[Senate Hearing 109-451]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 109-451

 
                  IDENTITY THEFT: RECENT DEVELOPMENTS
                       INVOLVING THE SECURITY OF
                     SENSITIVE CONSUMER INFORMATION

=======================================================================

                                HEARINGS

                               before the

                              COMMITTEE ON
                   BANKING,HOUSING,AND URBAN AFFAIRS
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                                   ON

   RECENT DEVELOPMENTS INVOLVING THE SECURITY OF SENSITIVE CONSUMER 
  INFORMATION RELATING TO IDENTITY THEFT, FOCUSING ON LAWS CURRENTLY 
            APPLICABLE TO RESELLERS OF CONSUMER INFORMATION

                               __________

                         MARCH 10 AND 15, 2005

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs


      Available at: http: //www.access.gpo.gov /congress /senate/
                            senate05sh.html



                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
28-404                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001


            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                  RICHARD C. SHELBY, Alabama, Chairman

ROBERT F. BENNETT, Utah              PAUL S. SARBANES, Maryland
WAYNE ALLARD, Colorado               CHRISTOPHER J. DODD, Connecticut
MICHAEL B. ENZI, Wyoming             TIM JOHNSON, South Dakota
CHUCK HAGEL, Nebraska                JACK REED, Rhode Island
RICK SANTORUM, Pennsylvania          CHARLES E. SCHUMER, New York
JIM BUNNING, Kentucky                EVAN BAYH, Indiana
MIKE CRAPO, Idaho                    THOMAS R. CARPER, Delaware
JOHN E. SUNUNU, New Hampshire        DEBBIE STABENOW, Michigan
ELIZABETH DOLE, North Carolina       ROBERT MENENDEZ, New Jersey
MEL MARTINEZ, Florida

             Kathleen L. Casey, Staff Director and Counsel

     Steven B. Harris, Democratic Staff Director and Chief Counsel

                         Mark Oesterle, Counsel

                 Dean V. Shahinian, Democratic Counsel

   Joseph R. Kolinski, Chief Clerk and Computer Systems Administrator

                       George E. Whittle, Editor

                                  (ii)
?

                            C O N T E N T S

                              ----------                              

                        THURSDAY, MARCH 10, 2005

                                                                   Page

Opening statement of Chairman Shelby.............................     1

Opening statements, comments, or prepared statements of:
    Senator Corzine..............................................     2
        Prepared statement.......................................    25
    Senator Sarbanes.............................................     5
    Senator Johnson..............................................     7
    Senator Reed.................................................    12
    Senator Dole.................................................    14
        Prepared statement.......................................    26
    Senator Schumer..............................................    14

                               WITNESSES

Partick Leahy, a U.S. Senator from the State of Vermont..........     3
Deborah Platt Majoras, Chairman, Federal Trade Commission........     8
    Prepared statement...........................................    27
Larry Johnson, Special Agent in Charge, Criminal Investigative 
  Division, U.S. Secret Service..................................    19
    Prepared statement...........................................    48
Amy S. Friend, Assistant Chief Counsel, Office of the Comptroller 
  of the Currency................................................    22
    Prepared statement...........................................    50
                              ----------                              

                        THURSDAY, MARCH 15, 2005

Opening statement of Chairman Shelby.............................    55

Opening statements, comments, or prepared statements of:
    Senator Sarbanes.............................................    68
    Senator Bunning..............................................    71
    Senator Schumer..............................................    73
    Senator Allard...............................................    76
        Prepared statement.......................................    83

                               WITNESSES

Don McGuffey, Vice President, ChoicePoint Services, Inc..........    55
Evan Hendricks, Editor and Publisher, Privacy Times..............    58
    Prepared statement...........................................    83
Barbara Desoer, Global Technology, Service and Fulfillment 
  Executive, Bank of America.....................................    61
    Prepared statement...........................................    88

                                 (iii)


                  IDENTITY THEFT: RECENT DEVELOPMENTS
                       INVOLVING THE SECURITY OF
                     SENSITIVE CONSUMER INFORMATION

                              ----------                              


                        THURSDAY, MARCH 10, 2005

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.

    The Committee met at 2:50 p.m., in room SD-538, Dirksen 
Senate Office Building, Senator Richard C. Shelby (Chairman of 
the Committee) presiding.

        OPENING STATEMENT OF CHAIRMAN RICHARD C. SHELBY

    Chairman Shelby. The hearing will come to order.
    This afternoon we are going to hold the first of two 
hearings to examine the level of security that has been 
provided to sensitive financial information. While two 
incidents have received significant media attention and brought 
this issue to the forefront, I want to make clear that these 
events are only a small part of larger developments and note 
that I feel this overall subject requires broad, not simply 
anecdotal, consideration.
    The fact is, technology has profoundly changed our economy. 
Automation, depersonalized transactions, and the electronic 
storage, manipulation, and transfer of massive amounts of 
sensitive information are entirely routine. While there are 
significant benefits associated with these developments, we 
must also recognize that there are some significant risks 
associated with them as well.
    Most notably our rapid-fire, credit-in-a-moment economy 
provides tremendous opportunities for fraud and identity theft. 
If a crook gets hold of someone's personal information such as 
their name, date of birth, and Social Security number they can 
steal millions of dollars and wreak havoc on that person's life 
and credit history in only a matter of moments. For this 
reason, I believe it is paramount that this kind of sensitive 
information be properly protected.
    In the past, much of the focus regarding identity theft 
prevention has been directed on what an individual can do to 
protect themselves. This was and remains very important, but 
identity theft criminals have grown more sophisticated and are 
more aggressively pursuing information from centralized data 
sources. At a minimum, recent events indicate that we must 
remain constantly vigilant regarding the financial information, 
security practices and entities that hold millions, if not 
billions, of financial records.
    Thus, the purpose of today's hearing is to gain insight 
into the state of the industry compliance with the laws 
designed to protect personal financial information and to learn 
whether the current legal framework provides adequate 
protections and has kept pace with the change in the 
marketplace.
    We look forward to hearing from the witnesses today.
    Senator Corzine, do you have an opening statement?

              STATEMENT OF SENATOR JON S. CORZINE

    Senator Corzine. Yes, I do, sir. Thank you, Mr. Chairman, 
and I want to thank you for holding this hearing on identify 
theft and related security issues with regard to sensitive 
consumer information. I want to say your response to this 
emerging problem is typical of your leadership. I think it is 
strong leadership on a whole series of issues as has been the 
case with Ranking Member Sarbanes as well. I appreciate it and 
I know the public will because it is something of great 
concern.
    The importance of this, as we have all heard, has been 
underscored recently. As the Chairman said, it may be anecdotal 
but it seems to be more broad based than just the occasional 
anecdote. Just yesterday, the announced breach of LexisNexis, 
the scandal at data broker ChoicePoint, and the loss by Bank of 
America of sensitive information on over one million 
individuals, among them Members of the U.S. Senate, including 
some sitting at this table.
    These alarming instances are a stark reminder of just how 
vulnerable consumers and each of us are at having our personal 
information fall into the wrong hands, the hands of thieves. 
Personal information such as our Social Security numbers, 
drivers license, auto registration numbers, credit histories, 
and credit card numbers are vulnerable to people who know how 
to use technology for ill-begotten ways.
    As alarming as the brashness of the identity thieves and 
the growth of the crime is, is the notion that there are likely 
other instances of large-scale identity theft that we have 
never been able to define or disclose to the public.
    Mr. Chairman, identity theft is on the rise and is probably 
our fastest-growing consumer crime. According to the FTC, 
nearly 10 million Americans were the victims of identity theft 
in 2003, three times the number of victims just 3 years before 
that. Research shows that there are as many as 13 identity 
thefts every minute.
    It is a crime that harms our economy in the form of lost 
productivity and capital. Aggregate estimates of the costs are 
not truly identified, and I think that actually identifies a 
problem in and of itself in the sense that we do not have a 
complete handle on what its impact is on the public. According 
to the Identity Theft Resource Center, identity theft victims 
spend nearly 600 working hours recovering from the crime, and 
the cost in lost wages can be as much as $16,000 per incident 
before the loss itself, and the emotional distress is 
immeasurable.
    Technological innovation has brought about a data 
revolution that most consumers have benefited from, but it has 
come with some cost.
    In this context, Mr. Chairman, next week I will be offering 
and introducing the Identity Theft Prevention and Victim 
Notification and Assistance Act. The bill takes a comprehensive 
approach to the problem of identity theft, better oversight, 
strong standards aimed at preventing identity theft, victim 
notification and assistance, and tough enforcement by Federal 
regulators, including those that will testify today if we can 
give them the resources to do their job.
    It authorizes the FTC to write rules requiring firms to 
ensure the accuracy, security, and integrity of sensitive 
personnel information, enhances identity theft prevention by 
requiring all companies maintain sensitive personal 
information, establish security systems that safeguard their 
information. I could go through the details of it, but I will 
submit that in a longer statement for the record. But one of 
the things it does is not unlike what is in Sarbanes-Oxley. It 
requires that the chief enforcement officer attest to the 
effectiveness of the systems that provide for control of 
information.
    So there is a whole series of additional steps which I 
think are absolutely vital, including--and the last one might 
be most important--immediate notification of the consumers who 
are impacted by this. Too often as we saw in the ChoicePoint 
and other situations, people were not informed immediately. 
They only find out when someone has used their credit or has 
stolen from them, and it is a problem that needs to be 
addressed.
    I look forward to working with the Committee, the Chairman, 
and my colleagues on addressing this as we go forward. Thank 
you very much. I have a more extensive statement.
    Chairman Shelby. Your entire statement will be made part of 
the record in its entirety, Senator Corzine.
    Chairman Shelby. Our first panel we have our colleague, 
Senator Patrick Leahy, U.S. Senator from Vermont, someone who 
spent a lot of time--former Chairman of the Judiciary Committee 
and now ranking Democrat--there in this area.
    Senator Leahy, welcome to the Banking Committee. Your 
entire statement will be made part of the record. You proceed 
as you wish.

                   STATEMENT OF PATRICK LEAHY

            A U.S. SENATOR FROM THE STATE OF VERMONT

    Senator Leahy. Thank you, Mr. Chairman, and I appreciate 
the courtesy of having me here. I spoke to earlier in private 
about this. I will state publicly that I applaud your decision 
to hold today's hearing about recent security breaches at 
ChoicePoint and Bank of America, and what that means about 
protecting sensitive consumer data. You and Senator Sarbanes 
have been leaders on these issues and I thank you for this 
opportunity.
    We are in a challenging area. The advanced technologies 
have opened up new possibilities. They have brought enormous 
benefits to consumers and commerce, law enforcement, and there 
is no doubt these advances have made our lives better, safer, 
but they have also created new vulnerabilities for our privacy 
and for our security. It is becoming increasingly clear these 
trends have challenged the privacy laws we currently have. And 
today's security saturated environment is fostering 
partnerships between Government and private data brokers, 
creating new challenges for maintaining privacy standards over 
the sensitive information that more and more involves every 
single American.
    The troubling events at ChoicePoint, Bank of America, and 
now LexisNexis are a window on some of these weaknesses. 
ChoicePoint's bread and butter business includes identity 
verification and screening to help corporate America, as they 
say, ``know its customers.'' Well, this company failed to know 
its own customers. They sold personal information on at least 
145,000 Americans to criminals posing as legitimate companies. 
It was an irresponsible violation of the fiduciary relationship 
they have to their customers.
    Then there is Bank of America which recently announced that 
the personal information of more than a million Government 
employees, including some Senators and Senate staff members, 
was compromised when backup tapes disappeared during transport 
on a commercial airliner. We now understand this type of 
transport is routine not only for them but also the entire 
industry.
    I do not know what these people are thinking. Mr. Chairman, 
you and I travel commercially. We travel a lot. We have had our 
suitcases lost. Do they think that the suitcase full of some of 
the most important data on their customers could not get lost 
too? Can you imagine how disillusioned their customers must 
feel when they find Bank of America did not care any more about 
them than to let that happen? On the eve of this hearing we 
have also learned that personal information on 32,000 more 
Americans was potentially compromised at a subsidiary of 
LexisNexis.
    The susceptibility of our most personal data to relatively 
unsophisticated scams or logistical mishaps is greatly 
disturbing, and that is even before we consider the dangers 
posed by insiders, by hackers, by organized crime, and now we 
know by terrorists. In an era where personal information is a 
key commodity, the personal information of Americans has become 
a treasure trove, valuable but also vulnerable.
    Today, companies around the world routinely traffic in 
billions of personal records about consumers. The magnitude of 
these transactions has rendered the individuals behind the data 
faceless. But at the end of the day if things go south, it is 
the consumer that bears the brunt of the harm, not the company. 
For consumers, caught up in the endless cycle of watching their 
credit unravel, and doing the damage caused by such breaches 
becomes life-consuming and monumental.
    Congress needs to act. We have to do it right. Many of us 
have been examining the information brokering industry. 
Consumers should know who has their data, what it is being used 
for, how they can correct mistakes. They should have notice 
consistent with law enforcement considerations so they can 
protect themselves. That is just basic fairness.
    We have to look closely at ensuring a standard of care 
consistent with the high value of this data, including penalty 
options when companies fall short of meeting those standards. 
Data brokers are increasingly partnering with the Government in 
law enforcement and homeland security efforts. It could prove 
useful for us here in Congress to consider the extent to which 
a company's privacy and security practices are the qualifying 
factors in securing Federal contracts, because then we could 
also ask what would be the appropriate penalties in the 
contract procurement process for any failure. So, I welcome the 
opportunity to work with you, with my colleagues on Judiciary, 
and with this Committee. And Judiciary will also have hearings. 
Senator Specter and I intend to.
    Privacy and liberty are important values to the American 
people. It is not a Democratic or Republican issue, it is an 
American issue. Our collective vigilance in protecting these 
cherished values has allowed us to enjoy unparalleled freedom, 
security, and economic vitality. We have to continue this 
vigilance.
    I applaud you, Mr. Chairman. Your hearing today is going to 
shed much needed light on a rapidly growing industry and its 
practices in handling the financial and personal information of 
every American. I look forward to continuing to work with you. 
I think at the end of the day when we finish the hearings here 
and in Judiciary, the American people should end up being 
better protected, but I think they are also going to have a 
better idea what happens to their personal information.
    Thank you, sir.
    Chairman Shelby. Thank you, Senator. We look forward to 
working with you and also the Judiciary and other Committees, 
whatever we have to do to try to secure the American people's 
financial information.
    We have got a vote on the floor now of the Schumer 
Amendment. We are going to take a break and go vote, and then 
we will get in the second panel. We will be in recess until we 
get back.
    [Recess.]

             STATEMENT OF SENATOR PAUL S. SARBANES

    Senator Sarbanes. [Presiding.] First of all, let me assure 
you this is not a coup.
    [Laughter.]
    I saw Chairman Shelby in the hallway, and he is on his way 
for this vote, and I had just finished it. There is another 
vote that will be coming so we are trying to keep the process 
moving ahead, although it is under rather difficult 
circumstances. So, I am going to go ahead now and make my 
opening statement so we get that behind us in terms of the 
business yet to be done.
    First of all, I want to commend Chairman Shelby for holding 
this very timely hearing. I underscore his quick response to 
the news of recent breaches of data security that potentially 
affect millions of Americans. Data security and financial 
privacy are important values in our society. They have been the 
subject of Banking Committee hearings and legislative markups 
since the 105th Congress. Title V of the Gramm-Leach-Bliley Act 
of 1999 contained data security and privacy protections. And 
the identity theft and affiliate sharing protections were in 
the Fair and Accurate Credit Transaction Act of 2003. Both of 
those bills came out of this Committee.
    Security breaches, very regrettably, have led to the 
improper release of the sensitive personal data of millions of 
Americans. Last month, ChoicePoint, a data broker, described by 
a journalist as the world's largest private intelligence 
operation, sold information that had personally identifiable 
data on 145,000 people to imposters, people not properly 
entitled to the information. According to ChoicePoint's 
testimony, this included ``access [to] information products 
primarily containing the following information: Consumer names, 
current and former addresses, Social Security numbers, drivers 
license numbers, certain other public record information such 
as bankruptcies, liens and judgments, and in certain cases 
credit reports.''
    Bank of America, one of the world's largest financial 
institutions, serving 33 million consumer relationships, 
reported the loss of backup computer tapes which, according to 
testimony today, ``contained customer and account information 
for approximately 1.2 million Government charge holders . .  
and may have included name, address, account number and Social 
Security number.'' I understand that both of these companies 
are taking actions to prevent future problems.
    More data security breaches were revealed this week. On 
Tuesday, DSW Shoe Warehouse stores reported that credit card 
information from customers of more than 100 of its stores had 
been stolen. On Wednesday, LexisNexis announced the theft of 
the names, addresses, Social Security numbers, and drivers 
license numbers of more than 30,000 people from its Seisint 
subsidiary.
    These and other breachers have caused widespread concern 
among the public and in the Congress. The Washington Post 
reported, ``public ire is intensifying.'' I can vouch for that 
on the basis of the constituents who have contacted me, and I 
hear the same from my colleagues. We know that Americans have 
strong concerns about protecting their personal information. 
The Baltimore Sun, in an editorial entitled ``Stealing by the 
Numbers,'' said, This is an industry ripe for Federal and State 
controls.''
    Congressional hearings are being planned and legislation is 
being introduced by Senator Corzine and by others to address 
this problem.
    I strongly share the concern about the improper release of 
personally identifiable financial information. A particular 
danger is that citizens whose data is compromised may become 
victims of identity theft, which is of course a serious 
national problem that has grown in recent years. Honest 
citizens who become identity theft victims incur a high cost in 
money, time, anxiety, and efforts to correct their spoiled 
credit histories and restore their good credit name. While 
swift apprehension and punishment of criminals is important, we 
must also seek to prevent breaches, to enable consumers to 
protect themselves, and to assist citizens who have become 
victims through no fault of their own.
    Many questions are raised. What potentials harms to 
consumers can result from breaches of personal data held by 
financial institutions or data brokers? How are the data 
practices of data brokers and financial institutions regulated? 
What steps should be taken to prevent future breaches? Is 
additional Federal regulation needed in order to adequately 
protect consumers? Should consumers be given more rights to 
protect data about themselves, giving consumers the rights to 
have access to a copy of the records and to correct errors, or 
requiring notification of consumers when data breaches occur? 
And should financial institutions more fully inform consumers 
about the specific types of information they possess and what 
they do with data?
    Other questions also of course occur, and I expect this to 
be a matter which the Congress will examine very carefully.
    Do you have a statement, Senator Johnson?

                STATEMENT BY SENATOR TIM JOHNSON

    Senator Johnson. Yes, thank you, Senator Sarbanes. I 
appreciate both you and Chairman Shelby for convening this 
important hearing, and I welcome the distinguished panel of 
participants that we have here today. I regret that we have 
these ongoing votes plus a markup in the Budget Committee, 
which is going to take me away from being here personally, as 
much as I would like to be. But it is my hope that this is just 
the first of a series of hearings about information security. 
Clearly, we need to take a hard look at whether governing 
statutes are adequate to protect the increasing body of 
personal information databases. I appreciate the clarity with 
which the FTC has summarized those laws in its written 
testimony, and I hope that we can work together to legislate in 
a speedy and effective manner to capture all industry players.
    Mr. Chairman, I believe that we also need to take a close 
look at what we can do within the current legal framework to 
protect sensitive personal and financial information. We know 
companies face significant and ongoing problems with both 
insider breaches and outside hackers. In these cases, the 
problem is not the absence of a governing statute, but rather a 
violation of an ongoing statute.
    I would like to call the Committee's attention to some 
innovations in the area of data security which bear discussion. 
One example is Dakota State University in Madison, South 
Dakota. DSU's Information Assurance program has developed 
important technologies to protect community banks from 
information breaches. DSU recently won accreditation from the 
National Security Agency for its bank-focused program which 
specializes in assisting banks to protect sensitive information 
within current legal frameworks.
    A security breach is costly both financially and toward 
reputation. Many companies, though regrettably not all, go 
beyond legal requirements to ensure the security of their data. 
I hope through this hearing process we will get a better sense 
of the landscape of technologies available to financial and 
other institutions that might help them protect their 
databases.
    As we examine how to capture all players with access to 
sensitive financial and personal information in a regulatory 
framework, we need to be careful to preserve the success of the 
Fair Credit Reporting Act. I was struck just this past week 
again by the potential benefits that FCRA can bring consumers 
who handle credit responsibly.
    As we stand poised to pass bankruptcy reform legislation, I 
believe that the credit reporting system may be able to play a 
positive role in helping bankruptcy filers rehabilitate their 
credit more quickly.
    In the coming weeks, it is my intention to work actively 
with the bankruptcy advisory committees and trustees, the 
credit bureaus, and the industry players to encourage a full 
reporting of Chapter 13 payment plans to credit bureaus. The 
credit reporting system is only as good as the information 
contained in it, and we have an important opportunity to 
encourage reporting that will help hard-working Americans who 
have fallen on hard times prove that they can in fact handle 
credit responsibly. Those people who are able to repay any part 
of their debt should get credit for that effort, and I intend 
to work hard to make sure that that in fact happens.
    Thank you, Senator Sarbanes.
    Senator Sarbanes. Thank you very much, Senator Johnson.
    I think the best course now would be to recess again 
because there is a vote about to happen, and I think the 
Chairman will then be on his way back, and I think he will then 
be in a position to go into the hearing with the next panel, 
which I gather would be with the Chairwoman of the FTC.
    Thank you all very much.
    [Recess.]
    Chairman Shelby. [Presiding.] The Committee will come back 
to order. We are sorry about the inconvenience, but that is the 
way the Senate works, two straight votes.
    Our second panel we have the Chairman of the Federal Trade 
Commission, Deborah Platt Majoras. We welcome you to the 
Committee. Your written statement will be made part of the 
record in its entirety. You proceed as you wish.

