[Senate Hearing 109-728]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 109-728

 
                    EXAMINING THE FINANCIAL SERVICES
                  INDUSTRY'S RESPONSIBILITIES AND ROLE
                    IN PREVENTING IDENTITY THEFT AND
               PROTECTING SENSITIVE FINANCIAL INFORMATION

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                   BANKING, HOUSING, AND URBAN AFFAIRS
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                                   ON

 EXAMINING THE FINANCIAL SERVICES INDUSTRY'S RESPONSIBILITIES AND ROLE 
    IN PREVENTING IDENTITY THEFT AND PROTECTING SENSITIVE FINANCIAL 
                              INFORMATION

                               __________

                           SEPTEMBER 22, 2005

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs


       Available at: http://www.access.gpo.gov/congress/senate/
                            senate05sh.html


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
31-069                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                  RICHARD C. SHELBY, Alabama, Chairman

ROBERT F. BENNETT, Utah              PAUL S. SARBANES, Maryland
WAYNE ALLARD, Colorado               CHRISTOPHER J. DODD, Connecticut
MICHAEL B. ENZI, Wyoming             TIM JOHNSON, South Dakota
CHUCK HAGEL, Nebraska                JACK REED, Rhode Island
RICK SANTORUM, Pennsylvania          CHARLES E. SCHUMER, New York
JIM BUNNING, Kentucky                EVAN BAYH, Indiana
MIKE CRAPO, Idaho                    THOMAS R. CARPER, Delaware
JOHN E. SUNUNU, New Hampshire        DEBBIE STABENOW, Michigan
ELIZABETH DOLE, North Carolina       ROBERT MENENDEZ, New Jersey
MEL MARTINEZ, Florida

             Kathleen L. Casey, Staff Director and Counsel

     Steven B. Harris, Democratic Staff Director and Chief Counsel

                         Mark Oesterle, Counsel

                Skip Fischer, Senior Staff Professional

              John V. O'Hara, Senior Investigative Counsel

                 Dean V. Shahinian, Democratic Counsel

   Joseph R. Kolinski, Chief Clerk and Computer Systems Administrator

                       George E. Whittle, Editor

                                  (ii)


                            C O N T E N T S

                              ----------                              

                      THURSDAY, SEPTEMBER 22, 2005

                                                                   Page

Opening statement of Chairman Shelby.............................     1

Opening statements, comments, or prepared statements of:
    Senator Sarbanes.............................................     2
    Senator Allard...............................................     2
    Senator Reed.................................................     2
    Senator Dole.................................................     3
    Senator Bunning..............................................     5
    Senator Dodd.................................................    22
    Senator Carper...............................................    30
    Senator Pryor................................................     6
        Prepared statement.......................................    33

                               WITNESSES

Stuart K. Pratt, President and CEO, Consumer Data Industry 
  Association....................................................     8
    Prepared statement...........................................    34
Edmund Mierzwinski, Consumer Program Director, U.S. Public 
  Interest Research Group on Behalf of Consumer Federation of 
  America, Consumers Union, Electronic Privacy Information 
  Center, Privacy Consultant Mari Frank, Privacy Rights 
  Clearinghouse, Privacy Times, U.S. Public Interest Research 
  Group, and World Privacy Forum.................................    10
    Prepared statement...........................................    39
Ira D. Hammerman, Senior Vice President and General Counsel, 
  Securities Industry Association................................    12
    Prepared statement...........................................    62
    Response to written questions of Senator Bunning.............    74
Gilbert T. Schwartz, Partner, Schwartz & Ballen LLP, on Behalf of 
  the American Council of Life Insurers..........................    13
    Prepared statement...........................................    66
    Response to written questions of Senator Bunning.............    75
Oliver I. Ireland, Partner, Morrison & Foerster LLP, on Behalf of 
  the American Bankers Association...............................    15
    Prepared statement...........................................    69
    Response to written questions of Senator Bunning.............    76

                                 (iii)


                    EXAMINING THE FINANCIAL SERVICES
                    INDUSTRY'S RESPONSIBILITIES AND
                   ROLE IN PREVENTING IDENTITY THEFT
             AND PROTECTING SENSITIVE FINANCIAL INFORMATION

                              ----------                              


                      THURSDAY, SEPTEMBER 22, 2005

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.

    The Committee met at 10:25 a.m., in room SD-538, Dirksen 
Senate Office Building, Senator Richard C. Shelby (Chairman of 
the Committee) presiding.

        OPENING STATEMENT OF CHAIRMAN RICHARD C. SHELBY

    Chairman Shelby. The hearing will come to order. I want to 
thank my colleague from Arkansas, he is going to join us, 
Senator Pryor, this morning, but I thought we would move ahead 
with our opening statements while he is coming.
    The broad focus of the hearing this morning, identity 
theft, is not a subject that is new to this Committee. Indeed, 
it is far from it. During the Committee's consideration of the 
Fair Credit Reporting Act, we heard from numerous witnesses who 
represented various perspectives regarding this issue. 
Furthermore, we also held additional hearings on this subject 
independent of the FCRA reauthorization process.
    It is important to highlight the Committee's longstanding 
engagement with respect to this matter. We will spend 
considerable time and effort attempting to ascertain the nature 
and the scope of the identity theft threat. As a result, we 
have directed legal and regulatory changes to provide greater 
protections for consumers and the overall financial system. 
Therefore, as we might consider any changes in this area, it is 
very important that we assess what we are doing in the context 
of the things we have already done.
    That said, I do want to indicate that I am also aware of 
the fact that the criminal element is constantly searching for 
new ways to take advantage of consumers and the financial 
system. Inasmuch, I recognize that this means that we must be 
constantly vigilant to ensure that we have the means in place 
to provide the appropriate safeguards necessary relative to the 
existing threats.
    The purpose of today's hearing is to continue this 
consideration, and we look forward at the proper time to 
hearing from all of our witnesses.
    Senator Sarbanes.

             STATEMENT OF SENATOR PAUL S. SARBANES

    Senator Sarbanes. Thank you very much, Mr. Chairman. I know 
we are awaiting the arrival of Senator Pryor. Let me first of 
all commend you for holding the hearing as we examine the 
question of protecting consumer financial information. You, of 
course, have been involved in a leadership way on the privacy 
issue for a number of years, and this Committee does have an 
important jurisdiction in this area.
    I think this is the third hearing we have held in this 
Congress on this subject. We previously heard from regulators 
and law enforcement officials, and also from financial 
institutions and a data broker. We do have these instances 
occurring where large amounts of information in the hands of 
private companies go outside the perimeter of security, and of 
course that raises very serious questions with respect to 
consumer data breaches.
    A number of States have responded to this issue, and have 
enacted their own legislation, and there are a number of 
important questions to be addressed, and I welcome this hearing 
as I welcomed the ones that have preceded it, and I am prepared 
to go forward to the witnesses at the appropriate time.
    Chairman Shelby. Senator Allard.

               STATEMENT OF SENATOR WAYNE ALLARD

    Senator Allard. Thank you, Mr. Chairman, for holding this 
important hearing regarding identity theft. I have been 
following this issue closely over a number of years, and look 
forward to hearing from our witnesses.
    For many of my constituents, identity theft is something 
that they believe will never happen to them. However, according 
to the Federal Trade Commission, in 2004, 246,570 people 
suffered from a stolen identity, and 4,409 of those cases were 
my constituents in Colorado, making the State the fifth highest 
in the Nation.
    Identity theft is becoming common to the point that I 
suspect that many of us in this room know a friend or family 
member who has had their identity stolen. This presents a grave 
situation for unsuspecting Americans and a challenge for all 
financial institutions in the United States.
    While there is a need to protect sensitive personal 
information from getting into the wrong hands, there is also a 
need for a certain degree of transparency in order for the U.S. 
financial system to function. The passage of recent 
legislation, including the FACT Act in 2003, has mandated that 
consumers be notified of information sharing between various 
credit reporting agencies. A recent GAO report stated that the 
implementation of such laws is going well, but it is too early 
to determine how successful these new laws will be in 
preventing more cases of identity theft.
    I look forward to hearing updates from the industry on 
these issues, and Mr. Chairman, thank you for holding this 
hearing.
    Chairman Shelby. Senator Reed.

                 STATEMENT OF SENATOR JACK REED

    Senator Reed. Thank you very much, Mr. Chairman, for 
holding this hearing, along with Senator Sarbanes, and this is 
indeed a very important topic. Identity theft is America's 
fastest-growing crime. Last year, 9.9 million Americans were 
victims of identity theft at a cost estimated to be about $5 
billion. We live in a time when proliferation of information 
through various electronic modes of exchange offers 
extraordinary opportunities to reshape our culture and our 
economy, but the down side, of course, is we open ourselves up 
to the exploitation of that information by criminals and by 
others.
    This is especially the case when safeguards are not in 
place to protect the security and integrity of the electronic 
information.
    We are here to discuss the state of large-scale security 
breaches leading to compromised personal data and the role that 
the financial industry can play in preventing these types of 
breaches, and each of these breaches has affected millions of 
individuals throughout the country.
    We have learned of many data breaches in the past year, 
where companies have announced that there were significant 
breaches. Hackers broke into databases belonging to these 
communities and stole names, passwords, addresses, Social 
Security numbers, and driver's license information. But in many 
of these cases, it is troubling to read in the media that 
companies have learned of intrusion weeks before disclosing the 
incident, and that if it were not for specific State laws such 
as the California law, that companies' breaches may never have 
been reported and would have gone unnoticed and unreported.
    Even with the zero liability policies of many major credit 
card companies, debit cardholders could see their bank accounts 
depleted in the interim. So we do have to do much.
    I commend the banking agencies for taking a step forward in 
the right direction by revising their guidance originally 
issued under Section 501(b) of the GLB Act, Gramm-Leach-Bliley 
Act, concerning the security of customer information, and the 
revised guidance requires banking institutions to notify their 
customers of breaches of security of sensitive information 
relating to those customers, and that timely disclosure of such 
breaches will allow the Federal Government, along with the 
institutions and consumers to closely monitor transaction 
information and mitigate any resulting damage from the breach.
    We have a unique challenge to face in this regard. I hope 
we can adapt our law to emerging technology which seems to be 
changing with each passing day, and again, I hope the 
Government and private industry can increasingly collaborate to 
stem the threat of identity theft, and look forward to today's 
hearing.
    Thank you, Mr. Chairman.
    Chairman Shelby. Senator Dole.

              STATEMENT OF SENATOR ELIZABETH DOLE

    Senator Dole. Thank you, Mr. Chairman. This is indeed a 
critical issue, and I certainly hope the American public is 
paying close, close attention to the fact that identity theft 
is very real and very prevalent.
    Identity thieves are constantly looking for new scams to 
rip off hard-working, law-abiding Americans. And, the stakes 
could not be higher for the security of the families we 
represent.
    In fact, I will be hosting a workshop in Raleigh, North 
Carolina the next month or so to educate North Carolinians on 
the ways to prevent identity theft and what to do if, heaven 
forbid, they become a victim.
    As already mentioned, identity theft is often cited as the 
fastest growing crime in the Nation. A large portion of the 
victims include our senior citizens. According to a recent FTC 
survey, approximately 10 million Americans, as we have heard, are 
victimized by identity thieves every year, at an astonishing 
cost of $48 billion to businesses, and an additional $5 billion 
to consumers.
    The survey focused on two major categories of identity 
theft, first the misuse of personal accounts, and second, the 
creation of new accounts in the victim's name. Not 
surprisingly, the survey showed a direct correlation between 
the type of identity theft and its cost to victims, including 
the time and money spent resolving the problems. For example, 
although people who had new accounts opened in their names made 
up only one-third of the victims, they suffered two-thirds of 
the direct financial harm. The FTC survey also found that 
victims of these two categories, cumulatively spent almost 300 
million hours, or an average of 30 hours per person, correcting 
their records and reclaiming their reputation for good credit.
    Precise statistics are unfortunately not available to 
properly gauge the full extent of the problem, since some 40 
percent of identity theft cases are believed to involve friends 
or family members and are never reported.
    While financial institutions are liable for the larger part 
of identity theft fraud, consumers are hurt in more profound 
ways. In addition to the hours and hours spent reversing the 
damage, they bear the burden of the insecurity, the 
inconvenience, and the resulting loss.
    A gentleman from Cary, North Carolina told the Raleigh News 
and Observer, ``I wouldn't wish it upon my worst enemy.'' He 
went on to describe the mess of trying to restore his credit, 
being turned down for a credit card, having to pay a higher 
interest rate for a car loan because of his damaged credit. 
``The hardest thing,'' he said, ``was feeling powerless to do 
anything once the fraud started to happen.'' There can be no 
doubt that when fraud is committed, every law-abiding citizen 
loses.
    Consumers are left to foot part of the bill through the 
higher cost of services from financial institutions. In March, 
this Committee held a hearing that focused on two cases in 
which institutions made public disclosures, as we have heard, 
with regard to data security breaches. At that hearing, we 
heard testimony from the Chair of the Federal Trade Commission, 
who detailed a very reasonable position on this subject, and 
testified that Congress should consider requiring prompt 
notification only when there is a significant risk to 
consumers. This makes sense. Unnecessary notifications could 
scare consumers, as well as numb them to the risks, and such 
notification carries a great cost.
    As a former FTC Commissioner, I have a great deal of 
respect for their views.
    I look forward, Mr. Chairman, to working with my colleagues 
to ultimately pass legislation that requires such disclosures 
when there is a significant risk to consumers.
    Thank you.
    Chairman Shelby. Senator Bunning.

                STATEMENT OF SENATOR JIM BUNNING

    Senator Bunning. I would like to thank you, Mr. Chairman, 
for holding this very important hearing, and I would like to 
thank all of our witnesses for coming before us today. I would 
especially like to thank and welcome to the Committee our good 
friend and colleague, Senator Mark Pryor. Thank you for showing 
up, and we are glad to have you.
    Senator Pryor. Thank you.
    Senator Bunning. This Committee has been a leader on this 
issue, with Gramm-Leach-Bliley, the FACT Act, and the extensive 
hearings we have held thanks to you, Mr. Chairman. I appreciate 
your leadership on this issue, and I am glad we are continuing 
our good work to assure Americans' financial privacy. These 
issues should be handled by this Committee. We have the 
expertise and experience to best deal with privacy issues that 
affect individuals' financial information and financial 
institutions. I applaud the Chairman and the Ranking Member for 
their continued work.
    The stories of data breaches that have come to light in the 
past few years have given all Americans pause. Many of my 
constituents have taken more and more steps to ensure their 
financial privacy. They are checking their free credit reports 
that were provided for in the FACT Act. They are buying paper 
shredders, and they have made sure the websites they use are 
secure. Identity theft is a very pressing problem. If the 
Chairman of the Federal Trade Commission, Deborah Majoras, can 
become a victim of identity theft, anyone can.
    I also understand the fears of the financial services 
industry. It is very difficult to try and do business and serve 
their customers, if they have to comply with 50 different State 
and hundreds of different local financial privacy laws. They 
can become a liability for noncompliance and for many 
localities where they have their customers. Also, individuals 
may not understand their rights. I am not sure how many 
individuals understand the rights under Gramm-Leach-Bliley and 
the FACT Act, let alone what rights or prohibitions they may 
have under State or local laws that may have been passed. 
Business and individuals need certainty.
    However, we must remember that there is a reason why these 
State and local laws have been passed. Although I am sure many 
question the motives of politicians, we pass laws because our 
constituents want them. Given the data breaches that have 
occurred, and the identity thefts that have happened each year, 
business must do a better job of protecting private 
information. We are not at this point today and mistakes have 
not been made.
    Once again, thank you, Mr. Chairman, for holding these 
hearings, and your dogged efforts on this issue, and thank all 
of you for coming before us today.
    Chairman Shelby. Thank you.
    We welcome our colleague and friend, Senator Mark Pryor 
from Arkansas, former Attorney General of Arkansas. I think he 
knew a little about this before he came to the Senate.
    Senator Pryor, your written testimony will be made part of 
the record in its entirety. You proceed as you wish.

                   STATEMENT OF MARK L. PRYOR
           A U.S. SENATOR FROM THE STATE OF ARKANSAS

    Senator Pryor. Thank you very much, Mr. Chairman, and thank 
you for your leadership on this and the leadership of the 
Committee. Thank you for the hospitality and for inviting me 
here to talk today about identity theft and a security freeze.
    As Senator Dole mentioned a few moments ago, identity theft 
is the fastest growing financial crime in the country. 
According to the Federal Trade Commission, almost 10 million 
people per year become the victims of identity theft.
    In Arkansas, which is a relatively small State, as we all 
know, identity theft is the top category of reported fraud, 
with over 1,397 cases reported last year. That does not mean 
that is all the cases, but is what was reported last year, and 
in this issue that I first became involved with when I was the 
State's Attorney General.
    According to the Identity Theft Resource Center, it takes 
about an average of about $1,500 for a person to undo the 
identity theft, and in some cases we have heard that they have 
had to spend 600 hours. That is an amazing amount of time, but 
that is what they have had to expend to try to get out of the 
mess that someone has created for them.
    This crime, it is estimated--I think Senator Dole mentioned 
this as well--to cost the American business community about $48 
billion a year. Just as an example of how our personal 
information is spread very widely around the country and all of 
our personal information is, I have right here a stack of about 
11 pieces of mail that one of my staff members has received in 
the last week, 11 pieces in the last week. Only about half of 
this mail is for him. The other half is for previous occupants 
of his apartment, and the thing about that is, he knows that 
when he leaves, a lot of his mail will end up in someone else's 
hands and he does not know who is going to open that mail, who 
is going to go through these. A lot of these are for 
prescreened credit.
    So the problem is out there, and there are a lot of 
different dimensions to it, and certainly I think it is 
something that the Senate should be very vigilant about. 
Companies, we all know, we have all read the stories and seen 
them on television, companies, in the last year or so have had 
many instances where they have lost data. Sometimes they lose 
it off a truck, sometimes they accidently expose it, and it is 
easy to get, sometimes it is stolen from them, but for a while 
there, as you all remember, there was so much of that going on, 
that it seemed like almost every other day someone was coming 
out with a new story.
    I think it is just very important that consumers have a 
tool where they can protect themselves. What I would hope this 
Committee would consider is the security freeze, and that is 
one reason that I have pushed S. 1336, the Consumer Identity 
Protection and Security Act of 2005, because what it allows 
consumers to do, Americans to do, it allows them some tool that 
they have at their disposal, totally voluntary, where they can 
put a security freeze on their information. The way it would be 
set up would be fairly simple, where they could put this 
security freeze out there and then no one could have access to 
their credit information without them saying so.
    Now, honestly, we need to understand this. Some of these 
companies like to provide instant credit, like right here, you 
are prescreened, you are preapproved, and all of that. That may 
not work for people who do not want to receive these. That 
means that these companies may not be able to do the 
prescreening but it is almost like signing up for a do-not-call 
list. If you are going to go to the trouble of signing up for 
do-not-call, chances are you are not going to be a very good 
potential customer for a telemarketer. This is the same thing 
as here. Chances are these people are not going to be very good 
potential customers here.
    Right now, what we are starting to see is States taking 
action. You have California, Louisiana, Texas, Vermont, and 
Washington that have the law. Maine and Nevada, looks like they 
are going to come on in the next couple of months. There are a 
number of other States. I think it is 20 some odd States that 
are considering the law this year, and so what is happening out 
there is you are getting this thing that we see a lot, this 
patchwork quilt around the country. Even though I like States 
to have the authority to do things, under this circumstance it 
might be better--I believe it is better--to have a Federal 
system that everybody can tap into. If nothing else, the credit 
bureaus then have one system that they have to comply with, not 
50 different systems.
    Also technology and the technology sector is going to 
respond to this. There is a company out in California that is 
trying to set up some software for one-stop-shopping that will 
be very easy for consumers to use, so it looks like the 
marketplace is going to adjust to this. I think it is going to 
be a win-win for everybody.
    This Committee will consider a lot of different factors 
when they look at this. I appreciate your time and your 
deliberation on this, but I do think it is important for the 
Senate to act, and that we try to show some leadership on this 
because it is just too big of a problem that is growing every 
single year, as Senator Dole said a few moments ago.
    We do have the ability to do this, and our inaction would 
just make a bad situation worse out there.
    Mr. Chairman, thank you for that, and thank you for 
allowing my full statement to be part of the record.
    Chairman Shelby. Thank you. I understand you have 
Committees you have to attend. We appreciate your appearance.
    Senator Pryor. Thank you very much.
    Chairman Shelby. Our second panel will be Mr. Stuart Pratt, 
President and Chief Executive Officer, Consumer Data Industry 
Association; Mr. Ed Mierzwinski, Consumer Program Director, 
U.S. Public Interest Research Group; Mr. Ira Hammerman, Senior 
Vice President and General Counsel, Securities Industry 
Association; Mr. Gilbert Schwartz, Partner, Schwartz & Ballen, 
LLP; and Mr. Oliver Ireland, Partner, Morrison & Foerster.
    Gentleman, you take your seats. All of your written 
testimony will be made part of the hearing record in its 
entirety. We will start with you, Mr. Pratt, for you to briefly 
sum up your top points.

