<html>
<title> - IDENTITY THEFT: RECENT DEVELOPMENTS INVOLVING THE SECURITY OF SENSITIVE CONSUMER INFORMATION</title>
<body><pre>[Senate Hearing 109-451]
[From the U.S. Government Printing Office]



                                                        S. Hrg. 109-451

                  IDENTITY THEFT: RECENT DEVELOPMENTS
                       INVOLVING THE SECURITY OF
                     SENSITIVE CONSUMER INFORMATION

=======================================================================

                                HEARINGS

                               before the

                              COMMITTEE ON
                   BANKING, HOUSING, AND URBAN AFFAIRS
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                                   ON

   RECENT DEVELOPMENTS INVOLVING THE SECURITY OF SENSITIVE CONSUMER
  INFORMATION RELATING TO IDENTITY THEFT, FOCUSING ON LAWS CURRENTLY
            APPLICABLE TO RESELLERS OF CONSUMER INFORMATION

                               __________

                         MARCH 10 AND 15, 2005

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban
                                Affairs


      Available at: http: //www.access.gpo.gov /congress /senate/
                            senate05sh.html



                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
28-404                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S.
Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                  RICHARD C. SHELBY, Alabama, Chairman

ROBERT F. BENNETT, Utah              PAUL S. SARBANES, Maryland
WAYNE ALLARD, Colorado               CHRISTOPHER J. DODD, Connecticut
MICHAEL B. ENZI, Wyoming             TIM JOHNSON, South Dakota
CHUCK HAGEL, Nebraska                JACK REED, Rhode Island
RICK SANTORUM, Pennsylvania          CHARLES E. SCHUMER, New York
JIM BUNNING, Kentucky                EVAN BAYH, Indiana
MIKE CRAPO, Idaho                    THOMAS R. CARPER, Delaware
JOHN E. SUNUNU, New Hampshire        DEBBIE STABENOW, Michigan
ELIZABETH DOLE, North Carolina       ROBERT MENENDEZ, New Jersey
MEL MARTINEZ, Florida

             Kathleen L. Casey, Staff Director and Counsel

     Steven B. Harris, Democratic Staff Director and Chief Counsel

                         Mark Oesterle, Counsel

                 Dean V. Shahinian, Democratic Counsel

   Joseph R. Kolinski, Chief Clerk and Computer Systems Administrator

                       George E. Whittle, Editor


                            C O N T E N T S

                              ----------

                        THURSDAY, MARCH 10, 2005

Opening statement of Chairman Shelby

Opening statements, comments, or prepared statements of:
    Senator Corzine
        Prepared statement
    Senator Sarbanes
    Senator Johnson
    Senator Reed
    Senator Dole
        Prepared statement
    Senator Schumer

                               WITNESSES

Patrick Leahy, a U.S. Senator from the State of Vermont
Deborah Platt Majoras, Chairman, Federal Trade Commission
    Prepared statement
Larry Johnson, Special Agent in Charge, Criminal Investigative
  Division, U.S. Secret Service
    Prepared statement
Amy S. Friend, Assistant Chief Counsel, Office of the Comptroller
  of the Currency
    Prepared statement
                              ----------

                        THURSDAY, MARCH 15, 2005

Opening statement of Chairman Shelby

Opening statements, comments, or prepared statements of:
    Senator Sarbanes
    Senator Bunning
    Senator Schumer
    Senator Allard
        Prepared statement

                               WITNESSES

Don McGuffey, Vice President, ChoicePoint Services, Inc.
Evan Hendricks, Editor and Publisher, Privacy Times
    Prepared statement
Barbara Desoer, Global Technology, Service and Fulfillment
  Executive, Bank of America
    Prepared statement


                  IDENTITY THEFT: RECENT DEVELOPMENTS
                       INVOLVING THE SECURITY OF
                     SENSITIVE CONSUMER INFORMATION

                              ----------


                        THURSDAY, MARCH 10, 2005

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.

    The Committee met at 2:50 p.m., in room SD-538, Dirksen
Senate Office Building, Senator Richard C. Shelby (Chairman of
the Committee) presiding.

        OPENING STATEMENT OF CHAIRMAN RICHARD C. SHELBY

    Chairman Shelby. The hearing will come to order.
    This afternoon we are going to hold the first of two
hearings to examine the level of security that has been
provided to sensitive financial information. While two
incidents have received significant media attention and brought
this issue to the forefront, I want to make clear that these
events are only a small part of larger developments and note
that I feel this overall subject requires broad, not simply
anecdotal, consideration.
    The fact is, technology has profoundly changed our economy.
Automation, depersonalized transactions, and the electronic
storage, manipulation, and transfer of massive amounts of
sensitive information are entirely routine. While there are
significant benefits associated with these developments, we
must also recognize that there are some significant risks
associated with them as well.
    Most notably our rapid-fire, credit-in-a-moment economy
provides tremendous opportunities for fraud and identity theft.
If a crook gets hold of someone's personal information such as
their name, date of birth, and Social Security number they can
steal millions of dollars and wreak havoc on that person's life
and credit history in only a matter of moments. For this
reason, I believe it is paramount that this kind of sensitive
information be properly protected.
    In the past, much of the focus regarding identity theft
prevention has been directed on what an individual can do to
protect themselves. This was and remains very important, but
identity theft criminals have grown more sophisticated and are
more aggressively pursuing information from centralized data
sources. At a minimum, recent events indicate that we must
remain constantly vigilant regarding the financial information,
security practices and entities that hold millions, if not
billions, of financial records.
    Thus, the purpose of today's hearing is to gain insight
into the state of the industry compliance with the laws
designed to protect personal financial information and to learn
whether the current legal framework provides adequate
protections and has kept pace with the change in the
marketplace.
    We look forward to hearing from the witnesses today.
    Senator Corzine, do you have an opening statement?

              STATEMENT OF SENATOR JON S. CORZINE

    Senator Corzine. Yes, I do, sir. Thank you, Mr. Chairman,
and I want to thank you for holding this hearing on identity
theft and related security issues with regard to sensitive
consumer information. I want to say your response to this
emerging problem is typical of your leadership. I think it is
strong leadership on a whole series of issues as has been the
case with Ranking Member Sarbanes as well. I appreciate it and
I know the public will because it is something of great
concern.
    The importance of this, as we have all heard, has been
underscored recently. As the Chairman said, it may be anecdotal
but it seems to be more broad based than just the occasional
anecdote. Just yesterday, the announced breach of LexisNexis,
the scandal at data broker ChoicePoint, and the loss by Bank of
America of sensitive information on over one million
individuals, among them Members of the U.S. Senate, including
some sitting at this table.
    These alarming instances are a stark reminder of just how
vulnerable consumers and each of us are at having our personal
information fall into the wrong hands, the hands of thieves.
Personal information such as our Social Security numbers,
drivers license, auto registration numbers, credit histories,
and credit card numbers are vulnerable to people who know how
to use technology for ill-begotten ways.
    As alarming as the brashness of the identity thieves and
the growth of the crime is, is the notion that there are likely
other instances of large-scale identity theft that we have
never been able to define or disclose to the public.
    Mr. Chairman, identity theft is on the rise and is probably
our fastest-growing consumer crime. According to the FTC,
nearly 10 million Americans were the victims of identity theft
in 2003, three times the number of victims just 3 years before
that. Research shows that there are as many as 13 identity
thefts every minute.
    It is a crime that harms our economy in the form of lost
productivity and capital. Aggregate estimates of the costs are
not truly identified, and I think that actually identifies a
problem in and of itself in the sense that we do not have a
complete handle on what its impact is on the public. According
to the Identity Theft Resource Center, identity theft victims
spend nearly 600 working hours recovering from the crime, and
the cost in lost wages can be as much as $16,000 per incident
before the loss itself, and the emotional distress is
immeasurable.
    Technological innovation has brought about a data
revolution that most consumers have benefited from, but it has
come with some cost.
    In this context, Mr. Chairman, next week I will be offering
and introducing the Identity Theft Prevention and Victim
Notification and Assistance Act. The bill takes a comprehensive
approach to the problem of identity theft, better oversight,
strong standards aimed at preventing identity theft, victim
notification and assistance, and tough enforcement by Federal
regulators, including those that will testify today if we can
give them the resources to do their job.
    It authorizes the FTC to write rules requiring firms to
ensure the accuracy, security, and integrity of sensitive
personnel information, enhances identity theft prevention by
requiring all companies maintain sensitive personal
information, establish security systems that safeguard their
information. I could go through the details of it, but I will
submit that in a longer statement for the record. But one of
the things it does is not unlike what is in Sarbanes-Oxley. It
requires that the chief enforcement officer attest to the
effectiveness of the systems that provide for control of
information.
    So there is a whole series of additional steps which I
think are absolutely vital, including--and the last one might
be most important--immediate notification of the consumers who
are impacted by this. Too often as we saw in the ChoicePoint
and other situations, people were not informed immediately.
They only find out when someone has used their credit or has
stolen from them, and it is a problem that needs to be
addressed.
    I look forward to working with the Committee, the Chairman,
and my colleagues on addressing this as we go forward. Thank
you very much. I have a more extensive statement.
    Chairman Shelby. Your entire statement will be made part of
the record in its entirety, Senator Corzine.
    Chairman Shelby. Our first panel we have our colleague,
Senator Patrick Leahy, U.S. Senator from Vermont, someone who
spent a lot of time--former Chairman of the Judiciary Committee
and now ranking Democrat--there in this area.
    Senator Leahy, welcome to the Banking Committee. Your
entire statement will be made part of the record. You proceed
as you wish.

                   STATEMENT OF PATRICK LEAHY

            A U.S. SENATOR FROM THE STATE OF VERMONT

    Senator Leahy. Thank you, Mr. Chairman, and I appreciate
the courtesy of having me here. I spoke to earlier in private
about this. I will state publicly that I applaud your decision
to hold today's hearing about recent security breaches at
ChoicePoint and Bank of America, and what that means about
protecting sensitive consumer data. You and Senator Sarbanes
have been leaders on these issues and I thank you for this
opportunity.
    We are in a challenging area. The advanced technologies
have opened up new possibilities. They have brought enormous
benefits to consumers and commerce, law enforcement, and there
is no doubt these advances have made our lives better, safer,
but they have also created new vulnerabilities for our privacy
and for our security. It is becoming increasingly clear these
trends have challenged the privacy laws we currently have.
And
today's security saturated environment is fostering
partnerships between Government and private data brokers,
creating new challenges for maintaining privacy standards over
the sensitive information that more and more involves every
single American.
    The troubling events at ChoicePoint, Bank of America, and
now LexisNexis are a window on some of these weaknesses.
ChoicePoint's bread and butter business includes identity
verification and screening to help corporate America, as they
say, ``know its customers.'' Well, this company failed to know
its own customers. They sold personal information on at least
145,000 Americans to criminals posing as legitimate companies.
It was an irresponsible violation of the fiduciary relationship
they have to their customers.
    Then there is Bank of America which recently announced that
the personal information of more than a million Government
employees, including some Senators and Senate staff members,
was compromised when backup tapes disappeared during transport
on a commercial airliner. We now understand this type of
transport is routine not only for them but also the entire
industry.
    I do not know what these people are thinking. Mr. Chairman,
you and I travel commercially. We travel a lot. We have had our
suitcases lost. Do they think that the suitcase full of some of
the most important data on their customers could not get lost
too? Can you imagine how disillusioned their customers must
feel when they find Bank of America did not care any more about
them than to let that happen? On the eve of this hearing we
have also learned that personal information on 32,000 more
Americans was potentially compromised at a subsidiary of
LexisNexis.
    The susceptibility of our most personal data to relatively
unsophisticated scams or logistical mishaps is greatly
disturbing, and that is even before we consider the dangers
posed by insiders, by hackers, by organized crime, and now we
know by terrorists. In an era where personal information is a
key commodity, the personal information of Americans has become
a treasure trove, valuable but also vulnerable.
    Today, companies around the world routinely traffic in
billions of personal records about consumers. The magnitude of
these transactions has rendered the individuals behind the data
faceless. But at the end of the day if things go south, it is
the consumer that bears the brunt of the harm, not the company.
For consumers, caught up in the endless cycle of watching their
credit unravel, and doing the damage caused by such breaches
becomes life-consuming and monumental.
    Congress needs to act. We have to do it right. Many of us
have been examining the information brokering industry.
Consumers should know who has their data, what it is being used
for, how they can correct mistakes. They should have notice
consistent with law enforcement considerations so they can
protect themselves. That is just basic fairness.
    We have to look closely at ensuring a standard of care
consistent with the high value of this data, including penalty
options when companies fall short of meeting those standards.
Data brokers are increasingly partnering with the Government in
law enforcement and homeland security efforts. It could prove
useful for us here in Congress to consider the extent to which
a company's privacy and security practices are the qualifying
factors in securing Federal contracts, because then we could
also ask what would be the appropriate penalties in the
contract procurement process for any failure. So, I welcome the
opportunity to work with you, with my colleagues on Judiciary,
and with this Committee. And Judiciary will also have hearings.
Senator Specter and I intend to.
    Privacy and liberty are important values to the American
people. It is not a Democratic or Republican issue, it is an
American issue. Our collective vigilance in protecting these
cherished values has allowed us to enjoy unparalleled freedom,
security, and economic vitality. We have to continue this
vigilance.
    I applaud you, Mr. Chairman. Your hearing today is going to
shed much needed light on a rapidly growing industry and its
practices in handling the financial and personal information of
every American. I look forward to continuing to work with you.
I think at the end of the day when we finish the hearings here
and in Judiciary, the American people should end up being
better protected, but I think they are also going to have a
better idea what happens to their personal information.
    Thank you, sir.
    Chairman Shelby. Thank you, Senator. We look forward to
working with you and also the Judiciary and other Committees,
whatever we have to do to try to secure the American people's
financial information.
    We have got a vote on the floor now of the Schumer
Amendment. We are going to take a break and go vote, and then
we will get in the second panel. We will be in recess until we
get back.
    [Recess.]

             STATEMENT OF SENATOR PAUL S. SARBANES

    Senator Sarbanes. [Presiding.]
First of all, let me assure
you this is not a coup.
    [Laughter.]
    I saw Chairman Shelby in the hallway, and he is on his way
for this vote, and I had just finished it. There is another
vote that will be coming so we are trying to keep the process
moving ahead, although it is under rather difficult
circumstances. So, I am going to go ahead now and make my
opening statement so we get that behind us in terms of the
business yet to be done.
    First of all, I want to commend Chairman Shelby for holding
this very timely hearing. I underscore his quick response to
the news of recent breaches of data security that potentially
affect millions of Americans. Data security and financial
privacy are important values in our society. They have been the
subject of Banking Committee hearings and legislative markups
since the 105th Congress. Title V of the Gramm-Leach-Bliley Act
of 1999 contained data security and privacy protections. And
the identity theft and affiliate sharing protections were in
the Fair and Accurate Credit Transaction Act of 2003. Both of
those bills came out of this Committee.
    Security breaches, very regrettably, have led to the
improper release of the sensitive personal data of millions of
Americans. Last month, ChoicePoint, a data broker, described by
a journalist as the world's largest private intelligence
operation, sold information that had personally identifiable
data on 145,000 people to imposters, people not properly
entitled to the information. According to ChoicePoint's
testimony, this included ``access [to] information products
primarily containing the following information: Consumer names,
current and former addresses, Social Security numbers, drivers
license numbers, certain other public record information such
as bankruptcies, liens and judgments, and in certain cases
credit reports.''
    Bank of America, one of the world's largest financial
institutions, serving 33 million consumer relationships,
reported the loss of backup computer tapes which, according to
testimony today, ``contained customer and account information
for approximately 1.2 million Government charge holders . . .
and may have included name, address, account number and Social
Security number.'' I understand that both of these companies
are taking actions to prevent future problems.
    More data security breaches were revealed this week. On
Tuesday, DSW Shoe Warehouse stores reported that credit card
information from customers of more than 100 of its stores had
been stolen. On Wednesday, LexisNexis announced the theft of
the names, addresses, Social Security numbers, and drivers
license numbers of more than 30,000 people from its Seisint
subsidiary.
    These and other breaches have caused widespread concern
among the public and in the Congress. The Washington Post
reported, ``public ire is intensifying.'' I can vouch for that
on the basis of the constituents who have contacted me, and I
hear the same from my colleagues. We know that Americans have
strong concerns about protecting their personal information.
The Baltimore Sun, in an editorial entitled ``Stealing by the
Numbers,'' said, ``This is an industry ripe for Federal and State
controls.''
    Congressional hearings are being planned and legislation is
being introduced by Senator Corzine and by others to address
this problem.
    I strongly share the concern about the improper release of
personally identifiable financial information. A particular
danger is that citizens whose data is compromised may become
victims of identity theft, which is of course a serious
national problem that has grown in recent years. Honest
citizens who become identity theft victims incur a high cost in
money, time, anxiety, and efforts to correct their spoiled
credit histories and restore their good credit name. While
swift apprehension and punishment of criminals is important, we
must also seek to prevent breaches, to enable consumers to
protect themselves, and to assist citizens who have become
victims through no fault of their own.
    Many questions are raised. What potential harms to
consumers can result from breaches of personal data held by
financial institutions or data brokers? How are the data
practices of data brokers and financial institutions regulated?
What steps should be taken to prevent future breaches? Is
additional Federal regulation needed in order to adequately
protect consumers? Should consumers be given more rights to
protect data about themselves, giving consumers the rights to
have access to a copy of the records and to correct errors, or
requiring notification of consumers when data breaches occur?
And should financial institutions more fully inform consumers
about the specific types of information they possess and what
they do with data?
    Other questions also of course occur, and I expect this to
be a matter which the Congress will examine very carefully.
    Do you have a statement, Senator Johnson?

                STATEMENT BY SENATOR TIM JOHNSON

    Senator Johnson. Yes, thank you, Senator Sarbanes. I
appreciate both you and Chairman Shelby for convening this
important hearing, and I welcome the distinguished panel of
participants that we have here today. I regret that we have
these ongoing votes plus a markup in the Budget Committee,
which is going to take me away from being here personally, as
much as I would like to be. But it is my hope that this is just
the first of a series of hearings about information security.
Clearly, we need to take a hard look at whether governing
statutes are adequate to protect the increasing body of
personal information databases. I appreciate the clarity with
which the FTC has summarized those laws in its written
testimony, and I hope that we can work together to legislate in
a speedy and effective manner to capture all industry players.
    Mr. Chairman, I believe that we also need to take a close
look at what we can do within the current legal framework to
protect sensitive personal and financial information. We know
companies face significant and ongoing problems with both
insider breaches and outside hackers. In these cases, the
problem is not the absence of a governing statute, but rather a
violation of an ongoing statute.
    I would like to call the Committee's attention to some
innovations in the area of data security which bear discussion.
One example is Dakota State University in Madison, South
Dakota. DSU's Information Assurance program has developed
important technologies to protect community banks from
information breaches. DSU recently won accreditation from the
National Security Agency for its bank-focused program which
specializes in assisting banks to protect sensitive information
within current legal frameworks.
    A security breach is costly both financially and toward
reputation. Many companies, though regrettably not all, go
beyond legal requirements to ensure the security of their data.
I hope through this hearing process we will get a better sense
of the landscape of technologies available to financial and
other institutions that might help them protect their
databases.
    As we examine how to capture all players with access to
sensitive financial and personal information in a regulatory
framework, we need to be careful to preserve the success of the
Fair Credit Reporting Act. I was struck just this past week
again by the potential benefits that FCRA can bring consumers
who handle credit responsibly.
    As we stand poised to pass bankruptcy reform legislation, I
believe that the credit reporting system may be able to play a
positive role in helping bankruptcy filers rehabilitate their
credit more quickly.
    In the coming weeks, it is my intention to work actively
with the bankruptcy advisory committees and trustees, the
credit bureaus, and the industry players to encourage a full
reporting of Chapter 13 payment plans to credit bureaus. The
credit reporting system is only as good as the information
contained in it, and we have an important opportunity to
encourage reporting that will help hard-working Americans who
have fallen on hard times prove that they can in fact handle
credit responsibly. Those people who are able to repay any part
of their debt should get credit for that effort, and I intend
to work hard to make sure that that in fact happens.
    Thank you, Senator Sarbanes.
    Senator Sarbanes.
Thank you very much, Senator Johnson.
    I think the best course now would be to recess again
because there is a vote about to happen, and I think the
Chairman will then be on his way back, and I think he will then
be in a position to go into the hearing with the next panel,
which I gather would be with the Chairwoman of the FTC.
    Thank you all very much.
    [Recess.]
    Chairman Shelby. [Presiding.] The Committee will come back
to order. We are sorry about the inconvenience, but that is the
way the Senate works, two straight votes.
    Our second panel we have the Chairman of the Federal Trade
Commission, Deborah Platt Majoras. We welcome you to the
Committee. Your written statement will be made part of the
record in its entirety. You proceed as you wish.

