b"<html>\n<title> - EXAMINING THE FINANCIAL SERVICES INDUSTRY'S RESPONSIBILITIES AND ROLE IN PREVENTING IDENTITY THEFT AND PROTECTING SENSITIVE FINANCIAL INFORMATION</title>\n<body><pre>[Senate Hearing 109-728]\n[From the U.S. Government Printing Office]\n\n\n\n                                                        S. Hrg. 109-728\n\n \n                    EXAMINING THE FINANCIAL SERVICES\n                  INDUSTRY'S RESPONSIBILITIES AND ROLE\n                    IN PREVENTING IDENTITY THEFT AND\n               PROTECTING SENSITIVE FINANCIAL INFORMATION\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                              COMMITTEE ON\n                   BANKING,HOUSING,AND URBAN AFFAIRS\n                          UNITED STATES SENATE\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             FIRST SESSION\n\n                                   ON\n\n EXAMINING THE FINANCIAL SERVICES INDUSTRY'S RESPONSIBILITIES AND ROLE \n    IN PREVENTING IDENTITY THEFT AND PROTECTING SENSITIVE FINANCIAL \n                              INFORMATION\n\n                               __________\n\n                           SEPTEMBER 22, 2005\n\n                               __________\n\n  Printed for the use of the Committee on Banking, Housing, and Urban \n                                Affairs\n\n\n      Available at: http: //www.access.gpo.gov /congress /senate/\n                            senate05sh.html\n\n\n                                 ______\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n31-069                      WASHINGTON : 2006\n_____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. 
Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512\xef\xbf\xbd091800  \nFax: (202) 512\xef\xbf\xbd092250 Mail: Stop SSOP, Washington, DC 20402\xef\xbf\xbd090001\n\n\n            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS\n\n                  RICHARD C. SHELBY, Alabama, Chairman\n\nROBERT F. BENNETT, Utah              PAUL S. SARBANES, Maryland\nWAYNE ALLARD, Colorado               CHRISTOPHER J. DODD, Connecticut\nMICHAEL B. ENZI, Wyoming             TIM JOHNSON, South Dakota\nCHUCK HAGEL, Nebraska                JACK REED, Rhode Island\nRICK SANTORUM, Pennsylvania          CHARLES E. SCHUMER, New York\nJIM BUNNING, Kentucky                EVAN BAYH, Indiana\nMIKE CRAPO, Idaho                    THOMAS R. CARPER, Delaware\nJOHN E. SUNUNU, New Hampshire        DEBBIE STABENOW, Michigan\nELIZABETH DOLE, North Carolina       ROBERT MENENDEZ, New Jersey\nMEL MARTINEZ, Florida\n\n             Kathleen L. Casey, Staff Director and Counsel\n\n     Steven B. Harris, Democratic Staff Director and Chief Counsel\n\n                         Mark Oesterle, Counsel\n\n                Skip Fischer, Senior Staff Professional\n\n              John V. O'Hara Senior Investigative Counsel\n\n                 Dean V. Shahinian, Democratic Counsel\n\n   Joseph R. Kolinski, Chief Clerk and Computer Systems Administrator\n\n                       George E. Whittle, Editor\n\n                                  (ii)\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                      THURSDAY, SEPTEMBER 22, 2005\n\n                                                                   Page\n\nOpening statement of Chairman Shelby.............................     1\n\nOpening statements, comments, or prepared statements of:\n    Senator Sarbanes.............................................     2\n    Senator Allard...............................................     
2\n    Senator Reed.................................................     2\n    Senator Dole.................................................     3\n    Senator Bunning..............................................     5\n    Senator Dodd.................................................    22\n    Senator Carper...............................................    30\n    Senator Pryor................................................     6\n        Prepared statement.......................................    33\n\n                               WITNESSES\n\nStuart K. Pratt, President and CEO, Consumer Data Industry \n  Association....................................................     8\n    Prepared statement...........................................    34\nEdmund Mierzwinski, Consumer Program Director, U.S. Public \n  Interest Research Group on Behalf of Consumer Federation of \n  America, Consumers Union, Electronic Privacy Information \n  Center, Privacy Consultant Mari Frank, Privacy Rights \n  Clearinghouse, Privacy Times, U.S. Public Interest Research \n  Group, and World Privacy Forum.................................    10\n    Prepared statement...........................................    39\nIra D. Hammerman, Senior Vice President and General Counsel, \n  Securities Industry Association................................    12\n    Prepared statement...........................................    62\n    Response to written questions of Senator Bunning.............    74\nGilbert T. Schwartz, Partner, Schwartz & Ballen LLP, on Behalf of \n  the American Council of Life Insurers..........................    13\n    Prepared statement...........................................    66\n    Response to written questions of Senator Bunning.............    75\nOliver I. Ireland, Partner, Morrison & Foerster LLP, on Behalf of \n  the American Bankers Association...............................    15\n    Prepared statement...........................................    
69\n    Response to written questions of Senator Bunning.............    76\n\n                                 (iii)\n\n\n                    EXAMINING THE FINANCIAL SERVICES\n                    INDUSTRY'S RESPONSIBILITIES AND\n                   ROLE IN PREVENTING IDENTITY THEFT\n             AND PROTECTING SENSITIVE FINANCIAL INFORMATION\n\n                              ----------                              \n\n\n                      THURSDAY, SEPTEMBER 22, 2005\n\n                                       U.S. Senate,\n          Committee on Banking, Housing, and Urban Affairs,\n                                                    Washington, DC.\n\n    The Committee met at 10:25 a.m., in room SD-538, Dirksen \nSenate Office Building, Senator Richard C. Shelby (Chairman of \nthe Committee) presiding.\n\n        OPENING STATEMENT OF CHAIRMAN RICHARD C. SHELBY\n\n    Chairman Shelby. The hearing will come to order. I want to \nthank my colleague from Arkansas, he is going to join us, \nSenator Pryor, this morning, but I thought we would move ahead \nwith our opening statements while he is coming.\n    The broad focus of the hearing this morning, identity \ntheft, is not a subject that is new to this Committee. Indeed, \nit is far from it. During the Committee's consideration of the \nFair Credit Reporting Act, we heard from numerous witnesses who \nrepresented various perspectives regarding this issue. \nFurthermore, we also held additional hearings on this subject \nindependent of the FCRA reauthorization process.\n    It is important to highlight the Committee's longstanding \nengagement with respect to this matter. We will spend \nconsiderable time and effort attempting to ascertain the nature \nand the scope of the identity theft threat. As a result, we \nhave directed legal and regulatory changes to provide greater \nprotections for consumers and the overall financial system. 
\nTherefore, as we might consider any changes in this area, it is \nvery important that we assess what we are doing in the context \nof the things we have already done.\n    That said, I do want to indicate that I am also aware of \nthe fact that the criminal element is constantly searching for \nnew ways to take advantage of consumers and the financial \nsystem. In as much, I recognize that this means that we must be \nconstantly vigilant to ensure that we have the means in place \nto provide the appropriate safeguards necessary relative to the \nexisting threats.\n    The purpose of today's hearing is to continue this \nconsideration, and we look forward at the proper time to \nhearing from all of our witnesses.\n    Senator Sarbanes.\n\n             STATEMENT OF SENATOR PAUL S. SARBANES\n\n    Senator Sarbanes. Thank you very much, Mr. Chairman. I know \nwe are awaiting the arrival of Senator Pryor. Let me first of \nall comment you for holding the hearing as we examine the \nquestion of protecting consumer financial information. You, of \ncourse, have been involved in a leadership way on the privacy \nissue for a number of years, and this Committee does have an \nimportant jurisdiction in this area.\n    I think this is the third hearing we have held in this \nCongress on this subject. We previously heard from regulators \nand law enforcement officials, and also from financial \ninstitutions and a data broker. 
We do have these instances \noccurring where large amounts of information in the hands of \nprivate companies go outside the perimeter of security, and of \ncourse that raises very serious questions with respect to \nconsumer data breaches.\n    A number of States have responded to this issue, and have \nenacted their own legislation, and there are a number of \nimportant questions to be addressed, and I welcome this hearing \nas I welcomed the ones that have preceded it, and I am prepared \nto go forward to the witnesses at the appropriate time.\n    Chairman Shelby. Senator Allard.\n\n               STATEMENT OF SENATOR WAYNE ALLARD\n\n    Senator Allard. Thank you, Mr. Chairman, for holding this \nimportant hearing regarding identity theft. I have been \nfollowing this issue closely over a number of years, and look \nforward to hearing from our witnesses.\n    For many of my constituents, identity theft is something \nthat they believe will never happen to them. However, according \nto the Federal Trade Commission, in 2004, 246,570 people \nsuffered from a stolen identity, and 4,409 of those cases were \nmy constituents in Colorado, making the State the fifth highest \nin the Nation.\n    Identity theft is becoming common to the point that I \nsuspect that many of us in this room know a friend or family \nmember who has had their identity stolen. This presents a grave \nsituation for unsuspecting Americans and a challenge for all \nfinancial institutions in the United States.\n    While there is a need to protect sensitive personal \ninformation from getting into the wrong hands, there is also a \nneed for a certain degree of transparency in order for the U.S. \nfinancial system to function. The passage of recent \nlegislation, including the FACT Act in 2003, has mandated that \nconsumers be notified of information sharing between various \ncredit reporting agencies. 
A recent GAO report stated that the \nimplementation of such laws is going well, but it is too early \nto determine how successful these new laws will be in \npreventing more cases of identity theft.\n    I look forward to hearing updates from the industry on \nthese issues, and Mr. Chairman, thank you for holding this \nhearing.\n    Chairman Shelby. Senator Reed.\n\n                 STATEMENT OF SENATOR JACK REED\n\n    Senator Reed. Thank you very much, Mr. Chairman, for \nholding this hearing, along with Senator Sarbanes, and this is \nindeed a very important topic. Identity theft is America's \nfastest-growing crime. Last year, 9.9 million Americans were \nvictims of identity theft at a cost estimated to be about $5 \nbillion. We live in a time when proliferation of information \nthrough various electronic modes of exchange offers \nextraordinary opportunities to reshape our culture and our \neconomy, but the down side, of course, is we open ourselves up \nto the exploitation of that information by criminals and by \nothers.\n    This is especially the case when safeguards are not in \nplace to protect the security and integrity of the electronic \ninformation.\n    We are here to discuss the state of large-scale security \nbreaches leading to compromised personal data and the role that \nthe financial industry can play in preventing these types of \nbreaches, and each of these breaches have affected millions of \nindividuals throughout the country.\n    We have learned of many data breaches in the past year, \nwhere companies have announced that there were significant \nbreaches. Hackers broke into databases belonging to these \ncommunities and stole names, passwords, addresses, Social \nSecurity numbers, and driver's license information. 
But in many \nof these cases, it is troubling to read in the media that \ncompanies have learned of intrusion weeks before disclosing the \nincident, and that if it were not for specific State laws such \nas the California law, that companies' breaches may never have \nbeen reported and would have gone unnoticed and unreported.\n    Even with the zero liability policies of many major credit \ncard, debt cardholders could see their bank accounts depleted \nin the interim. So we do have to do much.\n    I commend the banking agencies for taking a step forward in \nthe right direction by revising their guidance originally \nissued under Section 501(b) of the GLB Act, Gramm-Leach-Bliley \nAct, concerning the security of customer information, and the \nrevised guidance requires banking institutions to notify their \ncustomers of breaches of security of sensitive information \nrelating to those customers, and that timely disclosure of such \nbreaches will allow the Federal Government, along with the \ninstitutions and consumers to closely monitor transaction \ninformation and mitigate any resulting damage from the breach.\n    We have a unique challenge to face in this regard. I hope \nwe can adapt our law to emerging technology which seems to be \nchanging with each passing day, and again, I hope the \nGovernment and private industry can increasingly collaborate to \nstem the threat of identity theft, and look forward to today's \nhearing.\n    Thank you, Mr. Chairman.\n    Chairman Shelby. Senator Dole.\n\n              STATEMENT OF SENATOR ELIZABETH DOLE\n\n    Senator Dole. Thank you, Mr. Chairman. This is indeed a \ncritical issue, and I certainly hope the American public is \npaying close, close attention to the fact that identity theft \nis very real and very prevalent.\n    Identity thieves are constantly looking for new scams to \nrip off hard-working, law-abiding Americans. 
And, the stakes \ncould not be higher for the security of the families we \nrepresent.\n    In fact, I will be hosting a workshop in Raleigh, North \nCarolina the next month or so to educate North Carolinians on \nthe ways to prevent identity theft and what to do if, heaven \nforbid, they become a victim.\n    As already mentioned, identity theft is often cited as the \nfastest growing crime in the Nation. A large portion of the \nvictims include our senior citizens. According to a recent FTC \nsurvey, approximately 10 million Americans as we have heard of, \nvictimized by identity thieves every year, at an astonishing \ncost of $48 billion to businesses, and an additional $5 billion \nto consumers.\n    The survey focused on two major categories of identity \ntheft, first the misuse of personal accounts, and second, the \ncreation of new accounts in the victim's name. Not \nsurprisingly, the survey showed a direct correlation between \nthe type of identity theft and its cost to victims, including \nthe time and money spent resolving the problems. For example, \nalthough people who had new accounts opened in their names made \nup only one-third of the victims, they suffered two-thirds of \nthe direct financial harm. The FTC survey also found that \nvictims of these two categories, cumulatively spent almost 300 \nmillion hours, or an average of 30 hours per person, correcting \ntheir records and reclaiming their reputation for good credit.\n    Precise statistics are unfortunately not available to \nproperly gauge the full extent of the problem, since some 40 \npercent of identity theft cases are believed to involve friends \nor family members and are never reported.\n    While financial institutions are liable for the larger part \nof identity theft fraud, consumers are hurt in more profound \nways. 
In addition to the hours and hours spent reversing the \ndamage, they bear the burden of the insecurity, the \ninconvenience, and the resulting loss.\n    A gentleman from Cary, North Carolina told the Raleigh News \nand Observer, ``I wouldn't wish it upon my worst enemy.'' He \nwent on to describe the mess of trying to restore his credit, \nbeing turned down for a credit card, having to pay a higher \ninterest rate for a car loan because of his damaged credit. \n``The hardest thing,'' he said, ``was feeling powerless to do \nanything once the fraud started to happen.'' There can be no \ndoubt that when fraud is committed, every law-abiding citizen \nloses.\n    Consumers are left to foot part of the bill through the \nhigher cost of services from financial institutions. In March, \nthis Committee held a hearing that focused on two cases in \nwhich institutions made public disclosures, as we have heard, \nwith regard to data security breaches. At that hearing, we \nheard testimony from the Chair of the Federal Trade Commission, \nwho detailed a very reasonable position on this subject, and \ntestified that Congress should consider requiring prompt \nnotification only when there is a significant risk to \nconsumers. This makes sense. Unnecessary notifications could \nscare consumers, as well as numb them to the risks, and such \nnotification carries a great cost.\n    As a former FTC Commissioner, I have a great deal of \nrespect for their views.\n    I look forward, Mr. Chairman, to working with my colleagues \nto ultimately pass legislation that requires such disclosures \nwhen there is a significant risk to consumers.\n    Thank you.\n    Chairman Shelby. Senator Bunning.\n\n                STATEMENT OF SENATOR JIM BUNNING\n\n    Senator Bunning. I would like to thank you, Mr. Chairman, \nfor holding this very important hearing, and I would like to \nthank all of our witnesses for coming before us today. 
I would \nespecially like to thank and welcome to the Committee our good \nfriend and colleague, Senator Mark Pryor. Thank you for showing \nup, and we are glad to have you.\n    Senator Pryor. Thank you.\n    Senator Bunning. This Committee has been a leader on this \nissue, with Gramm-Leach-Bliley, the FACT Act, and the extensive \nhearings we have held thanks to you, Mr. Chairman. I appreciate \nyour leadership on this issue, and I am glad we are continuing \nour good work to assure Americans' financial privacy. These \nissues should be handled by this Committee. We have the \nexpertise and experience to best deal with privacy issues that \naffect individuals' financial information and financial \ninstitutions. I applaud the Chairman and the Ranking Member for \ntheir continued work.\n    The stories of data breaches that have come to light in the \npast few years have given all Americans pause. Many of my \nconstituents have taken more and more steps to ensure their \nfinancial privacy. They are checking their free credit reports \nthat were provided for in the FACT Act. They are buying paper \nshredders, and they have made sure the websites they use are \nsecure. Identity theft is a very pressing problem. If the \nChairman of the Federal Trade Commission, Deborah Majoras, can \nbecome a victim of identity theft, anyone can.\n    I also understand the fears of the financial services \nindustry. It is very difficult to try and do business and serve \ntheir customers, if they have to comply with 50 different State \nand hundreds of different local financial privacy laws. They \ncan become a liability for noncompliance and for many \nlocalities where they have their customers. Also, individuals \nmay not understand their rights. I am not sure how many \nindividuals understand the rights under Gramm-Leach-Bliley and \nthe FACT Act, let alone what rights or prohibitions they may \nhave under State or local laws that may have been passed. 
\nBusiness and individuals need certainty.\n    However, we must remember that there is a reason why these \nState and local laws have been passed. Although I am sure many \nquestion the motives of politicians, we pass laws because our \nconstituents want them. Given the data breaches that have \noccurred, and the identity thefts that have happened each year, \nbusiness must do a better job of protecting private \ninformation. We are not at this point today and mistakes have \nnot been made.\n    Once again, thank you, Mr. Chairman, for holding these \nhearings, and your dogged efforts on this issue, and thank all \nof you for coming before us today.\n    Chairman Shelby. Thank you.\n    We welcome our colleague and friend, Senator Mark Pryor \nfrom Arkansas, former Attorney General of Arkansas. I think he \nknew a little about this before he came to the Senate.\n    Senator Pryor, your written testimony will be made part of \nthe record in its entirety. You proceed as you wish.\n\n                   STATEMENT OF MARK L. PRYOR\n           A U.S. SENATOR FROM THE STATE OF ARKANSAS\n\n    Senator Pryor. Thank you very much, Mr. Chairman, and thank \nyou for your leadership on this and the leadership of the \nCommittee. Thank you for the hospitality and for inviting me \nhere to talk today about identity theft and a security freeze.\n    As Senator Dole mentioned a few moments ago, identity theft \nis the fastest growing financial crime in the country. \nAccording to the Federal Trade Commission, almost 10 million \npeople per year become the victims of identity theft.\n    In Arkansas, which is a relatively small State, as we all \nknow, identity theft is the top category of reported fraud, \nwith over 1,397 cases reported last year. 
That does not mean \nthat is all the cases, but is what was reported last year, and \nin this issue that I first became involved with when I was the \nState's Attorney General.\n    According to the Identify Theft Resource Center, it takes \nabout an average of about $1,500 for a person to undo the \nidentity theft, and in some cases we have heard that they have \nhad to spend 600 hours. That is an amazing amount of time, but \nthat is what they have had to expend to try to get out of the \nmess that someone has created for them.\n    This crime, it is estimated--I think Senator Dole mentioned \nthis as well--to cost the American business community about $48 \nbillion a year. Just as an example of how our personal \ninformation is spread very widely around the country and all of \nour personal information is, I have right here a stack of about \n11 pieces of mail that one of my staff members has received in \nthe last week, 11 pieces in the last week. Only about half of \nthis mail is for him. The other half is for previous occupants \nof his apartment, and the thing about that is, he knows that \nwhen he leaves, a lot of his mail will end up in someone else's \nhands and he does not know who is going to open that mail, who \nis going to go through these. A lot of these are for \nprescreened credit.\n    So the problem is out there, and there are a lot of \ndifferent dimensions to it, and certainly I think it is \nsomething that the Senate should be very vigilant about. \nCompanies, we all know, we have all read the stories and seen \nthem on television, companies, in the last year or so have had \nmany instances where they have lost data. 
Sometimes they lose \nit off a truck, sometimes they accidently expose it, and it is \neasy to get, sometimes it is stolen from them, but for a while \nthere, as you all remember, there was so much of that going on, \nthat it seemed like almost every other day someone was coming \nout with a new story.\n    I think it is just very important that consumers have a \ntool where they can protect themselves. What I would hope this \nCommittee would consider is the security freeze, and that is \none reason that I have pushed S. 1336, the Consumer Identify \nProtection and Security Act of 2005, because what it allows \nconsumers to do, Americans to do, it allows them some tool that \nthey have at their disposal, totally voluntary, where they can \nput a security freeze on their information. The way it would be \nset up would be fairly simple, where they could put this \nsecurity freeze out there and then no one could have access to \ntheir credit information without them saying so.\n    Now, honestly, we need to understand this. Some of these \ncompanies like to provide instant credit, like right here, you \nare prescreened, you are preapproved, and all of that. That may \nnot work for people who do not want to receive these. That \nmeans that these companies may not be able to do the \nprescreening but it is almost like signing up for a do-not-call \nlist. If you are going to go to the trouble of signing up for \ndo-not-call, chances are you are not going to be a very good \npotential customer for a telemarketer. This is the same thing \nas here. Chances are these people are not going to be very good \npotential customers here.\n    Right now, what we are starting to see is States taking \naction. You have California, Louisiana, Texas, Vermont, and \nWashington that have the law. Maine and Nevada, looks like they \nare going to come on in the next couple of months. There are a \nnumber of other States. 
I think it is 20 some odd States that \nare considering the law this year, and so what is happening out \nthere is you are getting this thing that we see a lot, this \npatchwork quilt around the country. Even though I like States \nto have the authority to do things, under this circumstance it \nmight be better--I believe it is better--to have a Federal \nsystem that everybody can tap into. If nothing else, the credit \nbureaus then have one system that they have to comply with, not \n50 different systems.\n    Also technology and the technology sector is going to \nrespond to this. There is a company out in California that is \ntrying to set up some software for one-stop-shopping that will \nbe very easy for consumers to use, so it looks like the \nmarketplace is going to adjust to this. I think it is going to \nbe a win-win for everybody.\n    This Committee will consider a lot of different factors \nwhen they look at this. I appreciate your time and your \ndeliberation on this, but I do think it is important for the \nSenate to act, and that we try to show some leadership on this \nbecause it is just too big of a problem that is growing every \nsingle year, as Senator Dole said a few moments ago.\n    We do have the ability to do this, and our inaction would \njust make a bad situation worse out there.\n    Mr. Chairman, thank you for that, and thank you for \nallowing my full statement to be part of the record.\n    Chairman Shelby. Thank you. I understand you have \nCommittees you have to attend. We appreciate your appearance.\n    Senator Pryor. Thank you very much.\n    Chairman Shelby. Our second panel will be Mr. Stuart Pratt, \nPresident and Chief Executive Officer, Consumer Data Industry \nAssociation; Mr. Ed Mierzwinski, Consumer Program Director, \nU.S. Public Interest Research Group; Mr. Ira Hammerman, Senior \nVice President and General Counsel, Securities Industry \nAssociation; Mr. Gilbert Schwartz, Partner, Schwartz & Ballen, \nLLP; and Mr. 
Oliver Ireland, Partner, Morrison & Foerster.\n    Gentleman, you take your seats. All of your written \ntestimony will be made part of the hearing record in its \nentirety. We will start with you, Mr. Pratt, for you to briefly \nsum up your top points.\n\n                  STATEMENT OF STUART K. PRATT\n             PRESIDENT AND CHIEF EXECUTIVE OFFICER,\n               CONSUMER DATA INDUSTRY ASSOCIATION\n\n    Mr. Pratt. Chairman Shelby, Senator Sarbanes, Members of \nthe Committee, thank you for this opportunity to appear before \nyou today. For the record, I am Stuart Pratt, President and CEO \nof the Consumer Data Industry Association.\n    Mr. Chairman, we commend you as well for holding this \nhearing. It is an important subject and one on which we welcome \nthe chance to share our views.\n    I am very pleased to announce on behalf of CDIA's members, \nEquifax, Experian, and TransUnion, a new initiative focusing on \nencryption of data reported to them. As of today, any furnisher \nof information can choose one of a number of acceptable \nencryption standards for use with all three companies by \noffering a data furnisher the choice to use one encryption \nstandard. We reduce costs. We simplify the administration of \nencryption. It is our hope that with these new encryption \nstandards in place, we will accelerate the choice to encrypt \ndata that is supplied to consumer reporting agencies, and \nultimately to achieve the goal of all information being \nencrypted when it is transmitted to us.\n    Now let us take a look at the FACT Act that has been \nmentioned a number of times, and we believe it materially does \nadd to the protections of consumers through the Uniform \nNational Standards that were established through the leadership \nof this Committee in particular. Fraud alerts, for example, we \nbelieve often strike the right balance for consumers who wish \nto ensure that a lender is notified of their concerns about \nidentity verification. 
I think consumers recognize fraud alerts \nslow down the process. They do not stop the transaction, \nhowever. In fact, the FACT Act strengthened the fraud alert \nsystem on members that had voluntarily established by making a \nresponsibility of the receiving party that they must take \nadditional steps to verify the identity of a consumer when a \nfraud alert is present. The FACT Act also addressed the needs \nof active military service personnel through a special alert \nthat can be added to the credit report as well.\n    Address discrepancy indicators was another idea that was \nenacted through the FACT Act. This duty requires us, the \nnationwide consumer reporting agencies, to indicate to a \nlender, when they request a credit report, when the address \nthey have submitted to us differs substantially from the \naddress we have in the file. It is a very practical idea. It is \na good idea. We were glad to have been able to put that into \nplace by December 1, the effective date, in 2004.\n    Identity theft reports was a particularly important \naddition because consumers at times had trouble obtaining \npolice reports in order to take advantage of rights they had \nunder the law. 
The report is more flexible and allows consumers \nto obtain a report from any one of a number of law enforcement \nagencies.\n    Ultimately, I think Congress was prescient in recognizing \nthat fraud prevention identity theft victim assistance are best \nhandled through uniform national standards, and it remains \ncritical to our members who are operating as consumer reporting \nagencies, that we remain regulated solely under a single set of \nlaw and regulation, and that would be the Fair Credit Reporting \nAct.\n    You have asked for our views on sensitive personal \ninformation that is held by nonfinancial institutions, and we \nhave really two key themes in that regard, ensuring the \nsecurity of information and sending consumers meaningful \nnotices when there is a breach of that information.\n    It is our view that a rational and effective national \nstandard should be enacted both for information security and \nconsumer notification as it applies to sensitive personal \ninformation, regardless of whether the person is a financial \ninstitution or not.\n    Information security standards that are substantially \nsimilar to those we see in the GLB are well-suited for this \ntype of regulation, and we would encourage this Committee to \ncontinue to look into that. To ensure regulatory continuity, we \nbelieve if there are new provisions established, these \nprovisions would therefore also deem a financial institutions \nas being in compliance with those standards because of their \ncompliance already with the GLB standards.\n    For consumers and notification, we believe consumers should \nreceive notices when their sensitive information is breached, \nand when there is a significant risk of harm, and in fact, key \nto notification requirements is making sure they do not result \nin either over-notification, but equally important, too few \nnotices being sent.\n    Chairman Shelby. When you say receive it, receive it \nimmediately?\n    Mr. Pratt. 
In terms of the notice, sir?
    Chairman Shelby. Yes.
    Mr. Pratt. I am sorry, I should have brought another set of
glasses so I can see at the same time I am reading my
testimony, but I think we would say that in concert with law
enforcement investigations, Mr. Chairman, just to make sure
that we do not open the door too soon before they have shut
down the problem. I think that is the only coordination issue
that we would raise with you, Mr. Chairman.
    Chairman Shelby. Thank you.
    Mr. Pratt. I think key to notification is the trigger, when
do you send that notice? Chairman Majoras suggested, and got it
right, when she said that a trigger should pivot off of a
significant risk of harm. We think significant risk of harm is
best defined as a risk of being a victim of identity theft, the
very subject of this hearing.
    We also need coordination with national credit bureaus if
thousands of notices are being sent out the door by many
different agencies, many different companies, many of whom we
do not have business relationships with. It is our job to plan
and be able to handle the contacts that come back to us. We
need some coordination. We would ask for that to be included in
a proposal of this sort.
    You have asked us to also discuss file freezing, and we
provide the following background. File freezing, as Senator
Pryor has discussed, allows a consumer to freeze his or her
credit report for I think what we would call new business
purposes. File freezes have been enacted in 12 States. The file
freeze enactments do often allow a consumer to charge a fee.
Certainly, we have been on record in many States as indicating
concerns about the rigidity of file freezes, how operable they
will be for consumers, but I will tell you at this point, with
this many enactments in the States and with many State
legislatures looking at this next year, we encourage this
Committee to continue to look at what we now have, and
preserving what we now have, which is a seamless nationwide
credit reporting system servicing a nationwide credit system in
this country.
    And that is a dialogue that needs to continue in the
context of these State laws, and it is a dialogue that needs to
continue. It is an extension of the good work of this Committee
in creating national standards through the FACT Act.
    With that, Mr. Chairman, I will close my opening remarks.
Thank you, sir.
    Chairman Shelby. Thank you.
    Mr. Mierzwinski.

