesses, and stand ready to \ntake legislative actions to further protect consumers, and more \nharshly punish the pirates that commit these crimes.\n    Thank you.\n    Mr. Stearns. I thank my colleague. The gentlelady from \nWisconsin.\n    Ms. Baldwin. Thank you, Mr. Chairman.\n    Over the past quarter century, we have all witnessed the \nrevolution in information technology, and with access to the \nright data bases, a touch of the button, vast amounts of \ninformation about a person can be immediately accessed, their \ndate of birth, Social Security number, credit rating, debt, \nloans, insurance claims, magazine subscriptions, and even DNA \ninformation. 
Much of this information is relatively easily \naccessible to companies for a variety of legitimate purposes, \nbut such broad compilations raise significant concerns that \nhave been insufficiently considered by this Congress, and more \ngenerally, by the American people.\n    First, how do we ensure that the data is not misused? The \npotential here for fraud and abuse is significant, and as we \nknow from the Federal Trade Commission, identity theft \naccounted for 39 percent of consumer fraud complaints in 2004. \nUnfortunately, this problem is far greater than just \nChoicePoint.\n    Second, how do we ensure that the data is accurate? The \neveryday lives of Americans are affected by business decisions \nbased on personal information dossiers that are compiled \nwithout their knowledge or input. A person has no easy way to \nreview that data, or determine that the information is accurate \nor, perhaps, inaccurate, misleading, perhaps incomplete. And I \nrealize, Mr. Chairman, that that second question is beyond the \nscope of today's hearing, but I do hope that the subcommittee \nwill also focus on this question in the near future.\n    I am concerned that there is an inadequate and a sort of \npatchwork of laws and regulations that cover and govern the \ncollection, compilation, distribution, and use of aggregated \npersonal and financial information. Today, I hope to hear from \nour witnesses, as they articulate ways in which we can protect \nconsumers from identity theft and other misuses of their data.\n    Thank you, Mr. Chairman.\n    Mr. Stearns. I thank the gentlelady. The gentlelady from \nWisconsin--from California, Ms. Bono. Waive, the gentlelady \nwaives. Mr. Deal. Waive. Mr. Pitts. Pass. Mr. Otter. Ms. \nBlackburn. Waive, okay. Mr. Brown.\n    Mr. Brown. Thank you, Mr. Chairman.\n    Instead of data brokers, it is probably better to think of \ncompanies like ChoicePoint as data banks. 
Like financial banks, \nthey hold something valuable, and by choosing to profit from \nwhat they store, they must accept the responsibility to protect \nit from those who misuse it. Imagine that the bank down the \nstreet has been robbed repeatedly. The vault lock is pretty \nold, the night watchman's vision isn't what it used to be, and \nthey have no alarm system. The crooks know the bank is an easy \nmark, so the depositors keep taking it on the chin. Would we \nrespond, would we even consider responding only with tougher \nbank robber penalties in mandatory robbery disclosure? Of \ncourse not. We would make sure that the bank got a state-of-\nthe-art lock, perhaps Lasik surgery for the guard, and an alarm \nsystem designed maybe for a nuclear missile silo.\n    We have to consider a similar approach here. We ought to \ngive the FTC clear authority to set and enforce tough rules for \ndata protection. We ought to make all these rules seamless, so \nthe bad guys can't sneak in through the cracks, and we ought to \nput the--use the government's purchasing power to promote best \npractices that take security beyond the bare minimum. If the \nFederal Government fails to respond that way here, with a \ncomprehensive approach, we are as negligent as the data brokers \nwho allowed these violations to occur in the first place.\n    The economic impact of the crimes resulting from \nChoicePoint's negligence may reach the tens of millions of \ndollars, but in a broader context, the stakes are much higher. \nChoicePoint, this same company, is famous, or should I say \ninfamous, for a mistake with the voter files in Florida during \nthe 2000 Presidential election. Its error, coupled with the \nerrors of public officials, disenfranchised thousands of \nAfrican-American voters, and may have decided the Florida \nelections and the Presidential elections. 
But ChoicePoint, with \nall of its political connections to the highest levels of the \ngovernment in this country, was not the only party at fault. \nThe politician who chooses a contractor to perform a basic \ngovernment function, like administering elections, is just \nasking for trouble, and the costs of contracting out are not \nmeasured only in terms of dollars.\n    The lesson here, and I urge my colleagues to remember all \nof that the next time someone suggests a privatization plan, a \nprivatization of any function that has been performed \neffectively and efficiently, and honorably and honestly, by our \ngovernment. And I urge this subcommittee to act thoughtfully, \nbut quickly, on legislation to reform the data brokerage \nindustry.\n    Thank you, Mr. Chairman.\n    Mr. Stearns. I thank the gentleman. Mr. Green. No, let's \nsee. Coming back over here. Okay. Now, Mr. Green. Yeah. The \ngentleman from Texas.\n    Mr. Green. Thank you, Mr. Chairman. I would like to have my \nfull statement in the record, and I won't use all my time.\n    Mr. Stearns. By unanimous consent, so ordered.\n    [The prepared statement of Hon. Gene Green follows:]\n  Prepared Statement of Hon. Gene Green, a Representative in Congress \n                        from the State of Texas\n    I'd like to thank Chairman Stearns and Ranking Member Schakowsky \nfor taking the lead on this issue and holding this important hearing. \nI'd also like to welcome Chairwoman Majoras for being here today. Your \ncooperation and willingness to share your knowledge and experience with \nthis committee is imperative to our success in combating data and \nidentity theft.\n    Also, Mr. Smith and Sanford are to be commended for being here as \nthe leaders of their companies to share with us how their business \nworks, what's wrong with the current system and how we might be able to \nfix it.\n    Identity theft is the number one crime in the United States. 
The \nFTC estimates about $48 billion is lost each year to business due to \nthis crime, and $5 billion to consumers. We have held an Identity Theft \nWorkshops for our constituents so they know what they can do to lower \nthe chance that someone can access their information.\n    These workshops only work when credit reporting agencies, financial \ninstitutions and data brokers do their job to make sure information \ndoesn't fall into the wrong hands.\n    Now more than ever, we've ``become a number'': Most often, than \nnumber is our Social Security Number. Every financial institution uses \nthat number to verify that you are who you say you are.\n    Most of the time, this system works. However, when the information \nhas been stolen and others have been using your name to get credit, \nmake purchases, or start phony businesses, the results can be tragic. \nWithout good credit, you can't buy a home, you may be turned down for a \njob and it can take months even years to repair the damage that's been \ndone.\n    Our current systems of laws addressing this problem are piecemeal. \nWe have the Fair Credit Reporting Act to address Credit Reporting \nAgencies. The Federal Trade Commission Act addresses unfair and \ndeceptive trade practices. There is a separate law for Drivers License \ndata, Gramm-Leach--bliley addresses Financial Institutions and of \ncourse, there's HIPPA, which protects the security of our medical \nrecords.\n    Today, there is no encompassing law that addresses this problem on \nthe federal level. I believe this is one of the problems. 
While I \nsupport crafting legislation specifically to address the unique uses of \ninformation, we have not sent a message to Americans that this is \nsomething we are going to be tough on regardless of what type of \ninformation is stolen or misused.\n    In the case of ChoicePoint, information was sold to a faulty \nbusiness and approximately 145,000 people are at risk of having their \ninformation used without their knowledge. Hundreds are reported to have \nalready been affected in California.\n    Choice Point brokers information for a variety of purposes and does \nso through some of their subsidiaries such as Database Technologies \n(DBT). DBT was contracted with the State of Florida in 2001 and was \nresponsible for the removal of almost ten thousand minorities and \neligible voters from the rolls in Florida which threw our country into \nuncertainty for several days while we determined who was elected \nPresident of the United States.\n    In addition, Choice Point DNA data was used to help identify many \nof the victims on September 11. The scope of the information out there \nis immense and the responsibility that comes with collecting and \nselling this information is just as large.\n    We are here today to begin a dialogue with industry, the FTC and \nour colleagues to see what we can do to make our information as secure \nas possible. Billions of dollars can be made by using this information \nillegally. There will always be those who want to obtain this \ninformation for illegal purposes. Our purpose is to improve the \nsafeguards to the consumer.\n    As we will hear today, this issue is complex. However, what is \nclear is that something needs to be done to improve the security of our \nidentities. I believe requiring notification of individuals affected by \na security breech is where we should start.\n    I look forward to working with all of you on this important issue.\n    Thank you Mr. Chairman. I yield the balance of my time.\n\n    Mr. 
Green. But I just wanted to make three points.\n    One of them, I want to welcome our FTC Chairman here today, \nand identity theft is such a major issue, and when we heard \nabout what happened with ChoicePoint, it was frustrating, \nbecause ChoicePoint may have provided the data for 140,000 \npeople, and I know they have a great deal of data. The bad part \nis, is that they also struck some voters off the rolls in \nFlorida in 2001, but the good point is they were helping, they \nactually helped victims of 9/11 to identify the folks.\n    The problem I have is that I know, under Federal law now, \nwe are allowed, our constituents and ourselves are allowed \ncopies of--annually, of our credit reports from the three major \nagencies. But I have a copy of an MSNBC report about a lady, \nDonna Pierce, who received her ClearPoint, or--sorry, \nChoicePoint document, and yet, it wasn't supposed to be in our \nhands. Does not--does Federal law not allow me to ask \nChoicePoint, I want to see what you have on me?\n    If it is not, Mr. Chairman, we need to make sure that \nchanges, because if it is my information, I ought to have \naccess to it and correct it, just like we have now for our \nthree major credit agencies.\n    With that, Mr. Chairman, I will put my full statement in \nthe record. Thank you.\n    Mr. Stearns. I thank the gentleman. Mr. Otter.\n    Mr. Otter. Thank you, Mr. Chairman. I have a full statement \nthat I would like to submit for the record.\n    But just a couple of points that I would like to make that, \nso far, no member on either side of the aisle has made. And \nthat is, in my belief, that your information is actually your \nprivate property. And maybe it is our general disregard in this \ncountry, any more, for private property, copyright, patent, \ncreative genius, or what have you. 
That is your private \nproperty, and so long as you are engaged in peaceful use of \nthat private property, then it is the government's job to \nprotect that.\n    Yet, I also note, from the chairman, from the full \ncommittee chairman, who was just, I asked him, in his \nrecollection, is there any law or any punishment for even a \ngovernment bureaucrat, saying the IRS, or saying some other \ninformation gathering, Medicaid, Medicare, entity of \ngovernment, is there a penalty for them giving out private \ninformation? And so far as we have been able to ascertain, \nthere is none.\n    So Mr. Chairman, this is far and reaching, and I think if \nwe just look at the private sector and the private sector only, \nand forget about our privacy, and forget about our personal \nrights to peaceful use of our privacy, we are making a big \nmistake. I do appreciate your having this hearing, and allowing \na broad perspective research and development of this issue.\n    Thank you, Mr. Chairman.\n    [The prepared statement of Hon. C.L. ``Butch'' Otter \nfollows:]\n Prepared Statement of Hon. C.L. ``Butch'' Otter, a Representative in \n                    Congress from the State of Idaho\n    I would like to thank the chairman for holding this hearing. I \nthink it is an extremely important issue and believe we have a real \nopportunity to assist businesses and their customers in providing a \nsafe electronic marketplace.\n    In recent years there has been an increased awareness of identity \ntheft, yet we still hear relatively little about the losses associated \nwith these thefts.\n    While there will always be those who are dishonest and seek to scam \nthe system, we must be more diligent in protecting our electronic \nassets and information. 
A system of shields employed to provide \nprotections is certainly in the best interest of both consumers and \ncompanies that rely on the Internet to conduct business.\n    I am very interested in hearing from the witnesses today on what \nrole they believe the government has in safeguarding consumers and \ncompanies that rely on the Internet and electronic transactions to \nconduct business.\n    Mr. Chairman, I thank you again for the opportunity to examine this \nissue and I look forward to hearing from the witnesses.\n\n    Mr. Stearns. I thank the gentleman from Idaho. Mr. \nGonzalez, the gentleman from Texas.\n    Mr. Gonzalez. Thank you very much, Mr. Chairman. I will be \nbrief. But I was on Financial Services when the Fair Credit \nReporting Act and reauthorization and what we were thinking of \ndoing came up, and I was there when the Gramm-Leach-Bliley Act \ncame up, and we voted it out.\n    And the big question, then, was recognizing the economic \nrealities of how people do business, and the need to, of \ncourse, acquire and store, exchange and share information, and \nit was quite a debate. We finally came up and recognized \nrealities. But what we are faced with today is something that \neverybody feared, and that is okay, what about the safekeeping \nand the proper sharing with the proper individuals that are \nentitled to the information? We assumed, of course, that there \nwould be some mischief out there, but maybe never to the scale \nthat we are experiencing today, with some of the stories that \nare out there in the press, and what we are dealing with this \nmorning.\n    The question then comes down to, because you have heard how \nstrongly members on both sides of the aisle feel about the \nnature of this information. If you can't protect it, if you \ncannot secure it, should it be out there at all? 
And if we are \nnot going to have that kind of information collection and \nsharing, how does it, then, impact the day to day businesses of \nwhat we do in this country? And so I think we have to really \nkeep the two issues, and see if we can still, you know, come up \nwith some solutions to make sure that we don't impact the \nbigger and greater picture out there, of the necessity for \nresponsible collection and sharing of information.\n    I yield back.\n    Mr. Stearns. The gentleman yields back. The gentlelady from \nColorado.\n    Ms. DeGette. Thank you. Mr. Chairman, I would ask unanimous \nconsent to put my full statement in the record.\n    Mr. Stearns. By unanimous consent.\n    Ms. DeGette. Let me just make a couple of points.\n    There is a real human face on this problem. Thirty-two \nthousand people, people, our constituents, were affected by the \nincidence at LexisNexis, and credit card numbers were stolen \nfrom customers of over 100 stores at a popular retailer. One \nhundred fourty-five thousand people were affected by the \nChoicePoint security lapse, and of course, 1.2 million Federal \nworkers now know that the Bank of America has lost computer \ntapes that contained confidential financial data.\n    And what all of this shows together is that the information \nbroker business needs a closer look. 
These companies are \ndealing in the business of people's most confidential \ninformation, their Social Security numbers, their credit card \ndata, their driver's license records, and their other personal \ninformation, and this is information that belongs to millions \nand millions of people.\n    If these companies are vulnerable to hacking and other \nfraudulent practices, which obviously they are, then we have no \nchoice but to draw the conclusion that the privacy and overall \nsecurity of our citizens is at risk, and so I am looking \nforward to hearing more from the FTC about the recent study \nthat was released showing that in a 1-year period, over 10 \nmillion people in this country had their personal information \nstolen and used in a fraudulent manner, and I am hoping that \nthere is some idea as to the new tools that we can use to deal \nwith this growing problem.\n    Society pays a great price, frankly, the citizen's personal \ninformation is available to criminals. The economy suffers \nbecause of business losses, and to individuals who are victims \nof identity theft, it can be utterly devastating, and it takes \nhuge numbers of hours for people to try to deal with this. And \nso, Mr. Chairman, I, like everyone else, am glad that you had \nthis hearing to decide what tools we have in place to combat \nthis problem, but more importantly, I am looking forward to, as \na committee, determining what more may need to be done to \nprotect this very sensitive data.\n    And with that, Mr. Chairman, I yield back.\n    Mr. Stearns. I thank the gentlelady. The gentleman, Mr. \nTowns, from New York.\n    Mr. Towns. Thank you very much, Mr. Chairman, for holding \nthis hearing.\n    The recent high profile cases of consumers' personal data \nbeing unwittingly sold or stolen has brought this issue to the \nforefront. The American public is looking for answers to how \ndata brokers, such as ChoicePoint, could make such a glaring \nerror. 
I am hopeful today's hearing will begin the important \nprocess of examining our current laws, and help our committee \ndetermine what we can do to strengthen those laws, or improve \nenforcement of our existing statutes.\n    I have had a longstanding interest in protecting consumers' \nprivacy. I first began advocating for safeguarding medical \nrecords when I found my own medical records in a public trash \nbin, and of course, the hospital had closed, and they threw the \nrecords out, and the records were just there for anybody to \ngrab or to see, and in response, I introduced a bill protecting \nthe privacy rights of insurance claimants, which became part of \nHIPAA.\n    Since last Congress, I have been working with my colleague, \nCongresswoman Mary Bono, to protect consumer privacy on the \nInternet from spyware. Our committee passed this bill last \nweek, and I am hopeful that we can send it to the President's \ndesk before the end of this year. But perhaps most frightening \nis the ability of these large companies to aggregate data, so \nthat almost anything can be found out about you by a wide range \nof people.\n    On one hand, ChoicePoint should be commended for using its \ndata to help clear wrongly convicted felons, as part of the \nInnocence Project. However, on the other hand, its data was \nmistakenly used to wrongly disenfranchise thousands of African-\nAmerican voters in the 2000 election.\n    I look forward to hearing from our witnesses today, Mr. \nChairman. I think this is a very important hearing, and I think \nthat what we do here will determine the lives of many, in terms \nof what they will go through in years to come. So I look \nforward to hearing from the witnesses.\n    Mr. Stearns. I thank the gentleman. I think we are ready. \nMr. Terry, did you have--I will--glad to consider. All right.\n    With that, we will have our first panel. Mr. Strickland. I \nam sorry. Did you have an opening statement?\n    Mr. Strickland. 
No, thank you, Mr. Chairman.\n    Mr. Stearns. Okay. I thank the gentleman. With that, I \nthink the opening statements are complete.\n    [Additional statement submitted for the record follows:]\nPrepared Statement of Hon. Barbara Cubin, a Representative in Congress \n                       from the State of Wyoming\n    Thank you, Mr. Chairman, for holding this timely markup.\n    I would like to thank the three panels of witnesses who have agreed \nto join us today. The subcommittee has compiled a very respectable list \nof witnesses who will be able to offer us several distinct looks at the \nrole of data collection agencies, how these corporations operate, and \nthe federal laws governing these information services. The brokerage of \npersonal information is a complex issue, and I look forward to \nbenefitting from the testimony offered today.\n    Throughout my tenure on this subcommittee, we have continuously \naddressed issues relating to privacy protection and the ability of \nthird parties to access and distribute personally identifiable \ninformation. As we will hear today, there are most certainly valid and \nappropriate roles for personal data collection. You can't argue with \nthe role data collection agencies play in prosecuting criminals and \nmonitoring national security threats. However, with the rapid advance \nof technology, the definition of ``theft'' has been dramatically \naltered. For every genuine and useful role of data collection, there \nseems to be a corresponding opportunity to use this information in a \ncriminal nature.\n    Internet technology has opened the doors to business and consumer \nopportunities and increased educational access to millions, and this \nincreased access is particularly important to the rural areas of \nWyoming I represent. However, this increasing reliance on web-based \ntechnologies has opened the door for new crimes. 
As I said, many of the \npeople in Wyoming enjoy the benefits of the internet, but these same \nfolks still hold fast to the values of honesty and integrity. These \nprinciples should not have to be compromised to enjoy the benefits of \ninternet technology.\n    It is my hope that today's hearing will open a dialogue that will \ndemonstrate if Congress is doing enough to protect the common citizen \nfrom blatant crime and deception posed by identity theft. I also hope \nto hear suggestions regarding what consumers can immediately do to \nprotect themselves from identity theft.\n    Again, I thank the Chairman, and I yield back the balance of my \ntime.\n\n    Mr. Stearns. We welcome the Chairwoman of the Federal Trade \nCommission, Deborah Platt Majoras, for her opening statement, \nand I am very glad to have her. And I had an opportunity to \nmeet with her, and we were very impressed, and worked in--close \ntogether with Tim Muris, your predecessor, and we hope we can \ndo the same with you, and we have followed your testimony on \nthe Senate Banking Committee, so we hope to hear from you \nagain, and with that, welcome.\n\n  STATEMENT OF DEBORAH PLATT MAJORAS, CHAIRMAN, FEDERAL TRADE \n                           COMMISSION\n\n    Ms. Majoras. Thank you very much, Mr. Chairman, members of \nthe committee. I am Deborah Majoras, Chairman of the Federal \nTrade Commission. 
I am grateful for the opportunity to testify \nabout identity theft, security of consumer information, and in \nparticular, the collection of that information by data brokers.\n    Although the views expressed in the written testimony \nrepresent the views of the Commission, my oral presentation and \nresponses to your questions are my own, and do not necessarily \nrepresent the views of the Commission or any other individual \nCommissioner.\n    Recent revelations about security breaches that have \nresulted in disclosure of sensitive personal information about \nthousands of consumers have put a spotlight on the practices of \ndata brokers like ChoicePoint that collect and sell this \ninformation. The data broker industry includes many types of \nbusinesses, providing a variety of services to an array of \ncommercial and governmental entities. Information sold by data \nbrokers is used for many purposes, from marketing to assisting \nin law enforcement.\n    Despite the potential benefits of these information \nservices, the data broker industry is the subject of both \nprivacy and information security concerns. As recent events \ndemonstrate, if the sensitive information they collect gets \ninto the wrong hands, it can cause serious harm to consumers, \nincluding identity theft.\n    As every member here has acknowledged today, identity theft \nis a pernicious problem. As has also been acknowledged several \ntimes today, our recent survey estimated that as many as 10 \nmillion consumers discovered that they were victims of some \nform of identity theft in the 12 months preceding this survey. \nThat is 4.5 percent of our adult population, and it represented \nan estimated nearly $5 billion in losses to consumers, and $48 \nbillion in losses in business. 
We must look at ways to reduce \nidentity theft, which has shaken consumer confidence to the \ncore.\n    One means of reducing identity theft is to ensure that \nsensitive, nonpublic information that is collected by data \nbrokers is maintained securely. There is no single Federal law \ngoverning the practices of data brokers. There are, however, \nstatutes and regulations that address the security of the \ninformation they maintain, depending on how the information was \ncollected, and how it is used. The Fair Credit Reporting Act, \nfor example, makes it illegal to disseminate consumer report \ninformation, like credit reports, to someone who does not have \na permissible purpose, that is, a legitimate business purpose \nfor using that information. Thus, data brokers are only subject \nto FCRA's requirements to the extent that they provide consumer \nreports as that is defined in the statute.\n    Similarly, the Gramm-Leach-Bliley Act, which the Commission \nalso enforces, imposes restrictions on the extent to which \nfinancial institutions may disclose consumer information \nrelated to financial products and services. Under GLB, the \nCommission issued its Safeguards Rule, which imposes security \nrequirements on a broadly defined group of financial \ninstitutions that hold customer information, and the Commission \nrecently brought two cases in which we alleged the companies \nhad not taken reasonable precautions to safeguard consumer \ninformation.\n    And finally, Section 5 of the FTC Act prohibits unfair or \ndeceptive practices by a broad spectrum of businesses, \nincluding those involved in the collection or use of consumer \ninformation. 
Using this authority, the Commission has brought \nseveral actions against companies that made false promises \nabout how they would use or secure sensitive information, and \nthese cases make clear that an actual breach of security is not \nnecessary for an enforcement action under Section 5, if the \nCommission determines that the company's security procedures \nwere not reasonable in light of the sensitivity of the \ninformation being maintained. Evidence of a breach, of course, \nthough, may indicate that the company's procedures were not \nadequate.\n    Now, it is important to remember that there is no such \nthing as perfect security, and breaches can occur, even for \ncompanies that have taken reasonable precautions. The \nCommission, consistent with the role that Congress gave us in \n1998, has worked hard to educate consumers and business about \nthe risks of identity theft, and to assist victims and law \nenforcement officials. The Commission maintains a website and a \ntoll-free hotline, staffed with trained counselors, who advise \nvictims on how to reclaim their identities.\n    We receive roughly 15,000 to 20,000 contacts per week on \nthe hotline, or through our website, or mail from victims, and \nfrom consumers who want to avoid becoming victims. The \nCommission also facilitates cooperation, information sharing, \nand training among Federal, State, and local law enforcement \nauthorities fighting this crime.\n    Although data brokers are currently subject to a patchwork \nof laws, depending on the nature of their operations, recent \nevents clearly raise the issue of whether these laws are \nsufficient to ensure the security of this information. I \nbelieve that there may be additional measures that would \nbenefit consumers. 
Although a variety of proposals have been \nput forward, and all should be considered, the most immediate \nneed is to address the risks to the security of the \ninformation.\n    Extending the Federal Trade Commission's Safeguards Rule to \nsensitive personal information collected by data brokers is one \nsensible step that could be taken. It also may be appropriate \nto consider a workable Federal requirement for notice to \nconsumers when there has been a security breach that raises a \nsignificant risk of harm to consumers.\n    Mr. Chairman, members of the committee, the FTC shares your \nconcern for the safety for the security of consumer \ninformation. We have been working hard on this issue, and we \nwill continue to take all steps within our authority to protect \nconsumers.\n    I thank you for the opportunity to discuss this vitally \nimportant subject, and I would be happy to respond to your \nquestions.\n    [The prepared statement of Deborah Platt Majoras follows:]\n Prepared Statement of Deborah Platt Majoras, Chairman, Federal Trade \n                               Commission\n\n                            I. INTRODUCTION\n    Mr. Chairman and members of the Subcommittee, I am Deborah Platt \nMajoras, Chairman of the Federal Trade Commission.<SUP>1</SUP> I \nappreciate the opportunity to appear before you today to discuss the \nlaws currently applicable to resellers of consumer information, \ncommonly known as ``data brokers.''\n---------------------------------------------------------------------------\n    \\1\\ This written statement reflects the views of the Federal Trade \nCommission. My oral statements and responses to any questions you may \nhave represent my own views, and do not necessarily reflect the views \nof the Commission or any individual Commissioner.\n---------------------------------------------------------------------------\n    Data brokers provide information services to a wide variety of \nbusiness and government entities. 
The information they provide may help \ncredit card companies detect fraudulent transactions or assist law \nenforcement agencies in locating potential witnesses. Despite these \nbenefits, however, there are concerns about the aggregation of \nsensitive consumer information and whether this information is \nprotected adequately from misuse and unauthorized disclosure. In \nparticular, recent security breaches have raised questions about \nwhether sensitive consumer information collected by data brokers may be \nfalling into the wrong hands, leading to increased identity theft and \nother frauds. In this testimony, I will briefly describe what types of \ninformation data brokers collect, how the information is used, and some \nof the current federal laws that may apply to these entities, depending \non the nature of the information they possess.\n    All of this discussion takes place against the background of the \nthreat of identity theft, a pernicious crime that harms both consumers \nand financial institutions. A 2003 FTC survey showed that over a one-\nyear period nearly 10 million people--or 4.6 percent of the adult \npopulation--had discovered that they were victims of some form of \nidentity theft.<SUP>2</SUP> As described in this testimony, the FTC has \na substantial ongoing program both to assist the victims of identity \ntheft and to collect data to assist criminal law enforcement agencies \nin prosecuting the perpetrators of identity theft.\n---------------------------------------------------------------------------\n    \\2\\ Federal Trade Commission--Identity Theft Survey Report (Sept. \n2003) (available at http://www.ftc.gov/os/2003/09/synovatereport.pdf).\n---------------------------------------------------------------------------\n\n    II. 
THE COLLECTION AND USE OF CONSUMER INFORMATION <SUP>3</SUP>\n\n---------------------------------------------------------------------------\n    \\3\\ For more information on how consumer data is collected, \ndistributed, and used, see generally General Accounting Office, Private \nSector Entities Routinely Obtain and use SSNs, and Laws Limit the \nDisclosure of this Information (GAO-04-11) (2004); General Accounting \nOffice, SSNs Are Widely Used by Government and Could be Better \nProtected, Testimony Before the House Subcommittee on Social Security, \nCommittee on Ways and Means (GAO-02-691T) (statement of Barbara D. \nBovbjerg, April 29, 2002); Federal Trade Commission, Individual \nReference Services: A Report to Congress (December 1997) (available at \nhttp://www.ftc.gov/os/1997/12/irs.pdf). The Commission has also held \ntwo workshops on the collection and use of consumer information. An \nagenda, participant biographies, and transcript of ``Information Flows, \nThe Costs and Benefits to Consumers and Businesses of the Collection \nand Use of Consumer Information,'' held on June 18, 2003, is available \nat http://www.ftc.gov/bcp/workshops/infoflows/030618agenda.html. \nMaterials related to ``The Information Marketplace: Merging and \nExchanging Consumer Data,'' held on March 13, 2001, are available at \nhttp://www.ftc.gov/bcp/workshops/infomktplace/index.html.\n---------------------------------------------------------------------------\n    The information industry is large and complex and includes \ncompanies of all sizes. Some collect information from original sources, \nothers resell data collected by others, and many do both. Some provide \ninformation only to government agencies or large companies, while \nothers sell information to small companies or the general public.\nA. Sources of Consumer Information\n    Data brokers obtain their information from a wide variety of \nsources and provide it for many different purposes. 
The amount and \nscope of information that they collect varies from company to company, \nand many offer a range of products tailored to different markets and \nuses. Some data brokers, such as consumer reporting agencies, store \ncollected information in a database and allow access to various \ncustomers. Some data brokers may collect information for one-time use \nby a single customer. For example, a data broker may collect \ninformation for an employee background check and provide that \ninformation to one employer.\n    There are three broad categories of information that data brokers \ncollect and sell: public record information, publicly-available \ninformation, and non-public information.\n1. Public Record Information\n    Public records are a primary source of information about consumers. \nThis information is obtained from public entities and includes birth \nand death records, property records, tax lien records, voter \nregistrations, licensing records, and court records (including criminal \nrecords, bankruptcy filings, civil case files, and judgments). Although \nthese records generally are available to anyone directly from the \npublic agency where they are on file, data brokers, often through a \nnetwork of subcontractors, are able to collect and organize large \namounts of this information, providing access to their customers on a \nregional or national basis. The nature and amount of personal \ninformation on these records varies with the type of records and agency \nthat created them.<SUP>4</SUP>\n---------------------------------------------------------------------------\n    \\4\\ Specific state or federal laws may govern the use of certain \ntypes of public records. For example, the federal Driver's Privacy \nProtection Act, discussed infra, places restrictions on the disclosure \nof motor vehicle information.\n---------------------------------------------------------------------------\n2. 
Publicly-Available Information\n    A second type of information collected is information that is not \nfrom public records but is publicly available. This information is \navailable from telephone directories, print publications, Internet \nsites, and other sources accessible to the general public. As is true \nwith public record information, the ability of data brokers to amass a \nlarge volume of publicly-available information allows their customers \nto obtain information from an otherwise disparate array of sources.\n3. Non-Public Information\n    Data brokers may also obtain personal information that is not \ngenerally available to members of the public. Types of non-public \ninformation include:\n\n<bullet> Identifying or contact information submitted to businesses by \n        consumers to obtain products or services (such as name, \n        address, phone number, email address, and Social Security \n        number);\n<bullet> Information about the transactions consumers conduct with businesses \n        (such as credit card numbers, products purchased, magazine \n        subscriptions, travel records, types of accounts, claims filed, \n        or fraudulent transactions);\n<bullet> Information from applications submitted by consumers to obtain \n        credit, employment, insurance, or other services (such as \n        information about employment history or assets); and\n<bullet> Information submitted by consumers for contests, website \n        registrations, warranty registrations, and the like.\nB. Uses of Consumer Information\n    Business, government, and non-profit entities use information \nprovided by data brokers for a wide variety of purposes. 
For example, \nthe commercial or non-profit sectors may use the information to:\n\n<bullet> Authenticate potential customers and to prevent fraud by ensuring \n        that the customer is who he or she purports to be;\n<bullet> Evaluate the risk of providing services to a particular consumer, for \n        example to decide whether to extend credit, insurance, rental, \n        or leasing services and on what terms;\n<bullet> Ensure compliance with government regulations, such as customer \n        verification requirements under anti-money laundering statutes;\n<bullet> Perform background checks on prospective employees;\n<bullet> Locate persons for a variety of reasons, including to collect child \n        support or other debts; to find estate beneficiaries or holders \n        of dormant accounts; to find potential organ donors; to find \n        potential contributors; or in connection with private legal \n        actions, such as to locate potential witnesses or defendants;\n<bullet> Conduct marketing and market research; and\n<bullet> Conduct academic research.\n    Government may use information collected by data brokers for:\n\n<bullet> General law enforcement, including to investigate targets and locate \n        witnesses;\n<bullet> Homeland security, including to detect and track individuals with \n        links to terrorist groups; and\n<bullet> Public health and safety activities, such as locating people who may \n        have been exposed to a certain virus or other pathogen.\n    These are just some examples of how these entities use information \ncollected by data brokers.\n    It is important to understand that the business of data brokers \ncould cover a wide spectrum of activities, everything from telephone \ndirectory information services, to fraud data bases, to sophisticated \ndata aggregations.\n\n             III. 