               STATEMENT OF DEBORAH PLATT MAJORAS

               CHAIRMAN, FEDERAL TRADE COMMISSION

    Ms. Majoras. Thank you, Mr. Chairman and Members of the 
Committee. I am Deborah Majoras, Chairman of the Federal Trade 
Commission.
    I am grateful for the opportunity to testify about identity 
theft, the security of consumer information, and in particular, 
the collection of that information by data brokers.
    Although the views expressed in the written testimony 
represent the views of the entire Commission, my oral 
presentation and responses to questions are my own and do not 
necessarily reflect the views of the Commission or the other 
Commissioners.
    Recent revelations about security breaches that resulted in 
disclosure of sensitive information about thousands of 
consumers have put a spotlight on the practices of data brokers 
like ChoicePoint that collect and sell this information. The 
data broker industry includes many types of businesses, 
providing a variety of services to an array of commercial and 
Government entities. Information sold by data brokers is used 
for many purposes, from marketing to assisting in law 
enforcement.
    Despite the potential benefits of these information 
services, the data broker industry is the subject of both 
privacy and information security concerns. As recent events 
demonstrate, if the sensitive information they collect gets 
into the wrong hands it can cause serious harm to consumers, 
including identity theft.
    Identify theft is a pernicious problem. A recent FTC survey 
estimated that as many as 10 million consumers discovered that 
they were victims of some form of identity theft in the 12 
months preceding the survey, costing consumers nearly $5 
billion in losses, and American businesses roughly $48 billion 
in losses. We must look seriously at ways to reduce identity 
theft which has shaken consumer confidence to the core.
    One means of reducing identity theft is to ensure that 
sensitive, nonpublic information that is collected by data 
brokers is maintained securely.
    There is no single Federal law governing the practices of 
data brokers. There are, however, statutes and regulations that 
address the security of the information they maintain, 
depending on how the information was collected, and how it is 
used.
    The Fair Credit Reporting Act, for example, makes it 
illegal to disseminate consumer report information, like credit 
reports, to someone who does not have a permissible purpose; 
that is, a legitimate business need for the information. Thus, 
data brokers are only subject to the FCRA's requirements to the 
extent that they provide consumer reports, as that term is 
defined in the statute.
    Similarly, the Gramm-Leach-Bliley Act, which the Commission 
also enforces, imposes restrictions on the extent to which 
financial institutions may disclose consumer information 
related to financial products and services. Under Gramm-Leach-
Bliley, the Commission issued a Safeguards Rule, which imposes 
security requirements on a broadly defined group of financial 
institutions that hold customer information. The Commission 
recently brought two cases in which we alleged that companies 
had not taken reasonable precautions to safeguard consumer 
information.
    Finally, in the third statutory regime, Section 5 of the 
FTC Act prohibits unfair and deceptive practices by a broad 
spectrum of businesses, including those involved in the 
collection or use of personal information. Under this 
authority, the Federal Trade Commission has brought several 
actions against companies that have made false promises about 
how they would use or secure sensitive personal information, 
and these cases make clear that an actual breach of security is 
not necessary for enforcement under Section 5 if the Commission 
determines the company's security procedures are not reasonable 
in light of the sensitivity of the information that they 
collect and hold. Evidence of a breach, of course, may be 
relevant, though, to whether the procedures were not adequate. 
It is important to remember, though, that there is no such 
thing as perfect security, and breaches can occur even when a 
company has taken every reasonable precaution.
    The Commission, consistent with the role Congress delegated 
in 1998, has worked hard to educate consumers and businesses 
about the risks of identity theft and to assist victims and law 
enforcement officials. The Commission maintains a website and a 
toll-free hotline staffed with trained counselors to advise 
victims on how to reclaim their identities. We receive roughly 
15,000 to 20,000 contacts per week on the hotline, through our 
website, or mail from victims and from consumers who want to 
avoid becoming victims. The Commission also facilitates 
cooperation, information sharing, and training among Federal, 
State, and local law enforcement authorities fighting this 
crime.
    Although data brokers are currently subject to this 
patchwork of laws, depending on the nature of their operations, 
recent events clearly raise the issue of whether these laws are 
sufficient to ensure the security of their information. I 
believe that there may be additional measures that would 
benefit consumers.
    The most immediate need is to address the risks to the 
security of the information. Extending the Commission's 
Safeguards Rule to sensitive personal information collected by 
data brokers is one sensible step that could be taken. It also 
may be appropriate to consider a workable Federal requirement 
for notice to consumers when there has been a security breach 
that raises a significant risk of harm to consumers.
    Mr. Chairman, Members of the Committee, the FTC shares your 
concern for the security of consumer information, and we will 
continue to take steps within our authority to protect 
consumers. Thank you for the opportunity to discuss this vital 
topic, and I would be happy to respond to your questions.
    Chairman Shelby. Thank you, Madam Chairman.
    The Federal Trade Commission does a lot of work that is 
directed at helping individuals protect themselves from 
identity theft. Is that correct, Madam Chair?
    Ms. Majoras. That is correct.
    Chairman Shelby. Additionally, you also do a great deal to 
help individuals recover from the damage done--and this is a 
big thing--by identity thieves. You are clearly well aware in 
your position of the kind of damage that can be inflicted on 
the average American. We have heard horror stories here--you 
hear them every day, I am sure that have involved massive 
amounts of data involving thousands, even millions of people, 
recent cases. Could you provide us your views as to what kind 
of damage this kind of large-scale information theft can cause, 
just for the record?
    Ms. Majoras. The biggest injury, of course, is identity 
theft on potentially a massive scale when we have a substantial 
security breach. The majority of the incidents that we see 
involve the misuse of existing accounts, but a far more 
destructive practice is when an identity theft takes the 
personal information for a particular consumer, poses as that 
consumer, and opens new accounts. That is one of the most 
difficult problems for consumers to overcome when they are 
trying to get their financial and personal life back, quite 
frankly.
    Chairman Shelby. Isn't this one of the biggest robberies 
going on in the country today?
    Ms. Majoras. It is 9 to 10 million people a year, Mr. 
Chairman. That is 4.5 percent of our adult population.
    Chairman Shelby. And involving billions of dollars?
    Ms. Majoras. Involving billions of dollars, not only to 
consumers but also to businesses, and we estimate that per year 
about 300 million hours of time goes into dealing with identity 
theft in terms of consumers trying to get their identities back 
and businesses, of course, trying to work through what has 
happened, what fraud has occurred, and what can be done to fix 
it.
    Chairman Shelby. Our traditional bank robbers are petty 
thieves compared to the aggregate of this, are they not?
    Ms. Majoras. Some of them certainly are, Mr. Chairman, yes.
    Chairman Shelby. Could you give us several examples of the 
kinds of sensitive financial information that would be included 
in the credit report?
    Ms. Majoras. The most common type of information would be 
information about consumers' accounts and, in particular, 
credit card accounts. So information on a credit report would 
include the account number, the account balance, the consumer's 
credit history.
    Chairman Shelby. Real private things.
    Ms. Majoras. Very private.
    Chairman Shelby. Isn't this kind of information supposed to 
be covered by the protections of FCRA?
    Ms. Majoras. The FCRA does cover this type of information, 
depending on how the information is used.
    Chairman Shelby. Okay.
    Ms. Majoras. I think the easiest way to say it is to 
determine a consumer's eligibility for credit, for employment, 
for insurance purposes, then that information falls within the 
FCRA.
    Chairman Shelby. What kind of safeguards does the FCRA have 
to ensure that credit reporting agencies do not provide credit 
reports to anyone coming in off the street?
    Ms. Majoras. The FCRA requires that consumer reporting 
agencies and anyone else who falls within the statute to have 
in place reasonable procedures to ensure that those to whom 
they sell the information have a permissible purpose, that is, 
an appropriate business purpose, as I said most commonly 
determining a consumer's eligibility for credit, for 
employment, or insurance.
    This means under the FCRA that the CRA's must receive 
certification from those to whom they sell the information, and 
they also must make a reasonable effort to verify the user's 
identity and also that the user, in fact, does have a 
permissible purpose.
    Chairman Shelby. Ma'am, how many firms are there in the 
data brokerage industry? And how big is their information 
capacity? In other words, how much data on how many Americans 
are they dealing with?
    Ms. Majoras. I am afraid that is a tough one to answer, Mr. 
Chairman. We have not been able to find statistics on the 
number of data brokers there are. We know that there is a great 
variety, and, of course, it depends on how you define it.
    Chairman Shelby. If you do find out something approximately 
the number, can you furnish that for the record?
    Ms. Majoras. We would be pleased to present that for you, 
Chairman Shelby. I will say, however, that we know that 
individual data brokers, just like the CRA's, can have billions 
of pieces of data regarding consumers.
    Chairman Shelby. A treasure trove of all of the financial 
private information in a sense.
    Ms. Majoras. Yes, indeed.
    Chairman Shelby. Do you think that data brokers take steps 
to avoid becoming credit reporting agencies to avoid the FCRA 
requirements? And if so, how do they accomplish this?
    Ms. Majoras. Actually, what we have seen in the data 
brokerage industry is that some of the products they sell 
actually do fall within the FCRA and some of them do not. And 
it just depends on the type of products.
    Chairman Shelby. You have to look at the situation.
    Ms. Majoras. You have to look at each individual--and, 
again, because it is dependent not on the label you put on the 
type of company, it is dependent on the kind of information, 
that makes a difference.
    Chairman Shelby. Sure. Do you have any information about 
the manner in which the Gramm-Leach-Bliley information use 
restrictions flow with information? In other words, could you 
give us a little detail about where Gramm-Leach-Bliley use 
restrictions flow with information? Am I clear? In other words, 
these rules do not simply apply to financial institutions that 
have the relationship with the consumer. They apply downstream 
as well, do they not?
    Ms. Majoras. They absolutely do. Once a financial 
institution covered by GLB provides information to a 
nonaffiliated party, that party is then also subject to the 
security provisions.
    Chairman Shelby. Give us an example, if you could, a 
specific example. What kind of information is covered by Gramm-
Leach-Bliley?
    Ms. Majoras. Nonpublic personal information.
    Chairman Shelby. Okay.
    Ms. Majoras. Which the financial institutions are 
collecting so that they can provide financial services.
    Chairman Shelby. Proprietary information?
    Ms. Majoras. Yes, although it is defined very broadly, so 
it includes name, address, Social Security number, and account 
numbers.
    Chairman Shelby. Things about your family?
    Ms. Majoras. If they have it. Mother's maiden name is one 
that often is asked for.
    Chairman Shelby. Is this kind of information used very 
often by or is it very important to data brokers, all this 
stuff you are talking about?
    Ms. Majoras. It is important to data brokers generally, 
depending on what they are selling information for. It is the 
information that we understand data brokers do collect.
    Chairman Shelby. Do you know if there are any meaningful 
safeguards that the data information brokers have to jump 
through before they sell information?
    Ms. Majoras. It depends. Some of the information they 
provide may fall under the FCRA, and if that is the case, then 
they have to comply with that. If they were a financial 
institution or they were receiving information from a financial 
institution and they are a downstream reseller, then they would 
have some requirements under Gramm-Leach-Bliley. And, of 
course, we enforce Section 5 of the Federal Trade Commission 
Act, so we can look for deception and unfairness.
    Chairman Shelby. Is this the kind of information that is in 
these data banks that identity thieves would be interested in?
    Ms. Majoras. There really is not any question. They are 
interested in identities of individuals that perhaps they could 
pose as, and they are absolutely interested in account numbers.
    Chairman Shelby. Again you said earlier in, I believe, your 
opening statement, was it 40-something billion dollars a year 
loss to businesses, and then so much to consumers, too?
    Ms. Majoras. That is correct. So if we put our estimates 
for out-of-pocket losses to businesses and consumers together, 
it is well over $50 billion.
    Chairman Shelby. Senator Reed.

                 STATEMENT OF SENATOR JACK REED

    Senator Reed. Thank you very much, Mr. Chairman. Thank you, 
Chairman Majoras. This is a very important hearing. I am sure 
everyone has made that point quite clearly.
    Let me ask a question. We were talking about essentially 
domestic operations, but there is a growing trend to outsource 
these types of information searches and data manipulation 
overseas. Does that pose another additional problem to you?
    Ms. Majoras. Well, it may. There are some difficulties that 
we have generally with any kind of fraud over the Internet when 
it crosses more than one border, as more and more we are seeing 
in this Internet information age. And we have been working on 
legislation that would give us better tools to address cross-
border fraud, and some of this would absolutely fall into that 
category.
    Senator Reed. Last year, Senator Corzine in the 
reauthorization of the FCRA proposed an amendment that would 
require prompt notification of breaches. That amendment was 
dropped in the conference. Would this prompt notification be 
useful given the experience we have just witnessed in the last 
few weeks?
    Ms. Majoras. We think prompt notification when there is a 
significant risk to consumers is what makes the most sense. And 
the reason that we say that is that there are some security 
breaches that occur that really actually do not present harm to 
consumers. And there is a great cost to notifying consumers of 
every breach. One might have a hacker who is a teenager in 
someone's garage who enjoys seeing if he or she could hack into 
a database and might do it and then call and say, ``Ha, ha, I 
did this,'' but is not stealing information. And there are 
other, if you will, breaches on a smaller scale.
    If we try to inform consumers of every single breach, for 
one thing they are going to become numb to it. It will be very 
much, okay, all right, sure, I am at risk; and then they may 
not take the precautions which the FTC and others encourage 
them to take when there really has been a significant breach.
    So we think there has to be some--that the best course is 
to have some limitation on it so that companies must take 
reasonable steps when there is a significant risk.
    Senator Reed. Right now, there is no requirement in Federal 
legislation to make this notification; is that accurate?
    Ms. Majoras. Not quite. I know that the OCC--and I know 
that you will hear from one of their witnesses--has proposed 
guidance through their Gramm-Leach-Bliley implementation, which 
actually proposes a very similar requirement to the one I was 
just discussing, which is you would take some reasonable 
precautions when you think that consumers really are at risk.
    Senator Reed. You have alluded to legislation that you are 
working on with respect to international ramifications of 
technology and the Internet that is spreading across the globe 
and what you have just mentioned with respect to notification. 
Are there any other safeguards that you would urge us to 
consider with respect to problems like we have seen?
    Ms. Majoras. I think considering taking the FTC's 
Safeguards Rule, which we promulgated under Gramm-Leach-Bliley, 
and extending it more broadly so that the requirements that we 
have in the safeguards will go beyond just financial 
institutions that are covered by GLB but, in fact, would cover 
more companies, which would include the data brokers.
    The difficulty in passing too many statutes in which we try 
to limit it to particular labels that we can put on a company 
is that our commerce and our society, as we can see today, is 
changing so quickly that if we use something like the FTC 
Safeguards Rule, which requires companies to use reasonable 
precautions depending on type of company they are, the 
sensitivity of the data, the surrounding circumstances, is 
likely the best way to deal with this problem on a broader 
basis.
    Senator Reed. Thank you, Madam Chairman.
    Ms. Majoras. You are welcome.
    Chairman Shelby. Senator Dole.

              STATEMENT OF SENATOR ELIZABETH DOLE

    Senator Dole. Mr. Chairman, I ask unanimous consent that my 
statement go in the record, please.
    Chairman Shelby. Without objection, it is so ordered.
    Senator Dole. Madam Chairwoman, let me ask you about your 
testimony where you mention reasonable procedures to ensure 
that a credit reporting agency supply consumer reports only to 
those with an FCRA-sanctioned permissible purpose. Could you 
tell the Committee what the FTC considers to be a reasonable 
procedure?
    Ms. Majoras. Fortunately, the FCRA then goes a little 
beyond requiring reasonable procedures and then imposes some 
very specific requirements. So, for example, before companies 
subject to the FCRA release the type of information covered by 
that statute, they must get certification from the user that it 
will be used for a permissible purpose. And they also have to 
take reasonable steps to verify that.
    Now, those reasonable steps have included things like 
making on-site visits to companies to make sure that they are 
actually legitimate businesses who are using this information 
for legitimate purposes under the statute.
    Senator Dole. So this reasonable procedure standard would 
work well for consumers, and do you think in any way that 
Congress should consider strengthening it?
    Ms. Majoras. We think it is a reasonable standard for 
ensuring that consumer reports are provided only to those who 
have a permissible purpose, and the reason is it is flexible 
enough to apply to all types of businesses who have this 
sensitive information and so that it can be tailored according 
to the sensitivity of the information as well. So, yes, we 
actually think this would be a reasonable way to proceed.
    Senator Dole. Thank you, Mr. Chairman.
    Chairman Shelby. Thank you.
    Senator Schumer.

            STATEMENT OF SENATOR CHARLES E. SCHUMER

    Senator Schumer. Thank you, Mr. Chairman, and I appreciate 
very much your having this hearing, and I know your interest in 
this issue, which is mine as well, from being a Member of this 
Committee as well as the Judiciary Committee. And I look 
forward to working with you to help solve this kind of problem.
    Let me say, Mr. Chairman, that identity theft costs 
businesses millions of dollars each year because criminals use 
false pretenses to purchase goods, leaving businesses to foot 
the bill. Identity theft costs consumers and businesses an 
estimated $5 billion a year, and, in addition, the typical 
identity theft victim has to spend about 175 hours to clear up 
his or her credit report.
    Identity theft is skyrocketing. Every year it gets much 
worse and yet we are doing very little about it. Our laws are a 
patchwork quilt of State and Federal laws that, frankly, do not 
do the job. And if we do nothing, this is going to almost 
envelop crime-fighting in America. It is the crime of choice 
these days.
    What bank robbery was to the Depression Era, identity theft 
is to the Information Age.
    My point is that we in Congress need to learn the lessons 
of ChoicePoint, LexisNexis, Westlaw, and so many other 
companies, all of whom seem to feel that your personal 
information was their domain to do with whatever they chose. We 
need to replace the current patchwork of State and Federal laws 
with a real security blanket, one that protects privacy, keeps 
Social Security numbers private, and prevent fraud and identity 
theft.
    Right now, Mr. Chairman, there is no arm of the Federal 
Government that has clear jurisdiction over online and off-line 
identity theft. Companies seeking to obtain personal data from 
customers are subject to few, if any, limitations. I am utterly 
amazed at how companies allow anyone to get hold of this 
information and even let almost anyone work within them. You 
know, it is like not having background checks for people 
working at Fort Knox.
    And, finally, customers have no idea if or when a company 
might transfer personal data to a third party. Too many 
consumers are entrusting their information to companies for 
safekeeping, only to have it sold away for the highest dollar, 
often in the dark of night.
    We learned this even here in the Senate with Westlaw, where 
just about anyone on the Senate staff with no background check, 
interns or anybody else, could get 95 percent of all Americans' 
Social Security numbers. No questions asked. That was on our 
Senate server until we brought this to the public's attention, 
and now they have blocked out the last four numbers.
    Mr. Chairman, we have to do something about this. We have 
to stop malicious companies conning consumers out of their 
information with privacy policies that are impossible to 
understand. Often all of those lines of legalese mean only one 
thing. You get all these pages, and what they basically are 
saying is we will sell your personal information to whomever we 
want, whenever we want. And this has to stop.
    To plug these loopholes, I will be introducing 
comprehensive identity theft legislation in the near future 
which would, Mr. Chairman, create an Office of Identity Theft 
in the FTC to have jurisdiction over companies that lawfully 
acquire and keep personal consumer data. It will also create a 
Schumer box to be posted on any website that seeks to request 
personal information from a customer. In that box, companies 
would give a clear warning in simple language to consumers if 
they plan to sell their information. This is like the Schumer 
box that we successfully did for credit cards, and it helped 
bring down credit card interest rates. It was clear and simple 
and it was required to be published.
    And, finally, we are going to force companies to 
demonstrate a need for customers' personal information before 
requiring it from them, as well as making sure that those who 
handle the information are carefully screened. It is high time 
for Congress to fill the breach that hackers, thieves, and the 
Internet have combined to create, leaving consumers vulnerable 
and costing our economy billions. Again, I want to ask my 
friend from Alabama, the Chairman of this Committee, who has 
been a thoughtful and persistent advocate for privacy--I 
remember this from all the banking bills we worked on 
together--to work with us to create a bipartisan, comprehensive 
piece of legislation that will really get to the heart of the 
information epidemic.
    With that, I have a couple of questions for our witness. 
For years the FTC has built the expertise to address consumer 
issues in a variety of industry sectors. When Congress, for 
instance, enacted the Fair Credit Reporting Act, the FTC built 
on that expertise to examine abuses in the credit card 
industry.
    Beyond the dissemination of helpful hints, which is what 
you have done so far, does the FTC have sufficient jurisdiction 
to examine identity theft allegations?
    Ms. Majoras. Thank you, Senator Schumer. We have 
jurisdiction to examine some of them. Now, remember that 
identity theft itself is a crime, and the FTC does not have 
criminal jurisdiction. So that is number one.
    On the civil side, however, we have authority to enforce 
the FCRA when the information that is being provided is subject 
to that statute. We have some authority over some financial 
institutions who are subject to Gramm-Leach-Bliley. And, of 
course, we have Section 5 of the FTC Act, in which we can 
attack deceptive or unfair conduct and which we have done in 
the area of information security several times recently.
    Chairman Shelby. But DSW, the store, that has thousands of 
lines of personal data. Do you have jurisdiction over how they 
handle that data, whether they can sell it, what they do with 
it?
    Ms. Majoras. I have to be careful about talking about any 
particular company.
    Senator Schumer. Okay. Let us take a hypothetical shoe 
store that kept a lot of people's data.
    [Laughter.]
    Ms. Majoras. Thank you, Senator. Under Section 5 of the FTC 
Act, we can take a look at security measures that companies 
have in place, which we already have done in some cases, and--
--
    Senator Schumer. But isn't Section 5 a fraud provision?
    Ms. Majoras. It is.
    Senator Schumer. So let's say they attached--when you 
signed out to buy shoes at this hypothetical shoe store, there 
was something in small little language way at the back that 
said, hey, we can sell your information to whomever we want. 
They wouldn't be committing fraud. What would give you the 
jurisdiction?
    In other words, I think the jurisdiction has to go--
notification is important, but it goes beyond that in this 
modern world we are in.
    Ms. Majoras. Well, and I am not suggesting, Senator, that 
some other tools would not be useful, both in the area of 
security and in the area of notice, as I said in my testimony. 
But we do think--yes, it is true, the five cases we brought 
under the FTC Act so far have been instances in which companies 
have told consumers we are protecting your data and then they 
did not. So you are right. That was the deception we attacked.
    But, in addition, it might be possible, depending on the 
egregiousness and the circumstances, to use the Unfairness 
Doctrine to attack some of these practices.
    Senator Schumer. Right. Let us take--well, you do not want 
to talk about a specific case. Aren't there many instances 
where this hypothetical company would not really need the 
customer's Social Security number but would ask for the purpose 
of selling it?
    Ms. Majoras. Sometimes we have seen instances where out of 
habit, for example, Social Security numbers are requested when 
they are not needed. Now, sometimes they are needed. They are 
used for matching. They are used for matching so that the right 
consumer is matched with the right information.
    Senator Schumer. Got you. Okay. Are we making it too easy 
for companies to collect and disseminate this information in 
the first place? What is your judgment on that?
    Ms. Majoras. I am not sure how--are we making it too easy?
    Senator Schumer. Or is it too easy? Not are we making it. 
Is it too easy is a better way to ask the question.
    Ms. Majoras. Right. Data brokers, in particular, collect 
information from many sources, including many publicly 
available sources.
    Senator Schumer. Right.
    Ms. Majoras. And lots of public records information. They 
then do get nonpublic information as well. Now, why do they get 
it and why do they sell it? Because there is a market need for 
it.
    Senator Schumer. No question.
    Ms. Majoras. So that is why they do it. So it is easy for 
them to get it. I think that what we really should be looking 
at is how they secure the data and making sure they secure it, 
because there are a lot of beneficial uses to this information, 
Senator, things that consumers have come to count on.
    Senator Schumer. No one is saying that there should be no 
data held by anybody, and it is even a difficult question to 
say should you need the permission of the person. But we are 
the opposite. We are in the Wild, Wild West here where they can 
collect the information from legal and/or public and nonpublic 
sources. And they can use it in just about any way they choose. 
And we have seen just in the last month, almost every third day 
you see another major example of data theft, identity theft. So 
we clearly have to change the law. Don't you agree with that?
    Ms. Majoras. We think that we should look at a broader 
security standard that is not--as you say, we have a patchwork 
in the law today.
    Senator Schumer. Right.
    Ms. Majoras. And so it depends on how this information is 
used and what kind of company, whether it is a financial 
institution and so forth. And we think if you look at the 
approach we have taken under Gramm-Leach-Bliley at the FTC with 
our Safeguards Rule, where we require companies to have 
reasonable procedures--and what does that mean? It means you 
have to look at the sensitivity of the data. You have to look 
at what it is used for and develop security procedures that 
will protect the type of data that is being collected.
    Senator Schumer. Was ChoicePoint under your jurisdiction 
under Gramm-Leach-Bliley?
    Ms. Majoras. It depends on whether it is a financial 
institution.
    Senator Schumer. I understand.
    Ms. Majoras. And that is an issue we are looking at in the 
investigation.
    Senator Schumer. Well, haven't you then answered my 
question?
    Ms. Majoras. But also, as we understand it----
    Senator Schumer. Wait, wait. Madam Chairman, if you cannot 
answer yes or no succinctly whether ChoicePoint, one of the 
most major data collection companies in the country, is under 
your jurisdiction or not, don't you think we need to tighten 
this up?
    Ms. Majoras. I think they are potentially under three 
statutes, but because we are--as they have acknowledged 
publicly, because we are investigating them, I am just being 
ultra-cautious.
    Senator Schumer. But that is a different question as to 
what the investigation reveals about what they did. 
Jurisdiction is a separate issue. Isn't the law kind of vague? 
I mean, in certain places under Gramm-Leach-Bliley, it is 
clear. A bank.
    Ms. Majoras. Right. That is right.
    Senator Schumer. With many of these others, it is not clear 
at all. And my guess is, if the company is this hypothetical 
shoe company, you do not have jurisdiction unless fraud comes 
to your attention right away. But you would not have 
jurisdiction barring fraud to set standards right now. Is that 
correct?
    Ms. Majoras. We think it is broader than that under Section 
5, Senator. But I absolutely agree with you that this is a 
complicated maze and that there is not one place to go to say 
yes, this practice, whether it is by ChoicePoint or anyone 
else, unless, as you say, it is bank, is absolutely subject to 
this statute. We are piecing together three statutes----
    Senator Schumer. Right. So, therefore, we need some 
changes, correct?
    Ms. Majoras. Security and notice, yes.
    Senator Schumer. Yes, okay. Let us see.
    Let me ask you this: Would it help consumers if companies 
were required to notify their customers before transferring 
their data to a third party? I did not specify the type of 
notification. It could be specific--we are giving this data to 
whom, or it could be in general--be careful, your data could be 
disseminated. Would that be a good idea, bad idea, neutral, in 
your opinion?
    Ms. Majoras. It all depends on the database. There are some 
databases that are used to go after people who have committed 
fraud. And, of course, we would not want to tell them in 
advance we are looking at you, or personal information to try 
to find you because you have victimized other consumers.
    Senator Schumer. Let us say I sign up for a loan at the 
bank. Would it not be a good idea to tell somebody, to tell me 
this information you are giving us might be disseminated to 
other people; we even might sell it.
    Ms. Majoras. Yes. And for a bank, we have that under Gramm-
Leach-Bliley and we have an opt-out provision.
    Senator Schumer. Right. Exactly. And what if it is a 
nonbank that sells a good? Why would we not want to do that to 
them? It is a nonfinancial institution.
    Ms. Majoras. Again, it just depends on what they are using 
the information for.
    Senator Schumer. It is a hypothetical shoe company.
    Ms. Majoras. Well, it is a hypothetical shoe company who is 
going to sell what kind of information?
    Senator Schumer. Well, you know----
    Ms. Majoras. I mean, most certainly, Senator, if they were 
going to sell credit card information, then by all means.
    Senator Schumer. Okay, good. I was not referring to shoe 
size. I do not know: Give me a list of all the Size 8-D's in 
Kansas. I was not quite thinking of that.
    Ms. Majoras. Well, sometimes marketing information is what 
we are talking about.
    Senator Schumer. Okay. So in general, notification would be 
a good idea, except there would have to be outlier situations, 
fraud and things like that. General notification.
    Ms. Majoras. I think there are a number of situations in 
which notification might not be the best course.
    Senator Schumer. Okay. I do not want to ask you about the 
ChoicePoint. That is not really your jurisdiction, right, the 
ChoicePoint executive officers? This is more SEC, from what 
they did. Or are you looking into that as well?
    Ms. Majoras. We are investigating ChoicePoint.
    Senator Schumer. No, that I know. Okay.
    I think I am finished with my questions, Mr. Chairman.
    Chairman Shelby. Thank you, Senator Schumer.
    Madam Chairman, we look forward to working with you. We 
appreciate your appearance here today. There are some things 
that we might work together to tighten up in this area, and we 
will be awaiting your investigation.
    Ms. Majoras. Thank you very much, Mr. Chairman. Thank you, 
Senator Schumer.
    Chairman Shelby. Our third panel consists of Mr. Larry 
Johnson, Special Agent in Charge, Criminal Investigative 
Division, U.S. Secret Service; Ms. Amy Friend, Assistant Chief 
Counsel, Office of the Comptroller of the Currency.
    If you two would come to the table. Both of your written 
testimony will be made part of the record in its entirety.
    Mr. Johnson, we will start with you. Welcome to the 
Committee.