                STATEMENT OF EDMUND MIERZWINSKI
                   CONSUMER PROGRAM DIRECTOR,
              U.S. PUBLIC INTEREST RESEARCH GROUP
                          ON BEHALF OF
        CONSUMER FEDERATION OF AMERICA, CONSUMERS UNION,
             ELECTRONIC PRIVACY INFORMATION CENTER,
                 PRIVACY CONSULTANT MARI FRANK,
          PRIVACY RIGHTS CLEARINGHOUSE, PRIVACY TIMES,
            U.S. PUBLIC INTEREST RESEARCH GROUP, AND
                      WORLD PRIVACY FORUM

    Mr. Mierzwinski. Thank you, Chairman Shelby. I am Ed
Mierzwinski, the Consumer Program Director of the U.S. Public
Interest Research Group.
My testimony is also on behalf of a
number of consumer and privacy groups, including the Consumer
Federation, the Consumers Union, the Privacy Rights
Clearinghouse, and EPIC.
    I want to commend you for your longstanding leadership on
privacy, along with Senator Sarbanes for his leadership,
particularly on the Sarbanes Amendment, which allowed States to
go further than the Gramm-Leach-Bliley Act with financial
privacy laws.
    We would not know about the nearly 100, depending on whose
list you look at, security breaches that have occurred this
year if it were not for the pioneering efforts of California in
enacting a security breach notification law. Because the States
have demonstrated such leadership on security breach
notification laws, we believe the Committee should look very
carefully, if it is going to enact any breach notification
provisions, at maintaining only a Federal floor and allowing
the States to continue to go further.
    As another example of how the States have shown leadership
and how our nonuniform system has worked well, I would point
out that the FACT Act allows States to go further in identity
theft areas. Although our groups were disappointed that you did
not allow States to go further in all areas, the FACT Act did
allow States to pass stronger identity theft laws, and that is
why a number of States, a dozen so far--and New Jersey is
signing its law today--have enacted security freeze legislation
around the country.
    Chairman Shelby. How would a security freeze work exactly?
    Mr. Mierzwinski. A security freeze really is the first way
that we can give consumers control over their confidential
personal information, Senator Shelby. Most of the protections
that are given to consumers in the FACT Act are protections
after you have already become a victim--the right to a fraud
alert, the right to clear your name, that type of thing.
Identity thieves take advantage of the easy availability of
Social Security numbers, coupled with the way that creditors
apply for credit reports, and obtain them in your name to
obtain credit in your name at a creditor's. A security freeze
gives you the right to freeze access to your report for any new
creditors. It essentially leaves the thieves out in the cold,
but your existing creditors can still look.
    Chairman Shelby. But in the FCRA, we use fraud alerts
instead of that, I believe.
    Mr. Mierzwinski. We use fraud alerts, but, again, a fraud
alert is after you have already become a victim or suspect you
are a victim. A freeze, in our view, should be available to
everyone in advance. It essentially puts your credit report in
a freezer so that when the bad guy applies for credit in your
name, the creditor says, ``We cannot get a credit report on
you.'' So you are protected. You can sleep at night.
    Chairman Shelby. So it is working.
    Mr. Mierzwinski. We think it is working. We would prefer
that the freeze be easier to do, that it be cheaper, that it be
selectively unfrozen, that you could turn it on and leave it
on, but then, for example, on a Saturday if you are looking for
cars, you should be able to selectively unfreeze it for car
dealers just for the day. We have instant credit. Why can't we
have an instant freeze? That is really what we are looking for.
    Getting back to the issue of the security breach, which is
on Congress' mind because of all the security breaches that
have occurred, I first want to point out that a lot of the
companies have claimed that they were victims. Well, I am
shocked to hear that. CitiFinancial, an arm of CitiGroup, and
Bank of America both lost unencrypted data tapes containing
records of millions of Americans. Other banks have lost laptops
that were unencrypted containing records on many Americans.
ChoicePoint sold its records. It did not lose them.
It sold
records to a thief. So we have some real problems out there
with the way industries are taking care of our information. And
the notion of a harm trigger is, I think, one that has been
debated almost as much if not more than preemption of State
law.
    Our view, the consumer coalition that I represent, is that
if you lose the information, there should be disclosure to the
consumer. That will, number one, force the companies to do a
better job in the first place; but, number two, it will give
consumers knowledge that their personal information has been
lost. The problem has been that half of consumers do not know
how they became identity theft victims.
    Chairman Shelby. But all this requires changes in statutes,
statutory change?
    Mr. Mierzwinski. Well, I think that if you were to enact a
security breach law, your Committee, the bank regulators have
already enacted a breach regulation that applies to financial
institutions under their regulation.
    Chairman Shelby. They did that by regulation.
    Mr. Mierzwinski. By regulation, by guidelines actually. But
for other types of entities, ChoicePoint is not regulated by
the bank regulators, nor are these card processors. So they
would require additional legislation.
    My written testimony, Mr. Chairman, goes into a number of
other details on improvements to the FACT Act. For example, we
believe that breach victims should have the right to obtain
fraud alerts more easily, that extended fraud alerts should be
more easily available, that police reports should not be
required for a consumer to obtain business information.
We also
list a number of recommendations that may not be in the purview
of the Committee, but I know are of very much interest to you,
to improve Social Security number protection and get our
financial DNA out of the marketplace so that the thieves cannot
get at it.
    I appreciate the opportunity to testify before you today,
and I want to point out that my written testimony includes a
list of the major breaches that have occurred this year as
Appendix 1. It includes a list of all the State security breach
laws and a list of all the State security freeze laws.
    Thank you.
    Chairman Shelby. Thank you.
    Mr. Hammerman.

                 STATEMENT OF IRA D. HAMMERMAN
           SENIOR VICE PRESIDENT AND GENERAL COUNSEL,
                SECURITIES INDUSTRY ASSOCIATION

    Mr. Hammerman. Mr. Chairman, Ranking Member Sarbanes, and
Members of the Committee, I am Ira Hammerman, Senior Vice
President and General Counsel of the Securities Industry
Association, and I appreciate the opportunity to testify on our
industry's responsibility to prevent identity theft and protect
our customers' financial information. We applaud your
leadership and foresight, Mr. Chairman, and that of Senator
Sarbanes in passing the precedent-setting law for data
security, the Gramm-Leach-Bliley Act of 1999. Maintaining the
trust and confidence of our customers is the bedrock of the
securities industry. The long-term success of our markets
depends on customers feeling confident that their personal
information is secure. We, therefore, devote enormous time and
resources to the protection of customer data.
We are, however,
concerned that the expanding patchwork of State and local laws
affecting data security and notice will make effective
compliance very difficult for us and equally confusing for
consumers.
    The problem of data security is a distinct Federal
responsibility that requires a targeted Federal legislative and
regulatory response. In light of the increasing number of
disparate Federal and State legislative proposals, we urge this
Committee to strike the appropriate balance between addressing
the legitimate concerns of American consumers threatened by
identity theft and ensuring that protections are indeed
meaningful.
    All businesses that have custody of sensitive personal
information have a responsibility to provide data security
measures. It is our belief that businesses have a similar
obligation to notify consumers when a breach of security creates
a significant risk to their identity.
    As the Committee is well aware, the securities industry is
subject to Securities and Exchange Commission regulations that
require every registered broker-dealer to have in place
policies and procedures to safeguard sensitive customer records
and information. The SEC and the self-regulatory organizations
periodically examine broker-dealers to ensure compliance with
this regulation.
Similarly, the SEC has full authority to issue
relevant guidance on how to construct a notification regime
that best benefits consumers, and SIA looks forward to working
with SEC Chairman Cox and his staff in determining how best to
develop such a regime.
    In considering legislation related to data breach, SIA
urges the Committee to consider the following six principles:
First, adopt a clean National standard to achieve a uniform,
consistent approach that meets consumer expectations; second,
implement a trigger for consumer notice that is tied to
significant risk of harm or injury that might result in
identity theft; third, a need for a precise definition of
sensitive personal information that is tied to the risk of
identity theft; fourth, exclusive functional regulator
oversight and rulemaking authority; fifth, a flexible
notification standard; and, finally, reasonable administrative
compliance obligations.
    SIA urges the Committee to develop meaningful and carefully
targeted legislation that embodies these important principles.
    The securities industry recognizes that we face a major
threat from criminals, including potential terrorists, who
perpetrate identity theft. Therefore, we take very seriously
our duty to safeguard our customers' sensitive financial
information. Identity theft and other kinds of fraud hurt not
only consumers but also businesses whose reputations inevitably
suffer from security breaches. The cost of fraud is often
beyond the monetary. Lost customers and reduced confidence can
be the death knell for a business so dependent on the public's
trust.
    Thank you again for the opportunity to testify today. We
are eager to work with the Committee and its staff to draft
meaningful and targeted effective data breach legislation.
Thank you.
    Chairman Shelby. Mr. Schwartz.

                STATEMENT OF GILBERT T. SCHWARTZ
                PARTNER, SCHWARTZ & BALLEN LLP,
                          ON BEHALF OF
             THE AMERICAN COUNCIL OF LIFE INSURERS

    Mr. Schwartz. Chairman Shelby, Ranking Member Sarbanes, and
Members of the Committee, I am Gilbert Schwartz, Partner in the
Washington law firm of Schwartz & Ballen, and I am appearing
today on behalf of the American Council of Life Insurers, the
principal trade association for the Nation's life insurance
industry. ACLI's 356 member companies account for 80 percent of
the life insurance industry's total assets in the United
States.
    This hearing today represents another chapter in the
Committee's longstanding leadership in this area and strong
commitment to the protection of consumer information and to the
prevention of identity theft, as evidenced by the Committee's
central role in the enactment of the Gramm-Leach-Bliley Act and
the FACT Act. ACLI appreciates the opportunity to discuss the
important role that life insurers play in preventing identity
theft and protecting financial information of our
policyholders.
    Life insurers have long been committed to establishing and
maintaining policies and procedures to protect sensitive
customer information and to prevent misuse of such information.
Insurers expend considerable resources to achieve these goals.
ACLI and its members were, and continue to be, strong
supporters of Title V's privacy and information security
provisions.
    As a result of the Gramm-Leach-Bliley Act, 34 States have
adopted comprehensive regulations or statutes that establish
standards for safeguarding customer information by insurers.
The State requirements generally track the National Association
of Insurance Commissioners' Standards for Safeguarding Customer
Information Model Regulation.
Under the NAIC model reg, life
insurers are required to adopt comprehensive security programs
to protect customer information.
    In 2003, Congress enacted the FACT Act in part to respond
to the growing crime of identity theft. Because of recent
concerns with the possibility of identity theft resulting from
security breaches, 20 States have enacted legislation requiring
companies to notify consumers in the event that sensitive
personal information is affected by a security breach. Some
States' notices require differences in scope and coverage. As
Senator Pryor indicated, this is a patchwork quilt. The need to
track these differences and factor them into a notification
program will inevitably make it more difficult for institutions
to send notices to consumers promptly. This may cause some
consumers to experience delays in receiving notices and
increase the likelihood that they will become victims of
identity theft.
    Varying State laws may also result in uneven enforcement
from State to State. Accordingly, ACLI supports Federal
legislation that provides preemptive uniform national standards
for notifications to individuals whose personal information has
been the subject of a security breach where such information
may lead to substantial likelihood of identity theft. Such an
approach benefits consumers because it ensures that they
receive the same information in a timely fashion, regardless of
where they reside.
    ACLI also recommends focusing on breaches involving
sensitive consumer information that is not encrypted or secured
by a method that renders the information either unreadable or
unusable. To avoid needlessly alarming consumers and
undermining the significance of these notices, ACLI supports
notification when there is a significant likelihood of identity
theft. Uniform enforcement of notification standards is very
important.
ACLI strongly supports enforcement of insurers'
compliance exclusively by the Department of the Treasury.
Treasury is well-positioned to assume this role because it has
had extensive experience with the insurance industry in
connection with such laws as the USA PATRIOT Act, the Terrorism
Risk Insurance Act, the Bank Secrecy Act, and OFAC regulations.
    In the event it is not possible to provide for enforcement
by the Treasury Department, ACLI supports adoption of an
approach set forth in the GLB Act. Under this approach, an
insurer's compliance with Federal breach of security
notification legislation would be enforced by the insurance
authority of the insurer's State of domicile. If this approach
is used, ACLI also requests that the legislation state that it
is the intent of Congress that State insurance authorities
enforce the legislation in a uniform manner.
    If the legislation provides for implementing regulations,
ACLI believes that the relevant Federal agencies should jointly
promulgate the rules. This would benefit consumers and assure
that they will receive the same protection across all
industries.
    The issues before you today, Mr. Chairman, are complex.
ACLI anticipates that legislation you adopt will provide
meaningful protection to consumers who might otherwise become
victims of identity theft.
    Thank you for your attention.
    Chairman Shelby. Thank you, Mr. Schwartz.
    Mr. Ireland.