LAWS CURRENTLY APPLICABLE TO DATA BROKERS\n    There is no single federal law that governs all uses or disclosures \nof consumer information. Rather, specific statutes and regulations may \nrestrict disclosure of consumer information in certain contexts and \nrequire entities that maintain this information to take reasonable \nsteps to ensure the security and integrity of that data. The FTC's \nefforts in this area have been based on three statutes: the Fair Credit \nReporting Act (``FCRA''),<SUP>5</SUP> Title V of the Gramm-Leach-Bliley \nAct (``GLBA''),<SUP>6</SUP> and Section 5 of the Federal Trade \nCommission Act (``FTC Act'').<SUP>7</SUP> Although the FCRA is one of \nthe oldest private sector data protection laws, it was significantly \nexpanded in 1996 and in the last Congress. The Commission is engaged in \na number of rulemakings to implement the new provisions of the FCRA, \nmany of which are directly targeted to the problem of ID Theft. The \nGLBA is a relatively recent law, and its implementing rule on consumer \ninformation privacy became effective in 2001. Other laws, such as the \nDriver's Privacy Protection Act <SUP>8</SUP> and the Health Insurance \nPortability and Accountability Act <SUP>9</SUP> also restrict the \ndisclosure of certain types of information, but are not enforced by the \nCommission. Although these laws all relate in some way to the privacy \nand security of consumer information, they vary in scope, focus, and \nremedies. Determining which--if any--of these laws apply to a given \ndata broker requires an examination of the source and use of the \ninformation at issue.\n---------------------------------------------------------------------------\n    \\5\\ 15 U.S.C. Sec. Sec. 1681-1681u, as amended.\n    \\6\\ 15 U.S.C. Sec. Sec. 6801-09.\n    \\7\\ 15 U.S.C. Sec.  45(a).\n    \\8\\ 18 U.S.C. Sec. Sec. 2721-25.\n    \\9\\ 42 U.S.C. Sec. Sec. 
1320d et seq.\n---------------------------------------------------------------------------\nA. The Fair Credit Reporting Act\n    Although much of the FCRA focuses on maintaining the accuracy and \nefficiency of the credit reporting system, it also plays a role in \nensuring consumer privacy.<SUP>10</SUP> The FCRA primarily prohibits \nthe distribution of ``consumer reports'' by ``consumer reporting \nagencies'' (``CRAs'') except for specified ``permissible purposes,'' \nand requires CRAs to employ procedures to ensure that they provide \nconsumer reports to recipients only for such purposes.\n---------------------------------------------------------------------------\n    \\10\\ ``[A] major purpose of the Act is the privacy of a consumer's \ncredit-related data.'' Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C. \nCir. 1996).\n---------------------------------------------------------------------------\n1. Overview\n    In common parlance, the FCRA applies to consumer data that is \ngathered and sold to businesses in order to make decisions about \nconsumers. In statutory terms, it applies to ``consumer report'' \ninformation,<SUP>11</SUP> provided by a CRA,<SUP>12</SUP> limiting such \nprovision for a ``permissible purpose.'' <SUP>13</SUP> Although the \nmost common example of a ``consumer report'' is a credit report and the \nmost common CRA is a credit bureau, the scope of the FCRA is much \nbroader. For example, there exist many CRAs that provide reports in \nspecialized areas, such as tenant screening services (that report to \nlandlords on consumers who have applied to rent apartments) and \nemployment screening services (that report to employers to assist them \nin evaluating job applicants).\n---------------------------------------------------------------------------\n    \\11\\ What constitutes a ``consumer report'' is a matter of \nstatutory definition (15 U.S.C. Sec.  1681a(d)) and case law. 
Among other \nconsiderations, to constitute a consumer report, information must be \ncollected or used for ``eligibility'' purposes. That is, the data must \nnot only ``bear on'' a characteristic of the consumer (such as credit \nworthiness, credit capacity, character, general reputation, personal \ncharacteristics, or mode of living), it must also be used in \ndeterminations to grant or deny credit, insurance, employment, or in \nother determinations regarding permissible purposes. Trans Union, 81 \nF.3d at 234.\n    \\12\\ The FCRA defines a ``consumer reporting agency'' as an entity \nthat regularly engages in ``assembling or evaluating consumer credit \ninformation or other information on consumers for the purpose of \nfurnishing consumer reports to third parties . . . .'' 15 U.S.C. Sec.  \n1681a(f).\n    \\13\\ As discussed more fully below, the ``permissible purposes'' \nset forth in the FCRA generally allow CRAs to provide consumer reports \nto their customers who have a legitimate business need for the \ninformation to evaluate a consumer who has applied to the report user \nfor credit, employment, insurance, or an apartment rental. 15 U.S.C. Sec.  \n1681b(a)(3).\n---------------------------------------------------------------------------\n    CRAs other than credit bureaus provide many different types of \nconsumer reports. They may report information they have compiled \nthemselves, purchased from another CRA, or both. For example, a tenant \nscreening service may report only the information in its files that it \nhas received from landlords, only a consumer report obtained from \nanother CRA, or a combination of both its own information and resold \nCRA data, depending on the needs of the business and the information \navailable. Data brokers are subject to the requirements of the FCRA \nonly to the extent that they are providing ``consumer reports.''\n2. 
``Permissible Purposes'' For Disclosure of Consumer Reports\n    The FCRA limits distribution of consumer reports to those with \nspecific, statutorily-defined ``permissible purposes.'' Generally, \nreports may be provided for the purposes of making decisions involving \ncredit, insurance, or employment.<SUP>14</SUP> Consumer reporting \nagencies may also provide reports to persons who have a ``legitimate \nbusiness need'' for the information in connection with a consumer-\ninitiated transaction.<SUP>15</SUP> Target marketing--making \nunsolicited mailings or telephone calls to consumers based on \ninformation from a consumer report--is generally not a permissible \npurpose.<SUP>16</SUP>\n---------------------------------------------------------------------------\n    \\14\\ 15 U.S.C. Sec.  1681b(a)(3)(A), (B), and (C). Consumer reports may \nalso be furnished for certain ongoing account-monitoring and collection \npurposes.\n    \\15\\ 15 U.S.C. Sec.  1681b(a)(3)(F). This subsection allows landlords a \npermissible purpose to receive consumer reports. It also provides a \npermissible purpose in other situations, such as for a consumer who \noffers to pay with a personal check.\n    \\16\\ The FCRA permits target marketing for firm offers of credit or \ninsurance, subject to statutory procedures, including affording \nconsumers the opportunity to opt out of future prescreened \nsolicitations. 15 U.S.C. Sec.  1681a(c), (e).\n---------------------------------------------------------------------------\n    There is no general ``law enforcement'' permissible purpose for \ngovernment agencies. With few exceptions, government agencies are \ntreated like other parties--that is, they must have a permissible \npurpose to obtain a consumer report.<SUP>17</SUP> There are only two \nlimited areas in which the FCRA makes any special allowance for \ngovernmental entities. 
First, the law has always allowed such entities \nto obtain limited identifying information (name, address, employer) \nfrom CRAs without a ``permissible purpose.'' <SUP>18</SUP> Second, the \nFCRA was amended to add express provisions permitting government use of \nconsumer reports for counterintelligence and counter-\nterrorism.<SUP>19</SUP>\n---------------------------------------------------------------------------\n    \\17\\ For example, a government agency may obtain a consumer report \nin connection with a credit transaction or pursuant to a court order.\n    \\18\\ 15 U.S.C. Sec.  681f. The information a government agency may \nobtain under this provision does not include Social Security numbers.\n    \\19\\ 15 U.S.C. Sec. Sec. 1681u, 1681v.\n---------------------------------------------------------------------------\n3. ``Reasonable Procedures'' to Identify Recipients of Consumer Reports\n    The FCRA also requires that CRAs employ ``reasonable procedures'' \nto ensure that they supply consumer reports only to those with an FCRA-\nsanctioned ``permissible purpose.'' Specifically, Section 607(a) \nprovides that CRAs must make ``reasonable efforts'' to verify the \nidentity of prospective recipients of consumer reports and that they \nhave a permissible purpose to use the report.<SUP>20</SUP>\n---------------------------------------------------------------------------\n    \\20\\ 15 U.S.C. Sec. 
1681e(a).\n---------------------------------------------------------------------------\n    The Commission has implemented the general and specific \nrequirements of this provision in a number of enforcement actions that \nresulted in consent orders with the major nationwide CRAs <SUP>21</SUP> \nand with resellers of consumer reports (businesses that purchase \nconsumer reports from the major bureaus and resell them).<SUP>22</SUP> \nFor example, in the early 1990s, the FTC charged that resellers of \nconsumer report information violated Section 607(a) of the FCRA when \nthey provided consumer report information without adequately ensuring \nthat their customers had a permissible purpose for obtaining the \ndata.<SUP>23</SUP> In settling these charges, the resellers agreed to \nemploy additional verification procedures, including verifying the \nidentities and business of current and prospective subscribers, \nconducting periodic, unannounced audits of subscribers, and obtaining \nwritten certifications from subscribers as to the permissible purposes \nfor which they seek to obtain consumer reports.<SUP>24</SUP> In 1996, \nCongress amended the FCRA to impose specific duties on resellers of \nconsumer reports.<SUP>25</SUP>\n---------------------------------------------------------------------------\n    \\21\\ Equifax Credit Information Services, Inc., 130 F.T.C. 577 \n(1995); Trans Union Corp. 116 F.T.C. 1357 (1993) (consent settlement of \nprescreening issues only in 1992 target marketing complaint; see also \nTrans Union Corp. v. FTC, 81 F.3d 228 (D.C. Cir. 1996)); FTC v. TRW \nInc., 784 F. Supp. 362 (N.D. Tex. 1991); Trans Union Corp., 102 F.T.C. \n1109 (1983). Each of these ``omnibus'' orders differed in detail, but \ngenerally covered a variety of FCRA issues including accuracy, \ndisclosure, permissible purposes, and prescreening.\n    \\22\\ W.D.I.A., 117 F.T.C. 757 (1994); CDB Infotek, 116 F.T.C. 280 \n(1993); Inter-Fact, Inc., 116 F.T.C. 
294 (1993); I.R.S.C., 116 F.T.C. \n266 (1993) (consent agreements against resellers settling allegations \nof failure to adequately insure that users had permissible purposes to \nobtain the reports).\n    \\23\\ Id.\n    \\24\\ A press release describing the consent agreement is available \nat: http://www.ftc.gov/opa/predawn/F93/irsccdb3.htm.\n    \\25\\ Resellers are required to identify their customers (the ``end \nusers'') to the CRA providing the report and specify the purpose for \nwhich the end users bought the report, and to establish reasonable \nprocedures to ensure that their customers have permissible purposes for \nthe consumer reports they are acquiring through the reseller. 15 U.S.C. \nSec. 1681f(e).\n---------------------------------------------------------------------------\n    In addition to the reasonable procedures requirement of Section \n607(a), the FCRA also imposes civil liability on users of consumer \nreport information who do not have a permissible purpose and criminal \nliability on persons who obtain such information under false pretenses.\nB. The Gramm-Leach-Bliley Act\n    The Gramm-Leach-Bliley Act imposes privacy and security obligations \non ``financial institutions.'' <SUP>26</SUP> Financial institutions are \ndefined as businesses that are engaged in certain ``financial \nactivities'' described in Section 4(k) of the Bank Holding Company Act \nof 1956 <SUP>27</SUP> and its accompanying regulations.<SUP>28</SUP> \nThese activities include traditional banking, lending, and insurance \nfunctions, as well as other activities such as brokering loans, credit \nreporting, and real estate settlement services. To the extent that data \nbrokers fall within the definition of financial institutions, they \nwould be subject to the Act.\n---------------------------------------------------------------------------\n    \\26\\ 15 U.S.C. Sec.  6809(3)(A).\n    \\27\\ 12 U.S.C. Sec.  1843(k).\n    \\28\\ 12 C.F.R. Sec. Sec. 
225.28, 225.86.\n---------------------------------------------------------------------------\n1. Privacy of Consumer Financial Information\n    In general, financial institutions are prohibited by Title V of \nGLBA and its implementing privacy rule <SUP>29</SUP> from disclosing \nnonpublic personal information to non-affiliated third parties without \nfirst providing consumers with notice and the opportunity to opt out of \nthe disclosure.<SUP>30</SUP> However, GLBA provides a number of \nstatutory exceptions under which disclosure is permitted without \nspecific notice to the consumer. These exceptions include consumer \nreporting (pursuant to the FCRA), fraud prevention, law enforcement and \nregulatory or self-regulatory purposes, compliance with judicial \nprocess, and public safety investigations.<SUP>31</SUP> Entities that \nreceive information under an exception to GLBA are subject to the reuse \nand redisclosure restrictions under the GLBA Privacy Rule, even if \nthose entities are not themselves financial institutions.<SUP>32</SUP> \nIn particular, the recipients may only use and disclose the information \n``in the ordinary course of business to carry out the activity covered \nby the exception under which . . . the information [was received].'' \n<SUP>33</SUP>\n---------------------------------------------------------------------------\n    \\29\\ Privacy of Consumer Financial Information, 16 C.F.R. Part 313 \n(``GLBA Privacy Rule'').\n    \\30\\ The GLBA defines ``nonpublic personal information'' as any \ninformation that a financial institution collects about an individual \nin connection with providing a financial product or service to an \nindividual, unless that information is otherwise publicly available. \nThis includes basic identifying information about individuals, such as \nname, Social Security number, address, telephone number, mother's \nmaiden name, and prior addresses. See, e.g., 65 Fed. Reg. 
33,646, \n33,680 (May 24, 2000) (the FTC's Privacy Rule).\n    \\31\\ 15 U.S.C. Sec.  6802(e).\n    \\32\\ 16 C.F.R. Sec.  313.11(a).\n    \\33\\ Id.\n---------------------------------------------------------------------------\n    Data brokers may receive some of their information from CRAs, \nparticularly in the form of identifying information (sometimes referred \nto as ``credit header'' data) that includes name, address, and Social \nSecurity number. Because credit header data is typically derived from \ninformation originally provided by financial institutions, data brokers \nwho receive this information are limited by GLBA's reuse and \nredisclosure provision. For example, if a data broker obtains credit \nheader information from a financial institution pursuant to the GLBA \nexception ``to protect against or prevent actual or potential fraud,'' \n<SUP>34</SUP> then that data broker may not reuse and redisclose that \ninformation for marketing purposes.\n---------------------------------------------------------------------------\n    \\34\\ 15 U.S.C. Sec.  502(e)(3)(B).\n---------------------------------------------------------------------------\n2. Required Safeguards for Customer Information\n    GLBA also requires financial institutions to implement appropriate \nphysical, technical, and procedural safeguards to protect the security \nand integrity of the information they receive from customers directly \nor from other financial institutions.<SUP>35</SUP> The FTC's Safeguards \nRule, which implements these requirements for entities under FTC \njurisdiction,<SUP>36</SUP> requires financial institutions to develop a \nwritten information security plan that describes their programs to \nprotect customer information. 
Given the wide variety of entities \ncovered, the Safeguards Rule requires a plan that accounts for each \nentity's particular circumstances--its size and complexity, the nature \nand scope of its activities, and the sensitivity of the customer \ninformation it handles. It also requires covered entities to take \ncertain procedural steps (for example, designating appropriate \npersonnel to oversee the security plan, conducting a risk assessment, \nand overseeing service providers) in implementing their plans. Since \nthe GLBA Safeguards Rule became effective in May 2003, the Commission \nhas brought two law enforcement actions against companies that violated \nthe Rule by not having reasonable protections for customers' personal \ninformation.<SUP>37</SUP>\n---------------------------------------------------------------------------\n    \\35\\ 15 U.S.C. Sec.  6801(b); Standards for Safeguarding Customer \nInformation, 16 C.F.R. Part 314 (``Safeguards Rule'').\n    \\36\\ The Federal Deposit Insurance Corporation, the National Credit \nUnion Administration, the Securities and Exchange Commission, the Office of \nthe Comptroller of the Currency, the Board of Governors of the Federal \nReserve System, the Office of Thrift Supervision, and state insurance \nauthorities have promulgated comparable information safeguards rules, \nas required by Section 501(b) of the GLBA. 15 U.S.C. Sec.  6801(b); see, \ne.g., Interagency Guidelines Establishing Standards for Safeguarding \nCustomer Information and Rescission of Year 2000 Standards for Safety \nand Soundness, 66 Fed. Reg. 8,616-41 (Feb. 1, 2001). The FTC has \njurisdiction over entities not subject to the jurisdiction of these \nagencies.\n    \\37\\ Sunbelt Lending Services, (Docket No. C-4129) (consent order); \nNationwide Mortgage Group, Inc., (Docket No. 
9319) (consent order).\n---------------------------------------------------------------------------\n    To the extent that data brokers fall within GLBA's definition of \n``financial institution,'' they must maintain reasonable security for \ncustomer information. If they fail to do so, the Commission could find \nthem in violation of the Rule. The Commission can obtain injunctive \nrelief for such violations, as well as consumer redress or disgorgement \nin appropriate cases.<SUP>38</SUP>\n---------------------------------------------------------------------------\n    \\38\\ 15 U.S.C. Sec.  6805(a)(7). In enforcing GLBA, the FTC may seek \nany injunctive and other equitable relief available to it under the FTC \nAct.\n---------------------------------------------------------------------------\nC. Section 5 of the FTC Act\n    In addition, Section 5 of the FTC Act prohibits ``unfair or \ndeceptive acts or practices in or affecting commerce.'' <SUP>39</SUP> \nUnder the FTC Act, the Commission has broad jurisdiction to prevent \nunfair or deceptive practices by a wide variety of entities and \nindividuals operating in commerce.\n---------------------------------------------------------------------------\n    \\39\\ 15 U.S.C. Sec.  45(a).\n---------------------------------------------------------------------------\n    Prohibited practices include deceptive claims that companies make \nabout privacy, including claims about the security they provide for \nconsumer information.<SUP>40</SUP> To date, the Commission has brought \nfive cases against companies for deceptive security claims, alleging \nthat the companies made explicit or implicit promises to take \nreasonable steps to protect sensitive consumer information. 
Because \nthey allegedly failed to take such steps, their claims were \ndeceptive.<SUP>41</SUP> The consent orders settling these cases have \nrequired the companies to implement rigorous information security \nprograms generally conforming to the standards set forth in the GLBA \nSafeguards Rule.<SUP>42</SUP>\n---------------------------------------------------------------------------\n    \\40\\ Deceptive practices are defined as material representations or \nomissions that are likely to mislead consumers acting reasonably under \nthe circumstances. Cliffdale Associates, Inc., 103 F.T.C. 110 (1984).\n    \\41\\ Petco Animal Supplies, Inc. (Docket No. C-4133); MTS Inc., d/\nb/a Tower Records/Books/Video (Docket No. C-4110); Guess?, Inc. (Docket \nNo. C-4091); Microsoft Corp., (Docket No. C-4069); Eli Lilly & Co., \n(Docket No. C-4047). Documents related to these enforcement actions are \navailable at http://www.ftc.gov/privacy/privacyinitiatives/promises--\nenf.html.\n    \\42\\ As the Commission has stated, an actual breach of security is \nnot a prerequisite for enforcement under Section 5; however, evidence \nof such a breach may indicate that the company's existing policies and \nprocedures were not adequate. It is important to note, however, that \nthere is no such thing as perfect security, and breaches can happen \neven when a company has taken every reasonable precaution. See \nStatement of the Federal Trade Commission Before the House Subcommittee \non Technology, Information Policy, Intergovernmental Relations, and the \nCensus, Committee on Government Reform (Apr. 21, 2004) (available at \nhttp://www.ftc.gov/os/2004/04/042104cybersecuritytestimony.pdf).\n---------------------------------------------------------------------------\n    In addition to deception, the FTC Act prohibits unfair practices. 
\nPractices are unfair if they cause or are likely to cause consumers \nsubstantial injury that is neither reasonably avoidable by consumers \nnor offset by countervailing benefits to consumers or \ncompetition.<SUP>43</SUP> The Commission has used this authority to \nchallenge a variety of injurious practices.<SUP>44</SUP>\n---------------------------------------------------------------------------\n    \\43\\ 15 U.S.C. Sec.  45(n).\n    \\44\\ These include, for example, unauthorized charges in connection \nwith ``phishing,'' which are high-tech scams that use spam or pop-up \nmessages to deceive consumers into disclosing credit card numbers, bank \naccount information, Social Security numbers, passwords, or other \nsensitive information. See FTC v. Hill, Civ. No. H 03-5537 (filed S.D. \nTex. Dec. 3, 2003), http://www.ftc.gov/opa/2004/03/\nphishinghilljoint.htm; FTC v. C.J., Civ. No. 03-CV-5275-GHK (RZX) \n(filed C.D. Cal. July 24, 2003), http://www.ftc.gov/os/2003/07/\nphishingcomp.pdf.\n---------------------------------------------------------------------------\n    The Commission can obtain injunctive relief for violations of \nSection 5, as well as consumer redress or disgorgement in appropriate \ncases.\nD. Other Laws\n    Other federal laws not enforced by the Commission regulate certain \nother specific classes of information. For example, the Driver's \nPrivacy Protection Act (``DPPA'') <SUP>45</SUP> prohibits state motor \nvehicle departments from disclosing personal information in motor \nvehicle records, subject to fourteen ``permissible uses,'' including \nlaw enforcement, motor vehicle safety, and insurance.\n---------------------------------------------------------------------------\n    \\45\\ 18 U.S.C. Sec. Sec. 
2721-25.\n---------------------------------------------------------------------------\n    The privacy rule under the Health Insurance Portability and \nAccountability Act (``HIPAA'') allows for the disclosure of medical \ninformation (including patient records and billing statements) between \nentities for routine treatment, insurance, and payment \npurposes.<SUP>46</SUP> For non-routine disclosures, the individual must \nfirst give his or her consent. As with the DPPA, the HIPAA Privacy Rule \nprovides a list of uses for which no consent is required before \ndisclosure. Like the GLBA Safeguards Rule, the HIPAA Privacy Rule also \nrequires entities under its jurisdiction to have in place ``appropriate \nadministrative, technical, and physical safeguards to protect the \nprivacy of protected health information.'' <SUP>47</SUP>\n---------------------------------------------------------------------------\n    \\46\\ 45 C.F.R. Part 164 (``HIPAA Privacy Rule'').\n    \\47\\ 45 C.F.R. Sec. 164.530(c).\n---------------------------------------------------------------------------\n\n  IV. THE FEDERAL TRADE COMMISSION'S ROLE IN COMBATING IDENTITY THEFT\n    In addition to its regulatory and enforcement efforts, the \nCommission assists consumers with advice on the steps they can take to \nminimize their risk of becoming identity theft victims, supports \ncriminal law enforcement efforts, and provides resources for companies \nthat have experienced data breaches. 
The 1998 Identity Theft and \nAssumption Deterrence Act (``the Identity Theft Act'' or ``the Act'') provides \nthe FTC with a specific role in combating identity theft.<SUP>48</SUP> \nTo fulfill the Act's mandate, the Commission implemented a program that \nfocuses on collecting complaints and providing victim assistance \nthrough a telephone hotline and a dedicated website; maintaining and \npromoting the Clearinghouse, a centralized database of victim \ncomplaints that serves as an investigative tool for law enforcement; \nand providing outreach and education to consumers, law enforcement, and \nindustry.\n---------------------------------------------------------------------------\n    \\48\\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 \nU.S.C. Sec. 1028).\n---------------------------------------------------------------------------\nA. Working with Consumers\n    The Commission hosts a toll-free hotline, 1-877-ID THEFT, and a \nsecure online complaint form on its website, www.consumer.gov/idtheft. \nWe receive about 15,000 to 20,000 contacts per week on the hotline, or \nvia our website or mail from victims and consumers who want to learn \nabout how to avoid becoming a victim. The callers to the hotline \nreceive counseling from trained personnel who provide information on \nprevention of identity theft, and also inform victims of the steps to \ntake to resolve the problems resulting from the misuse of their \nidentities. Victims are advised to: (1) obtain copies of their credit \nreports and have a fraud alert placed on them; (2) contact each of the \ncreditors or service providers where the identity thief has established \nor accessed an account, to request that the account be closed and to \ndispute any associated charges; and (3) report the identity theft to \nthe police and, if possible, obtain a police report. 
A police report is \nhelpful both in demonstrating to would-be creditors and debt collectors \nthat the consumers are victims of identity theft, and also serves as an \n``identity theft report'' that can be used for exercising various \nrights under the newly enacted Fair and Accurate Credit Transactions \nAct.<SUP>49</SUP> The FTC's identity theft website, www.consumer.gov/\nidtheft, has an online complaint form where victims can enter their \ncomplaint into the Clearinghouse.<SUP>50</SUP>\n---------------------------------------------------------------------------\n    \\49\\ These include the right to an extended, seven-year fraud \nalert, the right to block fraudulent trade lines on credit reports, and \nthe ability to obtain copies of fraudulent applications and transaction \nreports. See 15 U.S.C. Sec. 1681 et seq., as amended.\n    \\50\\ Once a consumer informs a consumer reporting agency that the \nconsumer believes that he or she is the victim of identity theft, the \nconsumer reporting agency must provide the consumer with a summary of \nrights titled ``Remedying the Effects of Identity Theft'' (available at \nhttp://www.ftc.gov/bcp/conline/pubs/credit/idtsummary.pdf).\n---------------------------------------------------------------------------\n    The FTC has also taken the lead in the development and \ndissemination of consumer education materials. To increase awareness \nfor consumers and provide tips for minimizing the risk of identity \ntheft, the FTC developed a primer on identity theft, ID Theft: What's \nIt All About? Together with the victim recovery guide, Take Charge: \nFighting Back Against Identity Theft, the two publications help to \neducate consumers. The FTC alone has distributed more than 1.4 million \ncopies of the Take Charge booklet since its release in February 2000 \nand has recorded more than 1.7 million visits to the Web version. 
The \nFTC's consumer and business education campaign includes other \nmaterials, media mailings, and radio and television interviews. The FTC \nalso maintains the identity theft website, www.consumer.gov/idtheft, \nwhich provides publications and links to testimony, reports, press \nreleases, identity theft-related state laws, and other resources.\n    The Commission has also developed ways to simplify the recovery \nprocess. One example is the ID Theft Affidavit, which is included in \nthe Take Charge booklet and on the website. The FTC worked with \nindustry and consumer advocates to create a standard form for victims \nto use in resolving identity theft debts. To date, the FTC has \ndistributed more than 293,000 print copies of the ID Theft Affidavit \nand has recorded more than 709,000 hits to the Web version.\nB. Working with Law Enforcement\n    A primary purpose of the Identity Theft Act was to enable criminal \nlaw enforcement agencies to use a single database of victim complaints \nto support their investigations. To ensure that the database operates \nas a national clearinghouse for complaints, the FTC accepts complaints \nfrom state and federal agencies as well as from consumers.\n    With almost 800,000 complaints, the Clearinghouse provides a \npicture of the nature, prevalence, and trends of the identity theft \nvictims who submit complaints. The Commission publishes annual charts \nshowing the prevalence of identity theft complaints by states and \ncities.<SUP>51</SUP> Law enforcement and policy makers use these \nreports to better understand identity theft.\n---------------------------------------------------------------------------\n    \\51\\ Federal Trade Commission--National and State Trends in Fraud & \nIdentity Theft (Feb. 
2004) (available at http://www.consumer.gov/\nsentinel/pubs/Top10Fraud2004.pdf).\n---------------------------------------------------------------------------\n    Since the inception of the Clearinghouse, more than 1,100 law \nenforcement agencies have signed up for the database. Individual \ninvestigators within those agencies can access the system from their \ndesktop computers 24 hours a day, seven days a week.\n    The Commission also encourages even greater use of the \nClearinghouse through training seminars offered to law enforcement. \nBeginning in 2002, the FTC, in cooperation with the Department of \nJustice, the U.S. Postal Inspection Service, and the U.S. Secret \nService, initiated full day identity theft training seminars for state \nand local law enforcement officers. To date, this group has held 16 \nseminars across the country. More than 2,200 officers have attended \nthese seminars, representing over 800 different agencies. Future \nseminars are being planned for additional cities.\n    The FTC staff also developed an identity theft case referral \nprogram. The staff creates preliminary investigative reports by \nexamining patterns of identity theft activity in the Clearinghouse. The \nstaff then refers the investigative reports to Financial Crimes Task \nForces and other law enforcers for further investigation and potential \nprosecution.\nC. Working with Industry\n    The private sector can help tackle the problem of identity theft in \nseveral ways. From prevention of identity theft through better security \nand authentication, to helping victims recover, businesses play a key \nrole in addressing identity theft.\n    The FTC works with institutions that maintain personal information \nto identify ways to keep that information safe from identity theft. 
In \n2002, the FTC invited representatives from financial institutions, \ncredit issuers, universities, and retailers to a roundtable discussion \nof what steps entities can and do take to prevent identity theft and \nensure the security of personal information in employee and customer \nrecords. This type of informal event provides an opportunity for the \nparticipants to share information and learn about the practices used by \ndifferent entities to protect against identity theft.\n    The FTC also provides guidance to businesses about information \nsecurity risks and the precautions they must take to protect or \nminimize risks to personal information. For example, the Commission has \ndisseminated guidance for businesses on reducing risks to their \ncomputer systems,<SUP>52</SUP> as well as guidance for complying with \nthe GLBA Safeguards Rule.<SUP>53</SUP> Our emphasis is on preventing \nbreaches before they happen by encouraging businesses to make security \npart of their regular operations and corporate culture. 
The Commission \nhas also published Information Compromise and the Risk of Identity \nTheft: Guidance for Your Business, which is a business education \nbrochure on managing data compromises.<SUP>54</SUP> This publication \nprovides guidance on when it would be appropriate for an entity to \nnotify law enforcement and consumers in the event of a breach of \npersonal information.\n---------------------------------------------------------------------------\n    \\52\\ Security Check: Reducing Risks to Your Computer Systems, \navailable at http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm.\n    \\53\\ Financial Institutions and Customer Data: Complying with the \nSafeguards Rule, available at http://www.ftc.gov/bcp/conline/pubs/\nbuspubs/safeguards.htm.\n    \\54\\ Information Compromise and the Risk of Identity Theft: \nGuidance for Your Business, available at http://www.ftc.gov/bcp/\nconline/pubs/buspubs/idtrespond.pdf.\n---------------------------------------------------------------------------\n\n                             V. CONCLUSION\n    Data brokers collect and distribute a wide assortment of consumer \ninformation and may therefore be subject to a variety of federal laws \nwith regard to the privacy and security of consumers' personal \ninformation. Determining which laws apply depends on the type of \ninformation collected and its intended use. The Commission is committed \nto ensuring the continued safety of consumers' personal information and \nlooks forward to working with you to explore this subject in more \ndepth.\n\n    Mr. Stearns. I thank the Madam Chairman for her opening \nstatement. I will start with my questions. And it might be \nhelpful, in light of your opening statement, to indicate in \nyour answers whether this is your personal opinion, or whether \nthis is the policy of the Federal Trade Commission, if it turns \nout that is the case.\n    And if you don't mind, I would like you just to give a yes \nor no here. 
Should Congress prohibit the disclosure of Social \nSecurity numbers without consumers' prior consent? Just yes or \nno.\n    Ms. Majoras. I will try, Congressman Stearns. I----\n    Mr. Stearns. Well, we can go back to this, but you know, \nas--dealing with these hearings, I like to put people right on \nthe spot, just yes or no.\n    Ms. Majoras. I understand, but I am afraid on that one, I \nhave to answer I can't absolutely answer yes.\n    Mr. Stearns. Because you are saying there is extenuating \ncircumstances.\n    Ms. Majoras. Absolutely.\n    Mr. Stearns. Okay. Okay. I will accept that. Would you say \nthat Social Security numbers that appear on credit headers \nshould be truncated?\n    Ms. Majoras. It depends on what they are used for.\n    Mr. Stearns. Okay. So in your--like the Chairman Barton \ntalked about, the Social Security number, and other members are \nsaying it is your personal property, so you are saying that \nCongress should not prohibit the disclosure of Social Security \nnumbers in some cases?\n    Ms. Majoras. Well, that is correct.\n    Mr. Stearns. Okay.\n    Ms. Majoras. I don't think that would be valuable to \nconsumers----\n    Mr. Stearns. Okay. So there is a tipping point, then, you \nare saying, where they get much more information of a consumer, \nand where that Social Security number would be conclusive \nenough that it should be----\n    Ms. Majoras. No question there is a line drawing.\n    Mr. Stearns. Okay. In your--you have indicated that there \nshould be a comprehensive Federal law dealing with privacy and \nsecurity of consumer information. That is correct, right?\n    Ms. Majoras. Yes.\n    Mr. Stearns. And is that your personal opinion, or the \nFederal Trade Commission?\n    Ms. Majoras. It is not in my written testimony, so I will \nhave to say that it is my opinion that we can extend some of \nthe Federal laws in place today, and regulations, much more \nbroadly.\n    Mr. Stearns. 
Beyond the Gramm-Leach-Bliley Act----\n    Ms. Majoras. Correct.\n    Mr. Stearns. [continuing] and beyond the Sarbanes-Oxley, \nyou think there is another role for the Federal Government, \ndealing with privacy and security. And I have a privacy bill, \nso I am sympathetic to what you say.\n    Ms. Majoras. Yes.\n    Mr. Stearns. But I am just trying to--should consumers have \nthe right to inspect information maintained about them by data \nbrokers, and seek correction of errors in that information?\n    Ms. Majoras. It depends on what the data bank is being used \nfor. If it is a fraud data bank, for example, we wouldn't want \nfraudsters to be able to see the information collected on them, \nfor example.\n    Mr. Stearns. But a lot of people would argue that just like \nwith a credit report, you can call the credit company and say, \nwhat does a credit report look like on me, and I think I should \nhave the right, which you do today, to correct it.\n    Ms. Majoras. Yes.\n    Mr. Stearns. So following that line of reasoning, why \nwouldn't consumers have the right to inspect this information \nthat is maintained by data brokers, and seek correction of \nerrors if there are some?\n    Ms. Majoras. And they do, in fact, if data brokers like \nChoicePoint are providing information that is considered to be \nconsumer report information under the statute.\n    Mr. Stearns. California has a law dealing with disclosure \nto consumers, and of course, because of that law, that made \nChoicePoint have to notify these 146,000. That is extremely \ntime-consuming. It is difficult if they can find all these \npeople, but we can envision 50 States now starting to pass \ntheir own laws, 49 others. Should there be a nationwide \nrequirement for disclosure, sort of a preemption that the \nFederal Government does, so that all companies like \nChoicePoint, LexisNexis, deal with this Federal law, and not \nhave to deal with 50 separate laws?\n    Ms. Majoras. Yes. 