      STATEMENT OF LARRY JOHNSON, SPECIAL AGENT IN CHARGE

      CRIMINAL INVESTIGATIVE DIVISION, U.S. SECRET SERVICE

    Mr. Johnson. Thank you, Mr. Chairman, and Members of the 
Committee.
    In addition to providing the highest level of physical 
protection to our Nation's leaders, the Secret Service 
exercises broad investigative jurisdiction over a wide variety 
of financial crimes. As the original guardian of our Nation's 
financial payment systems, the Secret Service has a long 
history of protecting American customers and industry from 
financial fraud. With the passage of the new Federal laws in 
1984, the Secret Service was provided primary authority for the 
investigation of access-device fraud, including credit card and 
debit card fraud, and parallel authority with other law 
enforcement agencies in identity crime cases.
    In recent years, the combination of the information 
revolution, the effects of globalization, and the rise of 
international terrorism have caused the investigative mission 
of the Secret Service to evolve dramatically. The explosive 
growth of these crimes has resulted in the evolution of the 
Secret Service into an agency that is recognized worldwide for 
its expertise in the investigation of all times of financial 
crimes. Our efforts to detect, investigate, and prevent 
financial crimes are aggressive, innovative, and comprehensive.
    The expanding use of the Internet and the advances in 
technology, coupled with increased investment and expansion, 
has intensified competition within the financial sector. With 
the lower costs of information processing, legitimate companies 
have found it profitable to specialize in data mining, data 
warehousing, and information brokerage. Information collection 
has become a common by-product of the new, emerging e-commerce. 
Internet purchases, credit card sales, and other forms of 
electronic transactions are being captured, stored, and 
analyzed by businesses seeking to find the best customers for 
their products.
    This has led to a new measure of growth within the direct 
marketing industry that promotes the buying and selling of 
personal information. In today's market, consumers routinely 
provide personal and financial identifiers to companies engaged 
in business on the Internet. They may not realize that that 
information provided in credit card applications, loan 
applications, or with merchants they patronize are valuable 
commodities in this new age of information trading. Customers 
may even be less aware of the legitimate uses to which this 
information can be utilized.
    This wealth of available personal information creates a 
target-rich environment for today's sophisticated criminals, 
many of whom are organized and operate across international 
borders. But legitimate businesses can provide a first line of 
defense against identity crime by safeguarding the information 
it collects. Such efforts can significantly limit the 
opportunities for identity crime, even while not eliminating 
its occurrence altogether.
    The methods of identity theft utilized by criminals vary. 
Low-tech identity criminals obtain personal and financial 
identifiers by going through commercial and residential trash, 
a practice known by the Secret Service as ``dumpster diving.'' 
The theft of wallets, purses, and mail is also a widespread 
practice employed by both individuals and organized groups. 
With the proliferation of computers and increased use of the 
Internet, high-tech identity criminals began to obtain 
information from company databases and websites. In some cases, 
the information obtained is in the public domain, while in 
others it is proprietary and is obtained by means of computer 
intrusion or by means of deception, such as phishing, Web-
spoofing, or even social engineering.
    The method that may be most difficult to prevent is theft 
by a collusive employee. Individuals or groups who wish to 
obtain personal or financial identifiers for a large-scale 
fraud ring will often pay or extort an employee who has access 
to this information through their employment at workplaces such 
as billing centers, financial institutions, medical offices, or 
Government agencies. Once the criminal has obtained the 
proprietary information, it can be exploited by creating false 
breeder documents, such as birth certificates or Social 
Security cards. These documents are then used to obtain genuine 
false identification such as driver's licenses and passports. 
Now the criminal is ready to use the illegally obtained 
personal information to apply for credit cards, consumer loans, 
or establish bank accounts, leading to the laundering of stolen 
or counterfeit checks or to conduct a check-kiting scheme.
    I would like to talk a little bit, Mr. Chairman, about 
agency coordination. It has been the Secret Service's 
experience that the criminal groups involved in these types of 
crimes routinely operate in a multijurisdictional environment. 
This has created problems for law enforcement agencies that 
generally act as first responders to criminal activities. By 
working closely with other Federal, State, and local law 
enforcement, as well as international police agencies, we are 
able to provide a comprehensive network of intelligence 
sharing, resource sharing, and technical expertise that bridges 
jurisdictional boundaries.
    This partnership approach to law enforcement is exemplified 
by our financial and electronic crimes task forces located 
throughout the country. These task forces primarily target 
suspects and organized criminal enterprises engaged in 
financial and electronic criminal activity that fall within the 
investigative jurisdiction of the Secret Service. The members 
of these task forces, who include representatives from State 
and local law enforcement, prosecutors offices, private 
industry, and academia, pool their resources and expertise into 
a collaborative effort to detect and prevent electronic crimes. 
The value of this crime-fighting and crime-prevention model has 
been recognized by Congress, which authorizes Secret Service 
pursuant to the USA PATRIOT Act of 2001 to expand our 
electronic crimes task forces to cities and regions throughout 
the country.
    Finally, the best example of agency cooperation came in 
October 2004, when the Secret Service arrested 30 individuals 
across the United States and abroad for credit card fraud, 
identity theft, computer fraud, and conspiracy. These suspects 
were part of a multicount indictment out of the District of New 
Jersey and were involved in a transnational cyber-organized 
crime underground network that spanned around the world. In 
addition to the 30 arrests, 28 search warrants were served 
simultaneously across the United States. Internationally, 13 
search warrants were served in 11 different countries in 
conjunction with the Secret Service-led investigation.
    This case began in July 2003, when the Secret Service 
initiated an investigation involving global credit card fraud 
and identity fraud. Although the catalyst for the crime came 
from a more traditional crime of access-device fraud, the case 
evolved into a very technical transnational investigation. Much 
of the aforementioned criminal activity primarily occurred over 
the Internet. After the initial acts of fraud, suspects would 
exchange contraband, for example, counterfeit credit cards, 
counterfeit driver's licenses, et cetera. This case, entitled 
Operation Firewall, developed into a multilateral effort 
involving 18 Secret Service domestic offices and 11 foreign 
countries. As the lead investigative office, the Secret Service 
Newark Field Office conducted a complex undercover operation 
involving the first-ever wiretap of a computer network.
    Mr. Chairman, that concludes my oral comments.
    Chairman Shelby. Thank you.
    Ms. Friend.

      STATEMENT OF AMY S. FRIEND, ASSISTANT CHIEF COUNSEL,

           OFFICE OF THE COMPTROLLER OF THE CURRENCY

    Ms. Friend. Thank you, Mr. Chairman.
    The OCC appreciates the opportunity to testify about a 
subject that is essential to the integrity of the relationship 
between a bank and its customers--a bank's ability and legal 
obligation to safeguard customer information. We commend the 
Committee's leadership in addressing this important subject.
    It is a matter of primary importance to the OCC, as it is 
to the Committee, that national banks have adequate procedures 
in place to safeguard customer information. Safeguarding 
customer information is critical to protecting consumers and 
maintaining the safe and sound operations of a bank. For that 
reason, information security has been a part of our overall 
exam process for years.
    More recently, the OCC has been examining for and enforcing 
compliance with the information security guidelines that we 
issued under the Gramm-Leach-Bliley Act. Section 501 states 
that each financial institution has an affirmative and 
continuing obligation to protect the security and 
confidentiality of customer information. It further directs 
Federal regulators to establish standards for financial 
institutions relating to the administrative, technical, and 
physical safeguards of customer information.
    To carry out this broad mandate, the Federal banking 
agencies issued enforceable guidelines in 2001 that require 
each bank to have a comprehensive written information security 
program. Under the guidelines, a bank must first assess the 
risks both to its customer information and to any methods that 
the bank uses to access, collect, store, use, transmit, 
protect, or dispose of its customer information. The bank must 
then design its information security program to control these 
risks.
    A bank's information security program must not be static. 
Banks must continuously test their programs and adjust them to 
address new threats to customer information, changes in 
technology, and new business arrangements.
    OCC examiners review national banks' information security 
programs. Typically, an examiner will assess the overall 
adequacy of a bank's security program, as well as specific 
components of that program. An examiner will consider whether 
the bank has sufficiently identified the risks to its customer 
information and then implemented an effective program to manage 
and control those risks.
    But from time to time, things can go wrong, and customer 
information may be compromised even though a bank has an 
information security program in place. Where the OCC finds that 
a bank or its employees or a bank's service provider is at 
fault, the OCC can bring an enforcement action. The OCC, in 
fact, has taken a number of enforcement actions to enforce 
compliance with the security guidelines. We have required banks 
to improve their systems and controls and to notify their 
customers where warranted.
    We believe that a key element of a bank's duty to protect 
customer information against unauthorized access and use is 
appropriate notification to customers of security breaches that 
would compromise their confidential information. Armed with 
notice, bank customers may take steps to protect their 
information from misuse, such as by placing fraud alerts on 
their credit reports.
    The information security guidelines, however, do not 
specifically require banks to notify their customers about 
security breaches. Therefore, in 2003, the OCC and the other 
Federal banking agencies took the initiative to propose 
guidance to address this. I am pleased to inform the Committee 
that, after considering numerous public comments on this 
proposal, the agencies have just reached an agreement on this 
guidance. The OCC signed off on the final guidance earlier this 
week, and the other agencies are currently in the midst of 
their individual agency approval processes. Once this guidance 
becomes final, we expect immediate compliance.
    The OCC will consider a bank's failure to follow the final 
guidance as a violation of the underlying security guidelines. 
We have a number of remedies at our disposal, including the 
ability to compel a bank to provide notice to customers about a 
security breach involving their personal information.
    Mr. Chairman, the Gramm-Leach-Bliley Act gave the 
regulators the direction and important authority to establish 
information security standards for use by the institutions we 
regulate. The OCC has found this authority to be well-suited to 
address the evolving information security challenges that we 
face. We are committed to using this authority to assure that 
national banks have adequate procedures in place to safeguard 
their customers' information.
    Thank you, and I am pleased to answer any questions.
    Chairman Shelby. Thank you.
    Special Agent Johnson, what trends are you seeing, from 
your perspective, with respect to the level of the 
sophistication of the identity thieves? Specifically, do the 
recent incidents reveal that they are now systematically 
targeting major data sources--banks and so forth? Can you speak 
to that?
    Mr. Johnson. Yes, Mr. Chairman. We are seeing, like my oral 
testimony, 5 to 6 years ago we saw more low-tech identity theft 
type of crimes, which evolved into a little more technical with 
skimming--waiters in restaurants taking your credit card and 
swiping it through a skimmer which downloads that information 
and is used. So it is individual. We are now seeing much more 
intrusions into financial institutions, data brokerages, where 
thousands and thousands of either credit card access devices 
are stolen or personal identifiers. And then it is sold on the 
Internet at some of these websites that pop up daily.
    We see other developments into key loggers, keystroke 
loggers, that are able to record information by keystroke, or 
even key logger situations on telephones that can download 
telephone information.
    Chairman Shelby. Sophisticated.
    Mr. Johnson. Yes, sir.
    Chairman Shelby. How adaptive are these kinds of criminals? 
Do they probe for vulnerabilities everywhere?
    Mr. Johnson. Yes, Mr. Chairman. Also, 5 to 10 years ago 
most hackers saw intruding into a financial institution as a 
challenge, without criminal intent. Now, with the success of 
selling this information and gaining monetary means, they have 
profited, so it has evolved into----
    Chairman Shelby. They see gold there, don't they?
    Mr. Johnson. Yes, sir.
    Chairman Shelby. Okay. What would be your best guess, if 
you had a guess, as to who their next target might be, these 
sophisticated criminals? Anything dealing with electronics, 
anything----
    Mr. Johnson. What I can comment on is that the Secret 
Service, we have analysts, we have agents that, we are looking 
for that next trend.
    Chairman Shelby. Anticipation.
    Mr. Johnson. Exactly.
    Chairman Shelby. And you keep that inside of you. Thank 
you.
    Ms. Friend, what can a national bank do to protect itself 
from large amounts of personally identifiable data that are 
compromised at another source?
    Ms. Friend. Are you talking about a situation where a 
service provider has bank customer information?
    Chairman Shelby. Yes.
    Ms. Friend. Under our security guidelines, banks are 
required to oversee the arrangements that they have with 
service providers. There are several aspects to that. Banks 
have to use due diligence in selecting a service provider. 
Banks, by contract, have to require their service providers to 
have safeguards in place to protect bank customer information. 
And, if banks determine that their service providers present an 
undue risk to them, they have to actively monitor those service 
providers.
    Chairman Shelby. I appreciate both of you appearing here, 
and we will continue to work this.
    I have just been informed that we are going to have a 
series of seven votes beginning in the next few minutes in the 
Senate. In light of this, I am going to recess--this will take 
two or three hours--I am going to recess the hearing and ask 
that the last panel, who have come from far away, probably, 
here--and I recognize the inconvenience, but there is not 
anything we can do about it--that we get with you and 
reschedule. Not you, Ms. Friend and Mr. Johnson, but the 
others, the last panel here, ChoicePoint Services, Mr. McGuffy; 
Evan Hendricks, Editor and Publisher of Privacy Times; and Ms. 
Barbara Desoer, Executive Vice President, Global Technology, 
and Service and Fulfillment Executive, Bank of America, that 
they reappear before the Committee next week. We hate to do 
this, but we have no choice. This issue is too big and too 
important not to have you come back.
    But Mr. Johnson and Ms. Friend, we thank you for your 
appearance here.
    The hearing is adjorned.
    [Whereupon, at 4:24 p.m., the hearing was adjourned.]
    [Prepared statements supplied for the record follow:]

              PREPARED STATEMENT OF SENATOR JON S. CORZINE

    Mr. Chairman, I want to thank you for holding this hearing on 
identity theft and issues related to the security of sensitive consumer 
information.
    Your response to this emerging problem and the request for a 
hearing submitted last week by Senators Schumer, Stabenow, Reed, and 
myself are reflective of the strong leadership both you and Ranking 
Member Sarbanes have displayed in response to this growing and 
dangerous weakness in our society.
    The importance of this, as we all have heard, has been underscored 
recently with news of the information breach of a unit of LexisNexis, 
the scandal at data broker ChoicePoint, and the loss by Bank of America 
of sensitive information on over one-million individuals, among them 
Members of the U.S. Senate--including some Members of this panel.
    These alarming instances are a stark reminder of just how 
vulnerable consumers, and each of us, are to having our personal 
information fall into the wrong hands--hand of thieves. Personal 
information such as our Social Security numbers, drivers license and 
auto registration numbers, credit histories, and credit card numbers.
    But as equally as alarming as the brashness of identity thieves is 
the notion that there are likely other instances of large-scale 
identity theft that have never been disclosed to the public.
    Mr. Chairman, identity theft is on the rise and is now our Nation's 
fastest growing consumer crime. According to the Federal Trade 
Commission, nearly 10 million Americans were the victims of identity 
theft in 2003, three times the number of victims just 3 years earlier. 
Research shows that there are little more than 13 identity thefts every 
minute.
    It is a crime that harms our economy in the form of lost 
productivity and capital. Aggregate estimates of the costs of identity 
theft are hard to quantify--a problem in itself. According to the 
Identity Theft Resource Center, identity theft victims spend on average 
nearly 600 hours recovering from the crime. Additional research 
indicates the costs of lost wages and income as a result of the crime 
can soar as high as $16,000 per incident.
    Technological innovation has brought about a data revolution that 
most consumers have benefited from through efficiency, expanding 
access, product marketing, and lowered costs. And it is spurred the 
creation on an entire industry of data collectors and brokers who 
profit from the packaging and commoditization of one's personal and 
financial information.
    But regrettably, this technology has also provided identity thieves 
with an attractive target, and relative anonymity, with which to ply 
their sinister trade.
    So what can we do to?
    Well for starters Mr. Chairman, Congress must recognize the 
severity of this problem and stop trying to address identity theft in a 
piecemeal fashion or ignore its reality.
    It is ironic that we are holding this hearing today--the same day 
that the full Senate is likely to pass a Bankruptcy bill intended to 
protect credit card companies and other financial entities from 
consumers--but we have yet to act on comprehensive legislation aimed at 
protecting consumers from having their personal and financial 
information lost or stolen from those very same credit card companies 
and financial institutions.
    Next week, I plan to introduce the Identity Theft Prevention and 
Victim Notification and Assistance Act. The bill takes a comprehensive 
approach to the problem of identity theft--better oversight, strong 
standards aimed at preventing identity theft, victim notification and 
assistance, and tough enforcement by Federal regulators.
    The legislation improves oversight by establishing the Federal 
Trade Commission as the primary regulator of nonfinancial third party 
data collectors. It also authorizes the FTC to write rules requiring 
firms to ensure the accuracy, security, and integrity of sensitive 
personal information, and to consider applying the security and 
personal information safeguard provisions of the Gramm-Leach-Bliley and 
Fair Credit Reporting Acts to these entities.
    The bill would enhance identity theft prevention by requiring all 
companies that maintain sensitive personal information to establish 
security systems that safeguard that information. The safeguards would 
have to be in compliance with minimum standards established by Federal 
regulators, and the company's chief compliance office, or CEO, would 
have to personally attest to the fact that those safeguards are in 
place and being monitored on an ongoing basis.
    The legislation would also help identity theft victims protect 
themselves--by requiring companies to immediately notify affected 
customers, Federal regulators, credit reporting agencies, and law 
enforcement when the breach or loss of sensitive customer information 
has occurred in a manner that could lead to identity theft. This should 
not be voluntary on the part of the data broker, bank, or credit card 
company.
    Mr. Chairman, this measure is similar to an amendment I offered 
during the Committee's consideration of the Fair Credit Reporting Act 
reauthorization bill over a year ago. The provision was dropped due to 
opposition from the financial services industry and some regulators--
including the Office of the Comptroller of the Currency (OCC), which is 
among the witnesses testifying before us. I hope the reality and 
severity of the identity theft issue has moved these bodies to a 
changed view.
    Mr. Chairman, notification is vital, because as many as 85 percent 
of all identity theft victims find out about the crime only when they 
are denied credit or employment, contacted by the police, or have to 
deal with collection agencies, credit cards, and bills.
    I would point out that the only reason the ChoicePoint scandal 
became public was the fact that the company was required to notify the 
public under California law, the only breach notification law of its 
type in the Nation.
    Finally, the legislation includes tough enforcement measures and 
will allow civil action to be taken by individuals, and State AG's, for 
violations of this Act that result in identity theft.
    I urge my colleagues to support this vitally needed legislation.
    In closing Mr. Chairman, I want to again thank you for your 
leadership on this important issue. I thank you for holding this 
hearing and I welcome all of our witnesses.

                               ----------

              PREPARED STATEMENT OF SENATOR ELIZABETH DOLE

    Identity theft is often cited as the fastest growing crime in the 
Nation. According to Federal Trade Commission estimates, approximately 
10 million Americans are victimized by identity thieves every year at a 
cost of an astonishing $50 billion. And this number is a conservative 
estimate. Precise statistics are not available to properly gauge the 
full extent of the problem, since some 40 percent of identity theft 
cases are believed to involve friends or family members and are never 
reported.
    Today, we will examine two recent incidents in which the sensitive 
personal information of Americans may have been compromised. The first 
involves ChoicePoint, a company that provides credit information to 
businesses. A ring of Nigerian identity thieves posing as a collection 
agency fraudulently obtained sensitive personal information from 
ChoicePoint. The second incident involves Bank of America's data tapes 
that were lost while in transit to a backup storage facility.
    We in this Committee and in the Senate as a whole are justifiably 
concerned about how these situations will be resolved. In the near-
term, I applaud Bank of America for their efforts to promptly inform 
authorities and concerned customers of the missing backup tapes. I am 
relieved to learn that, according to representatives of the bank, there 
have been no reports of fraud on any of the accounts in question in the 
2 months since the loss of these tapes.
    Fighting fraud and protecting the security of personal information 
is a concern that unites financial institutions and consumers. Each 
group is harmed by the fraudulent use of personal information. 
Financial institutions are usually liable for any losses suffered as a 
result of the fraud, and their customers may be less willing to utilize 
their services for fear of fraud. Consumers are harmed by the 
insecurity, inconvenience, and loss resulting from fraud. Consumers 
also suffer from the fact that at least a portion of financial 
institutions' fraud losses can be expected to be passed on to consumers 
in the form of higher prices. There can be no doubt that when fraud is 
committed, every law-abiding citizen loses.
    I am proud of the work that this Committee undertook in 2003 when 
we designed and approved the so-called ``FACT Act,'' which gave 
consumers powerful new tools to detect and prevent identity theft. By 
ensuring access to free yearly credit reports, allowing consumers to 
place ``fraud alerts'' on their credit reports, and placing meaningful 
new obligations on financial institutions to prevent identity theft, 
this Committee made significant strides toward closing the loopholes 
that identity thieves 
exploit. I am confident that we will continue to close these loopholes 
until identity theft is no longer a growth industry for criminals.
    I would like to thank our witnesses for taking the time to join us 
here today to discuss these issues. And I would like to thank the 
Chairman for the attention he is giving to resolving issues of such 
importance to all Americans.




