[Senate Hearing 109-60]
[From the U.S. Government Publishing Office]



                                                         S. Hrg. 109-60

 SECURING ELECTRONIC PERSONAL DATA: STRIKING A BALANCE BETWEEN PRIVACY 
                  AND COMMERCIAL AND GOVERNMENTAL USE

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 13, 2005

                               __________

                          Serial No. J-109-11

                               __________

         Printed for the use of the Committee on the Judiciary


                    U.S. GOVERNMENT PRINTING OFFICE
22-293                      WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                       COMMITTEE ON THE JUDICIARY

                 ARLEN SPECTER, Pennsylvania, Chairman
ORRIN G. HATCH, Utah                 PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa            EDWARD M. KENNEDY, Massachusetts
JON KYL, Arizona                     JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin
JEFF SESSIONS, Alabama               DIANNE FEINSTEIN, California
LINDSEY O. GRAHAM, South Carolina    RUSSELL D. FEINGOLD, Wisconsin
JOHN CORNYN, Texas                   CHARLES E. SCHUMER, New York
SAM BROWNBACK, Kansas                RICHARD J. DURBIN, Illinois
TOM COBURN, Oklahoma
                       David Brog, Staff Director
                     Michael O'Neill, Chief Counsel
      Bruce A. Cohen, Democratic Chief Counsel and Staff Director


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Feingold, Hon. Russell D., a U.S. Senator from the State of 
  Wisconsin......................................................    24
    prepared statement...........................................   142
Feinstein, Hon. Dianne, a U.S. Senator from the State of 
  California.....................................................     4
    prepared statement...........................................   145
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont.     2
    prepared statement...........................................   155
Schumer, Charles E., a U.S. Senator from the State of New York...    26
    prepared statement...........................................   181
Specter, Hon. Arlen, a U.S. Senator from the State of 
  Pennsylvania...................................................     1

                               WITNESSES

Barrett, Jennifer, Chief Privacy Officer, Acxiom Corporation, 
  Little Rock, Arkansas..........................................    33
Curling, Douglas C. President and Chief Operating Officer, 
  ChoicePoint, Alpharetta, Georgia...............................    31
Dempsey, James X., Executive Director, Center for Democracy & 
  Technology, Washington, D.C....................................    35
Douglas, Robert, Chief Executive Officer, PrivacyToday.Com, 
  Steamboat Springs, Colorado....................................     7
Johnson, Larry, Special Agent in Charge, Criminal Investigative 
  Division, U.S. Secret Service, Washington, D.C.................    13
Majoras, Deborah Platt, Chairman, Federal Trade Commission, 
  Washington, D.C................................................     9
Sanford, Kurt P., President and Chief Executive Officer, U.S. 
  Corporate and Federal Markets, LexisNexis, Miamisburg, Ohio....    29
Sorrell, William H., Attorney General, State of Vermont, and 
  President, National Association of Attorneys General, 
  Montpelier, Vermont............................................    15
Swecker, Chris, Assistant Director, Criminal Investigative 
  Division, Federal Bureau of Investigation, Washington, D.C.....    11

                         QUESTIONS AND ANSWERS

Responses of Jennifer T. Barrett to questions submitted by 
  Senator Leahy..................................................    49
Responses of Douglas Curling to questions submitted by Senators 
  Specter and Leahy..............................................    52
Responses of Deborah Platt Majoras to questions submitted by 
  Senators Leahy and Biden.......................................    66
Responses of Kurt P. Sanford to questions submitted by Senators 
  Specter and Leahy..............................................    79

                       SUBMISSIONS FOR THE RECORD

Barrett, Jennifer, Chief Privacy Officer, Acxiom Corporation, 
  Little Rock, Arkansas, prepared statement......................    87
Consumers Union, Gail Hillebrand, San Francisco, California, 
  prepared statement.............................................    95
Curling, Douglas C. President and Chief Operating Officer, 
  ChoicePoint, Alpharetta, Georgia, prepared statement...........    97
Dempsey, James X., Executive Director, Center for Democracy & 
  Technology, Washington, D.C., prepared statement...............   103
Douglas, Robert, Chief Executive Officer, PrivacyToday.Com, 
  Steamboat Springs, Colorado, prepared statement and attachments   120
Johnson, Larry, Special Agent in Charge, Criminal Investigative 
  Division, U.S. Secret Service, Washington, D.C., prepared 
  statement......................................................   148
Kuhlmann, Arkadi, Cheif, Executive Officer, ING Direct, 
  Wilmington, Delaware, prepared statement.......................   153
Majoras, Deborah Platt, Chairman, Federal Trade Commission, 
  Washington, D.C., prepared statement...........................   160
Sanford, Kurt P., President and Chief Executive Officer, U.S. 
  Corporate and Federal Markets, LexisNexis, Miamisburg, Ohio, 
  prepared statement.............................................   184
Sorrell, William H., Attorney General, State of Vermont, and 
  President, National Association of Attorneys General, 
  Montpelier, Vermont, prepared statement........................   198
Swecker, Chris, Assistant Director, Criminal Investigative 
  Division, Federal Bureau of Investigation, Washington, D.C., 
  prepared statement.............................................   214

 
 SECURING ELECTRONIC PERSONAL DATA: STRIKING A BALANCE BETWEEN PRIVACY 
                  AND COMMERCIAL AND GOVERNMENTAL USE

                              ----------                              


                       WEDNESDAY, APRIL 13, 2005

                              United States Senate,
                                Committee on the Judiciary,
                                                   Washington, D.C.
    The Committee met, pursuant to notice, at 9:30 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Arlen 
Specter, Chairman of the Committee, presiding.
    Present: Senators Specter, Coburn, Leahy, Kohl, Feinstein, 
Feingold, and Schumer.

 OPENING STATEMENT OF HON. ARLEN SPECTER, A U.S. SENATOR FROM 
                   THE STATE OF PENNSYLVANIA

    Chairman Specter. It is 9:30 and our practice is to begin 
these hearings precisely on time. We have a long list of 
witnesses today, ten in number. We have a vote scheduled for 
11:15, and once Senators disperse to go to vote, it is pretty 
hard to get the attention of the Senators after that. So we are 
going to be operating under our usual time limit of five 
minutes for statements by witnesses. All statements will be 
made a part of the record in full and that will be our method 
of proceeding.
    First, on a brief personal note, I was stopped coming over 
by a young woman who told me her father has a situation similar 
to mine. And I get a tremendous number of questions and I am 
glad to report that I am doing fine with certain treatments. I 
have a new hair stylist. That is the most marked change in my 
situation. I have been on the job. We have had the hearings, 
persevering with the work of the Senate. Some days are better 
than others, but it is all fine.
    Our subject matter today is an issue of great importance on 
breaches of data security involving the invasion of privacy. 
The statistics show that--you can start to run the clock now 
that I am on the subject matter. I adhere to the strict time 
limits myself.
    The statistics show that there were 10 million victims of 
identity theft and identity fraud in the year 2003, at a cost 
to those individuals of some $5 billion, $50 billion in 
business losses; very extensive participation by the Government 
on data, with the Department of Justice having paid some $75 
million to ChoicePoint last year on data processing.
    We are in a field of phenomenal electronic advances. Chief 
Justice Warren was prescient back in 1963 in a decision on 
Lopez v. United States, saying that, quote, ``The fantastic 
advances in the field of electronic communications constitute a 
great danger to the privacy of the individual.'' And where we 
have moved from 1963 is enormous and we now see the breaches in 
security and it is a matter of serious consequences for our 
individual privacy and also for law enforcement, which is 
relying upon these electronic mechanisms to identify suspects 
and pursue legitimate law enforcement interests.
    There has been an entire industry which has grown up on 
this subject providing very, very important services, having 
databanks which enable applicants for mortgages to get them the 
same day, applicants for leases on apartments to get them the 
same day, credit card applications being processed, so that it 
has facilitated our lives, but it has had the corollary problem 
of the invasions of privacy.
    There has been limited governmental response. Some States 
have laws. There is no Federal legislation on the issue. The 
United States General Accounting Office reports that, quote, 
``Criminal law has thus far proven to be quite ineffective in 
grappling with identity theft in that States devote 
insufficient attention and resources to prosecuting identity 
theft.'' The major companies who are represented here today--
ChoicePoint, LexisNexis and Acxiom--have personal data on 
millions of Americans, including the identity as to name, 
address, Social Security numbers, insurance claims history, 
credit history, vehicle ownership, military service, 
educational history, outstanding liens or judgments, 
fingerprints, and even DNA. So it is a very, very wide array of 
information which is available.
    There is no Federal legislation on the subject, and after 
the review for this hearing it is my conclusion that we do need 
Federal legislation, that there needs to be uniformity as we 
approach an enormous problem of this sort.
    I took about a minute before the clock went on, so I am 
going to stop at this juncture and yield to my distinguished 
ranking member, Senator Leahy.

  STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE 
                        STATE OF VERMONT

    Senator Leahy. That is a hint for the ranking member not to 
go overly long, too, but I want to thank the Chairman for doing 
this hearing. I wrote to him earlier this year and asked that 
we do it. I know that we both share this concern about privacy 
and this helps a great deal.
    I am glad to see Senator Feinstein here, who has been a 
leader on this, and Senator Schumer and other members of the 
Committee, and Senator Nelson from Commerce. I am glad to see a 
fellow Vermonter, Bill Sorrell, who is the Attorney General of 
Vermont and President of the National Association of Attorneys 
General.
    I think of all the major security breaches involving large 
firms such as ChoicePoint, Bank of America and Seisint, a 
LexisNexis subsidiary, and it shows the susceptibility of our 
most personal data to relatively unsophisticated scams. These 
are not major things where somebody went in with some major, 
high-tech hacking. This was something where they used basically 
con games and got so much of this information.
    It raises broader concerns, like industry's failure to know 
its own customers by properly screening the buyers of 
consumers' data. Advanced technology, combined with the 
realities of the post-9/11 digital era, have created strong 
incentives and opportunities for collecting and selling 
personal information about each and every American. Every 
single American in this room, as well as every American 
throughout the country--there is an incentive to collect the 
data about them and then to sell it.
    All types of corporate entities routinely traffic in 
billions of digitized personal records to move commerce along. 
Our Government is using it now to know its residents. There is 
a certain Orwellian twist to this. I can make a lot of 
arguments of why business needs it, but I can also make a 
strong argument why if business is not careful with their trust 
or Government is not careful with their trust, we Americans are 
severely damaged and the country is severely damaged. Our 
privacy and our security is damaged.
    Increasingly, those who trade in data have no direct 
relationship with the individuals and faces behind the numbers 
or letters that identify them. So the normal market discipline 
of disgruntled consumers does not save the companies from 
themselves.
    We had one major company that sent the most personal data 
about their consumers on an airplane just to ship it off to 
another area. All of us who fly very much, we know our 
suitcases get lost. This was a case, and they were cavalier 
about that, where they just sent it out, showing absolutely no 
concern for their customers. And then I read in the paper two 
days ago that their former president is given, even though he 
is retired, lifetime use of the corporate jet. No wonder they 
treated it so cavalierly. They don't have to worry about lost 
luggage. If they did, maybe they would be concerned about the 
lost data of their customers. Frankly, if I were a customer of 
that company, I would change companies.
    The case of Amy Boyer is a poignant reminder. In 1999, a 
man who had been obsessed with her since high school bought 
Amy's Social Security number, work address and other 
information from data broker Docusearch for $154. He used that 
information to track her down, and one day as she was leaving 
work he fatally shot her just before killing himself. For $154, 
he could track her down.
    For others, inaccurate or misused data has meant job 
refusals or in many cases a life-consuming cycle of watching 
their credit unravel and undoing the damage caused by security 
breaches and identity theft. Individuals working for an Indian 
data processor stole personal information of Citibank 
customers, along with $350,000 just to make it worthwhile.
    Last year, a Pakistani transcriber of medical files from a 
San Francisco hospital threatened to post that information on 
the Internet unless she received back pay. We outsource this to 
other countries anyway. They are holding our information in 
other countries and if they want to blackmail us with it, there 
is not much we can do.
    I think weaknesses in the data industry can jeopardize our 
law enforcement and our homeland security. Government contracts 
that provide critical data and processing tools have to get it 
right. Our hearing today is not about shutting down these data 
brokers or abandoning their services. It is about shedding a 
little sunshine on current practices and weaknesses, and 
frankly, in my estimation, some very, very sloppy, sloppy 
business practices by some of these companies, and then to 
establish a sound legal framework to ensure that privacy, 
security and civil liberties will not be pushed aside.
    Industry leaders like ChoicePoint, Acxiom and LexisNexis 
play a legitimate and a valuable role in the information 
economy. But because they are so valuable, they also need to 
treat these more carefully.
    I will put the rest of my statement in the record, Mr. 
Chairman, but I am extremely concerned that we are not 
protecting customers and consumers around this country in the 
way we should. The companies get the benefit of having the 
data, but they also have a responsibility. We have to also 
consider some of the privacy issues that should affect every 
single one of us.
    Chairman Specter. Without objection, Senator Leahy's full 
statement will be made a part of the record, as will my full 
statement.
    [The prepared statement of Senator Leahy appears as a 
submission for the record.]
    Chairman Specter. We turn now to a distinguished member of 
this panel who has taken initiative in introducing legislation 
in the field, as has Senator Schumer and some other Senators, 
but I think Senator Feinstein has put in the lead legislation, 
with some substantial experience from her home State of 
California.
    We are going to waive the oath for you, Senator Feinstein, 
but everybody else is going to be put under oath.

  STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE 
                      STATE OF CALIFORNIA

    Senator Feinstein. Thank you very much, Mr. Chairman, and 
because you referred to what you have been going through in 
your opening statement, I just want to say how much personal 
respect I have for you for doing what you are doing in the way 
in which you are doing it. You have been an extraordinarily 
fair Chairman and this Senator really appreciates it. I think 
your vigor and your ability to carry out this work is truly 
amazing.
    Chairman Specter. Thank you very much. Thank you.
    Senator Feinstein. You are welcome.
    Chairman Specter. Start Senator Feinstein's clock at five 
minutes.
    Senator Feinstein. Thank you.
    [Laughter.]
    Chairman Specter. And anything else she may care to say 
about me, we will restart it at five minutes, so long as it is 
similarly laudatory.
    Senator Feinstein. Thank you very much.
    I think most people don't understand that when they shop, 
when they buy a car, when they buy a home, what they buy, when 
they buy out of a catalog, when they use a credit card, all 
bits and pieces about their personal data are collated and put 
together--their Social Security number, their driver's license, 
their personal financial data, their personal health data.
    And it is used; it is used by banks who sell to 
subsidiaries. I am told Citibank sells to 2,000 different 
companies. There are companies that put this data together that 
are here today that also sell it, and the individual has no 
knowledge of this, has not given their permission, knows 
nothing about it, until one day they are a victim of identity 
theft.
    And this is not a small thing. There were 9 million victims 
this last year alone. Of the 12 big breaches of databases that 
took place this year and during last year, the personal data of 
10.7 million Americans has been put in jeopardy of identity 
theft. That is where we are going. It is huge and it is large.
    This is the third Congress in which I have introduced 
bills, bills to give an individual some control. You have to 
give your permission before your personal data is sold. That is 
called opt-in. For less personal data, it is opt-out. To 
restrict use of Social Security numbers, to require that they 
be redacted from public documents--that is a second bill, and 
so on.
    This bill, S. 115, is patterned after the California law. 
We would not have known of these breaches had it not been for 
California law. As a matter of fact, I am told that 
ChoicePoint--and I am sure if this is not correct, they will 
say so when they testify--had a prior breach and didn't notify 
anyone until the California law required them to notify 
Californians, and then others protested and they notified more 
people. So we have a bill that follows California law.
    On Monday, I introduced a new bill after working with 
consumer advocates to broaden the scope, and the new bill's 
number is 751. This bill will ensure that Americans are 
notified when their most sensitive personal information--their 
Social Security number, their driver's license or State 
identification number, their bank account and credit card 
information--is part of a data breach, putting them at risk of 
identity theft.
    This bill would require a business or government entity to 
notify an individual in writing or e-mail when it is believed 
that personal information such as a Social Security number, 
driver's license, credit card number has been compromised. Only 
two exceptions exist: first, upon the written request of law 
enforcement--that is obviously pending an investigation--for 
purposes of criminal investigation, and, second, for national 
security purposes.
    The bill is based on California law, but California law 
really opened our eyes to the breadth and depth of the problem. 
This bill covers both electronic and non-electronic data, as 
well as encrypted and unencrypted data. California law only 
includes unencrypted electronic data.
    This new bill would allow individuals to put a seven-year 
fraud alert on their credit report. The California law doesn't 
address fraud alerts. It doesn't include a major loophole 
allowing companies to follow weaker notification requirements, 
as the California law does. Our bill lays out specific 
requirements for what must be included in notices, including a 
description of the data that may have been compromised, a toll-
free number to learn what information and which individuals 
have been put at risk, and the numbers and addresses for the 
three major credit reporting agencies. By contrast, California 
law is silent on what should be in notices.
    This bill has tougher civil penalties--$1,000 per 
individual they fail to notify, or not more than $50,000 a day 
while the failure to notify continues or exists. In California, 
a victim may bring a civil action to recover damages or the 
company may be enjoined from further violations. And most 
importantly, this bill sets a national standard so that 
individuals in Iowa, Oklahoma and Maine have the same 
protection as consumers in California.
    The law would be enforced by the Federal Trade Commission 
or other relevant regulators, or by a State attorney general 
who could file a civil suit. And because the bill is stronger 
than California law, leading privacy groups, including 
Consumers Union and Privacy Rights Clearinghouse, have endorsed 
this legislation.
    I would like, if I might, to put these letters in the 
record, Mr. Chairman.
    Chairman Specter. Without objection, they will be made part 
of the record.
    Senator Feinstein. I would like to end with one case that I 
think depicts what has happened. You can't tell the true impact 
of identity theft by looking at numbers. Let me give you the 
case of Rebecca Williams. She lived in San Diego in 2000. A 
thief was using her Social Security number, her birth date and 
her name to establish a parallel identity thousands of miles 
away in the Chicago area.
    The thief opened a phone line and utilities, obtained a 
driver's license and signed up for credit cards in her name. He 
even tried to use her identity to purchase a car. In all, the 
thief used Ms. Williams' identity to open more than 30 
accounts, accruing tens of thousands of dollars' worth of goods 
and services. Sometimes, accounts were opened despite the fact 
that fraud alerts had been issued.
    Ms. Williams said that restoring her identity is like a 
full-time job, and estimates that she spent the equivalent of 
eight hours a day for three full months working with credit 
bureaus, credit card companies and various government agencies.
    Chairman Specter. Senator Feinstein, I note you have 
considerably more text. Could you summarize?
    Senator Feinstein. I certainly will. The point is that five 
years later, she has not fully restored her identity. That is 
how serious this is.
    So I thank you for holding this hearing, and I would ask 
that my full statement be entered into the record.
    Chairman Specter. Without objection, it will be made a part 
of the record in full. Again, thank you, Senator Feinstein for 
your leadership and your early leadership in this field.
    [The prepared statement of Senator Feinstein appears as a 
submission for the record.]
    Chairman Specter. We are going to start the hearing today 
with a video demonstration on what the impact is of knowing 
someone's Social Security number. We all know that the Social 
Security number is an entry point to a great deal of 
information about people, and we similarly know that we are 
frequently asked to give our Social Security number in contexts 
where we question the necessity for it. It may well be that 
Congress will consider prohibitions against disclosure of 
Social Security numbers and some very heavy tightening up of 
this very basic point of identification which we all 
necessarily have.
    We have with us Mr. Robert Douglas, who is the CEO of 
PrivacyToday.com. His full background will be made a part of 
the record, but in the interest of brevity I want to turn to 
him right now for his video demonstration.