                 STATEMENT OF OLIVER I. IRELAND
                 PARTNER, MORRISON & FOERSTER,
                        ON BEHALF OF THE
                  AMERICAN BANKERS ASSOCIATION

    Mr. Ireland. Chairman Shelby, Ranking Member Sarbanes, and
Members of the Committee, my name is Oliver Ireland, and I am a
Partner in the DC office of Morrison & Foerster.
I am here
today on behalf of the American Bankers Association to address
the role of banks in protecting consumers from identity theft
and account fraud.
    The American Bankers Association includes community,
regional, and money center banks and holding companies, as well
as savings associations, trust companies, and savings banks,
and it is the largest banking trade association in the country.
    We appreciate your leadership in the area of privacy and
identity theft and the opportunity to participate in this
hearing. Identity theft occurs when a criminal uses information
relating to another person to open a new account in that
person's name. In addition, information relating to consumer
accounts can be used to initiate unauthorized charges to those
accounts. The issues of identity theft and account fraud are of
paramount importance to banking institutions and the customers
that they serve.
    In this regard, I would like to emphasize three key points:
Banks have a vested interest in protecting customer information
and are highly regulated in this area; a uniform approach to
information security is critical; and any security breach
notification requirement should be risk-based.
    First, banks have an interest in protecting customer
information. Simply put, banks that fail to maintain the trust
of their customers will lose those customers. In addition,
because banks do not impose the losses for fraudulent accounts
or fraudulent transactions directly on their customers, banks
incur significant costs for identity theft and account fraud.
These costs are in the form of direct dollar losses as well as
reputational harm. Accordingly, banks aggressively protect
sensitive information relating to consumers.
Among those that
handle and process consumer information, banks are among the
most highly regulated and closely supervised.
    Guidance under Title V of the Gramm-Leach-Bliley Act
requires banks not only to limit the disclosure of consumer
information but also to protect that information from
unauthorized access and to notify customers when there is a
breach of security of sensitive customer information. In order
to provide consistent protection for consumers, merchants,
information brokers, and others that handle sensitive customer
information should be subject to similar requirements.
    In designing security notification requirements, national
uniformity is critical to preserving efficient national
markets. A score of State legislatures have already passed new
data security bills. While these laws have many similarities,
they also have important differences. State laws that are
inconsistent result in both higher costs and uneven consumer
protection. Further, a single State that adopts a unique
requirement or omits a key provision can effectively nullify
the policy of other States.
    Finally, any notification requirement should be risk-based.
While it is important to protect all sensitive consumer
information from unauthorized use, it is most critical to
protect consumers from identity theft and account fraud. Any
security breach notification requirement should be limited to
those cases where the consumer needs to act to avoid
substantial harm. Further, security breach notification
requirements should be tailored to the particular circumstances
and the threat presented.
    Identity theft and account fraud pose different risks. In
each case, the need for notification and the form of the
notification will differ.
Any Federal legislative requirement
must recognize and accommodate these differences.
    Banks are proud of their record in protecting information
relating to their customers and will continue to work to ensure
that consumers receive the highest level of protection.
    Thank you. I will be happy to address any questions that
you may have.
    Chairman Shelby. Thank you, Mr. Ireland.
    I will direct my first question to Mr. Pratt. Do you believe
that the fraud alert scheme that we included in the FCRA can
work in tandem with the various State credit freeze laws that
have been enacted in recent years that we have discussed here?
    Mr. Pratt. There is no doubt that credit freeze laws do not
prohibit, if you will, a credit reporting agency from also
putting a fraud alert on the file, so that fraud alert could be
conveyed to a bank, for example, that has a current business
relationship and is accessing the credit report for that
purpose. But the fraud alert system is a more flexible system.
It is a system that allows the transaction to go forward under
a caution flag. A file freeze, as has been described--and I
think rightly so--is an absolute stop. It will stop the
transaction cold in its tracks. File freezes, by the way, are
not absolute. You can lift a freeze for a temporary period of
time, and this is a consistent element of the laws that we have
seen in the States. But you have to do that in advance of the
transaction in which you intend to engage.
    Chairman Shelby. Ed, do you have any comments on that? Can
they work together?
    Mr. Mierzwinski. I agree with everything that Stuart said
there. The two are separate rights; the two are separate
protections. Again, the freeze, as Stuart pointed out, anyone,
regardless of whether you have been a victim or think you are
threatened by identity theft, can impose a freeze.
A fraud
alert you put on after you think you have been a victim, and
the company must take additional steps before issuing credit.
    Chairman Shelby. Is a freeze, in a sense, preemptive?
    Mr. Mierzwinski. Preemptive, in the other sense of
preemptive, yes.
    Chairman Shelby. Okay.
    Mr. Mierzwinski. It is often used around Capitol Hill, too.
    Chairman Shelby. Mr. Ireland, do you have any concerns
about the impact that the use of credit freezes could have on
the credit reporting system, the users of credit reports, or
consumers? In other words, will there be an impact here if a
freeze continues?
    Mr. Ireland. There is a significant potential for impact in
this area. We saw some examples earlier of prescreened
solicitations and the possibility that prescreening as a
process could be disrupted. I think perhaps more significantly
there are other credit transactions that occur with little
prior notice, including opening credit charge accounts at
retail outlets, automobile purchases, and so on, that are
likely to be disrupted by a security freeze process. And the
consumers, when they place those freezes, may well not
understand that that is going to occur and may not remember to
remove them in time.
    Chairman Shelby. Mr. Ireland, I think it is important to go
over just some of the basic, elemental questions associated
with the situation where information held by financial
institutions is compromised.
    First, what, if any, different distinction should we make
based on the kind of information that has been compromised? In
other words, does the type of information that has been
disclosed matter?
    Mr. Ireland. I think the type of information is critical.
    Chairman Shelby. Give us an example.
    Mr. Ireland.
There is an initial issue as to whether you
want to merely protect the privacy of consumer information with
notifications or you want to be concerned about alerting
consumers when they need to protect themselves, take action to
protect themselves from identity theft or fraud. Much
information about consumers cannot be used for either identity
theft or account fraud, and while it is desirable to protect
that information from unauthorized use, providing notices to
consumers about disclosures of that information that may be
unauthorized runs the risk of inundating them with notices, so
that when a final notice does come that they need to do
something, they miss it.
    Chairman Shelby. Should the nature--in other words, the
security breach you alluded to--matter?
    Mr. Ireland. I think the nature of the security breach also
matters. It matters in terms of the information. The nature of
the security breach also matters in terms of determining
whether harm will result. There are security breaches that
occur which are for competitive purposes in financial markets
where there is no risk of identity theft or fraud associated
with it.
    Chairman Shelby. If you have different situations here, how
should the differences be dealt with in relation to the type of
notice provided to consumers?
    Mr. Ireland. The classic example is the difference between
account fraud and identity theft information. If somebody loses
name, address, and Social Security number, the thief can go
open an account at another institution, and the consumers need
to check their credit report to determine whether that happens.
As Mr. Pratt has already indicated, in those cases coordination
with the credit reporting agencies is appropriate and may be
necessary.
And the consumer has to take action with the credit
reporting agencies.
    If the information is merely account number and name, it
might be used to commit account fraud, but the credit reporting
agencies need not be involved in that matter.
    Chairman Shelby. Mr. Hammerman and Mr. Schwartz, I will
direct this question to you two. The financial institutions
that you represent have duties under the Gramm-Leach-Bliley Act
to protect sensitive consumer information. However, I would
assume protecting consumers and yourselves is not merely a
question of complying with the law and that you have to be more
proactive in response to the threats that exist. You know there
are threats out there. Is it true that you could highlight some
of the efforts that you undertake as being proactive in your
area?
    Mr. Schwartz. Certainly. Insurers have robust systems and
procedures in place: Who can have access to the information in
terms of encryption keys that are placed on information, who
has access to buildings where some of the data are collected,
how that information may be processed in various circumstances.
And there are a whole range of actions that are put into place
that ensure that only information will be made available when
the appropriate parties are asking for it.
    So we are very confident that the insurance industry has
state-of-the-art protections in place and is constantly trying
to upgrade and ensure that whatever is developed is put into
place as well. Encryption devices are always being upgraded as
hackers try to break those encryption keys, and new procedures
are implemented all the time.
    Chairman Shelby. Mr. Hammerman, do you have any comments?
    Mr. Hammerman. Yes, Mr. Chairman.
I think this issue first
starts with getting senior management support for data
protection, and we have that among our members.
    In addition, there are dedicated groups of people within
each firm whose sole job is to handle information security and
privacy. As was mentioned, our firms have strong perimeter
defenses to protect their networks. We are constantly utilizing
technology to try and anticipate the next problem, and we are
always trying to stay one step ahead----
    Chairman Shelby. But the thieves also use technology, do
they not?
    Mr. Hammerman. I was just going to say that we try to stay
one step ahead of them, and it is constantly changing. But we
are putting the resources set forth to do that.
    Chairman Shelby. Senator Sarbanes.
    Senator Sarbanes. Thank you very much, Mr. Chairman.
    I have a couple of very simplistic-sounding questions to
put first to the members of the panel.
    Senator Dodd. Be careful.
    [Laughter.]
    Senator Sarbanes. If I am in a State which has passed
additional legislation on this issue, providing additional
substantive standards guarding me against identity theft, and a
national law is passed which preempts State law, and the
substantive standard in the national law is less, lower than
the protections provided under my State law, I will have lost
consumer protection, will I not?
    Mr. Mierzwinski. Senator, I would agree that you have lost
consumer protection. I would also point out that under the
current regime that we have the California law has effectively
been adopted nationwide by State Attorneys General. After the
ChoicePoint breach, when California citizens started receiving
notices, the State Attorneys General of other States told
ChoicePoint, ``What about our citizens?'' And they provided
notice nationwide. And so the opposite has occurred. You have
more rights in States. So that argues for not preempting.
    Senator Sarbanes.
I want to address this argument which I \nheard that a preemptive Federal law, would provide more \nconsumer protection. And I have trouble understanding that \nexcept in a State that has no consumer protections whatsoever, \nperhaps. Whether it does or not would depend directly upon the \nsubstantive standard in the Federal law, would it not?\n    Mr. Schwartz. Yes, that is correct, Senator Sarbanes.\n    Senator Sarbanes. So if the Federal standard is weak, or \nindeed fairly strong but not as strong as the State standards, \nat least if I am a consumer in a State that has enacted \nlegislation, I will actually lose protection, not gain \nprotection. Is that correct?\n    Mr. Schwartz. Senator, I think it depends upon the nature \nof the State provisions. I think many of the State provisions \nare different from State to State. It is not that necessarily \none is regarded as stronger but, rather, it is different. And, \nfor example, if the nature of the information that is the \nsubject of a particular State's legislation differs from \nanother State, as Senator Pryor indicated, you end up with a \npatchwork quilt. And, in fact, you end up perhaps resulting in \na delay in informing the consumer until the company can figure \nout exactly what information was taken and whether or not that \nparticular State law applies to that information.\n    I think that it is really a compliance issue that, \nunfortunately, given the differing State laws, could very well \nresult in less consumer protection, not more for that \nparticular consumer in the State.\n    Senator Sarbanes. Are you telling us that there is a very \nsignificant compliance issue, that these data collectors, who \npresumably have very sophisticated means of data collection, \nretention, cross-filing, and all the rest of it, cannot comply \nwith varying State laws?\n    Mr. Schwartz. I am not saying they cannot comply with the \nvarying State laws. 
It makes it much more complex, and it takes \nthem more time to comply with State laws that differ from place \nto place. A uniform Federal statute that addresses the identity \ntheft provisions and provides for notification to consumers can \nbe very well-tailored and be done promptly as opposed to having \nto decide and do an investigation to determine whether that \nparticular breach falls within that particular State's law. And \nif you have 50 different State provisions, it could result in a \nsignificant time lag.\n    Senator Sarbanes. Would you anticipate that the substantive \nFederal standard, if you moved in that direction and were to \npreempt, would be at least as strong as the existing California \nstandard or even stronger?\n    Mr. Schwartz. I think we would have to look at the \nprovisions. I think it has to be tailored to specific problems \nof identity theft, and California was the first one that passed \nand it perhaps needs some tweaking.\n    Senator Sarbanes. In which direction?\n    Mr. Schwartz. In the direction of assuring that it \nidentifies the problem and is directed toward solving the \nproblem as opposed to being over-inclusive.\n    Senator Sarbanes. So you think the California standards at \nthe moment are too strict and rigid. Is that correct?\n    Mr. Schwartz. I would have to take a look at them and \ncompare them to what is being proposed. But I do think, for \nexample, if you have to provide a notice for a breach of all \ninformation, you end up receiving so many notices in the mail \nthat, if I were a consumer, I would completely ignore them \nbecause I am receiving one for any type of breach even though \nit may not result in any harm to me.\n    Senator Sarbanes. Well, that leads me into my next \nquestion, if I could.\n    Chairman Shelby. Go ahead, Senator Sarbanes.\n    Senator Sarbanes. I won't be long.\n    Mr. 
Ireland, I am reading your testimony, and I notice you \nmake reference to the guidance which the Federal banking \nagencies have issued and the final Interagency Guidance on \nResponse Programs for Unauthorized Access to Customer \nInformation.\n    Mr. Ireland. That is correct.\n    Senator Sarbanes. The standard there is to notify its \naffected customers where misuse of the information has occurred \nor is reasonably possible. Is that correct?\n    Mr. Ireland. That is correct.\n    Senator Sarbanes. But I take it it is your position that it \nshould be that there is a significant risk of harm. Is that \ncorrect?\n    Mr. Ireland. That is correct.\n    Senator Sarbanes. And that is a higher threshold to cross \nwith respect to notice--would that be correct?--than the \nexisting guidance. If that were the standard, that would \ndiminish the number of notices to provide compared with the \ncurrent guidance from the Federal banking agencies. Would that \nbe correct?\n    Mr. Ireland. I am not sure that would be the case. In the \nbanking agency guidance, there is a process created by which, \nwhen a breach occurs, the bank suffering the breach notifies \ntheir examiner about the breach, and this is likely to lead and \ntypically does lead to a dialogue about whether or not notice \nis required. And so you have an ongoing process with the bank \nregulators about whether or not there is sufficient risk to \ngenerate notice. I am not sure that the language in the \nguidance completely captures that process. I think if you are \ngoing to go out and adopt a bill that is supposed to be self-\neffectuating, that people are going to adhere without the \nbenefit of that dialogue--and that dialogue really cannot occur \nin less regulated institutions. You need a crisper line, and I \nwould recommend the significant risk of harm standard there, \nwhich I think is broadly consistent with what the banking \nagencies have done.\n    Senator Sarbanes. 
Do you think that the guidance they have \nissued is equivalent to significant risk of harm?\n    Mr. Ireland. I believe that generally the way the banking \nagencies have implemented that has been consistent. I do not \nhave a survey of all of the notifications that have been given \nunder that standard, but I think they are generally consistent.\n    Senator Sarbanes. So you think you already have a risk-\nbased standard. Is that right?\n    Mr. Ireland. We think we already have a risk-based \nstandard--\n    Senator Sarbanes. Why in your statement then do you, after \nyou set out the guidance of the banking agencies, say that you \nbelieve that a workable notification law would require \nentities, et cetera, et cetera, to notify individuals upon \ndiscovering a significant breach of security? Your statement \nseems to carry with it the implication that you do not, at the \nmoment, have the significant risk of harm standard?\n    Mr. Ireland. We have a standard under 501(b) for customer \ninformation that is being implemented as I described through a \nprocess. If I were going to try to articulate the results of \nthat process in a bill, as I said, to be self-effectuating, the \nlanguage I would use to describe it would be ``significant risk \nof harm.''\n    I would also point out that the 501(b) guidance does not \ncapture all of the information that is currently held by banks \nabout consumers, and that if you adopt a bill that requires \nnotification based on security breaches of consumer \ninformation, there will be places where that bill would apply \nto banking information that is not covered by the current \nguidance.\n    Senator Sarbanes. Mr. Mierzwinski, do you have a take on \nall of this?\n    Mr. Mierzwinski. Well, the consumer groups and the privacy \ngroups have made it pretty clear that a harm standard or a harm \ntrigger would work against giving consumers greater privacy \nrights. 
We think that the California standard is the proper \nstandard to adopt nationally. Lose the information, almost in \nall circumstances provide the notice. But I would certainly say \nthat the way that you have described the bank regulator \nguidances is the way we read them and that the industry seeks a \nhigher standard which is much more difficult to attain. And I \nwould respectfully disagree with Mr. Ireland.\n    One of the other issues with harm triggers is the issue of \nwhether they apply to identity theft, whether they apply to \nharm, or whether they apply to simple misuse. We believe that \ninformation can be misused in many ways in addition to identity \ntheft. Information can be used to publicly embarrass you. It \ncan be used for stalking. It can be used for terrorism. It can \nbe used for criminal identity theft as well as financial \nidentity theft. Account fraud may not be captured by a \ndefinition of identity theft.\n    So there are a lot of problems with any of these triggers. \nThey will all be litigated, and that is just another reason not \nto use them.\n    Senator Sarbanes. Thank you.\n    Thank you, Mr. Chairman.\n    Chairman Shelby. Senator Dodd.\n\n            STATEMENT OF SENATOR CHRISTOPHER J. DODD\n\n    Senator Dodd. Thanks, Mr. Chairman, and thank you and \nSenator Sarbanes for holding this hearing and asserting what I \nthink is the appropriate jurisdiction of the Committee over \nthis issue. And I thank Senator Pryor in his absence for \nsubmitting some legislation. 
It is a complicated area, but \nobviously I was looking over that chart that appeared in the \nWashington Post some time this year--I do not have the exact \ndate on it--which identifies at least in the area of 15 million \naccounts that have been exposed to the possibility of identify \nfraud as the result of various problems that have occurred from \nvarious institutions, going back to February 15 with \nChoicePoint and the identification fees on assessed accounts, \n145,000, to, of course, the Card Systems hacker on June 18 of \n40 million people. So there is a serious problem, obviously, \nthat hangs out here that needs to be addressed. I think you all \nrecognize and acknowledge that, and that is up to June. I \npresume those numbers may be even larger today. I do not have \nthat information in front of me. So this is a significant issue \nand a tremendously important one for people across the country.\n    I have a couple of issues. I want to get to--the last \nquestion I want to ask you about and have you think about this \nis Katrina and what the credit bureaus are doing for the people \nin the hard-hit areas of the Gulf States to protect their \ncredit information as a result of what has happened to them, \nlosing a lot of their own documentation, and whether or not \nthere are any problems that are emerging here with identity \ntheft of people in that region because of the devastation that \nhas occurred there.\n    But I want to pursue two other issues more generally. Under \nTitle V of the Gramm-Leach-Bliley law, financial institutions \nare required to protect their customers' sensitive personal \ninformation where a customer is defined as a person to whom the \ninstitution provides a product or service. However, many \nfinancial institutions have data and information on people that \nare not customers. For instance, I apply for a credit card and \nI provide financial information. 
I decide or you decide either \nnot to grant me a credit card or I decide to do business with \nanother company. What do you do with that information about me? \nI am not a customer under Title V of Gramm-Leach-Bliley, but \nthere is a lot of information being held by people out there \nnow that can be misused, that can be the subject of theft. And \nI would like particularly the representatives of our financial \ninstitutions here to comment on what happens to that \ninformation that exists.\n    Mr. Ireland. Senator, typically banks protect that \ninformation the same way they protect customer information.\n    Senator Dodd. Are they required to, in your view, under the \nlaw?\n    Mr. Ireland. Under the Gramm-Leach-Bliley guidance, I do \nnot think they are required to. Let me make it clear, we are \nhappy to live with the standards in the Gramm-Leach-Bliley \nbanking agency guidance that we have today, and we are happy to \napply that to that additional information maintained by banks \nas well as the customer information that is currently subject \nto the guidance.\n    Senator Dodd. But there is no legal requirement of you to \ndo so, the kind of information I just described?\n    Mr. Ireland. Not under the guidance. There is no legal \nrequirement under the guidance.\n    Senator Dodd. What is being done on----\n    Mr. Schwartz. Senator Dodd, with respect to the insurance \nindustry, clearly all that information on applications, whether \nthe insurance policy is issued or not, is protected, just the \nsame way that an insured's information is protected.\n    Senator Dodd. Protected because it is a matter of policy of \nthe insurance industry but not as a matter of law?\n    Mr. Schwartz. Yes. From a reputational risk standpoint, \nthat information is just as protected and just as valuable from \nthe standpoint of being protected. 
And, again, the policies and \nprocedures will apply across the board to the information \nregardless of whether it is a customer or not.\n    Senator Dodd. Do you share that viewpoint?\n    Mr. Hammerman. Yes, Senator.\n    Senator Dodd. Do you have any comment on this as an area \nthat we should maybe look at here in terms of protection of \nconsumer information?\n    Mr. Mierzwinski. Senator, I think you should look at that \narea, and our testimony goes into detail about two other areas, \none of which you touched on. The third-party processors, such \nas Card Systems, do not have customers. They are not covered by \nthe GLB Act either, although they may be acting as agents of \nregulated entities. And I believe that at least one of the card \nassociations has suspended Card Systems for violating its own \nrules. That may not have been enough. It may have been after \nthe horse had left the barn, but they did do so.\n    The other big area, of course, are the data brokers, and \nChoicePoint may sometimes be a credit reporting agency or a \ncredit bureau, and it may sometimes be covered by Gramm-Leach-\nBliley for other reasons. But as Chairman Majoras has \ntestified, they are not covered by Gramm-Leach-Bliley in all \ntheir businesses. They are essentially unregulated in the view \nof the consumer groups, and they should be regulated more like \ncredit reporting agencies under a robust system than merely \ncovered by the security rule known as the safeguards rule.\n    Senator Dodd. Well, Mr. Chairman, I would invite us to \nmaybe look at that as part of our----\n    Chairman Shelby. I think that is a very important question.\n    Senator Dodd. Let me move, if I can, to one other area. \nAgain, I think you have all pointed out this is complicated. \nThe freeze issue is one that is--because it is a double-edged \nsword, obviously. It is a benefit obviously to the consumer to \nbe able to protect that credit information. 
The other side of \nthat sword is, of course, that same consumer then who wants to \nget a credit card, wants to buy a home, wants to buy a car, \nwants to unfreeze that information or they are not going to get \nthey are seeking or the products they may be pursuing. And the \nindustry says--and I hear you, and I am not suggesting it is \nsimple. But this is a complicated matter to turn on and turn \noff.\n    I want you to walk me through this a little bit. We are in \nthe 21st century now, and it seems to me we have--and, again, I \nam old enough now to find all of this terribly complicated, but \nI know there are people smart enough to figure this out. Why is \nit so complicated to do that? Why does that become so hard to \ndo? And I realize it can be complicated, and you can go back \nand forth rather quickly. But today, given the technology that \nexists that allows us to be able to transfer trillions of \ndollars at the speed of light, it seems to me the ability to \nrespond to the customers that we seek, whose business we enjoy, \nwhose hard-earned dollars we take, we cannot do a better job of \nresponding to those people today. I mean, 15 million people in \n6 months in this country have been potentially subjected to \nidentity theft, and the numbers are growing. And I do not quite \nunderstand--and I may be terribly naive about this--why the \nindustry with all of its sophistication cannot more \nsophisticatedly respond to that consumer who wants to be able \nto engage in that stop-and-go process. Tell me why that is \ndifficult. Walk me through it. Do you want to start, Mr. \nIreland?\n    Mr. Ireland. Senator, I think you have to add an extra \nparty to the transaction. 
Under what this Committee and the \nCongress did in the FACT Act, a consumer who thinks they are \ngoing to be a victim of identity theft can place an extended \nfraud alert on their file, and a creditor opening a new credit \naccount has to talk to that consumer, either in person or call \nthem on the phone, before they open the account to make sure \nthat they are dealing with the right person. Now, that system \nis not infallible. It has been in effect since last December, \nbut we think it is working and it is too early to give that up.\n    In the security freeze context, in order to go through with \nthe transaction you have to add another party to the \ncommunication. The consumer has to talk not only to the \nprospective creditor but also to the credit bureau and \nauthorize the credit bureau to release the information. And \nthat all has to happen at the same time.\n    We do transfer trillions of dollars around the country by \nwire transfer, but those are over dedicated lines in very \ncarefully constructed systems. And my ability to talk to the \ncredit bureau from the lobby of an auto dealership when I want \nto buy a car, convince the credit bureau who I am, and then \nhave them release the report back to the auto dealer so that \nthe auto dealer can use the report to give me a loan is more \ncomplicated than my talking directly to the auto dealer and the \nauto dealer verifying who I am.\n    You might get there at some point in the future, but I \nthink right now you have complicated the transaction. It is not \njust auto dealers. It is checkout lines at retail stores where \nthey are going to offer you a discount for entering into a \ncharge arrangement with them, and numerous other places. And \nthat addition of another party creates another link of secure \ncommunications. You create a triangle instead of a bilateral \nrelationship, and that is a challenge.\n    Senator Dodd. 
Any distinction here you want to tell me for \nthe life insurance industry or the securities industry?\n    Mr. Schwartz. I think Mr. Ireland summarized it very well.\n    Senator Dodd. It would be a similar situation where you are \ntalking about a trilateral relationship with insurance?\n    Mr. Schwartz. Well, somebody who would be applying for \ninsurance would have to release the freeze, and then there \nwould be a question as to how do you identify the person. So, I \nthink you would run into the same potential for unintended \nconsequences, and inefficiencies in terms of processing \napplications.\n    Senator Dodd. Is the industry thinking about this at all \nand how to, in fact, do this? It seems to me it is a service \nthat would be rather attractive in terms of who I do business \nwith. If the insurance company I do business with offers this \nservice to me to be able to respond to my desires to have that \ncredit information available or not available to people, it \nwould be a very attractive offer.\n    Mr. Schwartz. That would have to be addressed on a company-\nby-company basis, Senator, and we would be glad to get back to \nyou on that.\n    Mr. Hammerman. The only thing I would add from the \nsecurities industry standpoint is that the industry, as you \nknow, is heavily regulated, and there are times that the \nindustry may need to tap into that credit report when the \nconsumer has put a freeze on for the industry to comply with \nthe USA PATRIOT Act or other obligations that it has. So that \nwould just be something to look at. But obviously, being able \nto provide this tool to a customer undergoing the difficulties \nof identity theft is important.\n    Senator Dodd. Do you want to comment on this?\n    Mr. Mierzwinski. 
Well, I will just say--and I will let \nStuart have the last word for once after me--I think that \nfundamentally this is the first consumer protection in the \nprivacy sphere that has really given consumers control over \ntheir information. And so there is a philosophical disconnect \nbetween the industry and the consumers. Really, a lot of our \nprivacy laws are in name only. They allow the sharing of \ninformation as long as disclosure is made. Our industry has \ngotten used to a system where they are in the driver's seat all \nthe time. This puts consumers in the driver's seat, and it is \nnew, so it is going to take some time. But if you adopt it \nnationwide, I believe that they will make it easier for us \nbecause it will be in their interest to do so.\n    Mr. Pratt. Senator, from our perspective, we are obviously \nthe one that has to effectuate the freeze. Let me just remind \nall of us, of course, of a few truths that we have.\n    This Committee and other Committees in the Congress and \nultimately the USA PATRIOT Act Section 326 places obligations. \nThat has been mentioned. It is important to know that that is \nout there and that companies must take additional steps to \nverify identities for those purposes, and that inures benefits \nto consumers even into the realm of risk of becoming a victim \nof identity theft.\n    Fraud alerts, Mr. Chairman, you have discussed this before, \nand fraud alerts are another flexible choice that you have \noffered consumers today. I can place a temporary alert while I \nam still trying to decide whether I really have a higher level \nof risk. If I am a victim, I can place an extended alert on my \nfiles. So those choices are out there today.\n    So there are many systems today, some of which are just \nbrand new with the FACT Act, that are not final, that have not \nbeen tested large-scale in the marketplace. And this is also \nsomewhat true for file freezing, and I think that is important. 
\nFile freezing we think of as being out there for some time. It \nhas been in California's law for some time. But in California, \nwe only have 9,000 consumers who have frozen their credit \nreports.\n    Senator Dodd. I am sorry. What is that again?\n    Mr. Pratt. Nine thousand.\n    Senator Dodd. Have what?\n    Mr. Pratt. Out of 25 million or more consumers who are \ncredit active in California, only 9,000 have frozen their \ncredit reports. So we have a hard time giving you a good \ngranular answer as to does it work, does it not work, how do \nconsumers feel about it, how often are they act the countertop. \nWhat has been described by Mr. Ireland is true, though. If a \nconsumer is at the countertop, we still have the question: How \ndo you close the transaction at that point? Do you want \nconsumers blurting out PIN numbers, if you will, at the \ncountertop to the clerk who is hired during the holiday season? \nAnd how secure is that?\n    You will have all the same kinds of challenges that you \nhave in the online banking world where you have to authenticate \nconsumers. To what extent do you have to deploy a two-factor \nauthentication system to ensure that you are really unfreezing \nthe file for the real consumer and that you do not at some \npoint find that criminals, as has been pointed out, who get \nclever about these things start to chase you down the road a \nlittle bit further?\n    I do not want us to think of file freezing as a panacea \nthat somehow definitely cures all the ills, and I think you \nsaid it very well, Senator. It is complex.\n    Our only message here is to say that in the absence of a \ndialogue here at the Federal level, and regardless, really, of \nwhat you do now or later, the States are continuing to act on \nthis. And so our concern is variations of standards. We have \nsome States beginning to say, well, you should be able to turn \nit on in X number of minutes. I cannot tell you what an \nanathema we think that is. 