               STATEMENT OF DEBORAH PLATT MAJORAS

               CHAIRMAN, FEDERAL TRADE COMMISSION

    Ms. Majoras. Thank you, Mr. Chairman and Members of the
Committee. I am Deborah Majoras, Chairman of the Federal Trade
Commission.
    I am grateful for the opportunity to testify about identity
theft, the security of consumer information, and in particular,
the collection of that information by data brokers.
    Although the views expressed in the written testimony
represent the views of the entire Commission, my oral
presentation and responses to questions are my own and do not
necessarily reflect the views of the Commission or the other
Commissioners.
    Recent revelations about security breaches that resulted in
disclosure of sensitive information about thousands of
consumers have put a spotlight on the practices of data brokers
like ChoicePoint that collect and sell this information. The
data broker industry includes many types of businesses,
providing a variety of services to an array of commercial and
Government entities. Information sold by data brokers is used
for many purposes, from marketing to assisting in law
enforcement.
    Despite the potential benefits of these information
services, the data broker industry is the subject of both
privacy and information security concerns. As recent events
demonstrate, if the sensitive information they collect gets
into the wrong hands it can cause serious harm to consumers,
including identity theft.
    Identity theft is a pernicious problem. A recent FTC survey
estimated that as many as 10 million consumers discovered that
they were victims of some form of identity theft in the 12
months preceding the survey, costing consumers nearly $5
billion in losses, and American businesses roughly $48 billion
in losses. We must look seriously at ways to reduce identity
theft which has shaken consumer confidence to the core.
    One means of reducing identity theft is to ensure that
sensitive, nonpublic information that is collected by data
brokers is maintained securely.
    There is no single Federal law governing the practices of
data brokers. There are, however, statutes and regulations that
address the security of the information they maintain,
depending on how the information was collected, and how it is
used.
    The Fair Credit Reporting Act, for example, makes it
illegal to disseminate consumer report information, like credit
reports, to someone who does not have a permissible purpose;
that is, a legitimate business need for the information. Thus,
data brokers are only subject to the FCRA's requirements to the
extent that they provide consumer reports, as that term is
defined in the statute.
    Similarly, the Gramm-Leach-Bliley Act, which the Commission
also enforces, imposes restrictions on the extent to which
financial institutions may disclose consumer information
related to financial products and services. Under Gramm-Leach-
Bliley, the Commission issued a Safeguards Rule, which imposes
security requirements on a broadly defined group of financial
institutions that hold customer information. The Commission
recently brought two cases in which we alleged that companies
had not taken reasonable precautions to safeguard consumer
information.
    Finally, in the third statutory regime, Section 5 of the
FTC Act prohibits unfair and deceptive practices by a broad
spectrum of businesses, including those involved in the
collection or use of personal information. Under this
authority, the Federal Trade Commission has brought several
actions against companies that have made false promises about
how they would use or secure sensitive personal information,
and these cases make clear that an actual breach of security is
not necessary for enforcement under Section 5 if the Commission
determines the company's security procedures are not reasonable
in light of the sensitivity of the information that they
collect and hold. Evidence of a breach, of course, may be
relevant, though, to whether the procedures were not adequate.
It is important to remember, though, that there is no such
thing as perfect security, and breaches can occur even when a
company has taken every reasonable precaution.
    The Commission, consistent with the role Congress delegated
in 1998, has worked hard to educate consumers and businesses
about the risks of identity theft and to assist victims and law
enforcement officials. The Commission maintains a website and a
toll-free hotline staffed with trained counselors to advise
victims on how to reclaim their identities. We receive roughly
15,000 to 20,000 contacts per week on the hotline, through our
website, or mail from victims and from consumers who want to
avoid becoming victims. The Commission also facilitates
cooperation, information sharing, and training among Federal,
State, and local law enforcement authorities fighting this
crime.
    Although data brokers are currently subject to this
patchwork of laws, depending on the nature of their operations,
recent events clearly raise the issue of whether these laws are
sufficient to ensure the security of their information. I
believe that there may be additional measures that would
benefit consumers.
    The most immediate need is to address the risks to the
security of the information. Extending the Commission's
Safeguards Rule to sensitive personal information collected by
data brokers is one sensible step that could be taken. It also
may be appropriate to consider a workable Federal requirement
for notice to consumers when there has been a security breach
that raises a significant risk of harm to consumers.
    Mr. Chairman, Members of the Committee, the FTC shares your
concern for the security of consumer information, and we will
continue to take steps within our authority to protect
consumers. Thank you for the opportunity to discuss this vital
topic, and I would be happy to respond to your questions.
    Chairman Shelby. Thank you, Madam Chairman.
    The Federal Trade Commission does a lot of work that is
directed at helping individuals protect themselves from
identity theft. Is that correct, Madam Chair?
    Ms. Majoras. That is correct.
    Chairman Shelby. Additionally, you also do a great deal to
help individuals recover from the damage done--and this is a
big thing--by identity thieves. You are clearly well aware in
your position of the kind of damage that can be inflicted on
the average American. We have heard horror stories here--you
hear them every day, I am sure--that have involved massive
amounts of data involving thousands, even millions of people,
recent cases.
Could you provide us your views as to what kind
of damage this kind of large-scale information theft can cause,
just for the record?
    Ms. Majoras. The biggest injury, of course, is identity
theft on potentially a massive scale when we have a substantial
security breach. The majority of the incidents that we see
involve the misuse of existing accounts, but a far more
destructive practice is when an identity thief takes the
personal information for a particular consumer, poses as that
consumer, and opens new accounts. That is one of the most
difficult problems for consumers to overcome when they are
trying to get their financial and personal life back, quite
frankly.
    Chairman Shelby. Isn't this one of the biggest robberies
going on in the country today?
    Ms. Majoras. It is 9 to 10 million people a year, Mr.
Chairman. That is 4.5 percent of our adult population.
    Chairman Shelby. And involving billions of dollars?
    Ms. Majoras. Involving billions of dollars, not only to
consumers but also to businesses, and we estimate that per year
about 300 million hours of time goes into dealing with identity
theft in terms of consumers trying to get their identities back
and businesses, of course, trying to work through what has
happened, what fraud has occurred, and what can be done to fix
it.
    Chairman Shelby. Our traditional bank robbers are petty
thieves compared to the aggregate of this, are they not?
    Ms. Majoras. Some of them certainly are, Mr. Chairman, yes.
    Chairman Shelby. Could you give us several examples of the
kinds of sensitive financial information that would be included
in the credit report?
    Ms. Majoras. The most common type of information would be
information about consumers' accounts and, in particular,
credit card accounts. So information on a credit report would
include the account number, the account balance, the consumer's
credit history.
    Chairman Shelby. Real private things.
    Ms. Majoras. Very private.
    Chairman Shelby. Isn't this kind of information supposed to
be covered by the protections of FCRA?
    Ms. Majoras. The FCRA does cover this type of information,
depending on how the information is used.
    Chairman Shelby. Okay.
    Ms. Majoras. I think the easiest way to say it is to
determine a consumer's eligibility for credit, for employment,
for insurance purposes, then that information falls within the
FCRA.
    Chairman Shelby. What kind of safeguards does the FCRA have
to ensure that credit reporting agencies do not provide credit
reports to anyone coming in off the street?
    Ms. Majoras. The FCRA requires that consumer reporting
agencies and anyone else who falls within the statute to have
in place reasonable procedures to ensure that those to whom
they sell the information have a permissible purpose, that is,
an appropriate business purpose, as I said most commonly
determining a consumer's eligibility for credit, for
employment, or insurance.
    This means under the FCRA that the CRA's must receive
certification from those to whom they sell the information, and
they also must make a reasonable effort to verify the user's
identity and also that the user, in fact, does have a
permissible purpose.
    Chairman Shelby. Ma'am, how many firms are there in the
data brokerage industry? And how big is their information
capacity? In other words, how much data on how many Americans
are they dealing with?
    Ms. Majoras. I am afraid that is a tough one to answer, Mr.
Chairman. We have not been able to find statistics on the
number of data brokers there are. We know that there is a great
variety, and, of course, it depends on how you define it.
    Chairman Shelby. If you do find out something approximately
the number, can you furnish that for the record?
    Ms. Majoras. We would be pleased to present that for you,
Chairman Shelby. I will say, however, that we know that
individual data brokers, just like the CRA's, can have billions
of pieces of data regarding consumers.
    Chairman Shelby. A treasure trove of all of the financial
private information in a sense.
    Ms. Majoras. Yes, indeed.
    Chairman Shelby. Do you think that data brokers take steps
to avoid becoming credit reporting agencies to avoid the FCRA
requirements? And if so, how do they accomplish this?
    Ms. Majoras. Actually, what we have seen in the data
brokerage industry is that some of the products they sell
actually do fall within the FCRA and some of them do not. And
it just depends on the type of products.
    Chairman Shelby. You have to look at the situation.
    Ms. Majoras. You have to look at each individual--and,
again, because it is dependent not on the label you put on the
type of company, it is dependent on the kind of information,
that makes a difference.
    Chairman Shelby. Sure. Do you have any information about
the manner in which the Gramm-Leach-Bliley information use
restrictions flow with information? In other words, could you
give us a little detail about where Gramm-Leach-Bliley use
restrictions flow with information? Am I clear? In other words,
these rules do not simply apply to financial institutions that
have the relationship with the consumer. They apply downstream
as well, do they not?
    Ms. Majoras. They absolutely do. Once a financial
institution covered by GLB provides information to a
nonaffiliated party, that party is then also subject to the
security provisions.
    Chairman Shelby. Give us an example, if you could, a
specific example. What kind of information is covered by Gramm-
Leach-Bliley?
    Ms. Majoras. Nonpublic personal information.
    Chairman Shelby. Okay.
    Ms. Majoras. Which the financial institutions are
collecting so that they can provide financial services.
    Chairman Shelby. Proprietary information?
    Ms. Majoras. Yes, although it is defined very broadly, so
it includes name, address, Social Security number, and account
numbers.
    Chairman Shelby. Things about your family?
    Ms. Majoras. If they have it. Mother's maiden name is one
that often is asked for.
    Chairman Shelby. Is this kind of information used very
often by or is it very important to data brokers, all this
stuff you are talking about?
    Ms. Majoras. It is important to data brokers generally,
depending on what they are selling information for. It is the
information that we understand data brokers do collect.
    Chairman Shelby. Do you know if there are any meaningful
safeguards that the data information brokers have to jump
through before they sell information?
    Ms. Majoras. It depends. Some of the information they
provide may fall under the FCRA, and if that is the case, then
they have to comply with that. If they were a financial
institution or they were receiving information from a financial
institution and they are a downstream reseller, then they would
have some requirements under Gramm-Leach-Bliley. And, of
course, we enforce Section 5 of the Federal Trade Commission
Act, so we can look for deception and unfairness.
    Chairman Shelby. Is this the kind of information that is in
these data banks that identity thieves would be interested in?
    Ms. Majoras. There really is not any question. They are
interested in identities of individuals that perhaps they could
pose as, and they are absolutely interested in account numbers.
    Chairman Shelby. Again you said earlier in, I believe, your
opening statement, was it 40-something billion dollars a year
loss to businesses, and then so much to consumers, too?
    Ms. Majoras. That is correct. So if we put our estimates
for out-of-pocket losses to businesses and consumers together,
it is well over $50 billion.
    Chairman Shelby.
Senator Reed.

                 STATEMENT OF SENATOR JACK REED

    Senator Reed. Thank you very much, Mr. Chairman. Thank you,
Chairman Majoras. This is a very important hearing. I am sure
everyone has made that point quite clearly.
    Let me ask a question. We were talking about essentially
domestic operations, but there is a growing trend to outsource
these types of information searches and data manipulation
overseas. Does that pose another additional problem to you?
    Ms. Majoras. Well, it may. There are some difficulties that
we have generally with any kind of fraud over the Internet when
it crosses more than one border, as more and more we are seeing
in this Internet information age. And we have been working on
legislation that would give us better tools to address cross-
border fraud, and some of this would absolutely fall into that
category.
    Senator Reed. Last year, Senator Corzine in the
reauthorization of the FCRA proposed an amendment that would
require prompt notification of breaches. That amendment was
dropped in the conference. Would this prompt notification be
useful given the experience we have just witnessed in the last
few weeks?
    Ms. Majoras. We think prompt notification when there is a
significant risk to consumers is what makes the most sense. And
the reason that we say that is that there are some security
breaches that occur that really actually do not present harm to
consumers. And there is a great cost to notifying consumers of
every breach. One might have a hacker who is a teenager in
someone's garage who enjoys seeing if he or she could hack into
a database and might do it and then call and say, ``Ha, ha, I
did this,'' but is not stealing information. And there are
other, if you will, breaches on a smaller scale.
    If we try to inform consumers of every single breach, for
one thing they are going to become numb to it. It will be very
much, okay, all right, sure, I am at risk; and then they may
not take the precautions which the FTC and others encourage
them to take when there really has been a significant breach.
    So we think there has to be some--that the best course is
to have some limitation on it so that companies must take
reasonable steps when there is a significant risk.
    Senator Reed. Right now, there is no requirement in Federal
legislation to make this notification; is that accurate?
    Ms. Majoras. Not quite. I know that the OCC--and I know
that you will hear from one of their witnesses--has proposed
guidance through their Gramm-Leach-Bliley implementation, which
actually proposes a very similar requirement to the one I was
just discussing, which is you would take some reasonable
precautions when you think that consumers really are at risk.
    Senator Reed. You have alluded to legislation that you are
working on with respect to international ramifications of
technology and the Internet that is spreading across the globe
and what you have just mentioned with respect to notification.
Are there any other safeguards that you would urge us to
consider with respect to problems like we have seen?
    Ms. Majoras. I think considering taking the FTC's
Safeguards Rule, which we promulgated under Gramm-Leach-Bliley,
and extending it more broadly so that the requirements that we
have in the safeguards will go beyond just financial
institutions that are covered by GLB but, in fact, would cover
more companies, which would include the data brokers.
    The difficulty in passing too many statutes in which we try
to limit it to particular labels that we can put on a company
is that our commerce and our society, as we can see today, is
changing so quickly that if we use something like the FTC
Safeguards Rule, which requires companies to use reasonable
precautions depending on type of company they are, the
sensitivity of the data, the surrounding circumstances, is
likely the best way to deal with this problem on a broader
basis.
    Senator Reed. Thank you, Madam Chairman.
    Ms. Majoras. You are welcome.
    Chairman Shelby. Senator Dole.

              STATEMENT OF SENATOR ELIZABETH DOLE

    Senator Dole. Mr. Chairman, I ask unanimous consent that my
statement go in the record, please.
    Chairman Shelby. Without objection, it is so ordered.
    Senator Dole. Madam Chairwoman, let me ask you about your
testimony where you mention reasonable procedures to ensure
that a credit reporting agency supply consumer reports only to
those with an FCRA-sanctioned permissible purpose. Could you
tell the Committee what the FTC considers to be a reasonable
procedure?
    Ms. Majoras. Fortunately, the FCRA then goes a little
beyond requiring reasonable procedures and then imposes some
very specific requirements. So, for example, before companies
subject to the FCRA release the type of information covered by
that statute, they must get certification from the user that it
will be used for a permissible purpose. And they also have to
take reasonable steps to verify that.
    Now, those reasonable steps have included things like
making on-site visits to companies to make sure that they are
actually legitimate businesses who are using this information
for legitimate purposes under the statute.
    Senator Dole. So this reasonable procedure standard would
work well for consumers, and do you think in any way that
Congress should consider strengthening it?
    Ms. Majoras. We think it is a reasonable standard for
ensuring that consumer reports are provided only to those who
have a permissible purpose, and the reason is it is flexible
enough to apply to all types of businesses who have this
sensitive information and so that it can be tailored according
to the sensitivity of the information as well. So, yes, we
actually think this would be a reasonable way to proceed.
    Senator Dole. Thank you, Mr. Chairman.
    Chairman Shelby. Thank you.
    Senator Schumer.

            STATEMENT OF SENATOR CHARLES E. SCHUMER

    Senator Schumer. Thank you, Mr. Chairman, and I appreciate
very much your having this hearing, and I know your interest in
this issue, which is mine as well, from being a Member of this
Committee as well as the Judiciary Committee. And I look
forward to working with you to help solve this kind of problem.
    Let me say, Mr. Chairman, that identity theft costs
businesses millions of dollars each year because criminals use
false pretenses to purchase goods, leaving businesses to foot
the bill. Identity theft costs consumers and businesses an
estimated $5 billion a year, and, in addition, the typical
identity theft victim has to spend about 175 hours to clear up
his or her credit report.
    Identity theft is skyrocketing. Every year it gets much
worse and yet we are doing very little about it. Our laws are a
patchwork quilt of State and Federal laws that, frankly, do not
do the job.
And if we do nothing, this is going to almost
envelop crime-fighting in America. It is the crime of choice
these days.
    What bank robbery was to the Depression Era, identity theft
is to the Information Age.
    My point is that we in Congress need to learn the lessons
of ChoicePoint, LexisNexis, Westlaw, and so many other
companies, all of whom seem to feel that your personal
information was their domain to do with whatever they chose. We
need to replace the current patchwork of State and Federal laws
with a real security blanket, one that protects privacy, keeps
Social Security numbers private, and prevents fraud and identity
theft.
    Right now, Mr. Chairman, there is no arm of the Federal
Government that has clear jurisdiction over online and off-line
identity theft. Companies seeking to obtain personal data from
customers are subject to few, if any, limitations. I am utterly
amazed at how companies allow anyone to get hold of this
information and even let almost anyone work within them. You
know, it is like not having background checks for people
working at Fort Knox.
    And, finally, customers have no idea if or when a company
might transfer personal data to a third party. Too many
consumers are entrusting their information to companies for
safekeeping, only to have it sold away for the highest dollar,
often in the dark of night.
    We learned this even here in the Senate with Westlaw, where
just about anyone on the Senate staff with no background check,
interns or anybody else, could get 95 percent of all Americans'
Social Security numbers. No questions asked. That was on our
Senate server until we brought this to the public's attention,
and now they have blocked out the last four numbers.
    Mr. Chairman, we have to do something about this. We have
to stop malicious companies conning consumers out of their
information with privacy policies that are impossible to
understand. Often all of those lines of legalese mean only one
thing. You get all these pages, and what they basically are
saying is we will sell your personal information to whomever we
want, whenever we want. And this has to stop.
    To plug these loopholes, I will be introducing
comprehensive identity theft legislation in the near future
which would, Mr. Chairman, create an Office of Identity Theft
in the FTC to have jurisdiction over companies that lawfully
acquire and keep personal consumer data. It will also create a
Schumer box to be posted on any website that seeks to request
personal information from a customer. In that box, companies
would give a clear warning in simple language to consumers if
they plan to sell their information. This is like the Schumer
box that we successfully did for credit cards, and it helped
bring down credit card interest rates. It was clear and simple
and it was required to be published.
    And, finally, we are going to force companies to
demonstrate a need for customers' personal information before
requiring it from them, as well as making sure that those who
handle the information are carefully screened. It is high time
for Congress to fill the breach that hackers, thieves, and the
Internet have combined to create, leaving consumers vulnerable
and costing our economy billions. Again, I want to ask my
friend from Alabama, the Chairman of this Committee, who has
been a thoughtful and persistent advocate for privacy--I
remember this from all the banking bills we worked on
together--to work with us to create a bipartisan, comprehensive
piece of legislation that will really get to the heart of the
information epidemic.
    With that, I have a couple of questions for our witness.
For years the FTC has built the expertise to address consumer
issues in a variety of industry sectors. When Congress, for
instance, enacted the Fair Credit Reporting Act, the FTC built
on that expertise to examine abuses in the credit card
industry.
    Beyond the dissemination of helpful hints, which is what
you have done so far, does the FTC have sufficient jurisdiction
to examine identity theft allegations?
    Ms. Majoras. Thank you, Senator Schumer. We have
jurisdiction to examine some of them. Now, remember that
identity theft itself is a crime, and the FTC does not have
criminal jurisdiction. So that is number one.
    On the civil side, however, we have authority to enforce
the FCRA when the information that is being provided is subject
to that statute. We have some authority over some financial
institutions who are subject to Gramm-Leach-Bliley. And, of
course, we have Section 5 of the FTC Act, in which we can
attack deceptive or unfair conduct and which we have done in
the area of information security several times recently.
    Chairman Shelby. But DSW, the store, that has thousands of
lines of personal data. Do you have jurisdiction over how they
handle that data, whether they can sell it, what they do with
it?
    Ms. Majoras. I have to be careful about talking about any
particular company.
    Senator Schumer. Okay. Let us take a hypothetical shoe
store that kept a lot of people's data.
    [Laughter.]
    Ms. Majoras. Thank you, Senator. Under Section 5 of the FTC
Act, we can take a look at security measures that companies
have in place, which we already have done in some cases,
and----
    Senator Schumer. But isn't Section 5 a fraud provision?
    Ms. Majoras. It is.
    Senator Schumer. So let's say they attached--when you
signed out to buy shoes at this hypothetical shoe store, there
was something in small little language way at the back that
said, hey, we can sell your information to whomever we want.
They wouldn't be committing fraud. What would give you the
jurisdiction?
    In other words, I think the jurisdiction has to go--
notification is important, but it goes beyond that in this
modern world we are in.
    Ms. Majoras. Well, and I am not suggesting, Senator, that
some other tools would not be useful, both in the area of
security and in the area of notice, as I said in my testimony.
But we do think--yes, it is true, the five cases we brought
under the FTC Act so far have been instances in which companies
have told consumers we are protecting your data and then they
did not. So you are right. That was the deception we attacked.
    But, in addition, it might be possible, depending on the
egregiousness and the circumstances, to use the Unfairness
Doctrine to attack some of these practices.
    Senator Schumer. Right. Let us take--well, you do not want
to talk about a specific case. Aren't there many instances
where this hypothetical company would not really need the
customer's Social Security number but would ask for the purpose
of selling it?
    Ms. Majoras. Sometimes we have seen instances where out of
habit, for example, Social Security numbers are requested when
they are not needed. Now, sometimes they are needed. They are
used for matching. They are used for matching so that the right
consumer is matched with the right information.
    Senator Schumer. Got you. Okay. Are we making it too easy
for companies to collect and disseminate this information in
the first place? What is your judgment on that?
    Ms. Majoras. I am not sure how--are we making it too easy?
    Senator Schumer. Or is it too easy? Not are we making it.
Is it too easy is a better way to ask the question.
    Ms. Majoras. Right. Data brokers, in particular, collect
information from many sources, including many publicly
available sources.
    Senator Schumer. Right.
    Ms. Majoras. And lots of public records information.
They \nthen do get nonpublic information as well. Now, why do they get \nit and why do they sell it? Because there is a market need for \nit.\n    Senator Schumer. No question.\n    Ms. Majoras. So that is why they do it. So it is easy for \nthem to get it. I think that what we really should be looking \nat is how they secure the data and making sure they secure it, \nbecause there are a lot of beneficial uses to this information, \nSenator, things that consumers have come to count on.\n    Senator Schumer. No one is saying that there should be no \ndata held by anybody, and it is even a difficult question to \nsay should you need the permission of the person. But we are \nthe opposite. We are in the Wild, Wild West here where they can \ncollect the information from legal and/or public and nonpublic \nsources. And they can use it in just about any way they choose. \nAnd we have seen just in the last month, almost every third day \nyou see another major example of data theft, identity theft. So \nwe clearly have to change the law. Don't you agree with that?\n    Ms. Majoras. We think that we should look at a broader \nsecurity standard that is not--as you say, we have a patchwork \nin the law today.\n    Senator Schumer. Right.\n    Ms. Majoras. And so it depends on how this information is \nused and what kind of company, whether it is a financial \ninstitution and so forth. And we think if you look at the \napproach we have taken under Gramm-Leach-Bliley at the FTC with \nour Safeguards Rule, where we require companies to have \nreasonable procedures--and what does that mean? It means you \nhave to look at the sensitivity of the data. You have to look \nat what it is used for and develop security procedures that \nwill protect the type of data that is being collected.\n    Senator Schumer. Was ChoicePoint under your jurisdiction \nunder Gramm-Leach-Bliley?\n    Ms. Majoras. It depends on whether it is a financial \ninstitution.\n    Senator Schumer. 
I understand.\n    Ms. Majoras. And that is an issue we are looking at in the \ninvestigation.\n    Senator Schumer. Well, haven't you then answered my \nquestion?\n    Ms. Majoras. But also, as we understand it----\n    Senator Schumer. Wait, wait. Madam Chairman, if you cannot \nanswer yes or no succinctly whether ChoicePoint, one of the \nmost major data collection companies in the country, is under \nyour jurisdiction or not, don't you think we need to tighten \nthis up?\n    Ms. Majoras. I think they are potentially under three \nstatutes, but because we are--as they have acknowledged \npublicly, because we are investigating them, I am just being \nultra-cautious.\n    Senator Schumer. But that is a different question as to \nwhat the investigation reveals about what they did. \nJurisdiction is a separate issue. Isn't the law kind of vague? \nI mean, in certain places under Gramm-Leach-Bliley, it is \nclear. A bank.\n    Ms. Majoras. Right. That is right.\n    Senator Schumer. With many of these others, it is not clear \nat all. And my guess is, if the company is this hypothetical \nshoe company, you do not have jurisdiction unless fraud comes \nto your attention right away. But you would not have \njurisdiction barring fraud to set standards right now. Is that \ncorrect?\n    Ms. Majoras. We think it is broader than that under Section \n5, Senator. But I absolutely agree with you that this is a \ncomplicated maze and that there is not one place to go to say \nyes, this practice, whether it is by ChoicePoint or anyone \nelse, unless, as you say, it is bank, is absolutely subject to \nthis statute. We are piecing together three statutes----\n    Senator Schumer. Right. So, therefore, we need some \nchanges, correct?\n    Ms. Majoras. Security and notice, yes.\n    Senator Schumer. Yes, okay. Let us see.\n    Let me ask you this: Would it help consumers if companies \nwere required to notify their customers before transferring \ntheir data to a third party? 
I did not specify the type of
notification. It could be specific--we are giving this data to
whom, or it could be in general--be careful, your data could be
disseminated. Would that be a good idea, bad idea, neutral, in
your opinion?
    Ms. Majoras. It all depends on the database. There are some
databases that are used to go after people who have committed
fraud. And, of course, we would not want to tell them in
advance we are looking at you, or personal information to try
to find you because you have victimized other consumers.
    Senator Schumer. Let us say I sign up for a loan at the
bank. Would it not be a good idea to tell somebody, to tell me
this information you are giving us might be disseminated to
other people; we even might sell it.
    Ms. Majoras. Yes. And for a bank, we have that under
Gramm-Leach-Bliley and we have an opt-out provision.
    Senator Schumer. Right. Exactly. And what if it is a
nonbank that sells a good? Why would we not want to do that to
them? It is a nonfinancial institution.
    Ms. Majoras. Again, it just depends on what they are using
the information for.
    Senator Schumer. It is a hypothetical shoe company.
    Ms. Majoras. Well, it is a hypothetical shoe company who is
going to sell what kind of information?
    Senator Schumer. Well, you know----
    Ms. Majoras. I mean, most certainly, Senator, if they were
going to sell credit card information, then by all means.
    Senator Schumer. Okay, good. I was not referring to shoe
size. I do not know: Give me a list of all the Size 8-D's in
Kansas. I was not quite thinking of that.
    Ms. Majoras. Well, sometimes marketing information is what
we are talking about.
    Senator Schumer. Okay. So in general, notification would be
a good idea, except there would have to be outlier situations,
fraud and things like that. General notification.
    Ms. Majoras. I think there are a number of situations in
which notification might not be the best course.
    Senator Schumer. Okay. I do not want to ask you about the
ChoicePoint. That is not really your jurisdiction, right, the
ChoicePoint executive officers? This is more SEC, from what
they did. Or are you looking into that as well?
    Ms. Majoras. We are investigating ChoicePoint.
    Senator Schumer. No, that I know. Okay.
    I think I am finished with my questions, Mr. Chairman.
    Chairman Shelby. Thank you, Senator Schumer.
    Madam Chairman, we look forward to working with you. We
appreciate your appearance here today. There are some things
that we might work together to tighten up in this area, and we
will be awaiting your investigation.
    Ms. Majoras. Thank you very much, Mr. Chairman. Thank you,
Senator Schumer.
    Chairman Shelby. Our third panel consists of Mr. Larry
Johnson, Special Agent in Charge, Criminal Investigative
Division, U.S. Secret Service; Ms. Amy Friend, Assistant Chief
Counsel, Office of the Comptroller of the Currency.
    If you two would come to the table. Both of your written
testimony will be made part of the record in its entirety.
    Mr. Johnson, we will start with you. Welcome to the
Committee.