                  STATEMENT OF STUART K. PRATT
             PRESIDENT AND CHIEF EXECUTIVE OFFICER,
               CONSUMER DATA INDUSTRY ASSOCIATION

    Mr. Pratt. Chairman Shelby, Senator Sarbanes, Members of 
the Committee, thank you for this opportunity to appear before 
you today. For the record, I am Stuart Pratt, President and CEO 
of the Consumer Data Industry Association.
    Mr. Chairman, we commend you as well for holding this 
hearing. It is an important subject and one on which we welcome 
the chance to share our views.
    I am very pleased to announce on behalf of CDIA's members, 
Equifax, Experian, and TransUnion, a new initiative focusing on 
encryption of data reported to them. As of today, any furnisher 
of information can choose one of a number of acceptable 
encryption standards for use with all three companies by 
offering a data furnisher the choice to use one encryption 
standard. We reduce costs. We simplify the administration of 
encryption. It is our hope that with these new encryption 
standards in place, we will accelerate the choice to encrypt 
data that is supplied to consumer reporting agencies, and 
ultimately to achieve the goal of all information being 
encrypted when it is transmitted to us.
    Now let us take a look at the FACT Act that has been 
mentioned a number of times, and we believe it materially does 
add to the protections of consumers through the Uniform 
National Standards that were established through the leadership 
of this Committee in particular. Fraud alerts, for example, we 
believe often strike the right balance for consumers who wish 
to ensure that a lender is notified of their concerns about 
identity verification. I think consumers recognize fraud alerts 
slow down the process. They do not stop the transaction, 
however. In fact, the FACT Act strengthened the fraud alert 
system that our members had voluntarily established by making it 
a responsibility of the receiving party that they must take 
additional steps to verify the identity of a consumer when a 
fraud alert is present. The FACT Act also addressed the needs 
of active military service personnel through a special alert 
that can be added to the credit report as well.
    Address discrepancy indicators were another idea that was 
enacted through the FACT Act. This duty requires us, the 
nationwide consumer reporting agencies, to indicate to a 
lender, when they request a credit report, when the address 
they have submitted to us differs substantially from the 
address we have in the file. It is a very practical idea. It is 
a good idea. We were glad to have been able to put that into 
place by December 1, the effective date, in 2004.
    Identity theft reports were a particularly important 
addition because consumers at times had trouble obtaining 
police reports in order to take advantage of rights they had 
under the law. The report is more flexible and allows consumers 
to obtain a report from any one of a number of law enforcement 
agencies.
    Ultimately, I think Congress was prescient in recognizing 
that fraud prevention identity theft victim assistance are best 
handled through uniform national standards, and it remains 
critical to our members who are operating as consumer reporting 
agencies, that we remain regulated solely under a single set of 
law and regulation, and that would be the Fair Credit Reporting 
Act.
    You have asked for our views on sensitive personal 
information that is held by nonfinancial institutions, and we 
have really two key themes in that regard, ensuring the 
security of information and sending consumers meaningful 
notices when there is a breach of that information.
    It is our view that a rational and effective national 
standard should be enacted both for information security and 
consumer notification as it applies to sensitive personal 
information, regardless of whether the person is a financial 
institution or not.
    Information security standards that are substantially 
similar to those we see in the GLB are well-suited for this 
type of regulation, and we would encourage this Committee to 
continue to look into that. To ensure regulatory continuity, we 
believe if there are new provisions established, these 
provisions would therefore also deem financial institutions 
as being in compliance with those standards because of their 
compliance already with the GLB standards.
    For consumers and notification, we believe consumers should 
receive notices when their sensitive information is breached, 
and when there is a significant risk of harm, and in fact, key 
to notification requirements is making sure they do not result 
in either over-notification, but equally important, too few 
notices being sent.
    Chairman Shelby. When you say receive it, receive it 
immediately?
    Mr. Pratt. In terms of the notice, sir?
    Chairman Shelby. Yes.
    Mr. Pratt. I am sorry, I should have brought another set of 
glasses so I can see at the same time I am reading my 
testimony, but I think we would say that in concert with law 
enforcement investigations, Mr. Chairman, just to make sure 
that we do not open the door too soon before they have shut 
down the problem. I think that is the only coordination issue 
that we would raise with you, Mr. Chairman.
    Chairman Shelby. Thank you.
    Mr. Pratt. I think key to notification is the trigger, when 
do you send that notice? Chairman Majoras suggested, and got it 
right, when she said that a trigger should pivot off of a 
significant risk of harm. We think significant risk of harm is 
best defined as a risk of being a victim of identity theft, the 
very subject of this hearing.
    We also need coordination with national credit bureaus if 
thousands of notices are being sent out the door by many 
different agencies, many different companies, many of whom we 
do not have business relationships with. It is our job to plan 
and be able to handle the contacts that come back to us. We 
need some coordination. We would ask for that to be included in 
a proposal of this sort.
    You have asked us to also discuss file freezing, and we 
provide the following background. File freezing, as Senator 
Pryor has discussed, allows a consumer to freeze his or her 
credit report for I think what we would call new business 
purposes. File freezes have been enacted in 12 States. The file 
freeze enactments do often allow a consumer to charge a fee. 
Certainly, we have been on record in many States as indicating 
concerns about the rigidity of file freezes, how operable they 
will be for consumers, but I will tell you at this point, with 
this many enactments in the States and with many State 
legislatures looking at this next year, we encourage this 
Committee to continue to look at what we now have, and 
preserving what we now have, which is a seamless nationwide 
credit reporting system servicing a nationwide credit system in 
this country.
    And that is a dialogue that needs to continue in the 
context of these State laws, and it is a dialogue that needs to 
continue. It is an extension of the good work of this Committee 
in creating national standards through the FACT Act.
    With that, Mr. Chairman, I will close my opening remarks. 
Thank you, sir.
    Chairman Shelby. Thank you.
    Mr. Mierzwinski.

                STATEMENT OF EDMUND MIERZWINSKI
                   CONSUMER PROGRAM DIRECTOR,
              U.S. PUBLIC INTEREST RESEARCH GROUP
                          ON BEHALF OF
        CONSUMER FEDERATION OF AMERICA, CONSUMERS UNION,
             ELECTRONIC PRIVACY INFORMATION CENTER,
                 PRIVACY CONSULTANT MARI FRANK,
          PRIVACY RIGHTS CLEARINGHOUSE, PRIVACY TIMES,
            U.S. PUBLIC INTEREST RESEARCH GROUP, AND
                      WORLD PRIVACY FORUM

    Mr. Mierzwinski. Thank you, Chairman Shelby. I am Ed 
Mierzwinski, the Consumer Program Director of the U.S. Public 
Interest Research Group. My testimony is also on behalf of a 
number of consumer and privacy groups, including the Consumer 
Federation, the Consumers Union, the Privacy Rights 
Clearinghouse, and EPIC.
    I want to commend you for your longstanding leadership on 
privacy, along with Senator Sarbanes for his leadership, 
particularly on the Sarbanes Amendment, which allowed States to 
go further with financial privacy laws to the Gramm-Leach-
Bliley Act.
    We would not know about the nearly 100, depending on whose 
list you look at, security breaches that have occurred this 
year if it were not for the pioneering efforts of California in 
enacting a security breach notification law. Because the States 
have demonstrated such leadership on security breach 
notification laws, we believe the Committee should look very 
carefully, if it is going to enact any breach notification 
provisions, at maintaining only a Federal floor and allowing 
the States to continue to go further.
    As another example of how the States have shown leadership 
and how our nonuniform system has worked well, I would point 
out that the FACT Act allows States to go further in identity 
theft areas. Although our groups were disappointed that you did 
not allow States to go further in all areas, the FACT Act did 
allow States to pass stronger identity theft laws, and that is 
why a number of States, a dozen so far--and New Jersey is 
signing its law today--have enacted security freeze legislation 
around the country.
    Chairman Shelby. How would a security freeze work exactly?
    Mr. Mierzwinski. A security freeze really is the first way 
that we can give consumers control over their confidential 
personal information, Senator Shelby. Most of the protections 
that are given to consumers in the FACT Act are protections 
after you have already become a victim--the right to a fraud 
alert, the right to clear your name, that type of thing. 
Identity thieves take advantage of the easy availability of 
Social Security numbers, coupled with the way that creditors 
apply for credit reports, and obtain them in your name to 
obtain credit in your name at a creditor's. A security freeze 
gives you the right to freeze access to your report for any new 
creditors. It essentially leaves the thieves out in the cold, 
but your existing creditors can still look.
    Chairman Shelby. But in the FCRA, we use fraud alerts 
instead of that, I believe.
    Mr. Mierzwinski. We use fraud alerts, but, again, a fraud 
alert is after you have already become a victim or suspect you 
are a victim. A freeze, in our view, should be available to 
everyone in advance. It essentially puts your credit report in 
a freezer so that the bad guy applies for credit in your name, 
and the creditor says, ``We cannot get a credit report on 
you.'' So you are protected. You can sleep at night.
    Chairman Shelby. So it is working.
    Mr. Mierzwinski. We think it is working. We would prefer 
that the freeze be easier to do, that it be cheaper, that it be 
selectively unfrozen, that you could turn it on and leave it 
on, but then, for example, on a Saturday if you are looking for 
cars, you should be able to selectively unfreeze it for car 
dealers just for the day. We have instant credit. Why can't we 
have an instant freeze? That is really what we are looking for.
    Getting back to the issue of the security breach, which is 
on Congress' mind because of all the security breaches that 
have occurred, I first want to point out that a lot of the 
companies have claimed that they were victims. Well, I am 
shocked to hear that. CitiFinancial, an arm of CitiGroup, and 
Bank of America both lost unencrypted data tapes containing 
records of millions of Americans. Other banks have lost laptops 
that were unencrypted containing records on many Americans. 
ChoicePoint sold its records. It did not lose them. It sold 
records to a thief. So we have some real problems out there 
with the way industries are taking care of our information. And 
the notion of a harm trigger is, I think, one that has been 
debated almost as much if not more than preemption of State 
law.
    Our view, the consumer coalition that I represent, is that 
if you lose the information, there should be disclosure to the 
consumer. That will, number one, force the companies to do a 
better job in the first place; but, number two, it will give 
consumers knowledge that their personal information has been 
lost. The problem has been that half of consumers do not know 
how they became identity theft victims.
    Chairman Shelby. But all this requires changes in statutes, 
statutory change?
    Mr. Mierzwinski. Well, I think that if you were to enact a 
security breach law, your Committee, the bank regulators have 
already enacted a breach regulation that applies to financial 
institutions under their regulation.
    Chairman Shelby. They did that by regulation.
    Mr. Mierzwinski. By regulation, by guidelines actually. But 
for other types of entities, ChoicePoint is not regulated by 
the bank regulators, nor are these card processors. So they 
would require additional legislation.
    My written testimony, Mr. Chairman, goes into a number of 
other details on improvements to the FACT Act. For example, we 
believe that breach victims should have the right to obtain 
fraud alerts more easily, that extended fraud alerts should be 
more easily available, that police reports should not be 
required for a consumer to obtain business information. We also 
list a number of recommendations that may not be in the purview 
of the Committee, but I know are of very much interest to you, 
to improve Social Security number protection and get our 
financial DNA out of the marketplace so that the thieves cannot 
get at it.
    I appreciate the opportunity to testify before you today, 
and I want to point out that my written testimony includes a 
list of the major breaches that have occurred this year as 
Appendix 1. It includes a list of all the State security breach 
laws and a list of all the State security freeze laws.
    Thank you.
    Chairman Shelby. Thank you.
    Mr. Hammerman.

                 STATEMENT OF IRA D. HAMMERMAN
           SENIOR VICE PRESIDENT AND GENERAL COUNSEL,
                SECURITIES INDUSTRY ASSOCIATION

    Mr. Hammerman. Mr. Chairman, Ranking Member Sarbanes, and 
Members of the Committee, I am Ira Hammerman, Senior Vice 
President and General Counsel of the Securities Industry 
Association, and I appreciate the opportunity to testify on our 
industry's responsibility to prevent identity theft and protect 
our customers' financial information. We applaud your 
leadership and foresight, Mr. Chairman, and that of Senator 
Sarbanes in passing the precedent-setting law for data 
security, the Gramm-Leach-Bliley Act of 1999. Maintaining the 
trust and confidence of our customers is the bedrock of the 
securities industry. The long-term success of our markets 
depends on customers feeling confident that their personal 
information is secure. We, therefore, devote enormous time and 
resources to the protection of customer data. We are, however, 
concerned that the expanding patchwork of State and local laws 
affecting data security and notice will make effective 
compliance very difficult for us and equally confusing for 
consumers.
    The problem of data security is a distinct Federal 
responsibility that requires a targeted Federal legislative and 
regulatory response. In light of the increasing number of 
disparate Federal and State legislative proposals, we urge this 
Committee to strike the appropriate balance between addressing 
the legitimate concerns of American consumers threatened by 
identity theft and ensuring that protections are indeed 
meaningful.
    All businesses that have custody of sensitive personal 
information have a responsibility to provide data security 
measures. It is our belief businesses have a similar obligation 
to notify consumers when a breach of security creates a 
significant risk to their identity.
    As the Committee is well aware, the securities industry is 
subject to Securities and Exchange Commission regulations that 
require every registered broker-dealer to have in place 
policies and procedures to safeguard sensitive customer records 
and information. The SEC and the self-regulatory organizations 
periodically examine broker-dealers to ensure compliance with 
this regulation. Similarly, the SEC has full authority to issue 
relevant guidance on how to construct a notification regime 
that best benefits consumers, and SIA looks forward to working 
with SEC Chairman Cox and his staff in determining how best to 
develop such a regime.
    In considering legislation related to data breach, SIA 
urges the Committee to consider the following six principles: 
First, adopt a clean National standard to achieve a uniform, 
consistent approach that meets consumer expectations; second, 
implement a trigger for consumer notice that is tied to 
significant risk of harm or injury that might result in 
identity theft; third, a need for a precise definition of 
sensitive personal information that is tied to the risk of 
identity theft; fourth, exclusive functional regulator 
oversight and rulemaking authority; fifth, a flexible 
notification standard; and, finally, reasonable administrative 
compliance obligations.
    SIA urges the Committee to develop meaningful and carefully 
targeted legislation that embodies these important principles.
    The securities industry recognizes that we face a major 
threat from criminals, including potential terrorists, who 
perpetrate identity theft. Therefore, we take very seriously 
our duty to safeguard our customers' sensitive financial 
information. Identity theft and other kinds of fraud hurt not 
only consumers but also businesses whose reputations inevitably 
suffer from security breaches. The cost of fraud is often 
beyond the monetary. Lost customers and reduced confidence can 
be the death knell for a business so dependent on the public's 
trust.
    Thank you again for the opportunity to testify today. We 
are eager to work with the Committee and its staff to draft 
meaningful and targeted effective data breach legislation. 
Thank you.
    Chairman Shelby. Mr. Schwartz.

                STATEMENT OF GILBERT T. SCHWARTZ
                PARTNER, SCHWARTZ & BALLEN LLP,
                          ON BEHALF OF
             THE AMERICAN COUNCIL OF LIFE INSURERS

    Mr. Schwartz. Chairman Shelby, Ranking Member Sarbanes, and 
Members of the Committee, I am Gilbert Schwartz, Partner in the 
Washington law firm of Schwartz & Ballen, and I am appearing 
today on behalf of the American Council of Life Insurers, the 
principal trade association for the Nation's life insurance 
industry. ACLI's 356 member companies account for 80 percent of 
the life insurance industry's total assets in the United 
States.
    This hearing today represents another chapter in the 
Committee's longstanding leadership in this area and strong 
commitment to the protection of consumer information and to the 
prevention of identity theft, as evidenced by the Committee's 
central role in the enactment of the Gramm-Leach-Bliley Act and 
the FACT Act. ACLI appreciates the opportunity to discuss the 
important role that life insurers play in preventing identity 
theft and protecting financial information of our 
policyholders.
    Life insurers have long been committed to establishing and 
maintaining policies and procedures to protect sensitive 
customer information and to prevent misuse of such information. 
Insurers expend considerable resources to achieve these goals. 
ACLI and its members were, and continue to be, strong 
supporters of Title V's privacy and information security 
provisions.
    As a result of the Gramm-Leach-Bliley Act, 34 States have 
adopted comprehensive regulations or statutes that establish 
standards for safeguarding customer information by insurers. 
The State requirements generally track the National Association 
of Insurance Commissioners' Standards for Safeguarding Customer 
Information Model Regulation. Under the NAIC model reg, life 
insurers are required to adopt comprehensive security programs 
to protect customer information.
    In 2003, Congress enacted the FACT Act in part to respond 
to the growing crime of identity theft. Because of recent 
concerns with the possibility of identity theft resulting from 
security breaches, 20 States have enacted legislation requiring 
companies to notify consumers in the event that sensitive 
personal information is affected by a security breach. Some 
States' notices require differences in scope and coverage. As 
Senator Pryor indicated, this is a patchwork quilt. The need to 
track these differences and factor them into a notification 
program will inevitably make it more difficult for institutions 
to send notices to consumers promptly. This may cause some 
consumers to experience delays in receiving notices and 
increase the likelihood that they will become victims of 
identity theft.
    Varying State laws may also result in uneven enforcement 
from State to State. Accordingly, ACLI supports Federal 
legislation that provides preemptive uniform national standards 
for notifications to individuals whose personal information has 
been the subject of a security breach where such information 
may lead to substantial likelihood of identity theft. Such an 
approach benefits consumers because it ensures that they 
receive the same information in a timely fashion, regardless of 
where they reside.
    ACLI also recommends focusing on breaches involving 
sensitive consumer information that is not encrypted or secured 
by a method that renders the information either unreadable or 
unusable. To avoid needlessly alarming consumers and 
undermining the significance of these notices, ACLI supports 
notification when there is a significant likelihood of identity 
theft. Uniform enforcement of notification standards is very 
important. ACLI strongly supports enforcement of insurers' 
compliance exclusively by the Department of the Treasury. 
Treasury is well-positioned to assume this role because it has 
had extensive experience with the insurance industry in 
connection with such laws as the USA PATRIOT Act, the Terrorism 
Risk Insurance Act, the Bank Secrecy Act, and OFAC regulations.
    In the event it is not possible to provide for enforcement 
by the Treasury Department, ACLI supports adoption of an 
approach set forth in the GLB Act. Under this approach, an 
insurer's compliance with Federal breach of security 
notification legislation would be enforced by the insurance 
authority of the insurer's State of domicile. If this approach 
is used, ACLI also requests that the legislation state that it 
is the intent of Congress that State insurance authorities 
enforce the legislation in a uniform manner.
    If the legislation provides for implementing regulations, 
ACLI believes that the relevant Federal agencies should jointly 
promulgate the rules. This would benefit consumers and assure 
that they will receive the same protection across all 
industries.
    The issues before you today, Mr. Chairman, are complex. 
ACLI anticipates that legislation you adopt will provide 
meaningful protection to consumers who might otherwise become 
victims of identity theft.
    Thank you for your attention.
    Chairman Shelby. Thank you, Mr. Schwartz.
    Mr. Ireland.