We might as well just also obligate \nevery credit vendor in the country to approve credit \napplications in X number of minutes, irrespective of whether \nthe USA PATRIOT Act was complied with or not or irrespective of \nwhether we have deployed all the fraud prevention tools or not. \nSo those are concerns for us, that, in fact, we are now having \non a service level performance standards.\n    To your point, we will over time, regardless of what the \nCongress does, have to live with some degree of file freezing \nin this country for some percentage of the population. I think \nit will grow next year as a result of legislative activity. And \nwe will have to find a way to deploy a system that operates \nwith the variations that we see in the States today.\n    Senator Dodd. I see Senator Reed is here, and I have taken \nmore time here, but I am just curious on the Katrina issue. I \nhad asked, Jack, before you walked in, what has happened with \nthat at all. Any comments you want to share with us about the \nvictims here?\n    Mr. Pratt. Absolutely. We have three areas of focus with \nKatrina.\n    First of all, the nationwide credit reporting systems have \neach set up toll-free numbers, either dedicated or options for \nKatrina victims specifically. Those toll-free numbers allow you \naccess to live personnel up front because we know Katrina \nvictims many times have left their homes with little or no \ninformation, little or no financial information that they \nreally need in order to be properly identified. So, I think the \nhuman touch is very important in those cases.\n    All Katrina victims have access to free reports. \nAnnualcreditreport.com, the website through which you can \nobtain free reports, one of the elements of the FACT Act that \nwas brought forward by this very Committee has been opened up \nso that free reports are available to consumers who can be \nauthenticated online. 
But the key here is that when you cannot \nfor some reason, we will have live personnel try to work \nthrough with you how to get a credit report to you.\n    We have a lot of complexity. Are you still--you know, \nunfortunately, because of the new hurricane heading toward \nHouston, we now have a group of Katrina victims who are moving \nout of Houston and moving out of Galveston and some of the \nareas that are affected. So those addresses that might have \nbeen temporarily set up have now shifted again. And so the key \nis not to have credit reports floating, if you will, out there \nin the Postal Service at the same time. But we are dedicated to \ndoing that.\n    Second, within the first week of this, we sent out \ncommunications to more than 16,500 data furnishers, more than \n40,000 discrete contacts within the data furnisher system, \nnotifying them of specific guidance on how to use the Metro-2 \ndata format, the Metro format to report natural disaster as an \nannotation on your credit account. We also explained how you \ncould report account deferrals. This was in support of Treasury \nSecretary Snow's advocating lenders take a lenient approach to \nall of this.\n    Third, though candidly I hope we never have to use it, we \nhave now brought online a new Katrina dispute code so that if, \nin fact, at the end of the day, after all the communications to \ndata furnishers, we have the unintended consequence of data \nreported that affects a consumer, we want to be able to \nsensitize that data furnisher very quickly to the fact that \nthis is not just a dispute; this is a dispute about a victim of \nthe Katrina disaster.\n    Senator Dodd. Any evidence of identity theft at all \noccurring in the midst of all of this? It seems like a rather \nopen system here, people calling in. I do not want to tie up \nthe Committee time on this, but I am a little uneasy. Someone \ncalls in and says they are so-and-so, give me my information.\n    Mr. Pratt. 
Rest assured, Senator, the fact that you have \naccess to live personnel does not mean that we are going to \nautomatically make the decision to turn that credit report over \nto the individual on the call. Protocols that we probably \nshould not discuss in a public forum are deployed in order to \ntest----\n    Senator Dodd. I am curious only because it may apply \nexactly to what we are talking about here in the freeze \ninformation. If you have found a means by which you can confirm \ninformation for people who do not have their data that they \nleft back in their homes in Louisiana or Mississippi, it might \nbe an interesting process to give us some guidance on how to \naddress these issues outside of a natural disaster \ncircumstance.\n    Mr. Pratt. We do not know how easy that is going to be, by \nthe way. This is new and uncharted territory. We are going to \nhave to have these discussions with consumers along the way. \nOur hope is many of them can be authenticated through \ntraditional systems so we do not actually have to move off \npoint, if you will.\n    Senator Dodd. I appreciate that.\n    Thank you, Mr. Chairman. I thank Senator Reed. I took a lot \nof time.\n    Chairman Shelby. Senator Reed.\n    Senator Reed. Thank you very much, Mr. Chairman.\n    Thank you, gentlemen. We are faced with an issue that we \ninevitably confront when we are trying to craft legislation, \nparticularly when there are competing State legislative \nschemes, and that is coming with a national standard that is \nadequate, not just a national standard that is there but does \nnot provide protection. I know we have talked about the \nCalifornia standard.\n    And I am curious, I think Mr. Mierzwinski indicated that \nthe California standard is something he sees as a good starting \npoint, but I would like to get impressions of all the panelists \nabout the California standard as a starting point for a \nnational standard. 
One reason is it covers already a \nsignificant portion of the population. Is that an appropriate \nplace to begin, particularly in terms of notification, or what \nthings should be added or subtracted? Mr. Pratt?\n    Mr. Pratt. From our perspective, the basic operation of \nCalifornia is a standard that we apply generally, but I think \nthat as has been discussed, California has what is called an \nacquisition standard for its notification trigger. And this is \nwhere we do digress from, I suppose, the support for a national \nstandard for notices to consumers.\n    An example would be a laptop is stolen, a laptop is fenced, \na laptop is recovered in a short period of time, and forensics \nindicates that nothing was done with that laptop. It was never \neven booted up. It was simply sold for cash, and the purpose \nfor the crime was simply to get cash and not to use the data.\n    The California acquisition standard, on its face in the \nlaw, would still require that you send every consumer a notice \nsaying that your information was breached, although we know \ntechnically it was not, meaning the forensic analysis would \ntell you otherwise.\n    So our only reason for pushing back on that is to make sure \nwe do not send notices and create anxiety where anxiety is not \nnecessary. What we want to do is make sure the notice is \ntargeted to the risk, and I think this has been said several \ntimes on the Committee. Our goal and the goal that we will have \nto wrestle with is ultimately a goal the Committee has to \nwrestle with, is to make sure that we have the right trigger so \nthat we send good, actionable notices, notices that consumers \nopen, notices that consumers act on, and that is really the \nonly underlying goal for why we push back on a sending notice \nto all consumers type of standard. We believe it has to do with \nremediation and taking actions when you are at risk.\n    Senator Reed. Mr. Mierzwinski, can you tell me----\n    Mr. Mierzwinski. 
This is other than preemption the status \nof the harm trigger is where the consumer and privacy community \ndisagrees the most with the industry. Our view is if you do not \nhave an acquisition-based trigger, then you will not have \ncompanies doing a good job of protecting information in the \nfirst place. I would prefer that all those laptops have \nencrypted information on them, but then I hear that banks are \nlosing laptops without even passwords, laptops let alone that \nare encrypted. So if you force the companies to disclose, there \nwill be fewer losses, there will be better protection of the \ninformation.\n    And the second point I made earlier is that 50 percent of \npeople do not know where their identity theft came from, and if \nthey start getting notices, they start keeping those notices, \nand then they later become a victim of identity theft, they may \nbe able to track it backward and more people will find out how \nthey became victims if they receive more notices.\n    Senator Reed. I do not want to necessarily retrace ground \nyou have covered, but I am curious if Mr. Hammerman, Mr. \nSchwartz, and Mr. Ireland have comments. Mr. Hammerman.\n    Mr. Hammerman. Thank you. As Mr. Pratt had mentioned, the \ndifficulty with the California standard is that being an \nacquisition standard, the result will be an over-notification, \nif you will, even though there is no substantial risk of harm \nof identity theft to the customer. For example, if someone \nmisplaces their Blackberry, their hand-held device that might \nhave a customer name and phone number, that does not \nnecessarily mean that customer is at risk of identity theft or \nother account fraud. Yet, as I understand it, under the \nCalifornia standard, a notification would be triggered, and we \nthink that is the wrong balance.\n    We think having the trigger apply when there is a \nsignificant risk of harm to the customer, that is the \nappropriate balance.\n    Senator Reed. 
Let me inject one more point, which is, if \nthe California standard is not adequate, what is the \nappropriate standard, from those people that would depart from \nthat standard?\n    Mr. Hammerman. From the securities industry standpoint, we \nwould look forward to working with the SEC as a functional \nregulator to develop the details around the concept of \nsignificant risk of harm of identity theft or other fraud to \nthe account.\n    Senator Reed. Mr. Schwartz, Mr. Ireland.\n    Mr. Schwartz. Senator Reed, actually, the California \nlegislation just does not say ``unauthorized acquisition'' \nalone, it says ``unauthorized acquisition of computerized data \nthat compromises the security, confidentiality, or integrity of \nthe information.'' Those are ambiguous words that may very well \nimpose or carry with it a standard of harm. I think the concern \nis the ambiguity and the fact that really you want to send a \nnotice when there is a substantial likelihood of harm to \nconsumers. So even the California legislation is not entirely \nclear as to what triggers a notification requirement.\n    Senator Reed. Mr. Ireland.\n    Mr. Ireland. I think I would agree with several of the \nother panelists, and Mr. Mierzwinski and I would probably \ndisagree here. We are in favor of a risk-based standard. We \nthink that California can be read to be an acquisition \nstandard. Mr. Schwartz points out the compromise language, but \nit is not terribly clear what that means. We are concerned that \nCalifornia results in over-notification, and therefore it \nlessens the effectiveness of notices.\n    Senator Reed. Mr. Pratt.\n    Mr. Pratt. Senator, just one last point. If you go to the \nCalifornia Office of Privacy, they provide additional guidance \non what they think the acquisition standard means. 
That \nacquisition standard looks more like a harm standard, so it is \nvery important to look at the California guidance that \nunderlies the statutory regime that you have in California.\n    Senator Reed. Thank you very much.\n    Thank you, Mr. Chairman.\n    Chairman Shelby. Senator Carper, you have any comments?\n\n             STATEMENT OF SENATOR THOMAS R. CARPER\n\n    Senator Carper. I just have a quick question. I apologize \nfor missing the hearing. We were having a markup on Homeland \nSecurity on Katrina, and a number of bills that we are just \nstill working on.\n    I want to ask maybe one question if I could of the panel, \nMr. Chairman?\n    Chairman Shelby. Go ahead.\n    Senator Carper. First of all, thanks for being here and for \nyour input. I understand that several States have enacted laws \nto protect the consumers against identity theft, and are now \nenacting laws mandating companies inform consumers when the \nconsumer's information has somehow been compromised. I just \nwant to ask which State approaches do you think work the best, \nif any, and why? We think of States as laboratories of \ndemocracy, and to see if there might be a model out there for \nus to emulate, and that is basically what I am asking you to \nhelp us do, identify if you think they are doing a particularly \ngood job. No, not all at once.\n    [Laughter.]\n    Mr. Ireland. Senator, the lag in responding to your \nquestion is that it is complicated. All the State laws differ, \nand there are good pieces in a law here and there and I think \nwe can very much learn from the States, and much of the \ntestimony that has been given here today has been based on \nexperience with some of those State laws, particularly \nCalifornia.\n    I am not sure that I would advocate any particular State \nlaw as a single model. 
I think the issue of the way \nnotification needs to be given and the factors it needs to \naddress are perhaps more complicated and complex than many of \nthe States have recognized, but we can certainly learn from \nthose States.\n    We can also learn from some of the mistakes, because, for \nexample, Illinois has a law that says there is no delay for law \nenforcement in notification, even though every other State has \na law that provides for delay, so that the law enforcement \npeople can go try to get the crooks. In the current situation, \nthe Illinois law effectively nullifies all the rest of the \ndelays in other States, because you give notice in Illinois and \nthe cat is out of the bag.\n    I think the States have provided a valuable laboratory here \nand we can learn from each of the State laws, but I would not \npick any particular one and make it the sole model to look to.\n    Senator Carper. Do any of the other witnesses want to agree \nwith anything that Mr. Ireland has said, or disagree?\n    Mr. Schwartz. I would say, Senator Carper, that certainly \nthe States do have provisions that we can look to, for example, \nfor types of information that would be regarded as sensitive, \npersonal information that would be the subject of the \nlegislation, the various triggers, so I think there are \nelements in there, and I would agree with Mr. Ireland, that we \nshould look to them and consider them and determine whether or \nnot they should be applicable.\n    But in terms of coming up with a specific State that has \nthe magic bullet, I do not think that there is one.\n    Senator Carper. Thanks. Others, please?\n    Mr. Hammerman. I would agree with what has previously been \nsaid.\n    Mr. Mierzwinski. Senator, the Consumer and Privacy Group \ntestimony, Appendix 2, we list all the breach laws. Nine of \nthem have no so-called ``harm trigger,'' starting with \nCalifornia. 
We prefer laws without a harm trigger.\n    We also list in Appendix 3 all the State security freeze \nlaws, and the best one is one that is expected to be signed \ntoday, which would be New Jersey's, because it makes it easy \nfor consumers to selectively unfreeze their credit, and it is \nvery inexpensive and it applies to all consumers. Those are the \nkinds of principles we believe in.\n    Senator Carper. Thanks.\n    Mr. Pratt. From our perspective, we would again agree with \nMr. Ireland in terms of the characterization. Carrying forward \nyour laboratory analogy here, really, it is up to you to find a \nfinal precipitate to know what it is that should be mixed and \nworkable for the entire country. We have great confidence you \nwill be able to do that as you have done with many other \nFederal laws that have created national standards.\n    And as for file freezing, again, I think it is a dialogue \nthat we really just would like to continue to have with all of \nyou. We disagree with Mr. Mierzwinski about the merits of the \nNew Jersey standard, in particular find it troubling because it \ncreates regulatory powers at a State level over what is a \nnationwide credit reporting system. We think that that is the \nwrong direction in which for us to head.\n    Senator Carper. One last quick question, if I could, just \nof Mr. Mierzwinski?\n    In recent years we have seen an increase in certainly in \nthe awareness of identity theft and the steps that people can \ntake to protect themselves. Do you think consumers have enough \ninformation about ways to guard against prior financial \nprivacy? And if not, what if anything can we do on this \nCommittee here in the Congress to further educate people that \nis not being done, and is there something else you can think of \nthat the financial services industry should be doing \nthemselves?\n    Mr. Mierzwinski. That is a big question in terms of \nidentity theft and financial privacy. 
On financial privacy, I \nthink the consumer groups are on the record. The Gramm-Leach-\nBliley privacy notices, the problem with them is they are \nrights without remedies, and that is why consumers get \nfrustrated. We need to give consumers privacy rights, not \nsimply privacy notices.\n    In terms of identity theft, I think that consumers are \nstarting to become more aware of the problem, but again, more \ninformation would always be adequate, and we will certainly \nthink about ways that we can provide the Committee with greater \nrecommendations to educate people about identity theft.\n    When you are a victim of identity theft and when you \ncontact your credit bureau, they do send you information \nautomatically, am I correct?\n    Mr. Pratt. That is right.\n    Mr. Mierzwinski. That is right. So at the point of contact \nwith identity theft you find out about it. However, in advance \nof identity theft there needs to be better ways to find out.\n    We have been concerned that some of the companies are \nmaking money on identity theft, selling credit monitoring \nservices. I would point out that this summer the Federal Trade \nCommission fined Experian, one of the big credit bureaus, \n$950,000, for deceiving consumers into obtaining its \nsubscription based credit monitoring service, which it was \nmarketing as if it were free. So we have to be careful how we \nurge companies to provide information.\n    Mr. Pratt. Senator, if I could?\n    Senator Carper. Very briefly. I have used up all my time.\n    Mr. Pratt. We are mixing apples and oranges here. There was \na marketing issue that was addressed by the Federal Trade \nCommission, the same Federal Trade Commission that said the \nmonitoring services are a good idea. They do serve consumers. \nThey are a product in the marketplace. It is like saying that \nhome security systems are a bad idea, or OnStar in your car is \na bad idea. 
Monitoring services are in the market because we \nhave a great market and because we create great products in \nthat marketplace, and monitoring services are one of those, and \nmillions upon millions of consumers are purchasing them today.\n    Senator Carper. Gentlemen, thank you all very much.\n    Mr. Chairman, thanks for giving me a chance to ask those \nquestions.\n    Chairman Shelby. Thank you, gentlemen. This is a very \ninformative panel. This is a very complex issue, as we all \nknow.\n    The hearing is adjourned.\n    [Whereupon, at 12:05 p.m., the hearing was adjourned.]\n    [Prepared statements, response to written questions, and \nadditional material supplied for the record follow:]\n\n                    PREPARED STATEMENT OF MARK PRYOR\n               A U.S. Senator from the State of Arkansas\n                           September 22, 2005\n\n    Chairman Shelby, Ranking Member Sarbanes, and Members of the \nBanking Committee, I thank you for your kind invitation to testify \nabout identity theft and security freeze.\n    As you are all aware, identity theft is one of the fastest growing \nfinancial crimes in the country. According to the Federal Trade \nCommission, almost 10 million people per year become the victims of \nidentity theft. It is especially important to my constituents in \nArkansas. Identity theft is in the top category of reported fraud in my \nState, with over 1,397 cases last year. It is an issue that I have \ncared about since my days as Arkansas Attorney General.\n    The Identity Theft Resource Center noted that identity theft \nvictims spend on average about $1,500 and expend 600 hours of time to \nrestore their credit histories after they realize what has happened to \nthem. In addition, this crime costs American business an estimated $48 \nbillion annually; this must be prevented. A person's sensitive personal \ninformation is better than gold bullion. 
It weighs nothing, and in the \nhands of an experienced thief, yields far more wealth than the victim \nmay actually possess. And all of our sensitive personal information is \nvery vulnerable.\n    The California notification law educated every American consumer \nabout the difficulties of keeping our sensitive personal information \nsafe. Companies can lose it off a truck, accidentally expose it, or have \nit stolen from them. It seemed that there was a large breach at every \nturn. First, there was ChoicePoint, then Lexis-Nexis, Card Systems, \nDSW, and the list goes on and on.\n    The goal is to make sure that companies adequately safeguard the \npersonal information they keep. Then, in the event of a breach or a \nloss of sensitive personal information, we want to make sure those \nconsumers are notified as soon as possible so that they can protect \nthemselves from the potential identity theft.\n    The issue that struck me is that we are not providing consumers the \ntools to protect themselves. And we should give consumers a broad array \nof positive actions they can take to protect their information. An \nounce of prevention is worth a pound of cure.\n    The Federal Government can place as many requirements as they \nplease on businesses to protect sensitive personal information, but \nbreaches will still happen. Hopefully, after a strong identity theft \nlaw is passed there will be fewer occurrences, but they will still \nhappen. Sensitive personal information is readily available in paper \nsources and public records. Identity thieves will still steal mail and \ndig through trash for sensitive personal information.\n    As a quick example, my staff has received 11 prescreened credit \noffers at his home in the past week--several of them for previous \noccupants. It is this environment that spurred me to introduce S. 
1336, \nThe Consumer Identity Protection and Security Act of 2005, to provide \nthe opportunity for consumers to have a choice to place a security \nfreeze on their credit reports.\n    There is a philosophical tension regarding passage of a national \nsecurity freeze law. Several States have security freeze laws in force \nright now, including California, Louisiana, Texas, Vermont, and \nWashington State, and even more States are considering such a law. \nMaine and Nevada security freeze laws are scheduled to come online in \nthe next few months.\n    Usually, in this situation, businesses come to Congress looking for \na national law for uniformity. This is the case in terms of the notice \nissue and safeguarding information, but not when it comes to providing \nsecurity freezes.\n    I see the provision of a national security freeze law as the means \nof providing consumers a choice to protect themselves financially and \nto exercise their right to privacy. Security freezes are not for \neveryone. If a consumer enjoys having the ability to apply for instant \ncredit and does not wish to surrender that convenience, he or she \nshould not place a security freeze on their credit report. On the other \nhand, if you are a consumer that is not interested in instant credit \nand wants to eliminate the possibility of identity theft being turned \ninto a tremendous financial loss, then a security freeze may be the \nright tool.\n    The constituencies that argue against security freezes make the \nargument that consumers are too accustomed to having instant credit, \nand that having security freezes available to all consumers will have \nunintended consequences, such as missing sales or missing offers with \nshort time frames. Or more simply stated, they do not want to lose \ncustomers for instant credit.\n    But what is the danger in giving consumers a choice? 
The credit \nreporting agencies currently have to honor the security freeze laws for \nCalifornia, Louisiana, Texas, Vermont, and Washington. The agencies \nwill have to honor the security freeze laws of Colorado, Connecticut, \nIllinois, Maine, and Nevada, so impracticability is clearly not the \nissue.\n    There were 21 other States that considered security freeze \nlegislation this year, with bills in New Jersey and North Carolina \nwaiting for their governor's signature. In fact, technology companies \nin California are currently in the development stage of products for \none-stop-shopping for consumers who wish to have their credit frozen at \nall three credit reporting agencies. In as little as 60 days, this type \nof one-stop-shopping for consumers could be available to all consumers \nin States where security freeze laws have been enacted.\n    People that elect to put a security freeze on their reports are not \ncustomers for instant credit, just like people who elect to put their \nnames on the Do Not Call list are not customers for telemarketers. To \nnot provide consumers this choice because they will not understand the \ninconvenience a freeze may cause them does not strike me as a reason to \ndeny Americans this protection. If this is truly a concern, educating \nthe consumer would solve that problem.\n    Another criticism I heard while we were discussing this issue was \nthat security freeze legislation would impede necessary functions that \nrely on access to credit reports. After reviewing what the States have \ndone, I am convinced that carefully crafted exceptions will ensure that \nthe flow of information needed for identity verification, fraud \nprevention, debt collection, government services, and the maintenance \nof prior business relationships is preserved, so that those functions can \ncontinue in the normal course while fully protecting the consumer. 
\nCalifornia and Texas have had security freezes in place since 2003, and \nbusiness continues to be conducted there with no incident.\n    Still, credit reports are legitimately needed for fraud protection, \nto collect current outstanding debts, and for the proof of identity. \nAny national security freeze bill has to maintain the ability for \nproper and necessary uses of credit report information.\n    Yet another criticism I heard was that a security freeze is the \nsame as a fraud alert, which can be placed on a consumer's account from \nthe recently passed FACTA. This is not true. Fraud alerts, while \nproviding a level of security, are not as comprehensive as a freeze. \nFraud alerts last only 90 days. In order to get an extended fraud \nalert, a consumer has to prove they have already been victimized by \nproviding a police report or an affidavit. In addition, fraud alerts do \nnot prohibit the release of a consumer's credit information from a \nconsumer reporting agency. There is room for a security freeze option.\n    Consumers that wish to have more flexibility in having instant \ncredit but want a level of protection can use the fraud alert. A \nconsumer who wishes to deal with a level of inconvenience but wants \ncertainty that no new credit will be issued from his or her credit \nreport can elect to have a freeze.\n    In summary, Mr. Chairman and Senator Sarbanes, I believe that \nstrengthening data safeguard and consumer breach notification \nrequirements is important to help stop identity theft. But requiring \nbusinesses to better safeguard data and notify consumers of breaches \nis not the only answer. I believe we must also provide consumers with \nnew tools to prevent identity theft. 
A national security freeze law \nwill provide consumers with that additional tool.\n    Consumers will have a choice on whether to actively protect their \ncredit through affirmative action or to trust credit reporting \nagencies, financial institutions, data brokers, and others to do it for \nthem. This is an important choice.\n    The option of placing a security freeze on a consumer's credit file \nhas proved to be a viable and workable one in several States across the \ncountry. It is my hope that the Congress will agree to give this choice \nto all consumers across the country to help prevent them from becoming \nvictims of identity theft and protect their most important personal \ninformation.\n    I thank the Chairman, Senator Sarbanes, and the Members of the \nCommittee for inviting me to give testimony on this issue that is very \nimportant to me and my constituents. Thank you.\n\n                               ----------\n\n                 PREPARED STATEMENT OF STUART K. PRATT\n                           President and CEO\n                   Consumer Data Industry Association\n                           September 22, 2005\n\n    Chairman Shelby, Senator Sarbanes, and Members of the Committee, \nthank you for this opportunity to appear before the Committee on \nBanking, Housing, and Urban Affairs. 
For the record, I am Stuart Pratt, \nPresident and CEO for the Consumer Data Industry Association.\n    CDIA, as we are commonly known, is an international trade \nassociation representing approximately 250 consumer information \ncompanies that are the Nation's leading institutions in credit and \nmortgage reporting services, fraud prevention and risk management \ntechnologies, tenant and employment screening services, check fraud \nprevention and verification products, and collection services.\n    We commend you for holding this hearing on the financial services \nindustry's responsibilities and role in preventing identity theft and \nprotecting the sensitive financial information of their customers. You \nhave asked the CDIA to provide input on a number of issues that have \nbeen raised in hearings and legislation this year and in doing so, let \nme begin with some comments on how the Fair Credit Reporting Act \\1\\ as \namended by the Fair and Accurate Credit Transactions Act (PL 108-159) \nhas already contributed materially to the protection of consumers by \nestablishing new duties for the industry and empowering consumers with \nimportant new rights. It bears noting that these new duties and rights \nare all the more effective and easy for consumers to use because they \nare uniform. We again thank you, Mr. Chairman, Senator Sarbanes, and \nthe Committee for the successful effort to set these national standards \nwhich are necessary to ensure that all consumers continue to enjoy the \nbenefits of a nationwide credit reporting system and ultimately a low-\ncost, competitive and creative credit marketplace which helps fuel our \nNation's continued economic expansion.\n---------------------------------------------------------------------------\n    \\1\\ 15 U.S.C. 
1681 et seq.\n---------------------------------------------------------------------------\nFACT Act\n    By December 1, 2004, all FACT Act amendments made to the Fair \nCredit Reporting Act were effective. As of this date our members had \nbrought online a series of nationwide practices which inure particular \nbenefits to consumers who may have concerns about identity theft. These \nnational standards include:\n    Fraud Alerts--These alerts were voluntarily established by our \nmembers in the mid-1990's. Our members have long believed that fraud \nalerts strike the right balance for consumers who wish to ensure that a \nlender is notified of their concerns about identity verification where \nthey have already been or may become victims of the crime of identity \ntheft. Consumers recognize that while these alerts can slow down credit \napproval processes, alerts do not stop a transaction and, thus, \nconsumers can continue to actively seek out better financial products \nand services whenever they wish.\n    The FACT Act created two specific types of fraud alerts. Initial \nalerts stay on the consumer's report for a minimum of 90 days and will \nbe placed on the report even when there is just a concern that a person \nmight become a victim of identity theft. Creditors which receive this \nalert must take steps to form a reasonable basis that they have \nproperly identified the consumer. Extended alerts are placed on the \nconsumer's file when he/she presents an identity theft report. This \nalert remains on the consumer's file for a full 7 years and it may \ninclude contact information for a consumer which can be used as part of \nthe identity verification process. Most important to the codification \nof our members' voluntary fraud-alert practice was that the FACT Act \ntied the presence of the alerts to specific duties for the recipients. 
\nThis tying of the consumer reporting agency's duty to place such alerts \nwith a corresponding duty for recipients to form a reasonable basis for \nidentity verification had never previously been established and our \nmembers believe that this materially improves upon the fraud alert \nsystems that previously existed.\n    Active Duty Alerts--Though similar to fraud alerts, active duty \nalerts may only be used by individuals who are serving in an active \nduty capacity for our armed services. These alerts remain on the \nservice member's credit report for 12 months and, like fraud alerts, \nare tied to duties for recipients to take steps necessary to reasonably \nidentify the identity of the applicant before approving the \napplication.\n    Address Discrepancy Indicators--The FACT Act also established \nadditional protections for consumers in transactions even where a fraud \nalert might not be involved. Specifically, the FCRA now requires that \nwhere a nationwide consumer reporting agency receives a request from a \ncreditor for a credit report and finds that the address submitted by \nthe creditor differs materially from the address on the consumer's \ncredit report, it must indicate to the creditor that this difference \nexists. Thus, lenders have an additional red flag to consider in \nattempting to properly validate the identity of an applicant. It is \nimportant to note that changes in addresses are not necessarily a \nstrong indication of fraud when one considers that approximately 40 \nmillion addresses change each year in this country. Nonetheless, the \nFACT Act ensured an appropriate focus on address discrepancies by all \nfinancial institutions and this adds additional protection for \nconsumers. 
While final regulations specifying what a recipient of an \naddress discrepancy indicator must do with them are not completed, no \ndoubt these indicators are being used by lenders today.\n    Identity Theft Reports--The FACT Act also defined the term \n``identity theft report.'' This definition was a key to ensuring that \nvictims of identity theft could avail themselves of a number of rights \nunder the law even if they were having trouble obtaining a traditional \npolice report. The ultimate success of this new definition is in the \nbalance struck by the rules which ensure that such reports can be \nreadily accessed and used by all victims without creating a situation \nwhere the reports are hard to verify, misused, or easily forged.\n    Identity Theft Reports and Blocking Fraudulent Data--In year 2000, \nCDIA's national credit reporting agency members established a \nnationwide voluntary initiative for victims of identity theft which \nallowed them to submit a police report and request that fraudulent data \nbe blocked in victims' reports. The FACT Act codified this initiative \nand expanded it by use of the new ``identity theft report'' definition. \nIn enacting this national standard, Congress ensured that all victims \nreceived the same treatment and that fraudulent data would be removed \nfrom victims' reports.\n    Red Flag Guidelines--Beyond the specific provisions of law \ndiscussed above, Congress recognized the need to empower regulators to \ndevelop guidance for financial institutions which is intended to \nencourage the use and accelerate the adoption of a robust combination \nof technologies and business rules to further reduce the incidence of \nidentity theft. These guidelines are still under development.\n    The fact that the provisions just discussed all operate as national \nstandards bears repeating. 
The Congress was prescient in recognizing
that fraud prevention and, in fact, regulation of a nationwide system
of credit reporting and credit markets is best handled through uniform
national standards. A series of State laws which impede the free flow
of information across this country cannot possibly achieve the same
benefit for all citizens wherever they may live. We applaud the
Congress and the principal sponsors of the FACT Act for the necessary
focus on the needs of consumers and identity theft victims through the
establishment of national standards of practice.
    In closing our discussion of national standards under FCRA, I am
reminded of the fact that the FCRA itself remains the only law which
directly regulates our members operating as consumer reporting
agencies. The national standards reauthorized and established by the
FACT Act were critical to our nationwide members and it remains vitally
important that our members operating as consumer reporting agencies are
regulated under this single set of national standards, law, and
regulation.
Information Security and Consumer Notification
    Beyond the FACT Act's many new protections and rights for
consumers, the security of sensitive personal information held by
nonfinancial institutions has been the focus of debate in a number of
House and Senate Committees. In fact, this Committee was the first to
hold hearings on breaches of sensitive personal information and
ultimately there are two key themes on which to focus:

<bullet> Ensuring the security of sensitive personal information; and
<bullet> Sending consumers meaningful notices of a breach of sensitive
    personal information when there is a significant risk of identity
    theft.

    Information security and requiring consumer notification if the
loss of information poses a significant risk are not new areas of focus
for this Committee, which has traditionally taken a leadership role on
information policy. Most recently, enactment of the Gramm-Leach-Bliley
Act \2\ (GLB), Title V, included a requirement \3\ that Federal agencies
write regulations \4\ for securing and protecting nonpublic personal
information, including taking into consideration when a loss of such
information should lead to consumer notification. The FTC published its
final rule on May 23, 2002, and it became effective on May 23,
2003.\5\
---------------------------------------------------------------------------
    \2\ 15 U.S.C. 6801-6809 (Financial Privacy).
    \3\ See Section 501(b) of Title V, PL 106-102.
    \4\ See 15 U.S.C. 6801(b), 6805(b)(2).
    \5\ 16 CFR Part 314, Standards for Safeguarding Customer
Information; Final Rule.
---------------------------------------------------------------------------
    The discussion of safeguarding sensitive personal information and
notifying consumers when there is a substantial risk of identity theft
has expanded beyond the boundaries of financial institutions. It is our
view that rational and effective national standards should be enacted
both for information security and consumer notification as it applies
to sensitive personal information, regardless of whether the person is
a ``financial institution.''
    Safeguarding Sensitive Personal Information--GLB's statutory
framework for safeguarding sensitive personal information is equally
well-suited to information safeguards for sensitive personal
information held by any person not otherwise defined as a financial
institution. Under this approach, the FTC would promulgate rules for
any nonfinancial persons just as they did under GLB. To ensure that
there is absolute regulatory continuity between the applicable
provisions of GLB and rules therein and new information security
standards and rules, financial institutions which are compliant with
their obligations under GLB should be deemed in compliance with any new
requirements. Any new standards for nonfinancial entities should be
substantially similar to those required by the GLB safeguard rule.
    Consumer Notification--Consumers should receive notices when their
sensitive personal information is breached and there is a significant
risk of identity theft. While there are many details which go into
creating an effective notification requirement, a fundamental element
is making sure that it does not result in either over-notification, or
too few notices sent where there is a significant risk to the consumer.
    We believe that the general guidance provided this year by FTC
Chairman Majoras in her testimony before a number of Congressional
Committees regarding the appropriate ``trigger'' for a notice is on
point. That is, notices should be sent when there is a significant
risk of harm. In our view, harm is best defined as significant risk of
identity theft. A poorly structured trigger leads to over-notification,
which erodes the effectiveness of each subsequent notice sent to a
given consumer. If notices are not tied to events that truly pose
significant risks, they will be ignored by many consumers who may become
anesthetized to the importance of them.
    Further, consumer reporting agencies as defined under FCRA Section
603(p),\6\ are affected by the volume of even legitimate breach notices
(in addition to those that result from over-notification). The national
systems' contact information is consistently listed in notices going to
consumers. If you add up even just a few of the high-profile breaches
which have taken place over the course of this year, it is easy to come
up with tens of millions of notices containing our members' contact
information. Thus, we believe that when a breach results in more than
1,000 notices to consumers, the company that breached the sensitive
personal information should:
---------------------------------------------------------------------------
    \6\ The Fair Credit Reporting Act: 15 U.S.C. 1681 et seq.
---------------------------------------------------------------------------

<bullet> Notify each nationwide consumer reporting agency of this fact
    and provide the estimated number of notices to be sent;
<bullet> Notify each other consumer reporting agency whose contact
    information will be listed in the notice; and
<bullet> Confirm the contact information that should be used for each
    listed consumer reporting agency.
    Our members report that there
    have been times when incorrect telephone numbers have been listed
    on notices.