      STATEMENT OF LARRY JOHNSON, SPECIAL AGENT IN CHARGE

      CRIMINAL INVESTIGATIVE DIVISION, U.S. SECRET SERVICE

    Mr. Johnson. Thank you, Mr. Chairman, and Members of the
Committee.
    In addition to providing the highest level of physical
protection to our Nation's leaders, the Secret Service
exercises broad investigative jurisdiction over a wide variety
of financial crimes. As the original guardian of our Nation's
financial payment systems, the Secret Service has a long
history of protecting American customers and industry from
financial fraud.
With the passage of the new Federal laws in
1984, the Secret Service was provided primary authority for the
investigation of access-device fraud, including credit card and
debit card fraud, and parallel authority with other law
enforcement agencies in identity crime cases.
    In recent years, the combination of the information
revolution, the effects of globalization, and the rise of
international terrorism have caused the investigative mission
of the Secret Service to evolve dramatically. The explosive
growth of these crimes has resulted in the evolution of the
Secret Service into an agency that is recognized worldwide for
its expertise in the investigation of all types of financial
crimes. Our efforts to detect, investigate, and prevent
financial crimes are aggressive, innovative, and comprehensive.
    The expanding use of the Internet and the advances in
technology, coupled with increased investment and expansion,
has intensified competition within the financial sector. With
the lower costs of information processing, legitimate companies
have found it profitable to specialize in data mining, data
warehousing, and information brokerage. Information collection
has become a common by-product of the new, emerging e-commerce.
Internet purchases, credit card sales, and other forms of
electronic transactions are being captured, stored, and
analyzed by businesses seeking to find the best customers for
their products.
    This has led to a new measure of growth within the direct
marketing industry that promotes the buying and selling of
personal information. In today's market, consumers routinely
provide personal and financial identifiers to companies engaged
in business on the Internet. They may not realize that that
information provided in credit card applications, loan
applications, or with merchants they patronize are valuable
commodities in this new age of information trading.
Customers
may even be less aware of the legitimate uses to which this
information can be utilized.
    This wealth of available personal information creates a
target-rich environment for today's sophisticated criminals,
many of whom are organized and operate across international
borders. But legitimate businesses can provide a first line of
defense against identity crime by safeguarding the information
it collects. Such efforts can significantly limit the
opportunities for identity crime, even while not eliminating
its occurrence altogether.
    The methods of identity theft utilized by criminals vary.
Low-tech identity criminals obtain personal and financial
identifiers by going through commercial and residential trash,
a practice known by the Secret Service as ``dumpster diving.''
The theft of wallets, purses, and mail is also a widespread
practice employed by both individuals and organized groups.
With the proliferation of computers and increased use of the
Internet, high-tech identity criminals began to obtain
information from company databases and websites. In some cases,
the information obtained is in the public domain, while in
others it is proprietary and is obtained by means of computer
intrusion or by means of deception, such as phishing,
Web-spoofing, or even social engineering.
    The method that may be most difficult to prevent is theft
by a collusive employee. Individuals or groups who wish to
obtain personal or financial identifiers for a large-scale
fraud ring will often pay or extort an employee who has access
to this information through their employment at workplaces such
as billing centers, financial institutions, medical offices, or
Government agencies. Once the criminal has obtained the
proprietary information, it can be exploited by creating false
breeder documents, such as birth certificates or Social
Security cards.
These documents are then used to obtain genuine
false identification such as driver's licenses and passports.
Now the criminal is ready to use the illegally obtained
personal information to apply for credit cards, consumer loans,
or establish bank accounts, leading to the laundering of stolen
or counterfeit checks or to conduct a check-kiting scheme.
    I would like to talk a little bit, Mr. Chairman, about
agency coordination. It has been the Secret Service's
experience that the criminal groups involved in these types of
crimes routinely operate in a multijurisdictional environment.
This has created problems for law enforcement agencies that
generally act as first responders to criminal activities. By
working closely with other Federal, State, and local law
enforcement, as well as international police agencies, we are
able to provide a comprehensive network of intelligence
sharing, resource sharing, and technical expertise that bridges
jurisdictional boundaries.
    This partnership approach to law enforcement is exemplified
by our financial and electronic crimes task forces located
throughout the country. These task forces primarily target
suspects and organized criminal enterprises engaged in
financial and electronic criminal activity that fall within the
investigative jurisdiction of the Secret Service. The members
of these task forces, who include representatives from State
and local law enforcement, prosecutors' offices, private
industry, and academia, pool their resources and expertise into
a collaborative effort to detect and prevent electronic crimes.
The value of this crime-fighting and crime-prevention model has
been recognized by Congress, which authorizes Secret Service
pursuant to the USA PATRIOT Act of 2001 to expand our
electronic crimes task forces to cities and regions throughout
the country.
    Finally, the best example of agency cooperation came in
October 2004, when the Secret Service arrested 30 individuals
across the United States and abroad for credit card fraud,
identity theft, computer fraud, and conspiracy. These suspects
were part of a multicount indictment out of the District of New
Jersey and were involved in a transnational cyber-organized
crime underground network that spanned around the world. In
addition to the 30 arrests, 28 search warrants were served
simultaneously across the United States. Internationally, 13
search warrants were served in 11 different countries in
conjunction with the Secret Service-led investigation.
    This case began in July 2003, when the Secret Service
initiated an investigation involving global credit card fraud
and identity fraud. Although the catalyst for the crime came
from a more traditional crime of access-device fraud, the case
evolved into a very technical transnational investigation. Much
of the aforementioned criminal activity primarily occurred over
the Internet. After the initial acts of fraud, suspects would
exchange contraband, for example, counterfeit credit cards,
counterfeit driver's licenses, et cetera. This case, entitled
Operation Firewall, developed into a multilateral effort
involving 18 Secret Service domestic offices and 11 foreign
countries. As the lead investigative office, the Secret Service
Newark Field Office conducted a complex undercover operation
involving the first-ever wiretap of a computer network.
    Mr. Chairman, that concludes my oral comments.
    Chairman Shelby. Thank you.
    Ms. Friend.

      STATEMENT OF AMY S. FRIEND, ASSISTANT CHIEF COUNSEL,

           OFFICE OF THE COMPTROLLER OF THE CURRENCY

    Ms. Friend. Thank you, Mr. Chairman.
    The OCC appreciates the opportunity to testify about a
subject that is essential to the integrity of the relationship
between a bank and its customers--a bank's ability and legal
obligation to safeguard customer information. We commend the
Committee's leadership in addressing this important subject.
    It is a matter of primary importance to the OCC, as it is
to the Committee, that national banks have adequate procedures
in place to safeguard customer information. Safeguarding
customer information is critical to protecting consumers and
maintaining the safe and sound operations of a bank. For that
reason, information security has been a part of our overall
exam process for years.
    More recently, the OCC has been examining for and enforcing
compliance with the information security guidelines that we
issued under the Gramm-Leach-Bliley Act. Section 501 states
that each financial institution has an affirmative and
continuing obligation to protect the security and
confidentiality of customer information. It further directs
Federal regulators to establish standards for financial
institutions relating to the administrative, technical, and
physical safeguards of customer information.
    To carry out this broad mandate, the Federal banking
agencies issued enforceable guidelines in 2001 that require
each bank to have a comprehensive written information security
program. Under the guidelines, a bank must first assess the
risks both to its customer information and to any methods that
the bank uses to access, collect, store, use, transmit,
protect, or dispose of its customer information. The bank must
then design its information security program to control these
risks.
    A bank's information security program must not be static.
Banks must continuously test their programs and adjust them to
address new threats to customer information, changes in
technology, and new business arrangements.
    OCC examiners review national banks' information security
programs. Typically, an examiner will assess the overall
adequacy of a bank's security program, as well as specific
components of that program. An examiner will consider whether
the bank has sufficiently identified the risks to its customer
information and then implemented an effective program to manage
and control those risks.
    But from time to time, things can go wrong, and customer
information may be compromised even though a bank has an
information security program in place. Where the OCC finds that
a bank or its employees or a bank's service provider is at
fault, the OCC can bring an enforcement action. The OCC, in
fact, has taken a number of enforcement actions to enforce
compliance with the security guidelines. We have required banks
to improve their systems and controls and to notify their
customers where warranted.
    We believe that a key element of a bank's duty to protect
customer information against unauthorized access and use is
appropriate notification to customers of security breaches that
would compromise their confidential information. Armed with
notice, bank customers may take steps to protect their
information from misuse, such as by placing fraud alerts on
their credit reports.
    The information security guidelines, however, do not
specifically require banks to notify their customers about
security breaches. Therefore, in 2003, the OCC and the other
Federal banking agencies took the initiative to propose
guidance to address this. I am pleased to inform the Committee
that, after considering numerous public comments on this
proposal, the agencies have just reached an agreement on this
guidance.
The OCC signed off on the final guidance earlier this
week, and the other agencies are currently in the midst of
their individual agency approval processes. Once this guidance
becomes final, we expect immediate compliance.
    The OCC will consider a bank's failure to follow the final
guidance as a violation of the underlying security guidelines.
We have a number of remedies at our disposal, including the
ability to compel a bank to provide notice to customers about a
security breach involving their personal information.
    Mr. Chairman, the Gramm-Leach-Bliley Act gave the
regulators the direction and important authority to establish
information security standards for use by the institutions we
regulate. The OCC has found this authority to be well-suited to
address the evolving information security challenges that we
face. We are committed to using this authority to assure that
national banks have adequate procedures in place to safeguard
their customers' information.
    Thank you, and I am pleased to answer any questions.
    Chairman Shelby. Thank you.
    Special Agent Johnson, what trends are you seeing, from
your perspective, with respect to the level of the
sophistication of the identity thieves? Specifically, do the
recent incidents reveal that they are now systematically
targeting major data sources--banks and so forth? Can you speak
to that?
    Mr. Johnson. Yes, Mr. Chairman. We are seeing, like my oral
testimony, 5 to 6 years ago we saw more low-tech identity theft
type of crimes, which evolved into a little more technical with
skimming--waiters in restaurants taking your credit card and
swiping it through a skimmer which downloads that information
and is used. So it is individual. We are now seeing much more
intrusions into financial institutions, data brokerages, where
thousands and thousands of either credit card access devices
are stolen or personal identifiers.
And then it is sold on the
Internet at some of these websites that pop up daily.
    We see other developments into key loggers, keystroke
loggers, that are able to record information by keystroke, or
even key logger situations on telephones that can download
telephone information.
    Chairman Shelby. Sophisticated.
    Mr. Johnson. Yes, sir.
    Chairman Shelby. How adaptive are these kinds of criminals?
Do they probe for vulnerabilities everywhere?
    Mr. Johnson. Yes, Mr. Chairman. Also, 5 to 10 years ago
most hackers saw intruding into a financial institution as a
challenge, without criminal intent. Now, with the success of
selling this information and gaining monetary means, they have
profited, so it has evolved into----
    Chairman Shelby. They see gold there, don't they?
    Mr. Johnson. Yes, sir.
    Chairman Shelby. Okay. What would be your best guess, if
you had a guess, as to who their next target might be, these
sophisticated criminals? Anything dealing with electronics,
anything----
    Mr. Johnson. What I can comment on is that the Secret
Service, we have analysts, we have agents that, we are looking
for that next trend.
    Chairman Shelby. Anticipation.
    Mr. Johnson. Exactly.
    Chairman Shelby. And you keep that inside of you. Thank
you.
    Ms. Friend, what can a national bank do to protect itself
from large amounts of personally identifiable data that are
compromised at another source?
    Ms. Friend. Are you talking about a situation where a
service provider has bank customer information?
    Chairman Shelby. Yes.
    Ms. Friend. Under our security guidelines, banks are
required to oversee the arrangements that they have with
service providers. There are several aspects to that. Banks
have to use due diligence in selecting a service provider.
Banks, by contract, have to require their service providers to
have safeguards in place to protect bank customer information.
And, if banks determine that their service providers present an
undue risk to them, they have to actively monitor those service
providers.
    Chairman Shelby. I appreciate both of you appearing here,
and we will continue to work this.
    I have just been informed that we are going to have a
series of seven votes beginning in the next few minutes in the
Senate. In light of this, I am going to recess--this will take
two or three hours--I am going to recess the hearing and ask
that the last panel, who have come from far away, probably,
here--and I recognize the inconvenience, but there is not
anything we can do about it--that we get with you and
reschedule. Not you, Ms. Friend and Mr. Johnson, but the
others, the last panel here, ChoicePoint Services, Mr. McGuffy;
Evan Hendricks, Editor and Publisher of Privacy Times; and Ms.
Barbara Desoer, Executive Vice President, Global Technology,
and Service and Fulfillment Executive, Bank of America, that
they reappear before the Committee next week. We hate to do
this, but we have no choice. This issue is too big and too
important not to have you come back.
    But Mr. Johnson and Ms. Friend, we thank you for your
appearance here.
    The hearing is adjourned.
    [Whereupon, at 4:24 p.m., the hearing was adjourned.]
    [Prepared statements supplied for the record follow:]

              PREPARED STATEMENT OF SENATOR JON S. CORZINE

    Mr. Chairman, I want to thank you for holding this hearing on
identity theft and issues related to the security of sensitive consumer
information.
    Your response to this emerging problem and the request for a
hearing submitted last week by Senators Schumer, Stabenow, Reed, and
myself are reflective of the strong leadership both you and Ranking
Member Sarbanes have displayed in response to this growing and
dangerous weakness in our society.
    The importance of this, as we all have heard, has been underscored
recently with news of the information breach of a unit of LexisNexis,
the scandal at data broker ChoicePoint, and the loss by Bank of America
of sensitive information on over one-million individuals, among them
Members of the U.S. Senate--including some Members of this panel.
    These alarming instances are a stark reminder of just how
vulnerable consumers, and each of us, are to having our personal
information fall into the wrong hands--hands of thieves. Personal
information such as our Social Security numbers, driver's license and
auto registration numbers, credit histories, and credit card numbers.
    But equally as alarming as the brashness of identity thieves is
the notion that there are likely other instances of large-scale
identity theft that have never been disclosed to the public.
    Mr. Chairman, identity theft is on the rise and is now our Nation's
fastest growing consumer crime. According to the Federal Trade
Commission, nearly 10 million Americans were the victims of identity
theft in 2003, three times the number of victims just 3 years earlier.
Research shows that there are little more than 13 identity thefts every
minute.
    It is a crime that harms our economy in the form of lost
productivity and capital. Aggregate estimates of the costs of identity
theft are hard to quantify--a problem in itself.
According to the
Identity Theft Resource Center, identity theft victims spend on average
nearly 600 hours recovering from the crime. Additional research
indicates the costs of lost wages and income as a result of the crime
can soar as high as $16,000 per incident.
    Technological innovation has brought about a data revolution that
most consumers have benefited from through efficiency, expanding
access, product marketing, and lowered costs. And it has spurred the
creation of an entire industry of data collectors and brokers who
profit from the packaging and commoditization of one's personal and
financial information.
    But regrettably, this technology has also provided identity thieves
with an attractive target, and relative anonymity, with which to ply
their sinister trade.
    So what can we do?
    Well, for starters, Mr. Chairman, Congress must recognize the
severity of this problem and stop trying to address identity theft in a
piecemeal fashion or ignore its reality.
    It is ironic that we are holding this hearing today--the same day
that the full Senate is likely to pass a Bankruptcy bill intended to
protect credit card companies and other financial entities from
consumers--but we have yet to act on comprehensive legislation aimed at
protecting consumers from having their personal and financial
information lost or stolen from those very same credit card companies
and financial institutions.
    Next week, I plan to introduce the Identity Theft Prevention and
Victim Notification and Assistance Act. The bill takes a comprehensive
approach to the problem of identity theft--better oversight, strong
standards aimed at preventing identity theft, victim notification and
assistance, and tough enforcement by Federal regulators.
    The legislation improves oversight by establishing the Federal
Trade Commission as the primary regulator of nonfinancial third party
data collectors.
It also authorizes the FTC to write rules requiring
firms to ensure the accuracy, security, and integrity of sensitive
personal information, and to consider applying the security and
personal information safeguard provisions of the Gramm-Leach-Bliley and
Fair Credit Reporting Acts to these entities.
    The bill would enhance identity theft prevention by requiring all
companies that maintain sensitive personal information to establish
security systems that safeguard that information. The safeguards would
have to be in compliance with minimum standards established by Federal
regulators, and the company's chief compliance officer, or CEO, would
have to personally attest to the fact that those safeguards are in
place and being monitored on an ongoing basis.
    The legislation would also help identity theft victims protect
themselves--by requiring companies to immediately notify affected
customers, Federal regulators, credit reporting agencies, and law
enforcement when the breach or loss of sensitive customer information
has occurred in a manner that could lead to identity theft. This should
not be voluntary on the part of the data broker, bank, or credit card
company.
    Mr. Chairman, this measure is similar to an amendment I offered
during the Committee's consideration of the Fair Credit Reporting Act
reauthorization bill over a year ago. The provision was dropped due to
opposition from the financial services industry and some
regulators--including the Office of the Comptroller of the Currency
(OCC), which is among the witnesses testifying before us. I hope the
reality and severity of the identity theft issue has moved these bodies
to a changed view.
    Mr. Chairman, notification is vital, because as many as 85 percent
of all identity theft victims find out about the crime only when they
are denied credit or employment, contacted by the police, or have to
deal with collection agencies, credit cards, and bills.
    I would point out that the only reason the ChoicePoint scandal
became public was the fact that the company was required to notify the
public under California law, the only breach notification law of its
type in the Nation.
    Finally, the legislation includes tough enforcement measures and
will allow civil action to be taken by individuals, and State AG's, for
violations of this Act that result in identity theft.
    I urge my colleagues to support this vitally needed legislation.
    In closing, Mr. Chairman, I want to again thank you for your
leadership on this important issue. I thank you for holding this
hearing and I welcome all of our witnesses.

                               ----------

              PREPARED STATEMENT OF SENATOR ELIZABETH DOLE

    Identity theft is often cited as the fastest growing crime in the
Nation. According to Federal Trade Commission estimates, approximately
10 million Americans are victimized by identity thieves every year at a
cost of an astonishing $50 billion. And this number is a conservative
estimate. Precise statistics are not available to properly gauge the
full extent of the problem, since some 40 percent of identity theft
cases are believed to involve friends or family members and are never
reported.
    Today, we will examine two recent incidents in which the sensitive
personal information of Americans may have been compromised. The first
involves ChoicePoint, a company that provides credit information to
businesses. A ring of Nigerian identity thieves posing as a collection
agency fraudulently obtained sensitive personal information from
ChoicePoint.
The second incident involves Bank of America's data tapes
that were lost while in transit to a backup storage facility.
    We in this Committee and in the Senate as a whole are justifiably
concerned about how these situations will be resolved. In the
near-term, I applaud Bank of America for their efforts to promptly
inform authorities and concerned customers of the missing backup tapes.
I am relieved to learn that, according to representatives of the bank,
there have been no reports of fraud on any of the accounts in question
in the 2 months since the loss of these tapes.
    Fighting fraud and protecting the security of personal information
is a concern that unites financial institutions and consumers. Each
group is harmed by the fraudulent use of personal information.
Financial institutions are usually liable for any losses suffered as a
result of the fraud, and their customers may be less willing to utilize
their services for fear of fraud. Consumers are harmed by the
insecurity, inconvenience, and loss resulting from fraud. Consumers
also suffer from the fact that at least a portion of financial
institutions' fraud losses can be expected to be passed on to consumers
in the form of higher prices. There can be no doubt that when fraud is
committed, every law-abiding citizen loses.
    I am proud of the work that this Committee undertook in 2003 when
we designed and approved the so-called ``FACT Act,'' which gave
consumers powerful new tools to detect and prevent identity theft. By
ensuring access to free yearly credit reports, allowing consumers to
place ``fraud alerts'' on their credit reports, and placing meaningful
new obligations on financial institutions to prevent identity theft,
this Committee made significant strides toward closing the loopholes
that identity thieves exploit.
I am confident that we will continue to close these loopholes
until identity theft is no longer a growth industry for criminals.
    I would like to thank our witnesses for taking the time to join us
here today to discuss these issues. And I would like to thank the
Chairman for the attention he is giving to resolving issues of such
importance to all Americans.

<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>


                  PREPARED STATEMENT OF LARRY JOHNSON

        Special Agent in Charge, Criminal Investigative Division
                          U.S. Secret Service
                             March 10, 2005