                 STATEMENT OF OLIVER I. IRELAND
                 PARTNER, MORRISON & FOERSTER,
                        ON BEHALF OF THE
                  AMERICAN BANKERS ASSOCIATION

    Mr. Ireland. Chairman Shelby, Ranking Member Sarbanes, and 
Members of the Committee, my name is Oliver Ireland, and I am a 
Partner in the DC office of Morrison & Foerster. I am here 
today on behalf of the American Bankers Association to address 
the role of banks in protecting consumers from identity theft 
and account fraud.
    The American Bankers Association includes community, 
regional, and money center banks and holding companies, as well 
as savings associations, trust companies, and savings banks, 
and it is the largest banking trade association in the country.
    We appreciate your leadership in the area of privacy and 
identity theft and the opportunity to participate in this 
hearing. Identity theft occurs when a criminal uses information 
relating to another person to open a new account in that 
person's name. In addition, information relating to consumer 
accounts can be used to initiate unauthorized charges to those 
accounts. The issues of identity theft and account fraud are of 
paramount importance to banking institutions and the customers 
that they serve.
    In this regard, I would like to emphasize three key points: 
Banks have a vested interest in protecting customer information 
and are highly regulated in this area; a uniform approach to 
information security is critical; and any security breach 
notification requirement should be risk-based.
    First, banks have an interest in protecting customer 
information. Simply put, banks that fail to maintain the trust 
of their customers will lose those customers. In addition, 
because banks do not impose the losses for fraudulent accounts 
or fraudulent transactions directly on their customers, banks 
incur significant costs for identity theft and account fraud. 
These costs are in the form of direct dollar losses as well as 
reputational harm. Accordingly, banks aggressively protect 
sensitive information relating to consumers. Among those that 
handle and process consumer information, banks are among the 
most highly regulated and closely supervised.
    Guidance under Title V of the Gramm-Leach-Bliley Act 
requires banks not only to limit the disclosure of consumer 
information but also to protect that information from 
unauthorized access and to notify customers when there is a 
breach of security of sensitive customer information. In order 
to provide consistent protection for consumers, merchants, 
information brokers, and others that handle sensitive customer 
information should be subject to similar requirements.
    In designing security notification requirements, national 
uniformity is critical to preserving efficient national 
markets. A score of State legislatures have already passed new 
data security bills. While these laws have many similarities, 
they also have important differences. State laws that are 
inconsistent result in both higher costs and uneven consumer 
protection. Further, a single State that adopts a unique 
requirement or omits a key provision can effectively nullify 
the policy of other States.
    Finally, any notification requirement should be risk-based. 
While it is important to protect all sensitive consumer 
information from unauthorized use, it is most critical to 
protect consumers from identity theft and account fraud. Any 
security breach notification requirement should be limited to 
those cases where the consumer needs to act to avoid 
substantial harm. Further, security breach notification 
requirements should be tailored to the particular circumstances 
and the threat presented.
    Identity theft and account fraud pose different risks. In 
each case, the need for notification and the form of the 
notification will differ. Any Federal legislative requirement 
must recognize and accommodate these differences.
    Banks are proud of their record in protecting information 
relating to their customers and will continue to work to ensure 
that consumers receive the highest level of protection.
    Thank you. I will be happy to address any questions that 
you may have.
    Chairman Shelby. Thank you, Mr. Ireland.
    I will direct my first to Mr. Pratt. Do you believe that 
the fraud alert scheme that we included in the FCRA can work in 
tandem with the various State credit freeze laws that have been 
enacted in recent years that we have discussed here?
    Mr. Pratt. There is no doubt that credit freeze laws do not 
prohibit, if you will, a credit reporting agency from also 
putting a fraud alert on the file, so that fraud alert could be 
conveyed to a bank, for example, that has a current business 
relationship and is accessing the credit report for that 
purpose. But the fraud alert system is a more flexible system. 
It is a system that allows the transaction to go forward under 
a caution flag. A file freeze, as has been described--and I 
think rightly so--is an absolute stop. It will stop the 
transaction cold in its track. File freezes, by the way, are 
not absolute. You can lift a freeze for a temporary period of 
time, and this is a consistent element of the laws that we have 
seen in the States. But you have to do that in advance of the 
transaction in which you intend to engage.
    Chairman Shelby. Ed, do you have any comments on that? Can 
they work together?
    Mr. Mierzwinski. I agree with everything that Stuart said 
there. The two are separate rights; the two are separate 
protections. Again, the freeze, as Stuart pointed out, anyone, 
regardless of whether you have been a victim or think you are 
threatened by identity theft, can impose a freeze. A fraud 
alert you put on after you think you have been a victim, and 
the company must take additional steps before issuing credit.
    Chairman Shelby. Is a freeze, in a sense, preemptive?
    Mr. Mierzwinski. Preemptive, in the other sense of 
preemptive, yes.
    Chairman Shelby. Okay.
    Mr. Mierzwinski. It is often used around Capitol Hill, too.
    Chairman Shelby. Mr. Ireland, do you have any concerns 
about the impact that the use of credit freezes could have on 
the credit reporting system, the users of credit reports, or 
consumers? In other words, will there be an impact here if a 
freeze continues?
    Mr. Ireland. There is a significant potential for impact in 
this area. We saw some examples earlier of prescreened 
solicitations and the possibility that prescreening as a 
process could be disrupted. I think perhaps more significantly 
there are other credit transactions that occur with little 
prior notice, including opening credit charge accounts at 
retail outlets, automobile purchases, and so on, that are 
likely to be disrupted by a security freeze process. And the 
consumers, when they place those freezes, may well not 
understand that that is going to occur and may not remember to 
remove them in time.
    Chairman Shelby. Mr. Ireland, I think it is important to go 
over just some of the basic, elemental questions associated 
with the situation where information held by financial 
institutions is compromised.
    First, what, if any, different distinction should we make 
based on the kind of information that has been compromised? In 
other words, does the type of information that has been 
disclosed matter?
    Mr. Ireland. I think the type of information is critical.
    Chairman Shelby. Give us an example.
    Mr. Ireland. There is an initial issue as to whether you 
want to merely protect the privacy of consumer information with 
notifications or you want to be concerned about alerting 
consumers when they need to protect themselves, take action to 
protect themselves from identity theft or fraud. Much 
information about consumers cannot be used for either identity 
theft or account fraud, and while it is desirable to protect 
that information from unauthorized use, providing notices to 
consumers about disclosures of that information that may be 
unauthorized runs the risk of inundating them with notices, so 
that when a final notice does come that they need to do 
something, they miss it.
    Chairman Shelby. Should the nature--in other words, the 
security breach you alluded to--matter?
    Mr. Ireland. I think the nature of the security breach also 
matters. It matters in terms of the information. The nature of 
the security breach also matters in terms of determining 
whether harm will result. There are security breaches that 
occur which are for competitive purposes in financial markets 
where there is no risk of identity theft or fraud associated 
with it.
    Chairman Shelby. If you have different situations here, how 
should the differences be dealt with in relation to the type of 
notice provided to consumers?
    Mr. Ireland. The classic example is the difference between 
account fraud and identity theft information. If somebody loses 
name, address, and Social Security number, the thief can go 
open an account at another institution, and the consumers need 
to check their credit report to determine whether that happens. 
As Mr. Pratt has already indicated, in those cases coordination 
with the credit reporting agencies is appropriate and may be 
necessary. And the consumer has to take action with the credit 
reporting agencies.
    If the information is merely account number and name, it 
might be used to commit account fraud, but the credit reporting 
agencies need not be involved in that matter.
    Chairman Shelby. Mr. Hammerman and Mr. Schwartz, I will 
direct this question to you two. The financial institutions 
that you represent have duties under the Gramm-Leach-Bliley Act 
to protect sensitive consumer information. However, I would 
assume protecting consumers and yourselves is not merely a 
question of complying with the law and that you have to be more 
proactive in response to the threats that exist. You know there 
are threats out there. Is it true that you could highlight some 
of the efforts that you undertake as being proactive in your 
area?
    Mr. Schwartz. Certainly. Insurers have robust systems and 
procedures in place: Who can have access to the information in 
terms of encryption keys that are placed on information, who 
has access to buildings where some of the data are collected, 
how that information may be processed in various circumstances. 
And there are a whole range of actions that are put into place 
that ensure that only information will be made available when 
the appropriate parties are asking for it.
    So we are very confident that the insurance industry has 
state-of-the-art protections in place and is constantly trying 
to upgrade and ensure that whatever is developed is put into 
place as well. Encryption devices are always being upgraded as 
hackers try to break those encryption keys, and new procedures 
are implemented all the time.
    Chairman Shelby. Mr. Hammerman, do you have any comments?
    Mr. Hammerman. Yes, Mr. Chairman. I think this issue first 
starts with getting senior management support for data 
protection, and we have that among our members.
    In addition, there are dedicated groups of people within 
each firm whose sole job is to handle information security and 
privacy. As was mentioned, our firms have strong perimeter 
defenses to protect their networks. We are constantly utilizing 
technology to try and anticipate the next problem, and we are 
always trying to stay one step ahead----
    Chairman Shelby. But the thieves also use technology, do 
they not?
    Mr. Hammerman. I was just going to say that we try to stay 
one step ahead of them, and it is constantly changing. But we 
are putting the resources set forth to do that.
    Chairman Shelby. Senator Sarbanes.
    Senator Sarbanes. Thank you very much, Mr. Chairman.
    I have a couple of very simplistic-sounding questions to 
put first to the members of the panel.
    Senator Dodd. Be careful.
    [Laughter.]
    Senator Sarbanes. If I am in a State which has passed 
additional legislation on this issue, providing additional 
substantive standards guarding me against identity theft, and a 
national law is passed which preempts State law, and the 
substantive standard in the national law is less, lower than 
the protections provided under my State law, I will have lost 
consumer protection, will I not?
    Mr. Mierzwinski. Senator, I would agree that you have lost 
consumer protection. I would also point out that under the 
current regime that we have the California law has effectively 
been adopted nationwide by State Attorneys General. After the 
ChoicePoint breach, when California citizens started receiving 
notices, the State Attorneys General of other States told 
ChoicePoint, ``What about our citizens?'' And they provided 
notice nationwide. And so the opposite has occurred. You have 
more rights in States. So that argues for not preempting.
    Senator Sarbanes. I want to address this argument which I 
heard that a preemptive Federal law would provide more 
consumer protection. And I have trouble understanding that 
except in a State that has no consumer protections whatsoever, 
perhaps. Whether it does or not would depend directly upon the 
substantive standard in the Federal law, would it not?
    Mr. Schwartz. Yes, that is correct, Senator Sarbanes.
    Senator Sarbanes. So if the Federal standard is weak, or 
indeed fairly strong but not as strong as the State standards, 
at least if I am a consumer in a State that has enacted 
legislation, I will actually lose protection, not gain 
protection. Is that correct?
    Mr. Schwartz. Senator, I think it depends upon the nature 
of the State provisions. I think many of the State provisions 
are different from State to State. It is not that necessarily 
one is regarded as stronger but, rather, it is different. And, 
for example, if the nature of the information that is the 
subject of a particular State's legislation differs from 
another State, as Senator Pryor indicated, you end up with a 
patchwork quilt. And, in fact, you end up perhaps resulting in 
a delay in informing the consumer until the company can figure 
out exactly what information was taken and whether or not that 
particular State law applies to that information.
    I think that it is really a compliance issue that, 
unfortunately, given the differing State laws, could very well 
result in less consumer protection, not more for that 
particular consumer in the State.
    Senator Sarbanes. Are you telling us that there is a very 
significant compliance issue, that these data collectors, who 
presumably have very sophisticated means of data collection, 
retention, cross-filing, and all the rest of it, cannot comply 
with varying State laws?
    Mr. Schwartz. I am not saying they cannot comply with the 
varying State laws. It makes it much more complex, and it takes 
them more time to comply with State laws that differ from place 
to place. A uniform Federal statute that addresses the identity 
theft provisions and provides for notification to consumers can 
be very well-tailored and be done promptly as opposed to having 
to decide and do an investigation to determine whether that 
particular breach falls within that particular State's law. And 
if you have 50 different State provisions, it could result in a 
significant time lag.
    Senator Sarbanes. Would you anticipate that the substantive 
Federal standard, if you moved in that direction and were to 
preempt, would be at least as strong as the existing California 
standard or even stronger?
    Mr. Schwartz. I think we would have to look at the 
provisions. I think it has to be tailored to specific problems 
of identity theft, and California was the first one that passed 
and it perhaps needs some tweaking.
    Senator Sarbanes. In which direction?
    Mr. Schwartz. In the direction of assuring that it 
identifies the problem and is directed toward solving the 
problem as opposed to being over-inclusive.
    Senator Sarbanes. So you think the California standards at 
the moment are too strict and rigid. Is that correct?
    Mr. Schwartz. I would have to take a look at them and 
compare them to what is being proposed. But I do think, for 
example, if you have to provide a notice for a breach of all 
information, you end up receiving so many notices in the mail 
that, if I were a consumer, I would completely ignore them 
because I am receiving one for any type of breach even though 
it may not result in any harm to me.
    Senator Sarbanes. Well, that leads me into my next 
question, if I could.
    Chairman Shelby. Go ahead, Senator Sarbanes.
    Senator Sarbanes. I won't be long.
    Mr. Ireland, I am reading your testimony, and I notice you 
make reference to the guidance which the Federal banking 
agencies have issued and the final Interagency Guidance on 
Response Programs for Unauthorized Access to Customer 
Information.
    Mr. Ireland. That is correct.
    Senator Sarbanes. The standard there is to notify its 
affected customers where misuse of the information has occurred 
or is reasonably possible. Is that correct?
    Mr. Ireland. That is correct.
    Senator Sarbanes. But I take it it is your position that it 
should be that there is a significant risk of harm. Is that 
correct?
    Mr. Ireland. That is correct.
    Senator Sarbanes. And that is a higher threshold to cross 
with respect to notice--would that be correct?--than the 
existing guidance. If that were the standard, that would 
diminish the number of notices to provide compared with the 
current guidance from the Federal banking agencies. Would that 
be correct?
    Mr. Ireland. I am not sure that would be the case. In the 
banking agency guidance, there is a process created by which, 
when a breach occurs, the bank suffering the breach notifies 
their examiner about the breach, and this is likely to lead and 
typically does lead to a dialogue about whether or not notice 
is required. And so you have an ongoing process with the bank 
regulators about whether or not there is sufficient risk to 
generate notice. I am not sure that the language in the 
guidance completely captures that process. I think if you are 
going to go out and adopt a bill that is supposed to be self-
effectuating, that people are going to adhere without the 
benefit of that dialogue--and that dialogue really cannot occur 
in less regulated institutions. You need a crisper line, and I 
would recommend the significant risk of harm standard there, 
which I think is broadly consistent with what the banking 
agencies have done.
    Senator Sarbanes. Do you think that the guidance they have 
issued is equivalent to significant risk of harm?
    Mr. Ireland. I believe that generally the way the banking 
agencies have implemented that has been consistent. I do not 
have a survey of all of the notifications that have been given 
under that standard, but I think they are generally consistent.
    Senator Sarbanes. So you think you already have a risk-
based standard. Is that right?
    Mr. Ireland. We think we already have a risk-based 
standard--
    Senator Sarbanes. Why in your statement then do you, after 
you set out the guidance of the banking agencies, say that you 
believe that a workable notification law would require 
entities, et cetera, et cetera, to notify individuals upon 
discovering a significant breach of security? Your statement 
seems to carry with it the implication that you do not, at the 
moment, have the significant risk of harm standard?
    Mr. Ireland. We have a standard under 501(b) for customer 
information that is being implemented as I described through a 
process. If I were going to try to articulate the results of 
that process in a bill, as I said, to be self-effectuating, the 
language I would use to describe it would be ``significant risk 
of harm.''
    I would also point out that the 501(b) guidance does not 
capture all of the information that is currently held by banks 
about consumers, and that if you adopt a bill that requires 
notification based on security breaches of consumer 
information, there will be places where that bill would apply 
to banking information that is not covered by the current 
guidance.
    Senator Sarbanes. Mr. Mierzwinski, do you have a take on 
all of this?
    Mr. Mierzwinski. Well, the consumer groups and the privacy 
groups have made it pretty clear that a harm standard or a harm 
trigger would work against giving consumers greater privacy 
rights. We think that the California standard is the proper 
standard to adopt nationally. Lose the information, almost in 
all circumstances provide the notice. But I would certainly say 
that the way that you have described the bank regulator 
guidances is the way we read them and that the industry seeks a 
higher standard which is much more difficult to attain. And I 
would respectfully disagree with Mr. Ireland.
    One of the other issues with harm triggers is the issue of 
whether they apply to identity theft, whether they apply to 
harm, or whether they apply to simple misuse. We believe that 
information can be misused in many ways in addition to identity 
theft. Information can be used to publicly embarrass you. It 
can be used for stalking. It can be used for terrorism. It can 
be used for criminal identity theft as well as financial 
identity theft. Account fraud may not be captured by a 
definition of identity theft.
    So there are a lot of problems with any of these triggers. 
They will all be litigated, and that is just another reason not 
to use them.
    Senator Sarbanes. Thank you.
    Thank you, Mr. Chairman.
    Chairman Shelby. Senator Dodd.