A Federal requirement would be \nappropriate when there is a significant risk to consumers from \nthe breach.\n    Mr. Stearns. Okay. There is some talk about some people \nsaying we should--we are now--and we need a Communications Bill \nof Rights, that specifies what a person dealing in this new \ninformation technology age, he or she has a consumer--a \nCommunications Bill of Rights. Do you see anything like that \nthrough the Federal Trade Commission?\n    Ms. Majoras. I am sorry, not particularly something we are \ncalling the Communications Bill of Rights.\n    Mr. Stearns. But what are you calling it then?\n    Ms. Majoras. I am--I want to make sure I am clear on what \nyou are talking about. Are you talking about communication \nbetween a consumer and, for example, a financial institution?\n    Mr. Stearns. Yes. Well, dealing with a data base, and \ndealing with--what are the rights of the consumers, in terms of \nwhether they opt in, opt out, and that is my next question, \nwhether you would favor it within this, an opt-in or opt-out \nprovision.\n    Ms. Majoras. First and foremost, we believe consumers want \nto be sure that their personal information is safeguarded. We \nthink that is--that security is what consumers are first and \nforemost concerned about, and that they do have the right to \nensure that those companies that have their information are \nsafeguarding it appropriately. No question about that.\n    With respect to opt-in or opt-out, I think it is important \nthat we learn from the Gramm-Leach-Bliley scheme. What we have \nfound is that, in fact, consumers have received millions \ncollectively of notices of their right to opt out of a \nfinancial institution sharing their personal information, and \nthey have not exercised that right. They have not wanted to \nbother with that. 
We believe, again, they really want to just \nmake sure that banks and merchants and others are responsibly \nhandling their information and safeguarding it.\n    Mr. Stearns. Going back to my first question, should \nCongress prohibit the disclosure of Social Security numbers \nwithout consumers' prior consent. You could not answer that yes \nor no. Can you give me a sentence to answer that? A couple \nsentences.\n    Ms. Majoras. Okay. Social Security numbers are used for \npermissible purposes, like matching a particular consumer to a \nparticular credit report, for example, and for verifying \naccuracy of credit reports, which is something we have talked \nabout here today already. And those are important purposes, \nbecause there is no other unique identifier for U.S. citizens. \nSo the key is to not squelch use of Social Security numbers for \npurposes for which consumers would want to--would want that \nuse, because in fact, consumers care a lot about things like \ninstant credit, and that is also important.\n    But one more sentence, I promise, Mr. Congressman, Mr. \nChairman. We believe there are instances in which Social \nSecurity numbers may be asked for or shared just simply out of \nhabit, where they are really not necessary, and there, we \nshould be looking at whether further restriction would be \nappropriate.\n    Mr. Stearns. Okay. My time has expired, but I would \ninterpret what you say, that should Congress prohibit the \ndisclosure of Social Security numbers without consumers, is you \nwould say no, they should not prohibit. That is what I \ninterpreted.\n    The ranking member, Ms. Schakowsky.\n    Ms. Schakowsky. Thank you. Welcome, Chairman Majoras.\n    Ms. Majoras. Thank you.\n    Ms. Schakowsky. Illinois just became eligible--Illinoisans \njust became eligible to get free credit reports under a \nprogram, I think, administered by you, that we can now get that \ninformation. 
And it is pretty widely known, and I would assume, \npretty widely used, that consumer--is that correct?\n    Ms. Majoras. Yes, ma'am.\n    Ms. Schakowsky. People are doing that. But I am wondering \nhow many consumers really know about data brokers? You know, we \nall know about credit agencies and about our credit reports, \nbut do you think most consumers actually know about data \nbrokers?\n    Ms. Majoras. Until recently, no. I don't believe so.\n    Ms. Schakowsky. I don't think so either. And so, I think \nthat this--the revelation that this information is out there, \nand has been--that security has been breached has really been \nan eye-opener, I think, for a lot of people, and I think \nappropriately, now, the Congress is looking on where it fits \nin.\n    And one of the questions I had, as I said in my opening \nstatement, the 1974 Privacy Act, I thought, said that the--\nacknowledged the power of this aggregated information, and made \nit illegal for government agencies to amass the kind of \npersonal information that it seems to me that data brokers do. \nAnd yet, the government agencies, how many are they, that \nactually purchase this information from data brokers? So it \nseems to me that from the government standpoint alone, that \nthat is, if not a breach of the actual language of the law, the \nspirit of the law, in saying that well, we can't do that kind \nof data collection, but we will actually purchase it, and then, \nthat is further problematic, because that information is not--\nthere is no safeguards that it is even accurate.\n    I wanted your response, in relation to the 1974 law.\n    Ms. Majoras. Well, it is true that government agencies use \ninformation that has been compiled by data brokers, and we need \nto remember that the reason they use it is if there is a strong \nneed in tracking down deadbeats who have not paid their child \nsupport, or in tracking down those, you know, criminals. 
There \nis a need for information like that, and that is why, as I \nunderstand it, government agencies have been using data \nbrokers.\n    Now, I don't enforce that statute, obviously, against \ngovernment agencies, and so I don't have a personal opinion on \nthe application of that statute. But I do wholeheartedly agree \nwith you that consumers have the right to ensure that the \ninformation is safeguarded, and certainly, for the types of \ninformation that data brokers are collecting, that is being \nused for eligibility decisions on consumers, then data brokers \nshould be following the Fair Credit Reporting Act, which does \nrequire certain standards for accuracy and the like.\n    Ms. Schakowsky. So who assures that that happens? If \nconsumers are unaware, actually, of the existence of these data \nbrokers, and if that information, then, is used to deny them \ncredit, for example, how do they--how would they know that?\n    Ms. Majoras. Well, there are certain requirements under the \nFCRA that accompany--that is giving out the information is \nrequired to follow. So if, for example--so any company that is \nsupplying consumer report information, and that is, generally, \ninformation that is being used to make eligibility \ndeterminations, has some requirements that it must follow, but \nit is true that unlike with respect to the three credit \nreporting agencies, who I agree with you, most consumers know \nabout, I don't know that at least to date, consumers have known \nabout these data brokers.\n    Ms. Schakowsky. So if I am applying for a loan, and the \nfinancial institution is going to one of these data brokers for \nthe information, am I supposed to get notified that that is the \nsource of the information, that the data broker is the source \nof the information? And does that ever happen?\n    Ms. Majoras. I don't believe you would be notified of the \nsource of the information, no. 
I can't think of an--in this \npatchwork of laws we have, I can't think of one requiring in \nparticular----\n    Ms. Schakowsky. I am confused about what this notification \nprovision is for credit reporting agencies, for example. What \nare you saying?\n    Ms. Majoras. Well, if information on your credit report is \nused, and an adverse determination is made on that, then a \nconsumer----\n    Ms. Schakowsky. Is notified at their home.\n    Ms. Majoras. [continuing] is notified--would have to be \nnotified that they have been denied on the basis of that \ninformation.\n    Ms. Schakowsky. Is that the responsibility of the financial \ninstitution, rather than the credit reporting agency?\n    Ms. Majoras. I believe it is the financial institution.\n    Ms. Schakowsky. Okay. So do we know that they are, in fact, \nif they are using this other source of information, are they \nregularly telling consumers that it is, you know, ChoicePoint \nor whatever, that it is the basis--on that basis, you are being \ndenied?\n    Ms. Majoras. They are being notified that they are being--\nthat it was on the basis of what has been supplied in their \nconsumer report. I don't know whether they are notified as to \nwhich credit reporting agency or private data broker. I just \ndon't know the answer.\n    Ms. Schakowsky. Obviously, there is a lot of holes that we \nneed to be filling in. Thank you.\n    Ms. Majoras. It is very complicated. Thank you.\n    Mr. Stearns. The chairman of the full committee, Mr. \nBarton.\n    Chairman Barton. Thank you, Mr.--Chairman Stearns. Madam \nChairwoman, I just have two questions.\n    Is there any reason that we should not make it illegal to \nshare or trade a person's Social Security number, and the data \nthat goes with it, without their permission?\n    Ms. Majoras. 
There are a couple of reasons why, and that \nis, in the context of, for example, a transaction in which the \nconsumer is attempting to get credit or a loan.\n    Chairman Barton. I said without their permission.\n    Ms. Majoras. Right. So if they--if it is being provided. \nThe only other place I can think of, Chairman Barton, is with \nrespect to tracking down criminals. And if we are tracking down \ncriminals, and trying to match criminals, like, for example, \nidentity thieves, that might be another area where we would \nwant to consider----\n    Chairman Barton. So a law enforcement exception, and then, \nwhen you give permission, in order to get something of value to \nyou, that they can check on you, and--so--but other than that, \nyou would support a law that Social Security number can't be \nused, period, without your permission?\n    Ms. Majoras. I think we would want to take a closer look to \nall the exceptions. For example, in Gramm-Leach-Bliley, which \nare very similar to the law enforcement exceptions, to make \nsure that we are not missing something. But in terms of--for \nmarketing purposes, or----\n    Chairman Barton. But under Gramm-Leach-Bliley, all they \nhave to do is tell you they are doing it. They don't have to \nget your permission.\n    Ms. Majoras. Well, that is right, and they give you the \nability to opt out, but there are some exceptions in Gramm-\nLeach-Bliley, where they don't even have to give you the chance \nto opt out, and those are the exceptions, I think, that we \nought to look at closely, in the same context.\n    Chairman Barton. What would the Federal Trade Commission's \nresponse be to requiring that if your personal information is \nstolen, as has been--has happened in these two instances, that \nat a minimum, the company that had the information compromised \nwould have to notify the individual that their information has \nbeen stolen or compromised?\n    Ms. Majoras. 
If the information that has been stolen or \ncompromised puts the consumer at significant risk, then we \nthink that the company should be required to take reasonable \nsteps to provide notice to consumers.\n    Chairman Barton. Take reasonable steps. Define reasonable \nsteps.\n    Ms. Majoras. Well, it all depends on the circumstances. \nConsumers move around, and so the question is, how--really, the \nquestion is only to what degree does the company need to spend \ntime trying to track down that individual.\n    Chairman Barton. What if we said reasonableness is the same \nstandard as if you were trying to collect a bill from that \nindividual?\n    Ms. Majoras. Well, that would be something that most \ncompanies would be very familiar with. Probably a good----\n    Chairman Barton. Well, they--see--you know----\n    Ms. Majoras. Probably a good starting point, Chairman.\n    Chairman Barton. Okay. Just a second. Staff would like me \nto ask you about your--under Gramm-Leach-Bliley, one of the \nexceptions is for fraud prevention, and my understanding is \nthat the ChoicePoint identity theft, or the theft of the \nmaterial, the company, the individuals, falsely portrayed \nthemselves to be a corporation that was trying to get \ninformation to prevent fraud.\n    So is that something that we need to tighten up, the--\neither eliminate as an exception, or tighten up the conditions \nunder which you could use that exception?\n    Ms. Majoras. Well, I think we should take a very close look \nat the exception, and make sure it is not swallowing the rule, \nbut in addition, in this instance, we also need to look, I \nthink, at extending the Commission's Safeguards Rule, so that \nall companies, like consumer reporting agencies, are required \nto take certain steps when information is requested, so that \nthey are not just selling it to anyone, but they are, in fact, \nselling it to someone who has a permissible purpose. 
That is \nthe other way we could tighten.\n    Chairman Barton. All right. And I guess my final question, \nin general, would it be the Federal Trade Commission's position \nthat Federal legislation of some sort is necessary and helpful \nin this area?\n    Ms. Majoras. Yes, that is my position.\n    Chairman Barton. Okay. Thank you, Mr. Chairman.\n    Mr. Stearns. I thank the gentleman. The gentlelady from \nWisconsin. Oh, the gentleman from Massachusetts. Yes.\n    Mr. Markey. Thank you, Mr. Chairman. Madam Chairlady, in \nthe prepared testimony submitted by the Electronic Privacy \nInformation Center, EPIC, Marc Rotenberg states that back on \nDecember 16, 2004, EPIC urged the FTC to investigate \nChoicePoint and other data brokers for possible violations of \nthe Federal privacy laws.\n    Did the FTC initiate any investigation into ChoicePoint in \nresponse to this request?\n    Ms. Majoras. The EPIC petition asked us to examine whether \nexisting laws provided adequate regulation and oversight over \ncompanies like ChoicePoint, a very important question.\n    We actually had been looking at the issue before we \nreceived the EPIC petition. When we received the EPIC letter, \nwe increased our efforts, and as you may have heard, we have \nrecently been able to publicly acknowledge that we have, in \nfact, opened an investigation of ChoicePoint.\n    Mr. Markey. But had you officially begun an investigation \nbefore press reports appeared, indicating that there had been \nsecurity breaches at ChoicePoint?\n    Ms. Majoras. No, we had no evidence that ChoicePoint had \nviolated the law at that point.\n    Mr. Markey. You did not believe that EPIC's information was \nsufficient to trigger an investigation?\n    Ms. Majoras. We thought EPIC's information was sufficient \nto look at the entire landscape, to see if new regulation or \nlaw was necessary.\n    Mr. Markey. And what was deficient in EPIC's information? 
\nWhat was lacking that you feel was--that would have been \nnecessary to trigger an investigation?\n    Ms. Majoras. I am sorry, sir, because I have an active \ninvestigation of ChoicePoint, I am afraid I can't talk further \nabout their actual conduct in the public forum.\n    Mr. Markey. The point I am trying to make here is that I \nthink that there was a warning, that there was information at \nthe Federal Trade Commission, that the Federal Trade Commission \nhas to be much more aggressive than it has been in the pursuit \nof the protection of the privacy of individuals, and this is a \nperfect example of where the Federal Trade Commission was not \nas aggressive as the American people would expect you to be.\n    Now, as I understand it, ChoicePoint maintained some data \nbases of credit reports that would be regulated under the Fair \nCredit Reporting Act, but that it also had other data bases of \ninformation that did not meet the Federal Credit Reporting \nAct's definition of a credit report. Is that right?\n    Ms. Majoras. That is my understanding from public sources, \nyes.\n    Mr. Markey. And this information may have been amongst the \ninformation that was compromised. Is that right?\n    Ms. Majoras. That is my understanding, again, from press \nreports.\n    Mr. Markey. Now, a Social Security number is not considered \na credit report, and also, isn't protected under the Federal \nCredit Reporting Act? Is that also correct?\n    Ms. Majoras. Correct.\n    Mr. Markey. So don't we really need a new law that \nregulates these information brokers, so that we have fair \ninformation practices in place to protect the public?\n    Ms. Majoras. I think we could use new law that focuses on \nmisuse and absolutely focuses on the security of sensitive \ninformation, yes.\n    Mr. Markey. Shouldn't we ban the commercial sale of Social \nSecurity numbers?\n    Ms. Majoras. It depends on what they are being used for.\n    Mr. Markey. 
If they are just being used in a way that \nallows my neighbors to gain access to my Social Security \nnumber, shouldn't that be banned?\n    Ms. Majoras. Yes, absolutely.\n    Mr. Markey. Should BJ's Wholesale have the ability to get \nmy Social Security number?\n    Ms. Majoras. Well, it all depends on what they are using it \nfor, and consumers, of course, part with their Social Security \nnumber, indeed, to be able to buy goods and services, or to get \ncredit, for example.\n    Mr. Markey. But should they be able to obtain it, if I \nhaven't given it to them?\n    Ms. Majoras. They might--we might want them to be able to \nobtain it, for example, from a credit reporting agency, if they \nare trying to verify, for example, that I am who I say I am, \nand so that is something we need to look at closely. But \ncertainly, banning misuse and purposes outside a window, \nabsolutely.\n    Mr. Markey. Thank you, Mr. Chairman.\n    Mr. Stearns. I thank the gentleman. Mr. Murphy.\n    Mr. Murphy. Thank you, Mr. Chairman. A couple of quick \nquestions. First of all, if we do nothing here in correcting \nsome of these patterns, what do you anticipate the level this \nwill grow to in 5 or 10 years?\n    Ms. Majoras. My goodness. I don't know that I can \nspeculate. I am--we try to look for good news wherever we can \nfind it. This isn't much good news, but at least between--from \nwhat we can tell, between 2003 and 2004, the number of identity \ntheft victims didn't grow. We hope that is because some of the \nsteps that we have been able to take under our authority, and \nthat banking agencies have been taking, and of course, \nmerchants and responsible companies, are having some impact. \nBut it is--we do believe that more needs to be done to \nsafeguard personal information.\n    Mr. Murphy. 
My point is, do you believe that there will be \na number of technological advances that companies will make in \norder to safeguard things on their own, or I am thinking your \ntestimony did not contain references to legislation needed to \nprotect consumers' security and privacy. So I am wondering if \nyou think that the current Federal law regarding data security \nand privacy is adequate to protect consumers.\n    Ms. Majoras. Yes, sir. As I said in my oral remarks, we \nthink there are two places where we should start with respect \nto new legislation, perhaps. The first is extending the \nCommission's GLB Safeguards Rule beyond financial institutions, \nto include far more institutions that collect or disseminate \npersonal data.\n    And the second would be to consider a Federal requirement \nfor notice when there have been security breaches that pose a \nsignificant risk to consumers.\n    Mr. Murphy. All right. Thank you. And I want, you know, I \nappreciate the work you are doing, to make sure you continue on \nwith an investigation that is protecting consumers. Thank you \nvery much.\n    And thank you, Mr. Chairman.\n    Ms. Majoras. Thank you.\n    Mr. Stearns. I thank the gentleman. The gentlelady from \nWisconsin.\n    Ms. Baldwin. Thank you, Mr. Chairman, and thank you for \nyour testimony today.\n    I wanted to probe just a little bit more with the \nreasonableness standard that was being discussed earlier. Under \nthe Fair Credit Reporting Act, it would also--Gramm-Leach-\nBliley--companies have a duty to take, or make reasonable \nefforts to verify both the identity of prospective recipients \nof consumer reports, and they also have to make reasonable \nefforts to make sure that these prospective recipients have a \npermissible purpose.\n    Without getting into the details of any open investigation, \ncould you make this real for us by giving some examples of what \nthe Commission views as reasonable efforts?\n    Ms. Majoras. Okay. 
Yes.\n    We--and we have entered into some consent agreements with \ncompanies over time, in which we have laid out, in fact, what \nneeds to be done. Now, in the statute itself, there are \nrequirements that a CRA that falls under the statute must \nrequire certification of the identity, and certification of the \npermissible purpose. That is one. Beyond that, there are other \nthings that can be done, and we understand are done, at times, \nby CRAs, like audits, and like onsite drop-in visits. And \naudits of the actual information as it is going out, and to \nwhom it is going to. Those are some of the measures.\n    Ms. Baldwin. Okay. And quickly, I wanted to note the \nefforts undertaken by the Commission under the Identity Theft \nAct, to provide consumers with information and assistance, and \nparticularly, assistance to victims of identity theft. I also \nappreciate the Commission's leadership in providing educational \nmaterials to increase consumer awareness about the problem of \nidentity theft.\n    I am wondering, in that arena, do you feel that the \nCommission has sufficient statutory authority to provide any \nservices deemed necessary or advisable under that law?\n    Ms. Majoras. I think we do, and we will continue to educate \nconsumers, and help any consumers who have fallen victim, and \nof course, what we really want to do is educate consumers in \nadvance, because there are a number of things that consumers \ncan do to at least decrease the risk.\n    It is always a matter of resources. We are a small agency, \nand I think we are doing a lot in stretching our dollars. I \nthink our efforts in education and in training of law \nenforcement have been greatly appreciated. I recently received \nan email from a local police officer, talking about how much \nthey appreciate our educating them, because of course, they are \nthe first line in this. We don't have criminal enforcement \nauthority against this crime. 
We are facilitating the \nprosecution of these thieves, and we are obviously facilitating \neducation.\n    Ms. Baldwin. Thank you.\n    Mr. Stearns. I thank the gentlelady. We have one vote, and \nthen we--I am going to come right back. So we are going to \nrecess the committee for this one vote, and with your patience, \nif you will stay with us, and I will start immediately, and I \nwill urge members to come back quickly, and there is about 7 \nminutes before we have--they shut down the vote, so I will be \nright back.\n    Ms. Majoras. Thank you, Mr. Chairman.\n    [Recess.]\n    Mr. Stearns. The subcommittee will reconvene, and the \ngentleman from New Hampshire, Mr. Bass, is recognized.\n    Mr. Bass. Thank you very much, and I would just like to ask \nsome basic questions, if I could.\n    Could you tell the committee, the subcommittee exactly what \na credit bureau is, and do they sell consumers' information?\n    Ms. Majoras. Forgive me. A credit bureau is a company that \ncollects information regarding consumers, generally speaking, \nso that it can be compiled and sold, so that merchants, banks, \nand insurance companies and the like can make eligibility \ndeterminations about consumers.\n    Mr. Bass. Do consumers have the ability to opt out of \ninformation collection by credit bureaus?\n    Ms. Majoras. They do not.\n    Mr. Bass. Do credit bureaus sell information to entities \nlike ChoicePoint and LexisNexis, and is there Federal \nsupervision by a regulator of the downstream use of information \nsold by credit bureaus to data brokers?\n    Ms. Majoras. Yes, there is some, so yes, they do sell the \ninformation, and yes, there is some Federal supervision under \nthe Fair Credit Reporting Act.\n    Mr. Bass. Is there Federal supervision by a regulator of \nthe subsequent sale of consumers' information by a data broker \nto other businesses?\n    Ms. Majoras. It depends on what kind of information they \nare selling. 
If it is a consumer report, for example, that they \nare reselling, which they originally got from a CRA, then the \nanswer is yes, then they must comply with the requirements of \nthe FCRA. There may be other information, however, that data \nbrokers collect, in fact, I believe there are, that are not \nsubject to the requirements of the FCRA.\n    Mr. Bass. Could you explain ``permissible purposes'' for \nwhich consumer reports can be disclosed under the Fair Credit \nReporting Act?\n    Ms. Majoras. It--generally, a permissible purpose is to \ndetermine a consumer's eligibility for credit, for insurance, \nfor employment, and the like.\n    Mr. Bass. You have testified that, ``targeted marketing is \ngenerally not a permissible purpose.'' When is targeted \nmarketing permissible?\n    Ms. Majoras. There is an exception in the statute with \nrespect to prescreened offers.\n    Mr. Bass. Has the FTC brought any enforcement cases against \nfirms who have used credit reports for targeted marketing?\n    Ms. Majoras. No.\n    Mr. Bass. Okay. I yield back, Mr. Chairman.\n    Mr. Stearns. I thank the gentleman. Madam Chairman, we \nwould like to thank you very much for your patience and for \nattending. We are now going to call up the second panel.\n    Ms. Majoras. Okay. Thank you very much, Mr. Chairman.\n    Mr. Stearns. We have Mr. Kurt Sanford, President and Chief \nExecutive Officer of U.S. Corporate and Federal Government \nMarkets, LexisNexis; Mr. Derek Smith, Chairman and CEO of \nChoicePoint; Mr. Joseph--no, excuse me, that is just the two. \nSo we are--just those two on the second panel, and we are going \nto let you start your opening statement.\n    We have about 12 1/2 minutes to a vote, so I was hoping we \ncould tear through this, so when we come back, this is a \nsurprise vote, we can start on the questions.\n    So Mr. Sanford, I will let you start with your opening \nstatement. 
Just make sure the mike is close to you, and it also \nis turned on.\n\n STATEMENTS OF KURT P. SANFORD, PRESIDENT AND CHIEF EXECUTIVE \n    OFFICER, U.S. CORPORATE AND FEDERAL GOVERNMENT MARKETS, \n   LEXISNEXIS; AND DEREK SMITH, CHAIRMAN AND CHIEF EXECUTIVE \n                   OFFICER, CHOICEPOINT, INC.\n\n    Mr. Sanford. Good morning, Chairman Stearns and other \ndistinguished members of the subcommittee. My name is Kurt \nSanford. I am the Chief Executive Officer for Corporate and \nFederal Markets at LexisNexis. I appreciate the opportunity to \nbe here today to discuss the important public policy issues \nassociated with cybercrime, identity theft, and the protection \nof consumer information. LexisNexis commends the subcommittee \nfor its leadership on these important issues.\n    LexisNexis is a leading provider of authoritative legal, \npublic records, and business information. Today, over 3 million \nprofessionals, law enforcement officials, government agencies, \nfinancial institutions, and others, subscribe to the LexisNexis \nservices. LexisNexis plays a vital role in supporting \ngovernment and business customers, who use our information \nservices for important uses, including preventing identity \ntheft and fraud, locating suspects, preventing and \ninvestigating terrorist activities, and locating missing \nchildren.\n    LexisNexis is committed to the responsible use of \npersonally identifiable information. We have stringent privacy \npolicies and security measures in place to protect the consumer \ninformation in our data bases. We share the subcommittee's \nconcern about the potential misuse of this information to \ncommit identity theft and fraud. 
We look forward to sharing our \nviews on possible ways to further enhance information security, \nand address the growing problems of cybercrime and identity \ntheft.\n    I would like to take a few minutes to discuss data security \nincidents announced last week at Seisint, the information \ncompany we acquired last September. As part of the integration \nof Seisint with LexisNexis, we are conducting a thorough review \nof the company's verification, authorization, and security \nprocedures and policies. During that process, a LexisNexis \nintegration team became aware of some billing irregularities \nwith several customer accounts. Upon further investigation, the \nteam detected some unusual usage patterns within these accounts. \nThe team then informed senior management, and I contacted the \nUnited States Secret Service.\n    The incident is still being investigated, but it appears \nthat cybercriminals compromised IDs and passwords of legitimate \nSeisint customers, and used those IDs and passwords to access \npublic records and certain personally identifying information, \nsuch as Social Security numbers and driver's license numbers.\n    No personal financial, credit, or medical information was \ninvolved, because Seisint does not collect or sell information \nof this type. Because this is an ongoing law enforcement \ninvestigation, the U.S. Secret Service has asked us to refer \nall questions regarding the investigation to them. We sincerely \nregret this incident and any adverse impact that this crime may \nhave upon the individuals whose information was accessed. We \nhave already begun to take steps to assist the affected \nconsumers.\n    First, based on the investigation to date, we are in the \nprocess of notifying approximately 32,000 individuals whose \npersonal information may have been accessed. We expect to \ncomplete mailing notices by March 16. 
Second, we are providing \nall individuals with a consolidated report, containing \ninformation from the three major credit bureaus, and credit \nmonitoring services for 1 year. Third, for those individuals \nwho do become victims of fraud as a result of this incident, we \nwill provide counselors to help them clear their credit reports \nof any information relating to fraudulent activity.\n    I would like to take a minute to discuss the security \nsystems at LexisNexis and the specific steps we are taking to \nprevent any future incidents. LexisNexis has long recognized \nthe importance of undertaking extensive measures to protect the \ninformation in our data bases, and has a comprehensive security \nprogram. Maintaining security is not a static process, but \nrather, involves continuously evaluating and adjusting our \nsecurity program.\n    LexisNexis has physical, administrative, and technical \nmeasures to protect the security of information it maintains. \nOur data facilities are physically secure, and are monitored 24 \nby 7. Administratively, we have policies and procedures in \nplace to prevent and detect employee misuse of our systems. In \naddition, we limit a customer's access to sensitive \ninformation, according to the purposes which they seek to use \nthe information. Our Chief Privacy Officer and Privacy and \nPolicy Review Board work together to help protect the privacy \nof information contained in our data bases.\n    We also undertake regular assessments by independent third \nparties of both our privacy and security practices. In addition \nto these security safeguards, LexisNexis has a multilayer \nprocess in place to screen potential customers to ensure that \nonly legitimate customers have access to sensitive information. 
\nOnly those customers with a permissible purpose under Federal \nlaw are granted access to sensitive data, such as driver's \nlicense number and Social Security numbers.\n    LexisNexis plans to further restrict access to the most \nsensitive data elements by extending the more restrictive \nSocial Security number truncation policy currently in place for \nLexisNexis to its recently acquired Seisint business, and by \nadding a policy to include the masking of driver's license \nnumbers. We are also enhancing ID and password administration \nprocedures. These steps are part of the ongoing review that \nLexisNexis has undertaken on security practices and procedures \nand privacy policies across its businesses.\n    I would like to focus the remainder of my time on policy \nissues being considered to further protect consumer \ninformation. While there are various laws currently in place \nthat govern the collection and distribution of personally \nidentifiable information, we recognize that additional \nlegislation may be necessary to address the growing problem of \ncybercrime and identity theft.\n    LexisNexis would support the following legislative \napproaches. First, consistent with the proposal outlined by FTC \nChairman Majoras in her testimony, we support requiring \nnotification in the event of a security breach, where there is \na substantial risk of harm to consumers. We share the concerns \nthat Chairman Majoras raised in her testimony about ensuring \nthat there is an appropriate threshold for when consumers \nactually would benefit from receiving notification, such as \nwhere the breach is likely to result in misuse of customer \ninformation. In addition, we believe that it is important that \nany such proposal contain Federal preemption.\n    Second, we would support the adoption of data security \nsafeguards, modeled after the Safeguard Rule of the Gramm-\nLeach-Bliley Act. 
I understand that the FTC is supportive of \nthis approach as well.\n    And finally, we strongly encourage legislation that imposes \nmore stringent penalties for identity theft and cybercrimes. \nAdditionally, consumers and industry alike would benefit from \nenhanced training for law enforcement, and an expansion of \nthe resources available to investigate and prosecute the \nperpetrators of identity theft and fraud.\n    It is critical that any legislation being considered ensure \nthat legitimate businesses, government agencies, and other \norganizations continue to have access to identifying \ninformation that they depend on for important purposes, \nincluding fraud detection and prevention, law enforcement, and \nother critical applications. Moreover, legislation must strike \nthe right balance between security, protecting privacy, and \nensuring continued access to critically important information \nthat is provided through information service providers.\n    Thank you again for the opportunity to be here today to \nprovide the subcommittee with our company's perspective on \nthese important public policy issues. We look forward to \nworking with the subcommittee as it develops proposals to help \nprotect consumers and help fight cybercrime and identity theft. \nThank you.\n    [The prepared statement of Kurt P. Sanford follows:]\n    Prepared Statement of Kurt P. Sanford, President and CEO, U.S. \n          Corporate and Federal Government Markets, LexisNexis\n\n                              INTRODUCTION\n    Good morning. My name is Kurt Sanford. I am the Chief Executive \nOfficer for Corporate and Federal Markets at LexisNexis, a division of \nReed Elsevier Inc. On behalf of LexisNexis, I appreciate the \nopportunity to be here today to discuss the important public policy \nissues associated with the protection of consumer information, \ncybercrime, and identity theft. 
LexisNexis commends the Subcommittee \nfor its leadership on these important issues.\n    LexisNexis is a leading provider of authoritative legal, public \nrecords, and business information. Today, over three million \nprofessionals--lawyers, law enforcement officials, government agencies, \nfinancial institutions and others--subscribe to the LexisNexis \nservices. Government agencies at all levels, businesses, researchers, \nand others rely on LexisNexis to carry out important functions in our \nsociety. LexisNexis Risk Management unit plays a vital role in \nsupporting government and business customers who use our information \nservices for a variety of important uses.\n    The following are examples of some of the important ways in which \nthe services of LexisNexis are used by customers:\n\n<bullet> Prevent identity theft and fraud--Banks and other financial \n        institutions routinely rely on personally identifying \n        information contained in LexisNexis' databases to verify the \n        identities of individuals and businesses and prevent identity \n        theft and fraud. For example, LexisNexis has partnered with the \n        American Bankers Association to enable banks and other \n        customers to prevent money laundering and ensure compliance \n        with applicable laws by helping the banks determine if they are \n        doing business with legitimate businesses and consumers. The \n        use of this information by financial institutions to verify and \n        validate information on prospective customers is critical to \n        the success of that program. With the help of LexisNexis, major \n        banks and bank card issuers have experienced significant \n        reductions in dollar losses due to fraud, holding down costs \n        charged to consumers. 
Special investigation units of insurance \n        companies have experienced similar successes through the use of \n        information in our databases.\n<bullet> Locating suspects and helping make arrests--Many federal, state and \n        local law enforcement agencies rely on LexisNexis to help them \n        locate criminal suspects and to identify witnesses to a crime. \n        For example, Seisint products were used during the course of \n        the D.C. sniper investigation and helped lead to the arrest of \n        the suspects.\n<bullet> Preventing and investigating terrorist activities--Information \n        service providers like LexisNexis offer important tools in the \n        battle against terrorism. Our data, technology, and policy \n        expertise has been instrumental in detecting and preventing \n        terrorist activities.\n<bullet> Locating and recovering missing children and assisting in the \n        enforcement of child support obligations--For many years, \n        LexisNexis has partnered with the National Center for Missing \n        and Exploited Children to help that organization locate missing \n        and abducted children. Locating a missing child within the \n        first 48 hours is critical to success in the recovery effort. \n        The NCMEC has told us that information from LexisNexis has been \n        critical in the Center's successful recovery of many children. \n        In addition, public and private agencies rely on information \n        provided by LexisNexis to locate parents who are delinquent in \n        child support payments and to locate and attach assets in \n        satisfying court-ordered judgments. 