     STATEMENT OF ROBERT DOUGLAS, CHIEF EXECUTIVE OFFICER, 
         PRIVACYTODAY.COM, STEAMBOAT SPRINGS, COLORADO

    Mr. Douglas. Thank you, Chairman Specter, ranking member 
Leahy, distinguished members of the Committee. My name is 
Robert Douglas.
    Chairman Specter. Excuse me. Do you have similar screens 
for Senator Feinstein and Senator Feingold so they can follow 
this?
    Senator Feinstein. It is right over there.
    Chairman Specter. Can you see it?
    Senator Feinstein. No, but it is there.
    [Laughter.]
    Chairman Specter. Let the record show it is there.
    Proceed, Mr. Douglas.
    Mr. Douglas. We do have hard copies of these available for 
the members.
    My name is Robert Douglas. I have been a private 
investigator and security consultant for the last 22 years, the 
last 8 years of which I have specialized in identity crimes and 
fraud. This is my fifth appearance before the United States 
Congress testifying on these types of crimes.
    I have provided expert testimony to the Federal Trade 
Commission in Operation Detect Pretext, the Florida statewide 
grand jury on identity theft, and on the murder case of Amy 
Boyer that Senator Leahy--
    Chairman Specter. Your credentials as an expert are taken. 
On to the issue.
    Mr. Douglas. Thank you, sir. I have been asked to provide a 
brief demonstration of how it is to obtain a Social Security 
number, the other types of information that are available, and 
what harm can come from that information.
    The first screen up is a website called SecretInfo.com, 
which when asked by the Washington Post to obtain a Social 
Security of one of their reporters, I was able to do so on this 
search right here, locate a Social Security in 36 hours. I 
would note that from another company, U.S. Records Search, I 
received it in two hours telephonically.
    To place the search online, all I did was go to the order 
page. I put in the name of the reporter, Jonathan Krim. I 
provided his current address, which we won't do for obvious 
reasons in the presentation here, and no other information. I 
scrolled down. I entered my name in the appropriate spot, 
entered my address information, which once again we won't 
share, and phone numbers that I could be contacted at.
    I scrolled down a little further, provided a credit card 
number to make payment, hit the ``I agree'' button, and in 36 
hours back came a very brief e-mail from Michael at 
SecretInfo.com providing the search results, the charge that 
had been applied to my credit card, the company that had 
applied the charge, and at the bottom Jonathan Krim, and 
obviously we have redacted his Social Security number for the 
presentation this morning. I would once again say that the 
other company, in two hours--they called me on my cell phone 
while I was driving home two hours afterwards.
    This is another company that gives a very good example of 
the scope of the information that is available on the 
Internet--name and address information, phone record 
information, Social Security numbers, post office box--I would 
much of this already protected by Federal law--utility 
information, DMV information. I am sure the Senators are 
familiar with the Driver's Privacy Protection Act.
    This is another search site that gives descriptions of the 
types of searches available. I would point out once again 
driving records, credit reports, and they often will have 
language that qualifies who they will sell this to. But the 
experience in the FTC operation when we called more than a 
hundred of these companies is if they trusted you, they would 
sell anything to anybody over the phone--credit card activity, 
including specific details of purchases; telephone records, 
including specific numbers that have been called; bank account 
information which, depending on how it is obtained, is in 
violation of Gramm-Leach-Bliley; airline travel records, which 
is a terrorist's dream.
    Finally, I would like to just mention--and Senator Leahy 
mentioned the Amy Boyer case. That is the case that I worked on 
in New Hampshire. This is the firm that sold Amy's information, 
Docusearch.com. They are still in business today. In fact, 
Forbes magazine lists them as number one, and ChoicePoint is 
number two, of the firms that they recommend that people go to 
to buy information.
    Why is that dangerous? In Amy's case, it ended up in this 
gentleman's hands, and I use the term ``gentleman'' quite 
loosely. This is Liam Youens standing in the corner of his 
bedroom with an AK-47. That is the gentleman that killed Amy 
Boyer once he bought her Social Security number, data of birth 
and place of employment.
    That is the conclusion of my presentation, Mr. Chairman.
    Chairman Specter. Thank you very much, Mr. Douglas. That is 
very informative.
    We will now turn to our first panel--the Honorable Deborah 
Platt Majoras, Mr. Chris Swecker, Mr. Larry Johnson and Mr. 
Bill Sorrell. Would you all please step forward?
    As a matter of practice, the Committee will swear in all 
witnesses. We are non-discriminatory. We had the Attorney 
General in last week and the Director of the FBI, so we want 
you to know that regardless of rank, station, et cetera, we 
think this is a preferred policy.
    If you would all rise and raise your right hands, do you 
swear that the testimony you will provide to the Senate 
Judiciary Committee will be the truth, the whole truth and 
nothing but the truth, so help you God?
    Ms. Majoras. I do.
    Mr. Swecker. I do.
    Mr. Johnson. I do.
    Mr. Sorrell. I do.
    Chairman Specter. May the record show that all of the 
witnesses answered in the affirmative.
    Our first witness is the Honorable Deborah Platt Majoras, 
Chairman of the Federal Trade Commission. Prior to her service 
at the FTC, she practiced law with the prestigious firm of Day 
Jones in Washington. In 2001, she was appointed Deputy 
Assistant Attorney General for the Antitrust Division, and 
Principal Deputy in 2002. She has an excellent academic record, 
summa cum laude from Westminster and a law degree from the 
University of Virginia.
    Thank you for joining us, Madam Chairman, Madam Chairwoman, 
Madam Chairperson, and you have five minutes. We look forward 
to your testimony.

  STATEMENT OF HON. DEBORAH PLATT MAJORAS, CHAIRMAN, FEDERAL 
               TRADE COMMISSION, WASHINGTON, D.C.

    Ms. Majoras. Thank you very much, Mr. Chairman, ranking 
member Leahy, Members of the Committee. I am Deborah Majoras, 
Chairman of the Federal Trade Commission. I am grateful for the 
opportunity to testify today about securing personal 
information collected by data brokers and reducing the risks of 
identity theft.
    Although the views expressed in my written testimony 
represent the views of the Commission, my oral presentation and 
responses to your questions are my own and do not necessarily 
reflect the views of the Commission or any individual 
commissioner.
    Recent revelations about security breaches that resulted in 
disclosure of sensitive personal information about thousands of 
consumers have put the spotlight on data brokers like 
ChoicePoint and LexisNexis which collect and sell this 
information. This data broker industry includes many types of 
businesses providing a variety of services to an array of 
commercial and government entities.
    The information they sell is used for many purposes, from 
marketing to assisting in law enforcement. Despite the 
potential benefits of these services, the data broker industry 
is the subject of both privacy and information security 
concerns. As recent events demonstrate, if the sensitive 
information they collect gets into the wrong hands, it can 
cause serious harm to consumers, including identity theft.
    As the FTC is well aware, identity theft is a pernicious 
problem. Our 2003 survey estimated that almost 10 million 
consumers discovered that they were victims of some form of 
identity theft in the preceding 12 months, costing consumers $5 
billion in out-of-pocket losses and American businesses $48 
billion in losses.
    The survey looked at two major categories of identity 
theft--the misuse of existing accounts and the creation of new 
accounts in the victim's name. Not surprisingly, the survey 
showed a direct correlation between the type of identity theft 
and its cost to victims in both time and money spent solving 
the problem. So, of course, people who had new accounts opened 
in their names, while they made up only one-third of the 
victims, nonetheless suffered two-thirds of the direct 
financial harm. Our survey also found that victims spent almost 
300 million hours correcting their records and reclaiming their 
good names. That is a substantial toll and we take seriously 
the need to reduce it.
    There is no single Federal law governing data brokers. 
There are, however, some statutes and regulations that address 
the security of access to the information they maintain, 
depending on how the information is collected and used.
    The Fair Credit Reporting Act, for example, makes it 
illegal to disseminate consumer report information like credit 
reports to someone who does not have a permissible purpose; 
that is, a legitimate business need for the information. 
Similarly, the Gramm-Leach-Bliley Act imposes restrictions on 
the extent to which financial institutions may disclose 
consumer information related to financial services and 
products.
    Under that Act, the Commission issued its Safeguards Rule, 
which imposes security requirements on a broadly defined group 
of financial institutions that hold customer information. The 
Commission recently brought two cases in which we alleged that 
the companies there had not taken reasonable precautions to 
safeguard consumer information.
    Finally, Section 5 of the FTC Act prohibits unfair or 
deceptive practices by a broad spectrum of businesses, 
including those involved in the collection and use of personal 
information. Using this authority, the Commission has brought a 
number of actions against companies that made false promises to 
consumers about how they would use or secure their sensitive 
personal information.
    These cases make clear that an actual breach of security is 
not necessary for us to enforce under Section 5 if we determine 
that a company's security procedures were not reasonable in 
light of the sensitivity of the information the company 
maintains. Evidence of a breach, of course, however, may 
indicate that the company's procedures were not adequate, and 
our Commission staff monitors reports of breaches and initiates 
investigations where appropriate.
    The Commission, consistent with the role Congress delegated 
in 1998, has worked hard to educate consumers and businesses 
about the risks of identity theft, as well as to assist victims 
and law enforcement officials. The Commission maintains a 
website and a toll-free hotline staffed with trained counselors 
to advise victims on how to reclaim their identities. We 
receive roughly 15,000 to 20,000 contacts per week on our 
hotline or through our website or from mail from consumers who 
want to avoid becoming victims and from victims themselves. The 
Commission also facilitates cooperation, information-sharing 
and training among Federal, State and local law enforcement 
authorities.
    Although data brokers are currently subject to a patchwork 
of laws, depending on the nature of their operations, recent 
events raise the issue of whether these laws are sufficient. 
Although several alternatives have been proposed and we are 
considering each very carefully, the most immediate need is to 
address the risks to security.
    One sensible step would be to mandate security requirements 
for sensitive personal information collected by data brokers 
much like the Commission's Safeguards Rule imposes on certain 
companies. It also is appropriate--
    Chairman Specter. Chairman Majoras, could you summarize at 
this point?
    Ms. Majoras. Yes, I will.
    Finally, it is also appropriate to consider a workable 
Federal requirement for notice to consumers when there has been 
a security breach that raises significant risks to consumers.
    Mr. Chairman, members of the Committee, thank you very 
much. I look forward to working with all of you.
    [The prepared statement of Ms. Majoras appears as a 
submission for the record.]
    Chairman Specter. Thank you.
    We turn now to Mr. Chris Swecker, who is the Assistant 
Director of the Criminal Division of the Federal Bureau of 
Investigation. Mr. Swecker has a very extensive background in 
field work, has been with the FBI since 1982. His academic 
record is a bachelor's degree from Appalachian State University 
and a law degree from Wake Forest. He also served as--this is 
the highlight of your resume, Mr. Swecker. You were an 
assistant district attorney. People sometimes ask me what is 
the best job I ever held and expect to hear Senator, maybe D.A. 
And I say, no, assistant D.A.
    Start the clock at five minutes for Mr. Swecker.

   STATEMENT OF CHRIS SWECKER, ASSISTANT DIRECTOR, CRIMINAL 
   INVESTIGATIVE DIVISION, FEDERAL BUREAU OF INVESTIGATION, 
                        WASHINGTON, D.C.

    Mr. Swecker. Good morning, Mr. Chairman and members of the 
Committee. I want to thank you for the opportunity to testify 
today on the FBI's efforts to combat identity theft, as well as 
the FBI's use of public source data.
    The FBI views identity theft as a significant and growing 
crime problem, especially as it relates to the theft of 
consumer information from large wholesale data companies. The 
FBI opened 1,081 investigations related to identity theft in 
fiscal year 2003, and 889 in fiscal year 2004. I might add that 
a case that involves the theft of 1,000 identities would only 
be counted as one investigation within the FBI's structure.
    That number is expected to increase as identity thieves 
become more sophisticated and as the technique is further 
embraced by large criminal organizations, placing more identity 
theft crime within the FBI's investigative priorities. At 
present, we have over 1,600 active investigations involving 
some aspect of identity theft.
    The FBI does not specifically track identity theft 
convictions and indictments, as identity theft crosses all 
program lines and is usually perpetrated to facilitate other 
crimes such as credit card fraud, check fraud, mortgage fraud 
and health care fraud.
    Armed with a person's identifying information, an identity 
thief can open new accounts in the name of a victim, borrow 
funds in the victim's name, or take over and withdraw funds 
from existing accounts of the victim, such as their checking 
account or their home equity line of credit. Although by far 
the most prevalent, these financial crimes are not the only 
criminal uses of identity theft information, which can even 
include evading detection by law enforcement in the commission 
of violent crimes.
    Identity theft takes many forms, but generally includes the 
acquiring of an individual's personal information such as 
Social Security number, date of birth, mother's maiden name, et 
cetera. Identity theft has emerged as one of the dominant white 
collar crime problems of the 21st century. Estimates vary 
regarding the true impact of the problem, but agreement exists 
that it is pervasive and growing.
    In addition to the significant monetary harm caused to the 
victims of the frauds, often by providers of financial, 
government or other services, the individual victim of the 
identity theft may experience a severe loss in their ability to 
utilize their credit and their financial identity.
    In a May 2003 survey commissioned by the FTC, they 
estimated that the number of consumer victims of identity theft 
over the year prior to the survey at 4.6 percent of the 
population of U.S. consumers over the age of 19, or 9.9 million 
individuals, with losses totaling $52.6 billion. Half of these 
individuals experienced the takeover of existing credit cards, 
which is generally not considered identity theft. New account 
frauds, more generally considered to be identity theft, were 
estimated to have victimized 3.23 million consumers and to have 
resulted in losses of $36.7 billion.
    The FBI's Cyber Division also investigates instances of 
identity theft which occur over the Internet or through 
computer intrusions by hackers. The Internet Crime Complaints 
Center, also known as IC3, is a joint project between the FBI 
and the National White Collar Crime Center. This joint 
collaboration serves as a vehicle to receive, develop and refer 
criminal complaints regarding the rapidly expanding arena of 
cyber crime.
    The IC3 receives an average of 17,000 complaints every 
month from consumers alone, and additionally receives a growing 
volume of referrals from key e-commerce stakeholders. Of the 
more than 400,000 complaints referred to IC3 since its opening 
in May of 2000, more than 100,000 were either characterized as 
identity theft or involved conduct that could be characterized 
as identity theft.
    The FBI is developing cooperative efforts to address the 
identity theft crime problem in cities such as Detroit, 
Chicago, Memphis and Mobile. Task forces are currently 
operating in conjunction with our other State, Federal and 
local partners.
    An example of some of the cases involve a case involving, 
in September 2004, Phillip Cummings in the theft of over 30,000 
consumer credit histories from 2000 to 2002. Losses to 
financial institutions in this case exceeded $11 million. He 
was sentenced to 14 years in Federal prison.
    In January of 2003, another case involved the theft of over 
100 credit reports by someone posing in the account name of 
NEXTEL. The cases go on and on. I won't belabor you with all of 
the different investigations. There is a case, as you well 
know, involving ChoicePoint, where there wasn't an IT 
intrusion. It was actually a socially-engineered con effort, as 
Senator Leahy pointed out, involving a customer who used over 
23 business identities to access accounts through ChoicePoint.
    Chairman Specter. Mr. Swecker, your red light is on. Time 
has expired. If you could summarize at this point, we would 
appreciate it.
    Mr. Swecker. ChoicePoint information is not considered in a 
vacuum. It is one of the many investigative tools which are 
used in law enforcement by investigators and analysts. As with 
any source of information, it is considered in relation to the 
totality of available information. It is particularly useful in 
that it allows analysts to inductively and deductively develop 
information about subjects, their confederates, witnesses and 
corporations that are associated with an investigation.
    Once again, I appreciate the opportunity to come before you 
today and share the work that the FBI has undertaken involving 
identity theft. The FBI's efforts in this arena will continue 
and we will continue to keep the Committee informed of our 
progress.
    [The prepared statement of Mr. Swecker appears as a 
submission for the record.]
    Chairman Specter. Thank you very much, Mr. Swecker.
    We turn now to Mr. Larry Johnson, who is the Special Agent 
in Charge of the Criminal Investigative Division of the Secret 
Service. Mr. Johnson is a 20-year-plus veteran of the Secret 
Service, having started in 1982. He has worked in quite a 
number of field offices around the country and was the 
Assistant Special Agent in Charge of the Presidential 
Protective Division. He has a bachelor's degree from Eastern 
Kentucky.
    Thank you very much for joining us, Mr. Johnson.