            STATEMENT OF SENATOR CHRISTOPHER J. DODD

    Senator Dodd. Thanks, Mr. Chairman, and thank you and 
Senator Sarbanes for holding this hearing and asserting what I 
think is the appropriate jurisdiction of the Committee over 
this issue. And I thank Senator Pryor in his absence for 
submitting some legislation. It is a complicated area, but 
obviously I was looking over that chart that appeared in the 
Washington Post some time this year--I do not have the exact 
date on it--which identifies at least in the area of 15 million 
accounts that have been exposed to the possibility of identity 
fraud as the result of various problems that have occurred from 
various institutions, going back to February 15 with 
ChoicePoint and the identification fees on assessed accounts, 
145,000, to, of course, the Card Systems hacker on June 18 of 
40 million people. So there is a serious problem, obviously, 
that hangs out here that needs to be addressed. I think you all 
recognize and acknowledge that, and that is up to June. I 
presume those numbers may be even larger today. I do not have 
that information in front of me. So this is a significant issue 
and a tremendously important one for people across the country.
    I have a couple of issues. I want to get to--the last 
question I want to ask you about and have you think about this 
is Katrina and what the credit bureaus are doing for the people 
in the hard-hit areas of the Gulf States to protect their 
credit information as a result of what has happened to them, 
losing a lot of their own documentation, and whether or not 
there are any problems that are emerging here with identity 
theft of people in that region because of the devastation that 
has occurred there.
    But I want to pursue two other issues more generally. Under 
Title V of the Gramm-Leach-Bliley law, financial institutions 
are required to protect their customers' sensitive personal 
information where a customer is defined as a person to whom the 
institution provides a product or service. However, many 
financial institutions have data and information on people that 
are not customers. For instance, I apply for a credit card and 
I provide financial information. I decide or you decide either 
not to grant me a credit card or I decide to do business with 
another company. What do you do with that information about me? 
I am not a customer under Title V of Gramm-Leach-Bliley, but 
there is a lot of information being held by people out there 
now that can be misused, that can be the subject of theft. And 
I would like particularly the representatives of our financial 
institutions here to comment on what happens to that 
information that exists.
    Mr. Ireland. Senator, typically banks protect that 
information the same way they protect customer information.
    Senator Dodd. Are they required to, in your view, under the 
law?
    Mr. Ireland. Under the Gramm-Leach-Bliley guidance, I do 
not think they are required to. Let me make it clear, we are 
happy to live with the standards in the Gramm-Leach-Bliley 
banking agency guidance that we have today, and we are happy to 
apply that to that additional information maintained by banks 
as well as the customer information that is currently subject 
to the guidance.
    Senator Dodd. But there is no legal requirement of you to 
do so, the kind of information I just described?
    Mr. Ireland. Not under the guidance. There is no legal 
requirement under the guidance.
    Senator Dodd. What is being done on----
    Mr. Schwartz. Senator Dodd, with respect to the insurance 
industry, clearly all that information on applications, whether 
the insurance policy is issued or not, is protected, just the 
same way that an insured's information is protected.
    Senator Dodd. Protected because it is a matter of policy of 
the insurance industry but not as a matter of law?
    Mr. Schwartz. Yes. From a reputational risk standpoint, 
that information is just as protected and just as valuable from 
the standpoint of being protected. And, again, the policies and 
procedures will apply across the board to the information 
regardless of whether it is a customer or not.
    Senator Dodd. Do you share that viewpoint?
    Mr. Hammerman. Yes, Senator.
    Senator Dodd. Do you have any comment on this as an area 
that we should maybe look at here in terms of protection of 
consumer information?
    Mr. Mierzwinski. Senator, I think you should look at that 
area, and our testimony goes into detail about two other areas, 
one of which you touched on. The third-party processors, such 
as Card Systems, do not have customers. They are not covered by 
the GLB Act either, although they may be acting as agents of 
regulated entities. And I believe that at least one of the card 
associations has suspended Card Systems for violating its own 
rules. That may not have been enough. It may have been after 
the horse had left the barn, but they did do so.
    The other big area, of course, are the data brokers, and 
ChoicePoint may sometimes be a credit reporting agency or a 
credit bureau, and it may sometimes be covered by Gramm-Leach-
Bliley for other reasons. But as Chairman Majoras has 
testified, they are not covered by Gramm-Leach-Bliley in all 
their businesses. They are essentially unregulated in the view 
of the consumer groups, and they should be regulated more like 
credit reporting agencies under a robust system than merely 
covered by the security rule known as the safeguards rule.
    Senator Dodd. Well, Mr. Chairman, I would invite us to 
maybe look at that as part of our----
    Chairman Shelby. I think that is a very important question.
    Senator Dodd. Let me move, if I can, to one other area. 
Again, I think you have all pointed out this is complicated. 
The freeze issue is one that is--because it is a double-edged 
sword, obviously. It is a benefit obviously to the consumer to 
be able to protect that credit information. The other side of 
that sword is, of course, that same consumer then who wants to 
get a credit card, wants to buy a home, wants to buy a car, 
wants to unfreeze that information or they are not going to get 
what they are seeking or the products they may be pursuing. And the 
industry says--and I hear you, and I am not suggesting it is 
simple. But this is a complicated matter to turn on and turn 
off.
    I want you to walk me through this a little bit. We are in 
the 21st century now, and it seems to me we have--and, again, I 
am old enough now to find all of this terribly complicated, but 
I know there are people smart enough to figure this out. Why is 
it so complicated to do that? Why does that become so hard to 
do? And I realize it can be complicated, and you can go back 
and forth rather quickly. But today, given the technology that 
exists that allows us to be able to transfer trillions of 
dollars at the speed of light, it seems to me the ability to 
respond to the customers that we seek, whose business we enjoy, 
whose hard-earned dollars we take, we cannot do a better job of 
responding to those people today. I mean, 15 million people in 
6 months in this country have been potentially subjected to 
identity theft, and the numbers are growing. And I do not quite 
understand--and I may be terribly naive about this--why the 
industry with all of its sophistication cannot more 
sophisticatedly respond to that consumer who wants to be able 
to engage in that stop-and-go process. Tell me why that is 
difficult. Walk me through it. Do you want to start, Mr. 
Ireland?
    Mr. Ireland. Senator, I think you have to add an extra 
party to the transaction. Under what this Committee and the 
Congress did in the FACT Act, a consumer who thinks they are 
going to be a victim of identity theft can place an extended 
fraud alert on their file, and a creditor opening a new credit 
account has to talk to that consumer, either in person or call 
them on the phone, before they open the account to make sure 
that they are dealing with the right person. Now, that system 
is not infallible. It has been in effect since last December, 
but we think it is working and it is too early to give that up.
    In the security freeze context, in order to go through with 
the transaction you have to add another party to the 
communication. The consumer has to talk not only to the 
prospective creditor but also to the credit bureau and 
authorize the credit bureau to release the information. And 
that all has to happen at the same time.
    We do transfer trillions of dollars around the country by 
wire transfer, but those are over dedicated lines in very 
carefully constructed systems. And my ability to talk to the 
credit bureau from the lobby of an auto dealership when I want 
to buy a car, convince the credit bureau who I am, and then 
have them release the report back to the auto dealer so that 
the auto dealer can use the report to give me a loan is more 
complicated than my talking directly to the auto dealer and the 
auto dealer verifying who I am.
    You might get there at some point in the future, but I 
think right now you have complicated the transaction. It is not 
just auto dealers. It is checkout lines at retail stores where 
they are going to offer you a discount for entering into a 
charge arrangement with them, and numerous other places. And 
that addition of another party creates another link of secure 
communications. You create a triangle instead of a bilateral 
relationship, and that is a challenge.
    Senator Dodd. Any distinction here you want to tell me for 
the life insurance industry or the securities industry?
    Mr. Schwartz. I think Mr. Ireland summarized it very well.
    Senator Dodd. It would be a similar situation where you are 
talking about a trilateral relationship with insurance?
    Mr. Schwartz. Well, somebody who would be applying for 
insurance would have to release the freeze, and then there 
would be a question as to how do you identify the person. So, I 
think you would run into the same potential for unintended 
consequences, and inefficiencies in terms of processing 
applications.
    Senator Dodd. Is the industry thinking about this at all 
and how to, in fact, do this? It seems to me it is a service 
that would be rather attractive in terms of who I do business 
with. If the insurance company I do business with offers this 
service to me to be able to respond to my desires to have that 
credit information available or not available to people, it 
would be a very attractive offer.
    Mr. Schwartz. That would have to be addressed on a company-
by-company basis, Senator, and we would be glad to get back to 
you on that.
    Mr. Hammerman. The only thing I would add from the 
securities industry standpoint is that the industry, as you 
know, is heavily regulated, and there are times that the 
industry may need to tap into that credit report when the 
consumer has put a freeze on for the industry to comply with 
the USA PATRIOT Act or other obligations that it has. So that 
would just be something to look at. But obviously, being able 
to provide this tool to a customer undergoing the difficulties 
of identity theft is important.
    Senator Dodd. Do you want to comment on this?
    Mr. Mierzwinski. Well, I will just say--and I will let 
Stuart have the last word for once after me--I think that 
fundamentally this is the first consumer protection in the 
privacy sphere that has really given consumers control over 
their information. And so there is a philosophical disconnect 
between the industry and the consumers. Really, a lot of our 
privacy laws are in name only. They allow the sharing of 
information as long as disclosure is made. Our industry has 
gotten used to a system where they are in the driver's seat all 
the time. This puts consumers in the driver's seat, and it is 
new, so it is going to take some time. But if you adopt it 
nationwide, I believe that they will make it easier for us 
because it will be in their interest to do so.
    Mr. Pratt. Senator, from our perspective, we are obviously 
the one that has to effectuate the freeze. Let me just remind 
all of us, of course, of a few truths that we have.
    This Committee and other Committees in the Congress and 
ultimately the USA PATRIOT Act Section 326 places obligations. 
That has been mentioned. It is important to know that that is 
out there and that companies must take additional steps to 
verify identities for those purposes, and that inures benefits 
to consumers even into the realm of risk of becoming a victim 
of identity theft.
    Fraud alerts, Mr. Chairman, you have discussed this before, 
and fraud alerts are another flexible choice that you have 
offered consumers today. I can place a temporary alert while I 
am still trying to decide whether I really have a higher level 
of risk. If I am a victim, I can place an extended alert on my 
files. So those choices are out there today.
    So there are many systems today, some of which are just 
brand new with the FACT Act, that are not final, that have not 
been tested large-scale in the marketplace. And this is also 
somewhat true for file freezing, and I think that is important. 
File freezing we think of as being out there for some time. It 
has been in California's law for some time. But in California, 
we only have 9,000 consumers who have frozen their credit 
reports.
    Senator Dodd. I am sorry. What is that again?
    Mr. Pratt. Nine thousand.
    Senator Dodd. Have what?
    Mr. Pratt. Out of 25 million or more consumers who are 
credit active in California, only 9,000 have frozen their 
credit reports. So we have a hard time giving you a good 
granular answer as to does it work, does it not work, how do 
consumers feel about it, how often are they at the countertop. 
What has been described by Mr. Ireland is true, though. If a 
consumer is at the countertop, we still have the question: How 
do you close the transaction at that point? Do you want 
consumers blurting out PIN numbers, if you will, at the 
countertop to the clerk who is hired during the holiday season? 
And how secure is that?
    You will have all the same kinds of challenges that you 
have in the online banking world where you have to authenticate 
consumers. To what extent do you have to deploy a two-factor 
authentication system to ensure that you are really unfreezing 
the file for the real consumer and that you do not at some 
point find that criminals, as has been pointed out, who get 
clever about these things start to chase you down the road a 
little bit further?
    I do not want us to think of file freezing as a panacea 
that somehow definitely cures all the ills, and I think you 
said it very well, Senator. It is complex.
    Our only message here is to say that in the absence of a 
dialogue here at the Federal level, and regardless, really, of 
what you do now or later, the States are continuing to act on 
this. And so our concern is variations of standards. We have 
some States beginning to say, well, you should be able to turn 
it on in X number of minutes. I cannot tell you what an 
anathema we think that is. We might as well just also obligate 
every credit vendor in the country to approve credit 
applications in X number of minutes, irrespective of whether 
the USA PATRIOT Act was complied with or not or irrespective of 
whether we have deployed all the fraud prevention tools or not. 
So those are concerns for us, that, in fact, we are now having 
on a service level performance standards.
    To your point, we will over time, regardless of what the 
Congress does, have to live with some degree of file freezing 
in this country for some percentage of the population. I think 
it will grow next year as a result of legislative activity. And 
we will have to find a way to deploy a system that operates 
with the variations that we see in the States today.
    Senator Dodd. I see Senator Reed is here, and I have taken 
more time here, but I am just curious on the Katrina issue. I 
had asked, Jack, before you walked in, what has happened with 
that at all. Any comments you want to share with us about the 
victims here?
    Mr. Pratt. Absolutely. We have three areas of focus with 
Katrina.
    First of all, the nationwide credit reporting systems have 
each set up toll-free numbers, either dedicated or options for 
Katrina victims specifically. Those toll-free numbers allow you 
access to live personnel up front because we know Katrina 
victims many times have left their homes with little or no 
information, little or no financial information that they 
really need in order to be properly identified. So, I think the 
human touch is very important in those cases.
    All Katrina victims have access to free reports. 
Annualcreditreport.com, the website through which you can 
obtain free reports, one of the elements of the FACT Act that 
was brought forward by this very Committee has been opened up 
so that free reports are available to consumers who can be 
authenticated online. But the key here is that when you cannot 
for some reason, we will have live personnel try to work 
through with you how to get a credit report to you.
    We have a lot of complexity. Are you still--you know, 
unfortunately, because of the new hurricane heading toward 
Houston, we now have a group of Katrina victims who are moving 
out of Houston and moving out of Galveston and some of the 
areas that are affected. So those addresses that might have 
been temporarily set up have now shifted again. And so the key 
is not to have credit reports floating, if you will, out there 
in the Postal Service at the same time. But we are dedicated to 
doing that.
    Second, within the first week of this, we sent out 
communications to more than 16,500 data furnishers, more than 
40,000 discrete contacts within the data furnisher system, 
notifying them of specific guidance on how to use the Metro-2 
data format, the Metro format to report natural disaster as an 
annotation on your credit account. We also explained how you 
could report account deferrals. This was in support of Treasury 
Secretary Snow's advocating lenders take a lenient approach to 
all of this.
    Third, though candidly I hope we never have to use it, we 
have now brought online a new Katrina dispute code so that if, 
in fact, at the end of the day, after all the communications to 
data furnishers, we have the unintended consequence of data 
reported that affects a consumer, we want to be able to 
sensitize that data furnisher very quickly to the fact that 
this is not just a dispute; this is a dispute about a victim of 
the Katrina disaster.
    Senator Dodd. Any evidence of identity theft at all 
occurring in the midst of all of this? It seems like a rather 
open system here, people calling in. I do not want to tie up 
the Committee time on this, but I am a little uneasy. Someone 
calls in and says they are so-and-so, give me my information.
    Mr. Pratt. Rest assured, Senator, the fact that you have 
access to live personnel does not mean that we are going to 
automatically make the decision to turn that credit report over 
to the individual on the call. Protocols that we probably 
should not discuss in a public forum are deployed in order to 
test----
    Senator Dodd. I am curious only because it may apply 
exactly to what we are talking about here in the freeze 
information. If you have found a means by which you can confirm 
information for people who do not have their data that they 
left back in their homes in Louisiana or Mississippi, it might 
be an interesting process to give us some guidance on how to 
address these issues outside of a natural disaster 
circumstance.
    Mr. Pratt. We do not know how easy that is going to be, by 
the way. This is new and uncharted territory. We are going to 
have to have these discussions with consumers along the way. 
Our hope is many of them can be authenticated through 
traditional systems so we do not actually have to move off 
point, if you will.
    Senator Dodd. I appreciate that.
    Thank you, Mr. Chairman. I thank Senator Reed. I took a lot 
of time.
    Chairman Shelby. Senator Reed.
    Senator Reed. Thank you very much, Mr. Chairman.
    Thank you, gentlemen. We are faced with an issue that we 
inevitably confront when we are trying to craft legislation, 
particularly when there are competing State legislative 
schemes, and that is coming with a national standard that is 
adequate, not just a national standard that is there but does 
not provide protection. I know we have talked about the 
California standard.
    And I am curious, I think Mr. Mierzwinski indicated that 
the California standard is something he sees as a good starting 
point, but I would like to get impressions of all the panelists 
about the California standard as a starting point for a 
national standard. One reason is it covers already a 
significant portion of the population. Is that an appropriate 
place to begin, particularly in terms of notification, or what 
things should be added or subtracted? Mr. Pratt?
    Mr. Pratt. From our perspective, the basic operation of 
California is a standard that we apply generally, but I think 
that as has been discussed, California has what is called an 
acquisition standard for its notification trigger. And this is 
where we do digress from, I suppose, the support for a national 
standard for notices to consumers.
    An example would be a laptop is stolen, a laptop is fenced, 
a laptop is recovered in a short period of time, and forensics 
indicates that nothing was done with that laptop. It was never 
even booted up. It was simply sold for cash, and the purpose 
for the crime was simply to get cash and not to use the data.
    The California acquisition standard, on its face in the 
law, would still require that you send every consumer a notice 
saying that your information was breached, although we know 
technically it was not, meaning the forensic analysis would 
tell you otherwise.
    So our only reason for pushing back on that is to make sure 
we do not send notices and create anxiety where anxiety is not 
necessary. What we want to do is make sure the notice is 
targeted to the risk, and I think this has been said several 
times on the Committee. Our goal and the goal that we will have 
to wrestle with is ultimately a goal the Committee has to 
wrestle with, is to make sure that we have the right trigger so 
that we send good, actionable notices, notices that consumers 
open, notices that consumers act on, and that is really the 
only underlying goal for why we push back on a sending notice 
to all consumers type of standard. We believe it has to do with 
remediation and taking actions when you are at risk.
    Senator Reed. Mr. Mierzwinski, can you tell me----
    Mr. Mierzwinski. This is--other than preemption--the status 
of the harm trigger is where the consumer and privacy community 
disagrees the most with the industry. Our view is if you do not 
have an acquisition-based trigger, then you will not have 
companies doing a good job of protecting information in the 
first place. I would prefer that all those laptops have 
encrypted information on them, but then I hear that banks are 
losing laptops without even passwords, let alone laptops that 
are encrypted. So if you force the companies to disclose, there 
will be fewer losses, there will be better protection of the 
information.
    And the second point I made earlier is that 50 percent of 
people do not know where their identity theft came from, and if 
they start getting notices, they start keeping those notices, 
and then they later become a victim of identity theft, they may 
be able to track it backward and more people will find out how 
they became victims if they receive more notices.
    Senator Reed. I do not want to necessarily retrace ground 
you have covered, but I am curious if Mr. Hammerman, Mr. 
Schwartz, and Mr. Ireland have comments. Mr. Hammerman.
    Mr. Hammerman. Thank you. As Mr. Pratt had mentioned, the 
difficulty with the California standard is that being an 
acquisition standard, the result will be an over-notification, 
if you will, even though there is no substantial risk of harm 
of identity theft to the customer. For example, if someone 
misplaces their Blackberry, their hand-held device that might 
have a customer name and phone number, that does not 
necessarily mean that customer is at risk of identity theft or 
other account fraud. Yet, as I understand it, under the 
California standard, a notification would be triggered, and we 
think that is the wrong balance.
    We think having the trigger apply when there is a 
significant risk of harm to the customer, that is the 
appropriate balance.
    Senator Reed. Let me inject one more point, which is, if 
the California standard is not adequate, what is the 
appropriate standard, from those people that would depart from 
that standard?
    Mr. Hammerman. From the securities industry standpoint, we 
would look forward to working with the SEC as a functional 
regulator to develop the details around the concept of 
significant risk of harm of identity theft or other fraud to 
the account.
    Senator Reed. Mr. Schwartz, Mr. Ireland.
    Mr. Schwartz. Senator Reed, actually, the California 
legislation just does not say ``unauthorized acquisition'' 
alone, it says ``unauthorized acquisition of computerized data 
that compromises the security, confidentiality, or integrity of 
the information.'' Those are ambiguous words that may very well 
impose or carry with it a standard of harm. I think the concern 
is the ambiguity and the fact that really you want to send a 
notice when there is a substantial likelihood of harm to 
consumers. So even the California legislation is not entirely 
clear as to what triggers a notification requirement.
    Senator Reed. Mr. Ireland.
    Mr. Ireland. I think I would agree with several of the 
other panelists, and Mr. Mierzwinski and I would probably 
disagree here. We are in favor of a risk-based standard. We 
think that California can be read to be an acquisition 
standard. Mr. Schwartz points out the compromise language, but 
it is not terribly clear what that means. We are concerned that 
California results in over-notification, and therefore it 
lessens the effectiveness of notices.
    Senator Reed. Mr. Pratt.
    Mr. Pratt. Senator, just one last point. If you go to the 
California Office of Privacy, they provide additional guidance 
on what they think the acquisition standard means. That 
acquisition standard looks more like a harm standard, so it is 
very important to look at the California guidance that 
underlies the statutory regime that you have in California.
    Senator Reed. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman Shelby. Senator Carper, do you have any comments?

             STATEMENT OF SENATOR THOMAS R. CARPER

    Senator Carper. I just have a quick question. I apologize 
for missing the hearing. We were having a markup on Homeland 
Security on Katrina, and a number of bills that we are just 
still working on.
    I want to ask maybe one question if I could of the panel, 
Mr. Chairman?
    Chairman Shelby. Go ahead.
    Senator Carper. First of all, thanks for being here and for 
your input. I understand that several States have enacted laws 
to protect the consumers against identity theft, and are now 
enacting laws mandating companies inform consumers when the 
consumer's information has somehow been compromised. I just 
want to ask which State approaches do you think work the best, 
if any, and why? We think of States as laboratories of 
democracy, and to see if there might be a model out there for 
us to emulate, and that is basically what I am asking you to 
help us do, identify if you think they are doing a particularly 
good job. No, not all at once.
    [Laughter.]
    Mr. Ireland. Senator, the lag in responding to your 
question is that it is complicated. All the State laws differ, 
and there are good pieces in a law here and there and I think 
we can very much learn from the States, and much of the 
testimony that has been given here today has been based on 
experience with some of those State laws, particularly 
California.
    I am not sure that I would advocate any particular State 
law as a single model. I think the issue of the way 
notification needs to be given and the factors it needs to 
address are perhaps more complicated and complex than many of 
the States have recognized, but we can certainly learn from 
those States.
    We can also learn from some of the mistakes, because, for 
example, Illinois has a law that says there is no delay for law 
enforcement in notification, even though every other State has 
a law that provides for delay, so that the law enforcement 
people can go try to get the crooks. In the current situation, 
the Illinois law effectively nullifies all the rest of the 
delays in other States, because you give notice in Illinois and 
the cat is out of the bag.
    I think the States have provided a valuable laboratory here 
and we can learn from each of the State laws, but I would not 
pick any particular one and make it the sole model to look to.
    Senator Carper. Do any of the other witnesses want to agree 
with anything that Mr. Ireland has said, or disagree?
    Mr. Schwartz. I would say, Senator Carper, that certainly 
the States do have provisions that we can look to, for example, 
for types of information that would be regarded as sensitive, 
personal information that would be the subject of the 
legislation, the various triggers, so I think there are 
elements in there, and I would agree with Mr. Ireland, that we 
should look to them and consider them and determine whether or 
not they should be applicable.
    But in terms of coming up with a specific State that has 
the magic bullet, I do not think that there is one.
    Senator Carper. Thanks. Others, please?
    Mr. Hammerman. I would agree with what has previously been 
said.
    Mr. Mierzwinski. Senator, the Consumer and Privacy Group 
testimony, Appendix 2, we list all the breach laws. Nine of 
them have no so-called ``harm trigger,'' starting with 
California. We prefer laws without a harm trigger.
    We also list in Appendix 3 all the State security freeze 
laws, and the best one is one that is expected to be signed 
today, which would be New Jersey's, because it makes it easy 
for consumers to selectively unfreeze their credit, and it is 
very inexpensive and it applies to all consumers. Those are the 
kinds of principles we believe in.
    Senator Carper. Thanks.
    Mr. Pratt. From our perspective, we would again agree with 
Mr. Ireland in terms of the characterization. Carrying forward 
your laboratory analogy here, really, it is up to you to find a 
final precipitate to know what it is that should be mixed and 
workable for the entire country. We have great confidence you 
will be able to do that as you have done with many other 
Federal laws that have created national standards.
    And as for file freezing, again, I think it is a dialogue 
that we really just would like to continue to have with all of 
you. We disagree with Mr. Mierzwinski about the merits of the 
New Jersey standard, and in particular find it troubling because it 
creates regulatory powers at a State level over what is a 
nationwide credit reporting system. We think that that is the 
wrong direction in which for us to head.
    Senator Carper. One last quick question, if I could, just 
of Mr. Mierzwinski?
    In recent years we have seen an increase, certainly, in 
the awareness of identity theft and the steps that people can 
take to protect themselves. Do you think consumers have enough 
information about ways to guard against prior financial 
privacy? And if not, what if anything can we do on this 
Committee here in the Congress to further educate people that 
is not being done, and is there something else you can think of 
that the financial services industry should be doing 
themselves?
    Mr. Mierzwinski. That is a big question in terms of 
identity theft and financial privacy. On financial privacy, I 
think the consumer groups are on the record. The Gramm-Leach-
Bliley privacy notices, the problem with them is they are 
rights without remedies, and that is why consumers get 
frustrated. We need to give consumers privacy rights, not 
simply privacy notices.
    In terms of identity theft, I think that consumers are 
starting to become more aware of the problem, but again, more 
information would always be adequate, and we will certainly 
think about ways that we can provide the Committee with greater 
recommendations to educate people about identity theft.
    When you are a victim of identity theft and when you 
contact your credit bureau, they do send you information 
automatically, am I correct?
    Mr. Pratt. That is right.
    Mr. Mierzwinski. That is right. So at the point of contact 
with identity theft you find out about it. However, in advance 
of identity theft there needs to be better ways to find out.
    We have been concerned that some of the companies are 
making money on identity theft, selling credit monitoring 
services. I would point out that this summer the Federal Trade 
Commission fined Experian, one of the big credit bureaus, 
$950,000, for deceiving consumers into obtaining its 
subscription based credit monitoring service, which it was 
marketing as if it were free. So we have to be careful how we 
urge companies to provide information.
    Mr. Pratt. Senator, if I could?
    Senator Carper. Very briefly. I have used up all my time.
    Mr. Pratt. We are mixing apples and oranges here. There was 
a marketing issue that was addressed by the Federal Trade 
Commission, the same Federal Trade Commission that said the 
monitoring services are a good idea. They do serve consumers. 
They are a product in the marketplace. It is like saying that 
home security systems are a bad idea, or OnStar in your car is 
a bad idea. Monitoring services are in the market because we 
have a great market and because we create great products in 
that marketplace, and monitoring services are one of those, and 
millions upon millions of consumers are purchasing them today.
    Senator Carper. Gentlemen, thank you all very much.
    Mr. Chairman, thanks for giving me a chance to ask those 
questions.
    Chairman Shelby. Thank you, gentlemen. This is a very 
informative panel. This is a very complex issue, as we all 
know.
    The hearing is adjourned.
    [Whereupon, at 12:05 p.m., the hearing was adjourned.]
    [Prepared statements, response to written questions, and 
additional material supplied for the record follow:]