                  PREPARED STATEMENT OF LARRY JOHNSON

        Special Agent in Charge, Criminal Investigative Division
                          U.S. Secret Service
                             March 10, 2005

    Good afternoon, Chairman Shelby. I would like to thank you, as well 
as the distinguished Ranking Member, Senator Sarbanes, and the other 
Members of the Committee for providing an opportunity to discuss the 
subject of information security, and the role of the Secret Service in 
safeguarding our financial and critical infrastructures.
Background
    In addition to providing the highest level of physical protection 
to our Nation's leaders, the Secret Service exercises broad 
investigative jurisdiction over a wide variety of financial crimes. As 
the original guardian of our Nation's financial payment systems, the 
Secret Service has a long history of protecting American consumers and 
industry from financial fraud. With the passage of new Federal laws in 
1982 and 1984, the Secret Service was provided primary authority for 
the investigation of access device fraud, including credit and debit 
card fraud, and parallel authority with other law enforcement agencies 
in identity crime cases. In recent years, the combination of the 
information revolution, the effects of globalization and the rise of 
international terrorism have caused the investigative mission of the 
Secret Service to evolve dramatically. The explosive growth of these 
crimes has resulted in the evolution of the Secret Service into an 
agency that is recognized worldwide for its expertise in the 
investigation of all types of financial crimes. Our efforts to detect, 
investigate, and prevent financial crimes are aggressive, innovative, 
and comprehensive.
    After 138 years in the Department of the Treasury, the Secret 
Service transferred to the Department of Homeland Security (DHS) in 
2003 with all of our personnel, resources, and investigative 
jurisdictions and responsibilities. Today, those jurisdictions and 
responsibilities require us to be involved in the investigation of 
traditional financial crimes as well as identity crimes and a wide 
range of electronic and high-tech crimes.
    The expanding use of the Internet and the advancements in 
technology, coupled with increased investment and expansion, has 
intensified competition within the financial sector. With lower costs 
of information-processing, legitimate companies have found it 
profitable to specialize in data mining, data warehousing, and 
information brokerage. Information collection has become a common by-
product of newly emerging e-commerce. Internet purchases, credit card 
sales, and other forms of electronic transactions are being captured, 
stored, and analyzed by businesses seeking to find the best customers 
for their products. This has led to a new measure of growth within the 
direct marketing industry that promotes the buying and selling of 
personal information. In today's markets, consumers routinely provide 
personal and financial identifiers to companies engaged in business on 
the Internet. They may not realize that the information they provide in 
credit card applications, loan applications, or with merchants they 
patronize is a valuable commodity in this new age of information 
trading. Consumers may be even less aware of the illegitimate uses to 
which this information can be put. This wealth of available personal 
information creates a target-rich environment for today's sophisticated 
criminals, many of whom are organized and operate across international 
borders.
    Legitimate business can provide a first line of defense against 
identity crime by safeguarding the information it collects and such 
efforts can significantly limit the opportunities for identity crime.
    The methods of identity theft utilized by criminals vary. ``Low 
tech'' identity criminals obtain personal and financial identifiers by 
going through commercial and residential trash, a practice known as 
``dumpster diving.'' The theft of wallets, purses, and mail is also a 
widespread practice employed by both individuals and organized groups.
    With the proliferation of computers and increased use of the 
Internet, ``high-tech'' identity criminals began to obtain information 
from company databases and websites. In some cases, the information 
obtained is in the public domain, while in others it is proprietary and 
is obtained by means of a computer intrusion or by means of deception 
such as ``web-spoofing'' or ``phishing.''
    The method that may be most difficult to prevent is theft by a 
collusive employee. Individuals or groups who wish to obtain personal 
or financial identifiers for a large-scale fraud ring will often pay or 
extort an employee who has access to this information through their 
employment at workplaces such as a utility billing center, financial 
institution, medical office, or Government agency. The collusive 
employee will access the proprietary database, copy or download the 
information, and remove it from the workplace either electronically or 
simply by walking it out.
    Once the criminal has obtained the proprietary information, it can 
be exploited by creating false ``breeder documents'' such as a birth 
certificate or Social Security card. These documents are then used to 
obtain genuine, albeit false, identification such as a driver's license 
and passport. Now the criminal is ready to use the illegally obtained 
personal identification to apply for credit cards or consumer loans or 
to establish bank accounts, leading to the laundering of stolen or 
counterfeit checks or to a check-kiting scheme. Our own investigations 
have frequently involved the targeting of organized criminal groups 
that are engaged in financial crimes on both a national and 
international scale. Many of these groups are prolific in their use of 
stolen financial and personal identifiers to further their other 
criminal activity.
Agency Coordination
    It has been our experience that the criminal groups involved in 
these types of crimes routinely operate in a multijurisdictional 
environment. This has created problems for local law enforcement 
agencies that generally act as the first responders to their criminal 
activities. By working closely with other Federal, State, and local law 
enforcement, as well as international police agencies, we are able to 
provide a comprehensive network of intelligence sharing, resource 
sharing, and technical expertise that bridges jurisdictional 
boundaries. This partnership approach to law enforcement is exemplified 
by our financial and electronic crime task forces located throughout 
the country. These task forces primarily target suspects and organized 
criminal enterprises engaged in financial and electronic criminal 
activity that fall within the investigative jurisdiction of the Secret 
Service.
    Members of these task forces, including representatives from local 
and State law enforcement, prosecutors' offices, private industry, and 
academia, pool their resources and expertise in a collaborative effort 
to detect and prevent electronic crimes. The value of this crime 
fighting and crime prevention model has been recognized by Congress, 
which authorized the Secret Service (pursuant to the USA PATRIOT Act of 
2001) to expand our Electronic Crime Task Forces (ECTF) initiative to 
cities and regions across the country. Additional ECTF's have been 
added in the last 2 years in Dallas, Houston, Columbia (SC), Cleveland, 
Atlanta, and Philadelphia, bringing the total number of such task 
forces to 15.
    The Secret Service ECTF program bridges the gap between 
conventional cyber-crimes investigations and the larger picture of 
critical infrastructure protection. 
Secret Service efforts to combat cyber-based assaults that target 
information and communications systems supporting the financial sector 
are part of the larger and more comprehensive critical infrastructure 
protection and counterterrorism strategy.
    As part of DHS, the Secret Service continues to be involved in a 
collaborative effort targeted at analyzing the potential for financial, 
identity, and electronic crimes to be used in conjunction with 
terrorist activities. The Secret Service takes great pride in its 
investigative and preventive philosophy, which fully involves our 
partners in the private sector and academia and our colleagues at all 
levels of law enforcement, in combating the myriad types of financial 
and electronic crimes. Central to our efforts in this arena are our 
liaison and information exchange relationships with the U.S. 
Immigration and Customs Enforcement (ICE), the Department of the 
Treasury, the Department of State, the Federal Bureau of Investigation 
and our Joint Terrorist Task Force participation.
    The Secret Service is actively involved with a number of 
Government-sponsored initiatives. At the request of the Attorney 
General, the Secret Service joined an interagency identity theft 
subcommittee that was established by the Department of Justice (DOJ). 
This group, which is comprised of Federal, State, and local law 
enforcement agencies, regulatory agencies, and professional 
organizations, meets regularly to discuss and coordinate investigative 
and prosecutorial strategies as well as consumer education programs.
    In a joint effort with DOJ, the U.S. Postal Inspection Service, the 
Federal Trade Commission, the International Association of Chiefs of 
Police, and the American Association of Motor Vehicle Administrators, 
we are hosting Identity Crime Training Seminars for law enforcement 
officers. In the last 2 years, we have held seminars in 18 cities 
nationwide including Denver, Colorado; Raleigh, North Carolina; 
Orlando, Florida; Rochester, New York; and Santa Fe, New Mexico. 
Identity Crime seminars scheduled for the upcoming months include 
Boise, Idaho; Providence, Rhode Island; and Baltimore, Maryland. These 
training seminars are focused on providing local and State law 
enforcement officers with tools and resources that they can immediately 
put to use in their investigations of identity crime. Additionally, 
officers are provided resources that they can pass on to members of 
their community who are victims of identity crime.
    It is through our work in the areas of financial and electronic 
crime that we have developed particular expertise in the investigation 
of credit card fraud, identity theft, check fraud, cyber crime, false 
identification fraud, computer intrusions, bank fraud, and 
telecommunications fraud. Secret Service investigations typically focus 
on organized criminal groups, both domestic and transnational. As 
Secret Service investigations uncover activities of individuals or 
groups focusing on doing harm to the United States, appropriate contact 
is immediately made and information is passed to those agencies whose 
primary mission is counterterrorism.
    Finally, the best example of interagency and multijurisdictional 
cooperation came on October 24, 2004, when the Secret Service arrested 
30 individuals across the United States and abroad for credit card 
fraud, identity theft, computer fraud, and conspiracy. These suspects 
were part of a multicount indictment out of the District of New Jersey 
and were involved in a transnational cyber ``organized crime'' 
underground network that spanned around the world. In addition to the 
30 arrests, 28 search warrants were served simultaneously across the 
United States. Internationally, 13 search warrants were served in 11 
different countries in conjunction with this Secret Service-led 
investigation. Central to the success of this operation was the 
cooperation and assistance the Secret Service received from local, 
State, and other Federal law enforcement agencies as well as our 
foreign law enforcement partners and Europol.
    This case began in July 2003, when the Secret Service initiated an 
investigation involving global credit card fraud and identity fraud. 
Although the catalyst for the case came from a more ``traditional'' 
crime of access device fraud, the case evolved into a very technical, 
transnational investigation. The aforementioned criminal activity 
primarily occurred over the Internet. After the initial act(s) of 
fraud, suspects would exchange contraband (such as counterfeit credit 
cards and counterfeit driver's licenses). This case, entitled Operation 
Firewall, developed into a multilateral effort involving 18 Secret 
Service domestic offices and 11 foreign countries. As the lead 
investigative office, the Secret Service Newark Field Office conducted 
a complex undercover operation involving the first ever wiretap on a 
computer network.
    Chairman Shelby and Senator Sarbanes, this concludes my prepared 
statement. Thank you again for this opportunity to testify on behalf of 
the Secret Service. I will be pleased to answer any questions at this 
time.

                               ----------

                  PREPARED STATEMENT OF AMY S. FRIEND
   Assistant Chief Counsel, Office of the Comptroller of the Currency
                             March 10, 2005

    Mr. Chairman, Ranking Member Sarbanes, and Members of the 
Committee, the OCC appreciates the opportunity to testify today about a 
subject that is critically important to the integrity of the 
relationship between a bank and its customers--a bank's ability and 
legal obligation to safeguard customer information. We commend the 
Banking Committee's leadership in addressing this important subject.
    It is a matter of primary importance to the OCC, as it is to the 
Committee, that national banks have adequate procedures in place to 
safeguard customer information. My testimony will describe the legal 
requirements on banks to safeguard customer information, the 
examination process for assessing the adequacy of a bank's security 
program, OCC enforcement actions against banks and individuals for 
breaches of information security, and upcoming interagency guidance 
that will detail the circumstances under which the Federal banking 
agencies expect institutions to notify their customers of security 
breaches.
Background
    The OCC routinely examines national banks for the safe handling of 
customer information. We consider safeguarding customer information to 
be essential to maintaining the safe and sound operations of a bank. As 
a result, information security has been a part of our overall 
supervisory process for many years. The level and extent of our 
supervisory review has evolved as bank operations and the technology 
banks employ have become increasingly complex and sophisticated. The 
OCC has a number of examiners dedicated full-time to conducting 
information technology and information security examinations, as well 
as many additional examiners performing these functions for a portion 
of their time.
    Over the years, the OCC, on its own and in conjunction with the 
other bank regulators, has published guidance and handbooks in this 
area advising banks of our 
expectations about acceptable risk management processes and procedures 
for safeguarding information, including in the areas of maintaining, 
transporting, and disposing of information. Further, OCC examination 
staff and attorneys participate in interagency coordination meetings 
concerning information security, such as regularly attending and 
participating in the Attorney General's Council on White Collar Crime, 
Subcommittee on Identity Theft.
Information Security Guidelines
    Section 501(a) of the Gramm-Leach-Bliley Act states that each 
financial institution has an affirmative and continuing obligation to 
protect the security and confidentiality of customer information. Under 
Ssection 501(b), the Federal financial 
institutions regulators are directed to establish standards for 
financial institutions relating to the administrative, technical, and 
physical safeguards of that information in order to:

 Ensure the security and confidentiality of customer 
    information;
 Protect against any anticipated threats or hazards to the 
    security or integrity of such information; and
 Protect against unauthorized access to or use of customer 
    information that could result in substantial harm or inconvenience 
    to any customer.

    To carry out this broad mandate, in February 2001, the OCC and the 
other Federal banking agencies issued standards in the form of 
guidelines, requiring each bank to have a written information security 
program designed to meet these statutory objectives.
    Under these security guidelines, the board of directors must 
approve a bank's written information security program and oversee its 
development, implementation, and maintenance. The Board must review 
annual reports on the status of the program and the bank's compliance 
with the guidelines.
    In developing its information security program, a bank must assess 
the risks to its customer information and any methods the bank uses to 
access, collect, store, use, transmit, protect, or dispose of customer 
information. A bank must identify reasonably foreseeable internal and 
external threats that could result in unauthorized disclosure or misuse 
of its customer information, assess the likelihood and potential damage 
of these threats taking into account the sensitivity of customer 
information, and assess the sufficiency of policies, procedures, and 
systems the bank maintains to control the risks.
    The bank must then design its information security program to 
control the identified risks. Each bank must consider at least the 8 
specific security measures set forth in the guidelines and adopt those 
that are appropriate for the institution. These measures include access 
controls on customer information, encryption of electronic information, 
monitoring systems to detect actual and attempted attacks on customer 
information, and response programs that specify actions to be taken 
when a bank suspects or detects unauthorized access to customer 
information.
    Each bank must train staff to implement the program and oversee its 
arrangements with service providers that have access to bank customer 
information. This includes using due diligence in selecting service 
providers, requiring by contract that service providers implement 
appropriate safeguard measures, and monitoring the activities of 
service providers where necessary to control the risks the bank has 
identified that may be posed by the service provider's access to the 
bank's customer information.
    A bank's information security program must not be static. Banks 
must routinely test their systems and address any weaknesses they 
discover. Banks must adjust their programs to address new threats to 
customer information, changes in technology, and new business 
arrangements.
Examinations for Information Security Programs
    The OCC examines national banks for compliance with the security 
guidelines. In conducting an examination, an examiner will review the 
bank's written information security program and its implementation in 
accordance with interagency examination procedures. These procedures 
include the following determinations:

 whether the program is appropriate for the size and complexity 
    of the bank and the nature and scope of its activities;
 the degree of the board's involvement in overseeing the 
    program;
 the adequacy and effectiveness of the bank's risk assessment, 
    including whether the bank has considered risks to all methods to 
    access, collect, use, transmit, protect, and dispose of 
    information;
 the adequacy of the program to manage and control the 
    identified risks, including technical and procedural controls to 
    guard against attacks, encryption standards used, and monitoring 
    systems;
 whether staff are adequately trained to implement the security 
    program;
 the nature and frequency of tests of the bank's key security 
    controls, the results of these tests, and whether they are 
    conducted or reviewed by independent sources;
 the adequacy of measures to oversee service providers; and
 whether the bank has an effective process to adjust its 
    information security program as needed to address such matters as 
    new threats, the sensitivity of customer information, technology 
    changes, a bank's changing business arrangements, and outsourcing 
    arrangements.
OCC Enforcement Actions and Investigative Activities
    From time to time, things can go wrong and customer information may 
be compromised despite a bank's information security program. The 
program itself may be inadequate, the systems to protect customer 
information may be breached, bank employees may not follow the program 
requirements, or unanticipated risks may arise. An outside service 
provider that maintains bank customer information on the bank's behalf 
may face the same issues. Where the OCC finds the bank, the bank's 
employees, or the bank's service provider to be at fault, the OCC can 
bring an enforcement action.
Supervisory and Enforcement Actions Against Banks
    The OCC has taken various actions to enforce compliance with the 
security guidelines against banks. In some cases, where the bank had 
not already done so, the OCC required national banks to notify their 
customers of security breaches involving their personal information. In 
another circumstance, the OCC directed a national bank to revamp its 
employee screening processes.
    For example, the OCC issued a cease-and-desist order against a 
California-based national bank, requiring, among other things, that the 
bank notify customers of security breaches, after the OCC's 
investigation revealed that the bank's service provider improperly 
disposed of hundreds of customer loan files. The OCC also issued a 
cease-and-desist order against the bank's service provider, and 
assessed hundreds of thousands of dollars in civil money penalties 
against the bank and its service provider.
    In another case, the OCC, after investigating allegations of a data 
compromise by a bank employee, directed a retail credit card bank to 
notify customers whose accounts or information may have been 
compromised. The OCC was able to determine that the information was 
used for nefarious purposes, after working collaboratively with the 
Federal Trade Commission to review complaints of identity theft made to 
the Commission through its Consumer Sentinel Program, of which the OCC 
is an information-sharing member.
    The OCC also directed a large bank to improve its employee 
screening policies, procedures, systems, and controls after the OCC 
determined that the bank's employee screening practices had 
inadvertently permitted a convicted felon, who engaged in identity 
theft related crimes, to become employed at the bank. Deficiencies in 
the bank's screening practices came to light through the OCC's review 
of the former employee's activities. OCC examination staff and 
attorneys regularly discuss appropriate employee screening practices 
and processes with national banks.
Investigations and Enforcement Actions against Bank Insiders
    In more than 15 other cases, the OCC has taken enforcement actions 
against bank insiders who have breached their duty of trust to 
customers, were engaged in identity theft-related activities, or were 
otherwise involved in serious breaches or compromises of customer 
information. These enforcement actions have included, for example, 
prohibiting individuals from working in the banking industry, personal 
cease and desist orders restricting the use of customer information, 
the assessment of significant civil money penalties, and orders 
requiring restitution.
    For example, after the OCC investigated and determined that a 
Colorado-based bank loan officer and loan processing assistant 
misappropriated customer information and emailed the information to a 
third party, the OCC prohibited the two individuals from the banking 
industry, assessed civil money penalties against each, and issued cease 
and desist orders against each that placed restrictions on their future 
use of customer information.
    In another matter involving a collections supervisor of a bank, the 
OCC's investigation revealed that the former bank employee 
misappropriated customer information, created fictitious Paypal payment 
accounts, and then embezzled money from the customers' bank accounts, 
thereafter depositing the money into the fictitious Paypal accounts. 
The OCC prohibited the employee from the banking industry, the employee 
paid tens of thousands in restitution, and the OCC assessed a civil 
money penalty against the employee.
    Many of these data compromise or identity theft cases were 
initially processed as part of the OCC's Fast Track Enforcement 
Program, whereby the OCC specifically targets current or former bank 
insiders for enforcement action based upon criminal authorities' 
declining to prosecute. Typically, law enforcement relies upon loss 
amounts in deciding whether to prosecute. However, loss amount from 
theft of customer information is both difficult to quantify and may not 
be present for the institution from which the information has been 
misappropriated. In such cases, the OCC has acted to remove wrongdoers 
from the industry, and, in appropriate circumstances, ordered 
restitution and civil money penalties as well. The OCC was also 
involved with the recent amendment of the Suspicious Activity Report 
(SAR) form to include a specific check box for identity theft, thereby 
making it easier for criminal law enforcement and the Federal banking 
agencies to identify referrals concerning identity theft and data 
compromise.
Upcoming Guidance on Response Programs and Customer Notice
    The OCC believes that notifying customers of a security breach 
involving their personal information is a key part of a bank's 
affirmative duty under the security guidelines to protect customer 
information against unauthorized access or use. While a bank may 
monitor a customer's account for suspicious activity following an 
incident of unauthorized access to that customer's information, 
monitoring will not prevent an identity thief from misusing that 
customer's personal information at another institution, such as to open 
a new account at a different bank. Armed with notice, however, bank 
customers may take steps to protect their information from further 
misuse, such as by placing fraud alerts on their credit reports that 
will alert other creditors that these individual may be victims of 
fraud.
    The information security guidelines, however, do not specifically 
require banks to notify their customers in the event of security 
breaches involving their personal information; therefore, the OCC is 
working with the other Federal bank regulators to finalize 
interpretative guidance stating the agencies' expectation that banks 
notify their customers of security breaches in appropriate 
circumstances. I am pleased to inform the Committee that, after 
considering public comments, the agencies reached an agreement on this 
guidance last week. The Acting Comptroller of the Currency approved the 
guidance on behalf of the OCC earlier this week, and the other agencies 
are now working through their approval processes.
    The OCC, along with the other banking regulators took the 
initiative to propose the guidance in 2003 as an interpretation of the 
security guidelines. Noting that internal and external threats to a 
bank's customer information are reasonably foreseeable, the guidance 
stated that the agencies expect each bank to implement a 
response program with specific policies and procedures for addressing 
incidents of unauthorized access to customer information. Specifically, 
the guidance described the components of a bank's response program. It 
stated that a bank should assess the nature and scope of the security 
breach, take appropriate steps to contain and control the incident to 
prevent further unauthorized access to or use of the customer 
information, notify law enforcement and the bank's primary regulator of 
the incident, and notify customers of the incident when warranted, as 
well as provide customers with helpful information about how to contact 
the bank with questions and how to place a fraud alert on consumer 
reports.
    The guidance provided that customer notice is warranted when the 
security breach involves access to information of the type that could 
easily be misused, such as a customer's Social Security number and 
account number, which could be used by an identity thief to impersonate 
an individual and take over the customer's account. The guidance stated 
that banks are expected to notify their customers of the security 
breach unless they determine that the breach is unlikely to result in 
misuse of the customer information.
    In crafting the standard for customer notice the agencies have 
sought to establish the appropriate threshold for when customers may 
actually benefit from receiving notice. For instance, under the 
proposed guidance, notice would not be warranted where a bank can 
immediately contain security breach and establish that the information 
has not been and is unlikely to be misused. An example of this would be 
where a bank determines that customer information was destroyed before 
it could be retrieved or used.
    The agencies received a number of comments on the proposed guidance 
emphasizing that not every breach of information security will result 
in harm to 
customers. Commenters stated that providing an overabundance of notices 
to consumers may have unintended consequences mainly that consumers may 
initially be alarmed and perhaps monitor or close their accounts, or 
place a fraud alert on their credit reports, but eventually may be 
lulled into complacency by a proliferation of notices. Moreover, 
commenters maintained that notifying customers of security breaches in 
every instance could result in the unnecessary placement of fraud 
alerts on consumer reports and, over time, erode the usefulness of 
fraud alerts. The agencies agree that some potential for misuse of a 
customer's information should be present to trigger notice to that 
customer.
    A number of commenters recommended permitting a delay of notice to 
customers while a law enforcement investigation is pending to avoid 
compromising the investigation. California law provides for a delay of 
customer notice if the notice would impede a criminal investigation. 
The agencies have taken into consideration these and other comments in 
finalizing the guidance.
Enforcement of Noncompliance with the Guidance
    The OCC will consider a bank's failure to follow the final guidance 
as noncompliance with the underlying security guidelines. The OCC has 
several enforcement 
options available to address noncompliance. One option is to use the 
safety and soundness enforcement process provided by Federal law and 
OCC regulations. Under this process, the OCC would issue a notice to 
the bank detailing deficiencies and requiring the bank to submit a 
corrective action compliance plan within 30 days. An 
acceptable plan could provide that the bank will adopt measures to 
correct deficiencies, including notification to customers and 
restitution for any loss caused by the bank's conduct. If the bank 
failed to submit an acceptable compliance plan, or failed to materially 
comply with its compliance plan, the OCC could then issue a Safety and 
Soundness Order. A Safety and Soundness Order is a formal, public 
document that is the legal equivalent of a cease-and-desist order. If a 
bank fails to comply with such an order, the order may be enforced in 
Federal District Court and the bank could be assessed civil money 
penalties. The OCC could also choose other enforcement options to 
address a bank's failure to comply with the guidelines, such as issuing 
a cease-and-desist order, or assessing civil money penalties.
Conclusion
    Mr. Chairman, through the Gramm-Leach-Bliley Act, particularly 
Section 501(b), Congress gave the regulators the direction and 
important authority to establish information security standards for use 
by the financial institutions we regulate. The OCC has found this 
authority to be well-suited to address the evolving information 
security challenges we face. We are committed to using this authority 
to assure that national banks have adequate procedures in place to 
safeguard their customers' information. Thank you.


                  IDENTITY THEFT: RECENT DEVELOPMENTS
                       INVOLVING THE SECURITY OF
                     SENSITIVE CONSUMER INFORMATION

                              ----------                              


                        TUESDAY, MARCH 15, 2005

                                       U.S. Senate,
           Committee on Banking, Housing and Urban Affairs,
                                                    Washington, DC.

    The committee met at 10:13 a.m., in room SD-538, Dirksen 
Senate Office Building, Richard C. Shelby (Chairman of the 
Committee) presiding.

        OPENING STATEMENT OF CHAIRMAN RICHARD C. SHELBY

    Chairman Shelby. The hearing will come to order.
    I apologize to you again about disrupting the hearing the 
other day, but when we had seven scheduled votes, I knew you 
did not want to come back at 2:00 in the morning. So thank you 
for coming again today. I recognize that all of you had to 
shuffle your schedules, reshuffle them a great deal to 
accommodate the Committee, but this is a very important 
subject, and I think it deserves our full time and our 
attention.
    Mr. McGuffey, we will start with you. Your written 
testimony will be made a part of the hearing record in its 
entirety. You proceed as you wish.

                   STATEMENT OF DON McGUFFEY

           VICE PRESIDENT, CHOICEPOINT SERVICES, INC.