The Association for \n        Children for Enforcement of Support (ACES), a private child \n        support recovery organization, has had tremendous success in \n        locating nonpaying parents using LexisNexis.\n    LexisNexis is committed to the responsible use of personally \nidentifiable information and to the protection of consumer privacy. We \nshare the Subcommittee's concern about the potential misuse of this \ninformation to commit identity theft and fraud. We look forward to \nsharing our views on possible ways to further enhance information \nsecurity and address the growing problems of cybercrime and identity \ntheft.\n\n     THE PENDING INVESTIGATION OF THE SEISINT SECURITY INCIDENTS, \n            LEXISNEXIS' RESPONSE AND CYBERCRIME IMPLICATIONS\n    Before I proceed, I would like to take a few minutes to discuss the \ndata security incidents we recently discovered at Seisint, the \ninformation company we acquired last September.\n    As part of LexisNexis integration of Seisint, we have been \nconducting a thorough review of the company's verification, \nauthorization, and security procedures and policies. During that \nprocess, a LexisNexis integration team became aware of some billing \nirregularities within several customer accounts. Upon further \ninvestigation, the team detected within those accounts some unusual \nusage patterns. The team then informed senior management and we \ncontacted the United States Secret Service. The U.S. Secret Service was \nnotified because of its well-known expertise in investigating \ncybercrime and because of its national High Tech Crime Task Force, in \nwhich LexisNexis participates.\n    The incidents are still being investigated, but it appears that \ncybercriminals compromised IDs and passwords of legitimate Seisint \ncustomers and used those IDs and passwords to access certain Seisint \ndatabases. 
The information accessed was limited to public record \ninformation and certain identifying information, such as social \nsecurity numbers and driver's license information. No personal \nfinancial, credit, or medical information was involved because Seisint \ndoes not collect or distribute information of this type.\n    We take these incidents very seriously. LexisNexis has long been \ncommitted to the protection of consumer privacy and security. We \nsincerely regret that these criminals were able to fraudulently access \nthis information. We further regret any adverse impact that this crime \nmay have upon the individuals whose information was accessed. We have \nalready begun to take steps to assist individuals whose information may \nhave been accessed. First, based on the investigation to date, we are \nin the process of notifying approximately 32,000 individuals whose \npersonal information may have been accessed and we expect to complete \nmailing notices by March 16. Second, we will be providing all affected \nindividuals with a consolidated report containing information from the \nthree major credit bureaus. Third, we will be providing a credit \nmonitoring service for one year. Fourth, for those individuals who do \nbecome victims of fraud, we will provide them with ID theft counselors \nto help them through the process of clearing their credit reports of \nany information from related fraudulent activity.\n    Because this is an ongoing law enforcement investigation, the U.S. \nSecret Service has advised us that discussing additional details could \ncompromise its investigation.\n\n      THE TYPES OF MEASURES USED TO SAFEGUARD IDENTIFIABLE INFORMATION\n    LexisNexis has long recognized the importance of undertaking \nextensive measures to protect the information in our databases and has \nin place a comprehensive security program. 
Maintaining security is \nnot a static process, but rather involves continuously evaluating and \nadjusting our security program in light of technological advances and \nperceived or real threats.\n    LexisNexis has physical, administrative, and technical measures to \nprotect the security of information it maintains on its services. Our \ndata facilities are physically secure. Comprehensive monitoring \ncapabilities exist throughout these facilities. These capabilities \ninclude interior and exterior cameras and a badge-access system with \nbadge readers at all key entry points in the building, which are \nmonitored 24x7 by on-site security guards.\n    Administratively, we limit access to data center facilities to \nthose individuals with job-related needs and management authorization. \nTo prevent employee misuse of our systems, we have policies and \nprocedures in place to monitor usage and address policy abuses through \nclearly stated measures, up to and including termination.\n    In addition, we limit a customer's access to information, including \nsensitive information, in LexisNexis products according to the purposes \nfor which they seek to use the information. Our Chief Privacy Officer \nand Privacy and Policy Review Board work together to ensure that \nLexisNexis has strong privacy policies in place to help protect the \nprivacy of information contained in our databases. We also undertake \nregular assessments by independent third parties of both our privacy \nand security practices. In addition, because we recognize that the \nsuccess of our security program depends on our employees, we have \ndeveloped training programs on privacy and security policies and \npractices.\n    We use a multi-layered technical approach to securing data and \napplications. 
Preventive and detective technologies are deployed to \nmitigate risk throughout the network and system infrastructure and \nserve to thwart potentially malicious activities.\n    In addition to the security safeguards outlined above, LexisNexis \nhas a multi-layer process in place to screen potential customers to \nensure that only legitimate customers have access to sensitive \ninformation contained in our systems. Our procedures include a detailed \nauthentication process to determine the validity of business licenses, \nmemberships in professional societies and other credentials. We also \nauthenticate the documents provided to us to ensure they have not been \ntampered with or forged.\n    We have verification procedures in place to vet customers prior to \nproviding them with access to sensitive information. Customers \nrequesting access to sensitive information must go through a multi-step \napplication and approval process. Only those customers with a \npermissible purpose under federal law are granted access to sensitive \ndata such as driver's license information and social security numbers. \nIn addition, customers are required to make express representations and \nwarranties regarding access and use of sensitive information.\n    LexisNexis plans to further restrict access to the most sensitive \ndata elements, Social Security Numbers and Driver's License Numbers, by \nextending LexisNexis' current, more restrictive SSN truncation policy to \nits recently acquired Seisint business and adding a policy to \ninclude the masking of DLNs. These steps are part of the ongoing \nreview that LexisNexis has been conducting on security practices, \nauthorization and verification procedures and privacy policies across \nits businesses.\n    We have also accelerated our program to review and integrate \nverification and security procedures at LexisNexis and Seisint. 
\nSpecifically, LexisNexis is in the process of:\n\n<bullet> Enhancing ID and password administration procedures;\n<bullet> Enhancing security requirements applied to our customers; and\n<bullet> Working with law enforcement and outside consultants to establish new \n        procedures and techniques to thwart criminal activity.\n\n           THE TYPES OF INFORMATION MAINTAINED BY LEXISNEXIS\n    The information maintained by LexisNexis falls into the following \nthree general classifications: public record information, publicly \navailable information, and non-public information. I briefly describe \neach below.\n    Public record information. Public record information is information \noriginally obtained from government records that are available to the \npublic. Land records, court records, and professional licensing records \nare examples of public record information collected and maintained by \nthe government for public purposes, including dissemination to the \npublic.\n    Publicly available information. Publicly available information is \ninformation about an individual that is available to the general public \nfrom non-governmental sources. Some examples of these non-governmental \nsources are telephone directories, newspaper reports, and other \ngeneral-distribution publications.\n    Non-public information. Non-public information is information about \nan individual that is not obtained directly from public record \ninformation or publicly available information. This information comes \nfrom proprietary or non-public sources. Non-public data maintained by \nLexisNexis consists primarily of information obtained from either motor \nvehicle records or so-called credit header data. 
Credit header data is \nthe non-financial individual identifying information located at the top \nof a credit report, such as name, current and prior address, listed \ntelephone number, social security number, and month and year of birth.\n\nLAWS GOVERNING LEXISNEXIS COMPILATION AND DISSEMINATION OF IDENTIFIABLE \n                              INFORMATION\n    There are a wide range of federal and state privacy laws to which \nLexisNexis is subject in the collection and distribution of personally \nidentifiable information. These include:\n    The Gramm-Leach-Bliley Act. Social security numbers are one of the \ntwo most sensitive types of information that we maintain in our systems \nand credit headers are the principal commercial source of social \nsecurity numbers. Credit header data is obtained from consumer \nreporting agencies.<SUP>1</SUP> Starting in July 2001, the compilation \nof credit header data is subject to the Gramm-Leach-Bliley Act \n(``GLBA''), 15 U.S.C. Sec. Sec. 6801 et seq., and information subject to the \nGLBA cannot be distributed except for purposes specified by the \nCongress, such as the prevention of fraud. For credit header data \ncompiled prior to July 2001, the dissemination of this information is \nsubject to a set of industry-developed principles endorsed and enforced \nby the Federal Trade Commission.\n---------------------------------------------------------------------------\n    \\1\\ Consumer reporting agencies are governed by the Fair Credit \nReporting Act (``FCRA''), 15 U.S.C. Sec. Sec. 1681 et seq. Some information \nservices, such as Seisint's Securint service and LexisNexis PeopleWise, \nalso are subject to the requirements of the FCRA.\n---------------------------------------------------------------------------\n    Driver's Privacy Protection Act. 
The compilation and distribution \nof driver's license numbers and other information obtained from \ndriver's licenses are subject to the Driver's Privacy Protection Act \n(``DPPA''), 18 U.S.C. Sec. Sec. 2721 et seq., as well as state laws. \nInformation subject to the DPPA cannot be distributed except for \npurposes specified by the Congress, such as fraud prevention, insurance \nclaim investigation, and the execution of judgments.\n    Telecommunications Act of 1996. Telephone directories and similar \npublicly available repositories are a major source of name, address, \nand telephone number information. The dissemination of telephone \ndirectory and directory assistance information is subject to the \nrequirements of the Telecommunications Act of 1996, as well as state \nlaw.\n    FOIA and other Open Records Laws: Records held by local, state, and \nfederal governments are another major source of name, address, and \nother personally identifiable information. The Freedom of Information \nAct, state open record laws, and judicial rules govern the ability of \nLexisNexis to access and distribute personally identifiable information \nobtained from government agencies and entities. See, e.g., 5 U.S.C. Sec.  \n552.\nOther laws:\n    Unfair and Deceptive Practice Laws: Section 5 of the Federal Trade \nCommission Act, and its state counterparts, prohibit companies from \nmaking deceptive claims about their privacy and security practices. \nThese laws have served as the basis for enforcement actions by the \nFederal Trade Commission and state attorneys general for inadequate \ninformation security practices. The consent orders settling these \nenforcement actions typically have required companies to implement \ninformation security programs that conform to the standards set forth \nin the GLBA Safeguards Rule, 16 C.F.R. 
Part 314.\n    Information Security Laws: A growing body of state law imposes \nobligations upon information service providers to safeguard the \nidentifiable information they maintain. For example, California has \nenacted two statutes that require businesses to implement and maintain \nreasonable security practices and procedures and, in the event of a \nsecurity breach, to notify individuals whose personal information has \nbeen compromised. See California Civil Code Sec. Sec. 1798.81.5, 1798.82-84.\n\n                LEGISLATIVE MEASURES LEXISNEXIS SUPPORTS\n    We recognize that additional legislation may be necessary to \naddress the growing problem of cybercrime and identity theft. \nLexisNexis supports the following legislative approaches:\n    Data Security Breach Notification. Consistent with the proposals \noutlined by FTC Chairman Majoras in her testimony before the Senate \nBanking Committee last week, we support requiring notification in the \nevent of a security breach where there is substantial risk of harm to \nconsumers. We share the concerns that Chairman Majoras raised in her \ntestimony about ensuring that there is an appropriate threshold for \nwhen customers actually would benefit from receiving notification, such \nas where the breach is likely to result in misuse of customer \ninformation. In addition, we believe that it is important that any such \nproposal contain federal preemption to insure that companies can \nquickly and effectively notify consumers and not struggle with \ncomplying with multiple, potentially conflicting and inconsistent state \nlaws.\n    Adoption of Data Security Safeguards for Information Service \nProviders Modeled After the GLBA Safeguard Rule. 
LexisNexis would \nsupport the proposal outlined by Chairman Majoras whereby the types of \nsecurity protections required by the Safeguard Rule of the GLBA would \nbe applicable to information service providers that are not themselves \n``financial institutions'' as defined under GLBA.\n    Increased penalties for identity theft and other cybercrimes and \nincreased resources for law enforcement. LexisNexis strongly encourages \nlegislation that imposes more stringent penalties for identity theft \nand other cybercrimes. Additionally, consumers and industry alike would \nbenefit from enhanced training for law enforcement and an expansion of \nthe resources available to investigate and prosecute the perpetrators \nof identity theft and cybercrime. Too many of our law enforcement \nagencies do not have the resources to neutralize these high-tech \ncriminals.\n    It is critical that any legislation being considered ensure that \nlegitimate businesses, government agencies, and other organizations \ncontinue to have access to identifying information that they depend on \nfor important purposes including fraud detection and prevention, law \nenforcement, and other critical applications. Moreover, legislation \nmust strike the right balance between protecting privacy and ensuring \ncontinued access to critically important information that is provided \nthrough information service providers.\n\n                               CONCLUSION\n    Mr. Chairman, members of the Subcommittee, thank you again for the \nopportunity to testify before you today. 
LexisNexis is committed to:\n\n<bullet> Developing effective products involving the responsible use of \n        personally identifiable information to support law enforcement, \n        government, and responsible businesses;\n<bullet> Safeguarding consumer privacy; and\n<bullet> Protecting the security of our data systems.\n    We look forward to working with you as you develop proposals to \nhelp protect consumers and help fight cybercrime and identity theft.\n\n    Mr. Stearns. Thank you, Mr. Sanford. I was hoping we could \nget the second opening statement in. We have one vote, and then \nno votes for a long period of time.\n    So Mr. Smith, we are going to have to recess the \nsubcommittee, and I will go vote, and members have just been \nemailed to come back, so the subcommittee is----\n    [Brief recess.]\n    Mr. Stearns. [continuing] members will be filing in, but \nMr. Smith, we wanted to give you an opportunity to proceed.\n    Mr. Smith. Chairman----\n    Mr. Stearns. And just move it a little closer. Sometimes, \nit is--if you don't mind, that would be helpful. Thanks.\n\n                    STATEMENT OF DEREK SMITH\n\n    Mr. Smith. Chairman Stearns, Representative Schakowsky, and \nmembers of the committee. I am Derek Smith, Chairman and Chief \nExecutive Officer of ChoicePoint, Inc.\n    I have thought a great deal, both professionally and as a \nfather, about the role information can play in making our world \nmore or less secure. I have devoted the last 12 years to the \npursuit of making our society safer through the innovative but \nproper use of information and technology.\n    At ChoicePoint, our customers cover a broad spectrum of \nAmerican business, nonprofits, and government services \norganizations, including most of America's Federal, State, and \nlocal law enforcement agencies. 
Last year, ChoicePoint helped \n100 million American consumers obtain fairly priced home and \nauto insurance, and thousands of American businesses obtain \ncommercial property insurance.\n    We also helped 8 million Americans get jobs through our \nworkplace pre-employment screening services. We helped more \nthan 1 million consumers obtain expedited copies of their vital \nrecords, birth, death, and marriage certificates. ChoicePoint \nhelped government fulfill its mission guarding the safety of \nAmericans.\n    But regrettably, I know that I am not here today to talk \nonly about the good things that ChoicePoint has done. I know I \nam here because your committee and your constituents are \nconcerned about the harm that may have been done to \napproximately 145,000 Americans whose information may have \nfallen into the hands of criminals who accessed ChoicePoint \nsystems.\n    Let me begin by offering an apology on behalf of our \ncompany, and my own personal apology to those consumers whose \ninformation may have been accessed by the criminals whose \nfraudulent activity ChoicePoint failed to prevent. Beyond our \napology, I want to assure the public and the members of this \ncommittee that we have moved aggressively to safeguard the \ninformation in our possession from future criminal theft.\n    We have also moved promptly to provide assistance to every \naffected individual, to help them avoid financial harm. We are \nalso participating in the efforts of--we also welcome \nparticipating in the efforts of this committee and other \npolicymakers seeking to provide an appropriate regulation of \nour industry. 
We have decided to exit the consumer-sensitive \ndata market not covered by the Fair Credit Reporting Act, \nmeaning ChoicePoint will no longer sell information products \ncontaining sensitive consumer data, including Social Security \nand driver's license numbers, except where there is a specific \nconsumer-driven transaction or benefit, or where the products \nsupport Federal, State, or local government and criminal \njustice purposes.\n    ChoicePoint will continue to provide authentication, fraud \nprevention, and other services to large, accredited customers, \nwhere consumers have existing relationships. We have \nstrengthened ChoicePoint's customer credentialing process, and \nwe are changing our products and services to many customer \nsegments. We are requiring additional due diligence, such as \nbank references and site visits, to small business applications \nbefore allowing access to personally identifiable information.\n    We are recredentialing broad sections of our customer base, \nincluding our small business customers. We are modifying the \nservices that ChoicePoint is delivering to our customers. I \nhave created an Office of Credentialing Compliance and Privacy \nthat will report to our Board of Directors Privacy Committee, \nand be independent of ChoicePoint management. This Office will \nbe led by Carol DiBattiste, previously Deputy Administrator of \nthe Transportation Security Administration, and a former senior \nprosecutor in the Department of Justice, with extensive \nexperience in detection and prosecution of financial fraud.\n    I have also appointed Robert McConnell, a 28 year veteran \nof the Secret Service and former chief of the Federal \nGovernment's Nigerian Organized Crime Taskforce, to serve as \nour liaison to law enforcement officials. 
These changes reflect \nsome of the lessons that we have already learned as a result of \nthe breaches of ChoicePoint security, which have resulted in \nthe recent convictions of several individuals.\n    From what I now know, on September 27, 2004, a ChoicePoint \nemployee became suspicious while credentialing a prospective \nsmall business customer based in the Los Angeles area. This \nemployee brought his concerns regarding the application to our \nSecurity Services Department. After a preliminary review, the \nmanager of the Security Services Department alerted the Los \nAngeles County Sheriff's Department. They decided to initiate \nan official police investigation, and asked for our assistance. \nThe investigation is still ongoing, and has, I am told, already \nresulted in the arrest and conviction of at least one \nindividual.\n    After the situation became public last month, I learned \nthat another instance in which ChoicePoint had been working \nwith a law enforcement inquiry also involved a criminal use of \nour information products, and late last year, had resulted in a \nguilty plea.\n    With respect to California, we have learned that those \ninvolved had previously opened ChoicePoint accounts by \npresenting fraudulently obtained California business licenses \nand other fraudulent documents. They were able to access \ninformation products primarily containing the following \ninformation: consumer names, current and former addresses, \nSocial Security numbers, driver's license numbers, certain \nother public record information such as bankruptcies, liens, \nand judgments, and, in certain cases, credit reports.\n    Based on the information currently available, we estimate \nthe data from approximately 145,000 consumers may have been \naccessed as a result of unauthorized access to our information \nproducts. Nearly one quarter of those consumers are California \nresidents. 
California is the only State that statutorily \nrequires affected consumers to be notified of a potential \nbreach of personally identifiable information, and authorizes \nlaw enforcement officials to delay notification to allow a \ncriminal investigation to proceed.\n    Last fall, ChoicePoint received such a request from the \nSheriff's Department, after the issue of consumer notification \nwas discussed between ChoicePoint and the Department. At that \ntime, ChoicePoint had not yet reconstructed all the searches \nrequired to identify consumers at risk, and law enforcement \nofficers had not yet learned all the pertinent details of the \ncrime. Working cooperatively with the Sheriff's Department, and \nafter completing the necessary reconstruction, we began the \nprocess of notifying consumers last month. We voluntarily \nelected to use the California law as the basis for notifying \nconsumers in all States.\n    Absent specific notification from law enforcement \npersonnel, affected consumers, or others, we cannot determine \nwhether a particular consumer has been a victim of actual \nidentity theft. However, law enforcement officials have \ninformed us that they have identified approximately 750 \nconsumers nationwide, where some attempt was made to compromise \ntheir identity. The security breach that ChoicePoint discovered \nlast fall in California has caused us to go through some \nserious soul searching at ChoicePoint.\n    In retrospect, the company should have acted more quickly. \nI should have been notified earlier of the investigation being \nconducted by the Los Angeles County Sheriff's Department. What \nI can tell you today is that from now on, I will be notified \nwhen ChoicePoint learns of a formal law enforcement inquiry \ninvolving any potential breach of our security.\n    In the meantime, we have taken other steps to help and \nprotect the consumers who may have been harmed. 
First, \nChoicePoint established a dedicated toll-free customer service \nnumber, and a special website to respond to inquiries. Second, \nwe are providing, free of charge, a combined three bureau \ncredit report. Third, we are providing, free of charge, a 1-year \ncredit monitoring service, and for anyone who has suffered \nactual identity theft from this fraud, ChoicePoint will provide \nfurther assistance to help them resolve any issue arising from \nthat identity theft. We hope these efforts will help those \nindividuals protect their personal data from being used in a \ncriminal manner, and that they will mitigate any harm.\n    Mr. Chairman, to conclude, I would like to state before \nthis committee, for the record, my position on further \nregulation or oversight of information and credential \nverification providers. For the past 2 years, I have been \nworking to prompt a broad discussion on how we can build a \nframework that defines how personally identifiable information \nshould be used, by whom, and for what purpose.\n    I have called for independent oversight to give the public \nthe confidence it needs. I support increased penalties, \ncriminal penalties, for the unauthorized access to information. \nI support a single, reasonable, nationwide, mandatory \nnotification requirement of any unauthorized access to \npersonally identifiable information.\n    Every advance in technology that makes our lives easier \nalso makes it easier for enemies to move swiftly against us. \nYou and I can be approved for a bank account in a matter of \nminutes, but a person can use that same technology to get a \nfalse or real driver's license, or to create a fake business. \nThe point being, technology and information are neither good \nnor bad. 
People determine if the power of information is used \nfor the benefit of individuals or society, or to create harm.\n    I believe that only by adding a more formal structure to \nthe current scheme of information use will we realize the full \nvalue of technology-based tools to society. The architects of \nthese guidelines will be working against a backdrop of \napparently conflicting principles. Increased concerns about \nprivacy, balanced against society's need to identify people who \nwould do us harm. But it is important to remember that these \ntwo principles are not mutually exclusive, and that too much \nweight on either end of the spectrum leads not to balance, but \nto immobility, or worse, to a breaking point.\n    The privacy debate should not be a choice between civil \ndefense and civil liberty. We must aim to preserve both. We \nlook forward to participating in the continued discussion of \nthese issues, and I pledge our cooperation and my personal \ncooperation to these efforts.\n    I thank you for your consideration, and I will be pleased \nto answer any questions you might have.\n    [The prepared statement of Derek Smith follows:]\n    Prepared Statement of Derek Smith, Chairman and Chief Executive \n                       Officer, ChoicePoint Inc.\n    Chairman Stearns, Representative Schakowsky, and Members of the \nCommittee: I am Derek Smith, Chairman and Chief Executive Officer of \nChoicePoint Inc.\n    I have thought a great deal, both professionally and as a father, \nabout the role information can play in making our world more, or less, \nsecure. 
I have devoted the last 12 years to the pursuit of making our \nsociety safer through the innovative, but proper, use of technology and \ninformation.\n    At ChoicePoint, our customers cover a broad spectrum of American \nbusiness, non-profits and government service organizations--from half \nthe Fortune 1000 to notable community organizations, and most of \nAmerica's federal, state and local law enforcement agencies.\n    Last year ChoicePoint helped 100 million American consumers obtain \nfairly priced home and auto insurance, and thousands of American \nbusinesses obtain commercial property insurance. We also helped 8 \nmillion Americans get jobs through our workplace pre-employment \nscreening services. We helped more than one million consumers obtain \nexpedited copies of their vital records--birth, death and marriage \ncertificates. ChoicePoint helped government fulfill its mission \nguarding the safety of Americans.\n    But regretfully, I know that I am not here today to talk only about \nthe good things ChoicePoint has done. I know I am here because your \ncommittee and your constituents are concerned about the harm that may \nhave been done to approximately 145,000 Americans, whose information \nmay have fallen into the hands of criminals who accessed ChoicePoint \nsystems.\n    Let me begin by offering an apology on behalf of our company, as \nwell as my own personal apology, to those consumers whose information \nmay have been accessed by the criminals whose fraudulent activity \nChoicePoint failed to prevent.\n    Beyond our apology, I want to assure the public and the members of \nthis committee that we have moved aggressively to safeguard the \ninformation in our possession from future criminal theft. We have also \nmoved promptly to provide assistance to every affected individual to \nhelp them avoid financial harm. 
We also welcome participating in the \nefforts of this Committee and other policy-makers seeking to provide an \nappropriate regulation of our industry.\n    We have decided to exit the consumer-sensitive data market not \ncovered by the Fair Credit Reporting Act, meaning ChoicePoint will no \nlonger sell information products containing sensitive consumer data, \nincluding social security and driver's license numbers, except where \nthere is a specific consumer-driven transaction or benefit or where the \nproducts support federal, state or local government and criminal \njustice purposes. ChoicePoint will continue to provide authentication, \nfraud prevention and other services to large accredited corporate \ncustomers where consumers have existing relationships.\n    We have strengthened ChoicePoint's customer credentialing process \nand we are changing our products and services to many customer \nsegments. We are requiring additional due diligence such as bank \nreferences and site visits to small business applicants before allowing \naccess to personally identifiable information. We are recredentialing \nbroad sections of our customer base, including our small business \ncustomers. 
We are modifying the services that ChoicePoint is delivering \nto our customers.\n    The remaining ChoicePoint products and services that contain \nsensitive information will satisfy one of three tests:\n\n<bullet> Support consumer driven transactions, for which data is needed to \n        complete or maintain relationships such as insurance, \n        employment or tenant screening.\n<bullet> Provide authentication or fraud prevention tools to large, accredited \n        corporate customers to enable services such as identity \n        verification, customer enrollment or insurance claims.\n<bullet> Support federal, state or local government and law enforcement \n        purposes.\n    I have created an office of Credentialing, Compliance and Privacy \nthat will report to our Board of Directors' Privacy Committee and be \nindependent of ChoicePoint management. This office will be based here \nin Washington and be led by Carol DiBattiste, previously deputy \nadministrator of the Transportation Security Administration and a \nformer senior prosecutor in the Department of Justice with extensive \nexperience in the detection and prosecution of financial fraud.\n    I have also appointed Robert McConnell, a 28-year veteran of the \nSecret Service and former chief of the federal government's Nigerian \nOrganized Crime Task Force, to serve as our liaison to law enforcement \nofficials.\n    These changes reflect some of the lessons we have already learned \nas a result of the breaches of ChoicePoint's security which have \nresulted in the recent convictions of several individuals.\n    From what I now know, on September 27, 2004 a ChoicePoint employee \nbecame suspicious while credentialing a prospective small business \ncustomer based in the Los Angeles area. This employee brought his \nconcerns regarding the application to our Security Services Department. 
\nAfter a preliminary review, the manager of the Security Services \nDepartment alerted the Los Angeles County Sheriff's Department. They \ndecided to initiate an official police investigation and asked for our \nassistance. That investigation is still ongoing, and has, I am told, \nalready resulted in the arrest and conviction of at least one \nindividual.\n    After this situation became public last month I learned that \nanother instance in which ChoicePoint had been working with a law \nenforcement inquiry also involved a criminal use of our information \nproducts and, late last year, had resulted in a guilty plea.\n    With respect to California, we have learned that those involved had \npreviously opened ChoicePoint accounts by presenting fraudulently \nobtained California business licenses and fraudulent documents. They \nwere then able to access information products primarily containing the \nfollowing information: consumer names, current and former addresses, \nsocial security numbers, driver's license numbers, certain other public \nrecord information such as bankruptcies, liens and judgments and, in \ncertain cases, credit reports.\n    Based on information currently available, we estimate that data \nfrom approximately 145,000 consumers may have been accessed as a result \nof unauthorized access to our information products. Nearly one quarter \nof those consumers are California residents. California is the only \nstate that statutorily requires affected consumers to be notified of a \npotential breach of personally identifiable information, and authorizes \nlaw enforcement officials to delay notification to allow a criminal \ninvestigation to proceed. Last fall, ChoicePoint received such a \nrequest from the Sheriff's Department after the issue of consumer \nnotification was discussed between ChoicePoint and the Department. 
At \nthat time ChoicePoint had not yet reconstructed all of the searches \nrequired to identify consumers at risk and law enforcement officers had \nnot yet learned all of the pertinent details of the crime. Working \ncooperatively with the Sheriff's Department and after completing the \nnecessary reconstruction, we began the process of notifying consumers \nlast month. We voluntarily elected to use the California law as the \nbasis for notifying consumers in all states. Absent specific \nnotification from law enforcement personnel, affected consumers or \nothers, we cannot determine whether a particular consumer has been a \nvictim of actual identity theft. However, law enforcement officials \nhave informed us that they have identified approximately 750 consumers \nnationwide where some attempt was made to compromise their identity.\n    The security breach that ChoicePoint discovered last fall in \nCalifornia has caused us to go through some serious soul-searching at \nChoicePoint. In retrospect, the company should have acted more quickly. \nI should have been notified earlier of the investigation being \nconducted by the Los Angeles County Sheriff's Department. 
What I can tell \nyou today is that from now on, I will be notified when ChoicePoint \nlearns of a formal law enforcement inquiry involving any potential \nbreach of our security.\n    In the meantime, we have taken other steps to help and protect the \nconsumers who may have been harmed.\n    <bullet> First, ChoicePoint has established a dedicated toll-free customer \nservice number and a special web site to respond to inquiries;\n    <bullet> Second, we are providing, free of charge, a combined three-bureau \ncredit report;\n    <bullet> Third, we are providing, free of charge, a one-year credit \nmonitoring service; and\n    <bullet> For anyone who has suffered actual identity theft from this \nfraud, ChoicePoint will provide further assistance to help them resolve \nany issue arising from that identity theft.\n    We hope these efforts will help those individuals protect their \npersonal data from being used in a criminal manner and that they will \nmitigate any harm.\n    Mr. Chairman, I would like to state before this committee, for the \nrecord, my position on further regulation or oversight of information \nand credential verification providers. For the past two years, I have \nbeen working to prompt a broad discussion on how we can build a \nframework that defines how personally identifiable information should \nbe used, by whom and for what purposes. I have called for independent \noversight to give the public the confidence it needs. I support \nincreased penalties--criminal penalties--for the unauthorized access to \ninformation. I support a single, reasonable, nationwide mandatory \nnotification requirement of any unauthorized access to personally \nidentifiable information.\n    Every advance in technology that makes our lives easier also makes \nit easier for our enemies to move swiftly against us. 
You and I can be \napproved for a bank account in a matter of minutes, but a person can \nuse that same technology to get a fake or real driver's license or to \ncreate a fake business.\n    The point being, technology and information are neither good nor \nbad. People determine if the power of information is used for the \nbenefit of individuals or society or to create harm.\n    I believe that only by adding a more formal structure to the \ncurrent scheme of information use, will we realize the full value of \ntechnology-based tools to society.\n    The architects of these guidelines will be working against a \nbackdrop of apparently conflicting principles: increased concerns about \nprivacy balanced against society's need to identify people who would do \nus harm. But it is important to remember that these two principles are \nnot mutually exclusive, and that too much weight on either end of the \nspectrum leads not to balance, but to immobility, or worse, to a \nbreaking point. The privacy debate should not be a choice between civil \ndefense and civil liberty. We must aim to preserve both.\n    Perhaps I might take a few minutes to describe some of the benefits \nof having access to an individual's personal information. ChoicePoint \nhas helped find more than 800 missing children--we were even able to \nfind a baby kidnapped from a hospital the day he was born, and return \nhim to his parents within 24 hours. Our company works with the largest \nyouth services organizations around the country to help them screen \nvolunteers--we have helped identify more than 11,000 undisclosed felons \namong those volunteering, or seeking to volunteer. Included in this \ngroup are individuals who did not disclose they had been convicted of a \ncollective 5,176 violent crimes, 1,137 sex crimes, 11,397 illegal \nsubstance offenses, 1,055 crimes against children. 
Forty-two of these \nindividuals were registered sex offenders.\n    ChoicePoint's DNA laboratories have freed those wrongly accused \nfrom prison, and helped to identify suspects and victims of violent \ncrimes. Our labs matched thousands of bone fragments found in the World \nTrade Center rubble with DNA samples provided by victims' families. Our \nscientists are currently in the tsunami ravaged areas of Asia helping \nto identify victims to help bring closure to families devastated by the \ndisaster.\n    ChoicePoint helped Maryland police identify and locate two men \nnamed John Allen Muhammad and Lee Boyd Malvo. The two had no obvious \nrelationship to one another and no known ties to Washington, DC. \nInformation technology found those hidden links, and provided the tools \nfor locating the people now known as the DC Snipers.\n    In fact, ChoicePoint provides service to more than 7,000 federal, \nstate and local law enforcement agencies.\n    Not all of what we do is so dramatic. ChoicePoint also serves 700 \ninsurance companies, a large number of Fortune 500 companies, and many \nlarge financial services companies.\n    And the products involved in these transactions are regulated by \nthe FCRA, which represents a significant portion of our business. \nCertain other segments of our business are regulated by the Gramm-Leach-\nBliley Act and various state laws.\n    We look forward to participating in continued discussion of these \nissues, and I pledge our cooperation to your efforts.\n    I thank you for your consideration, and I would be pleased to \nanswer any questions you might have.\n\n    Mr. Stearns. I thank you, Mr. Smith, and first of all, I \nwould like to thank both of you, a President and CEO, Mr. \nSanford, and a Chairman and CEO, Mr. Smith, for coming here to \nspeak about these important issues.\n    And I would caution all members that they cannot actually \ntalk about the investigation with the Federal investigation \ngoing on. 