 STATEMENT OF LARRY JOHNSON, SPECIAL AGENT IN CHARGE, CRIMINAL 
 INVESTIGATIVE DIVISION, U.S. SECRET SERVICE, WASHINGTON, D.C.

    Mr. Johnson. Thank you, Mr. Chairman. In addition to 
providing the highest level of physical protection to our 
Nation's leaders, the Secret Service exercises broad 
investigative jurisdiction over a wide variety of financial 
crimes. As the original guardian of our Nation's financial 
payment system, the Secret Service has a long history of 
protecting American consumers and industry from financial 
fraud.
    With the passage of Federal laws in 1984, the Secret 
Service was provided primary authority for the investigation of 
access device fraud, including credit card, debit card fraud, 
and parallel authority with other law enforcement agencies in 
identity crime cases.
    In recent years, the combination of the information 
revolution, the effects of globalization and the rise of 
international terrorism have caused the investigative mission 
of the Secret Service to evolve dramatically. With the 
expanding use of the Internet and lower cost of information 
processing, legitimate companies have found it profitable to 
specialize in data mining, data warehousing and information 
brokering.
    Information collection has become a common by-product of 
newly emerging e-commerce. Internet purchases, credit card 
sales and other forms of electronic transactions are being 
captured, stored and analyzed by businesses seeking to find the 
best customers for their products.
    This has led to a new measure of growth within the data 
collection industry that promotes the buying and selling of 
personal information. In today's markets, consumers routinely 
provide personal and financial identifiers to companies engaged 
in business on the Internet. They may not realize that the 
information they provide in credit card applications, loan 
applications or with merchants they patronize are valuable 
commodities in this new age of information trading.
    This wealth of available personal information creates a 
target-rich environment for today's sophisticated criminals, 
many of whom will organize and operate across international 
borders. But legitimate businesses can provide a first line of 
defense against identity crime by safeguarding the information 
they collect. Creating industry standards in this area can 
significantly limit the opportunities for identity crime even 
while not limiting its occurrence altogether.
    With the proliferation of computers and the increased use 
of the Internet, high-tech identity criminals began to obtain 
information from company databases and websites. In some cases, 
the information obtained is in the public domain, while in 
others it is proprietary and is obtained by means of computer 
intrusion or by means of deceptions such as Web spoofing, 
phishing and social engineering.
    The method that may be most difficult to prevent is the 
theft by a collusive employee. Individuals or groups who wish 
to obtain personal or financial identifiers for a large-scale 
fraud ring will often pay or extort an employee who has access 
to this information through their employment. This collusive 
employee will access the proprietary database, or copy or 
download the information or remove it from the workplace either 
electronically or simply by walking it out.
    The Secret Service has seen Internet crime increase 
significantly within the last several years. Since the early 
1990s, the Eurasia-based computer underground in particular has 
developed a prodigious record for malicious software 
development. Starting in the late 1990s and increasing over the 
last few years, the criminal element has used such malicious 
software to penetrate financial and government institutions, 
extract data and illicitly traffic in stolen financial identity 
information. We believe that the exploitation of identity theft 
information is primarily for financial purposes.
    I would like to talk briefly about agency coordination and 
criminal sophistication. It has been our experience that 
criminal groups involved in these types of crimes routinely 
operate in a multi-jurisdictional environment. This has created 
problems for local law enforcement agencies that generally act 
as first responders to criminal activity.
    By working closely with other Federal, State and local law 
enforcement, as well as international police agencies, we are 
able to provide a comprehensive network of intelligence-
sharing, resource-sharing and technical expertise that bridges 
jurisdictional boundaries. This partnership approach to law 
enforcement is exemplified by our financial and electronic 
crime task forces located throughout the country. These task 
forces primarily target suspects and organized criminal 
enterprises in financial and electronic criminal activity that 
fall within the investigative jurisdiction of the Secret 
Service.
    Chairman Specter. Mr. Johnson, your time is expired. If you 
would summarize, we would appreciate it.
    Mr. Johnson. Finally, the best example of agent 
coordination was on October 24, 2004, when the Secret Service 
arrested 30 individuals across the United States and abroad for 
credit card fraud. The suspects were part of a multi-count 
jurisdiction investigation out of the district in New Jersey. 
We had 30 arrests, 28 search warrants served simultaneously not 
only in the United States, but in 11 different countries 
throughout the world in conjunction with this investigation.
    Thank you.
    [The prepared statement of Mr. Johnson appears as a 
submission for the record.]
    Chairman Specter. Thank you very much, Mr. Johnson.
    I note that there are still some people in the hall. If 
there are, you ladies and gentlemen are welcome to move into an 
area here where we have some space. Are there others who are 
still in the hall without being able to come into the hearing 
room? We don't want anybody to miss our hearing. Well, if 
anybody comes, they are welcome to come, and if you folks would 
move over into some open space to give some room, we would 
appreciate it.
    I want to turn now to the distinguished ranking member to 
introduce his home State attorney general.
    Senator Leahy. Well, thank you, Mr. Chairman. I am glad to 
have Bill Sorrell here. He has been Attorney General of Vermont 
since May of 1997--that is an elective office--first appointed 
when the then attorney general went on to become chief justice 
of the State. In elections, he has ended up being basically 
endorsed by both parties. While everybody else worries about 
reelection, he just sort of walks in with the strong support of 
all Vermonters.
    But I mention that, really, before being attorney general 
he held the best elected job that there has ever been in the 
State of Vermont, and that is he was Chittenden County State's 
attorney. Anyone who has been Chittenden County State's 
attorney will tell you that there is no finer job that you 
could have in the State of Vermont, even the United States 
Senate. So I am glad he is here. He is now President of the 
National Association of Attorneys General, and I think we are 
fortunate to have him here with us. I thank you, Mr. Chairman, 
for inviting him.
    Chairman Specter. Welcome, Mr. Sorrell. Were you ever an 
assistant prosecutor?

  STATEMENT OF WILLIAM H. SORRELL, ATTORNEY GENERAL, STATE OF 
   VERMONT, AND PRESIDENT, NATIONAL ASSOCIATION OF ATTORNEYS 
                  GENERAL, MONTPELIER, VERMONT