    Mr. McGuffey. Thank you, Chairman Shelby, Members of the 
Committee, good morning. I am Don McGuffey, Vice President of 
ChoicePoint for data acquisition.
    Good morning, I am Don McGuffey, Vice President of 
ChoicePoint for Data Acquisition and Strategy. I have been with 
the company since its inception in 1997. The Committee has 
convened this hearing to address the important issues of 
identity theft and the security of sensitive consumer 
information. At ChoicePoint, our mission statement recognizes 
that in an increasingly risky world, information, through the 
use of modern technology, can be utilized to create a safer, 
more secure society. We also recognize the limitations of 
inappropriate information use as well as the limitations of 
technology. We know, and have been painfully reminded by recent 
events, that there can be negative consequences to the improper 
use of sensitive, personally identifiable data.
    As a company committed to the highest standards of 
information security, we recognize that with respect to the 
recent events in Los Angeles, we failed to prevent certain 
consumer data from being accessed by criminals. For this, we 
apologize again to those consumers who have been put 
potentially at risk by this fraudulent 
activity, and we have and are taking steps to protect them from 
actual financial harm. We are also working actively with law 
enforcement to bring to justice those individuals who committed 
this crime, and we have and will take actions designed to 
prevent similar violations from occurring in the future.
    The modern crime of identity theft, whether in the form of 
credit card fraud, false business identifications or in other 
guises, poses a significant threat to all Americans and we 
support this Committee's efforts to address that danger. In my 
testimony today, I would like to tell the Committee today about 
ChoicePoint, describe for you the recent crime perpetrated in 
Los Angeles, tell you about the steps that we have taken to 
protect individuals who may have been placed at financial risk 
as a result of this crime and what we are doing to diminish the 
likelihood of such incidents from occurring in the future. For 
example, we recently announced that the company will 
discontinue the sale of information products that contain 
sensitive consumer data except where there is a specific 
consumer-driven transaction or benefit or where the product 
supports Federal, State, or local government and law 
enforcement purposes.
    Mr. Chairman, ChoicePoint is a leading provider of 
identification and credential verification services to 
businesses, government, and nonprofit organizations. We have 
approximately 5,000 associates in nearly 60 locations. 
ChoicePoint provides services to more than 7,000 Federal, 
State, and local law enforcement agencies as well as a 
significant number of Fortune 500 companies, more than 700 
insurance companies and many large financial services 
companies. Our goal is to put the positive power of information 
to work for society at-large. We at ChoicePoint are proud of 
the company's efforts to identify over 11,000 undisclosed 
felons among those volunteering or seeking to volunteer with 
community organizations and of our role in helping law 
enforcement.
    Financial and identity fraud is a rapidly growing and 
costly threat to our Nation's economy. While ChoicePoint offers 
a large range of tools to help avoid fraud, but no one is 
immune to it, as other companies and institutions are also 
learning. This was underscored by recent events in California, 
which I would like to describe in more detail to the Committee. 
On September 27, 2004, a ChoicePoint employee became suspicious 
while credentialling a prospective small business customer 
based in the Los Angeles area. This employee brought his 
concerns regarding the application to the ChoicePoint Security 
Services Department. After a preliminary review, the manager of 
the Security Services Department alerted the Los Angeles County 
Sheriff's Department. They decided to initiate an official 
investigation and asked for our assistance. That investigation 
is still ongoing, and so far has resulted in the arrest and 
conviction of at least one individual. As we did in the recent 
Los Angeles incident, we have worked with law enforcement on 
other occasions of suspicious activity relating to customer use 
of our information products. With respect to California, we 
have learned that those involved had previously opened 
ChoicePoint accounts by presenting fraudulently obtained 
California business licenses and fraudulent documents. They 
were then able to access information products primarily 
containing the following information: Consumer names, current 
and former addresses, Social Security numbers, driver's license 
numbers, and certain other public record information such as 
bankruptcies, liens, and judgments and, in certain cases, 
credit reports.
    Based on information currently available, we estimate that 
data from approximately 145,000 consumers may have been 
accessed as a result of unauthorized access to our information 
products. Nearly one quarter of those consumers are California 
residents. Since July 2003, California is the only State that 
statutorily requires affected consumers to be notified of a 
potential breach of personally identifiable information and 
authorizes law enforcement officials to delay notification to 
allow a criminal investigation to proceed. Last fall, we 
received such a request from the Los Angeles County Sheriff's 
Department after the issue of consumer notification was 
discussed between ChoicePoint and the Department. At that time, 
ChoicePoint had not yet reconstructed all the searches required 
to identify consumers at risk, and law enforcement officers had 
not learned all pertinent details of the crime. Working 
cooperatively with the Sheriff's Department and after 
completing the necessary reconstruction, we began the process 
of notifying consumers last month. We elected to utilize the 
California law as a basis for notifying consumers in all 
States. Absent specific notification from law enforcement 
personnel, affected consumers or others, we cannot determine 
whether a particular consumer has been a victim of actual 
identity theft. However, law enforcement officials have 
informed us that they have identified approximately 750 
consumers nationwide where some attempt was made to compromise 
their identity.
    Mr. Chairman, our efforts to protect affected individuals 
did not stop simply with notification in California. We 
notified consumers nationwide and have taken other steps to 
assist potentially affected consumers who have identified to 
date. These include providing dedicated toll-free customer 
service numbers and a special website to respond to inquiries 
and to provide information associated with the tools for which 
ChoicePoint has paid; purchasing and providing free of charge a 
combined, 3-bureau credit report; purchasing and providing free 
of charge a 1-year credit monitoring service; and for anyone 
who has suffered actual identity theft from this fraud, we will 
provide further assistance to help them resolve any issues from 
the identity theft.
    We hope our efforts will help those individuals take steps 
to protect their personal data from being used in a criminal 
manner. In addition, we have taken steps to minimize the 
likelihood of future occurrences of this nature. We have 
decided to exit the non-FCRA consumer sensitive data market, 
meaning we will no longer sell information products containing 
sensitive consumer data, including Social Security and driver's 
license numbers, except where there is a specific consumer-
driven transaction or benefit or where the product supports 
Federal, State, or local government and law enforcement 
purposes. We will continue to provide authentication, fraud 
prevention, and other tools to large, accredited corporate 
customers where consumers have existing relationships. We have 
strengthened our customer credentialling procedures and have 
embarked on a recredentialling process for certain customer 
segments, including all small business customers. We have 
created an independent Office of Credentialling Compliance and 
Privacy that will report to the Board of Directors' Privacy 
Committee. This office will oversee improvements in customer 
credentialling processes, the expansion of a site visit based 
verification program and implementation of procedures designed 
to expedite the reporting of incidents. This office will be led 
by Carol DiBattiste, the Deputy Administrator of the 
Transportation Security Administration and a former Senior 
Prosecutor in the Department of Justice with extensive 
experience in the detection and prosecution of financial fraud. 
We have also appointed Robert McConnell, a 28-year veteran of 
the U.S. Secret Service and former chief of the Federal 
Government's Nigerian Organized Crime Task Force, to serve as 
our liaison to law enforcement officials.
    Chairman Shelby, to conclude, we have all witnessed the 
significant benefits to society that can come with the proper 
use of information. ChoicePoint is proud of the role it has 
played in assisting law enforcement and intelligence agencies 
as well as vast segments of the American business community in 
preventing fraud. We have also learned first hand the damage 
that can be caused when criminals improperly obtain access to 
consumer information. We have spoken out previously and would 
welcome a broad national debate on these issues and support 
efforts by the Congress to provide the independent oversight 
and increased accountability of entities that handle public 
record data. We also support increased penalties for theft of 
personally identifiable information and a reasonable nationwide 
mandatory requirement for the prevention of unauthorized access 
to personally identifiable data. As I noted previously, we 
determined that our commitment to consumers required us to go 
beyond both the geographic and substantive requirements of 
existing law and therefore provided nationwide notification and 
various consumer protection services for those affected. As 
Congress continues its work in this area, we stand ready as a 
company to cooperate with your efforts and look forward to 
participating in the continued discussion of issues related to 
identity theft and the protection of sensitive consumer 
information. I would be pleased to answer any questions that 
you might have.
    Chairman Shelby. Thank you.
    Mr. Evan Hendricks, Editor and Publisher, Privacy Times. 
Thank you, sir.

                  STATEMENT OF EVAN HENDRICKS

              EDITOR AND PUBLISHER, PRIVACY TIMES

    Mr. Hendricks. Thank you, Senator Shelby for the 
invitation.
    A quick housekeeping matter: Since this is the first 
hearing since Senator Sarbanes announced his retirement, I 
wanted to thank him on behalf of all constituents for the 
example he sets of public service, and he will be sorely 
missed, but think it will inspire many others.
    Chairman Shelby. He is going to be around for 22 more 
months.
    [Laughter.]
    Mr. Hendricks. And I want this subject to be on his to-do 
list, too, and also, the last time I had the privilege of 
sitting at this table, Senator, you told me that we were going 
to get a good FCRA bill, and we did thanks to your leadership 
and the work of this Committee and the Congress, and I want to 
let you know we are already seeing the benefits to consumers in 
the marketplace.
    Chairman Shelby. Thank you.
    Mr. Hendricks. That experience and recent events show us 
that we still have a lot of work to do. The recent events of 
data leakages at ChoicePoint, Bank of America, LexisNexis, DSW, 
shows us there are many problems here, and there are many 
ironies. And one of the ironies is that in order to protect 
privacy, we need greater sunshine. We need more transparency. 
There is too much that we do not know.
    When a task force was convened in 1973 to decide how do we 
protect privacy as we enter the computer age, the first 
principle they established was there should be no information 
systems whose very existence is secret, and unfortunately, we 
are bordering on that with the kind of database companies that 
we have that claim they are out of the reach of the FCRA.
    One of the things we need here is a full accounting, an 
inventory. We need a full accounting first of this episode so 
we understand what went wrong here. Where are the weaknesses? 
For instance, Equifax was quoted as saying they sold 8,000 
credit reports possibly illegally to ChoicePoint. ChoicePoint 
sent notices to 145,000 people. Why is this their discrepancy? 
How did they calculate there were 145,000 people? How long has 
this been going on? And why did not ChoicePoint or Equifax 
notice that something suspicious was going on?
    I think more broadly, we need an accounting and an 
inventory of this entire industry. We need to know what 
Government agencies are providing information to the 
ChoicePoints and Lexis Nexis, Sizant, Acxiom, and the like. We 
need to know how do they house their data? How is it organized? 
We need to know how is warranty card information collected? We 
know it is collected, but we do not know exactly how. We know 
when people call an 800-phone number, their information can be 
captured, a profile can be produced, but we do not know how 
that information is used and stored.
    These are companies that amassed billions of records. The 
media reports say that ChoicePoint has 19 billion records. That 
is a lot of records. The problem is that this information, 
consumers do not have a clear right of access to information 
that is being held on them. One of my colleagues is Maury 
Frank. She is an attorney in California who has written about 
identity theft, and she was at a bar convention meeting, and 
ChoicePoint had a stand there where they were showing their 
products, and she said that they put out a 30-page printout 
from all of their records on her, but they would not give her a 
copy of the printout. They were just trying to promote their 
service.
    And she noticed there were a lot of mistakes in that, and 
she said, well, can I get this copy of this? No. How do I 
correct the mistakes? You cannot. This is basically what I am 
talking about when I am talking about a secret record system.
    Even when consumers do have access for instance, 
ChoicePoint will say that we have three products: We have a 
tenant screening product, we have an employment background 
product, and then, we have our insurance claims products, and 
we will give you access to those under the FCRA. In fact, they 
will give you a free copy. But they say that if they have never 
sold an employment report, or if they have never sold a tenant 
screening report on you, then, they do not have a report that 
you can get access to.
    And this raises the fundamental question, if they can sell 
a report on you, why can they not give access to you? And the 
thing is what we want consumers to do is to check their reports 
before transactions so they can ensure the accuracy of the 
report, but under ChoicePoint's interpretation, they cannot do 
that, and this is something that we really need to clear up.
    I think that most troubling is that it is not clear that 
they are subject to law and accountable to consumers, they tend 
not to take responsibility when things go wrong. In my written 
testimony, I list some examples of run-ins that ChoicePoint has 
had with accuracy problems or people being disadvantaged by the 
use of their records. There was one episode where they had 
purchased information on voters from the Mexican Government and 
other Latin American countries, but it turned out that itt was 
done in violation of the laws of those countries, yet, 
ChoicePoint basically said it was the people who bought the 
information who were at fault, and they, again, did not take 
responsibility of it.
    In one case, there was a consumer who had problems with 
their insurance. They had false insurance information simply 
trying to get the ChoicePoint report cleared up under the FCRA 
so that they could get insurance at the rate that they were 
entitled to get it. The thing turned into a Federal lawsuit, 
and there was a Federal judge in Kentucky named John Heyburn 
II, who in summing up the case, he wrote that ChoicePoint 
repeatedly denied making any mistakes and instead seemed to 
blame all defective data on others. Furthermore, ChoicePoint 
employees appeared slow to recognize problems, even once they 
were put on notice and disclaimed all responsibility. Most 
notably, they seemed annoyed for even having to appear at 
trial. They never really explained the computer glitches which 
apparently caused this problem, and to this day, the Court is 
still unclear what procedures, if any, ChoicePoint uses to 
ensure the accuracy of its mass circulated reports.
    So when there is a full hearing, and someone drills down 
and looks at the system, we see there are major problems there. 
And of course, accuracy is one of our first goals of our fair 
information practices. That is what we want to see in credit 
reports. These are what we want to see in these other reports. 
These are reporting agencies. They are just not credit 
reporting agencies. And the anecdotal report that we have is 
that there are major accuracy problems--which makes sense. When 
you have information coming from all sorts of different sources 
like courthouses and State government agencies and licensing 
agencies, the more the information moves away from the original 
source, the more you lose data integrity.
    As we look at solutions, I think we need to, again, have a 
full accounting so that we understand what is going on. I think 
that we need to look particularly at the use of drivers' data. 
I think we need to understand in light of all these problems, 
is it prudent to continue to have, for example, drivers' 
agencies giving all the drivers' data to companies like 
ChoicePoint until we know everything that went wrong here, 
until we know there is full accounting of the system? I think 
we should consider and the States should consider suspending 
that information until we have full answers here.
    More broadly, we need to extend fair information principles 
to this database sector to make sure everyone has the right of 
access to their information, the right of correction, 
requirements of adequate security, and most importantly the 
right to enforce their rights when something goes wrong. 
Whenever you are talking about privacy rights, you are talking 
about 200 million Americans. You can never build a bureaucracy 
big enough to enforce those rights, and you do not want to, but 
you have to empower citizens to enforce their own rights, as we 
have done in the Fair Credit Reporting Act.
    And finally, the California law is responsible for helping 
us understand that these problems are existing. I know Senator 
Feinstein is working very hard to make that the law of the 
land. Many of us favor that, and we just want to make sure that 
any law passed by Congress is at least as good as the 
California law.
    Mr. Chairman, I want to thank you very much for the 
opportunity to testify. I look forward to answering your 
questions.
    Chairman Shelby. Ms. Desoer.

                  STATEMENT OF BARBARA DESOER

                 GLOBAL TECHNOLOGY, SERVICE AND

             FULFILLMENT EXECUTIVE, BANK OF AMERICA

    Ms. Desoer. Mr. Chairman, Senator Sarbanes, Committee 
Members, good morning. I am Barbara Desoer, Global Technology 
Service and Fulfillment Executive for Bank of America. I am a 
member of Chairman and CEO Ken Lewis' executive leadership 
team, and on behalf of that leadership of our company and all 
Bank of America associates, thank you for the opportunity to 
appear before this Committee this morning to provide our 
perspective on recent events involving our Government charge 
cardholders.
    First, I would like to express how deeply all of us at Bank 
of America regret this incident. We pursue our professional 
mission by helping people manage their financial lives. This 
work rests on a strong foundation of trust. One of our highest 
priorities, therefore, is building and maintaining a track 
record of responsible stewardship of customer information that 
inspires our customers' confidence and provides some peace of 
mind.
    On February 25, 2005, Bank of America began proactively 
communicating to U.S. GSA SmartPay Charge Card holders that 
computer data backup tapes were lost during transport to a 
backup data center. The missing tapes contained customer and 
account information for approximately 1.2 million Government 
charge card holders. The actual data on the tapes varied by 
card holder and may have included name, address, account 
number, and Social Security number.
    Backup tapes such as these are created and stored at remote 
locations as a routine industry contingency practice in the 
case of any event that might interrupt our ability to serve our 
customers. After the tapes were reported missing, Bank of 
America notified the GSA and also engaged the Secret Service, 
which began a thorough investigation into the matter, working 
closely with our corporate information security team.
    Federal law enforcement initially directed that to preserve 
the integrity of the investigation, no communication could take 
place to the public or to the card holders. While the 
investigation was moving ahead, we put in place a system to 
monitor the accounts and, in fact, researched account activity 
retroactively to the date of the data shipment to identify any 
unusual or potentially fraudulent activity in the accounts.
    The Secret Service has advised us and GSA management that 
their investigation has revealed no evidence to indicate that 
the tapes were wrongfully accessed or that their data content 
was compromised. In mid-February, law enforcement authorities 
advised us that communication to our customers would no longer 
adversely impact the investigation. Now, we have completed the 
initial notifications and are continuing to communicate to our 
customers to ensure that they understand additional steps we 
are taking to help protect their personal information.
    Bank of America quickly established a toll-free number that 
Government charge card holders could use to call with questions 
or to request additional assistance. We also have offered 
credit reports and enhanced fraud monitoring services to card 
holders at our expense. Government card holder accounts 
included on the data tapes have been and will continue to be 
monitored by Bank of America, and Government card holders will 
be contacted should any unusual activity be detected. According 
to standard Bank of America policy, Government card holders 
will not be held liable for any unauthorized use of their 
cards.
    The incident was unfortunate and regrettable. That said, we 
feel that it can shed helpful light on the critical element of 
the industry's practices for data transport. We view this as an 
opportunity to learn and to lead the industry to better answers 
that will give our customers the confidence and security they 
deserve.
    As I said earlier, we decided as an abundance of caution to 
notify the account holders after law enforcement advised us 
that notification would no longer adversely impact the 
investigation. However, we also acknowledge that providing 
notices when there is low risk that the information will be 
misused has potential drawbacks, such as creating unnecessary 
anxiety in customers and, if provided too frequently in 
nonthreatening situations, degrading the effectiveness of a 
security breach notice.
    For example, in some instances, a thorough investigation of 
the incident may conclude that there was no risk that the 
information was used for illegal purposes. In these instances, 
it is probably best to leave it to the discretion of the 
institution to determine if customers should be notified.
    Members of the Committee, I would like to conclude by 
emphasizing that the privacy of customer information is one of 
the highest priorities at Bank of America, and we take our 
responsibility for safeguarding it very seriously. I can assure 
you on behalf of our leadership team and all our associates, we 
will do all we can to ensure that our customers have the 
freedom to engage in business and commerce and to manage their 
financial lives, secure in the knowledge that their personal 
information will be respected and protected by the institutions 
in which they place their trust.
    This concludes my prepared testimony, and I am happy to 
answer any questions.
    Chairman Shelby. Thank you very much.
    Mr. McGuffey, your testimony among other things indicates 
that ChoicePoint employees first became aware of something 
unusual on September 27, 2004, and that you began cooperating 
with California law enforcement officials almost immediately 
thereafter. As the law enforcement investigation proceeded, 
you, to use your word, reconstructed the search activities of 
the suspected criminals and determined the nature and scope of 
the information that was compromised, and that this took about 
3 months.
    After this was completed, and after you got the go-ahead 
from law enforcement officials, you then began to notify 
affected customers; is that correct?
    Mr. McGuffey. Yes, Senator, that is correct.
    Chairman Shelby. Okay; at this point, ChoicePoint also took 
steps to help those whose information was stolen to protect 
themselves prospectively. That is, you provided free credit 
reports, credit report monitoring, and the like; is that 
correct?
    Mr. McGuffey. Yes, Senator, we did.
    Chairman Shelby. Finally, ChoicePoint has decided to get 
out of the non-FCRA businesses, and that was just a week or so 
ago. Is that correct, that decision was made then?
    Mr. McGuffey. Yes, Senator, I believe it was a couple of 
weeks ago.
    Chairman Shelby. A couple of weeks ago.
    I think it is important for the hearing record for us to 
correctly establish the sequence of events, and I appreciate 
you going back through this with me. I know it is tedious.
    For further clarification, who, sir, at ChoicePoint was 
made aware of this situation when it was first discovered in 
September 2004, in other words, the breach? Was senior 
management involved in responding to this situation? You are 
Vice President of ChoicePoint and you have been there from the 
beginning; is that correct?
    Mr. McGuffey. Yes, Senator, I have.
    Chairman Shelby. Let me ask you a question again: When 
ChoicePoint, found out that you had a breach here in the 
security in September, who was made aware of that situation?
    Mr. McGuffey. The incident was actually discovered by one 
of the individuals in the credentialling area.
    Chairman Shelby. And who would that be?
    Mr. McGuffey. I am not sure of that gentleman's name.
    Chairman Shelby. Would you furnish that for the record?
    Mr. McGuffey. Yes, sir.
    Chairman Shelby. Okay.
    Mr. McGuffey. After that individual found out, within a day 
or so, they notified the manager of our security services 
department.
    Chairman Shelby. Does he report to you?
    Mr. McGuffey. No, sir.
    Chairman Shelby. Okay; go ahead. And what is his name? Do 
you know his name?
    Mr. McGuffey. Yes, sir, Robert Kneuth.
    Chairman Shelby. He is a manager of the----
    Mr. McGuffey. Security services department.
    Chairman Shelby. Okay; and then, what happened?
    Mr. McGuffey. At that point, the security services 
department and the credentialling group started working 
cooperatively to try to figure out whether this was, indeed, a 
real problem, because at this point, what we are aware of is 
that there is an unusual circumstance in the process of trying 
to get an account credentialed.
    Chairman Shelby. Let us go over which departments they were 
again just for the record.
    Mr. McGuffey. I believe it is the credentialling department 
and the security services department.
    Chairman Shelby. The security services became aware of the 
breach first; is that right?
    Mr. McGuffey. Second, actually.
    Chairman Shelby. Second? Who became--the credentials 
became----
    Mr. McGuffey. Yes, the credentials first, because we 
received a call coming in trying to have a company credentialed 
to become a customer. At this point, that particular account is 
not a customer.
    Chairman Shelby. Does this set off an alarm?
    Mr. McGuffey. Well what happened was the individual began 
to be suspicious because of----
    Chairman Shelby. Because it set off an alarm or caution.
    Mr. McGuffey. Caution in their head, yes, sir as to how 
this individual was responding to questions and what kinds of 
documents----
    Chairman Shelby. Suspicious activity.
    Mr. McGuffey. Suspicious activity. They alerted our 
security department. They then started having a dialogue to try 
to figure out----
    Chairman Shelby. This was early September?
    Mr. McGuffey. Actually, it was around October 1, I believe 
that the security services department was actually notified.
    Chairman Shelby. When were you notified?
    Mr. McGuffey. I was notified on about November 15.
    Chairman Shelby. In other words, there was 6 weeks' lapse 
between when they were notified of this and when you, as a vice 
president, was notified of it?
    Mr. McGuffey. Yes, sir, actually the notice----
    Chairman Shelby. Can you furnish the exact dates, because I 
know you have--for the record?
    Mr. McGuffey. Yes, sir, I can. I would be more than happy 
to.
    Chairman Shelby. In other words, who knew what when? What 
they knew, when they learned it, what they did with it.
    Mr. McGuffey. Yes.
    Chairman Shelby. Sequentially.
    Mr. McGuffey. Okay; be glad to do that.
    Chairman Shelby. And where did this information go then?
    Mr. McGuffey. Prior to November 15----
    Chairman Shelby. Did this languish, now, with two or three 
people until November 15?
    Mr. McGuffey. No, sir, actually, the security services 
department called in to the home office, which was in 
Alpharetta. Again, this was happening in Boca Raton, Florida.
    Chairman Shelby. Alpharetta, that is near Atlanta, correct?
    Mr. McGuffey. Yes, sir, it is north of Atlanta.
    Chairman Shelby. Who did they call in the home office?
    Mr. McGuffey. It came in to our legal department.
    Chairman Shelby. Your general counsel?
    Mr. McGuffey. No, not to my knowledge. It went in to one of 
the staff within the legal department. I will be glad to----
    Chairman Shelby. Furnish this for the record.
    Mr. McGuffey. Furnish this for the record, sir.
    Chairman Shelby. What happened to it then?
    Mr. McGuffey. They had discussion and then called Los 
Angeles County to make notice and to try to have a discussion 
as to----
    Chairman Shelby. But you were aware of what happened at 
this----
    Mr. McGuffey. Not at this time, no, sir.
    Chairman Shelby. What time frame are you talking about now?
    Mr. McGuffey. This was in the second week of October, 
about, and I will be glad to specify and provide to your staff 
and to this Committee the details exactly, but it was in the 
second week of October when the dialogue was taking place with 
our legal department. So at that point, communication went to 
the Los Angeles County Sheriff's Department.
    Chairman Shelby. And nobody knew that? You did not know 
that at that time?
    Mr. McGuffey. No, sir, I did not.
    Chairman Shelby. Did anybody else know that in your company 
at your level or higher? Within your counsel's office.
    Mr. McGuffey. It was in our legal department, which is part 
of the--yes, our general counsel's----
    Chairman Shelby. No one was notified by an email or 
anything? I mean, there are many ways to transmit information.
    Mr. McGuffey. Not to my knowledge, sir, but I will be more 
than happy to provide any other details that I am not currently 
aware of as part of that investigation.
    Chairman Shelby. Well, what happened then? And where are we 
now on the calendar?
    Mr. McGuffey. Okay; we are in about the middle of October.
    Chairman Shelby. Okay.
    Mr. McGuffey. And there is dialogue with the Sheriff's 
Department, Los Angeles County. They had, at this point in 
time, not really accepted the case, if you will. We, on the 
other hand, were still having dialogue with this individual on 
the other end of the telephone asking for additional documents. 
In other words, we are trying to keep this individual engaged, 
if you will, and requesting additional documents from this 
individual while we are also having conversation with the 
Sheriff's Department.
    Chairman Shelby. You are part of senior management. You are 
a vice-president. Was your president, your chairman, any 
members of the board made aware of this situation?
    Mr. McGuffey. Not at this time, no, sir.
    Chairman Shelby. Okay; when were they made aware of this 
situation? November 1?
    Mr. McGuffey. I had a conversation with our president, who 
I report to----
    Chairman Shelby. What is his name?
    Mr. McGuffey. --Doug Carling----
    Chairman Shelby. Okay.
    Mr. McGuffey. --in the latter part of November, inquiring 
as to whether he had been informed of this matter, because it 
would be not necessarily natural for that notification system 
to come through me. It would be natural for it to go as it had, 
which is into the legal department, and be handled as a legal 
and a law enforcement matter.
    Chairman Shelby. This was the end of November? Before 
Thanksgiving or after Thanksgiving?
    Mr. McGuffey. I do not recall.
    Chairman Shelby. Do you have a log on this?
    Mr. McGuffey. No, sir, I do not.
    Chairman Shelby. Will you go back, and there will be 
something to indicate?
    Mr. McGuffey. Attempt to find something; I certainly will.
    Chairman Shelby. Sure.
    Mr. McGuffey. I certainly will.
    Chairman Shelby. When was your chairman notified of this?
    Mr. McGuffey. To my knowledge, it was in January before a 
board meeting.
    Chairman Shelby. And he had no inkling of this before then?
    Mr. McGuffey. From what I understand and what we have 
reported, that is correct.
    Chairman Shelby. Who made the decision in the company to 
provide free credit reports and provide other forms of 
assistance? Did you do that? Did the president do it?
    Mr. McGuffey. I believe that was in conversation between 
our president and our chairman.
    Chairman Shelby. What was the time frame on this?
    Mr. McGuffey. I, again, will be glad to provide the 
specific data to your staff.
    Chairman Shelby. Was it in October?
    Mr. McGuffey. No, sir, it would have been in the middle of 
February, something in that time frame.
    Chairman Shelby. Who was involved in making the decision to 
exit the entire line of business that you referenced?
    Mr. McGuffey. Again, it would have been----
    Chairman Shelby. Was it the board?
    Mr. McGuffey. No, sir, I do not believe so. I believe it 
was in conversation between our chairman and our president.
    Chairman Shelby. I believe you testified that ChoicePoint, 
and you correct me if I misstate something, that ChoicePoint 
took this very seriously when the breach was first discovered; 
is that correct? Did you consider this a serious situation?
    Mr. McGuffey. Yes, Senator.
    Chairman Shelby. A potentially serious situation?
    Mr. McGuffey. I believe any time when you have a great deal 
of dialogue trying to keep someone involved to try to figure 
out whether they are fraudulently trying to engage with us and 
also contacting law enforcement is a serious matter.
    Chairman Shelby. How do you reconcile what you testified to 
thus far, that in your own words, senior management--of course, 
you are senior management and others--did not play a critical 
role in this situation? In other words, were not aware of the 
situation until later in the game? You say November?
    Mr. McGuffey. November is when I was aware, yes.
    Chairman Shelby. Is that right? And yet, in your written 
statement, you claim that ChoicePoint, ``is committed to the 
highest standards of information security;'' in other words, 
that is central to your business, is it not?
    Mr. McGuffey. Yes, Senator, it is.
    Chairman Shelby. If senior management were not aware of 
what was going on, let alone involved with a major information 
security breach like this, and you are in the information 
business, what does that say? Is that the way you all do 
business in the company?
    Mr. McGuffey. Senator, at the time when even I became 
aware, I was told was that there were only a couple of accounts 
that were under investigation, so there was no recognition at 
that time as to the size and the scope of this issue.
    Chairman Shelby. I believe in your written statement, you 
indicate, and I will quote you, and you correct me if I am 
wrong on this, ``we have worked with enforcement on other 
occasions of suspicious activity related to customer use of our 
information products.''
    The question follows, how many other instances of 
suspicious activity are we talking about? Are we talking about 
dozens of times?
    Mr. McGuffey. Senator, I am not aware that it is a dozen. I 
know there are probably a handful of incidents that are related 
in that manner.
    Chairman Shelby. Would you furnish that information for the 
record?
    Mr. McGuffey. Yes, sir, I shall.
    Chairman Shelby. Have you, sir, in your experience, had 
other situations like this, did you ever formally consider that 
clients or potential clients were the most serious information 
security threat, in other words, the ultimate consumer of this 
report? That is who the real threat is to, is it not, sir?
    Mr. McGuffey. Yes, Senator.
    Chairman Shelby. To their privacy and their information?
    In other words, did senior management take steps specific 
to your business model and the risk associated with it to 
protect your data and your company? Do you believe they did?
    Mr. McGuffey. Yes, Senator, we have spent a great deal of 
effort on the technology security side to assure that we do not 
have technology breaches and have technology policies 
associated with that, have hired outside individuals in order 
to make sure that individuals cannot hack into our system. And 
so, we have addressed fairly, I believe, significantly certain 
risks associated with access. In this case, we had 
credentialling procedures in place, and unfortunately, we had 
some fairly sophisticated criminals who were able to circumvent 
our credentialling procedures and get access.
    Chairman Shelby. Senator Sarbanes.