    Good afternoon, Chairman Shelby. I would like to thank you, as well
as the distinguished Ranking Member, Senator Sarbanes, and the other
Members of the Committee for providing an opportunity to discuss the
subject of information security, and the role of the Secret Service in
safeguarding our financial and critical infrastructures.
Background
    In addition to providing the highest level of physical protection
to our Nation's leaders, the Secret Service exercises broad
investigative jurisdiction over a wide variety of financial crimes. As
the original guardian of our Nation's financial payment systems, the
Secret Service has a long history of protecting American consumers and
industry from financial fraud. With the passage of new Federal laws in
1982 and 1984, the Secret Service was provided primary authority for
the investigation of access device fraud, including credit and debit
card fraud, and parallel authority with other law enforcement agencies
in identity crime cases. In recent years, the combination of the
information revolution, the effects of globalization and the rise of
international terrorism have caused the investigative mission of the
Secret Service to evolve dramatically.
The explosive growth of these
crimes has resulted in the evolution of the Secret Service into an
agency that is recognized worldwide for its expertise in the
investigation of all types of financial crimes. Our efforts to detect,
investigate, and prevent financial crimes are aggressive, innovative,
and comprehensive.
    After 138 years in the Department of the Treasury, the Secret
Service transferred to the Department of Homeland Security (DHS) in
2003 with all of our personnel, resources, and investigative
jurisdictions and responsibilities. Today, those jurisdictions and
responsibilities require us to be involved in the investigation of
traditional financial crimes as well as identity crimes and a wide
range of electronic and high-tech crimes.
    The expanding use of the Internet and the advancements in
technology, coupled with increased investment and expansion, has
intensified competition within the financial sector. With lower costs
of information-processing, legitimate companies have found it
profitable to specialize in data mining, data warehousing, and
information brokerage. Information collection has become a common
by-product of newly emerging e-commerce. Internet purchases, credit
card sales, and other forms of electronic transactions are being
captured, stored, and analyzed by businesses seeking to find the best
customers for their products. This has led to a new measure of growth
within the direct marketing industry that promotes the buying and
selling of personal information. In today's markets, consumers
routinely provide personal and financial identifiers to companies
engaged in business on the Internet. They may not realize that the
information they provide in credit card applications, loan
applications, or with merchants they patronize is a valuable commodity
in this new age of information trading.
Consumers may be even less aware of the illegitimate uses to
which this information can be put. This wealth of available personal
information creates a target-rich environment for today's sophisticated
criminals, many of whom are organized and operate across international
borders.
    Legitimate business can provide a first line of defense against
identity crime by safeguarding the information it collects and such
efforts can significantly limit the opportunities for identity crime.
    The methods of identity theft utilized by criminals vary. ``Low
tech'' identity criminals obtain personal and financial identifiers by
going through commercial and residential trash, a practice known as
``dumpster diving.'' The theft of wallets, purses, and mail is also a
widespread practice employed by both individuals and organized groups.
    With the proliferation of computers and increased use of the
Internet, ``high-tech'' identity criminals began to obtain information
from company databases and websites. In some cases, the information
obtained is in the public domain, while in others it is proprietary and
is obtained by means of a computer intrusion or by means of deception
such as ``web-spoofing'' or ``phishing.''
    The method that may be most difficult to prevent is theft by a
collusive employee. Individuals or groups who wish to obtain personal
or financial identifiers for a large-scale fraud ring will often pay or
extort an employee who has access to this information through their
employment at workplaces such as a utility billing center, financial
institution, medical office, or Government agency.
The collusive \nemployee will access the proprietary database, copy or download the \ninformation, and remove it from the workplace either electronically or \nsimply by walking it out.\n    Once the criminal has obtained the proprietary information, it can \nbe exploited by creating false ``breeder documents'' such as a birth \ncertificate or Social Security card. These documents are then used to \nobtain genuine, albeit false, identification such as a driver's license \nand passport. Now the criminal is ready to use the illegally obtained \npersonal identification to apply for credit cards or consumer loans or \nto establish bank accounts, leading to the laundering of stolen or \ncounterfeit checks or to a check-kiting scheme. Our own investigations \nhave frequently involved the targeting of organized criminal groups \nthat are engaged in financial crimes on both a national and \ninternational scale. Many of these groups are prolific in their use of \nstolen financial and personal identifiers to further their other \ncriminal activity.\nAgency Coordination\n    It has been our experience that the criminal groups involved in \nthese types of crimes routinely operate in a multijurisdictional \nenvironment. This has created problems for local law enforcement \nagencies that generally act as the first responders to their criminal \nactivities. By working closely with other Federal, State, and local law \nenforcement, as well as international police agencies, we are able to \nprovide a comprehensive network of intelligence sharing, resource \nsharing, and technical expertise that bridges jurisdictional \nboundaries. This partnership approach to law enforcement is exemplified \nby our financial and electronic crime task forces located throughout \nthe country. 
These task forces primarily target suspects and organized \ncriminal enterprises engaged in financial and electronic criminal \nactivity that fall within the investigative jurisdiction of the Secret \nService.\n    Members of these task forces, including representatives from local \nand State law enforcement, prosecutors' offices, private industry, and \nacademia, pool their resources and expertise in a collaborative effort \nto detect and prevent electronic crimes. The value of this crime \nfighting and crime prevention model has been recognized by Congress, \nwhich authorized the Secret Service (pursuant to the USA PATRIOT Act of \n2001) to expand our Electronic Crime Task Forces (ECTF) initiative to \ncities and regions across the country. Additional ECTF's have been \nadded in the last 2 years in Dallas, Houston, Columbia (SC), Cleveland, \nAtlanta, and Philadelphia, bringing the total number of such task \nforces to 15.\n    The Secret Service ECTF program bridges the gap between \nconventional cyber-crimes investigations and the larger picture of \ncritical infrastructure protection. \nSecret Service efforts to combat cyber-based assaults that target \ninformation and communications systems supporting the financial sector \nare part of the larger and more comprehensive critical infrastructure \nprotection and counterterrorism strategy.\n    As part of DHS, the Secret Service continues to be involved in a \ncollaborative effort targeted at analyzing the potential for financial, \nidentity, and electronic crimes to be used in conjunction with \nterrorist activities. The Secret Service takes great pride in its \ninvestigative and preventive philosophy, which fully involves our \npartners in the private sector and academia and our colleagues at all \nlevels of law enforcement, in combating the myriad types of financial \nand electronic crimes. Central to our efforts in this arena are our \nliaison and information exchange relationships with the U.S. 
\nImmigration and Customs Enforcement (ICE), the Department of the \nTreasury, the Department of State, the Federal Bureau of Investigation \nand our Joint Terrorist Task Force participation.\n    The Secret Service is actively involved with a number of \nGovernment-sponsored initiatives. At the request of the Attorney \nGeneral, the Secret Service joined an interagency identity theft \nsubcommittee that was established by the Department of Justice (DOJ). \nThis group, which is comprised of Federal, State, and local law \nenforcement agencies, regulatory agencies, and professional \norganizations, meets regularly to discuss and coordinate investigative \nand prosecutorial strategies as well as consumer education programs.\n    In a joint effort with DOJ, the U.S. Postal Inspection Service, the \nFederal Trade Commission, the International Association of Chiefs of \nPolice, and the American Association of Motor Vehicle Administrators, \nwe are hosting Identity Crime Training Seminars for law enforcement \nofficers. In the last 2 years, we have held seminars in 18 cities \nnationwide including Denver, Colorado; Raleigh, North Carolina; \nOrlando, Florida; Rochester, New York; and Santa Fe, New Mexico. \nIdentity Crime seminars scheduled for the upcoming months include \nBoise, Idaho; Providence, Rhode Island; and Baltimore, Maryland. These \ntraining seminars are focused on providing local and State law \nenforcement officers with tools and resources that they can immediately \nput to use in their investigations of identity crime. Additionally, \nofficers are provided resources that they can pass on to members of \ntheir community who are victims of identity crime.\n    It is through our work in the areas of financial and electronic \ncrime that we have developed particular expertise in the investigation \nof credit card fraud, identity theft, check fraud, cyber crime, false \nidentification fraud, computer intrusions, bank fraud, and \ntelecommunications fraud. 
Secret Service investigations typically focus \non organized criminal groups, both domestic and transnational. As \nSecret Service investigations uncover activities of individuals or \ngroups focusing on doing harm to the United States, appropriate contact \nis immediately made and information is passed to those agencies whose \nprimary mission is counterterrorism.\n    Finally, the best example of interagency and multijurisdictional \ncooperation came on October 24, 2004, when the Secret Service arrested \n30 individuals across the United States and abroad for credit card \nfraud, identity theft, computer fraud, and conspiracy. These suspects \nwere part of a multicount indictment out of the District of New Jersey \nand were involved in a transnational cyber ``organized crime'' \nunderground network that spanned around the world. In addition to the \n30 arrests, 28 search warrants were served simultaneously across the \nUnited States. Internationally, 13 search warrants were served in 11 \ndifferent countries in conjunction with this Secret Service-led \ninvestigation. Central to the success of this operation was the \ncooperation and assistance the Secret Service received from local, \nState, and other Federal law enforcement agencies as well as our \nforeign law enforcement partners and Europol.\n    This case began in July 2003, when the Secret Service initiated an \ninvestigation involving global credit card fraud and identity fraud. \nAlthough the catalyst for the case came from a more ``traditional'' \ncrime of access device fraud, the case evolved into a very technical, \ntransnational investigation. The aforementioned criminal activity \nprimarily occurred over the Internet. After the initial act(s) of \nfraud, suspects would exchange contraband (such as counterfeit credit \ncards and counterfeit driver's licenses). 
This case, entitled Operation \nFirewall, developed into a multilateral effort involving 18 Secret \nService domestic offices and 11 foreign countries. As the lead \ninvestigative office, the Secret Service Newark Field Office conducted \na complex undercover operation involving the first ever wiretap on a \ncomputer network.\n    Chairman Shelby and Senator Sarbanes, this concludes my prepared \nstatement. Thank you again for this opportunity to testify on behalf of \nthe Secret Service. I will be pleased to answer any questions at this \ntime.\n\n                               ----------\n\n                  PREPARED STATEMENT OF AMY S. FRIEND\n   Assistant Chief Counsel, Office of the Comptroller of the Currency\n                             March 10, 2005\n\n    Mr. Chairman, Ranking Member Sarbanes, and Members of the \nCommittee, the OCC appreciates the opportunity to testify today about a \nsubject that is critically important to the integrity of the \nrelationship between a bank and its customers--a bank's ability and \nlegal obligation to safeguard customer information. We commend the \nBanking Committee's leadership in addressing this important subject.\n    It is a matter of primary importance to the OCC, as it is to the \nCommittee, that national banks have adequate procedures in place to \nsafeguard customer information. My testimony will describe the legal \nrequirements on banks to safeguard customer information, the \nexamination process for assessing the adequacy of a bank's security \nprogram, OCC enforcement actions against banks and individuals for \nbreaches of information security, and upcoming interagency guidance \nthat will detail the circumstances under which the Federal banking \nagencies expect institutions to notify their customers of security \nbreaches.\nBackground\n    The OCC routinely examines national banks for the safe handling of \ncustomer information. 
We consider safeguarding customer information to \nbe essential to maintaining the safe and sound operations of a bank. As \na result, information security has been a part of our overall \nsupervisory process for many years. The level and extent of our \nsupervisory review has evolved as bank operations and the technology \nbanks employ have become increasingly complex and sophisticated. The \nOCC has a number of examiners dedicated full-time to conducting \ninformation technology and information security examinations, as well \nas many additional examiners performing these functions for a portion \nof their time.\n    Over the years, the OCC, on its own and in conjunction with the \nother bank regulators, has published guidance and handbooks in this \narea advising banks of our \nexpectations about acceptable risk management processes and procedures \nfor safeguarding information, including in the areas of maintaining, \ntransporting, and disposing of information. Further, OCC examination \nstaff and attorneys participate in interagency coordination meetings \nconcerning information security, such as regularly attending and \nparticipating in the Attorney General's Council on White Collar Crime, \nSubcommittee on Identity Theft.\nInformation Security Guidelines\n    Section 501(a) of the Gramm-Leach-Bliley Act states that each \nfinancial institution has an affirmative and continuing obligation to \nprotect the security and confidentiality of customer information. 
Under \nSection 501(b), the Federal financial \ninstitutions regulators are directed to establish standards for \nfinancial institutions relating to the administrative, technical, and \nphysical safeguards of that information in order to:\n\n<bullet> Ensure the security and confidentiality of customer \n    information;\n<bullet> Protect against any anticipated threats or hazards to the \n    security or integrity of such information; and\n<bullet> Protect against unauthorized access to or use of customer \n    information that could result in substantial harm or inconvenience \n    to any customer.\n\n    To carry out this broad mandate, in February 2001, the OCC and the \nother Federal banking agencies issued standards in the form of \nguidelines, requiring each bank to have a written information security \nprogram designed to meet these statutory objectives.\n    Under these security guidelines, the board of directors must \napprove a bank's written information security program and oversee its \ndevelopment, implementation, and maintenance. The Board must review \nannual reports on the status of the program and the bank's compliance \nwith the guidelines.\n    In developing its information security program, a bank must assess \nthe risks to its customer information and any methods the bank uses to \naccess, collect, store, use, transmit, protect, or dispose of customer \ninformation. A bank must identify reasonably foreseeable internal and \nexternal threats that could result in unauthorized disclosure or misuse \nof its customer information, assess the likelihood and potential damage \nof these threats taking into account the sensitivity of customer \ninformation, and assess the sufficiency of policies, procedures, and \nsystems the bank maintains to control the risks.\n    The bank must then design its information security program to \ncontrol the identified risks. 
Each bank must consider at least the 8 \nspecific security measures set forth in the guidelines and adopt those \nthat are appropriate for the institution. These measures include access \ncontrols on customer information, encryption of electronic information, \nmonitoring systems to detect actual and attempted attacks on customer \ninformation, and response programs that specify actions to be taken \nwhen a bank suspects or detects unauthorized access to customer \ninformation.\n    Each bank must train staff to implement the program and oversee its \narrangements with service providers that have access to bank customer \ninformation. This includes using due diligence in selecting service \nproviders, requiring by contract that service providers implement \nappropriate safeguard measures, and monitoring the activities of \nservice providers where necessary to control the risks the bank has \nidentified that may be posed by the service provider's access to the \nbank's customer information.\n    A bank's information security program must not be static. Banks \nmust routinely test their systems and address any weaknesses they \ndiscover. Banks must adjust their programs to address new threats to \ncustomer information, changes in technology, and new business \narrangements.\nExaminations for Information Security Programs\n    The OCC examines national banks for compliance with the security \nguidelines. In conducting an examination, an examiner will review the \nbank's written information security program and its implementation in \naccordance with interagency examination procedures. 
These procedures \ninclude the following determinations:\n\n<bullet> whether the program is appropriate for the size and complexity \n    of the bank and the nature and scope of its activities;\n<bullet> the degree of the board's involvement in overseeing the \n    program;\n<bullet> the adequacy and effectiveness of the bank's risk assessment, \n    including whether the bank has considered risks to all methods to \n    access, collect, use, transmit, protect, and dispose of \n    information;\n<bullet> the adequacy of the program to manage and control the \n    identified risks, including technical and procedural controls to \n    guard against attacks, encryption standards used, and monitoring \n    systems;\n<bullet> whether staff are adequately trained to implement the security \n    program;\n<bullet> the nature and frequency of tests of the bank's key security \n    controls, the results of these tests, and whether they are \n    conducted or reviewed by independent sources;\n<bullet> the adequacy of measures to oversee service providers; and\n<bullet> whether the bank has an effective process to adjust its \n    information security program as needed to address such matters as \n    new threats, the sensitivity of customer information, technology \n    changes, a bank's changing business arrangements, and outsourcing \n    arrangements.\nOCC Enforcement Actions and Investigative Activities\n    From time to time, things can go wrong and customer information may \nbe compromised despite a bank's information security program. The \nprogram itself may be inadequate, the systems to protect customer \ninformation may be breached, bank employees may not follow the program \nrequirements, or unanticipated risks may arise. An outside service \nprovider that maintains bank customer information on the bank's behalf \nmay face the same issues. 
Where the OCC finds the bank, the bank's \nemployees, or the bank's service provider to be at fault, the OCC can \nbring an enforcement action.\nSupervisory and Enforcement Actions Against Banks\n    The OCC has taken various actions to enforce compliance with the \nsecurity guidelines against banks. In some cases, where the bank had \nnot already done so, the OCC required national banks to notify their \ncustomers of security breaches involving their personal information. In \nanother circumstance, the OCC directed a national bank to revamp its \nemployee screening processes.\n    For example, the OCC issued a cease-and-desist order against a \nCalifornia-based national bank, requiring, among other things, that the \nbank notify customers of security breaches, after the OCC's \ninvestigation revealed that the bank's service provider improperly \ndisposed of hundreds of customer loan files. The OCC also issued a \ncease-and-desist order against the bank's service provider, and \nassessed hundreds of thousands of dollars in civil money penalties \nagainst the bank and its service provider.\n    In another case, the OCC, after investigating allegations of a data \ncompromise by a bank employee, directed a retail credit card bank to \nnotify customers whose accounts or information may have been \ncompromised. The OCC was able to determine that the information was \nused for nefarious purposes, after working collaboratively with the \nFederal Trade Commission to review complaints of identity theft made to \nthe Commission through its Consumer Sentinel Program, of which the OCC \nis an information-sharing member.\n    The OCC also directed a large bank to improve its employee \nscreening policies, procedures, systems, and controls after the OCC \ndetermined that the bank's employee screening practices had \ninadvertently permitted a convicted felon, who engaged in identity \ntheft related crimes, to become employed at the bank. 
Deficiencies in \nthe bank's screening practices came to light through the OCC's review \nof the former employee's activities. OCC examination staff and \nattorneys regularly discuss appropriate employee screening practices \nand processes with national banks.\nInvestigations and Enforcement Actions against Bank Insiders\n    In more than 15 other cases, the OCC has taken enforcement actions \nagainst bank insiders who have breached their duty of trust to \ncustomers, were engaged in identity theft-related activities, or were \notherwise involved in serious breaches or compromises of customer \ninformation. These enforcement actions have included, for example, \nprohibiting individuals from working in the banking industry, personal \ncease and desist orders restricting the use of customer information, \nthe assessment of significant civil money penalties, and orders \nrequiring restitution.\n    For example, after the OCC investigated and determined that a \nColorado-based bank loan officer and loan processing assistant \nmisappropriated customer information and emailed the information to a \nthird party, the OCC prohibited the two individuals from the banking \nindustry, assessed civil money penalties against each, and issued cease \nand desist orders against each that placed restrictions on their future \nuse of customer information.\n    In another matter involving a collections supervisor of a bank, the \nOCC's investigation revealed that the former bank employee \nmisappropriated customer information, created fictitious Paypal payment \naccounts, and then embezzled money from the customers' bank accounts, \nthereafter depositing the money into the fictitious Paypal accounts. 
\nThe OCC prohibited the employee from the banking industry, the employee \npaid tens of thousands in restitution, and the OCC assessed a civil \nmoney penalty against the employee.\n    Many of these data compromise or identity theft cases were \ninitially processed as part of the OCC's Fast Track Enforcement \nProgram, whereby the OCC specifically targets current or former bank \ninsiders for enforcement action based upon criminal authorities' \ndeclining to prosecute. Typically, law enforcement relies upon loss \namounts in deciding whether to prosecute. However, loss amount from \ntheft of customer information is both difficult to quantify and may not \nbe present for the institution from which the information has been \nmisappropriated. In such cases, the OCC has acted to remove wrongdoers \nfrom the industry, and, in appropriate circumstances, ordered \nrestitution and civil money penalties as well. The OCC was also \ninvolved with the recent amendment of the Suspicious Activity Report \n(SAR) form to include a specific check box for identity theft, thereby \nmaking it easier for criminal law enforcement and the Federal banking \nagencies to identify referrals concerning identity theft and data \ncompromise.\nUpcoming Guidance on Response Programs and Customer Notice\n    The OCC believes that notifying customers of a security breach \ninvolving their personal information is a key part of a bank's \naffirmative duty under the security guidelines to protect customer \ninformation against unauthorized access or use. While a bank may \nmonitor a customer's account for suspicious activity following an \nincident of unauthorized access to that customer's information, \nmonitoring will not prevent an identity thief from misusing that \ncustomer's personal information at another institution, such as to open \na new account at a different bank. 
Armed with notice, however, bank \ncustomers may take steps to protect their information from further \nmisuse, such as by placing fraud alerts on their credit reports that \nwill alert other creditors that these individuals may be victims of \nfraud.\n    The information security guidelines, however, do not specifically \nrequire banks to notify their customers in the event of security \nbreaches involving their personal information; therefore, the OCC is \nworking with the other Federal bank regulators to finalize \ninterpretative guidance stating the agencies' expectation that banks \nnotify their customers of security breaches in appropriate \ncircumstances. I am pleased to inform the Committee that, after \nconsidering public comments, the agencies reached an agreement on this \nguidance last week. The Acting Comptroller of the Currency approved the \nguidance on behalf of the OCC earlier this week, and the other agencies \nare now working through their approval processes.\n    The OCC, along with the other banking regulators, took the \ninitiative to propose the guidance in 2003 as an interpretation of the \nsecurity guidelines. Noting that internal and external threats to a \nbank's customer information are reasonably foreseeable, the guidance \nstated that the agencies expect each bank to implement a \nresponse program with specific policies and procedures for addressing \nincidents of unauthorized access to customer information. Specifically, \nthe guidance described the components of a bank's response program. 
It \nstated that a bank should assess the nature and scope of the security \nbreach, take appropriate steps to contain and control the incident to \nprevent further unauthorized access to or use of the customer \ninformation, notify law enforcement and the bank's primary regulator of \nthe incident, and notify customers of the incident when warranted, as \nwell as provide customers with helpful information about how to contact \nthe bank with questions and how to place a fraud alert on consumer \nreports.\n    The guidance provided that customer notice is warranted when the \nsecurity breach involves access to information of the type that could \neasily be misused, such as a customer's Social Security number and \naccount number, which could be used by an identity thief to impersonate \nan individual and take over the customer's account. The guidance stated \nthat banks are expected to notify their customers of the security \nbreach unless they determine that the breach is unlikely to result in \nmisuse of the customer information.\n    In crafting the standard for customer notice, the agencies have \nsought to establish the appropriate threshold for when customers may \nactually benefit from receiving notice. For instance, under the \nproposed guidance, notice would not be warranted where a bank can \nimmediately contain a security breach and establish that the information \nhas not been and is unlikely to be misused. An example of this would be \nwhere a bank determines that customer information was destroyed before \nit could be retrieved or used.\n    The agencies received a number of comments on the proposed guidance \nemphasizing that not every breach of information security will result \nin harm to \ncustomers. 
Commenters stated that providing an overabundance of notices \nto consumers may have unintended consequences, mainly that consumers may \ninitially be alarmed and perhaps monitor or close their accounts, or \nplace a fraud alert on their credit reports, but eventually may be \nlulled into complacency by a proliferation of notices. Moreover, \ncommenters maintained that notifying customers of security breaches in \nevery instance could result in the unnecessary placement of fraud \nalerts on consumer reports and, over time, erode the usefulness of \nfraud alerts. The agencies agree that some potential for misuse of a \ncustomer's information should be present to trigger notice to that \ncustomer.\n    A number of commenters recommended permitting a delay of notice to \ncustomers while a law enforcement investigation is pending to avoid \ncompromising the investigation. California law provides for a delay of \ncustomer notice if the notice would impede a criminal investigation. \nThe agencies have taken into consideration these and other comments in \nfinalizing the guidance.\nEnforcement of Noncompliance with the Guidance\n    The OCC will consider a bank's failure to follow the final guidance \nas noncompliance with the underlying security guidelines. The OCC has \nseveral enforcement \noptions available to address noncompliance. One option is to use the \nsafety and soundness enforcement process provided by Federal law and \nOCC regulations. Under this process, the OCC would issue a notice to \nthe bank detailing deficiencies and requiring the bank to submit a \ncorrective action compliance plan within 30 days. An \nacceptable plan could provide that the bank will adopt measures to \ncorrect deficiencies, including notification to customers and \nrestitution for any loss caused by the bank's conduct. 
If the bank \nfailed to submit an acceptable compliance plan, or failed to materially \ncomply with its compliance plan, the OCC could then issue a Safety and \nSoundness Order. A Safety and Soundness Order is a formal, public \ndocument that is the legal equivalent of a cease-and-desist order. If a \nbank fails to comply with such an order, the order may be enforced in \nFederal District Court and the bank could be assessed civil money \npenalties. The OCC could also choose other enforcement options to \naddress a bank's failure to comply with the guidelines, such as issuing \na cease-and-desist order, or assessing civil money penalties.\nConclusion\n    Mr. Chairman, through the Gramm-Leach-Bliley Act, particularly \nSection 501(b), Congress gave the regulators the direction and \nimportant authority to establish information security standards for use \nby the financial institutions we regulate. The OCC has found this \nauthority to be well-suited to address the evolving information \nsecurity challenges we face. We are committed to using this authority \nto assure that national banks have adequate procedures in place to \nsafeguard their customers' information. Thank you.\n\n\n                  IDENTITY THEFT: RECENT DEVELOPMENTS\n                       INVOLVING THE SECURITY OF\n                     SENSITIVE CONSUMER INFORMATION\n\n                              ----------                              \n\n\n                        TUESDAY, MARCH 15, 2005\n\n                                       U.S. Senate,\n           Committee on Banking, Housing and Urban Affairs,\n                                                    Washington, DC.\n\n    The committee met at 10:13 a.m., in room SD-538, Dirksen \nSenate Office Building, Richard C. Shelby (Chairman of the \nCommittee) presiding.\n\n        OPENING STATEMENT OF CHAIRMAN RICHARD C. SHELBY\n\n    Chairman Shelby. 
The hearing will come to order.
    I apologize to you again about disrupting the hearing the
other day, but when we had seven scheduled votes, I knew you
did not want to come back at 2:00 in the morning. So thank you
for coming again today. I recognize that all of you had to
shuffle your schedules, reshuffle them a great deal to
accommodate the Committee, but this is a very important
subject, and I think it deserves our full time and our
attention.
    Mr. McGuffey, we will start with you. Your written
testimony will be made a part of the hearing record in its
entirety. You proceed as you wish.

                   STATEMENT OF DON McGUFFEY

           VICE PRESIDENT, CHOICEPOINT SERVICES, INC.