    Mr. Sorrell. I was, yes, and that was a great job, too.
    Chairman Specter. Thank you for joining us and the floor is 
yours.
    Mr. Sorrell. Thank you, Mr. Chairman, Senator Leahy, and 
other members of the Committee, for giving me the opportunity 
to be here and talk about some issues that are of great 
importance to me and my fellow attorneys general.
    I am the President of the National Association of Attorneys 
General, and I am confident that most of my colleagues, if not 
all--and it could be all--agree with the thoughts that I will 
present today. But I would ask the Committee to consider that 
these are my remarks as the Vermont Attorney General.
    First of all, I want to start, Senator Feinstein, by 
thanking California for enacting the disclosure law. But for 
that law, ChoicePoint might not have disclosed the security 
breaches. We might not have seen and had the scrutiny we have 
on these issues. We might well not be here today. So my thanks.
    In thinking about my remarks today, I was reminded of the 
quote that is attributed to the famous bank robber Willie 
Sutton. Asked why he robbed banks, he said that is where the 
money is. Unlike the days perhaps when Senator Leahy and I were 
county prosecutors and you were worried about losing your TV or 
your stereo and maybe your money, these days where the money is 
is in the computers of data brokers, credit reporting agencies 
and other large financial institutions, academic institutions 
and the like, the personal information that they have, because 
if they can gain that personal information, they can not only 
drain your finances from the accounts that you have, but more 
importantly, and in the case of so many Americans, more than 
the value of what they have in accounts is their access to 
credit. What identity theft is about in many, many cases is 
stealing one's access to credit.
    I am maybe dating myself a bit, but five or so years ago I 
was here in D.C. speaking to one of the Senate committees on 
Gramm-Leach-Bliley issues and saying at that time that with the 
way the economy was changing, with the ability to collect more 
and more information, we might well have been looking back on 
that time someday and saying that was the good old days when 
privacy was privacy.
    Well, here we are today and we see that more information is 
being gathered and that clever criminals are finding more and 
more ways to steal from us, to the tune of what the Chair of 
the FTC indicated to be $50 billion a year, and that number 
going up.
    We are here to say that the time for Federal action is now. 
We much appreciate the fact several bills are being considered 
in this area of the importance of the privacy and protection of 
our personal information. We hope that the Congress will follow 
the lead of California, and now up to 30 States that are 
considering disclosure laws, to enact a security breach 
notification law.
    To the extent that you can take into account the fact that 
the quicker the notification goes out to consumers that their 
personal information has been accessed, then the FTC studies 
show rather dramatically that the amount of the loss can be 
significantly reduced. So time and effectiveness of the notice 
are of significant importance.
    We ask you, if you enact such a law, to have your law be a 
floor rather than a ceiling in the same way under Gramm-Leach-
Bliley the opt-out standard applies nationally. You have 
allowed States like Vermont to go forward and protect our 
citizens more and to adopt an opt-in standard if we wish. And 
we ask in this arena that you do the same thing, that you be 
respectful of the ability of the States; if the State wishes to 
be more protective, to be able to do so.
    The Chair indicated that the regulation of data brokers is 
sort of piecemeal. We ask you to pass a Federal statute that 
regulates data brokers, again, not to preempt the States with 
whatever you might do. Finally, we ask you to strengthen the 
safeguards rules under Gramm-Leach-Bliley and to include in 
those safeguard rules data brokers. We trust and hope that you 
will remain mindful and appreciative of the role that the 
States have played both legislatively and in investigations in 
this area of personal information, the importance of it, and we 
look forward to working with you going forward.
    Thank you for asking me to be here today.
    [The prepared statement of Mr. Sorrell appears as a 
submission for the record.]
    Chairman Specter. Thank you very much, Attorney General 
Sorrell.
    Senator Coburn has appropriately noted that some of the 
testimony was submitted late, and we are going to be enforcing 
a strong rule that where testimony is not submitted in time, 
then witnesses will not be permitted to make opening 
statements, but only to respond to questions, because it is 
very important that we get that on time. There is a tremendous 
amount of work to do to collate these materials and I thought 
that cautionary word would be in order at this time.
    Thank you, Senator Coburn, for focusing on that.
    Senator Leahy. Mr. Chairman, I have a question on that. 
What do we do in those cases where testimony is submitted, but 
then entirely different testimony is given? I am thinking, for 
example, of the Attorney General the other day submitted 
testimony, but then the testimony he gave was considerably 
different. I wouldn't to preclude him.
    Chairman Specter. Well, that happens from time to time and 
leads to more vigorous cross-examination. I heard you, Senator 
Leahy. He paid the price by offering different testimony from 
what he had submitted in writing.
    Senator Leahy. Thank you.
    Chairman Specter. I don't think there is any way you can 
control that. If people have to submit testimony, they will 
have to focus on it and we will have at least that advanced 
notice. But I do agree with you that it is problemsome when you 
have something new that you haven't been prepared for, but I 
thought you handled it very adroitly.
    Senator Leahy. We are talking about the U.S. Attorney 
General, not the Vermont Attorney General.
    Mr. Sorrell. I understand that. Thank you.
    Chairman Specter. Each member will now have five minutes on 
questioning, and I would ask that the responses be brief.
    Starting with you, Madam Chairwoman Majoras, what kind of 
Federal legislation would you like to see?
    Ms. Majoras. Well, as I said briefly in my opening 
statement, Senator, we think that looking at extending our GLB 
Safeguards Rule across a broader spectrum of companies so that 
companies are required by law to have in place security 
measures would be a terrific first step. And as a second step, 
we think we ought to look at notice provisions where consumers 
are at risk from breaches.
    Chairman Specter. Well, we will be submitting to you the 
draft legislation we have. You have had a lot of experience in 
the FTC.
    I want to address a question to both Mr. Swecker and Mr. 
Johnson. Both the FBI and the Secret Service has contracted 
out; the FBI paid about $75 million last year. What are you 
doing, Mr. Swecker, to guarantee the security of information 
which is so critical to law enforcement?
    Mr. Swecker. Well, the existence of our queries by 
contractor are not known--I mean, the existence is known, but 
the substance of the queries are not known to ChoicePoint or 
any of the data brokers that we contract with. They collect the 
number and other information, but they do not collect the 
subject of the query.
    Chairman Specter. Are you saying then that the security 
breaches like we have seen do not impact on the FBI and the 
security of the information that you deal with?
    Mr. Swecker. Not in the sense of knowing who we have 
initiated queries on. That data, ChoicePoint and other data 
brokers tell us, is not collected by them, only the number of 
queries and some other basic information for billing purposes.
    Chairman Specter. From the point of view of the Secret 
Service, Mr. Johnson, do you face any security problems on 
breaches that we have seen here?
    Mr. Johnson. Mr. Chairman, no, we have not. In similar form 
and fashion with the FBI, that is not known to the broker. 
Other things that the Secret Service does is we continuously 
monitor the information. We have assessment teams only looking 
at the information flow to see if we are vulnerable in any 
aspect of the information being leaked.
    Chairman Specter. Attorney General Sorrell, you have 
testified that you would not like to see the State laws 
preempted. We have now many States which have legislated in the 
field and we are considering Federal legislation. You have 
these companies which will have to comply with a patchwork of 
legislation.
    There has been some thought that this ought to be a matter 
for Federal jurisdiction on lawsuits, and at least at this 
point I have grave reservations about that, first, because the 
Federal courts are so heavily burdened at the present time. 
And, secondly, if you come from a rural part illustratively of 
Pennsylvania, Fulton County, you don't want to go to Harrisburg 
or Pittsburgh to litigate your case. You can litigate Federal 
claims in the State court.
    I would like you to address the two issues. First, why not 
preempt State laws so that these companies know what they are 
dealing with and don't have to familiarize themselves with the 
many, many differences?
    Mr. Sorrell. First of all, Senator, on this idea of a 
patchwork of different laws, our economy, with globalization, 
is becoming a world economy so that there are clearly 
differences between countries. We have some States which have 
economies larger than most of the countries of the world, and 
since we are talking about computers and information, it is 
really more of a system of programming.
    I mentioned Gramm-Leach-Bliley. We have for our insurance 
and financial services and banking industry in Vermont an opt-
in standard rather than the national opt-out standard. Our 
Vermont economy has not suffered. Companies want to come in and 
do business there. It is doable and it is a minimum burden to 
become aware of the level of laws in each of the States and to 
stay in compliance with that.
    Roughly 30 of the States are looking at disclosure laws now 
and many of the States are looking at the security freeze laws. 
These same companies are very mindful of what is going on in 
the State houses and are in there lobbying. They want a single 
standard which would be easier for them. But in our view, in 
Vermont, Vermonters, if they want to go further, should be 
allowed to do so.
    Chairman Specter. My time has expired and I will yield at 
this point to Senator Leahy.
    Senator Leahy. Well, thank you, Mr. Chairman.
    Madam Chair, we talked about ChoicePoint, LexisNexis, and 
so on. These are well-known, but there are a whole lot of other 
companies that operate well beneath the radar. Some get even 
more involved in our personal life and data.
    Does the FTC have any current plans to examine, identity 
and check these other industry players?
    Ms. Majoras. Senator Leahy, the FTC has been interested in 
this industry for some time, since before the recent 
revelations that have been in the news. We are working hard to 
try to get a better handle on this industry. It is hard to know 
at this point whether we can even call it just an industry 
because it seems to have many facets, depending on how you 
define it.
    So in addition to several investigations that we have 
pending, we are, in fact, trying to get our arms around who the 
players are here so that when we are working in law enforcement 
and when we are asked by Congress to help with possible 
legislation, we have the facts and we know what it ought to 
pertain to.
    Senator Leahy. Some of the privacy experts suggest applying 
some kind of fair information practices, something similar to 
the Fair Credit Reporting Act, to the data brokers that are not 
currently subject to such similar protections. Would you 
support such an application?
    Ms. Majoras. I think we should look at whether some of 
those provisions should be applied. For example, if we have a 
data broker who is collecting information with respect to 
marketing practices, consumers, for example, may not care very 
much about the accuracy of that information that is being 
collected. So that may be an area where consumers don't even 
want to be bothered with checking the accuracy. So again we 
want to make sure that if we extend these, we extend them in a 
way that makes sense.
    Senator Leahy. Thank you, and I may have my staff follow up 
a little bit with yours on that subject.
    Ms. Majoras. Yes, sir.
    Senator Leahy. Mr. Swecker, just to follow up a little bit 
on what the Chairman was asking you, has the FBI audited any of 
the commercial data brokers with whom you have contracts to 
evaluate how they comply with those contracts and security 
products? I am thinking insofar as you use them sometimes for 
criminal searches.
    Mr. Swecker. No, Senator, we have not done a formal audit. 
We have looked at their protocols and how they capture our 
queries and the substance of the query is not captured. The way 
it is explained to me is there is a logging protocol that is 
used that masks the existence or the substance of our query, 
but does capture other information just simply for their 
billing purposes, but no formal audit.
    Senator Leahy. And none planned?
    Mr. Swecker. I am sorry, sir?
    Senator Leahy. And none planned that you know of?
    Mr. Swecker. None planned that I know of.
    Senator Leahy. We may want to follow up further on that 
with you.
    We also have the whole question of data mining technology. 
There are a lot of different forms of it, algorithms that look 
for patterns, profiles, and so on. What kind of data mining 
does the FBI utilize, and assuming you can answer this in an 
open hearing, what kinds of protections are in place to prevent 
abuse?
    Mr. Swecker. There really isn't data mining, per se. Each 
query is predicated and connected to an investigation, at least 
a preliminary inquiry. So we don't data-mine through the data 
broker's information. There are specific queries that are made 
that are connected to specific investigations that are 
predicated.
    The closest that you could come to calling it data mining 
would be large-batch queries that are sometimes done with 40, 
50 names at one time. But as far as just mining through the 
data, that does not occur.
    Senator Leahy. I will follow up with a further question on 
that.
    Attorney General Sorrell, you said that many consumers in 
Vermont attempted to obtain a free report under Vermont law 
after learning about the ChoicePoint and the other security 
breaches. And they were told incorrectly, it turned out, by the 
credit bureau's voice mail systems that they were not eligible 
for a free credit report.
    Have the credit reporting bureaus since resolved this 
problem? Have you heard from other attorneys general that they 
have had in their State the same kind of problem?
    Mr. Sorrell. I think there are about seven States that, 
like Vermont, had a statute before the Federal statute granting 
individuals annual access to their credit reports. I haven't 
heard from the other States. We have communicated with the 
credit reporting agencies reminding them of the Vermont law, 
quite apart from the Federal law which, for Vermont, I don't 
think is effective until this coming September.
    I don't have up-to-date information to know whether 
consumers have called in within the last couple of days to 
complain about that. But, again, this is one of those issues 
where Vermont and some other States were ahead of the Federal 
Government in setting a more protective standard for our 
consumers and the Congress followed suit, ultimately.
    Senator Leahy. Thank you. Thank you, Mr. Chairman.
    Chairman Specter. Thank you very much, Senator Leahy.
    Senator Leahy. I have other questions I will submit for the 
record.
    Chairman Specter. Fine.
    Senator Coburn.
    Senator Coburn. Thank you, Mr. Chairman.
    Attorney General Sorrell, if we were to make changes in 
terms of trying to protect States' rights and States' options, 
can you suggest a way to create an opt-in/opt-out phenomenon in 
the Bliley bill that would incorporate your concerns and still 
give you the flexibility as a State, but still we could have a 
more uniform practice throughout the country?
    Mr. Sorrell. I would be happy to. This is really an area 
where I would be out in front of my colleagues, since we have 
not discussed an opt-in/opt-out national standard. I think it 
would depend on the nature of the information that is being 
collected and for what purposes it may be accessed; as the 
Chair suggested, marketing surveys as opposed to considerations 
for extension of credit and such.
    One thing that a number of the States are doing right now 
which is very effective in terms of combatting identity theft 
is to be able to freeze access to your credit reports. 
California, Texas, Louisiana and Vermont have those laws or 
they are about to go into effect.
    There is some downside for consumers when you do that 
because if you go to a store and want to open up an instant 
credit account, you can't get it. If you haven't thought a 
little bit ahead that you are looking for a mortgage to 
refinance or a new mortgage, or rent an apartment or buy a car 
or something like that, there is a time lag.
    But on the other hand, when it is access to your credit 
that is the main way that you can be the victim of identity 
theft crimes, then you can put a hold on your credit history 
going out. Four States have done it and others are considering 
it, and it is a very effective tool that some of the States 
have looked at to combat identity theft. And you can do it for 
periods of time, you can do it on an ongoing basis, and it is 
much more effective than just putting a security alert on your 
credit history.
    Senator Coburn. But for the State of Vermont and your 
position, you can't see that you would object if you were left 
with the flexibility to opt in or opt out for Vermont if we 
were to have Federal legislation?
    Mr. Sorrell. I am sorry if I missed the point of your 
question, Senator. What I am asking for is that in this area of 
privacy, if there is Federal legislation that it be a floor as 
opposed to a ceiling and give the laboratory of the States, 
mindful of their priorities, the ability to be more protective 
if they wish, knowing that there might be some downside for 
individuals or for the economy in those States if they are 
willing to take on those burdens in return for the extra 
protection.
    There is some burden for the companies to be dealing with 
different rules and regulations, but that is the case 
environmentally with any number of other consumer laws right 
now and it can be the case here.
    Senator Coburn. Mr. Chairman, just for the record I would 
note that I have a great deal of difficulty with my credit card 
company because they are so aggressive, and as much as I travel 
around the country they won't let me charge until they talk to 
me on the phone. They are not sure I am who I think I am. 
Sometimes, I am not sure I am who I think I am.
    But either way, we have a broad continuum of security 
checks that are going on now by individual businesses who offer 
credit, and I just think that the hearing ought to focus in the 
future on how do we create a better climate for the security of 
consumers in terms of their credit, but also leave the States 
the individual right to opt higher. I would agree with you.
    I thank you, Mr. Chairman.
    Chairman Specter. Well, those are very important 
considerations, Senator Coburn. How do they tell it is you? Do 
they know your voice?
    Senator Coburn. They ask for my mother's maiden name and my 
grandmother's maiden name.
    Chairman Specter. You fellows from Oklahoma don't have such 
distinct dialects as those of us from Kansas.
    Senator Coburn. We have a twang, Mr. Chairman.
    Chairman Specter. Thank you, Senator Coburn.
    Senator Feinstein.
    Senator Feinstein. Well, thanks very much. Just quickly in 
response to Senator Coburn, the legislation that I have 
introduced in terms of protections for people in the opt-in/
opt-out is that the opt-out is for significant personal data--
Social Security number, driver's license, personal health, 
personal financial data. That would be opt-in. Lesser things 
would be opt-out. That is just for your information.
    Attorney General, thank you very much for your comment 
about California. You mentioned that you thought this 
legislation should be a floor and not a ceiling, and that other 
States should be able to enter the arena. My concern is that if 
you have a different standard for notification--I am going to 
talk about that in a minute, but a different standard for 
notification in every State, it makes it very difficult.
    It seems to me that the standard for notification should be 
the same; in other words, what kind of information you must 
notify on, what the procedures for notification are, can you do 
it in e-mail, must you do it in writing and e-mail. Those kinds 
of things should be national, and then anything a State wants 
to do in addition to that would be up to the State.
    Could you comment?
    Mr. Sorrell. Do you envision a standard of whether there is 
substantial likelihood of misuse of the information or that it 
is just notification that the information has been accessed?
    Senator Feinstein. Well, this is what I wanted to talk with 
the Chairman about because she has some quotes on this subject. 
I think any time the database is breached, that information is 
then out there. How do you know if it is significant risk, 
because somebody who gets 100,000 I.D.s about different people 
can sit back and use them in a year, in two years, can sell 
them? I think it is very difficult to determine significant 
risk.
    Mr. Sorrell. I agree with you, Senator. I am pleased to 
hear you say that. I guess in answer to your other question, it 
depends on what standard you set. In the case of ChoicePoint, 
and with all due respect to ChoicePoint, it is my understanding 
that the notifications that they sent out originally to 
California and then, under some pressure or encouragement, to 
other Americans--these notices, or a number of them, when 
coming through the mail, came in envelopes that just said 
``ChoicePoint.''
    Now, frankly, I had never heard of ChoicePoint until this 
issue broke and if I had received something from ChoicePoint, I 
would have assumed it was just another credit card offer and it 
would have gone in the recycling bin. So, hopefully, to the 
extent that a Federal standard is set, the notification will be 
such that it will prominently let consumers know that this has 
to do with access to your personal information as opposed to 
something from a company maybe they never heard of.
    Senator Feinstein. Thank you. You have made a very good 
suggestion. We will take you up on it.
    Good morning, Madam Chair. If I may, when you appeared 
before the Senate Committee on Banking, you stated in response 
to Senator Reed that prompt notification of breaches should be 
given when there is significant risk to consumers. I think this 
is one of the biggest areas in notice, the idea of what 
triggers notice so as to avoid over-notification, but at the 
same time ensure, just as I have pointed out, that individuals 
are notified because you don't know what might be done with 
that information. So I would like to explore this with you 
further.
    I would like to know why you take the position that notice 
should only be sent if there is significant risk to consumers 
and how you would define that.
    Ms. Majoras. Thank you. That is an excellent question, 
Senator Feinstein, and one that we are currently grappling with 
at the FTC. The issue is exactly the one that you have raised--
over-notification. We have a lot of experience in dealing with 
consumers on a lot of different types of security issues and, 
of course, Gramm-Leach-Bliley, and what we have learned is that 
eventually consumers will become numb to notices if they are 
getting them consistently.
    So, for example, when we have a young hacker who finds it 
to be sport to hack into a significant database and then call 
the company and say, ``ha, ha,'' I hacked into your database, 
but who is then investigated and is seen not to have any 
intention, and indeed no longer has access to the information 
so that the person can commit the crime of identity theft, 
there isn't a risk there to consumers.
    There are other types of situations we are envisioning in 
which, if we define breach very, very broadly, companies will 
have no choice but to be sending out constant notices to avoid 
liability. And we are worried that consumers will just think 
that it is a cry of wolf and will stop worrying about it. That 
is the concern.
    Senator Feinstein. I think your point is well taken if you 
have an opt-in/opt-out situation. Right now, consumers don't 
know; they don't know the depth and breadth. For example, the 
gentleman that ran the video--Senator Leahy pointed out health 
information is advertised on that website. They can get your 
hospital records. Now, how they do that I don't know.
    Does anybody in this room want their hospital records sold 
or available to anybody? I don't think so, and that is where we 
are. So if we have for significant personal data the individual 
has to say, yes, Wells Fargo Bank, yes, ChoicePoint, yes, 
LexisNexis, you can sell my data, or you cannot sell my data, 
and for less significant data that they must opt in, they must 
write a letter and I say I don't want any of my personal data 
sold for commercial profit--
    Chairman Specter. Senator Feinstein, your time is a bit 
past.
    Senator Feinstein. It went by fast. Thank you, Mr. 
Chairman.
    Chairman Specter. We are going to be starting a vote in 
just a few minutes. It has been advanced to 10:50 and I want to 
be sure we cover this round.
    Senator Feinstein, have you concluded?
    Senator Feinstein. No, but my time is up.
    Chairman Specter. Thank you.
    Senator Feingold.

STATEMENT OF HON. RUSSELL D. FEINGOLD, A U.S. SENATOR FROM THE 
                       STATE OF WISCONSIN

    Senator Feingold. Thank you, Mr. Chairman. I do want to 
thank you for holding this hearing today and I have benefitted 
from listening to the witnesses. I ask that my full statement 
be printed in the record.
    Chairman Specter. Without objection, it will be made part 
of the record.
    [The prepared statement of Senator Feingold appears as a 
submission for the record.]
    Senator Feingold. Thank you, Mr. Chairman.
    I am concerned about an aspect of the data broker business 
that has not received a lot of attention. The information 
gathered by these companies is sold not just to individuals and 
businesses, but also to law enforcement agencies like the FBI. 
While the Government should be able to access commercial 
databases in appropriate circumstances, there are no existing 
rules or guidelines to ensure that this information is used 
responsibly, nor are there restrictions on the use of 
commercial data for powerful, privacy-intrusive data mining 
programs.
    Mr. Chairman, that is why I am planning to reintroduce in 
the next few days my Data Mining Reporting Act which would 
require all Federal agencies to report to Congress on data 
mining programs used to find patterns, including terrorist or 
other criminal activity. I am glad this hearing gives us an 
opportunity to explore both government and commercial reliance 
on data brokers, and I look forward to working on Senator 
Feinstein's legislation and the other legislation that is being 
introduced to address this issue.
    In terms of my time to question, Mr. Swecker, you testified 
that the FBI subscribes to some of ChoicePoint's products. No 
doubt that these databases are useful investigative tools and 
can in appropriate circumstances enhance the efficiency of 
investigations. But it would be helpful to understand more 
about how the Bureau uses information from companies like 
ChoicePoint.
    So to begin, from what companies besides ChoicePoint does 
the FBI currently subscribe?
    Mr. Swecker. Senator, we contract with Dun and Bradstreet, 
LexisNexis, Westlaw, the National Insurance Crime Bureau, 
Credit Bureau Reports, as well. I think it is important to 
emphasize this is all publicly available information. It is 
just a compilation of public source information all in one 
place.
    Twenty-three years ago when I first came to the FBI, I 
would have had to physically walk down to the courthouse to get 
courthouse records or go places to collect these records. Being 
able to make one query and get all these records at one time 
saves investigative time and it saves resources. That is why we 
use it. There is no data mining that takes place and I think 
that is--
    Senator Feingold. I am just trying to get some information 
first.
    Mr. Swecker. Okay.
    Senator Feingold. You mentioned in your testimony that 
ChoicePoint makes available public record information, but in 
an aggregated form. What type of public record information is 
contained in the products to which the FBI subscribes, and what 
other types of records are available to the FBI through 
commercial data brokers?
    Mr. Swecker. Everything from driver's license information, 
last known addresses, dates of birth, public court records, 
court filings, liens, newspaper records. It runs the whole 
gamut of public information.
    Senator Feingold. And then how often do investigators use 
these databases?
    Mr. Swecker. The data that I looked at showed that we 
conducted somewhere over a million inquires in 2003, I think, 
or close to a million, and possibly about 1.2 million, I think, 
just with ChoicePoint more recently, I think, in 2004. I may 
have my fiscal years mixed up there.
    Senator Feingold. Does the FBI have benchmarks regarding 
the accuracy and security of data that it uses to evaluate 
whether to enter into a contract with information brokers? Do 
you have a process to review the quality and the accuracy of 
the data?
    Mr. Swecker. My understanding is that is why we contract 
with all of these different companies because we are able to 
compare the information that comes in on the same person from 
four or five different data brokers and actually get to the 
accurate information. So that is why we don't just contract 
with one company. We contract with four or five different 
companies.
    Senator Feingold. But do you have a process to sort of 
compare and evaluate the quality of what you are getting? I 
mean, you are talking about contracting, you are talking 
presumably about spending the taxpayers' dollars to purchase 
this ability to do this. Is there an accountable and effective 
way to evaluate the quality and accuracy and security of this 
information?
    Mr. Swecker. Coming from the data brokers? We compare it to 
our own information as well and we have analysts that go 
through this data. Yes, of course, we try to make sure this is 
accurate information.
    Senator Feingold. Do you make determinations as to whether 
one is better than the other in terms of who you are going to 
contract with? I assume you make judgments that some are better 
than others.
    Mr. Swecker. Each one of these data brokers has a different 
strength in terms of what type of information they provide us 
and a lot of it is lead information that takes us somewhere 
else and it gives us places to start, comparing last known 
addresses, for example.
    Senator Feingold. Mr. Swecker, I understand from your 
testimony--I think Senator Leahy talked about this--that FBI 
agents use commercial databases to conduct individualized 
searches to locate people who are already suspects or to 
further an investigation of someone who is already a suspect. 
Actually, on this one I am interested in hearing from Mr. 
Johnson. I believe you already covered this.
    Mr. Johnson, is the Secret Service also using commercial 
data to run more open-ended data mining searches to look for 
people who might fit a certain pattern of criminal or terrorist 
activity?
    Mr. Johnson. We do. The way the Secret Service is, through 
partnerships and our electronic crimes task forces, most, if 
not all, data brokers are members of our task forces. So in 
conjunction with an investigation, they provide that small part 
of what we might need to further that investigation. Does that 
answer your question?
    Senator Feingold. So you use it, but you--
    Chairman Specter. Senator Feingold, your time is expired. 
If you would conclude perhaps with another question--
    Senator Feingold. Thank you, Mr. Chairman. I am fine.
    Chairman Specter. Senator Schumer has just joined us. His 
timing is impeccable. Economizing on his own time, he was here 
at the start and now comes right in when he is recognized.
    Senator Schumer.