             STATEMENT OF SENATOR PAUL S. SARBANES

    Senator Sarbanes. Thank you very much, Mr. Chairman. I am 
sorry I was not able to be here at the outset.
    Chairman Shelby. Go ahead.
    Senator Sarbanes. First of all, I want to thank you for 
your leadership on this very important issue raised by the 
recent breaches of data security and financial privacy. You 
actually have been a leader in the Senate for many years on the 
issue of privacy of financial information, and moving on this 
issue is just another demonstration of that. Millions of 
Americans are very deeply concerned about this situation.
    Chairman Shelby. Thank you.
    Senator Sarbanes. The Baltimore Sun in an editorial March 
2, ``Stealing by the Numbers,'' said that Federal oversight of 
data brokers is sorely needed, and there should be stiff 
financial penalties for improper releases. The Philadelphia 
Inquirer on March 6 wrote both episodes, involving ChoicePoint 
and Bank of America are outrageous instances of businesses 
falling down on the job after they have been entrusted with 
vital data. The data leaks demonstrate the need for greater 
oversight of data bank repositories.
    Of course, the data brokers possess many types of 
information about citizens. The Washington Post, in an article, 
indicated that ChoicePoint has the following types of data on 
some citizens: and if any of these are not correct, if you do 
not have these, enter a dissent at the appropriate point: Name, 
address, and Social Security numbers, automobile and insurance 
claims history, credit history, vehicle ownership, public 
records which would contain liens and judgments, military 
service, educational history, names and addresses of neighbors 
and relatives, birth, marriage, and death certificates, 
fingerprints and DNA.
    They do not assert that you have it on all citizens but 
that you keep this kind of very extensive data on at least some 
citizens. Is that accurate?
    Mr. McGuffey. Senator, you read through the list fairly 
quickly, and I think the one or two that I would----
    Senator Bunning. Read it slowly.
    Mr. McGuffey. --make comment on would be on the educational 
history. The educational history that we may have would be only 
on those individuals whom we would have performed a 
preemployment background screening check and only in those 
instances where our customer would request us to have validated 
information on an application for a job.
    On the military records, we really do not have what I would 
call military records. We do have historical data prior to 2001 
on individuals that may be in the military.
    Senator Sarbanes. Well, I take it in effect that is a 
confirmation of the article, though, because in effect, the 
article does not assert that you have all of this information 
on everybody, but it does assert that you have it at least on 
some citizens, so, I mean, it gives some sense of the 
parameters of the kind of data you collect and how extensive it 
is in its coverage. I mean, is that a fair statement?
    Mr. McGuffey. I would agree, Senator, it is a reasonable 
statement.
    Senator Sarbanes. Mr. Chairman, in the face of corporate 
data banks holding and selling such an extensive array of data 
on citizens, this issue of data privacy, security, and identity 
theft obviously takes on particular importance, and I think 
your analysis in this hearing has focused on it, and I commend 
you for that.
    Chairman Shelby. Thank you.
    Senator Sarbanes. It includes consideration of the 
situation of the consumer both before and after a data security 
breach. Should a consumer have rights to notice, access, and 
correction of data held in a data repository? Should a consumer 
be able to prevent his or her personal, nonpublic data from 
being included in certain data banks for resale? I mean, you, 
in effect, sell the data, correct? I mean, that is your 
business. That is where your income comes from, correct?
    Mr. McGuffey. Generally speaking, yes, I would agree with 
that.
    Senator Sarbanes. Should Federal minimum data security 
standards be required for data brokers? What should a data 
repository be required to do after a breach occurs to prevent 
consumer fraud and identity theft? And of course, we face the 
basic question, which we have had to discuss in here before, of 
whose property is a person's financial information, a 
consumer's or an institution's?
    Mr. Chairman, I remember when we did a hearing, Phyllis 
Schlafly came before the Committee.
    Chairman Shelby. We did. Had Ralph Nader and Phyllis 
Schlafly together on the same issue right here.
    Senator Sarbanes. Exactly. And, of course, she took the 
very strong position this is a property right, and it belongs 
to the institution. And in effect, their property rights are 
being--it was a very interesting----
    Chairman Shelby. There was pretty good agreement between 
both the left and the right.
    Senator Sarbanes. It was an interesting concept, and I 
still recall it.
    I received a letter from a constituent saying that he had 
received a letter from ChoicePoint informing him that a fraud 
may have resulted in personally identifiable information such 
as your name, address, Social Security number, or credit report 
being viewed by businesses that should not have access to such 
information. So he received a letter from you telling him that.
    One of the things he says in his letter to me, he says 
obviously, this letter from ChoicePoint is very unsettling. The 
use of the word ``may'' indicates that ChoicePoint does not 
know what information was released and demonstrates their 
inadequate security procedures.
    What do I say to him? Of course, one of the things that I 
will say to him is that you were here, and I had the 
opportunity to ask you this directly, but what is your 
response? Of course, his focus now is not that the information 
went out but that ChoicePoint does not really know by saying to 
him may what information went out; is that correct?
    Mr. McGuffey. Senator, we regret and are deeply sorry that 
we had this event and the criminal activity associated with it. 
We did have to take, and a lot of times, as I believe the 
Chairman had indicated earlier, to recreate all of the various 
different individual searches that had been instituted against 
our databases, and in those cases, we actually went back for 
each and every one of those searches and recreated it.
    The information--and my expectation is that the information 
does actually exist, although in sending out the letters that 
we sent, we generally patterned that notice after the 
California law in making notice to those individuals, but my 
expectation is in that particular case, the details are there.
    Senator Sarbanes. I have run over my time, so let me just 
close. This constituent went on to say he recommended these 
actions, and if I could get a quick reaction, I apologize to my 
colleague: A data broker company must obtain written approval 
from the person before any personal information can be given 
out. That is one recommendation. The other is the data broker 
companies must be held liable for a person's identity theft and 
bear the full and total cost to reestablish the person's credit 
rating and identity. They should also incur punitive damages 
for their security malpractice.
    Can each of you give me a quick reaction to that? Mr. 
Chairman, I appreciate your indulgence.
    Chairman Shelby. That is okay.
    Mr. McGuffey. Senator, one of the concerns that I would 
have of requiring any individual to consent to the release of 
the information is related to the activities associated with 
investigations. I had made the comment earlier in my statement 
about the variety of services that we have and, indeed, the 
11,000 criminals that we had identified that through the 
process of performing screens, identified the fact that these 
individuals may have been harmful.
    The investigative process, it seems to me that if we have a 
criminal or someone who was trying to do harm, it is not likely 
that they are going to give their consent to allow law 
enforcement or others to investigate that individual.
    Senator Sarbanes. Well, let us have a law enforcement 
exception. Does that take care of it?
    Mr. McGuffey. What we have taken as a position along those 
lines is that we should use the principles that are contained 
in the Gramm-Leach-Bliley Act that was passed, I believe, back 
in 2001 and some of the principles that are contained in the 
Fair Credit Reporting Act and apply those to public record 
data.
    Senator Sarbanes. And what about bearing the full and total 
cost to reestablish a person's credit rating and identity when 
there has been identity theft?
    Mr. McGuffey. I suppose, Senator, that we were also the 
victim of a crime, and it does not seem at least to me at first 
blush that in that case, where we believe we had reasonable 
procedures in place to try to prevent a crime, that that would 
be entirely appropriate, but we obviously would like to engage 
in that debate with you and the Committee.
    Senator Sarbanes. All right; Mr. Hendricks, real quick.
    Mr. Hendricks. Thank you. Quickly, I agree with my fellow 
Marylander that that is exactly what we need. You cannot have 
large organizations enjoying the benefits of trafficking in our 
personal data if they are not going to take responsibility for 
it, and I am very troubled by the questioning where you hear 
about a breach in September, and then, ultimately, it trickles 
up to senior management by the turn of the year. That is very 
troubling.
    I have had the opportunity to talk to one person who 
received the ChoicePoint letter, and working with that person, 
we found out that a couple of years ago, he was called by his 
Discover Card, and he was asked have you changed your address? 
Because somebody--this is what the thieves did in this case. 
They were trying to change the address. And it looked like 
Discover helped catch that, but these two New Jersey addresses 
turned up on his credit report and the credit report is the 
epicenter of this crime.
    So he gave me these addresses, and I tracked both addresses 
down to Mail Boxes, ETC., indicating that these were the drop 
slots of identity thieves. So there is a lot to be found out 
here if we have a real joint effort to work here with the 
consumer. There is valuable data on those consumers' credit 
reports, and it is a bit disturbing to me that a lot of time 
has gone by, and valuable leads might have been lost.
    Senator Sarbanes. Did you want to add anything, Ms. Desoer?
    Ms. Desoer. From the perspective of Bank of America, we do 
not sell our information to any third parties, and we give 
customers the option to opt out of any sharing of information 
within our own company that could be used for cross-marketing 
purposes.
    We do have a policy that does not hold the consumer liable 
for any losses on the product because of fraud, and then, we 
work with customers on an individual basis to determine what 
the circumstances are and what else we might be able to do to 
help them.
    Senator Sarbanes. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman Shelby. Senator Bunning.

                STATEMENT OF SENATOR JIM BUNNING

    Senator Bunning. Thank you, Mr. Chairman.
    Ms. Desoer, 1.2 million customers lost records, 900,000 in 
the military; is that correct?
    Ms. Desoer. That is correct.
    Senator Bunning. That seems beyond comprehension to me that 
that happened with one of the biggest banks in the country, 5, 
maybe 10, but 1.2 million? You are going to have to give me a 
better explanation than you gave the Chairman.
    Ms. Desoer. Okay; what we have as a process in the 
agreement that we have with our client, the GSA, is that for 
contingency and data recovery purposes, every day, we back up 
the data on the entire GSA charge card SmartPay portfolio, and 
we ship that data to a recovery backup site across the country.
    Senator Bunning. Electronically.
    Ms. Desoer. No, these are tapes----
    Senator Bunning. These are backup tapes.
    Ms. Desoer. Backup tapes that are taken a slice at a point 
in time of all of the transaction records for those cardholders 
and are physically moved. Those tapes are physically moved 
across the country was the process that happened.
    Senator Bunning. Okay. You explained that nothing has 
happened, and there is no use, or you have not found any?
    Ms. Desoer. Correct.
    Senator Bunning. What is to prevent somebody from holding 
that data for a year or a year and a half and then using it?
    Ms. Desoer. A couple of things: First of all, the data is 
not easily recoverable. The tapes that were lost were part of a 
larger set of tapes that in concert need to be run together on 
specialized equipment using specialized software that require 
particular expertise and knowledge about how the data is 
fragmented on those tapes to reconstruct it; not to say it is 
impossible, but it would--an average person cannot reconstruct 
that, so in theory, they could.
    Senator Bunning. How much money does Bank of America spend 
on securing data, that type of personal data?
    Ms. Desoer. I would need to get back to you on that 
particular. I can get that information.
    Senator Bunning. I would like to know exactly how much 
money they spend.
    ChoicePoint Services, Inc., how much money does ChoicePoint 
spend on securing data, making sure that consumers' information 
is kept secure?
    Mr. McGuffey. Senator, I do not have that figure with me, 
and I would be happy to----
    Senator Bunning. Would it not be nice to, since you are 
make money selling information that obviously should not have 
been sold, it would be nice to know how much money you are 
spending to secure the data you should not be selling in the 
first place.
    I want to go back to the case in Kentucky, because I 
personally know the judge. In the case of Mary L. Boris v. 
ChoicePoint Services, and Western District of Kentucky, March 
14, 2003, Judge John Heyburn on appeal found that one could 
infer from the evidence that ChoicePoint included incorrect 
data on plaintiff's claim report; that plaintiff complained 
about this false information; and that after the original 
mistakes were corrected, more incorrect claim data reappeared 
on her report and remained well after the suit was filed.
    Based on this series of events, a jury could certainly 
conclude that a reasonable, prudent company would have 
prevented a similar outcome. He added, this is Judge Heyburn, 
``to this day, this Court is still unclear what procedures, if 
any, ChoicePoint uses to ensure the accuracy of its mass 
circulated reports.''
    That is a Federal District Judge, the Chief Judge of the 
Western District of Kentucky. Now, what did you have to say 
about that? What did your lawyers have to say about it?
    Mr. McGuffey. Senator, I have not personally had 
conversation with our lawyers about this particular case. We 
handle 100 million transactions probably a year, and 
unfortunately, this one appears to be one where we had 
inconsistencies in our data associated with the record.
    Senator Bunning. Okay; answer this question, then: What 
procedures does ChoicePoint have in place so that a consumer 
can make corrections of inaccurate information they find in 
your database and make it stick and not reappear on your 
database?
    Mr. McGuffey. Senator, in this case, this was an insurance-
related incident, and it is covered by the Fair Credit 
Reporting Act. So we comply with the Fair Credit Reporting Act, 
where in case of a consumer who is interested in understanding, 
can get a report, does get a report, and if there is a dispute, 
we have dispute processes in place, and if you like, I would be 
more than happy to provide a detail of those dispute processes 
for you and your staff.
    Senator Bunning. I would like that.
    There are many more questions, but I see my time has 
expired. Thank you, Mr. Chairman.
    Chairman Shelby. Thank you.

            STATEMENT OF SENATOR CHARLES E. SCHUMER

    Senator Schumer. Thank you, Mr. Chairman. I want to say I 
share my colleague from Kentucky's outrage about this, and, you 
know, what happened here just boggles the mind, that you 
actually sold information to criminals who used it for criminal 
purposes. I mean, if banks operated like ChoicePoint, bank 
robbers would not need guns. They would open an account, walk 
in, and take all the money they wanted out of the safe.
    It is just amazing, because, and we all know what happens, 
as Jim has talked about, when somebody has their identity 
stolen. It takes them on average 175 hours to get it back. So 
you did not just sell their identities to these crooks; you 
sold their peace of mind. And the attitude of this company is 
just casual. I mean, the questions you do not know after these 
mishaps? You do not know much money is being spent to protect 
people's identities? You are a vice president of the company?
    The time lapse that Senators Shelby and Sarbanes elapsed, 
how is it that the CEO did not know that thousands of people's 
identities were stolen until a couple of months later? You tell 
me: Why did you not call law enforcement immediately? Do you 
know how much damage might have been done between the day you 
found out or your company found out and the day you notified 
law enforcement?
    Do you have a policy when somebody's identity is stolen--
that is a question--about notifying law enforcement 
immediately? Does the company have a policy to do that? Yes or 
no?
    Mr. McGuffey. I am not aware as to whether we do or not, 
but I will certainly provide that----
    Senator Schumer. Well, why are you here, sir, if you are 
not aware of a question like that after everything that has 
happened?
    Mr. McGuffey. I was invited by the Committee, sir.
    Senator Schumer. All right; well, the company chose you to 
come, right?
    Mr. McGuffey. I believe that is correct.
    Senator Schumer. Did you get briefed?
    Mr. McGuffey. Yes, Senator, I did.
    Senator Schumer. And that question never came up?
    Mr. McGuffey. No, Senator, it did not.
    Senator Schumer. And neither the question about how much 
money you spend to protect people's identities?
    Mr. McGuffey. No, Senator, it did not.
    Senator Schumer. Let me ask you another one: Have there 
been other instances where ChoicePoint has been aware that 
people's identities have been stolen but that has not been made 
public?
    Mr. McGuffey. In these instances, there have been two or 
three, as I had indicated earlier, and all of those--
    Senator Schumer. Two or three instances?
    Mr. McGuffey. And in all of those cases, we have made 
notice and in that 145,000----
    Senator Schumer. Immediately?
    Mr. McGuffey. As soon as we were able to recreate the 
searches, Senator.
    Senator Schumer. But I am asking, there were rumors that a 
couple of years ago, this happened, too, and that has not been 
made public. Is that true?
    Mr. McGuffey. No, Senator. In those cases, we found out 
about the 2002 incident, which may be what you are referring 
to.
    Senator Schumer. When did you find out?
    Mr. McGuffey. In those cases, we found out in the fall of 
2004, because we did an internal investigation and found cases 
that----
    Senator Schumer. How is it that identities that you have 
are stolen or information is stolen, and you do not know until 
2 years later? You got no complaints?
    Mr. McGuffey. To my knowledge.
    Senator Schumer. Did you check to see if you had 
complaints?
    Mr. McGuffey. To my knowledge, no, sir.
    Senator Schumer. And did the company check to see if they 
had complaints?
    Mr. McGuffey. Yes, Senator, those complaints do come in to 
a central environment.
    Senator Schumer. Okay; so, were there complaints between 
2002 and 2004 that came in to the company?
    Mr. McGuffey. With regard to this incident, not that I am 
aware of, sir.
    Senator Schumer. And does that mean no, or does that mean 
you may just not be aware? I mean, did you check? Did you ask 
before you came here today?
    Mr. McGuffey. Yes, Senator, I did.
    Senator Schumer. And they said?
    Mr. McGuffey. No.
    Senator Schumer. Okay; you do not have to say, then, not 
that you are aware of; no, you checked.
    Have you notified customers before this last situation? In 
those situations, did you notify customers about the thefts 
when you found out about them?
    Mr. McGuffey. Senator, in these cases, when we did our 
internal investigation was when we found the various accounts 
that had been misrepresented to us, and in all of those cases, 
we made notice.
    Senator Schumer. To every customer, not just in the States 
that had a law that you had to.
    Mr. McGuffey. Absolutely.
    Senator Schumer. Okay; let me ask you about your 
executives. I think this stinks from the head. What about these 
executives taking $16 million in the months after the company 
learned that the database had been breached? Now, I understand 
the executives are arguing based on their recent 10(b)(5)(1) 
trading plan, they have a contract to sell these stocks weekly, 
but according to my understanding and the SEC's rules, those 
plans can only be entered into if they are entered into in good 
faith and not as part of a plan to scheme or evade the insider 
trading rules.
    So my question is did the ChoicePoint board of executives 
and executive officers in question work together to approve a 
new stock trading plan on October 26, 1 day before the LAPD was 
tipped off by the company?
    Mr. McGuffey. No, Senator, I do not believe that they did. 
In fact, what I believe that the position of the company and 
the communication that we provided, although this incident is 
currently under investigation by the SEC, is that the 
individuals in question did not know about this until after 
those plans had been put into place.
    Senator Schumer. Do you think they should return the money 
on their own? I think that is what most people would think.
    Mr. McGuffey. I am not sure that my opinion, sir, is 
relevant here.
    Senator Schumer. Oh, it is relevant.
    Mr. McGuffey. Well, in my view, they followed the 
regulations. The 10(b)(5) plans were put in place by the SEC.
    Senator Schumer. Let me tell you: I think they should 
return the money on their own. I will tell you something else I 
think: I do not know what the law is here, but just from an 
ethical point of view, you are dealing in important valuables 
about people. Your attitude has been casual, to say the least; 
that is putting it kindly. I do not think ChoicePoint should be 
in business to do anything to do with people's private 
information. I know you are not selling Social Security numbers 
to some people, but you are still selling them to State and 
local governments: Is that right?
    Mr. McGuffey. Yes, sir.
    Senator Schumer. And law enforcement.
    Mr. McGuffey. And law enforcement under permissible 
purpose, yes, sir.
    Senator Schumer. Well, I would urge any credit company that 
has this information not to give it to ChoicePoint, because 
their attitude is just casual, not caring, the kinds of 
questions that after a major egregious mistake was made should 
be on the tip of the witness' tongue who was chosen by the 
company to come are not.
    I mean, I think we can do a lot better, and a lot of other 
companies can do better. Now, I have a question for Ms. Desoer.
    Ms. Desoer. Yes.
    Senator Schumer. My view here is different. I think BofA, 
Bank of America, was very careful, and when this happened, they 
notified people immediately. Obviously, this problem occurred. 
So, I have two questions for you as a result of what happened, 
how we can make this better.
    One, should we do much better screening of cargo handlers, 
particularly cargo handlers who handle this kind of vital 
information? And two, would it not be a good way to avoid these 
incidents by using the RFID technology, radio frequency 
identification to track cargo? It is very cheap, as I 
understand it. It would let us know where everything was.
    You know, these thieves stole the wrong thing, but we still 
know where they are and who had it, et cetera. Does your 
company have a position on either of those two things as a 
result of what has happened here?
    Ms. Desoer. Yes, Senator, in terms of the tracking, there 
is tracking that lets us know where the package is at all times 
with all the carriers that we use.
    Senator Schumer. Is that an RFID?
    Ms. Desoer. I do not know if it is an RFID.
    Senator Schumer. I suggest you find out.
    Ms. Desoer. I will.
    Senator Schumer. Because if it is stolen, the tracking 
system that you might have that A passed it to B who passed it 
to C, and they call you up, is gone, while an RFID would know 
exactly where it is.
    Ms. Desoer. At what stage; that is correct.
    Senator Schumer. Do you not think that, off the top of your 
head, would make some sense?
    Ms. Desoer. That makes sense.
    Senator Schumer. Yes.
    Ms. Desoer. And in this particular case, we are no longer 
sending these tapes via courier, so they are going by ground 
transportation to a different location.
    Senator Schumer. Right.
    Ms. Desoer. And in response to your first question, we 
think this is an opportunity to revisit the whole issue of how 
we do send information and send tapes, and we are in the 
process of doing that.
    Senator Schumer. Okay.
    Thank you, Mr. Chairman.