                    PREPARED STATEMENT OF MARK PRYOR
               A U.S. Senator from the State of Arkansas
                           September 22, 2005

    Chairman Shelby, Ranking Member Sarbanes, and Members of the 
Banking Committee, I thank you for your kind invitation to testify 
about identity theft and security freeze.
    As you are all aware, identity theft is one of the fastest growing 
financial crimes in the country. According to the Federal Trade 
Commission, almost 10 million people per year become the victims of 
identity theft. It is especially important to my constituents in 
Arkansas. Identity theft is in the top category of reported fraud in my 
State, with over 1,397 cases last year. It is an issue that I have 
cared about since my days as Arkansas Attorney General.
    The Identity Theft Resource Center noted that identity theft 
victims spend on average about $1,500 and expend 600 hours of time to 
restore their credit histories after they realize what has happened to 
them. In addition, this crime costs American business an estimated $48 
billion annually; this must be prevented. A person's sensitive personal 
information is better than gold bullion. It weighs nothing, and in the 
hands of an experienced thief, yields far more wealth than the victim 
may actually possess. And all of our sensitive personal information is 
very vulnerable.
    The California notification law educated every American consumer 
about the difficulties of keeping our sensitive personal information 
safe. Companies can lose it off a truck, accidently expose it, or have 
it stolen from them. It seemed that there was a large breach at every 
turn. First, there was ChoicePoint, then Lexis-Nexis, Card Systems, 
DSW, and the list goes on and on.
    The goal is to make sure that companies adequately safeguard the 
personal information they keep. Then, in the event of a breach or a 
loss of sensitive personal information, we want to make sure those 
consumers are notified as soon as possible so that they can protect 
themselves from the potential identity theft.
    The issue that struck me is that we are not providing consumers the 
tools to protect themselves. And we should give consumers a broad array 
of positive actions they can take to protect their information. An 
ounce of prevention is worth a pound of cure.
    The Federal Government can place as many requirements as they 
please on businesses to protect sensitive personal information, but 
breaches will still happen. Hopefully, after a strong identity theft 
law is passed there will be fewer occurrences, but they will still 
happen. Sensitive personal information is readily available in paper 
sources and public records. Identity thieves will still steal mail and 
dig through trash for sensitive personal information.
    As a quick example, my staff has received 11 prescreened credit 
offers at his home in the past week--several of them for previous 
occupants. It is this environment that spurred me to introduce S. 1336, 
The Consumer Identity Protection and Security Act of 2005, to provide 
the opportunity for consumers to have a choice to place a security 
freeze on their credit reports.
    There is a philosophical tension regarding passage of a national 
security freeze law. Several States have security freeze laws in force 
right now, including California, Louisiana, Texas, Vermont, and 
Washington State, and even more States are considering such a law. 
Maine and Nevada security freeze laws are scheduled to come online in 
the next few months.
    Usually, in this situation, businesses come to Congress looking for 
a national law for uniformity. This is the case in terms of the notice 
issue and safeguarding information, but not when it comes to providing 
security freezes.
    I see the provision of a national security freeze law as the means 
of providing consumers a choice to protect themselves financially and 
to exercise their right to privacy. Security freezes are not for 
everyone. If a consumer enjoys having the ability to apply for instant 
credit and does not wish to surrender that convenience, he or she 
should not place a security freeze on their credit report. On the other 
hand, if you are a consumer that is not interested in instant credit 
and wants to eliminate the possibility of identity theft being turned 
into a tremendous financial loss, then a security freeze may be the 
right tool.
    The constituencies that argue against security freezes make the 
argument that consumers are too accustomed to having instant credit, 
and that having security freezes available to all consumers will have 
unintended consequences, such as missing sales or missing offers with 
short time frames. Or more simply stated, they do not want to lose 
customers for instant credit.
    But what is the danger in giving consumers a choice? The credit 
reporting agencies currently have to honor the security freeze laws for 
California, Louisiana, Texas, Vermont, and Washington. The agencies 
will have to honor the security freeze laws of Colorado, Connecticut, 
Illinois, Maine, and Nevada, so impracticability is clearly not the 
issue.
    There were 21 other States that considered security freeze 
legislation this year, with bills in New Jersey and North Carolina 
waiting for their governor's signature. In fact, technology companies 
in California are currently in the development stage of products for 
one-stop-shopping for consumers who wish to have their credit frozen at 
all three credit reporting agencies. In as little as 60 days, this type 
of one-stop-shopping for consumers could be available to all consumers 
in States where security freeze laws have been enacted.
    People that elect to put a security freeze on their reports are not 
customers for instant credit, just like people who elect to put their 
names on the Do Not Call list are not customers for telemarketers. To 
not provide consumers this choice because they will not understand the 
inconvenience a freeze may cause them does not strike me as a reason to 
deny Americans this protection. If this is truly a concern, educating 
the consumer would solve that problem.
    Another criticism I heard while we were discussing this issue was 
that security freeze legislation would impede necessary functions that 
rely on access to credit reports. After reviewing what the States have 
done, I am convinced that carefully crafted exceptions will ensure that 
the flow of information needed for identity verification, fraud 
prevention, debt collection, government services, and the maintenance 
of prior business relationships can continue in the normal course 
while fully protecting the consumer. 
California and Texas have had security freezes in place since 2003, and 
business continues to be conducted there with no incident.
    Still, credit reports are legitimately needed for fraud protection, 
to collect current outstanding debts, and for the proof of identity. 
Any national security freeze bill has to maintain the ability for 
proper and necessary uses of credit report information.
    Yet another criticism I heard was that a security freeze is the 
same as a fraud alert, which can be placed on a consumer's account from 
the recently passed FACTA. This is not true. Fraud alerts, while 
providing a level of security, are not as comprehensive as a freeze. 
Fraud alerts last only 90 days. In order to get an extended fraud 
alert, a consumer has to prove they have already been victimized by 
providing a police report or an affidavit. In addition, fraud alerts do 
not prohibit the release of a consumer's credit information from a 
consumer reporting agency. There is room for a security freeze option.
    Consumers that wish to have more flexibility in having instant 
credit but want a level of protection can use the fraud alert. If a 
consumer wishes to deal with a level of inconvenience but wants 
certainty that no new credit will be issued from his or her credit 
report, he or she can elect to have a freeze.
    In summary, Mr. Chairman and Senator Sarbanes, I believe that 
strengthening data safeguard and consumer breach notification 
requirements is important to help stop identity theft. But requiring 
businesses to better safeguard data and notify consumers of breaches 
are not the only answers. I believe we must also provide consumers with 
new tools to prevent identity theft. A national security freeze law 
will provide consumers with that additional tool.
    Consumers will have a choice on whether to actively protect their 
credit through affirmative action or to trust credit reporting 
agencies, financial institutions, data brokers, and others to do it for 
them. This is an important choice.
    The option of placing a security freeze on a consumer's credit file 
has proved to be a viable and workable one in several States across the 
country. It is my hope that the Congress will agree to give this choice 
to all consumers across the country to help prevent them from becoming 
victims of identity theft and protect their most important personal 
information.
    I thank the Chairman, Senator Sarbanes, and the Members of the 
Committee for inviting me to give testimony on this issue that is very 
important to me and my constituents. Thank you.

                               ----------

                 PREPARED STATEMENT OF STUART K. PRATT
                           President and CEO
                   Consumer Data Industry Association
                           September 22, 2005

    Chairman Shelby, Senator Sarbanes, and Members of the Committee, 
thank you for this opportunity to appear before the Committee on 
Banking, Housing, and Urban Affairs. For the record, I am Stuart Pratt, 
President and CEO for the Consumer Data Industry Association.
    CDIA, as we are commonly known, is an international trade 
association representing approximately 250 consumer information 
companies that are the Nation's leading institutions in credit and 
mortgage reporting services, fraud prevention and risk management 
technologies, tenant and employment screening services, check fraud 
prevention and verification products, and collection services.
    We commend you for holding this hearing on the financial services 
industry's responsibilities and role in preventing identity theft and 
protecting the sensitive financial information of their customers. You 
have asked the CDIA to provide input on a number of issues that have 
been raised in hearings and legislation this year and in doing so, let 
me begin with some comments on how the Fair Credit Reporting Act \1\ as 
amended by the Fair and Accurate Credit Transactions Act (PL 108-159) 
has already contributed materially to the protection of consumers by 
establishing new duties for the industry and empowering consumers with 
important new rights. It bears noting that these new duties and rights 
are all the more effective and easy for consumers to use because they 
are uniform. We again thank you, Mr. Chairman, Senator Sarbanes, and 
the Committee for the successful effort to set these national standards 
which are necessary to ensure that all consumers continue to enjoy the 
benefits of a nationwide credit reporting system and ultimately a low-
cost, competitive and creative credit marketplace which helps fuel our 
Nation's continued economic expansion.
---------------------------------------------------------------------------
    \1\ 15 U.S.C. 1681 et seq.
---------------------------------------------------------------------------
FACT Act
    By December 1, 2004, all FACT Act amendments made to the Fair 
Credit Reporting Act were effective. As of this date our members had 
brought online a series of nationwide practices which inure particular 
benefits to consumers who may have concerns about identity theft. These 
national standards include:
    Fraud Alerts--These alerts were voluntarily established by our 
members in the mid-1990's. Our members have long believed that fraud 
alerts strike the right balance for consumers who wish to ensure that a 
lender is notified of their concerns about identity verification where 
they have already been or may become victims of the crime of identity 
theft. Consumers recognize that while these alerts can slow down credit 
approval processes, alerts do not stop a transaction and, thus, 
consumers can continue to actively seek out better financial products 
and services whenever they wish.
    The FACT Act created two specific types of fraud alerts. Initial 
alerts stay on the consumer's report for a minimum of 90 days and will 
be placed on the report even when there is just a concern that a person 
might become a victim of identity theft. Creditors which receive this 
alert must take steps to form a reasonable basis that they have 
properly identified the consumer. Extended alerts are placed on the 
consumer's file when he/she presents an identity theft report. This 
alert remains on the consumer's file for a full 7 years and it may 
include contact information for a consumer which can be used as part of 
the identity verification process. Most important to the codification 
of our members' voluntary fraud-alert practice was that the FACT Act 
tied the presence of the alerts to specific duties for the recipients. 
This tying of the consumer reporting agency's duty to place such alerts 
with a corresponding duty for recipients to form a reasonable basis for 
identity verification had never previously been established and our 
members believe that this materially improves upon the fraud alert 
systems that previously existed.
    Active Duty Alerts--Though similar to fraud alerts, active duty 
alerts may only be used by individuals who are serving in an active 
duty capacity for our armed services. These alerts remain on the 
service member's credit report for 12 months and, like fraud alerts, 
are tied to duties for recipients to take steps necessary to reasonably 
identify the identity of the applicant before approving the 
application.
    Address Discrepancy Indicators--The FACT Act also established 
additional protections for consumers in transactions even where a fraud 
alert might not be involved. Specifically, the FCRA now requires that 
where a nationwide consumer reporting agency receives a request from a 
creditor for a credit report and finds that the address submitted by 
the creditor differs materially from the address on the consumer's 
credit report, it must indicate to the creditor that this difference 
exists. Thus, lenders have an additional red flag to consider in 
attempting to properly validate the identity of an applicant. It is 
important to note that changes in addresses are not necessarily a 
strong indication of fraud when one considers that approximately 40 
million addresses change each year in this country. Nonetheless, the 
FACT Act ensured an appropriate focus on address discrepancies by all 
financial institutions and this adds additional protection for 
consumers. While final regulations specifying what a recipient of an 
address discrepancy indicator must do with them are not completed, no 
doubt these indicators are being used by lenders today.
    Identity Theft Reports--The FACT Act also defined the term 
``identity theft report.'' This definition was a key to ensuring that 
victims of identity theft could avail themselves of a number of rights 
under the law even if they were having trouble obtaining a traditional 
police report. The ultimate success of this new definition is in the 
balance struck by the rules which ensure that such reports can be 
readily accessed and used by all victims without creating a situation 
where the reports are hard to verify, misused, or easily forged.
    Identity Theft Reports and Blocking Fraudulent Data--In year 2000, 
CDIA's national credit reporting agency members established a 
nationwide voluntary initiative for victims of identity theft which 
allowed them to submit a police report and request that fraudulent data 
be blocked in victims' reports. The FACT Act codified this initiative 
and expanded it by use of the new ``identity theft report'' definition. 
In enacting this national standard, Congress ensured that all victims 
received the same treatment and that fraudulent data would be removed 
from victims' reports.
    Red Flag Guidelines--Beyond the specific provisions of law 
discussed above, Congress recognized the need to empower regulators to 
develop guidance for financial institutions which is intended to 
encourage the use and accelerate the adoption of a robust combination 
of technologies and business rules to further reduce the incidence of 
identity theft. These guidelines are still under development.
    The fact that the provisions just discussed all operate as national 
standards bears repeating. The Congress was prescient in recognizing 
that fraud prevention and, in fact, regulation of a nationwide system 
of credit reporting and credit markets is best handled through uniform 
national standards. A series of State laws which impede the free flow 
of information across this country cannot possibly achieve the same 
benefit for all citizens wherever they may live. We applaud the 
Congress and the principal sponsors of the FACT Act for the necessary 
focus on the needs of consumers and identity theft victims through the 
establishment of national standards of practice.
    In closing our discussion of national standards under FCRA, I am 
reminded of the fact that the FCRA itself remains the only law which 
directly regulates our members operating as consumer reporting 
agencies. The national standards reauthorized and established by the 
FACT Act were critical to our nationwide members and it remains vitally 
important that our members operating as consumer reporting agencies are 
regulated under this single set of national standards, law, and 
regulation.
Information Security and Consumer Notification
    Beyond the FACT Act's many new protections and rights for 
consumers, the security of sensitive personal information held by 
nonfinancial institutions has been the focus of debate in a number of 
House and Senate Committees. In fact, this Committee was the first to 
hold hearings on breaches of sensitive personal information and 
ultimately there are two key themes on which to focus:

 Ensuring the security of sensitive personal information; and
 Sending consumers meaningful notices of a breach of sensitive 
    personal information when there is a significant risk of identity 
    theft.

    Information security and requiring consumer notification if the 
loss of information poses a significant risk are not new areas of focus 
for this Committee, which has traditionally taken a leadership role on 
information policy. Most recently, enactment of the Gramm-Leach-Bliley 
Act \2\ (GLB), Title V, included a requirement \3\ that Federal agencies 
write regulations \4\ for securing and protecting nonpublic personal 
information, including taking into consideration when a loss of such 
information should lead to consumer notification. The FTC published its 
final rule on May 23, 2002, and it became effective on May 23, 
2003.\5\
---------------------------------------------------------------------------
    \2\ 15 U.S.C. 6801-6809 (Financial Privacy).
    \3\ See Section 501(b) of Title V, PL 106-102.
    \4\ See 15 U.S.C. 6801(b), 6805(b)(2).
    \5\ 16 CFR Part 314, Standards for Safeguarding Customer 
Information; Final Rule.
---------------------------------------------------------------------------
    The discussion of safeguarding sensitive personal information and 
notifying consumers when there is a substantial risk of identity theft 
has expanded beyond the boundaries of financial institutions. It is our 
view that rational and effective national standards should be enacted 
both for information security and consumer notification as it applies 
to sensitive personal information, regardless of whether the person is 
a ``financial institution.''
    Safeguarding Sensitive Personal Information--GLB's statutory 
framework for safeguarding sensitive personal information is equally 
well-suited to information safeguards for sensitive personal 
information held by any person not otherwise defined as a financial 
institution. Under this approach, the FTC would promulgate rules for 
any nonfinancial persons just as they did under GLB. To ensure that 
there is absolute regulatory continuity between the applicable 
provisions of GLB and rules therein and new information security 
standards and rules, financial institutions which are compliant with 
their obligations under GLB should be deemed in compliance with any new 
requirements. Any new standards for nonfinancial entities should be 
substantially similar to those required by the GLB safeguard rule.
    Consumer Notification--Consumers should receive notices when their 
sensitive personal information is breached and there is a significant 
risk of identity theft. While there are many details which go into 
creating an effective notification requirement, a fundamental element 
is making sure that it does not result in either over-notification, or 
too few notices sent where there is a significant risk to the consumer.
    We believe that the general guidance provided this year by FTC 
Chairman Majoras in her testimony before a number of Congressional 
Committees regarding the appropriate ``trigger'' for a notice is on 
point. That is, notices should be sent when there is a significant 
risk of harm. In our view, harm is best defined as significant risk of 
identity theft. A poorly structured trigger leads to over-notification, 
which erodes the effectiveness of each subsequent notice sent to a 
given consumer. If notices are not tied to events that truly pose 
significant risks they will be ignored by many consumers who may become 
anesthetized to the importance of them.
    Further, consumer reporting agencies as defined under FCRA Section 
603(p),\6\ are affected by the volume of even legitimate breach notices 
(in addition to those that result from over-notification). The national 
systems' contact information is consistently listed in notices going to 
consumers. If you add up even just a few of the high-profile breaches 
which have taken place over the course of this year, it is easy to come 
up with tens of millions of notices containing our members' contact 
information. Thus, we believe that when a breach results in more than 
1,000 notices to consumers, the company that breached the sensitive 
personal information should:
---------------------------------------------------------------------------
    \6\ The Fair Credit Reporting Act: 15 U.S.C. 1681 et seq.

 Notify each nationwide consumer reporting agency of this fact 
    and provide the estimated number of notices to be sent;
 Notify each other consumer reporting agency whose contact 
    information will be listed in the notice; and
 Confirm the contact information that should be used for each 
    listed consumer reporting agency. Our members report that there 
    have been times when incorrect telephone numbers have been listed 
    on notices.