It is going to be difficult for them to talk about \nit, but they obviously can talk about what happened, and give \nus policy presentation on what they think should happen.\n    Mr. Smith, my first question is to you. And I--you know, \neverything I have read about this report in the paper. We have \nhad a little conversation ourselves. This case, a man from Los \nAngeles filled out all the proper applications to receive \ninformation from ChoicePoint, and it appears that due diligence \nby you was to confirm his application, confirm a copy of a \nbusiness license he had. Evidently, this person paid his bills, \nreceived information, including consumers' Social Security \nnumbers, which the person used fraudulently.\n    So the question for you is, based upon that scenario, what \nwould you do differently knowing what you do today, to make \nsure that this person who got this business license, who paid \nhis bills, that seemed to be, to you, a legitimate customer, \nhow would you have stopped that, today?\n    Mr. Smith. Well, I think that there are a couple things. \nFirst, we are strengthening the credentialing procedures now to \ninclude even a more rigorous analysis of that process----\n    Mr. Stearns. Can you strengthen it----\n    Mr. Smith. [continuing] to include----\n    Mr. Stearns. [continuing] good enough, you think? On your \nown, do you think you can strengthen it good enough?\n    Mr. Smith. 
Well, the reality is, one of the reasons why we \nare exiting the consumer-sensitive market, particularly as it \nrelates to small businesses, is that it is possible for a \nbusiness to set up themselves as a legitimate business, operate \nas a legitimate business, and yet, then subsequently use that \nparticular business for access to information that would be \ninappropriate.\n    We can't find out how we would avoid that, and as we went \nback through our recredentialing procedures, we determined that \nthe only way in which we could prevent the data from being \naccessed inappropriately in that circumstance, was in fact, to \nrestrict the data and not provide it all in those instances, or \nin a masked format.\n    Mr. Stearns. Well, that is what it seems to me. Now, as I \nunderstand, I read that a scam like this had been perpetrated \nagainst ChoicePoint before. Is that correct?\n    Mr. Smith. Well, what had happened is, back in 2001, we had \nreceived a subpoena about one particular account. During 2002, \nwe actually received three subpoenas asking for additional \ninformation about that account, but then, we never heard \nanything else for almost a 2 1/2 year period of time. And \nthen, in late 2004, we were asked to testify, potentially, at a \ntrial of an individual, which is the first time we had heard \nabout that since that point in time, that the person \nsubsequently pleaded guilty, and we were not asked to testify. \nSo during that previous incident, we had had subpoenas, but we \nhad not understood what the nature of the investigation was, or \nwhat potentially the crime was, until just recently.\n    Mr. Stearns. Is there any way for a private citizen to find \nout what types of information ChoicePoint data base may contain \nabout him or her?\n    Mr. Smith. There are several. 
I mean, to the extent that a \nmajority of products are actually governed under the Fair \nCredit Reporting Act, and you have the right to be able to get \na copy of those particular reports. In the public record arena, \nwe do provide individuals who request access to those reports a \ncopy of a specific report, as it references themselves.\n    Mr. Stearns. Mr. Sanford, now your case is a little \ndifferent than ChoicePoint's. A person stole sensitive \ninformation about consumers by the use of passwords \nfraudulently obtained from your customer. And I guess the \ncustomers affected the breach--do the customers affected by the \nbreach have to worry about identity theft for the rest of their \nlives, and when will the elevated risk of identity theft \nsubside, if ever?\n    Mr. Sanford. Well, sir, in our situation, the facts as we \nunderstand them, and I think we talked about this yesterday, in \nearly February of this year, one of our integration teams, \nrecall that we acquired the Seisint business late in 2004, one \nof our integration teams which was charged with the \nresponsibility of reviewing the security procedures, \nauthentication, verification, and kind of the physical security \nof the business we acquired. It came to their attention that \nthere were some irregular billing activities in a handful of \naccounts, and they did that investigation. They gathered more \nfacts, they brought that to my attention late in February, I \nthink it was February 28, and on March 2, I got on an \nairplane and flew here to Washington, DC, and met with the \nAssistant Director of the United States Secret Service, and \nasked them if they would investigate it for us, and we have \nturned over our records.\n    We don't know yet how that compromise occurred in the \ncustomer environment. Law enforcement is investigating that, \nand we will be forthright and share the details of that \ninvestigation when it is completed.\n    Mr. Stearns. 
I am sorry I am asking you to speculate. It is \nprobably not fair, but you know, this identity theft, what is \nyour experience about--does it last a year, or 2 years? I mean, \nwhat--I mean, this is--I mean, I've run into people that say it \nis a long time.\n    Mr. Sanford. I haven't seen any statistics that indicate a \ntime, you know, a cause and effect timeline that says, if an \nidentity, you know, if a record is, you know, obtained \nfraudulently, you know, is that going to then be used 4 or 5 \nyears later? I don't know----\n    Mr. Stearns. Okay.\n    Mr. Sanford. [continuing] if there are any published \nreports on that, sir.\n    Mr. Stearns. Now, in your case, it wasn't LexisNexis. It \nwas Seisint. And this company, you acquired. And is it possible \nthat Seisint outsourced, in other words, they are a \nsubcontractor, they have this information, you are the parent--\nthey are not a subcontractor, but they are owned by you. But is \nyour data base effectively outsourced to all your customers, so \nthat a breach of their security systems potentially allows \ncriminals access to sensitive information in your data bases?\n    Mr. Sanford. I am not sure I understand the question. Let \nme see if I can respond, and let me know if I am responsive to \nwhat you are looking for. This is our company. We bought this \ncompany.\n    Mr. Stearns. Right.\n    Mr. Sanford. This is not a subcontractor.\n    Mr. Stearns. Right.\n    Mr. Sanford. This is a LexisNexis business----\n    Mr. Stearns. Yeah.\n    Mr. Sanford. [continuing] that was acquired in the second \nhalf of 2004. We enter into agreements with legitimate \nbusinesses who subscribe to services. They have password and ID \naccess to a data base that we maintain.\n    Mr. Stearns. Does Seisint outsource some of their business \nto some other companies?\n    Mr. Sanford. We license some of our data base information \nto----\n    Mr. Stearns. Okay. 
So my question is, when you license it \nto these other companies, is it possible their employees, then, \nwould have access to this information, they could fraudulently \ndo it?\n    Mr. Sanford. I am still not sure I follow the question, \nsir.\n    Mr. Stearns. Okay. So if your new company outsources a lot \nof their work, they give them the identity of individuals to \nprocess, and----\n    Mr. Sanford. We license our data to other parties who are \nresellers, credit bureaus, for example.\n    Mr. Stearns. Okay.\n    Mr. Sanford. And they contractually enter into agreements \nwith us to comply with all the same safety, verification, \nsecurity safeguards that we have in place for our business.\n    Mr. Stearns. So I think what we are saying is, if you allow \nemployees to have access to this information through passwords, \nthen you are effectively outsourcing the ability of others to \nget access to this secured information.\n    Mr. Sanford. I am--I don't--I still don't understand how I \nam outsourcing to employees.\n    Mr. Stearns. Okay. Okay. My time has expired. The Ranking \nwoman, Ms. Schakowsky.\n    Ms. Schakowsky. Okay. First, Mr. Smith, in your SEC filing \nabout the 145,000 consumers that were exposed, you say that \nthat number represents those whose data was compromised after \nJuly 1, 2003, when the California law required you to report.\n    We know that there were earlier breaches, in fact, prior to \n2003, that you were unaware of, the Benson case, where they \npled guilty and were guilty of fraud. So I would assume, then, \nthe numbers are higher than 145,000. Do you have any idea what \nthat number is, and are you going back at all to review your \nrecords to find out if there were earlier breaches? What is \nyour plan here?\n    Mr. Smith. The Board or the committee has sanctioned a \nstudy to go back and to look at not only this incident, but \nprior incidents, to determine if, in fact, any other such \ncircumstances took place. 
And so that investigation is \ncurrently underway, and is being done on a very aggressive \nbasis.\n    Ms. Schakowsky. I have to say that I am pretty surprised, \nand I think a number of other people were, would be as well, to \nfind out that there was this case, you said subpoenas were \nissued, but I guess you didn't bother to figure out why or what \nthe case was about, that you would have been unaware of a \ncriminal prosecution that resulted in a conviction. How could \nthat happen, and has anybody been made to take responsibility \nfor that at all?\n    Mr. Smith. Well, we do receive subpoenas to support law \nenforcement investigations. They don't always give us \ninformation, because of the sensitive nature of the \ninvestigation, what type of investigation it might be. It could \nhave been involved in a situation such as identity theft, but \nit could have been involved in any other type of criminal \npotential incident.\n    Ms. Schakowsky. So in other words, such an instance could \ngo unnoticed still?\n    Mr. Smith. No, not today, as I have said, that we have now \nchanged our procedures so that in any circumstance where we are \nissued a subpoena, it will be elevated to me personally. We \nhave also instituted a new department that is in charge of all \nof our credentialing compliance and privacy. It is headed up by \nCarol DiBattiste, who is a recognized leader in this area, and \nshe will be assuring that any type situation that this occurs \nin the future will be dealt with very quickly, and will be \nelevated appropriately and responsibly----\n    Ms. Schakowsky. Okay.\n    Mr. Smith. [continuing] immediately.\n    Ms. Schakowsky. You know, you said that some information is \navailable to the public if they ask for it. People understand \nabout credit reporting agencies, but I have a feeling before \nall this came out with LexisNexis and with ChoicePoint that \nnobody even knew really, hardly anybody knew about you. 
Could \nyou provide us with information, or--unless you have it at your \nfingertips, of how many people have actually asked for their \ninformation from you before the ChoicePoint, before these \nscandals were revealed?\n    Mr. Smith. I will have to get you, and will be pleased to \nget you that particular information.\n    Ms. Schakowsky. Do you have any order of magnitude, of how \nmany people actually asked for that information?\n    Mr. Smith. Again, many of our products and services are \nunder the Fair Credit Reporting Act, so that they would \nnaturally be part of the new FACT Act, which requires a free \ncopy of that report----\n    Ms. Schakowsky. I understand what the requirement is, but I \nam saying I don't think there is a lot of consumer awareness \nabout it, and I am just wondering----\n    Mr. Smith. There has not been----\n    Ms. Schakowsky. [continuing] how many people----\n    Mr. Smith. [continuing] an overwhelming number of people \nwho have requested the reports. That would be correct.\n    Ms. Schakowsky. Thousands of voters were inaccurately \nlisted as felons by your company in 2000, and were denied the \nright to vote in the Florida election. That is very serious, \nand we are talking more about identity theft, et cetera, but \nthis precious right to vote. Were any laws violated by that?\n    Mr. Smith. Well, first, I appreciate the opportunity to \nrespond to that particular question and situation. The incident \nyou are referring to was a project done between a company \ncalled Database Technologies and the State of Florida. It was \noperated and run between 1998 and roughly 2000. At that \nparticular point in time, Database Technologies was a very \nsignificant competitor to ChoicePoint.\n    In the middle of 2000, but prior to the election, but after \nall of that information had been provided to the State of \nFlorida, we acquired that company. 
So ChoicePoint was not \ninvolved in any way in screening the voter rolls, in dealing \nwith the issues of what potential people were allowed to vote. \nWe have not been involved in any such situation in that regard. \nSo unfortunately, because we acquired that company, it has been \ninterpreted that we were involved. But we were not involved at \nall in that particular situation.\n    Ms. Schakowsky. Did you know about it when you acquired \nthem?\n    Mr. Smith. We--I--we did not. It was a contract between \nthemselves and the State of Florida.\n    Ms. Schakowsky. If I could ask this last question, I \nrealize it may go over time, but I want to know from both of \nyou, what quality assessment of your data do you do? How do you \nensure that the information on people is correct, and perhaps, \nmost importantly, what do you feel is your responsibility if \nsomeone is denied a home or a job or insurance because the \ninformation you are selling and profiting from about them is \nwrong?\n    Mr. Sanford.\n    Mr. Sanford. Sure. Congresswoman, we have a very few \nproducts that are governed by the FCRA. These are products that \nare involved in employment screening. And we follow a rigorous \nprocedure to make corrections. I personally get emails from \ntime to time, even phone calls from consumers that want to \nquestion the accuracy of data in our data bases. We have a \ngroup of lawyers who work with them. They have to first go \nthrough an authentication and verification procedure to make \nsure they really are who they say purport to be, and then, we \nwork with them to make corrections in the data base. Sometimes, \nthat requires them to go back to the source of where we got \nthat data from. Perhaps there is an error in a credit header \nthat we got from a credit bureau. The overwhelming majority \nof----\n    Ms. Schakowsky. So they have to go back. You don't have to \ngo back. They have to go back.\n    Mr. Sanford. 
Well, normally, a credit bureau would not \nallow us to correct a record of a consumer, since we are not \nthat consumer. We wouldn't have the legal authority to do that.\n    Ms. Schakowsky. Well, it is a source of data that you got \nit from, though.\n    Mr. Sanford. We help them. We, you know, we advise them of \nhow they can make that correction. With respect to the rest of \nthe data in our systems, it is principally public record \ninformation. And public record information is just that, \ninformation that we get from public sources.\n    And again, we don't have the authority to change an \nofficial public record that we have in our data base. We tell \npeople who ask these questions where we got the data from, \nwhere the source is, to the extent that we have the contact \ninformation, we provide them with that, and we ask them to go \nand correct that. As soon as that is corrected, our records are \nupdated, and then, we have inaccurate information in our \nsystems.\n    Mr. Smith. Again, we apply extraordinarily rigorous \nstandards to ensure the accuracy of the information. And I \nwould suggest that--I believe that people should have the right \nto access their public records, and that if, in fact, they \nshould have the right to question the accuracy of that \ninformation, and have it done in a very prompt way.\n    Again, there are cases where, when that information is \ninaccurate, the important part is to direct them back \nimmediately to the source of that information, which many \ntimes, is in some kind of State repository. 
Otherwise, even if \nwe had the ability to change the information, it would \nperpetuate itself through the system, because the source \ndocument itself was fundamentally wrong.\n    I do believe that we should allow consumers, though, to \nhave, much like it is in a credit report, the ability to make a \ncomment on their public record, if a record is deemed correct, \nbut they want to make a comment, because there is some \nextenuating circumstance associated with that information, they \nshould have the ability to do so, and I support that.\n    Mr. Stearns. The gentlelady's time has expired. The \ngentlelady from Wisconsin.\n    Ms. Baldwin. Thank you, Mr. Chairman. A couple of brief \nquestions. Mr. Smith, you anticipated one of my questions in \nyour testimony, when you expressed support for mandatory \ndisclosure of any sort of security breach in which consumers' \ndata is compromised.\n    I didn't hear, Mr. Sanford, did you take such a position, \nand is that your position also?\n    Mr. Sanford. 
Yes, we thought that the approach that the \nChairwoman of the Federal Trade Commission has outlined in her \ntestimony not only here today, but last week, in the Senate \nBanking Committee, is a very sensible approach.\n    I can tell you that we, as a matter of policy, are \nnotifying consumers, where we believe there is a significant \nrisk that some harm could come to those consumers, irrespective \nof the State in which that consumer resides.\n    I am very concerned that if we do have a host of \nnotification bills enacted across the United States in 30, 40, \n50 jurisdictions, that we will actually defeat the intent of \nwhat those statutes were intended to do, which is to put \nconsumers on notice, and have them take appropriate actions.\n    If they get flooded with a whole variety of different \nstandards, different bills, different approaches, I think we \nare going to confuse consumers, and defeat the purpose of what \nthe legislation would have been intended from the first place.\n    So a national standard, and Federal preemption is most \nappropriate here. We don't want to flood the market with a \nbunch of notices, not just from companies like information \nservices, but financial institutions, where people lose things. \nI think if we do that, they are going to end up like the junk \nmail that people get and go right in the trashcan.\n    Ms. Baldwin. Thank you.\n    Mr. Smith, in your written testimony, and you also \nreiterated it in your oral testimony, you stated that \nChoicePoint would no longer sell information products \ncontaining sensitive consumer data, and I quote, ``except where \nthere is a specific consumer-driven transaction or benefit.''\n    I am interested in precisely what that means, and \nparticularly, does it mean that a consumer would have to give \npermission for the release of that specific information, and if \nnot, how do you determine what would benefit the consumer?\n    Mr. Smith. 
Well, to give you an example of a consumer-\ninitiated transaction, it would be things such as the purchase \nof insurance. It would be seeking employment, potentially, \ntrying to rent an apartment. And so what we were trying to \nidentify there were things that it was in the consumer's best \ninterest, and they, in essence, initiated a transaction.\n    There may be cases where, and I think, the majority of \ncases, they would, in fact, have given their consent, but there \nmay be a circumstance where, in seeking a benefit, they didn't \ndirectly do that, but in fact, they benefited from that \nparticular process that was taking place, and that certainly \ncan be defined.\n    Ms. Baldwin. And how are you defining that?\n    Mr. Smith. Well, today, again, we are in the process, over \nthe next 90-day period, as we said, that we were exiting that \nmarket. Today, we are not doing it at all. We will try to \nclarify that to a greater extent as the policy is implemented.\n    Ms. Baldwin. Okay. Thank you.\n    Mr. Stearns. The gentleman from Texas, Mr. Green.\n    Mr. Green. Thank you, Mr. Chairman. I apologize, because of \nthe vote schedule, and not being able to question our Chairman \nof the Federal Trade Commission, but hopefully, we can submit \nquestions.\n    Mr. Stearns. Absolutely.\n    Mr. Green. Mr. Derek, Mr. Smith, one, I welcome, and up \nuntil I guess 2 months ago, I didn't know what ChoicePoint was, \nand as a lawyer, I understood what LexisNexis was, over the \nyears, and the expansion. But to find out that not only do you \ngather this information, but you sell it to folks who want it, \nI know under current law, I have the right to question the \nthree credit reporting agencies, and to get an annual report. \nDo any of your companies come under your--come under that \nrequirement?\n    Mr. Smith. I will speak first. 
I mean, over a majority of \nthe products and services that we supply, particularly to the \ninsurance industry, as well as to major employers, who are \ndoing background pre-employment screenings, fall under the \njurisdiction of the Fair Credit Reporting Act, and therefore, \nconsumers have the same rights under those applications, as \nthey would any other particular application.\n    Mr. Green. So we would request from ChoicePoint or \nLexisNexis the information on individual Members of Congress, \nif we wanted? I mean, I could have my own information, for \nexample. I don't really need it on the chairman, but the \nchairman ought to, maybe ought to be interested in what his is \nin your data base.\n    Mr. Smith. You can get information on yourself, yes, sir.\n    Mr. Green. Okay. And I know one of the concerns we have is \nthat the notification, I know California has a notification \nrequirement. Is that notification only when the--what is the \nrequirement under California law for notification?\n    Mr. Smith. It is when sensitive personal information may \nhave been compromised.\n    Mr. Green. Okay. So for example, if I applied for a job, \nand my employer, or potential employer, requested information \nfrom you, I would not necessarily know that that is where my \npotential information was receiving that information from?\n    Mr. Smith. No. In fact, that is an application, pre-\nemployment screening, again under the Fair Credit Reporting \nAct, and they would have to sign an application that allows \nthat that particular background screen to take place. So they \nwould know that the background screening was taking place on \nbehalf of that employer.\n    Mr. Green. Okay. Would they know it would be ChoicePoint or \nLexisNexis? Or would it just be--it is a general approval that \nI say yes, you can do a background check on me?\n    Mr. Smith. I don't know whether all specific applications \nsay the company. I would suggest generally that is not true. 
If \nyou, though, are for some reason denied employment as a result \nof a particular instance, then that particular company is \nidentified as the company that provided that employer with the \nspecific information.\n    Mr. Green. Again, is that employer required to tell that \nperson----\n    Mr. Smith. Yes. Yes, they are.\n    Mr. Green. [continuing] the reasons that--and where the \ninformation was from? I guess the MSNBC story worried me a \nlittle bit, being from Texas, and when Ms. Pierce's report was, \nit said ``possible Texas criminal history.'' You know, it seems \nlike that is just a mild innuendo, without saying if you are \ncharged with something, it is public record, and there should \nbe case number or something. Is that typical of what a pre-\nemployment search would say, would be ``possible Texas criminal \nhistory'' without any basis?\n    Mr. Smith. No, a typical, in our case, we don't have arrest \nrecords that are part of a background pre-employment. These are \nthe actual records that are warehoused by--you actually go into \nthe courthouse, and actually acquire the record itself. So it \nwould be reported as it was in the particular court.\n    Mr. Green. Okay. So you would go to that court, for \nexample, in Harris County, in Houston, Texas, we have the \nJustice Information Management System, called JIMS. That is \npublic record, and only certain folks, law enforcement, have \naccess to it, typically. And--but you could be able to access \nthat.\n    Mr. Smith. I can't speak to the specific instance in which \nyou are talking about, but in general, when a record becomes \npublic in the court itself, then anyone, not just ourselves, \nwould have a right to go----\n    Mr. Green. Okay.\n    Mr. Smith. [continuing] and review the record.\n    Mr. Green. Okay. That is true, and I guess what concerns \nme, instead of saying, you know, I don't know where Ms. 
Pierce \nis from, but she said she only visited Texas a few times, what \nwould be the basis for putting in her employment record, \n``possible Texas criminal history?''\n    Mr. Smith. I am not familiar with that. I will certainly be \npleased to get back with you at that particular circumstance, \nbut I can't really comment on that incident.\n    Mr. Green. It just seems like in a report, it ought to be \nmore specific, and say, you know, instead of--and this in \nquotes from the report, ``possible Texas criminal history,'' or \n``possible New York criminal history.'' It seemed like it would \nbe--should be more specific. If you are providing that \ninformation, and you are responsible, as your company or both \nyour companies, that it would seem like it would be much more \nspecific.\n    But I am glad to know that I can request my dossier, I \nhaven't done it with the FBI, Mr. Chairman, maybe I ought to do \nwith these two agencies, to see what reports. After my \nbriefcase was stolen last August, I got my reports from Equifax \nand typically, it was just misnaming, there are a lot Gene \nGreens that I didn't realize were running around. But anyway, I \nappreciate that, Mr. Chairman. Thank you.\n    Mr. Stearns. I thank the gentleman. The gentleman from \nMassachusetts.\n    Mr. Markey. Thank you, Mr. Chairman, very much. Mr. Smith, \nI understand that ChoicePoint is offering consumers who have \nbeen victimized by this enormous leakage of personal \ninformation a free 1 year credit monitoring service that will \nenable victims to have access to their credit report, and will \nprovide monitoring and email alerts of changes in consumers' \ncredit report activity.\n    My concern is what happens after 1 year? My constituents \nwho have written to me, who have been victimized by \nChoicePoint's privacy breach, are very concerned about the 1 \nyear time limit. 
They are afraid that these bandits will just \nwait 1 year, and then use all of this information, that will \nbring them great profit.\n    Would you promise, Mr. Smith, to give these people a \nlifetime monitoring service, and instant email and postal \nalerts for each and every consumer who has been victimized as a \nresult of ChoicePoint's negligence?\n    Mr. Smith. Well, we will continue to look at other \nremedies. To date, that was, as people--we were trying to \nunderstand what was a reasonable amount of time to be done. We \nchose that particular period. To the extent that we should \nreview that, or consider it, we will do so.\n    Mr. Markey. Would you give them 10 years? One year just \nisn't enough time. Will you give them 5 years?\n    Mr. Smith. I would be pleased to work with you and others \nof the committee, to find a way----\n    Mr. Markey. No, no, no, no, no, no, no. I want to know \nright now. One year is not long enough. Will you give them more \nthan 1 year? Will you give them 2 years?\n    Mr. Smith. We will consider extending the period of time.\n    Mr. Markey. I know your lawyers said to make no \nconcessions. One year is too short, Mr. Smith. What do you \nthink? What do you think is a reasonable time? Do you think 1 \nyear is a reasonable time, Mr. Smith?\n    Mr. Smith. What I would say is I share your concern, and I \nwill look at--to try to determine what is a reasonable amount--\n--\n    Mr. Markey. What do you think----\n    Mr. Smith. [continuing] to extend that.\n    Mr. Markey. Would you think 1 year is reasonable? You \nalready made that decision. Now that you think about it, do you \nthink 1 year is too short or not, Mr. Smith?\n    Mr. Smith. Well, I can tell you that I personally was a \nvictim of identity theft.\n    Mr. Markey. All right. So what do you think?\n    Mr. Smith. So I conclude that----\n    Mr. Markey. 
Do you think--do you want these thieves to have \nyour name now for than--do you think after a year, that they \nare not going to use it? Or do you think that you don't want \nthem, maybe, for 5 years, to have some kind of notice that you \nare getting back that it is being compromised, Mr. Smith?\n    Mr. Smith. Well, I mean, identity theft is obviously a \nvery, you know, serious crime.\n    Mr. Markey. Right. So give us more than 1 year. Give these \npeople, give my constituents more than 1 year. Can you give \nthem 2 years, Mr. Smith?\n    Mr. Smith. As I said, I--we will take a very hard look----\n    Mr. Markey. No, no. I want you, you run the shop. Will you \ngive them more than 1 year, Mr. Smith? I don't want you to take \nit under advisement. You have been thinking about this your \nwhole career. This is your business. You don't need any more \ntime to think about it. Is 1 year enough time, or should they \nget more than 1 year----\n    Mr. Smith. It was----\n    Mr. Markey. [continuing] in terms of the protection that \nthey get?\n    Mr. Smith. It was our opinion at the time that 1 year was a \nreasonable and responsible thing to do.\n    Mr. Markey. You think 1 year is reasonable and responsible.\n    Mr. Smith. I think, given what I know today, it is, but I \nwould be glad to, you know----\n    Mr. Markey. It sounds like you are not going to change, \nthen, Mr. Smith. Let me--and I don't think that is a good \nanswer for this committee, and I don't think you should be \ncoming in here letting us think that 1 year is enough time, \nwhen these people can just sit, lay in wait, while the 1 year \nstatute of limitations runs, and then they are off with 145,000 \nnames, okay? That is just absolutely preposterous.\n    Now, what types of personal information has been \ncompromised? 
You just said in the letter to my constituent, \n``personally identifiable information, such as your name, \naddress, or Social Security number may have been viewed by \nunauthorized individuals.'' Why can't you tell my constituents \nwhether or not it is their bank numbers, their credit card \nnumbers, their passwords, their children's names and ages, \npassport numbers, home addresses, Social Security numbers, and \nsimilar private information? Will you give my constituents and \nall people affected exactly what personal information was \ncompromised, and not this vague letter telling them that it \ncould include all of this, but we are not going to give you the \nexact information.\n    Will you give them the specific information that has been \ncompromised, and give all 145,000 people that specific \ninformation, Mr. Smith?\n    Mr. Smith. Well, if they request this--again, we had to \nrecreate the searches that were done, but if they would like \nthe specific information that was on that report, that could--\npotentially could have been used, then we will provide that \ninformation to them, yes.\n    Mr. Markey. Well, why won't you just provide it to all of \nthem as a matter of course? That is, the information that has \nbeen compromised? Why won't you just give each person that \ninformation, so they will know?\n    Mr. Smith. Well, again, you have got to be--for their own \nbenefit, you have got to be careful in how you disseminate that \nparticular information. By simply sending that information out, \nyou put it back in the public domain, where----\n    Mr. Markey. Will you give a notification to each and every \nperson whose information has been compromised? The notice that \nyou will provide to them if they ask you for it, each and every \npiece of information which will have been compromised, will you \ngive them that notice that you will do this search for them and \nprovide it to them?\n    Mr. Smith. 
To the extent that we can do that, because we \nhad to go back and recreate the search, and to the extent that \nthat doesn't compromise any law enforcement investigation that \nis going on, then we would be willing to do that.\n    Mr. Markey. You will provide that information, and you--\nwill you notify them that they--that you will provide it for \nthem?\n    Mr. Smith. Given our ability to recreate the search, and \nour ability to make sure we don't compromise law enforcement, \nwe will do that.\n    Mr. Markey. Do you believe that there should be a ban on \nthe sale of Social Security numbers?\n    Mr. Smith. Again, I--my position is basically the same as \nthe Chairperson of the FTC, in the sense that Social Security \nnumbers, for the most part, should be restricted. There are \ncertain uses----\n    Mr. Markey. No, no, I am talking about----\n    Mr. Smith. [continuing] of that information----\n    Mr. Markey. [continuing] the sale of Social Security \nnumbers. That is it. Just on the sale of Social Security \nnumbers. Would you support the ban on the sale of Social \nSecurity numbers?\n    Mr. Smith. Again, I would have to better understand the \ndefinition of sale, and how it is being done. But I don't \nsupport----\n    Mr. Markey. Mr. Smith, you--this is your field. You are an \nexpert in this field. Let us--I am talking about, plain and \nsimple, the sale of Social Security numbers.\n    Mr. Smith. Well, there are certain circumstances where the \nsale of those numbers are, in fact, in the consumer's best \ninterest, and so to the extent that that is correct, just the \ndirect sale of a Social Security number, without a consumer \nbenefit being derived associated with it, I am against that.\n    Mr. Markey. Give me one instance where you think the sale \nof a Social Security number would be appropriate. The sale of \nit.\n    Mr. Smith. 
Well, I mean, there are cases where you are \nreviewing fraudulent circumstances associated with somebody's \naccount, and you want to make sure that you have got the \nappropriate person, and you are matching them with the \nappropriate fraudulent circumstances----\n    Mr. Markey. And who would you sell this number to? Who--to \nwhom could this number be sold, in your opinion?\n    Mr. Smith. Well, it could be potentially used by law \nenforcement people. It could be used----\n    Mr. Markey. No, no, no. I am talking about the sale of the \nnumber. To whom do you think my Social Security number, my \nSocial Security number could ever be sold, Mr. Smith? Who do \nyou think it would be appropriate for you to sell it to? Sell \nit to.\n    Mr. Smith. Well, again----\n    Mr. Markey. Not law enforcement, not information given to a \npolice officer pursuant to a legally obtained warrant. Who else \nbesides a law enforcement official, in your opinion, Mr. Smith, \ncould you, or should you be allowed to sell my Social Security \nnumber to?\n    Mr. Smith. Again, it is used when--and you have been in a \nposition to be defrauded by somebody. It could be an \nauthentication transaction, where I am trying to determine \nwhether or not you have, in fact, been a victim of identity----\n    Mr. Markey. I am talking about selling my number as a \nproduct. Who do you think you should be allowed to sell it to, \nMr. Smith?\n    Mr. Smith. Well, again, if somebody is trying to determine \nwhether or not there is a fraudulent transaction against your \nthing, they, in essence, get access to that Social Security \nnumber as part of a broader-based service. So I don't know \nwhether you determine that a sale or not, but to the extent \nthat we derive income from the use of that information, I don't \nknow if that is what you determine a sale or not.\n    Mr. Markey. Mr. 
Sanford, would you oppose the sale, would \nyou oppose--would you support or oppose a ban on the sale of \nSocial Security numbers of ordinary Americans?\n    Mr. Sanford. I would not support a blanket ban on the sale \nof Social Security numbers, as you are describing. I think \nfinancial institutions need unique identifying Social Security \nnumber information when they are investigating fraud, making \nsure that they are doing business with the right individuals. I \nthink law enforcement needs access to Social Security numbers. \nBusinesses that are collecting legitimate debts, you need \nunique Social Security number identifying information to do \ntheir jobs.\n    Mr. Markey. Do you feel that I, or any American, has a \nright to know that you have transferred my Social Security \nnumber to a financial institution, which is now doing an \ninvestigation of me? Do you have a responsibility to give me a \nnotification that you have transferred my number for that \npurpose?\n    Mr. Sanford. Sir----\n    Mr. Markey. Do you think you should have a responsibility \nto notify an individual that my information, or any American's \ninformation, has been transferred to another party without my \nexplicit permission?\n    Mr. Sanford. No, I do not, sir. I think that the laws of \nthe United States clearly lay out the permissible purposes for \nwhich sensitive information like Social Security numbers can be \nused. This deliberative body has decided what those legitimate \nand permissive uses are, and we responsibly use the information \nthat is charged to us, to provide for permissible uses to, in \nfact, help consumers.\n    Mr. Markey. Well, the question is not whether or not the \nlaws that have already been passed are adequate. The question \nis--are sufficient. 