    Mr. McGuffey. Thank you, Chairman Shelby, Members of the
Committee, good morning. I am Don McGuffey, Vice President of
ChoicePoint for data acquisition.
    Good morning, I am Don McGuffey, Vice President of
ChoicePoint for Data Acquisition and Strategy. I have been with
the company since its inception in 1997. The Committee has
convened this hearing to address the important issues of
identity theft and the security of sensitive consumer
information. At ChoicePoint, our mission statement recognizes
that in an increasingly risky world, information, through the
use of modern technology, can be utilized to create a safer,
more secure society. We also recognize the limitations of
inappropriate information use as well as the limitations of
technology. We know, and have been painfully reminded by recent
events, that there can be negative consequences to the improper
use of sensitive, personally identifiable data.
    As a company committed to the highest standards of
information security, we recognize that with respect to the
recent events in Los Angeles, we failed to prevent certain
consumer data from being accessed by criminals. For this, we
apologize again to those consumers who have been put
potentially at risk by this fraudulent
activity, and we have and are taking steps to protect them from
actual financial harm. We are also working actively with law
enforcement to bring to justice those individuals who committed
this crime, and we have and will take actions designed to
prevent similar violations from occurring in the future.
    The modern crime of identity theft, whether in the form of
credit card fraud, false business identifications or in other
guises, poses a significant threat to all Americans and we
support this Committee's efforts to address that danger. In my
testimony today, I would like to tell the Committee today about
ChoicePoint, describe for you the recent crime perpetrated in
Los Angeles, tell you about the steps that we have taken to
protect individuals who may have been placed at financial risk
as a result of this crime and what we are doing to diminish the
likelihood of such incidents from occurring in the future. For
example, we recently announced that the company will
discontinue the sale of information products that contain
sensitive consumer data except where there is a specific
consumer-driven transaction or benefit or where the product
supports Federal, State, or local government and law
enforcement purposes.
    Mr. Chairman, ChoicePoint is a leading provider of
identification and credential verification services to
businesses, government, and nonprofit organizations. We have
approximately 5,000 associates in nearly 60 locations.
ChoicePoint provides services to more than 7,000 Federal,
State, and local law enforcement agencies as well as a
significant number of Fortune 500 companies, more than 700
insurance companies and many large financial services
companies. Our goal is to put the positive power of information
to work for society at-large. We at ChoicePoint are proud of
the company's efforts to identify over 11,000 undisclosed
felons among those volunteering or seeking to volunteer with
community organizations and of our role in helping law
enforcement.
    Financial and identity fraud is a rapidly growing and
costly threat to our Nation's economy. While ChoicePoint offers
a large range of tools to help avoid fraud, no one is
immune to it, as other companies and institutions are also
learning. This was underscored by recent events in California,
which I would like to describe in more detail to the Committee.
On September 27, 2004, a ChoicePoint employee became suspicious
while credentialling a prospective small business customer
based in the Los Angeles area. This employee brought his
concerns regarding the application to the ChoicePoint Security
Services Department. After a preliminary review, the manager of
the Security Services Department alerted the Los Angeles County
Sheriff's Department. They decided to initiate an official
investigation and asked for our assistance. That investigation
is still ongoing, and so far has resulted in the arrest and
conviction of at least one individual. As we did in the recent
Los Angeles incident, we have worked with law enforcement on
other occasions of suspicious activity relating to customer use
of our information products. With respect to California, we
have learned that those involved had previously opened
ChoicePoint accounts by presenting fraudulently obtained
California business licenses and fraudulent documents. They
were then able to access information products primarily
containing the following information: Consumer names, current
and former addresses, Social Security numbers, driver's license
numbers, and certain other public record information such as
bankruptcies, liens, and judgments and, in certain cases,
credit reports.
    Based on information currently available, we estimate that
data from approximately 145,000 consumers may have been
accessed as a result of unauthorized access to our information
products. Nearly one quarter of those consumers are California
residents. Since July 2003, California is the only State that
statutorily requires affected consumers to be notified of a
potential breach of personally identifiable information and
authorizes law enforcement officials to delay notification to
allow a criminal investigation to proceed. Last fall, we
received such a request from the Los Angeles County Sheriff's
Department after the issue of consumer notification was
discussed between ChoicePoint and the Department. At that time,
ChoicePoint had not yet reconstructed all the searches required
to identify consumers at risk, and law enforcement officers had
not learned all pertinent details of the crime. Working
cooperatively with the Sheriff's Department and after
completing the necessary reconstruction, we began the process
of notifying consumers last month. We elected to utilize the
California law as a basis for notifying consumers in all
States. Absent specific notification from law enforcement
personnel, affected consumers or others, we cannot determine
whether a particular consumer has been a victim of actual
identity theft. However, law enforcement officials have
informed us that they have identified approximately 750
consumers nationwide where some attempt was made to compromise
their identity.
    Mr. Chairman, our efforts to protect affected individuals
did not stop simply with notification in California. We
notified consumers nationwide and have taken other steps to
assist potentially affected consumers who have been identified to
date. These include providing dedicated toll-free customer
service numbers and a special website to respond to inquiries
and to provide information associated with the tools for which
ChoicePoint has paid; purchasing and providing free of charge a
combined, 3-bureau credit report; purchasing and providing free
of charge a 1-year credit monitoring service; and for anyone
who has suffered actual identity theft from this fraud, we will
provide further assistance to help them resolve any issues from
the identity theft.
    We hope our efforts will help those individuals take steps
to protect their personal data from being used in a criminal
manner. In addition, we have taken steps to minimize the
likelihood of future occurrences of this nature. We have
decided to exit the non-FCRA consumer sensitive data market,
meaning we will no longer sell information products containing
sensitive consumer data, including Social Security and driver's
license numbers, except where there is a specific consumer-
driven transaction or benefit or where the product supports
Federal, State, or local government and law enforcement
purposes. We will continue to provide authentication, fraud
prevention, and other tools to large, accredited corporate
customers where consumers have existing relationships. We have
strengthened our customer credentialling procedures and have
embarked on a recredentialling process for certain customer
segments, including all small business customers. We have
created an independent Office of Credentialling Compliance and
Privacy that will report to the Board of Directors' Privacy
Committee. This office will oversee improvements in customer
credentialling processes, the expansion of a site visit based
verification program and implementation of procedures designed
to expedite the reporting of incidents. This office will be led
by Carol DiBattiste, the Deputy Administrator of the
Transportation Security Administration and a former Senior
Prosecutor in the Department of Justice with extensive
experience in the detection and prosecution of financial fraud.
We have also appointed Robert McConnell, a 28-year veteran of
the U.S. Secret Service and former chief of the Federal
Government's Nigerian Organized Crime Task Force, to serve as
our liaison to law enforcement officials.
    Chairman Shelby, to conclude, we have all witnessed the
significant benefits to society that can come with the proper
use of information. ChoicePoint is proud of the role it has
played in assisting law enforcement and intelligence agencies
as well as vast segments of the American business community in
preventing fraud. We have also learned first hand the damage
that can be caused when criminals improperly obtain access to
consumer information. We have spoken out previously and would
welcome a broad national debate on these issues and support
efforts by the Congress to provide the independent oversight
and increased accountability of entities that handle public
record data. We also support increased penalties for theft of
personally identifiable information and a reasonable nationwide
mandatory requirement for the prevention of unauthorized access
to personally identifiable data. As I noted previously, we
determined that our commitment to consumers required us to go
beyond both the geographic and substantive requirements of
existing law and therefore provided nationwide notification and
various consumer protection services for those affected. As
Congress continues its work in this area, we stand ready as a
company to cooperate with your efforts and look forward to
participating in the continued discussion of issues related to
identity theft and the protection of sensitive consumer
information. I would be pleased to answer any questions that
you might have.
    Chairman Shelby. Thank you.
    Mr. Evan Hendricks, Editor and Publisher, Privacy Times.
Thank you, sir.

                  STATEMENT OF EVAN HENDRICKS

              EDITOR AND PUBLISHER, PRIVACY TIMES

    Mr. Hendricks. Thank you, Senator Shelby for the
invitation.
    A quick housekeeping matter: Since this is the first
hearing since Senator Sarbanes announced his retirement, I
wanted to thank him on behalf of all constituents for the
example he sets of public service, and he will be sorely
missed, but I think it will inspire many others.
    Chairman Shelby. He is going to be around for 22 more
months.
    [Laughter.]
    Mr. Hendricks. And I want this subject to be on his to-do
list, too, and also, the last time I had the privilege of
sitting at this table, Senator, you told me that we were going
to get a good FCRA bill, and we did thanks to your leadership
and the work of this Committee and the Congress, and I want to
let you know we are already seeing the benefits to consumers in
the marketplace.
    Chairman Shelby. Thank you.
    Mr. Hendricks. That experience and recent events show us
that we still have a lot of work to do. The recent events of
data leakages at ChoicePoint, Bank of America, LexisNexis, DSW,
show us there are many problems here, and there are many
ironies. And one of the ironies is that in order to protect
privacy, we need greater sunshine. We need more transparency.
There is too much that we do not know.
    When a task force was convened in 1973 to decide how do we
protect privacy as we enter the computer age, the first
principle they established was there should be no information
systems whose very existence is secret, and unfortunately, we
are bordering on that with the kind of database companies that
we have that claim they are out of the reach of the FCRA.
    One of the things we need here is a full accounting, an
inventory. We need a full accounting first of this episode so
we understand what went wrong here. Where are the weaknesses?
For instance, Equifax was quoted as saying they sold 8,000
credit reports possibly illegally to ChoicePoint. ChoicePoint
sent notices to 145,000 people. Why is this their discrepancy?
How did they calculate there were 145,000 people? How long has
this been going on? And why did not ChoicePoint or Equifax
notice that something suspicious was going on?
    I think more broadly, we need an accounting and an
inventory of this entire industry. We need to know what
Government agencies are providing information to the
ChoicePoints and Lexis Nexis, Sizant, Acxiom, and the like. We
need to know how do they house their data? How is it organized?
We need to know how is warranty card information collected? We
know it is collected, but we do not know exactly how. We know
when people call an 800-phone number, their information can be
captured, a profile can be produced, but we do not know how
that information is used and stored.
    These are companies that amassed billions of records. The
media reports say that ChoicePoint has 19 billion records. That
is a lot of records. The problem is that this information,
consumers do not have a clear right of access to information
that is being held on them. One of my colleagues is Maury
Frank. She is an attorney in California who has written about
identity theft, and she was at a bar convention meeting, and
ChoicePoint had a stand there where they were showing their
products, and she said that they put out a 30-page printout
from all of their records on her, but they would not give her a
copy of the printout. They were just trying to promote their
service.
    And she noticed there were a lot of mistakes in that, and
she said, well, can I get this copy of this? No. How do I
correct the mistakes? You cannot. This is basically what I am
talking about when I am talking about a secret record system.
    Even when consumers do have access for instance,
ChoicePoint will say that we have three products: We have a
tenant screening product, we have an employment background
product, and then, we have our insurance claims products, and
we will give you access to those under the FCRA. In fact, they
will give you a free copy. But they say that if they have never
sold an employment report, or if they have never sold a tenant
screening report on you, then, they do not have a report that
you can get access to.
    And this raises the fundamental question, if they can sell
a report on you, why can they not give access to you? And the
thing is what we want consumers to do is to check their reports
before transactions so they can ensure the accuracy of the
report, but under ChoicePoint's interpretation, they cannot do
that, and this is something that we really need to clear up.
    I think that most troubling is that it is not clear that
they are subject to law and accountable to consumers, they tend
not to take responsibility when things go wrong. In my written
testimony, I list some examples of run-ins that ChoicePoint has
had with accuracy problems or people being disadvantaged by the
use of their records. There was one episode where they had
purchased information on voters from the Mexican Government and
other Latin American countries, but it turned out that it was
done in violation of the laws of those countries, yet,
ChoicePoint basically said it was the people who bought the
information who were at fault, and they, again, did not take
responsibility of it.
    In one case, there was a consumer who had problems with
their insurance. They had false insurance information simply
trying to get the ChoicePoint report cleared up under the FCRA
so that they could get insurance at the rate that they were
entitled to get it. The thing turned into a Federal lawsuit,
and there was a Federal judge in Kentucky named John Heyburn
II, who in summing up the case, he wrote that ChoicePoint
repeatedly denied making any mistakes and instead seemed to
blame all defective data on others. Furthermore, ChoicePoint
employees appeared slow to recognize problems, even once they
were put on notice and disclaimed all responsibility. Most
notably, they seemed annoyed for even having to appear at
trial. They never really explained the computer glitches which
apparently caused this problem, and to this day, the Court is
still unclear what procedures, if any, ChoicePoint uses to
ensure the accuracy of its mass circulated reports.
    So when there is a full hearing, and someone drills down
and looks at the system, we see there are major problems there.
And of course, accuracy is one of our first goals of our fair
information practices. That is what we want to see in credit
reports. These are what we want to see in these other reports.
These are reporting agencies. They are just not credit
reporting agencies. And the anecdotal report that we have is
that there are major accuracy problems--which makes sense. When
you have information coming from all sorts of different sources
like courthouses and State government agencies and licensing
agencies, the more the information moves away from the original
source, the more you lose data integrity.
    As we look at solutions, I think we need to, again, have a
full accounting so that we understand what is going on. I think
that we need to look particularly at the use of drivers' data.
I think we need to understand in light of all these problems,
is it prudent to continue to have, for example, drivers'
agencies giving all the drivers' data to companies like
ChoicePoint until we know everything that went wrong here,
until we know there is full accounting of the system? I think
we should consider and the States should consider suspending
that information until we have full answers here.
    More broadly, we need to extend fair information principles
to this database sector to make sure everyone has the right of
access to their information, the right of correction,
requirements of adequate security, and most importantly the
right to enforce their rights when something goes wrong.
Whenever you are talking about privacy rights, you are talking
about 200 million Americans. You can never build a bureaucracy
big enough to enforce those rights, and you do not want to, but
you have to empower citizens to enforce their own rights, as we
have done in the Fair Credit Reporting Act.
    And finally, the California law is responsible for helping
us understand that these problems are existing. I know Senator
Feinstein is working very hard to make that the law of the
land. Many of us favor that, and we just want to make sure that
any law passed by Congress is at least as good as the
California law.
    Mr. Chairman, I want to thank you very much for the
opportunity to testify. I look forward to answering your
questions.
    Chairman Shelby. Ms. Desoer.