               STATEMENT OF SENATOR WAYNE ALLARD

    Senator Allard. [Presiding.] Thank you, and I am sitting in 
here temporarily for the Chairman.
    Senator Schumer. You are doing an excellent job, I might 
say, Mr. Chairman, Mr. Temporary Chairman.
    Senator Allard. It is getting to be funny at the time.
    Senator Schumer. That is why I said it.
    Senator Allard. First of all, I ask unanimous consent that 
my full statement be made part of the record, and without 
objection, we will so do that
    Senator Allard. And then, I have a couple of questions.
    This Committee has in the last 2 or 3 years gotten involved 
with the credit score, and I think that many on the Committee 
did not realize how deeply embedded the credit score was and 
the credit rating and how just some small change can have a 
fairly profound impact on your credit rating; for example, the 
number of charges that were put on your credit card, the number 
of times you applied for a credit card would all have an impact 
on your credit score.
    And when you go to losing your identity, and it gets 
manipulated out here in the underworld, I can see really an 
impact on credit score. What can you do as companies to correct 
what is happening to the credit score? Maybe Mr. McGuffey, you 
would like to, and then Ms. Desoer.
    Ms. Desoer. Desoer.
    Senator Allard. Desoer. Maybe you would both like to 
respond.
    Mr. McGuffey. Senator, we are not a credit company, first 
of all, as you may be aware.
    Senator Allard. I know that, but it does have an impact on 
the credit score.
    Mr. McGuffey. It may; it may indeed have an impact, and the 
only real answer may be for us to evaluate in our actuarial 
models that build those scores and determine whether there are 
facets of or features of or line items within the credit report 
that may be more impacted than not in a situation of identity 
theft; for instance, I do know that if someone were to put a 
security alert on their credit report that we pass that 
security alert along with the score to our end user customer, 
so our end user customer would be aware that the individual has 
placed a security alert on their score, on their credit report, 
and therefore be in a position to take some action on that or 
be conscious of that, inquire of the consumer as to whether 
there were anything on the credit report that may have 
adversely impacted that score.
    Senator Allard. Ms. Desoer.
    Ms. Desoer. From our perspective, we are very much in the 
business of providing credit, and along with that comes advice 
about ways that consumers can enable themselves to get credit, 
so that is part of our business. We increasingly supplement the 
scores with other kinds of information, because a big part of 
our population, for example, are people who are new to the 
country who might not have an established credit score, and so, 
we use alternatives like records of paying rent and that thing 
to supplement credit making decisions in addition.
    But again, we work very closely with our consumers and on 
an individual basis, we will help give them advice as 
appropriate.
    Mr. Hendricks. Senator.
    Senator Allard. Yes, go ahead, Mr. Hendricks.
    Mr. Hendricks. Because you ask--and it is a very important 
question, because the main damage from identity theft is then, 
you get all these fraudulent, unpaid accounts, and it causes 
your credit score to take a nosedive. Companies can help 
because the credit score is based on your credit report, and 
the credit reporting agencies believe what the credit granters 
tell them.
    So if a Bank of America or a ChoicePoint is involved, and 
if they know the information is wrong, if they will help the 
consumer communicate that to the credit reporting agency, it 
helps get the bad news off a lot quicker.
    Senator Allard. Okay; and if you put a security alert on an 
account, does that suggest that they do--Mr. McGuffey brought 
that up. Does that help you in getting your loan, or does that 
hinder you?
    Mr. Hendricks. Well, in a security alert, it is supposed to 
make them careful about disclosing that report. Now, in the 
past, it was not working that well, and this Committee helped 
pass a law which is supposed to bring better respect for those 
security alerts.
    Senator Allard. But if I go in, and I am buying a house, 
and all of a sudden, I have a security alert on my score, I can 
imagine that it may very well slow down my loan, and I guess it 
could cause some problems. But I guess it is a tradeoff, is it 
not?
    Ms. Desoer. That is correct.
    Senator Allard. Between how far you want to protect 
somebody, but yet, if somebody needs that credit score, it 
cannot slow them down.
    Mr. Hendricks. And in California, they can put a freeze on 
their credit report, and the victims of identity theft do that, 
but if they want to get credit, that means they have to 
unfreeze the report. So, yes, it is not a fun situation either 
way.
    Senator Allard. No, it is a problem.
    Okay; Ms. Desoer, how long did Bank of America have to wait 
before informing its customers about the loss of personal 
information on 1.2 million Government charge cards?
    Ms. Desoer. The tapes were lost late in December, and we 
notified customers or began notifying customers on February 25. 
We became aware of the loss of the tapes right after the New 
Year, and very shortly thereafter, once we reconstructed the 
information and knew that customers' information was on the 
lost tapes, we got the Secret Service involved, who asked us 
not to share knowledge of this with the public or with our 
cardholders until they could get further into the 
investigation, and as soon as they released that hold on the 
information, we went ahead and notified customers.
    Senator Allard. And so, how long did it take you to 
reconstruct that information, and how long did the 
investigators ask you to hold that information before you 
notified the consumers?
    Ms. Desoer. It took us about a week to reconstruct that 
information, and I can get exact dates if you like, Senator, 
and then, the Secret Service was engaged on January 10, and 
they released the hold on the information just before we went 
public February 25, so a day or two before.
    Senator Allard. So it took them quite awhile to do that 
investigation.
    Ms. Desoer. Yes.
    Senator Allard. It seems like, and I assume that was a 
pretty high priority as far as you know.
    Ms. Desoer. Yes, it was very high priority for us and our 
corporate information security team, who was working jointly 
with the Secret Service in tracking the tapes every step of the 
way and reconstructing where they were and who was dealing with 
those, and it still is an ongoing investigation.
    Senator Allard. What was the first item of information that 
the Bank of America provided customers informing them of that 
incident? That was February, then?
    Ms. Desoer. February 25, correct.
    Senator Allard. February 25. And do you feel that this 
information was helpful to the individual customers? In other 
words, what steps could customers have taken to actually 
protect their identity from theft?
    Ms. Desoer. It is a great question, sir, and what we did, 
it is always a balance of what it is we are trying to 
communicate, because these customers, the information was 
presumed lost, and there had been no evidence for these 
customers that there was any misuse of their information.
    So it was an awareness of what had happened, an indication 
of an 800-number where we would be in a position, for example, 
to share with them individually, exactly what information was 
on the tapes as it related to them as an individual, and then, 
we also used it as an opportunity to communicate a list of 
activities that the consumer could take to protect themselves 
on an ongoing basis against identity theft.
    In addition, we made available free of charge to the 
consumer a credit report if they wanted additional verification 
that there had been no activity and fraud monitoring services. 
And of course, we were monitoring their accounts retroactive to 
day one when the tapes were lost, and we continue to do that.
    Senator Allard. What did you lose from the loss, from this 
incident where you lost information? What did you learn?
    Ms. Desoer. Oh, what did we learn?
    Senator Allard. Yes, what did you learn when this 
information--when you had this incident where you lost 
information?
    Ms. Desoer. That we need to revisit the standard industry 
practice of shipping tapes in this way for contingency and 
backup data recovery purposes.
    Senator Allard. So you learned that you need to do more on 
data backup recovery; that you need to do something different 
as far as how you are transporting this information.
    Ms. Desoer. No, we need to stay committed to the path that 
we are on of data backup recovery, that it is very important 
that we comply with each of our contracts and with requirements 
under which we operate that, for certain types of data, set the 
time lines in which after, say, a hurricane or an event that 
would take out a data center, we need, within hours in some 
cases, 2, 4, 24, 48 hours, to be able to be up and running 
again on behalf of our customers.
    That is in place, and that remains in place. What we are in 
the process of reconsidering is the way we get the information 
from point A to point B.
    Senator Allard. I see. Anything else you learned? Have you 
taken corrective action once you have learned these things?
    Ms. Desoer. Yes, we have stopped shipping the tapes the way 
we have; we are working closely with the customers with whom we 
have communicated, and it is a reinforcement, and we followed 
very standard policies and procedures that we have in place at 
Bank of America for dealing with events such as this, and it 
reinforced for us that it is a good process and works well.
    Senator Allard. Thank you.
    Ms. Desoer. Thank you.
    Chairman Shelby. [Presiding.] Thank you, Senator Allard.
    Mr. McGuffey, how large is your counsel office? In other 
words, how many attorneys work in your counsel's office?
    Mr. McGuffey. I believe, Senator, that there are four 
lawyers today.
    Chairman Shelby. Four lawyers? And how many support people 
roughly?
    Mr. McGuffey. I do not know exactly, but I would say that 
there is probably a dozen would be my guess.
    Chairman Shelby. Is a lot of the focus in that counsel's 
office to protect or to focus on possible breaches of 
information in all of this and the legal ramifications that 
perhaps go with it?
    Mr. McGuffey. There is a set of staff that are focused on 
reviewing incidents and audits. There is an audit program that 
we have in place that goes back and audits customers, and 
indeed, in this case, the reference to the 2002 incident that 
was made earlier, that particular account was shut down, I 
believe, in May 2002 as the result of an audit. So we audit our 
customers, and that is part of that team. We review subpoenas 
in that team as well as responding to litigation and other 
matters, other legal matters.
    Chairman Shelby. Would you for the record furnish a summary 
of the sequence of events dealing with when counsel was 
involved, exactly when they notified who in the company, your 
company, or outside, who they dealt with and so forth? Could 
you do that?
    Mr. McGuffey. Yes, Senator; yes, Senator, we will.
    Chairman Shelby. If the facts in this case from what you 
have said did not lead to an immediate notification of senior 
management--and this has been your testimony--can you help me 
understand a situation where your senior management would be 
notified immediately? In other words, what would it take to 
notify them, your president, your chairman, perhaps some of 
your board members that this is a serious situation, which it 
was? What would it take? What kind of situation would it take?
    Mr. McGuffey. Senator, I am----
    Chairman Shelby. Just help us understand.
    Mr. McGuffey. I am certain that there are a number of 
matters, as there are a variety of disciplines, there are a 
variety of departments, obviously, that report to both those 
individuals, and any of the major events associated with those 
disciplines as perceived by those individuals at the time would 
probably be appropriate and probably are discussed with those 
superiors, and what I would like to make sure the Committee 
understands is that at the time in the fall of 2004, we were 
aware of only a handful of accounts that we believed were 
problematic.
    The investigation continued, and we continued to try to 
find and identify accounts that were similar in nature. We did 
our investigation to find additional accounts, even beyond 
those that were identified by our employee in the 
credentialling process.
    In the future, our CEO has required that he will be 
notified of any of the breaches that could lead to any serious 
intrusion into our systems, any law enforcement activity 
associated with this type of activity, so we are setting up 
processes; in fact, I had indicated earlier that we have even 
set up a new department that will be reviewing these matters 
headed up by Carol DiBattiste, and we are looking forward to 
her joining our management team, and I am certain that she will 
also make additional changes and recommendations associated 
with how we proceed with these matters.
    Chairman Shelby. You can tell there is concern here with 
the fact that there was a gap between--from your testimony--
between discovery of the breach and the notification of people 
up the line. If a lot of people were in senior management of 
your firm, I think there would be concerns about the fact that 
they had not been notified, and that would be cause for 
probably some discipline there, who knows, and change of 
policy. Have there been any dismissals of personnel because of 
failure to notify up the line for something this serious? It is 
so central to your company and the well-being of your company 
and perhaps the future of your company.
    Mr. McGuffey. Yes, Senator, it is a very serious matter, 
and we regret in this case----
    Chairman Shelby. But there have been no personnel 
disciplined, dismissals of people because of their conduct 
regarding this?
    Mr. McGuffey. In this case, Senator, no, the activities 
were handled as a law enforcement and a legal matter, and those 
personnel were informed.
    Chairman Shelby. How does your firm make sure, Mr. 
McGuffey, that you are complying with each of the applicable 
laws such as FCRA and GLBA that govern the use of information 
in your possession?
    Mr. McGuffey. We have both legal counsel who advises the 
businesses with regard to those matters. We have technology 
infrastructure.
    Chairman Shelby. Do you do an audit?
    Mr. McGuffey. Yes, we do. We have both an internal audit 
department as well as an audit group within our legal 
department that focuses on these types of matters.
    Chairman Shelby. How frequently do you do your audits, 
check on your customers?
    Mr. McGuffey. It is a continuous process.
    Chairman Shelby. Okay; have you ever terminated customers 
based on violations of the fair credit laws and the Gramm-
Leach-Bliley Act?
    Mr. McGuffey. We have, indeed, yes, Senator, and also 
terminated accounts that did not pass through our audits.
    Chairman Shelby. How confident are you today of your 
ability to ensure that the Fair Credit Reporting Act and Gramm-
Leach-Bliley are being complied with in view of everything that 
has happened?
    Mr. McGuffey. I am confident, Senator, that we have 
complied with those laws and will continue to be diligent in 
assuring that the customers that we do credential are 
credentialed at a high standard and in fact have instituted new 
procedures and will be instituting additional procedures such 
as site inspections for those customers who have access to 
personally identifiable information.
    Chairman Shelby. Mr. Hendricks, I have a couple of 
questions for you, if you would.
    Mr. McGuffey indicated that ChoicePoint conducts audits to 
ensure that its customers are in compliance with the applicable 
laws governing information use, the ones I cited. Who has the 
strongest interest in making sure that those laws are followed? 
ChoicePoint, the firm trying to obtain the information, or the 
consumer to whom the information relates?
    Mr. Hendricks. I think the consumer has the strongest 
interest in ensuring the privacy, accuracy, security of their 
data, because if something goes wrong with their data----
    Chairman Shelby. It could be very hurtful, could it not?
    Mr. Hendricks. Yes, they are the ones sitting at the bottom 
of the driveway, and all the stuff comes down their way. The 
main damage from identity theft is all that bad stuff goes on 
your credit report, and as this Committee knows, it takes a 
long time to get it off. I am concerned that ChoicePoint and a 
lot of companies, a lot of database companies, they do not 
audit for the accuracy of their information from a consumer 
privacy accuracy point of view. There is no independent audit, 
not even Arthur Andersen. I mean, it is a very insular process, 
and sunshine is the best disinfectant.
    Chairman Shelby. Last year, Derek Smith, the Chief 
Executive Officer of ChoicePoint, said that if they were going 
to be viewed as the most admired information company in the 
world, they were going to have to, using his words, ``win the 
battle of trust.'' After what has happened, what is ChoicePoint 
in particular and the information brokerage industry in general 
going to have to do to deserve a modicum of public trust?
    Mr. Hendricks. I think they are going to have to show that 
they can work with this Committee to establish fair information 
practices in law, as we have, the same kinds of rights we have 
with the Fair Credit Reporting Act and show they can comply 
with those rights and to bring transparency to their business, 
and that is going to be a long, hard haul, and that is why it 
is going to take them possibly years to get trust back for 
their entire sector.
    Chairman Shelby. I appreciate your coming today, especially 
after the break of the hearing the other day. We will continue 
to pursue these questions, because I am not sure they are going 
away.
    Mr. Hendricks. No, we do not know where they are going, but 
we know they are not going away.
    Chairman Shelby. We thank the panel for your appearance and 
your participation today.
    [Whereupon, at 11:44 a.m., the hearing was adjourned.]
    [Prepared statements supplied for the record follow:]

              PREPARED STATEMENT FOR SENATOR WAYNE ALLARD

    I would like to thank Chairman Shelby for holding this timely 
hearing on identity theft and recent developments involving the 
security of sensitive consumer information.
    Of more than one million complaints the Federal Trade Commission 
received in 2001, 86,680 of them were identity fraud complaints. 
Furthermore, the Government Accountability Office reports that identity 
theft has been steadily increasing in recent years, based on data 
provided by credit reporting agencies.
    Mr. Chairman, I was shocked to hear that personal information on 
approximately 1.2 million Federal Government charge cards was lost in 
transit to a data-storage facility. I am very concerned to hear about 
all of the time, energy, and effort that consumers involved in this 
situation have had to put forth in order to protect their information 
from being misused, abused, and potentially stolen.
    I will be particularly interested to hear about what specific steps 
Bank of America is taking to help protect their customers' identities 
after the loss of these tapes. By steps, I do not mean a form letter 
about common sense procedures that a customer can follow in order to 
protect his or her identity. I mean specific procedures a customer can 
take, with Bank of America's help, to protect their personal 
information and identity in this specific circumstance.
    In an event such as this, the burden should fall on the entity that 
made the error--not on the consumer who is entirely helpless and 
powerless. I have heard from my constituents, and unfortunately this 
has not been the case, with the burden falling almost entirely on the 
customer. I will be very interested to hear today how the investigation 
is proceeding, but more importantly, what Bank of America is doing in 
the mean time to help the customers involved.
    I also look forward to hearing about the 145,000 people whose 
consumer information was purchased by scam artists from ChoicePoint, 
and the steps that have been taken to safeguard against this occurrence 
being repeated in the future.
    Again, Chairman Shelby and Ranking Member Sarbanes, I appreciate 
your attention to this important matter, and look forward to learning 
what these companies are doing to insure the protection of their 
customers, as well as determining whether or not the current law 
provides the necessary protections to consumers.

                               ----------

                  PREPARED STATEMENT OF EVAN HENDRICKS
                  Editor and Publisher, Privacy Times
                             March 15, 2005

    Mr. Chairman, Ranking Senator Sarbanes, distinguished Members, 
thank you for the opportunity to testify before the Committee. My name 
is Evan Hendricks, Editor and Publisher of Privacy Times, a Washington 
newsletter since 1981. For the past 27 years, I have studied, reported 
on, and published on a wide range of privacy issues, including credit, 
medical, employment, Internet, communications, and Government records. 
I have authored a book about credit scoring and credit reporting, as 
well as books about general privacy matters and the Freedom of 
Information Act. I have served as an expert witness in Fair Credit 
Reporting Act and identity theft litigation, and as an expert 
consultant for government agencies and corporations.
    I was closely involved in the multiyear process that resulted in 
the 1996 Amendments and 2003 Amendments to the Fair Credit Reporting 
Act. Working with your highly competent staffs, I was proud of our many 
accomplishments in 2003.
    The recent ChoicePoint and Bank of America incidents underscore 
that we have much more work to do in order to ensure Americans' rights 
to information-privacy.
    I think that there is broad agreement that an important lesson to 
be drawn from our FCRA work is that the best way to improve our 
national credit reporting system is to strengthen protections for 
consumers. The more power that consumers have to maintain reasonable 
control over their credit reports, the better the chances for improving 
their accuracy and ensuring they will be used fairly and only for 
permissible purposes. What is true for credit reporting is true for the 
other noncredit systems filled with personal information.
    What is starkly clear from the ChoicePoint episode is the lack of 
transparency regarding the personal data collected, stored and sold by 
ChoicePoint and its ``cousins,'' which include Acxiom, LexisNexis/
Seisent, and Westlaw--to name a few. Most people do not know about 
these companies, even though they maintain personal data on over 100 
million people.
    Moreover, these companies often do not allow individuals to access 
their data or correct errors--even though other companies and 
Government agencies could buy the same information data and use it for 
making decisions about those individuals.
    In essence, these are ``secret files.'' In being the first Federal 
body to articulate Fair Information Principles, the first principle set 
forth by the 1973 HEW Secretary's Advisory Committee On Automated 
Personal Data Systems was: ``There must be no personal data 
recordkeeping systems whose very existence is secret.'' This is because 
history has shown us that secret files are a recipe for inaccuracy, 
abuse of privacy, and poor security.
    In my opinion, the noncredit database companies generally operate 
in violation of principles 2-5 as well, at least in regard to 
information not already covered by the FCRA. Those principles are: (2) 
there must be a way for an individual to find out what information 
about him is in a record and how it is used; (3) there must be a way 
for an individual to prevent information about him obtained for one 
purpose from being used or made available for other purposes without 
his consent; (4) there must be a way for an individual to correct or 
amend a record of identifiable information about him; and (5) any 
organization creating, maintaining, using, or disseminating records of 
identifiable personal data must assure the reliability of the data for 
their intended use and must take reasonable precautions to prevent 
misuse of the data.
Possible Solutions
    There are no quick or easy solutions to protecting privacy. Like 
many privacy and consumer experts and advocates, I heartily endorse the 
concepts underlying legislation introduced by Sen. Bill Nelson and Rep. 
Edward Markey to extent the protections of the FCRA to noncredit 
database companies. Similarly, I conceptually favor Sen. Dianne 
Feinstein's efforts to make notification of security breaches the law 
of the land. Were it not for the pioneering Californian State law, we 
might not even know about the ChoicePoint debacle. On the other hand, 
it would probably be counterproductive for Congress to pass a law that 
was not at least as strong as the California law. I also agree with the 
general thrust of measures to curb trafficking in Social Security 
numbers by Rep. Clay Shaw and others. Details are always important, but 
since this is not a strictly legislative hearing, we do not need to get 
into them now.
    I also want to bring to the committee's attention the fine work of 
some of my colleagues, including Consumer Union's endorsement of the 
efforts of Sen. Nelson/Rep. Markey; \1\ the newly drafted ``Model 
Regime For Privacy Protection,'' by George Washington Univ. Law Prof. 
Daniel J. Solove & Chris Jay Hoofnagle, head of the San Francisco 
office of the Electronic Privacy Information Center (EPIC); \2\ U.S. 
PIRG's emphasis that any legislation (1) should be based on FIP's, (2) 
should have a private right of action, (3) should not preempt 
States.\3\ In addition, Linda Foley of The Identity Theft Resource 
Center pointed out that when there are security breaches, consumers 
should not only be notified, but should also be advised as to what 
information fields were stolen or acquired illegally. And, the Center 
for Democracy and Technology reminds us not to forget about the oft-
overlooked problem of Government access to private sector data.\4\
---------------------------------------------------------------------------
    \1\ http://www.consumersunion.org/pub/core_financial_services/
002028.html; asking for strong Federal standards for security, customer 
screening, and consumer access and correction.
    \2\ http://papers.ssrn.com/sol3/papers.cfm?abstract_id=681902.
    \3\ www.pirg.org/consumer/pdfs/pirgendorsesnelsonmarkey.pdf.
    \4\ www.cdt.org.
---------------------------------------------------------------------------
    Because there is so much that we do not know about the ChoicePoint 
and Bank of America incidents, it is premature at this point to 
identify all of the appropriate responses. That is why my 
recommendations include a call for a thorough investigation of each 
incident and a public airing of the results. At the end of the day, I 
favor Congress taking as comprehensive approach as is politically 
possible.
Current Gaps In Law, Policy, and Information Systems
    The recent incidents underscore gaps in current law, policy and 
information systems. In its recent exchange with EPIC, ChoicePoint 
acknowledged that its insurance, employment background and tenant 
screening ``products'' were covered by the FCRA. But it argued that the 
rest of the data, including those sold to law enforcement, were not 
covered by FCRA. This is particularly troubling given that, as noted in 
Robert O'Harrow's book, ``No Place To Hide'' (Free Press 2005), 
ChoicePoint effectively bills itself as a private intelligence service.
    I probably disagree with ChoicePoint's view that so many of its 
information products fall outside of the FCRA. The Act's definition is 
intentionally very broad, and includes ``character, general reputation, 
personal characteristics, or mode of living . . .'' However, the fact 
that ChoicePoint takes this position means that consumers cannot be 
assured that they can see and ensure the accuracy of data about them.
    Even where ChoicePoint agrees that its products are covered by the 
FCRA, there are troubling loopholes.
    For examples, ChoicePoint says it has three ``products'' that are 
free under the FACT Act: the C.L.U.E. (auto and homeowners insurance); 
``WorkPlace Solutions'' (employment background screening) and ``Tenant 
History'' (apartment rentals).
    ChoicePoint said there would be no C.L.U.E report on you if you 
have not filed an auto or home insurance during the last 5 years.
    However, it also said it would not have an employment history or 
tenant history report ``if you have not applied for employment with a 
customer that we serve,'' or ``have not submitted a residential lease 
application with a customer that we serve.'' \5\
---------------------------------------------------------------------------
    \5\ www.choicepoint.com/factact.html, visited March 13, 2005.
---------------------------------------------------------------------------
    How could it not have a ``report'' on you, but then sell one to an 
employer or landlord when they asked for it? Under ChoicePoint's 
interpretation, you apparently could not check the accuracy of a report 
before it was sold to a landlord or employer. But the FCRA requires 
that every CRA shall, upon request, disclose to the consumer ``all 
information in the consumer's file.'' And, even if no insurance claims 
were filed, ChoicePoint regularly buys data from State Departments of 
Motor Vehicles, which presumably means it maintain records on most 
American drivers in one or more of its databases.
    Absent Congressional action, this fundamental question of access 
might have to be decided by the courts. But that could take years, 
which is one more reason that Congress should require by law that 
database companies comply with Fair Information Principles, and give 
individuals the ability to enforce their rights.
    The Gramm-Leach-Bliley Act includes safeguards for the security of 
credit data, including credit header data (identifying information from 
credit reports). But if ChoicePoint files are based on identifying 
information from public records or other noncredit files, then 
ChoicePoint presumably would argue that it is not subject to GLB's 
security safeguards.
    Under this reasoning, the coverage may be even scantier for other 
database companies, including Acxiom, LexisNexis/Seisint, and Westlaw.
    One of the many ironies is the secrecy shrouding these and other 
database companies that traffic in consumer data. Accordingly, to 
adequately protect privacy we need to have greater disclosure about all 
aspects of their operations and practices. This should not be 
surprising. After all, the same Supreme Court Justice, Louis Brandeis, 
called privacy, ``the right to be let alone--the most comprehensive of 
rights and the right most valued by civilized men.'' Brandeis also said 
``the Sunshine is the best disinfectant.''
Privacy Protection Requires ``Sunshine''
    The truth is that we do not know:

 Precisely what information these companies; collect
 Where they collect it from;
 The manner in which they organize and/or maintain it;
 The mechanisms they have to ensure security, or to facilitate 
    both consumer access to their data and correction of errors (if 
    any);
 Whether they audit their systems to ensure accuracy or take 
    other steps to do so;
 The mechanisms (if any) for notifying consumers if data are 
    leaked.

    In the ChoicePoint matter, we do not know precisely how the fraud 
ring exploited weaknesses in the company's systems. It appears that the 
thieves used ChoicePoint as a ``portal'' for accessing credit report 
data. Equifax told the Atlanta Business Journal that as many as 8,000 
of its credit reports may have been obtained fraudulently through 
ChoicePoint.

 Is the 8,000 number accurate?
 Why then did ChoicePoint send notices to 145,000 people? How 
    did ChoicePoint calculate that number and why the discrepancy with 
    the Equifax number?
 Did the fraud ring engage in some two-step process, using 
    ChoicePoint to first try and identify a universe of good candidates 
    for identity theft, and then zero in on the best candidates and 
    pull their full credit reports?
 How long had this been going on?
 Why did not ChoicePoint or Equifax notice what might have been 
    an unusual pattern?
Needed: A Complete Accounting of The ChoicePoint Case and The Overall 
        Landscape
    The unanswered questions cited above underscore the need for a full 
accounting, not only of the specifics of the ChoicePoint case, but of 
the overall landscape. Because of the need to maintain the integrity of 
the ongoing investigations, the various law enforcement authorities are 
not likely to fully inform the public of what they learn. Therefore, it 
is imperative that Congress ensure that we have a full accounting of 
the affair.
    More broadly, the time has come for a full accounting of the large 
database companies and the personal information they collect, maintain, 
and disclose.
    ChoicePoint, Acxiom, LexisNexis/Seisint, Westlaw, and the like 
should move promptly to disclose publicly the following inventories:

 The Government agencies--Federal, State, and local--that 
    provide them with personal data and under what terms;
 The kinds of personal data they collect;
 The manner in which personal data are housed. To what extent 
    is information from different sources co-mingled? Are there 
    separate ``silos?'';
 Warranty card information--which database companies collect 
    this, what are their sources, how is it stored and used?;
 800-toll-free profiling data--consumers can give up personal 
    information about themselves simply by calling well-equipped 800 
    phone numbers. The information that is captured by a Caller-ID type 
    technology known as Automatic Number Identification (ANI) is stored 
    and sold by some database companies.
State Agencies Should Suspend Sale of Some Personal
Data Until Truth Be Known
    Considering there remain many ``unknowns'' concerning the 
ChoicePoint episode in particular, and the database industry in 
general, it would seem prudent for some governmental agencies to 
suspend their release of at least some personal data to ChoicePoint 
until there is a full accounting.
    There simply is no way of assessing the risk to consumers' privacy 
until we know the answers to the questions listed above. Therefore, it 
would be imprudent for agencies like State Depts. Of Motor Vehicles to 
continue to permit the possibly undersupervised sharing of drivers' 
data with ChoicePoint until confidence is restored. Curbing the release 
of such data would help reduce the risk of breaches in the near-future, 
and could also expedite industry cooperation in establishing more 
robust consumer protections.
``Self-Regulation Already Failed''
    Several database companies attempted to show that consumers did not 
need legal rights by ``self-regulating.'' With much fanfare in 1997, 
some of them joined with the FTC to announce the ``IRSG Principles'' 
(Individual Reference Services Group).\6\ While it seemed to offer some 
promise at the time, in hindsight the effort turned out to be little 
more than a public relations exercise designed to stave off 
Congressional action. Many of the FTC's privacy-related recommendations 
were not followed by industry.
---------------------------------------------------------------------------
    \6\ http://www.ftc.gov/bcp/privacy/wkshp97/irsdoc1.htm.
---------------------------------------------------------------------------
ChoicePoint Wants Benefits, But Not Responsibility
    ChoicePoint has been involved in various episodes relating to 
either improper collection of information or providing inaccurate 
information that unfairly disadvantaged individuals.
    Prior to the 2000 George Bush-Al Gore Presidential battle, Florida-
based DBT Online Inc. signed a $4 million contract with the State of 
Florida to ``cleanse'' voter rolls of convicted felons. DBT, later 
acquired by ChoicePoint, had misidentified 8,000 Floridians as felons, 
temporarily barring them from voting. In July 2002, ChoicePoint settled 
out of court with the NAACP, which had sued on behalf of the voters. 
The company recently disputed charges by the Electronic Privacy 
Information Center that it was responsible for the incident.
    ``Simply put, ChoicePoint played no role in the Florida election in 
2000. Database Technologies (DBT) performed the legally mandated review 
of Florida's voter rolls prior to our acquisition in 2000. The process, 
a part of which included DBT, was created by the Florida legislature 
and implemented by State election officials. DBT was hired to create an 
overly inclusive list of potential voter exceptions based on criteria 
established by the Secretary of State, which DBT told the State might 
create false positives. County election supervisors--not DBT--were 
solely responsible for verifying the eligibility to vote of any voter 
identified by DBT on the exceptions list. In particular, county 
election supervisors--not DBT--were solely responsible for the decision 
to remove any voter from the rolls,'' wrote CEO Derek Smith in a 
statement posted to the company website.
    Here are some other incidents:

 In 2000, ChoicePoint was accused of breaking its contract with 
    the Pennsylvania Department of Transportation for posting drivers' 
    records on the Internet. The State fined ChoicePoint $1.3 million 
    and made the company agree to provide driver information only to 
    insurance companies for insurance-related purposes. The State also 
    barred the ChoicePoint employees involved in the posting from 
    having any association with Pennsylvania records. (see Privacy 
    Times, Vol. 20 No. 2, 1/19/00)
 A pending lawsuit accuses the company of violating the Federal 
    Drivers Privacy Protection Act by selling DMV data without drivers' 
    consent (see Privacy Times, Vol. 23 No. 13, 7/1/03). ChoicePoint 
    said in SEC filings that an unfavorable outcome in such a case 
    ``could have a material adverse effect on the company's financial 
    position or results of operations.''
 Also in 2003, ChoicePoint announced it would end its practice 
    of obtaining and selling personal data on Mexican citizens for 
    purposes of verifying identity and citizenship once the person was 
    in the United States. The information--name, address, date of 
    birth, and citizen indentification number--was purchased by the 
    Georgia-based company under a contract that required the vendor to 
    certify the information was legally obtained and was available to 
    be used for identity. ChoicePoint's Chuck Jones told the media that 
    the company agreed to stop the practice because the results of a 
    government inquiry determined the information was confidential 
    under Mexican law. He said the data would be returned to government 
    representatives and purged from the company's system. In April 
    2003, the AP reported that the U.S. Government had bought access 
    from ChoicePoint to data on hundreds of millions of residents of 10 
    Latin American countries--apparently without their consent or 
    knowledge. The information allowed a myriad of Federal agencies to 
    track foreigners entering and living in the U.S. (see PT, Vol. 23 
    No. 13, 7/1/03).
  The same year, a Federal judge in Kentucky ordered ChoicePoint to pay 
    single mom Mary L. Boris $447,000 in punitive and actual damages 
    for violating the Fair Credit Reporting Act by failing to corrected 
    inaccurate insurance claims data after it was disputed. 
    ``ChoicePoint's witnesses made particularly negative impressions 
    upon the jury,'' Judge John Heyburn II wrote. ``They repeatedly 
    denied making any mistakes and instead seemed to blame all 
    defective data on others. Furthermore, ChoicePoint employees 
    appeared slow to recognize problems even once they were put on 
    notice and disclaimed all responsibility . . . Most notable, they 
    seemed annoyed at even having to appear at trial. . . ChoicePoint 
    never really explained the computer glitches which apparently 
    caused this problem. To this day, the court is still unclear what 
    procedures, if any, ChoicePoint uses to (e)nsure the accuracy of 
    its mass-circulated reports.''
 In two separate cases in 2003, ChoicePoint settled out of 
    court with Louisianans Deborah Esteen and Dorothy Moten Johnson for 
    allegedly selling false information about them to potential 
    employers, according to the Atlanta Business Journal and MSNBC. 
    Johnson's background check supposedly revealed she was convicted of 
    public payroll fraud. According to her suit, she had never been 
    arrested or convicted of anything in her life.

    Anyone can make mistakes. But what is most troubling about some of 
these incidents is what appears to be ChoicePoint's consistent 
unwillingness to take responsibility for them.
    Moreover, a new article by Bob Sullivan at MSNBC found that two 
privacy activists who were able to review their ChoicePoint ``general'' 
file found many inaccuracies. For Deborah Pierce, one notation 
suggested a ``possible Texas criminal history'' and then recommended a 
manual search of Texas court records. Pierce had only been in Texas 
twice and never had a problem with police. There were also numerous 
inaccuracies in her past addresses and other routine data. The report 
also listed three automobiles she never owned and three companies 
listed that she never owned or worked for.
    Richard Smith's dossier had the same kind of errors as Pierce's. 
His file also suggested a manual search of Texas court records was 
required, and listed him as connected to 30 businesses which he knew 
nothing about.
    It also said that he and his wife had a child 3 years before they 
were married, that he had been married previously to another woman, and 
most absurd, that he had died in 1976. ``Pretty obviously the data 
quality is low,'' Smith said. He equated a ChoicePoint report to the 
results of a Google search on a person--solid information is mixed in 
with dozens of unrelated items. The more common a name, the more 
extraneous information is produced.
    These descriptions raise troubling doubts about ChoicePoint's 
methods for collecting data and ensuring accuracy.
Comprehensive Approach is Needed
    As U.S. PIRG pointed out, Congress needs to fashion legislation 
that is based upon principles of ``Fair Information Practices'' 
(FIP's). Earlier, I mentioned the five principles developed by the 1973 
HEW Task Force.
    The Committee should also be guided by the 1980 FIP's developed by 
the Organization of Economic Cooperation and Development (OECD), with 
the endorsement of the U.S. Government, Japan, and Western European 
governments. These eight principles are often referred to as the ``Gold 
Standard'' of privacy.

    (1) Collection Limitation.
    (2) Data Quality.
    (3) Purpose Specification.
    (4) Use Limitation.
    (5) Security Safeguards.
    (6) Openness.
    (7) Participation.
    (8) Accountability.

    As mentioned before, the newly drafted ``Model Regime For Privacy 
Protection,'' by Prof. Daniel J. Solove & Chris Jay Hoofnagle offers 
even more specific guidance for the issues before the Committee. They 
are:
Notice, Consent, Control, and Access
    1. Universal Notice.
    2. Meaningful Informed Consent.
    3. One-Step Exercise of Rights.
    4. Individual Credit Management
    5. Access to, and Accuracy of Personal Information.
Security of Personal Information
    6. Secure Identification.
    7. Disclosure of Security Breaches.
Business Access to and Use of Personal Information
    8. Social Security Number Use Limitation.
    9. Access and Use Restrictions for Public Records.
    10. Curbing Excessive Uses of Background Checks.
    11. Private Investigators.
Government Access to and Use of Personal Data
    12. Limiting Government Access to Business and Financial Records.
    13. Government Data Mining.
    14. Control of Government Maintenance of Personal Information.
Privacy Innovation and Enforcement
Effective Enforcement of Privacy Rights
    Mr. Chairman, thank you again for this opportunity. I would be 
happy to answer any questions and look forward to working with this 
Committee and others to fashion a solution to the problems raised by 
these recent data leakages.

                               ----------

                  PREPARED STATEMENT OF BARBARA DESOER
 Global Technology, Service and Fulfillment Executive, Bank of America
                             March 8, 2005

    Chairman Shelby, Senator Sarbanes, Committee Members, good 
afternoon. I am Barbara Desoer, Global Technology, Service & 
Fulfillment executive for Bank of America. I am a member of Chairman 
and CEO Ken Lewis' executive leadership team.
    On behalf of the leadership of our company and all Bank of America 
associates, thank you for the opportunity to appear before this 
Committee to provide our perspective on recent events involving our 
Government charge cardholders.
    I would like to express how deeply all of us at Bank of America 
regret this incident. We collectively make our living and pursue our 
professional mission by helping people at home, in business, and in 
Government manage their financial lives. This work rests on a strong 
foundation of trust, more so in today's incredibly complex and fast-
moving world of electronic commerce than ever before. One of our 
highest priorities, therefore, is building and maintaining a track 
record of responsible stewardship of customer information that inspires 
our customers' confidence and provides them peace of mind.
    In my opening remarks today, I will provide an overview of:

 What we know regarding the loss of our computer data backup 
    tapes;
 The steps we have taken to alert and protect our Government 
    charge cardholders;
 Our current information security practices; and,
 Our thoughts regarding new legislation or regulations to 
    improve the security of personal information in our country.

    On February 25, 2005, Bank of America began proactively 
communicating to U.S. General Services Administration (GSA) 
SmartPay' charge cardholders that computer data backup tapes 
were lost during transport to a backup data center. The missing tapes 
contained customer and account information for approximately 1.2 
million Government charge cardholders. The actual data on the tapes 
varied by cardholder, and may have included name, address, account 
number, and Social Security number.
    The shipment took place on December 22, 2004. A total of 15 tapes 
were shipped. Five were lost in transit. Two of the lost tapes included 
customer information; the remaining three contained nonsensitive, 
backup software.
    Backup tapes such as these are created and stored at remote 
locations as a routine industry contingency practice in the case of any 
event that might interrupt our ability to serve our customers. This is 
standard industry practice, and is designed to protect businesses, 
their customers, and the U.S. economy at-large, in the event of 
disruptions in the economic environment that arise from either natural 
or man-made causes. Such contingency planning is a fundamental part of 
our enterprise risk management program.
    As is our standard practice, none of the tapes or their containers 
bore any markings or information identifying our company, the nature of 
their contents, or their destination. Nor are any of the personnel 
involved in the shipping process aware of the nature of the materials 
being shipped. As to the tapes themselves, sophisticated equipment, 
software and operator expertise are all required to access the 
information. In addition, specific knowledge of the manner in which the 
data is stored--that is, the ``fragmented'' nature of the data and the 
steps required to reassemble it--would be required.
    After the tapes were reported missing, Bank of America officials 
notified appropriate officials at the GSA. Bank of America officials 
also engaged Federal law enforcement officials at the Secret Service, 
who began a thorough investigation into the matter, working closely 
with Bank of America.
    Federal law enforcement initially directed that to preserve the 
integrity of the investigation, no communication could take place to 
the public or the cardholders. Doing so would have drawn enormous 
public attention to the tapes at a time when their whereabouts were 
still a matter of intense investigation and the specific content was 
still being analyzed. While the investigation was moving ahead, we put 
in place a system to monitor the affected accounts and, in fact, 
researched account activity retroactively to the date of the data 
shipment to identify any unusual or potentially fraudulent activity in 
the accounts.
    The investigation, which continues today, included a detailed 
review of the entire transit process for the shipment including the 
archive vendor, truck drivers, airline personnel, and Bank of America 
employees. The Secret Service has advised us and GSA management that 
their investigation has revealed no evidence to indicate that the tapes 
were wrongfully accessed or their content compromised. The Secret 
Service findings are complemented by the Bank of America fraud 
monitoring process which continues to indicate there has been no 
unusual activity or attempted unauthorized use of the monitored 
accounts to date.
    In mid-February, law enforcement authorities advised us that 
communication to our customers would no longer adversely impact the 
investigation. We have completed the initial notifications and are 
continuing to communicate to our customers to ensure they understand 
additional steps we are taking to help protect their personal 
information.
    Bank of America quickly established a toll-free number Government 
charge cardholders could use to call with questions or request 
additional assistance. We also have offered credit reports and enhanced 
fraud monitoring services to cardholders at our expense. In an effort 
to be extra cautious and open with our customers, we also communicated 
to Government cardholders whose account information was not included in 
the lost tapes.
    Government cardholder accounts included on the data tapes have been 
and will continue to be monitored by Bank of America, and Government 
cardholders will be contacted should any unusual activity be detected. 
No unusual activity has been observed to date. Per standard Bank of 
America policy, Government cardholders will not be held liable for any 
unauthorized use of their cards.
    In 2002, the Treasury Department chose our company to establish and 
chair the Financial Services Sector Coordinating Council for Critical 
Infrastructure Protection and Homeland Security. We also are a member 
of the President's National Security Telecommunications Advisory 
Committee, which provides subject matter expertise to study issues 
vital to advancement of national security and emergency preparedness.
    I mention this evidence of our leadership not simply to highlight 
our accomplishments. We all agree this is a time for humility, and we 
have come here in that spirit. Rather, I wish only to demonstrate to 
the Committee the seriousness with which we regard these issues and the 
gravity with which we regard our responsibility for leadership.
    Without a strong foundation of trust and confidence, our industry 
cannot function and cannot serve our customers. We understand all too 
well this fact and its implications for our business, our economy, and 
our country.
    Our information security standards are based on regulatory guidance 
from the Federal Government (such as the OCC, the FRB, and others) and 
international banking regulatory bodies. In addition, the bank's 
strategy includes a continuous 
review of information security assessment criteria used by industry 
information security professionals. It is the bank's goal to meet or 
exceed information security standards and regulations dictated by our 
regulators or used by our industry peers in our day-to-day operations.
    In that spirit, I would like to provide a brief overview of our 
Corporate Information Security Program. The Bank of America Corporate 
Information Security Program is designed to:

 Develop and implement safeguards for the security, 
    confidentiality, integrity, and availability of customer 
    information;
 Achieve protection of information against threats to security 
    based on the value of the information or the harm that could result 
    to a customer from unauthorized access;
 Monitor and respond to attempts to threaten the security of 
    customer information;
 Develop and implement plans to provide backup systems to 
    prevent information damage or destruction caused by environmental 
    hazards or malicious actions; and,
 Adjust the Bank of America Corporate Information Security 
    Program in response to changes in technology, information 
    sensitivity, threats, or the business environment.

    As a national financial institution, we are highly regulated and 
regularly examined on our practices regarding security of customer 
information. We are required to follow specific regulatory guidance 
from the Office of the Comptroller of the Currency on how to handle 
such information. And we are constantly working to enhance the systems 
we use to monitor customer data to ensure that we know where that data 
is and how it is being used.
    The incident we are discussing was unfortunate and regrettable. 
That said, we feel that it has shed helpful light on a critical element 
of the industry's practices for data transport. We view this as an 
opportunity to learn and to lead the industry to better answers that 
will give our customers the confidence and security they deserve.
    As I said earlier, we decided, out of an abundance of caution, to 
notify the affected accountholders after law enforcement advised us 
that notification would no longer adversely affect the investigation. 
However, we also acknowledge that providing notices when there is low 
risk that the information will be misused has potential drawbacks, such 
as creating unnecessary anxiety in customers, and if provided too 
frequently in non-threatening situations, degrading the effectiveness 
of a security breach notice.
    Proposed Federal legislation would require that customers be 
notified immediately whenever a security breach is discovered. Our 
recent actions demonstrate our support of the conviction that customers 
have a right to know when their information may have been compromised, 
and that timely notification in the appropriate circumstances could 
help to minimize various risks associated with a compromise of customer 
information.
    At the same time, we advise some caution regarding legislative 
solutions. For example, in some instances a thorough investigation of 
the security may conclude there is no risk that the information was 
used for illegal purposes. In these instances, it is probably best to 
leave it to the discretion of the institution to decide if customers 
should be notified.
    Bank of America's participation in and leadership of public-private 
partnerships to advance the cause of information security in this 
country is clear. We have always maintained that both Government and 
industry have a role to play, and we have leveraged these working 
relationships over the past several years with extremely positive 
results.
    That said, in our experience, often the best solutions arise out of 
the work we do together, but are implemented through the voluntary 
cooperation of private sector organizations. This is because the 
information security environment is by its very nature so fluid and 
rapidly evolving. The environment demands solutions and countermeasures 
that can evolve and advance with speed and flexibility, in contrast to 
the more static nature of purely legislative or regulatory solutions.
    Members of the Committee, I would like to conclude by emphasizing 
how much all of us at Bank of America deeply regret this unfortunate 
incident. The privacy of customer information is one of the highest 
priorities at our company, and we take our responsibility for 
safeguarding it very seriously.
    I can assure you on behalf of our leadership team and all our 
associates, we will do all we can to ensure that our customers have the 
freedom to engage in business and commerce and manage their financial 
lives secure in the knowledge that their personal information will be 
respected and protected by the institutions in which they place their 
trust.
    This concludes my prepared testimony. I will now be happy to answer 
any questions.