    A well-reasoned national standard for information security for
sensitive personal information, coupled with effective notices where
such information is breached by a party, can contribute materially to
the reduction in risk for all consumers.
Credit Report/File Freeze
    You have also asked us to provide background on and discuss our
views of the trend in State laws often termed ``credit report freeze,''
``file freeze,'' or ``security freeze.'' First, it is important to
clarify that a freeze is not a fraud alert as enacted by the FACT Act.
It is also important to understand how a file freeze operates based on
our experience with current State laws.
    A fraud alert accompanies a credit report sent to a lender and as
such, a lender is notified of the consumer's concern. With a fraud
alert, the lender can still process the application, though it will
take additional measures to ensure that a consumer is properly
identified before doing so. In contrast, a file freeze empowers a
consumer to request that a consumer reporting agency not provide the
credit report for a ``new business'' transaction such as an application
for credit and, thus, the transaction cannot be completed.
    File freezes are not absolute and consumers can request that a
freeze be lifted temporarily for a period of time (for example, for 30
days). Depending on when and in what manner the request is received,
this temporary lift does not happen instantaneously and consumers have
to remember to make their request for a temporary lifting of the freeze
to the consumer reporting agency prior to making an application for
credit.
    All State laws and proposals allow consumer reporting agencies to
charge a fee for placing or lifting a freeze (how and where fees are
charged varies by State). Our members have viewed the right to charge a
fee for the placement of a freeze and for each temporary lifting of a
freeze as a matter of equity where such laws are enacted. California
agreed with this principle when it enacted the first law in the
country. Throughout the FACT Act hearings, time and time again this
Committee heard testimony regarding the value that the credit reporting
system brings to individual consumers. Simply put, credit reports lower
credit costs, by lowering risk. Credit reports empower consumers and
lead to the robust credit economy that benefits all consumers.
    In the past several months, Federal legislation has been introduced
which would codify the right of consumers to freeze the release of
their credit reports and/or certain additional sensitive information
under certain circumstances. These measures are S. 1408, introduced by
Senator Gordon Smith on July 14, 2005, which was marked up and reported
out of the Senate Commerce Committee on July 28, 2005, and S. 1336,
introduced by Senator Mark Pryor on June 29, 2005, and referred to the
Senate Commerce Committee.\7\ On July 21, 2005, Senate Banking
Committee Chairman Richard Shelby introduced a virtually identical
measure to S. 1336.\8\ That bill was referred to the Senate Banking
Committee. The Federal measures follow significant State activity over
the past several years in this area. Currently, twelve States have
enacted file freeze laws (California, Colorado, Connecticut, Illinois,
Louisiana, Maine, Nevada, New Jersey, North Carolina, Texas, Vermont,
and Washington). Since 2003, all but approximately 10 States have had
file freeze measures introduced and though some have rejected the
concept, this past year 7 States enacted new law. It is expected that
there will be significant State activity in this area in 2006. The
State laws vary in terms of substantive scope and operational elements.
The measures contain different standards in the following key areas:
(1) the circumstances under which consumers may request a freeze; (2)
the extent to which consumer reporting agencies are required to notify
other CRA's or entities which report affected information; (3) the
extent to which certain information is exempt from a freeze; (4) the
timetables within which freezes must be imposed or removed; (5) whether
there are limits on amounts that can be charged to freeze or unfreeze
reports; and (6) the scope of liability for violations of the freeze
laws. Though some file freeze provisions of State laws have been
effective for years, our experience with them remains very limited. For
example, we estimate that just a little over 9,000 California consumers
have made use of the file freeze. With a population of more than 25
million credit-active Americans, this population of frozen credit
reports yields no useful information regarding the individual consumer
experience. Most State laws are very recent enactments and, thus, we
also have no experience with consumers moving in and out of States
where the file can and cannot be frozen.
---------------------------------------------------------------------------
    \7\ Note that file freezing is only one of a range of issues
addressed in this bill.
    \8\ The following quote by Senator Shelby drawn from the
Congressional Record explains the Senator's motivations for the
introduction of this bill:

    ``Mr. President, I rise today to introduce the Consumer Identity
Protection and Security Act. This legislation provides consumers the
ability to place credit freezes on their credit reports. Mr. President,
my sole intent in introducing this legislation is to address a
jurisdictional question that has recently arisen with respect to the
Fair Credit Reporting Act.
I want to make sure that the referral
precedent with respect to legislation that amends the Fair Credit
Reporting Act, or touches upon the substance covered by that Act, is
entirely clear. I believe the Parliamentarian's decision to refer this
bill to the Senate Banking Committee establishes that there is no
question in this regard and that this subject matter is definitively
and singularly in the jurisdiction of the Senate Banking Committee.''
---------------------------------------------------------------------------
    The merits of file freezing have been heatedly debated in many
State legislative forums and in media. Some States have in fact
rejected file freezes. The consumer reporting industry has often been
quoted as expressing concerns about the rigidity of freezes, which
operate in stark contrast to fraud alerts where transactions can
continue under a ``caution flag.'' However, it is our view that as the
number of State law enactments climbs, disparate State law file freeze
provisions will increasingly affect the seamless operation of our
Nation's credit reporting system which the FACT Act sought to preserve
through the reauthorization of existing and establishment of additional
national standards. Thus, in the context of significant State
legislative activity, an increasing number of State file freeze laws,
and also a country where 40 million consumers' addresses change each
year, with many consumers moving across State lines, we must continue
to monitor the risks to our nationwide credit reporting system and
engage in an ongoing Federal dialogue about how best to preserve the
efficiency and economic benefits that were protected first by the
enactment of the FACT Act.

<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>


                 PREPARED STATEMENT OF IRA D. HAMMERMAN
               Senior Vice President and General Counsel
                    Securities Industry Association
                           September 22, 2005

    The Securities Industry Association \1\ (SIA) welcomes the
opportunity to testify concerning the financial services industry's
responsibility to prevent identity theft and to protect the sensitive
financial information of its customers. Maintaining the trust and
confidence of our customers is the bedrock of our industry. The
long-term success of our markets depends on customers feeling confident
that their personal information is secure, and we therefore devote
enormous time and resources to the protection of customer data. We are,
however, concerned that the expanding patchwork of State--and local--laws
affecting data security and notice will make effective compliance very
difficult for us and equally confusing for consumers.
---------------------------------------------------------------------------
    \1\ The Securities Industry Association brings together the shared
interests of approximately 600 securities firms to accomplish common
goals. SIA's primary mission is to build and maintain public trust and
confidence in the securities markets. SIA members (including investment
banks, broker-dealers, and mutual fund companies) are active in all
U.S. and foreign markets and in all phases of corporate and public
finance. According to the Bureau of Labor Statistics, the U.S.
securities industry employs nearly 800,000 individuals, and its
personnel manage the accounts of nearly 93 million investors directly
and indirectly through corporate, thrift, and pension plans. In 2004,
the industry generated $236.7 billion in domestic revenue and an
estimated $340 billion in global revenues.
(More information about SIA
is available at: www.sia.com.)
---------------------------------------------------------------------------
    Data security and notice is the legacy of precedents set by the
passage, in 1999, of the Gramm-Leach-Bliley Act (GLB), which this
Committee was so instrumental in passing. We therefore applaud your
leadership, Chairman Shelby, and that of Senator Sarbanes, in holding
this hearing today. We are pleased that your Committee, given its
breadth of understanding of the financial services industry, is
actively reviewing these important data security issues.
    As you know, at least four other Congressional Committees--the
Senate Commerce Committee, the Senate Judiciary Committee, the House
Financial Services Committee, and the House Energy and Commerce
Committee--are currently actively involved in drafting legislation
addressing many of these same issues, each with the intent to move
their bills to the floor.
    We are hopeful that, as a result of the review you and your
colleagues are embarking upon today, you will agree with the conclusion
that we and many others have reached--that the problem of data
security, especially in this unique time, is a distinct Federal
responsibility that requires a targeted Federal legislative and
regulatory response. In light of the increasing number of disparate
Federal and State legislative proposals, we urge this Committee to
strike the appropriate balance that addresses both the concerns of
American consumers threatened by identity theft and the duty of those
of us in the financial services industry to provide meaningful
protections.
    Since 1999, SIA, through its member firm committees and working
groups, has addressed the issues surrounding the protection of consumer
financial information. During this period, SIA representatives have
engaged in a dialogue with the Securities and Exchange Commission (SEC)
staff to discuss the industry's requirements under the privacy
provisions of GLB, including obligations to secure sensitive consumer
information. In this regard, an SIA committee, comprised of
representatives from 18 broker-dealers, meets regularly to discuss and
focus on issues relating to the use, sharing, safeguarding, and
disposal of personal customer information.
    SIA and its membership have identified six fundamental principles
that we hope this Committee will consider in drafting data breach
legislation. Before turning to them, however, we wish to underscore our
considered view that all businesses that have custody of sensitive
personal information have a responsibility to provide data security
measures commensurate with the sensitivity and nature of the data, and
to notify consumers whenever a breach of security creates a significant
risk of identity theft to the consumer. All businesses should protect
the information that consumers provide to them, and justify the trust
those consumers place in them by doing so.
    Federal legislation addressing these duties must be carefully
targeted to ensure that it is meaningful and can be speedily enacted.
Legislation that extends beyond data breach, possibly into unrelated
areas of privacy, will inevitably slow down the legislative process and
delay, if not lessen, the chances for a prompt and appropriate
Congressional response.
Overview
    As the Committee is well aware, Section 502(b) of GLB generally
prohibits financial institutions from disclosing ``nonpublic personal
information'' to nonaffiliated third parties without first providing
those consumers with an opportunity to ``opt out'' of such a
disclosure. In addition, and even more relevant to the issues being
addressed here today, Section 501(b) of GLB specifically requires
financial institutions to implement appropriate ``administrative,
technical, and physical safeguards'' designed to protect the security
and integrity of their customer information. Congress fully recognized
the inherent obligation of financial institutions to protect consumer
information when it drafted Title V. To that end, and pursuant to GLB,
on June 22, 2000, Regulation S-P was issued by the SEC.\2\ This
regulation requires every broker-dealer, investment company, and
investment adviser registered with the SEC to adopt written policies
and procedures designed to institute administrative, technical, and
physical safeguards for information pertaining to sensitive customer
records and information. In addition, broker-dealers are subject to
periodic examination by the SEC and Self Regulatory Organizations for
compliance with Regulation S-P.
---------------------------------------------------------------------------
    \2\ 17 CFR Part 48.
---------------------------------------------------------------------------
    Earlier this year, the Federal Deposit Insurance Corporation, the
Office of Thrift Supervision, the Office of the Comptroller of the
Currency, and the Board of Governors of the Federal Reserve System
collectively issued interagency guidance, again pursuant to Title V of
the GLB, which sets forth certain affirmative obligations aimed at
protecting sensitive financial information and notifying customers in
the event of a security breach (Interagency Guidance).\3\
---------------------------------------------------------------------------
    \3\ See Interagency Guidance on Response Programs for Unauthorized
Access to Customer Information and Customer Notice, 70 Fed. Reg.
15,736-54 (Mar. 29, 2005).
---------------------------------------------------------------------------
    As the functional regulator for the broker-dealer industry, the SEC
is similarly well-situated to issue guidance for broker-dealers, and
SIA looks forward to working with this Committee, SEC Chairman Cox, and
the SEC staff in determining how best to construct a notification
regime that considers the likely effect of notification thresholds
currently in effect in various State data security breach notification
statutes. Specifically, as we discuss in more detail below, we would
urge that the Committee consider a standard that links an obligation to
notify consumers in the event of a breach with the crime of identity
theft. We are concerned that any notification threshold that the
Committee might consider for application to the broker-dealer industry
should be tied to an actual threat to the consumer to which he or she
might reasonably and effectively be expected to respond, and we believe
that functional regulators (like the SEC) are best-suited to monitor
how industry conforms to statutory requirements.
    In considering legislation relating to data breach, SIA believes
that the Committee should create a statutory framework under which
regulations can properly and effectively be promulgated.
In doing so,
we urge the Committee to consider the following six principles:

<bullet> a clear national standard to achieve a uniform, consistent
    approach that meets consumer expectations;
<bullet> a trigger for consumer notice tied to significant risk of harm
    or injury that might result in identity theft;
<bullet> a precise definition of sensitive personal information tied to
    the risk of identity theft;
<bullet> exclusive functional regulator oversight and rulemaking
    authority;
<bullet> flexible notification provisions; and
<bullet> reasonable administrative compliance obligations.
Principles for Legislation
Uniform National Standards
    As of this morning, a total of 19 States--and one major
metropolitan area, New York City--have passed security breach
notification laws, and a number of other States are poised to consider
legislation in this area. Very few States provide exceptions to
coverage for functionally regulated entities at the Federal level.
Although much of the early legislation enacted in the States was
modeled after California's 2002 security breach notification law, which
was the first in the Nation, States are increasingly enacting much
broader legislation that differs in many respects from the original
California law.\4\
---------------------------------------------------------------------------
    \4\ The California legislation, S.B. 1386, was enacted in 2002 and
went into effect on July 1, 2003.
---------------------------------------------------------------------------
    For example, New York City enacted three laws in May, marking the
first instance of a locality enacting an ordinance placing affirmative
obligations on businesses to safeguard data, dispose of it in a secure
manner, and notify consumers in the event of a security breach. In
addition, New York City also authorized the Commissioner of the New
York City Department of Consumer Affairs to ``refuse to issue or
renew'' any business license to any New York City business applicant or
licensee if there are, among other things, ``two or more criminal
convictions within a 2-year period of any employees or associates of
the applicant or licensee for acts of identity theft or unlawful
possession of personal identification information.'' Additionally, any
licensed business must ``immediately notify the department upon the
occurrence'' of a judgment or conviction against any employee, or the
business itself, of any one of several enumerated offenses. These laws
all went into effect 3 days ago, on September 19, 2005.
    Although some of these New York City provisions will likely be
preempted by the recently enacted New York State data security breach
bill, the provisions authorizing the denial of business licenses may
not be preempted due to the construction of the preemption clause in
the New York State legislation. The clear implication to regional and
national businesses of this law is that, potentially, 100,000 or more
localities in the United States may similarly decide to seek passage of
their own data security compliance regimes, further complicating the
compliance obligations of businesses that operate in more than one
locality across the Nation. To this point, apart from the California
and New York legislation, no other State has specifically incorporated
provisions into their legislation preempting local branches of
government within their States from instituting their own data security
legislation.
    From a policy perspective, a patchwork of 19 (and likely more)
State laws, let alone those of potentially thousands of localities,
does not and will not serve the public interest. In fact, the
multiplication of State and local laws is likely to exacerbate the
confusion and potential harm to consumers. Consumers in different
States would be subject to different security standards and levels of
notification despite the fact that the harm they may suffer as a result
of a security breach at the same institution is identical.
Additionally, businesses would be subject to such an array of
obligations, which would be ever-shifting, that they may not be able to
comply in one jurisdiction without running afoul of the obligations
imposed on them in another.
    For these reasons, SIA strongly urges that this Committee act
quickly to create and obtain passage by Congress of legislation that
results in a uniform national standard without subjecting the industry
to a myriad of conflicting State and local laws.
Harm/Injury Trigger For Notice
    A principal benefit to uniform national standards is the creation
of a consistent definition for a trigger that results in the
notification of consumers in the event of security breaches. SIA
recommends that the Committee create a statutory framework that defines
a reasonable and balanced notification trigger to be activated
following a breach of security. Specifically, consumers must be
notified when there is a ``significant risk'' that they will become
victims of identity theft.
    Under the California breach notification law, for example, the
unauthorized acquisition of sensitive information--regardless of
whether any harm has or could result from its acquisition--creates an
obligation for the custodian of that data to notify consumers that it
has been so acquired. The Interagency Guidance issued this year
proposed that consumer notifications be issued whenever it was
reasonable to expect that the data would be misused in a manner
creating substantial harm or inconvenience to a consumer.\5\ Of course,
companies are always free to unilaterally issue notifications whenever
they feel it is appropriate to do so. However, a Federal mandate should
be linked to some demonstrable risk of harm to the consumer, such as
the possible theft of the consumer's identity. Notification in the wake
of each incident of data breach, without regard to significant risk of
identity theft that might result, could well have the counterproductive
effect of overwhelming customers with notices that bear no relation to
significant risk, and therefore might not only needlessly frighten and
confuse people, but also likely desensitize them to future notices
altogether.
---------------------------------------------------------------------------
    \5\ In testimony before the Senate Commerce Committee this past
June, Federal Trade Commission (FTC) Chairman Deborah Majoras observed
that neither the ``unauthorized acquisition'' standard of California
law nor the ``misuse'' standard of the Interagency Guidance is optimal.
Instead, she and her colleagues on the FTC suggested a different
standard, one in which notifications would automatically go to
customers when a significant risk of harm to them exists as a result of
the breach. See Prepared Statement of the FTC before the Committee on
Commerce, Science, and Transportation on Data Breaches and Identity
Theft (June 16, 2005).
---------------------------------------------------------------------------
    Linking the notice trigger to a significant risk of harm strikes
the appropriate balance for both consumers and financial institutions
alike.
Specifically, before a broker-dealer is required to notify \npotentially great numbers of customers of a security breach, it should \nbe obligated to make a determination, following a reasonable \ninvestigation, that a significant risk of identity theft has occurred \nor could occur as a result of the breach. SIA recommends that the \nactual formulation for the notification trigger should be determined by \nfunctional regulators, through rulemaking. In the case of broker-\ndealers, the SEC is in the best position to make that determination.\nPrecise Definition of Sensitive Personal Information\n    As noted previously, 19 States and one locality have already passed \nlaws imposing consumer notification requirements in the event of a \nsecurity breach. In many of these States, the scope of the information \ncovered by the laws varies widely. For example, Arkansas and Delaware \nhave expanded California's definition of ``personal information'' to \ninclude medical information, while the definitions in the Illinois and \nMaine statutes include account numbers, regardless of whether they are \naccompanied by the security code required to access the account.\n    New York State's recently enacted law expands the definition of \ncovered personal information even further, to include ``any information \nconcerning a natural person which, because of name, number, personal \nmark, or other identifier, can be used to identify such natural \nperson,'' when acquired in combination with a Social Security number, \ndriver's license or State identification number, or account number with \na password or access code. Additionally, New York City's ordinance \ncovers all forms of data, whether on paper or computerized, and whether \nencrypted or not. 
In addition, the North Carolina legislature \nunanimously passed a law just last month, which now awaits only the \ngovernor's signature, that would specifically cover ``personal \ninformation in any form (whether computerized, paper, or otherwise).'' \nThis raises a question as to whether oral statements containing \npersonal information are also covered by the impending North Carolina \ndata security and notification law.\n    SIA believes that the scope of the type of information that \nunderpins any notification obligation should be carefully defined so \nthat the obligation to notify only arises when the sensitive personal \ninformation acquired in the breach can actually be used to perpetrate \nthe crime of identity theft upon a consumer. For instance, in the \nabsence of a key, encrypted information is useless to others who \nacquire it and should be excluded from the definition of sensitive \npersonal information, as it was in the California law. Consumers would \nbenefit more from a specific definition of covered personal information \nwhich includes combinations of identifying data, as opposed to a broad \ndefinition that includes any single piece of information which could \nnot alone be used to steal a consumer's identity.\nExclusive Functional Regulator Oversight and Rulemaking Authority\n    Given the existing regulatory framework of GLB and the depth of \nexpertise of the functional regulators in dealing with issues like \nidentity theft and data security, any legislation should continue to \nrecognize the primary role of the functional regulators in addressing \nthese issues by granting them exclusive rulemaking and oversight \nauthority.\n    Functional regulators are in the best position to evaluate the \nrisks for consumers served by each sector of the financial services \nindustry and to determine the specific consumer protection measures \nthat best address them. 
Functional regulators also have the expertise \nto adjust these protections over time as threat levels change and the \nindustry's ability to respond evolves. Likewise, functional regulators \nhave the ability to examine the institutions they regulate for \ncompliance and sanction those not in compliance. Accordingly, \nlegislation addressing the security of data held by securities firms \nand other financial institutions subject to GLB should provide that the \nfunctional regulators of these institutions have the exclusive \nauthority to develop and enforce appropriate regulations.\nFlexible Notification\n    The number and variety of security breaches reported in the press \nover the past 8 months have made clear that the optimal means of \nnotification will vary with the type and scope of security breach.\n    Accordingly, SIA suggests that businesses should be permitted to \ndeliver the customer notice in any timely manner designed to ensure \nthat a customer can be reasonably expected to receive it. The specific \nrequirements of any notification process should be determined by the \nfunctional regulators whose unique expertise will allow them to \ndetermine the optimal means of notification.\nReasonable Compliance Obligations\n    Security breaches may occur through no fault of the business and \ndespite the existence of reasonable safeguarding measures. As Deborah \nMajoras, Chairman of the FTC, said when she testified before the Senate \nCommerce Committee this past June, ``It is important to note . . . that \nthere is no such thing as perfect security, and breaches can happen \neven when a company has taken every reasonable \nprecaution.'' When that happens, businesses should be permitted to \nraise as an affirmative defense that they have acted in good faith and \nimplemented systems to reasonably comply with applicable regulations. 
\nThis opportunity will create incentives for businesses to better secure \ndata and reward those who have already taken such steps.\n    SIA supports a compliance regime that is both reasonable and \npredictable, with appropriate administrative liability for those \nbusinesses that fail to take the appropriate measures to protect \nsensitive consumer information. Given the complexity of the issues \nsurrounding a data breach, and the intimate knowledge that functional \nregulators have about the financial services industry, SIA believes \nthat any bill the Committee drafts should provide for administrative \nenforcement only.\nConclusion\n    American consumers and industries are currently facing a major \nthreat from criminals, including potential terrorists, who seek to \nperpetrate identity theft. The financial services industry takes very \nseriously its duty to safeguard the sensitive financial information \nthat pertains to its customers. The damage created by incidents of \nidentity theft and other kinds of fraud is not only an attack on \nconsumers, but also of serious concern to businesses whose reputations \ninevitably suffer from security breaches and who must bear the cost of \nthe fraud in both lost customers and reduced confidence in their brand.\n    We believe that to resolve these issues, the Banking Committee \nshould work to create carefully targeted legislation that embodies the \nprinciples we have outlined above. SIA is eager to serve as a valued \nresource for the Committee in this endeavor, and welcomes the \nopportunity to work with the Committee and its staff as it continues \nthis critically important work.\n    Mr. Chairman, thank you again for the opportunity to testify before \nthe Banking Committee today. I welcome your questions, and those of \nyour colleagues, and will endeavor to answer them fully and completely.\n\n                               ----------\n\n               PREPARED STATEMENT OF GILBERT T. 
SCHWARTZ\n                     Partner, Schwartz & Ballen LLP\n                            On Behalf of the\n                   American Council of Life Insurers\n                           September 22, 2005\n\nIntroduction\n    Chairman Shelby, Ranking Member Sarbanes, and Members of the \nCommittee, I am Gilbert Schwartz, Partner in the Washington DC law firm \nof Schwartz & Ballen LLP. I am appearing before the Committee today on \nbehalf of the American Council of Life Insurers (ACLI) to discuss the \nlife insurance industry's responsibilities and role in preventing \nidentity theft and protecting sensitive financial information.\n    ACLI is the principal trade association for the Nation's life \ninsurance industry. ACLI's 356 member companies account for 80 percent \nof the life insurance industry's total assets in the United States. \nACLI member companies offer life insurance, annuities, pensions, long-\nterm care insurance, disability income insurance, reinsurance, and \nother retirement and financial protection products.\n    This hearing represents another chapter in this Committee's long-\nstanding commitment to the protection of consumer information and to \nthe prevention of identity theft, as evidenced by the Committee's \ncentral role in the enactment of the Gramm-Leach-Bliley Act (the GLB \nAct) and the Fair and Accurate Credit Transactions Act of 2003 (the \nFACT Act). ACLI appreciates the opportunity to discuss with the \nCommittee the important role that life insurers play in protecting \nsensitive financial information of our policyholders and in preventing \nidentity theft.\nBackground\n    The issue of preserving the confidentiality and security of \ncustomer information is a critically important matter for our country. \nIt is significant not only to the Nation's economic well-being, but \nalso to insurers and other financial institutions that use this \ninformation to provide vital services to our country's consumers. 
Due \nto the inherent nature of the life insurance business, ACLI member \ncompanies obtain and maintain sensitive personal information about \ntheir policyholders and insureds. The life insurance industry has long \nrecognized the importance of maintaining and protecting the \nconfidentiality and security of this information and ensuring that it \nis not otherwise compromised.\n    Life insurers have long been committed to establishing and \nmaintaining processes that protect sensitive customer information and \nto preventing misuse of such information. Insurers expend considerable \nresources to achieve these objectives. They recognize that \npolicyholders expect insurers to protect their confidential personal \ninformation. Life insurers' recognition of the need to protect customer \ninformation predates enactment of the GLB Act. Indeed, ACLI and its \nmembers were, and continue to be, strong supporters of Title V's \nprivacy provisions.\nThe Gramm-Leach-Bliley Act\n    Title V of the GLB Act sets forth the Congressional policy that \nevery financial institution has an affirmative and continuing \nobligation to protect the security and confidentiality of personal \ninformation of its customers. 
The institution's primary supervisor is \nrequired to establish appropriate safeguards relating to \nadministrative, technical and physical safeguards to ensure the \nsecurity and confidentiality of such information, to protect against \nanticipated threats or hazards to the security or integrity of the \ninformation and to protect against unauthorized access to, or use of, \nsuch records that could result in substantial harm or inconvenience to \ncustomers.\n    The Federal agencies with supervisory authority over financial \ninstitutions have adopted comprehensive guidance or rules implementing \nthe GLB Act's data security provisions.\\1\\ In addition, 34 States have \nadopted comprehensive regulations or statutes which establish standards \nfor safeguarding customer information by insurers. The State \nrequirements generally track the National Association of Insurance \nCommissioners' Standards for Safeguarding Customer Information Model \nRegulation and are consistent with the Federal guidance.\n---------------------------------------------------------------------------\n    \\1\\ See 66 Fed. Reg. 8615 (February 1, 2001) (Office of the \nComptroller of the Currency, Federal Reserve Board, Federal Deposit \nInsurance Corporation, and Office of Thrift Supervision); 66 Fed. Reg. \n8152 (January 30, 2001) (National Credit Union Administration); and 67 \nFed. Reg. 36484 (May 23, 2002) (Federal Trade Commission).\n---------------------------------------------------------------------------\n    Under State law and regulation, life insurers are required to \nimplement a comprehensive written security program that includes \nadministrative, technical, and physical safeguards for the protection \nof customer information. The program must be appropriate to the size \nand complexity of the insurer and to the nature and scope of its \nactivities. 
The program must also be designed to ensure the security \nand confidentiality of customer information, protect against any \nanticipated threats or hazards to the security or integrity of customer \ninformation, and protect against unauthorized access to, or use of, \ncustomer information that could result in substantial harm or \ninconvenience to customers. Insurers also require that companies from \nwhich they receive operational services maintain rigorous information \nsecurity programs that meet the requirements of the GLB Act.\nIdentity Theft and the FACT Act\n    Consumers are very concerned with the issue of identity theft. The \nFederal Trade Commission has reported that the number of identity theft \ncomplaints rose to almost 250,000 in 2004, an increase of 15 percent \nfrom 2003. Identity theft accounted for 39 percent of the total number \nof consumer complaints, topping the list of consumer frauds reported by \nthe Federal Trade Commission by an overwhelming margin.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ ``National and State Trends in Fraud & Identity Theft, January-\nDecember 2004,'' Federal Trade Commission, February 1, 2005.\n---------------------------------------------------------------------------\n    Congress enacted the FACT Act, in part, to respond to the growing \ncrime of identity theft. It directs Federal regulators to develop \nguidance to identify and prevent identity theft. The Federal agencies \nhave proposed and adopted several regulations and provided guidance to \ndeter identity theft. 
We anticipate that additional guidance will be \nforthcoming to educate consumers and the financial industry as to how \nto reduce the incidence of identity theft.\nBreach of Security Notices\n    As a result of growing concerns with the possibility of identity \ntheft resulting from security breaches of information systems, 20 \nStates have enacted legislation requiring companies to notify consumers \nin the event their sensitive personal information is affected by a \nsecurity breach of their information systems. Additional States are \nconsidering legislation as well. These statutes typically require \ndisclosure of a breach of security of the computer system to the person \nwhose unencrypted sensitive information was or is reasonably believed \nto have been compromised. Generally, notice is not required if after \nreasonable investigation it is determined that there is no reasonable \nlikelihood of harm to customers.\n    Some States have adopted requirements that differ in certain key \nrespects. The need to track these differences and factor them into a \nnotification program will inevitably make it more difficult for \ninstitutions to send notices to consumers promptly. The complexity \nresulting from differing State requirements will likely mean that \nconsumers may experience delays in receiving timely notices. 
Moreover, \nState laws may also result in overlapping enforcement mechanisms, which \nincreases the likelihood of uneven enforcement policies from State to \nState.\nFederal Banking Agency Guidance\n    In March, 2005, the Federal banking agencies amended their \ninteragency guidance on information security safeguards to require \nbanking organizations to adopt response programs in the event of \nunauthorized access to customer information.\\3\\ Under the agency \nguidance, depository institutions are required to develop and implement \nrisk-based response programs to address incidents of unauthorized \naccess to customer information in customer information systems. The \nguidance requires that if, after conducting a reasonable investigation, \na depository institution determines that misuse of sensitive customer \ninformation has occurred or is reasonably possible, it should notify \nthe customer as soon as possible. Customer notice may be delayed if law \nenforcement authorities request a delay so as not to interfere with \ntheir criminal investigation.\n---------------------------------------------------------------------------\n    \\3\\ 70 Fed. Reg. 15736 (March 29, 2005).\n---------------------------------------------------------------------------\n    The notification requirement focuses on sensitive customer \ninformation because this type of information is most likely to be \nmisused by identity thieves. Sensitive customer information is regarded \nas the customer's name, address or telephone number in conjunction with \na Social Security number, driver's license number, credit or debit card \naccount number, or password or PIN that would allow someone to access \nthe customer's account.\nPossible Federal Legislation\nUniform Nationwide Protections\n    ACLI supports Federal legislation that provides uniform national \nstandards for notification to individuals whose personal information \nhas been subject to a security breach. 
ACLI member companies believe it \ncritical that the substantive requirements of Federal security breach \nnotification legislation preempt State or local laws or regulations \naddressing any aspect of this subject matter.\n    When a security breach occurs, it is important that the institution \nthat maintained the sensitive information move quickly to investigate \nthe nature of the breach, determine the likelihood that information may \nhave been misused and notify customers. The proliferation of State laws \nthat impose similar but varying requirements could result in a delay in \nnotifying consumers while separate notices are developed for consumers \nwho are located in States with nonuniform standards. Varying State \nrequirements, therefore, could have an adverse effect on consumers and \nincrease the likelihood that consumers will be victimized by identity \nthieves. Accordingly, ACLI urges Congress to establish uniform \npreemptive guidelines that will apply nationwide. Such an approach will \nbe beneficial to consumers because it will ensure that consumers \nreceive the same information in a timely fashion regardless of where \nthey reside.\nSensitive Consumer Information\n    ACLI believes that the Federal banking agencies and the States are \ncorrect in focusing attention on notice to consumers in connection with \nbreaches of security of unencrypted or unsecured sensitive consumer \ninformation, such as a person's name and address when combined with \nsuch information as account number or Social Security number. While \ndatabases may contain other personal information about their customers, \nmuch of the information is of little or no value to identity thieves. 
\nAccordingly, ACLI recommends that security breach legislation apply \nonly to sensitive consumer information obtained by an unauthorized \nperson if the information is not encrypted or secured by a method that \nrenders the information unreadable or unusable.\n    ACLI also believes that it is important that Federal security \nbreach notification legislation apply to all businesses that maintain \nsensitive consumer information. Consumers should be protected \nregardless of the nature of the business that maintains their sensitive \ninformation.\nLikelihood of Harm\n    ACLI member companies support legislation that avoids needlessly \nalarming consumers and undermining the significance of notification of \na security breach by requiring notification only when the security and \nconfidentiality of personal information is truly at risk. If the \nprimary purpose of security breach legislation is to alert consumers to \nthe possibility that their sensitive personal information may be \nsubject to identity theft, it makes good sense to require companies to \ninform consumers only when there is a significant likelihood of \nidentity theft. If there is little chance of identity theft or \nsubstantial harm, why needlessly alarm consumers when personal \ninformation is not at risk?\nEnforcement and Rulemaking\n    It is also very important that there be uniform enforcement of \nnotification standards. For this reason, ACLI strongly supports \nenforcement of insurers' compliance with security breach legislation \nexclusively by the Department of the Treasury. The Treasury Department \nhas extensive experience with the insurance industry in connection with \nthe implementation and enforcement of laws such as the \nUSA PATRIOT Act, the Terrorism Risk Insurance Act and the Bank \nSecrecy Act, as well as regulations promulgated by the Office of \nForeign Assets Control. 
As a result of this experience, ACLI believes \nthat the Treasury is well positioned to implement and enforce the \ninsurance industry's compliance with security breach notification \nlegislation.\n    In the event it is not possible to provide for enforcement \njurisdiction by the Treasury Department, ACLI recommends adoption of \nthe enforcement structure set out in the GLB Act. Under this approach, \nan insurer's compliance with Federal breach of security notification \nlegislation would be enforced exclusively by the insurance authority of \nthe insurer's State of domicile. If this approach is used, ACLI also \nrequests that the legislation state that it is the intent of the \nCongress that State insurance authorities enforce the legislation in a \nuniform manner.\n    If Federal security breach notification legislation provides for \npromulgation of implementing regulations, ACLI believes that the \nlegislation should provide for the promulgation of uniform standards \njointly by the relevant Federal agencies. Such an approach ensures that \nguidance will be applied uniformly across all industries and that the \nspecial needs of each sector of the economy will be taken into account \nand carefully considered. Adoption of joint standards has the added \nbenefit of avoiding potential confusion among consumers because it \nprovides certainty as to what consumers can expect to receive from \ncompanies that possess their sensitive information.\nConclusion\n    The issues you have before you today are indeed complex. They \nshould be carefully studied and considered, as you are doing. ACLI \nanticipates that legislation you adopt will provide meaningful \nprotection to consumers who might otherwise become victims of identity \ntheft.\n    Thank you for your attention.\n\n                               ----------\n\n                PREPARED STATEMENT OF OLIVER I. 
IRELAND\n                    Partner, Morrison & Foerster LLP\n                            On Behalf of the\n                      American Bankers Association\n                           September 22, 2005\n\n    Mr. Chairman and Members of the Committee, my name is Oliver \nIreland. I am a Partner in the law firm of Morrison & Foerster LLP, \npracticing in the firm's Washington, DC office. I am here today on \nbehalf of the American Bankers Association (ABA) to address the role of \nbanking institutions in protecting consumers from identity theft and \naccount fraud.\n    ABA, on behalf of the more than two million men and women who work \nin the nation's banks, brings together all categories of banking \ninstitutions to best represent the interests of this rapidly changing \nindustry. Its membership--which includes community, regional, and money \ncenter banks and holding companies, as well as savings associations, \ntrust companies, and savings banks--makes ABA the largest banking trade \nassociation in the country.\n    In general terms, identity theft occurs when a criminal uses \npersonal identifying information relating to another person (generally, \na name, address, and Social Security number (SSN)) to open a new \naccount in that person's name. Identity theft can range from using a \nperson's personal identifying information to obtain a cell phone, lease \nan apartment, open a credit card account, or obtain a mortgage loan or \neven a driver's license. In addition, in some cases, information \nrelating to consumer accounts can be used to initiate unauthorized \ncharges to those accounts.\n    The issue of identity theft and account fraud, and related concerns \nabout data security, are of paramount importance to banking \ninstitutions and the customers that we serve. Identity theft and \naccount fraud can harm consumers and banking institutions, and \nchallenge law enforcement. 
A major priority of the banking industry is \nstopping identity theft and account fraud before it occurs, and \nresolving those unfortunate cases that do occur. Both consumers and \nbanking institutions benefit from a financial system that protects \nsensitive information relating to consumers, while remaining efficient, \nreliable, and convenient.\n    In my statement, I would like to emphasize three key points:\nBanking Institutions Are Already Regulated\n    Unlike many other industries that maintain or process consumer \ninformation, banking institutions and their customer information \nsecurity programs are subject to regulatory requirements and regular \nexaminations. Banking institutions have a vested interest in protecting \nsensitive information relating to their customers, and work \naggressively to do so.\nUniform Approach Will Promote Information Security\n    The security of sensitive consumer information will be promoted \nmost effectively by a uniform national standard.\nSecurity Breach Notification Requirements Should be Risk-Based\n    Any requirements should focus on situations that create a \nsubstantial risk of identity theft. Over-notification of consumers \nabout breaches of information security will desensitize consumers and \nmay lead consumers to ignore the very notices that explain the action \nthey need to take to protect themselves from identity theft.\nBanking Institutions Are Already Regulated\n    Among those that handle and process sensitive consumer information, \nbanking institutions are among the most highly regulated and closely \nsupervised. 
Title V of the Gramm-Leach-Bliley Act (GLB Act), and \nassociated rulemakings and guidance, require bank institutions not only \nto limit the disclosure of customer information, but also to protect \nthat information from unauthorized accesses or uses and to notify \ncustomers when there is a breach of security with respect to sensitive \ninformation relating to those customers.\n    Banking institutions have a strong interest in protecting customer \ninformation. Banking institutions that fail to earn and to maintain the \ntrust of their customers will lose those customers. In the competitive \nmarket for financial services, consumers tend to hold their banking \ninstitution accountable for any problems that they experience with \ntheir accounts or information, regardless of the actual source of the \nproblem. For example, if fraud is committed on a bank account as a \nresult of a breach of security at a data processor working for a \nretailer--an entity that the bank does not control--the customer is \nlikely to first seek a solution through his or her bank. Therefore, \ninformation security is critical in order for banking institutions to \nmaintain customer relations.\n    Because banking institutions do not impose the losses for \nfraudulent accounts on consumers and because banking institutions do \nnot impose the losses associated with fraudulent transactions made on \nexisting accounts on their customers, banking institutions incur \nsignificant costs from identity theft and account fraud. These costs \nare in the form of direct dollar losses from credit that will not be \nrepaid, and also can be in the form of indirect costs, including \nreputational harm. In addition, when a breach of information security \noccurs at a banking institution, the banking institution typically \nincurs other costs in responding to that breach. 
Accordingly, banking \ninstitutions aggressively protect sensitive information relating to \ntheir customers.\nExisting Security Guidance\n    Earlier this year, the Federal banking agencies revised their \nguidance, originally issued in 2001 under Section 501(b) of the GLB \nAct, concerning the security of customer information. The revised \nguidance requires banking institutions to notify their customers of \nbreaches of the security of sensitive information relating to those \ncustomers. We support the agencies' action and recommend their general \napproach as a model for going forward.\n    Already in force, the guidance requires banking institutions to \nestablish and maintain comprehensive information security programs to \nidentify and assess the risks to customer information and then to \naddress these potential risks by adopting appropriate security \nmeasures. The guidance requires that each banking institution's program \nfor information security must be risk-based. Each banking institution \nmust tailor its information security program to the specific \ncharacteristics of its business, customer information, and customer \ninformation systems, and must continuously assess the threats to its \ncustomer information and customer information systems. As those threats \nchange, a banking institution must appropriately adjust or upgrade its \nsecurity measures to respond to those threats.\n    A banking institution must consider access controls on its customer \ninformation systems, background checks for employees with \nresponsibilities for access to customer information systems, and a \nresponse program in the event of unauthorized access to customer \ninformation. 
Not only do these requirements apply to customer \ninformation while in the banking institution's customer information \nsystems, but the guidance also requires that a banking institution's \ncontracts with its service providers must require those service \nproviders to implement appropriate measures to protect against \nunauthorized access to or use of customer information.\n    A banking institution also must implement a risk-based response \nprogram to address instances of unauthorized access to customer \ninformation. A risk-based response program must include plans to:\n\n<bullet> Assess the nature and scope of an incident of unauthorized \n    access to customer information, and identify what customer \n    information systems and the types of customer information that have \n    been accessed or misused;\n<bullet> Notify the banking institution's primary Federal regulator \n    ``as soon as possible'' about any threats ``to sensitive customer \n    information;''\n<bullet> Consistent with Suspicious Activity Report (SAR) regulations, \n    notify appropriate law enforcement authorities and file SAR's in \n    situations involving Federal criminal violations requiring \n    immediate attention; and\n<bullet> Take appropriate steps to contain the incident to prevent \n    further unauthorized access to or use of customer information. This \n    could include, for example, monitoring, freezing, or closing \n    accounts, while preserving records and other evidence.\nExisting Notification Requirements\n    A critical component of the guidance is customer notification. The \nguidance dictates that when a banking institution becomes aware of a \nbreach of ``sensitive \ncustomer information,'' it must conduct a reasonable investigation to \ndetermine whether the information has been or will be misused. 
If the \nbanking institution determines that misuse of the information ``has \noccurred or is reasonably possible,'' it must notify, as soon as \npossible, those customers to whom the information relates. Customer \nnotification may be delayed if law enforcement determines that \nnotification will interfere with an investigation and provides a \nwritten request for a delay. The banking institution need only notify \ncustomers affected by the breach where it is able to identify those \naffected. If it cannot identify those affected, it should notify all \ncustomers in the group if it determines that misuse of the information \nis reasonably possible.\n    The customer notification standards established by the guidance \ncombine tough security measures with practical steps designed to help \nconsumers. These standards assure a timely, coordinated response that \nenables consumers to take steps to protect themselves, in addition to \nknowing the steps that their banking institution has taken to address \nthe incident. The guidance permits banking institutions to focus their \nresources in a result-orientated way, without requiring unnecessary and \npossibly misleading customer notifications.\n    The customer notices required under these standards must be clear \nand conspicuous. The notices must describe the incident in general and \nthe type of customer information affected. In addition, the notices \nmust generally describe the banking institution's actions to protect \nthe information from further unauthorized access and include a \ntelephone number by which the customers can contact the institution \nconcerning the incident. The notices should remind customers to remain \nvigilant over the following 12 to 24 months and to promptly report \nincidents of suspected identity theft to the institution. 
Where \nappropriate, the notices also should include:\n\n<bullet> Recommendations that the customer review account statements \n    immediately and report any suspicious activity;\n<bullet> A description of fraud alerts available under the Fair Credit \n    Reporting Act (FCRA), and how to place them;\n<bullet> Recommendations that the customer periodically obtain credit \n    reports and have incorrect information removed from those reports;\n<bullet> Explanations of how to obtain a free credit report; and\n<bullet> Further information about the agencies' guidance.\nRisk-Based Standard\n    The agencies' approach encourages banking institutions to work on \nan ongoing basis with their regulators and customers, while requiring \nthe institutions to take concrete and well-defined steps to address a \nsuspected security breach. Immediately upon the discovery of a breach \nof any size or scope, banking institutions are required to communicate \nthe problem to their primary regulator and to begin devising a strategy \nto best deal with the problem. This fosters close cooperation between \nbanking institutions and their regulators in order to keep the focus \nwhere it belongs: protecting consumers.\n    Although serious, a data security breach does not automatically, \nnor necessarily, result in identity theft or account fraud. Customer \ndata is stored and transmitted in a variety of unique media forms that \nrequire highly specialized and often proprietary technology to read, \nand may be subject to sophisticated encryption. Even if customer data \nfinds itself in the wrong hands, it is often not in a readable or \nuseable form. 
Banking institutions and their regulators need to retain
the ability to react to each situation using a risk-based approach,
which takes into account the ability to use the information to harm
consumers through identity theft or account fraud.
Uniform Approach Will Promote Information Security
    In order to provide meaningful and consistent protection for all
consumers, all entities that handle sensitive consumer information--not
just banking institutions--should be subject to similar information
security standards. For example, retailers, data brokers, and even
employers collect sensitive consumer information, but many of these
entities are not subject to data security and/or security breach
notification requirements. These entities, including data brokers, such
as ChoicePoint, universities, hospitals, private businesses, and even
the Federal Deposit Insurance Corporation, have been the victims of
security breaches. The information security breaches that have occurred
at banking institutions over the past year represent only a small
percentage of the breaches that have been reported. However, any entity
that maintains sensitive consumer information should protect that
information and should provide notice to consumers when a security
breach has occurred with respect to that information and the affected
consumers can take steps to protect themselves.
    It is not necessary to design a completely new system to address
this issue. The regulations that already apply to banking institutions
offer policymakers both a model and a measure of experience to aid in
establishing umbrella consumer protections that span all industries
that maintain sensitive consumer information. In
considering the extension of bank-like regulation to unregulated
industries that maintain sensitive consumer information, we believe
that Congress should focus on a uniform approach that is designed to
protect consumers from actual harm.
Uniformity Benefits Consumers
    National uniformity is critical to preserving a fully functioning
and efficient national marketplace. A score of state legislatures have already passed
new data security or privacy bills that will take effect in 2006. While
these laws have many similarities, they also have many differences.
Millions of businesses--retailers, insurers, banks, employers,
landlords, and others--use consumer information to make important
everyday decisions on the eligibility of consumers for credit,
insurance, employment, or other needs. State laws that are inconsistent
result in both higher costs and uneven consumer protection. In some
cases, a single State that adopts a unique requirement or omits a key
provision can effectively nullify the policies of the other States.
Security Breach Notification Requirements Should be Risk-Based
    While it is important to protect all sensitive consumer information
from unauthorized use, it is most critical to protect consumers from
identity theft and account fraud. In order to avoid immunizing
consumers to notices that information about them may have been
compromised, security breach notification requirements, like the
Federal banking agencies' guidance, should be limited to those cases
where the consumer needs to act to protect himself or herself from
substantial harm. Security breach notification requirements should be
tailored to those circumstances and, within these circumstances, to the
type of threat presented.
    For example, a breach involving consumers' names and SSN's may
expose them to the risk of identity theft, while a breach involving
account information may pose no risk or cost to the consumer or may
require the consumer to follow established procedures to reverse
erroneous changes to their accounts. In each case, the need for
notification and the form of notification will differ. Any Federal
legislative requirement must recognize and accommodate these
differences.
Other Issues
    While we believe that Federal legislation should focus on the
security of sensitive consumer information and notification where a
breach of that security threatens substantial harm to consumers, we
recognize that in connection with this debate other issues, including
the ability of consumers to place ``security freezes'' on their credit
reports and the regulation of the display or sale of SSN's, have been
raised. With respect to security freezes, we believe that the FCRA
fraud alert system adopted in the Fair and Accurate Credit Transactions
Act of 2003 appropriately alerts creditors to the potential for
identity theft on particular accounts. It would be premature to discard
this system in favor of a system of security freezes that could
significantly disrupt the credit granting process by preventing
consumers from obtaining credit without going through time-consuming
procedures to lift security freezes.
    With respect to potential limitations on the display or sale of
SSN's, it is important to avoid unintended consequences. For example,
disrupting the many transactions that rely on these numbers, including
the identification of bank customers for purposes of Section 326 of the
USA PATRIOT Act, could harm consumers and national interests.
    Finally, it is important to remember that regulatory compliance
costs fall disproportionately on community banks. Any legislative
solution to data security must consider these and other costs that
would be imposed on community banks and their customers.
Conclusion
    Banking institutions are proud of their record in protecting sensitive
information relating to their customers, and will continue to work with
the Committee and banking regulators to ensure consumers receive the
highest level of protection possible.
    Thank you. I will be happy to answer any questions that you may
have.