The question is going forward, and learning \nthe lessons which we have learned, should we have tougher \nprotections on the use of Social Security numbers by companies \nthat collect them?\n    My opinion is, Mr. Chairman, that what we are hearing today \nis basically an industry that is still in denial. It still \ndoesn't recognize how highly all Americans value their privacy, \nand will hope to be able to ride out this scandal, without \nhaving Congress have made the changes that are necessary, and \nall I know is that Mr. Smith and his company are the largest \nsingle contributors to a lobbying effort to block truly \neffective privacy laws being passed in Congress. And that is \nall I have to know, okay? Because we are not going to have a \ndiscussion with him as he sits here, because his company is, in \nfact, effectively the chief lobbyist to block any effective \nprivacy laws from being passed, and we are not going to get the \nanswers we need for the public at this hearing.\n    Mr. Stearns. The gentleman's time has expired. I would say \nto all members we might go a second round, if people feel \nstrongly about it. We don't have a lot of members here. We have \nthe time allotted for it. The gentleman--Mr. Gonzalez.\n    Mr. Gonzalez. Thank you very much, Mr. Chairman. A question \nfor Mr. Smith. I wasn't real clear when you were answering Ms. \nBaldwin's question, Mr. Smith. In your testimony, it says ``we \nhave decided to exit the consumer-sensitive data market not \ncovered by the Fair Credit Reporting Act.'' And you explained \nsome of that, about someone affirmatively asking for something \nthat benefits the consumer, and so on.\n    The incident in California, had you had that in place, that \nperson would not have qualified for that information?\n    Mr. Smith. The information on that particular report would \nnot have had the driver's license or, in fact, the Social \nSecurity numbers on it under that situation. That is correct.\n    Mr. Gonzalez. 
So what you have in place, you would avoid \ncertain information having been transmitted to this fraudulent \nbusiness that was requesting your services.\n    Mr. Smith. That is correct.\n    Mr. Gonzalez. What is--where do you get all this \ninformation? I am just curious. I know public record is public \nrecord, and I think Mr. Sanford has alluded to it, and we all \nknow that. Once it is in the basic public domain, you collect \nit, disseminate it, and so on. But what are your sources for \nthe Social Security numbers, Texas driver's license numbers, \nthat type, that is not generally made public?\n    Where do you get all that information? And I am not--Mr. \nSanford, Mr. Smith.\n    Mr. Smith. Well, I mean, the information comes from a \nmyriad of sources. It comes from basic Federal, State, and \nlocal data repositories. It comes from--in terms of our Fair \nCredit Reporting Act business, it comes from the insurance \nindustry itself. It comes, in some cases, from the consumers \nthemselves, and information that they have provided.\n    So there are a tremendous myriad of sources of the raw \ndata, that we either directly acquire or we get through \nconduits for things such as the Fair Credit Reporting Act, and \nget credit reports through the credit reporting agencies.\n    Mr. Gonzalez. Okay. And you have indicated in your \ntestimony that maybe there were some red flags, you should have \nacted more quickly in responding to what happened in \nCalifornia. Is that correct?\n    Mr. Smith. Now that we understand that situation, and how \nit evolved, we should have recognized sooner the magnitude of \nthat particular crime, and escalated the processed to a greater \nextent. That is correct.\n    Mr. Gonzalez. I am not familiar with specifics. Was this \njust one individual company fraudulently operating that got \n145,000 records or information on individuals?\n    Mr. Smith. 
In this particular case, it was--I mean, this is \nan active law enforcement investigation, so I really can't talk \nin great detail.\n    Mr. Gonzalez. Oh, you won't compromise anything, believe \nme.\n    Mr. Smith. But the crime itself, but in essence, an \nindividual was able to get a legitimate, but unfortunately \nfraudulent California business license, that was----\n    Mr. Gonzalez. One business license----\n    Mr. Smith. It was----\n    Mr. Gonzalez. [continuing] with regard to 145,000----\n    Mr. Smith. [continuing] with a business license, and then, \nthey were able to get subsequent account structures under \neither that business license, or other fraudulent licenses \nassociate with that particular situation. It depends on the \ntype of small business in which you are, it would ring a flag \nin terms of whether or not 145,000 or whatever the specific \nnumber was in that case, would be abnormal or not. \nHistorically, there would have been sometimes, collection \nagencies, for instance, would be using the information to help \nfind people who were due bad debts.\n    Mr. Gonzalez. So it was not unusual to have that kind of \nnumber, in the way of requests, from any particular entity.\n    Mr. Smith. It depends on what the customer, the type of \nbusiness in which that customer was, and in particular, the \ntype of permissible purpose or access purpose in which they \nwere granted. You know, again, I would remind you that it was \nthrough our audit processes, in this particular circumstance, \nthat we found that it appeared to be usage that was outside of \nwhat would have been the normal patterns of this particular \ncircumstance, that ultimately led to the investigation in \nCalifornia itself.\n    Mr. Gonzalez. Okay. Let me ask you something quickly. And I \nam not real sure--I know it means a lot of work for you and \nsuch. If someone is making an inquiry on Congressman Gene \nGreen, because someone--obviously, someone stole his briefcase. 
\nIt could be identity theft. Is there a problem notifying the \nindividual that an inquiry is being made by ABC Company, Wells \nFargo, or whatever, just basically Congressman Gene Green, you \nare notified that our company has been requested to provide \ncertain information to Company ABC. Because then Gene would \nknow he has never gone into ABC Company. He has never made an \napplication for any type of--there is no type of transaction \nrelationship, transactional relationship.\n    Mr. Smith. Again, it would depend upon why that information \nwas being accessed. Many times, it is being accessed to \ndetermine whether or not a fraudulent transaction or some other \nsituation, where not necessarily you would want to let the \nconsumer alerted to the fact that that information was being \naccessed. So there are some cases where there certainly would \nbe nothing wrong with alerting to somebody that, in fact, their \ninformation had been accessed. But in other situations, that \ncould, in essence, defeat the very purpose of why the \ninformation was being used.\n    Mr. Gonzalez. And then, real quick, I think I am out of \ntime. I only need a minute, Mr. Chairman. And that is, if you \nare a victim of identity theft, let us say Congressman Green \nhad been a victim of it, and he is trying to clear up all his \nrecords.\n    Is it reflected in the information that you compile that \nsomeone is a victim? In other words, so there is future \ninquiries. Congressman Markey made a good point. You know, you \nhave got 1 year running on this thing. I guarantee you that \ninformation has been sold, resold, it is all over the place. A \nyear does nothing, and it is ongoing.\n    Is there anything that alerts you guys that gather all this \ninformation that this was a victim of identity theft, and \nthings that may be, again, relevant to that file, or account, \nmay be part of that fraudulent act?\n    Mr. Smith. 
There is no centralized system that allows for \nthat to take place. You can put a fraud alert on your credit \nreport that would indicate, in fact, that you have been a \nvictim of identity theft, which would change the nature of \nwhich that report was being viewed.\n    Mr. Gonzalez. And that is not mandatory, that is just----\n    Mr. Smith. That is an option that the consumer, and some \nconsumers choose to take that option, and some consumers do \nnot.\n    Mr. Gonzalez. All right. Last question quickly. And what \nwould it cost to get a report? I know that from the credit \nreporting agencies, that I am entitled to get a free report or \nwhatever it is, is it also free from ChoicePoint?\n    Mr. Smith. It is. It is governed, again, those particular \nreports, on the Fair Credit Reporting Act, and you are entitled \nto a free report on an annual basis.\n    Mr. Gonzalez. Thank you. Thank you, Mr. Chairman.\n    Mr. Stearns. The gentleman----\n    Mr. Strickland. Mr. Chairman--oh.\n    Mr. Stearns. Yes.\n    Mr. Strickland. I was just going to--expanding Mr. \nGonzalez's last question----\n    Mr. Stearns. Do you seek additional--unanimous consent?\n    Mr. Strickland. The unanimous consent. Is that report that \nis at no cost similar to what we would get from a credit \nreporting agency, or would it be the expanded report, or the \ncomprehensive report, that I know that was quoted in the MSNBC \narticle?\n    Mr. Smith. The public record report is not governed under \nthe Fair Credit Reporting Act, and so that would be a separate \nreport, in terms to be able to gain access to that report.\n    Mr. Strickland. Although you package that into a \ncomprehensive report for someone who subscribes to the service?\n    Mr. Smith. Well, no, that is just a technical name of a \npublic record report. That is not packaged together with those \nother types of reports that are covered under the Fair Credit \nReporting Act. 
It is just--that is just a term used for a \nspecific type of public record report.\n    Mr. Strickland. Thank you, Mr. Chairman.\n    Mr. Stearns. I thank the gentleman.\n    Mr. Strickland. Just trying to get our definitions right. \nThank you. The full chairman of the committee.\n    Mr. Stearns. The full chairman is recognized.\n    Chairman Barton. Well, thank you. And of course, \nCongressman Gonzalez just left, but we were in the enviable \nposition just then, that Ranking Member Schakowsky and \nsubcommittee Chairman Stearns were so lucky to be surrounded by \nthree Texans on the right and the left. Sometimes, it is just \nfun to be alive in this committee, isn't it? There you go.\n    I want to first thank you two gentlemen for testifying \nvoluntarily. You know, we didn't have to subpoena you, and we \nwere able to work with your representatives to make sure that \nyou all could come, and felt comfortable coming. So I do want \nto publicly on the record thank you for that.\n    I am going to ask one of the same questions that \nCongressman Markey asked in his questions. I am really \nwrestling with this issue of selling people's Social Security \nnumbers without their permission, and I asked this to the \nChairwoman of the Federal Trade Commission, and she has \nindicated that she--if I heard her correctly, she didn't think \nit should be traded or sold without the permission of the \nindividual, unless there was a law enforcement reason to do \nthat.\n    So I wanted to give you two folks, since you are two of the \nbiggest data collectors in the country, an opportunity to tell \nwhy, if you do think it should be legal to continue to sell the \nSocial Security number, without the permission of the \nindividual, why that is so.\n    Mr. Sanford. Would you like me to go first?\n    Chairman Barton. Either one.\n    Mr. Sanford. All right. 
Chairman Barton, a Social Security \nnumber is a particular unique identifying number, and there are \nsome Federal laws that govern the use of that, and which \nprovide for legally permissible uses. The intent of that law \nwas to facilitate commerce, to help law enforcement. And in \naddition to law enforcement situations, having the ability to \nactually associate broad records and information with a \nparticular individual, that Social Security number is that \nunique identifying piece of information that allows financial \ninstitutions, for example, to determine whether or not they are \nhaving a fraudulent transaction in their business.\n    It clearly is critical for law enforcement. It is critical, \nalso, in the collection of debts, collection of debts for \ncompanies. It is very, very important in terms of keeping costs \ndown for the rest of the consumer. We restrict the use of \nSocial Security numbers in our data bases for these specific \npermissive uses. At LexisNexis, we truncate the Social Security \nnumber, the last 4 digits, so that unless you have a specific \npermissible use, under Federal law, you will not see that \nSocial Security number displayed in the answer for a query that \nyou do on the system.\n    We are also extending that kind of masking to sensitive \nother information, like driver's license numbers, and our \nrestrictions are more restrictive than what is currently \nrequired by law. I think that strikes the right balance, in \nterms of making sure that we provide for lawful, legitimate \nuses of this information, but at the same time, protecting the \nprivacy of the consumers.\n    Chairman Barton. Okay. Mr. Smith.\n    Mr. Smith. 
Well, first, you know, I would say that I do \nsupport stronger legislation regarding the uses of Social \nSecurity numbers, in particular, in the display of those Social \nSecurity numbers, so that while they may need to be used to \nvalidate and verify an individual, or help support a \ntransaction, the actual printing out of those numbers, or at \nleast certainly in their totality, I don't believe is a \nnecessary thing to do, and could be restricted in very dramatic \nways.\n    I think what you hear coming from at least me, and I think, \nyou know, my colleague shares this, is that there are more than \n23,000 William Smiths in the United States, and as we try, and \nsociety tries to determine how you can legitimately determine \none individual from another, or particularly, to ensure that \ntheir data is correctly put with that individual and another, \npeople who are trying to find appropriate mechanisms to create \nthe uniqueness of that individual. One of the mechanisms that \nhas been used to do that has been the Social Security number. \nOthers, driver's licenses, so that--and what we are trying to \nsuggest is that there needs to be a recognition that the \nability to use some type of personal identifier, whatever \ncorrect one it is. If you could get to a better, more specific \none, and not use Social Security numbers, that would be \nterrific, so that you can make sure that you are dealing with \nthat unique individual.\n    As William Smith moves around statistically, will move \naround the United States, 15 percent of them will move, you \nwant to make sure that you put the data with the correct one. \nSo I agree, the publishing and making available for anybody to \nsee a Social Security number is not an appropriate thing to do. \nWe just need to make sure that we can maintain the uniqueness \nof individuals, and allow for those applications, such as fraud \nor law enforcement, where it provides a very important tool.\n    Chairman Barton. 
Well, I don't want to belabor the point, \nand we didn't do this for this hearing, but I thought about it, \nto prove a point. I could have asked the staff to take your two \nnames, and without too much trouble, gotten your Social \nSecurity number, and with that, gotten lots of information out \nthere that is collated on you two gentlemen. A lot of it, I \ndidn't need to know, you know, just almost for prurient \ninterest, to get a profile on you two gentlemen. Just to \nprove--now, I didn't do that, because that would have been kind \nof hitting below the belt, but it is--it would have been easily \ndone. And that is wrong.\n    You know, we had banks long before we had the Social \nSecurity system, and bankers made loans, and bankers checked \nup, and we had fraud long before the Internet, but the Internet \nhas made fraud a lot easier to commit, and you two folks are in \nthe business of collecting information, which is totally \nlegitimate, but sometimes, the information you collect, when \npeople apply to get that information, they apparently use this \nloophole of trying to prevent fraud. They want to--and you sell \nthem the information totally legally, not illegal, but they \ndon't use it for that purpose, and you folks don't make any \nreal attempt to try to guarantee that it is used for the \npurpose for which you allegedly, they purportedly ask that you \ngive it to them, and I think that is just wrong.\n    I mean, we have got to find a way to allow you folks to do \nwhat you do, and protect the privacy of the average citizen, \nand I am not sure what we are going to do, but I think there is \na very good chance we are going to put together a bill that \nwill make it illegal to sell the Social Security number without \nthe permission of the individual, unless there is a legitimate \nlaw enforcement purpose, or there may be one or two other \nexceptions. I don't know what they would be. 
I have just--I \nhave not heard anything that explains to me why we should allow \nthat to go on.\n    Mr. Chairman, I have exceeded my time. Thank you.\n    Mr. Stearns. I thank the full chairman. Let me just, we are \ngoing to allow a second round here, if the chairman wishes. But \nlet me just follow up a little bit with what the chairman \nmentioned. And with Mr. Markey. He was trying to ask you \nspecifically to give us a case example when you could sell the \nSocial Security number, and I would like each of you just to \ntake John Doe, for example. Under what circumstances would you \nsell the Social Security number for John Doe? Just give me \nspecifically what that would be, each of you.\n    Mr. Sanford. Well, would you like a law enforcement \nexample?\n    Mr. Stearns. Well, let us--okay.\n    Mr. Sanford. Or a financial institution example?\n    Mr. Stearns. For selling, would you--do you actually sell \nto the law enforcement, do the----\n    Mr. Sanford. What we----\n    Mr. Stearns. Does the FBI and the Justice Department pay \nyou for the Social Security numbers for John Doe?\n    Mr. Sanford. We enter into subscription agreements at \nLexisNexis with----\n    Mr. Stearns. Okay.\n    Mr. Sanford. [continuing] law enforcement agencies, \nfinancial institutions. They are subscribers----\n    Mr. Stearns. Financial institution means banks.\n    Mr. Sanford. Yes, sir.\n    Mr. Stearns. All the banks in America. If they----\n    Mr. Sanford. That would be our hope.\n    Mr. Stearns. Yeah, if they----\n    Mr. Sanford. Not yet.\n    Mr. Stearns. [continuing] subscribe. Okay. Financial \ninstitutions, law enforcement, who else?\n    Mr. Sanford. You would have credit departments of \nlegitimate businesses who are trying to collect legitimate----\n    Mr. Stearns. Right.\n    Mr. Sanford. [continuing] debts of----\n    Mr. Stearns. Okay.\n    Mr. Sanford. [continuing] that organization. 
And then, on a \ncase by case basis, you could have a particular, you could have \na particular organization----\n    Mr. Stearns. Could this----\n    Mr. Sanford. [continuing] a government body who is \ninvestigating----\n    Mr. Stearns. Yeah.\n    Mr. Sanford. [continuing] criminal or fraudulent activity.\n    Mr. Stearns. Well, let us say Chairman Barton wanted to get \nthe Social Security number for John Doe. Could he pay you?\n    Mr. Sanford. He would have to have a--one of the permissive \nuses, and not just because he wanted to look it up. He would \nnot gain access.\n    Mr. Stearns. But if he had the permissive--permitted uses, \nhe could buy it from you.\n    Mr. Sanford. He would, as part of a subscription \nagreement----\n    Mr. Stearns. Okay.\n    Mr. Sanford. [continuing] do a query on the service, and he \nwould get an answer.\n    Mr. Stearns. Okay.\n    Mr. Sanford. And if he was----\n    Mr. Stearns. So let us say he goes out and opens up a \nbusiness. He gets a business license, and he calls himself \nwhatever is necessary to get this permitted use, then you would \ngive it to him.\n    Mr. Sanford. Well, I would like to tell you that our \nverification procedures are not going to allow someone like \nthat to gain access, first of all, even to a--that kind of \ninformation. We have a very, very rigorous verification \nauthentication process. And then, just because we credentialed \nyou, and we are willing even to do business with you, then we \ngo through a special access credentialing to make sure that you \nhave legitimate purposes.\n    Just because you are a bank doesn't mean we are \nautomatically going to----\n    Mr. Stearns. But in the case of ChoicePoint, they did all \nthis, and it still didn't work, and this person got the Social \nSecurity numbers, right? That is what happened.\n    Mr. Sanford. Well, we are never going to--I can't guarantee \nyou that----\n    Mr. Stearns. So----\n    Mr. Sanford. 
Sir, I can't guarantee you that----\n    Mr. Stearns. So you are credentialing Chairman Barton to \nget John Doe's Social Security number is the key. If that \ncredentialing is not done rigorously, robust, then for all \nintents and purposes, that Social Security number is being sold \nand being used--the key is that credentialing, don't you think?\n    Mr. Sanford. I think it is one of the keys. I think there \nis actually a lot more to it than that.\n    Mr. Stearns. Okay.\n    Mr. Sanford. I think credentialing is the first step. I \nthink strong security protocols is the second step. Making sure \nthat companies that would appear to be legitimate businesses \nstill have a need, have a permissive use to use that, and then, \nongoing monitoring and security to make sure that the usage by \nthose customers is not abnormal. Detection software that people \nlike us use to monitor to see whether or not we have abnormal \nusage.\n    Mr. Stearns. Now, I am not suggesting this, but is there a \npossibility that we need an outside third party to credential \nyour credential? In other words, the credential is between you \nand Chairman Barton in this case. Is it possible that we need \nsome kind of corroboration, authentication of what, how you \ncredential these people, some standards, or the fair--I mean, I \ndon't know. I mean, just your--I mean, I am just asking \nwhether----\n    Mr. Sanford. Yeah. I mean, we contract ourselves with third \nparties to conduct security audits----\n    Mr. Stearns. Okay.\n    Mr. Sanford. [continuing] to advise us. We talk to law \nenforcement. We ask them what else should we be doing, not just \nin this current----\n    Mr. Stearns. Okay.\n    Mr. Sanford. [continuing] situation, where we have----\n    Mr. Stearns. Okay.\n    Mr. Sanford. [continuing] an investigation----\n    Mr. Stearns. All right.\n    Mr. Sanford. [continuing] ongoing.\n    Mr. Stearns. Mr. 
Smith, you have written a book called Risk \nRevolution, and you have talked about how information \ntechnology can be used to reduce risk and increase peace of \nmind, and you also talk about personal privacy and how we need \nto--need not trade civil liberties for civil defense, if we act \nnow, in this book called risk. But one of your quotes in the \nbook is, it says: ``Each of us have a right to privacy. \nHowever, none of us have a right to absolute anonymity.'' And \ncould you explain that, what you mean by----\n    Mr. Smith. Yes.\n    Mr. Stearns. [continuing] that expression?\n    Mr. Smith. I will be glad to. What I am saying is is that \nas people seek rights and privileges in society, for instance, \nyou are trying to drive a hazardous waste truck through the \nHolland Tunnel in New York, where you could potentially put \nmillions of people at risk, then your ability to be anonymous, \nor not having to disclose who you are, when you are trying to \nget that particular right or privilege, is something that I \nthink in today's risky world, would be extraordinarily \nproblematic, and would create more problems than it would \nsolve.\n    Mr. Stearns. So any American who wants to be anonymous \ncannot be so, in your--he will not have this absolute----\n    Mr. Smith. No.\n    Mr. Stearns. [continuing] anonymity, because he cannot have \nit, in your expression?\n    Mr. Smith. No. Not at all. If you are sitting at a sidewalk \ncafe, and you are not seeking any right or privilege from \nsociety, or you are not at any risk to anyone else, then I \nabsolutely don't believe that people should have the right to \nknow who you are. 
This is more as you interact throughout \nsociety, because there are risks that are being created every \nday, and to give you an example, 3 percent of all volunteer \nworkers today have undisclosed serious criminal violations, and \njust recently, we had a situation where, in Texas, in fact, \nwhere somebody was applying to be a volunteer at a youth, \nfemale youth organization, who had just been released for his \neighth conviction of child molestation 2 weeks prior to him \ntrying to volunteer. That is a circumstance and situation where \nwe can't allow someone to be anonymous and put our children at \nrisk. That is the kind of situation in which I was referring to \nin the book.\n    Mr. Stearns. All right. Thank you. And the gentlelady.\n    Ms. Schakowsky. Thank you, Mr. Chairman. Our subcommittee \nasked both of you to submit sample reports, that can be \nredacted reports, for the record. And I wanted to be sure that \nyou are going to provide us with that information.\n    Mr. Smith. I didn't know we were asked to. Go ahead.\n    Mr. Sanford. I apologize. I understand we have not yet \nsubmitted that. Chairman Stearns and I talked about my \nattendance on Thursday, last week, so I am sure we will get you \nthat in a matter of days.\n    Ms. Schakowsky. And Mr. Smith.\n    Mr. Smith. We would be pleased to do that.\n    Ms. Schakowsky. You act as if you don't know that you were \nasked for it.\n    Mr. Smith. I checked--I was not aware personally that we \nwere asked for that.\n    Ms. Schakowsky. Okay. Well----\n    Mr. Smith. But we would be pleased to do so.\n    Ms. Schakowsky. Okay. Thank you. I have a number of \nquestions I wanted to ask. Mr. Smith, how much does it cost you \nto provide that information for--to provide that monitoring for \na year? How much is your company going to expend per year to \ntry and protect those whose privacy was breached?\n    Mr. Smith. That is a two--it approaches $2 million.\n    Ms. Schakowsky. Okay. And Mr. 
Smith, how much did your \ncompany spend last year--well, let me just read you the quote \nfrom the Wall Street Journal. ``These data sellers,'' and I am \nassuming that would include LexisNexis, I am not sure, ``have \ndeveloped a deft combination of lobbying and industry-\naffiliated think tanks to head off increased oversight. \nChoicePoint, and six of the country's other largest sellers of \nprivate consumer data, spent at least $2.4 million last year to \nlobby Members of Congress in a variety of Federal agencies, \naccording to disclosure forms filed with the U.S. House and \nSenate. ChoicePoint was the biggest spender, with $970,000 \neither paid to outside lobbyists, or spent directly by the \ncompany.'' And let me just make an editorial comment here. You \nknow, at the same time as you are saying that now, after the \nfact, you want to help these consumers, your company, at least, \nand I don't know about Mr. Sanford's, are engaged in lobbying \nefforts to defeat increased oversight, to the tune, it appears, \nof about $1 million last year.\n    Mr. Smith. Well, it is my understanding that the majority \nof the dollars you just spent there were not spent in lobbying \nfor no regulation in our industry. A lot of that was done for \nbusiness development here in Washington. We serve a lot of \nclients in this particular area. I mean, I would be glad to get \nyou a more accurate data as to what was done lobbying-wise. I \nwould----\n    Ms. Schakowsky. Well, I--let me ask you this. If both of \nyou could provide us with information on positions that you \nhave taken on legislation that has dealt--or regulations that \nhave dealt with privacy, I would appreciate seeing that \ninformation.\n    Let me ask one final question that deals with victims of \ndomestic violence. 
I wondered if either of your companies make \nany special efforts--I actually don't know if you are required \nby law, if you voluntarily do anything to protect the \ninformation of domestic violence victims?\n    Mr. Smith. I will have to get back with you to answer this. \nI don't believe so, but I don't know the answer to your \nquestion.\n    Ms. Schakowsky. You realize what I am getting at, that the \nfact that this information, even as basic information as \naddress, could put the lives of people who have been victims of \ndomestic violence at risk.\n    Mr. Smith. Well, we take domestic violence very seriously. \nWe sponsored the National Rape Evidence Project, in which we \nraised, as a company, over $200,000 to help get rape kits \ntested----\n    Ms. Schakowsky. Well, sorry, but----\n    Mr. Smith. [continuing] the police, yeah, so this is an \nissue that we believe very strongly in, and so we support you \nin any way, in order to make sure that in no circumstance, \nsomebody could be subject to violence as a result of this \ninformation.\n    Ms. Schakowsky. So you--I would hope that, then, you would \ncheck what policies you have to prevent, and Mr. Sanford.\n    Mr. Sanford. Yes, we have a policy that under limited \nsituations, individual consumers can opt out of our data bases, \nand that is actually one of the examples where people do opt \nout, because making their identity known to others, then, would \nput them at future risk.\n    Ms. Schakowsky. How would one opt out?\n    Mr. Sanford. I have on our LexisNexis website, we have a \nprivacy page that lays out the procedures, who they call, and \nthey usually submit documentation. It lays out, you know, what \nis the reason.\n    Ms. Schakowsky. How would someone know to do that? How \nwould someone that is a victim of domestic violence know how to \navail themselves of that option?\n    Mr. Sanford. 
I think unless a consumer agency or a \ncounselor made them aware of it, they probably wouldn't know.\n    Ms. Schakowsky. Thank you.\n    Mr. Stearns. I thank both of you for your time and \nforbearance here. We are completed with the second panel, and \nwe invite the third panel to come forward.\n    Mr. Joseph Ansanelli, Chairman and Chief Executive Officer \nof Vontu, Incorporated, and Mr. Marc Rotenberg, Executive \nDirector, Electronic Privacy Information Center. We welcome \nboth of you, and thank you for your patience for waiting \nthrough the second panel.\n    And Mr. Ansanelli, we will start with you, with your \nopening statement.\n\n    STATEMENTS OF JOSEPH ANSANELLI, CHIEF EXECUTIVE OFFICER, \nVONTU, INC.; AND MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC \n                   PRIVACY INFORMATION CENTER\n\n    Mr. Ansanelli. Chairman Stearns, Ranking Member Schakowsky, \nand members of the committee, good afternoon, and thank you for \ninviting me to testify, and thank you for your ongoing efforts \nand focus on this issue of the protection of consumer data. I \nam Joseph Ansanelli, CEO of Vontu. We provide information \nsecurity solutions to help Fortune 500 companies, such as Best \nBuy, Prudential, Charles Schwab, and others prevent the loss of \nconsumer data over the Internet.\n    Given my work with these companies, I hope to provide a \nunique viewpoint for policy considerations, and add to the \ndiscussion of a need for a national consumer data security \nstandard. In order to reduce identity theft, it seems that \nthere are at least three important areas for policy.\n    The first is the criminals who actually steal the \nidentities. Second is the consumers who need education on the \nimportance of protecting their identities, as well as help if \nthey become victims. And the third area is the organizations \nthat actually store consumer data. 
It is third area, companies, \nbusinesses, government agencies that store consumer data, in \nwhich I have particular expertise, and is the focus of my \ntestimony.\n    An important point to understand is that these \norganizations are not the criminals perpetrating identity \ntheft. In fact, all the companies with which I work invest \nsignificant resources, and are fully committed, to protecting \nconsumer information. However, today, the question that many \npeople are asking is are these organizations doing enough to \nensure the security of consumer data?\n    To answer that question, I suggest we must first ask the \nquestion, is it clear to these organizations what is required \nand expected of them to ensure the security of consumer data? \nUnfortunately, despite existing legislation, there is some \nconfusion around what is required, and confusion is the enemy \nof consumer protection. To date, Congress has taken important \nsteps to address consumer data protection, through industry and \norganization-specific regulations. For example, Congress has \npassed Section 501(b) of Gramm-Leach-Bliley for financial \nservices, Part 164, subpart C of HIPAA for healthcare \nproviders, the Driver's Privacy Protection Act, the Fair Credit \nReporting and FACT Act, and many others. Additionally, many \nStates are creating de facto national standards and \nrequirements, such as California S.B.1386, which requires \nnotification in the case of a breach. These different \nlegislative acts have--all have aspects of consumer data \nprotection, yet each has tackled the problem differently, based \non either industry or State-specific requirements. 
And that is \nwhere the confusion begins.\n    I think one important question for this committee to \nconsider is what is the difference in how a bank versus how a \nretailer, versus how a utility provider should treat the \nsecurity of a Social Security number or any other consumer \ninformation, and should the focus of policy be on the industry, \nor instead, on the data itself? I think everyone would agree \nthat the data is what needs to be protected across all \nindustries. We support the suggestion of the Chairwoman of the \nFTC earlier today that one possible solution to raise the level \nof consumer data protection is to extend existing regulations, \nsuch as GLBA, and the Safeguard Rules, to any organization \nwhich stores data. This would enable and create a preemptive \nand unified national consumer data security standard. We \nsuggest the standard would require organizations that store \nnonpublic consumer information to one, ensure the security of \nthat information. This would create an affirmative obligation \nof companies that store it to protect it.\n    Second, we think that organizations should protect against \nreasonably anticipated threats to the security of such data. As \nnew threats emerge, this would allow the requirements to evolve \nwithout requiring new legislation. Third, it is important that \ncompanies protect against unauthorized access to or use of such \ninformation that could result in substantial harm to a \nconsumer. This would help prevent against fraudulent efforts to \ngain access to the data by outsiders or insiders, as is the \ncase in many recent breaches. 
Fourth, we think that companies \nhave an obligation, and should have an obligation, to ensure \ncompliance with their security policies by both their employees \nand workforce, as well as third parties that they give access \nto that information.\n    This would help address the issue of the insider threat, \nwhich was the situation in the recent Teledata case, as well as \nconcerns regarding offshoring and outsourcing. These first four \nare very similar to what is currently required under GLBA and \nHIPAA.\n    The last requirement we suggest and we support is the idea \nof notification. Companies should disclose any loss of \ninformation, when it is reasonably believed that such loss \ncould result in substantial harm to the consumer. This would \nclearly help consumers proactively protect themselves by \nmonitoring their credit reports, setting up fraud alerts, and \nother efforts to watch for potential issues.\n    In addition, while these requirements serve as the \nproverbial stick, I suggest the committee also consider any new \nlegislation also potentially provide a carrot as an incentive \nto go beyond any base requirements. It is important to remember \nthat security is a journey, and like any other crime, it is \nunlikely we will completely eliminate the theft of identities. \nTherefore, a carrot might provide some level of protection \nagainst the risk of excessive punitive damages for those \norganizations with qualifying security programs. This is not \nprotection against economic or reasonable pain and suffering \ndamages, but against excessive punitive actions when companies \nare already meeting or exceeding these requirements.\n    In summary, to reduce identity theft, policy should focus \non the three areas of criminals, the consumers, and the \norganizations that store consumer data. 
I suggest this \ncommittee consider the idea of a preemptive national consumer \ndata security standard that also protects organizations from \npotential excessive punitive damages, when they are making the \nbest efforts to protect the data.\n    Thank you, and I look forward to any questions.\n    [The prepared statement of Joseph Ansanelli follows:]\n Prepared Statement of Joseph Ansanelli, Chairman and CEO, Vontu, Inc.\n    Chairman Stearns, Ranking Member Schakowsky and all the Committee \nmembers, thank you for your ongoing focus on the protection of consumer \ndata.\n    I am Joseph Ansanelli, CEO of Vontu, an information security \nsolutions company that helps Fortune 500 organizations such as Best \nBuy, Prudential, Charles Schwab and others, prevent the loss of \nconsumer data over the Internet. Given my experience with helping some \nof the largest companies in America protect their consumer data, I hope \nto provide a unique viewpoint on the question of policy considerations \nas a result of recent cases of consumer data loss and if there is a \nneed for a national consumer data security standard.\n\n          PROBLEM: IDENTITY THEFT AFFECTS MILLIONS EVERY YEAR\n    The FTC <SUP>1</SUP> estimated that in one year alone approximately \n10 million people--or almost 5% of the US adult population--were \nvictims of Identity Theft. These victims reported $5 billion in out-of-\npocket expenses and countless hours of lost time repairing their credit \nhistories. In the previous five years, almost 30 million people were \nvictims of identity theft.\n---------------------------------------------------------------------------\n    \\1\\ Federal Trade Commission--Identity Theft Survey Report, \nSeptember, 2003\n---------------------------------------------------------------------------\n    This is not only a problem for consumers, but for business as well. 