 STATEMENT OF HON. CHARLES E. SCHUMER, A U.S. SENATOR FROM THE 
                       STATE OF NEW YORK

    Senator Schumer. Thank you, Mr. Chairman. I want to thank 
you for holding this hearing and Senator Leahy for requesting 
that the hearing be held. I have a couple of questions, but 
before I do I just want to note that yesterday Senator Nelson, 
of Florida, and I dropped in a comprehensive bill on identity 
theft and here are some of the things it would do.
    It would create an FTC office of identity theft that would 
help millions of victims of I.D. theft each year get their 
identities back through an accessible website, a toll-free 
phone number and consumer service teams. We all know the 
hundreds of hours people spend trying to get their identities 
back.
    Second, we would regulate data merchants. It would be 
similar to the regulation we have done in the Banking 
Committee. I know you testified before them, Madam Chairperson. 
It would be akin to what we do with credit bureaus. We would 
make them register with the FTC. We would institute safeguards 
to prevent fraudulent access by unauthorized parties and 
require them to develop authentication processes. In other 
words, we would actually regulate the use of people's 
information.
    We have a tightrope to walk here. On the one hand, in this 
new society with computers we want information to be available. 
It helps commerce. On the other hand, when so much information 
is available, it is part of people's identity and they have 
some right to be protected. I think our legislation--we have 
worked long and hard at it--does walk that tightrope in terms 
of accuracy and in terms of what can be done.
    We do a disclosure box so that people will know what has 
happened with their information. It is similar to the Schumer 
box which has been on credit cards for a long time, which I had 
championed while I was in the House. We require companies to 
take reasonable steps to protect sensitive information and we 
have a whole bunch of provisions about Social Security numbers 
which make it much harder, not impossible, but harder, without 
justification, to use Social Security numbers.
    So this is the basic outline of the legislation, which I 
think is comprehensive. I think we have had lots of pieces out 
there from the States, a few here federally. The notification 
proposal that Senator Feinstein has championed, I think, is 
excellent and we want to support that as well. But these are 
things in terms of regulating the companies and things like 
that.
    [The prepared statement of Senator Schumer appears as a 
submission for the record.]
    Senator Schumer. So I want to ask you, Chairwoman Majoras, 
when I talked with you in front of the Senate Banking Committee 
you were unsure whether the FTC had jurisdiction over data 
brokers like ChoicePoint and some of the others where we have 
seen problems. This lack of clear jurisdiction risks leaving 
data brokers subject to a confusing and incomplete patchwork of 
laws. In our legislation, Senator Nelson and I give the FTC 
clear jurisdiction to regulate data merchants like ChoicePoint.
    Do you agree that a clear mandate for the FTC would go a 
long way in clearing up the confusion about the laws and better 
protect consumers? Do you also agree that it would help stop 
the situations we have seen with many companies like 
ChoicePoint and LexisNexis to have clear jurisdiction over 
these companies?
    Ms. Majoras. Thank you, Senator. The FTC currently does 
have jurisdiction, but it is under a patchwork of a couple of 
different laws. Just to be absolutely clear, I haven't had an 
opportunity yet, Senator, nor has my staff to review your bill 
closely.
    Senator Schumer. We sent it to you.
    Ms. Majoras. Yes, and we appreciate that. We look forward 
to reviewing it very carefully and, where we have found any 
gaps in the law, to work with you on whether this is the right 
legislation to fill those gaps.
    Senator Schumer. I would just ask could you respond to us 
for the Committee record about the legislation in, say, within 
a week? Could I ask unanimous consent that we get a response 
within a week, or is that too quick?
    Ms. Majoras. It is a bit quick because lots of bills are 
coming in at a rapid rate, and so a couple of--
    Senator Schumer. Then I will just ask you to get a response 
to us quickly.
    My final question is this: One of the biggest complaints I 
have heard from constituents on identity theft is people don't 
know where to go or what to do when their identity has been 
compromised. When your car breaks down, you know where to go. 
When you are the victim of a burglary, you know where to go, 
the local police station. But when you get your identity 
stolen, you don't know where to go.
    What do you think off the top of your head of the idea of 
creating this office in the FTC of identity theft--we would 
fund it, obviously; we would spend $60 million--so that people 
would have a place to go with experts who could help them clear 
their names?
    Ms. Majoras. In my eight months on the job, I don't think I 
have ever turned down any additional funding, Senator. Thank 
you. It does sound like perhaps--and, of course, I haven't 
looked at it, so I have to be cautious.
    Senator Schumer. Yes, I understand.
    Ms. Majoras. But it does sound like an expansion of what we 
are already doing in our office. We have been the clearinghouse 
for identity theft information and for education and training 
for consumers, businesses and other law enforcement for years 
now. We think that message is getting out, which is why we get 
15 to 20,000 contacts from consumers a week on identity theft. 
But by all means, education empowers consumers and we would be 
happy to expand our education efforts.
    Senator Schumer. I know my time is about to expire.
    Chairman Specter. No, no, it has expired.
    [Laughter.]
    Senator Schumer. I would just say the job is not just 
education, but it is also helping people with their problems, 
and that is what we would want the office to do.
    Ms. Majoras. I understand. Thank you.
    Senator Schumer. Thank you. Thank you, Mr. Chairman.
    Chairman Specter. Thank you very much, Senator Schumer.
    Thank you, Chairman Majoras. Thank you, Mr. Swecker. Thank 
you, Mr. Johnson. Thank you, Attorney General Sorrell. We very 
much appreciate your testimony and coming in.
    The time of the vote has now been deferred until 12:15. You 
just can't rely on times for votes, but we are still going to 
maintain meticulous observance of our time limits, and we are 
going to have a job in getting through the next panel even 
thus.
    If we could now have Mr. Curling, Mr. Sanford, Ms. Barrett, 
Mr. Dempsey and Mr. Douglas step forward, I would appreciate 
it.
    If you would raise your right hands, do you solemnly swear 
that the testimony you will present before the Senate Judiciary 
Committee will be the truth, the whole truth and nothing but 
the truth, so help you God?
    Mr. Sanford. I do.
    Mr. Curling. I do.
    Ms. Barrett. I do.
    Mr. Dempsey. I do.
    Mr. Douglas. I do.
    Chairman Specter. Let the record show that all five 
answered in the affirmative.
    Our first witness is Mr. Kurt Sanford, President and Chief 
Executive Officer of U.S. Corporate and Federal Markets for 
Reed Elsevier's Global Division of LexisNexis Group. He was 
previously the CEO of LexisNexis Asia-Pacific, a $2 billion 
division.
    We welcome you here, Mr. Sanford, and the floor is yours 
for five minutes.

  STATEMENT OF KURT P. SANFORD, PRESIDENT AND CHIEF EXECUTIVE 
   OFFICER, U.S. CORPORATE AND FEDERAL MARKETS, LEXISNEXIS, 
                        MIAMISBURG, OHIO

    Mr. Sanford. Chairman Specter, ranking member Leahy and 
distinguished members of the Committee, good morning. My name 
is Kurt Sanford. I am the President and Chief Executive Officer 
for Corporate and Federal Markets at LexisNexis. I appreciate 
the opportunity to be here today to discuss the important 
issues surrounding data security and privacy in the use of 
commercial data.
    LexisNexis is a leading provider of authoritative legal 
public records and business information. LexisNexis plays a 
vital role in supporting government, law enforcement and 
business customers who use our information services for 
important uses, including detecting and preventing identity 
theft and fraud, locating suspects, finding missing children, 
and preventing and investigating criminal and terrorist 
activities.
    LexisNexis works closely with Federal, State and local law 
enforcement agencies on a variety of criminal investigations. 
For example, information provided by LexisNexis was recently 
used to locate and apprehend an individual who threatened a 
district court judge and his family in Louisiana.
    LexisNexis products are also used by financial institutions 
to help address the growing problem of identity theft and 
fraud. In 2004, 9.3 million consumers were victimized by 
identity fraud. Credit card companies report $1 billion in 
losses each year from credit card fraud. With the use of 
LexisNexis, a major bank card issuer experienced a 77-percent 
reduction in the dollar losses due to fraud associated with 
identity theft. These are just a few examples of some of the 
important ways in which our products are used by our customers.
    While we work hard to provide our customers with effective 
products, we also recognize the importance of protecting the 
privacy of the consumer information in our databases. We have 
privacy policies, practices and procedures in place to protect 
this information. Our chief privacy officer and privacy policy 
review board work together to ensure that LexisNexis has strong 
policies to help safeguard consumer privacy. LexisNexis also 
has multi-layer security processes and procedures in place to 
protect our systems and the information contained in our 
databases.
    Maintaining security is not a static process; it requires 
continuously evaluating and adjusting our security procedures 
to adjust to the new threats we face everyday. Even with these 
safeguards, we recently discovered some security incidents at 
our Seisint business which we acquired last September.
    In February 2005, a LexisNexis integration team became 
aware of some billing irregularities and unusual usage patterns 
with several customer accounts. Upon further investigation, we 
discovered that unauthorized persons using I.D.s and passwords 
of legitimate Seisint customers may have accessed personal 
identifying information such as Social Security numbers and 
drivers' license numbers. No personal financial, credit or 
medical information was involved, since LexisNexis and Seisint 
do not collect that type of information.
    In March, we notified approximately 30,000 individuals 
whose personal identifying information may have been unlawfully 
accessed. Although no individuals who have responded to our 
notice have reported any incidents of identity theft or fraud, 
law enforcement has recently informed us of ten incidents of 
potential identity fraud where new accounts have been opened. 
Most of these incidents involve the opening of a new e-mail 
account or similar activity, while a few involve potential 
credit card fraud. We are in the process of reaching out to 
those individuals to put them in touch with the identity theft 
counselors.
    Based on these incidents at Seisint, I ordered an extensive 
review of data search activity going back to January 2003 at 
our Seisint unit and across all LexisNexis databases that 
contain personal identifying information. We have just 
completed that review and concluded that unauthorized persons, 
primarily using I.D.s and passwords of legitimate Seisint 
customers, may have accessed personal identifying information 
on approximately 280,000 additional individuals. At no time was 
the LexisNexis or Seisint technology infrastructure hacked into 
or penetrated, and no customer data was accessed or 
compromised.
    We sincerely regret these incidents and any adverse impact 
they may have on the individuals whose information may have 
been accessed. We will begin notifying those individuals 
immediately. We are providing all individuals with a 
consolidated credit report and credit monitoring services. For 
those individuals who do become victims of fraud, we will 
provide counselors to help them clear their credit reports of 
any information relating to fraudulent activity. We also 
provide them with identity theft insurance to cover expenses 
associated with restoring their identity and repairing their 
credit reports.
    We are working cooperatively with the U.S. Secret Service 
and the Electronic Crimes Task Force in their investigation of 
these crimes. We greatly appreciate the professionalism, 
specialized skills and efforts provided by the Secret Service 
and other law enforcement organizations.
    We have learned a great deal from the security incidents at 
Seisint and are making substantial changes in our business 
practices and policies across all LexisNexis businesses to help 
prevent any future incidents. I have included the details of 
these enhancements in my written statement.
    I note my time is expired. I appreciate the opportunity to 
be here. In my written statement, I indicated the type of 
legislation that LexisNexis has already indicated it would 
support.
    [The prepared statement of Mr. Sanford appears as a 
submission for the record.]
    Chairman Specter. Thank you very much, Mr. Sanford.
    We turn now to Mr. Douglas Curling, President and Chief 
Operating Officer of ChoicePoint. Mr. Curling has had a variety 
of positions with ChoicePoint, and before was Vice President 
and Assistant Corporate Controller at Equifax.
    We welcome you here, Mr. Curling, and we would be 
interested to know what your company has found, the breaches, 
and what you have done about them. The floor is yours for five 
minutes.

STATEMENT OF DOUGLAS C. CURLING, PRESIDENT AND CHIEF OPERATING 
           OFFICER, CHOICEPOINT, ALPHARETTA, GEORGIA

    Mr. Curling. Chairman Specter, Senator Leahy and members of 
the Committee, good morning. I am Doug Curling, President and 
Chief Operating Officer of ChoicePoint. At ChoicePoint, we 
recognize that in an increasingly risky world, information and 
technology can be used to help create a safer, more secure 
society. At the same time, we know, and have been painfully 
reminded by recent events, that there can be negative 
consequences to the improper access of personally identifiable 
information.
    On behalf of ChoicePoint, let me again offer our sincere 
apology to those consumers whose information may have been 
accessed by criminals who perpetrated this recent fraud. As a 
result of these experiences, we have made fundamental changes 
to our business model and products to prevent this from 
happening in the future.
    By way of background, ChoicePoint is a leading provider of 
identification and credential verification to businesses, 
governments and non-profit organizations. We have 5,000 
associates in 60 locations. We serve more than 7,000 Federal, 
State and local law enforcement agencies, as well as a 
significant number of Fortune 500 companies, more than 700 
insurance companies and many large financial services 
institutions.
    The majority of transactions our business supports are 
initiated by consumers. Last year, ChoicePoint helped over 100 
million American consumers secure home and auto insurance, more 
than 7 million American consumers get jobs from our workplace 
solutions pre-employment screening services, and more than 1 
million consumers obtain expedited copies of their vital 
records--birth, death and marriage certificates.
    In addition to helping consumers, ChoicePoint helps 
agencies at all levels of government fulfill their mission to 
safeguard our country and its citizens. Our products and 
services are also used by many non-profit organizations. For 
example, we have identified 11,000 undisclosed felons among 
those volunteering or seeking to volunteer with the Nation's 
leading youth service organizations.
    Mr. Chairman, apart from what we do, I also understand that 
the Committee is interested in how our business is regulated by 
Federal legislation as well as various State regulations, 
including the FCRA, the recently enacted companion FACT Act, 
the Gramm-Leach-Bliley Act and the Drivers' Protection Act.
    Sixty percent of ChoicePoint's business is driven by 
consumer-initiated transactions, most of which are regulated by 
the FCRA. These include pre-employment screening, auto and home 
insurance underwriting services, tenant screening services, and 
facilitating the delivery of vital records to consumers.
    Nine percent of ChoicePoint's business is related to 
marketing services, none of which include the distribution of 
personally identifiable information. Five percent of 
ChoicePoint's business is related to supporting law enforcement 
agencies in pursuit of their investigative missions through 
information and data services.
    Six percent of our business supports law firms, financial 
institutions and general businesses to help mitigate fraud 
through data and authentication services. Finally, 20 percent 
of our business consists of software and technology services 
that do not include the distribution of personally identifiable 
information.
    Financial and identity fraud is a rapidly growing and 
costly threat to our Nation's economy. While we offer a wide 
range of tools to help avoid fraud, no one is immune to it, as 
we and other companies and institutions have learned. 
ChoicePoint has previously provided Congress with information 
about how identity thieves in California were able to access 
our products. As you know, California has been the only State 
that requires consumers to be notified of a potential breach of 
personally identifiable information.
    Contrary to prior statements at this hearing, we not only 
followed California law, we built upon it and voluntarily 
notified consumers who may have been impacted across the 
country, and we did that before anyone called upon us to do so.
    We have also taken other steps to help the system protect 
consumers who may have been harmed in this incident. First, we 
arranged for a dedicated website and toll-free number. Second, 
we provided free of charge a three-bureau credit report. And, 
third, we are providing free of charge a one-year subscription 
to Credit Monitoring Service.
    In addition to helping those affected consumers, we have 
taken strong remedial action and made fundamental changes to 
our business and products. First and most importantly, 
ChoicePoint has decided to discontinue the sale of information 
products that contain personally identifiable information, 
unless these products and services meet one of three tests.
    First, the product supports consumer-driven transactions 
such as insurance, employment and tenant screening, or provides 
consumers with access to their own data. Second, the product 
provides authentication or fraud prevention tools to large 
accredited corporate customers where consumers have existing 
relationships, and, third, when personally identifiable 
information is needed to assist Federal, State or local 
government and criminal justice agencies in their important 
missions.
    We have also significantly reviewed and strengthened our 
credentialing process. We are recredentialing broad sections of 
our customer base, including more stringent diligence like bank 
references and site visits. We have created an independent 
office of credentialing compliance and privacy that reports 
directly to the board of directors' privacy committee. Finally, 
we appointed Robert McConnell, a 28-year veteran of the Secret 
Service and former chief of the Federal Government's Nigerian 
organized fraud crime task force, to serve as our liaison to 
law enforcement.
    My testimony includes the legislation we would support and 
we welcome the opportunity to work with this Committee in 
trying to address this important issue.
    [The prepared statement of Mr. Curling appears as a 
submission for the record.]
    Chairman Specter. Thank you very much, Mr. Curling.
    Our next witness is Ms. Jennifer Barrett, Chief Privacy 
Officer of Acxiom Corporation. She has been with the company 
since 1974, after receiving a degree in mathematics and 
computer science at the University of Texas. She has had a 
series of important positions with the company.
    We welcome you here today, Ms. Barrett, and look forward to 
your testimony.