                  STATEMENT OF BARBARA DESOER

                 GLOBAL TECHNOLOGY, SERVICE AND

             FULFILLMENT EXECUTIVE, BANK OF AMERICA

    Ms. Desoer. Mr. Chairman, Senator Sarbanes, Committee
Members, good morning. I am Barbara Desoer, Global Technology
Service and Fulfillment Executive for Bank of America. I am a
member of Chairman and CEO Ken Lewis' executive leadership
team, and on behalf of that leadership of our company and all
Bank of America associates, thank you for the opportunity to
appear before this Committee this morning to provide our
perspective on recent events involving our Government charge
cardholders.
    First, I would like to express how deeply all of us at Bank
of America regret this incident. We pursue our professional
mission by helping people manage their financial lives. This
work rests on a strong foundation of trust. One of our highest
priorities, therefore, is building and maintaining a track
record of responsible stewardship of customer information that
inspires our customers' confidence and provides some peace of
mind.
    On February 25, 2005, Bank of America began proactively
communicating to U.S. GSA SmartPay Charge Card holders that
computer data backup tapes were lost during transport to a
backup data center. The missing tapes contained customer and
account information for approximately 1.2 million Government
charge card holders. The actual data on the tapes varied by
card holder and may have included name, address, account
number, and Social Security number.
    Backup tapes such as these are created and stored at remote
locations as a routine industry contingency practice in the
case of any event that might interrupt our ability to serve our
customers. After the tapes were reported missing, Bank of
America notified the GSA and also engaged the Secret Service,
which began a thorough investigation into the matter, working
closely with our corporate information security team.
    Federal law enforcement initially directed that to preserve
the integrity of the investigation, no communication could take
place to the public or to the card holders. While the
investigation was moving ahead, we put in place a system to
monitor the accounts and, in fact, researched account activity
retroactively to the date of the data shipment to identify any
unusual or potentially fraudulent activity in the accounts.
    The Secret Service has advised us and GSA management that
their investigation has revealed no evidence to indicate that
the tapes were wrongfully accessed or that their data content
was compromised. In mid-February, law enforcement authorities
advised us that communication to our customers would no longer
adversely impact the investigation. Now, we have completed the
initial notifications and are continuing to communicate to our
customers to ensure that they understand additional steps we
are taking to help protect their personal information.
    Bank of America quickly established a toll-free number that
Government charge card holders could use to call with questions
or to request additional assistance. We also have offered
credit reports and enhanced fraud monitoring services to card
holders at our expense. Government card holder accounts
included on the data tapes have been and will continue to be
monitored by Bank of America, and Government card holders will
be contacted should any unusual activity be detected. According
to standard Bank of America policy, Government card holders
will not be held liable for any unauthorized use of their
cards.
    The incident was unfortunate and regrettable. That said, we
feel that it can shed helpful light on the critical element of
the industry's practices for data transport. We view this as an
opportunity to learn and to lead the industry to better answers
that will give our customers the confidence and security they
deserve.
    As I said earlier, we decided as an abundance of caution to
notify the account holders after law enforcement advised us
that notification would no longer adversely impact the
investigation. However, we also acknowledge that providing
notices when there is low risk that the information will be
misused has potential drawbacks, such as creating unnecessary
anxiety in customers and, if provided too frequently in
nonthreatening situations, degrading the effectiveness of a
security breach notice.
    For example, in some instances, a thorough investigation of
the incident may conclude that there was no risk that the
information was used for illegal purposes. In these instances,
it is probably best to leave it to the discretion of the
institution to determine if customers should be notified.
    Members of the Committee, I would like to conclude by
emphasizing that the privacy of customer information is one of
the highest priorities at Bank of America, and we take our
responsibility for safeguarding it very seriously. I can assure
you on behalf of our leadership team and all our associates, we
will do all we can to ensure that our customers have the
freedom to engage in business and commerce and to manage their
financial lives, secure in the knowledge that their personal
information will be respected and protected by the institutions
in which they place their trust.
    This concludes my prepared testimony, and I am happy to
answer any questions.
    Chairman Shelby. Thank you very much.
    Mr. McGuffey, your testimony among other things indicates
that ChoicePoint employees first became aware of something
unusual on September 27, 2004, and that you began cooperating
with California law enforcement officials almost immediately
thereafter. As the law enforcement investigation proceeded,
you, to use your word, reconstructed the search activities of
the suspected criminals and determined the nature and scope of
the information that was compromised, and that this took about
3 months.
    After this was completed, and after you got the go-ahead
from law enforcement officials, you then began to notify
affected customers; is that correct?
    Mr. McGuffey. Yes, Senator, that is correct.
    Chairman Shelby. Okay; at this point, ChoicePoint also took
steps to help those whose information was stolen to protect
themselves prospectively. That is, you provided free credit
reports, credit report monitoring, and the like; is that
correct?
    Mr. McGuffey. Yes, Senator, we did.
    Chairman Shelby. Finally, ChoicePoint has decided to get
out of the non-FCRA businesses, and that was just a week or so
ago. Is that correct, that decision was made then?
    Mr. McGuffey. Yes, Senator, I believe it was a couple of
weeks ago.
    Chairman Shelby. A couple of weeks ago.
    I think it is important for the hearing record for us to
correctly establish the sequence of events, and I appreciate
you going back through this with me. I know it is tedious.
    For further clarification, who, sir, at ChoicePoint was
made aware of this situation when it was first discovered in
September 2004, in other words, the breach? Was senior
management involved in responding to this situation? You are
Vice President of ChoicePoint and you have been there from the
beginning; is that correct?
    Mr. McGuffey. Yes, Senator, I have.
    Chairman Shelby. Let me ask you a question again: When
ChoicePoint found out that you had a breach here in the
security in September, who was made aware of that situation?
    Mr. McGuffey. The incident was actually discovered by one
of the individuals in the credentialling area.
    Chairman Shelby. And who would that be?
    Mr. McGuffey. I am not sure of that gentleman's name.
    Chairman Shelby. Would you furnish that for the record?
    Mr. McGuffey. Yes, sir.
    Chairman Shelby. Okay.
    Mr. McGuffey. After that individual found out, within a day
or so, they notified the manager of our security services
department.
    Chairman Shelby. Does he report to you?
    Mr. McGuffey. No, sir.
    Chairman Shelby. Okay; go ahead. And what is his name? Do
you know his name?
    Mr. McGuffey. Yes, sir, Robert Kneuth.
    Chairman Shelby. He is a manager of the----
    Mr. McGuffey. Security services department.
    Chairman Shelby. Okay; and then, what happened?
    Mr. McGuffey. At that point, the security services
department and the credentialling group started working
cooperatively to try to figure out whether this was, indeed, a
real problem, because at this point, what we are aware of is
that there is an unusual circumstance in the process of trying
to get an account credentialed.
    Chairman Shelby. Let us go over which departments they were
again just for the record.
    Mr. McGuffey. I believe it is the credentialling department
and the security services department.
    Chairman Shelby. The security services became aware of the
breach first; is that right?
    Mr. McGuffey. Second, actually.
    Chairman Shelby. Second? Who became--the credentials
became----
    Mr. McGuffey. Yes, the credentials first, because we
received a call coming in trying to have a company credentialed
to become a customer. At this point, that particular account is
not a customer.
    Chairman Shelby. Does this set off an alarm?
    Mr. McGuffey. Well what happened was the individual began
to be suspicious because of----
    Chairman Shelby. Because it set off an alarm or caution.
    Mr. McGuffey. Caution in their head, yes, sir as to how
this individual was responding to questions and what kinds of
documents----
    Chairman Shelby. Suspicious activity.
    Mr. McGuffey. Suspicious activity. They alerted our
security department. They then started having a dialogue to try
to figure out----
    Chairman Shelby. This was early September?
    Mr. McGuffey. Actually, it was around October 1, I believe
that the security services department was actually notified.
    Chairman Shelby. When were you notified?
    Mr. McGuffey. I was notified on about November 15.
    Chairman Shelby. In other words, there was 6 weeks' lapse
between when they were notified of this and when you, as a vice
president, were notified of it?
    Mr. McGuffey. Yes, sir, actually the notice----
    Chairman Shelby. Can you furnish the exact dates, because I
know you have--for the record?
    Mr. McGuffey. Yes, sir, I can. I would be more than happy
to.
    Chairman Shelby. In other words, who knew what when? What
they knew, when they learned it, what they did with it.
    Mr. McGuffey. Yes.
    Chairman Shelby. Sequentially.
    Mr. McGuffey. Okay; be glad to do that.
    Chairman Shelby. And where did this information go then?
    Mr. McGuffey. Prior to November 15----
    Chairman Shelby. Did this languish, now, with two or three
people until November 15?
    Mr. McGuffey. No, sir, actually, the security services
department called in to the home office, which was in
Alpharetta. Again, this was happening in Boca Raton, Florida.
    Chairman Shelby. Alpharetta, that is near Atlanta, correct?
    Mr. McGuffey. Yes, sir, it is north of Atlanta.
    Chairman Shelby. Who did they call in the home office?
    Mr. McGuffey. It came in to our legal department.
    Chairman Shelby. Your general counsel?
    Mr. McGuffey. No, not to my knowledge. It went in to one of
the staff within the legal department. I will be glad to----
    Chairman Shelby. Furnish this for the record.
    Mr. McGuffey. Furnish this for the record, sir.
    Chairman Shelby. What happened to it then?
    Mr. McGuffey. They had discussion and then called Los
Angeles County to make notice and to try to have a discussion
as to----
    Chairman Shelby. But you were aware of what happened at
this----
    Mr. McGuffey. Not at this time, no, sir.
    Chairman Shelby. What time frame are you talking about now?
    Mr. McGuffey. This was in the second week of October,
about, and I will be glad to specify and provide to your staff
and to this Committee the details exactly, but it was in the
second week of October when the dialogue was taking place with
our legal department. So at that point, communication went to
the Los Angeles County Sheriff's Department.
    Chairman Shelby. And nobody knew that? You did not know
that at that time?
    Mr. McGuffey. No, sir, I did not.
    Chairman Shelby. Did anybody else know that in your company
at your level or higher? Within your counsel's office.
    Mr. McGuffey. It was in our legal department, which is part
of the--yes, our general counsel's----
    Chairman Shelby. No one was notified by an email or
anything? I mean, there are many ways to transmit information.
    Mr. McGuffey. Not to my knowledge, sir, but I will be more
than happy to provide any other details that I am not currently
aware of as part of that investigation.
    Chairman Shelby. Well, what happened then? And where are we
now on the calendar?
    Mr. McGuffey. Okay; we are in about the middle of October.
    Chairman Shelby. Okay.
    Mr. McGuffey. And there is dialogue with the Sheriff's
Department, Los Angeles County. They had, at this point in
time, not really accepted the case, if you will. We, on the
other hand, were still having dialogue with this individual on
the other end of the telephone asking for additional documents.
In other words, we are trying to keep this individual engaged,
if you will, and requesting additional documents from this
individual while we are also having conversation with the
Sheriff's Department.
    Chairman Shelby. You are part of senior management. You are
a vice-president. Was your president, your chairman, any
members of the board made aware of this situation?
    Mr. McGuffey. Not at this time, no, sir.
    Chairman Shelby. Okay; when were they made aware of this
situation? November 1?
    Mr. McGuffey. I had a conversation with our president, who
I report to----
    Chairman Shelby. What is his name?
    Mr. McGuffey. --Doug Carling----
    Chairman Shelby. Okay.
    Mr. McGuffey. --in the latter part of November, inquiring
as to whether he had been informed of this matter, because it
would be not necessarily natural for that notification system
to come through me. It would be natural for it to go as it had,
which is into the legal department, and be handled as a legal
and a law enforcement matter.
    Chairman Shelby. This was the end of November? Before
Thanksgiving or after Thanksgiving?
    Mr. McGuffey. I do not recall.
    Chairman Shelby. Do you have a log on this?
    Mr. McGuffey. No, sir, I do not.
    Chairman Shelby. Will you go back, and there will be
something to indicate?
    Mr. McGuffey. Attempt to find something; I certainly will.
    Chairman Shelby. Sure.
    Mr. McGuffey. I certainly will.
    Chairman Shelby. When was your chairman notified of this?
    Mr. McGuffey. To my knowledge, it was in January before a
board meeting.
    Chairman Shelby. And he had no inkling of this before then?
    Mr. McGuffey. From what I understand and what we have
reported, that is correct.
    Chairman Shelby. Who made the decision in the company to
provide free credit reports and provide other forms of
assistance? Did you do that? Did the president do it?
    Mr. McGuffey. I believe that was in conversation between
our president and our chairman.
    Chairman Shelby. What was the time frame on this?
    Mr. McGuffey. I, again, will be glad to provide the
specific data to your staff.
    Chairman Shelby. Was it in October?
    Mr. McGuffey. No, sir, it would have been in the middle of
February, something in that time frame.
    Chairman Shelby. Who was involved in making the decision to
exit the entire line of business that you referenced?
    Mr. McGuffey. Again, it would have been----
    Chairman Shelby. Was it the board?
    Mr. McGuffey. No, sir, I do not believe so. I believe it
was in conversation between our chairman and our president.
    Chairman Shelby. I believe you testified that ChoicePoint,
and you correct me if I misstate something, that ChoicePoint
took this very seriously when the breach was first discovered;
is that correct? Did you consider this a serious situation?
    Mr. McGuffey. Yes, Senator.
    Chairman Shelby. A potentially serious situation?
    Mr. McGuffey. I believe any time when you have a great deal
of dialogue trying to keep someone involved to try to figure
out whether they are fraudulently trying to engage with us and
also contacting law enforcement is a serious matter.
    Chairman Shelby. How do you reconcile what you testified to
thus far, that in your own words, senior management--of course,
you are senior management and others--did not play a critical
role in this situation? In other words, were not aware of the
situation until later in the game? You say November?
    Mr. McGuffey. November is when I was aware, yes.
    Chairman Shelby. Is that right? And yet, in your written
statement, you claim that ChoicePoint, ``is committed to the
highest standards of information security;'' in other words,
that is central to your business, is it not?
    Mr. McGuffey. Yes, Senator, it is.
    Chairman Shelby. If senior management were not aware of
what was going on, let alone involved with a major information
security breach like this, and you are in the information
business, what does that say? Is that the way you all do
business in the company?
    Mr. McGuffey. Senator, at the time when even I became
aware, I was told that there were only a couple of accounts
that were under investigation, so there was no recognition at
that time as to the size and the scope of this issue.
    Chairman Shelby. I believe in your written statement, you
indicate, and I will quote you, and you correct me if I am
wrong on this, ``we have worked with enforcement on other
occasions of suspicious activity related to customer use of our
information products.''
    The question follows, how many other instances of
suspicious activity are we talking about? Are we talking about
dozens of times?
    Mr. McGuffey. Senator, I am not aware that it is a dozen. I
know there are probably a handful of incidents that are related
in that manner.
    Chairman Shelby. Would you furnish that information for the
record?
    Mr. McGuffey. Yes, sir, I shall.
    Chairman Shelby. Have you, sir, in your experience, had
other situations like this, did you ever formally consider that
clients or potential clients were the most serious information
security threat, in other words, the ultimate consumer of this
report? That is who the real threat is to, is it not, sir?
    Mr. McGuffey. Yes, Senator.
    Chairman Shelby.
To their privacy and their information?\n    In other words, did senior management take steps specific \nto your business model and the risk associated with it to \nprotect your data and your company? Do you believe they did?\n    Mr. McGuffey. Yes, Senator, we have spent a great deal of \neffort on the technology security side to assure that we do not \nhave technology breaches and have technology policies \nassociated with that, have hired outside individuals in order \nto make sure that individuals cannot hack into our system. And \nso, we have addressed fairly, I believe, significantly certain \nrisks associated with access. In this case, we had \ncredentialling procedures in place, and unfortunately, we had \nsome fairly sophisticated criminals who were able to circumvent \nour credentialling procedures and get access.\n    Chairman Shelby. Senator Sarbanes.\n\n             STATEMENT OF SENATOR PAUL S. SARBANES\n\n    Senator Sarbanes. Thank you very much, Mr. Chairman. I am \nsorry I was not able to be here at the outset.\n    Chairman Shelby. Go ahead.\n    Senator Sarbanes. First of all, I want to thank you for \nyour leadership on this very important issue raised by the \nrecent breaches of data security and financial privacy. You \nactually have been a leader in the Senate for many years on the \nissue of privacy of financial information, and moving on this \nissue is just another demonstration of that. Millions of \nAmericans are very deeply concerned about this situation.\n    Chairman Shelby. Thank you.\n    Senator Sarbanes. The Baltimore Sun in an editorial March \n2, ``Stealing by the Numbers,'' said that Federal oversight of \ndata brokers is sorely needed, and there should be stiff \nfinancial penalties for improper releases. The Philadelphia \nInquirer on March 6 wrote both episodes, involving ChoicePoint \nand Bank of America are outrageous instances of businesses \nfalling down on the job after they have been entrusted with \nvital data. 
The data leaks demonstrate the need for greater \noversight of data bank repositories.\n    Of course, the data brokers possess many types of \ninformation about citizens. The Washington Post, in an article, \nindicated that ChoicePoint has the following types of data on \nsome citizens: and if any of these are not correct, if you do \nnot have these, enter a dissent at the appropriate point: Name, \naddress, and Social Security numbers, automobile and insurance \nclaims history, credit history, vehicle ownership, public \nrecords which would contain liens and judgments, military \nservice, educational history, names and addresses of neighbors \nand relatives, birth, marriage, and death certificates, \nfingerprints and DNA.\n    They do not assert that you have it on all citizens but \nthat you keep this kind of very extensive data on at least some \ncitizens. Is that accurate?\n    Mr. McGuffey. Senator, you read through the list fairly \nquickly, and I think the one or two that I would----\n    Senator Bunning. Read it slowly.\n    Mr. McGuffey. --make comment on would be on the educational \nhistory. The educational history that we may have would be only \non those individuals whom we would have performed a \npreemployment background screening check and only in those \ninstances where our customer would request us to have validated \ninformation on an application for a job.\n    On the military records, we really do not have what I would \ncall military records. We do have historical data prior to 2001 \non individuals that may be in the military.\n    Senator Sarbanes. Well, I take it in effect that is a \nconfirmation of the article, though, because in effect, the \narticle does not assert that you have all of this information \non everybody, but it does assert that you have it at least on \nsome citizens, so, I mean, it gives some sense of the \nparameters of the kind of data you collect and how extensive it \nis in its coverage. 
I mean, is that a fair statement?\n    Mr. McGuffey. I would agree, Senator, it is a reasonable \nstatement.\n    Senator Sarbanes. Mr. Chairman, in the face of corporate \ndata banks holding and selling such an extensive array of data \non citizens, this issue of data privacy, security, and identity \ntheft obviously takes on particular importance, and I think \nyour analysis in this hearing has focused on it, and I commend \nyou for that.\n    Chairman Shelby. Thank you.\n    Senator Sarbanes. It includes consideration of the \nsituation of the consumer both before and after a data security \nbreach. Should a consumer have rights to notice, access, and \ncorrection of data held in a data repository? Should a consumer \nbe able to prevent his or her personal, nonpublic data from \nbeing included in certain data banks for resale? I mean, you, \nin effect, sell the data, correct? I mean, that is your \nbusiness. That is where your income comes from, correct?\n    Mr. McGuffey. Generally speaking, yes, I would agree with \nthat.\n    Senator Sarbanes. Should Federal minimum data security \nstandards be required for data brokers? What should a data \nrepository be required to do after a breach occurs to prevent \nconsumer fraud and identity theft? And of course, we face the \nbasic question, which we have had to discuss in here before, of \nwhose property is a person's financial information, a \nconsumer's or an institution's?\n    Mr. Chairman, I remember when we did a hearing, Phyllis \nSchlafly came before the Committee.\n    Chairman Shelby. We did. Had Ralph Nader and Phyllis \nSchlafly together on the same issue right here.\n    Senator Sarbanes. Exactly. And, of course, she took the \nvery strong position this is a property right, and it belongs \nto the institution. And in effect, their property rights are \nbeing--it was a very interesting----\n    Chairman Shelby. There was pretty good agreement between \nboth the left and the right.\n    Senator Sarbanes. 
It was an interesting concept, and I \nstill recall it.\n    I received a letter from a constituent saying that he had \nreceived a letter from ChoicePoint informing him that a fraud \nmay have resulted in personally identifiable information such \nas your name, address, Social Security number, or credit report \nbeing viewed by businesses that should not have access to such \ninformation. So he received a letter from you telling him that.\n    One of the things he says in his letter to me, he says \nobviously, this letter from ChoicePoint is very unsettling. The \nuse of the word ``may'' indicates that ChoicePoint does not \nknow what information was released and demonstrates their \ninadequate security procedures.\n    What do I say to him? Of course, one of the things that I \nwill say to him is that you were here, and I had the \nopportunity to ask you this directly, but what is your \nresponse? Of course, his focus now is not that the information \nwent out but that ChoicePoint does not really know by saying to \nhim may what information went out; is that correct?\n    Mr. McGuffey. Senator, we regret and are deeply sorry that \nwe had this event and the criminal activity associated with it. \nWe did have to take, and a lot of times, as I believe the \nChairman had indicated earlier, to recreate all of the various \ndifferent individual searches that had been instituted against \nour databases, and in those cases, we actually went back for \neach and every one of those searches and recreated it.\n    The information--and my expectation is that the information \ndoes actually exist, although in sending out the letters that \nwe sent, we generally patterned that notice after the \nCalifornia law in making notice to those individuals, but my \nexpectation is in that particular case, the details are there.\n    Senator Sarbanes. I have run over my time, so let me just \nclose. 
This constituent went on to say he recommended these \nactions, and if I could get a quick reaction, I apologize to my \ncolleague: A data broker company must obtain written approval \nfrom the person before any personal information can be given \nout. That is one recommendation. The other is the data broker \ncompanies must be held liable for a person's identity theft and \nbear the full and total cost to reestablish the person's credit \nrating and identity. They should also incur punitive damages \nfor their security malpractice.\n    Can each of you give me a quick reaction to that? Mr. \nChairman, I appreciate your indulgence.\n    Chairman Shelby. That is okay.\n    Mr. McGuffey. Senator, one of the concerns that I would \nhave of requiring any individual to consent to the release of \nthe information is related to the activities associated with \ninvestigations. I had made the comment earlier in my statement \nabout the variety of services that we have and, indeed, the \n11,000 criminals that we had identified that through the \nprocess of performing screens, identified the fact that these \nindividuals may have been harmful.\n    The investigative process, it seems to me that if we have a \ncriminal or someone who was trying to do harm, it is not likely \nthat they are going to give their consent to allow law \nenforcement or others to investigate that individual.\n    Senator Sarbanes. Well, let us have a law enforcement \nexception. Does that take care of it?\n    Mr. McGuffey. What we have taken as a position along those \nlines is that we should use the principles that are contained \nin the Gramm-Leach-Bliley Act that was passed, I believe, back \nin 2001 and some of the principles that are contained in the \nFair Credit Reporting Act and apply those to public record \ndata.\n    Senator Sarbanes. And what about bearing the full and total \ncost to reestablish a person's credit rating and identity when \nthere has been identity theft?\n    Mr. 
McGuffey. I suppose, Senator, that we were also the \nvictim of a crime, and it does not seem at least to me at first \nblush that in that case, where we believe we had reasonable \nprocedures in place to try to prevent a crime, that that would \nbe entirely appropriate, but we obviously would like to engage \nin that debate with you and the Committee.\n    Senator Sarbanes. All right; Mr. Hendricks, real quick.\n    Mr. Hendricks. Thank you. Quickly, I agree with my fellow \nMarylander that that is exactly what we need. You cannot have \nlarge organizations enjoying the benefits of trafficking in our \npersonal data if they are not going to take responsibility for \nit, and I am very troubled by the questioning where you hear \nabout a breach in September, and then, ultimately, it trickles \nup to senior management by the turn of the year. That is very \ntroubling.\n    I have had the opportunity to talk to one person who \nreceived the ChoicePoint letter, and working with that person, \nwe found out that a couple of years ago, he was called by his \nDiscover Card, and he was asked have you changed your address? \nBecause somebody--this is what the thieves did in this case. \nThey were trying to change the address. And it looked like \nDiscover helped catch that, but these two New Jersey addresses \nturned up on his credit report and the credit report is the \nepicenter of this crime.\n    So he gave me these addresses, and I tracked both addresses \ndown to Mail Boxes, ETC., indicating that these were the drop \nslots of identity thieves. So there is a lot to be found out \nhere if we have a real joint effort to work here with the \nconsumer. There is valuable data on those consumers' credit \nreports, and it is a bit disturbing to me that a lot of time \nhas gone by, and valuable leads might have been lost.\n    Senator Sarbanes. Did you want to add anything, Ms. Desoer?\n    Ms. Desoer. 
From the perspective of Bank of America, we do \nnot sell our information to any third parties, and we give \ncustomers the option to opt out of any sharing of information \nwithin our own company that could be used for cross-marketing \npurposes.\n    We do have a policy that does not hold the consumer liable \nfor any losses on the product because of fraud, and then, we \nwork with customers on an individual basis to determine what \nthe circumstances are and what else we might be able to do to \nhelp them.\n    Senator Sarbanes. Thank you very much.\n    Thank you, Mr. Chairman.\n    Chairman Shelby. Senator Bunning.\n\n                STATEMENT OF SENATOR JIM BUNNING\n\n    Senator Bunning. Thank you, Mr. Chairman.\n    Ms. Desoer, 1.2 million customers lost records, 900,000 in \nthe military; is that correct?\n    Ms. Desoer. That is correct.\n    Senator Bunning. That seems beyond comprehension to me that \nthat happened with one of the biggest banks in the country, 5, \nmaybe 10, but 1.2 million? You are going to have to give me a \nbetter explanation than you gave the Chairman.\n    Ms. Desoer. Okay; what we have as a process in the \nagreement that we have with our client, the GSA, is that for \ncontingency and data recovery purposes, every day, we back up \nthe data on the entire GSA charge card SmartPay portfolio, and \nwe ship that data to a recovery backup site across the country.\n    Senator Bunning. Electronically.\n    Ms. Desoer. No, these are tapes----\n    Senator Bunning. These are backup tapes.\n    Ms. Desoer. Backup tapes that are taken a slice at a point \nin time of all of the transaction records for those cardholders \nand are physically moved. Those tapes are physically moved \nacross the country was the process that happened.\n    Senator Bunning. Okay. You explained that nothing has \nhappened, and there is no use, or you have not found any?\n    Ms. Desoer. Correct.\n    Senator Bunning. 
What is to prevent somebody from holding \nthat data for a year or a year and a half and then using it?\n    Ms. Desoer. A couple of things: First of all, the data is \nnot easily recoverable. The tapes that were lost were part of a \nlarger set of tapes that in concert need to be run together on \nspecialized equipment using specialized software that require \nparticular expertise and knowledge about how the data is \nfragmented on those tapes to reconstruct it; not to say it is \nimpossible, but it would--an average person cannot reconstruct \nthat, so in theory, they could.\n    Senator Bunning. How much money does Bank of America spend \non securing data, that type of personal data?\n    Ms. Desoer. I would need to get back to you on that \nparticular. I can get that information.\n    Senator Bunning. I would like to know exactly how much \nmoney they spend.\n    ChoicePoint Services, Inc., how much money does ChoicePoint \nspend on securing data, making sure that consumers' information \nis kept secure?\n    Mr. McGuffey. Senator, I do not have that figure with me, \nand I would be happy to----\n    Senator Bunning. Would it not be nice to, since you \nmake money selling information that obviously should not have \nbeen sold, it would be nice to know how much money you are \nspending to secure the data you should not be selling in the \nfirst place.\n    I want to go back to the case in Kentucky, because I \npersonally know the judge. In the case of Mary L. Boris v. 
\nChoicePoint Services, and Western District of Kentucky, March \n14, 2003, Judge John Heyburn on appeal found that one could \ninfer from the evidence that ChoicePoint included incorrect \ndata on plaintiff's claim report; that plaintiff complained \nabout this false information; and that after the original \nmistakes were corrected, more incorrect claim data reappeared \non her report and remained well after the suit was filed.\n    Based on this series of events, a jury could certainly \nconclude that a reasonable, prudent company would have \nprevented a similar outcome. He added, this is Judge Heyburn, \n``to this day, this Court is still unclear what procedures, if \nany, ChoicePoint uses to ensure the accuracy of its mass \ncirculated reports.''\n    That is a Federal District Judge, the Chief Judge of the \nWestern District of Kentucky. Now, what did you have to say \nabout that? What did your lawyers have to say about it?\n    Mr. McGuffey. Senator, I have not personally had \nconversation with our lawyers about this particular case. We \nhandle 100 million transactions probably a year, and \nunfortunately, this one appears to be one where we had \ninconsistencies in our data associated with the record.\n    Senator Bunning. Okay; answer this question, then: What \nprocedures does ChoicePoint have in place so that a consumer \ncan make corrections of inaccurate information they find in \nyour database and make it stick and not reappear on your \ndatabase?\n    Mr. McGuffey. Senator, in this case, this was an insurance-\nrelated incident, and it is covered by the Fair Credit \nReporting Act. So we comply with the Fair Credit Reporting Act, \nwhere in case of a consumer who is interested in understanding, \ncan get a report, does get a report, and if there is a dispute, \nwe have dispute processes in place, and if you like, I would be \nmore than happy to provide a detail of those dispute processes \nfor you and your staff.\n    Senator Bunning. 