    A well-reasoned national standard for information security for 
sensitive personal information, coupled with effective notices where 
such information is breached by a party can contribute materially to 
the reduction in risk for all consumers.
Credit Report/File Freeze
    You have also asked us to provide background on and discuss our 
views of the trend in State laws often termed ``credit report freeze,'' 
``file freeze,'' or ``security freeze.'' First, it is important to 
clarify that a freeze is not a fraud alert as enacted by the FACT Act. 
It is also important to understand how a file freeze operates based on 
our experience with current State laws.
    A fraud alert accompanies a credit report sent to a lender and as 
such, a lender is notified of the consumer's concern. With a fraud 
alert, the lender can still process the application, though it will 
take additional measures to ensure that a consumer is properly 
identified before doing so. In contrast, a file freeze empowers a 
consumer to request that a consumer reporting agency not provide the 
credit report for a ``new business'' transaction such as an application 
for credit and, thus, the transaction cannot be completed.
    File freezes are not absolute and consumers can request that a 
freeze be lifted temporarily for a period of time (for example, for 30 
days). Depending on when and in what manner the request is received, 
this temporary lift does not happen instantaneously and consumers have 
to remember to make their request for a temporary lifting of the freeze 
to the consumer reporting agency prior to making an application for 
credit.
    All State laws and proposals allow consumer reporting agencies to 
charge a fee for placing or lifting a freeze (how and where fees are 
charged varies by State). Our members have viewed the right to charge a 
fee for the placement of a freeze and for each temporary lifting of a 
freeze as a matter of equity where such laws are enacted. California 
agreed with this principle when it enacted the first law in the 
country. Throughout the FACT Act hearings, time and time again this 
Committee heard testimony regarding the value that the credit reporting 
system brings to individual consumers. Simply put, credit reports lower 
credit costs, by lowering risk. Credit reports empower consumers and 
lead to the robust credit economy that benefits all consumers.
    In the past several months, Federal legislation has been introduced 
which would codify the right of consumers to freeze the release of 
their credit reports and/or certain additional sensitive information 
under certain circumstances. These measures are S. 1408, introduced by 
Senator Gordon Smith on July 14, 2005 which was marked up and reported 
out of the Senate Commerce Committee on July 28, 2005, and S. 1336 
introduced by Senator Mark Pryor on June 29, 2005 and referred to the 
Senate Commerce Committee.\7\ On July 21, 2005, Senate Banking 
Committee Chairman Richard Shelby introduced a virtually identical 
measure as S. 1336.\8\ That bill was referred to the Senate Banking 
Committee. The Federal measures follow significant State activity over 
the past several years in this area. Currently, twelve states have 
enacted file freeze laws (California, Colorado, Connecticut, Illinois, 
Louisiana, Maine, Nevada, New Jersey, North Carolina, Texas, Vermont, 
and Washington). Since 2003, all but approximately 10 States have had 
file freeze measures introduced and though some have rejected the 
concept, this past year 7 States enacted new law. It is expected that 
there will be significant State activity in this area in 2006. The 
State laws vary in terms of substantive scope and operational elements. 
The measures contain different standards in the following key areas: 
(1) the circumstances under which consumers may request a freeze; (2) 
the extent to which consumer reporting agencies are required to notify 
other CRAs or entities which report affected information; (3) the 
extent to which certain information is exempt from a freeze; (4) the 
timetables within which freezes must be imposed or removed; (5) whether 
there are limits on amounts that can be charged to freeze or unfreeze 
reports; and (6) the scope of liability for violations of the freeze 
laws. Though some file freeze provisions of State laws have been 
effective for years, our experience with them remains very limited. For 
example, we estimate that just a little over 9,000 California consumers 
have made use of the file freeze. With a population of more than 25 
million credit-active Americans, this population of frozen credit 
reports yields no useful information regarding the individual consumer 
experience. Most State laws are very recent enactments and, thus, we 
also have no experience with consumers moving in and out of States 
where the file can and cannot be frozen.
---------------------------------------------------------------------------
    \7\ Note that file freezing is only one of a range of issues 
addressed in this bill.
    \8\ The following quote by Senator Shelby drawn from the 
Congressional Record explains the Senator's motivations for the 
introduction of this bill:

    ``Mr. President, I rise today to introduce the Consumer Identity 
Protection and Security Act. This legislation provides consumers the 
ability to place credit freezes on their credit reports. Mr. President, 
my sole intent in introducing this legislation is to address a 
jurisdictional question that has recently arisen with respect to the 
Fair Credit Reporting Act. I want to make sure that the referral 
precedent with respect to legislation that amends the Fair Credit 
Reporting Act, or touches upon the substance covered by that Act, is 
entirely clear. I believe the Parliamentarian's decision to refer this 
bill to the Senate Banking Committee establishes that there is no 
question in this regard and that this subject matter is definitively 
and singularly in the jurisdiction of the Senate Banking Committee.''
---------------------------------------------------------------------------
    The merits of file freezing have been heatedly debated in many 
State legislative forums and in media. Some States have in fact 
rejected file freezes. The consumer reporting industry has often been 
quoted as expressing concerns about the rigidity of freezes, which 
operate in stark contrast to fraud alerts, where transactions can 
continue under a ``caution flag.'' However, it is our view that as the 
number of State law enactment climbs, disparate State law file freeze 
provisions will increasingly affect the seamless operation of our 
Nation's credit reporting system which the FACT Act sought to preserve 
through the reauthorization of existing and establishment of additional 
national standards. Thus, in the context of significant State 
legislative activity, an increasing number of State file freeze laws, 
and also a country where 40 million consumers' addresses change each 
year, with many consumers moving across State lines, we must continue 
to monitor the risks to our nationwide credit reporting system and 
engage in an ongoing Federal dialogue about how best to preserve the 
efficiency and economic benefits that were protected first by the 
enactment of the FACT Act.




                 PREPARED STATEMENT OF IRA D. HAMMERMAN
               Senior Vice President and General Counsel
                    Securities Industry Association
                           September 22, 2005

    The Securities Industry Association \1\ (SIA) welcomes the 
opportunity to testify concerning the financial services industry's 
responsibility to prevent identity theft and to protect the sensitive 
financial information of its customers. Maintaining the trust and 
confidence of our customers is the bedrock of our industry. The long-
term success of our markets depends on customers feeling confident that 
their personal information is secure, and we therefore devote enormous 
time and resources to the protection of customer data. We are, however, 
concerned that the expanding patchwork of State--and local--laws 
affecting data security and notice will make effective compliance very 
difficult for us and equally confusing for consumers.
---------------------------------------------------------------------------
    \1\ The Securities Industry Association brings together the shared 
interests of approximately 600 securities firms to accomplish common 
goals. SIA's primary mission is to build and maintain public trust and 
confidence in the securities markets. SIA members (including investment 
banks, broker-dealers, and mutual fund companies) are active in all 
U.S. and foreign markets and in all phases of corporate and public 
finance. According to the Bureau of Labor Statistics, the U.S. 
securities industry employs nearly 800,000 individuals, and its 
personnel manage the accounts of nearly 93 million investors directly 
and indirectly through corporate, thrift, and pension plans. In 2004, 
the industry generated $236.7 billion in domestic revenue and an 
estimated $340 billion in global revenues. (More information about SIA 
is available at: www.sia.com.)
---------------------------------------------------------------------------
    Data security and notice are the legacy of precedents set by the 
passage, in 1999, of the Gramm-Leach-Bliley Act (GLB), which this 
Committee was so instrumental in passing. We therefore applaud your 
leadership, Chairman Shelby, and that of Senator Sarbanes, in holding 
this hearing today. We are pleased that your Committee, given its 
breadth of understanding of the financial services industry, is 
actively reviewing these important data security issues.
    As you know, at least four other Congressional Committees--the 
Senate Commerce Committee, the Senate Judiciary Committee, the House 
Financial Services Committee, and the House Energy and Commerce 
Committee--are currently actively involved in drafting legislation 
addressing many of these same issues, each with the intent to move 
their bills to the floor.
    We are hopeful that, as a result of the review you and your 
colleagues are embarking upon today, you will agree with the conclusion 
that we and many others have reached--that the problem of data 
security, especially in this unique time, is a distinct Federal 
responsibility that requires a targeted Federal legislative and 
regulatory response. In light of the increasing number of disparate 
Federal and State legislative proposals, we urge this Committee to 
strike the appropriate balance that addresses both the concerns of 
American consumers threatened by identity theft and the duty of those 
of us in the financial services industry to provide meaningful 
protections.
    Since 1999, SIA, through its member firm committees and working 
groups, has addressed the issues surrounding the protection of consumer 
financial information. During this period, SIA representatives have 
engaged in a dialogue with the Securities and Exchange Commission (SEC) 
staff to discuss the industry's requirements under the privacy 
provisions of GLB, including obligations to secure sensitive consumer 
information. In this regard, an SIA committee, comprised of 
representatives from 18 broker-dealers, meets regularly to discuss and 
focus on issues relating to the use, sharing, safeguarding, and 
disposal of personal customer information.
    SIA and its membership have identified six fundamental principles 
that we hope this Committee will consider in drafting data breach 
legislation. Before turning to them, however, we wish to underscore our 
considered view that all businesses that have custody of sensitive 
personal information have a responsibility to provide data security 
measures commensurate with the sensitivity and nature of the data, and 
to notify consumers whenever a breach of security creates a significant 
risk of identity theft to the consumer. All businesses should protect 
the information that consumers provide to them, and justify the trust 
those consumers place in them by doing so.
    Federal legislation addressing these duties must be carefully 
targeted to ensure that it is meaningful and can be speedily enacted. 
Legislation that extends beyond data breach, possibly into unrelated 
areas of privacy, will inevitably slow down the legislative process and 
delay, if not lessen, the chances for a prompt and appropriate 
Congressional response.
Overview
    As the Committee is well aware, Section 502(b) of GLB generally 
prohibits financial institutions from disclosing ``nonpublic personal 
information'' to nonaffiliated third parties without first providing 
those consumers with an opportunity to ``opt out'' of such a 
disclosure. In addition, and even more relevant to the issues being 
addressed here today, Section 501(b) of GLB specifically requires 
financial institutions to implement appropriate ``administrative, 
technical, and physical safeguards'' designed to protect the security 
and integrity of their customer information. Congress fully recognized 
the inherent obligation of financial institutions to protect consumer 
information when it drafted Title V. To that end, and pursuant to GLB, 
on June 22, 2000, Regulation S-P was issued by the SEC.\2\ This 
regulation requires every broker-dealer, investment company, and 
investment adviser registered with the SEC to adopt written policies 
and procedures designed to institute administrative, technical, and 
physical safeguards for information pertaining to sensitive customer 
records and information. In addition, broker-dealers are subject to 
periodic examination by the SEC and Self Regulatory Organizations for 
compliance with Regulation S-P.
---------------------------------------------------------------------------
    \2\ 17 CFR Part 48.
---------------------------------------------------------------------------
    Earlier this year, the Federal Deposit Insurance Corporation, the 
Office of Thrift Supervision, the Office of the Comptroller of the 
Currency, and the Board of Governors of the Federal Reserve System 
collectively issued interagency guidance, again pursuant to Title V of 
the GLB, which sets forth certain affirmative obligations aimed at 
protecting sensitive financial information and notifying customers in 
the event of a security breach (Interagency Guidance).\3\
---------------------------------------------------------------------------
    \3\ See Interagency Guidance on Response Programs for Unauthorized 
Access to Customer Information and Customer Notice, 70 Fed. Reg. 
15,736-54 (Mar. 29, 2005).
---------------------------------------------------------------------------
    As the functional regulator for the broker-dealer industry, the SEC 
is similarly well-situated to issue guidance for broker-dealers, and 
SIA looks forward to working with this Committee, SEC Chairman Cox, and 
the SEC staff in determining how best to construct a notification 
regime that considers the likely effect of notification thresholds 
currently in effect in various State data security breach notification 
statutes. Specifically, as we discuss in more detail below, we would 
urge that the Committee consider a standard that links an obligation to 
notify consumers in the event of a breach with the crime of identity 
theft. We are concerned that any notification threshold that the 
Committee might consider for application to the broker-dealer industry 
should be tied to an actual threat to the consumer to which he or she 
might reasonably and effectively be expected to respond, and we believe 
that functional regulators (like the SEC) are best-suited to monitor 
how industry conforms to statutory requirements.
    In considering legislation relating to data breach, SIA believes 
that the Committee should create a statutory framework under which 
regulations can properly and effectively be promulgated. In doing so, 
we urge the Committee to consider the following six principles:

 a clear national standard to achieve a uniform, consistent 
    approach that meets consumer expectations;
 trigger for consumer notice tied to significant risk of harm 
    or injury that might result in identity theft;
 a precise definition of sensitive personal information tied to 
    the risk of identity theft;
 exclusive functional regulator oversight and rulemaking 
    authority;
 flexible notification provisions; and
 reasonable administrative compliance obligations.
Principles for Legislation
Uniform National Standards
    As of this morning, a total of 19 States--and one major 
metropolitan area, New York City--have passed security breach 
notification laws, and a number of other States are poised to consider 
legislation in this area. Very few States provide exceptions to 
coverage for functionally regulated entities at the Federal level. 
Although much of the early legislation enacted in the States was 
modeled after California's 2002 security breach notification law, which 
was the first in the Nation, States are increasingly enacting much 
broader legislation that differs in many respects from the original 
California law.\4\
---------------------------------------------------------------------------
    \4\ The California legislation, S.B. 1386, was enacted in 2002 and 
went into effect on July 1, 2003.
---------------------------------------------------------------------------
    For example, New York City enacted three laws in May, marking the 
first instance of a locality enacting an ordinance placing affirmative 
obligations on businesses to safeguard data, dispose of it in a secure 
manner, and notify consumers in the event of a security breach. In 
addition, New York City also authorized the Commissioner of the New 
York City Department of Consumer Affairs to ``refuse to issue or 
renew'' any business license to any New York City business applicant or 
licensee if there are, among other things, ``two or more criminal 
convictions within a 2-year period of any employees or associates of 
the applicant or licensee for acts of identity theft or unlawful 
possession of personal identification information.'' Additionally, any 
licensed business must ``immediately notify the department upon the 
occurrence'' of a judgment or conviction against any employee, or the 
business itself, of any one of several enumerated offenses. These laws 
all went into effect 3 days ago, on September 19, 2005.
    Although some of these New York City provisions will likely be 
preempted by the recently enacted New York State data security breach 
bill, the provisions authorizing the denial of business licenses may 
not be preempted due to the construction of the preemption clause in 
the New York State legislation. The clear implication to regional and 
national businesses of this law is that, potentially, 100,000 or more 
localities in the United States may similarly decide to seek passage of 
their own data security compliance regimes, further complicating the 
compliance obligations of businesses that operate in more than one 
locality across the Nation. To this point, apart from the California 
and New York legislation, no other State has specifically incorporated 
provisions into their legislation preempting local branches of 
government within their States from instituting their own data security 
legislation.
    From a policy perspective, a patchwork of 19 (and likely more) 
State laws, let alone those of potentially thousands of localities, 
does not and will not serve the public interest. In fact, the 
multiplication of State and local laws is likely to exacerbate the 
confusion and potential harm to consumers. Consumers in different 
States would be subject to different security standards and levels of 
notification despite the fact that the harm they may suffer as a result 
of a security breach at the same institution is identical. 
Additionally, businesses would be subject to such an array of 
obligations, which would be ever-shifting, that they may not be able to 
comply in one jurisdiction without running afoul of the obligations 
imposed on them in another.
    For these reasons, SIA strongly urges that this Committee act 
quickly to create and obtain passage by Congress of legislation that 
results in a uniform national standard without subjecting the industry 
to a myriad of conflicting State and local laws.
Harm/Injury Trigger For Notice
    A principal benefit to uniform national standards is the creation 
of a consistent definition for a trigger that results in the 
notification of consumers in the event of security breaches. SIA 
recommends that the Committee create a statutory framework that defines 
a reasonable and balanced notification trigger to be activated 
following a breach of security. Specifically, consumers must be 
notified when there is a ``significant risk'' that they will become 
victims of identity theft.
    Under the California breach notification law, for example, the 
unauthorized acquisition of sensitive information--regardless of 
whether any harm has or could result from its acquisition--creates an 
obligation for the custodian of that data to notify consumers that it 
has been so acquired. The Interagency Guidance issued this year 
proposed that consumer notifications be issued whenever it was 
reasonable to expect that the data would be misused in a manner 
creating substantial harm or inconvenience to a consumer.\5\ Of course, 
companies are always free to unilaterally issue notifications whenever 
they feel it is appropriate to do so. However, a Federal mandate should 
be linked to some demonstrable risk of harm to the consumer, such as 
the possible theft of the consumer's identity. Notification in the wake 
of each incident of data breach, without regard to significant risk of 
identity theft that might result, could well have the counterproductive 
effect of overwhelming customers with notices that bear no relation to 
significant risk, and therefore might not only needlessly frighten and 
confuse people, but also likely desensitize them to future notices 
altogether.
---------------------------------------------------------------------------
    \5\ In testimony before the Senate Commerce Committee this past 
June, Federal Trade Commission (FTC) Chairman Deborah Majoras observed 
that neither the ``unauthorized acquisition'' standard of California 
law nor the ``misuse'' standard of the Interagency Guidance is optimal. 
Instead, she and her colleagues on the FTC suggested a different 
standard, one in which notifications would automatically go to 
customers when a significant risk of harm to them exists as a result of 
the breach. See Prepared Statement of the FTC before the Committee on 
Commerce, Science, and Transportation on Data Breaches and Identity 
Theft (June 16, 2005).
---------------------------------------------------------------------------
    Linking the notice trigger to a significant risk of harm strikes 
the appropriate balance for both consumers and financial institutions 
alike. Specifically, before a broker-dealer is required to notify 
potentially great numbers of customers of a security breach, it should 
be obligated to make a determination, following a reasonable 
investigation, that a significant risk of identity theft has occurred 
or could occur as a result of the breach. SIA recommends that the 
actual formulation for the notification trigger should be determined by 
functional regulators, through rulemaking. In the case of broker-
dealers, the SEC is in the best position to make that determination.
Precise Definition of Sensitive Personal Information
    As noted previously, 19 States and one locality have already passed 
laws imposing consumer notification requirements in the event of a 
security breach. In many of these States, the scope of the information 
covered by the laws varies widely. For example, Arkansas and Delaware 
have expanded California's definition of ``personal information'' to 
include medical information, while the definitions in the Illinois and 
Maine statutes include account numbers, regardless of whether they are 
accompanied by the security code required to access the account.
    New York State's recently enacted law expands the definition of 
covered personal information even further, to include ``any information 
concerning a natural person which, because of name, number, personal 
mark, or other identifier, can be used to identify such natural 
person,'' when acquired in combination with a Social Security number, 
driver's license or State identification number, or account number with 
a password or access code. Additionally, New York City's ordinance 
covers all forms of data, whether on paper or computerized, and whether 
encrypted or not. In addition, the North Carolina legislature 
unanimously passed a law just last month, which now awaits only the 
governor's signature, that would specifically cover ``personal 
information in any form (whether computerized, paper, or otherwise).'' 
This raises a question as to whether oral statements containing 
personal information are also covered by the impending North Carolina 
data security and notification law.
    SIA believes that the scope of the type of information that 
underpins any notification obligation should be carefully defined so 
that the obligation to notify only arises when the sensitive personal 
information acquired in the breach can actually be used to perpetrate 
the crime of identity theft upon a consumer. For instance, in the 
absence of a key, encrypted information is useless to others who 
acquire it and should be excluded from the definition of sensitive 
personal information, as it was in the California law. Consumers would 
benefit more from a specific definition of covered personal information 
which includes combinations of identifying data, as opposed to a broad 
definition that includes any single piece of information which could 
not alone be used to steal a consumer's identity.
Exclusive Functional Regulator Oversight and Rulemaking Authority
    Given the existing regulatory framework of GLB and the depth of 
expertise of the functional regulators in dealing with issues like 
identity theft and data security, any legislation should continue to 
recognize the primary role of the functional regulators in addressing 
these issues by granting them exclusive rulemaking and oversight 
authority.
    Functional regulators are in the best position to evaluate the 
risks for consumers served by each sector of the financial services 
industry and to determine the specific consumer protection measures 
that best address them. Functional regulators also have the expertise 
to adjust these protections over time as threat levels change and the 
industry's ability to respond evolves. Likewise, functional regulators 
have the ability to examine the institutions they regulate for 
compliance and sanction those not in compliance. Accordingly, 
legislation addressing the security of data held by securities firms 
and other financial institutions subject to GLB should provide that the 
functional regulators of these institutions have the exclusive 
authority to develop and enforce appropriate regulations.
Flexible Notification
    The number and variety of security breaches reported in the press 
over the past 8 months have made clear that the optimal means of 
notification will vary with the type and scope of security breach.
    Accordingly, SIA suggests that businesses should be permitted to 
deliver the customer notice in any timely manner designed to ensure 
that a customer can be reasonably expected to receive it. The specific 
requirements of any notification process should be determined by the 
functional regulators whose unique expertise will allow them to 
determine the optimal means of notification.
Reasonable Compliance Obligations
    Security breaches may occur through no fault of the business and 
despite the existence of reasonable safeguarding measures. As Deborah 
Majoras, Chairman of the FTC, said when she testified before the Senate 
Commerce Committee this past June, ``It is important to note . . . that 
there is no such thing as perfect security, and breaches can happen 
even when a company has taken every reasonable precaution.'' When that 
happens, businesses should be permitted to 
raise as an affirmative defense that they have acted in good faith and 
implemented systems to reasonably comply with applicable regulations. 
This opportunity will create incentives for businesses to better secure 
data and reward those who have already taken such steps.
    SIA supports a compliance regime that is both reasonable and 
predictable, with appropriate administrative liability for those 
businesses that fail to take the appropriate measures to protect 
sensitive consumer information. Given the complexity of the issues 
surrounding a data breach, and the intimate knowledge that functional 
regulators have about the financial services industry, SIA believes 
that any bill the Committee drafts should provide for administrative 
enforcement only.
Conclusion
    American consumers and industries are currently facing a major 
threat from criminals, including potential terrorists, who seek to 
perpetrate identity theft. The financial services industry takes very 
seriously its duty to safeguard the sensitive financial information 
that pertains to its customers. The damage created by incidents of 
identity theft and other kinds of fraud is not only an attack on 
consumers, but also of serious concern to businesses whose reputations 
inevitably suffer from security breaches and who must bear the cost of 
the fraud in both lost customers and reduced confidence in their brand.
    We believe that to resolve these issues, the Banking Committee 
should work to create carefully targeted legislation that embodies the 
principles we have outlined above. SIA is eager to serve as a valued 
resource for the Committee in this endeavor, and welcomes the 
opportunity to work with the Committee and its staff as it continues 
this critically important work.
    Mr. Chairman, thank you again for the opportunity to testify before 
the Banking Committee today. I welcome your questions, and those of 
your colleagues, and will endeavor to answer them fully and completely.