 STATEMENT OF JENNIFER BARRETT, CHIEF PRIVACY OFFICER, ACXIOM 
               CORPORATION, LITTLE ROCK, ARKANSAS

    Ms. Barrett. Thank you, Chairman Specter, Senator Leahy, 
distinguished members of the Committee. Thank you for allowing 
Acxiom the opportunity to participate in today's hearing, and I 
ask that my written statement be inserted into the record.
    Chairman Specter. Without objection, your full statement 
will be made a part of the record.
    Ms. Barrett. Thank you.
    Mr. Chairman, let me be blunt. The bad guys are smart and 
they are getting more organized. They are using their skills to 
illegally and fraudulently access information. Acxiom must 
therefore remain diligent and innovative by constantly 
improving, auditing and testing our systems and, yes, even 
learning from security breaches in the marketplace.
    Information is an integral part of the American economy and 
Acxiom recognizes its responsibility to safeguard the personal 
information it collects and brings to market. As FTC Chairman 
Majoras recently stated in testimony before both the Senate and 
the House, there is no such thing as perfect security and 
breaches can happen even when a company has taken every 
reasonable precaution. Although we believe this is true, no one 
has a greater interest than Acxiom in protecting its 
information because our very existence depends on it.
    Acxiom's U.S. business includes two distinct components--
our customized computer services and a line of information 
products. Our computer services represent more than 80 percent 
of the company's business and help businesses, not-for-profit 
organizations, political parties and government manage their 
own information. Less than 20 percent of Acxiom's business 
comes from its four information product lines--fraud management 
products, background screening products, directory products and 
marketing products. Our fraud management and background 
screening products are the only Acxiom products containing 
sensitive information and they represent less than 10 percent 
of our business.
    Acxiom would like to set the record straight in response to 
a number of misunderstandings that have developed about the 
company. First, Acxiom does not maintain one database 
containing dociers on anyone. Instead, we maintain discreet, 
segregated databases for every product.
    Second, Acxiom does not commingle client information from 
our computer services with our information products. Such 
activity would constitute a violation of our contracts and 
consumer privacy.
    Third, Acxiom's fraud management products are sold only to 
a handful of large companies and government agencies who have a 
legitimate need for them. The information utilized in these 
products is covered under the safeguard and use rules of the 
Gramm-Leach-Bliley Act and both State and Federal drivers' 
privacy protection laws.
    Fourth, Acxiom's management verification services only 
validate information already in our clients' possession. Access 
to additional information is only available to law enforcement 
and the internal fraud departments of large financial 
institutions and insurance companies. Fifth, our background 
screening products are covered under the Fair Credit Reporting 
Act. We do not pre-aggregate any of the information for this 
purpose.
    Beyond these protections, the following additional 
safeguards exist. First, because Acxiom has blended public 
information with regulated information in both our fraud 
management and background screening products, we voluntarily 
apply the more stringent security standards to all such blended 
data, even though not required by law.
    Since 1997, Acxiom has posted a privacy policy on our 
website describing our on- and offline practices, thus 
voluntarily subjecting the company to the FTC rules governing 
unfair and deceptive conduct.
    Third, the company has imposed our own more stringent, 
restrictive guidelines on sensitive information such as Social 
Security numbers. Fourth, all of Acxiom's products and 
practices have been audited on an annual basis since 1997 and 
our security policies are regularly audited both internally and 
externally by our clients.
    Two years ago, Acxiom experienced a security breach on one 
of our external file transfer servers. Fortunately, the vast 
majority of the information involved was of a non-sensitive 
nature and law enforcement was able to apprehend the suspects 
and ascertain that none of the information was used to commit 
identity fraud. Since then, Acxiom has put even greater 
protections in place for the benefit of both consumers and our 
clients.
    In concluding, ongoing privacy concerns indicate that 
adoption of additional legislation may be appropriate. Acxiom 
supports efforts to pass federally preemptive legislation 
requiring notice to consumers in the event of a security breach 
which places the consumer at risk of identity fraud, and we 
also support the recent proposal from FTC Chairman Majoras and 
her comments today extending the GLBA safeguards rule.
    Mr. Chairman, on behalf of Acxiom, I want to express our 
gratitude for the opportunity to participate in this hearing 
and we are happy to answer any questions the Committee may 
have.
    [The prepared statement of Ms. Barrett appears as a 
submission for the record.]
    Chairman Specter. Thank you very much, Ms. Barrett.
    We now turn to Mr. James Dempsey, who is the global 
Internet policy head for the Center for Democracy & Technology. 
He has a record of having been deputy director for the Center 
for National Security Studies, special counsel to the National 
Archives, and with a House Judiciary subcommittee in the past.
    Thank you for joining us, Mr. Dempsey, and we look forward 
to your testimony.

 STATEMENT OF JAMES X. DEMPSEY, EXECUTIVE DIRECTOR, CENTER FOR 
            DEMOCRACY & TECHNOLOGY, WASHINGTON, D.C.