I would like that.\n    There are many more questions, but I see my time has \nexpired. Thank you, Mr. Chairman.\n    Chairman Shelby. Thank you.\n\n            STATEMENT OF SENATOR CHARLES E. SCHUMER\n\n    Senator Schumer. Thank you, Mr. Chairman. I want to say I \nshare my colleague from Kentucky's outrage about this, and, you \nknow, what happened here just boggles the mind, that you \nactually sold information to criminals who used it for criminal \npurposes. I mean, if banks operated like ChoicePoint, bank \nrobbers would not need guns. They would open an account, walk \nin, and take all the money they wanted out of the safe.\n    It is just amazing, because, and we all know what happens, \nas Jim has talked about, when somebody has their identity \nstolen. It takes them on average 175 hours to get it back. So \nyou did not just sell their identities to these crooks; you \nsold their peace of mind. And the attitude of this company is \njust casual. I mean, the questions you do not know after these \nmishaps? You do not know how much money is being spent to protect \npeople's identities? You are a vice president of the company?\n    The time lapse that Senators Shelby and Sarbanes elapsed, \nhow is it that the CEO did not know that thousands of people's \nidentities were stolen until a couple of months later? You tell \nme: Why did you not call law enforcement immediately? Do you \nknow how much damage might have been done between the day you \nfound out or your company found out and the day you notified \nlaw enforcement?\n    Do you have a policy when somebody's identity is stolen--\nthat is a question--about notifying law enforcement \nimmediately? Does the company have a policy to do that? Yes or \nno?\n    Mr. McGuffey. I am not aware as to whether we do or not, \nbut I will certainly provide that----\n    Senator Schumer. Well, why are you here, sir, if you are \nnot aware of a question like that after everything that has \nhappened?\n    Mr. McGuffey. 
I was invited by the Committee, sir.\n    Senator Schumer. All right; well, the company chose you to \ncome, right?\n    Mr. McGuffey. I believe that is correct.\n    Senator Schumer. Did you get briefed?\n    Mr. McGuffey. Yes, Senator, I did.\n    Senator Schumer. And that question never came up?\n    Mr. McGuffey. No, Senator, it did not.\n    Senator Schumer. And neither the question about how much \nmoney you spend to protect people's identities?\n    Mr. McGuffey. No, Senator, it did not.\n    Senator Schumer. Let me ask you another one: Have there \nbeen other instances where ChoicePoint has been aware that \npeople's identities have been stolen but that has not been made \npublic?\n    Mr. McGuffey. In these instances, there have been two or \nthree, as I had indicated earlier, and all of those--\n    Senator Schumer. Two or three instances?\n    Mr. McGuffey. And in all of those cases, we have made \nnotice and in that 145,000----\n    Senator Schumer. Immediately?\n    Mr. McGuffey. As soon as we were able to recreate the \nsearches, Senator.\n    Senator Schumer. But I am asking, there were rumors that a \ncouple of years ago, this happened, too, and that has not been \nmade public. Is that true?\n    Mr. McGuffey. No, Senator. In those cases, we found out \nabout the 2002 incident, which may be what you are referring \nto.\n    Senator Schumer. When did you find out?\n    Mr. McGuffey. In those cases, we found out in the fall of \n2004, because we did an internal investigation and found cases \nthat----\n    Senator Schumer. How is it that identities that you have \nare stolen or information is stolen, and you do not know until \n2 years later? You got no complaints?\n    Mr. McGuffey. To my knowledge.\n    Senator Schumer. Did you check to see if you had \ncomplaints?\n    Mr. McGuffey. To my knowledge, no, sir.\n    Senator Schumer. And did the company check to see if they \nhad complaints?\n    Mr. McGuffey. 
Yes, Senator, those complaints do come in to \na central environment.\n    Senator Schumer. Okay; so, were there complaints between \n2002 and 2004 that came in to the company?\n    Mr. McGuffey. With regard to this incident, not that I am \naware of, sir.\n    Senator Schumer. And does that mean no, or does that mean \nyou may just not be aware? I mean, did you check? Did you ask \nbefore you came here today?\n    Mr. McGuffey. Yes, Senator, I did.\n    Senator Schumer. And they said?\n    Mr. McGuffey. No.\n    Senator Schumer. Okay; you do not have to say, then, not \nthat you are aware of; no, you checked.\n    Have you notified customers before this last situation? In \nthose situations, did you notify customers about the thefts \nwhen you found out about them?\n    Mr. McGuffey. Senator, in these cases, when we did our \ninternal investigation was when we found the various accounts \nthat had been misrepresented to us, and in all of those cases, \nwe made notice.\n    Senator Schumer. To every customer, not just in the States \nthat had a law that you had to.\n    Mr. McGuffey. Absolutely.\n    Senator Schumer. Okay; let me ask you about your \nexecutives. I think this stinks from the head. What about these \nexecutives taking $16 million in the months after the company \nlearned that the database had been breached? Now, I understand \nthe executives are arguing based on their recent 10(b)(5)(1) \ntrading plan, they have a contract to sell these stocks weekly, \nbut according to my understanding and the SEC's rules, those \nplans can only be entered into if they are entered into in good \nfaith and not as part of a plan to scheme or evade the insider \ntrading rules.\n    So my question is did the ChoicePoint board of executives \nand executive officers in question work together to approve a \nnew stock trading plan on October 26, 1 day before the LAPD was \ntipped off by the company?\n    Mr. McGuffey. No, Senator, I do not believe that they did. 
\nIn fact, what I believe that the position of the company and \nthe communication that we provided, although this incident is \ncurrently under investigation by the SEC, is that the \nindividuals in question did not know about this until after \nthose plans had been put into place.\n    Senator Schumer. Do you think they should return the money \non their own? I think that is what most people would think.\n    Mr. McGuffey. I am not sure that my opinion, sir, is \nrelevant here.\n    Senator Schumer. Oh, it is relevant.\n    Mr. McGuffey. Well, in my view, they followed the \nregulations. The 10(b)(5) plans were put in place by the SEC.\n    Senator Schumer. Let me tell you: I think they should \nreturn the money on their own. I will tell you something else I \nthink: I do not know what the law is here, but just from an \nethical point of view, you are dealing in important valuables \nabout people. Your attitude has been casual, to say the least; \nthat is putting it kindly. I do not think ChoicePoint should be \nin business to do anything to do with people's private \ninformation. I know you are not selling Social Security numbers \nto some people, but you are still selling them to State and \nlocal governments: Is that right?\n    Mr. McGuffey. Yes, sir.\n    Senator Schumer. And law enforcement.\n    Mr. McGuffey. And law enforcement under permissible \npurpose, yes, sir.\n    Senator Schumer. Well, I would urge any credit company that \nhas this information not to give it to ChoicePoint, because \ntheir attitude is just casual, not caring, the kinds of \nquestions that after a major egregious mistake was made should \nbe on the tip of the witness' tongue who was chosen by the \ncompany to come are not.\n    I mean, I think we can do a lot better, and a lot of other \ncompanies can do better. Now, I have a question for Ms. Desoer.\n    Ms. Desoer. Yes.\n    Senator Schumer. My view here is different. 
I think BofA, \nBank of America, was very careful, and when this happened, they \nnotified people immediately. Obviously, this problem occurred. \nSo, I have two questions for you as a result of what happened, \nhow we can make this better.\n    One, should we do much better screening of cargo handlers, \nparticularly cargo handlers who handle this kind of vital \ninformation? And two, would it not be a good way to avoid these \nincidents by using the RFID technology, radio frequency \nidentification to track cargo? It is very cheap, as I \nunderstand it. It would let us know where everything was.\n    You know, these thieves stole the wrong thing, but we still \nknow where they are and who had it, et cetera. Does your \ncompany have a position on either of those two things as a \nresult of what has happened here?\n    Ms. Desoer. Yes, Senator, in terms of the tracking, there \nis tracking that lets us know where the package is at all times \nwith all the carriers that we use.\n    Senator Schumer. Is that an RFID?\n    Ms. Desoer. I do not know if it is an RFID.\n    Senator Schumer. I suggest you find out.\n    Ms. Desoer. I will.\n    Senator Schumer. Because if it is stolen, the tracking \nsystem that you might have that A passed it to B who passed it \nto C, and they call you up, is gone, while an RFID would know \nexactly where it is.\n    Ms. Desoer. At what stage; that is correct.\n    Senator Schumer. Do you not think that, off the top of your \nhead, would make some sense?\n    Ms. Desoer. That makes sense.\n    Senator Schumer. Yes.\n    Ms. Desoer. And in this particular case, we are no longer \nsending these tapes via courier, so they are going by ground \ntransportation to a different location.\n    Senator Schumer. Right.\n    Ms. Desoer. And in response to your first question, we \nthink this is an opportunity to revisit the whole issue of how \nwe do send information and send tapes, and we are in the \nprocess of doing that.\n    Senator Schumer. 
Okay.\n    Thank you, Mr. Chairman.\n\n               STATEMENT OF SENATOR WAYNE ALLARD\n\n    Senator Allard. [Presiding.] Thank you, and I am sitting in \nhere temporarily for the Chairman.\n    Senator Schumer. You are doing an excellent job, I might \nsay, Mr. Chairman, Mr. Temporary Chairman.\n    Senator Allard. It is getting to be funny at the time.\n    Senator Schumer. That is why I said it.\n    Senator Allard. First of all, I ask unanimous consent that \nmy full statement be made part of the record, and without \nobjection, we will so do that.\n    Senator Allard. And then, I have a couple of questions.\n    This Committee has in the last 2 or 3 years gotten involved \nwith the credit score, and I think that many on the Committee \ndid not realize how deeply embedded the credit score was and \nthe credit rating and how just some small change can have a \nfairly profound impact on your credit rating; for example, the \nnumber of charges that were put on your credit card, the number \nof times you applied for a credit card would all have an impact \non your credit score.\n    And when you go to losing your identity, and it gets \nmanipulated out here in the underworld, I can see really an \nimpact on credit score. What can you do as companies to correct \nwhat is happening to the credit score? Maybe Mr. McGuffey, you \nwould like to, and then Ms. Desoer.\n    Ms. Desoer. Desoer.\n    Senator Allard. Desoer. Maybe you would both like to \nrespond.\n    Mr. McGuffey. Senator, we are not a credit company, first \nof all, as you may be aware.\n    Senator Allard. I know that, but it does have an impact on \nthe credit score.\n    Mr. McGuffey. 
It may; it may indeed have an impact, and the \nonly real answer may be for us to evaluate in our actuarial \nmodels that build those scores and determine whether there are \nfacets of or features of or line items within the credit report \nthat may be more impacted than not in a situation of identity \ntheft; for instance, I do know that if someone were to put a \nsecurity alert on their credit report that we pass that \nsecurity alert along with the score to our end user customer, \nso our end user customer would be aware that the individual has \nplaced a security alert on their score, on their credit report, \nand therefore be in a position to take some action on that or \nbe conscious of that, inquire of the consumer as to whether \nthere were anything on the credit report that may have \nadversely impacted that score.\n    Senator Allard. Ms. Desoer.\n    Ms. Desoer. From our perspective, we are very much in the \nbusiness of providing credit, and along with that comes advice \nabout ways that consumers can enable themselves to get credit, \nso that is part of our business. We increasingly supplement the \nscores with other kinds of information, because a big part of \nour population, for example, are people who are new to the \ncountry who might not have an established credit score, and so, \nwe use alternatives like records of paying rent and that thing \nto supplement credit making decisions in addition.\n    But again, we work very closely with our consumers and on \nan individual basis, we will help give them advice as \nappropriate.\n    Mr. Hendricks. Senator.\n    Senator Allard. Yes, go ahead, Mr. Hendricks.\n    Mr. Hendricks. Because you ask--and it is a very important \nquestion, because the main damage from identity theft is then, \nyou get all these fraudulent, unpaid accounts, and it causes \nyour credit score to take a nosedive. 
Companies can help \nbecause the credit score is based on your credit report, and \nthe credit reporting agencies believe what the credit granters \ntell them.\n    So if a Bank of America or a ChoicePoint is involved, and \nif they know the information is wrong, if they will help the \nconsumer communicate that to the credit reporting agency, it \nhelps get the bad news off a lot quicker.\n    Senator Allard. Okay; and if you put a security alert on an \naccount, does that suggest that they do--Mr. McGuffey brought \nthat up. Does that help you in getting your loan, or does that \nhinder you?\n    Mr. Hendricks. Well, in a security alert, it is supposed to \nmake them careful about disclosing that report. Now, in the \npast, it was not working that well, and this Committee helped \npass a law which is supposed to bring better respect for those \nsecurity alerts.\n    Senator Allard. But if I go in, and I am buying a house, \nand all of a sudden, I have a security alert on my score, I can \nimagine that it may very well slow down my loan, and I guess it \ncould cause some problems. But I guess it is a tradeoff, is it \nnot?\n    Ms. Desoer. That is correct.\n    Senator Allard. Between how far you want to protect \nsomebody, but yet, if somebody needs that credit score, it \ncannot slow them down.\n    Mr. Hendricks. And in California, they can put a freeze on \ntheir credit report, and the victims of identity theft do that, \nbut if they want to get credit, that means they have to \nunfreeze the report. So, yes, it is not a fun situation either \nway.\n    Senator Allard. No, it is a problem.\n    Okay; Ms. Desoer, how long did Bank of America have to wait \nbefore informing its customers about the loss of personal \ninformation on 1.2 million Government charge cards?\n    Ms. Desoer. The tapes were lost late in December, and we \nnotified customers or began notifying customers on February 25. 
\nWe became aware of the loss of the tapes right after the New \nYear, and very shortly thereafter, once we reconstructed the \ninformation and knew that customers' information was on the \nlost tapes, we got the Secret Service involved, who asked us \nnot to share knowledge of this with the public or with our \ncardholders until they could get further into the \ninvestigation, and as soon as they released that hold on the \ninformation, we went ahead and notified customers.\n    Senator Allard. And so, how long did it take you to \nreconstruct that information, and how long did the \ninvestigators ask you to hold that information before you \nnotified the consumers?\n    Ms. Desoer. It took us about a week to reconstruct that \ninformation, and I can get exact dates if you like, Senator, \nand then, the Secret Service was engaged on January 10, and \nthey released the hold on the information just before we went \npublic February 25, so a day or two before.\n    Senator Allard. So it took them quite awhile to do that \ninvestigation.\n    Ms. Desoer. Yes.\n    Senator Allard. It seems like, and I assume that was a \npretty high priority as far as you know.\n    Ms. Desoer. Yes, it was very high priority for us and our \ncorporate information security team, who was working jointly \nwith the Secret Service in tracking the tapes every step of the \nway and reconstructing where they were and who was dealing with \nthose, and it still is an ongoing investigation.\n    Senator Allard. What was the first item of information that \nthe Bank of America provided customers informing them of that \nincident? That was February, then?\n    Ms. Desoer. February 25, correct.\n    Senator Allard. February 25. And do you feel that this \ninformation was helpful to the individual customers? In other \nwords, what steps could customers have taken to actually \nprotect their identity from theft?\n    Ms. Desoer. 
It is a great question, sir, and what we did, \nit is always a balance of what it is we are trying to \ncommunicate, because these customers, the information was \npresumed lost, and there had been no evidence for these \ncustomers that there was any misuse of their information.\n    So it was an awareness of what had happened, an indication \nof an 800-number where we would be in a position, for example, \nto share with them individually, exactly what information was \non the tapes as it related to them as an individual, and then, \nwe also used it as an opportunity to communicate a list of \nactivities that the consumer could take to protect themselves \non an ongoing basis against identity theft.\n    In addition, we made available free of charge to the \nconsumer a credit report if they wanted additional verification \nthat there had been no activity and fraud monitoring services. \nAnd of course, we were monitoring their accounts retroactive to \nday one when the tapes were lost, and we continue to do that.\n    Senator Allard. What did you lose from the loss, from this \nincident where you lost information? What did you learn?\n    Ms. Desoer. Oh, what did we learn?\n    Senator Allard. Yes, what did you learn when this \ninformation--when you had this incident where you lost \ninformation?\n    Ms. Desoer. That we need to revisit the standard industry \npractice of shipping tapes in this way for contingency and \nbackup data recovery purposes.\n    Senator Allard. So you learned that you need to do more on \ndata backup recovery; that you need to do something different \nas far as how you are transporting this information.\n    Ms. Desoer. 
No, we need to stay committed to the path that \nwe are on of data backup recovery, that it is very important \nthat we comply with each of our contracts and with requirements \nunder which we operate that, for certain types of data, set the \ntime lines in which after, say, a hurricane or an event that \nwould take out a data center, we need, within hours in some \ncases, 2, 4, 24, 48 hours, to be able to be up and running \nagain on behalf of our customers.\n    That is in place, and that remains in place. What we are in \nthe process of reconsidering is the way we get the information \nfrom point A to point B.\n    Senator Allard. I see. Anything else you learned? Have you \ntaken corrective action once you have learned these things?\n    Ms. Desoer. Yes, we have stopped shipping the tapes the way \nwe have; we are working closely with the customers with whom we \nhave communicated, and it is a reinforcement, and we followed \nvery standard policies and procedures that we have in place at \nBank of America for dealing with events such as this, and it \nreinforced for us that it is a good process and works well.\n    Senator Allard. Thank you.\n    Ms. Desoer. Thank you.\n    Chairman Shelby. [Presiding.] Thank you, Senator Allard.\n    Mr. McGuffey, how large is your counsel office? In other \nwords, how many attorneys work in your counsel's office?\n    Mr. McGuffey. I believe, Senator, that there are four \nlawyers today.\n    Chairman Shelby. Four lawyers? And how many support people \nroughly?\n    Mr. McGuffey. I do not know exactly, but I would say that \nthere is probably a dozen would be my guess.\n    Chairman Shelby. Is a lot of the focus in that counsel's \noffice to protect or to focus on possible breaches of \ninformation in all of this and the legal ramifications that \nperhaps go with it?\n    Mr. McGuffey. There is a set of staff that are focused on \nreviewing incidents and audits. 
There is an audit program that \nwe have in place that goes back and audits customers, and \nindeed, in this case, the reference to the 2002 incident that \nwas made earlier, that particular account was shut down, I \nbelieve, in May 2002 as the result of an audit. So we audit our \ncustomers, and that is part of that team. We review subpoenas \nin that team as well as responding to litigation and other \nmatters, other legal matters.\n    Chairman Shelby. Would you for the record furnish a summary \nof the sequence of events dealing with when counsel was \ninvolved, exactly when they notified who in the company, your \ncompany, or outside, who they dealt with and so forth? Could \nyou do that?\n    Mr. McGuffey. Yes, Senator; yes, Senator, we will.\n    Chairman Shelby. If the facts in this case from what you \nhave said did not lead to an immediate notification of senior \nmanagement--and this has been your testimony--can you help me \nunderstand a situation where your senior management would be \nnotified immediately? In other words, what would it take to \nnotify them, your president, your chairman, perhaps some of \nyour board members that this is a serious situation, which it \nwas? What would it take? What kind of situation would it take?\n    Mr. McGuffey. Senator, I am----\n    Chairman Shelby. Just help us understand.\n    Mr. McGuffey. 
I am certain that there are a number of \nmatters, as there are a variety of disciplines, there are a \nvariety of departments, obviously, that report to both those \nindividuals, and any of the major events associated with those \ndisciplines as perceived by those individuals at the time would \nprobably be appropriate and probably are discussed with those \nsuperiors, and what I would like to make sure the Committee \nunderstands is that at the time in the fall of 2004, we were \naware of only a handful of accounts that we believed were \nproblematic.\n    The investigation continued, and we continued to try to \nfind and identify accounts that were similar in nature. We did \nour investigation to find additional accounts, even beyond \nthose that were identified by our employee in the \ncredentialling process.\n    In the future, our CEO has required that he will be \nnotified of any of the breaches that could lead to any serious \nintrusion into our systems, any law enforcement activity \nassociated with this type of activity, so we are setting up \nprocesses; in fact, I had indicated earlier that we have even \nset up a new department that will be reviewing these matters \nheaded up by Carol DiBattiste, and we are looking forward to \nher joining our management team, and I am certain that she will \nalso make additional changes and recommendations associated \nwith how we proceed with these matters.\n    Chairman Shelby. You can tell there is concern here with \nthe fact that there was a gap between--from your testimony--\nbetween discovery of the breach and the notification of people \nup the line. If a lot of people were in senior management of \nyour firm, I think there would be concerns about the fact that \nthey had not been notified, and that would be cause for \nprobably some discipline there, who knows, and change of \npolicy. Have there been any dismissals of personnel because of \nfailure to notify up the line for something this serious? 
It is \nso central to your company and the well-being of your company \nand perhaps the future of your company.\n    Mr. McGuffey. Yes, Senator, it is a very serious matter, \nand we regret in this case----\n    Chairman Shelby. But there have been no personnel \ndisciplined, dismissals of people because of their conduct \nregarding this?\n    Mr. McGuffey. In this case, Senator, no, the activities \nwere handled as a law enforcement and a legal matter, and those \npersonnel were informed.\n    Chairman Shelby. How does your firm make sure, Mr. \nMcGuffey, that you are complying with each of the applicable \nlaws such as FCRA and GLBA that govern the use of information \nin your possession?\n    Mr. McGuffey. We have both legal counsel who advises the \nbusinesses with regard to those matters. We have technology \ninfrastructure.\n    Chairman Shelby. Do you do an audit?\n    Mr. McGuffey. Yes, we do. We have both an internal audit \ndepartment as well as an audit group within our legal \ndepartment that focuses on these types of matters.\n    Chairman Shelby. How frequently do you do your audits, \ncheck on your customers?\n    Mr. McGuffey. It is a continuous process.\n    Chairman Shelby. Okay; have you ever terminated customers \nbased on violations of the fair credit laws and the Gramm-\nLeach-Bliley Act?\n    Mr. McGuffey. We have, indeed, yes, Senator, and also \nterminated accounts that did not pass through our audits.\n    Chairman Shelby. How confident are you today of your \nability to ensure that the Fair Credit Reporting Act and Gramm-\nLeach-Bliley are being complied with in view of everything that \nhas happened?\n    Mr. McGuffey. 
I am confident, Senator, that we have \ncomplied with those laws and will continue to be diligent in \nassuring that the customers that we do credential are \ncredentialed at a high standard and in fact have instituted new \nprocedures and will be instituting additional procedures such \nas site inspections for those customers who have access to \npersonally identifiable information.\n    Chairman Shelby. Mr. Hendricks, I have a couple of \nquestions for you, if you would.\n    Mr. McGuffey indicated that ChoicePoint conducts audits to \nensure that its customers are in compliance with the applicable \nlaws governing information use, the ones I cited. Who has the \nstrongest interest in making sure that those laws are followed? \nChoicePoint, the firm trying to obtain the information, or the \nconsumer to whom the information relates?\n    Mr. Hendricks. I think the consumer has the strongest \ninterest in ensuring the privacy, accuracy, security of their \ndata, because if something goes wrong with their data----\n    Chairman Shelby. It could be very hurtful, could it not?\n    Mr. Hendricks. Yes, they are the ones sitting at the bottom \nof the driveway, and all the stuff comes down their way. The \nmain damage from identity theft is all that bad stuff goes on \nyour credit report, and as this Committee knows, it takes a \nlong time to get it off. I am concerned that ChoicePoint and a \nlot of companies, a lot of database companies, they do not \naudit for the accuracy of their information from a consumer \nprivacy accuracy point of view. There is no independent audit, \nnot even Arthur Andersen. I mean, it is a very insular process, \nand sunshine is the best disinfectant.\n    Chairman Shelby. 
Last year, Derek Smith, the Chief \nExecutive Officer of ChoicePoint, said that if they were going \nto be viewed as the most admired information company in the \nworld, they were going to have to, using his words, ``win the \nbattle of trust.'' After what has happened, what is ChoicePoint \nin particular and the information brokerage industry in general \ngoing to have to do to deserve a modicum of public trust?\n    Mr. Hendricks. I think they are going to have to show that \nthey can work with this Committee to establish fair information \npractices in law, as we have, the same kinds of rights we have \nwith the Fair Credit Reporting Act and show they can comply \nwith those rights and to bring transparency to their business, \nand that is going to be a long, hard haul, and that is why it \nis going to take them possibly years to get trust back for \ntheir entire sector.\n    Chairman Shelby. I appreciate your coming today, especially \nafter the break of the hearing the other day. We will continue \nto pursue these questions, because I am not sure they are going \naway.\n    Mr. Hendricks. No, we do not know where they are going, but \nwe know they are not going away.\n    Chairman Shelby. We thank the panel for your appearance and \nyour participation today.\n    [Whereupon, at 11:44 a.m., the hearing was adjourned.]\n    [Prepared statements supplied for the record follow:]\n\n              PREPARED STATEMENT FOR SENATOR WAYNE ALLARD\n\n    I would like to thank Chairman Shelby for holding this timely \nhearing on identity theft and recent developments involving the \nsecurity of sensitive consumer information.\n    Of more than one million complaints the Federal Trade Commission \nreceived in 2001, 86,680 of them were identity fraud complaints. \nFurthermore, the Government Accountability Office reports that identity \ntheft has been steadily increasing in recent years, based on data \nprovided by credit reporting agencies.\n    Mr. 
Chairman, I was shocked to hear that personal information on \napproximately 1.2 million Federal Government charge cards was lost in \ntransit to a data-storage facility. I am very concerned to hear about \nall of the time, energy, and effort that consumers involved in this \nsituation have had to put forth in order to protect their information \nfrom being misused, abused, and potentially stolen.\n    I will be particularly interested to hear about what specific steps \nBank of America is taking to help protect their customers' identities \nafter the loss of these tapes. By steps, I do not mean a form letter \nabout common sense procedures that a customer can follow in order to \nprotect his or her identity. I mean specific procedures a customer can \ntake, with Bank of America's help, to protect their personal \ninformation and identity in this specific circumstance.\n    In an event such as this, the burden should fall on the entity that \nmade the error--not on the consumer who is entirely helpless and \npowerless. I have heard from my constituents, and unfortunately this \nhas not been the case, with the burden falling almost entirely on the \ncustomer. 
I will be very interested to hear today how the investigation \nis proceeding, but more importantly, what Bank of America is doing in \nthe meantime to help the customers involved.\n    I also look forward to hearing about the 145,000 people whose \nconsumer information was purchased by scam artists from ChoicePoint, \nand the steps that have been taken to safeguard against this occurrence \nbeing repeated in the future.\n    Again, Chairman Shelby and Ranking Member Sarbanes, I appreciate \nyour attention to this important matter, and look forward to learning \nwhat these companies are doing to insure the protection of their \ncustomers, as well as determining whether or not the current law \nprovides the necessary protections to consumers.\n\n                               ----------\n\n                  PREPARED STATEMENT OF EVAN HENDRICKS\n                  Editor and Publisher, Privacy Times\n                             March 15, 2005\n\n    Mr. Chairman, Ranking Senator Sarbanes, distinguished Members, \nthank you for the opportunity to testify before the Committee. My name \nis Evan Hendricks, Editor and Publisher of Privacy Times, a Washington \nnewsletter since 1981. For the past 27 years, I have studied, reported \non, and published on a wide range of privacy issues, including credit, \nmedical, employment, Internet, communications, and Government records. \nI have authored a book about credit scoring and credit reporting, as \nwell as books about general privacy matters and the Freedom of \nInformation Act. I have served as an expert witness in Fair Credit \nReporting Act and identity theft litigation, and as an expert \nconsultant for government agencies and corporations.\n    I was closely involved in the multiyear process that resulted in \nthe 1996 Amendments and 2003 Amendments to the Fair Credit Reporting \nAct. 
Working with your highly competent staffs, I was proud of our many \naccomplishments in 2003.\n    The recent ChoicePoint and Bank of America incidents underscore \nthat we have much more work to do in order to ensure Americans' rights \nto information-privacy.\n    I think that there is broad agreement that an important lesson to \nbe drawn from our FCRA work is that the best way to improve our \nnational credit reporting system is to strengthen protections for \nconsumers. The more power that consumers have to maintain reasonable \ncontrol over their credit reports, the better the chances for improving \ntheir accuracy and ensuring they will be used fairly and only for \npermissible purposes. What is true for credit reporting is true for the \nother noncredit systems filled with personal information.\n    What is starkly clear from the ChoicePoint episode is the lack of \ntransparency regarding the personal data collected, stored and sold by \nChoicePoint and its ``cousins,'' which include Acxiom, LexisNexis/\nSeisint, and Westlaw--to name a few. 