\nAs part of the same FTC report, the losses to businesses totaled nearly \n$50 billion.\n    Additionally, there is a risk to companies that is not mitigated \nthrough insurance or other strategies--loss of consumer trust. Vontu \ncommissioned a survey <SUP>2</SUP> of 1000 consumers in the United \nStates to better understand the effect that security of customer data \nhas on consumer trust and commerce. Some of the findings include:\n---------------------------------------------------------------------------\n    \\2\\ Vontu Consumer Trust Survey, See Appendix 1\n\n<bullet> Security drives purchasing decisions--More than 75 percent of \n        consumers said security and privacy were important in their \n        decisions from whom they purchase.\n<bullet> Consumers will speak with their wallets--Fifty percent said that they \n        would move their business to another company if they did not \n        have confidence in a company's ability to protect their \n        personal data.\n<bullet> Insider theft increases concerns about a company's data security \n        efforts--More than 50 percent of the consumers surveyed said an \n        insider breach would cause them to be more concerned about how \n        a company secures their information.\n    Clearly, financial costs and loss of consumer trust as a result of \nidentity theft are a significant problem today.\n                   identity theft policy implications\n    In order to reduce Identity Theft, there are at least three areas \nof focus for policy:\n\n1. Criminals who steal identities. This is important not only for \n        reducing Identity Theft, but other crimes and threats to \n        national security. Professor Judith Collins of Michigan State \n        University's ID Theft Crime Lab states that virtually all \n        identity thieves are involved in other felonies or terrorist \n        acts. 
The Identity Theft Penalty Enhancement Act, which became \n        law in July 2004, was a positive step in the right direction to \n        increase the penalties and provide additional tools for law \n        enforcement and the courts to punish those found guilty of \n        identity theft.\n2. Consumers who need continued education on the importance of \n        protecting their identities and as well as help if they are \n        victims. The efforts of the FTC with the ID Theft hotline, \n        privacy website and on-going educational efforts are important \n        and more can be done to raise awareness of those efforts. \n        Additionally, the FACT Act provided much needed tools for \n        consumers including free annual credit reports, the ability to \n        place fraud alerts in their credit report, and ability to more \n        easily correct inaccuracies in their credit report resulting \n        from identity theft.\n3. Organizations that store consumer data.\n\n                    RESPONSIBILITY OF ORGANIZATIONS\n    The third area, companies, government agencies and organizations \nthat store consumer data, is the one in which I have the most \nexperience and is the focus of my testimony. An important point to \nunderstand, before we can truly begin to address the problem, is that \nthese organizations are not the criminals perpetrating Identity Theft. 
\nIn fact, all of the companies that I have worked with invest \nsignificant resources and are thoroughly committed in their efforts to \nprotect consumer data.\n    However, we all recognize that organizations with consumer data are \na crucial ``link in the chain'' to prevent identity theft and the \nquestion that many people are asking is:\n          ``Are these organizations doing enough to ensure the security \n        of consumer data?''\n    To answer that question, I suggest one must first ask:\n          ``Is it clear to organizations what is expected of them to \n        best protect consumer information?''\n    Unfortunately, despite existing legislation, there is confusion \naround what is required of organizations and confusion is the enemy of \nconsumer protection.\n\n             CONFUSION IS THE ENEMY OF CONSUMER PROTECTION\n    To date, Congress has taken important steps to address consumer \ninformation protection through industry and organization specific \nregulations. For example, Section 501 (b) of Gramm Leach Bliley for \nfinancial services, PART 164--Subpart C of HIPAA for healthcare \nproviders, the Driver's Privacy Protection Act for state DMVs, the Fair \nCredit Reporting and FACT Act, and others. Additionally, many states \nare creating de facto national requirements such as California SB 1386 \nwhich requires notification in the case of a breach.\n    These different legislative acts have aspects of consumer data \nprotection yet each has tackled the problem differently based on \nindustry or state specific requirements. 
And that is where the \nbeginning of the confusion lies.\n    One important question for this committee to consider is:\n          ``What is the difference in how a bank versus a retailer \n        versus a utility provider should treat the security of a social \n        security number, and should the focus of policy be on the \n        industry or the data itself?''\n\n                NATIONAL CONSUMER DATA SECURITY STANDARD\n    I am sure everyone would agree, it is the data that matters and \nneeds to be protected across all industries. One possible solution to \nraise the level of consumer data protection is to extend existing \nindustry specific consumer data protection requirements to cover any \norganization which stores private consumer data and create a preemptive \nand unified, National Consumer Data Security Standard.\n    One alternative would be very similar to GLBA and HIPAA \n<SUP>3</SUP> in addition to a requirement for notification. The \ndifference is that it would apply to any organization that stores \nconsumer information regardless of industry or location.\n---------------------------------------------------------------------------\n    \\3\\ See attached Appendix 2 and 3\n---------------------------------------------------------------------------\n    This standard would require any organization that stores non-public \nconsumer data to:\n\n1. Ensure the security and confidentiality of consumer information. \n        This would create an affirmative obligation of the companies to \n        protect the data.\n2. Protect against any reasonably anticipated threats to the security \n        of such information. This would allow the requirements to \n        evolve as new threats emerge without new legislation.\n3. Protect against unauthorized access to or use of such information \n        that could result in substantial harm to a consumer. 
This would \n        help prevent against fraudulent efforts to gain access to the \n        data by outsiders or insiders as is the case in many recent \n        breaches.\n4. Ensure compliance with their security policies by an organization's \n        workforce and third parties who are given access to the \n        information. This would address the issue of the insider \n        threat, which was the situation in the recent Teledata case, as \n        well as concerns regarding offshoring and outsourcing;\n5. Disclose any loss of the information when it is reasonably believed \n        that such loss could result in substantial harm to a consumer. \n        This would help consumers to proactively protect themselves by \n        monitoring their credit reports, setting up fraud alerts and \n        other efforts to watch for potential issues.\n    Rule making for this legislation would exist in relevant agencies \nand I believe that the FTC has already done much of the work under the \nGLBA Safeguards Rule 16 CFR Part 314 and could apply this rule beyond \nentities covered under GLBA.\n    In addition, while these requirements serve as the proverbial \n``stick'', I suggest the Committee consider any new legislation also \nprovide a ``carrot'' as an incentive to go beyond any base \nrequirements. This ``carrot'' might provide some level of protection \nagainst excessive punitive damages for those organizations with \nqualifying security programs. This is important to help remove existing \nand valid concerns that organizations have about increased litigation \nrisk as they proactively uncover new threats with respect to consumer \ndata security. 
This is not protection against economic or reasonable \npain and suffering damages, but against excessive punitive actions when \ncompanies are clearly meeting and exceeding these requirements.\n\n                                SUMMARY\n    In summary, to reduce identity theft, policy must focus on the \ncriminals, consumers and organizations that store the data.\n    I suggest this Committee consider the idea of a preemptive, \nnational consumer data security standard that also protects \norganizations from potential excessive punitive damages when they are \nmaking best efforts to protect consumer information. The standard would \nclearly state what is required of an organization and encourage them to \nuse their best efforts to improve the protection of consumer \ninformation and help to reduce Identity Theft.\n\n                   Appendix 1: Relevant GLBA Section\n                          Gramm Leach Bliley\n                            TITLE V--PRIVACY\n        Subtitle A--Disclosure of Nonpublic Personal Information\n        Sec.  501. 
PROTECTION OF NONPUBLIC PERSONAL INFORMATION.\n    (b) FINANCIAL INSTITUTIONS SAFEGUARDS.--In furtherance of the \npolicy in subsection (a), each agency or authority described in section \n505(a) shall establish appropriate standards for the financial \ninstitutions subject to their jurisdiction relating to administrative, \ntechnical, and physical safeguards--\n\n(1) to insure the security and confidentiality of customer records and \n        information;\n(2) to protect against any anticipated threats or hazards to the \n        security or integrity of such records; and\n(3) to protect against unauthorized access to or use of such records or \n        information which could result in substantial harm or \n        inconvenience to any customer.\n\n                   Appendix 2: Relevant HIPAA Section\n                      HIPAA Security Requirements\n                     PART 164--SECURITY AND PRIVACY\nSubpart C Security Standards for the Protection of Electronic Protected \n                           Health Information\n                 Section 164.306--General requirements\n    Covered entities must do the following:\n\n(1) Ensure the confidentiality, integrity, and availability of all \n        electronic protected health information the covered entity \n        creates, receives, maintains, or transmits.\n(2) Protect against any reasonably anticipated threats or hazards to \n        the security or integrity of such information.\n(3) Protect against any reasonably anticipated uses or disclosures of \n        such information that are not permitted or required under \n        subpart E of this part.\n(4) Ensure compliance with this subpart by its workforce.\n          Attachment 1: 2003 Consumer Information Trust Survey\n     Attachment 2: Harris Interactive Database Security Highlights\n        Attachment 3: Ponemon Research on Data Security Breaches\n          Attachment 4: Vontu 2004 Data Security Trends Report\n                 2003 customer information 
trust survey\n    Those organizations that sit on the highest perch when it comes to \ncustomer trust have the farthest to fall if they lose that trust \naccording to the 2003 Customer Information Trust Survey commissioned by \nsecurity technology innovator Vontu, Inc.\n    Consumers have the greatest amount of trust that companies within \nthe health care industry have measures in place to protect personal \ninformation from identity thieves. Web retailers and retailers scored \nnear the bottom in consumer trust in a ranking of 14 major industries. \nHowever, even the companies that scored well with consumers can face \nserious financial consequences if security breaches within their \norganization lead to a loss of consumer trust. Some of the major \nfindings of the survey are:\n\n<bullet> Security is important in the purchasing decision. More than 75 \n        percent of the consumers said security and privacy was \n        important in their decisions from whom they purchase.\n<bullet> Not all security breaches are equal in the eye of the customer. More \n        than 54 percent said security breaches by insiders or \n        employees, now one of the fastest growing contributors to \n        identity theft, would have the greatest impact on their trust \n        in an organization.\n<bullet> Consumers choose with their wallets. Fifty percent said that they \n        would move their business to another company if they did not \n        have confidence in a company's ability to protect their \n        personal data.\n\n                   VONTU INFORMATION TRUST RANKINGS*\nHospital or Clinic 82%\nPharmacy 79%\nBank 78%\nCharity/Religious Org. 
78%\nAirlines 60%\nCar Rental Company 53%\nUtility 48%\nCredit Card Company 47%\nCable Company 42%\nRestaurants 42%\nHotels 41%\nWeb Retailers 41%\nRetail Stores 38%\nGrocery Store 25%\n\n    * The Vontu Information Trust Rankings rate 14 major industries \nbased on the level of trust consumers surveyed said they had that these \norganizations would protect personal information from identity theft.\n\n    Two examples of the questions from the survey are:\n    How important is privacy and security to your purchasing decision?\n<bullet> Very important 19%\n<bullet> Important 57%\n<bullet> Not important 9%\n<bullet> Unsure/No Comment 14%\n    If an insider (such as an employee of the company) stole your data \nrather than an outsider (such as a computer hacker), would it change \nyour answers to previous question about trust?\n<bullet> Yes--More concerned about insider 54%\n<bullet> Yes--Less concerned about insider 12%\n<bullet> No--No difference 17%\n<bullet> Unsure/No comment 18%\n<SUP><dbl-dagger></SUP>2003 Vontu Inc.\n\n    Mr. Stearns. I thank the gentleman. Mr. Rotenberg, welcome.\n\n                   STATEMENT OF MARC ROTENBERG\n\n    Mr. Rotenberg. Mr. Chairman, Congresswoman Schakowsky, \nmembers of the committee. Thank you so much for the opportunity \nto appear today. My name is Marc Rotenberg. I am Executive \nDirector of the Electronic Privacy Information Center. We are a \nnonpartisan research organization here in Washington, and we \nhave been before the committee before, and we thank you, Mr. \nChairman, for holding this very important hearing today.\n    With all the news reporting of the ChoicePoint matter over \nthe last several weeks, I think it is very important to keep in \nmind what actually happened here. This was not a computer hack. \nThis was not a theft. 
ChoicePoint sold this information on \nAmerican consumers to a criminal ring engaged in identity \ntheft.\n    ChoicePoint is in the business of selling personal \ninformation about American consumers, and while many other \ncompanies in the last few weeks have reported significant \nsecurity breaches, I think it is critical for the committee not \nto lose sight of what is at issue here.\n    Our organization, EPIC, wrote to the Federal Trade \nCommission in December, before any of this became public, and \nwe urged the FTC to open an investigation into ChoicePoint's \npractices. We were concerned about whether current Federal \nprivacy law, and particularly, the Fair Credit Reporting Act, \nadequately protected the privacy of American consumers. We were \nalso concerned because it became increasingly apparent to us that \nChoicePoint had developed a number of products and services \nthat seemed to us very similar to the type of information \nproducts that would otherwise be covered by the Fair Credit \nReporting Act, but ChoicePoint had, in fact, artfully found \nways to avoid Federal oversight. And so it seemed obvious to us \nthat the Federal Trade Commission would open an investigation, \nand try to determine what, in fact, was happening with the \npersonal information of American consumers.\n    I have to say, Mr. Chairman, I was very disappointed this \nmorning, when I heard the Chairwoman of the FTC say that, in \nfact, they did not open the investigation until after the \nincident was publicly reported. I don't think it can be the \ncase that the Federal Trade Commission waits until they read \nabout a matter in the morning newspaper before they pursue what \nwe believe was a very well-founded complaint that we had \npursued at the Federal Trade Commission.\n    Now, there are a number of other points that I make in my \ntestimony about the lessons that I believe we can draw from the \nChoicePoint matter. 
One of the critical concerns that I know \nyou have, sir, over the years, as we have talked about privacy \nlegislation, is the need to show that there is actual harm to \nconsumers. And I think here, with ChoicePoint, it should be \nclear that the absence of effective privacy protection leads to \nsignificant harms. In fact, the harm here, the harm of identity \ntheft, is the No. 1 crime that American consumers face, and the \ncrime is increasing, as the FTC's own reports show. Over the \nlast 5 years, the level of identity theft in this country is \nbecoming the No. 1 problem that American consumers have.\n    I think the question as to whether privacy protection is \nnecessary to prevent consumer harm has simply been answered by \nthe ChoicePoint matter. I think it is also important to \nunderstand that with ChoicePoint, unlike a lot of other \nAmerican businesses, consumers do not have a direct \nrelationship. They can't exercise market control, as they might \nwith a bank or an insurer, or somebody else who might have a \nbad privacy policy. People say about the Internet, for example, \nif you don't like a website's privacy policy, you can go \nsomewhere else. But with ChoicePoint, consumers have no such \ncontrol to go somewhere else, because they have no direct \nrelationship with that company that simply collects and sells \npersonal information about them.\n    We know already that there are problems with the adequacy \nof privacy protection, and we think particularly in this \nindustry, information brokers such as ChoicePoint have made \nclear the need for more effective privacy regulation.\n    I think it is also important to understand from the \nChoicePoint episode just how important State legislation is. 
\nNow, this has been another consideration before this committee, \nand we fully understand why it may be the case that companies \nwould prefer to have a single, uniform standard, rather than 50 \ndifferent State laws, and of course, we have had this \ndiscussion in the past. But please don't lose sight of what \nhappened here.\n    Because the State of California took the initiative, and \nsaid we are going to try a new, innovative approach, it wasn't \na comprehensive law, by the way, it was merely notification. \nThey simply told people after the fact, after the breach had \noccurred, that they might be at heightened risk of identity \ntheft, and because of that, American consumers, and consumers, \nyou know, all across the country, outside of California, who \nwere also notified, will be able to respond more effectively to \nthis threat.\n    And I think we have to keep this in mind, even a national \nnotification standard should not prevent States from coming up \nwith more innovative solutions. States may find certain ways of \nnotification, maybe by electronic means, that turn out to be \nmore effective than what can be done here in Washington. So \nthere is a strong case, following from the ChoicePoint matter, \nI believe, to avoid Federal preemption.\n    Now, I would like to say just a couple of words about the \nproposals that have been discussed this morning, and again, \nexpress a bit of concern that apparently, there has been some \nsignificant discussion between the Chair of the Federal Trade \nCommission, and the witnesses that have appeared before you, \nabout what might be done. But there has been no discussion with \nthe consumer organizations about what might be effective \nprivacy legislation to respond in this situation.\n    The Chairwoman proposes, for example, the extension of the \nGramm-Leach-Bliley security standards rule. 
Now, that is not a \nbad proposal, and we certainly wouldn't oppose it, but we think \nit is an inadequate proposal, because it simply deals with a \nsecurity matter, and as I have made clear at the outset, we \nwere talking about the routine sale of personal information on \nAmerican consumers by an information broker. So an effective \nsolution certainly must do something more than simply extend \nthe security standard rule.\n    In similar fashion, we think the California notification \nlaw provides a good basis to notify consumers after the fact \nwhen a breach has occurred, and without preemption, we think \nthat would be a sensible thing for the committee to support, \nbut what we really believe needs to be done at this point is \nlegislation that brings this industry within some type of \nFederal control, accountability, oversight, that will safeguard \nAmerican consumers.\n    We think the legislation that Mr. Markey has introduced is \na very sensible starting point, and we have made some \nproposals, in fact, about how that can be strengthened. We \nthink it is important that the Federal Trade Commission take a \nproactive stand on these issues. It is not sufficient to create \na circumstance where there may be privacy violations, and the \nFTC can effectively sit on that fact, and not provide the type \nof assurance that would be necessary to safeguard American \nconsumers.\n    So in conclusion, Mr. Chairman, I thank you again for \nholding this hearing. It is extremely important, for the \n150,000 American consumers who are today at a heightened risk \nof identity theft, that the Congress act swiftly and \neffectively to make sure that we have no future incidents like \nthe one that has occurred recently.\n    [The prepared statement of Marc Rotenberg follows:]\n         Prepared Statement of Marc Rotenberg, President, EPIC\n    Mr. Chairman, and members of the Committee, thank you for the \nopportunity to appear before you today. 
My name is Marc Rotenberg and I \nam Executive Director and President of the Electronic Privacy \nInformation Center in Washington, DC. EPIC is a non-partisan public \ninterest research organization established in 1994 to focus public \nattention on emerging civil liberties issues. We are very pleased that \nyou have convened this hearing today on protecting consumers' data and \nthe policy issues raised by Choicepoint.\n    In my statement today, I will summarize the significance of the \nChoicepoint matter, discuss EPIC's efforts to bring public attention to \nthe problem before the incident was known, suggest several lessons that \ncan be drawn from this matter, and then make several specific \nrecommendations.<SUP>1</SUP>\n---------------------------------------------------------------------------\n    \\1\\ Many other organizations have also played a critical role in \ndrawing attention to the growing problem of identity theft. These \ninclude Consumers Union, the Identity Theft Resource Center, Privacy \nInternational, the Privacy Rights Clearinghouse, the Privacy Times, the \nUS Public Interest Research Group, and the World Privacy Forum.\n---------------------------------------------------------------------------\n    The main point of my testimony today is to make clear the \nextraordinary urgency of addressing the unregulated sale of personal \ninformation in the United States and how the data broker industry is \ncontributing to the growing risk of identity theft in the United \nStates. Whatever your views may be on the best general approach to \nprivacy protection, Choicepoint has made clear the need to regulate the \ninformation broker industry.\n\n               THE SIGNIFICANCE OF THE CHOICEPOINT MATTER\n    With all the news reporting of the last several weeks, it has often \nbeen difficult to tell exactly how a criminal ring engaged in identity \ntheft obtained the records of at least 145,000 Americans. 
According to \nsome reports, there was a computer ``break-in.'' Others described it as \n``theft.'' <SUP>2</SUP> In fact, Choicepoint simply sold the \ninformation. <SUP>3</SUP> This is Choicepoint's business and it is the \nbusiness of other companies that are based primarily on the collection \nand sale of detailed information on American consumers. In this most \nrecent case, the consequences of the sale were severe.\n---------------------------------------------------------------------------\n    \\2\\ Associated Press, ``ChoicePoint hacking attack may have \naffected 400,000,'' Feb. 17, 2005, available at http://www.ledger-\nenquirer.com/mld/ledgerenquirer/news/local/10920220.htm.\n    \\3\\ Robert O'Harrow Jr., ``ID Theft Scam Hits D.C. Area \nResidents,'' Washington Post, Feb. 21, 2005, at A01.\n---------------------------------------------------------------------------\n    According to California police, at least 750 people have already \nsuffered financial harm. <SUP>4</SUP> Investigators believe data on at \nleast 400,000 individuals may have been compromised.<SUP>5</SUP> \nSignificantly, this was not an isolated incident. Although Choicepoint \nCEO Derek Smith said that the recent sale was the first of its kind, \nsubsequent reports revealed that Choicepoint also sold similar \ninformation on 7,000 people to identity thieves in 2002 with losses \nover $1 million.<SUP>6</SUP> And no doubt, there may have been many \ndisclosures before the California notification law went into effect as \nwell as more recent disclosures of which we are not yet aware.\n---------------------------------------------------------------------------\n    \\4\\ Bob Sullivan, ``Data theft affects 145,000 nationwide,'' MSNBC, \nFeb. 18, 2005, available at http://www.msnbc.msn.com/id/6979897/.\n    \\5\\ Associated Press, ``ChoicePoint hacking attack may have \naffected 400,000,'' Feb. 
17, 2005, available at http://www.ledger-\nenquirer.com/mld/ledgerenquirer/news/local/10920220.htm.\n    \\6\\ David Colker and Joseph Menn, ``ChoicePoint CEO Had Denied Any \nPrevious Breach of Database,'' Los Angeles Times, March 3, 2005, at \nA01.\n---------------------------------------------------------------------------\n    The consumer harm that results from the wrongful disclosure of \npersonal information is very clear. According to the Federal Trade \nCommission, last year 10 million Americans were affected by identity \ntheft. Identity theft is the number one crime in the country. For the \nfifth year in a row, identity theft topped the list of complaints, \naccounting for 39 percent of the 635,173 consumer fraud complaints \nfiled with the agency last year.<SUP>7</SUP> And there is every \nindication that the level of this crime is increasing.\n---------------------------------------------------------------------------\n    \\7\\ Federal Trade Commission, ``FTC Releases Top 10 Consumer \nComplaint Categories for 2004,'' (Feb. 1, 2005), available at http://\nwww.ftc.gov/opa/2005/02/top102005.htm.\n---------------------------------------------------------------------------\n    Choicepoint is not the only company that has improperly disclosed \npersonal information on Americans. Bank of America misplaced back-up \ntapes containing detailed financial information on 1.2 million \nemployees in the federal government, including many members of \nCongress.<SUP>8</SUP> Lexis-Nexis made available records from its \nSeisint division on 32,000 Americans to a criminal ring that exploited \npasswords of legitimate account holders.<SUP>9</SUP> DSW, a shoe \ncompany, announced that 103 of its 175 stores had customers' credit and \ndebit card information improperly accessed.<SUP>10</SUP>\n---------------------------------------------------------------------------\n    \\8\\ Robert Lemos, ``Bank of America loses a million customer \nrecords,'' CNet News.com, Feb. 
25, 2005, available at http://\nearthlink.com.com/Bank+of+America+loses+a+million+customer+\nrecords/2100-1029_3-5590989.html?tag=st.rc.targ_mb.\n    \\9\\ Jonathan Krim and Robert O'Harrow, Jr., ``LexisNexis Reports \nTheft of Personal Data,'' Washingtonpost.com, March 9, 2005, available \nat http://www.washingtonpost.com/ac2/wp-dyn/A19982-\n2005Mar9?language=printer.\n    \\10\\ Associated Press, ``Credit Information Stolen From DSW \nStores,'' March 9, 2005, available at http://abcnews.go.com/Business/\nwireStory?id=563932&CMP=OTC-RSSFeeds0312.\n---------------------------------------------------------------------------\n    But there are factors that set Choicepoint apart and make clear the \nneed for legislation for the information broker industry. First, \nChoicepoint is the largest information broker in the United States. The \ncompany has amassed more than 19 billion records and has acquired a \nlarge number of smaller companies that obtain everything from criminal \nhistory records and insurance claims to DNA databases. The private \nsector and increasingly government rely on the data provided by \nChoicepoint to determine whether Americans get home loans, are hired \nfor jobs, obtain insurance, pass background checks, and qualify for \ngovernment contracts.\n    Choicepoint has become the true invisible hand of the information \neconomy. Its ability to determine the opportunities for American \nworkers, consumers, and voters is without parallel.\n    Second, the Choicepoint databases are notoriously inaccurate. A \nrecent article in MSNBC, ``Choicepoint files found riddled with \nerrors,'' recounts the extraordinary errors in just one Choicepoint \nreport that was provided to a privacy expert.<SUP>11</SUP> Among the \nstatements in the 20-page National Comprehensive Report was an \ninaccurate entry that described ``possible Texas criminal history'' and \na recommendation for a follow-up search. 
The report listed an ex-\nboyfriend's address, even though she had never lived with the fellow. \nAs MSNBC reporter Bob Sullivan writes, ``The report also listed three \nautomobiles she never owned and three companies listed that she never \nowned or worked for.''\n---------------------------------------------------------------------------\n    \\11\\ Bob Sullivan, ``ChoicePoint files found riddled with errors \nData broker offers no easy way to fix mistakes, either,'' MSNBC, March \n8, 2005, available at http://www.msnbc.msn.com/id/7118767/.\n---------------------------------------------------------------------------\n    The report on the document provided to Deborah Pierce is very \nsimilar to an earlier report described by another privacy expert \nRichard Smith, ``who paid a $20 fee and received a similar report from \nChoicepoint several years ago. The company offers a wide variety of \nreports on individuals; Smith purchased a commercial version that's \nsold to curious consumers. Smith's dossier had the same kind of errors \nthat Pierce reported. His file also suggested a manual search of Texas \ncourt records was required, and listed him as connected to 30 \nbusinesses that he knew nothing about.''\n    Third, Choicepoint and other information brokers have spent a great \ndeal of time and money trying to block effective privacy legislation in \nCongress. According to disclosure forms filed with the U.S. House and \nSenate, obtained by the Wall Street Journal, Choicepoint and six of the \ncountry's other largest sellers of private consumer data spent at least \n$2.4 million last year to lobby members of Congress and a variety of \nfederal agencies. 
The Journal reports that, ``Choicepoint was the \nbiggest spender, with $970,000 either paid to outside lobbyists or \nspent directly by the company.'' <SUP>12</SUP>\n---------------------------------------------------------------------------\n    \\12\\ Evan Perez and Rick Brooks, ``Data Providers Lobby to Block \nMore Oversight,'' Wall Street Journal, March 4, 2005, at B1.\n---------------------------------------------------------------------------\n    This improper disclosure and use of personal information is \ncontributing to identity theft, which is today the number one crime in \nthe United States. According to a 2003 survey by the Federal Trade \nCommission, over a one-year period nearly 5% of the adult population \nwere victims of some form of identity theft.<SUP>13</SUP>\n---------------------------------------------------------------------------\n    \\13\\ Federal Trade Commission, ``Identity Theft Survey Report'' \n(Sept. 2003), available at http://www.ftc.gov/os/2003/09/\nsynovatereport.pdf.\n---------------------------------------------------------------------------\n\n     EPIC'S EFFORTS TO BRING PUBLIC ATTENTION TO THE PROBLEMS WITH \n                              CHOICEPOINT\n    Well before the recent news of the Choicepoint debacle became \npublic, EPIC had been pursuing the company and had written to the FTC \nto express deep concern about its business practices and its ability to \nflout the law. 
On December 16, 2004, EPIC urged the Federal Trade \nCommission to investigate Choicepoint and other data brokers for \ncompliance with the Fair Credit Reporting Act (FCRA), the federal \nprivacy law that helps insure that personal financial information is \nnot used improperly.<SUP>14</SUP> The EPIC letter said that Choicepoint \nand its clients had performed an end-run around the FCRA and was \nselling personal information to law enforcement agencies, private \ninvestigators, and businesses without adequate privacy protection.\n---------------------------------------------------------------------------\n    \\14\\ Letter from Chris Jay Hoofnagle, Associate Director, EPIC, and \nDaniel J. Solove, Associate Professor, George Washington University Law \nSchool, to Federal Trade Commission, Dec. 16, 2004, available at http:/\n/www.epic.org/privacy/choicepoint/fcraltr12.16.04.html.\n---------------------------------------------------------------------------\n    Choicepoint wrote back to us to say, in effect, that there was no \nproblem. The company claimed to fully comply with FCRA and that the \nquestion of whether FCRA, or other federal privacy laws, should apply \nto all of its products was simply a policy judgment. It made this claim \nat the same time it was spending several million dollars over the last \nfew years to block the further expansion of the FCRA.\n    Mr. Chairman, hindsight may be 20-20, but it is remarkable to us \nthat Choicepoint had the audacity to write such a letter when it \nalready knew that state investigators had uncovered the fact that the \ncompany had sold information on American consumers to an identity theft \nring. 
They were accusing us of inaccuracy at the same time that state \nand federal prosecutors knew that Choicepoint, a company that offered \nservices for business credentialing, had exposed more than a hundred \nthousand Americans to a heightened risk of identity theft because it \nsold data to crooks.\n    But the problems with Choicepoint long preceded this recent \nepisode. Thanks to Freedom of Information Act requests relentlessly \npursued by EPIC's Senior Counsel Chris Hoofnagle, we have obtained over \nthe last several years extraordinary documentation of Choicepoint's \ngrowing ties to federal agencies and the increasing concerns about the \naccuracy and legality of these products.<SUP>15</SUP> So far, EPIC has \nobtained FOIA documents from nine different agencies concerning \nChoicepoint. Much of the material is available on our web site at \nhttp://www.epic.org/privacy/Choicepoint. One document from the Department \nof Justice, dated December 13, 2002, discusses a ``Report of \nInvestigation and Misconduct Allegations . . . Concerning Unauthorized \nDisclosure of Information.'' <SUP>16</SUP> There are documents from the \nIRS that describe how the agency would mirror huge amounts of personal \ninformation on IRS computers so that Choicepoint could perform \ninvestigations.<SUP>17</SUP> Several documents describe Choicepoint's \nsole source contracts with such agencies as the United States Marshals \nService and the FBI.<SUP>18</SUP>\n---------------------------------------------------------------------------\n    \\15\\ EPIC v. Dep't of Justice et al., No. 
1:02cv0063 (CKK)(D.D.C.).\n    \\16\\ Available at http://www.epic.org/privacy/choicepoint/\ndefault.html.\n    \\17\\ Id.\n    \\18\\ Id.\n---------------------------------------------------------------------------\n    Among the most significant documents obtained by EPIC were those \nfrom the Department of State, which revealed the growing conflicts \nbetween the United States and foreign governments that resulted from \nthe efforts of Choicepoint to buy data on citizens across Latin America \nfor use by the US federal law enforcement agencies.<SUP>19</SUP> One \ndocument lists news articles that were collected by the agency to track \noutrage in Mexico and other countries over the sale of personal \ninformation by Choicepoint.<SUP>20</SUP> A second document contains a \ncable from the American Embassy in Mexico to several different \ngovernment agencies warning that a ``potential firestorm may be brewing \nas a result of the sale of personal information by \nChoicepoint.''<SUP>21</SUP> A third set of documents describes public \nrelations strategies for the American Embassy to counter public anger \nsurrounding the release of personal information of Latin Americans to \nChoicepoint.<SUP>22</SUP>\n---------------------------------------------------------------------------\n    \\19\\ Available at http://www.epic.org/privacy/choicepoint/\ndefault.html.\n    \\20\\ Id.\n    \\21\\ Id.\n    \\22\\ Id.\n---------------------------------------------------------------------------\n    Choicepoint's activities have fueled opposition to the United \nStates overseas and raised the alarming prospect that our country \ncondones the violation of privacy laws of other \ngovernments.<SUP>23</SUP> As USA Today reported on September 1, 2003:\n---------------------------------------------------------------------------\n    \\23\\ EPIC and Privacy International, Privacy and Human Rights: An \nInternational Survey of Privacy Laws and Developments 123-24, 182, 493 \n(2004) (Public 
Records, Argentina country report, Mexico country \nreport)\n---------------------------------------------------------------------------\n          After the Mexican government complained that its federal \n        voter rolls were the source, and were likely obtained illegally \n        by a Mexican company that sold them to Choicepoint, the \n        suburban Atlanta company cut off access to that information.\n          In June, ChoicePoint wiped its hard drives of Mexicans' home \n        addresses, passport numbers and even unlisted phone numbers. \n        The company also backed out of Costa Rica and Argentina.\n          ChoicePoint had been collecting personal information on \n        residents of 10 Latin American countries--apparently without \n        their consent or knowledge--allowing three dozen U.S. agencies \n        to use it to track and arrest suspects inside and outside the \n        United States.<SUP>24</SUP>\n---------------------------------------------------------------------------\n    \\24\\ Associated Press, ``Vendor sells Latin American citizen data \nto U.S.,'' Sept. 1, 2003, available at http://www.usatoday.com/tech/\nnews/techpolicy/2003-09-01-choicepoint_x.htm.\n---------------------------------------------------------------------------\n          The revelations helped kindle privacy movements in at least \n        six countries where the company operates. Government officials \n        have ordered--or threatened--inquiries into the data sales, \n        saying ChoicePoint and the U.S. government violated national \n        sovereignty.\n\n                         LESSONS OF CHOICEPOINT\n    The Choicepoint incident provides many important lessons for the \nCongress as it considers how best to safeguard consumer privacy in the \ninformation age.\n    First, it should be clear now that privacy harms have real \nfinancial consequences. 