    Mr. Dempsey. Good morning, Mr. Chairman, Senator Leahy. 
Thank you for the opportunity to testify this morning.
    We are at a historic moment, I think, today at this hearing 
for four reasons. First of all, the recent security breaches at 
a range of companies and institutions have opened a window on 
the really extraordinary changes that have occurred to the 
information landscape in recent years.
    There is no need to demonize the information service 
companies. The goal is not to put them out of business. They 
serve very legitimate purposes, as we have heard today, but 
they have grown up very rapidly and now it is time for the law 
to catch up, to provide a framework of oversight and 
accountability.
    Secondly, the debate over harms is now ended. It is clear 
that the lack of a privacy and security framework is causing 
real harm to individuals. This isn't some hypothetical debate 
about marketing data.
    Third, the concerns go beyond security and the harms go 
beyond identity theft. If people are being screened for 
employment or being denied jobs or screened by landlords and 
denied the ability to rent an apartment, those are real harms. 
People should have a right to see that information that is used 
and the right to challenge it, and the companies compiling it 
should have some responsibility for its accuracy. The Fair 
Credit Reporting Act covers many of those applications, but has 
gaps.
    Finally, the industry itself is now open to closing some of 
the gaps in the law, as you have heard at the table today. So 
we have an urgent situation. We clearly lack an adequate policy 
framework. How do we make sure we do not squander this 
opportunity? There are five sets of policy responses for this 
Committee and for the Congress.
    As a first step toward mitigating identity theft, entities, 
including universities and government agencies, holding 
sensitive personal data should be required to notify 
individuals in the event of a security breach. Since leading 
information service companies already have spoken in favor of 
Federal legislation, there is no need to dwell on this other 
than to say that it makes no sense to enact a law weaker or 
less comprehensive than the California law. Also, part of the 
notice solution should be options about what consumers can do 
when they receive notice. There should be easier ways to freeze 
credit reports or to put more permanent fraud alerts on credit 
reports.
    Secondly, since notice only kicks in after a breach has 
occurred, Congress should require entities that electronically 
store personal information to implement security safeguards 
similar to those required by a California law AB 1950 and the 
regulations under Gramm-Leach-Bliley.
    Third, Congress should impose tighter controls on the sale, 
disclosure and use of Social Security numbers. Senator 
Feinstein has been a leader on this issue for a number of years 
and the time to address this issue has clearly come. We should 
take the Social Security number out of the credit header. I 
don't see any need to send that out in response to a name 
query, or to use that in the credit header.
    I think we need to shut down the kinds of sales of Social 
Security numbers illustrated by Mr. Douglas. Keep the Social 
Security number off student I.D. cards and employee cards and 
medical insurance cards. Also, we need somehow to break the 
habit of using the Social Security number as an authenticator. 
People treat it as if it is a secret or a PIN number, when it 
is clearly widely available.
    The fourth and fifth areas of policy that require 
addressing concern the legitimate uses of data, because even 
legitimate uses of data have consequences if the data is 
inaccurate. Several Senators raised what I consider to be the 
fourth set of policy issues, which is the Federal Government 
and other government agencies' use of information brokers. 
Clearly, national security and law enforcement are legitimate 
uses, but that doesn't mean we should leave aside questions of 
accuracy. As a first step, we clearly need to get a handle at 
least on what information the Federal Government is purchasing 
and how it is using it.
    Finally, Congress needs to look at the fair information 
practices that have helped define privacy in the credit and 
financial sectors and adapt them as appropriate to this new 
data landscape. It is most important here--and I will 
conclude--to focus on consequences. When data is used in ways 
that have implications for people's insurance or whether their 
claims get paid or for a host of other reasons that may not be 
covered by current law, we need to fill those gaps.
    A book was written recently entitled No Place to Hide.
    Chairman Specter. Mr. Dempsey, your time has expired. Would 
you please summarize?
    Mr. Dempsey. Is there no place to hide? Senator, really it 
doesn't have to be that way. We can shape the policy to reclaim 
our privacy and to set some framework of accountability.
    Thank you.
    [The prepared statement of Mr. Dempsey appears as a 
submission for the record.]
    Chairman Specter. Thank you very much, Mr. Dempsey.
    We now turn to Mr. Robert Douglas, who has already been 
introduced and has already testified.
    You still have five minutes left, Mr. Douglas.
    Mr. Douglas. Thank you. I appreciate that.
    As I discussed in the opening presentation and concluded 
with the murder of Amy Boyer, I would like to concentrate on 
some of the facts in that case that illuminate, I think, many 
of the issues that we are discussing here today and what I have 
learned over the last eight years about information brokers and 
the harm that can occur.
    The facts behind the murder of Amy encapsulate all the 
issues before this Committee today. Amy's murder demonstrates 
the problem is much larger than recent breaches of information 
broker databases.
    In October 1999, Amy was entering her car, having just left 
work. A stalker named Liam Youens pulled alongside Amy and shot 
and killed her, then killed himself. Youens published his plans 
to murder Amy on a website for several years, but that website 
contained more than the perversity of Youens. It contained a 
trail of evidence proving personal information gathered with 
good intent can lead to incalculable harm.
    Youens decided to ambush Amy at work, but didn't know where 
she worked. He used information brokers and private 
investigators to find her. On the Internet, Youens bought Amy's 
date of birth, Social Security, home address, and finally place 
of employment. Youens himself was struck by how easily he could 
buy Amy's personal information, writing on his website ``It is 
actually obscene what you can find out about a person on the 
Internet.''
    The Internet site Youens found was Docusearch.com. 
Docusearch located Amy's work address by using her Social 
Security number and other personal information as elements of a 
deceit designed to fool Amy and/or her mother into revealing 
the employment address. Indeed, this was Docusearch's 
expertise. Like many other companies that I demonstrated this 
morning, at the time of Amy's murder Docusearch specialized in 
defeating the information security systems of financial 
institutions, telecommunications companies and unsuspecting 
citizens with information about loved ones.
    But the evidence in Amy's murder doesn't end there. It 
leads to thousands of documents showing how databases of 
American businesses that contain our most personal information 
are breached everyday. As mentioned, Docusearch was penetrating 
the information systems of financial institutions, 
telecommunications firms, other utility companies, and selling 
that information to just about anyone.
    In the files of Docusearch and other similar companies is 
evidence that when it comes to being guardians of personal 
information, both government and the private sector deserve a 
failing grade. Several years ago, I worked with the FTC to 
catch information brokers selling citizens' personal financial 
information. The investigation revealed hundreds of Internet-
based information brokers and private investigators advertising 
the sale of personal information, in violation of laws Congress 
has already passed, including Gramm-Leach-Bliley, the FCRA, the 
DPPA and the Unfair and Deceptive Trade Practices Act.
    Many of the illicit information brokers have subscriber 
access to legitimate information brokers similar to those at 
the table here at this moment. The illegitimate brokers, along 
with I.D. thieves, as we have learned, need the biographical 
information contained in the databases of the legitimate 
information brokers in order to carry out their crimes.
    Specifically, some will purchase the biographical data 
needed by means of a legitimate information broker via a 
fraudulent subscriber agreement, as in the ChoicePoint case, or 
via a reseller who obtains the information from a legitimate 
broker, then willingly violates the ``no resale'' clause of 
their contract. This is the worst-kept secret in the 
information broker-private investigative world today.
    While a number of the major brokers have announced they 
will restrict access to certain subscriber classes, absent 
legislation, other companies will step in. But even if all 
legitimate information brokers were secure, the flow of 
information would continue. Criminals and others will just 
continue to access databases from the government and private 
sector.
    And there is a reason these databases are easily defeated. 
Far too often, personal biographical information, as we see for 
sale on the charts in the Committee room today, is the key to 
unlocking the databases. So even if Social Security numbers 
were not for sale on the Internet, the reality is Social 
Security numbers have been compromised in this country in many 
ways for such a long period that it is laughable that either 
government or commercial enterprises use the number or other 
biographical personal information as identifiers for 
maintaining security of databases.
    Yet, this is the method chosen by more than 50 percent of 
the Nation's banks, telecommunications companies, hospitals, 
doctors' offices, universities, utility providers, government 
programs and almost any government or commercial entity one can 
name. The bottom line: any information security system using 
personal biographical information as the primary security 
identifier is fatally flawed.
    Thank you.
    [The prepared statement of Mr. Douglas appears as a 
submission for the record.]
    Chairman Specter. Thank you very much, Mr. Douglas.
    Mr. Sanford, I am advised that LexisNexis just yesterday 
announced a breach of security involving some 310,000 people. 
Did that announcement yesterday have any connection with this 
hearing scheduled for today?
    Mr. Sanford. The announcement had everything to do with the 
conclusion of a review that I commenced in February of 2005. As 
I testified, we acquired the Seisint business in the fall of 
2004. One of our integration teams became aware of some 
irregular billing activities in February.
    Chairman Specter. That is a no?
    Mr. Sanford. That would be a no, Senator.
    Chairman Specter. You stated an investigation in February, 
but you knew about the breach in February?
    Mr. Sanford. We became aware of some irregular billing 
activities in February.
    Chairman Specter. Did you know about the breach in 
February?
    Mr. Sanford. I didn't know what I had until I did an 
investigation, Senator.
    Chairman Specter. Well, I am still uncertain as to whether 
you knew about the breach. Did you have enough information--
    Mr. Sanford. We were not--
    Chairman Specter. Let me finish the question, since I 
didn't get an answer to the last one.
    Did you know in February that there was a breach?
    Mr. Sanford. I knew in February that I had irregular 
billing activity in a handful of customer accounts.
    Chairman Specter. Well, why would it take until mid-April 
to make a determination sufficient to notify the people whose 
information had been breached?
    Mr. Sanford. That is an excellent question and I am glad 
you have asked it because it seems to have been misreported in 
the press. We are not talking about an incident. In March, we 
made a statement acknowledging that we had discovered a handful 
of security breaches and we immediately made notice.
    Based on those incidents, I ordered a review going back 
some 27 months in our business that we had--
    Chairman Specter. Mr. Sanford, I don't want to cut you off, 
but there are five minutes and I have got a lot of questions of 
this panel. I would like the specifics in writing focusing on 
why the people whose information was breached couldn't have 
been notified earlier.
    Those people are all at risk and you have a duty to notify 
them at the earliest possible moment. So I want to know 
precisely what you did, what was the intensity of your 
investigation and whether it could have been done faster.
    Mr. Sanford. I would be happy to provide that.
    Chairman Specter. Mr. Curling, I am advised that 
ChoicePoint had a breach in the past and did not report it. Is 
that true.
    Mr. Curling. There has been a recent arrest, or conviction, 
rather, reported by the Secret Service that involved 
ChoicePoint information. My understanding is that the subpoena 
was issued on that individual in 2001.
    Chairman Specter. Well, see, I am having a hard relating 
your answer to my question. Did ChoicePoint have a breach of 
security and failed to report it and notify the people whose 
information had been breached?
    Mr. Curling. Yes, sir, it would appear in 2001 that 
happened.
    Chairman Specter. And it was not reported?
    Mr. Curling. No, it was not reported.
    Chairman Specter. Why not?
    Mr. Curling. No one was made aware of it, sir. We turned 
over the information to law enforcement, didn't know the 
purpose of their investigation.
    Chairman Specter. No one was made aware of it? Well, how 
about the person who turned it over to law enforcement?
    Mr. Curling. I don't think that person understood the 
purpose of the subpoena, sir.
    Chairman Specter. Well, where did that person stand in the 
company hierarchy? Somebody who has the authority to turn it 
over to law enforcement doesn't know enough to say confidential 
information is now out and it ought to be reported and these 
people ought to be told about it?
    Mr. Curling. Current circumstances would certainly cause 
that to happen. Going back four years--
    Chairman Specter. Well, I am talking about before. Why not?
    Mr. Curling. I can't explain why someone four years ago 
didn't--
    Chairman Specter. Well, Mr. Curling and Mr. Sanford, we may 
well face the necessity for some really tough legislation that 
will have you do your duty. It is very, very disconcerting that 
ChoicePoint doesn't make a report of it. A lot of people are at 
risk and subject to damage.
    I would like you also to provide more detailed information 
as to what you testified, Mr. Sanford, about identity theft 
insurance--people have to pay for it--whether you have been 
sued by people whose information has been disclosed.
    Let me turn to the Social Security number question, Mr. 
Dempsey and Mr. Douglas. You need the Social Security number to 
report your wages and get that information to the Federal 
Government so they know what your Social Security claim is.
    What problem would arise if we legislated that you couldn't 
use the Social Security number at all, except for purposes 
relating to collecting Social Security taxes and having the 
employee get the benefits?
    You may both answer. My time is now expired.
    Mr. Dempsey. Well, that was the original purpose, of 
course, Senator, and over the years a lot of people became 
dependent upon the Social Security number as an identifier for 
purposes unrelated to Social Security. For connecting people, 
it is not perfect, but it is better than name and address, and 
that is how people use it.
    Now, at the very least we need to begin to wean away from 
that. I think you would need some kind of implementation time 
frame to get people that are currently dependent upon the 
Social Security number for aggregating data and for knowing 
which Jim Dempsey it is--they use the Social Security number 
for that. I think we should right away stop using it as an 
authenticator, which is different from an identifier. People 
are using it to determine that someone calling up and saying he 
is Arlen Specter is, in fact, Arlen Specter, when the Social 
Security number, we know, is widely available.
    Chairman Specter. There are a lot of people with that name.
    [Laughter.]
    Mr. Dempsey. I can guarantee you that there are probably 
more than one, Senator.
    Chairman Specter. I doubt it, but okay.
    [Laughter.]
    Chairman Specter. Senator Leahy.
    Senator Leahy. In the Senate, there is only one.
    Mr. Dempsey. That is true.
    Senator Leahy. I understand what you mean, Mr. Dempsey. The 
name is not enough.
    Mr. Curling, the CEO of ChoicePoint recently wrote a book 
about the information industry entitled The Risk Revolution. In 
the book he said everyone should have a right of access to data 
that is used to make decisions about them, subject to law 
enforcement and national security exceptions. He also 
recommended that we expand the principles of the Fair Credit 
Reporting Act to all types of information--right to access, 
right to question the accuracy and prompt review, right to 
comment if a negative record is found to be inaccurate. The 
Fair Credit Reporting Act also includes procedures to delete 
inaccurate information and identifying sources that furnish 
disputed information.
    Does ChoicePoint support the expansion of these principles 
from fair credit to all types of information?
    Mr. Curling. We certainly do, sir.
    Senator Leahy. This past January 20, the Washington Post 
quoted a ChoicePoint executive as saying, ``We do act as an 
intelligence agency gathering data, applying analytics.'' He 
also reported that ChoicePoint acquired I2, Inc., and quoted an 
I2 company executive as saying, quote, ``We are principally a 
company whose focus is all about converting large volumes of 
information into actionable intelligence,'' close quote.
    The article described I2 as a company that uses software to 
head off crimes or attacks, not just investigate them after the 
fact--sort of something like the movie ``Minority Report.'' How 
would you head off a crime? How do you identify a potential 
crime or criminal? Do you have predictive algorithms or 
profiling, risk-scoring? It seems fascinating as a former 
prosecutor. Can you just put us all out of business? Can you 
tell who is going to commit a crime?
    Mr. Curling. These are tools that ChoicePoint sells to law 
enforcement agencies. They are the ones that use the tools to 
try and figure out how to solve crimes, and largely the data 
they are using is data they gather on their own. I2 is a 
software company. It is a company that provides a robust 
analytic engine to link disparate data together so you can look 
for similarities.
    If two people don't necessarily know each other but they 
both made phone calls to the same phone number, you can look 
for that kind of linkage through vast amounts of data. They use 
it as an analyst aid for an analyst to almost interact with the 
data iteratively and reach conclusions that they might 
otherwise have reached doing manual research, but in a much 
faster way.
    Senator Leahy. To identify a crime before it happens?
    Mr. Curling. Or just look at patterns to try and track down 
criminals that have suspicious behavior going on.
    Senator Leahy. ChoicePoint also purchased--is it Bode 
Technology?
    Mr. Curling. Yes, sir.
    Senator Leahy. A company that specializes in the use of DNA 
to identify people. The CEO, Derek Smith, wrote in his book, 
``Biometrics provide an opportunity to shore up the society's 
fundamental building blocks of identification through 
technology.''
    Biometrics is a technology with great potential, but there 
are concerns. Unlike a Social Security number which actually is 
changeable, with some difficulty, but can be changed, a 
fingerprint or other biometric compromised by a security breach 
can't be replaced. There are technological limitations. We 
found that with facial recognition technology that that doesn't 
always work.
    What types and how much biometric information, if any, is 
contained or accessible in the systems at ChoicePoint or any of 
its subsidiaries, and under what conditions is it used or 
provided and what are the protections?
    Mr. Curling. We don't warehouse biometric data. We don't 
maintain biometric databases on behalf of anyone. Bode Labs is 
a forensic DNA laboratory that supports law enforcement 
activities on an outsource basis. That laboratory was the lab 
that identified the victims of the World Trade Center from a 
DNA perspective. That laboratory had a scientist over in 
Thailand recently for the tsunami aid.
    It is a law enforcement outsource laboratory that does very 
high-technology DNA assistance in prosecution of cases. They 
receive samples directly from law enforcement. They manage the 
chain of custody of that sample and they turn it back over to 
law enforcement when the lab activities are processed.
    Senator Leahy. Thank you.
    Mr. Dempsey, government relies more and more on the 
services and products of data brokers for law enforcement and 
homeland security efforts. Is this allowing the government to 
access and use information that otherwise it might not be 
allowed to under privacy and information laws? In other words, 
does it allow them to do a search that they wouldn't be allowed 
to do if they were doing it directly through a government 
agency?
    Mr. Dempsey. Well, it does allow them to, in essence, 
outsource data collection activities outside of the Privacy 
Act. Right now, if the government is going to start a new 
collection of data, it needs to comply with the Privacy Act and 
it needs to perform a privacy impact assessment. But if it goes 
and buys that same data or subscribes to it, some of those 
rules don't apply, and I think that is an issue that needs to 
be definitely included in the scope of these hearings and needs 
to be addressed in legislation.
    Senator Leahy. Thank you. Thank you, Mr. Chairman.
    Chairman Specter. Thank you very much, Senator Leahy.
    Senator Feinstein.
    Senator Feinstein. Thank you very much.
    The California law went into effect in 2003. I would like 
to ask each of the people here representing companies to 
indicate if, prior to 2003, you had a breach and did not notify 
people.
    Mr. Sanford?
    Mr. Sanford. I believe there were security breaches in the 
business that I acquired that I mentioned, Seisint. I believe 
there may have been a security breach in LexisNexis prior to 
2003, and we did not make notice prior.
    Senator Feinstein. Thank you. I appreciate the honesty.
    Mr. Curling?
    Mr. Curling. Yes, ma'am, I previously indicated there was a 
breach that we didn't notify them.
    Senator Feinstein. Thank you.
    Ms. Barrett?
    Ms. Barrett. The breach that we had in 2003 did span the 
enactment of the law in July. Our obligation as a provider, 
since the breach did not involve--
    Senator Feinstein. My question is did you have a breach 
prior to the 2003 law going into effect?
    Ms. Barrett. Yes, the breach that we had did span it, but 
we did provide notice to our clients.
    Senator Feinstein. Thank you. This is my point: If it 
weren't for the California law, we would have no way of knowing 
breaches that have occurred. It is really only because of that 
law that we now know. We in no way, shape or form are able to 
pierce the depth of what has happened in this industry.
    Now, I would like to ask the question of each, how did the 
data breach or breaches occur and what has been done to correct 
it? Who would like to go first?
    Mr. Sanford?
    Mr. Sanford. The data breaches that we have reported 
principally involve compromised passwords and I.D.s of 
legitimate customers, and that happened through a variety of 
methods.
    Senator Feinstein. Could you explain ``compromised?''
    Mr. Sanford. Sure. Where a company has individual users, 
each person would have an I.D. and would have a password. A 
company may report to us that they notice search activity that 
showed up on their bill that they said that they didn't do.
    Senator Feinstein. Now, take a big company. How many people 
would have a password?
    Mr. Sanford. In most companies, there would be individual 
I.D.s and individual passwords. There were some instances in--
    Senator Feinstein. But how many per company?
    Mr. Sanford. It depends, Senator. You could have two. You 
could have 10,000.
    Senator Feinstein. That is correct, so that a large bank 
like a Citibank could have a large number of individuals that 
would have passwords to the system, correct?
    Mr. Sanford. I.D.s and passwords, that is correct.
    Senator Feinstein. I am asking for speculation. I don't 
know what they have, but this is a weak link, shall we say.
    Mr. Sanford. Well, passwords and I.D.s are part of the 
security and when those password and I.D. protocols are not 
strong, then you do have a weak link in the system. What we 
have found is we have weak links in some of the passwords and 
I.D.s in some of our customer environments that were 
compromised and unauthorized persons gained access to those 
passwords and I.D.s and did searches.
    Sometimes that was because it was a weak password-I.D. 
combination. Sometimes that was because there may have been 
virus in that business and someone compromised it through 
criminal means.
    Senator Feinstein. Right, and did you find out who that 
person was?
    Mr. Sanford. We have referred all of these incidents to the 
U.S. Secret Service and it is an ongoing investigation.
    Senator Feinstein. Were those persons found out?
    Mr. Sanford. I don't know. That is not the kind of 
information they share with me.
    Senator Feinstein. And you didn't think you would be 
interested in finding out?
    Mr. Sanford. Well, as the agent in charge advised me, he 
will be briefing us on it as they conclude their investigation.
    Senator Feinstein. You have had more than one breach, 
though.
    Mr. Sanford. That is correct.
    Senator Feinstein. So there are a number of people whose 
passwords have been compromised.
    Mr. Sanford. That is correct.
    Senator Feinstein. Which means they could have sold them 
for a lot of money to somebody else who got into the system.
    Mr. Sanford. That is a possibility, so each password and 
I.D.--
    Senator Feinstein. But you have no knowledge. How many 
breaches have you had?
    Mr. Sanford. We reported 59 incidents going back to the 
beginning of 2003.
    Senator Feinstein. And these were all from compromised 
passwords?
    Mr. Sanford. I believe all but four or five of them were 
through compromised password I.D.s.
    Senator Feinstein. And you don't know who compromised the 
passwords?
    Mr. Sanford. I don't know who did.
    Senator Feinstein. Okay, that is fine.
    I want to go down the line on this and then back on what 
you have done. Mr. Curling, how many breaches have you had, 
total?
    Mr. Curling. The breaches that we investigated and reported 
were a number between 45 and 50. It was an organized ring of 
fraudsters and they hijacked legitimate business identities or 
created false business identities and were able to get through 
our credentialing processes. We ultimately identified that 
activity when they were trying to set up accounts, but 
unfortunately and regrettably, accounts had been set up prior 
to that.
    Senator Feinstein. Ms. Barrett?
    Ms. Barrett. Yes. The breaches that we had in 2003 involved 
two different individuals.
    Senator Feinstein. How many breaches have you had, total--
has Acxiom had?
    Ms. Barrett. These are the only two breaches.
    Senator Feinstein. You have only had two breaches, okay.
    Ms. Barrett. They involved a file transfer server sitting 
outside of our main system that was used to send information 
back and forth between our clients. They did not penetrate our 
main firewalls of the system. The data on this server belonged 
to our clients. The data was breached because an individual at 
a client location with legitimate access to that server 
downloaded the password file for that server and unencrypted a 
portion of the encrypted passwords, then used those passwords 
to access other people's data.
    Senator Feinstein. My time is up. Can I ask just one other 
question? I have sat here patiently all morning.
    Chairman Specter. Yes, you may, Senator Feinstein.
    Senator Feinstein. Just one other question and this is on 
the subject of whether there should be a requirement that all 
data in these data companies be encrypted and there should be a 
prohibition on using PCs to hold this data. I am looking 
specifically at University of California data breaches which 
involved the names of over 700,000 people from thefts of 
personal computers.
    Would anyone care to comment on that?
    Mr. Dempsey. Senator, I would only say that encryption is 
not as easy to do as it sounds and I would hate to see the 
Federal Government get into the posture of dictating specific 
security measures that companies or institutions like 
universities have to take.
    Senator Feinstein. So you think it is okay for personal 
data, for somebody to be walking around with a computer with 
700,000 names in it?
    Mr. Dempsey. Well, I think there is a separate question 
about the physical custody of that kind of--at some level, that 
is a physical custody issue. If you look at the Gramm-Leach-
Bliley regulations, they talk about technical, physical and 
administrative safeguards. And I think without, again, 
dictating what is the right balance of those, all three have to 
be considered. And I agree with you that people have clearly 
gotten far too lax about storage of data.
    Senator Feinstein. Thank you. My time is up.
    Chairman Specter. Thank you, Senator Feinstein.
    Senator Schumer.
    Senator Schumer. Thank you, Mr. Chairman, and I have a 
question I am going to ask of the whole panel, but take your 
pencils out because it has a few parts. I want to ask your 
opinion on various ways to deal with identity theft, all of 
which are embodied in the legislation that we have. If you 
could give us a yes or no answer, that would be great and save 
time. If you can't, keep your explanation as short as possible.
    Do you support the goal of regulating data merchants, 
similar to the way we regulate credit bureaus I would say, but 
certainly data merchants? Do you support the idea of creating a 
one-stop shop to help consumers get their identity back, as we 
have done in the FTC? They have done something, but they are 
not close to what is needed.
    Do you support disclosure laws for companies that plan to 
sell your information? Do you support making any company that 
has sensitive personal information on its consumers take 
reasonable steps to protect it? That would be the words of the 
law--``reasonable steps to protect it.'' Do you support 
limiting the sale of people's Social Security numbers on a 
narrow needs basis--law enforcement and things like that?
    Just two more. Would you support rules authenticating 
customers? This relates to ChoicePoint, which actually sold the 
information to criminals. And would you support increased 
background examination of those within your companies and other 
companies who have access to sensitive personal information?
    I realize that is a long question. It will be my only one 
and I await your answers.
    Mr. Sanford?
    Mr. Sanford. Senator, I don't know if I got it all down, 
but I think the first one was with respect to regulating the 
industry similar to FCRA. I think some of the portions of the 
FCRA could be appropriate. I would like to see specifically 
what the wording would be on that. I would be glad to work with 
you on that.
    A one-stop shop at the FTC.
    Senator Schumer. But, in general, you support regulating 
data companies like yours in terms of how they deal with the 
data, data merchants?
    Mr. Sanford. I certainly think the safeguards as contained 
in GLBA would certainly be a step in the right direction.
    Senator Schumer. Thank you.
    Mr. Sanford. I don't know anybody who could argue with a 
one-stop shop at the FTC and additional funding to help, given 
the pervasiveness of identity theft. I am not sure I understand 
the provision on disclosure laws on companies. I didn't quite 
get the rest of it down here in my notes.
    We would support data safeguards. We would support 
legislation--
    Senator Schumer. That is disclosure to the individual, 
whoever gives it in, that we may be giving or selling that 
information to somebody.
    Mr. Sanford. I don't know, unless I saw the wording, 
whether I could support that, given the number of transactions 
we are talking about.
    Senator Schumer. Okay.
    Mr. Sanford. Limiting the sale of SSNs. Certainly, there 
are limits today on the use of personally sensitive information 
and I support the limits that are there. I think there could be 
greater limits on the display of information, but perhaps not 
the access because of the importance of using some of that 
sensitive information to provide services to detect fraud, for 
example.
    And then on rules authenticating customers, I think I would 
support, again, GLBA, and I think reasonable safeguards would 
pretty much pick that up and say you have got to make sure you 
are doing business with legitimate customers.
    Senator Schumer. And then the last one was background 
checks on the people who handle the sensitive information.
    Mr. Sanford. I would have to learn more about that, but 
again I think that would be part of an overall safeguard 
program and make sure that the people who are dealing with 
sensitive data--
    Senator Schumer. Thank you.
    Mr. Curling?
    Mr. Curling. In the interest of time, Senator, obviously I 
would like to read the specific proposals, but I would answer 
yes, in general, to all of the questions.
    Senator Schumer. Thank you.
    Ms. Barrett?
    Ms. Barrett. Yes, I would also say yes, in general, to all 
of the questions. Many of what you are suggesting are already 
policies of ours.
    Senator Schumer. Mr. Dempsey?
    Mr. Dempsey. I have never seen a vote count like this, 
Senator. I am a ``yes'' on all as well.
    Senator Schumer. And Mr. Douglas?
    Mr. Douglas. Absolutely.
    Senator Schumer. Mr. Chairman, I yield back my 32 remaining 
seconds.
    Chairman Specter. It is greatly appreciated, Senator 
Schumer.
    Senator Schumer. I knew it would be.
    Chairman Specter. You now owe the yield-back bank only 17 
hours and 23 seconds.
    Senator Schumer. No good deed goes unpunished.
    Chairman Specter. On behalf of Senator DeWine, I am going 
to direct this question to you, Mr. Sanford. Senator DeWine 
could not be here. I understand that LexisNexis has been 
working with the National Center for Missing and Exploited 
Children and law enforcement to help find abducted children. 
Can you explain to the Committee how LexisNexis contributes to 
this effort?
    Mr. Sanford. Senator, the National Center, as you know, has 
been in existence for nearly 20 years. It provides critical 
assistance to find abducted and missing children. I think in 
the last 20 years, they have recovered 85,000 children.
    What the National Center does is we provide our service to 
them at no charge. They work with law enforcement and what they 
have determined is the best way to find an abducted child in 
the first 48 hours is to do searches and to find the 
relationships of the custodial and non-custodial parents. And 
by doing those searches with law enforcement, they are able to 
recover many of the abducted and missing children rapidly.
    Chairman Specter. Well, thank you very much, Mr. Sanford, 
Mr. Curling, Ms. Barrett, Mr. Dempsey and Mr. Douglas.
    Senator Leahy. Could I ask one more question?
    Chairman Specter. Sure, Senator Leahy.
    Senator Leahy. Mr. Dempsey, you and I have had discussions 
over the years on some of these issues and I have appreciated 
very much your input. I think about public records, and let's 
just take one example. You have whatever court handles divorce 
matters in your State and you may have divorce records in there 
which contain a number of things because of payments--Social 
Security numbers and maybe even the names of the banks that the 
litigants have, and so on.
    If you were to walk into that court and ask, they would 
say, well, we can give you the judge's findings, the pleadings, 
of course, but we can't give you this page that has all the 
rest. So you kind of felt you were pretty safe because had to 
go to court, to court, to court, to court and be turned down.
    Now, if it is all electronic, you don't have that 
inconvenience. Is there a responsibility on the part of data 
brokers who might go through every single court in the Nation 
pulling up Jones v. Jones or whatever--do they have a 
responsibility in weeding out the things that the courts would 
normally expect not to be shown?
    Mr. Dempsey. Well, I think, Senator, you are on to a very 
important point, which is just because information is in a 
public record, does it mean that there are no privacy issues, 
particularly in terms of accuracy, particularly in terms of 
sensitivity?
    The Supreme Court held in the Reporter's Committee case and 
in the DPPA case, the Reno v. Condon case, that even if 
information is publicly available, interests in accuracy apply, 
and the computerized compilation of that data into a single 
database changes the privacy equation. So you can't just say, 
oh, it is public record information, therefore there are no 
concerns.
    There are still concerns about the accuracy in the 
transcription of that data and still concerns about the fact 
that, as you say, in bankruptcy court there is a lot of very 
sensitive information. I know that bankruptcy judges are 
struggling with that specifically.
    Senator Leahy. Adoption courts; probate courts handle 
adoptions. Courts have allegations that are made in initial 
filings in a case, but the case may be heard six months later 
and all the allegations thrown out.
    Mr. Dempsey. So I think that that has to absolutely be part 
of the equation here. Under the Fair Credit Reporting Act, we 
have created this cycle of responsibility where the data 
furnishers have a responsibility for accuracy, the data 
aggregators and the credit reporting agencies have a 
responsibility, and the users have a responsibility in terms of 
accuracy.
    It is a little bit different in the public record system, 
in that the government entities are not pushing that data. It 
is being pulled by sending people out, but we still have to 
somehow address that, Senator, and work on what is the 
responsibility for accuracy of the compilier of that so-called 
public record information because it is being used against 
people in ways that have implications.
    Senator Leahy. And some of it is there for a very, very 
specific purpose. I mean, you could actually have on public 
record what kind of alarm systems you have in your house from 
an appraisal that had been done of the house.
    Mr. Dempsey. Well, for example, criminal history records. 
There is a very important public policy interest in having 
arrests be public, in having court proceedings be public. But 
we also know that a lot of arrests don't result in convictions 
for the charges. We have put limits in the fair credit 
reporting area on reporting of old arrests reporting of so-
called naked arrests. I think we need to make sure that those 
kinds of accuracy responsibilities spread across the data 
landscape.
    Senator Leahy. Thank you. Thank you, Mr. Chairman. I 
appreciate again your holding this hearing. I think it is 
extremely important and I am glad to see the Committee doing 
this kind of oversight.
    Chairman Specter. Well, thank you, Senator Leahy. You were 
the first one on the Committee to ask for it and I promptly 
responded and said yes. I think it has been a very, very 
productive hearing and I believe that there will be some very 
firm Federal legislation coming out of this issue.
    Thank you all very much.
    [Whereupon, at 12:00 p.m., the Committee was adjourned.]
    [Questions and answers and submissions for the record 
follow.]
    [Additional material is being retained in the Committee 
files.]