                               ----------

               PREPARED STATEMENT OF GILBERT T. SCHWARTZ
                     Partner, Schwartz & Ballen LLP
                            On Behalf of the
                   American Council of Life Insurers
                           September 22, 2005

Introduction
    Chairman Shelby, Ranking Member Sarbanes, and Members of the 
Committee, I am Gilbert Schwartz, Partner in the Washington DC law firm 
of Schwartz & Ballen LLP. I am appearing before the Committee today on 
behalf of the American Council of Life Insurers (ACLI) to discuss the 
life insurance industry's responsibilities and role in preventing 
identity theft and protecting sensitive financial information.
    ACLI is the principal trade association for the Nation's life 
insurance industry. ACLI's 356 member companies account for 80 percent 
of the life insurance industry's total assets in the United States. 
ACLI member companies offer life insurance, annuities, pensions, long-
term care insurance, disability income insurance, reinsurance, and 
other retirement and financial protection products.
    This hearing represents another chapter in this Committee's long-
standing commitment to the protection of consumer information and to 
the prevention of identity theft, as evidenced by the Committee's 
central role in the enactment of the Gramm-Leach-Bliley Act (the GLB 
Act) and the Fair and Accurate Credit Transactions Act of 2003 (the 
FACT Act). ACLI appreciates the opportunity to discuss with the 
Committee the important role that life insurers play in protecting 
sensitive financial information of our policyholders and in preventing 
identity theft.
Background
    The issue of preserving the confidentiality and security of 
customer information is a critically important matter for our country. 
It is significant not only to the Nation's economic well-being, but 
also to insurers and other financial institutions that use this 
information to provide vital services to our country's consumers. Due 
to the inherent nature of the life insurance business, ACLI member 
companies obtain and maintain sensitive personal information about 
their policyholders and insureds. The life insurance industry has long 
recognized the importance of maintaining and protecting the 
confidentiality and security of this information and ensuring that it 
is not otherwise compromised.
    Life insurers have long been committed to establishing and 
maintaining processes that protect sensitive customer information and 
to preventing misuse of such information. Insurers expend considerable 
resources to achieve these objectives. They recognize that 
policyholders expect insurers to protect their confidential personal 
information. Life insurers' recognition of the need to protect customer 
information predates enactment of the GLB Act. Indeed, ACLI and its 
members were, and continue to be, strong supporters of Title V's 
privacy provisions.
The Gramm-Leach-Bliley Act
    Title V of the GLB Act sets forth the Congressional policy that 
every financial institution has an affirmative and continuing 
obligation to protect the security and confidentiality of personal 
information of its customers. The institution's primary supervisor is 
required to establish appropriate safeguards relating to 
administrative, technical and physical safeguards to ensure the 
security and confidentiality of such information, to protect against 
anticipated threats or hazards to the security or integrity of the 
information and to protect against unauthorized access to, or use of, 
such records that could result in substantial harm or inconvenience to 
customers.
    The Federal agencies with supervisory authority over financial 
institutions have adopted comprehensive guidance or rules implementing 
the GLB Act's data security provisions.\1\ In addition, 34 States have 
adopted comprehensive regulations or statutes which establish standards 
for safeguarding customer information by insurers. The State 
requirements generally track the National Association of Insurance 
Commissioners' Standards for Safeguarding Customer Information Model 
Regulation and are consistent with the Federal guidance.
---------------------------------------------------------------------------
    \1\ See 66 Fed. Reg. 8615 (February 1, 2001) (Office of the 
Comptroller of the Currency, Federal Reserve Board, Federal Deposit 
Insurance Corporation, and Office of Thrift Supervision); 66 Fed. Reg. 
8152 (January 30, 2001) (National Credit Union Administration); and 67 
Fed. Reg. 36484 (May 23, 2002) (Federal Trade Commission).
---------------------------------------------------------------------------
    Under State law and regulation, life insurers are required to 
implement a comprehensive written security program that includes 
administrative, technical, and physical safeguards for the protection 
of customer information. The program must be appropriate to the size 
and complexity of the insurer and to the nature and scope of its 
activities. The program must also be designed to ensure the security 
and confidentiality of customer information, protect against any 
anticipated threats or hazards to the security or integrity of customer 
information, and protect against unauthorized access to, or use of, 
customer information that could result in substantial harm or 
inconvenience to customers. Insurers also require that companies from 
which they receive operational services maintain rigorous information 
security programs that meet the requirements of the GLB Act.
Identity Theft and the FACT Act
    Consumers are very concerned with the issue of identity theft. The 
Federal Trade Commission has reported that the number of identity theft 
complaints rose to almost 250,000 in 2004, an increase of 15 percent 
from 2003. Identity theft accounted for 39 percent of the total number 
of consumer complaints, topping the list of consumer frauds reported by 
the Federal Trade Commission by an overwhelming margin.\2\
---------------------------------------------------------------------------
    \2\ ``National and State Trends in Fraud & Identity Theft, January-
December 2004,'' Federal Trade Commission, February 1, 2005.
---------------------------------------------------------------------------
    Congress enacted the FACT Act, in part, to respond to the growing 
crime of identity theft. It directs Federal regulators to develop 
guidance to identify and prevent identity theft. The Federal agencies 
have proposed and adopted several regulations and provided guidance to 
deter identity theft. We anticipate that additional guidance will be 
forthcoming to educate consumers and the financial industry as to how 
to reduce the incidence of identity theft.
Breach of Security Notices
    As a result of growing concerns with the possibility of identity 
theft resulting from security breaches of information systems, 20 
States have enacted legislation requiring companies to notify consumers 
in the event their sensitive personal information is affected by a 
security breach of their information systems. Additional States are 
considering legislation as well. These statutes typically require 
disclosure of a breach of security of the computer system to the person 
whose unencrypted sensitive information was or is reasonably believed 
to have been compromised. Generally, notice is not required if after 
reasonable investigation it is determined that there is no reasonable 
likelihood of harm to customers.
    Some States have adopted requirements that differ in certain key 
respects. The need to track these differences and factor them into a 
notification program will inevitably make it more difficult for 
institutions to send notices to consumers promptly. The complexity 
resulting from differing State requirements will likely mean that 
consumers may experience delays in receiving timely notices. Moreover, 
State laws may also result in overlapping enforcement mechanisms, which 
increases the likelihood of uneven enforcement policies from State to 
State.
Federal Banking Agency Guidance
    In March 2005, the Federal banking agencies amended their 
interagency guidance on information security safeguards to require 
banking organizations to adopt response programs in the event of 
unauthorized access to customer information.\3\ Under the agency 
guidance, depository institutions are required to develop and implement 
risk-based response programs to address incidents of unauthorized 
access to customer information in customer information systems. The 
guidance requires that if, after conducting a reasonable investigation, 
a depository institution determines that misuse of sensitive customer 
information has occurred or is reasonably possible, it should notify 
the customer as soon as possible. Customer notice may be delayed if law 
enforcement authorities request a delay so as not to interfere with 
their criminal investigation.
---------------------------------------------------------------------------
    \3\ 70 Fed. Reg. 15736 (March 29, 2005).
---------------------------------------------------------------------------
    The notification requirement focuses on sensitive customer 
information because this type of information is most likely to be 
misused by identity thieves. Sensitive customer information is regarded 
as the customer's name, address or telephone number in conjunction with 
a Social Security number, driver's license number, credit or debit card 
account number, or password or PIN that would allow someone to access 
the customer's account.
Possible Federal Legislation
Uniform Nationwide Protections
    ACLI supports Federal legislation that provides uniform national 
standards for notification to individuals whose personal information 
has been subject to a security breach. ACLI member companies believe it 
critical that the substantive requirements of Federal security breach 
notification legislation preempt State or local laws or regulations 
addressing any aspect of this subject matter.
    When a security breach occurs, it is important that the institution 
that maintained the sensitive information move quickly to investigate 
the nature of the breach, determine the likelihood that information may 
have been misused and notify customers. The proliferation of State laws 
that impose similar but varying requirements could result in a delay in 
notifying consumers while separate notices are developed for consumers 
who are located in States with nonuniform standards. Varying State 
requirements, therefore, could have an adverse effect on consumers and 
increase the likelihood that consumers will be victimized by identity 
thieves. Accordingly, ACLI urges Congress to establish uniform 
preemptive guidelines that will apply nationwide. Such an approach will 
be beneficial to consumers because it will ensure that consumers 
receive the same information in a timely fashion regardless of where 
they reside.
Sensitive Consumer Information
    ACLI believes that the Federal banking agencies and the States are 
correct in focusing attention on notice to consumers in connection with 
breaches of security of unencrypted or unsecured sensitive consumer 
information, such as a person's name and address when combined with 
such information as account number or Social Security number. While 
databases may contain other personal information about their customers, 
much of the information is of little or no value to identity thieves. 
Accordingly, ACLI recommends that security breach legislation apply 
only to sensitive consumer information obtained by an unauthorized 
person if the information is not encrypted or secured by a method that 
renders the information unreadable or unusable.
    ACLI also believes that it is important that Federal security 
breach notification legislation apply to all businesses that maintain 
sensitive consumer information. Consumers should be protected 
regardless of the nature of the business that maintains their sensitive 
information.
Likelihood of Harm
    ACLI member companies support legislation that avoids needlessly 
alarming consumers and undermining the significance of notification of 
a security breach by 
requiring notification only when the security and confidentiality of 
personal information is truly at risk. If the primary purpose of 
security breach legislation is to alert consumers to the possibility 
that their sensitive personal information may be subject to identity 
theft, it makes good sense to require companies to inform consumers 
only when there is a significant likelihood of identity theft. If there 
is little chance of identity theft or substantial harm, why needlessly 
alarm consumers when personal information is not at risk?
Enforcement and Rulemaking
    It is also very important that there be uniform enforcement of 
notification standards. For this reason, ACLI strongly supports 
enforcement of insurers' compliance with security breach legislation 
exclusively by the Department of the Treasury. The Treasury Department 
has extensive experience with the insurance industry in connection with 
the implementation and enforcement of laws such as the USA PATRIOT Act, 
the Terrorism Risk Insurance Act and the Bank Secrecy Act, as well as 
regulations promulgated by the Office of Foreign Assets Control. As a 
result of this experience, ACLI believes 
that the Treasury is well positioned to implement and enforce the 
insurance industry's compliance with security breach notification 
legislation.
    In the event it is not possible to provide for enforcement 
jurisdiction by the Treasury Department, ACLI recommends adoption of 
the enforcement structure set out in the GLB Act. Under this approach, 
an insurer's compliance with Federal breach of security notification 
legislation would be enforced exclusively by the insurance authority of 
the insurer's State of domicile. If this approach is used, ACLI also 
requests that the legislation state that it is the intent of the 
Congress that State insurance authorities enforce the legislation in a 
uniform manner.
    If Federal security breach notification legislation provides for 
promulgation of implementing regulations, ACLI believes that the 
legislation should provide for the promulgation of uniform standards 
jointly by the relevant Federal agencies. Such an approach ensures that 
guidance will be applied uniformly across all industries and that the 
special needs of each sector of the economy will be taken into account 
and carefully considered. Adoption of joint standards has the added 
benefit of avoiding potential confusion among consumers because it 
provides certainty as to what consumers can expect to receive from 
companies that possess their sensitive information.
Conclusion
    The issues you have before you today are indeed complex. They 
should be carefully studied and considered, as you are doing. ACLI 
anticipates that legislation you adopt will provide meaningful 
protection to consumers who might otherwise become victims of identity 
theft.
    Thank you for your attention.

                               ----------

                PREPARED STATEMENT OF OLIVER I. IRELAND
                    Partner, Morrison & Foerster LLP
                            On Behalf of the
                      American Bankers Association
                           September 22, 2005

    Mr. Chairman and Members of the Committee, my name is Oliver 
Ireland. I am a Partner in the law firm of Morrison & Foerster LLP, 
practicing in the firm's Washington, DC office. I am here today on 
behalf of the American Bankers Association (ABA) to address the role of 
banking institutions in protecting consumers from identity theft and 
account fraud.
    ABA, on behalf of the more than two million men and women who work 
in the nation's banks, brings together all categories of banking 
institutions to best represent the interests of this rapidly changing 
industry. Its membership--which includes community, regional, and money 
center banks and holding companies, as well as savings associations, 
trust companies, and savings banks--makes ABA the largest banking trade 
association in the country.
    In general terms, identity theft occurs when a criminal uses 
personal identifying information relating to another person (generally, 
a name, address, and Social Security number (SSN)) to open a new 
account in that person's name. Identity theft can range from using a 
person's personal identifying information to obtain a cell phone, lease 
an apartment, open a credit card account, or obtain a mortgage loan or 
even a driver's license. In addition, in some cases, information 
relating to consumer accounts can be used to initiate unauthorized 
charges to those accounts.
    The issue of identity theft and account fraud, and related concerns 
about data security, are of paramount importance to banking 
institutions and the customers that we serve. Identity theft and 
account fraud can harm consumers and banking institutions, and 
challenge law enforcement. A major priority of the banking industry is 
stopping identity theft and account fraud before it occurs, and 
resolving those unfortunate cases that do occur. Both consumers and 
banking institutions benefit from a financial system that protects 
sensitive information relating to consumers, while remaining efficient, 
reliable, and convenient.
    In my statement, I would like to emphasize three key points:
Banking Institutions Are Already Regulated
    Unlike many other industries that maintain or process consumer 
information, banking institutions and their customer information 
security programs are subject to regulatory requirements and regular 
examinations. Banking institutions have a vested interest in protecting 
sensitive information relating to their customers, and work 
aggressively to do so.
Uniform Approach Will Promote Information Security
    The security of sensitive consumer information will be promoted 
most effectively by a uniform national standard.
Security Breach Notification Requirements Should be Risk-Based
    Any requirements should focus on situations that create a 
substantial risk of identity theft. Over-notification of consumers 
about breaches of information security will desensitize consumers and 
may lead consumers to ignore the very notices that explain the action 
they need to take to protect themselves from identity theft.
Banking Institutions Are Already Regulated
    Among those that handle and process sensitive consumer information, 
banking institutions are among the most highly regulated and closely 
supervised. Title V of the Gramm-Leach-Bliley Act (GLB Act), and 
associated rulemakings and guidance, require bank institutions not only 
to limit the disclosure of customer information, but also to protect 
that information from unauthorized accesses or uses and to notify 
customers when there is a breach of security with respect to sensitive 
information relating to those customers.
    Banking institutions have a strong interest in protecting customer 
information. Banking institutions that fail to earn and to maintain the 
trust of their customers will lose those customers. In the competitive 
market for financial services, consumers tend to hold their banking 
institution accountable for any problems that they experience with 
their accounts or information, regardless of the actual source of the 
problem. For example, if fraud is committed on a bank account as a 
result of a breach of security at a data processor working for a 
retailer--an entity that the bank does not control--the customer is 
likely to first seek a solution through his or her bank. Therefore, 
information security is critical in order for banking institutions to 
maintain customer relations.
    Because banking institutions do not impose the losses for 
fraudulent accounts on consumers and because banking institutions do 
not impose the losses associated with fraudulent transactions made on 
existing accounts on their customers, banking institutions incur 
significant costs from identity theft and account fraud. These costs 
are in the form of direct dollar losses from credit that will not be 
repaid, and also can be in the form of indirect costs, including 
reputational harm. In addition, when a breach of information security 
occurs at a banking institution, the banking institution typically 
incurs other costs in responding to that breach. Accordingly, banking 
institutions aggressively protect sensitive information relating to 
their customers.
Existing Security Guidance
    Earlier this year, the Federal banking agencies revised their 
guidance, originally issued in 2001 under Section 501(b) of the GLB 
Act, concerning the security of customer information. The revised 
guidance requires banking institutions to notify their customers of 
breaches of the security of sensitive information relating to those 
customers. We support the agencies' action and recommend their general 
approach as a model for going forward.
    Already in force, the guidance requires banking institutions to 
establish and maintain comprehensive information security programs to 
identify and assess the risks to customer information and then to 
address these potential risks by adopting appropriate security 
measures. The guidance requires that each banking institution's program 
for information security must be risk-based. Each banking institution 
must tailor its information security program to the specific 
characteristics of its business, customer information, and customer 
information systems, and must continuously assess the threats to its 
customer information and customer information systems. As those threats 
change, a banking institution must appropriately adjust or upgrade its 
security measures to respond to those threats.
    A banking institution must consider access controls on its customer 
information systems, background checks for employees with 
responsibilities for access to customer information systems, and a 
response program in the event of unauthorized access to customer 
information. Not only do these requirements apply to customer 
information while in the banking institution's customer information 
systems, but the guidance also requires that a banking institution's 
contracts with its service providers must require those service 
providers to implement appropriate measures to protect against 
unauthorized access to or use of customer information.
    A banking institution also must implement a risk-based response 
program to address instances of unauthorized access to customer 
information. A risk-based response program must include plans to:

  * Assess the nature and scope of an incident of unauthorized 
    access to customer information, and identify what customer 
    information systems and the types of customer information that have 
    been accessed or misused;
  * Notify the banking institution's primary Federal regulator 
    ``as soon as possible'' about any threats ``to sensitive customer 
    information;''
  * Consistent with Suspicious Activity Report (SAR) regulations, 
    notify appropriate law enforcement authorities and file SAR's in 
    situations involving Federal criminal violations requiring 
    immediate attention; and
  * Take appropriate steps to contain the incident to prevent 
    further unauthorized access to or use of customer information. This 
    could include, for example, monitoring, freezing, or closing 
    accounts, while preserving records and other evidence.
Existing Notification Requirements
    A critical component of the guidance is customer notification. The 
guidance dictates that when a banking institution becomes aware of a 
breach of ``sensitive 
customer information,'' it must conduct a reasonable investigation to 
determine whether the information has been or will be misused. If the 
banking institution determines that misuse of the information ``has 
occurred or is reasonably possible,'' it must notify, as soon as 
possible, those customers to whom the information relates. Customer 
notification may be delayed if law enforcement determines that 
notification will interfere with an investigation and provides a 
written request for a delay. The banking institution need only notify 
customers affected by the breach where it is able to identify those 
affected. If it cannot identify those affected, it should notify all 
customers in the group if it determines that misuse of the information 
is reasonably possible.
    The customer notification standards established by the guidance 
combine tough security measures with practical steps designed to help 
consumers. These standards assure a timely, coordinated response that 
enables consumers to take steps to protect themselves, in addition to 
knowing the steps that their banking institution has taken to address 
the incident. The guidance permits banking institutions to focus their 
resources in a result-oriented way, without requiring unnecessary and 
possibly misleading customer notifications.
    The customer notices required under these standards must be clear 
and conspicuous. The notices must describe the incident in general and 
the type of customer information affected. In addition, the notices 
must generally describe the banking institution's actions to protect 
the information from further unauthorized access and include a 
telephone number by which the customers can contact the institution 
concerning the incident. The notices should remind customers to remain 
vigilant over the following 12 to 24 months and to promptly report 
incidents of suspected identity theft to the institution. Where 
appropriate, the notices also should include:

  * Recommendations that the customer review account statements 
    immediately and report any suspicious activity;
  * A description of fraud alerts available under the Fair Credit 
    Reporting Act (FCRA), and how to place them;
  * Recommendations that the customer periodically obtain credit 
    reports and have incorrect information removed from those reports;
  * Explanations of how to obtain a free credit report; and
  * Further information about the agencies' guidance.
Risk-Based Standard
    The agencies' approach encourages banking institutions to work on 
an ongoing basis with their regulators and customers, while requiring 
the institutions to take concrete and well-defined steps to address a 
suspected security breach. Immediately upon the discovery of a breach 
of any size or scope, banking institutions are required to communicate 
the problem to their primary regulator and to begin devising a strategy 
to best deal with the problem. This fosters close cooperation between 
banking institutions and their regulators in order to keep the focus 
where it belongs: protecting consumers.
    Although serious, a data security breach does not automatically, 
nor necessarily, result in identity theft or account fraud. Customer 
data is stored and transmitted in a variety of unique media forms that 
require highly specialized and often proprietary technology to read, 
and may be subject to sophisticated encryption. Even if customer data 
finds itself in the wrong hands, it is often not in a readable or 
useable form. Banking institutions and their regulators need to retain 
the ability to react to each situation using a risk-based approach, 
which takes into account the ability to use the information to harm 
consumers through identity theft or account fraud.
Uniform Approach Will Promote Information Security
    In order to provide meaningful and consistent protection for all 
consumers, all entities that handle sensitive consumer information--not 
just banking institutions--should be subject to similar information 
security standards. For example, retailers, data brokers, and even 
employers collect sensitive consumer information, but many of these 
entities are not subject to data security and/or security breach 
notification requirements. These entities, including data brokers, such 
as ChoicePoint, universities, hospitals, private businesses, and even 
the Federal Deposit Insurance Corporation, have been the victims of 
security breaches. The information security breaches that have occurred 
at banking institutions over the past year represent only a small 
percentage of the breaches that have been reported. However, any entity 
that maintains sensitive consumer information should protect that 
information and should provide notice to consumers when a security 
breach has occurred with respect to that information and the affected 
consumers can take steps to protect themselves.
    It is not necessary to design a completely new system to address 
this issue. The regulations that already apply to banking institutions 
offer policymakers both a model and a measure of experience to aid in 
establishing umbrella consumer protections that span all industries 
that maintain sensitive consumer information. In 
considering the extension of bank-like regulation to unregulated 
industries that maintain sensitive consumer information, we believe 
that Congress should focus on a uniform approach that is designed to 
protect consumers from actual harm.
Uniformity Benefits Consumers
    National uniformity is critical to preserving a fully functioning 
and efficient 
national marketplace. A score of State legislatures have already passed 
new data security or privacy bills that will take effect in 2006. While 
these laws have many similarities, they also have many differences. 
Millions of businesses--retailers, insurers, banks, employers, 
landlords, and others--use consumer information to make important 
everyday decisions on the eligibility of consumers for credit, 
insurance, employment, or other needs. State laws that are inconsistent 
result in both higher costs and uneven consumer protection. In some 
cases, a single State that adopts a unique requirement or omits a key 
provision can effectively nullify the policies of the other States.
Security Breach Notification Requirements Should be Risk-Based
    While it is important to protect all sensitive consumer information 
from unauthorized use, it is most critical to protect consumers from 
identity theft and account fraud. In order to avoid immunizing 
consumers to notices that information about them may have been 
compromised, security breach notification requirements, like the 
Federal banking agencies' guidance, should be limited to those cases 
where the consumer needs to act to protect himself or herself from 
substantial harm. Security breach notification requirements should be 
tailored to those circumstances and, within these circumstances, to the 
type of threat presented.
    For example, a breach involving consumers' names and SSN's may 
expose them to the risk of identity theft, while a breach involving 
account information may pose no risk or cost to the consumer or may 
require the consumer to follow established procedures to reverse 
erroneous changes to their accounts. In each case, the need for 
notification and the form of notification will differ. Any Federal 
legislative requirement must recognize and accommodate these 
differences.
Other Issues
    While we believe that Federal legislation should focus on the 
security of sensitive consumer information and notification where a 
breach of that security threatens substantial harm to consumers, we 
recognize that in connection with this debate other issues, including 
the ability of consumers to place ``security freezes'' on their credit 
reports and the regulation of the display or sale of SSN's, have been 
raised. With respect to security freezes, we believe that the FCRA 
fraud alert system adopted in the Fair and Accurate Credit Transactions 
Act of 2003 appropriately alerts creditors to the potential for 
identity theft on particular accounts. It would be premature to discard 
this system in favor of a system of security freezes that could 
significantly disrupt the credit granting process by preventing 
consumers from obtaining credit without going through time-consuming 
procedures to lift security freezes.
    With respect to potential limitations on the display or sale of 
SSN's, it is important to avoid unintended consequences. For example, 
disrupting the many transactions that rely on these numbers, including 
the identification of bank customers for purposes of Section 326 of the 
USA PATRIOT Act, could harm consumers and national interests.
    Finally, it is important to remember that regulatory compliance 
costs fall disproportionately on community banks. Any legislative 
solution to data security must consider these and other costs that 
would be imposed on community banks and their customers.
Conclusion
    Bank institutions are proud of their record in protecting sensitive 
information relating to their customers, and will continue to work with 
the Committee and banking regulators to ensure consumers receive the 
highest level of protection possible.
    Thank you. I will be happy to answer any questions that you may 
have.
       RESPONSE TO WRITTEN QUESTIONS OF SENATOR BUNNING 
                     FROM IRA D. HAMMERMAN

Q.1. Do you have an opinion on what kind of notice should be 
sent out?

A.1. A notification requirement should be flexible, allowing 
financial institutions to deliver the notice in any manner 
designed to ensure that a customer can be reasonably expected 
to receive it, such as via website, regular mail, e-mail, or 
even oral notification depending upon the circumstances. In 
addition, firms need to have flexibility in the content of the 
notice so that the communications may be geared to the business 
and the particular situation.

Q.2. What do you consider harm? If account numbers are 
compromised, is that considered harm? If a Social Security 
number is compromised?

A.2. Before a financial institution is required to notify 
customers of a security breach of sensitive information, the 
firm must make a determination, after reasonable investigation, 
that there is a significant risk of identity theft or fraud. 
Notification for every incident, without regard to the risk of 
identity theft or fraud, would only overwhelm customers with 
notices, and only serve to needlessly frighten and confuse 
people.
    A brokerage account number by itself--without other 
information--would likely have little value. A financial 
institution would need to assess the facts and circumstances of 
the entire incident to determine the risk to the customer. 
Monitoring account activity and/or merely changing an account 
number might limit the risk so that there is no need to notify 
the customer. Changing account numbers should not be deemed to 
cause substantial inconvenience.
    SIA believes that the scope of the type of information that 
underpins any notification obligation should be carefully 
defined so that the obligation to notify only arises when the 
sensitive personal information acquired in the breach can 
likely be used to perpetrate the crime of identity theft or 
fraud upon a consumer. For instance, in the absence of a key, 
encrypted information is useless to others who acquire it and 
should be excluded from the definition of sensitive personal 
information. Consumers would benefit more from a specific 
definition of covered personal information which includes 
combinations of identifying data, as opposed to a broad 
definition that includes any single piece of information which 
could not alone be used to steal a consumer's identity.

Q.3. If the Committee put forward a data breach bill, what 
would you suggest be covered?

A.3. All businesses, not just financial institutions, should be 
required to protect the information that consumers provide to 
them, and provide notification of a data breach where there is 
significant risk of identity theft or fraud. Given that 
securities firms and other financial institutions are already 
covered by the Gramm-Leach-Bliley Act (GLB), any legislation 
addressing data breach should provide that the functional 
regulators of financial institutions subject to GLB have the 
exclusive authority to develop and enforce appropriate 
regulations. Moreover, legislation that extends beyond data 
breach, possibly into unrelated areas of privacy, would lessen 
the chances for a prompt and appropriate Congressional 
response.

Q.4. Do any of you believe Social Security numbers should be 
truncated? Do you think their use should be limited? What 
protections do you suggest for use of the Social Security 
number?

A.4. SIA believes that in light of the restrictions on 
financial institutions' use and transfer of Social Security 
numbers under GLB, further restrictions on financial 
institutions are unnecessary. The GLB and its implementing 
regulations treat a financial institution's consumer's Social 
Security number as protected ``nonpublic personal 
information.'' Therefore, each financial institution customer 
has the right to block a financial institution from selling or, 
subject to exceptions, transferring his or her Social Security 
number to a nonaffiliated third party or the general public. In 
short, a financial institution customer is fully protected with 
respect to a financial institution's transfer of Social 
Security numbers, yet legitimate and important uses of these 
numbers remain permissible.

       RESPONSE TO WRITTEN QUESTIONS OF SENATOR BUNNING 
                    FROM GILBERT T. SCHWARTZ

Q.1. Do you have an opinion on what kind of notice should be 
sent out?

A.1. Notices should be sent to consumers only when the security 
and confidentiality of personal information is at risk and 
where the breach is likely to lead to substantial financial 
loss or material inconvenience to consumers. Companies should 
be permitted to send notices by mail, e-mail, or other means 
that ensure that notice will be received by affected 
consumers. If the security breach affects a significant number 
of consumers, we believe that companies should be permitted to 
provide notice via notice to media in the area in which the 
affected consumers are located and by posting an appropriate 
notice on the companies' websites.

Q.2. What do you consider harm? If account numbers are 
compromised, is that considered harm? If a Social Security 
number is compromised?

A.2. If a security breach is unlikely to result in harm to 
consumers, there is no need for consumers to take any action to 
protect themselves. Consumers should not be needlessly alarmed 
nor should companies be needlessly subjected to the 
considerable expense associated with providing notifications to 
consumers when the security and confidentiality of personal 
information is not at risk or when the breach is not likely to 
lead to substantial financial loss or material inconvenience to 
consumers. Accordingly, the compromise of account numbers or 
Social Security numbers should be considered harm only if it is 
likely to lead to substantial financial loss or material 
inconvenience to consumers.

Q.3. If the Committee put forward a data breach bill, who would 
you suggest be covered?

A.3. Federal data security breach legislation should cover any 
entity that maintains sensitive personal information about 
individuals.

Q.4. Do any of you believe Social Security numbers should be 
truncated?

A.4. It is of utmost importance to the insurance industry that 
information companies obtain about applicants, policyholders, 
insureds, and beneficiaries be associated with the correct 
individuals. A person's Social Security number is a unique 
identifier and is one of the most reliable means of assuring 
that the information insurers receive relates to the correct 
person. We are concerned that truncation of Social Security 
numbers could jeopardize insurers' ability to ensure that 
accurate and reliable information is obtained about the correct 
individual.

Q.5. Do you think their use should be limited?

A.5. It is critically important that insurers continue to have 
access to Social Security numbers to ensure the accuracy of 
information received about applicants, insureds, and 
policyholders and beneficiaries and to perform insurance 
business functions. In view of the significant role Social 
Security numbers play in processing and managing information 
needed by insurers in their normal operations, we believe that 
it is important to preserve the ability of insurers to serve 
existing and prospective customers. Accordingly, we believe 
that no limitations should be placed on the ability of insurers 
to use Social Security numbers.

Q.6. What protections do you suggest for use of the Social 
Security number?

A.6. We believe that Social Security numbers should be subject 
to administrative, technical, and physical safeguards to 
protect the confidentiality and integrity of Social Security 
numbers in the possession of any business entity.

       RESPONSE TO WRITTEN QUESTIONS OF SENATOR BUNNING 
                     FROM OLIVER I. IRELAND

Q.1. Do you have an opinion on what kind of notice should be 
sent out?

A.1. As stated in our written testimony, the ABA believes that 
notice of a security breach should only be required where 
consumers need to act to protect themselves from substantial 
harm resulting from the breach. More specifically, notice 
should only be required where it is reasonably likely that 
information involved in a security breach will be misused in a 
manner causing substantial harm, such as identity theft or 
account fraud, to the consumers. The type of notice that should 
be provided should depend on the type of sensitive information 
involved in the breach and the risks surrounding misuse of that 
information.
    Consumers face different risks depending on what type of 
sensitive information is involved in a security breach. For 
example, if a breach involves only a consumer's name and 
address in combination with the consumer's Social Security 
number (SSN) or taxpayer identification number (collectively, 
sensitive personal information), the consumer may face a risk 
of identity theft because the thief may be able to use that 
information to open fraudulent accounts in the consumer's name. 
However, the consumer would not face a risk of account fraud 
because this information is not sufficient to access specific 
accounts. Conversely, if a breach involves only a consumer's 
name and financial account number in combination with any 
password or code that is required to access the account 
(sensitive account information), the consumer would not face a 
risk of identity theft because this information alone cannot be 
used to open fraudulent accounts. However, the fraudster may be 
able to use that information to commit account fraud on 
existing accounts.
    The appropriate response by consumers to a security breach 
also depends on the type of sensitive information involved in 
the breach and the risks surrounding the misuse of that 
information. For example, if a breach involves sensitive 
personal information, a consumer can take several steps to 
prevent or mitigate the effects of identity theft resulting 
from the breach. The consumer can place an initial fraud alert 
on his or her credit file at a consumer reporting agency (CRA) 
in order to alert creditors that an identity thief may attempt 
to open a fraudulent account in the consumer's name and also to 
trigger creditors' duties to verify an applicant's identity and 
confirm that the application is not the result of identity 
theft. The consumer also may wish to monitor his or her credit 
report to determine whether any fraudulent accounts have been 
opened in his or her name. However, the consumer would not need 
to monitor or close his or her existing financial accounts 
because there is not a risk of account fraud.
    If a security breach involves sensitive account 
information, a consumer will not be at a risk of identity theft 
and should not expend time and valuable resources to address a 
risk that does not exist. Sensitive account information 
generally will not enable an identity thief to open fraudulent 
accounts. Instead, the consumer should monitor the account to 
which the information relates, and promptly report any 
fraudulent transactions made on that account. Federal law, 
including the Truth in Lending Act and the Electronic Fund 
Transfer Act, and State law, in the form of the Uniform 
Commercial Code, provide strong remedies for consumers to address 
account fraud. In most instances when a consumer reports a 
fraudulent transaction to a banking institution, the 
institution will promptly credit the consumer's account for the 
transaction, often requiring only a phone call by the consumer.
    Because consumers face different risks when a security 
breach involves different types of sensitive information, and 
because the appropriate response to these risks differs, 
consumers should receive different notices that take into 
account these different risks and responses. For example, if a 
security breach involves sensitive personal information, the 
notice to consumers should include: (1) a brief description of 
the breach, including the type of sensitive personal 
information involved in the breach; (2) the Federal Trade 
Commission contact information to obtain model forms and 
procedures for consumers who may be at risk of identity theft; 
and (3) the nationwide CRAs' contact information for obtaining 
credit reports and filing fraud alerts. If a security breach 
involves sensitive account information, the notice to consumers 
should include: (1) a brief description of the breach, 
including the type of sensitive account information involved in 
the breach; and (2) a recommendation that they review account 
statements and report suspicious activity or transactions to 
the account-holding institution.

Q.2. What do you consider harm? If account numbers are 
compromised, is that considered harm? If a Social Security 
number is compromised?

A.2. It is appropriate to focus security breach notification 
requirements on those breaches in which consumers face a risk 
of substantial harm from identity theft or account fraud. If 
notice is not limited to those breaches involving a risk of 
substantial harm, consumers will be inundated with notices, and 
likely will 
disregard all security breach notices, including in 
circumstances where they actually need to take steps to protect 
themselves from identity theft or account fraud. In addition, 
the costs of providing notice will increase dramatically.
    Whether or not consumers are at risk of substantial harm 
from identity theft or account fraud as a result of a security 
breach will depend on the facts surrounding that breach. In 
many instances, consumers in fact should not be at risk of 
substantial harm from identity theft or account fraud even 
though a security breach may have involved sensitive personal 
information or sensitive account information. For example, if a 
breach involves sensitive personal information or sensitive 
account information that was encrypted or redacted (or is 
otherwise unusable), consumers should not be at risk of 
substantial harm from identity theft or account fraud because 
the information cannot be used in that form to commit identity 
theft or account fraud. Similarly, if a breach involves 
sensitive account information, such as credit card numbers, but 
the account-holding institution maintains a sophisticated 
neural network or fraud detection program to detect and block 
fraudulent transactions before they occur, consumers are not at 
risk of substantial harm from account fraud. For example, 
credit card issuers often proactively telephone consumers about 
suspected account fraud and provide new accounts if the 
consumers confirm that fraud has occurred. The fraudulent 
transactions never even appear on a statement. In these cases, 
the only ``harm'' suffered by a consumer may be answering a 
brief phone call.

Q.3. If the Committee put forward a data breach bill, who would 
you suggest be covered?

A.3. In order to provide meaningful and consistent protection 
for all consumers, all entities that hold sensitive personal 
information or sensitive account information should be subject 
to similar data security and security breach notification 
requirements with respect to that information. As we noted in 
our testimony, Title V of the Gramm-Leach-Bliley Act (GLBA), 
and associated rulemakings and guidance, require banking 
institutions not only to limit the disclosure of customer 
information, but also to protect that information from 
unauthorized access or use and to notify customers when there 
is a breach of security with respect to sensitive information 
relating to those customers. However, most businesses, 
including retailers and CRA's, are not subject to data security 
and/or security breach notification requirements.

Q.4. Do any of you believe Social Security numbers should be 
truncated?

A.4. In certain instances, requiring the truncation of SSN's, 
or otherwise limiting the use of SSN's, may be appropriate. For 
example, under the Fair Credit Reporting Act, a consumer who 
requests a file disclosure from a CRA also may request that the 
CRA truncate the consumer's SSN in that disclosure. However, in 
everyday transactions, banking institutions and other 
businesses use SSN's as an identifier for important and 
legitimate purposes, including compliance with Federal law. Any 
decision by Congress to limit the use of SSN's or to impose 
restrictions with respect to the use of SSN's, such as 
truncation or encryption requirements, must include exceptions 
that permit the important and legitimate uses of SSN's by 
banking institutions and other businesses, including for the 
prevention of fraud, the facilitation of credit checks, the 
identification of prospective employees, and compliance with 
Federal law.
    The use of the SSN as an identifier in everyday 
transactions has grown dramatically over the years. Generations 
ago, when consumers lived, worked and shopped locally, their 
good name in the community enabled them to obtain credit, 
employment, insurance, and other services. With today's more 
transient population and with the advent of national markets 
due to the Internet and other improvements in communication, 
the vast majority of businesses obtain and use SSN's to 
identify consumers. Today, critical decisions about credit, 
employment, insurance, and other services depend on the 
availability of SSN's.
    SSN's provide a unique number that is issued by the Federal 
Government and can be used to link information to a consumer. 
More than 280 million people live in the United States, and 
tens of thousands of these people share the same name. And, 
many people who share the same name also share other 
identifying information, such as the city and State of 
residence or month and year of birth. Unlike other identifying 
information, such as name, address and marital status, an 
individual's SSN does not change over that individual's life, 
and no other living person shares that number.
    Banking institutions and other businesses, including 
insurance companies, utility companies, and cell phone 
providers, use SSN's to obtain credit reports and credit scores 
and to obtain public record information about individuals. The 
nationwide CRA's maintain credit files on nearly 200 million 
individuals. These files are linked to SSN's. If businesses 
cannot obtain SSN's and provide these numbers to CRA's when 
requesting credit reports and credit scores, it would be 
difficult if not impossible to ensure that the credit report or 
credit score they receive relates to the appropriate consumer. 
This process of identifying and approving consumers would be 
slower and far less accurate without SSN's. Any delays in 
approving credit would be particularly hard on retail stores 
that offer ``instant credit'' to their customers. Similarly, 
public records serve as an important source of information 
about individuals. SSN's are necessary to ensure that public 
record information is matched to the appropriate individuals.
    If banking institutions cannot obtain and use SSN's to 
verify the identity of consumers, fraud, including identity 
theft, could increase substantially. Banking institutions use 
identification services based on SSN's to properly identify 
consumers and to prevent identity theft and other fraud. In 
addition, if SSN's cannot be obtained, banking institutions 
will not be able to comply with Federal laws designed to 
prevent money laundering and terrorist financing. For example, 
the regulations implementing Section 326 of the USA PATRIOT Act 
require every bank, as part of its customer identification 
program, to collect taxpayer identification numbers, typically 
SSN's, and to verify the identities of individuals seeking to 
open new accounts.
    The ability of businesses to screen applicants for 
employment also would be impaired by limiting the use or 
availability of SSN's. Many businesses obtain SSN's from job 
applicants in order to obtain credit reports or to conduct 
background checks. For example, businesses ranging from banking 
institutions to nursing homes, day care facilities, and 
security companies obtain and use SSN's in order to determine 
job applicants' histories, including whether they have criminal 
records. And, for tax purposes, all employers are required to 
obtain and enter on every W-2 form each employee's name and 
SSN.
    Although it may be possible to develop a secure and 
dependable replacement for SSN's, any such system would require 
years, if not decades, to implement, could substantially 
increase personal verification and transaction costs and, 
ultimately, likely would be just as susceptible to fraud as 
SSN's. In the meantime, any decision to limit the use or 
availability of SSN's must include exceptions that permit the 
important and legitimate uses of SSN's by banking institutions 
and other businesses, including for the prevention of fraud, 
the facilitation of credit checks, the identification of 
prospective employees, and compliance with Federal law.
    Although arguably the ``truncation'' of SSN's could have a 
lesser impact than an outright limitation on the use or 
disclosure of SSN's, any truncation of SSN's would impair the 
current legitimate business uses of SSN's. For example, only 
allowing use of the last four digits of an SSN could result in 
a significant number of errors in identifying individuals.

Q.5. Do you think their use should be limited?

A.5. See response to question 4.

Q.6. What protections do you suggest for use of the Social 
Security number?

A.6. Any entity or person that maintains or possesses an SSN 
relating to a consumer should be required to protect the 
security and confidentiality of that number and also to notify 
the consumer if the security of that number is breached and the 
consumer is at risk of substantial harm from identity theft.