Most people do not know about \nthese companies, even though they maintain personal data on over 100 \nmillion people.\n    Moreover, these companies often do not allow individuals to access \ntheir data or correct errors--even though other companies and \nGovernment agencies could buy the same information data and use it for \nmaking decisions about those individuals.\n    In essence, these are ``secret files.'' In being the first Federal \nbody to articulate Fair Information Principles, the first principle set \nforth by the 1973 HEW Secretary's Advisory Committee On Automated \nPersonal Data Systems was: ``There must be no personal data \nrecordkeeping systems whose very existence is secret.'' This is because \nhistory has shown us that secret files are a recipe for inaccuracy, \nabuse of privacy, and poor security.\n    In my opinion, the noncredit database companies generally operate \nin violation of principles 2-5 as well, at least in regard to \ninformation not already covered by the FCRA. Those principles are: (2) \nthere must be a way for an individual to find out what information \nabout him is in a record and how it is used; (3) there must be a way \nfor an individual to prevent information about him obtained for one \npurpose from being used or made available for other purposes without \nhis consent; (4) there must be a way for an individual to correct or \namend a record of identifiable information about him; and (5) any \norganization creating, maintaining, using, or disseminating records of \nidentifiable personal data must assure the reliability of the data for \ntheir intended use and must take reasonable precautions to prevent \nmisuse of the data.\nPossible Solutions\n    There are no quick or easy solutions to protecting privacy. Like \nmany privacy and consumer experts and advocates, I heartily endorse the \nconcepts underlying legislation introduced by Sen. Bill Nelson and Rep. 
\nEdward Markey to extend the protections of the FCRA to noncredit \ndatabase companies. Similarly, I conceptually favor Sen. Dianne \nFeinstein's efforts to make notification of security breaches the law \nof the land. Were it not for the pioneering Californian State law, we \nmight not even know about the ChoicePoint debacle. On the other hand, \nit would probably be counterproductive for Congress to pass a law that \nwas not at least as strong as the California law. I also agree with the \ngeneral thrust of measures to curb trafficking in Social Security \nnumbers by Rep. Clay Shaw and others. Details are always important, but \nsince this is not a strictly legislative hearing, we do not need to get \ninto them now.\n    I also want to bring to the committee's attention the fine work of \nsome of my colleagues, including Consumers Union's endorsement of the \nefforts of Sen. Nelson/Rep. Markey; \\1\\ the newly drafted ``Model \nRegime For Privacy Protection,'' by George Washington Univ. Law Prof. \nDaniel J. Solove & Chris Jay Hoofnagle, head of the San Francisco \noffice of the Electronic Privacy Information Center (EPIC); \\2\\ U.S. \nPIRG's emphasis that any legislation (1) should be based on FIP's, (2) \nshould have a private right of action, (3) should not preempt \nStates.\\3\\ In addition, Linda Foley of The Identity Theft Resource \nCenter pointed out that when there are security breaches, consumers \nshould not only be notified, but should also be advised as to what \ninformation fields were stolen or acquired illegally. 
And, the Center \nfor Democracy and Technology reminds us not to forget about the oft-\noverlooked problem of Government access to private sector data.\\4\\\n---------------------------------------------------------------------------\n    \\1\\ http://www.consumersunion.org/pub/core_financial_services/\n002028.html; asking for strong Federal standards for security, customer \nscreening, and consumer access and correction.\n    \\2\\ http://papers.ssrn.com/sol3/papers.cfm?abstract_id=681902.\n    \\3\\ www.pirg.org/consumer/pdfs/pirgendorsesnelsonmarkey.pdf.\n    \\4\\ www.cdt.org.\n---------------------------------------------------------------------------\n    Because there is so much that we do not know about the ChoicePoint \nand Bank of America incidents, it is premature at this point to \nidentify all of the appropriate responses. That is why my \nrecommendations include a call for a thorough investigation of each \nincident and a public airing of the results. At the end of the day, I \nfavor Congress taking as comprehensive an approach as is politically \npossible.\nCurrent Gaps In Law, Policy, and Information Systems\n    The recent incidents underscore gaps in current law, policy and \ninformation systems. In its recent exchange with EPIC, ChoicePoint \nacknowledged that its insurance, employment background and tenant \nscreening ``products'' were covered by the FCRA. But it argued that the \nrest of the data, including those sold to law enforcement, were not \ncovered by FCRA. This is particularly troubling given that, as noted in \nRobert O'Harrow's book, ``No Place To Hide'' (Free Press 2005), \nChoicePoint effectively bills itself as a private intelligence service.\n    I probably disagree with ChoicePoint's view that so many of its \ninformation products fall outside of the FCRA. The Act's definition is \nintentionally very broad, and includes ``character, general reputation, \npersonal characteristics, or mode of living . . 
.'' However, the fact \nthat ChoicePoint takes this position means that consumers cannot be \nassured that they can see and ensure the accuracy of data about them.\n    Even where ChoicePoint agrees that its products are covered by the \nFCRA, there are troubling loopholes.\n    For example, ChoicePoint says it has three ``products'' that are \nfree under the FACT Act: the C.L.U.E. (auto and homeowners insurance); \n``WorkPlace Solutions'' (employment background screening) and ``Tenant \nHistory'' (apartment rentals).\n    ChoicePoint said there would be no C.L.U.E. report on you if you \nhave not filed an auto or home insurance during the last 5 years.\n    However, it also said it would not have an employment history or \ntenant history report ``if you have not applied for employment with a \ncustomer that we serve,'' or ``have not submitted a residential lease \napplication with a customer that we serve.'' \\5\\\n---------------------------------------------------------------------------\n    \\5\\ www.choicepoint.com/factact.html, visited March 13, 2005.\n---------------------------------------------------------------------------\n    How could it not have a ``report'' on you, but then sell one to an \nemployer or landlord when they asked for it? Under ChoicePoint's \ninterpretation, you apparently could not check the accuracy of a report \nbefore it was sold to a landlord or employer. But the FCRA requires \nthat every CRA shall, upon request, disclose to the consumer ``all \ninformation in the consumer's file.'' And, even if no insurance claims \nwere filed, ChoicePoint regularly buys data from State Departments of \nMotor Vehicles, which presumably means it maintains records on most \nAmerican drivers in one or more of its databases.\n    Absent Congressional action, this fundamental question of access \nmight have to be decided by the courts. 
But that could take years, \nwhich is one more reason that Congress should require by law that \ndatabase companies comply with Fair Information Principles, and give \nindividuals the ability to enforce their rights.\n    The Gramm-Leach-Bliley Act includes safeguards for the security of \ncredit data, including credit header data (identifying information from \ncredit reports). But if ChoicePoint files are based on identifying \ninformation from public records or other noncredit files, then \nChoicePoint presumably would argue that it is not subject to GLB's \nsecurity safeguards.\n    Under this reasoning, the coverage may be even scantier for other \ndatabase companies, including Acxiom, LexisNexis/Seisint, and Westlaw.\n    One of the many ironies is the secrecy shrouding these and other \ndatabase companies that traffic in consumer data. Accordingly, to \nadequately protect privacy we need to have greater disclosure about all \naspects of their operations and practices. This should not be \nsurprising. After all, the same Supreme Court Justice, Louis Brandeis, \ncalled privacy, ``the right to be let alone--the most comprehensive of \nrights and the right most valued by civilized men.'' Brandeis also said \n``the Sunshine is the best disinfectant.''\nPrivacy Protection Requires ``Sunshine''\n    The truth is that we do not know:\n\n<bullet> Precisely what information these companies collect;\n<bullet> Where they collect it from;\n<bullet> The manner in which they organize and/or maintain it;\n<bullet> The mechanisms they have to ensure security, or to facilitate \n    both consumer access to their data and correction of errors (if \n    any);\n<bullet> Whether they audit their systems to ensure accuracy or take \n    other steps to do so;\n<bullet> The mechanisms (if any) for notifying consumers if data are \n    leaked.\n\n    In the ChoicePoint matter, we do not know precisely how the fraud \nring exploited weaknesses in the company's systems. 
It appears that the \nthieves used ChoicePoint as a ``portal'' for accessing credit report \ndata. Equifax told the Atlanta Business Journal that as many as 8,000 \nof its credit reports may have been obtained fraudulently through \nChoicePoint.\n\n<bullet> Is the 8,000 number accurate?\n<bullet> Why then did ChoicePoint send notices to 145,000 people? How \n    did ChoicePoint calculate that number and why the discrepancy with \n    the Equifax number?\n<bullet> Did the fraud ring engage in some two-step process, using \n    ChoicePoint to first try and identify a universe of good candidates \n    for identity theft, and then zero in on the best candidates and \n    pull their full credit reports?\n<bullet> How long had this been going on?\n<bullet> Why did not ChoicePoint or Equifax notice what might have been \n    an unusual pattern?\nNeeded: A Complete Accounting of The ChoicePoint Case and The Overall \n        Landscape\n    The unanswered questions cited above underscore the need for a full \naccounting, not only of the specifics of the ChoicePoint case, but of \nthe overall landscape. Because of the need to maintain the integrity of \nthe ongoing investigations, the various law enforcement authorities are \nnot likely to fully inform the public of what they learn. Therefore, it \nis imperative that Congress ensure that we have a full accounting of \nthe affair.\n    More broadly, the time has come for a full accounting of the large \ndatabase companies and the personal information they collect, maintain, \nand disclose.\n    ChoicePoint, Acxiom, LexisNexis/Seisint, Westlaw, and the like \nshould move promptly to disclose publicly the following inventories:\n\n<bullet> The Government agencies--Federal, State, and local--that \n    provide them with personal data and under what terms;\n<bullet> The kinds of personal data they collect;\n<bullet> The manner in which personal data are housed. 
To what extent \n    is information from different sources co-mingled? Are there \n    separate ``silos''?;\n<bullet> Warranty card information--which database companies collect \n    this, what are their sources, how is it stored and used?;\n<bullet> 800-toll-free profiling data--consumers can give up personal \n    information about themselves simply by calling well-equipped 800 \n    phone numbers. The information that is captured by a Caller-ID type \n    technology known as Automatic Number Identification (ANI) is stored \n    and sold by some database companies.\nState Agencies Should Suspend Sale of Some Personal\nData Until Truth Be Known\n    Considering there remain many ``unknowns'' concerning the \nChoicePoint episode in particular, and the database industry in \ngeneral, it would seem prudent for some governmental agencies to \nsuspend their release of at least some personal data to ChoicePoint \nuntil there is a full accounting.\n    There simply is no way of assessing the risk to consumers' privacy \nuntil we know the answers to the questions listed above. Therefore, it \nwould be imprudent for agencies like State Departments of Motor Vehicles to \ncontinue to permit the possibly undersupervised sharing of drivers' \ndata with ChoicePoint until confidence is restored. Curbing the release \nof such data would help reduce the risk of breaches in the near future, \nand could also expedite industry cooperation in establishing more \nrobust consumer protections.\n``Self-Regulation Already Failed''\n    Several database companies attempted to show that consumers did not \nneed legal rights by ``self-regulating.'' With much fanfare in 1997, \nsome of them joined with the FTC to announce the ``IRSG Principles'' \n(Individual Reference Services Group).\\6\\ While it seemed to offer some \npromise at the time, in hindsight the effort turned out to be little \nmore than a public relations exercise designed to stave off \nCongressional action. 
Many of the FTC's privacy-related recommendations \nwere not followed by industry.\n---------------------------------------------------------------------------\n    \\6\\ http://www.ftc.gov/bcp/privacy/wkshp97/irsdoc1.htm.\n---------------------------------------------------------------------------\nChoicePoint Wants Benefits, But Not Responsibility\n    ChoicePoint has been involved in various episodes relating to \neither improper collection of information or providing inaccurate \ninformation that unfairly disadvantaged individuals.\n    Prior to the 2000 George Bush-Al Gore Presidential battle, Florida-\nbased DBT Online Inc. signed a $4 million contract with the State of \nFlorida to ``cleanse'' voter rolls of convicted felons. DBT, later \nacquired by ChoicePoint, had misidentified 8,000 Floridians as felons, \ntemporarily barring them from voting. In July 2002, ChoicePoint settled \nout of court with the NAACP, which had sued on behalf of the voters. \nThe company recently disputed charges by the Electronic Privacy \nInformation Center that it was responsible for the incident.\n    ``Simply put, ChoicePoint played no role in the Florida election in \n2000. Database Technologies (DBT) performed the legally mandated review \nof Florida's voter rolls prior to our acquisition in 2000. The process, \na part of which included DBT, was created by the Florida legislature \nand implemented by State election officials. DBT was hired to create an \noverly inclusive list of potential voter exceptions based on criteria \nestablished by the Secretary of State, which DBT told the State might \ncreate false positives. County election supervisors--not DBT--were \nsolely responsible for verifying the eligibility to vote of any voter \nidentified by DBT on the exceptions list. 
In particular, county \nelection supervisors--not DBT--were solely responsible for the decision \nto remove any voter from the rolls,'' wrote CEO Derek Smith in a \nstatement posted to the company website.\n    Here are some other incidents:\n\n<bullet> In 2000, ChoicePoint was accused of breaking its contract with \n    the Pennsylvania Department of Transportation for posting drivers' \n    records on the Internet. The State fined ChoicePoint $1.3 million \n    and made the company agree to provide driver information only to \n    insurance companies for insurance-related purposes. The State also \n    barred the ChoicePoint employees involved in the posting from \n    having any association with Pennsylvania records. (see Privacy \n    Times, Vol. 20 No. 2, 1/19/00)\n<bullet> A pending lawsuit accuses the company of violating the Federal \n    Drivers Privacy Protection Act by selling DMV data without drivers' \n    consent (see Privacy Times, Vol. 23 No. 13, 7/1/03). ChoicePoint \n    said in SEC filings that an unfavorable outcome in such a case \n    ``could have a material adverse effect on the company's financial \n    position or results of operations.''\n<bullet> Also in 2003, ChoicePoint announced it would end its practice \n    of obtaining and selling personal data on Mexican citizens for \n    purposes of verifying identity and citizenship once the person was \n    in the United States. The information--name, address, date of \n    birth, and citizen identification number--was purchased by the \n    Georgia-based company under a contract that required the vendor to \n    certify the information was legally obtained and was available to \n    be used for identity. ChoicePoint's Chuck Jones told the media that \n    the company agreed to stop the practice because the results of a \n    government inquiry determined the information was confidential \n    under Mexican law. 
He said the data would be returned to government \n    representatives and purged from the company's system. In April \n    2003, the AP reported that the U.S. Government had bought access \n    from ChoicePoint to data on hundreds of millions of residents of 10 \n    Latin American countries--apparently without their consent or \n    knowledge. The information allowed a myriad of Federal agencies to \n    track foreigners entering and living in the U.S. (see PT, Vol. 23 \n    No. 13, 7/1/03).\n<bullet> The same year, a Federal judge in Kentucky ordered ChoicePoint to pay \n    single mom Mary L. Boris $447,000 in punitive and actual damages \n    for violating the Fair Credit Reporting Act by failing to correct \n    inaccurate insurance claims data after it was disputed. \n    ``ChoicePoint's witnesses made particularly negative impressions \n    upon the jury,'' Judge John Heyburn II wrote. ``They repeatedly \n    denied making any mistakes and instead seemed to blame all \n    defective data on others. Furthermore, ChoicePoint employees \n    appeared slow to recognize problems even once they were put on \n    notice and disclaimed all responsibility . . . Most notable, they \n    seemed annoyed at even having to appear at trial. . . ChoicePoint \n    never really explained the computer glitches which apparently \n    caused this problem. To this day, the court is still unclear what \n    procedures, if any, ChoicePoint uses to (e)nsure the accuracy of \n    its mass-circulated reports.''\n<bullet> In two separate cases in 2003, ChoicePoint settled out of \n    court with Louisianans Deborah Esteen and Dorothy Moten Johnson for \n    allegedly selling false information about them to potential \n    employers, according to the Atlanta Business Journal and MSNBC. \n    Johnson's background check supposedly revealed she was convicted of \n    public payroll fraud. 
According to her suit, she had never been \n    arrested or convicted of anything in her life.\n\n    Anyone can make mistakes. But what is most troubling about some of \nthese incidents is what appears to be ChoicePoint's consistent \nunwillingness to take responsibility for them.\n    Moreover, a new article by Bob Sullivan at MSNBC found that two \nprivacy activists who were able to review their ChoicePoint ``general'' \nfile found many inaccuracies. For Deborah Pierce, one notation \nsuggested a ``possible Texas criminal history'' and then recommended a \nmanual search of Texas court records. Pierce had only been in Texas \ntwice and never had a problem with police. There were also numerous \ninaccuracies in her past addresses and other routine data. The report \nalso listed three automobiles she never owned and three companies \nthat she never owned or worked for.\n    Richard Smith's dossier had the same kind of errors as Pierce's. \nHis file also suggested a manual search of Texas court records was \nrequired, and listed him as connected to 30 businesses which he knew \nnothing about.\n    It also said that he and his wife had a child 3 years before they \nwere married, that he had been married previously to another woman, and \nmost absurd, that he had died in 1976. ``Pretty obviously the data \nquality is low,'' Smith said. He equated a ChoicePoint report to the \nresults of a Google search on a person--solid information is mixed in \nwith dozens of unrelated items. The more common a name, the more \nextraneous information is produced.\n    These descriptions raise troubling doubts about ChoicePoint's \nmethods for collecting data and ensuring accuracy.\nComprehensive Approach is Needed\n    As U.S. PIRG pointed out, Congress needs to fashion legislation \nthat is based upon principles of ``Fair Information Practices'' \n(FIP's). 
Earlier, I mentioned the five principles developed by the 1973 \nHEW Task Force.\n    The Committee should also be guided by the 1980 FIP's developed by \nthe Organization of Economic Cooperation and Development (OECD), with \nthe endorsement of the U.S. Government, Japan, and Western European \ngovernments. These eight principles are often referred to as the ``Gold \nStandard'' of privacy.\n\n    (1) Collection Limitation.\n    (2) Data Quality.\n    (3) Purpose Specification.\n    (4) Use Limitation.\n    (5) Security Safeguards.\n    (6) Openness.\n    (7) Participation.\n    (8) Accountability.\n\n    As mentioned before, the newly drafted ``Model Regime For Privacy \nProtection,'' by Prof. Daniel J. Solove & Chris Jay Hoofnagle offers \neven more specific guidance for the issues before the Committee. They \nare:\nNotice, Consent, Control, and Access\n    1. Universal Notice.\n    2. Meaningful Informed Consent.\n    3. One-Step Exercise of Rights.\n    4. Individual Credit Management\n    5. Access to, and Accuracy of Personal Information.\nSecurity of Personal Information\n    6. Secure Identification.\n    7. Disclosure of Security Breaches.\nBusiness Access to and Use of Personal Information\n    8. Social Security Number Use Limitation.\n    9. Access and Use Restrictions for Public Records.\n    10. Curbing Excessive Uses of Background Checks.\n    11. Private Investigators.\nGovernment Access to and Use of Personal Data\n    12. Limiting Government Access to Business and Financial Records.\n    13. Government Data Mining.\n    14. Control of Government Maintenance of Personal Information.\nPrivacy Innovation and Enforcement\nEffective Enforcement of Privacy Rights\n    Mr. Chairman, thank you again for this opportunity. 
I would be \nhappy to answer any questions and look forward to working with this \nCommittee and others to fashion a solution to the problems raised by \nthese recent data leakages.\n\n                               ----------\n\n                  PREPARED STATEMENT OF BARBARA DESOER\n Global Technology, Service and Fulfillment Executive, Bank of America\n                             March 8, 2005\n\n    Chairman Shelby, Senator Sarbanes, Committee Members, good \nafternoon. I am Barbara Desoer, Global Technology, Service & \nFulfillment executive for Bank of America. I am a member of Chairman \nand CEO Ken Lewis' executive leadership team.\n    On behalf of the leadership of our company and all Bank of America \nassociates, thank you for the opportunity to appear before this \nCommittee to provide our perspective on recent events involving our \nGovernment charge cardholders.\n    I would like to express how deeply all of us at Bank of America \nregret this incident. We collectively make our living and pursue our \nprofessional mission by helping people at home, in business, and in \nGovernment manage their financial lives. This work rests on a strong \nfoundation of trust, more so in today's incredibly complex and fast-\nmoving world of electronic commerce than ever before. 
One of our \nhighest priorities, therefore, is building and maintaining a track \nrecord of responsible stewardship of customer information that inspires \nour customers' confidence and provides them peace of mind.\n    In my opening remarks today, I will provide an overview of:\n\n<bullet> What we know regarding the loss of our computer data backup \n    tapes;\n<bullet> The steps we have taken to alert and protect our Government \n    charge cardholders;\n<bullet> Our current information security practices; and,\n<bullet> Our thoughts regarding new legislation or regulations to \n    improve the security of personal information in our country.\n\n    On February 25, 2005, Bank of America began proactively \ncommunicating to U.S. General Services Administration (GSA) \nSmartPay<SUP>'</SUP> charge cardholders that computer data backup tapes \nwere lost during transport to a backup data center. The missing tapes \ncontained customer and account information for approximately 1.2 \nmillion Government charge cardholders. The actual data on the tapes \nvaried by cardholder, and may have included name, address, account \nnumber, and Social Security number.\n    The shipment took place on December 22, 2004. A total of 15 tapes \nwere shipped. Five were lost in transit. Two of the lost tapes included \ncustomer information; the remaining three contained nonsensitive, \nbackup software.\n    Backup tapes such as these are created and stored at remote \nlocations as a routine industry contingency practice in the case of any \nevent that might interrupt our ability to serve our customers. This is \nstandard industry practice, and is designed to protect businesses, \ntheir customers, and the U.S. economy at-large, in the event of \ndisruptions in the economic environment that arise from either natural \nor man-made causes. 
Such contingency planning is a fundamental part of \nour enterprise risk management program.\n    As is our standard practice, none of the tapes or their containers \nbore any markings or information identifying our company, the nature of \ntheir contents, or their destination. Nor are any of the personnel \ninvolved in the shipping process aware of the nature of the materials \nbeing shipped. As to the tapes themselves, sophisticated equipment, \nsoftware and operator expertise are all required to access the \ninformation. In addition, specific knowledge of the manner in which the \ndata is stored--that is, the ``fragmented'' nature of the data and the \nsteps required to reassemble it--would be required.\n    After the tapes were reported missing, Bank of America officials \nnotified appropriate officials at the GSA. Bank of America officials \nalso engaged Federal law enforcement officials at the Secret Service, \nwho began a thorough investigation into the matter, working closely \nwith Bank of America.\n    Federal law enforcement initially directed that to preserve the \nintegrity of the investigation, no communication could take place to \nthe public or the cardholders. Doing so would have drawn enormous \npublic attention to the tapes at a time when their whereabouts were \nstill a matter of intense investigation and the specific content was \nstill being analyzed. While the investigation was moving ahead, we put \nin place a system to monitor the affected accounts and, in fact, \nresearched account activity retroactively to the date of the data \nshipment to identify any unusual or potentially fraudulent activity in \nthe accounts.\n    The investigation, which continues today, included a detailed \nreview of the entire transit process for the shipment including the \narchive vendor, truck drivers, airline personnel, and Bank of America \nemployees. 
The Secret Service has advised us and GSA management that \ntheir investigation has revealed no evidence to indicate that the tapes \nwere wrongfully accessed or their content compromised. The Secret \nService findings are complemented by the Bank of America fraud \nmonitoring process which continues to indicate there has been no \nunusual activity or attempted unauthorized use of the monitored \naccounts to date.\n    In mid-February, law enforcement authorities advised us that \ncommunication to our customers would no longer adversely impact the \ninvestigation. We have completed the initial notifications and are \ncontinuing to communicate to our customers to ensure they understand \nadditional steps we are taking to help protect their personal \ninformation.\n    Bank of America quickly established a toll-free number Government \ncharge cardholders could use to call with questions or request \nadditional assistance. We also have offered credit reports and enhanced \nfraud monitoring services to cardholders at our expense. In an effort \nto be extra cautious and open with our customers, we also communicated \nto Government cardholders whose account information was not included in \nthe lost tapes.\n    Government cardholder accounts included on the data tapes have been \nand will continue to be monitored by Bank of America, and Government \ncardholders will be contacted should any unusual activity be detected. \nNo unusual activity has been observed to date. Per standard Bank of \nAmerica policy, Government cardholders will not be held liable for any \nunauthorized use of their cards.\n    In 2002, the Treasury Department chose our company to establish and \nchair the Financial Services Sector Coordinating Council for Critical \nInfrastructure Protection and Homeland Security. 
We also are a member \nof the President's National Security Telecommunications Advisory \nCommittee, which provides subject matter expertise to study issues \nvital to advancement of national security and emergency preparedness.\n    I mention this evidence of our leadership not simply to highlight \nour accomplishments. We all agree this is a time for humility, and we \nhave come here in that spirit. Rather, I wish only to demonstrate to \nthe Committee the seriousness with which we regard these issues and the \ngravity with which we regard our responsibility for leadership.\n    Without a strong foundation of trust and confidence, our industry \ncannot function and cannot serve our customers. We understand all too \nwell this fact and its implications for our business, our economy, and \nour country.\n    Our information security standards are based on regulatory guidance \nfrom the Federal Government (such as the OCC, the FRB, and others) and \ninternational banking regulatory bodies. In addition, the bank's \nstrategy includes a continuous \nreview of information security assessment criteria used by industry \ninformation security professionals. It is the bank's goal to meet or \nexceed information security standards and regulations dictated by our \nregulators or used by our industry peers in our day-to-day operations.\n    In that spirit, I would like to provide a brief overview of our \nCorporate Information Security Program. 
The Bank of America Corporate \nInformation Security Program is designed to:\n\n<bullet> Develop and implement safeguards for the security, \n    confidentiality, integrity, and availability of customer \n    information;\n<bullet> Achieve protection of information against threats to security \n    based on the value of the information or the harm that could result \n    to a customer from unauthorized access;\n<bullet> Monitor and respond to attempts to threaten the security of \n    customer information;\n<bullet> Develop and implement plans to provide backup systems to \n    prevent information damage or destruction caused by environmental \n    hazards or malicious actions; and,\n<bullet> Adjust the Bank of America Corporate Information Security \n    Program in response to changes in technology, information \n    sensitivity, threats, or the business environment.\n\n    As a national financial institution, we are highly regulated and \nregularly examined on our practices regarding security of customer \ninformation. We are required to follow specific regulatory guidance \nfrom the Office of the Comptroller of the Currency on how to handle \nsuch information. And we are constantly working to enhance the systems \nwe use to monitor customer data to ensure that we know where that data \nis and how it is being used.\n    The incident we are discussing was unfortunate and regrettable. \nThat said, we feel that it has shed helpful light on a critical element \nof the industry's practices for data transport. We view this as an \nopportunity to learn and to lead the industry to better answers that \nwill give our customers the confidence and security they deserve.\n    As I said earlier, we decided, out of an abundance of caution, to \nnotify the affected accountholders after law enforcement advised us \nthat notification would no longer adversely affect the investigation. 
\nHowever, we also acknowledge that providing notices when there is low \nrisk that the information will be misused has potential drawbacks, such \nas creating unnecessary anxiety in customers, and if provided too \nfrequently in non-threatening situations, degrading the effectiveness \nof a security breach notice.\n    Proposed Federal legislation would require that customers be \nnotified immediately whenever a security breach is discovered. Our \nrecent actions demonstrate our support of the conviction that customers \nhave a right to know when their information may have been compromised, \nand that timely notification in the appropriate circumstances could \nhelp to minimize various risks associated with a compromise of customer \ninformation.\n    At the same time, we advise some caution regarding legislative \nsolutions. For example, in some instances a thorough investigation of \nthe security may conclude there is no risk that the information was \nused for illegal purposes. In these instances, it is probably best to \nleave it to the discretion of the institution to decide if customers \nshould be notified.\n    Bank of America's participation in and leadership of public-private \npartnerships to advance the cause of information security in this \ncountry is clear. We have always maintained that both Government and \nindustry have a role to play, and we have leveraged these working \nrelationships over the past several years with extremely positive \nresults.\n    That said, in our experience, often the best solutions arise out of \nthe work we do together, but are implemented through the voluntary \ncooperation of private sector organizations. This is because the \ninformation security environment is by its very nature so fluid and \nrapidly evolving. 
The environment demands solutions and countermeasures \nthat can evolve and advance with speed and flexibility, in contrast to \nthe more static nature of purely legislative or regulatory solutions.\n    Members of the Committee, I would like to conclude by emphasizing \nhow much all of us at Bank of America deeply regret this unfortunate \nincident. The privacy of customer information is one of the highest \npriorities at our company, and we take our responsibility for \nsafeguarding it very seriously.\n    I can assure you on behalf of our leadership team and all our \nassociates, we will do all we can to ensure that our customers have the \nfreedom to engage in business and commerce and manage their financial \nlives secure in the knowledge that their personal information will be \nrespected and protected by the institutions in which they place their \ntrust.\n    This concludes my prepared testimony. I will now be happy to answer \nany questions.\n</pre></body></html>\n"