[GRAPHIC] [TIFF OMITTED] T2293.001

[GRAPHIC] [TIFF OMITTED] T2293.002

[GRAPHIC] [TIFF OMITTED] T2293.003

[GRAPHIC] [TIFF OMITTED] T2293.004

[GRAPHIC] [TIFF OMITTED] T2293.005

[GRAPHIC] [TIFF OMITTED] T2293.006

[GRAPHIC] [TIFF OMITTED] T2293.007

[GRAPHIC] [TIFF OMITTED] T2293.008

[GRAPHIC] [TIFF OMITTED] T2293.009

[GRAPHIC] [TIFF OMITTED] T2293.010

[GRAPHIC] [TIFF OMITTED] T2293.011

[GRAPHIC] [TIFF OMITTED] T2293.012

[GRAPHIC] [TIFF OMITTED] T2293.013

[GRAPHIC] [TIFF OMITTED] T2293.014

[GRAPHIC] [TIFF OMITTED] T2293.015

[GRAPHIC] [TIFF OMITTED] T2293.016

[GRAPHIC] [TIFF OMITTED] T2293.017

[GRAPHIC] [TIFF OMITTED] T2293.018

[GRAPHIC] [TIFF OMITTED] T2293.019

[GRAPHIC] [TIFF OMITTED] T2293.020

[GRAPHIC] [TIFF OMITTED] T2293.021

[GRAPHIC] [TIFF OMITTED] T2293.022

[GRAPHIC] [TIFF OMITTED] T2293.023

[GRAPHIC] [TIFF OMITTED] T2293.024

[GRAPHIC] [TIFF OMITTED] T2293.025

[GRAPHIC] [TIFF OMITTED] T2293.026

[GRAPHIC] [TIFF OMITTED] T2293.027

[GRAPHIC] [TIFF OMITTED] T2293.028

[GRAPHIC] [TIFF OMITTED] T2293.029

[GRAPHIC] [TIFF OMITTED] T2293.030

[GRAPHIC] [TIFF OMITTED] T2293.031

[GRAPHIC] [TIFF OMITTED] T2293.032

[GRAPHIC] [TIFF OMITTED] T2293.033

[GRAPHIC] [TIFF OMITTED] T2293.034

[GRAPHIC] [TIFF OMITTED] T2293.035

[GRAPHIC] [TIFF OMITTED] T2293.036

[GRAPHIC] [TIFF OMITTED] T2293.037

[GRAPHIC] [TIFF OMITTED] T2293.038

[GRAPHIC] [TIFF OMITTED] T2293.039

[GRAPHIC] [TIFF OMITTED] T2293.040

[GRAPHIC] [TIFF OMITTED] T2293.041

[GRAPHIC] [TIFF OMITTED] T2293.042

[GRAPHIC] [TIFF OMITTED] T2293.043

[GRAPHIC] [TIFF OMITTED] T2293.044

[GRAPHIC] [TIFF OMITTED] T2293.045

[GRAPHIC] [TIFF OMITTED] T2293.046

[GRAPHIC] [TIFF OMITTED] T2293.047

[GRAPHIC] [TIFF OMITTED] T2293.048

[GRAPHIC] [TIFF OMITTED] T2293.049

[GRAPHIC] [TIFF OMITTED] T2293.050

[GRAPHIC] [TIFF OMITTED] T2293.051

[GRAPHIC] [TIFF OMITTED] T2293.052

[GRAPHIC] [TIFF OMITTED] T2293.053

[GRAPHIC] [TIFF OMITTED] T2293.054

[GRAPHIC] [TIFF OMITTED] T2293.055

[GRAPHIC] [TIFF OMITTED] T2293.056

[GRAPHIC] [TIFF OMITTED] T2293.057

[GRAPHIC] [TIFF OMITTED] T2293.058

[GRAPHIC] [TIFF OMITTED] T2293.059

[GRAPHIC] [TIFF OMITTED] T2293.060

[GRAPHIC] [TIFF OMITTED] T2293.061

[GRAPHIC] [TIFF OMITTED] T2293.062

[GRAPHIC] [TIFF OMITTED] T2293.063

[GRAPHIC] [TIFF OMITTED] T2293.064

[GRAPHIC] [TIFF OMITTED] T2293.065

[GRAPHIC] [TIFF OMITTED] T2293.066

[GRAPHIC] [TIFF OMITTED] T2293.067

[GRAPHIC] [TIFF OMITTED] T2293.068

[GRAPHIC] [TIFF OMITTED] T2293.069

[GRAPHIC] [TIFF OMITTED] T2293.070

[GRAPHIC] [TIFF OMITTED] T2293.071

[GRAPHIC] [TIFF OMITTED] T2293.072

[GRAPHIC] [TIFF OMITTED] T2293.073

[GRAPHIC] [TIFF OMITTED] T2293.074

[GRAPHIC] [TIFF OMITTED] T2293.075

[GRAPHIC] [TIFF OMITTED] T2293.076

[GRAPHIC] [TIFF OMITTED] T2293.077

[GRAPHIC] [TIFF OMITTED] T2293.078

[GRAPHIC] [TIFF OMITTED] T2293.079

[GRAPHIC] [TIFF OMITTED] T2293.080

[GRAPHIC] [TIFF OMITTED] T2293.081

[GRAPHIC] [TIFF OMITTED] T2293.082

[GRAPHIC] [TIFF OMITTED] T2293.083

[GRAPHIC] [TIFF OMITTED] T2293.084

[GRAPHIC] [TIFF OMITTED] T2293.085

[GRAPHIC] [TIFF OMITTED] T2293.086

[GRAPHIC] [TIFF OMITTED] T2293.087

[GRAPHIC] [TIFF OMITTED] T2293.088

[GRAPHIC] [TIFF OMITTED] T2293.089

[GRAPHIC] [TIFF OMITTED] T2293.090

[GRAPHIC] [TIFF OMITTED] T2293.091

[GRAPHIC] [TIFF OMITTED] T2293.092

[GRAPHIC] [TIFF OMITTED] T2293.093

[GRAPHIC] [TIFF OMITTED] T2293.094

[GRAPHIC] [TIFF OMITTED] T2293.095

[GRAPHIC] [TIFF OMITTED] T2293.096

[GRAPHIC] [TIFF OMITTED] T2293.097

[GRAPHIC] [TIFF OMITTED] T2293.098

[GRAPHIC] [TIFF OMITTED] T2293.099

[GRAPHIC] [TIFF OMITTED] T2293.100

[GRAPHIC] [TIFF OMITTED] T2293.101

[GRAPHIC] [TIFF OMITTED] T2293.102

[GRAPHIC] [TIFF OMITTED] T2293.103

[GRAPHIC] [TIFF OMITTED] T2293.104

[GRAPHIC] [TIFF OMITTED] T2293.105

[GRAPHIC] [TIFF OMITTED] T2293.106

[GRAPHIC] [TIFF OMITTED] T2293.107

[GRAPHIC] [TIFF OMITTED] T2293.108

[GRAPHIC] [TIFF OMITTED] T2293.109

[GRAPHIC] [TIFF OMITTED] T2293.110

[GRAPHIC] [TIFF OMITTED] T2293.111

[GRAPHIC] [TIFF OMITTED] T2293.112

[GRAPHIC] [TIFF OMITTED] T2293.113

[GRAPHIC] [TIFF OMITTED] T2293.114

[GRAPHIC] [TIFF OMITTED] T2293.115

[GRAPHIC] [TIFF OMITTED] T2293.116

[GRAPHIC] [TIFF OMITTED] T2293.117

[GRAPHIC] [TIFF OMITTED] T2293.118

[GRAPHIC] [TIFF OMITTED] T2293.119

[GRAPHIC] [TIFF OMITTED] T2293.120

[GRAPHIC] [TIFF OMITTED] T2293.121

[GRAPHIC] [TIFF OMITTED] T2293.122

[GRAPHIC] [TIFF OMITTED] T2293.123

[GRAPHIC] [TIFF OMITTED] T2293.124

[GRAPHIC] [TIFF OMITTED] T2293.125

[GRAPHIC] [TIFF OMITTED] T2293.126

[GRAPHIC] [TIFF OMITTED] T2293.127

[GRAPHIC] [TIFF OMITTED] T2293.128

[GRAPHIC] [TIFF OMITTED] T2293.129

[GRAPHIC] [TIFF OMITTED] T2293.130

[GRAPHIC] [TIFF OMITTED] T2293.131

[GRAPHIC] [TIFF OMITTED] T2293.132

[GRAPHIC] [TIFF OMITTED] T2293.133

[GRAPHIC] [TIFF OMITTED] T2293.134

[GRAPHIC] [TIFF OMITTED] T2293.135

[GRAPHIC] [TIFF OMITTED] T2293.136

[GRAPHIC] [TIFF OMITTED] T2293.137

[GRAPHIC] [TIFF OMITTED] T2293.138

[GRAPHIC] [TIFF OMITTED] T2293.139

[GRAPHIC] [TIFF OMITTED] T2293.140

[GRAPHIC] [TIFF OMITTED] T2293.141

[GRAPHIC] [TIFF OMITTED] T2293.142

[GRAPHIC] [TIFF OMITTED] T2293.143

[GRAPHIC] [TIFF OMITTED] T2293.144

[GRAPHIC] [TIFF OMITTED] T2293.145

[GRAPHIC] [TIFF OMITTED] T2293.146

[GRAPHIC] [TIFF OMITTED] T2293.147

[GRAPHIC] [TIFF OMITTED] T2293.148

[GRAPHIC] [TIFF OMITTED] T2293.149

[GRAPHIC] [TIFF OMITTED] T2293.150

[GRAPHIC] [TIFF OMITTED] T2293.151

[GRAPHIC] [TIFF OMITTED] T2293.152

[GRAPHIC] [TIFF OMITTED] T2293.153

[GRAPHIC] [TIFF OMITTED] T2293.154

[GRAPHIC] [TIFF OMITTED] T2293.155

[GRAPHIC] [TIFF OMITTED] T2293.156

[GRAPHIC] [TIFF OMITTED] T2293.157

[GRAPHIC] [TIFF OMITTED] T2293.158

[GRAPHIC] [TIFF OMITTED] T2293.159

[GRAPHIC] [TIFF OMITTED] T2293.160

[GRAPHIC] [TIFF OMITTED] T2293.161

[GRAPHIC] [TIFF OMITTED] T2293.162

[GRAPHIC] [TIFF OMITTED] T2293.163

[GRAPHIC] [TIFF OMITTED] T2293.164

[GRAPHIC] [TIFF OMITTED] T2293.165

[GRAPHIC] [TIFF OMITTED] T2293.166

[GRAPHIC] [TIFF OMITTED] T2293.167

[GRAPHIC] [TIFF OMITTED] T2293.168

[GRAPHIC] [TIFF OMITTED] T2293.169

[GRAPHIC] [TIFF OMITTED] T2293.170

[GRAPHIC] [TIFF OMITTED] T2293.171

[GRAPHIC] [TIFF OMITTED] T2293.172

[GRAPHIC] [TIFF OMITTED] T2293.173

[GRAPHIC] [TIFF OMITTED] T2293.174

                                 