In considering privacy legislation in the past, \nCongress has often been reluctant to recognize the actual economic harm \nthat consumers suffer when their personal information is misused, when \ninaccurate information leads to the loss of a loan, a job, or \ninsurance. Consumers suffer harms both from information that is used \nfor fraud and inaccurate information that leads to lost opportunities \nthrough no fault of the individual.\n    A clear example of how the company has contributed to the growing \nproblem of identity theft may be found in Choicepoint's subscriber \nagreement for access to AutoTrackXP, a detailed dossier of individuals' \npersonal information. A sample AutoTrackXP report on the ChoicePoint \nweb site shows that it contains Social Security Numbers; driver license \nnumbers; address history; phone numbers; property ownership and \ntransfer records; vehicle, boat, and plane registrations; UCC filings; \nfinancial information such as bankruptcies, liens, and judgments; \nprofessional licenses; business affiliations; ``other people who have \nused the same address of the subject,'' ``possible licensed drivers at \nthe subject's address,'' and information about the data subject's \nrelatives and neighbors.<SUP>25</SUP> This sensitive information is \navailable to a wide array of companies that do not need to articulate a \nspecific need for personal information each time a report is purchased. 
\nChoicepoint's subscriber agreement shows that the company allows access \nto the following businesses: attorneys, law offices, investigations, \nbanking, financial, retail, wholesale, insurance, human resources, \nsecurity companies, process servers, news media, bail bonds, and if \nthat isn't enough, Choicepoint also includes ``other.''\n---------------------------------------------------------------------------\n    \\25\\ ChoicePoint, AutoTrackXP Report, http://www.choicepoint.com/\nsample_rpts/AutoTrack\nXP.pdf.\n---------------------------------------------------------------------------\n    Second, it should be clear that market-based solutions fail utterly \nwhen there is no direct relationship between the consumer and the \ncompany that proposed to collect and sell information on the consumer. \nWhile we continue to believe that privacy legislation is also \nappropriate for routine business transactions, it should be obvious to \neven those that favor market-based solutions that this approach simply \ndoes not work where the consumer exercises no market control over the \ncollection and use of their personal information. As computer security \nexpert Bruce Schneier has noted, ``ChoicePoint doesn't bear the costs \nof identity theft, so ChoicePoint doesn't take those costs into account \nwhen figuring out how much money to spend on data security.'' \n<SUP>26</SUP> This argues strongly for regulation of the information \nbroker industry.\n---------------------------------------------------------------------------\n    \\26\\ ``Schneier on Security: Choicepoint'' available at http://\nwww.schneier.com/blog/archives/2005/02/choicepoint.html.\n---------------------------------------------------------------------------\n    Third, there are clearly problems with both the adequacy of \nprotection under current federal law and the fact that many information \nproducts escape any kind privacy rules. 
Choicepoint has done a \nremarkable job of creating detailed profiles on American consumers that \nthey believe are not subject to federal law. Products such as \nAutoTrackXP are as detailed as credit reports and have as much impact \non opportunities in the marketplace for consumers as credit reports, \nyet Choicepoint has argued that they should not be subject to FCRA. \nEven their recent proposal to withdraw the sale of this information is \nnot reassuring. They have left a significant loophole that will allow \nthem to sell the data if they believe there is a consumer \nbenefit.<SUP>27</SUP>\n---------------------------------------------------------------------------\n    \\27\\ Aleksandra Todorova, ``ChoicePoint to Restrict Sale of \nPersonal Data,'' Smartmoney.com, March 4, 2005, available at http://\nwww.smartmoney.com/bn/index.cfm?story=20050304015004.\n---------------------------------------------------------------------------\n    But even where legal coverage exists, there is insufficient \nenforcement, consumers find it difficult to exercise their rights, and \nthe auditing is non-existent. According to EPIC's research, there is no \nindication that commercial data brokers audit their users and refer \nwrongdoers for prosecution. In other words, in the case where a \nlegitimate company obtains personal information, there is no publicly \navailable evidence that Choicepoint has any interest in whether that \ninformation is subsequently used for illegitimate purposes.\n    Law enforcement, which has developed increasingly close ties to \ninformation brokers such as Choicepoint seems to fall entirely outside \nof any auditing procedures. This is particularly troubling since even \nthose reports that recommend greater law enforcement use of private \nsector databases for public safety recognize the importance of auditing \nto prevent abuse.<SUP>28</SUP>\n---------------------------------------------------------------------------\n    \\28\\ See Chris J. 
Hoofnagle, ``Big Brother's Little Helpers: How \nChoicepoint and Other Commercial Data Brokers Collect, Process, and \nPackage Your Data for Law Enforcement,'' University of North Carolina \nJournal of International Law & Commercial Regulation (Summer 2004), \navailable at http://ssrn.com/abstract=582302.\n---------------------------------------------------------------------------\n    And of course there are ongoing concerns about the broad \npermissible purposes under the FCRA, the use of credit header \ninformation to build detailed profiles, and the difficulty that \nconsumers continue to face in trying to obtain free credit reports that \nthey are entitled to under the FACTA.\n    Fourth, we believe this episode also demonstrates the failure of \nthe FTC to aggressively pursue privacy protection. We have repeatedly \nurged the FTC to look into these matters. On some occasions, the \nFTC has acted.<SUP>29</SUP> But too often the Commission has ignored \nprivacy problems that are impacting consumer privacy and producing a \nloss of trust and confidence in the electronic marketplace. In the late \n1990s, the FTC promoted self-regulation for the information broker \nindustry and allowed a weak set of principles promulgated as the \nIndividual References Service Group to take the place of effective \nlegislation. It may well be that the Choicepoint fiasco could have been \navoided if the Commission chose a different path when it considered the \npractices of the information broker industry.\n---------------------------------------------------------------------------\n    \\29\\ See FTC's investigation into Microsoft's Passport program. \nDocumentation available at http://www.epic.org/privacy/consumer/\nmicrosoft/passport.html.\n---------------------------------------------------------------------------\n    The FTC has also failed to pursue claims that it could under \nsection 5 of the FTC Act that prohibits unfair practices. 
Practices are \nunfair if they cause or are likely to cause consumers substantial \ninjury that is neither reasonably avoidable by consumers nor offset by \ncountervailing benefits to consumers and competition.<SUP>30</SUP> It \nmay be that the unfairness doctrine could be applied in cases where \nthere is no direct relationship between the consumer and the company, \nbut to date the FTC has failed to do this.<SUP>31</SUP>\n---------------------------------------------------------------------------\n    \\30\\ 15 U.S.C. 45(n); Letter from Michael Pertschuk, FTC Chairman, \nand Paul Rand Dixon, FTC Commissioner, to Wendell H. Ford, Chairman, \nHouse Commerce Subcommittee on Commerce, Science, and Transportation \n(Dec. 17, 1980), at http://www.ftc.gov/bcp/policystmt/ad-unfair.htm.\n    \\31\\ In FTC v. Rapp, the ``Touch Tone'' case, the FTC pursued \nprivate investigators engaged in ``pretexting,'' a practice where an \nindividual requests personal information about others under false \npretenses. No. 99-WM-783 (D. Colo. 2000), 2000 U.S. Dist. LEXIS 20627. \nIn a typical scheme, the investigator will call a bank with another's \nSocial Security Number, claim that he has forgotten his bank balances, \nand request that the information be given over the phone. The FTC \nalleged that this practice of the defendants was deceptive and unfair. \nIt was deceptive because the defendants deceived the bank in providing \nthe personal information of another. The practice was unfair in that it \noccurs without the knowledge or consent of the individual, and it is \nunreasonably difficult to avoid being victimized by the practice.\n---------------------------------------------------------------------------\n    Fifth, we believe the Choicepoint episode makes clear the \nimportance of state-based approaches to privacy protection. 
Congress \nsimply should not pass laws that tie the hands of state legislators and \nprevent the development of innovative solutions that respond to \nemerging privacy concerns. Many states are today seeking to establish \nstrong notification procedures to ensure that their residents are \nentitled to at least the same level of protection as was provided by \nCalifornia.<SUP>32</SUP>\n---------------------------------------------------------------------------\n    \\32\\ ``Choicepoint Incident Prompts State Lawmakers to Offer Data \nNotification Bills,'' 10 BNA Electronic Commerce & Law Report 217-18 \n(March 9, 2005).\n---------------------------------------------------------------------------\n    In this particular case, the California notification statute helped \nensure that consumers would at least be notified that they are at risk \nof heightened identity theft. This idea makes so much sense that 38 \nattorneys general wrote to Choicepoint to say that their residents \nshould also be notified if their personal information was wrongly \ndisclosed.<SUP>33</SUP> Choicepoint could not object. It was an obvious \nsolution.\n---------------------------------------------------------------------------\n    \\33\\ Associated Press, ``38 AGs send open letter to ChoicePoint,'' \navailable at http://www.usatoday.com/tech/news/computersecurity/infotheft/2005-02-19-ag-letter-to-choicepoint_x.htm.\n---------------------------------------------------------------------------\n    Finally, there is still a lot we do not know about the Choicepoint \ncompany. This firm has expanded so rapidly and acquired so many \ncompanies in the last few years, it is very difficult to assess how \nmuch information it actually has on Americans. As a starting point for \nfurther work by the Committee, I would urge you and Committee Staff to \nobtain your own Choicepoint records in the AutoTrackXP service as well \nas the National Comprehensive Report. 
This is the information about you \nthat Choicepoint sells to strangers. If you want to understand the \nserious problem of record accuracy, this is one good place to start.\n\n                            RECOMMENDATIONS\n    Clearly, there is a need for Congress to act. Although Choicepoint \nhas taken some steps to address public concerns, it continues to take \nthe position that it is free to sell personal information on American \nconsumers to whomever it wishes where Choicepoint, and not the \nconsumer, believes there is a ``consumer-driven benefit or transaction.'' \n<SUP>34</SUP> Moreover, the company remains free to change its policies \nat some point in the future, and the steps taken to date do not address \nthe larger concerns across the information broker industry.\n---------------------------------------------------------------------------\n    \\34\\ ``Choicepoint Halts Sale of Sensitive Information, as Agencies \nLaunch Probes,'' 10 BNA Electronic Commerce and Law Report 219 (March \n9, 2005).\n---------------------------------------------------------------------------\n    Modest proposals such as the extension of the Gramm-Leach-Bliley \nAct's Security Safeguards Rule are unlikely to prevent future \nChoicepoint debacles. The Safeguards Rule merely requires that \nfinancial institutions have reasonable policies and procedures to \nensure the security and confidentiality of customer information. Recall \nthat the disclosure by Choicepoint did not result from a ``hack'' or a \n``theft'' but from a routine sale. Moreover, the Security Safeguards \nRule will do nothing to give consumers greater control over the \ntransfer of their personal information to third parties or to promote \nrecord accuracy.\n    Extending notification statutes such as the California bill would \nbe a sensible step, but this is only a partial answer. Notification only \naddresses the problem once the disclosure has occurred. 
The goal should \nbe to minimize the likelihood of future disclosure. It is also \nimportant to ensure that any federal notification bill is at least as \ngood as the California state bill and leaves the states the freedom to \ndevelop stronger and more effective measures. What happens, for example, \nwhen, at some point in the future, we must contend with the \nextraordinary privacy problems that will result from the disclosure of \npersonal information contained in a database built on biometric \nidentifiers?\n    At this time, legislation such as the Information Protection and \nSecurity Act, H.R. 1080, provides a good starting point to safeguard \nconsumer privacy and reduce the growing threat of identity theft. It \nwould allow the FTC to develop fair information practices for data \nbrokers; violators would be subject to civil penalties. Enforcement \nauthority would be given to the FTC and state attorneys general. \nConsumers would be able to pursue a private right of action, albeit a \nmodest one. And states would be free to develop stronger measures if \nthey chose.\n    But a stronger measure would establish by statute these same \nauthorities and impose stricter reporting requirements on the \ninformation broker industry. It would include a liquidated damages \nprovision that sets a floor, not a limit, on damages when a violation \noccurs, as is found in other privacy laws. It is even conceivable that \nCongress could mandate that information brokers provide to consumers \nthe same information that they propose to sell to a third party prior \nto the sale. This would make consent meaningful. It would promote \nrecord accuracy. 
And it would allow the consumer to determine for \nhimself or herself whether in fact the transaction will provide a \n``consumer-driven benefit.'' Proposals for credit report ``freeze'' \nlegislation that allow consumers to determine when it is in their \nbenefit to release personal credit information provide a good parallel \nfor strong legislation in the data broker field.\n    Furthermore, to the extent that information brokers, such as \nChoicepoint, routinely sell data to law enforcement and other federal \nagencies, they should be subject to the federal Privacy Act. A \n``privatized intelligence service,'' as Washington Post reporter Robert \nO'Harrow has aptly described the company, Choicepoint should not be \npermitted to flout the legal rules that help ensure accuracy, \naccountability, and due process in the use of personal information by \nfederal agencies.<SUP>35</SUP>\n---------------------------------------------------------------------------\n    \\35\\ Robert O'Harrow, No Place to Hide: Behind the Scenes of Our \nEmerging Surveillance Society (Free Press 2005).\n---------------------------------------------------------------------------\n    Also, a very good framework has been put forward by Professor \nDaniel Solove and EPIC's Chris Hoofnagle.<SUP>36</SUP> This approach is \nsimilar to other frameworks that attempt to articulate Fair Information \nPractices in the collection and use of personal information. But Solove \nand Hoofnagle make a further point that is particularly important in \nthe context of this hearing today on Choicepoint. Increasingly, the \npersonal information made available through public records to enable \noversight of government records has been transformed into a privatized \ncommodity that does little to further government oversight but does \nmuch to undermine the freedom of Americans. 
While EPIC continues to \nfavor strong open government laws, it is clearly the case that open \ngovernment interests are not served when the government compels the \nproduction of personal information, sells the information to private \ndata vendors, who then make detailed profiles available to strangers. \nThis is a perversion of the purpose of public records.\n---------------------------------------------------------------------------\n    \\36\\ Daniel Solove and Chris Jay Hoofnagle, ``A Model Regime of \nPrivacy Protection,'' March 8, 2005, available at http://\npapers.ssrn.com/sol3/papers.cfm?abstract_id=681902.\n---------------------------------------------------------------------------\n    Looking ahead, there is a very real risk that the consequences of \nimproper data use and data disclosure are likely to accelerate in the \nyears ahead. One has only to look at the sharp increase in identity \ntheft documented by the Federal Trade Commission, consider the \nextraordinary rate of data aggregation in new digital environments, as \nwell as the enormous efforts of the federal government to build ever \nmore elaborate databases to realize that the risk to personal privacy \nis increasing rapidly. Congress can continue to deal with these \nchallenges in piecemeal fashion, but it seems that the time has come to \nestablish a formal government commission charged with the development \nof long-term solutions to the threats associated with the loss of \nprivacy. Such a commission should be established with the clear goal of \nmaking specific proposals. It should include a wide range of experts \nand advocates. And it should not merely be tasked with trying to \ndevelop privacy safeguards to counter many of the government's new \nsurveillance proposals. Instead, it should focus squarely on the \nproblem of safeguarding privacy.\n    Congress needs to establish a comprehensive framework to safeguard \nthe right of privacy in the twenty-first century. 
With identity theft \nalready the number one crime, and the recent spate of disclosures, any \nfurther delay could come at enormous cost to American consumers and the \nAmerican economy.\n    Finally, Mr. Chairman, there are several practical questions left \nopen by the Choicepoint matter. First, as we said to the FTC in \nDecember, Choicepoint has done a poor job tracking the use of personal \ninformation on American consumers that it routinely sells to strangers. \nNow is the time for Choicepoint to go back to its audit logs and \ndetermine what the legal basis was for selling the information that was \nprovided to the identity theft ring. In fact, we believe that \nChoicepoint should be required to review all of its audit logs for the \npast year and report to this committee on whether it has uncovered any \nother instance of breaches within the company. Just as heads of \nfinancial companies are now required to vouch for the accuracy of their \nfinancial statements, the heads of the information broker companies \nshould be required to make an annual representation to the public that \nthey have reviewed the audit logs of their companies and are assured \nthat the information they have disclosed has only been used for lawful \npurposes.\n    Second, there is the question of what Choicepoint intends to do \nwith the money that it received from the sale of personal information \nto an identity theft ring. How can Choicepoint possibly keep the funds \nfrom those transactions? In a letter that EPIC sent to Choicepoint COO \nDouglas Curling, we urged the company to ``disgorge the funds that you \nobtained from the sale of the data and make these funds available to \nthe individuals who will suffer from identity theft as a result of this \ndisclosure.'' Since Mr. 
Smith, the company's President, is at the \nhearing today, perhaps he can explain what Choicepoint will do with the \nfunds.\n    Third, Choicepoint has still not provided to the victims of the \nnegligent sale the same information that it disclosed to the identity \nthieves. At the very least, we think the company should give people the \nsame records it sold to the crooks.\n\n                               CONCLUSION\n    For many years, privacy laws came up either because of the efforts \nof a forward-looking Congress or the tragic experience of a few \nindividuals. Now we are entering a new era. Privacy is no longer \ntheoretical. It is no longer about the video records of a federal judge \nor the driver registry information of a young actress. Today privacy \nviolations affect hundreds of thousands of Americans all across the \ncountry. The harm is real and the consequences are devastating.\n    Whatever one's view may be of the best general approach to privacy \nprotection, there is no meaningful way that market-based solutions can \nprotect the privacy of American consumers when consumers have no direct \ndealings with the companies that collect and sell their personal \ninformation. There is too much secrecy, too little accountability, and \ntoo much risk of far-reaching economic damage. The Choicepoint debacle \nhas made this clear.\n    The Committee may not be able to solve every privacy problem, but I \nurge you today to focus on the information broker industry and to pass \nlegislation such as the Information Protection and Security Act. The \ninformation broker industry has been flying under the radar for too \nlong.\n    I appreciate the opportunity to be here today. I will be pleased to \nanswer your questions.\n\n                               REFERENCES\n    EPIC Choicepoint Page, available at http://www.epic.org/privacy/\nchoicepoint/\n\n    Mr. Stearns. I thank the gentleman, and I will start the \nquestions. Just the two of us. Mr. 
Rotenberg, I think you are \nsaying that ChoicePoint, in your opinion, violated the Fair \nCredit Reporting Act. Is that true?\n    Mr. Rotenberg. Well, it is not clear to us, sir, at this \npoint, if we can say that, because we don't know exactly what \ntype of information was disclosed, and if it was subject to the \nFair Credit Reporting Act.\n    Mr. Stearns. But you are saying that, you know, that you \nthought the products and service they are providing, they \nprovided something so they wouldn't have to comply, so they \njust tweaked a bit, tailored a bit, so that they could avoid \noversight that you feel is critical to the consumer, and would \nhave the applicability of the Fair Credit Reporting Act.\n    Mr. Rotenberg. Yes.\n    Mr. Stearns. So you are sort of--you are suggesting that \nthey did this so that they wouldn't have to comply, so the \nquestion is, you can't really say whether they violated it at \nthis point, only because you don't know--you are asking the FTC \nto tell us, right?\n    Mr. Rotenberg. Right.\n    Mr. Stearns. Yes.\n    Mr. Rotenberg. Well, we did say in our letter that we \nbelieve that a particular product, the AutoTrack XP product, \nwhich contains a great deal of detailed personal information on \nAmerican consumers, much like a credit report does, should be \nsubject to rules like the Fair Credit Reporting Act. Now, \nChoicePoint has taken the position that that product is not \nsubject to the Fair Credit Reporting Act.\n    Mr. Stearns. It is called Auto----\n    Mr. Rotenberg. AutoTrack XP.\n    Mr. Stearns. XP. Gee, I don't think many people, Members of \nCongress----\n    Mr. Rotenberg. No, I don't think so.\n    Mr. Stearns. [continuing] know anything about the \nAutoTrack--so it is pretty much like a consumer report.\n    Mr. Rotenberg. Yes, that is our view.\n    Mr. Stearns. Yeah, and they are--they don't think it is.\n    Mr. Rotenberg. No. 
In fact, we had an exchange of letters \nwith them when we filed our complaint at the Federal Trade \nCommission, I heard from Mr. Curling, who is their Chief \nOperating Officer, and he said that their company had simply \ntaken the position that this product was not subject to the \nFCRA. He----\n    Mr. Stearns. Is the AutoTrack XP, still--are they still \ndoing it? Is ChoicePoint----\n    Mr. Rotenberg. This is the interesting question that is \nraised by the hearing today, because Mr. Smith suggested that \nChoicePoint was withdrawing from the non-FCRA products.\n    Mr. Stearns. Okay. So doesn't----\n    Mr. Rotenberg. But then, he left----\n    Mr. Stearns. [continuing] the withdrawal now, that \nattention has been called.\n    Mr. Rotenberg. That is right. But he left significant \nloopholes.\n    Mr. Stearns. Yeah.\n    Mr. Rotenberg. And he said for example, products that might \nprovide a consumer benefit, they would continue with. So it is, \nI think an open question at this point, what they plan to do \nwith this particular product.\n    Mr. Stearns. Mr. Ansanelli, you have software, is that what \nyou have, is your company providing software? Is that primary--\nyour product?\n    Mr. Ansanelli. That is correct. We provide software for \ninformation security.\n    Mr. Stearns. And do you work with ChoicePoint, or do you \nwork with LexisNexis at all?\n    Mr. Ansanelli. Currently, neither of those are customers of \nours now.\n    Mr. Stearns. Tell me some of your customers.\n    Mr. Ansanelli. Companies like Prudential Financial, Best \nBuy, Charles Schwab, basically a lot of companies that store \nlots of consumer data, and want to make sure that it doesn't \nget out inappropriately over the Internet.\n    Mr. Stearns. Do you feel--you have heard most of the \ntestimony today--do you feel that we need Federal legislation, \nas Mr. Rotenberg has talked about?\n    Mr. Ansanelli. 
I think there has been a discussion about \ntwo parts of Federal legislation, both security and privacy. I \nam a little bit more knowledgeable on the security side, and I \nwould----\n    Mr. Stearns. Right.\n    Mr. Ansanelli. [continuing] say that things like Gramm-\nLeach-Bliley, in financial services, have made an impact in \nterms of the data at banks and other financial institutions \nbeing more secure, and I do think it is a question why, when \nthe similar data is stored by other organizations that might \nnot be in financial services, like a Social Security number, or \na credit card, why that data does not have to be protected in \nthe same way we require a bank or a financial institution. And \nI think that in order to ever get to a state where we have \nimproved privacy, you must first have security, so that is why \nwe do suggest that some improvements in clarifying what the \nrequirements are for data security, regardless of the industry, \nwould make a big difference.\n    Mr. Stearns. When I was talking to Mr. Sanford, he didn't \nquite understand my question. Maybe outsourcing was not the \nright word, but I was saying that if you had a company, and you \nbought me, as another company, and then I had employees that \nhad access to all these passwords right on up the line, how do \nyou have the assurance that the password he has, he works for \nme, he is not using that for his own personal use? So how does \na CEO, in this case, of LexisNexis, control the company they \nbought's employees, who have access to, all up the line, the \npasswords? And that is why I started to go--I mean, how would \nyou suggest we control the security on that?\n    Mr. Ansanelli. I think you are commenting on something many \npeople refer to as the insider security threat.\n    Mr. Stearns. Yeah, insider. That is better than \noutsourcing. That is why--he didn't quite--that is what I mean, \ninsider security threat.\n    Mr. Ansanelli. 
And it is obviously quite complicated.\n    Mr. Stearns. Yeah.\n    Mr. Ansanelli. Most security and infrastructure has focused \non the issue of hackers trying to break into networks, and \ntrying to get access to data, where many of the very known \ncases are actually issues of people with legitimate, allegedly \nlegitimate credentials, either by borrowing a password, or \nstealing a password, gaining access to information.\n    Mr. Stearns. But you could include the customers, not just \nthe employees, too.\n    Mr. Ansanelli. Correct. I mean----\n    Mr. Stearns. So you have not only the insider trading, but \nyou have customers having this access.\n    Mr. Ansanelli. Correct. I mean, the case at AOL, it is \nalleged that there was an IT professional who stole all the \nemail addresses at AOL, because he borrowed a password from \nsomebody else and got access to that data base. A number of \nthings that people can do. Clearly, you know, one of the things \nis clearly what we do, which is monitoring to make sure that \nthe data is not getting out. So for example, if someone gets \naccess to that data that shouldn't be sending it, either via \nemail or over the Web, we can help organizations to understand \nwhen information like Social Security numbers or credit card \nnumbers are being distributed inappropriately electronically, \noutside the company. That is clearly an important thing that \nmany, many companies are starting to do.\n    There is also--there is important things in terms of sort \nof physical precautions. How do you limit----\n    Mr. Stearns. You change the passwords frequently.\n    Mr. Ansanelli. Changing passwords frequently, making sure \nthat the--there is also technologies which allow for stronger \nthings than just a password and a name. You might have to \nactually have a physical card that has an identifier which is \nconstantly changing, for example. 
So there is many, many things \nthat people can do, and you know, one thing I would say, \nthough, is I think it is important that legislation not \nrecommend any particular technology.\n    Mr. Stearns. No, no. I understand. It is just that----\n    Mr. Ansanelli. There is lots going----\n    Mr. Stearns. My time has expired. Mr. Rotenberg, when I had \nthe discussion with the CEOs, I sort of alluded to the fact \nthere might be a third party required to authenticate their--\nthat their system is secure, or that they are--have best \npractices. And I don't think they want that. Do you think that \nis something that is necessary? I mean, like, to verify that \nthe corporation's P&L, they have an outside accounting firm. And \nhe--the accounting firm authenticates, and if it turns out, \nlike in the case of Enron, in which--and that accounting firm \nshows a lack of credibility, and they lose their business. So \nit is to the advantage of the accounting firm, just like it \nwould be to the security firm, to say this company is secure, \nand is doing best practices.\n    I don't know. Is that----\n    Mr. Rotenberg. I think that is a very good proposal, Mr. \nChairman. In fact, when we wrote to the FTC in December, one of \nthe issues that we raised with them was the lack of auditing. \nYou know, under the FCRA, people get information for \npermissible purposes, but very little effort is made after the \ninformation is disclosed, to determine if, in fact, the \ninformation was used for a permissible purpose. And we think \nsystems of better auditing and outside auditing would reduce \nthe likelihood of the misuse of information, and I think it \nwould make the companies more accountable.\n    Mr. Stearns. 
I mean, just the fact if you kept a data base \nof companies that have breaks in security, and you pretty soon \nknew which companies did and which didn't, and it started to be \na reoccurring pattern, that would be something that would be \nvery helpful to alert the Federal Trade Commission and \neverybody else, hey, there is a problem here with our security. \nJust the reporting process.\n    Mr. Rotenberg. Yeah, I think it is a very good proposal, \nand I think also for the CEO to certify the adequacy of the \nauditing, the accounting of this personal information, would \nserve much of the same purpose that was done when concerns were \nraised about financial reporting, and the risks to consumers \nare very similar. When mistakes are made, consumers carry those \ncosts.\n    Mr. Stearns. Well, obviously, you could do this voluntarily \nthrough a best practice association that does this for them, \nbut it seems to me, in the case of ChoicePoint, this individual \nin Los Angeles, they did everything, yet the individual was \nusing it fraudulently, and there is nothing they could have \ndone about it.\n    My time has expired. Ms. Schakowsky.\n    Ms. Schakowsky. You know, Mr. Chairman, there actually was \na report issued. I don't know much about--the Ponemon, Ponemon \nInstitute, of 163 U.S. companies that were surveyed in the past \n12 months, 75 percent reported a serious security breach \nresulting in stolen data, and of those breaches, 27 percent \ninvolved customer information.\n    I mean, we haven't heard reports about that. I am \nwondering, is this because there is unwillingness to make the \ninvestment, because they don't know best practices, because we \nhave failed to make requirements on them to implement certain \npractices? Mr. Ansanelli?\n    Mr. Ansanelli. I do think that one of the issues is clear \nrequirements for organizations that store data. 
I mean, \nfinancial services organizations under GLBA clearly now, and \nhave a requirement, and guidelines both by the FTC, as well as \nthe financial services agencies, to what they are supposed to \ndo. But other companies in different industries that have \nsimilar data don't have the same requirements. So without clear \nrequirements, with respect to protecting the data, as well as \nnotification, I don't think it should be too much of a surprise \nthat necessarily people haven't come forward with it.\n    I do think that one of the other challenges and issues is \nthat there is a concern that if companies are proactive in \ndoing things, that they are taking on additional litigation \nrisk, that people are going to sue them for punitive damages, \nand that has definitely been something which, I think, presents \na bit of a stumbling block for some companies, that I suggest \nwe can deal with as well.\n    Ms. Schakowsky. To both of you. A few--California and a few \nother States have laws that allow consumers to put security \nfreezes on their credit reports, and the freezes mean that \ntheir credit reports can't be accessed, unless the consumer \nallows it to be accessed, an opt-in. Do you think laws of this \ntype would be useful for other personal information that is \nheld by data brokers? Mr. Rotenberg.\n    Mr. Rotenberg. I think it is a very sensible proposal. I \nmean, all of us understand that this disclosure of personal \ninformation will, in some circumstances, provide important \nbenefits to consumers, to obtain a loan or, you know, a job, or \nsome of these other things. But if there is a benefit to the \nconsumer, it would seem obvious that the consumer should be \nable to decide when the information is disclosed. 
And what \nconsumer organizations have realized over the last couple of \nyears is that if we simply say, if you are intending to get a \nhome loan, for example, at that point, you will make your \ncredit report available, and others can make use of it, and \nmake a determination, and if you are not intending to get a \nloan, or there is no other basis for someone to get access to \nyour credit report, then it really should be in the offsetting.\n    So that particular approach, which both recognizes that \nthis information is important to businesses making decisions \nabout consumers, and gives consumers control over the \ndisclosure of the information, I think is absolutely the right \napproach. I hope we will follow it in more areas.\n    Ms. Schakowsky. Thank you. I wanted to follow up on this \nissue of victims of domestic violence, where it didn't sound \nlike--well, at least off the top of their head, that either \ncompany was aware of the kind of procedures that may be put in \nplace.\n    Is this a problem, and is there an obvious solution to that \nproblem, where even an address could put someone's life in \njeopardy?\n    Mr. Rotenberg. Congresswoman, I am not certain about the \nspecific practices of the information broker industry today. 
I \ncan tell you that in the privacy world, we confronted a very \nsimilar issue more than 15 years ago, when Caller ID first \nbecame available, and you know, and people who were in shelters \nand elsewhere were very concerned about their ability to make \ncontact with family members, without having their location or \nactual phone number disclosed, and at that time, when we were \narguing for privacy protection as Caller ID was being \nintroduced, the telephone companies agreed to put in place what \nwas called per line blocking, so that people calling from \nshelters would not have their numbers disclosed, and they \nwouldn't even have to worry about it.\n    I think today, you know, to do at least something like \nthat, in the information broker industry, should be expected.\n    Ms. Schakowsky. You know, the fact that these data brokers \nare required, under--to have certain data under the Fair Credit \nReporting Act, under Gramm-Leach-Bliley, under all those \nprotection, the usefulness of that fact is dependent on anybody \nknowing about it. I mean, I have been asking all the witnesses \nwho the heck knew before the ChoicePoint scandal came out \nreally, that these companies even really existed? I mean, in \nterms of mass knowledge of this, I think it was nonexistent.\n    So is this really useful, that they have to comply, and \nthey have to provide information back to consumers, if nobody \nknows about it, and what are we going to do about that?\n    Mr. Rotenberg. Well, as I tried to explain in my testimony, \nI think the absence of the relationship between the consumer \nand the business makes clear that market-based solutions simply \ncan't work. I mean, you have to regulate in this area, because \nthere is no other effective mechanism, and in fact, this was \nexactly the same theory that the Congress pursued, leading up \nto the passage of the Fair Credit Reporting Act in 1970. 
And \nthe Congress looked at it, and they said well, this information \nis being compiled on American consumers. They are not going to \nhave a choice over which credit reporting agency is going to \ncollect and use this information, so it has to be regulated, \nand you have to do what you can to minimize the misuse of this \ninformation, which continues to be a problem as well.\n    Ms. Schakowsky. I would agree with that. Do you want to----\n    Mr. Ansanelli. I think the one thing I would add is again, \nwith respect to ID theft, I do think that consumer education is \nreally, really important, and I do think that the FTC has done \na fair amount in that area, and I think they continue to do \nmore, in terms of people just not understanding what is going \non. There is no--there is very--there is not an obvious place \nwhere they go right now to get that information about where \ntheir data is, and how they can deal with it, and I do think \nmore can be done there.\n    Ms. Schakowsky. That is true, but I think that putting the \nonus on the consumer is ultimately a problem, because I think \nthere are so many actors in this field that you could spend \nyour life trying to get that information, and make sure that \nyou are protected. I think we do have a role here.\n    Mr. Ansanelli. I would agree. I wasn't suggesting that \nwould be the only thing. I do think that there are those three \nareas, again, the criminals, the companies, and the consumers \nall play a role in this, and I think we could do more on all \nthree of those efforts.\n    Ms. Schakowsky. Thank you very much.\n    Mr. Stearns. Well, I want to thank you for staying with us \nall through this roughly 4 hours, and your contribution is very \nhelpful, and I think it is nice to have a little bit of a \ndifferent slant.\n    So we are going to conclude the hearing. 
I think it has \nbeen very productive, and I want to thank you again for waiting \nfor the other two panels.\n    And with that, the committee is adjourned.\n    [Whereupon, at 2 p.m., the subcommittee was adjourned.]\n    [Additional material submitted for the record follows:]\n</pre></body></html>\n"