       RESPONSE TO WRITTEN QUESTIONS OF SENATOR BUNNING
                     FROM IRA D. HAMMERMAN

Q.1. Do you have an opinion on what kind of notice should be
sent out?

A.1. A notification requirement should be flexible, allowing
financial institutions to deliver the notice in any manner
designed to ensure that a customer can be reasonably expected
to receive it, such as via website, regular mail, e-mail, or
even oral notification depending upon the circumstances. In
addition, firms need to have flexibility in the content of the
notice so that the communications may be geared to the business
and the particular situation.

Q.2. What do you consider harm? If account numbers are
compromised, is that considered harm? If a Social Security
number is compromised?

A.2. Before a financial institution is required to notify
customers of a security breach of sensitive information, the
firm must make a determination, after reasonable investigation,
that there is a significant risk of identity theft or fraud.
Notification for every incident, without regard to the risk of
identity theft or fraud, would only overwhelm customers with
notices, and only serve to needlessly frighten and confuse
people.
    A brokerage account number by itself--without other
information--would likely have little value. A financial
institution would need to assess the facts and circumstances of
the entire incident to determine the risk to the customer.
Monitoring account activity and/or merely changing an account
number might limit the risk so that there is no need to notify
the customer. Changing account numbers should not be deemed to
cause substantial inconvenience.
    SIA believes that the scope of the type of information that
underpins any notification obligation should be carefully
defined so that the obligation to notify only arises when the
sensitive personal information acquired in the breach can
likely be used to perpetrate the crime of identity theft or
fraud upon a consumer. For instance, in the absence of a key,
encrypted information is useless to others who acquire it and
should be excluded from the definition of sensitive personal
information. Consumers would benefit more from a specific
definition of covered personal information which includes
combinations of identifying data, as opposed to a broad
definition that includes any single piece of information which
could not alone be used to steal a consumer's identity.

Q.3. If the Committee put forward a data breach bill, what
would you suggest be covered?

A.3. All businesses, not just financial institutions, should be
required to protect the information that consumers provide to
them, and provide notification of a data breach where there is
significant risk of identity theft or fraud. Given that
securities firms and other financial institutions are already
covered by the Gramm-Leach-Bliley Act (GLB), any legislation
addressing data breach should provide that the functional
regulators of financial institutions subject to GLB have the
exclusive authority to develop and enforce appropriate
regulations. Moreover, legislation that extends beyond data
breach, possibly into unrelated areas of privacy, would lessen
the chances for a prompt and appropriate Congressional
response.

Q.4. Do any of you believe Social Security numbers should be
truncated? Do you think their use should be limited? What
protections do you suggest for use of the Social Security
number?

A.4. SIA believes that in light of the restrictions on
financial institutions' use and transfer of Social Security
numbers under GLB, further restrictions on financial
institutions are unnecessary. The GLB and its implementing
regulations treat a financial institution's consumer's Social
Security number as protected ``nonpublic personal
information.'' Therefore, each financial institution customer
has the right to block a financial institution from selling or,
subject to exceptions, transferring his or her Social Security
number to a nonaffiliated third party or the general public. In
short, a financial institution customer is fully protected with
respect to a financial institution's transfer of Social
Security numbers, yet legitimate and important uses of these
numbers remain permissible.

       RESPONSE TO WRITTEN QUESTIONS OF SENATOR BUNNING
                    FROM GILBERT T. SCHWARTZ

Q.1. Do you have an opinion on what kind of notice should be
sent out?

A.1. Notices should be sent to consumers only when the security
and confidentiality of personal information is at risk and
where the breach is likely to lead to substantial financial
loss or material inconvenience to consumers. Companies should
be permitted to send notices by mail, e-mail, or other means
that ensure that notice will be received by affected
consumers. If the security breach affects a significant number
of consumers, we believe that companies should be permitted to
provide notice via notice to media in the area in which the
affected consumers are located and by posting an appropriate
notice on the companies' websites.

Q.2. What do you consider harm? If account numbers are
compromised, is that considered harm? If a Social Security
number is compromised?

A.2. If a security breach is unlikely to result in harm to
consumers, there is no need for consumers to take any action to
protect themselves. Consumers should not be needlessly alarmed
nor should companies be needlessly subjected to the
considerable expense associated with providing notifications to
consumers when the security and confidentiality of personal
information is not at risk or when the breach is not likely to
lead to substantial financial loss or material inconvenience to
consumers. Accordingly, the compromise of account numbers or
Social Security numbers should be considered harm only if it is
likely to lead to substantial financial loss or material
inconvenience to consumers.

Q.3. If the Committee put forward a data breach bill, who would
you suggest be covered?

A.3. Federal data security breach legislation should cover any
entity that maintains sensitive personal information about
individuals.

Q.4. Do any of you believe Social Security numbers should be
truncated?

A.4. It is of utmost importance to the insurance industry that
information companies obtain about applicants, policyholders,
insureds, and beneficiaries be associated with the correct
individuals. A person's Social Security number is a unique
identifier and is one of the most reliable means of assuring
that the information insurers receive relates to the correct
person. We are concerned that truncation of Social Security
numbers could jeopardize insurers' ability to ensure that
accurate and reliable information is obtained about the correct
individual.

Q.5. Do you think their use should be limited?

A.5. It is critically important that insurers continue to have
access to Social Security numbers to ensure the accuracy of
information received about applicants, insureds, and
policyholders and beneficiaries and to perform insurance
business functions. In view of the significant role Social
Security numbers play in processing and managing information
needed by insurers in their normal operations, we believe that
it is important to preserve the ability of insurers to serve
existing and prospective customers. Accordingly, we believe
that no limitations should be placed on the ability of insurers
to use Social Security numbers.

Q.6. What protections do you suggest for use of the Social
Security number?

A.6. We believe that Social Security numbers should be subject
to administrative, technical, and physical safeguards to
protect the confidentiality and integrity of Social Security
numbers in the possession of any business entity.

       RESPONSE TO WRITTEN QUESTIONS OF SENATOR BUNNING
                     FROM OLIVER I. IRELAND

Q.1. Do you have an opinion on what kind of notice should be
sent out?

A.1. As stated in our written testimony, the ABA believes that
notice of a security breach should only be required where
consumers need to act to protect themselves from substantial
harm resulting from the breach. More specifically, notice
should only be required where it is reasonably likely that
information involved in a security breach will be misused in a
manner causing substantial harm, such as identity theft or
account fraud, to the consumers. The type of notice that should
be provided should depend on the type of sensitive information
involved in the breach and the risks surrounding misuse of that
information.
    Consumers face different risks depending on what type of
sensitive information is involved in a security breach. For
example, if a breach involves only a consumer's name and
address in combination with the consumer's Social Security
number (SSN) or taxpayer identification number (collectively,
sensitive personal information), the consumer may face a risk
of identity theft because the thief may be able to use that
information to open fraudulent accounts in the consumer's name.
However, the consumer would not face a risk of account fraud
because this information is not sufficient to access specific
accounts. Conversely, if a breach involves only a consumer's
name and financial account number in combination with any
password or code that is required to access the account
(sensitive account information), the consumer would not face a
risk of identity theft because this information alone cannot be
used to open fraudulent accounts. However, the fraudster may be
able to use that information to commit account fraud on
existing accounts.
    The appropriate response by consumers to a security breach
also depends on the type of sensitive information involved in
the breach and the risks surrounding the misuse of that
information. For example, if a breach involves sensitive
personal information, a consumer can take several steps to
prevent or mitigate the effects of identity theft resulting
from the breach. The consumer can place an initial fraud alert
on his or her credit file at a consumer reporting agency (CRA)
in order to alert creditors that an identity thief may attempt
to open a fraudulent account in the consumer's name and also to
trigger creditors' duties to verify an applicant's identity and
confirm that the application is not the result of identity
theft. The consumer also may wish to monitor his or her credit
report to determine whether any fraudulent accounts have been
opened in his or her name. However, the consumer would not need
to monitor or close his or her existing financial accounts
because there is not a risk of account fraud.
    If a security breach involves sensitive account
information, a consumer will not be at a risk of identity theft
and should not expend time and valuable resources to address a
risk that does not exist. Sensitive account information
generally will not enable an identity thief to open fraudulent
accounts. Instead, the consumer should monitor the account to
which the information relates, and promptly report any
fraudulent transactions made on that account. Federal law,
including the Truth in Lending Act and the Electronic Fund
Transfer Act, and State law, in the form of the Uniform
Commercial Code, provide strong remedies for consumers to
address account fraud. In most instances when a consumer reports a
fraudulent transaction to a banking institution, the
institution will promptly credit the consumer's account for the
transaction, often requiring only a phone call by the consumer.
    Because consumers face different risks when a security
breach involves different types of sensitive information, and
because the appropriate response to these risks differs,
consumers should receive different notices that take into
account these different risks and responses. For example, if a
security breach involves sensitive personal information, the
notice to consumers should include: (1) a brief description of
the breach, including the type of sensitive personal
information involved in the breach; (2) the Federal Trade
Commission contact information to obtain model forms and
procedures for consumers who may be at risk of identity theft;
and (3) the nationwide CRAs' contact information for obtaining
credit reports and filing fraud alerts. If a security breach
involves sensitive account information, the notice to consumers
should include: (1) a brief description of the breach,
including the type of sensitive account information involved in
the breach; and (2) a recommendation that they review account
statements and report suspicious activity or transactions to
the account-holding institution.

Q.2. What do you consider harm? If account numbers are
compromised, is that considered harm? If a Social Security
number is compromised?

A.2. It is appropriate to focus security breach notification
requirements on those breaches in which consumers face a risk
of substantial harm from identity theft or account fraud. If
notice is not limited to those breaches involving a risk of
substantial harm, consumers will be inundated with notices, and likely will
disregard all security breach notices, including in
circumstances where they actually need to take steps to protect
themselves from identity theft or account fraud. In addition,
the costs of providing notice will increase dramatically.
    Whether or not consumers are at risk of substantial harm
from identity theft or account fraud as a result of a security
breach will depend on the facts surrounding that breach. In
many instances, consumers in fact should not be at risk of
substantial harm from identity theft or account fraud even
though a security breach may have involved sensitive personal
information or sensitive account information. For example, if a
breach involves sensitive personal information or sensitive
account information that was encrypted or redacted (or is
otherwise unusable), consumers should not be at risk of
substantial harm from identity theft or account fraud because
the information cannot be used in that form to commit identity
theft or account fraud. Similarly, if a breach involves
sensitive account information, such as credit card numbers, but
the account-holding institution maintains a sophisticated
neural network or fraud detection program to detect and block
fraudulent transactions before they occur, consumers are not at
risk of substantial harm from account fraud. For example,
credit card issuers often proactively telephone consumers about
suspected account fraud and provide new accounts if the
consumers confirm that fraud has occurred. The fraudulent
transactions never even appear on a statement. In these cases,
the only ``harm'' suffered by a consumer may be answering a
brief phone call.

Q.3. If the Committee put forward a data breach bill, who would
you suggest be covered?

A.3. In order to provide meaningful and consistent protection
for all consumers, all entities that hold sensitive personal
information or sensitive account information should be subject
to similar data security and security breach notification
requirements with respect to that information. As we noted in
our testimony, Title V of the Gramm-Leach-Bliley Act (GLBA),
and associated rulemakings and guidance, require banking
institutions not only to limit the disclosure of customer
information, but also to protect that information from
unauthorized access or use and to notify customers when there
is a breach of security with respect to sensitive information
relating to those customers. However, most businesses,
including retailers and CRA's, are not subject to data security
and/or security breach notification requirements.

Q.4. Do any of you believe Social Security numbers should be
truncated?

A.4. In certain instances, requiring the truncation of SSN's,
or otherwise limiting the use of SSN's, may be appropriate. For
example, under the Fair Credit Reporting Act, a consumer who
requests a file disclosure from a CRA also may request that the
CRA truncate the consumer's SSN in that disclosure. However, in
everyday transactions, banking institutions and other
businesses use SSN's as an identifier for important and
legitimate purposes, including compliance with Federal law. Any
decision by Congress to limit the use of SSN's or to impose
restrictions with respect to the use of SSN's, such as
truncation or encryption requirements, must include exceptions
that permit the important and legitimate uses of SSN's by
banking institutions and other businesses, including for the
prevention of fraud, the facilitation of credit checks, the
identification of prospective employees, and compliance with
Federal law.
    The use of the SSN as an identifier in everyday
transactions has grown dramatically over the years. Generations
ago, when consumers lived, worked and shopped locally, their
good name in the community enabled them to obtain credit,
employment, insurance, and other services. With today's more
transient population and with the advent of national markets
due to the Internet and other improvements in communication,
the vast majority of businesses obtain and use SSN's to
identify consumers. Today, critical decisions about credit,
employment, insurance, and other services depend on the
availability of SSN's.
    SSN's provide a unique number that is issued by the Federal
Government and can be used to link information to a consumer.
More than 280 million people live in the United States, and
tens of thousands of these people share the same name. And,
many people who share the same name also share other
identifying information, such as the city and State of
residence or month and year of birth. Unlike other identifying
information, such as name, address and marital status, an
individual's SSN does not change over that individual's life,
and no other living person shares that number.
    Banking institutions and other businesses, including
insurance companies, utility companies, and cell phone
providers, use SSN's to obtain credit reports and credit scores
and to obtain public record information about individuals. The
nationwide CRA's maintain credit files on nearly 200 million
individuals. These files are linked to SSN's. If businesses
cannot obtain SSN's and provide these numbers to CRA's when
requesting credit reports and credit scores, it would be
difficult if not impossible to ensure that the credit report or
credit score they receive relates to the appropriate consumer.
This process of identifying and approving consumers would be
slower and far less accurate without SSN's. Any delays in
approving credit would be particularly hard on retail stores
that offer ``instant credit'' to their customers. Similarly,
public records serve as an important source of information
about individuals. SSN's are necessary to ensure that public
record information is matched to the appropriate individuals.
    If banking institutions cannot obtain and use SSN's to
verify the identity of consumers, fraud, including identity
theft, could increase substantially. Banking institutions use
identification services based on SSN's to properly identify
consumers and to prevent identity theft and other fraud. In
addition, if SSN's cannot be obtained, banking institutions
will not be able to comply with Federal laws designed to
prevent money laundering and terrorist financing. For example,
the regulations implementing Section 326 of the USA PATRIOT Act
require every bank, as part of its customer identification
program, to collect taxpayer identification numbers, typically
SSN's, and to verify the identities of individuals seeking to
open new accounts.
    The ability of businesses to screen applicants for
employment also would be impaired by limiting the use or
availability of SSN's. Many businesses obtain SSN's from job
applicants in order to obtain credit reports or to conduct
background checks. For example, businesses ranging from banking
institutions to nursing homes, day care facilities, and
security companies obtain and use SSN's in order to determine
job applicants' histories, including whether they have criminal
records. And, for tax purposes, all employers are required to
obtain and enter on every W-2 form each employee's name and
SSN.
    Although it may be possible to develop a secure and
dependable replacement for SSN's, any such system would require
years, if not decades, to implement, could substantially
increase personal verification and transaction costs and,
ultimately, likely would be just as susceptible to fraud as
SSN's. In the meantime, any decision to limit the use or
availability of SSN's must include exceptions that permit the
important and legitimate uses of SSN's by banking institutions
and other businesses, including for the prevention of fraud,
the facilitation of credit checks, the identification of
prospective employees, and compliance with Federal law.
    Although arguably the ``truncation'' of SSN's could have a
lesser impact than an outright limitation on the use or
disclosure of SSN's, any truncation of SSN's would impair the
current legitimate business uses of SSN's. For example, only
allowing use of the last four digits of an SSN could result in
a significant number of errors in identifying individuals.

Q.5. Do you think their use should be limited?

A.5. See response to question 4.

Q.6. What protections do you suggest for use of the Social
Security number?

A.6. Any entity or person that maintains or possesses an SSN
relating to a consumer should be required to protect the
security and confidentiality of that number and also to notify
the consumer if the security of that number is breached and the
consumer is at risk of substantial harm from identity theft.
</pre></body></html>