[Senate Hearing 109-1087]
[From the U.S. Government Publishing Office]
S. Hrg. 109-1087
IDENTITY THEFT AND DATA BROKER SERVICES
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
MAY 10, 2005
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
----------
U.S. GOVERNMENT PRINTING OFFICE
61-787 PDF WASHINGTON : 2010
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
(202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP,
Washington, DC 20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
TED STEVENS, Alaska, Chairman
JOHN McCAIN, Arizona
CONRAD BURNS, Montana
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
OLYMPIA J. SNOWE, Maine
GORDON H. SMITH, Oregon
JOHN ENSIGN, Nevada
GEORGE ALLEN, Virginia
JOHN E. SUNUNU, New Hampshire
JIM DeMINT, South Carolina
DAVID VITTER, Louisiana
DANIEL K. INOUYE, Hawaii, Co-Chairman
JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
BYRON L. DORGAN, North Dakota
BARBARA BOXER, California
BILL NELSON, Florida
MARIA CANTWELL, Washington
FRANK R. LAUTENBERG, New Jersey
E. BENJAMIN NELSON, Nebraska
MARK PRYOR, Arkansas
Lisa J. Sutherland, Republican Staff Director
Christine Drager Kurth, Republican Deputy Staff Director
David Russell, Republican Chief Counsel
Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Samuel E. Whitehorn, Democratic Deputy Staff Director and General Counsel
Lila Harper Helms, Democratic Policy Director
CONTENTS
----------
Page
Hearing held on May 10, 2005..................................... 1
Statement of Senator Dorgan...................................... 25
Statement of Senator Inouye...................................... 1
Prepared statement........................................... 2
Statement of Senator Kerry....................................... 38
Statement of Senator Lautenberg.................................. 3
Prepared statement........................................... 3
Statement of Senator Bill Nelson................................. 2
Statement of Senator Pryor....................................... 27
Statement of Senator Smith....................................... 5
Chart, 2005 Data Security Incidents.......................... 32
Prepared statement of Senator McCain......................... 32
Statement of Senator Stevens..................................... 1
Statement of Senator Vitter...................................... 6
Witnesses
Barrett, Jennifer T., Chief Privacy Officer, Acxiom Corporation.. 46
Prepared statement........................................... 48
Curling, Douglas C., President/Chief Operating Officer,
ChoicePoint Inc............................................... 12
Prepared statement........................................... 15
Frank, Esq., Mari J., Attorney, Mari J. Frank, Esq. & Associates. 68
Prepared statement........................................... 73
Kurtz, Paul B., Executive Director, Cyber Security Industry
Alliance (CSIA)................................................ 53
Prepared statement........................................... 55
Rotenberg, Marc, President/Executive Director, Electronic Privacy
Information Center (EPIC)...................................... 58
Prepared statement........................................... 60
Sanford, Kurt P., President/CEO, U.S. Corporate and Federal
Government Markets, LexisNexis................................. 6
Prepared statement........................................... 8
Appendix
Dempsey, James X., Executive Director, Center for Democracy &
Technology, statement before the Senate Committee on the
Judiciary, April 13, 2005...................................... 107
Hillebrand, Gail, Senior Attorney, Consumers Union, prepared
statement...................................................... 99
Ireland, Oliver I., Attorney, Morrison & Foerster LLP; on behalf
of Visa U.S.A. Inc., statement before the Subcommittee on
Commerce, Trade, and Consumer Protection of the Committee on
Energy and Commerce, United States House of Representatives,
May 11, 2005................................................... 114
Response to written questions submitted by Hon. Daniel K. Inouye to:
Paul B. Kurtz.................................................. 116
Response to written questions submitted by Hon. Bill Nelson to:
Jennifer T. Barrett.......................................... 118
Kurt P. Sanford.............................................. 121
IDENTITY THEFT AND DATA BROKER SERVICES
----------
TUESDAY, MAY 10, 2005
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 2:30 p.m. in room
SR-253, Russell Senate Office Building, Hon. Ted Stevens,
Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. TED STEVENS,
U.S. SENATOR FROM ALASKA
The Chairman. Mr. Sanford, Mr. Curling, let me welcome you,
gentlemen. And I thank the witnesses for coming, and appreciate
their willingness to appear to discuss the recent data breaches
that left exposed the personal information of thousands of
consumers. Over the recess, my staff attempted to steal my
identity, and I regret to say they were successful. So, they
demonstrated to me, when I came back from this recess, just how
easy it really is to steal an identity.
This is the first of several hearings that our committee is
going to conduct to have a better understanding of data
brokerage services, as well as how data brokers handle personal
consumer information.
This hearing is intended to discuss the recent data
breaches and what the private industry is doing to mitigate the
possibility of future breaches. The Committee will revisit this
issue next month as we look to develop legislative solutions
that might better protect consumers from future breaches.
We believe we must be careful to strike a balance between
assuring the security of certain types of personal information,
while not inhibiting the legitimate flow of information that is
vital to our economy.
Now, it's my intention to turn the chair over to Senator
Smith when he arrives, Senator. I've got a conflict today. But
let me yield to my Co-Chairman, Senator Inouye.
STATEMENT OF HON. DANIEL K. INOUYE,
U.S. SENATOR FROM HAWAII
Senator Inouye. I thank you very much, Mr. Chairman.
I agree with your words. And I'd like to point out that,
since January, there have been at least 32 major data security
incidents potentially affecting 5.2 million Americans. These
incidents only came to light because of a California law that
requires disclosure of data security breaches. No one knows how
many undisclosed breaches may have occurred prior to the
implementation of the California law. And equally disturbing is
the possibility that the full impact of these breaches may
never be known, and millions of Americans remain unaware of
their vulnerability to identity theft.
So, I look forward to hearing from the witnesses, and I
thank them for appearing. And I ask that my full statement be
made part of the record.
The Chairman. Your statement will be made part of the
record, and all the statements that the Senators have.
[The prepared statement of Senator Inouye follows:]
Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii
I thank Chairman Stevens and Chairman Smith for holding a hearing
today on this important issue of data brokers.
Since January, there have been at least 32 major data security
incidents potentially affecting 5.2 million Americans. And those are
just the data breaches we know about due to the disclosure law in the
State of California. There are many more that have not been made
public.
The identity theft that results from these data breaches can wreak
havoc on the lives of consumers--wealthy and poor--for many years.
Recognizing the risks of computerizing personal data, Congress, in
1970, passed the Fair Credit Reporting Act. The FCRA requires credit
reporting agencies to protect consumer information, and use it only for
limited purposes. These agencies also are responsible for vetting their
customers.
Data brokers are now collecting different sensitive, personal
information, yet their operations are not governed by any Federal law,
and only one State law.
We will hear today from the largest data brokers about the steps
they are taking to better secure their data, and to properly vet their
customers. We applaud you for taking those steps. But I am worried more
about the hundreds of smaller data brokers who have no incentive to
change their ways since there is no law governing their behavior.
Almost every American--including this Senator--has their personal
information stored in these databases whether we like it or not. This
committee is responsible for making sure that this sensitive, personal
information is not used for identity fraud that can ruin any family's
financial future. We look forward to our witnesses helping us reach
this goal.
The Chairman. Senator, do you have a statement?
STATEMENT OF HON. BILL NELSON,
U.S. SENATOR FROM FLORIDA
Senator Bill Nelson. Yes, sir, I do, Mr. Chairman, because
one of the vehicles in front of the Committee is a bill that--
two bills that I have filed, one with Senator Schumer that's
more of a comprehensive package.
As I have met with identity victims, Mr. Chairman, one of
the great parts of frustration for them is, once their identity
is stolen, they don't know where to go to get it back. They go
to local law enforcement; they send them to somebody at the
State. The State sends somebody to the Federal. The reason my
two bills have been referred here is that my solution to that
is using the FTC as the repository, first of all, to give them
some teeth in the law in which to regulate information brokers
who heretofore have not been regulated as information brokers,
and, second, to have a place where the consumer can go--one
place, one-stop shopping--in order to get their identity back.
And so, in the legislation, we create the Office of Identity
Theft in our legislation, within the FTC, that creates that
one-stop shopping.
And our legislation would mandate that the companies must
reasonably protect this consumer information that is now
collected on billions of bits of information on virtually every
one of us in America, and, as a result of what we've seen
happen thus far, if we don't do something about this, Mr.
Chairman, none of us are going to have any identity left. It's
going to require the companies--these are the information
brokers--to notify consumers when a security breach occurs. And
the only reason that we know about this, Mr. Chairman Stevens,
is the fact that there is a California State statute that
requires just that; otherwise, we wouldn't have known about
this. It's going to tighten the commercial usage of Social
Security numbers, and it's going to create an Assistant
Secretary of Cybersecurity within the Department of Homeland
Security.
And so, I'm really looking forward to the discussion today
about these ideas.
Thank you, Mr. Chairman.
The Chairman. Senator Lautenberg?
STATEMENT OF HON. FRANK R. LAUTENBERG,
U.S. SENATOR FROM NEW JERSEY
Senator Lautenberg. Yes, Mr. Chairman, I ask consent that
my full statement be included in the record.
But I do want to say a few things.
And before I came here, I was CEO of a company called ADP,
and--I was one of the founders of that company--and we were
terribly conscious of the records that we had, because, through
our company, we pay one out of six workers in the American
private-sector labor market. One out of six are paid through
the ADP company. And I thought our principal obligation, Mr.
Chairman, was the protection of the identity of those people.
And there is a treasure trove there that could be sold. We
refused to do it, but--that wasn't our business, anyway--but
this now has become such a problem, and I congratulate Senator
Nelson for his initiative here, to try and get something done.
But when you look at the numbers of identity--the people
who are affected by identity theft, it's staggering--2002,
404,000 people reported identity-theft complaints; in 2004,
just 2 years later, the number climbed by more than 230,000
more people who were exposed to identity theft.
So, Mr. Chairman, I congratulate you for moving the agenda
here on matters of great importance.
[The prepared statement of Senator Lautenberg follows:]
Prepared Statement of Hon. Frank R. Lautenberg,
U.S. Senator from New Jersey
Mr. Chairman, thank you for holding this important hearing on the
``data brokerage'' industry, and the role and responsibilities of firms
that compile, store, and sell sensitive, personal information.
The recent security breaches at the Nation's largest data brokerage
firms have left millions of Americans increasingly vulnerable to
identity theft and scams. Overall, some 10 million Americans were
victimized by identity thieves last year.
Mr. Chairman, before I ran for the Senate, I was a Co-Founder and
CEO of a company called ADP, or Automatic Data Processing, which
processes payrolls and maintains personnel records, and currently pays
one out of every six private-sector workers in the United States.
Throughout my years at ADP, we always recognized our obligation to
maintain the confidentiality of the information that was entrusted to
us. So I am extremely concerned about the security breaches and
management failures that have recently exposed sensitive, personal
information about millions of Americans.
In the wrong hands, this data about an individual can be used to
ruin that person's credit rating . . . their finances . . . and even
their good name.
In the past, personal information on individuals was available, but
it was stored in multiple locations and often only on paper. It took
significant effort to accumulate the information necessary to damage
the credit or identity of a person.
Today, however, technology permits faster and consolidated access
to personal data in fewer databases. Collecting and selling personal
information is a big business--but no matter how big it becomes, it
must never overshadow the rights of the American people. Their privacy
should never be compromised or neglected.
Victims of identity theft often spend years of their precious time,
and large amounts of their hard-earned money, to repair their financial
records and credit history. In some cases, job opportunities are lost
and loans are refused. In 2002, there were just under 404,000 reported
identity theft complaints nationwide. In 2004, that number climbed to
635,000.
Mr. Chairman, our laws must ensure that companies protect personal
information with great care. I look forward to hearing from our two
panels today.
Thank you, Mr. Chairman.
Senator Lautenberg. And, if I may indulge the Committee
just one half-minute more, today is the last day for Rudy
Brioche, who's been with me for these couple of years. Rudy is
leaving me to go work for the FCC. And so, this is his last
hearing, and I want to publicly thank him for his wonderful
work for all of us.
The Chairman. We wish him well. We'll keep him busy.
[Laughter.]
The Chairman. Let me just say, turning the hearing over to
Senator Smith, I was surprised when my staff presented me the
information they got from a series of places. For $65, they
were told they could get my Social Security number. I don't
know if you've done this, but in the report that they got on
me, I found my daughter's rental property in California and
some of my son's activities. And he's, unfortunately, a junior
out in California. I also found that there are probably two or
three other people in this community right here that have the
same basic name, Theodore F. Stevens; they're not all the same
middle name. It's been suggested that I should change my name,
and use my middle name now if I want to maintain my own
identity.
I think this is a very serious thing, and we want to hear
from you all. As I said, Senator Smith, this is just the first
of a series of hearings. I do think we've got several bills now
that have been introduced into Congress to address this, and
it's going to be a very difficult thing for us to handle.
So, we're not going to handle it on the basis of listening
sessions, like this one, because basic information is going to
come from people like the witnesses who are here today. Again,
I thank them very much for being willing to join us.
Senator Smith, it's your Chair.
Senator Bill Nelson. Mr. Chairman, could I just add one
thing to what Senator Stevens has said? This card that each one
of us has, which is Bank of America, and it is the Senate
travel card, the records are missing on 60 Senators. I am one
of them. Now, we hope that this information is not stolen, but
the records of over a million people, of which 60 United States
Senators are included within that, those records are missing.
If they are in the wrong hands, then, because they have the
information on that card, they've got all of our Social
Security numbers, and they've got detailed financial
information. And this is, increasingly, what we're going to be
facing.
The Chairman. Well, I'm embarrassed to say, Senator, my
staff doesn't trust me with that card.
[Laughter.]
The Chairman. Senator?
Voice: Zero balance.
[Laughter.]
STATEMENT OF HON. GORDON H. SMITH,
U.S. SENATOR FROM OREGON
Senator Smith. [presiding] Well, thank you, Mr. Chairman.
And I know you have another responsibility at some point, and
I'm happy to sit in your stead.
But I think this is a very, very important hearing, as all
of my colleagues have indicated, and I read, with horror, that
the FTC is reporting that over ten million Americans are
victimized by identity thieves every year. These numbers
translate into losses of over $55 billion per year, averaging
over $10,000 stolen per fraudulent incident. In 2005, alone,
there were at least 35 known incidents of data breaches
potentially affecting over five million individuals. My State
of Oregon ranks ninth in the Nation for fraud complaints and
identity theft.
So, today's hearing will focus on recent data-broker
services and their relationship to identity-theft enforcement.
Although this hearing will not focus on any particular
legislative proposal, the Committee, as the Chairman has noted,
will hold subsequent hearings with the FTC to discuss
legislative solutions that we need to pursue on identity theft.
At this hearing, the Committee will examine data-broker
services, the recent data breaches, and the treatment of data
brokers under existing Federal privacy laws. Specifically, we
will have the chance to better understand the recent security
breaches at ChoicePoint and LexisNexis and how the information
industry has responded to prevent future breaches. We'll also
explore public and private solutions to detect and prevent
identity theft and fraud, and ensure that personal information
is secure and protected from those who attempt to perpetrate
these crimes.
Protecting sensitive information is an issue of great
importance for all Americans, and this issue does not register
Democrat or Republican. Consumers should have confidence, when
they share their information with others, that their
information will be protected. At the same time, the ability of
legitimate companies to access personal information certainly
does facilitate commerce and continues to benefit consumers.
Data-broker companies perform important commercial and public
functions through their ability to quickly and securely access
consumer data.
Now, we look forward to working with all our colleagues in
coming up with legislative solutions to this problem. We need
to make sure that this legislation strikes the right balance to
ensure the continued existence of critical services while
ensuring the security of personal information to prevent its
misuse and subsequent breaches.
We've been joined by Senator Vitter on this Committee, and,
Senator, if you have an opening statement, we'll hear from you
before we go to our witnesses.
STATEMENT OF HON. DAVID VITTER,
U.S. SENATOR FROM LOUISIANA
Senator Vitter. Mr. Chairman, I don't have an opening
statement. Thank you, Chairman Stevens, for leading this
matter. It's, unfortunately, a very legitimate area of growing
concern because of these recent breaches and because of the
phenomenon across the country. So, thank you for your, Senator
Stevens, and others' leadership.
Senator Smith. Thank you, Senator Vitter.
We will now hear first from Mr. Kurt Sanford, President
and Chief Executive Officer of U.S. Corporate and Federal
Government Markets, LexisNexis, from Miamisburg, Ohio.
Thank you, Mr. Sanford. The mike is yours.
STATEMENT OF KURT P. SANFORD, PRESIDENT/CEO, U.S.
CORPORATE AND FEDERAL GOVERNMENT MARKETS, LexisNexis
Mr. Sanford. Chairman Stevens, Senator Inouye, Senator
Smith, and distinguished members of the Committee, good
afternoon. My name is Kurt Sanford. I am the President and
Chief Executive Officer for Corporate and Federal Markets at
LexisNexis. I appreciate the opportunity to be here today to
discuss the important issues surrounding identity theft, fraud,
and data security.
LexisNexis is a leading provider of authoritative legal
public records and business information, playing a vital role
in supporting government, law enforcement, and business
customers who use our information services for important uses,
including detecting and preventing identity theft and fraud,
locating suspects, and finding missing children.
One of the important uses of our products and services
provided by LexisNexis is to detect and prevent identity theft
and fraud. The FTC has indicated that the total cost of
identity fraud for businesses and individuals is approximately
$50 billion per year. In 2004, 9.3 million consumers were
victimized by identity fraud.
Until recently, it was not fully appreciated that identity
theft is part of a larger problem of identity fraud. Identity
fraud is the use of false identifiers, fraudulent documents, or
a stolen identity in the commission of a crime. Both industry
and government have asked LexisNexis to develop solutions to
help address this evolving problem.
Financial institutions, online retailers, and other
businesses have turned to LexisNexis to help them detect and
prevent identity theft and fraud. With the use of LexisNexis, a
major bank-card issuer experienced a 77 percent reduction in
the dollar losses due to fraud associated with identity theft.
Our products are becoming increasingly necessary to combat
identity fraud associated with Internet transactions, where
high-dollar merchandise, such as computers and other
electronics, are sold via credit card. Lower fraud costs to
businesses ultimately mean lower cost and greater efficiencies
for consumers.
While we work hard to provide our customers with effective
products, we also recognize the importance of protecting the
privacy of the consumer information in our databases. We have
privacy policies, practices, and procedures in place to protect
this information. Our Chief Privacy Officer and Privacy Policy
Review Board work together to ensure that LexisNexis has strong
policies to help safeguard consumer privacy.
We also have multilayer security processes and procedures
in place to protect our systems and the information contained
in our databases. Maintaining security is not a static process;
it requires continuously evaluating and adjusting our security
procedures to address the new threats we face every day.
Even with these safeguards, we discovered, earlier this
year, some security incidents at our Seisint business, which we
acquired last September. In February 2005, a LexisNexis
integration team became aware of some billing irregularities
and unusual usage patterns with several customer accounts. Upon
further investigation, we discovered that unauthorized persons
using IDs and passwords of legitimate Seisint customers may
have accessed personally identifying information such as Social
Security numbers and driver's license numbers. No personal
financial, credit, or medical information was involved, since
LexisNexis and Seisint do not collect that type of information.
In March, we notified approximately 30,000 individuals whose
personally identifying information may have been unlawfully
accessed.
Based on these incidents at Seisint, I ordered an extensive
review of data-search activity going back to January 2003 at
our Seisint unit and across all LexisNexis databases that
contained personally identifying information. We completed that
review on April 11th and concluded that unauthorized persons,
primarily using IDs and passwords of legitimate Seisint
customers, may have accessed personally identifying information
on approximately 280,000 additional individuals. At no time was
the LexisNexis or Seisint technology infrastructure hacked into
or penetrated, and no customer data was accessed or compromised.
We sincerely regret these incidents and any adverse impact
they may have on the individuals whose information may have
been accessed. We took quick action to notify those
individuals. We are providing all individuals with a
consolidated credit report and credit-monitoring services. For
those individuals who do become victims of fraud, we will
provide counselors to help them clear their credit reports of
any information relating to fraudulent activity. We will also
provide them with identity-theft insurance to cover expenses
associated with restoring their identity and repairing their
credit reports.
We've learned a great deal from the security incidents at
Seisint and are making substantial changes in our business
practices and policies across all LexisNexis businesses to help
prevent any future incidents. I have included the details of
these enhancements in my written statement.
I would like to focus the remainder of my time on policy
issues being considered to further enhance data security, and
address the growing problem of identity theft and fraud.
LexisNexis would support the following legislative
approaches.
First, we support requiring notification in the event of a
security breach where there is a significant risk of harm to
consumers. In addition, we believe that it's important that any
such proposal contain Federal preemption.
Second, we would support the adoption of data-security
safeguards modeled after the safeguard rules of the Gramm-
Leach-Bliley Act.
Finally, it's important that any legislation strike the
right balance between protecting privacy and ensuring continued
access to critically important information.
Thank you, again, for the opportunity to be here today to
provide the Committee with our company's perspective on these
important public-policy issues. We look forward to working with
the Committee as it considers these important issues.
[The prepared statement of Mr. Sanford follows:]
Prepared Statement of Kurt P. Sanford, President/CEO, U.S. Corporate
and Federal Government Markets, LexisNexis
Introduction
Good morning. My name is Kurt Sanford. I am the President and Chief
Executive Officer for Corporate and Federal Markets at LexisNexis. I
appreciate the opportunity to be here today to discuss the important
issues surrounding identity theft and fraud, and data security.
LexisNexis is a leading provider of authoritative, legal, public
records, and business information. Today, over three million
professionals--lawyers, law enforcement officials, government agencies'
employees, financial institution representatives, and others--use the
LexisNexis services. Government agencies, businesses, researchers, and
others rely on information provided by LexisNexis for a variety of
important uses.
One of the important uses of products and services provided by
LexisNexis is to detect and prevent identity theft and fraud. In 2004,
9.3 million consumers were victimized by identity fraud. Credit card
companies report $1 billion in losses each year from credit card fraud.
Although the insidious effects of identity theft are fairly well known,
until recently it was not fully appreciated that identity theft is part
of the larger problem of identity fraud. Identity fraud, which
encompasses identity theft, is the use of false identifiers, false or
fraudulent documents, or a stolen identity in the commission of a
crime. It is a component of most major crimes and is felt around the
world today. As a result, both industry and government have asked
LexisNexis to develop solutions to help address this evolving problem.
Financial institutions, online retailers, and others depend on
products and services provided by LexisNexis to help prevent identity
theft and fraud. With the use of a LexisNexis solution called Fraud
Defender, a major bank card issuer experienced a 77 percent reduction
in the dollar losses due to fraud associated with identity theft and
credit card origination.
LexisNexis products are becoming increasingly necessary to combat
identity fraud associated with Internet transactions where high-dollar
merchandise such as computers and other electronic equipment are sold
via credit card. Lower fraud costs ultimately mean lower costs and
greater efficiencies for consumers.
The following are some other examples of the important ways in
which the services of LexisNexis are used by customers:
Locating and recovering missing children--Customers like the
National Center for Missing and Exploited Children rely on LexisNexis
to help them locate missing and abducted children. Since 1984, the
Center has assisted law enforcement in recovering more than 85,000
children. Over the past 4 years, information provided by LexisNexis has
been instrumental in a number of the Center's successful recovery
efforts.
Locating suspects and helping make arrests--Many Federal, State and
local law enforcement agencies rely on LexisNexis to help them locate
criminal suspects, and to identify witnesses to a crime. LexisNexis
works closely with Federal, State, and local law enforcement agencies
on a variety of criminal investigations. For example, the Beltway
Sniper Task Force in Washington, D.C., used information provided by
LexisNexis to help locate one of the suspects wanted in connection with
that case. In another case, information provided by LexisNexis was
recently used to locate and apprehend an individual who threatened a
District Court Judge and his family in Louisiana.
Preventing money laundering--LexisNexis has partnered with the
American Bankers Association to develop a tool used by banks and other
financial institutions to verify the identity of new customers to
prevent money laundering and other illegal transactions used to fund
criminal and terrorist activities. This tool allows banks to meet
Patriot Act and safety and soundness regulatory requirements.
Supporting homeland security efforts--LexisNexis worked with the
Department of Homeland Security Transportation Safety Administration
(TSA) in developing the Hazardous Materials Endorsement Screening
Gateway System. This system allows TSA to perform background checks on
commercial truck drivers who wish to obtain an endorsement to transport
hazardous materials.
Locating parents delinquent in child support payments--Both public
and private agencies rely on LexisNexis to locate parents who are
delinquent in child support payments and to locate and attach assets in
satisfying court-ordered judgments. The Association for Children for
the Enforcement of Support (ACES), a private child-support recovery
organization, has had tremendous success in locating non-paying parents
using LexisNexis.
These are just a few examples of how our information products are
used to help consumers by detecting and preventing fraud, strengthening
law enforcement's ability to apprehend criminals, protecting homeland
security and assisting in locating missing and abducted children.
Types of Information Maintained by LexisNexis Risk Solutions
The information maintained by LexisNexis falls into the following
three general classifications: public record information, publicly
available information, and non-public information.
Public record information. Public record information is information
originally obtained from government records that are available to the
public. Land records, court records, and professional licensing records
are examples of public record information collected and maintained by
the government for public purposes, including dissemination to the
public.
Publicly available information. Publicly available information is
information that is available to the general public from non-
governmental sources. Telephone directories are an example of publicly
available information.
Non-public information. Non-public information is information about
an individual that is not obtained directly from public record
information or publicly available information. This information comes
from proprietary or non-public sources. Non-public data maintained by
LexisNexis consists primarily of information obtained from either motor
vehicle records or credit header data. Credit header data is the non-
financial identifying information located at the top of a credit
report, such as name, current and prior address, listed telephone
number, Social Security number, and month and year of birth.
Privacy
LexisNexis is committed to the responsible use of personal
identifying information. We have privacy policies in place to protect
the consumer information in our databases. Our Chief Privacy Officer
and Privacy and Policy Review Board work together to ensure that
LexisNexis has strong privacy policies in place to help protect the
information contained in our databases. We also undertake regular
third-party privacy audits to ensure adherence to our privacy policies.
LexisNexis has an established Consumer Access Program that allows
consumers to review information on them contained in the LexisNexis
system. While the information provided to consumers under this program
is comprehensive, it does not include publicly available information
such as newspaper and magazine articles, and telephone directories
contained in the LexisNexis system.
LexisNexis also has a consumer opt-out program that allows
individuals to request that information about themselves be suppressed
from selected databases under certain circumstances. To opt-out of
LexisNexis databases, an individual must provide an explanation of the
reason or reasons for the request. Examples of reasons include:
You are a State, local or Federal law enforcement office or
public official and your position exposes you to a threat of
death or serious bodily harm;
You are a victim of identity theft; or
You are at risk of physical harm.
Supporting documentation is required to process the opt-out
request. While this opt-out policy applies to all databases maintained
by our recently acquired Seisint business, it is limited to the non-
public information databases in the LexisNexis service. The policy does
not currently apply to public records information databases maintained
by LexisNexis. We are currently evaluating what steps we can take to
better publicize our opt-out program and extend the program to all
public records databases in the LexisNexis service.
Security
LexisNexis has long recognized the importance of protecting the
information in our databases and has multiple programs in place for
verification, authorization and IT security. Preventive and detective
technologies are deployed to mitigate risk throughout the network and
system infrastructure and serve to thwart potentially malicious
activities. LexisNexis also has a multi-layer process in place to
screen potential customers to ensure that only legitimate customers
have access to sensitive information contained in our systems. Our
procedures include a detailed authentication process to determine the
validity of business licenses, memberships in professional societies
and other credentials. We also authenticate the documents provided to
us to ensure they have not been tampered with or forged.
Only those customers with a permissible purpose under applicable
laws are granted access to sensitive data such as driver's license
information and Social Security numbers. In addition, customers are
required to make express representations and warranties regarding
access and use of sensitive information and we limit a customer's
access to information in LexisNexis products according to the purposes
for which they seek to use the information.
Maintaining security is not a static process--it requires
continuously evaluating and adjusting our security processes,
procedures and policies. High-tech fraudsters are getting more
sophisticated in the methods they use to access sensitive information
in databases. We continuously adapt our security procedures to address
the new threats we face every day from those who seek to unlawfully
access our databases. We undertake regular third-party security audits
to test the security of systems and identify any potential weaknesses.
Even with the multi-layer safeguards in place at LexisNexis, we
discovered earlier this year that unauthorized persons primarily using
IDs and passwords of legitimate customers may have accessed personal
identifying information at our recently acquired Seisint business. In
February 2005, a LexisNexis integration team became aware of some
billing irregularities and unusual usage patterns with several customer
accounts. At that point we contacted the U.S. Secret Service. The
Secret Service initially asked us to delay notification so they could
conduct their investigation. About a week later, we publicly announced
these incidents and within a week sent out notices to approximately
30,000 individuals.
The investigation revealed that unauthorized persons, primarily
using IDs and passwords of legitimate customers, may have accessed
personal-identifying information, such as Social Security numbers
(SSNs) and driver's license numbers (DLNs). In the majority of
instances, IDs and passwords were stolen from Seisint customers that
had legally permissible access to SSNs and DLNs for legitimate
purposes, such as verifying identities and preventing and detecting
fraud. No personal financial, credit, or medical information was
involved since LexisNexis and Seisint do not collect such information.
At no time was the LexisNexis or Seisint technology infrastructure
hacked into or penetrated nor was any customer data residing within
that infrastructure accessed or compromised.
Based on the incidents at Seisint, I directed our teams to conduct
an extensive review of data-search activity at our Seisint unit, and
across all LexisNexis databases that contain personal identifying
information. In this review, we analyzed search activity for the past
twenty-seven months to determine if there were any other incidents that
potentially could have adversely impacted consumers. We completed that
review on April 11, 2005. As a result of this in-depth review, we
discovered additional incidents where there was some possibility that
unauthorized persons may have accessed personal identifying information
of approximately 280,000 additional individuals.
We deeply regret these incidents and any adverse impact they may
have on the individuals whose information may have been accessed. We
took quick action to notify the identified individuals. We are
providing all individuals with a consolidated credit report and credit
monitoring services. For those individuals who do become victims of
fraud, we will provide counselors to help them clear their credit
reports of any information relating to fraudulent activity. We will
also provide them with identity-theft expense insurance coverage up to
$20,000 to cover expenses associated with restoring their identity and
repairing their credit reports.
We have learned a great deal from the security incidents at Seisint
and are making substantial changes in our business practices and
policies across all LexisNexis businesses to help prevent any future
incidents. These include:
Changing customer password security processes to require
that passwords for both system administrators and users be
changed at least every 90 days;
Suspending customer passwords of system administrators and
users that have been inactive for 90 days;
Suspending customer passwords after five unsuccessful login
attempts and requiring them to contact Customer Support to
ensure security and appropriate reactivation;
Further limiting access to the most sensitive data in our
databases by truncating SSNs displayed in non-public documents
and narrowing access to full SSNs and DLNs to law enforcement
clients and a restricted group of legally authorized
organizations, such as banks and insurance companies; and
Educating our customers on ways they can increase their
security.
Laws Governing LexisNexis Compilation and Dissemination of Identifiable
Information
There are a wide range of Federal and State privacy laws to which
LexisNexis is subject in the collection and distribution of personal
identifying information. These include:
The Gramm-Leach-Bliley Act. Social Security numbers are one of the
two most sensitive types of information that we maintain in our systems
and credit headers are the principal commercial source of Social
Security numbers. Credit headers contain the non-financial identifying
information located at the top of a credit report, such as name,
current and prior address, listed telephone number, Social Security
number, and month and year of birth. Credit header data is obtained
from consumer reporting agencies.\1\ The compilation of credit header
data is subject to the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C.
§§ 6801 et seq., and information subject to the GLBA cannot be
distributed except for purposes specified by the Congress, such as the
prevention of fraud.
---------------------------------------------------------------------------
\1\ Consumer reporting agencies are governed by the Fair Credit
Reporting Act (FCRA), 15 U.S.C. §§ 1681 et seq. Some
information services, such as Seisint's Securint service and LexisNexis
PeopleWise, also are subject to the requirements of the FCRA.
---------------------------------------------------------------------------
Driver's Privacy Protection Act. The compilation and distribution
of driver's license numbers and other information obtained from
driver's licenses are subject to the Driver's Privacy Protection Act
(DPPA), 18 U.S.C. §§ 2721 et seq., as well as State laws.
Information subject to the DPPA cannot be distributed except for
purposes specified by the Congress, such as fraud prevention, insurance
claim investigation, and the execution of judgments.
Telecommunications Act of 1996. Telephone directories and similar
publicly available repositories are a major source of name, address,
and telephone number information. The dissemination of telephone
directory and directory assistance information is subject to the
requirements of the Telecommunications Act of 1996, as well as State
law.
FOIA and other Open Records Laws: Records held by local, State, and
Federal governments are another major source of name, address, and
other personally identifiable information. The Freedom of Information
Act, State open record laws, and judicial rules govern the ability of
LexisNexis to access and distribute personally identifiable information
obtained from government agencies and entities. See, e.g., 5 U.S.C.
§ 552.
Other Laws
Unfair and Deceptive Practice Laws: Section 5 of the Federal Trade
Commission Act, and its State counterparts, prohibit companies from
making deceptive claims about their privacy and security practices.
These laws have served as the basis for enforcement actions by the
Federal Trade Commission and state attorneys general for inadequate
information security practices. The consent orders settling these
enforcement actions typically have required companies to implement
information security programs that conform to the standards set forth
in the GLBA Safeguards Rule, 16 C.F.R. Part 314.
Information Security Laws: A growing body of State law imposes
obligations upon information service providers to safeguard the
identifiable information they maintain. For example, California has
enacted two statutes that require businesses to implement and maintain
reasonable security practices and procedures and, in the event of a
security breach, to notify individuals whose personal information has
been compromised. See California Civil Code §§ 1798.81.5,
1798.82-84.
Legislative Measures LexisNexis Supports
We recognize that additional legislation may be necessary to
further enhance data security and address the growing problem of
identity theft and fraud. LexisNexis supports the following legislative
approaches:
Data Security Breach Notification. We support requiring
notification in the event of a security breach where there is
substantial risk of harm to consumers. It is important that there is an
appropriate threshold for when individuals actually would benefit from
receiving notification, such as where the breach is likely to result in
misuse of customer information. In addition, we believe that it is
important that any such legislation contain Federal preemption to
ensure that companies can quickly and effectively notify individuals
and not struggle with complying with multiple, potentially conflicting
and inconsistent State laws.
Adoption of Data Security Safeguards for Information Service
Providers Modeled After the GLBA Safeguards Rule. LexisNexis supports
the adoption of data security protections for information service
providers modeled after the Safeguards Rule of the GLBA.
Increased penalties for identity theft and other cybercrimes and
increased resources for law enforcement. LexisNexis strongly encourages
legislation that imposes more stringent penalties for identity theft
and other cybercrimes. Additionally, consumers and industry alike would
benefit from enhanced training for law enforcement and an expansion of
the resources available to investigate and prosecute the perpetrators
of identity theft and cybercrime. Too many of our law enforcement
agencies do not have the resources to neutralize these high-tech
criminals.
Finally, LexisNexis strongly encourages that any legislation
considered strike a balance between protecting privacy and providing
legitimate businesses, organizations, and government agencies with
access to critical information that enables them to fulfill their
important missions.
I appreciate the opportunity to be here today to discuss the
important issues surrounding identity theft and fraud and data
security. I look forward to working with the Members of this Committee
as you consider these important public policy issues.
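The account controls listed in the statement above (password rotation at least every 90 days, suspension after 90 days of inactivity, lockout after five unsuccessful logins, and truncated display of SSNs) can be expressed as a small policy checker. The block below is an added example for readers, not LexisNexis code and not part of the hearing record; the thresholds come from the statement, while the account fields, function names, the "last four digits" masking choice and the sample records are constructed assumptions for illustration.

```python
"""Policy checker for the account controls described in the testimony.

Added example. Thresholds (90-day rotation, 90-day inactivity, 5 failed
logins) are taken from the statement; everything else is assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

ROTATION_DAYS = 90        # passwords changed at least every 90 days
INACTIVITY_DAYS = 90      # inactive IDs suspended after 90 days
MAX_FAILED_LOGINS = 5     # lockout after five unsuccessful attempts


@dataclass
class Account:
    user_id: str
    role: str               # "admin" or "user"; both face the same rules
    password_set: date      # date the current password was set
    last_login: date        # date of the last successful login
    failed_logins: int = 0  # consecutive failures since the last success
    suspended: bool = False


def evaluate(account: Account, today: date) -> List[str]:
    """Return the policy actions that apply to the account on `today`.

    Boundary assumption: an age of exactly 90 days already triggers the
    rotation and inactivity rules (">= 90").
    """
    actions: List[str] = []
    if account.failed_logins >= MAX_FAILED_LOGINS:
        # Reactivation goes through Customer Support, not self-service.
        actions.append("lockout")
    if (today - account.last_login).days >= INACTIVITY_DAYS:
        actions.append("suspend-inactive")
    if (today - account.password_set).days >= ROTATION_DAYS:
        actions.append("force-rotation")
    return actions


def record_login_attempt(account: Account, success: bool, today: date) -> bool:
    """Update the failure counter; return True if the account is now suspended."""
    if success:
        account.failed_logins = 0
        account.last_login = today
    else:
        account.failed_logins += 1
        if account.failed_logins >= MAX_FAILED_LOGINS:
            account.suspended = True
    return account.suspended


def mask_ssn(ssn: str) -> str:
    """Truncate an SSN for display, keeping only the last four digits.

    Which portion to keep is an assumption; the statement only says SSNs
    are truncated in non-public documents.
    """
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return "XXX-XX-" + digits[-4:]


def review_accounts(today: date) -> Dict[str, List[str]]:
    """Run the checker over constructed sample accounts (not real data)."""
    sample = [
        Account("analyst-01", "user", date(2005, 1, 1), date(2005, 5, 1)),
        Account("admin-07", "admin", date(2005, 4, 1), date(2005, 1, 15), 5),
        Account("analyst-02", "user", date(2005, 5, 1), date(2005, 5, 1)),
    ]
    return {acct.user_id: evaluate(acct, today) for acct in sample}


if __name__ == "__main__":
    for user, actions in review_accounts(date(2005, 5, 10)).items():
        print(user, actions or ["ok"])
    print(mask_ssn("123-45-6789"))
```

The checker only reports actions; a real deployment would also log each action with the account and the reason so that the "unusual usage patterns" the statement mentions can be correlated with lockouts and suspensions.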
Senator Smith. Thank you very much. Our next witness is Mr.
Douglas C. Curling, President and Chief Operating Officer of
ChoicePoint, of Alpharetta, Georgia.
STATEMENT OF DOUGLAS C. CURLING, PRESIDENT/CHIEF OPERATING
OFFICER, ChoicePoint INC.
Mr. Curling. Thank you.
Chairman Stevens, Chairman Smith----
The Chairman. Pull that mike up toward you, please? Thank
you.
Mr. Curling. Certainly. Better?
Chairman Stevens, Chairman Smith, Ranking Member Inouye and
Members of the Committee, good morning. I'm Doug Curling,
President and Chief Operating Officer of ChoicePoint.
ChoicePoint has, on several occasions, provided Congress
with testimony about the recent improper data access and the
criminals who perpetrated this fraud, the steps we are taking
to protect affected consumers, and the measures we're taking to
prevent similar violations from occurring in the future. I have
provided the Committee with details of these actions in my
written testimony.
At ChoicePoint, we recognize that in an increasingly risky
world, information and technology can be used to help create a
safer, more secure society. At the same time, we know, and have
been painfully reminded by recent events, that there can be
negative consequences to the improper access of personally
identifiable data. As a result of these experiences, we've made
fundamental changes to our business model and products to
prevent this from happening again in the future. I hope you see
in ChoicePoint a company that has listened to consumers, to
privacy experts, and to government officials, and learned from
this experience.
Accordingly, we've responded rapidly and in fundamental
ways. We've provided benefits to potentially affected consumers
that no other information company had done before and several
companies have since emulated, including voluntary nationwide
notification, dedicated call centers and websites, free three-
bureau credit reports, and 1 year of credit monitoring at our
cost. Once again, we extend our apology on behalf of our
company to those who have been potentially affected.
We learned that there are few places for consumers to turn
to if their identity is stolen. This, alone, increases the fear
and anxiety associated with identity theft. For this reason, we
have recently formed a partnership with the Identity Theft
Resource Center, a leading and well-respected nonprofit
organization dedicated exclusively to assisting identity-theft
victims.
Most importantly, we have shifted our focus to ensuring our
products and services provide a direct benefit to consumers or
to society as a whole. While this has meant exiting an entire
market, we decided that consumer interest must come first. We
have already made broad changes to our products, limiting
access to sensitive, personally identifiable information, and
more changes are under development.
Last year, we helped more than 100 million people obtain
fairly priced home and auto insurance. More than seven million
Americans get jobs through our pre-employment screening
services, and we helped more than one million consumers obtain
expedited copies of their own vital records--birth, death, and
marriage certificates. These transactions were started by
consumers, with their permission, and they provide a clear,
direct benefit to them.
Not all of our work is as obvious, but the value is. At a
time when the news is filled with crimes committed against
children, we're helping our Nation's religious institutions and
youth-serving organizations protect those in our society who
are least able to protect themselves. Our products and services
have identified 11,000 undisclosed felons among those seeking
to volunteer with children, 1,055 with convictions for crimes
against children, 42 of whom were registered sex
offenders.
Consumers, businesses, and nonprofits are not the only ones
that rely on ChoicePoint. In fact, government officials have
recently testified to Congress that they could not fulfill
their missions of protecting our country and its citizens
without the help of ChoicePoint and others in our industry.
Last month, ChoicePoint supported the U.S. Marshals Service in
Operation Falcon, which served approximately 10,000 warrants in
a single day.
Mr. Chairman, apart from what we do, I also understand that
the Committee is interested in how our business is regulated by
Federal legislation, as well as various State regulations.
Approximately 60 percent of ChoicePoint's business is driven by
consumer-initiated transactions, most of which are regulated by
the FCRA. These include pre-employment screening, auto- and
home-insurance underwriting services, tenant screening
services, and facilitating the delivery of vital records
directly to consumers.
Nine percent of ChoicePoint's business is related to
marketing services, none of which include the distribution of
personally identifiable information. Even so, we are regulated
by State and Federal Do Not Mail and Do Not Call legislation,
and, for some services, the FCRA.
Five percent of ChoicePoint's business is related to
supporting law enforcement agencies in pursuit of their
investigative missions through information and data services.
Six percent of our business supports law firms, financial
institutions, and general business to help mitigate fraud
through data and authentication services.
The final 20 percent of our business consists of software
and technology services that do not include the distribution of
personally identifiable information.
Although a majority of our products are already governed by
the FCRA, we believe additional regulation will give consumers
greater protections while strengthening our business model. I,
therefore, want to conclude by stating for the record
ChoicePoint's position on future regulation of our industry.
We support independent oversight and increased
accountability for those who handle personally identifiable
information, including public records. This oversight should
extend to all entities, including public-sector, academic, and
other private-sector organizations that handle such data.
We support a preemptive national law that would provide for
notification to consumers, ensuring that the burden of notice
follows the responsibility for breach.
ChoicePoint supports providing consumers with the right to
access and question the accuracy of public-record information
used to make decisions about them, consistent with the
principles of the FCRA. There are technical and logistical
issues that will need to be solved, but they are solvable.
We've already taken steps to restrict the display of Social
Security and driver's license numbers, and would support
legislation to restrict the display of Social Security numbers,
modeling existing law, including GLB and FCRA.
And, finally, we support increased resources for law
enforcement efforts to combat identity theft, and stronger
penalties for the theft of personally identifiable information.
We have all witnessed the significant benefits to society
that can come with the proper use of information, but we've
been reminded firsthand the damage that can be caused when
people with ill intent access sensitive consumer data.
As a company, we have re-dedicated our efforts to creating
a safer, more secure society. We look forward to participating
in continued discussion of these issues. And I would be pleased
to answer any questions you may have.
[The prepared statement of Mr. Curling follows:]
Prepared Statement of Douglas C. Curling, President/Chief Operating
Officer, ChoicePoint Inc.
Chairman Stevens, Ranking Member Inouye and members of the
Committee,
Good morning, I am Doug Curling, President and Chief Operating
Officer of ChoicePoint. I have been with the company since its
inception in 1997. ChoicePoint has on several occasions provided
Congress with testimony about the recent improper data access and the
criminals who perpetrated this fraud, the steps we are taking to
protect affected consumers, and the measures that we are taking to
prevent similar violations from occurring in the future.
As you know, California has been the only State that requires
consumers to be notified of a potential breach of personally
identifiable information. We not only followed California law, we built
upon it and voluntarily notified consumers who may have been impacted
across the country, and we did that before anyone called upon us to do
so. We've also taken other steps to help assist and protect the
consumers who may have been harmed in this incident--first, we've
arranged for a dedicated website and toll-free number for affected
consumers where they can access additional information; second, we're
providing, free of charge, a three-bureau credit report; and third,
we're providing, free of charge, a one year subscription to a credit
monitoring service.
In addition to helping those affected consumers, we've taken strong
remedial action and made fundamental changes to our business and
products:
ChoicePoint has decided to discontinue the sale of
information products that contain personally identifiable
information unless those products and services meet one of
three tests:
1. The product supports consumer driven transactions such as
insurance, employment and tenant screening, or provides
consumers with access to their own data;
2. The product provides authentication or fraud prevention
tools to large accredited corporate customers where consumers
have existing relationships. For example, information tools for
identity verification, customer enrollment and insurance
claims; or
3. When personally identifiable information is needed to
assist Federal, State or local government and criminal justice
agencies in their important missions.
Additionally, we've strengthened ChoicePoint's customer
credentialing process and are re-credentialing broad sections
of our customer base. Our new process will require more
stringent due diligence such as bank references and site visits
before allowing businesses access to personally identifiable
information.
Third, we've created an independent office of Credentialing,
Compliance and Privacy that will ultimately report to our Board
of Directors' Privacy Committee. This office is led by Carol
DiBattiste, the former Deputy Administrator of the
Transportation Security Administration, and a former senior
prosecutor in the Department of Justice with extensive
experience in the detection and prosecution of financial fraud.
Finally, we've appointed Robert McConnell, a 28-year veteran
of the Secret Service and former chief of the Federal
Government's Nigerian Organized Crime Task Force, to serve as
our liaison to law enforcement officials. In this role, he will
work aggressively to ensure that criminal activities are
investigated and prosecuted to the fullest extent possible. He
will also help us ensure that our security and safeguard
procedures continue to evolve and improve.
Obviously, our investigation as well as those of law enforcement
continues and if we identify additional instances of fraud related to
personally identifiable information we will provide notice.
At ChoicePoint, we recognize that in an increasingly risky world,
information and technology can be used to help create a safer, more
secure society. At the same time, we know, and have been painfully
reminded by recent events, that there can be negative consequences to
the improper access to personally identifiable data. As a result of
these experiences, we've made fundamental changes to our business model
and products to prevent this from happening in the future. I hope you
see in ChoicePoint a company that has listened--to consumers, privacy
experts and government officials--and learned from this experience.
Accordingly, we have responded rapidly and in fundamental ways.
We have provided benefits to potentially affected consumers
that no other information company had done before and that
several companies have since emulated--including voluntary
nationwide notification, dedicated call centers and websites,
free three-bureau credit reports and one year of credit
monitoring at our cost. Once again, we extend our apology on
behalf of our company to those who have been potentially
affected.
We learned that there are few places for consumers to turn
for help if their identity is stolen. This alone increases the
fear and anxiety associated with identity theft. For this
reason, we have recently formed a partnership with the Identity
Theft Resource Center--a leading and well respected non-profit
organization dedicated exclusively to assisting identity theft
victims.
Most importantly, we have shifted our focus to ensuring our
products and services provide a direct benefit to consumers or
to society as a whole. While this has meant exiting an entire
market, we decided that consumer interests must come first. We
have already made broad changes to our products--limiting
access to personally identifiable information--and more changes
are under development.
Mr. Chairman, before delving into the specifics of various policy
proposals, perhaps it would be helpful if I gave Members of the
Committee a brief overview of our company, the products we provide and
some insight as to how we are currently regulated.
The majority of transactions our business supports are initiated by
consumers. Last year, we helped more than 100 million people obtain
fairly priced home and auto insurance, more than seven million
Americans get jobs through our pre-employment screening services, and
we helped more than one million consumers obtain expedited copies of
their family's vital records--birth, death and marriage certificates.
These transactions were started by consumers with their permission, and
they provide a clear, direct benefit to consumers.
Not all of our other work is as obvious--but the value of it is. At
a time when the news is filled with crimes committed against children,
we're helping our Nation's religious institutions and youth-serving
organizations protect those in our society who are least able to
protect themselves. Our products or services have identified 11,000
undisclosed felons among those volunteering or seeking to volunteer
with children--1,055 with convictions for crimes against children.
Forty-two of those felons were registered sex offenders. In addition,
using information and tools supplied by us, the National Center for
Missing and Exploited Children has helped return hundreds of children
to their loved ones.
Consumers, businesses and non-profits are not the only ones that
rely on ChoicePoint. In fact, government officials have recently
testified to Congress that they could not fulfill their missions of
protecting our country and its citizens without the help of ChoicePoint
and others in our industry. Last month, ChoicePoint supported the U.S.
Marshals Service in Operation Falcon, which served approximately 10,000
warrants in a single day for crimes ranging from murder to white-collar
fraud.
Mr. Chairman, apart from what we do, I also understand that the
Committee is interested in how our business is regulated by Federal
legislation, as well as various State regulations, including the Fair
Credit Reporting Act (FCRA) and the recently enacted companion FACT
Act, the Gramm-Leach-Bliley Act (GLB), and the Driver's Privacy
Protection Act (DPPA).
Approximately 60 percent of ChoicePoint's business is driven
by consumer initiated transactions, most of which are regulated
by the FCRA. These include pre-employment screening, auto and
home insurance underwriting services, tenant screening
services, and facilitating the delivery of vital records to
consumers.
Nine percent of ChoicePoint's business is related to
marketing services, none of which include the distribution of
personally identifiable information. Even so, we are regulated
by State and Federal "Do Not Mail" and "Do Not Call"
legislation and, for some services, the FCRA.
Five percent of ChoicePoint's business is related to
supporting law enforcement agencies in pursuit of their
investigative missions through information and data services.
Six percent of our business supports law firms, financial
institutions and general business to help mitigate fraud
through data and authentication services.
The final 20 percent of our business consists of software
and technology services that do not include the distribution of
personally identifiable information.
Although a majority of our products are already governed by the
FCRA and other Federal and State legislation, a small percentage of our
business is not subject to the same level of regulation. We believe
additional regulation will give consumers greater protections while
strengthening our business model. I, therefore, want to state for the
record, ChoicePoint's positions on future regulation of our industry.
We support independent oversight and increased
accountability for those who handle personally identifiable
information, including public records. This oversight should
extend to all entities including public sector, academic and
other private sector organizations that handle such data.
We support a preemptive national law that would provide for
notification to consumers, ensuring that the burden of notice
follows the responsibility for breach and that consumers do not
become de-sensitized to such notices. We also support
notification to a single law enforcement point of contact when
personally identifiable information has fallen into
inappropriate hands.
ChoicePoint supports providing consumers with the right to
access and question the accuracy of public record information
used to make decisions about them consistent with the
principles of FCRA. There are technical and logistical issues
that will need to be solved, but they are solvable.
We have already taken steps to restrict the display of full
Social Security numbers and would support legislation to
restrict the display of full Social Security numbers modeling
existing law including GLB and FCRA while extending those
principles to public record information. Providing uniformity
as to which portion of a Social Security number should be
masked would be an important step.
Finally, we support increased resources for law enforcement
efforts to combat identity theft and stronger penalties for the
theft of personally identifiable information.
We have all witnessed the significant benefits to society that can
come with the proper use of information. But we have been reminded,
first-hand, the damage that can be caused when people with ill intent
access sensitive consumer data.
As a company, we have rededicated our efforts to creating a safer,
more secure society. We look forward to participating in continued
discussion of these issues and would be pleased to answer any questions
you might have.
Senator Smith. Thank you very much.
For the benefit of my colleagues, the order is, after my
questions, Senator Inouye, Senator Nelson, Senator Lautenberg,
and Senator Vitter. We've been joined now by Senator Dorgan and
Senator Pryor. If that's all right with you, gentlemen, we'll
go in that order.
Mr. Sanford, I think I heard you say that some 300,000 have
had their security breached within your company. I guess my
question is, have all these individuals, including, I believe,
about 9,000 Oregonians, received a consolidated credit report?
And are they getting any credit-monitoring services from you
all?
Mr. Sanford. Senator, when we announced the security
breaches in March, we mailed notice to approximately 30,000
individuals within the same week, modeled our notice after
California legislation, provided toll-free numbers for them to
call to take advantage of those reports. April 11th, we also
made notice of the additional incidents we discovered at our
Seisint business. Again, within the week, we mailed notices to
all 280,000. About 4 percent of the people that we've mailed
notices to have responded.
Senator Smith. And can you provide any update as to how
many of those individuals actually experienced theft as a
result of their identities being discovered?
Mr. Sanford. It's a tricky question on what is ``theft,''
because of different state interpretations, but, in terms of
financial losses, of the 12,800-or-so people who have notified
us, the process is to provide them the credit reports and then
a monitoring service. And if there was any indication of any
fraud or financial losses that may have occurred, we have a set
of counselors, professionals, to do that. We've referred about
a dozen people to those counselors. All of those, except for
one, have been resolved to show that there was no problem.
Sometimes consumers just forget they have a credit card.
Law enforcement has advised us of ten individuals that--in
their investigation--that there may have been some loss. Seven
of those were related to people opening AOL accounts or making
credit inquiries under somebody else's identity. Three people
may have suffered some financial loss, although law
enforcement's not clear whether it's related to the breach in
our system. We, personally, contacted, or tried to contact, all
ten of those; I think we've reached eight--personally tried to
enroll them all into our services; I think half of them
actually took us up on that.
Senator Smith. Thank you.
Mr. Curling, I was encouraged to hear of the technological
sorts of steps you have taken to protect Social Security
numbers and driver's licenses. Is that something that has not
been available until now? And is that a technological fix that
you think actually makes less legislation necessary on our
part?
Mr. Curling. Well, the steps we've taken are a combination
of technology changes and product offerings. We've completely
changed the types of businesses we sell products to, and the
circumstances under which, even if they're allowed to get
access to that product under the law, we will choose to sell
them products. So, most of the changes we made had to do with
withdrawing from markets where there's, in our opinion,
difficulty credentialing customers, particularly small
businesses that, for a company like ChoicePoint, whose
preponderance of revenue is in other markets that are unrelated
to these kind of public-record offerings, just isn't in our
commercial best interests to pursue.
We have, however, taken steps and tried to change the
products that we deliver to customers that we continue to
serve, restricting access to Social Security numbers and
driver's license numbers, just as a business practice, because
we think, given the propensity to--of identity theft out there
now, it's something everybody needs to step up to and go--we've
got to find a way to link data correctly together by limiting
the display of that Social Security number or other personal
identifier.
Senator Smith. Is it the case that the public is aware of
all--however many security breaches have occurred at
ChoicePoint?
Mr. Curling. Well, I don't--I would presume the public is
paying attention to this topic, as is everybody else. In the
breaches that we've investigated and noticed, we indicated it
was about 45 to 50 accounts that had been set up by a group of
fraudsters. We noticed all of those folks and offered them the
services I provided in my oral and written testimony.
Senator Smith. Isn't it true that there was a breach 5
years ago that just became public?
Mr. Curling. Yes, we became aware--I, personally, became
aware very recently of a breach that took place in the latter
part of 2001, where we apparently got a subpoena in a
California subsidiary, responded to that subpoena, working with
law enforcement, closed an account down, and didn't hear
anything else about it again until the latter part of 2004.
Back then, going back four or 5 years, I think that the
practice of many of us, including our company, was to work with
law enforcement to investigate potential crimes, turn over
information to them, prosecute the perpetrators, and law
enforcement had the responsibility to notify and communicate
with victims. Obviously, since the California notice law has
gone into place, our practices have changed substantially, and
we now spend a lot more time trying to research all kinds of
matters to make sure we can comply with that law, and that
something like that would be communicated much more rapidly up
the organization, going forward.
Senator Smith. But when this occurred 5 years ago, were
steps taken then to technologically get in the way of theft?
Mr. Curling. I don't know, sir. I don't--I don't believe
that the breach was communicated outside of the local area that
was affected--the local company affected by it.
Senator Smith. Thank you.
Senator Inouye?
Senator Inouye. Thank you, Mr. Chairman.
Mr. Sanford, how many companies can be designated as data
brokers?
Mr. Sanford. I don't know the exact number. I would--in our
industry, there are dozens and dozens of businesses. From a
competitive intelligence--we tend to focus on about a dozen of
them, as primary competitors, but there are many, many
businesses in which you could get personally sensitive
information on the Internet that I wouldn't consider to
actually be in my industry, but have access to the same
information.
Senator Inouye. Mr. Curling testified that most of your
activities, both of you, are covered by the FCRA provisions.
Mr. Curling. Most of ours are, yes, sir.
Mr. Sanford. Most of mine are not.
Senator Inouye. Would you be in favor of having FCRA
provisions cover all of the activities, Mr. Sanford?
Mr. Sanford. I don't believe the FCRA, and the FACT Act
that reauthorized it, is the appropriate framework. I mean, the
FCRA, as I understand it, Senator, was intended to cover very
specific transactions--the granting of insurance, granting
credit. The information services that we provide that are not
governed by the FCRA are about identity authentication, finding
and locating people. The FCRA has very limited permissive uses.
And if we were to extend the FCRA to this industry, there are
at least seven or eight major applications for identity theft
and fraud-detection purposes that would be eliminated.
Senator Inouye. Mr. Curling, would you be in favor of
FCRA----
Mr. Curling. Yes, sir. I think, in general, we'd be fine
with extending the principles of FCRA to cover these records
and products.
Senator Inouye. At the present time, if a consumer wants to
see his own file in your company, Mr. Sanford, would you let
him do it?
Mr. Sanford. We do have a consumer-access program in
LexisNexis, and today a customer can ask for access to that
information. We are not able to--if you recall, Senator, we
have a--news and business information, as well, where we list
all of the articles in the major newspapers--we're not able
to--because we don't have personal identifiers--aren't able to
tell that John Smith, who's asking for information, whether or
not that's the same John Smith that's--appears in all of the
different news articles or in the white pages, other public
information. But we certainly would provide access to the
information in our public/non-public-record databases.
Senator Inouye. Can a consumer have that right in your
company, Mr. Curling?
Mr. Curling. Yes, sir, they do. We don't maintain dossiers
on consumers, but we have information products that have this
consumer data, and those products are available for consumers
from a single point of entry, either via a website we maintain
or a 1-800 number.
Senator Inouye. Now, if that consumer finds that there's
some incorrect information, is he provided the opportunity to
correct it?
Mr. Sanford. We have a small part of our business which is
governed by the FCRA and there are provisions that indicate
exactly how those corrections happen. For the part that's not
part of the FCRA, our practice is, if the error in the
information is related to the way in which we keyed the data or
the way in which we stored the data in the database, we make
the correction. If it's an error that the individual is
claiming is in the public record, the way in which a mortgage
record or tax lien is recorded in a county courthouse, we then
point the individual to the county courthouse, because we don't
have authority to change a public record, and we can't have a
database where our version of the public record is different
than what's available in the public record.
Senator Inouye. What's the situation in your company, sir?
Mr. Curling. The majority of our products are regulated by
the FCRA, and, as a result, there's a defined process for
consumers to, you know, note the dispute and for us to help
them go through and navigate that correction. For the public-
record products that we have, our present policy is similar to
that of my colleague here, LexisNexis, although there are some
things that, if we extend the practices we talked about earlier
in this hearing to, we could potentially help consumers not
only know which courthouse that record came from and how it was
sourced, but we're also looking at ways to put disputes on the
file much like the FCRA provides. So, even though it's a
correction we cannot make legally on their behalf, we can note
the dispute in future searches that we would serve up to our
customers.
Senator Inouye. Now, if I wanted to buy information from
either one of your companies, would you permit me?
Mr. Sanford. We have a new-customer authentication
verification procedure, Senator, that you would go through,
like any other customer, and, depending upon the documentation
and records that you provided, depending upon the uses that you
claimed in our investigation, you would be able to get access
to certain types of databases. It might be our legal news and
business information databases. It might be public records. It
would unlikely, as a--in your current role, it would be
unlikely to qualify you for access to a nonpublic-record
information.
Senator Inouye. Can I just buy information on a specific
person?
Mr. Sanford. Again, if you didn't qualify for permissive
purposes, you wouldn't have access to that information.
Senator Inouye. What is the policy in your company, Mr.----
Mr. Curling. You could not buy sensitive, personal
identifiable information from ChoicePoint under our customer
credentialing procedures. There are some information products
you could buy. You can buy records--professional license
records on your doctor and healthcare providers. You can buy
your own vital records on behalf of your family. You can buy
basic public records like real-estate records and directory
searches, et cetera. But you wouldn't be able to gain--to set
up an account to gain access to any products that contained
sensitive, personal identifiable information.
Senator Inouye. Thank you very much.
Thank you, Mr. Chairman.
Senator Smith. Thank you, Senator Inouye.
Senator Nelson?
Senator Bill Nelson. Thank you, Mr. Chairman.
Mr. Sanford, does your company compile, store, and sell
this information only, or does it also provide analysis of this
information to your customers?
Mr. Sanford. We compile data, and we have data analytics
that link data. And then when a customer does a query, we,
hopefully, give them the answer back which is the most correct
answer available on the analysis. But you'd have to perhaps
give me an example, Senator, of what you mean, ``beyond the
analysis,'' so I make sure I'm responding to your question.
Senator Bill Nelson. Well, what kind of analysis would you
provide, for example, to law enforcement?
Mr. Sanford. Law enforcement can do a specific query. If
they're looking for a particular individual, they could do a
query on that, and they might say, ``I'm looking for John
Smith, who has the following type of vehicle, whose last known
address was the following,'' and they could do a query, and we
could then provide information of other known addresses for
that same individual, or associates of that particular
individual.
Senator Bill Nelson. So, there is some analysis--instead of
just giving them information, you would compile material, and
there would be some analysis of this information.
Mr. Sanford. In that way that you defined it, yes, Senator.
Senator Bill Nelson. Other than law enforcement, who else
would you provide analysis to? Give me an example, as a
customer.
Mr. Sanford. Financial institutions might want to be
ensuring, or a bank, when they're opening an account, that the
person who's there to open the account is who they purport to
be. They might want to use an ID product that would allow them
to ask the individual some qualifying questions to make sure
they really are who they purport to be. Again, they would then
be able to access to the broader databases to see unrelated
information that might be in different repositories.
Senator Bill Nelson. In following up to Senator Inouye, I
think it's absolutely critical, for the protection of the
consumer, that they have access to this data, so that if, in
fact, it's wrong, they can correct it. And I, further, think
that it's essential that the consumer should have access to the
information of who is collecting that data, other than someone
like a client of yours such as law enforcement.
So, would you, for the record, state again what is the
position of your company with regard to providing the consumer
with information that is contained within your records?
Mr. Sanford. If the question, Senator, is about--if I
collected the information, should I provide notice to the
consumer about its purposes and uses--I want to make sure you
understand this--we don't collect that kind of information, I
would have to say. I'm not really clear on whether there should
be legislation on that. If the question is--once I collect
information from public and nonpublic sources--I have white-
page phone information, I have public-record documents--I would
not be supportive of sending a notice to a consumer each and
every time a query might have gone on a database that touched
their name. We'd be talking about sending millions and millions
of notices----
Senator Bill Nelson. No, that's not the question. The
question is, If the consumer asks you for access to see what
kind of information is being contained on that consumer----
Mr. Sanford. I'm sorry, Senator, I misunderstood. I thought
there were two questions. I thought--one was access, and I
thought I had previously indicated I was supportive of that--
and I thought the second part was, Should I send them a
notice----
Senator Bill Nelson. No, I didn't ask about notice.
Mr. Sanford. I misunderstood.
Senator Bill Nelson. No. Notice is already what you're
required to do in the State of California, which is--and that's
something that I think this committee will be examining--once
that information is breached and it has been withdrawn from the
possession that you have, then, under California law, you're
required to notify. What we're going to consider is that--
should that be nationally, other than just the State?
So, your testimony is that, with regard to giving the
consumer access to the information that you contain, that you
would be willing to do that.
Mr. Sanford. We do that today in our LexisNexis business.
Senator Bill Nelson. Well, then that's very helpful.
Now, tell us something about what is the procedure for
becoming a LexisNexis client. When somebody becomes a client,
does the client have access to all of LexisNexis's databases,
for any purpose? For example, if an attorney became your client
to help locate a witness, can that attorney also use your
database for personal and other reasons?
Mr. Sanford. The customers go through an authentication and
credentialing process--applications, records. We do searches on
various databases to verify their identity. Part of the
application is, they have to indicate the permissive uses if
they want to access personally identifying information and
nonpublic record databases. Generally, lawyers do not qualify
for access to that information. We call that, in our business,
5A access.
Senator Bill Nelson. So, they have to qualify in order to
be able to use the other parts of the database.
Mr. Sanford. We have case law. We have news and business
articles. This is not the kind of thing that goes through a
special credentialing process. But access to, say, driver's
license number data or credit header information, nonpublic
information, there's a special credentialing process.
Senator Bill Nelson. How do you monitor that?
Mr. Sanford. Customers in each and every search session
have to indicate what their permissive use is. We do have
detection software. Under DPPA, I believe, each time you use a
search where you access a driver's license, you make a
statement subject to criminal sanctions. It's against the law
to have an impermissive use under DPPA.
We've instituted some recent procedures to do
recredentialing, on a periodic basis, for customers when
contracts are up for renewal. We're enhancing procedures all
the time. We're looking at having systems administrators
recertify on a monthly basis, or a 60-day basis. We're working
with our customers to figure out how we do that. Because we are
in a mobile society, and people do have employees that come and
go from their business, we want to make sure that the people
who have the passwords and IDs are still, you know, legitimate
users in those businesses.
Senator Bill Nelson. Mr. Chairman, I see my time is up. I
will have some more questions in the next round.
Senator Smith. We'll have another round.
Senator Bill Nelson. Thank you.
Senator Smith. Senator Lautenberg?
Senator Lautenberg. Thanks, Mr. Chairman.
Just curious about the material that's accessible when
someone becomes a client of your firm, either one of you. Now,
if--are most of these people likely to be looking for lists for
mailing solicitations?
Mr. Sanford. In LexisNexis, we don't have a marketing
business, except for a--there's a very, very small business
that helps people in bankruptcy, doesn't have personally
identifying information or driver's license numbers. But 99
percent of what we do has nothing to do with marketing. We
don't have financial----
Senator Lautenberg. How about ChoicePoint?
Mr. Curling. We have a collection of businesses, one of
which is purely direct marketing, but those--all of our
customers are credentialed and have access to separate product
platforms. There is no common ChoicePoint access or single
database with all the information in it. The information is
kept separate by product. So, for example, in direct marketing,
the customers would have access to no sensitive, personal
identifiable information. As I indicated in my testimony, it's
about 9 percent of ChoicePoint's revenue.
Senator Lautenberg. Yes, so if someone was a United States
Senator, and they wanted to compile a mailing list for campaign
solicitation, could they have that list, sorted out by--a list
sorted out by income levels?
Mr. Curling. Well, that's not a market we serve, so I can't
answer that, but if it was in a market that I do serve--well,
we're principally serving financial institutions and insurance
companies. The preponderance of our revenue is in the insurance
market. So, for insurance companies what they're typically
trying to do is look at the people they have insured today for
auto and home policies and try and find more----
Senator Lautenberg. So it would have to be specific----
Mr. Curling. Typically, they're going after a particular
product.
Senator Lautenberg. And when they sign up for your
services, do they have to identify those lists that--or the
area of listing that they might want to access?
Mr. Curling. Yes. As a part of our credentialing--in
marketing, as a part of that process, we would understand what
products they wanted to buy----
Senator Lautenberg. So, they're limited. They can't----
Mr. Curling. They're completely separate from other
products.
Senator Lautenberg. What--when people have--are expected--
or suspected to be a substantial risk for identity and fraud,
is it in the consumer's best interest for the company to make
that call or to inform consumers when there's any breach at
all? How do you anticipate that someone might be an easy target
for identity theft? Do you?
Mr. Sanford. Well, it's very much the process we went
through beginning in February. We have a chief security officer
in the business. We investigate security issues. No company is
immune to the constant attempts at hacking and penetration of
their services. And what we did in our situation was, we looked
at security breaches where a customer had said, ``This is not
my billing activity.'' And when we could see that that was an
employee who left the company, who went across the street, say,
figuratively, to work at the collection company across the
street, and continued to conduct searches in the normal course
of their business, that doesn't present a risk of harm to the
consumer. When an employee in a business is searching
celebrities on a database, that doesn't suggest a risk of harm
to consumers.
And so, what we looked for was anything in a search that we
couldn't authenticate, where there was some suggestion of risk
of harm to a consumer. So, for example if the IP address of
where that search emanated from came from a foreign country,
and this was a domestic business, that was suggestive of a
problem, given the body of literature on this issue. If people
were using anonymizers, or if there was a virus or spyware
inside of a customer's environment, we said there's some risk
of harm. And the real challenge, Senator, is this trigger--is,
When do you make notice? Because if there's any risk of harm,
or no risk of harm, I think you do run the risk of this over-
notification.
This is a very serious matter. But the facts, so far in our
notices, have indicated, you know, next to no financial harm,
at least, for those individuals. It's very discomfiting to
them, it's a very serious matter, but I think we do have to
wrestle with, What is it that's going to trigger notice?
Because the intent of notice, I hope, is to help someone
protect themselves, not to make them immune to the notices they
get so they don't protect themselves that one time when they
should.
Senator Lautenberg. If someone--if a company is interested
in debt collection, is that information fairly discernible in
any of the groups that you have?
Mr. Sanford. Debt collectors, credit departments, financial
institutions, and collection organizations are a part of our
business, and what they're looking for is authentication and
location of the individual; so they may collect the debt from
the correct person. Again, there are many, many John Smiths,
and they're trying to find out which John Smith is the right
John Smith for this particular debt.
Senator Lautenberg. Thanks, Mr. Chairman.
Senator Smith. Thank you, Senator Lautenberg.
Senator Dorgan?
STATEMENT OF HON. BYRON L. DORGAN,
U.S. SENATOR FROM NORTH DAKOTA
Senator Dorgan. Mr. Chairman, thank you. And thanks to the
witnesses.
This is a complicated set of issues for those of us who
don't work in the business. And my understanding is that there
is no Federal law prohibiting the use and sale of Social
Security numbers. Would that be correct?
Mr. Sanford. I think there are a number of laws. The most--
GLBA would be most applicable, where it talks about the use
of----
Senator Dorgan. GLBA?
Mr. Sanford. Gramm-Leach-Bliley Act.
Senator Dorgan. OK.
Mr. Sanford. Excuse me, Senator--where it talks about our
business, for example, as a recipient of information from a
financial institution. Our use of that credit-header
information, which includes the Social Security number, is
restricted.
Senator Dorgan. Do both of you do business in Europe and
the United States?
Mr. Sanford. Yes.
Senator Dorgan. And can we go----
Mr. Curling. We do, principally, business in the United
States.
Senator Dorgan. Do you do business in Europe?
Mr. Curling. We do very, very small amounts of business in
Europe, there are a few financial institutions that buy data
for customer enrollment purposes, Patriot Act compliance, but
very little; 99-plus percent of our revenue is domestic.
Senator Dorgan. Mr. Sanford, can you describe for us the
difference that exists with respect to the European approach
protecting confidentiality, versus the U.S. approach at this
point, given current law?
Mr. Sanford. I'm not an expert on the European privacy
issues. I can speak to the U.S. I'd be happy to give you the
information. Our business in Europe is principally a legal news
and business information service, as it is in Asia, Pacific,
and Latin America. Our risk-management business focusing on
public records is principally a U.S. business.
Senator Dorgan. But if you--because you do business in
Europe, you are required to comply with the--I believe it's
called the Data Protection Directive in Europe?
Mr. Curling. We don't collect public-record information or
data from--on European citizens.
Senator Dorgan. Well, the reason I was asking that--I was
going to ask you your assessment of the approach the Europeans
take, versus the approach that we take, under present law. And
that, I think, goes to the heart of what we might ought to
consider. Should we consider doing something that is much more
restrictive, much more protective? And I believe that the
Europeans do that. As I understand it, they require companies
to provide consumers with notice, the ability to opt out with
respect to nonsensitive commercial marketing of personal
information, opt in with respect to sensitive, personal
information, the right of access to personal information
collected, reasonable security protections for the information,
and so on, which I think is different than now exists in this
country. Is that right?
Mr. Sanford. I think some of them are the same, and some of
them are different. It depends, again, if we're talking about
FCRA applications, where I think you'd see opt-in--or, excuse
me, opt-out, you would see notice and correction.
Senator Dorgan. Tell me about, if you would--I expect
neither of your companies are involved in this, but I think my
colleague, Senator Inouye, was getting to it--if you, Mr.
Sanford, go to the Internet today and decide you want to know
about Senator Bill Nelson--you want to learn about him, you
want to know everything there is to know about him, you want--
you'd like to get his Social Security number, you want to find
out about his driving record, you want to know everything about
him. And my guess is there are many options for you on the
Internet to pay $100, $50, or $150 to gather information about
Senator Nelson. Is that correct?
Mr. Sanford. I believe there are.
Senator Dorgan. And what kinds of companies are they that,
on the Internet, are marketing that information? Do you know?
It's obviously----
Mr. Sanford. Yes, I wouldn't want to speculate as to the
business purposes. You wouldn't be able to do that on our
service.
Senator Dorgan. I understand that.
Mr. Sanford. You'd be able to access news articles and
public information that might be otherwise in a blog or, you
know, in a Google-type search.
Senator Dorgan. I understand that. And I'm not making a
comparison that either of you are involved in that. I'm just
saying that that's another type of data collection. Somebody is
collecting information about Senator Nelson, and, for $150 or
so, we can go find out what information they've collected,
which I assume would probably almost always include his Social
Security number and a whole range of issues relating to his
life. And that is also part of this data-collection industry,
albeit smaller companies, likely, companies that aren't
operating within the guidelines that you operate within. But as
we consider all of these issues, you, of course, will always
have to bear the burden of others in this industry that are
marketing information in different ways. How do you feel about
that?
Mr. Sanford. We have policies and practices which are more
restrictive than some of the existing laws. I would certainly
welcome enforcement of existing laws on my competitors. It is a
competitive disadvantage for us, where we comply with laws, but
people find ways to gain access to information that they
shouldn't.
Senator Dorgan. Is Social Security the critical identifier
with respect to personal information?
Mr. Sanford. The Social Security number would probably be
the most commonly agreed item. California statute also
suggested driver's license numbers. If you think about identity
theft and getting a photo ID with a driver's license number, I
would include that as a sensitive piece of data, as well.
Senator Dorgan. Is identity theft a crisis or a very
serious problem in this country, or is it overblown, in your
judgment?
Mr. Sanford. I think it's a very serious problem, but I
think it's been a very serious problem for a long, long, long
time. I've learned quite a bit from the research and--I mean,
identity theft's been going on, and fraud associated with
identity theft's been going on for decades and decades.
Technology, while it's very powerful, has facilitated it more
recently. And that's--you know, again, without downplaying the
seriousness of us having very strong security safeguards, the
reality is--is that the bad guys now have technology tools
available to them to go out and commit all kinds of fraud. And
part of the solution has to be to create tools to stop them.
Restricting access to data is certainly, in some people's
minds, a way to do that. I think if the restriction goes too
far, we will, in fact, enable the bad guys to do even more than
they're doing now.
Senator Dorgan. Mr. Chairman, first of all, I think it's a
service for you to hold this hearing. And I know the work that
Senator Nelson has done, and others, is very important. You
know, I think, frankly, most people would be aghast--most of
our citizens would be aghast at the information that's being
collected with respect to their personal lives. And I think, as
we dig into this issue and mine this issue a bit to understand
it better, we have a lot of interesting choices to make about
how to protect American citizens with respect to the gathering
of their personal information by other companies.
Senator Smith. I think you're right, Senator. Thank you.
Next, Senator Pryor. And we have been joined by Senator
Nelson--we'll go to your questions after that, Senator Ben
Nelson. And then back to Senator Bill Nelson for round two.
STATEMENT OF HON. MARK PRYOR,
U.S. SENATOR FROM ARKANSAS
Senator Pryor. Thank you, Mr. Chairman.
Let me ask both of you a question, because, as I
understand, what we're talking about here today is, the two
entities you represent have very different business models,
right? You all have different business models from one another.
And they're--and I think what it shows is, there's kind of a
diversity within the information-providers sector of our
economy, if you will. What implications does the fact that you
all have different business models--what implications does that
have on possible legislation? In other words, when I see
something like what you're talking about today, I'm concerned
that a one-size-fits-all solution probably won't work. So,
could you discuss a little bit, if you can do it fairly
briefly, about, you know, how you're different and how you
think we need to--as we look at legislation, how we should be
careful to craft that to meet those differences?
Mr. Sanford. Well, we're both alike, to the extent that if
we have an FCRA solution, we're governed by the FCRA and the
FACT Act. We're both alike to the extent that if we're dealing
with information from financial institutions, we're governed by
the privacy provisions of the Gramm-Leach-Bliley Act. We're
different in our product mix. And that's our distinction. Now,
our business practices may be different, and our policies, but,
from a legislative standpoint, we are covered by the same laws;
we just happen to have different concentrations.
Senator Pryor. Do you agree with that, Mr. Curling?
Mr. Curling. Well, I think, generally, that's probably an
accurate characterization. I mean, we--our product mix is
principally consumer-driven transactions that are regulated by
FCRA or software and services. So, the segment of public-record
sales that are non-FCRA, that are nongovernmental, it's a very
small business for ChoicePoint. I think that the--some of the
legislative proposals that have been put forth do deal with
things, though, that all businesses and all enterprises should
agree on. I think that, you know, identity theft is a crime
that doesn't stay inside state borders. I think it's a crime
that doesn't contain itself to a particular industry. You know,
the breaches that were mentioned by the Committee members
earlier in the meeting happened to universities, nonprofits,
government agencies, commercial enterprises. So, I think that
some of the topics under discussion, you know, notice, you
know, how we're going to help affect the consumers. The things
that we all need to do to try and provide more support for law
enforcement to drive fraud and identity theft out of our
society are things we all agree on, regardless of the industry
we're in. And I think there is legislation there that everyone
would agree on, and it would fit under one tent.
Senator Pryor. Let me follow up on that, if I can, Mr.
Curling, because there have been security breaches that have
happened in a wide variety of companies and, as you said, some
nonprofits, some--even some government entities. Should a
security safeguards rule be applied only to information--only
to information-service providers, or should it be broader than
that and cover all businesses and even nonprofits and
government agencies?
Mr. Curling. We believe that consumers' interests are going
to be best protected when, you know, it applies to all
entities, regardless of the type of organization or structure
of that company. As I indicated, you know, if you collect,
assemble, maintain, transfer, or manage sensitive data, a
breach is a breach, and, whether that took place in a
commercial enterprise or a nonprofit organization, consumers
need to be noticed.
Senator Pryor. Mr. Sanford, you said, in your written
testimony, that you acknowledge that maintaining security is
not a static process. In other words, you have to continually
evaluate new or--new types of security breaches. And,
obviously, I know you have your hands full there. Do you think
it is possible for a small company data-broker to maintain
database security as diligently as they need to in order to
prevent identity theft? It seems to me they might be at a
disadvantage.
Mr. Sanford. There are certainly high fixed costs for
security. I mean, having credentialing programs, having
detection software, monitoring, having resources to investigate
certainly would be a disadvantage to a small business.
Senator Pryor. What about third-party security audits? Do
you use those in your company, right?
Mr. Sanford. We do use them.
Senator Pryor. And has that been a successful approach for
you?
Mr. Sanford. The third-party tends to be objective, has no
loyalties, points it out to you, makes suggestions on things
that are now available in the industry, state-of-the-art
technology, different practices and procedures.
Senator Pryor. Do you know how widespread third-party
security audits are in the industry? I mean, do the smaller
companies use them? Do we know?
Mr. Sanford. I don't know, Senator.
Senator Pryor. OK. Well, it looks like I'm just about out
of time, so let me ask my last question here.
Do you think that a consumer should have the ability to see
his own file with your company?
Mr. Sanford. In our non-FCRA businesses, we don't maintain
consumer files or consumer reports, but we do have the ability
for them to get access to the information, running a search to
see what information's there.
Senator Pryor. Is that available to them now?
Mr. Sanford. Yes.
Senator Pryor. And is that free?
Mr. Sanford. No. There's a fee for that. I've asked the
team to look at, you know, what that fee should be. Unlike a--
in a credit transaction, where data is pushed to you to
assemble credit reports, we incur extraordinary cost to go
collect and maintain all this information. We're not making a
profit on giving them the reports. We have to authenticate
the--I'm sorry, Senator----
Senator Pryor. Yes.
Mr. Sanford.--we have to authenticate the individual to
make sure who they are when they call up. We're not just going
to turn that information over to somebody over the phone. Then
we have to prepare the report, and we mail it out to them.
Senator Pryor. And, just as a very brief follow-up to that,
because we're out of time, is--should the consumer have the
ability to correct information in your file?
Mr. Sanford. If the information has an error, is related to
work we've done with it--let's say we transposed data
inadvertently when we were loading the file--we would certainly
correct that. If it's a public-record file, or a non-public-
record file, like a credit header, we need--we generally point
them right back to the source and say, ``This is where we got
this file from, let's get the public-record source collected so
that we have the correct public-record information.''
Senator Smith. Thanks, Senator Pryor.
Senator Nelson?
Senator Ben Nelson. Thank you, Mr. Chairman.
Mr. Curling, you mentioned that if information is
breached--security is breached, information is now out--that
there's a notice that should be sent out to the parties. Should
that security breach also be a violation of the specific law?
Should there be strict liability for anything that comes from
the misuse or the access of that information?
Mr. Curling. Well, as we indicated, I think, Senator, we do
agree that, you know, if there is a breach, we should send
notice. And we would prefer the legislature draw a bright line
as to what that notice criteria should be, because we don't
feel like we're in a position to judge whether or not that
breach posed a significant risk. In the event there is a
notice, you know, we do have obligations and responsibilities
that we need to fulfill. The first is, we help those consumers
that are affected, you know, try and do what they can to
understand the breach, understand the significance of the
effect on them, and give them access to information products
that would help them monitor whether or not they're going to be
a victim of identity theft. And we believe we've done that.
Senator Ben Nelson. What about strict liability? In other
words, if you have--if you have control over the information,
and it gets accessed, should you have strict liability for
anything that occurs that is damaging to the name whose
identity theft has occurred?
Mr. Curling. Well, I'm not a lawyer, I don't know that I'm
prepared to understand----
Senator Ben Nelson. Well, no, I'm not necessarily saying
you should you know right now, but do you think, as a matter of
law, if you're not strictly liable now, that that might be the
kind of imposition of responsibility that would be appropriate?
Mr. Curling. Well, there are certainly penalties and fines
already in place for breaches like this. I think that the
primary, you know, view that ChoicePoint would have, as a
commercial enterprise, is, we have market forces at play, as
well, that already put, you know, tremendous pressure on
companies to not only do the right thing, but maintain the
appropriate safeguards. And I think that the, you know, primary
liability is with the criminals. And I think what we want to
try and support is law enforcement, getting the fraudsters out
of our system.
Senator Ben Nelson. Well, if you were faced with the
question we're faced with--How does this get resolved?--what
would be the first thing you would suggest we do?
Mr. Curling. Well, I think there are many good proposals in
place. You know, I previously testified in the Judiciary
Committee that the proposal by Senator Schumer and Senator
Nelson has a lot of good principles that we agree with. We
believe in notice. We think notice is an important thing. You
need to give a consumer a notice that a breach has occurred,
and give them an opportunity to take the steps necessary to
protect themselves. We believe that there need to be standards.
And I think all of us, you know, would like to have a level
playing field, whether that's for us to better understand the
expectations that various constituencies place on us so we can
feel like we're honoring and acting responsibly in our
obligations, but also from a competitive and marketplace
standard to understand what it is the rules should be.
In my case, most of our products, as I indicated, that
contain personally identifiable information, are already
regulated by the FCRA, which, as you well know, has been a
tried and true kind of 30-year standard for how this kind of
information should be managed and what you should do if there
is a breach or if there is some kind of dispute. We think
that's a good model.
Senator Ben Nelson. Mr. Sanford?
Mr. Sanford. Senator, I would recommend that the three most
important things that this committee could consider, if the
ambitious goal is to make a dent in the amount of fraud
associated with identity theft, is, one, look at what the
penalties are for the identity thieves, and make it a crime
that nobody wants to commit. It's a very hard crime to prove.
Sometimes the value of the theft is difficult to prove, and the
penalties sometimes make these misdemeanors, while the harm to
society and the harm to the individuals and the financial
institutions, the banking industry, is in the billions. So,
that's one.
Second, I do think a national notification standard is in
order. California does have a law. Many, many states are
considering, as we are here today, different notification bills
across the United States, and I think having a national
notification standard that has Federal preemption will ensure
that when someone gets a notice, no matter where they live--
because, remember, our people in this country move around quite
a bit--they'll understand what that notice means, and it won't
depend upon which State it came from.
And, third, I think insisting--as Mr. Curling pointed out
earlier, insisting on data-security safeguards, regardless of
where that data repository is, would make sense--not just for
commercial organizations like us--so that we make it harder to
get that information. And I--as indicated in my testimony, I
believe that the Safeguard Rules, if they're modeled after
what's in GLBA, would be a good start.
I think that this framework needs to be flexible, because
every company's business is a bit different, technologies are
different, the size of the business is different, and the
threats are evolving. I think proscribing specific security--
within a year or 18 months, we would have companies that might
be in compliance with that, but would have ineffective security
safeguards in place.
Senator Ben Nelson. What about the--my question about
strict liability for any kind of damages that the victim of
identity theft might get as a result of information you held
that was accessed by an identity thief?
Mr. Sanford. It's not something that I've previously
considered. I'd be glad to give it some thought. I, top of
mind, wonder if it wouldn't provide some incentive for
companies not to make notice--who were worried about the
penalties--but it's something I'd be glad to work with your--
you and your staff on and consider.
Senator Ben Nelson. Thank you. Thanks to both of you.
Thank you, Mr. Chairman.
Senator Smith. Thank you very much, Senator Nelson.
As we go to a second round, I know Senator Inouye has
expressed an interest, but if there is no objection, Senator
McCain, a Member of this Committee, has asked that we include
in the record his statement. It relates to the leadership,
tragically, of Arizona on this issue, and it's an issue about
which he is very concerned.
Is there objection?
[No response.]
Senator Smith. We'll include it.
[The prepared statement of Senator McCain follows:]
Prepared Statement of Hon. John McCain, U.S. Senator from Arizona
Our Nation--along with the rest of the world--is experiencing a
data revolution. Thanks to information technology, innovative business
models, and globalization, data is flowing faster, more widely, and
more freely than ever before. This current of information is helping
our economy grow, but like many other revolutions, this one has not
been bloodless. The dark side of our Nation's information-based economy
is that the wider availability of data--including personal identifiable
information--has contributed to the theft of millions of American
identities.
Unfortunately, identity theft is especially common in my home
State. Federal Trade Commission data indicates that there were more
reported cases of identity theft per capita in Arizona than in any
other state in 2004. In addition, the FTC reports that the Phoenix area
leads other U.S. metropolitan areas in the incidence of the crime. This
has led one Arizona newspaper to christen my home State the ``identity
theft capital of the Nation,'' a distinction that no Arizonan is proud
of and that I will continue working to shed.
Today's hearing touches on yet another chapter in this country's
battle against identity theft. And, though I'm extremely concerned
about the security breaches at companies like ChoicePoint and
LexisNexis, I am not surprised by the news. ChoicePoint, for example,
has compiled 19 billion records covering virtually every American adult
according to press reports. Targets do not get bigger and more
predictable than that, and I have to say that I am disappointed to know
that a company that should have had better security measures in place
did not. I look forward to hearing what ChoicePoint and LexisNexis are
doing to restore integrity to their businesses.
I trust that this will be the first of many hearings that the
Committee will have on the issues of information security and privacy,
and that the Committee will build on the work it has done in the past
by taking a broad look at security and privacy issues during this
Congress. Our purpose in doing so should be to protect consumers while
maintaining the integrity and viability of our information economy. I,
for one, believe that those goals are not mutually exclusive.
I thank Chairman Stevens for holding this important hearing and the
witnesses for coming before the Committee.
Senator Smith. Also, I'll include in the record the data
security incidents in 2005 relating to public institutions,
primarily universities, and the tremendous levels of identity
theft that has occurred at some of the major universities of
our Nation.
[The information previously referred to follows:]
Data Security Incidents--2005
(As of 5/9, at least 35 incidents have been disclosed, potentially
affecting more than 5.2 million individuals)
------------------------------------------------------------------------
Date Entity Affected
------------------------------------------------------------------------
01/03/05 George Mason University.............. 30,000
--Officials discover that hackers had
accessed private information and
Social Security numbers on students
and staff..
01/06/05 University of Kansas................. 1,400
--Administrators send letters to
individuals whose personal
information, including Social
Security numbers, passport numbers,
countries of origin, and birthdates,
might have been compromised when a
hacker accessed a server in November
2004..
01/18/05 University of California, San Diego.. 3,500
--Officials reveal a mid-November
breach may have compromised names
and SSNs of students and alumni..
01/25/05 Science Applications International Unknown
(SAIC).
--Desktop computers were stolen from
the offices of Science Applications
International Corp., an online
payroll services company,
compromising personal information of
current and past stockholders.
01/27/05 Purdue University.................... 1,200
--An unknown person or group accessed
a computer in the College of Liberal
Arts' Theatre Division containing
names and SSNs of faculty, staff,
students, alumni and business
affiliates..
02/02/05 Indiana University................... Unknown
--Officials reveal that the F.B.I.
and campus police are investigating
a computer security breach that left
employees' personal information
vulnerable. It is unknown at this
point how many have been affected..
02/14/05 ChoicePoint.......................... 145,000
--Company confirms it was victimized
by a customer fraud in which public
records information about
approximately 30,000 consumers may
have been compromised; number of
potentially affected consumers later
increased to 145,000..
02/20/05 T-Mobile............................. 400
--Mobile phone accounts of Paris
Hilton and 400 T-Mobile customers
compromised by hackers.
02/24/05 Westlaw.............................. ``Millions''
--Accused by U.S. Sen. Charles
Schumer of having ``egregious
loopholes'' in one of its Internet
data services that would allow
thieves to harvest SSNs and
financial identities of millions of
people..
02/25/05 Bank of America...................... 1.2 million
--Announced it had lost computer data
tapes containing personal
information on Federal employees,
including some members of the U.S.
Senate..
02/05 PayMaxx.............................. 25,000
--Flaws in the online W-2 service of
PayMaxx exposed customers' payroll
records..
03/08/05 DSW Shoes............................ 1.4 million
--Announced that credit card
information from customers of more
than 100 DSW Shoe Warehouse stores
was stolen from a company computer's
database. The company announces on
April 18, the number of affected
consumers could be 1.4 million..
03/08/05 Harvard University................... 200
--Intruder gains access to its
admission systems and helped
applicants log on to learn whether
they had been successful weeks
before they were to find out..
03/09/05 Reed Elsevier, Seisint Unit 310,000
(LexisNexis).
--Announced that hackers gained
access to sensitive, personal
information of about 32,000 U.S.
citizens on databases owned by Reed
Elsevier. The company in April
updates the actual number of
potentially affected consumers to
310,000..
03/11/05 Boston College....................... 120,000
--Announced that hackers had accessed
personal information of alumni in a
computer system used for fund-
raising..
03/11/05 University of California-Berkeley.... 100,000
--Laptop computer stolen from a
graduate division office contained
the names and Social Security
numbers of 98,369 individuals..
03/11/05 Nevada Department of Motor Vehicles.. 8,900+
--Personal information compromised
when thieves stole a computer from a
Nevada DMV office..
03/14/05 California State University, Chico... 59,000
--Hackers broke into a housing and
food service computer system, which
contained names and SSNs of current,
former and prospective students, as
well as faculty and staff..
03/18/05 University of Nevada, Las Vegas...... 5,000
--Administrators reveal that a hacker
had been accessing the personal
information of international
students..
03/23/05 Mutual funds......................... Unknown
--Wall Street Journal reveals
numerous mutual funds reported data
security breaches, including Armada
Funds; Pimco, a unit of German
insurance giant Allianz AG; The
Dreyfus unit of Mellon Financial
Corp.; Bank of America Corp.'s
Columbia Funds unit; Nuveen
Investments; The First American
Funds unit of U.S. Bancorp; AmSouth
Bancorp's fund unit; CNI Charter
fund unit of City National Bank of
Los Angeles..
03/25/05 Northwestern University.............. 21,000
--Hackers broke into a graduate
school server, exposing the Social
Security numbers of students,
faculty, and alumni..
03/28/05 San Jose Medical Group............... 185,000
--Someone stole two computers that
contained patient billing
information, including names,
addresses, Social Security numbers
and confidential medical
information..
03/28/05 University of Chicago Hospital....... Unknown
--Announced an employee had been
selling patient records..
04/08/05 Eastern National (vendor for National 15,000
Park Service).
--Hacker infiltrated its
``eParks.com'' computer system and
may have gained access to customer
names, credit card numbers and
billing addresses..
04/10/05 Christus St. Joseph Hospital, 16,000
Houston, Texas.
--Published reports on 4/26 said the
hospital had sent letters to 16,000
patients saying their medical
records and SSNs were compromised due
to the theft of a computer in a
January burglary..
04/10/05 Carnegie Mellon University, 5,000
Pittsburgh.
--Published reports on 4/21 said the
university had sent letters to more
than 5,000 students, employees and
graduates that their SSNs and other
personal information was compromised
in a breach of the school's computer
network that was discovered on 4/10..
04/12/05 Tufts University..................... 106,000
--Announced it was sending letters to
106,000 alumni, warning of
``abnormal activity'' on a computer
that contained names, addresses,
phone numbers, and, in some cases,
Social Security and credit card
numbers..
04/13/05 HSBC North America................... 180,000
--Credit card issuer sending letters
to consumers who used General Motors-
branded MasterCards to make
purchases at Polo Ralph Lauren,
stating that criminals may have
obtained access to their credit-card
information..
04/19/05 Ameritrade........................... 200,000
--Online discount broker reported it
has notified current and former
customers that it has lost a backup
computer tape containing their
personal information..
04/23/05 Georgia Southern University, ``Thousands''
Statesboro, GA.
--Associated Press reports on 4/28
that hackers broke into a GSU server
that contained thousands of credit
card and Social Security numbers
collected over more than three
years..
04/26/05 Foster Wheeler, Clinton, NJ.......... (est.) 6,700
--Engineering/construction company
writes to employees, retirees,
advising them that a hacker broke
into the company's computer system
in February and might have stolen
personal data, including SSNs and
bank deposit information..
04/28/05 Banks in New Jersey.................. 500,000
--NBC reports scheme by bank managers
and employees who sold personal data
of about 500,000 holders of accounts
of Bank of America, Wachovia, and
Commerce Bank branches in New
Jersey..
04/28/05 Oklahoma State University............ Unknown
--University begins notifying
students and alumni about the theft
of a laptop computer from the career
services office that contained
Social Security numbers, genders,
ethnicities, class levels and e-mail
addresses of most Stillwater and
Tulsa campus students and recent
alumni..
04/29/05 Florida International University..... Unknown
--Sun-Sentinel newspaper in Orlando
reports on a ``recent computer break-
in'' potentially compromising
personal data of students,
professors and staffers. A school
official told the newspaper that
electronic intruders apparently
dialed into FIU's computers from
Europe..
05/02/05 Time Warner.......................... 600,000
--Company announces that data on
current and former employees stored
on computer back-up tapes was lost
by an outside storage company..
------------------------------------------------------------------------
Total--At least 35 incidents, potentially affecting more than 5,244,300
individuals.
Senator Smith. Senator Inouye?
Senator Inouye. Thank you very much.
On the present laws and rules and regulations, I can have
my telephone number unlisted to protect my privacy. I can also
demand that spam callers be prohibited from using my number.
Can I call upon your companies and say to take my name off your
list?
Mr. Sanford. We have an opt-out program that has
restrictions on it. You could make a request to opt out of our
non-public-record information databases if you were a victim of
identity theft, if you were a law enforcement official who has
had some threat of risk of harm, or we have a general other
category which says any other threat of risk of harm that you
would show us. And that might be, say, for example, a domestic-
abuse victim.
Senator Inouye. In other words, you have the final say as
to whether I can or cannot take it out?
Mr. Sanford. That's correct, Senator.
Senator Inouye. Mr. Curling?
Mr. Curling. Many of our products already are opt-in
products driven by the FCRA. There are products that we offer
that do have opt-out provisions--the direct-marketing products,
et cetera. Some of our products, though, the ones, in
particular, I think, the subject of this hearing, the public-
record products, are products that there is not an opt-out on,
except for a law enforcement or a government official opt-out.
Those are generally not records that are, you know, unique to
ChoicePoint. They are records that society has determined to be
open public records, and people typically turn to ChoicePoint
merely to--for cost effectiveness and convenience to acquire
that record. Those are records that we don't source. We didn't
originate them. We merely extract them from where--government
repositories and courthouses around the country, and we don't
have an opt-out provision for those.
Senator Inouye. Thank you very much.
Senator Smith. Thank you, Senator Inouye.
Senator Bill Nelson?
Senator Bill Nelson. Thank you, Mr. Chairman.
And, before I forget it, I would like--because I'm not
going to ask all the questions here--to submit a number of
questions in writing, as did Senator McCain.
Senator Smith. We will include those questions and ask for
their answer.
Senator Bill Nelson. Thank you.
And thank you, Mr. Curling, for your response to the other
Nelson with regard to this Nelson's legislation that is before
this committee saying that, generally, the concept of it, that
you would support it. And I want to go over those six items,
things like creating a government industry working group to
help develop best practices for safeguarding information, and
creating an Assistant Secretary of Cybersecurity within the
Department of Homeland Security, and tightening commercial
usage of Social Security numbers. Those are things that
certainly could be embraced. Is that accurate?
Mr. Curling. Generally speaking, yes, Senator.
Senator Bill Nelson. All right. How about requiring all of
the information-broker companies to notify consumers when a
security breach occurs? You've already answered that in
relation to other questions, and you generally support that
concept.
Mr. Curling. Yes.
Senator Bill Nelson. How about mandates in the law that all
companies must reasonably protect sensitive consumer
information?
Mr. Curling. Yes, Senator.
Senator Bill Nelson. And then having a one-stop shop?
Whatever the regulatory agency--my suggestion is that it is the
Federal Trade Commission, but this would be an Office of
Identity Theft, where a consumer could get help to restore
their identity.
Mr. Curling. We would agree with the one-stop shop, and we
agree with enhancing the FTC's oversight.
Senator Bill Nelson. All right. Now, that's pretty much the
comprehensive bill that Senator Schumer and I have filed. What
do you think about that, Mr. Sanford?
Mr. Sanford. Senator, it's a--it is a very comprehensive
bill. I believe the intent, in terms of helping consumers and
stopping identity theft and fraud, is certainly welcome. I
think the parts of the legislation that strike me as the most
relevant, that I would encourage this Committee, is the
national notification standard for consumers. I would encourage
Federal preemption so that we don't have competing notification
standards in the market. I think data safeguards definitely
modeled after GLBA, that flexible framework, I think, is the
appropriate measure----
Senator Bill Nelson. For information brokers?
Mr. Sanford. Well, I think--as I mentioned earlier, I think
the--if you have personally identifying information, which, if
it got in the wrong hands--and we could agree on what
personally identifying information is--and that posed a risk of
harm to individuals, then I would say if you are maintaining
that database, and you have a breach, then notice--you should
give notice to individuals when you have that breach.
Senator Bill Nelson. But a law that would mandate that the
companies must reasonably protect this sensitive consumer
information?
Mr. Sanford. I agree, Senator, that the safeguards that I
have mentioned, in GLBA, I believe are the right--is the right
framework. I think that would go a long way in protecting data
for, not just us, but other people who maintain personally
identifying information.
Senator Bill Nelson. What do you think about the one-stop
shopping?
Mr. Sanford. I'm not sure anybody could argue with
additional help in oversight and funding for the Federal Trade
Commission to help in identity theft. I know that Chairman
Majoras testifies how many thousands of calls a week they get,
and I'm sure that that would just be something that would be
very helpful.
Senator Bill Nelson. I've talked to her personally about
it, and she is--without endorsing it, she is clearly very
positively inclined.
Let me ask Mr. Curling, because, my previous round, I had
the chance to talk to Mr. Sanford. ChoicePoint has described
itself as a ``private intelligence service.'' ChoicePoint
markets itself as ``selling actionable intelligence.'' Could
you explain what this means for your company to be in the
intelligence business, and explain how consumers would feel
comfortable with that?
Mr. Curling. Sure. I'm not sure that we characterized
ourselves as a private intelligence agency. I believe that was
an author of a book that characterized that. But we do--we do
use----
Senator Bill Nelson. One of your staff yesterday told my
staff attorney that it had been characterized that way.
Mr. Curling. Well, I'll have to have a conversation with my
staff. But we are a company that provides identification and
credential verification solutions to principally commercial
enterprises. And what we try and do is help them understand and
manage the risks that they face. So, what we want to give
them--as you're aware, data is expensive to acquire and time-
consuming to analyze--what we want to give them is just the
right information at the right time. So, our services are all
oriented around things like helping an insurance company
understand how to evaluate and price the risk of an applicant
for auto insurance, so that consumer gets the insurance policy
that they want at a price that's fair for them; how to help a
commercial employer do a background check on a prospective
employee, so that that employee is able to get the job that
they want, but the employer is able to effectively manage the
risk that the society puts on them to know who's engaged in
their work force. That's the kind of actionable intelligence
that ChoicePoint products offer.
Senator Bill Nelson. You have a product named AutoTrackXP,
and it's not subject to the Fair Credit Reporting Act, and it
appears to contain some of the sensitive consumer information
that is in other products that you admit are regulated, as are
detailed and full credit reports. Explain to the Committee why
ChoicePoint believes that the AutoTrackXP is not regulated
under the Fair Credit Reporting Act.
Mr. Curling. Well, that's a search engine, not really a
report, but that product is used for investigative purposes.
The largest customer set is law enforcement. But, again, as
you've heard today in the testimony, there are other markets,
like fraud prevention for insurance fraud research, as well as
investigative research by commercial financial enterprises,
that run searches to try and get information back. For those
customers, that search does contain sensitive, personally
identifiable information. Since we've made the business changes
to our business, we don't offer that product with personally
identifiable information in it to any segments other than law
enforcement, large financial institutions, and insurance
companies.
Senator Bill Nelson. So, the theft that occurred by the
Nigerians faking the identity could not have occurred in that
sensitive information.
Mr. Curling. No, it did, in fact, occur in that sensitive
information, but, as a result of that fraud, we have changed
our product, and won't offer--and do not offer that product to
those parts of the market.
Senator Bill Nelson. All right. And, if I may, just this
last question. ChoicePoint has estimated that identity thieves
obtained sensitive, personal information on about 145,000
people. I believe----
Mr. Curling. That's correct.
Senator Bill Nelson.--I believe that's what you've stated.
Mr. Curling. Yes.
Senator Bill Nelson. Now, the L.A. Sheriff's Department
estimates that figure to be four million. Can you explain why
those figures are so different?
Mr. Curling. Sure. I think that the quoted number of four
million was a very early estimate by the L.A. Sheriff's
Department, going back to September or October of last year.
That was long before the investigation had actually gone
through the searches that had been done, anybody had determined
how many potentially affected consumers were affected by that.
We've appointed Robert McConnell, a 28-year veteran of the
Secret Service and, for the last 5 years of his career, the
head of the Federal Government's Interagency Nigerian Organized
Crime Task Force. I spoke with Robert yesterday. He has
confirmed to me that L.A. Sheriff's Department now believes
that our estimate is accurate.
Senator Bill Nelson. Gentlemen, I look forward to working
with you on this legislation.
Senator Smith. Thanks, Senator Nelson.
We're pleased to be joined by Senator Kerry. We've
completed a second round of questions, Senator. If you have an
opening statement or questions for this first panel, we'll be
happy to----
STATEMENT OF HON. JOHN F. KERRY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Kerry. Thank you, Mr. Chairman. No, I apologize for
being late, but we had competing meetings, as is always the
case here. I apologize to the witnesses.
I've tried to get an update as fast as possible so I'm not
overly repetitive here. And I know a lot of questions, good
questions, have been asked.
Obviously, from the participation here today, you can get a
sense of the importance. But you already knew that before you
came here, because of the outcry, publicly, and the concerns
that people are expressing. And the moving, sort of, model
statewide, beginning with California, of regulation is,
obviously, an indication of people's desire to do something.
I understand your business models, and I understand that
the information you provide is, obviously, often used for very
valid purposes, but, as we move forward, the question of how to
protect this is, needless to say, critical. During the campaign
last year, and I think it came to fruition yesterday or today,
President Bush and I both talked about e-medical records and
the need to try to reduce costs in the medical system. And,
obviously, that's critical. And I just wonder if you could
share with us a little bit, sort of, first of all, what types
of personal information currently do your--do you maintain in
your product lines, including information based on biometrics,
DNA, and medical records?
Mr. Curling?
Mr. Curling. We don't maintain any data on biometrics, DNA,
or medical data. The data----
Senator Kerry. Might you, as this opens up now with a
certain amount of money? I mean, is this not a lucrative
business prospect?
Mr. Curling. I don't know whether it's a lucrative business
prospect or not, but it's not an area where we have a lot of
expertise or traction. We do have a DNA laboratory that
supports our law enforcement initiatives, but that laboratory,
Bode Labs, merely takes specimens on behalf of law enforcement
agencies, processes the DNA, maintains chain of custody, and
turns that back over to them for forensic purposes. Our
scientists have been to the--Thailand to work on the tsunami.
We identified the victims of the World Trade Center tragedy
through that laboratory. But it's a forensic-science laboratory
that's really an extension of the services we do to support law
enforcement, not a business--part of our business model that we
necessarily embrace.
I think it is possible that the identifiers that we all
begin to see used more in our society are perhaps biometric
identifiers you're seeing today, technological solutions
beginning to be deployed. They use authentications exceeding
User IDs and passwords, and incorporating things like
biometrics. But that's not something that, in the industry that
I'm in, is in heavy use today.
Senator Kerry. Mr. Sanford?
Mr. Sanford. We don't collect medical information, Senator,
or biometrics, or DNA, either.
Senator Kerry. What about that information, Mr. Curling,
that you do collect, in terms of the forensic chain-of-
custody--is there any intrusive link in there that should be of
concern?
Mr. Curling. No, sir. That data doesn't get--the data
repositories in ChoicePoint are generally housed at the product
level. None of the information in Bode Laboratories, which is
in Springfield, Virginia, goes out of the laboratory into other
places in ChoicePoint.
Senator Kerry. When you say you changed your business
model, and essentially have tightened procedures, what
loopholes did you tighten?
Mr. Curling. Well, I don't know that I would say we
tightened loopholes. We made business decisions that we thought
were in the best interest of our company, given the experiences
that we've had, and they were basically twofold. One, there are
businesses that are hard to credential. Those are small
businesses. And, given that the preponderance of our revenue is
in large, either government contracts, or government--or
commercial enterprises, small businesses are simply something
that's awful hard for us to adequately credential and ensure
that we know exactly who, on the other end, is buying the
information products. We chose to exit the market of selling
sensitive, personal information to those businesses, even
though they have legitimate business interests to get at. And,
you know, certainly small businesses face many of the
challenges that big businesses do.
Second, there are products that we sell that, while legal,
don't have direct consumer benefit. And so, we chose to not
sell to certain segments of the marketplace, sensitive,
personal data that they're legally entitled to get, but they
don't fit our business model.
Senator Kerry. Was that small-business change specifically
in response to the Nigerian----
Mr. Curling. Yes, it was.
Senator Kerry. It was, OK.
Is it your judgment now that those two problems were the
only two problems? Or are you taking further steps that we
should be aware of?
Mr. Curling. Well, our investigations, and those of law
enforcement, continue. There's--you know, we tend to think of
security risks in five different categories--you know, basic
physical-possession risk, which you can think of as common
burglary or the--just loss of data; second, the hacking
potential--and we have, like most in our industry, you know,
monitoring software and extensive tools to try and monitor and
track, and preventing hacking attempts; you have properly
credentialed customers that have an employee that does a search
they're not permitted to do, you know, the typical scenario of
doing a background check on somebody's girlfriend or neighbor;
you have properly credentialed customers that lose track of
passwords and User IDs, which you've already heard of--
testimony today; and then, last, you have, you know, customers
that get past credentialing procedures that simply should not
have been credentialed as customers, and that's the experience
we most recently had, where the notices were driven by.
Senator Kerry. With respect to the law enforcement
agencies, I gather you sell information to about 7,000
agencies. Is that correct?
Mr. Curling. We serve 7,000 agencies. A lot of those don't
buy data. They're buying software or tools from us.
Senator Kerry. So, is there any limitation on the sale of
that information to law enforcement?
Mr. Curling. Well, we're limited by the type of information
we're able to legally obtain from the repositories. The States
have laws, as does the Federal Government, about what data can
be sold and under what conditions it can be used.
Senator Kerry. So, that's established by the States.
Mr. Curling. And by Federal Government. But, Senator,
largely--and, as I testified earlier today, largely the Federal
agencies are turning to us to buy otherwise readily available
public-record information. They're merely turning to us for
convenience and cost-effectiveness.
Senator Kerry. And which law enforcement agencies do you
currently sell this--what I assume can be termed sensitive
consumer information?
Mr. Curling. We sell to a wide variety of Federal--we serve
most of the Federal law enforcement agencies, and many State
and local law enforcement agencies.
Senator Kerry. Is there any standard of probable cause?
Mr. Curling. There are--we have circumstances under which
they inform us they want to buy data for investigations, but
we're not privy, nor would you want us to be, to the actual
investigations those law enforcement agents are conducting.
Senator Kerry. So, it's an automatic affirmative response
for information.
Mr. Curling. In most cases, yes, sir.
Senator Kerry. No matter what.
A few years ago, you acquired VitalChek, which is a company
responsible for handling vital records--birth, death, marriage,
divorce--in all 50 states. How is that information shared with
ChoicePoint?
Mr. Curling. It's not. That's an ordering and payment
platform where a consumer orders a vital record directly from a
vital-records office. We provide a technology infrastructure to
those vital-records offices. They receive the customer order,
they pull the vital record, and they deliver it through secured
carrier, directly back to the consumer. The records never come
through ChoicePoint.
Senator Kerry. So, there's no transfer of any of that
information outside of VitalChek, itself.
Mr. Curling. No, sir.
Senator Kerry. Do both of you accept the premise that I
think has been bouncing around here today that reasonable
security standards ought to apply universally to any custodian
of sensitive, personal information?
Mr. Sanford. Yes, Senator.
Senator Kerry. And Mr. Curling?
Mr. Curling. Yes.
Senator Kerry. Well, I think most of the other questions
were touched on. Let me just ask you, for my own edification,
How do you collect and maintain, store, and protect the
information? What's the process by which you do that, if you
could go through that?
Mr. Curling? How do you collect the information and
maintain it and store it? How do you go about that?
Mr. Curling. It varies widely by market. In the largest
market we serve, which is the insurance market, we gateway
directly to states to get motor-vehicle records and driver's-
license records, in most cases, and we deliver those back
directly to our insurance customers an application at a time.
So an application comes in, we break that application down
against some decision rules the insurance company has given us,
and then we begin to buy information products. Sometimes we--
their products that we database and warehouse, sometimes we go
gateway to them.
Senator Kerry. Do you gateway to credit-check companies,
credit companies?
Mr. Curling. We do.
Senator Kerry. Do you see any distinction between the
information that you use and sell, and the information that's
on somebody's credit record?
Mr. Curling. In many cases, from a regulatory standpoint,
there's not a difference. We are a consumer reporting agency
governed by the FCRA in many of the information products we
have. The insurance products would be FCRA products. We would
be treated similar to a credit-reporting company. The same is
true for our pre-employment workplace solutions products and
our tenant screening products.
Senator Kerry. Do you think, from a legal point of view,
that any individual in America, as a citizen, has a proprietary
interest in their own information?
Mr. Curling. I think citizens are obviously very concerned
about the data----
Senator Kerry. Proprietary information, proprietary
interest. In other words, should you be trafficking in their
information, and they have no participation in the process?
Mr. Curling. Again, the majority of our transactions that
contain sensitive consumer information are initiated directly
by consumers, so the transaction would not happen if a consumer
hadn't initiated it.
Senator Kerry. But, of course, that depends on knowledge,
right? The knowledge standard. I mean, the opt-in----
Mr. Curling. Well, they----
Senator Kerry.--or out, whether they know or don't know----
Mr. Curling. Well, they applied for an automobile insurance
policy, and, on the application----
Senator Kerry. But they didn't apply to have their
information go to you to be winning you a profit for the
transfer of whatever their life is, did they?
Mr. Curling. I wouldn't know, Senator.
Senator Kerry. Mr. Sanford?
Mr. Sanford. I don't believe that a proprietary standard is
workable. We use public-record information to provide very
vital services that----
Senator Kerry. Is----
Mr. Sanford.--actually help consumers----
Senator Kerry.--is the information of a credit company
public record, or is it private----
Mr. Sanford. We are not----
Senator Kerry.--privately held----
Mr. Sanford.--we don't collect----
Senator Kerry.--on a specific kind of contract
relationship, the contract between the individual and that
particular entity?
Mr. Sanford. Yes. We do not collect financial or credit
information on individuals, so we're not in that business.
Senator Kerry. Mr. Curling, what about that? Is it
specifically----
Mr. Curling. I'm not an expert in the Fair Credit Reporting
Act, but I believe that a consumer--a credit-reporting agency
has opt-in and opt-out, both provisions, on it with respect to
certain uses of their products. And, in many cases, our
products are regulated by the FTC under FCRA, just as they are.
Senator Kerry. Well, I think one of the things, Mr.
Chairman, we're going to have to think through very carefully
as we go forward is, sort of, what is the level of knowledge
and options available to anybody as to how far and how wide
their information goes. I think that's central to this. And I
thank you.
Senator Smith. Thank you, Senator Kerry.
We do need to go to our second panel, but Senator Nelson
has one final brief, burning question.
Senator Bill Nelson. Yes. And I think this will illustrate
the extent to which information can be covered.
Both of you have indicated that you don't collect and store
medical records. Isn't that correct?
Mr. Curling. That's correct.
Mr. Sanford. That's correct, Senator.
Senator Bill Nelson. Well, for example, Mr. Curling, you
said you specifically represent, as clients, insurance
companies.
Mr. Curling. We do.
Senator Bill Nelson. So, some of those are life-insurance
companies.
Mr. Curling. No. Mostly property and casualty, sir. I
should have been more specific. Auto and home insurance.
Senator Bill Nelson. No life insurance companies.
Mr. Curling. No, sir. We have--may have some life-insurance
customers in the marketing business, but we don't do
underwriting of life-insurance products.
Senator Bill Nelson. Well, if you represent life-insurance
companies--and you're saying you don't--they have the medical
records----
Mr. Curling. That is not----
Senator Bill Nelson.--for someone getting a life-insurance
policy that they require a physical exam.
How about you, Mr. Sanford? Do you represent any life-
insurance companies?
Mr. Sanford. We have life-insurance companies who are
customers, but not in the medical-records business. For
example, the legal departments of insurance corporations. But
we don't collect medical records, we don't underwrite
insurance, we don't have a business that does that.
Senator Bill Nelson. You said, last October, that you
bought a Florida company, in Boca Raton, named Seisint. Seisint
has a program called Matrix. It's one of the most extensive
tools that is used by law enforcement. As a matter of fact, the
officials of that company told me, within a few days after
September 11, that they could determine who were the hijackers,
who were the perpetrators of September 11. That information,
how do you protect that information?
Mr. Sanford. The Matrix program was a federally funded
pilot, which has ceased. I believe it stopped last month,
actually. Matrix is a--was a search engine that allowed law
enforcement to search our services for public-record
information, and they could also, at the same time, search
their own databases. We did not maintain or manage that. That
was managed, I believe, by the Florida Department of Law
Enforcement on behalf of the other States that participated in
that.
Senator Bill Nelson. And so, that system wouldn't have any
biometric information, no DNA information, no medical
information?
Mr. Sanford. Again, the Matrix program, our participation
in it, is to share our technology and access to our data. What
the State law enforcement organizations are searching, I
believe, are things like sexual offender databases, correction
records, arrest records when they're trying to locate a
suspect. I'm not aware--I'll be glad to check with my staff and
get back to you if there was any medical information, access to
that. I don't believe there was.
Senator Bill Nelson. Blood types, diseases, scars,
identification marks, et cetera, et cetera.
Mr. Sanford. I'll have to get back to you, Senator.
Senator Bill Nelson. I would appreciate it very much.
Senator Bill Nelson. Mr. Chairman, I think you see the
concern welling up here of the extent of which if these folks,
which, thankfully, you all are very, very accommodating here to
want to help us develop this legislation, but if we are not
successful, you can see that no one in America is going to have
any privacy left if people can invade your databases. You say
you want to present--prevent that. That's what we're trying to
do.
Thank you very much.
Senator Kerry. Could I just have one quick follow-up?
Senator Smith. You bet, absolutely.
Senator Kerry. Would either of you sell to a political
committee?
Mr. Sanford. I think you--Senator, we have legal research
business, news and business information services. There's
nothing that would stop them from having access. I don't think
they would qualify for a permissive use under GLBA or the DPPA,
though. I mean, those are around fraud detection and prevention
and law enforcement type of permissive uses.
Senator Kerry. But is there anything to stop a committee
from--have you sold anything to a political----
Mr. Curling. Not that I'm aware of, no, Senator.
Senator Kerry. But could they buy it?
Mr. Curling. I don't believe that's a customer segment we
serve.
Senator Kerry. But could they?
Mr. Curling. I don't believe they would get credentialed.
But I can find out. I'm not--it's not a question I've heard
before. But I don't believe--I've never heard--I've been around
with the company----
Senator Kerry. Well, do you have a----
Mr. Curling.--since its inception, and----
Senator Kerry.--do you have a means of checking, sort of,
the----
Mr. Curling. We have a business-purpose criteria upon which
we'll enroll people as customers. I don't believe political
committees meet the business purpose; therefore, I don't
believe we would set up a customer----
Senator Kerry. What about a----
Mr. Curling.--account for them.
Senator Kerry.--political consultant who's doing
sophisticated political analysis----
Mr. Curling. We don't----
Senator Kerry.--polling analysis?
Mr. Curling. I don't believe they're customers of ours, nor
do I believe we'd serve them.
Senator Kerry. You don't believe. But there's no set of
guidelines with respect to----
Mr. Curling. I'm trying to be very specific. There are very
specific guidelines about who we serve as customers. I've never
heard of this customer segment being anybody we serve. The
preponderance of our customers are large insurance companies,
large financial institutions trying to process transactions so
a consumer can get some kind of benefit--an insurance policy, a
job--large retailers or large customers of ours. We don't have
very many customers that aren't in the large commercial space
or government enterprises.
Senator Bill Nelson. May I ask a follow-up on that?
But if one of your large commercial customers asked for
this information, and you had some reason to know that they
were going to use it for political purposes----
Mr. Curling. Our customers, by and large, have to send us--
they're asking questions an application at a time, so I'm not
sure how they'd come in and ask that question, anyway. The most
likely way they could present themselves is through the direct
marketing business, where we don't sell sensitive, personal
identifiable information anyway. But, again, I'll be happy to
get back to the Senator and the Committee on that. I'm not
aware this is a market we have any interest or any services to.
Senator Smith. Like I said at the--earlier in the hearing,
Senator, this was a question that didn't register Republican or
Democrat, but maybe both sides are pretty interested now.
[Laughter.]
Senator Smith. But I think you raise----
Senator Kerry. Well, I've seen some pretty sophisticated
analysis based on those things.
[Laughter.]
Senator Smith. Yes. But in all seriousness, I think your
point is well taken, and I think both sides do have an interest
in making sure that people's rights and privacy are protected.
And so, we appreciate very much, gentlemen, your being here
today and for the contribution you've made to our understanding
of this issue and the kind of problem we're trying to wrestle
with and get some results for the American people. So, we thank
you.
And we'll now call forward our second panel. It will
consist of Ms. Jennifer T. Barrett, Chief Privacy Officer of
Acxiom Corporation, in Little Rock, Arkansas; Mr. Paul Kurtz,
Executive Director of the Cyber Security Industry Alliance,
Arlington, Virginia; Mr. Marc Rotenberg, President and
Executive Director, Electronic Privacy Information Center, in
Washington, D.C.; and Ms. Mari Frank, of Mari J. Frank,
Esquire, & Associates, of Laguna Niguel, California.
Senator Pryor will introduce Ms. Barrett. Thank you all for
being here.
Senator Pryor. Thank you, Mr. Chairman.
It's really an honor for me to introduce to the Committee
today Jennifer Barrett. She's the Chief Privacy Officer at
Acxiom Corporation. And I think that title is very significant,
because, as I understand it, Ms. Barrett was one of the first
chief privacy officers anywhere in the Nation, and I think it
underscores a commitment that this particular company has, of
trying to find that balance between privacy issues and also the
burgeoning information age and the needs that we have there.
So, Acxiom is a company that was founded in 1969. I think
she's been with the company for a number of years--maybe not
since the very beginning, but from the early days, at least.
And it is based in Arkansas. And it employs more than 6,300
people in eight countries, with an annual revenue of $1.2
billion.
So, we're fortunate in our State to have, really, the
industry leader there, and we look forward to hearing her
insights on this subject matter today.
Senator Smith. Ms. Barrett, why don't we start with you?
STATEMENT OF JENNIFER T. BARRETT,
CHIEF PRIVACY OFFICER, ACXIOM CORPORATION
Ms. Barrett. Thank you, Senator Smith and Senator Pryor.
And thank you for allowing Acxiom the opportunity to
participate in this important hearing.
I ask that my written statement be inserted in the record.
Senator Smith. Without objection.
Ms. Barrett. Mr. Chairman, let me be blunt. The bad guys
are smart, and they're getting better organized and using their
skills to illegally and fraudulently access information. Acxiom
must, therefore, remain vigilant and innovative by constantly
improving, auditing, and testing our systems--and, yes, even
learning from security breaches in the marketplace. Information
is an integral part of the American economy, and Acxiom
recognizes its responsibility to safeguard the personal
information it collects and brings to market.
As FTC Chairman Majoras recently stated in her testimony
both before the Senate and the House, there's no such thing as
perfect security, and breaches can happen even when a company
has taken every reasonable precaution. Although we believe this
is true, no one has a greater interest than Acxiom in
protecting the information we have, because our very existence
depends on it and how well we do that.
Acxiom's U.S. business includes two distinct components,
our computer services and a line of information products. Our
computer services, which represent more than 80 percent of the
company's business, help businesses, not-for-profit
organizations, political parties, and government manage their
own information. Less than 20 percent of Acxiom's business
comes from its four information product lines--a fraud-
management product line, background screening products,
directory products, and marketing products. Our fraud
management and background screening products are the only
Acxiom products containing sensitive information, and they
represent less than 10 percent of our business.
Acxiom would like to take this opportunity to set the
record straight in a number of misunderstandings that have
developed about the company:
First, Acxiom does not maintain one big database containing
dossiers on anyone. Instead, we maintain discrete, segregated
databases for each product.
Second, Acxiom does not commingle our clients' information
from our computer services business with our information
products. Such activity would constitute a violation of our
contracts and of consumer privacy.
Third, Acxiom's fraud-management products are sold only to
a handful of large companies and government agencies who have a
legitimate need for them. The information utilized in these
products is covered under the Safeguards Rules and Use Rules of
Gramm-Leach-Bliley, and both State and Federal driver privacy
protection laws.
Fourth, Acxiom's fraud-management verification services
only validate information already in the client's possession.
Access to additional information is available only to law
enforcement and the internal fraud departments of large
financial institutions and insurance companies.
Fifth, our background screening products are covered under
the Fair Credit Reporting Act, and we do not pre-aggregate any
of the information provided.
Beyond these protections, there are additional safeguards
that exist:
First, because public information is blended with regulated
information in both our fraud-management and background
screening products, Acxiom voluntarily applies the more
stringent security standard to all such blended data, even
though not required to by law.
Second, since 1997, Acxiom has posted its privacy policy on
our website, describing our online and offline practices; thus,
voluntarily subjecting the company to FTC rules governing
unfair or deceptive conduct.
Third, the company has imposed our own internal, more
restrictive guidelines for the use of sensitive information
such as Social Security numbers.
Fourth, all of Acxiom's information products and practices
have been audited on an annual basis since 1997, and our
security policies are regularly audited, both internally and by
many of our clients.
Two years ago, Acxiom experienced a security breach on one
of our external file-transfer servers. Fortunately, the vast
majority of information involved was of a nonsensitive nature,
and law enforcement was able to apprehend the suspects and
ascertained that none of the information was used to commit
identity fraud. Since then, Acxiom has put in place even
greater protections for the benefit of both consumers and our
clients.
In conclusion, ongoing privacy concerns indicate that the
adoption of additional legislation may be appropriate. Acxiom
supports efforts to pass federally preemptive legislation
requiring notice to the consumers in the event of a security
breach which places consumers at risk of identity fraud. Acxiom
also supports the recent proposal from FTC Chairman Majoras for
extension of the Gramm-Leach-Bliley Safeguards Rules.
Senator Smith, on behalf of Acxiom, I want to express my
gratitude for the opportunity to participate in this hearing.
I'll be happy to answer any questions the Committee may have.
[The prepared statement of Ms. Barrett follows:]
Prepared Statement of Jennifer T. Barrett,
Chief Privacy Officer, Acxiom Corporation
Summary
Acxiom has an inherent responsibility to safeguard the personal
information we collect and bring to the market, and we have focused on
assuring the appropriate use of these products and providing a safe
environment for this information since 1991 when the company brought
its first information products to market.
Information has become an ever growing and ever more integral part
of the American economy. Information is the facilitator of convenience
and competition, and it provides the tools that reduce fraud and
terrorism. As such, we believe that it is Acxiom's obligation to
provide effective safeguards to protect the information we bring to
market regardless of the difficulties encountered in doing so.
Only Acxiom's fraud management and background screening products
involve the transfer of sensitive information. These products,
therefore, are subject to law, regulations and our own company policies
that help protect against misuse.
GLBA and DPPA: Our fraud management products utilize
information covered under the Gramm-Leach-Bliley Act (GLBA),
and driver's license information covered under both State and
Federal driver's privacy protection acts (DPPAs).
FCRA and FACTA: Our background screening products are covered
by all of the regulations and consumer protections established
by the Fair Credit Reporting Act (FCRA) and the Fair and
Accurate Credit Transactions Act (FACTA).
Safeguarding Public Record Information: Although a heightened
level of protection is not mandated for public record
information, by virtue of the fact that such public information
is blended with regulated information, Acxiom voluntarily
chooses to apply the more stringent standards of the above-
mentioned regulations to the resulting products.
Although Acxiom's directory and marketing products do not contain
any sensitive information that could put a consumer at risk for
identity fraud, Acxiom is still subject to the following critical
safeguards: various industry guidelines, compliance with all
requirements in the original notice to consumers at the time the data
was collected, and voluntary compliance with those laws to which our
clients themselves are subject.
There has been much discussion, especially in recent weeks, about
whether existing Federal law sufficiently protects consumers from harm.
In this regard, Acxiom does believe that additional, appropriately
tailored measures, such as Federal preemptive legislation requiring
notice to consumers in the event of a security breach, would assist
Acxiom, the rest of the information services industry and businesses in
general in ensuring that consumers are protected from fraud and
identity theft. But, as FTC Chairman Majoras has said, even the best
security systems imaginable and the strongest laws possible can
nonetheless be circumvented by inventive criminals' intent on
committing fraud.
Introduction
Chairman Stevens, Senator Inouye, and distinguished members of the
Committee, thank you for holding this hearing to explore the treatment
of data broker services under existing State and Federal laws as well
as possible solutions to the crime of identity theft. Acxiom
appreciates the opportunity to participate in today's hearing.
Acxiom has an inherent responsibility to safeguard the personal
information we collect and bring to the market, and we have focused on
assuring the appropriate use of these products and providing a safe
environment for this information since 1991 when the company brought
its first information products to market.
It is important that we all recognize that information has become
an ever growing and ever more integral part of the American economy.
Information is the facilitator of convenience, competition and provides
the tools that reduce fraud and terrorism. As such, we believe that it
is Acxiom's obligation to provide effective safeguards to protect the
information we bring to market regardless of the difficulties
encountered in doing so.
Let me be blunt. The bad guys are smart and getting more organized.
They will use all of the skills available to them to try to find ways
to obtain the information they need to commit fraud. Acxiom must
therefore remain vigilant and innovative, and that is why we employ a
world-class information security staff to help us fend off criminals
who attempt to access Acxiom's data. Acxiom is constantly improving,
auditing and testing its systems. Yes, Acxiom is even learning from
security breaches when they occur, and we are certain that other
responsible companies are doing so as well.
As Chairman Deborah Majoras of the Federal Trade Commission
recently stated in her testimony before the Senate, ``[T]here is no
such thing as perfect security, and breaches can happen even when a
company has taken every reasonable precaution.'' Even though we believe
that this is true, no one has a greater interest than Acxiom in
protecting information because the company's very existence depends on
securing personal information pertaining to consumers.
In order to enjoy the benefits provided by a robust information-
based economy and also to keep our citizens safe from fraudulent
activity, there are no quick fixes or easy solutions. We believe that
it is necessary that cooperation exists among policy makers,
information service providers, Acxiom's clients, law enforcement and
consumers. We applaud your interest in exploring these issues and we
very much want to be a resource in helping you achieve the proper
legislative balance we all seek.
About Acxiom Corporation
Founded in 1969, Acxiom is headquartered in Little Rock, Arkansas,
with operations throughout the United States, and with processing
centers in Arkansas, Illinois, Arizona, Ohio and California. The
company also has offices in nine other countries across Europe and
Asia. From a small company in Arkansas, Acxiom Corporation has grown
into a publicly traded corporation with more than 6,000 employees
worldwide.
Acxiom's U.S. business includes two distinct components: customized
computer services and a line of information products. Acxiom's computer
services represent the vast majority of the company's business and they
include a wide array of leading technologies and specialized computer
services focused on helping clients manage their own customer
information. These services are offered exclusively to large
businesses, not-for-profit organizations, political parties and
candidates, and government agencies. Acxiom's private sector computer
services clients represent a ``who's who'' of America's leading
companies. Acxiom helps these clients improve the loyalty of their
customers and increase their market share, while reducing risk and
assisting them with their compliance responsibilities under State and
Federal law. Finally, Acxiom helps government agencies improve the
accuracy of the personal information they currently hold.
The balance of Acxiom's business comes from information products
that are comprised of four categories: fraud management products,
background screening products, directory products and marketing
products. These four product lines represent less than 20 percent of
the company's total business and the fraud management and background
screening products represent less than 10 percent. While each product
plays a unique role, all of Acxiom's information products help fill an
important gap in today's business-to-consumer relationship.
To understand the critical role Acxiom plays in facilitating the
Nation's economy and safeguarding consumers, it is important to
understand what the company does not do. Over the years, a number of
myths have developed about Acxiom that require clarification. Please
allow us to set the record straight:
Acxiom does not maintain one big database that contains
detailed information about all individuals. Instead, the
company safeguards discrete databases developed and tailored to
meet the specific needs of Acxiom's clients--entities that are
appropriately screened and with whom Acxiom has legally
enforceable contractual commitments. I cannot call up from the
company's databases a detailed dossier on myself or any
individual.
Acxiom does not provide information on particular
individuals to the public, with the exception of Acxiom's
telephone directory products. These products, which are
available on several Internet search engines, contain
information already available to the public. The other
information Acxiom processes is provided only to legitimate
businesses for specific, legitimate business purposes.
Acxiom does not have any information in either its
directory or marketing products which could be used to commit
identity fraud. Acxiom also does not include detailed or
specific transaction-related information, such as what
purchases an individual made on the Internet or what websites
they visited. The company's directory products include only
name, address, and telephone information. The company's
marketing products include only information that is general in
nature and not specific to an individual purchase or
transaction.
Acxiom does not commingle client information that the
company processes in its computer services business with any of
our information products. Such activity would constitute a
violation of the company's services contracts with those
clients and a violation of consumer privacy. A client for whom
the company performs services may have a different agreement
with us as a data contributor, but these two relationships are
kept entirely separate.
Acxiom's fraud management products are sold exclusively to a
handful of large companies and government agencies--they are not sold
to individuals. The company's verification services only validate that
the information our client has obtained from the consumer is correct.
Only law enforcement, government agencies and the internal fraud
departments of large financial institutions and insurance companies
have access to additional information.
Acxiom's background screening products provide employment and
tenant screening services which utilize field researchers who do in-
person, real-time research against public records and make calls to
past employers to verify the information provided by the consumer.
Where permitted by law, a pre-employment credit report can also be
obtained. Acxiom does not pre-aggregate information for these products.
Acxiom's directory information products contain only contact
information on consumers such as name, address and telephone number.
They are collected so businesses and consumers can locate other
businesses or consumers. They are compiled from the white and yellow
pages of published U.S. and Canadian telephone directories and from
information available from the various directory assistance services
provided by the telephone companies.
Acxiom's marketing information products provide demographic,
lifestyle and interest information to companies to reach prospective
new customers who are most likely to have an interest in their products
and to better understand and serve the needs of existing customers.
They are compiled from public records, surveys and summarized customer
information primarily from publishers and catalogers.
Respecting and Protecting Consumers' Privacy
Acxiom has a longstanding tradition and engrained culture of
protecting and respecting consumer interests in our business. The
company is today, and always has been, a leader in developing self-
regulatory guidelines and in establishing security policies and privacy
practices. There are, as explained below, numerous laws and regulations
that govern our business. Ultimately, however, Acxiom's own
comprehensive approach to information use and security goes far beyond
what is required by either law or self-regulation.
Safeguards Applicable to Products Involving the Transfer of Sensitive
Information
Only Acxiom's fraud management and background screening products
involve the transfer of sensitive information. These products,
therefore, are subject to law, regulations and our own company policies
that help protect against identity fraud. These legal protections and
additional safeguards are addressed below:
GLBA, DPPAs, and FTC: Our fraud management products utilize
information covered under the Gramm-Leach-Bliley Act (GLBA),
and driver's license information covered under both State and
Federal driver's privacy protection acts (DPPAs). These
obligations include honoring GLBA and DPPA notice and choice
related to sharing and use of the information, the GLBA
Safeguard Rules and FTC Privacy Rule and Interagency
Guidelines. Any uses of data must fall within one of the
permitted uses or exceptions specified in these laws.
FCRA and FACTA: Our background screening products are covered
by all of the regulations and consumer protections established
by the Fair Credit Reporting Act (FCRA) and the Fair and
Accurate Credit Transactions Act (FACTA). These protections
include: the requirement that a consumer authorize the creation
of employment reports; notice of adverse actions taken based on
such report; and the right of consumers to obtain a copy of
such reports and to dispute inaccuracies. Finally, such
regulations require that re-verification or correction of
disputed information be performed in a timely manner.
Safeguarding Public Record Information: Public records are used
in both Acxiom's fraud management and background screening
products. Although a heightened level of protection is not
mandated for such public record information, by virtue of the
fact that such public information is blended with regulated
information, Acxiom voluntarily chooses to apply the more
stringent standards of the above-mentioned regulations to the
resulting products.
Safeguards Applicable to Other Products
Although Acxiom's directory and marketing products do not contain
any sensitive information that could put a consumer at risk for
identity fraud, Acxiom is still subject to the following critical
safeguards: various industry guidelines, compliance with all
requirements in the original notice to consumers at the time the data
was collected, and voluntary compliance with those laws to which our
clients themselves are subject.
Telephone Directory Safeguards: Acxiom's directory products
comply with all applicable policies regarding unpublished and
unlisted telephone numbers and addresses. In addition, because
Acxiom recognizes that consumers may object to published
listings being available on the Internet, Acxiom itself offers
an opt-out from such use. Further, Acxiom voluntarily
suppresses all telephone numbers found on the Federal Trade
Commission's Do-Not-Call Registry and the eleven other State
Do-Not-Call registries, when providing phone numbers for
targeted telemarketing purposes.
Marketing Product Safeguards: Acxiom's marketing products
comply with all the self-regulatory guidelines issued by the
Direct Marketing Association. These requirements include notice
and the opportunity to opt-out. Consumers have the ability to
opt-out from Acxiom's marketing products by calling the
company's toll-free Consumer Hotline, accessing its website, or
by writing to the company. Since Acxiom does not have a
customer relationship with individual consumers, Acxiom
coordinates with its industry clients to research and resolve
consumer inquiries.
Additional Safeguards
Acxiom takes seriously its responsibility to assure that all the
information we bring to market is appropriate for the use to which it
is intended and to provide adequate safeguards specifically aimed at
protecting against unauthorized use.
Privacy Policy/FTC Jurisdiction: Since 1997, long before it was
a common practice, Acxiom has posted its privacy policy on the
company's website. The privacy policy describes both Acxiom's
online and offline consumer information products. The policy
further describes: what data Acxiom collects for these
products; how such data is used; the types of clients to which
such data is licensed; as well as the choices available to
consumers as to how such data is used. By making these
extensive disclosures, Acxiom has voluntarily subjected itself
to Section 5 of the Federal Trade Commission Act, which
prohibits unfair or deceptive conduct in the course of trade or
commerce, as well as various State statutes governing unfair
and deceptive acts and practices.
Consumer Care Department/Consumer Hotline: Acxiom maintains a
Consumer Care Department led by a Consumer Advocate whose team
interacted with more than 50,000 consumers in the past 12
months by way of answering questions, resolving issues,
processing opt-outs, and handling requests for access to
Acxiom's fraud management, background screening, directory and
marketing products. Acxiom provides consumers who contact the
company (through the company website, or by calling a toll-free
Consumer Hotline or by writing to the company) the options of:
opting-out of all of Acxiom's marketing products; receiving an
information report from the company's fraud management and
directory products; or receiving a consumer report as specified
in the FCRA from the company's background screening products.
Acxiom encourages consumers to notify the company if the
information in any of these reports is inaccurate and it is the
company's policy either to correct the information, to delete
it or to refer the consumer to the appropriate source to obtain
the requested correction, such as a county or State agency.
Certification and Compliance with Federal and State Law:
Acxiom's privacy policy is designed to adhere to all Federal,
State, and local laws and regulations on the use of personal
information. The company is also certified under the Department
of Commerce's European Union Safe Harbor and the Better
Business Bureau's Online Seal.
Consumer Education: Acxiom believes that consumers should be
educated about how businesses use information. To that end,
Acxiom publishes a booklet, entitled ``Protecting Your Privacy
in the Information Age--What Every Consumer Should Know About
the Use of Individual Information,'' which is available for
free both on the company's website and upon written or
telephone request.
Voluntary Acxiom Policies: Above and beyond the industry-
accepted guidelines with which Acxiom complies, Acxiom also has
established its own internal guidelines, which are more
restrictive than industry standards. For example, Acxiom only
collects the specific information required to meet its clients'
information needs, and the company properly disposes of the
remaining data, when information is compiled from public
records. Acxiom has also implemented specific guidelines
regarding the use and protection of information that could be
involved in identity fraud, such as Social Security numbers.
Information Practice and Security Audits: Acxiom has had a
longstanding focus on the appropriate use of information in
developing and delivering its information products. While the
creation of strong information use policies is a business
imperative, assuring these policies are followed is equally
important. To this end, all of Acxiom's information products
and practices have been internally and externally audited on an
annual basis since 1997.
Since many of Acxiom's computer service clients are financial
institutions and insurance agencies, Acxiom has been regularly
audited for many years by these clients. Furthermore, Acxiom
must honor the safeguards and security policies of the
company's clients. Since Acxiom's security program is
enterprise-wide, it is the company's policy to institute these
high levels of protection across all lines of business. These
client audits, along with Acxiom's own internal security
audits, provide Acxiom with regular and valuable feedback on
ways to stay ahead of hackers and fraudsters who may attempt to
gain unauthorized access to Acxiom's systems.
Lessons Learned
Two years ago, Acxiom experienced a security breach on one of the
company's external file transfer servers. The hackers were employees of
an Acxiom client and a client's contractor. As users with legitimate
access to the server, the hackers had received authority to transfer
and receive their own files. The hackers did not penetrate the
firewalls to Acxiom's main system. They did, however, exceed their
authority when they accessed an encrypted password file on the server
and successfully unencrypted about 10 percent of the passwords, which
allowed them to gain access to other client files on the server.
Fortunately, the vast majority of the information involved in this
incident was of a non-sensitive nature.
Upon learning of the initial breach from law enforcement, Acxiom
immediately notified all affected clients and, upon further forensic
investigation, the company informed law enforcement regarding a second
suspected security incident. Fortunately, in both instances, law
enforcement was able to apprehend the suspects, recover the affected
information and ascertain that none of the information was used to
commit identity fraud. One of the hackers pled guilty and was recently
sentenced to 48 months in Federal prison. The other is currently
awaiting trial.
As a result of the breach, Acxiom cooperated with audits conducted
by dozens of its clients, and both the Federal Trade Commission and the
Office of the Comptroller of the Currency examined Acxiom's processes
to ensure that the company was in compliance with all applicable laws
and its own stated policies.
This experience taught Acxiom additional valuable lessons regarding
the protection of information. For example, Acxiom now requires the use
of more secure passwords on the affected server. The process for
transferring files has been changed, specifically by keeping
information on the server for much shorter periods of time. And while
it was always a recommended internal policy, Acxiom now requires that
all sensitive information passed across such servers be encrypted. In
addition, while Acxiom has had in place a Security Oversight Committee
for many years, the company has also now appointed a Chief Security
Officer with more than 20 years of IT experience. In short, Acxiom's
systems are more secure today as a result of the company's experience
and dedication to the privacy of consumers.
The Need For Additional Legislative Safeguards
There has been much discussion, especially in recent weeks, about
whether existing Federal law sufficiently protects consumers from harm.
In this regard, Acxiom does believe that additional, appropriately
tailored legislation would assist Acxiom, the rest of the information
services industry and businesses in general in ensuring that consumers
are protected from fraud and identity theft. But, as FTC Chairman
Majoras has said, even the best security systems imaginable and the
strongest laws possible can nonetheless be circumvented by inventive
criminals intent on committing fraud.
Breach Notification: Acxiom supports efforts to pass Federal
preemptive legislation requiring notice to consumers in the
event of a security breach, where such breach places consumers
at risk of identity theft or fraud. California implemented
similar legislation several years ago, and over thirty other
states are involved in passing similar laws. The bottom line is
that consumers deserve a nationwide mandate that requires that
they be notified when they are at risk of identity theft, so
they can take appropriate steps to protect themselves.
Extension of the GLBA Safeguards Rule: Currently, Acxiom
voluntarily subjects itself to the GLBA Safeguards Rule with
respect to the company's computer services and information
products. Acxiom also complies with the California safeguards
law (AB 1950). FTC Chairman Majoras recently has proposed an
extension of the GLBA Safeguards Rule to the information
services industry as a whole. Acxiom supports her
recommendation.
Mr. Chairman, Acxiom appreciates the opportunity to participate in
this hearing and to assist Congress in identifying how best to
safeguard the Nation's information and data. Acxiom is available to
provide any additional information the Committee may request.
Senator Smith. Thank you, Ms. Barrett.
Mr. Kurtz?
STATEMENT OF PAUL B. KURTZ, EXECUTIVE DIRECTOR, CYBER SECURITY
INDUSTRY ALLIANCE (CSIA)
Mr. Kurtz. Thank you, Senator Smith. It's a pleasure to be
here today. Thank you for inviting the Cyber Security Industry
Alliance to testify before this Committee. As Executive
Director of CSIA, I'm pleased to speak about the importance of
securing personal identity information.
Prior to leading CSIA, I served for 16 years in the Federal
Government, 12 years at the State Department and 4 years at the
White House, where I served on the National Security Council
and the Homeland Security Council, working on counterterrorism
and critical infrastructure protection.
CSIA is an organization of 15 CEOs consisting of the
world's top security providers who offer the technical
expertise and depth of focus and encourage a better
understanding of cybersecurity policy issues. We believe
ensuring the security, the integrity, and the availability of
global information systems is fundamental to economic and
national security.
We need, simply, to come to terms with our reliance on
information systems and the vast amount of personal information
in storage and in transit in such systems. Our information
systems must be secure and reliable--in particular, protecting
personal information from unauthorized disclosure. We need a
strategic approach that is more preventative or preemptive in
nature, rather than largely reactive and defensive, as a recent
CRS study on cybersecurity indicates.
Every electronic breach of personal information is another
reason for consumers to lose trust in our information systems.
A recent survey conducted by the Ponemon Institute revealed
that 57 percent of consumers with high trust in their primary
banks say they would cease all online services with their
current bank in the event of a single security breach. The loss
of trust or confidence in our information systems inhibits
economic growth, the security of our citizens and Nation.
CSIA believes the right approach to securing consumers'
personal data requires a blend of appropriate policies,
technical expertise, and security technologies. Let me be
clear, we are not mandating specific technology solutions. A
key question before this Committee is defining the government's
role, whether directly or indirectly, in fostering the
protection of personal information on information systems owned
and operated by the private sector. This Committee, rightfully,
will also examine where the marketplace is succeeding at
protecting personal information, and where it is failing.
At this critical time of technology development and
innovation, the United States, as an economic force and a
global technology leader, must carefully chart a public-policy
approach to information security that continues to encourage
innovation while also providing protection.
There is no silver-bullet approach solution. There are two
fundamental areas requiring protection: the storage of personal
information, such as names, addresses, and Social Security
numbers, and the movement of the data. Movement of the data
amplifies the challenge of security, because it creates weak
points, if you will, in the system. The movement of data makes
it difficult to define the set of users who should take action
to secure the personal information.
So, what is the solution set? It involves a combination of
technologies, policies, and expertise. Key policies and
technologies include vetting employees, establishing and
enforcing corporate security policies, encryption, auditing,
monitoring, anti-virus, intrusion detection, and firewalls,
strong authentication and access controls. These technologies,
in particular, are critical, as passwords are inherently weak
and easily compromised.
Market adoption of security technologies, however, is
mixed. Some enterprises, however, are beginning to see security
as a means to differentiate themselves from their competition.
Congress should examine the protection of personal information
more broadly than just the data brokers, as other organizations
possess significant amounts of personal data. We have seen
evidence of those breaches in recent days.
In this context, CSIA recommends Congress consider the
following:
Take a holistic approach to understanding what
cybersecurity problems are, such as spyware, phishing, data-
warehouse security. They are, in fact, all related. In each
case, the target is personal information in order to commit
electronic fraud.
Two, harmonize any legislation with existing legislation at
the Federal level, filling gaps rather than duplicating
requirements already contained in existing law.
Use existing standards wherever possible, rather than
creating new ones.
Preempt State law, where appropriate, in order to avoid a
patchwork quilt of regulations relating to the security of
personal information.
Encourage the broader use of security technologies without
mandating such solutions. California's Database Protection
Act, 1386, which went into effect in July 2003, encourages the
encryption of personal information without mandating it.
Investigate incentives, including safe harbors, tax
benefits, third-party or self-certification, insurance, and
adoption of best practices.
Increase penalties for identity theft and cybercrimes, and
ensure appropriate resources are available.
Ratify the Council of Europe's Convention on Cybercrime,
which will create a global framework for prosecuting and
investigating cybercriminals. We need to see this in a global
fashion.
We need, also, to have leadership on the part of the Federal
Government; the formation of--or, excuse me, an Assistant
Secretary at DHS focused on cybersecurity will be helpful.
And we also can't forget R&D.
Let me close by noting, again, the recent CRS study on
cybersecurity. The study states there is currently no unified
national framework for improving cybersecurity, and there are
several areas of weaknesses where such a framework could be
useful in generating improvements, and several means of
leverage exist that could be used in the development or
implementation of such a framework.
We believe the points noted above offer, if you will,
guideposts for the government's role in creating such a
framework.
I appreciate the opportunity to testify today. Thank you
very much.
[The prepared statement of Mr. Kurtz follows:]
Prepared Statement of Paul B. Kurtz, Executive Director,
Cyber Security Industry Alliance (CSIA)
Thank you Chairman Stevens and Co-Chairman Inouye for inviting the
Cyber Security Industry Alliance (CSIA) to testify before this
committee on Identity Theft/Data Broker Services. As Executive Director
of CSIA, I am pleased to speak about the importance of securing
personal identifying information.
The Federal Trade Commission estimates that 27 million Americans
were victims of some kind of ID theft in the past five years. Other
studies suggest 1 in 20 U.S. citizens have been hit by electronic
fraud. The numbers are staggering. Every electronic breach of personal
information is another reason for consumers to lose trust in our
information systems. A recent survey conducted by the Poneman Institute
revealed that 57 percent of consumers with high trust in their primary
bank say they would cease all online services with their current bank
in the event of a single privacy breach. The loss of trust or
confidence in our information systems inhibits economic growth, our
security as citizens as well as a nation. CSIA believes the right
approach to securing consumers' personal data requires a blend of
appropriate policies, technical expertise and security technologies.
A central question before this Committee today is defining the
government's role--whether directly or indirectly--in protecting
personal information residing on information systems owned and operated
by the private sector. This Committee, rightfully, will also look at
where the marketplace is succeeding at protecting personal information
and where it is failing. At this critical time of technology
development and innovation, the United States, as an economic force and
a global technology leader, must carefully chart a public policy
approach to information security that continues to encourage innovation
while also providing protections.
In my testimony today, I will cover four areas.
A brief introduction to CSIA;
Security challenges in securing electronic data;
Solutions and market activity; and
Recommendations for Congress' consideration in securing
electronic data.
Introduction to CSIA
CSIA is dedicated to enhancing cybersecurity through public policy
initiatives, public sector partnerships, corporate outreach, academic
programs, alignment behind emerging industry technology standards and
public education. CSIA is led by CEOs from the world's top security
providers, who offer the technical expertise, depth and focus to
encourage a better understanding of cyber security policy issues. We
believe that ensuring the security, integrity and availability of
global information systems is fundamental to economic and national
security. We are committed to working with the public sector to
research, create and implement effective agendas related to national
and international compliance, privacy, cybercrime, and economic and
national security. We work closely with other associations representing
vendors, critical infrastructure owners and operators, as well as
consumers.
CSIA's initiatives range from examining the cybersecurity
implications of Sarbanes-Oxley to the security and reliability of
Internet telephony, also known as Voice over IP, to advocating more
government leadership in identifying and protecting critical
information infrastructure.
CSIA understands that the private sector bears a significant burden
for improving cyber security. CSIA embraces the concept of sharing that
responsibility between information technology suppliers and operators
to improve cyber security. Cyber security also requires bi-partisan
government leadership.
Members of the CSIA include BindView Corp.; Check Point Software
Technologies Ltd.; Citadel Security Software Inc.; Citrix Systems,
Inc.; Computer Associates International, Inc.; Entrust, Inc.; Internet
Security Systems Inc.; iPass Inc.; Juniper Networks, Inc.; McAfee, Inc.;
PGP Corporation; Qualys, Inc.; RSA Security Inc.; Secure Computing
Corporation; Symantec Corporation and TechGuard Security, LLC.
Challenges in Securing Electronic Data
Many large organizations, from corporations to universities and
health care systems, are conducting more of their business using
network technology such as the Internet. Therefore, customers,
employees, students and patients are having their personally
identifiable information gathered into vast electronic data storage
repositories. Some industries already have requirements to protect
personally identifiable information, such as the banking and health
communities. Laws and regulations are being created at various levels
to address security and privacy because the criminal activity related
to stealing these electronic data is increasing exponentially. Multiple
laws requiring potentially different requirements will quickly make
compliance an overly complex task.
The problem of ensuring security and confidentiality of electronic
data is complex. There are two fundamental areas requiring protection.
The first is protecting the storage of personal information in data
warehouses such as names, addresses and Social Security numbers. The
second is protecting the movement of these data to and from the data
warehouse.
Technical security safeguards are used to address both the storage
and movement issues. Policy is also crucial, for it governs
implementation of the technical safeguards and access to the data.
Movement of the data amplifies the challenge of security because it
creates weak points in the system. Those points are often outside the
direct control of security administrators overseeing data warehouses.
The movement of data makes it difficult to define the set of users who
should take action to ensure the security of personal information by a
select group. Therefore, policy and best practices play a pivotal role
in shoring up weak points.
The core information technology application of large data holders
is a ``data warehouse.'' It accumulates disparate records then
analyzes, stores and distributes a vast amalgamation of information--
billions of records about hundreds of millions of Americans. Many
elements of the technology require special provisioning for security,
including applications, systems and networks. A secure solution
requires security provisions at the original source of data, at the
data holder, at service providers, and at each customer location
accessing the warehouse. The holder's control of security diminishes as
information passes over external networks. Control vanishes once
information is injected into the customer's internal applications.
The data warehouse's database management system handles security
and access control. Securing the warehouse is mostly a function of
establishing, granting and updating access control permissions and
rights--a configuration process based on policy. Security requirements
extend to appropriate configuration of access controls and permissions
for software applications feeding information into the data warehouse.
Data warehouse technology operates on a networked system of
servers. The servers may physically exist on premise at the data holder
or at an external hosting service provider. Other systems for the data
warehouse include access devices such as PCs, laptops, handheld
computing devices, and telephones. Primary security for all systems is
mostly a function of their operating systems. Proper installation,
configuration and patching of bugs in the operating system software are
crucial for secure systems.
Solutions and Market Activity
Before considering steps the government should take to facilitate
securing electronic data, it is appropriate to discuss solutions and
market activity. There is no ``silver bullet'' technical or policy
solution to secure data warehouses. A variety of technologies and
policies are required. Key technologies and policies include:
Policy Management: Enforces security rules and regulations.
Provides guidance to management on who should access what, when
and where.
Vulnerability Management: Remediate vulnerabilities through
scanning devices that identify and patch vulnerabilities, as
well as mitigate misconfigurations, unnecessary services,
unsecured accounts, and malicious code. Addressing major
classes of network and desktop vulnerability improves IT
enterprise and operational stability.
Intrusion Detection/Prevention: Technologies that monitor
content of network traffic for infections and block traffic
carrying infected files or programs. Reducing incoming sick
traffic closes another window for criminals to access these
data.
Authentication: A critical first step to ensuring only
appropriate users may access the data is using digital
certificates and multiple factor authentication. This is a way
to confirm legitimate customers and control internal end-user
access. Strong authentication also mitigates the problem of
passwords, which are inherently weak, from being hacked or
otherwise compromised.
Access Controls: Ensure that authenticated users and
applications can access only that data and information which
they have been granted authority to use. Access controls may be
based on a number of factors, including an individual's role in
an organization. They are particularly important to prevent
insider attacks and as a deterrent to inappropriate browsing of
sensitive data.
Audit Files: Detailed and protected records of computer and
network traffic and transactions that can help ensure policy
compliance and assist in forensic investigations of computer
crime.
Encryption: Transforms data into password (key)-protected
packets that prevent reading by unauthorized users. Secure
communication enables data warehouse vendors to safely and
efficiently serve their customers.
Anti-Virus: Software automatically checks new files for
infection. Inoculates PCs and applications from diseased
software code attempting to cause harm.
Firewall: Blocks unauthorized traffic from entering PCs and
servers from the Internet. Protects end-users from unwanted
activity on their PCs.
Some enterprises are beginning to see security as a means to
differentiate themselves from their competition. For example, a well
known e-trading firm is working with a CSIA member to use two factor
authentication to improve the security of customer accounts. Some
Internet Service Providers (ISPs) are differentiating themselves from
others by highlighting the steps they are taking to protect personal
information. Other CSIA member firms are providing managed security
services, encryption technologies, intrusion prevention, vulnerability
management services to a variety of owners and operators of
infrastructure.
Policy Considerations for Securing Electronic Data
The security of data warehouses will require a blend of appropriate
policies, technical expertise, and security technologies. Technical
provisions for security are aimed to thwart unauthorized access to
personally identifiable information--whether by electronic hackers who
break in by securing a legitimate password (e.g. LexisNexis), or by
in-person fraud (e.g. ChoicePoint). Technical provisions are only as
strong as the security policy which implements them.
Security breaches of data warehouses can adversely affect the life
of any American so it is appropriate for Congress to establish national
policies in conjunction with the private sector for the protection and
privacy of personal information.
While Congress is largely focused on data brokers, the protection
of personal information is also critical in other businesses where data
warehouse technology is used and where similar risks exist. Congress
should examine the issue more broadly as it contemplates the need for
legislation.
In this context, CSIA recommends that Congress consider the
following:
Take a holistic approach to addressing cyber security.
Currently, Congress is considering cyber security problems such
as spyware, phishing, and data warehouse security on an
individual basis. In fact, each of these problems has at least
one issue in common: the attacker is seeking an individual's
personal information in order to commit financial fraud. We can
anticipate similar exploits in the future.
Harmonize any new legislation with existing legislation at
the Federal level, filling gaps rather than duplicating
requirements already contained in existing law, such as Gramm-
Leach-Bliley Act (GLBA), the Health Insurance Portability and
Accounting Act (HIPAA), and the Fair Credit Reporting Act
(FCRA). Use existing security standards wherever possible,
rather than creating new ones. This approach would provide a
framework for identifying areas of risk, as well as encouraging
industry best practices.
A piecemeal approach by Congress, in conjunction with the
numerous laws states are passing, will present consumers and
businesses with a ``patchwork'' quilt of confusing laws and
complicated compliance issues. Already states are stepping into
the void and creating a confusing patchwork of legislation on
the issue. Legislation regulating spyware has been introduced
in 24 State legislatures this year, with approaches ranging
from studies to changes in criminal code. Anti-phishing
legislation is sitting on the Governor's desk in Hawaii, and
pending in states including Texas and Florida. And there are
more than 300 bills pending on identity theft in our Nation's
State legislatures. A Federal preemption of the many laws
recently passed or currently contemplated at the State level
related to spyware, phishing, and data broker security would
alleviate much of the concern and consternation within the
private sector as a whole. However, any preemptive Federal law
should maintain, at the minimum, the security standards already
put in place by corresponding state legislation.
Encourage broader use of security technologies without
mandating specific technology solutions. Urge adoption of the
approach utilized in CA 1386 which calls for disclosure of a
breach involving unencrypted data.
To encourage stronger cyber security, Congress should
investigate incentives, including ``safe harbors'', tax
benefits, third-party or self certification, insurance and the
adoption of best practices, without mandating specific
technology solutions. Dictating a specific technology is
counterproductive as it stifles innovation and discourages
creativity.
Congress should increase penalties for identity theft and
other cyber crimes as well as ensure appropriate resources are
available to law enforcement authorities. The Senate should
swiftly ratify the Council of Europe's Convention on Cybercrime
which would create a global framework for investigating and
prosecuting cyber criminals.
Congress should also take a long-term view of information
security. There is no coherent cyber security R&D agenda.
Significant Federal funding is closeted in classified programs.
While our national security needs must be met, we must
anticipate that privately owned and operated networks will be
attacked as well. We need to develop resilient, fault tolerant
networks which degrade gracefully under attack.
Leadership in information technology is a constantly moving target.
As the technology changes and improves, so must its security. Likewise,
as the need for public protection evolves, so must our public policy.
We call on Congress and the Administration to work with the private
sector to develop a holistic approach to protecting our Nation's
personal information.
Senator Smith. Thank you very much.
Mr. Rotenberg?
STATEMENT OF MARC ROTENBERG, PRESIDENT/EXECUTIVE DIRECTOR,
ELECTRONIC PRIVACY INFORMATION CENTER (EPIC)
Mr. Rotenberg. Senator Smith, Senator Nelson, Senator
Pryor, thank you for the opportunity to testify today.
My name is Marc Rotenberg. I'm an Executive Director at the
Electronic Privacy Information Center. EPIC is a nonpartisan
research organization, and we focus our work on emerging civil-
liberties and privacy issues. We'd like to thank you for
holding this hearing today on identity theft and data brokers.
We have a particular interest in this topic. Over the last
several months, you, many of your constituents, and the
American public have read quite a bit about the massive data
disclosures taking place across the United States. But it was
actually last year that EPIC wrote to the Federal Trade
Commission and urged the FTC to begin an investigation of
ChoicePoint and other companies in the data-broker industry.
And we expressed particular concern about the products that
were not covered under the Fair Credit Reporting Act. Our view
was that these products contained much of the same sensitive
information that would otherwise be regulated under Federal
law. And, because this information wasn't covered under Federal
law, we explained to the FTC, there was heightened risk of the
loss of privacy of American consumers, of data breaches. And,
in fact, many of the problems that we wrote about last year to
the FTC came to pass over the last several months. So, we're
very pleased that you're holding this hearing today.
I'm going to focus my testimony this afternoon on the
legislative proposals that have been put forward, because I
think it's very important to understand the need to pass
legislation at this point in time.
Now, I will say, also, that, clearly, the companies have
taken important steps, since the breaches have occurred, to try
to improve their business practices and reduce the likelihood
that future problems will arise, and they should be applauded
for this.
Senator Smith. But those steps, in your view, are not
sufficient.
Mr. Rotenberg. No, I don't think they are sufficient, sir.
Senator Smith. So legislation is necessary.
Mr. Rotenberg. I think legislation is part of the solution.
Now, just to put this in context, this is not unlike the
situation that the Congress faced when it first considered the
Fair Credit Reporting Act. People understood that information
about American consumers would be important for credit
determinations and for loans. But it was also the case that
that information had to be accurate and used only for
appropriate purposes. So, Congress was able to pass the FCRA,
improve the accuracy and reliability of the information for the
businesses that had an appropriate reason to use it, and, at
the same time, safeguard the privacy of American consumers.
And what I'm suggesting today is that I think a similar
approach should be taken with the information-broker industry.
Now, you've heard quite a bit so far about industry's
support for a notification bill. And we think this is also a
good starting point. Certainly, the notification law in
California made it possible for people to learn when this
breach occurred, and to protect themselves so that they could
minimize the risk resulting from the improper use of their
personal information. And I think that approach will likely be
adopted across the United States.
But I don't think notification is adequate. And it is the
two bills that are pending before this Committee, S. 500 and S.
768, that I think point us in the direction of how we reduce
the likelihood that future problems will occur.
S. 500, for example, will give the FTC the authority to
establish basic regulations to ensure that companies in the
information-broker industry--make sure that the information is
accurate and reliable, and establish privacy safeguards.
But I think the better approach, and the one that I know
Senator Nelson has spent a great deal of time on, is S. 768.
This legislation really gets to the key problems today in the
United States, not only ensuring the accuracy of this
information, but dealing directly with the problem of the
misuse of the Social Security number, which is clearly
contributing to the problem of identity theft--limiting the
circumstances under which personal information may be sold,
giving individuals a private right-of-action, and ensuring that
the types of safeguards are established, that international
cooperation is made possible, and that the FTC reports to you
on an annual basis about how their work is progressing to limit
the problem of identity theft. I think also the establishment
of an identity theft center within the FTC would come as an
enormous benefit to American consumers.
As you may know, identity theft is now the number one crime
in the United States. The FTC puts the figure at over $50
billion. It's one out of 20 adults in this country. I think S.
768 provides the type of framework, the type of comprehensive
solution, consistent with the approach that was taken with the
FCRA for the credit-reporting industry 30 years ago, that the
American public needs today.
So, I thank you, again, for holding this hearing, and I
hope the Committee will be able to take action on that bill.
[The prepared statement of Mr. Rotenberg follows:]
Prepared Statement of Marc Rotenberg, President/Executive Director,
Electronic Privacy Information Center (EPIC)
Mr. Chairman, and members of the Committee, thank you for the
opportunity to appear before you today. My name is Marc Rotenberg and I
am Executive Director and President of the Electronic Privacy
Information Center in Washington, DC. EPIC is a non-partisan public
interest research organization established in 1994 to focus public
attention on emerging civil liberties issues. We are very pleased that
you have convened this hearing today on Identity Theft and Data Broker
Services.
The main point of my testimony today is to make clear the
extraordinary urgency of addressing the unregulated sale of personal
information in the United States and how the data broker industry is
contributing to the growing risk of identity theft in the United
States. There is every indication that this problem is getting worse.
Whatever your views may be on the best general approach to privacy
protection, I urge you to take aggressive steps to regulate the
information-broker industry and to protect the privacy and security of
Americans.
The Significance of the ChoicePoint Matter
With all the news reporting of the last few months, it has often
been difficult to tell exactly how a criminal ring engaged in identity
theft obtained the records of at least 145,000 Americans. According to
some reports, there was a computer ``break-in.'' Others described it as
``theft.'' \1\ In fact, ChoicePoint simply sold the information.\2\
This is ChoicePoint's business and it is the business of other
companies that are based primarily on the collection and sale of
detailed information on American consumers. In this most recent case,
the consequences of the sale were severe.
According to California police, at least 750 people have already
suffered financial harm.\3\ Investigators believe data on at least
400,000 individuals may have been compromised.\4\ Significantly, this
was not an isolated incident. Although ChoicePoint CEO Derek Smith said
that the recent sale was the first of its kind, subsequent reports
revealed that ChoicePoint also sold similar information on 7,000 people
to identity thieves in 2002 with losses over $1 million.\5\ And no
doubt, there may have been many disclosures before the California
notification law went into effect as well as more recent disclosures of
which we are not yet aware.
The consumer harm that results from the wrongful disclosure of
personal information is very clear. According to the Federal Trade
Commission, last year 10 million Americans were affected by identity
theft. Identity theft is the number one crime in the country. For the
fifth year in a row, identity theft topped the list of complaints,
accounting for 39 percent of the 635,173 consumer fraud complaints
filed with the agency last year.\6\ And there is every indication that
the level of this crime is increasing.
ChoicePoint is not the only company that has improperly disclosed
personal information on Americans. Bank of America misplaced back-up
tapes containing detailed financial information on 1.2 million
employees in the Federal Government, including many Members of
Congress.\7\ Lexis-Nexis originally reported that it made available
records from its Seisint division on 32,000 Americans to a criminal
ring that exploited passwords of legitimate account holders.\8\ That
number was later revised to 310,000.\9\ DSW, a shoe company, announced
that 103 of its 175 stores had customers' credit and debit card
information improperly accessed.\10\ Last week, Time Warner revealed
that it lost track of detailed data concerning 600,000 current and
previous employees.
Legislation in this area is long overdue. Regrettably, ChoicePoint
and other information brokers have spent a great deal of time and money
trying to block effective privacy legislation in Congress. According to
disclosure forms filed with the U.S. House and Senate, obtained by the
Wall Street Journal, ChoicePoint and six of the country's other largest
sellers of private consumer data spent at least $2.4 million last year
to lobby Members of Congress and a variety of Federal agencies. The
Journal reports that, ``ChoicePoint was the biggest spender, with
$970,000 either paid to outside lobbyists or spent directly by the
company.'' \11\
But the real cost for these activities is borne by Americans, all
across the country. This improper disclosure and use of personal
information is contributing to identity theft, which is today the
number one crime in the United States. According to a 2003 survey by
the Federal Trade Commission, over a one-year period nearly 5 percent
of the adult population were victims of some form of identity
theft.\12\
Growing Dependence on the Information Broker Industry
Mr. Chairman, the representatives of the information-broker
industry will testify this morning that the American economy and even
our national security are becoming increasingly dependent on this
industry. In many respects, this is true. These companies have become
the true invisible hand of the information economy. Their ability to
determine the opportunities for American workers, consumers, and voters
is without parallel. If a ChoicePoint record says you were late on a
rent payment, whether or not that's true, you may lose a chance for a
new apartment or a job. If one of these companies wrongfully removes
registered voters from the voting rolls, those people are denied their
Constitutional right to vote.
The stakes become even higher with homeland security. Acxiom, for
example, may play a central role in the identity verification
procedures for Secure Flight, the new airline passenger pre-screening
system. According to the Wall Street Journal, a Virginia company named
Eagle Force has tested sample passenger information against commercial
databases supplied by Arkansas-based Acxiom Corp.\13\ Acxiom is the
same company that stirred controversy after it shared information about
JetBlue Airways' passengers, without their knowledge, with a defense
contractor in 2002.\14\
Even as we become more reliant on these firms, the reports of
problems in the industry and the skyrocketing problem of identity theft
have made clear that Congress must step in. There are simply no market
mechanisms that protect privacy, ensure accuracy, or limit security
breaches where there is no direct obligation to the person whose
personal information is at risk.
EPIC's Efforts To Bring Public Attention to the Problems With
ChoicePoint
Well before the recent news of the ChoicePoint debacle became
public, EPIC had been pursuing the company and had written to the FTC
to express deep concern about its business practices and its ability to
flout the law. On December 16, 2004, EPIC urged the Federal Trade
Commission to investigate ChoicePoint and other data brokers for
compliance with the Fair Credit Reporting Act (FCRA), the Federal
privacy law that helps insure that personal financial information is
not used improperly.\15\ The EPIC letter said that ChoicePoint and its
clients had performed an end-run around the FCRA and was selling
personal information to law enforcement agencies, private
investigators, and businesses without adequate privacy protection.
ChoicePoint wrote back to us to say, in effect, that there was no
problem. The company claimed to comply fully with FCRA and that the
question of whether FCRA, or other Federal privacy laws, should apply
to all of its products was simply a policy judgment. It made this claim
at the same time it was spending several million dollars over the last
few years to block the further expansion of the FCRA.
Mr. Chairman, hindsight may be 20-20, but it is remarkable to us
that ChoicePoint had the audacity to write such a letter when it
already knew that State investigators had uncovered the fact that the
company had sold information on American consumers to an identity theft
ring. They were accusing us of inaccuracy at the same time that State
and Federal prosecutors knew that ChoicePoint, a company that offered
services for business credentialing, had exposed more than a hundred
thousand Americans to a heightened risk of identity theft because it
sold data to crooks.
But the problems with ChoicePoint long preceded this recent
episode. Thanks to Freedom of Information Act requests relentlessly
pursued by EPIC's Senior Counsel Chris Hoofnagle, we have obtained over
the last several years extraordinary documentation of ChoicePoint's
growing ties to Federal agencies and the increasing concerns about the
accuracy and legality of these products.\16\ So far, EPIC has obtained
FOIA documents from nine different agencies concerning ChoicePoint. One
document from the Department of Justice, dated December 13, 2002,
discusses a ``Report of Investigation and Misconduct Allegations . . .
Concerning Unauthorized Disclosure of Information.'' \17\ There are
documents from the IRS that describe how the agency would mirror huge
amounts of personal information on IRS computers so that ChoicePoint
could perform investigations.\18\ Several documents describe
ChoicePoint's sole source contracts with such agencies as the United
States Marshals Service and the FBI.\19\
Among the most significant documents obtained by EPIC were those
from the Department of State, which revealed the growing conflicts
between the United States and foreign governments that resulted from
the efforts of ChoicePoint to buy data on citizens across Latin America
for use by the U.S. Federal law enforcement agencies.\20\ One document
lists news articles that were collected by the agency to track outrage
in Mexico and other countries over the sale of personal information by
ChoicePoint.\21\ A second document contains a cable from the American
Embassy in Mexico to several different government agencies warning that
a ``potential firestorm may be brewing as a result of the sale of
personal information by ChoicePoint.'' \22\ A third set of documents
describes public relations strategies for the American Embassy to
counter public anger surrounding the release of personal information of
Latin Americans to ChoicePoint.\23\
Lessons of ChoicePoint
The ChoicePoint incident provides many important lessons for the
Congress as it considers how best to safeguard consumer privacy in the
information age.
First, it should be clear now that privacy harms have real
financial consequences. In considering privacy legislation in the past,
Congress has often been reluctant to recognize the actual economic harm
that consumers suffer when their personal information is misused, when
inaccurate information leads to the loss of a loan, a job, or
insurance. Consumers suffer harms both from information that is used
for fraud and inaccurate information that leads to lost opportunities
through no fault of the individual.
A clear example of how the company has contributed to the growing
problem of identity theft may be found in ChoicePoint's subscriber
agreement for access to AutoTrackXP, a detailed dossier of individuals'
personal information. A sample AutoTrackXP report on the ChoicePoint
website shows that it contains Social Security Numbers; driver license
numbers; address history; phone numbers; property ownership and
transfer records; vehicle, boat, and plane registrations; UCC filings;
financial information such as bankruptcies, liens, and judgments;
professional licenses; business affiliations; ``other people who have
used the same address of the subject,'' ``possible licensed drivers at
the subject's address,'' and information about the data subject's
relatives and neighbors.\24\ This sensitive information is available to
a wide array of companies that do not need to articulate a specific
need for personal information each time a report is purchased.
ChoicePoint's subscriber agreement shows that the company allows access
to the following businesses: attorneys, law offices, investigations,
banking, financial, retail, wholesale, insurance, human resources,
security companies, process servers, news media, bail bonds, and if
that isn't enough, ChoicePoint also includes ``other.''
Second, it should be clear that market-based solutions fail utterly
when there is no direct relationship between the consumer and the
company that proposed to collect and sell information on the consumer.
While we continue to believe that privacy legislation is also
appropriate for routine business transactions, it should be obvious to
even those that favor market-based solutions that this approach simply
does not work where the consumer exercises no market control over the
collection and use of their personal information. As computer security
expert Bruce Schneier has noted, ``ChoicePoint doesn't bear the costs
of identity theft, so ChoicePoint doesn't take those costs into account
when figuring out how much money to spend on data security.'' \25\ This
argues strongly for regulation of the information-broker industry.
Third, there are clearly problems with both the adequacy of
protection under current Federal law and the fact that many information
products escape any kind of privacy rules. ChoicePoint has done a
remarkable job of creating detailed profiles on American consumers that
they believe are not subject to Federal law. Products such as
AutoTrackXP are as detailed as credit reports and have as much impact
on opportunities in the marketplace for consumers as credit reports,
yet ChoicePoint has argued that they should not be subject to FCRA.
Even their recent proposal to withdraw the sale of this information is
not reassuring. They have left a significant loophole that will allow
them to sell the data if they believe there is a consumer benefit.\26\
But even where legal coverage exists, there is insufficient
enforcement, consumers find it difficult to exercise their rights, and
the auditing is non-existent. According to EPIC's research, while
ChoicePoint claims to monitor their subscribers for wrongdoing, there
is no public evidence that the company has referred a subscriber to
authorities for violating individuals' privacy. In other words, in the
case where a legitimate company obtains personal information, there is
no publicly available evidence that ChoicePoint has any interest in
whether that information is subsequently used for illegitimate
purposes.
Law enforcement, which has developed increasingly close ties to
information brokers such as ChoicePoint, seems to fall entirely outside
of any auditing procedures. This is particularly troubling since even
those reports that recommend greater law enforcement use of private
sector databases for public safety recognize the importance of auditing
to prevent abuse.\27\
And of course there are ongoing concerns about the broad
permissible purposes under the FCRA, the use of credit header
information to build detailed profiles, and the difficulty that
consumers continue to face in trying to obtain free credit reports that
they are entitled to under the FACTA.
Fourth, we believe this episode also demonstrates the failure of
the FTC to aggressively pursue privacy protection. We have repeatedly
urged the FTC to look into these matters. On some occasions, the FTC
has acted.\28\ But too often the Commission has ignored privacy
problems that are impacting consumer privacy and producing a loss of
trust and confidence in the electronic marketplace. In the late 1990s,
the FTC promoted self-regulation for the information-broker industry
and allowed a weak set of principles promulgated as the Individual
References Service Group to take the place of effective legislation. It
may well be that the ChoicePoint fiasco could have been avoided if the
Commission chose a different path when it considered the practices of
the information-broker industry.
The FTC has also failed to pursue claims that it could under
section 5 of the FTC Act, which prohibits unfair practices. Practices
are unfair if they cause or are likely to cause consumers substantial
injury that is neither reasonably avoidable by consumers nor offset by
countervailing benefits to consumers and competition.\29\ It may be
that the unfairness doctrine could be applied in cases where there is
no direct relationship between the consumer and the company, but to
date the FTC has failed to do this.\30\
Fifth, we believe the ChoicePoint episode makes clear the
importance of state-based approaches to privacy protection. Congress
simply should not pass laws that tie the hands of State legislators and
prevent the development of innovative solutions that respond to
emerging privacy concerns. Many states are today seeking to establish
strong notification procedures to ensure that their residents are
entitled to at least the same level of protection as was provided by
California.\31\
In this particular case, the California notification statute helped
ensure that consumers would at least be notified that they are at risk
of heightened identity theft. This idea makes so much sense that 38
attorneys general wrote to ChoicePoint to say that their residents
should also be notified if their personal information was wrongly
disclosed.\32\ ChoicePoint could not object. It was an obvious
solution.
Recommendations
Clearly, there is a need for Congress to act. Although ChoicePoint
has taken some steps to address public concerns, it continues to take
the position that it is free to sell personal information on American
consumers to whomever it wishes where ChoicePoint, and not the
consumer, believes there is a ``consumer-driven benefit or
transaction.'' \33\ Moreover, the industry remains free to change its
policies at some point in the future, and the steps taken to date do
not address the larger concerns across the information-broker industry.
Modest proposals such as the extension of the Gramm-Leach-Bliley
Act's Security Safeguards Rule are unlikely to prevent future debacles.
The Safeguards Rule merely requires that financial institutions have
reasonable policies and procedures to ensure the security and
confidentiality of customer information. Recall that the disclosure by
ChoicePoint did not result from a ``hack'' or a ``theft'' but from a
routine sale. Moreover, the Security Safeguards Rule will do nothing to
give consumers greater control over the transfer of their personal
information to third parties or to promote record accuracy.
Extending notification statutes such as the California bill would
be a sensible step, but this is only a partial answer. Notification
only addresses the problem once the disclosure has occurred. The goal
should be to minimize the likelihood of future disclosures. It is also
important to ensure that any Federal notification bill is at least as
good as the California state bill and leaves the states the freedom to
develop stronger and more effective measures. What happens, for example,
when, at some point in the future, we must contend with the
extraordinary privacy problems that will result from the disclosure of
personal information contained in a database built on biometric
identifiers?
There are several proposals pending in the Senate to address the
growing problem of identity theft. In particular, the Notification of
Risk to Personal Data Act, S. 751, and the Comprehensive Identity Theft
Prevention Act, S. 768, provide strong complementary safeguards. The
Committee should act quickly to ensure their passage.
Notification of Risk to Personal Data Act, S. 751
One of the lessons of the recent disclosures about the information-
broker industry is that we could not understand the scope of the
problem without information about actual security breaches. Imagine
trying to legislate airline safety or the reliability of medical
products without even basic information about the extent of the problem
or the number of people affected. That is where the information
security problem was before the passage of the California notification
law. That critical State law ensured, for the first time, that those
whose personal information had been wrongfully disclosed would be
notified of the breach and given the opportunity to take additional
measures. Not surprisingly, once the problem became known, other states
urged ChoicePoint to provide notification to their residents. Thirty-
eight State attorneys general wrote to the head of ChoicePoint. Many
State legislatures are now considering bills that would establish
similar notification obligations.
Given this experience, Senator Feinstein's bill, the Notification
of Risk to Personal Data Act, is an obvious first step in the effort to
help ensure that Americans can protect themselves when security
breaches occur. The bill would require Federal agencies and private
sector businesses that engage in interstate commerce to provide
notification when personal information is acquired by unauthorized
persons. The bill recognizes that there may be delayed notification
where this is necessary to aid a law enforcement investigation. The
bill also provides certain exceptions for national security and law
enforcement, though sensibly does not allow these exceptions to be used
to hide violations of law or to protect poor administration. There are
a number of alternatives for notification that recognize that there may
be more efficient and less costly ways to notify individuals in certain
circumstances.
While this is a good measure, we are concerned that the bill will
preempt stronger State laws that may be developed to address the
problem of notification where risks to personal data arise. We
understand the interest in a single national standard, but this is an
area where the states should retain the freedom to innovate and explore
new solutions to this far-reaching problem. We urge the Committee to
remove Section 5 of the Act, which would preempt State law.
We also caution against any effort to limit the circumstances under
which notification might occur. As a matter of fairness, it should be
the individual's right to know when his or her personal information has
been improperly obtained. And it should be equally obvious that given
the choice businesses will choose not to provide notice unless they are
required to do so.
Comprehensive Identity Theft Prevention Act, S. 768
Improved notification will play an important role in assisting
consumers where security breaches occur, but clearly the long-term goal
must be to reduce the risk of these disclosures and to minimize harm
when these breaches occur. This is not a new problem. Congress has
worked for more than thirty years to provide privacy safeguards and to
protect against the risks associated with the automation of personal
information. A good privacy bill works for both consumers and
businesses. The Fair Credit Reporting Act, for example, was a benefit
to both consumers and the credit reporting industry because it
established privacy safeguards and helped ensure greater accuracy in
the information that was made available to credit grantors.
The problem today is that information brokers are operating outside
of any comprehensive regulatory scheme. Moreover, they have no direct
relationship with the individuals whose personal information they
routinely sell to others. So, there are inadequate incentives to
protect privacy or to ensure accuracy. There is a clear need to
establish comprehensive protections for the information-broker
industry.
The Comprehensive Identity Theft Prevention Act, S. 768, provides
an excellent framework for privacy protection in the information-broker
industry. Building on the general approach of the FCRA and other
privacy statutes, the bill aims to ensure that when personal
information is collected, it will be used for appropriate purposes, and
that when problems arise there will be meaningful remedies.
The Act requires the Federal Trade Commission to establish rules
for information brokers and for the protection of personal information.
The rules cover data accuracy, confidentiality, user authentication,
and detection of unauthorized use. Significantly, the Act also gives
individuals the opportunity to review the information about them held
by data brokers. This helps ensure accuracy and accountability and is
similar to provisions currently found in the Fair Credit Reporting Act.
The Information Protection and Security Act also provides
meaningful enforcement by ensuring that the states are able to pursue
investigations and prosecution, after appropriate notice to the FTC and
the attorneys general. The Act also allows individuals, who of course
are the ones that suffer the actual harm, to pursue a private right of
action.
Additional Safeguards
Furthermore, to the extent that information brokers, such as
ChoicePoint, routinely sell data to law enforcement and other Federal
agencies, they should be subject to the Federal Privacy Act. A
``privatized intelligence service,'' as Washington Post reporter Robert
O'Harrow has aptly described the company, ChoicePoint should not be
permitted to flout the legal rules that help ensure accuracy,
accountability, and due process in the use of personal information by
Federal agencies.\34\ It would be appropriate to consider legislation
that would establish safeguards for the use of commercial information
by government agencies.\35\
Also, Professor Daniel Solove and EPIC's Chris Hoofnagle have put a
very good framework forward.\36\ This approach is similar to other
frameworks that attempt to articulate Fair Information Practices in the
collection and use of personal information. But Solove and Hoofnagle
make a further point that is particularly important in the context of
this hearing today on ChoicePoint. Increasingly, the personal
information made available through public records to enable oversight
of government records has been transformed into a privatized commodity
that does little to further government oversight, but does much to
undermine the freedom of Americans. While EPIC continues to favor
strong, open government laws, it is clearly the case that open
government interests are not served when the government compels the
production of personal information, sells the information to private
data vendors, who then make detailed profiles available to strangers.
This is a perversion of the purpose of public records.
Looking ahead, there is a very real risk that the consequences of
improper data use and data disclosure are likely to accelerate in the
years ahead. One has only to look at the sharp increase in identity
theft documented by the Federal Trade Commission, the extraordinary
rate of data aggregation in new digital environments, and the enormous
efforts of the Federal Government to build ever more elaborate
databases to realize that the risk to personal privacy is increasing
rapidly. Congress can continue to deal with these challenges in
piecemeal fashion, but it seems that the time has come to establish a
formal government commission charged with the development of long-term
solutions to the threats associated with the loss of privacy. Such a
commission should be established with the clear goal of making specific
proposals. It should include a wide range of experts and advocates. And
it should not merely be tasked with trying to develop privacy
safeguards to counter many of the government's new surveillance
proposals. Instead, it should focus squarely on the problem of
safeguarding privacy.
Congress needs to establish a comprehensive framework to ensure the
right of privacy in the twenty-first century. With identity theft
already the number one crime, and the recent spate of disclosures, any
further delay could come at enormous cost to American consumers and the
American economy.
The REAL ID Act
Finally, Mr. Chairman, I would like to say a few words about the
REAL ID Act, a sweeping proposal for a new Federal identification
system, that may be taken up tonight as part of the supplemental
appropriation for the troops in Iraq.
As you know, this bill, which was rejected in the last Congress,
has gone forward in this Congress without even a hearing. It would
require State agencies to collect sensitive, personal information on
every American citizen who drives a car. It would put the State DMVs in
the position of enforcing the country's immigration laws. It would give
the Federal Government broad authority to regulate a traditional State
function. Whatever one's views may be about the merits of the
legislation, it should concern all sides that this proposal could pass
in the Senate without a hearing or even debate.
I make this point today in this hearing on identity theft because
the State DMV record systems have actually become the target of
identity thieves. In recent months, three State DMVs have been attacked
by identity thieves. In March, burglars rammed a vehicle through a back
wall at a DMV near Las Vegas and drove off with files, including Social
Security numbers, on about 9,000 people. Recently, Florida police
arrested 52 people, including 3 DMV examiners, in a scheme that sold
more than 2,000 fake driver's licenses. Two weeks ago, Maryland police
arrested three people, including a DMV worker, in a plot to sell about
150 fake licenses.
It is obviously the case that the establishment of new
identification requirements in the United States, the dramatic
expansion of the authority of the Department of Homeland Security, and
the requirement that we all now deposit with State agencies the very
documents that establish our proof of identity will have a profound
impact on the issues under consideration today.\37\
Under any reasonable policy process, there would be an opportunity
to examine these issues in more detail and to assess the risks that
will surely result from the implementation of this legislation. Before
there is a vote on this proposal, there should be a hearing in this
Congress on this bill.\38\ That power still remains with the Senate. I
urge you to exercise it.
Conclusion
For many years, privacy laws came up either because of the efforts
of a forward-looking Congress or the tragic experience of a few
individuals. Now we are entering a new era. Privacy is no longer
theoretical. It is no longer about the video records of a Federal judge
or the driver registry information of a young actress. Today privacy
violations affect hundreds of thousands of Americans all across the
country. The harm is real and the consequences are devastating.
Whatever one's view may be of the best general approach to privacy
protection, there is no meaningful way that market-based solutions can
protect the privacy of American consumers when consumers have no direct
dealings with the companies that collect and sell their personal
information. There is too much secrecy, too little accountability, and
too much risk of far-reaching economic damage.
There are two important bills now before the Committee. The
Notification of Risk to Personal Data Act, S. 751, would provide
meaningful notice to individuals when their personal information is
wrongfully disclosed. The Comprehensive Identity Theft Prevention Act,
S. 768, would help reduce the likelihood of future breaches. I hope the
Committee will be able to act quickly on these proposals.
I appreciate the opportunity to be here today. I will be pleased to
answer your questions.
References
EPIC ChoicePoint Page, available at http://www.epic.org/privacy/choicepoint/.
ENDNOTES
\1\ Associated Press, ``ChoicePoint hacking attack may have
affected 400,000,'' Feb. 17, 2005, available at
http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/10920220.htm.
\2\ Robert O'Harrow Jr., ``ID Theft Scam Hits D.C. Area
Residents,'' Washington Post, Feb. 21, 2005, at A01.
\3\ Bob Sullivan, ``Data theft affects 145,000 nationwide,'' MSNBC,
Feb. 18, 2005, available at http://www.msnbc.msn.com/id/6979897/.
\4\ Associated Press, ``ChoicePoint hacking attack may have
affected 400,000,'' Feb. 17, 2005, available at
http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/10920220.htm.
\5\ David Colker and Joseph Menn, ``ChoicePoint CEO Had Denied Any
Previous Breach of Database,'' Los Angeles Times, March 3, 2005, at
A01.
\6\ Federal Trade Commission, ``FTC Releases Top 10 Consumer
Complaint Categories for 2004,'' (Feb. 1, 2005), available at
http://www.ftc.gov/opa/2005/02/top102005.htm.
\7\ Robert Lemos, ``Bank of America loses a million customer
records,'' CNet News.com, Feb. 25, 2005, available at
http://earthlink.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_3-5590989.html?tag=st.rc.targ_mb.
\8\ Jonathan Krim and Robert O'Harrow, Jr., ``LexisNexis Reports
Theft of Personal Data,'' Washingtonpost.com, March 9, 2005, available
at http://www.washingtonpost.com/ac2/wp-dyn/A19982-2005Mar9?language=printer.
\9\ ``LexisNexis Data on 310,000 People Feared Stolen,'' New York
Times, Apr. 12, 2005, available at
http://www.nytimes.com/reuters/technology/tech-media-lexisnexis.html?.
\10\ Associated Press, ``Credit Information Stolen From DSW
Stores,'' March 9, 2005, available at
http://abcnews.go.com/Business/wireStory?id=563932&CMP=OTC-RSSFeeds0312.
\11\ Evan Perez and Rick Brooks, ``Data Providers Lobby to Block
More Oversight,'' Wall Street Journal, March 4, 2005, at B1.
\12\ Federal Trade Commission, ``Identity Theft Survey Report''
(Sept. 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
\13\ ``US To Require Airline Passengers' Full Names, Birth Dates,''
Wall Street Journal, May 4, 2005, available at
http://online.wsj.com/article/0,BT_CO_20050504_012176,00.html.
\14\ EPIC pursued a complaint against JetBlue and Acxiom at the
Federal Trade Commission, arguing that ``JetBlue Airways Corporation
and Acxiom Corporation have engaged in deceptive trade practices
affecting commerce by disclosing consumer personal information to Torch
Concepts Inc., an information mining company with its principal place
of business in Huntsville, Alabama, in violation of 15 U.S.C.
Sec. 45(a)(1).'' Although the FTC chose not to take action in response
to the complaint, it continues to be our position that when a company
represents that it will not disclose the personal information of its
customers to a third party and subsequently does so, it has engaged in
an unfair and deceptive trade practice.
\15\ Letter from Chris Jay Hoofnagle, Associate Director, EPIC, and
Daniel J. Solove, Associate Professor, George Washington University Law
School, to Federal Trade Commission, Dec. 16, 2004, available at
http://www.epic.org/privacy/choicepoint/fcraltr12.16.04.html.
\16\ EPIC v. Dep't of Justice et al., No. 1:02cv0063 (D.D.C. 2002).
\17\ Available at http://www.epic.org/privacy/choicepoint/default.html.
\18\ Id.
\19\ Id.
\20\ Id.
\21\ Id.
\22\ Id.
\23\ Id.
\24\ ChoicePoint, AutoTrackXP Report,
http://www.choicepoint.com/sample_rpts/AutoTrackXP.pdf.
\25\ ``Schneier on Security: ChoicePoint,'' available at
http://www.schneier.com/blog/archives/2005/02/choicepoint.html.
\26\ Aleksandra Todorova, ``ChoicePoint to Restrict Sale of
Personal Data,'' Smartmoney.com, March 4, 2005, available at
http://www.smartmoney.com/bn/index.cfm?story=20050304015004.
\27\ See Chris J. Hoofnagle, ``Big Brother's Little Helpers: How
ChoicePoint and Other Commercial Data Brokers Collect, Process, and
Package Your Data for Law Enforcement,'' University of North Carolina
Journal of International Law & Commercial Regulation (Summer 2004),
available at http://ssrn.com/abstract=582302.
\28\ See FTC's investigation into Microsoft's Passport program.
Documentation available at
http://www.epic.org/privacy/consumer/microsoft/passport.html.
\29\ 15 U.S.C. Sec. 45(n); Letter from Michael Pertschuk, FTC
Chairman, and Paul Rand Dixon, FTC Commissioner, to Wendell H. Ford,
Chairman, Senate Consumer Subcommittee, Committee on Commerce, Science,
and Transportation (Dec. 17, 1980), available at
http://www.ftc.gov/bcp/policystmt/ad-unfair.htm.
\30\ In FTC v. Rapp, the ``Touch Tone'' case, the FTC pursued
private investigators engaged in ``pretexting,'' a practice where an
individual requests personal information about others under false
pretenses. No. 99-WM-783 (D. Colo. 2000), 2000 U.S. Dist. LEXIS 20627.
In a typical scheme, the investigator will call a bank with another's
Social Security Number, claim that he has forgotten his bank balances,
and request that the information be given over the phone. The FTC
alleged that this practice of the defendants was deceptive and unfair.
It was deceptive because the defendants deceived the bank in providing
the personal information of another. The practice was unfair in that it
occurs without the knowledge or consent of the individual, and it is
unreasonably difficult to avoid being victimized by the practice.
\31\ ``ChoicePoint Incident Prompts State Lawmakers to Offer Data
Notification Bills,'' 10 BNA Electronic Commerce & Law Report 217-18
(March 9, 2005).
\32\ Associated Press, ``38 AGs send open letter to ChoicePoint,''
Feb. 18, 2005, available at
http://www.usatoday.com/tech/news/computersecurity/infotheft/2005-02-19-ag-letter-to-choicepoint_x.htm.
\33\ ``ChoicePoint Halts Sale of Sensitive Information, as Agencies
Launch Probes,'' 10 BNA Electronic Commerce & Law Report 219 (March 9,
2005).
\34\ Robert O'Harrow, No Place to Hide: Behind the Scenes of Our
Emerging Surveillance Society (Free Press 2005).
\35\ See, e.g., Center for American Progress, ``Protecting Privacy
in the Digital Age,'' May 4, 2005, available at
http://www.americanprogress.org/site/pp.asp?c=biJRJ8OVF&b=651807.
\36\ Daniel Solove and Chris Jay Hoofnagle, ``A Model Regime of
Privacy Protection,'' March 8, 2005, available at
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=681902.
\37\ See EPIC, ``National ID Cards and REAL ID Act,'' available at
http://epic.org/privacy/id_cards/.
\38\ See letter from Senators Sam Brownback, R-Kan., Joe Lieberman,
D-Conn., and 10 other Senators to Senate Majority Leader Bill Frist,
Apr. 11, 2005 (``Because of its magnitude, this legislation should be
referred to the Senate Judiciary Committee on a schedule that provides
adequate time for full and careful consideration. Legislating in such a
complex area without the benefit of hearings and expert testimony is a
dubious exercise and one that subverts the Senate's deliberative
process.''), available at
http://www.senate.gov/&7Egov_affairs/index.cfm?FuseAction=PressReleases.Detail&Affiliation=R&PressReleaseg_id=953&Month=4&Year=2005.
Senator Smith. Mr. Rotenberg, it is a fact that--I think
one of my colleagues--Senator Kerry was asking--if you sign up
to buy insurance on your property, you're not signing up to
have your information shared, necessarily. Or are there, in
most of these transactions, opt-in and opt-out factors or
provisions?
Mr. Rotenberg. Well, this is a very important point,
Senator. In most of these transactions, the individual actually
has no direct relationship with the information broker. In
other words----
Senator Smith. Are they even aware?
Mr. Rotenberg. They don't know who these companies are.
They don't deal directly with them. If you have a privacy
problem with a bank, for example, you might decide not to do
business with that bank, and you would have the opportunity in
the marketplace to find another bank to do business with. But,
you see, these companies are very similar to the credit-
reporting companies, in that they provide information that
affects the ability of consumers to participate in the
marketplace, to get jobs, to rent apartments, to obtain
insurance, but consumers have no direct relationship with them.
And that's why we think regulation in this area is so
important.
Senator Smith. But if we had--if this were at all possible,
would you recommend, in the legislation, they have a means for
opting-in to some of this identity--identification----
Mr. Rotenberg. Yes.
Senator Smith. Yes.
Mr. Rotenberg. Yes. Under circumstances where the consumer
believes----
Senator Smith. They want----
Mr. Rotenberg.--there's a benefit.
Senator Smith.--they want it known.
Mr. Rotenberg. Absolutely. In fact, that's one of the
approaches, we think, for credit reports, for example,
consumers certainly would want to make their credit reports
available if they're seeking a loan. And I don't think any
legislation should stop them from doing that. We're concerned
about the circumstances where their credit reports are made
available that they haven't made that choice.
Senator Smith. Thank you.
Ms. Frank?
STATEMENT OF MARI J. FRANK, ESQ., ATTORNEY,
MARI J. FRANK, ESQ. & ASSOCIATES
Ms. Frank. Hi. Thank you, presiding-Senator Smith and
honorable Committee members, invited guests. And I want to
especially thank Senator Nelson for S. 500, which I
wholeheartedly support. And I will be happy to help you on S.
768, because I think there are a lot of great things in that,
as well.
I'm an attorney. My name is Mari, by the way--people call
me everything, but it is Mari--my name is Mari Frank, and I'm
an attorney and privacy----
Senator Smith. We're called a lot of things, too.
[Laughter.]
Ms. Frank. I know. I know.
[Laughter.]
Ms. Frank. I'm an attorney and privacy consultant from
Orange County, California. I've assisted thousands of identity-
theft victims, and I also sit as an advisor to the State of
California Office of Privacy Protection.
In 1996, my identity was stolen by an imposter who paraded
as me, robbing not only my personal life, but my professional
identity. She took over $50,000 in credit, purchased a red
convertible, rented a car and crashed it, and I was sued by the
rental agency. I learned that, while working as a temporary
secretary in an office 4 hours from my home, my evil twin
downloaded my consumer report from an information broker.
Because there is no law requiring a data broker to inform me of
the purchase, I couldn't do anything to prevent this heist.
Most victims are not negligent with their personal
information, and nothing will protect them from fraud if their
information is acquired from a security breach or by faulty
information practices of data aggregators.
Your personal information is worth more than currency
itself. A fraudster can do anything you can do with your
identification, and, even worse, they can do things like you--
that you would not do, such as commit crimes, seek revenge, or
even engage in terrorist activities.
Here are some examples of the main types of identity theft:
The first one is financial gain. These are examples of
people who have personally contacted me.
George had a great job in the financial industry. When he
was up for promotion, he permitted a background check, which
showed that he had several very expensive properties, luxury
cars, and even a boat. Also, it showed a problem with his CPA
license. He learned that there were many credit accounts also
that did not belong to him. He was flabbergasted, since this
was not true, none of these things were true. Needless to say,
he lost the promotion.
Second use, avoiding prosecution or avoiding arrest. Lori--
and, by the way, Lori is here with me today. I have been
helping her since last December, and Lori drove 4 hours to meet
me and come to this hearing. She's with me today. Lori, a
disabled vet who--and a single mom with a set of 6-year-old
twins, was attending school to get her B.A. degree when the
police showed up at her door. She was arrested and convicted
for a crime that was committed by her imposter. Neither her
fingerprints nor her physical description matched the
impersonator. She's hoping that we'll get a new trial for her,
but, more worrisome than that, she's fearful that, even when we
get this cleaned up--which I'm sure we will--that the incorrect
data will be resold.
And here's the reason why I'm thinking this will happen.
Scott Lewis is another client of mine who wanted to drive from
Ohio today, but I think he sent the Senators a note. Scott was
laid off from a high-paying job. He had great recommendations
and felt sure that he would be rehired. For 2 years, he was
denied employment. After hiring a private investigator, he saw
his file from a data broker. Included in it were two driving--
three DUIs and an arrest for murder, none of which belonged to
him.
After the databases were finally cleaned up, after a
tremendous amount of time and effort, he still couldn't get a
job. So, again, we pulled his consumer background check. And,
what did we find? The data broker was continuing to sell the
erroneous information to all the prospective employers. Scott
spent hundreds of hours living the nightmare of identity theft,
and we did get him on Dateline and finally we were able to get
him a job.
Revenge. This is another reason someone does this. A radio
talk-show host called me. He was shocked to learn that his own
identity was stolen by a disgruntled listener who bought his
dossier from an online information broker. Aside from calling
him at home and bullying him, he obtained access to his e-mail
and sent embarrassing e-mails to the station, pretending to be
the talk-show host.
And, finally, the last, but scariest, is terrorism and the
threat to homeland security. The 9/11 terrorists had opened
over 14 accounts at a Florida bank, using the false Social
Security numbers and other documents. They also received
thousands of dollars worth of credit. Not only did they do this
for financial gain, but over half of them had names that were
known as suspected terrorists. So they committed total
identity-theft takeover. And, worse, they used these false
identities to get revenge against our country.
Recently, at a meeting that I attended with Senator
Feinstein in California, law enforcement reported to her that
suspected terrorists have been apprehended with many false
documents in California so that they could hide under the radar
screen and come over across our borders.
Your identity is especially vulnerable with regard to the
mega-databases held by information brokers who are selling huge
amounts of your sensitive information in all-inclusive profiles
without any governmental oversight. The very essence of the
data-broker business is selling a broad range of very private
and highly sensitive information, which, if acquired by a
person with a criminal intent, provides a complete
comprehensive package ready for identity takeover.
These databases contain your personal, professional,
social, possibly criminal--true or not--and financial
existence. Tapping into your data profile is a fraudster's
dream come true.
In my written testimony, I attached Exhibit I, which has
the ChoicePoint AutoTrack, which will show you the kinds of
information--it's a sample--it's not a real person, by the way;
it's just a sample. It will shock you, as it did me.
When I recently attended the State Bar of California annual
meeting, a data broker in the exhibit hall pulled my background
after I gave him just my name. I was horrified--not only
because I felt violated by all that it revealed, but, worse, by
the tremendous number of errors. I was told that there was no
way to correct the egregious mistakes. I was stunned by the
prospect that aspects of that report may have resulted from my
imposter's actions.
Also, I was reminded of the Amy Boyer case, where Liam
Youens used information broker Docusearch to obtain Amy's
Social Security number and work address to kill her and then
himself. Police later found a message on his computer that
said, ``It's actually obscene what you can find out about
people on the Internet.''
Data brokers are invisible to most citizens. Everyone in
this room who has a birth certificate, a driver's license--or
if there's any public record about you at all, you are in those
secret files. And there's much more about you from the data
aggregation. Every Senator and everyone watching this hearing
is in those profiles. Have you seen your dossier? Do you know
what fact or fiction is being sold about you?
As the law stands now, you don't have the right to know
what is in these files, nor do you have the right to correct
the many errors, nor do you have the right to know who has had
access to these sensitive files, nor can you limit the sale.
Actually, none of us here, except maybe the data brokers, have
control over anything in those files. These companies have
operated in the shadows and have sold this often erroneous
information to myriad companies, the government, and even to
fraudsters.
Most Americans don't even know who these companies are or
what they do. This is America, the home of freedom and liberty.
This is not a communist country or a Nazi regime where secret
files are kept on citizens and shared with various entities and
governmental agencies.
Don't law-abiding citizens have a right to at least see the
dossiers and make sure that the information is correct?
Although the credit-reporting agencies are considered data
brokers, they're regulated by the FCRA, the Fair Credit
Reporting Act. And that law gives us the right to see our data,
review it, dispute it, correct it, find out who has had access
to it, and we can even limit the sale.
What is the impact of security breaches of the data brokers
that are here today? Those impacted may not yet be victims of
identity theft, yet they are victims of a Federal crime. The
Identity Theft and Assumption Deterrence Act of 1998, which I
testified for back then, 18 U.S.C. 1028, makes it a Federal
crime when anyone knowingly transfers or uses without lawful
authority a means of identification of another person with the
intent to commit or aid or abet any unlawful activity that
constitutes a Federal--a violation of Federal law or that
constitutes a felony under applicable State or local law.
I have personally spoken with victims of many of these
security breaches. The victims feel very violated, frightened,
and helpless. It is well known that criminals steal the
information, but may not use it for months, or even years,
afterwards. Additionally, the victims have not been notified of
exactly what was stolen. They haven't seen these dossiers. So
they feel entirely defenseless and don't even know what to
protect.
All right. So, what needs to be done? I'm going to go
quickly. I really appreciate everything in S. 500, and I have a
lot more, 25 pages, in my written testimony, but I'm going to
just do a quick sweep here.
Senator Smith. We'll include it all in the record.
Ms. Frank. Right, OK. So, you can all see it. And I would
really like you to look at my attachments, as well. I think
they're very important.
Number one, what do we need? We need transparency. That
means we need to see what they have available, in front of us,
for inspection. We need to define the uses of this information.
Number two, we need consent and notice. Consumers should be
able to give their consent to disclosure of their information
prior to disclosure.
The consumer should be able to know when it's sold.
And the consumer should receive a free copy once a year,
like we do under FCRA.
The consumer should also have access and inspection and the
ability to correct. There should also be quality controls and
timely correction, so that if I contact an agency and I see--
for example, what happened to me, I would like to correct
what's in that file, yet I--at this point, I can't. And I want
to know that I can correct it. And if it's a public record, I
need to know where to go to correct it.
There must be strict security controls against risk of
loss. We know this from what recently happened.
We need enforcement. Unfortunately, what I have seen, in
the past 9 years since I have been a victim, is that the
Federal Trade Commission is overwhelmed. I am also now a
sheriff reserve in Orange County, and I know that--and
California is one of the top states for identity theft--about
one in ten cases are investigated; and, of those one in ten
cases, about one in ten are prosecuted. So, enforcement is
really important. And the Federal Trade Commission doesn't take
many cases on this. So----
Senator Smith. What do they find? Do they lead to a few
people, or to many?
Ms. Frank. Depends. It depends on the circumstance. They
usually won't take the case unless it's of very high
jurisdictional value or if they think it's a fraud ring,
because they just have to prioritize. They just have limited
resources.
Enforcement should be by private right-of-action. It should
also be by attorneys general and the Federal Trade Commission.
And it's very important that we preserve State rights. I'm
from a State that has been very proactive. We have the best
privacy legislation; we are the only State with an Office of
Privacy Protection. And it's our laws--in fact, we were the
second State to have an identity-theft statute. We have the
best identity-theft statutes, as far as penal codes, in the
country. We have the security-breach law. We also allow
security freezes to lock up your credit report, so, if you're a
victim or even a consumer, you--no one can steal your credit
identity. So----
Senator Smith. Are those laws working?
Ms. Frank. Yes. And--well, we know that the security-breach
law is working, because in July of 2003, our law became
effective. Prior to July 2003, we know that LexisNexis and
ChoicePoint both had security breaches that they admitted in a
hearing before the U.S. Senate. And they did not reveal it to
anyone--I mean, to law enforcement, yes--but they did not
reveal to potential victims. After 2003, we have seen a
tremendous amount of disclosure because of our security-breach
law. If it had not been for California, you would not even be
here today to know about all this.
So, that and the security-freeze laws, if we did not lock
up the credit reports--right now, there are four states that
allow you to close up your credit report for your credit
freeze, and they are California, Texas, Vermont, and Louisiana.
And I know there are 19 states that have introduced such
legislation.
So, if you tie the hands of State legislators, you're going
to find that there is going to be a huge amount of problems for
victims who cannot get some regulation to help them. And a lot
of your bills, even the bills that were introduced by Senator
Feinstein with regard to Social Security are based on
California law.
I understand about Federal preemption, that companies don't
want to have to speak to all of the various states and deal
with that--it's expensive--but I think we need to have a floor,
not a ceiling.
And I'll be happy to help this committee in any way I can.
Thank you.
[The prepared statement of Ms. Frank follows:]
Prepared Statement of Mari J. Frank, Esq., Attorney,
Mari J. Frank, Esq. & Associates
Good morning, Chairman Stevens, Co-Chairman Inouye, Presiding
Senator Smith, Honorable Committee Members, and invited guests. Thank
you very much for the opportunity to address you today regarding
concerns about identity theft and data broker services. I am grateful
that Congress is studying this issue to craft strong measures to
prevent identity theft in our society. Your desire to shine the light
on these problems and make needed changes deserves commendation. I also
thank this panel of witnesses who will educate us about these issues
from all perspectives and help to create solutions so that we may
better protect our personal and confidential information and reduce
this insidious crime. Additionally, I thank Senator Bill Nelson for
introducing S. 500, The Information Protection and Security Act, which
I support because it addresses the need for responsible and reasonable
oversight over the data broker services industry while providing fair
information principles. I will be happy to assist this Committee with
other legislative proposals such as S. 768 and others. Since this issue
affects each one of us, I encourage a bi-partisan collaborative
approach to protect ourselves from identity theft.
My name is Mari Frank. I am an attorney, privacy consultant, and
author of several books on identity theft from Laguna Niguel,
California. (My two newest books are Safeguard Your Identity: Protect
Yourself with a Personal Privacy Audit (Porpoise Press, 2005) and From
Victim To Victor: A Step By Step Guide For Ending the Nightmare of
Identity Theft, 2nd Edition with CD (Porpoise Press, 2005);
www.identitytheft.org.) I serve as a volunteer Sheriff Reserve for the
Orange County, California Sheriff Department, and sit on the Advisory
Board of the State of California Office of Privacy Protection which
focuses on privacy and identity theft safeguards for California
citizens. Additionally, I am a member of the State of California's
Department of Motor Vehicle's Task Force on Privacy and Identity Theft,
I've served on the Los Angeles District Attorney's Office Task Force on
Identity Theft, and I am an advisory board member to the nonprofit
Identity Theft Resource Center. I have personally assisted myriad
victims across the country with my personal time and educational
materials, and have donated hundreds of pro-bono hours to assist
victims. I have had the privilege of testifying before several
legislative bodies and four U.S. Congressional Committees, and have
consulted with national corporations on how to protect their clients,
customers, vendors, employees, and their businesses from the challenges
of identity theft and other privacy concerns. I am a certified trainer
for Continuing Legal Education of the State Bar of California, a former
law professor, and I presently teach Conflict Management at the
University of California, Irvine.
My own identity was stolen (in 1996) by an impostor who paraded as
me--stealing my personal as well as my professional lawyer identity.
While wrecking my credit, she also destroyed my sense of security and
peace of mind. My impersonator obtained over $50,000 using my name,
purchased a red convertible Mustang, and even caused me to be
threatened with a lawsuit by a rental car company for the auto that she
damaged in an accident. It took me almost a year and over 500 hours to
clear my records and regain my credit and my life. I accumulated five
banker boxes of correspondence, and lived in fear of how else this
invisible person might harm me and my children. I finally learned that
while working as a temporary secretary in a law office four hours from
my own office, my evil twin (whom I never met) was able to access my
credit history (as well as the profile of other lawyers) from an
information broker who had a contract with that office. My impostor did
not need to prove who she was or establish that she had a permissible
purpose to download the profile, so it was instantly faxed to her. From
that report, she obtained my Social Security number and other personal
and financial facts to become my identity-clone. When that data broker,
situated across the country, electronically transferred my consumer
profile to a criminal in a city 4 hours from my home, it was beyond my
control to do anything to prevent the fraud.
From that arduous nightmare, I gained great insight into the
tribulations that victims endure--I became an expert by necessity.
After speaking with several thousand victims, I have learned that most
victims are not negligent with their personal information, and that no
amount of ``consumer education'' or vigilance will protect them from
identity theft if their information is acquired in a security breach by
an unscrupulous employee, or by faulty information handling practices
of entities that maintain their data. Consumer-privacy education is
important to minimize your risk and keep you informed as to barriers to
erect, but it won't guarantee that your identity won't be stolen by a
data breach.
Your esteemed Committee has invited me to focus on the concerns and
problems experienced by victims of identity theft and security
breaches. I will concentrate my testimony on answering the following
questions:
I. What Are the Motivating Factors for Stealing Your Sensitive
Information?
II. How Does Identity Theft Occur, and What Are the Unique
Issues as to Data Brokers?
III. What Are Real Life Examples of Identity Theft as They
Relate to Information Brokers?
IV. What Is the Impact of Security Breaches on Citizens Whose
Information Is Stolen?
V. What Needs to Be Done with Regard to Minimizing the Risks of
Identity Theft With Regard to Information Brokers?
VI. What Else Is Needed To Prevent and Resolve Identity Theft?
I. What Are the Motivating Factors for Stealing Your Sensitive
Information?
In our data-driven society your personal information is readily
transferred across the world in a nano-second through networks and on
the Internet (whether or not you are a computer user). Your personal
information, worth more than currency itself, can be used to apply for
credit cards, credit lines, mortgages, cell phones, insurance,
utilities, products and services, etc., all without your knowledge. A
fraudster can do anything you can do with your identifying
information--and worse--even do things you wouldn't do such as commit
crimes, seek revenge, or engage in terrorist activities.
A. What Is Identity Theft and How Is It Used?
Identity theft occurs when your personal (or business) identifying
information such as your name, Social Security number, address, birth
date, unique passwords, business name or logo, or even biometric
information, is used or transferred with the intent to use it for an
unlawful purpose. Below are the main motivations of fraudsters:
1. Financial Gain
This includes credit, loans, new accounts, mortgages, employment,
health care, insurance, welfare, citizenship, and other governmental
and corporate benefits--anything that has a dollar value. The fraud may
take place in multiple jurisdictions, and purchases and transfers can
be made by phone, fax, online or in person. Usually, the perpetrator
can buy or ``legally'' obtain a driver's license, create checks on a
computer with the victim's name, obtain, buy, or create other identity
documents including medical cards, credit cards, passports, etc.
2. Avoiding Arrest or Prosecution
A criminal commits crimes in the real world or virtual electronic
world, or terrorist acts using the name and identifying information of
another person. Often the perpetrator also commits financial fraud as
well to supplement her income. In a recent meeting I attended with
Senator Feinstein and law enforcement, detectives and district
attorneys in California (and also in Washington) reported that 80-90
percent of identity thieves who are caught also have a pending or
prior methamphetamine charge against them as well. In my own case, my
impersonator was a ``meth'' addict who stole the identity of several
lawyers to obtain credit and funds to feed her drug habit.
3. Revenge
One can remain ``invisible'' by stealing an identity to hurt
another person. This type of fraud may occur between ex-spouses, former
business partners, ex-employees, disgruntled staff or angry customers.
We also see this type of fraud committed in businesses where one
business owner will want to ruin the reputation of another. It can
occur offline or online. I've been contacted by employees, and business
owners who learned that their e-mail address was used to discredit
them.
4. Terrorism (Breaching Homeland Security)
The September 11, 2001 terrorists had opened 14 accounts at a
Florida bank, using false Social Security numbers and other documents.
They obtained credit cards, apartment units, leased cars, and
fraudulently charged airline tickets. They not only did this for
financial gain, but also over half of them likely suspected that their
true names were in FBI files as suspected terrorists, so they committed
total identity take-over to avoid arrest. And worse, they used false
identities to get revenge against our country. In Senator Feinstein's
meeting with law enforcement in California on March 29, 2005, law
enforcement reported that suspected terrorist cells have been
apprehended with false documents in California. It is well known that
foreign nationals have covertly crossed our borders and have easily
obtained stolen identity documents to hide under the ``radar screen.''
II. How Does Identity Theft Occur, and What Are the Unique Issues as to
Data Brokers?
A. Ways That Your Personal Information Is Stolen
The scope and extent of the problem of identity theft is rampant.
In 2003 the FTC conducted a survey that found almost 10 million new victims
that year, and 27.3 million victims in the previous five years, with a
cost to consumers of $5 billion and a loss to financial institutions of
$48 billion. (www.consumer.gov/idtheft) According to the Identity Theft
Resource Center, victims paid an average of $1,400 in out-of-pocket
costs (not including attorney fees) and spent an average of 600 hours
to regain their credit and identity. (www.idtheftcenter.org) The
monetary costs are minuscule compared to the devastation, stress and
violation one feels when they are denied a job, unable to get a car or
apartment, lose the opportunity for a home, lose insurance health
benefits, or find out there is a warrant for their arrest--or worse
yet, when they are convicted of a crime committed by their impostor.
Victims have a great burden to ``prove'' their innocence, beg for an
identity theft report, and spend hundreds of hours calling and writing
various agencies and companies to get their life back.
The epidemic of identity theft is growing because sensitive,
personal information is acquired very easily, and the issuers of credit
are often less than careful in verifying and authenticating the true
identity of the applicant. There are many ways that fraudsters obtain
data about us--it may be appropriated by stolen mail, dumpster-diving,
lost or stolen wallets, shoulder surfing, burglary, friends, relatives
(only about 9 percent), unscrupulous employees, phone fraud, Internet
fraud (phishing and pharming), spyware, hackers, unprotected wireless
networks, unethical use of public documents that contain personal
information, needless display of the Social Security numbers on
government documents (such as military and Medicare identification
cards); the transfer, sale and sharing of Social Security numbers and
other data among financial institutions, credit reporting agencies and
data brokers.
B. Data Brokers Files Provide Massive, Broad-Based Information When
Accessed by Fraudsters
Although an identity thief has a choice of simple easy ways to
steal your good name, as listed above, your identity is especially
vulnerable with regard to the mega-databases held by information
brokers who are collecting, storing, sharing, buying, transferring and
selling huge amounts of personal and sensitive information in all
inclusive profiles without any governmental oversight. (For example, it
is reported that ChoicePoint has 19 billion files on citizens.)
Although the credit bureaus also hold vast financial and personal
data--and if accessed also wreak havoc for victims (like what happened
to me)--at least these credit reporting agencies are regulated by the
Fair Credit Reporting Act, and there was a way for me to correct my
file.
The very essence of the data broker business is selling a broad
range of very private and highly sensitive information which if
acquired by a person with criminal intent, provides a complete
comprehensive package ready made for total identity-takeover. These
databases contain your personal, professional, social, (possibly
criminal) and financial existence. Tapping into your data profile is a
fraudster's dream come true. The huge, lengthy dossiers provide far
more than just a Social Security number or the limited information that
could be accessed from stealing a bank account, your mail, or even your
un-shredded trash. Many of these companies have various products for
sale which will tell the recipient of the report far more about you
than your family or friends know. Most of us have seen our credit
reports and know how all embracing they are with regard to our
financial profile, but few of us have seen our complete dossier stored
and sold by the data aggregators. To give you an example of one type of
product, I have attached as Exhibit I, a sample AutoTrack report sold
by ChoicePoint for you to see how much information may be revealed
about you, which also includes the persons in your home, and
surrounding neighborhood. It should startle you.
C. Viewing Your Vast Profile
When I attended the State Bar Annual Meeting last fall, I visited
the exhibit hall and was summoned by one of the data brokers to view my
profile to see if I wished to purchase this data information service in
my law office. All I provided was my name, and instantly 30 pages of
private information (including my Social Security number) appeared on
the computer screen. I was shocked and horrified, not only because I
felt very violated by all it revealed, but worse yet, by the numerous
errors! I asked the salesperson how I could correct the information and
was told that I could not correct any information in the file; that
this information was not subject to the Fair Credit Reporting Act.
Please review this attached sample profile and consider how each
category heading is labeled, i.e.: ``Possible Social Security Numbers
Associated With This Subject; Possible Deeds Transferred; Possible
Felony/Probation/Parole.'' As a recovered identity theft victim, I was
stunned by the prospect that some of those items in my report could
have been reported as a result of my impostor's actions, and I was
fearful of what could happen to me and my family if this information
were to be acquired by someone who wished to do harm. I was reminded of
the Amy Boyer case a few years ago in which a young man, Liam Youens
used an on-line information broker--Docusearch to obtain Amy's Social
Security number, phone number, and work address in order to find her.
He then appeared at her office and killed her and then committed
suicide. Later in his computer, police found a message he had written
about data broker services--``It's actually obscene what you can find
out about people on the Internet.''
D. Data Brokers Are Operating Under the Radar Screen and Are Invisible
to Most Citizens
Even with all the publicity about data brokers and recent security
breaches, when I have spoken to large audiences in the last month about
identity theft, most people still didn't know these companies by name
or what they do, or how they gather data or what's in their databases.
There is no transparency. In fact, most people tell me that if they had
received a security breach letter from ChoicePoint or LexisNexis, they
probably would have thrown it out as ``junk mail'' since they hadn't
heard of the company and do not have a business relationship. Many
potential victims who received security breach letters have not taken
advantage of LexisNexis' offer for a year of credit monitoring (for
example) because they didn't even open the envelope, or if they did,
they didn't know what to worry about since they didn't know what was
revealed from their files to cause alarm. None of the breach letters
that I have seen contained a copy of the profile, or a detailed list of
the data that was stolen.
E. Everyone in This Room and Reading This Testimony Has a Profile in
the Data Broker Files
Do You Know What Information About You Is Being Sold?
Everyone in this room who has a birth certificate, a driver's
license, if you've been married, divorced, have auto or homeowner's
insurance, if you have ever worked, if you have a residence, if you
have any government approved license, if you've been issued a speeding
ticket--YOU ARE IN THOSE SECRET FILES. Every Senator in this room--and
every one watching this hearing has a profile in those files. Have you
seen your dossier? Do you know what fact or fiction is being sold about
you? As the law stands now--you don't have the right to know what is in
those files, nor do you have the right to correct the many errors, nor
do you have the right to know who has had access to those sensitive
files, nor can you limit their sale--actually none of us here (except
perhaps the data broker persons) have control over anything in those
files. These companies have operated in the shadows and have sold this
often erroneous information to myriad companies, journalists and
governmental agencies. Yet most Americans don't even know who these
companies are or what they do. This is America--the home of freedom and
liberty, this is not a communist country or Nazi regime where secret
files are kept on citizens--and shared with various entities and
governmental agencies. The FBI and other law enforcement agencies are
purchasing this information from data brokers, so are employers,
insurers, landlords, attorneys, private investigators, and others--
shouldn't law abiding citizens have a right to at least see the
dossiers and make sure that the information is correct?
Although the credit reporting agencies are also considered data
brokers, they are regulated by the Fair Credit Reporting Act and that
law gives us the right to see our data, review it, dispute it, correct
it, find out who has accessed it, limit its sale and review, and give
us the right to enforce our rights. Unfortunately, the information
service industry only acknowledges that a small portion of its products
apply to the FCRA (i.e., reports made for insurance, employment
history, landlord tenant history, medical insurance). Why shouldn't the
data brokers be subject to the same fair information principles?
III. What Are Some Real Life Examples of Identity Theft as They Relate
to Information Brokers?
A. Examples of Financial Identity Theft
1. John is a recent widower. After his wife died of cancer at age
35 (leaving him with three young children), he began receiving
collection calls from credit card companies, a computer manufacturer,
and a cell phone company for the items and services allegedly purchased
by his deceased wife after her funeral. He suspects that the imposter
got the information from the death certificate which has the Social
Security number and birth date on the document. This could have been
obtained in the funeral home, from public records offline or online,
through the Social Security Administration, or from any information
broker.
Many public records including birth certificates, death
certificates, marriages, pilot and captain licenses, etc. contain the
Social Security number--which is the key to the kingdom of identity
theft. The data brokers sell public records to almost anyone. John
became a victim prior to July 2003 when the California Security Breach
disclosure law became effective. If he were a victim of a security
breach after July 2003, he hopefully would have been notified, and
would have had a chance to put up barriers to protect his deceased
wife's good name and his finances.
2. Sidney, a wealthy retired executive, learned that his identity
was stolen many months after he and his wife purchased a new home. His
loan application, with his 3-in-1 credit report attached, revealed his
credit score, his checking, savings, and investment accounts, Social
Security number, and all necessary information for an impostor to
become Sidney. He believes his masquerader had gotten a copy of
Sidney's credit report which was on the broker's laptop. The impostor
opened new credit card accounts, purchased computers, electronic
equipment, furniture, rented an apartment, obtained utilities, etc.,
stealing almost $100,000, and the couple are overwhelmed.
Allowing employees to download credit reports, and maintain loan
applications in unencrypted files on laptops, which may be easily
stolen outside a secured office, makes customers very vulnerable to
identity theft. It is imperative that all companies that collect data
and transfer it for use, verify the recipient (that he or she has a
lawful, permissible purpose), set up contracts and enforcement for the
security of the information. It's critical for victims to get notice
immediately of any security breach, so that they may take steps to
intervene and stop further fraud activities.
3. Susan, a physician, received a letter from a company that she
did business with, that her Social Security number and other
information about her had been acquired by unauthorized persons. She
was terrified as to what could happen to her finances, and her
practice. She put fraud alerts on her credit profile, changed all her
passwords, even closed accounts and opened new ones. She felt very
violated, angry, frightened and upset. Almost 1-1/2 years later, she
started receiving calls from creditors from accounts she never owned--
including cell phones, credit cards, and loans. She believed the fraud
alert would remain on her credit profile--it did not. Even when the
fraud alert was on her file, companies seemed to ignore the alert and
issue credit. Since she lives in California, she was able to place a
security freeze on her profile so no one could see her credit report to
issue credit without her providing a password to release her file. Now
she has sleepless nights about her impostor parading as a doctor and
committing other crimes. She wants to see a full background check from
the information brokers.
This case shows us why it is so important to receive notice of a
security breach. Susan took proactive steps to prevent fraud, and
several companies called her and did not issue credit. Some negligent
companies ignored the alert. Because she lives in one of the four
states (presently California, Texas, Vermont, and Louisiana) that allow
victims to ``freeze'' their reports, she was finally able to stop the
financial fraud. But the fear of criminal identity theft is now
haunting her. She should be able to put a fraud alert on her consumer
profile and obtain a complete background check at no cost if she is a
victim--just as victims can obtain two free credit reports in the 12
months in which they learned of the fraud. She should also be able to
limit the sale of her consumer report and be notified with the name,
telephone number and address of a business or governmental entity
(other than Homeland Security) to see who is accessing her profile.
B. Examples of Criminal Identity Theft
1. George, a disabled veteran living in Colorado was suddenly
denied his disability payments, and hit with a large IRS bill for the
income that his impostor had earned while working under his name in
Tennessee. Upon reporting this fraud to the police, we learned that
George's impostor had also established a criminal record in yet another
state and there was a warrant for George's arrest.
George's information about his impostor's criminal activity and
work related fraud would not show up on a credit report (until the IRS
reports it), but it would show up on a background check provided by the
data brokers who are testifying today. George found out the hard way,
when he lost benefits and was arrested. If he had access to his
consumer file, he would have found out about the fraud and wouldn't
have lost his disability benefits.
George's case demonstrates why we must be able to review, dispute
and correct our consumer files. We should be able to get our complete
dossiers at least once a year at no cost as is our right to get a
credit report from each of the three credit reporting agencies under
the Fair and Accurate Credit Transactions Act.
2. Lori, a disabled vet from Virginia, and single mom with a set of
six-year-old twins was attending school to get her Master's degree in
Social Work, when the police showed up at her door. She was arrested
for a crime that she didn't commit. The woman who committed the fraud
used the name Laura along with Lori's last name. Her fingerprints did
not match the prints of the perpetrator, and the description of the
fraudster was different from Lori, yet she was convicted. With my help
and the help of new counsel, she was sentenced to probation--but the
felony record must be corrected with a new trial. Her greatest fear
isn't the new trial--it is the information broker databases that may
continue to report her as a felon even after the criminal records are
cleared. She has reason to fear as you will read in the next case.
3. Scott was laid off from a high-paying job in the medical
industry in Ohio. He had great recommendations and felt sure he would
be rehired. For two years he was denied employment after several
positive interviews and his permission to do a background check.
Finally Scott hired a private investigator who showed him his criminal
profile from a data broker. It included two DUIs and an arrest for
murder, none of which belonged to him. I spent many months helping him
to correct the sheriff and FBI databases. But months after we cleared
all the law enforcement databases, he applied for employment and was
offered the job, but after reviewing his background, he was told that
they couldn't hire him. He was in shock when the private investigator
pulled his report again and found that a major information broker was
still selling this false information to prospective employers without
updating their files. Finally after a lawsuit was filed by an Ohio
attorney, the information was corrected. But the years of anguish and
lack of employment continue to damage his career and his personal
life.
Scott had no idea why he had trouble getting a job. Although a
potential employer is supposed to tell you if you are denied employment
due to a consumer report, and let you know how to review the report,
it's understandable that an employer may be reticent to tell a
``murderer'' that he is denied employment due to his criminal history.
Instead he was told that there were others who were more suitable for
the position. If Scott had the right to see his file earlier and had
the right to correct it, he would have been able to secure employment
and perhaps not have gotten divorced, lost custody of his son, nor
become homeless for those years.
C. Examples of Identity Theft for Revenge
1. Linda was married to a prominent Chicago lawyer for 25 years.
When he decided to divorce her to marry his secretary, he had a friend
download Linda's consumer information and give it to a fraudster who
applied for numerous credit cards, ordered furniture, and other luxury
items. The fraudster also used Linda's name to set up e-mail accounts
to send the estranged husband threatening messages. This was done to
discredit Linda in court.
Obviously, there was no lawful purpose for downloading this report
from the data broker. There was no verification of permissive use by
the data broker. It clearly was revenge and self-interest.
2. The first cyber stalking case prosecuted in Orange County,
California turned out to be identity theft. A computer expert was angry
when a woman he liked shunned his advances. He proceeded to go online
to a chat room and pretend to be her--stating that she had fantasies of
being raped. From a data broker, he was able to find her home phone
number and address and shared it in the chatroom. The woman didn't even
own a computer. When several men appeared at her door to share her
fantasies, she was terrified and called the police. She had an
emotional breakdown and the violation has left scars.
3. A radio talk show host was shocked to learn that his own
identity was stolen by a disgruntled listener who bought his dossier
from an on-line information broker. Aside from calling him at home and
bullying him, he obtained access to his e-mail account and sent
embarrassing e-mails to the station, pretending to be the talk show
host.
The above cases demonstrate how identity theft is facilitated by
the data broker industry. Unless a victim gets notice of a security
breach or unless law enforcement or a private investigator can solve
the mystery, most victims don't have a clue how the criminal has gotten
his sensitive records. The assaults against these victims caused great
anguish, overwhelmed them and negatively impacted every aspect of their
lives. The time spent trying to regain their lives, the damage to their
reputation, and the out-of-pocket costs were miniscule compared with
the tremendous emotional turmoil these people endured.
IV. What Is the Impact of Security Breaches on Citizens Whose
Information Is Stolen?
Persons whose information has been stolen by criminals are victims
of a crime. They may not yet be victims of identity theft--yet they are
victims of a Federal crime. Not only has their private, sensitive
information gotten into the hands of unauthorized persons--but those
unauthorized persons have done so with the intent to commit an unlawful
act. Under 18 U.S.C. 1028, as stated below, the persons committing the
act are felons and those who are adversely affected are victims of a
Federal felony:
The Identity Theft and Assumption Deterrence Act of 1998 (Identity
Theft Act, 18 U.S.C. Sec. 1028) makes it a Federal crime when anyone:
knowingly transfers or uses, without lawful authority, a means
of identification of another person with the intent to commit,
or to aid or abet, any unlawful activity that constitutes a
violation of Federal law, or that constitutes a felony under
any applicable State or local law.
I have personally spoken with victims of security breaches who have
received notice letters from entities such as LexisNexis, ChoicePoint,
Ameritrade, Bank of America, Wells Fargo and several universities,
hospitals, and even smaller businesses. The victims of the breach feel
very violated, angry, frightened and overwhelmed and helpless. It is
well known that criminals steal the information and may often wait
months or years to use it--or they sell it in exchange for
methamphetamine or money. It may be transferred several times and used
for financial gain or to commit other crimes. Because the victims of
the breach don't know who the criminals are or their intent, they are
anxious. Additionally, the victims are not notified as to exactly what
information may have been taken, so they feel defenseless and don't
even know what to protect. Although I tell these victims actions to
take to put up barriers (placing fraud alerts, instituting security
freezes, changing passwords, changing mother's maiden name, monitoring
credit reports, etc.), victims still feel incapable of insuring that
their identity won't be stolen. Many are fearful that their family home
or office may be intruded by the perpetrators who may have their
addresses, phone numbers, bank account information and perhaps an
entire dossier.
Below are a couple of e-mails I received from victims of a security
breach explaining their strong feelings of victimization.
``My husband and I are very upset and it is overwhelming. We
are very anxious and it takes a tremendous amount of time and
effort just to get a security freeze. The credit agencies
shouldn't make it so difficult. I'm spending so much time
monitoring accounts and credit reports--it's exhausting--I feel
very vulnerable and frightened that some criminal knows all
about me and may wait to use our stuff any time, now or in the
future-- what can I do?''
``I spend sleepless nights wondering when the phone may ring,
or I will open a letter from a bill collector. I'm worrying if
someone has obtained new identification under my wife's or my
name. It is scary to think that I may be pulled over by the
police for something I didn't do. What if they drag me or Lord
forbid MY WIFE, from the vehicle and handcuff us. My wife and I
are losing too much sleep.''
The emotional impact on these victims is intense and their fears
are real. Why would a criminal steal the information if there was no
intent to sell, transfer or use it for an unlawful purpose?
V. What Needs To Be Done With Regard to Minimizing the Risks of
Identity Theft as to Information Brokers?
Data brokers must be regulated by imposing Fair Information
Practices as follows:
1. Transparency--The nature of personal data held by these
companies should be readily available for inspection by the public. The
uses of the information should be clearly defined.
2. Consent and Notice--Consumers should be able to give their
consent to the disclosure of their information prior to disclosure,
such as the rights with regard to disclosure of credit reports. The
exceptions would be for defined categories of law enforcement and
Homeland Security. In other words there should be an established,
permissible purpose; i.e.--employment background checks, insurance,
landlord tenant, etc. When a consumer gives his consent or it is
considered a ``permissible purpose,'' the consumer should be entitled
to notice of the sale, and the consumer should receive a free copy from
the entity that bought the report.
3. Consumer Access and Inspection--Individuals should have the
right to one free disclosure per year as they have for credit reports.
A central website and toll free numbers should be set up for consumers
to get their entire profile--not just a ``Clue Report.'' If a person
has become a victim of identity theft, he should be entitled to at
least one other free disclosure per year for 24 months after learning
of the stolen identity. The inspection report should be the same as
would be accessed by a company for a background check--the complete
profile. The disclosure should also provide a list of names, addresses
and phone numbers of all entities that received a copy of such report
in the last 5 years. This would include governmental entities except
for specific guidelines of Homeland security or other law enforcement
restrictions. Employers or others who order background checks on a
consumer should be required to provide a copy to the consumer upon
receipt whether or not the consumer report was a factor in hiring or
reviewing an employee or prospective employee.
4. Quality Controls and Timely Correction--The information
collected should be accurate, complete, updated and relevant to the
purpose for which it is to be used. The Data Broker industry should
allow individuals to dispute and provide prompt correction of the files
within no more than 30 days. The broker should reinvestigate without
cost to the consumer and make all appropriate changes if the
information cannot be verified. If after the data broker investigates,
it finds that the investigation verified the information, the company
shall provide the name, address and phone number of the verifying
entity so that the consumer can directly dispute the information.
5. Strict Security Controls--There should be safeguards against
risk of loss, unauthorized access, alteration, hacking, etc. Audit
trails and limited access should be standard, as well as encryption of
the sensitive data. Customers should be screened both initially and
with respect to how the end-user is safeguarding the information from
unlawful use. In the event of a security breach, the data broker must
notify all individuals whose information was acquired either on paper
or electronically with a letter providing the consumer the nature of
the breach, what information was stolen, how to protect themselves with
fraud alerts, security freezes and other useful tools. They should also
provide a free copy of the report that was accessed. Credit monitoring
and a background check monitoring would be needed. (Fraud resolution
services may be necessary.)
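The "audit trails and limited access" called for in item 5 can be made concrete in code. The following is an added example, not part of this testimony or of any data broker's system: a record-lookup gate that only releases a subject record to a subscriber vetted for a recognised permissible purpose, and that writes every request, granted or denied, to a hash-chained audit trail whose integrity can be checked afterwards. The subscriber names, purposes, subject record and audit key are all constructed for the illustration.

```python
# Added example, not part of the testimony: a record-lookup gate that
# enforces a permissible purpose and writes every request, allowed or
# denied, to a hash-chained audit trail. Subscriber names, purposes and the
# subject record are constructed for this illustration.
import hashlib
import hmac
import json
from typing import Optional

# Purposes the gate recognises (constructed; the testimony mentions
# employment background checks, insurance and landlord/tenant screening).
PERMISSIBLE_PURPOSES = {"employment", "insurance", "tenant_screening"}

# Constructed subscriber registry: the purposes each end user was vetted for
# when the account was opened.
SUBSCRIBERS = {
    "acme-hr": {"employment"},
    "friendly-realty": {"tenant_screening"},
}

# Constructed subject record (fictitious, like the sample in Exhibit I).
RECORDS = {
    "subj-0001": {"name": "J. DOE", "ssn_last4": "1234", "state": "CA"},
}


class AuditTrail:
    """Append-only log in which every entry commits to the previous entry's
    MAC, so removing or editing an earlier access breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key  # held by the audit owner, not by the lookup application
        self.entries = []

    def _mac(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hmac.new(self._key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        mac = self._mac(prev, event)
        self.entries.append({"prev": prev, "event": event, "mac": mac})
        return mac

    def verify(self) -> bool:
        """True only if every entry chains to its predecessor and carries a valid MAC."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            if not hmac.compare_digest(entry["mac"], self._mac(prev, entry["event"])):
                return False
            prev = entry["mac"]
        return True


def lookup(subscriber: str, purpose: str, subject_id: str,
           trail: AuditTrail, when: str) -> Optional[dict]:
    """Return the subject record only for a vetted subscriber with a recognised
    purpose; log the attempt either way. `when` is an ISO timestamp supplied
    by the caller so the example stays deterministic."""
    allowed = (purpose in PERMISSIBLE_PURPOSES
               and purpose in SUBSCRIBERS.get(subscriber, set()))
    trail.append({"when": when, "subscriber": subscriber, "purpose": purpose,
                  "subject": subject_id, "allowed": allowed})
    return RECORDS.get(subject_id) if allowed else None


def demo() -> dict:
    """Run an allowed lookup, a denied one, then tamper with the log."""
    trail = AuditTrail(key=b"constructed-audit-key")
    hit = lookup("acme-hr", "employment", "subj-0001", trail, "2005-05-10T09:00:00Z")
    miss = lookup("friendly-realty", "employment", "subj-0001", trail, "2005-05-10T09:01:00Z")
    intact = trail.verify()
    # Someone tries to make the denied request look legitimate after the fact.
    trail.entries[1]["event"]["allowed"] = True
    return {"hit": hit, "miss": miss, "intact_before": intact, "intact_after": trail.verify()}


if __name__ == "__main__":
    print(demo())
```

The point of keying the chain with an HMAC held outside the lookup application is that an employee who can read and write the log cannot recompute the chain after altering it; in a real deployment the key would live with the auditor or in a separate logging service, and the chain head would be published periodically so that truncation of the whole log is also detectable.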
6. Enforcement--The data broker industry must be held accountable
to consumers and victims. Outside audits and training should be
mandatory. A private right-of-action is essential to allow enforcement
of the provisions of the law. A private right-of-action provides that
the cost of the legal system policing against acts of preventable
corporate negligence is paid by the guilty parties rather than by
increasing taxes or adding to the size of government. We have seen that
many provisions of FACTA and the GLB Act have not been enforced because
Federal agencies do not have the resources or manpower to take actions
against all the violations. Why should our taxes be spent to right
the wrongs of companies who violate the law? Individuals should be able
to seek redress for their damages without having to rely on the
government to intervene; however, for large cases, enforcement should be
available in state courts by private parties, attorneys general and the
FTC.
7. Preserving States Rights--Consumer reforms with regard to
identity theft have derived from proactive States that were responsive
to the plight of their citizens. Some examples of this are: the right to
a free credit report, annually, the right to place a fraud alert, the
right of victims to obtain information from businesses and creditors to
regain their identity. More recently we have found out about the
security breaches of two of the data brokers here today only because of
the California Security Breach law. Both ChoicePoint and LexisNexis
admitted in a Senate hearing that they both experienced significant
breaches prior to July 2003, when the California law became effective,
and did not notify any of the victims of the breach. Since February
2005, over 4 million Americans have been victims of various security
breaches. (See Exhibit II from the Wall Street Journal)--none of which
we would have heard about, but for the California law. Arizona and
California were the first two states to make identity theft a crime--
leading all the states and the Federal Government to establish the
consumer as a true victim. Numerous states are instituting security
freezes to lock up a consumer's credit so fraud cannot continue.
Federal law should serve as a floor, not a ceiling, so that states can,
if need be, quickly address the crises of their victims.
VI. What Else Is Needed To Prevent and Resolve Identity Theft?
1. Security Breach Notification must extend to all states--All
governmental agencies, and private industry, schools, and other
entities should be held accountable to quickly notify all persons whose
sensitive and personal information (paper and electronic files) were
acquired by an unauthorized person. There should be an exception for
encryption only if it is robust and if the unauthorized acquisition was
not capable of being decrypted by an unscrupulous employee or customer.
The standard of providing notice should be triggered by the acquisition
of the data rather than the use of it. A bank or other entity who
experiences a breach should not be allowed to determine the possibility
of the misuse. The only delay of notice would be for law enforcement
upon its written request. Allowing the business or entity to make the
call as to when there might be a risk of harm is like allowing the wolf
to tend the henhouse. There should be enforcement by the FTC, State
attorneys general and private individuals. Any preemption should be a
floor and not a ceiling so that states can protect their own citizens
regarding unique needs. As a member of the advisory board of the
California Office Of Privacy Protection, we created a list of
``Recommended Practices on Notification of Security Breaches Involving
Personal Information'' as a guide for dealing with security breaches,
please visit www.privacy.ca.gov to review those standards.
2. Governmental agencies as well as private industry should limit
the use of the Social Security number since it is presently the key to
the kingdom of financial fraud--Our advisory board to the Office of Privacy
Protection in the California Office of Consumer Affairs also had the
privilege of developing the ``Recommended Practices for Protecting the
Confidentiality of Social Security Numbers'' (www.privacy.ca.gov). This
document should be considered by both public and private sector entities
as a guide to protect all consumers.
The Social Security number is used as the identifier for military
cards and ``dog-tags,'' Medicare, Medicaid, pilot's licenses, captain's
licenses, etc. No entity should be allowed to display, post, or sell
the SSN. The SSN in public records should be redacted before posting.
There should be no collection of SSNs by private or governmental
agencies except where necessary for a transaction and there is no other
reasonable alternative. SSNs collected for a specified purpose should
not be used for any other purpose.
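The recommendation above that SSNs in public records be redacted before posting can be implemented as a simple pre-publication filter. The following is an added example, not part of this testimony or of the California recommended practices: it masks every token shaped like a Social Security number in free text, whether written with dashes, spaces or as nine bare digits, while leaving phone numbers, account numbers and reference numbers alone. The masking style follows the XXXX convention of the sample report in Exhibit I; the sample text is constructed.

```python
# Added example, not from the testimony: redact anything shaped like a Social
# Security number from free text before it is posted or shared. The sample
# text in the test is constructed; the XXXX masking style follows Exhibit I.
import re

# Three-two-four digit groups joined by a dash, a space or nothing (the same
# separator both times). The lookarounds refuse a match that touches another
# digit or dash, so a ten-digit phone number, a 13-digit account number or a
# six-digit reference number is left alone.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def redact_ssns(text: str, keep_last4: bool = True) -> str:
    """Mask every SSN-shaped token. With keep_last4 the output is XXX-XX-1234
    (the usual 'last four' convention); otherwise the first five digits are
    kept and the serial masked, as in the Exhibit I sample report. Output is
    always written in the dashed form regardless of the input separator.
    No validity check is made on the area or group numbers: for a redactor,
    masking a never-issued number is harmless, while missing a real one is not."""
    def mask(m: re.Match) -> str:
        area, group, serial = m.group(1), m.group(3), m.group(4)
        if keep_last4:
            return f"XXX-XX-{serial}"
        return f"{area}-{group}-XXXX"
    return SSN_RE.sub(mask, text)


def count_ssns(text: str) -> int:
    """How many SSN-shaped tokens a document still contains (0 after redaction)."""
    return len(SSN_RE.findall(text))


if __name__ == "__main__":
    # Constructed record in the style of Exhibit I, with a phone and account
    # number included to show that they survive untouched.
    sample = ("SSN 960-45-1234 issued in New York\n"
              "Phone: 555-123-4567  Acct: 1234567890123  Ref: 123456\n"
              "Alt SSN: 690 45 1234; raw: 690451234")
    print(redact_ssns(sample))
    print("remaining:", count_ssns(redact_ssns(sample)))
```

A filter like this belongs at the point where a record is exported or posted, with count_ssns run over the output as a release gate: any non-zero count means the document is not ready to leave the organisation.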
3. Mandatory Destruction of Confidential Information--Governmental
agencies and private industry should be required to completely destroy
personal information that they are discarding by shredding, burning or
whatever means is necessary to protect the information from
dumpster-diving. This should extend to any confidential and sensitive
information--not just information derived from consumer reports.
4. Departments of Motor Vehicle Licensing--Bureaus should establish
more stringent monitoring and matching of duplicate licensing and new
licenses. A photo ID and a fingerprint could be matched. Rather than
developing a ``national ID'' with various forms of biometric
information, credit cards and other unnecessary information which would
complicate the process and invade privacy, this license would help
deter interstate identity theft without collecting too much information
or allowing it to be accessed or sold to private industry.
5. Need for an Easier Process for Victims--Problems with the Fair
and Accurate Credit Transactions Act (which was meant to make things
easier for victims)--
a. An Identity Theft Report is needed in order for victims to
get an extended fraud alert, block the fraud on their profile,
and gain access to records of the fraud--FACTA was meant to
streamline and help victims of identity theft. However, the new
rules recently released by the FTC with regard to the
``Identity Theft Report'' clearly show the time-consuming maze
that a victim must maneuver. Below is an example of the hassle
of exerting your victim rights with regard to the FTC rule
about the ``Identity Theft Report.''
``An Identity Theft Report may have two parts:
Part One is a copy of a report filed with a local, State, or
Federal law enforcement agency, like your local police
department, your State attorney general, the FBI, the U.S.
Secret Service, the FTC, and the U.S. Postal Inspection
Service. There is no Federal law requiring a Federal agency to
take a report about identity theft; however, some State laws
require local police departments to take reports. When you file
a report, provide as much information as you can about the
crime, including anything you know about the dates of the
identity theft, the fraudulent accounts opened and the alleged
identity thief.
Note: Knowingly submitting false information could subject you
to criminal prosecution for perjury.
Part Two of an identity theft report (depends on the policies
of the consumer reporting company and the information provider)
(the business that sent the information to the consumer
reporting company). That is, they may ask you to provide
information or documentation in addition to that included in
the law enforcement report which is reasonably intended to
verify your identity theft. They must make their request within
15 days of receiving your law enforcement report, or, if you
already obtained an extended fraud alert on your credit report,
the date you submit your request to the credit reporting
company for information blocking. The consumer reporting
company and information provider then have 15 more days to work
with you to make sure your identity theft report contains
everything they need. They are entitled to take five days to
review any information you give them. For example, if you give
them information 11 days after they request it, they do not
have to make a final decision until 16 days after they asked
you for that information. If you give them any information
after the 15-day deadline, they can reject your identity theft
report as incomplete; you will have to resubmit your identity
theft report with the correct information:'' (FTC Rules)
This rule is not only cumbersome it is confusing and allows the
credit reporting agencies to delay unnecessarily and it gives
victims a run around. I have already heard from many victims
who are frustrated, angry, and unable to block the fraud or
even extend the fraud alert.
b. Law enforcement agencies at the local, State and Federal
level should develop a uniform ``identity theft report'' to be
compliant with FACTA--and the FTC should determine what
satisfies an ``identity theft report''--New provisions of the
Fair Credit Reporting Act require a detailed ``identity theft
report'' to send to the credit grantors, and the credit
reporting agencies. If a proper identity theft report is sent
to the credit reporting agencies they are required to do the
following: place an extended fraud alert for 7 years, block all
the fraud on the profile immediately; notify the creditor that
the accounts are blocked. Additionally, if the victim provides
a proper identity theft report to the creditors, they must
provide all documentation of the fraud to the victim and to the
law enforcement agency within thirty days. Unfortunately, the
agencies themselves are deciding what is ``proper'' and many
victims contacted us because they are not able to appease the
credit reporting agencies nor the credit grantors with the
reports. So they cannot exert these rights afforded under the
law and there is no private right-of-action to enforce these
rights.
The FTC should determine what will be acceptable as an identity
theft report and facilitate the victim's report. It should be
adhered to by law enforcement as well as the financial industry
without imposing an arduous task upon the victim. Also, the
victim should be able to get a police report in the
jurisdiction where she lives even if the impostor is in another
state. And, the case should be able to be prosecuted in the
jurisdiction where the victim lives or the jurisdiction where
the crime takes place. All police should be required to provide
a proper identity theft report even if they do not have the
resources to investigate the crime.
c. Initial Fraud alert should be one year--FACTA allows a
victim of a breach or fraud to place a fraud alert on credit
profiles for at least 90 days with their first phone call. To
extend the alert they must write a letter and provide an
``identity theft report.'' The initial fraud alert should be
changed to at least 1 year especially because victims of a
security breach may not be victimized for a long time.
d. Free credit report for victim should be available by phone
when calling in the fraud alert--Prior to the passage of FACTA,
victims could order their free credit report to review their
files at the same time they place a fraud alert. Now, the
credit reporting agencies (except for TransUnion
``temporarily'') do not give the victim an opportunity to get
the free credit reports in the initial phone notification of
the fraud. They are later sent a letter notifying them of their
right to a free report upon request. This is another delay
which allows the impostor more time to do his ``dirty work,''
and this is an added burden for the victim and costlier for the
creditor. The victim should be allowed to order the first of
his two free reports during the initial fraud alert phone call.
e. Victims should be provided a complete report upon disputing
the fraud and the victim should be able to see the report that
the creditors see--The CRAs are now sending corrections instead
of complete corrected reports to victims. This is dangerous
since other new fraud may appear on the report. Also--the
report that a creditor receives is more comprehensive than the
report that the victim sees, so this is not complete
disclosure.
6. Funding for law enforcement for identity theft cases should be
greatly increased since this is also a Homeland Security issue--All
major metropolitan areas should be funded to set up identity theft task
forces to include the Secret Service, the Postal Inspector, the Social
Security Inspector, the FBI, INS, State attorney general and local law
enforcement to collaborate in the investigation and prosecution of
these crimes since suspected terrorists will need to utilize stolen
identities to attempt their missions.
7. Law enforcement agencies should help victims of criminal
identity theft--A Federal law should set forth steps for law
enforcement to take (in conjunction with the judicial system), to
assist victims of criminal identity theft. So a victim of criminal
identity theft in California, whose impostor is in New York, could be
declared innocent in New York as well as California. This would entail
a national database of the criminal information and fingerprints. It
would contain the order of the true person's fingerprints for
comparison with the fingerprints of the impostor-criminal in New York.
The court would enter a declaration of factual innocence and any
warrants for the victim would be dismissed. All databases would be
corrected so that background checks would not show the victim as having
an arrest or criminal record. (See California law and package for
victims to clear their criminal record www.privacy.ca.gov).
8. Set up State and Federal Offices for Privacy Protection--There
should be a Federal office of privacy protection as well as State
offices. The office of privacy protection should institute an ombudsman
office to assist citizens with identity theft and other serious privacy
issues. It should also coordinate and review the various governmental
offices of privacy to ensure oversight.
9. Credit Reporting Agencies--
a. Consumers should be able to put a complete freeze on their
credit reports in order to prevent identity theft--This would
enable the consumer to prevent their credit report from being
accessed by a creditor without the specific authorization of
release with a password. California, Texas, Vermont and
Louisiana have passed such laws. It would be impossible for an
impostor to apply for credit if there were a freeze on the
file. The consumer would have the right to release the file
when he so desires by a password or pin number. Every State
should pass this legislation or if it is Federal legislation,
then there needs to be a private right-of-action and no Federal
preemption.
b. Credit reporting agencies should provide to victims a
COMPLETE REPORT when providing corrections--All reports should
include the names, addresses and phone numbers of the companies
who accessed the consumer's credit report, including inquiries
with the issuance of a consumer report so that potential
victims could verify the permissible purpose.
c. Credit reporting agencies should notify a consumer by e-mail
when his/her credit report has been accessed--The agency should
be allowed to charge a minimal fee for this service--as to
actual cost (i.e., $10 per year).
d. Credit reporting agencies should set up hotlines with live
persons to talk to victims of identity theft--A live employee
in the fraud department should be assigned to a particular
victim--so the victim doesn't have to re-explain all the
problems in numerous letters.
10. Banks and other Creditors should be held accountable for
protecting consumers and others from identity theft--
a. Creditors who issue credit to an impostor after a fraud
alert is placed on a credit profile, should be held liable and
the victim should have a private right-of-action to enforce his
rights--Presently if a creditor ignores the fraud alert, only
the Federal Trade Commission or other Federal agencies may
bring an action and they clearly cannot enforce individual
rights nor do they have the resources to deal with most of the
violations. There should be a fixed penalty of at least $1000
per occurrence or actual damages, whichever is greater.
b. Need for private enforcement of access to business records--
If a fraud victim provides notification of fraud and includes
an ``identity theft report'' and an affidavit, under the FCRA,
a creditor is required, within 30 days, to provide copies of
all billing statements, applications and other documents of
fraud to the victim and the designated law enforcement agency.
Presently, victims are contacting us that many companies are
refusing to provide the information without a subpoena. Victims
presently have no private right to force a company to provide
this data. Only the FTC, or other Federal agencies, may bring
an action--but it cannot help an individual consumer. This must
be changed so that there will be enforcement of the provision
of the Act.
c. Creditors should not be allowed to send ``convenience
checks'' without a prior request by the consumer--I was told by
a postal inspector that 35 percent of these checks are used
fraudulently.
d. Credit grantors should not be allowed to send pre-approved
offers of credit without the PRIOR request of the consumer.
Identity Theft Conclusions
Personal, confidential, and financial information is a valued
commodity in our society. Data brokers have flourished abundantly while
selling and transferring your extensive, aggregated personal profiles
which include your income, credit worthiness, buying, spending,
traveling habits, health information, age, gender, race, etc. Facts
about our personal and financial lives are shared legally, and
illegally, without our knowledge or consent--on-line and off-line
everyday. Privacy protection in the age of data collection is really
more about limiting access and instituting inspection and correction to
our records, rather than keeping the information secret. We have lost
control over the dissemination of our sensitive data, and this has led
to the enormous epidemic of identity theft. The huge data breaches in
recent months have shined the light on the immensity of the problem of
identity thieves and the havoc they cause. But it also has enlightened
our lawmakers to collaborate to create a new framework for reasonable
regulation of the data broker industry.
To avert identity theft, the burden is on the data brokers and the
financial industry, who are in the unique position on the front end, to
take precautions, require verification, and authentication of
employees, vendors, business associates and customers, and refuse to
sidestep fair information principles. Data brokers, the credit
reporting agencies and the financial industry are in a powerful position
to prevent the fraud before the impostor can establish a parallel
``shadow profile.''
I am hopeful that as a result of the gigantic breaches of sensitive
information, this Congress will create a regulatory framework for
the information brokers that will protect our citizens and enable the
Data Broker industry to help society. I encourage you to strongly
consider the thoughtful and well reasoned language of S. 500, which
implements the Fair Information Principles, yet acknowledges the
importance of the work that the data industry provides, while safeguarding
the identity of every American.
Thank you for the opportunity to share these concerns and
suggestions with this Honorable Committee.
Exhibit I
Sample Auto Track Data on Fictitious Person From ChoicePoint
National Comprehensive Report Plus Associates
Compiled on 01/05/2002 at 3:39PM
Reference: 123456
ZACHARY K THUL DOB: JAN 1955
SSN 960-45-XXXX issued in New York between 1968 and 1970
Possible AKA's for Subject
THUL, ZACK K SSN: 960-45-XXXX
Possible Other Social Security Numbers Associated with Subject
THUL, ZACHARY K SSN: 690-45-XXXX
THUL, ZACHARY K SSN: 690-45-XXXX
**ALERT** A Death claim was filed for SSN 690-45-XXXX in FEB 1962.
Possible Other Records/Names Associated with Social Security
Numbers
KIRBY, LOARDA SSN: 983-16-XXXX
KIRBY, LORADA SSN: 960-45-XXXX
Possible Driver Licenses
THUL, ZACHARY K
DL: T432117680470 issued in Ohio on 12/19/1996 expires 02/07/2001
DOB: 01/17/1955 Height: 5'08"
7891 W FLAGLER ST MIAMI, OH 38972
Possible Addresses Associated with Subject
SEP-1997/DEC-2000--7891 W FLAGLER ST
MIAMI, OH 38972
JUN-1995/AUG-1997--15 ROBY AVE (555) 123-4567
HAMPTON BAYS, NY 11238
JUN-1996/JUN-1996--1400 35TH ST K 4I
SPRINGFIELD, FL 34090
MAY-1995/MAY-1995--4833 STORM ST APT 33
SPRINGFIELD, OH 34443
JUL-1994/JUN-1996--4833 STORM ST I33
SPRINGFIELD, OH 34443
SEP-1994/JUL-1995--305 WAYBREEZE BLVD
COLUMBUS, OH 34209
DEC-1992/APR-1995--70 REARVIEW DR
RIVERBEND, NY 11903
438 BULLSIDE TER W
HACKENSACK, NJ 09348
The following is a sample National Comprehensive Report
SM Plus Associates.
The amount and type of records identified in a report will vary
from subject to subject. All names and other information are fictional
and are for illustrative purposes only. Any resemblance to real persons
or public record information is unintentional. Some National
Comprehensive Reports SM may locate a partial date of birth.
Frequently, subjects of a National Comprehensive Report SM
will be linked to other names because two public records reference two
different names, but only one Social Security number. The most common
reasons for these occurrences are:
1. Typographical errors
2. Jointly filed public records which list both the subject and the
second name
3. Father and son who have the same name
4. Fraudulent use of a Social Security number
The dates represent
the approximate time period when the linked address appeared on a
publicly available record document for the subject. The subject may or
may not have resided at any of the addresses. Some public records link
the subject to an address without noting a date range. Addresses
without date ranges will appear at the bottom of the address list. Such
an address may be current or historical. Underlined Items provide a
Link to record details.
Phone Listings for Subject's Addresses
1400 35TH ST W SPRINGFIELD, FL 34090
Over 100 phone numbers found, only same last name considered.
4833 STORM ST SPRINGFIELD, OH 34443
ACME RENTALS (555) 555-1935
305 WAYBREEZE BLVD COLUMBUS, OH 34209
THUL ZACHARY (555) 498-5525
Possible Real Property Ownership
4833 STORM ST SPRINGFIELD, OH 34443
Ohio Assessment Record--County of: CLARK
Owner Name: THUL, ZACHARY
Parcel Number: 998-8748-9448
Short Legal Desc: STORM ST IR PT LOT 7& ADK J S BUCKINGHAM AM EST
Property Type: SINGLE FAMILY
Recorded Date:
Situs Address: 4833 STORM ST I 33
SPRINGFIELD, OH 34443
Mailing Address: 7891 W FLAGLER ST
MIAMI, OH 38972
Assessment Year: 1995 Tax Year: 1997
Assessed Land Value: Market Land Value: $366,800
Assessed Improvements: Market Improvements: $192,000
Total Assessed Value: Total Market Value: $558,800
Most Recent Sale: $305,000 Prior Sale Price:
A manual search of Real Property using the name THUL ZACHARY K is
recommended. 4 additional property records exist (including
historicals) but are not included, as they do not match all necessary
criteria.
Possible Deed Transfers
305 WAYBREEZE BLVD COLUMBUS OH 34209
Ohio Deed Transfer Records--County of: FRANKLIN
Parcel Number: T545663
Legal Desc: LT 56 BLK 87 PB 14/38
Sale Price: $84,000 Loan Amount: $67,200
Contract Date: 8/14/1995
Lender: LIBERTY SAV BK
Situs Addr: 305 WAYBREEZE BLVD
COLUMBUS, OH 34209
Seller(s): THUL, ZACHARY K
Buyer(s): SMITH, BART O
Possible Vehicles Registered at Subject's Addresses
1400 35th ST K 4I SPRINGFIELD, FL 34090
Plate: K387KJ State: NY Date Registered: 08/14/1995 Expire Date:
08/29/2000
Title: 76174678 Title Date: 10/30/1998
OWNER: ZACHARY K THUL
Color: WHITE
1999 DODGE GRAND CARAVAN SE
DODGE GRAND CARAVAN SE--3.3L V6 SOHC FLEXFUE
VIN: 2B5CD3595EK253648
MINIVAN
Plate: ID036H State: FL Date Registered: 04/28/1999 Expire Date:
10/30/2000
Title: 77465960 Title Date: 09/29/1998
OWNER: ZACHARY K THUL
Color: RED
1997 CHEVROLET S10 PICKUP
CHEVROLET S10 PICKUP--2.2L L4 EFI OHV 8V
VIN: 1GCCS144X8144822
PICKUP
This message probably indicates that a multi-unit building is
located at this address.
By comparing the list of Possible Addresses Associated with Subject
with the listed phone numbers in the Phones module, the report finds
phone numbers, which have been listed at the given address. In this
report, one property record was found in Real Property SM
which matched the subject's name and address and the properties situs
address. This message indicates that additional records in Real
Property SM match the subject's name, but none of these
records had a situs address that matched an address found at the top of
the report. These additional properties may belong to the subject or
may simply belong to someone with the same name. Search Real Property
SM by name for a complete list of possible properties. A
list of states and counties for which AUTOTRACK XP SM has
deed transfer records can be located by choosing the Help link from the
blue AUTOTRACK XP SM navigation bar at the top of the
screen. The property information returned from this database may differ
from the information found in Real Property SM. (See the
above note on Possible Property Ownership.) A list of states for which
AUTOTRACK XP SM has vehicle registration records can be
located by choosing the Help link from the blue AUTOTRACK XP
SM navigation bar at the top of the screen. Underlined items
provide a link to record details.
Possible Watercraft
Owner: THUL ZACHARY
Address: 70 REARVIEW DR
RIVERBEND, NY 11903
Year: 1988 Length: 41.9, MFG:
Reg Number: K989495 State Registered: NY
Hull Const.: FIBERGLASS
Hull Number:
Use: PLEASURE
Propulsion: INBOARD
Fuel: GASOLINE
Possible FAA Aircraft Registrations
Owner: THUL ZACHARY K
Year: 1957
Make: PIPER
Model: PA-22
N-Number: N0225J
Aircraft: FIXED WING SINGLE ENGINE
Address: 4833 STORM ST I33
SPRINGFIELD, OH 34090
Possible UCC Filings
Original Date: 02/09/1988
Action: INITIAL FILING Date: 1988
File State: OHIO
Debtor: ZACHARY THUL
Address: 305 WAYBREEZE BLVD
COLUMBUS OH 34209
Secured Party: HOME SAVINGS & LOAN ASSOC
AKRON OH
A list of states for which AUTOTRACK XP SM has Uniform
Commercial Code lien records can be located by choosing the Help link
from the blue AUTOTRACK XP SM navigation bar at the top of
the screen.
Possible Bankruptcies, Liens and Judgments
Court Location: EASTERN DISTRICT OF OHIO--FRANKLIN
Filing Type: CHAPTER 7 DISCHARGE Filing Date: 08/14/1996
Case Number: 98555555 Release Date: 12/18/1996
Creditor/Plaintiff: MARTIN T MARTINSON Amount:
Debtor/Defender: THUYL ZACHARY K
305 WAYBREEZE BLVD SSN: 960-45-XXXX
COLUMBUS, OH 34209
Attorney: MARTIN T MARTINSON
Possible Professional Licenses
Type: OHIO Professional License
License Type: LICENSED SOCIAL WORKER
Lic. Number: 42389 Status: ACTIVE
Original Date: 01/10/1990
SSN: DOB:
Phone:
Full Name: THUL, ZACHARY K
Address: 4833 STORM ST I33
SPRINGFIELD, OH 34090
County: CLARK
Possible FAA Pilot Licenses
Pilot Name: THUL, ZACHARY K
FAA Class: PRIVATE PILOT
FAA Rating: SINGLE ENGINE LAND
Medical Class: THIRD CLASS--VALID FOR 24 MONTHS
Medical Date: 07/19/98
FAA Region: NORTHWEST/MOUNTAIN--CO, ID, MT, OR, UT, WA, WY
Address: 4833 STORM ST I33
SPRINGFIELD, OH 34090
Possible DEA Controlled Substance Licenses
Business: PRACTITIONER
Name: THUL, ZACHARY K MD Expires: 09/30/1999
Address: 7891 W FLAGLER ST
MIAMI OH 38972
Authorized Drug Schedules: II, II, III, III, IV, V
Certain individuals and businesses are required to be registered
under the Controlled Substance Act. Physicians, dentists, and
veterinarians are among this group. For a more complete explanation and
definition of the drug schedules, choose the Help link from the blue
AUTOTRACK XP SM navigation bar at the top of the screen.
Possible Business Affiliations
15 ROBY AVE HAMPTON BAYS, OH 11238
STETSON HAULING, INC. OH 2543854
CHAIRMAN ACTIVE
Officer Name Match Only (NOT necessarily affiliated)
Matching Name : THUL ZACHARY K
OLSON FAMILY PROPERTIES & INVESTMENTS, INC. MA 789123
REG AGENT ACTIVE
TOO HOT TO HANDLE FL H76543
SECRETARY INACTIVE
A list of states for which AUTOTRACK XP SM has corporation
records can be located by choosing the Help link from the blue
AUTOTRACK XP SM navigation bar at the top of the screen.
Possible Relatives (* denotes match with one of subject's addresses)
(R-1) THUL CLAIRE DOB: DEC 1954
SSN 999-15-XXXX issued in New York in 1973
SEP 1994/JUL 1998--*305 WAYBREEZE BLVD
COLUMBUS, OH 34209
JUL 1995/JUL 1995--*15 ROBY AVE (555) 123-4567
HAMPTON BAYS, NY 11238
OCT 1994/OCT 1996--355 LAVERNE AVE
COLUMBUS, OH 34492
DEC 1992/DEC 1996--*70 LAKEVIEW DR
RIVERHEAD, NY 11901
(R-2) THUL TOMMY DOB:
DEC 1995/DEC 1996--599 MAIN ST
RIVERBEND, NY 11093
APR 1995/AUG 1995--355 LAVERNE AVE
COLUMBUS, OH 34492
A person will qualify as a possible relative in the National
Comprehensive Report Plus Associates SM if he or she has the subject's
last name and has been linked to one or more of the same addresses
which appear under Possible Addresses Associated with Subject on page
1. The asterisks indicate an address match between the possible
relative and the subject of the report (see Possible Addresses
Associated with Subject on page 1).
Other People Who Have Used the Same Address of the Subject
(* denotes match with one of subject's addresses)
15 ROBY AVE HAMPTON BAYS, NY 11238
(O-1) GENNINE LOWELL
SSN 972-45-XXXX issued in New York between 1966 and 1969
SEP 1993/SEP 1994--5 NEWTON AVE
HAMPTON BAYS, NY 12983
12 M BAY ST
HAMPTON BAYS, NY 13987
*15 ROBY AVE
HAMPTON BAYS, NY 11238
305 WAYBREEZE BLVD COLUMBUS, OH 34209
(O-2) MARIE G SMITH
SSN 991-25-XXXX issued in New Jersey in 1962
SEP 1993/SEP 1994--*305 WAYBREEZE BLVD
COLUMBUS, OH 34209
AUG 1995/AUG 1996--301 BAYSIDE TER
CHARLOTTE, OH 34258
SEP 1993/SEP 1994--*438 BULLSIDE TER W
HACKENSACK, NJ 09348
Possible Licensed Drivers at Subject's Addresses
7891 W FLAGLER ST MIAMI, OH 33144
THUL, EDWARD H
DL: T600465 issued in Ohio on 07/27/1994 expires 09/11/2000
DOB: 04/19/1969 Height: 5'02"
1400 35TH ST K 4I SPRINGFIELD, FL 34090
**No Drivers Found At This Address**
4833 STORM ST I33 SPRINGFIELD, OH 34443
**91 Drivers found at this address, only last name considered. **
**No Drivers Found At This Address**
305 WAYBREEZE BLVD COLUMBUS, OH 34209
THUL, STACEY B
DL: T600788 issued in Ohio on 07/24/1994 expires 04/27/2001
DOB: 05/26/1926 Height: 5'04"
Driver License Information is unavailable for the following states:
NEW YORK, NEW JERSEY
The report will attempt to locate a brief list of addresses for the
possible relative. To possibly locate more current addresses for the
relative, run a report by clicking on the underlined link. A person
will qualify for this category in the National Comprehensive Report
SM Plus Associates if he or she has a last name different
from the report subject's last name and has been linked to one or more
of the same addresses, which appear under Possible Addresses Associated
with Subject on page 1. A person may be linked to one of the same
addresses as the subject, even though he or she has never known the
subject. Two people might be linked to the same address but at
different time periods. For example, one person could be a former
resident of the address where the subject now resides. Multiple address
matches with the subject, denoted by multiple asterisks, will identify
people who have a greater likelihood of knowing the subject.
This message probably indicates that a multi-unit building is
located at this address.
Neighbor Phone Listings for Subject's Addresses (only first six
addresses included)
7891 W FLAGLER ST MIAMI, OH 33144
STATER OFFICE PRODUCTS 7895 W FLAGLER ST (555) 555-0482
BIG ED'S MUFFLER SHOP 7897 W FLAGLER ST (555) 555-3358
BUD'S USED CARS 7900 W FLAGLER ST (555) 555-8288
15 ROBY AVE HAMPTON BAYS, NY 11238
FELLINGHAM MIKE 4 ROBY AVE (555) 555-8697
SCOTT GORDON G 6 ROBY AVE (555) 555-1297
GHERSI JOHN 8 ROBY AVE (555) 555-6819
ELIAS SIMON 9 ROBY AVE (555) 555-2659
SCALCIONE STAN 10 ROBY AVE (555) 555-8425
CANGIANO F P 12 ROBY AVE (555) 555-5217
CORCORAN STEVE 26 ROBY AVE (555) 555-9917
1400 35TH ST K SPRINGFIELD, OH 34443
AHRENDT DAN 1400 35 ST K (555) 555-1664
ALPIN JEFF 1400 35 ST K (555) 555-8117
AMBROSE A 1400 35 ST K (555) 555-7553
APURTON J 1400 35 ST K (555) 555-0735
ARNOLD ROBY 1400 35 ST K (555) 555-4071
BAKER C R 1400 35 ST K (555) 555-8490
BALCHUNAS TERRY 1400 35 ST K (555) 555-5753
BAMBERGER RICHARD 1400 35 ST K (555) 555-8203
The following databases were searched but data for the subject was
not found:
ABI Business Directory, Active U.S. Military Personnel, Broward
County Felonies/Misdemeanors, Broward County Traffic Citations, Federal
Firearms and Explosives License, Florida Accidents, Florida Banking and
Finance Licenses, Florida Beverage License, Florida Boating Citations,
Florida Concealed Weapon Permits, Florida Day Care Licenses, Florida
Department of Education, Florida Felony/Probation/Parole, Florida
Fictitious Name, Florida Handicap Parking Permits, Florida Hotels and
Restaurants, Florida Insurance Agents, Florida Marriages, Florida Money
Transmitter Licenses, Florida Salt Water Product Licenses, Florida
Securities Dealers, Florida Sexual Predator, Florida Tangible Property,
Florida Tobacco License, Florida Unclaimed Property, Florida Worker's
Compensation Claims, Marine Radio Licenses, Significant Shareholders,
Trademarks/Service Marks, and state-specific databases.
***End of Report SS--009/01***
Control Numbers: 5661614--5661620--1BF47FA5975FBA0
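The explanatory notes in Exhibit I state the rules the report applies when it links public records: a name-matched record carrying a different Social Security number becomes a "possible other SSN"; a record carrying the subject's SSN under a different name becomes a "possible other name"; a person with the subject's last name and at least one shared address is listed as a "possible relative"; a person with a different last name and a shared address is listed under "other people who have used the same address"; and each shared address earns an asterisk. The Python below is an added example by the editor of this page, not part of Ms. Frank's testimony and not ChoicePoint's code. It implements those stated rules over a small constructed set of records (names and addresses borrowed from the fictitious exhibit, with a transposed SSN and a misspelled surname added to show how such defects propagate). The Record type, its field names and the sample rows are the example's own assumptions.

```python
"""Linkage rules of a data-broker "comprehensive report", reconstructed from the
sample report's own explanatory notes. Constructed data only; not ChoicePoint code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One public-record row as a broker ingests it (SSNs masked as in the report)."""
    source: str
    first: str
    last: str
    ssn: str
    address: str


# Constructed sample rows loosely modelled on the fictitious exhibit, including the
# defects the report's notes warn about: a transposed SSN (deed row), a misspelled
# surname (bankruptcy row), and a second person carrying the subject's SSN (Kirby).
RECORDS = [
    Record("OH driver license", "ZACHARY", "THUL", "960-45-XXXX", "7891 W FLAGLER ST, MIAMI, OH 38972"),
    Record("NY phone listing", "ZACHARY", "THUL", "960-45-XXXX", "15 ROBY AVE, HAMPTON BAYS, NY 11238"),
    Record("OH deed transfer", "ZACHARY", "THUL", "690-45-XXXX", "305 WAYBREEZE BLVD, COLUMBUS, OH 34209"),
    Record("NJ phone listing", "ZACHARY", "THUL", "960-45-XXXX", "438 BULLSIDE TER W, HACKENSACK, NJ 09348"),
    Record("OH bankruptcy", "ZACHARY", "THUYL", "960-45-XXXX", "305 WAYBREEZE BLVD, COLUMBUS, OH 34209"),
    Record("NY phone listing", "LORADA", "KIRBY", "960-45-XXXX", "12 M BAY ST, HAMPTON BAYS, NY 13987"),
    Record("OH phone listing", "CLAIRE", "THUL", "999-15-XXXX", "305 WAYBREEZE BLVD, COLUMBUS, OH 34209"),
    Record("OH phone listing", "CLAIRE", "THUL", "999-15-XXXX", "355 LAVERNE AVE, COLUMBUS, OH 34492"),
    Record("NY phone listing", "GENNINE", "LOWELL", "972-45-XXXX", "15 ROBY AVE, HAMPTON BAYS, NY 11238"),
    Record("OH phone listing", "MARIE", "SMITH", "991-25-XXXX", "305 WAYBREEZE BLVD, COLUMBUS, OH 34209"),
    Record("NJ phone listing", "MARIE", "SMITH", "991-25-XXXX", "438 BULLSIDE TER W, HACKENSACK, NJ 09348"),
    Record("NY phone listing", "TOMMY", "THUL", "", "599 MAIN ST, RIVERBEND, NY 11093"),
]


def build_profile(records, first, last, ssn):
    """Apply the report's stated rules to one subject.

    - subject addresses: every address on a record bearing the subject's name
    - other SSNs: SSNs on name-matched records that differ from the subject's
    - other names: names on records that carry the subject's SSN
    - relatives: same last name, linked to at least one subject address
    - others: different last name, linked to at least one subject address
    The number of shared addresses is the report's asterisk count.
    """
    by_name = [r for r in records if (r.first, r.last) == (first, last)]
    addresses = {r.address for r in by_name}
    other_ssns = sorted({r.ssn for r in by_name if r.ssn and r.ssn != ssn})
    other_names = sorted({f"{r.last}, {r.first}" for r in records
                          if r.ssn == ssn and (r.first, r.last) != (first, last)})

    # Group every non-subject record by name, then test the address-overlap rule.
    candidates = defaultdict(set)
    for r in records:
        if (r.first, r.last) != (first, last):
            candidates[(r.first, r.last)].add(r.address)

    relatives, others = {}, {}
    for (cfirst, clast), cand_addrs in candidates.items():
        shared = cand_addrs & addresses
        if not shared:
            continue  # no address overlap: the report does not list this person
        entry = {"matches": len(shared), "addresses": sorted(cand_addrs)}
        bucket = relatives if clast == last else others
        bucket[f"{clast}, {cfirst}"] = entry

    return {
        "addresses": sorted(addresses),
        "other_ssns": other_ssns,
        "other_names": other_names,
        "relatives": relatives,
        "others": others,
    }


def render(profile):
    """Lay candidates out the way the report does: '*' marks an address shared with the subject."""
    lines = []
    for section in ("relatives", "others"):
        lines.append(section.upper())
        for name, entry in profile[section].items():
            lines.append(f"  {name} ({entry['matches']} address match(es))")
            for addr in entry["addresses"]:
                mark = "*" if addr in profile["addresses"] else " "
                lines.append(f"    {mark}{addr}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_profile(RECORDS, "ZACHARY", "THUL", "960-45-XXXX")))
```

Run against the constructed rows, the subject picks up a second "possible" SSN from the transposed deed row, CLAIRE THUL is listed as a relative on one shared address, MARIE SMITH is an "other" with two asterisks, and the misspelled THUYL bankruptcy row shows up twice: as an "other name" on the subject's SSN and as a separate associate at a shared address. TOMMY THUL, who shares no address, is not listed at all. The Kirby row shows why a single reused or mistyped SSN is enough to pull a stranger into the file; this is the "shadow profile" the testimony describes from the victim's side.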
Exhibit II--The Wall Street Journal Online, May 2, 2005
In the last few months, several major companies reported that
customer data, including credit-card information, was compromised. The
list includes:
------------------------------------------------------------------------
Columns: Company; Date announced to general public; Number of people
affected; Affected data; Security breach; Response.
------------------------------------------------------------------------
ChoicePoint--compiler of consumer data.
  Date announced: Feb. 15
  People affected: About 145,000 consumers had data in the system. At
    least 750 fraud cases are known.
  Affected data: Addresses, Social Security numbers and credit reports.
  Security breach: Thieves posing as legitimate customers bought
    information.
  Response: Informed Federal authorities. Will no longer sell sensitive,
    personal data to clients other than governmental agencies,
    accredited corporate customers or other businesses whose use is
    driven by a consumer-initiated transaction.
------------------------------------------------------------------------
Bank of America--bank and credit-card company.
  Date announced: Feb. 25
  People affected: Holders of as many as 1.2 million Federal Government
    charge cards.
  Affected data: Social Security numbers.
  Security breach: Computer backup tapes were lost.
  Response: Contacted Federal authorities, then consumers.
------------------------------------------------------------------------
DSW Shoe Warehouse--shoe store chain, a unit of Retail Ventures Inc.
  Date announced: March 8
  People affected: Initially, the theft was said to be limited to about
    100,000 customers; a month later, it was raised to 1.4 million.
  Affected data: Credit- and debit-card, checking account and driver's
    license numbers, and personal-shopping information.
  Security breach: Hackers stole data from a database for 108 of the
    chain's 175 stores.
  Response: Reported to Federal authorities. Customers advised to check
    credit-card statements.
------------------------------------------------------------------------
LexisNexis--consolidator of legal and business information, a division
of Reed Elsevier PLC.
  Date announced: March 9
  People affected: Initially, data for as many as 32,000 consumers was
    at risk. A month later, raised to about 310,000, though only 59
    incidents of illegal action are known.
  Affected data: Social Security numbers and driver's license numbers.
  Security breach: Unauthorized use of customer logins and passwords.
  Response: Informed Federal authorities and consumers, improved
    security, limited customer access to personal data.
------------------------------------------------------------------------
Boston College*
  Date announced: March 17
  People affected: Database included records on 120,000 alumni.
  Affected data: Addresses and Social Security numbers.
  Security breach: Intruder hacked into a school computer operated by an
    outside fundraiser.
  Response: Notified affected alumni.
------------------------------------------------------------------------
Polo Ralph Lauren--clothing retailer.
  Date announced: April 14
  People affected: As many as 180,000 customers who hold GM-branded
    MasterCards.
  Affected data: Credit-card data.
  Security breach: n.a.
  Response: Card issuer HSBC notified consumers.
------------------------------------------------------------------------
Ameritrade--online discount stock broker.
  Date announced: April 19
  People affected: About 200,000 current and former customers from 2000
    to 2003.
  Affected data: Varies by customer.
  Security breach: Backup computer tape was lost in shipping.
  Response: Notified affected consumers.
------------------------------------------------------------------------
Time Warner--media conglomerate.
  Date announced: May 2
  People affected: About 600,000 current and former U.S. employees back
    to 1986.
  Affected data: Social Security numbers and details on beneficiaries
    and dependents.
  Security breach: Backup computer tape was lost in shipping by an
    outside data-storage company.
  Response: Notified those affected.
------------------------------------------------------------------------
*Other recent university-level security breaches occurred at California
State University-Chico, University of California-Berkeley, Tufts
University and Northwestern University.
Sources: WSJ, Associated Press, the companies.
Note: Except where noted, these are cases of data being at risk, not of
data being fraudulently used. In all cases the stolen data included
the names of the affiliated consumers.
Senator Smith. Thank you very much.
This hearing has to conclude at 5 o'clock. And so, with
that, I'll let Senator Nelson--I know he has a number of
questions.
Senator Bill Nelson. OK. And, Mr. Chairman, what I'll do is
submit most of them in writing for the record.
But let me just go through a couple of questions each for
each of the four of you.
Ms. Barrett, there was a report that, in your company, you
had the theft of information through a person gaining illegal
access to sensitive, personal information of 20 million people.
When your company was alerted about this breach, Acxiom
allegedly alerted its clients, but not the individual consumers
that had been affected. Is it true--this report that's in a
book that we have read, entitled, ``No Place to Hide''--is it
true that someone gained access to the sensitive records of 20
million people?
Ms. Barrett. No, it's not, Senator. The incident occurred
in 2003. It was a server that our clients use to transfer files
to us for processing, and then we posted the results of that
processing back on the file--on the server, to be transferred
back to the client.
The theft did involve many, many records. And, while that
20 million number may be ballpark in terms of how many records
were involved, that did not necessarily represent individuals.
And it certainly in no way represented sensitive information.
The standard for that particular server was that
information of a sensitive nature--Social Security number and
so forth--be encrypted.
Senator Bill Nelson. Did law enforcement later search the
perpetrator's home and find a CD that contained the Acxiom
data?
Ms. Barrett. Yes. There were actually two perpetrators
involved in this. And in one incident the perpetrator had
copied information onto a CD and had it in his possession when
law enforcement apprehended him.
Senator Bill Nelson. And did that include the 20 million
records?
Ms. Barrett. I don't know exactly how many records were on
those CDs. We worked with law enforcement to identify the files
that were involved. But it would have contained some of that
information.
Senator Bill Nelson. Well, if it--I mean, that's what--the
purpose of this hearing. We're trying to point out what the
problem is, and if there's a CD in somebody's home that they
illegally stole, and it's got 20 million records, that's 20
million potential thefts.
Ms. Barrett. It did not have 20 million records containing
sensitive information.
Senator Bill Nelson. How many did it have?
Ms. Barrett. The CD?
Senator Bill Nelson. Yes.
Ms. Barrett. I do not know. I can try to get an estimate of
that information for you.
Senator Bill Nelson. And when you say ``not sensitive
information,'' is a Social Security number sensitive
information?
Ms. Barrett. Absolutely.
Senator Bill Nelson. How about a driver's license number?
Ms. Barrett. Absolutely.
Senator Bill Nelson. So----
Ms. Barrett. I would define ``sensitive information'' in
the way that California has defined it in their notice-breach
law.
Senator Bill Nelson. But you don't know how many numbers
were taken from the company.
Ms. Barrett. How many sensitive-information----
Senator Bill Nelson. That's correct.
Ms. Barrett. We do not know, exactly. Our clients sent us
this information. In some cases, it's encrypted, and--in many
cases, the sensitive information is encrypted; in some cases,
nonsensitive information is encrypted. When we send the files
back to the clients, what happened after the breach was, we
identified which files had been accessed inappropriately and
illegally, and our clients went through an inventory of exactly
what data was included in those files. In many cases, we did
not have the data in our possession.
Senator Bill Nelson. Mr. Chairman, the point that I'm
merely making here, instead of quibbling at the numbers, is
that, so often--obviously, the company doesn't want people to
know that somebody has gained illegal access to the
information. And the information is often described in a
certain figure. And in the case of both ChoicePoint and
LexisNexis, the first figure that was given out publicly was
much, much less than what it ultimately was. In the case of
LexisNexis--and I'm a little more sensitive to this, because it
was a Florida company that they had acquired--and they first
said it was 30,000, and then they admitted that it was 300,000.
So, we've got--I think the whole point here is, instead of
quibbling with you about 20 million or one million or whatnot,
that we've got a problem.
All right, let me ask you about--you had made some
assertions--specifically, an e-mail, Ms. Barrett, on May 21,
2002, to John Poindexter. And in that e-mail, you allegedly
stated--and tell us if this is true--quote, ``The U.S. may need
huge databases of commercial transactions that cover the
world,'' and that Acxiom could build this mega-scale database.
Why would such a--why would such a database of commercial
transactions be necessary? And what steps has Acxiom taken to
create this database?
Ms. Barrett. Senator, I'm not familiar, specifically, with
the e-mail that you're referring to.
Senator Bill Nelson. Did you send----
Ms. Barrett. Back in----
Senator Bill Nelson.--an e-mail to John----
Ms. Barrett. I did not----
Senator Bill Nelson.--Poindexter?
Ms. Barrett.--personally send an e-mail to John Poindexter,
no. I would--could check and see if someone from our company
did.
We worked with the Department of Defense and some of the
staff on John Poindexter's--in John Poindexter's organization
back in 2002, in an advisory capacity talking about some of the
projects that he was exploring. And, specifically, we advised
that Department that there were significant privacy concerns
that needed to be taken into account in the development of any
kind of large-scale databases.
Senator Bill Nelson. That information, supposedly--and
we'll check it out--was obtained under the Freedom of
Information Act by the Electronic Privacy Information Center.
And that's----
Ms. Barrett. I'm----
Mr. Rotenberg. Senator, the e-mail is on our website.
Ms. Barrett. The e-mail is an e-mail--if it's the specific
situation we're talking about with EPIC, the e-mail is not from
me; it is from a member of John Poindexter's staff.
Senator Bill Nelson. OK, thank you for clarifying that.
Rather chilling. ``The U.S. may need huge databases of
commercial transactions to cover the world.''
Let me ask you, Mr. Rotenberg, the Privacy Act of 1974, in
part, prevented the Federal Government from creating central
databases where all personal information could be stored for
government access. It now appears at least some levels of
government are out-sourcing this task to information brokers,
witness my further--earlier questioning about Seisint and the
database called Matrix. In your opinion, is the Federal
Government complying with the letter and the spirit of the law
of the Privacy Act of 1974?
Mr. Rotenberg. No, it's not, Senator. In fact, one of the
things that we realized as we pursued a Freedom of Information
Act request involving ChoicePoint was the extraordinary amount
of personal information that was being obtained by Federal
agencies for law enforcement purposes.
Now, we don't dispute that the information may have value
for investigations. We understand that. The question is whether
there is any legal safeguard in place to ensure that the
Privacy Act principles, such as due process and oversight and
protection of First Amendment freedoms, are being respected.
And our view is that, in the absence of explicit
application of the Privacy Act to the information brokers, the
answer is that there is not the protection of the 1974 Act, as
there should be.
Senator Bill Nelson. Just quick questions here, because the
Chairman needs to get out of here. Do you think the legislation
that Senator Schumer and I have filed would help restore
greater consumer privacy and reduce identity theft?
Mr. Rotenberg. Yes, I do, Senator. And I think it is
absolutely urgent for the Committee to act on it. One of the
points that I make in my written statement is that the problem
of identity theft is rapidly escalating in this country. In
fact, today the Senate may take up the Real ID Act, a dramatic
expansion of identification credentials in this country,
without even any debate. And you may be interested to know that
state DMVs have become the targets of identity thieves.
Senator Bill Nelson. Mr. Kurtz, what do you think about the
legislation that we filed?
Mr. Kurtz. Well, first of all, I want to commend you and
Senator--Senator Nelson and Senator Schumer for taking the lead
on pulling together legislation in this space. I think there
are several good points with regard to the legislation. First,
notice, mandatory notice, and the scope which you've applied
with regard to the notice. You've noted that it's broader than
just the data brokers that we need to think about. Two, you've
talked about reasonable security measures and the importance of
that. And I would note, in that space, under the Privacy Act,
there are reasonable measures that need to be taken by the
Federal Government in order to secure Social Security numbers
and dates of birth and the like. Three, you've given victims a
place to go. We, at the Cyber Security Alliance, get a lot of
calls, ``Where do we go? Who are we supposed to talk to?'' You
can report it in to the FTC, as it is right now, but, frankly,
they have limited means in order to deal with it. They can keep
it in the Sentinel database and track things, but they don't
actually have an apparatus where you can go to actually do
follow-up.
And, the final point that I would make--and I'm probably
leaving something out--is the importance of leadership. You've
identified the need to have the executive branch take a greater
leadership role in cybersecurity overall, understanding that
this is just not one single slice of an issue. All these issues
that we're dealing with--phishing, spyware, data-warehouse
security--they're all interconnected. Having an Assistant
Secretary at DHS to be that strategic leader would be
incredibly helpful.
Senator Bill Nelson. Thank you for that. I mean, and that
underscores the next part of this legislation, which is
protection of the homeland, as well as protection of our
individuals.
Thank you, Mr. Chairman.
Senator Smith. Thank you, Senator Nelson.
Senator Pryor, do you have a question?
Senator Pryor. Mr. Chairman, if you need to head out, I
can----
Senator Smith. Go ahead.
Senator Pryor. OK. Because I don't mind taking over the
leadership of this Committee. I don't think I can do a whole
lot of damage from here.
[Laughter.]
Senator Pryor. As much as I'd like to.
[Laughter.]
Senator Pryor. But I can--I'll be glad to. If you need to
run, please just--I'll try to make my questions brief.
Mr. Rotenberg----
Senator Bill Nelson. We can do a mark-up if he leaves.
[Laughter.]
Senator Pryor. That's right. If you'd just leave----
[Laughter.]
Senator Pryor.--and allow us a little time here by
ourselves, we would appreciate it. Do you mind?
[Laughter.]
Senator Smith. I trust you guys implicitly, but I think my
colleagues might question my wisdom, I'm sure.
[Laughter.]
Senator Pryor. Mr. Rotenberg, let me start with you, if I
may. I want to know what your experience has been with credit-
freeze laws in the states. And I'm seeing a story here--I
believe it comes out of Texas, or maybe Vermont, I'm not quite
sure--but can you tell us, first, what credit freeze is, and
how it's worked, if you think it's a good idea?
Mr. Rotenberg. Sure. Senator, I think it's a very good
idea. Simply stated, what a credit freeze does is puts your
credit report in the off-setting. In other words, it isn't
disclosed to others unless you decide that you want to make
your credit report available. Currently, credit reports are
widely available. They're used for very many purposes that most
consumers aren't aware of. And what the four states have done
that have passed credit-freeze legislation, has been to
basically say to consumers, ``If you need to get a home
mortgage, if you need a loan for the car, sure, you're going to
want to make your credit report available. But, otherwise, that
report will stay in the off-setting, and others won't get
access to it.'' And we think it's a very sensible way to reduce
the risk of identity theft.
Ms. Frank. May I add something?
Senator Pryor. Yes.
Ms. Frank. Our State was the first State to ask for it, and
I helped with that legislation. The reason we had a need for a
security freeze is because the fraud alerts weren't working. In
other words, when you became a victim of identity theft, you
could call the credit-reporting agencies and put a fraud alert
on your credit profile, and it says, ``Don't issue credit
without calling me first.'' What we were finding is that myriad
victims would have that fraud alert on their credit profile,
yet there were creditors that still issued credit. So, we went
to the legislature and said, ``We need something that is going
to be a real key to lock the door.'' And so, the credit freeze
is such that a victim, or even, in our State, a consumer, can
write to the credit-reporting agencies--and if you're a victim,
for free--you can put this credit freeze on, which gives you a
password. So, let's say I have a credit freeze on my credit
report and I want to go out and buy a car. I can unfreeze, or
``thaw,'' with my password for a specific industry, like all
the car dealerships, or I can do it for everyone. And then I
refreeze it. Now, if you're a non-victim, you pay $10 to freeze
it or non-freeze it.
If fraud alerts worked, which now you know, it's written
into the FACTA, which is the Fair and Accurate Credit
Transactions Act--if they really worked 100 percent, and people
called you, that would be one thing. But under FACTA, if a
creditor issues credit when there's a fraud alert on your
credit report, you have no private right-of-action. You have no
recourse. And so, I'm telling all California citizens, and
those who are in the states that have this freeze, the only way
you can guarantee that you can protect yourself from financial
identity theft is to use the freeze. It won't help you for
criminal identity theft, but it will help you for financial.
Senator Pryor. OK. Well, I--thank you for that. Ms. Frank,
let me ask you, while we're talking about this--changing gears
a little bit--but we know that data brokers have information
like Social Security numbers, dates of birth, you know, street
addresses, records of what we purchase, you know, things like
that, but can you give me some examples of information--if you
know any--examples of information that are so intensely private
that the data should never be allowed to be shared?
Ms. Frank. Well, if you look at my written testimony, on
page 17----
Senator Pryor. OK.
Ms. Frank.--you will find an exhibit of an actual sample of
AutoTrack, which is from ChoicePoint. It has not only the
Social Security number, date of birth, aka's, and then it says
``other possible Social Security numbers.''
Senator Pryor. OK.
Ms. Frank. It also has, if you look down here, driver's
licenses, height, weight--let's see--past addresses. You go
down here, and it has other things, like, hmm, you name it,
it's in here, places you've lived, cars you've bought, boats or
anything like that, if you have a pilot's--any kind of license
you ever had, any problem with the license, if you were ever
suspended for something, deeds, all the deeds that you've ever
owned. Now, some of these are public records.
Now, I want to say one thing about public records. Death
certificates, birth certificates, marriage certificates, they
have your Social Security number. In the State of California,
we have passed laws to redact those numbers, because your
mother's maiden name, for example, is on your birth
certificate, and your parents' Social Security number is on
your birth certificate.
OK. So, if you look at this--I don't want to take--I'm
seeing the red light coming on--you can look, yourself, for--
this thing goes from page 17 all the way to page 23 of all the
things--24.
Senator Pryor. But are you saying that some of that is so
intensely private that it should not be shared?
Ms. Frank. Well, if you got this, which I have seen on
other people--if you got this, you would have an entire package
to take someone's identity--it even says your family and your
neighbors and your family's name--the members of your family,
who lives there, what licenses they have. And it even gives
neighbors around the block. So, basically, if somebody wanted
to steal your identity, Senator, they'd have everything that
they need to talk about who you are, what properties you've
owned, where you've lived.
So, what I'm saying, it's the entire profile that is so
terribly frightening, and the Social Security number, at this
point, is the key to the kingdom of identity theft. And it's
all in here.
Senator Pryor. OK. One last question, if I may, Mr.
Chairman, and this is for Ms. Barrett, and that is--you
mentioned, during your testimony a few moments ago, that your
company encrypts data. If we required all companies that
handle, you know, personally identifiable data--if we required
them to encrypt it, would that help solve this problem?
Ms. Barrett. Yes, I think it would. Encryption is a
wonderful tool for protecting data, both in the static state,
as well as in transit. And as one of the--it was mentioned
earlier, information in transit is one of the riskier areas
where identity thieves have an opportunity to take hold of
data.
Encryption is not as easy as we would like for it--to think
it is. It's not a plug-and-play kind of thing for companies to
do. But we need all the incentives we can to make it much more
of a universal standard.
Ms. Frank. Senator, one thing. If we had encryption, it
would not have helped in the ChoicePoint, when it's a dirty
insider. So--and, also, if you have somebody in the IT
department who can un-encrypt--so, if you had encryption,
that's great, but you have to have an exception for security
notice if it is a dirty insider.
Senator Pryor. Mr. Chairman, I'm sorry, I think Mr. Kurtz
had a----
Mr. Kurtz. Yes. Senator Pryor, I just wanted to add--I
think what California 1386 did, which I thought was rather
elegant, was, they didn't mandate that encryption be used. They
said that, for any unencrypted breach of information, that the
owner of the information needed to be notified. I think the
point that I guess I'm trying to make here is, we need to think
more broader--broadly, and not just a technology mandate of one
type of technology--or, excuse me, no mandates of specific type
of technologies; let's look at the whole set of tools that are
available which are, in fact, technologies, policies, and
expertise that need to be brought together. And I've outlined
that in my written testimony for you folks to review.
Senator Smith. So, it left it up to the companies and
technologies to----
Mr. Kurtz. Yes, in fact----
Senator Smith.--to meet the standard, rather than to
prescribe a standard.
Mr. Kurtz. Yes. And, in fact, we haven't talked about
standards today, but there are standards out there that people
can look and turn to in order to get some guidance as to what
they might need to do in order to secure their systems. There
are--you know, there are international standards, there are
American standards that people could look at that could really
be used for folks to turn to. Now, sometimes they're criticized
for being too broad, or too general, but there are some, you
know, if you will, key guideposts there that companies can look
at, or you could ask companies to look at, in order to ensure
they're doing the right thing.
Senator Smith. And their motivation is, they've got legal
liability for that.
Mr. Kurtz. That's an issue that the Congress might consider
investigating. What type of incentives might you build into
this in order to get folks to go down that road?
Senator Smith. Well, what did California do? What was their
elegant solution? What was it?
Mr. Kurtz. Their elegant solution was, they didn't require
encryption.
Senator Smith. So, if they didn't require it, did they just
give them the assignment and left open the liability?
Mr. Kurtz. Excuse me. I don't have the language in front of
me, but it basically said for any unencrypted breach of
information, there's a requirement to notify. So, if you unpack
that, it means that if you encrypt, there is not an obligation
to notify.
Ms. Frank. And we're thinking of amending that for--you
know, we like the idea of encryption, but we're thinking of
amending it for those who know that there was access without
encryption.
Senator Smith. What's the penalty if they don't do all of
that?
Ms. Frank. Well, they can be sued.
Senator Smith. OK. That's what I'm getting at.
Mr. Kurtz. Oh.
Senator Smith. And do they specifically address that, or do
they leave it open, do you recall?
Ms. Frank. Well, I'm trying to think exactly what the
language says, since----
Senator Smith. That's OK.
Ms. Frank. I can send it to you. I'll give it to you.
Senator Smith. Senator, did you have any more questions?
Senator Pryor. All I was going to say is really just a
comment. I notice in this month's Fortune magazine, there's an
article called ``The Great Data Heist,'' and, in there, they
talk about how security information typically walks out the
door in one of three ways--hackers grab it, employees steal it,
or companies lose it. And I think that's probably right. I
assume you all would agree with that. And so, what you're
saying is right. Encryption, I think, is an important piece of
this, but it doesn't solve all the problems. It doesn't--it's
not a cure-all.
Mr. Kurtz. It's not a panacea.
Senator Pryor. Yes.
Thank you, Mr. Chairman.
Senator Smith. Thank you, Senator Pryor.
And, ladies and gentlemen, thank you each for the
contribution you've made to this first very important hearing
on a very vital topic to the American people. We will, no
doubt, be pursuing legislative proposals. The Chairman, Senator
Stevens, has so indicated. But I think you have laid a good
foundation in this hearing today, and we thank you very much
for your time and contribution.
We're adjourned.
[Whereupon, at 5:15 p.m., the hearing was adjourned.]
A P P E N D I X
Prepared statement of Gail Hillebrand, Senior Attorney, Consumers Union
Identity for Sale? Protecting Consumers from Identity Theft
Summary
Consumers Union, \1\ the non-profit, independent publisher of
Consumer Reports, believes that the recent announcements by
ChoicePoint, Lexis-Nexis, and many others about the lack of security of
our most personal information underscores the need for Congress and the
States to act to protect consumers from identity theft.
---------------------------------------------------------------------------
\1\ Consumers Union is a non-profit membership organization
chartered in 1936 under the laws of the State of New York to provide
consumers with information, education and counsel about goods,
services, health and personal finance, and to initiate and cooperate
with individual and group efforts to maintain and enhance the quality
of life for consumers. Consumers Union's income is solely derived from
the sale of Consumer Reports, its other publications and from
noncommercial contributions, grants and fees. In addition to reports on
Consumers Union's own product testing, Consumer Reports with more than
four million paid circulation, regularly, carries articles on health,
product safety, marketplace economics and legislative, judicial and
regulatory actions which affect consumer welfare. Consumers Union's
publications carry no advertising and receive no commercial support.
---------------------------------------------------------------------------
Identity theft is a serious crime that has become more common in
recent years as we have delved further into the ``information age.''
According to the Federal Trade Commission, 27.3 million Americans have
been victims of identity theft in the past five years, costing
businesses and financial institutions $48 billion and consumers $5
billion. Victims pay an average of $1,400 (not including attorney fees)
and spend an average of 600 hours to clear their credit reports. The
personal costs can also be devastating; identity theft can create
unimaginable family stress when victims are turned down for mortgages,
student loans, and even jobs.
And as ongoing scandals involving ChoicePoint, Lexis-Nexis, and
others point to, American consumers cannot fully protect themselves
against identity theft on their own. Even consumers who do ``everything
right,'' such as paying their bills on time and holding tight to
personal information such as Social Security numbers and dates of
birth, can become victims through no fault of their own because the
companies who profit from this information have lax security standards.
Therefore, Congress and the States must enact new obligations
grounded in Fair Information Practices \2\ on those who hold, use,
sell, or profit from private information about consumers. In this
context, Fair Information Practices would reduce the collection of
unnecessary information, restrict the use of information to the purpose
for which it was initially provided, require that information be kept
secure, require rigorous screening of the purposes asserted by persons
attempting to gain access to that information, and provide for full
access to and correction of information held.
---------------------------------------------------------------------------
\2\ The Code of Fair Information Practices was developed by the
Health, Education, and Welfare Advisory Committee on Automated Data
Systems, in a report released two decades ago. The Electronic Privacy
Information Center has described the Code as based on these five
principles: (1) There must be no personal data recordkeeping systems
whose very existence is secret. (2) There must be a way for a person to
find out what information about the person is in a record and how it is
used. (3) There must be a way for a person to prevent information about
the person that was obtained for one purpose from being used or made
available for other purposes without the person's consent. (4) There
must be a way for a person to correct or amend a record of identifiable
information about the person. (5) Any organization creating,
maintaining, using, or disseminating records of identifiable personal
data must assure the reliability of the data for their intended use and
must take precautions to prevent misuses of the data. Electronic
Privacy Information Center, http://www.epic.org/privacy/consumer/code_fair_info.html.
---------------------------------------------------------------------------
Consumers Union Recommends That Lawmakers Do the Following
Require notice of all security breaches: Impose requirements
on businesses, nonprofits, and government entities to notify
consumers when an unauthorized person has gained access to
sensitive information pertaining to them. Consumers Union
supports S. 751, by Senator Dianne Feinstein, which would put
these requirements in place. We also believe that S. 768,
introduced by Senator Charles Schumer and Senator Bill Nelson,
will make an excellent notice of breach law.
Require and monitor security: Impose strong requirements on
information brokers to protect the information they hold and to
screen and monitor the persons to whom they make that
information available. S. 768, as well as S. 500 and H.R. 1080,
introduced by Senator Bill Nelson and Representative Ed Markey,
respectively, would direct the Federal Trade Commission to
develop such standards and oversee compliance with them.
Give consumers access to and a right to correct information:
Give individuals rights to see, dispute, and correct
information held by information brokers. This is also addressed
in the Schumer/Nelson and Nelson/Markey bills.
Protect SSNs: Restrict the sale, collection, use, sharing,
posting, display, and secondary use of Social Security numbers.
Require more care from creditors: Require creditors to take
additional steps to verify the identity of an applicant when
there is an indicator of possible ID theft.
Grant individuals control over their sensitive information:
Give individuals rights to control who collects--and who sees--
sensitive information about them.
Restrict secondary use of sensitive information: Restrict
the use of sensitive, personal information for purposes other
than the purposes for which it was collected or other uses to
which the consumer affirmatively consents.
Fix FACTA: A consumer should be able to access more of his
or her Fair and Accurate Credit Transactions Act (FACTA)
rights, such as the extended fraud alert, before becoming an ID
theft victim. Further, one of the key FACTA rights is tied to a
police report, which victims still report difficulty in getting
and using.
Create strong and broadly-based enforcement: Authorize
Federal, State, local, and private enforcement of all of these
obligations.
Recognize the role of states: States have pioneered
responses to new forms of identity crime and risks to personal
privacy. Congress should not inhibit states from putting in
place additional identity theft and privacy safeguards.
Provide resources and tools for law enforcement: Provide
funding for law enforcement to pursue multi-jurisdictional
crimes promptly and effectively. Law enforcement also may need
new tools to promote prompt cooperation from the Social
Security Administration and private creditors in connection
with identity theft investigations.
After a very brief discussion of the problem of identity theft,
each recommendation is discussed.
The Problem of Identity Theft Is Large and Growing
Current law simply has not protected consumers from identity theft.
The numbers tell part of the story:
According to the Federal Trade Commission, 27.3 million
Americans have been victims of identity theft in the last five
years, costing businesses and financial institutions $48
billion, plus another $5 billion in costs to consumers.
Commentator Bob Sullivan has estimated that information
concerning two million consumers is involved in the security
breaches announced over just the six weeks ending April 6,
2005. Is Your Personal Data Next?: Rash of Data Heists Points
to Fundamental ID Theft Problem, http://msnbc.msn.com/id/7358558
Based on a report to the FTC in 2003, which concluded that
there were nearly 10 million identity theft victims each year,
Consumers Union estimates that every minute 19 more Americans
become victims of ID theft.
These numbers can't begin to describe the stress, financial
uncertainty, lost work-time productivity and lost family-time identity
theft victims experience. Even financially responsible people who
routinely pay their bills on time can find themselves in a land of debt
collector calls, ruined credit and lost opportunities for jobs,
apartments, and prime credit. With more and more scandals coming out
every week, the time has come for Congress to act to protect the
security of our personal information.
Recommendations
Notification
Notice of security breaches of information, whether held in
computerized or paper form, is the beginning, not the end, of a series
of steps needed to begin to resolve the fundamental conundrum of the
U.S. information society: collecting information generates
revenues or efficiencies for the holder of the information but can pose
a risk of harm to the persons whose economic and personal lives are
described by that information.
The first principle of Fair Information Practices is that there be
no collection of data about individuals whose very existence is a
secret from those individuals. A corollary of this must be that when
the security of a collection of data containing sensitive information
about an individual is breached, that breach cannot be kept secret from
the individual. Recognizing the breadth of the information that
business, government, and others hold about individuals, Consumers
Union recommends a notice of breach requirement that is strong yet
covers only ``sensitive'' personal information, including account
numbers, numbers commonly used as identifiers for credit and similar
purposes, biometric information, and similar information. This
sensitive information could open the door to future identity theft, so
it is vital that people know when this information has been breached.
Consumers Union supports a notice-of-breach law which does the
following:
Covers paper and computerized data.
Covers government and privately-held information.
Does not except encrypted data.
Does not except regulated entities.
Has no loopholes, sometimes called ``safe harbors.''
Is triggered by the acquisition of information by an
unauthorized person.
Requires that any law enforcement waiting period must be
requested in writing and be based on a serious impediment to
the investigation.
Gives consumers who receive a notice of breach access to the
Federal right to place an extended fraud alert.
Consumers Union supports S. 751, which contains these elements. S.
768 contains most, but not all, of these elements and in certain other
respects provides additional protections.
Three of these elements are of special importance: covering all
breaches without exceptions or special weaker rules for particular
industries, covering data contained on paper as well as on computer,
and covering data whether or not it is encrypted. First, a ``one rule
for all breaches'' is the only way to ensure that the notice is
sufficiently timely to be useful by the consumer for prevention of
harm. ``One rule for all'' is also the only rule that can avoid a
factual morass which could make it impossible to determine if a breach
notice should have been given. By contrast, a weak notice
recommendation such as the one contained in the guidance issued by the
bank regulatory agencies \3\ cannot create a strong marketplace
incentive to invest the time, money, and top-level executive attention
to reduce or eliminate future breaches.
---------------------------------------------------------------------------
\3\ That weak recommendation allows a financial institution to
decide whether or not its customers need to know about a breach, and
the explanatory material even states that it can reach a conclusion
that notice is unnecessary without making a full investigation.
Interagency Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice, 12 CFR Part 30, 12 CFR Parts
208 and 225, 12 CFR Part 364, 12 CFR Parts 568 and 570. Other reasons
why those guidelines are insufficient to substitute for a statutory
requirement to give notice include that they do not apply to non-
customers about whom the financial institution has sensitive data, that
there is no direct or express penalty for violation of the guideline,
and that their case-by-case approach will make it extremely hard to
determine in which circumstances the guidance actually recommends
notice to consumers, complicating the process of showing that an
obligation was unmet.
---------------------------------------------------------------------------
Second, unauthorized access to paper records, such as hospital
charts or employee personnel files, is just as likely to expose an
individual to a risk of identity theft as theft of computer files.
Third, encryption doesn't protect information from insider theft, and
the forms of encryption vary widely in their effectiveness. Further,
even the most effective form of encryption can quickly become worthless
if it is not adapted to keep up with changes in technology and with new
tools developed by criminals.
A requirement to give notice of a security breach elevates the
issue of information security inside a company. A requirement for
swift, no-exemption notice of security breaches should create
reputational and other marketplace incentives for those who hold
sensitive consumer information to improve their internal security
practices. For example, California's security breach law has led to
improved data security in at least two cases. According to news
reports, after giving its third notice of security breach in fifteen
months, Wells Fargo Bank ordered a comprehensive review of all its
information handling practices. The column quoted a memo from Wells
Fargo's CEO stating in part: ``The results have been enlightening and
demonstrate a need for additional study, remediation and oversight. . .
. Approximately 70 percent of our remote data has some measure of
security exposure as stored and managed today.'' \4\
---------------------------------------------------------------------------
\4\ D. Lazarus, ``Wells Boss Frets Over Security,'' S.F. Chronicle,
Feb. 23, 2005. http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/02/23/BUGBHBFCR11.DTL.
---------------------------------------------------------------------------
In another example, UC Berkeley Chancellor Robert Birgeneau
announced plans to hire an outside auditor to examine data gathering,
retention, and security, telling employees: ``I insist that we
safeguard the personal information we are given as if it were our
own.'' \5\ This announcement followed the second announced breach of
the security of data held by the University in six months, this one
involving 100,000 people.\6\
---------------------------------------------------------------------------
\5\ ``Cal Laptop Security Put Under Microscope,'' April 6, 2005,
Inside Bay Area, http://www.insidebayarea.com/searchresults/ci_2642564.
\6\ Opinion Page, Oakland Tribune, April 5, 2005.
---------------------------------------------------------------------------
In the Sarbanes-Oxley Act, Congress recognized the importance of
the ``tone at the top,'' and for that reason took steps to require that
corporate boards and CEOs work to improve the quality and accuracy of
audited financial statements. A strong, clear notice of security breach
law, without exceptions, could similarly focus the attention of top
management on information security--creating an incentive for a ``tone
at the top'' to take steps to minimize or eliminate security breaches.
Security
Consumers Union supports S. 500 and H.R. 1080, introduced by
Senator Bill Nelson and Representative Ed Markey, respectively. These
measures would direct the Federal Trade Commission (FTC) to promulgate
strong standards for information security and a strong obligation to
screen customers, both initially and with respect to how those
customers further protect the information from unauthorized use. They
also provide for ongoing compliance monitoring by the FTC. S. 768, the
Schumer-Nelson bill, contains similar provisions.
If Congress wanted to take even stronger steps with respect to
information brokers, it could require information brokers to undergo
annual audits, paid for by the broker and performed by an independent
auditor retained by the FTC, with specific authority in the FTC to
require corrective action for security and customer screening
weaknesses identified in the audit, as well as allowing the FTC to
specify particular aspects of information security that should be
included in each such audit.
Any Federal information broker law must require strong protections
in specific aspects of information security, as well as imposing a
broad requirement that security in fact be effective and be monitored
for ongoing effectiveness. Congress must determine the balance between
the public interest in the protection of data and the business interest
in the business of information brokering. Security breaches and the
effects on consumers of the ongoing maintenance of files on most
Americans by information brokers are issues too important to be
delegated in full to any regulatory agency.
Access and Correction
Two of the basic Fair Information Practices are the right to see
and the right to correct information held about the consumer. S. 768,
S. 500, and H.R. 1080 all address these issues. While the Fair Credit
Reporting Act (FCRA) allows consumers to see and correct their credit
reports, as defined by FCRA, consumers currently have no legal right to
see the whole file held on them by an information broker such as
ChoicePoint and Lexis-Nexis, even though the information in that file
may have a profound effect on the consumer. There is also lack of
clarity about what a consumer will be able to see even under the FCRA
if the information broker has not yet made a report to a potential
employer or landlord about that consumer.\7\
---------------------------------------------------------------------------
\7\ Testimony of Evan Hendricks, Editor/Publisher, Privacy Times
before the Senate Banking Committee, March 15, 2005, http://banking.senate.gov/files/hendricks.pdf.
---------------------------------------------------------------------------
Because the uses of information held by data brokers continue to
grow and change, affecting consumers in myriad ways, consumers must be
given the legal right to see all of the information data brokers hold
on them, and to seek and win prompt correction of that information if
it is in error.
Protection for SSNs
The Social Security number (SSN) has become a de facto national
identifier in a number of U.S. industries dealing with consumers. Some
proposals for reform have emphasized consent to the use, sale, sharing
or posting of Social Security numbers. Consumers Union believes that a
consent approach will be less effective than a set of rules designed to
reduce the collection and use of sensitive consumer information.
Take, for example, an analogy from the recycling mantra: ``Reduce,
reuse, recycle.'' Just as public policy to promote recycling first
starts with ``reducing'' the use of materials that could end up in a
landfill, so protection of sensitive, personal information should begin
with reduction in the collection and use of such information.
Restrictions on the use of the Social Security number must begin with
restricting the initial collection of this number to only those
transactions where the Social Security number is not only necessary,
but also essential to facilitating the transaction requested by the
consumer. The same is true for other identifying numbers or information
that may be called upon as Social Security numbers are relied upon
less.
Consumers Union endorses these basic principles for an approach to
Social Security numbers:
Ban collection and use of SSNs by private entities or by
government except where necessary to a transaction and there is
no alternative identifier which will suffice.
Ban sale, posting, or display of SSNs, including no sale of
credit header information containing SSNs. There is no
legitimate reason to post or display individuals' Social
Security numbers to the public.
Ban sharing of SSNs, including between affiliates.
Ban secondary use of SSNs, including within the company
which collected them.
Out of the envelope: ban printing or encoding of SSNs on
government and private checks, statements, and the like.
Out of the wallet: ban use of the SSN for government or
private identifier, except for Social Security purposes. This
includes banning the use of the SSN, or a variation or part of
it, for government and private programs such as Medicare,
health insurance, driver's licenses or driver's records, and
military, student, or employee identification. Any provision
banning the printing of SSNs on identifying cards should also
prohibit encoding the same information on the card.
Public records containing SSNs must be redacted before
posting.
There should be no exceptions for regulated entities.
There should be no exception for business-to-business use of
SSNs.
Congress should also consider whether to impose the same type of
``responsibility requirements'' on the collection, sale, use, sharing,
display and posting of other information that could easily evolve into
a substitute ``national identifier,'' including driver's license number,
state non-driver information number, biometric information and cell
phone numbers.
Creditor Identity Theft Prevention Obligations
Information is stolen because it is valuable. A key part of that
value is the ability to use the information to gain credit in someone
else's name. That value exists only because credit granting
institutions do not check the identity of applicants carefully enough
to discover identity thieves before credit is granted.
Financial institutions and other users of consumer credit reports
and credit scores should be obligated to take affirmative steps to
establish contact with the consumer before giving credit or allowing
access to an account when there is an indicator of possible false
application, account takeover or unauthorized use. The news reports of
the credit card issued to Clifford J. Dawg, while humorous, illustrate
a real problem--creditor eagerness to issue credit spurs inadequate
review of the identity of the applicant.\8\ When the applicant is a
dog, this might seem funny, but when the applicant is a thief, there
are serious consequences for the integrity of the credit reporting
system and for the consumer whose good name is being ruined.
---------------------------------------------------------------------------
\8\ Both the news stories about Clifford J. Dawg and a thoughtful
analysis of the larger problem of too-lax identification standards
applied by creditors are found in C. Hoofnagle, Putting Identity Theft
on Ice: Freezing Credit Reports to Prevent Lending to Impostors, in
Securing Privacy in the Information Age (forthcoming from Stanford
University Press), http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=650162.
---------------------------------------------------------------------------
As new identifiers evolve, criminals will seek to gain access to
and use those new identifiers. Thus, any approach to attacking identity
theft must also impose obligations on those who make that theft
possible--those who grant credit, goods, or services to imposters
without taking careful steps to determine with whom they are dealing.
At minimum, creditors should be required to actually contact the
applicant to verify that he or she is the true source of an application
for credit when certain triggering events occur. The triggering events
should include any of the following circumstances:
Incomplete match on Social Security number.
Address mismatch between application and credit file.
Erroneous or missing date of birth in application.
Misspellings of name or other material information in
application.
Other indicators as practices change.
Under FACTA, the FTC and the Federal financial institution
regulators are charged with developing a set of red flag ``guidelines''
to ``identify possible risks'' to customers or to the financial
institution. However, FACTA stops with the identification of risks. It
does not require that financial institutions do anything to address
those risks once identified through the not-yet-released guidelines.
The presence of a factor identified in the guidelines does not trigger
a statutory obligation to take more care in determining the true
identity of the applicant before granting credit. Congress should
impose a plain, enforceable obligation for creditors to contact the
consumer to verify that he or she has in fact sought credit when
certain indicators of potential identity theft are present.
Control for Consumers Over Affiliate-Sharing, Use of Information, Use
of Credit Reports and Credit Scores
Consumers are caught between the growth in the collection and
secondary use of information about them on the one hand and the
increasing sophistication of criminals in exploiting weaknesses in how
that information is stored, transported, sold by brokers, shared
between affiliates, and used to access credit files and credit scores.
Identity theft has been fueled in part by information-sharing
between and within companies, the existence of databases that consumers
don't know about and can't stop their information from being part of,
the secondary use of information, and the granting of credit based on a
check of the consumer credit file or credit score without efforts to
verify the identity of the applicant.\9\ Consumers Union has
consistently supported Federal and State efforts to give consumers the
legal right to stop the sharing of their sensitive, personal
information among affiliates. Finally, it is essential to stopping the
spread of numbers that serve as consumer identifiers that Congress and
the States impose strong restrictions on the use of sensitive, personal
information for purposes other than the purpose for which the consumer
originally provided that information.
---------------------------------------------------------------------------
\9\ Secondary use is use for a purpose other than the purpose for
which the consumer gave the information.
---------------------------------------------------------------------------
Fix FACTA
FACTA has made some things more difficult for identity theft
victims, according to information provided to Consumers Union by
nonprofits and professionals who assist identity theft victims.
Moreover, FACTA gives only limited rights to those who have not yet
become victims of identity theft, and FACTA fails to offer a pure
prevention tool for all consumers. A consumer who asserts in good faith
that he or she is about to become a victim of identity theft gets one
right under FACTA--the right to place, or renew, a 90-day fraud alert.
However, this type of alert places lower obligations on the potential
creditor than the extended alert, which is restricted only to identity
theft victims.
A consumer should be able to access more of his or her FACTA
rights, such as the extended fraud alert, before becoming an identity
theft victim. One key FACTA right is tied to a police report, which
victims still report difficulty in getting and using.
Here are some key ways to make FACTA work for victims:
Initial fraud alert should be one year, not 90 days.
Extended alert and other victims' rights, other than
blocking of information, should be available to all identity
theft victims who fill out the FTC ID theft affidavit under
penalty of perjury.
Business records should be available to any consumer who
fills out the FTC ID theft affidavit under penalty of perjury.
Consumers who receive a notice of security breach should be
entitled to place an extended fraud alert.
Consumers who place a fraud alert have the right under FACTA
to a free credit report, but this should be made automatic.
There is also work to do outside of FACTA, including work to
develop a police report that could be given to victims that is
sufficiently similar, if not uniform, across jurisdictions, so that the
victim does not find creditors or businesses in another jurisdiction
refusing to accept a police report from the victim's home jurisdiction.
Congress Must Encourage the States To Continue To Pioneer Prompt
Responses to Identity Crime
Virtually every idea on the table today in the national debate
about stemming identity theft and protecting consumer privacy comes
from legislation already enacted by a state. Congress must not cut off
this source of progress and innovation. Instead, any identity theft and
consumer privacy legislation in Congress should expressly permit states
to continue to enact new rights, obligations, and remedies in
connection with identity theft and consumer privacy to the full extent
that the State requirements are not inconsistent with the specific
requirements of Federal law.
Criminals will always be more fast-acting, and fast-adapting, than
the Federal Government. An important response to this reality is to
permit, and indeed encourage, State legislatures to continue to act in
the areas of identity theft and consumer privacy. Fast-acting states
can respond to emerging practices that can harm consumers while those
practices are still regional, before they spread nationwide. For
example, California enacted its notice of security breach law and other
significant identity theft protections because identity theft was a
significant problem in California well before it became, or at least
was recognized as, a national crime wave.
Identity theft illustrates how much quicker states act on consumer
issues than Congress. According to numbers released by the FTC, there
were 9.9 million annual U.S. victims of identity theft in the year
before Congress adopted the relatively modest rights for identity theft
victims found in FACTA. The identity theft provisions adopted by
Congress in FACTA were modeled on laws already enacted in states such
as California, Connecticut, Louisiana, Texas, and Virginia.\10\
---------------------------------------------------------------------------
\10\ See California Civil Code Sec. Sec. 1785.11.1, 1785.11.2,
1785.16.1; Conn. SB 688 Sec. 9(d), (e), Conn. Gen. Stats. Sec. 36a-699;
IL Rev. Stat. Ch. 505 Sec. 2MM; LA Rev. Stat. Sec. Sec. 9:3568B.1,
9:3568C, 9:3568D, 9:3571.1 (H)-(L); Tex. Bus. & Comm. Code
Sec. Sec. 20.01(7), 20.031, 20.034-039, 20.04; VA Code Sec. Sec. 18.2-
186.31:E. The role of the states has also been important in financial
issues unrelated to identity theft. Here are two examples. In 1986,
California required that specific information be included in credit
card solicitations with enactment of the then-titled Areias-Robbins
Credit Card Full Disclosure Act of 1986. That statute required
every credit card solicitation to contain a chart showing the interest
rate, grace period, and annual fee. 1986 Cal. Stats., Ch. 1397,
codified at California Civil Code Sec. 1748.11. Two years later,
Congress chose to adopt the same concept in the Federal Fair Credit and
Charge Card Disclosure Act (FCCCDA), setting standards for credit card
solicitations, applications, and renewals. P. L. 100-583, 102 Stat.
2960 (Nov. 1, 1988), codified in part at 15 U.S.C. Sec. Sec. 1637(c)
and 1610(e). The implementing changes to Federal Regulation Z included
a model form for the Federal disclosure box which is quite similar to
the form required under the pioneering California statute. 54 Fed. Reg.
13855, Appendix G.
---------------------------------------------------------------------------
Strong and Broadly-Based Enforcement
Consumers need effective enforcement of those obligations and
restrictions Congress imposes in response to the increasing threats to
consumer privacy and to the growth of identity theft. A diversity of
approaches strengthens enforcement. Each statutory obligation imposed
by Congress should be enforceable by Federal agencies, the Federal law
enforcement structure with the Attorney General and U.S. Attorneys, and
State attorneys general. Where a state is structured so that part of
the job of protecting the public devolves to a local entity, such as a
district attorney or city attorney, those local entities also should be
empowered to enforce anti-identity theft and privacy measures in local
civil or, where appropriate, criminal courts.
There is also a role for a private right-of-action. It is an
unfortunate reality in identity theft that law enforcement resources
are slim relative to the size of the problem. This makes it
particularly important that individuals be given a private right-of-
action to enforce the obligations owed to them by others who hold their
information. A private right-of-action is an important part of any
enforcement matrix.
Money and Tools for Law Enforcement
Even if all the recommended steps are taken, U.S. consumers will
still need vigorous, well-funded law enforcement. At a meeting convened
by Senator Feinstein which included some twenty representatives of law
enforcement, including police departments, sheriffs, and district
attorneys, law enforcement uniformly proposed that they be given tools
to more effectively investigate identity theft. Law enforcement costs
money, and the law enforcers noted that the multi-jurisdictional nature
of identity theft increases the costs and time it takes to investigate
these crimes.
Law enforcers in California and Oregon have noted a strong link
between identity theft crime and methamphetamine. The Riverside County
Sheriff noted at a March 29, 2005 event that when drug officers close a
methamphetamine lab, they often find boxes of fake identification ready
for use in identity theft. The drug team has closed the lab; without
funding for training and ongoing officer time, there may be no
investigation of those boxes of identities.
To prove a charge of attempted identity theft, a prosecutor may
need to prove that the real person holding a particular driver's
license number, credit or debit card number, or Social Security number
is different from the holder of the fake ID. Doing this may require the
cooperation of a State Department of Motor Vehicles, a financial
institution, or the Social Security Administration. The public meetings
of the California High Tech Crimes Advisory Committee have included
discussion of the difficulties and time delays law enforcement
investigators encounter in trying to obtain this cooperation. Congress
should work with law enforcement and groups representing interest in
civil liberties to craft a solution to verifying victim identity that
will facilitate investigation of identity theft without infringing on
the individual privacy of identity theft victims and other individuals.
Law enforcement may have more specific proposals to enhance their
effectiveness in fighting identity theft. Consumers Union generally
supports:
Funding for regional identity theft law enforcement task
forces in the areas of highest concentration of victims and of
identity thieves.
Funding for investigation and prosecution.
An obligation on creditors, financial institutions, and the
Social Security Administration to provide information about
suspected theft-related accounts or numbers to local, State,
and Federal law enforcement after a simple, well designed,
request process.
Consumers Union believes that the time has come for both Congress
and State legislatures to act to stem identity theft through strong and
meaningful requirements to tell consumers of security breaches; strong
and detailed security standards and oversight for information brokers,
reining in the use of Social Security numbers, increased control for
consumers over the uses of their information, and obligations on
creditors to end their role in facilitating identity theft through lack
of care in credit granting. This should be done without infringing on
the role of the states, with attention to the need to fund law
enforcement to fight identity theft, and with attention to the need for
private enforcement by consumers. We look forward to working with the
Chair and Members of the Committee, and others in Congress, to
accomplish these changes for U.S. consumers. These recommendations by
Consumers Union have been informed by the work of victim assistance
groups, privacy advocates, and others.\11\
---------------------------------------------------------------------------
\11\ Many law enforcers, victim assistance workers, and consumer
and privacy advocates were engaged in the issue of identity theft
prevention long before the most recent ChoicePoint security breach came
to light. Consumers Union has worked closely for many years on efforts
to fight identity theft and protect consumer financial privacy with
other national groups, and with consumer privacy and anti-identity
theft advocates and victim assistance groups based in California. Our
views and recommendations are strongly informed by the experiences of
consumers reported to us by the nonprofit Privacy Rights Clearinghouse,
the nonprofit Identity Theft Resource Center, and others who work
directly with identity theft victims. These groups have worked to
develop the State laws that are the basis for many of the proposals now
being introduced in Congress. Consumers Union is grateful for the
leadership of the Privacy Rights Clearinghouse in consumer privacy
policy work, the work of the State PIRGs and U.S. PIRG on consumer
identity theft rights which includes the preparation of a model State
identity theft statute in cooperation with Consumers Union, for the
work for consumers on the accuracy of consumer credit reporting issues
done over the past decade by the Consumer Federation of America and
U.S. PIRG, and for the contributions to the policy debate of
organizations such as the Electronic Privacy Information Center,
Privacy Times, and others too numerous to mention.
---------------------------------------------------------------------------
Consumer Reports, June 2005
The Fight Against Identity Theft
by Jim Guest, President
``I was mugged once, years ago,'' one of our editorial researchers
told me. ``It was bad, but at least that guy had the guts to look me in
the eye.'' This time, she'd gotten a call from her bank alerting her
that someone in Oregon had just withdrawn $2,000 from her account.
Since she and her husband were both at home in New York, that was very
bad news.
Like many of the estimated 10 million people a year whose lives and
accounts are invaded by identity thieves, our staffer had been as
cautious as she could be and still be part of today's marketplace. But
either her financial records were leaked or a hacker typed his or her
way through the barriers protecting her account.
In either case, companies who hold sensitive, personal and
financial information about us, and the lawmakers who should be
overseeing them, are failing to build stronger protections against the
increasingly prevalent crime of ID theft. Lawmakers and regulators must
work fast. Here are three things that Consumers Union, the publisher of
Consumer Reports, is pushing them to do:
Oversee information brokers, companies that collect and sell
people's personal and financial data. Federal law should
require them to safeguard those data, sell data only to
carefully screened clients, tell consumers what's in their
files, and correct mistakes promptly, since mistakes can lose
you a job, a mortgage, or an insurance policy.
Pass strong Federal and State laws that require companies to
notify the consumers whose personal and financial information
they hold when their privacy is compromised. Now, only
California residents have that protection.
Pass laws in every state allowing consumers to ``freeze''
their credit-bureau files. With a security freeze in place,
your credit report and score can't be given to potential new
creditors unless you choose to ``unlock'' the file when you
apply for, say, a car loan. Most businesses won't issue new
credit or loans without first checking credit records. This
way, thieves will hit a brick wall trying to open an account in
your name.
There's no single solution to shielding consumers from the fast-
changing schemes of ID thieves, so Congress should preserve the right
of States to continue developing ever more sophisticated guards. For
more about what CU is doing, and for what you can do to protect
yourself, go to our websites www.consumersunion.org/privacy and
www.consumersunion.org/money.
______
Statement of James X. Dempsey, Executive Director, Center for Democracy
& Technology,\1\ before the Senate Committee on the Judiciary, April
13, 2005
---------------------------------------------------------------------------
\1\ The Center for Democracy & Technology (CDT) is a non-profit
public interest organization dedicated to promoting privacy and other
democratic values for the new digital communications media. Among other
activities, CDT coordinates the Digital Privacy and Security Working
Group (DPSWG), a forum for computer, communications, and public
interest organizations, companies and associations interested in
information privacy and security issues.
---------------------------------------------------------------------------
Securing Electronic Personal Data: Striking a Balance Between Privacy
and Commercial and Governmental Use
Chairman Specter, Senator Leahy, and Members of the Committee,
thank you for the opportunity to testify today. Recent security
breaches at a range of companies and institutions resulting in the loss
of sensitive, personal information have highlighted the need for a more
substantial legal framework at the national level for entities
collecting, using and selling personal data. A range of harms,
including identity theft, can flow from the failure to protect
electronic personal data and from governmental or corporate misuse of
data or reliance on inaccurate data. We offer here today an overview of
the policy landscape and suggest some approaches that Congress should
consider to ensure the appropriate level of security and privacy
protection. We look forward to working with you and interested
stakeholders to achieve balanced solutions.
The New Marketplace for Personal Data
In the past decade, the commercial collection and sale of personal
information has changed dramatically, driven by a combination of
factors, facilitated by the Internet, and resulting in an ever more
rapid flow of sensitive, personal information in ways that most
consumers barely understand. The implications for commerce, national
security and personal privacy have been detailed in recent books such
as Robert O'Harrow's ``No Place to Hide.''
The private sector and the Federal Government have many legitimate
needs for personal information, and the sharing of data offers benefits
to consumers in the form of readily available credit. Businesses and
non-profit entities, ranging from landlords to retailers, to lawyers,
to universities, obtain and share personal information to provide
services and facilitate economic transactions. Indeed, an important use
of commercial data services is for anti-fraud purposes, including the
prevention of identity theft. The Federal Government uses personal
information to determine eligibility for government benefits, to
support law enforcement, and to fight the war on terror.
An important category of this information is drawn from public
records at courthouses and other government agencies. Data brokers (we
use the term throughout our testimony for lack of a better one, without
intending to be derogatory and recognizing that it is not well-defined)
add considerable value by aggregating and categorizing this information
to provide a more complete picture of the individuals to whom it
pertains.
While data brokers provide important services to the government and
the private sector, they also raise a host of privacy issues and
concerns about the security of this information. The recent security
breaches at ChoicePoint and LexisNexis have prompted calls for
examination of this new industry. Already-regulated entities, such as
Bank of America, have also lost control of sensitive, personal
information. So have merchants whose primary business is not data
aggregation. DSW Shoe Warehouse, a chain of shoe retailers, announced
recently that someone had stolen customers' credit card information
from its database. And the New York Times reported that already this
year nine universities have reported the loss or compromise of
sensitive, personal information.\2\ Precisely because databases of
electronic personal data have tremendous value, they are attracting
identity thieves.
---------------------------------------------------------------------------
\2\ Tom Zeller, Jr., Some Colleges Falling Short In Data Security,
New York Times, Apr. 4, 2005, at B1.
---------------------------------------------------------------------------
Even legitimate uses of personal data can result in harm to
individuals. For instance, individuals can suffer adverse consequences
when data brokers sell inaccurate or incomplete information that
results in the loss of employment opportunities. In the context of
government use of personal information, adverse consequences could
include being suspected of criminal or terrorist activity.
Congress has addressed privacy and security issues with respect to
credit reporting agencies in the Fair Credit Reporting Act (FCRA),
financial institutions in Gramm-Leach-Bliley (GLB), and healthcare
providers in the Health Insurance Portability and Accountability Act
(HIPAA). But Congress's sectoral approach to information privacy has
left gaps in the coverage of the law.
Overview of Policy Responses
We see at least five sets of issues facing Congress at this time:
1. As a first step towards preventing identity theft, entities,
including government entities, holding personal data should be
required to notify individuals in the event of a security
breach.
2. Since notice only kicks in after a breach has occurred,
Congress should require entities that electronically store
personal information to implement security safeguards, similar
to those required by California AB 1950 and the regulations
under Gramm-Leach-Bliley.
3. Congress should impose tighter controls on the sale,
disclosure and use of Social Security numbers and should seek
to break the habit of using the SSN as an authenticator.
4. Congress should address the Federal Government's growing use
of commercial databases, especially in the law enforcement and
national security contexts.
5. Finally, Congress should examine the ``Fair Information
Practices'' that have helped define privacy in the credit and
financial sectors and adapt them as appropriate to the data
flows of this new technological and economic landscape.
What Is Privacy?
Information privacy is not merely about keeping personal
information confidential. Rather, it is well established by United
States Supreme Court cases, the Federal Privacy Act, and privacy laws
like the FCRA and HIPAA that the concept of privacy extends to
information that an individual has disclosed to another in the course
of a commercial or governmental transaction and even to data that is
publicly available.\3\ Information privacy is about control, fairness,
and consequences. Data privacy laws limit the use of widely available,
and even public, information because it is recognized that individuals
should retain some control over the use of information about themselves
and should have redress to the consequences that result from others'
use of that information. A set of commonly accepted ``Fair Information
Practices'' captures this broader conception of privacy and is
reflected, albeit in piecemeal fashion, in the various privacy laws and
in the practices of commercial entities and government agencies. These
principles govern not just the initial collection of data, but also the
use of information collected and shared in the course of governmental
and commercial transactions.
---------------------------------------------------------------------------
\3\ In United States Department of Justice v. Reporters Committee
for Freedom of the Press, 489 U.S. 749, 762-63 (1989), the Supreme
Court rejected the ``cramped notion of personal privacy'' that ``because
events . . . have been previously disclosed to the public, . . . [the]
privacy interest in avoiding disclosure of a . . . compilation of these
events approaches zero.'' The Court held in that case that the
government can withhold from public disclosure databases composed
entirely of publicly available data because there is a ``distinction,
in terms of personal privacy, between scattered disclosure of the bits
of information . . . and revelation of the [information] as a whole.''
The Court based its ruling on the conclusion that, ``Plainly there is a
vast difference between the public records that might be found after a
diligent search of courthouse files, county archives, and local police
stations throughout the country and a computerized summary located in a
single clearinghouse of information.'' 489 U.S. at 764. The Court
rejected the notion that an individual has no privacy interest in data
that is publicly available somewhere. See id. at 770 (``In sum, the
fact that an event is not wholly `private' does not mean that an
individual has no interests in limiting disclosure or dissemination of
the information.'' (quotation omitted)). See also Reno v. Condon, 528
U.S. 141, 148 (2000) (upholding Federal statute restricting States'
sale of driver's license information to commercial entities even though
the information was available to the public for a range of purposes).
---------------------------------------------------------------------------
The ``Fair Information Practices'' were first articulated in the
1970s and have been embodied in varying degrees in the Privacy Act, the
FCRA, and the other ``sectoral'' Federal privacy laws that govern
commercial uses of information. The concept of Fair Information
Practices (FIPs) has remained remarkably relevant despite the dramatic
changes in information technology that have occurred since they were
first developed. While mapping these principles to the current data
landscape poses challenges, and while some of the principles may be
inapplicable to public record data, they provide a remarkably sound
basis for analyzing the issues associated with creating a policy
framework for the privacy of commercial databases.
The FIPs principles are variously enumerated, but we see eight: (1)
notice to individuals of the collection of personally identifiable
information, (2) limits on use and disclosure of data for purposes
other than those for which the data was collected in the first place,
(3) limitations on the retention of data, (4) a requirement to ensure
the accuracy, completeness and timeliness of information, (5) the right
of individuals to access information about themselves, (6) the
opportunity to correct information or to challenge decisions made on
the basis of incorrect data, (7) appropriate security measures to
protect the information against abuse or unauthorized disclosure, and
(8) the establishment of redress mechanisms for individuals wrongly and
adversely affected by the use of personally identifiable
information.\4\
---------------------------------------------------------------------------
\4\ http://www.cdt.org/privacy/guide/basic/generic.html.
---------------------------------------------------------------------------
A lot more work would be needed to develop a regulatory framework
imposing all of these principles on all entities that hold or use
personally identifiable data. Nevertheless, these principles do provide
a framework for analyzing the current situation. They suggest certain
immediate steps that Congress could take.
Notice of Breach
As a first step, there should be a national requirement that
individuals be notified when their information held by a third party is
obtained by an unauthorized user. CDT would support appropriate Federal
legislation modeled on the California disclosure law that would require
holders of sensitive, personal information to notify people whose
information might have been stolen or otherwise obtained by
unauthorized persons.\5\ Some industry leaders have also supported
Federal notice legislation, as did the Chairman of the Federal Trade
Commission at earlier Congressional hearings.
---------------------------------------------------------------------------
\5\ The California law states that any agency or business ``that
owns or licenses computerized data that includes personal information
shall disclose any breach of the security of the system following
discovery or notification of the breach in the security of the data to
any resident of California whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an unauthorized
person.'' Cal. Civ. Code Sec. 1798.29(a), Sec. 1798.82(a).
---------------------------------------------------------------------------
The California law worked well after the ChoicePoint security
breach. As a result of the California law, ChoicePoint was required to
notify individuals so they could take protective action. And public
pressure led ChoicePoint to give nationwide notice. California is
currently the only state with such a law on the books, but other states
are currently considering similar legislation. Congress should enact
Federal legislation that is as protective as the California statute.
There has been some debate about when entities should be required
to give notice of a breach. Some have argued that the holder of the
information should be allowed to exercise discretion in determining
whether the breach is one that poses a significant risk of harm to
individuals. Concern has been expressed that if consumers are notified
of every security breach, they would receive too many notices and
become immune to them. While the risk of over-notification is real,
guidance issued by the State of California on its disclosure law seems
to address concerns about over-notification. An appropriate standard
might be to require entities that discover a breach of security of a
system containing unencrypted personally identifiable data in
electronic form to notify any U.S. resident whose data was, or is
reasonably believed to have been, acquired by an unauthorized person.
If the entity is not certain whether the breach warrants notification,
it should be able to consult with the Federal Trade Commission. This
would allow the entities to avoid giving notice in the case of
accidental unauthorized access that does not pose a risk of harm to the
public, while ensuring that the public is adequately protected in those
cases where data has been acquired unlawfully. Additionally, it may be
desirable to have a two-tiered system, with notice to the FTC of all
breaches of personal data and notice to consumers where there is a
potential risk of identity theft. Broader notice to the FTC would help
with oversight and would allow for adjustment in reporting thresholds.
Notice alone, however, is not enough. Consideration needs to be
given to the question of what options a consumer has after receiving
notice of a breach. Consumers can require a fraud alert on their credit
reports, but under current law that has to be renewed every 90 days
unless the individual is actually the victim of identity theft, in
which case he is entitled to a 7-year notice. Another approach is to
give consumers the ability to ``freeze'' their credit reports, blocking
their release and thus preventing the issuance of credit. Texas and
California currently allow credit report freezes, and Vermont and
Louisiana freeze legislation is supposed to take effect this summer. At
least 15 other states are considering similar legislation. \6\ Another
way to allocate risk may be to create a ``Do Not Issue Credit without
Verification List,'' allowing consumers to post a warning to creditors
to obtain additional identity verification before issuing credit. This
would not be a freeze, but would put creditors on alert that they need
to be careful.
---------------------------------------------------------------------------
\6\ Andrew Shain, ``Nation, N.C. address ID security breaches,''
Charlotte Observer, Mar. 24, 2005, http://www.charlotte.com/mld/
charlotte/11215774.htm.
---------------------------------------------------------------------------
Security of Personally Identifiable Information
While notice legislation would be helpful in mitigating the damage
from a security breach and might prod companies to improve security
proactively, Congress should enact legislation requiring commercial
entities that hold personal information to implement information
security programs. Already there is a patchwork of requirements.
Financial institutions are already subject to information security
requirements under Gramm-Leach-Bliley, \7\ and the Health Insurance
Portability and Accountability Act imposes similar requirements on
health care providers and insurers, \8\ and the Sarbanes-Oxley legislation
also has a provision that is interpreted as imposing some kind of data
security obligation. The Federal Trade Commission has exercised its
Section 5 authority and obtained consent agreements with a number of
companies that are looked to as models. And the California law known as
AB 1950 has imposed a general data security obligation on companies
doing business there.
---------------------------------------------------------------------------
\7\ 15 U.S.C. Sec. 6801(b).
\8\ Pub. L. 104-191, Sec. 264.
---------------------------------------------------------------------------
It is probably time to bring some uniformity to these requirements.
The Federal Trade Commission regulations implementing Gramm-Leach-
Bliley provide a good framework and probably have about the right level
of detail for security programs for data brokers and other commercial
entities.\9\ They require an entity to develop, implement and maintain
a comprehensive information security program that contains
administrative, technical and physical safeguards that are tailored to
the size and nature of the entity. Among other elements of a security
program, they require entities that hold personal information to
conduct a risk assessment to identify and develop systems to protect
against anticipated threats and unauthorized access to information, to
train employees, to audit their systems to identify unauthorized
access, and to periodically reassess the program's effectiveness.
Otherwise, the FTC approach gives entities that collect and store
personal information the flexibility to develop security programs that
fit their business models.
---------------------------------------------------------------------------
\9\ See Standards For Safeguarding Customer Information, 16 C.F.R.
Sec. Sec. 314.1-.5 (2005).
---------------------------------------------------------------------------
Social Security Number Protection
Personal privacy is not just threatened by ineffective or
nonexistent information security systems, however. Another threat to
personal privacy is the proliferation and misuse of Social Security
numbers. When the Federal Government first issued Social Security
numbers in 1936, it limited their use to identifying accounts for
workers with earnings from jobs covered by the Social Security Act of
1935. Social Security numbers were not supposed to serve as the
universal identifiers that they have become. In fact, they were
initially called Social Security Account Numbers and for many years the
words ``Not For Identification'' appeared on Social Security cards.\10\
Over time, however, Social Security numbers have become de facto
national identifiers, serving as the key that unlocks many databases
containing medical records, university records, employee files and bank
records, just to name a few.
---------------------------------------------------------------------------
\10\ www.epic.org/privacy/hew1973report/c7.htm
---------------------------------------------------------------------------
Worse, the SSN is used as an authenticator. That is, it is used
like a PIN number--even though SSNs are widely available, entities
treat them as if they were a secret and that therefore someone is you
if he knows your SSN. This is very poor security practice. As a result,
Social Security numbers are a major factor in identity theft.
CDT supports legislation that would tighten controls on the sale,
purchase and display of Social Security numbers. Given the ubiquity of
Social Security numbers in the public domain, it might not be possible
to prevent criminals from acquiring them, but that does not mean we
should give up trying to curtail the SSN's overuse and misuse. We
believe that this can be done without prohibiting the use of the SSN as
an identifier or disambiguator in large databases. Certainly, the SSN
should be phased out as a student or employee ID number reflected on ID
cards, transcripts and other records disclosed outside an institution.
Congress should also, where feasible, limit the use of Social Security
numbers by government entities. In particular, states should be
prohibited from using Social Security numbers on drivers' licenses.
These changes will have limited effect, however, unless it is also
recognized that it is poor security practice to use the SSN as an
authenticator--treating it like a password or an obscure bit of
information likely to be known only to the one person to whom it was
issued. The habit of relying on the SSN for verification of identity
needs to be broken.\11\
---------------------------------------------------------------------------
\11\ The habit of relying blindly on the SSN as an identifier also
needs to be broken. See Lesley Mitchell, ``New wrinkle in ID theft;
Thieves pair your SS number with their name, buy with credit, never get
caught; Social Security numbers a new tool for thieves,'' The Salt Lake
Tribune, June 6, 2004, at E1.
---------------------------------------------------------------------------
Government Use of Commercial Databases
An often overlooked but very important issue is the Federal
Government's use of commercial databases. As discussed earlier, the
government uses commercial data for law enforcement and national
security purposes. The Privacy Act of 1974 was supposed to subject
government agencies that collect personally identifiable information to
the Fair Information Practices, but the Act's protections only apply to
Federal ``systems of records.'' \12\ That means that the government can
bypass the Privacy Act by accessing existing private sector databases,
rather than collecting the information itself. Thus, although the
Privacy Act requires notice to and consent from individuals when the
government collects and shares information about them, gives citizens
the right to see whatever information the government has about them,
and holds government databases to certain accuracy standards, none of
those rules applies when the government accesses commercial information
without pulling that data into a government database. Currently, the
government need not ensure (or even evaluate) the accuracy of the data;
it need not allow individuals to review and correct the data; and the
government is not limited in how it interprets or characterizes the
data.
---------------------------------------------------------------------------
\12\ The term ``system of records'' is defined as ``a group of any
records under the control of any agency from which information is
retrieved by the name of the individual or by some identifying number,
symbol, or other identifying particular assigned to the individual.'' 5
U.S.C. Sec. 552a(a).
---------------------------------------------------------------------------
Commercial information can and should play a key role in law
enforcement and national security investigations. But agencies relying
on that data should have clear guidelines for its use--guidelines that
both protect individual rights and ensure the information is useful for
investigative purposes.
One option would be to make it clear that the Privacy Act applies
whether the government is creating its own database or acquiring access
to a database from a commercial entity. Also, Congress could apply the
concept of Privacy Impact Assessments to the acquisition of commercial
databases. Section 208 of the E-Government Act of 2002 already requires
a PIA if the government initiates a new ``collection'' of
information.\13\ The same process should apply when the government
acquires access to a commercial database containing the same type of
information that would be covered if the government itself were
collecting it.
---------------------------------------------------------------------------
\13\ E-Government Act of 2002, Pub. L. 107-347, Sec. 208(b)(1).
Under the E-Government Act, an agency is required to perform a privacy
impact assessment before it ``develop[s] or procure[s] information
technology that collects, maintains, or disseminates information that
is in an identifiable form'' or ``initiat[es] a new collection of
information. . . .'' Sec. 208(b)(1)(A). A privacy impact assessment is
required to address, ``(I) what information is collected; (II) why the
information is being collected; (III) the intended use of the agency of
the information; (IV) with whom the information will be shared; (V)
what notice or opportunities for consent would be provided to
individuals regarding what information is collected and how that
information is shared; (VI) how the information will be secured; and
(VII) whether a system of records is being created under'' the Privacy
Act. Sec. 208(b)(2)(B).
---------------------------------------------------------------------------
Another approach, based on a bill that Senator Wyden introduced in
the last Congress,\14\ would be to require the government to perform an
accounting of private sector databases before using them. Under the
Wyden proposal, a government agency that acquired access to databases
containing personally identifiable information concerning U.S. citizens
would be required to publish in the Federal Register a description of
the database, the name of the entity from which the agency obtained the
database and the amount of the contract for use of the database. In
addition, the agency would be required to adopt regulations that
establish
---------------------------------------------------------------------------
\14\ S. 1484, 108th Cong. (1st Sess. 2003).
---------------------------------------------------------------------------
the personnel permitted to access, analyze or otherwise use
the database;
standards that govern the access to and analysis and use of
such information;
standards to ensure that personal information accessed,
analyzed and used is the minimum necessary to accomplish the
government's goals;
standards to limit the retention and re-disclosure of
information obtained from the database;
procedures to ensure that such data is accurate, relevant,
complete and timely;
auditing and security measures to protect against
unauthorized access to or analysis, use or modification of data
in the database;
applicable mechanisms that individuals may use to secure
timely redress for any adverse consequences wrongly experienced
due to the access, analysis or use of such database;
mechanisms, if any, for the enforcement and independent
oversight of existing or planned procedures, policies or
guidelines; and
an outline of enforcement mechanisms for accountability to
protect individuals and the public against unlawful or
unauthorized access to or use of the database.
Agencies might also incorporate into their contract with commercial
entities provisions that provide for penalties when the commercial
entity sells information to the agency that the commercial entity
knows, or should know, is inaccurate or when the commercial entity
fails to inform the agency of corrections or changes to data in the
database.
The Intelligence Reform Act that Congress passed last December
established guidelines for the government's evaluation of Secure Flight
plans that suggest a broader framework for use of data.\15\ Congress
could adopt similar guidelines for government agencies to follow before
implementing any screening program that uses commercially available
data. As an initial matter, all government screening programs should be
Congressionally authorized. This would ensure some degree of public
accountability and Congressional oversight. In addition, all screening
programs should be subject to regulations that include, at a minimum,
the following elements:
---------------------------------------------------------------------------
\15\ Intelligence Reform and Terrorism Prevention Act of 2004, Pub.
L. 108-458, Sec. 4012(a).
---------------------------------------------------------------------------
procedures to enable individuals, who suffer an adverse
consequence because the system determined that they might pose
a security threat, to appeal the determination and correct any
inaccurate data;
procedures to ensure that the databases the government uses
to establish the identity of individuals or otherwise make
assessments about individuals will not produce a large number
of false positives or unjustified adverse consequences;
procedures to ensure that the search tools that the
department or agency will use are accurate and effective and
will allow the department or agency to make an accurate
prediction of who may pose a security threat; \16\
---------------------------------------------------------------------------
\16\ This provision is drawn from the Department of Homeland
Security Appropriations Act, 2005, Pub. L. 108-334, Sec. 552.
---------------------------------------------------------------------------
sufficient operational safeguards to reduce the chance for
abuse of the system;
substantial security measures to protect the system against
unauthorized access;
policies that establish effective oversight of the use and
operation of the system; and
procedures to ensure that the technological architecture of
the system does not pose any privacy concerns.
These approaches, all of which Congress has previously approved in
similar contexts, strike a balance between the government's need for
information and the privacy interests of individuals. Adapting the
Privacy Act and Fair Information Principles to government uses of
commercial databases would go a long way toward closing the unintended
gap in privacy protection that exists under the current law.
Regulation of Data Brokers
Finally, Congress should consider whether there are gaps in the
current sectoral laws that protect privacy and focus on the harms that
can flow from use of inaccurate or misleading information. This is not
about use of marketing data to send catalogues or sales offers. Rather,
in the context where adverse consequences can result, Congress should
apply to data brokers the Fair Information Practices that are the
framework of the Fair Credit Reporting Act and other privacy laws.
As the law stands now, these Fair Information Practices apply only
when data brokers collect and use information in a way that is governed
by the Fair Credit Reporting Act. For instance, if a data broker sells
personal information to a third party that uses the information to
determine eligibility for insurance, the Fair Credit Reporting Act
would apply and certain rights would attach to the individual to whom
the information pertains. The individual would be able to obtain a copy
of the report, challenge the accuracy of the data and correct any
inaccurate information. The ability to do this is particularly
important when a person can suffer adverse consequences--such as the
denial of insurance--from the use of the personal information. But if
the data broker sold that same information to an insurance company for
use in claims processing--in which case the individual might be denied
reimbursement under her insurance policy--the individual would not have
any of those same rights.\17\
---------------------------------------------------------------------------
\17\ Michael Hiltzik, Data Show Information Collector Can't Be
Trusted, Los Angeles Times, Mar. 3, 2005, at C1.
---------------------------------------------------------------------------
We note that Derek Smith, the Chairman and CEO of ChoicePoint, last
year called for a national dialogue on privacy, to develop a policy
framework for his companies and others. Specifically, Smith called for
expanding the principles reflected in the FCRA:
``We should agree that the consensual model is best to the
maximum degree possible, understanding that law enforcement and
national security uses may outweigh getting prior consent for
certain information. By this I mean that individuals should
give permission (or not) at the time information is gathered
and should agree to its use. Data should not be used for a
different purpose unless new permission is obtained. However,
we must recognize that public record data is, fundamentally,
just that--public--and does not fit within the consensual model
because of the current local, State, and Federal freedom of
information acts.
Everyone should have a right of access to data that is used to
make decisions about them--subject to the same caveats about
law enforcement and national security uses. In other words,
expand the principles of the Fair Credit Reporting Act to all
types of information: right to access, right to question the
accuracy and prompt a review, and right to comment if a
negative record is found to be accurate.'' \18\
---------------------------------------------------------------------------
\18\ Derek V. Smith, ``Risk Revolution: The Threats Facing America
and Technology's Promise for a Safer Tomorrow'' (Longstreet Press,
2004) 185.
---------------------------------------------------------------------------
Conclusion
Resolving these issues will require a broad-based and inclusive
dialogue. We must strike a balance, but the current absence of a
comprehensive legal framework for the collection, sale and use of
sensitive, personal information is yielding harms that are made clear
every day. The Center for Democracy and Technology looks forward to
working with the Committee, with all of today's witnesses, and with all
stakeholders. We are not helpless in the face of the ongoing revolution
in information technology. Through the policy process, we can decide
whether there is ``No Place to Hide.''
______
Statement of Oliver I. Ireland, Attorney, Morrison & Foerster LLP; on
Behalf of Visa U.S.A. Inc., Before the Subcommittee on Commerce, Trade,
and Consumer Protection of the Committee on Energy and Commerce, United
States House of Representatives, May 11, 2005
Securing Consumers' Data: Options Following Security Breaches
Good morning Chairman Stearns, Ranking Member Schakowsky, and
Members of the Subcommittee. I am a partner in the law firm of Morrison
& Foerster LLP, and practice in the firm's Washington, D.C. office. I
am pleased to appear before the Subcommittee on behalf of Visa
U.S.A. Inc., to discuss the important issue of consumer information
security.
The Visa Payment System, of which Visa U.S.A. is a part, is the
largest consumer payment system, and the leading consumer e-commerce
payment system, in the world, with more volume than all other major
payment cards combined. Visa plays a pivotal role in advancing new
payment products and technologies, including technology initiatives for
protecting personal information and preventing identity theft and other
fraud.
Visa commends the Subcommittee for focusing on the important issue
of information security. As the leading consumer electronic commerce
payment system in the world, Visa considers it a top priority to remain
a leader in developing and implementing technology, products, and
services that protect consumers from the effects of information
security breaches. As a result, Visa has long recognized the importance
of strict internal procedures to protect Visa's members' cardholder
information, thereby to protect the integrity of the Visa system.
Visa has substantial incentives to maintain strong security
measures to protect cardholder information. The Visa system provides
for zero liability to cardholders for unauthorized transactions.
Cardholders are not responsible for unauthorized use of their cards.
The Visa Zero Liability policy guarantees maximum protection for Visa
cardholders against fraud due to information security breaches. Because
the financial institutions that are Visa members do not impose the
losses for fraudulent transactions on their cardholder customers, these
institutions incur costs from fraudulent transactions. These costs are
in the form of direct dollar losses from credit that will not be
repaid, and also can be in the form of indirect costs attributable to
the harm and inconvenience that might be felt by cardholders or
merchants. Accordingly, Visa aggressively protects the cardholder
information of its members.
Existing Federal Laws and Rules for Information Security
Existing Federal laws and regulations also obligate financial
institutions to protect the personal information of their customers.
Rules adopted under section 501(b) of the Gramm-Leach-Bliley Act of
1999 by the Federal banking agencies and the Federal Trade Commission
(FTC) (GLBA 501(b) Rules) establish information security standards for
the financial institutions subject to the jurisdiction of these
agencies. Under the GLBA 501(b) Rules, financial institutions must
establish and maintain comprehensive information security programs to
identify and assess the risks to customer information and then control
these potential risks by adopting appropriate security measures.
Each financial institution's program for information security must
be risk-based. Every institution must tailor its program to the
specific characteristics of its business, customer information and
information systems, and must continuously assess the threats to its
customer information and systems. As those threats change, the
institution must appropriately adjust and upgrade its security measures
to respond to those threats.
However, the scope of the GLBA 501(b) Rules is limited. Many
holders of sensitive, personal information are not financial
institutions covered by the GLBA 501(b) Rules. For example, employers
and most retail merchants are not covered by the GLBA 501(b) Rules,
even though they may possess sensitive information about consumers.
Visa's Cardholder Information Security Plan
Because of its concerns about the adequacy of the security of
information about Visa cardholders, Visa has developed and is
implementing a comprehensive and aggressive customer information
security program known as the Cardholder Information Security Plan
(CISP). CISP applies to all entities, including merchants, that store,
process, transmit, or hold Visa cardholder data, and covers enterprises
operating through brick-and-mortar stores, mail and telephone order
centers, or the Internet. CISP was developed to ensure that the
cardholder information of Visa's members is kept protected and
confidential. CISP includes not only data security standards but also
provisions for monitoring compliance with CISP and sanctions for
failure to comply.
As a part of CISP, Visa requires all participating entities to
comply with the ``Visa Digital Dozen''--twelve basic requirements for
safeguarding accounts. These include: (1) install and maintain a
working network firewall to protect data; (2) do not use vendor-
supplied defaults for system passwords and security parameters; (3)
protect stored data; (4) encrypt data sent across public networks; (5)
use and regularly update anti-virus software; (6) develop and maintain
secure systems and applications; (7) restrict access to data on a
``need-to-know'' basis; (8) assign a unique ID to each person with
computer access; (9) restrict physical access to data; (10) track all
access to network resources and data; (11) regularly test security
systems and processes; and (12) implement and maintain an overall
information security policy.
Payment Card Industry Data Security Standard
Visa is not the only credit card organization that has developed
security standards. In order to avoid the potential for imposing
conflicting requirements on merchants and others, in December of 2004,
Visa, MasterCard, American Express, Discover, and Diners Club
collaborated to align their respective data security requirements for
merchants and third parties. Visa found that the differences between
these security programs were more procedural than substantive.
Therefore, Visa has been able to integrate CISP into a common set of
data security requirements without diluting the substantive measures
for information security already developed in CISP. Visa supports this
new, common set of data security requirements, which is known as the
Payment Card Industry Data Security Standard (PCI Standard).
Neural Networks To Detect Fraud and Block Potentially Unauthorized
Transactions
In addition to the CISP program, which helps to prevent the use of
cardholder information for fraudulent purposes, Visa uses sophisticated
neural networks that flag unusual spending patterns for fraud and block
the authorization of transactions where fraud is suspected. When
cardholder information is compromised, Visa notifies the issuing
financial institution and puts the affected card numbers on a special
monitoring status. If Visa detects any unusual activity in that group
of cards, Visa again notifies the issuing institutions, which begin a
process of investigation and card re-issuance. These networks, coupled
with CISP and Visa's Zero Liability, provide a high degree of
protection from fraudulent credit card transactions to cardholders.
Expansion of Existing Requirements
Current protections notwithstanding, Visa believes that an
obligation to protect sensitive, personal information, similar to the
GLBA 501(b) Rules, should apply broadly so that all businesses that
maintain sensitive, personal information will establish information
security programs. Because consumer information knows no boundaries, it
is critical that this obligation be uniform across all institutions in
all jurisdictions.
Security Breach Notification
Closely related to the issue of information security is the
question of what to do if a breach of that security occurs. Visa
believes that where the breach creates a substantial risk of harm to
consumers that the consumers can take action to prevent, the consumers
should be notified about the breach so that they can take appropriate
action to protect themselves. Both Federal and California law already
address this issue. California law currently requires notice to
individuals of a breach of security involving their computerized
personal information. The California law focuses on discrete types of
information that are deemed to be sensitive, personal information. The
statute defines sensitive, personal information as an individual's name
plus any of the following: Social Security Number, driver's license
number, California identification card number, or a financial account
number, credit or debit card account number, in combination with any
code that would permit access to the account. The California law
includes an exception to the notification requirement when this
personal information has been encrypted. The California law only
requires notice to be provided when personal information is ``acquired
by an unauthorized person.'' Other states recently have enacted or are
considering security breach notification laws; however, the details of
some of the laws differ.
In March, the Federal banking agencies issued final interagency
guidance on response programs for unauthorized access to customer
information and customer notice (Guidance). The Guidance applies to all
financial institutions that are subject to banking agency GLBA 501(b)
Rules and requires every covered institution that experiences a breach
of security involving sensitive customer information to: (1) notify the
institution's primary Federal regulator; (2) notify appropriate law
enforcement authorities consistent with existing suspicious activity
report rules; and (3) notify its affected customers where misuse of the
information has occurred or is reasonably possible.
The keen interest that states have shown to legislate on the issue
of security breach notification emphasizes the need for a single
national standard for security breach notification in order to avoid
confusion among consumers as to the significance of notices that they
receive and among holders of information about consumers as to their
notification responsibilities. In addition, any legislation on security
breach notification should recognize compliance with the Guidance as
compliance with any notification requirements.
Visa believes that a workable notification law that would require
entities that maintain computerized, sensitive personal information to
notify individuals upon discovering a significant breach of security of
that data should be risk-based to avoid inundating consumers with
notices where no action by consumers is required. As FTC Chairwoman
Majoras recently testified to Congress, notices should be sent only if
there is a ``significant risk of harm,'' because notices sent when
there is not a significant risk of harm actually can cause individuals
to overlook those notices that really are important.
Thank you, again, for the opportunity to present this testimony
today. I would be happy to answer any questions.
______
Response to Written Questions Submitted by Hon. Daniel K. Inouye to
Paul B. Kurtz
Question. Companies often protest against regulation by maintaining
that the market will address the problem and correct it. However, in
the case of ChoicePoint and other information brokers, those with the
buying power are not adversely affected by poor security and thus do
not demand it from the information suppliers. Can either of you comment
on the economics of security and how they apply, or not apply as the
case may be, to the information-broker industry? When should government
intervene?
Answer. In determining the Government's role with regard to cyber
security regulation, the President's National Strategy to Secure Cyber
Space is an appropriate place to start. The National Strategy provides
clear policy guidance for the Federal Government's role: ``In general,
the private sector is best equipped and structured to respond to an
evolving cyber threat. There are specific instances, however, where
Federal Government response is most appropriate and justified.'' The
Strategy goes on to describe the Government's role in the private
sector: ``Externally, a government role in cybersecurity is warranted
in cases where high transaction costs or legal barriers lead to
significant coordination problems; cases in which governments operate
in the absence of private sector forces; resolution of incentive
problems that lead to under-provisioning of critical shared resources;
and raising awareness.''
According to this description, it seems that information brokers
may fall into the narrow category where there is an absence of private
sector forces prompting cyber security. As such, it appears appropriate
for the Federal Government to intervene.
What makes regulation of this issue complex is that the threat to
unsecured, sensitive personal information does not stop with
information brokers. Recent security breaches have occurred in a
variety of organizations in regulated and non-regulated industries,
ranging from banks and hospitals, to educational institutions and large
employers.
We believe there are five key principles that should be included in
legislation to address this issue.
1. Federal Pre-emption. Any new law should establish a national
data breach notification ``floor'' for unauthorized access to
unencrypted personal information while enabling State attorneys
general to prosecute the Federal law so long as the U.S.
Attorney General is notified.
Nine states have already passed legislation requiring
notification of unauthorized access to unencrypted personal
information. Without Federal pre-emption, we will face a web of
potentially conflicting breach notification requirements.
2. Scope. The scope of the breach notification bill should
apply to any agency or person, as defined in title 5 of the
U.S. Code, who owns or licenses computerized data containing
sensitive, personal information and should not be limited to
data brokers. In developing this legislation, it is important
not to duplicate requirements set forth under existing Federal
law such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit
Reporting Act (FCRA), or other relevant Federal legislation.
Legislation should address ``gaps'' in existing legislation
related to the security of personal information. Recent
security breaches have occurred in a variety of organizations,
ranging from data brokers, banks and hospitals, to educational
institutions and large employers.
3. Reasonable Security Practices. Reasonable security practices
encompass a combination of technology, policy, and expertise.
Consistent with existing State law, organizations that own or
license computerized data containing personal information
should implement and maintain reasonable security measures
based on widely accepted voluntary industry standards or
existing Federal law.
Security Practices. The term ``security practices'' shall mean
reasonable security and notification procedures and practices
appropriate to the nature of the information to protect
sensitive, personal information from unauthorized access,
destruction, use, modification or disclosure.
Certification. Congress should consider self-certification to
help safeguard sensitive, personal information. In the case of
self-certification, covered entities would be required to self-
certify that they have met a widely adopted standard in order
to safeguard sensitive, personal information. If a breach
occurs and it is clear that reasonable measures were not taken
to safeguard sensitive, personal information, then the covered
entity involved would be subject to criminal prosecution by the
Department of Justice. Congress should also consider an option
for certification by a third-party, coupled with liability
protection to foster protection.
Encryption. Congress should encourage the use of encryption
technologies without requiring it, similar to California's SB
1386. Encryption is defined as ``the protection of data in
storage or in transit using a NIST approved encryption
algorithm implemented within a FIPS 140 validated cryptographic
module combined with the appropriate key management mechanism
to protect the confidentiality and integrity of associated
cryptographic keys in storage or in transit.''
Existing voluntary standards include:
International Standards Organization (ISO) 17799
Control Objectives for Information and Related Technology
(COBiT)
British Standard (BS) 7799
Information security governance framework issued by the
National Cyber Security Summit Task Force in April 2004
Existing regulatory standards include:
Fair Credit Reporting Act (http://www.ftc.gov/os/statutes/fcra.htm#607)
Gramm Leach Bliley, Safeguards Rule
FDA, Title 21, Subchapter A, Protection of Privacy
Basel II, Revised International Capital Framework
Health Insurance Portability and Accounting Act (HIPAA)
Security Rule
4. Definition of ``breach.'' A breach of unencrypted personal
information should be defined so that it encourages the
implementation of reasonable security measures and minimizes
false positives.
5. Regulatory Authority. The Federal Trade Commission is the
most appropriate authority to oversee breach notification on a
civil level and refer criminal cases to the Department of
Justice. Wherever possible, the FTC should be directed to adopt
existing standards, rather than to create new standards.
Regarding the economics of security, a recent CRS report states
that investments in cyber security cannot be easily analyzed in terms
of return on investment, since they do not contribute to income in a
measurable way. While such investments may not contribute directly to
income, their impact on the way an organization does business is
immeasurable. Information is the lifeblood of today's economy and
protecting that information--maintaining its confidentiality while
assuring its accessibility and reliability--is of the utmost
importance. Cyber security is more than just protecting names and
Social Security numbers held by data brokers. The economy depends on
the free flow of information and we need to be able to trust that
information to be what it purports to be. The issues we hear, seemingly
on a day-to-day basis--spyware, identity theft, phishing, breach
notification--are all symptoms of the larger problem of unsecured
information systems. We encourage the Congress to take a more holistic
approach to the issue of cyber security, rather than reacting to each
problem. In this context, CSIA believes that there are a number of
incentives that have not yet been investigated such as legislative safe
harbors, tax incentives, the use of cyber insurance, or other
motivating factors that would promote the use and development of
stronger security measures by information brokers.
Finally, there is very little economic data available to determine
the costs of cyber security attacks and vulnerabilities. Developing
cost estimates requires reporting of incidents as well as a common
methodology of breaking down lost productivity, system down time,
identifying vulnerabilities, testing patches, and personnel hours.
Federally funded research in this area would be of great value.
______
Response to Written Questions Submitted by Hon. Bill Nelson to
Jennifer T. Barrett
Question 1. Does Acxiom merely compile, store, and sell sensitive
consumer information? Or does your company perform analysis of such
information? Can you describe what this analysis involves? And what
sorts of analysis is your company performing generally for law
enforcement, such as the FBI?
Answer. Acxiom does compile consumer information, including SSNs
and Driver's License Numbers (DL#s), in order to develop our fraud
management products. The ``analysis'' performed in building such
products is limited to determining how to accurately integrate or
combine the multiple sources of information.
Our verification services only validate that the information our
client has obtained from the consumer is correct. There is no
``analysis'' performed in providing those services. Rather, the record
being verified is compared to the information Acxiom already possesses
and a ``match'' or ``no-match'' indicator is returned.
Only law enforcement and the internal fraud departments of large
financial institutions and insurance companies have access to
additional information in connection with these verification services.
The additional information made available to this select group of users
includes such information as previous addresses, additional SSNs or
DL#s associated with the particular consumer. Again, no ``analysis'' is
performed by Acxiom.
Acxiom's background screening products utilize field researchers
who do in-person, real-time research against public records and make
calls to past employers to verify the information provided by the
consumer. Acxiom does not pre-aggregate information for these products.
As a result, the compilation of this product is only done in
preparation of the actual report and the file is stored only for
purposes of compliance with the FCRA.
Question 2. What is the procedure for becoming an Acxiom client?
When someone becomes a client, does that client have access to all of
your company's databases for any purpose? For example, if an attorney
becomes an Acxiom client to help locate a witness, can that attorney
also use Acxiom's databases for personal or other reasons? How does
your company monitor this?
Answer. Acxiom sells its fraud management products exclusively to
very large financial services and insurance clients and law enforcement
agencies. These products are not sold to individuals, such as
attorneys.
The sales cycle for these types of clients is typically several
months long and involves many in-person visits and customized
interfaces between systems. The problem the client is trying to address
with the data, and the data to be provided by Acxiom, are fully vetted
by Acxiom's product, legal and compliance teams. Once the appropriate
Acxiom products for a particular solution are determined, the client
enters into a signed written agreement with terms and conditions of use
of the data.
Once a formal relationship is established, a client is permitted to
utilize only the data products for which it has been approved and
granted a license.
A log is kept of every transaction made by Acxiom's clients to our
fraud management products which provide access to sensitive
information. These are used for billing purposes and periodically
audited/reviewed by the product team.
Our background screening products, which are regulated by the Fair
Credit Reporting Act, are available only to employers and landlords.
All clients using these products are credentialed with such agencies as
the Better Business Bureau and, for those who receive any sensitive
information, onsite inspections of potential clients also are conducted
by Acxiom. Only pre-employment credit reports provide sensitive
information that employers or landlords do not already possess.
Question 3. Can you explain how Acxiom organizes and maintains its
sensitive consumer information? Is all information--regulated or
unregulated--contained in one database? If information is maintained
separately, can information from one database make its way into another
database? If not, how does Acxiom prevent information from migrating
from one database into others?
Answer. Acxiom builds distinct databases to support each of its
different data product lines. The only products Acxiom offers that
contain sensitive consumer information are its fraud management
products and background screening services.
Although the fraud management products are built from both
regulated and unregulated data, the entire database is maintained and
utilized as if it was all regulated.
Different Acxiom teams are responsible for the creation and
maintenance of each distinct product line and the databases from which
they are built. Only the appropriate team has access to the data within
each database. This strategy prevents the unintentional migration of
information from one database to another.
Acxiom voluntarily submits itself to external annual audits of its
information practices for the purpose of reviewing the data and data
sources utilized in each product line and to assure compliance with our
own principles, source contacts and applicable laws and regulations.
The background screening reports are provided by a separately run
subsidiary of Acxiom and are fully regulated under the Fair Credit
Reporting Act. The reports are compiled on an ``as needed'' basis by
associates and field agents who are employed by that subsidiary and who
are focused only on that business. The information in those reports is
not stored in a database and is not utilized in any other area of the
company.
Question 4. Some information brokers have cited the difficulty in
correcting consumer files, claiming that the inaccurate information is
generated from public records. But this addresses only part of the
issue. One problem is that information brokers may place information
regarding one person into another person's file. This is particularly
common with persons who have the same name. What steps does Acxiom take
to try to avoid this problem?
Answer. Acxiom utilizes all available identifying information in
consolidating the information from various sources to build the
company's data products. In the case of individuals with the same or
similar names, the use of address, telephone, date of birth and SSN, if
available, will assist in accurately differentiating between the two
persons. No one element is used to consolidate information. Rather, a
combination of elements is utilized, reducing the chance that an error
or a similarity in one element will result in an error. We also conduct
quality audits of consolidation procedures to help identify problems
and to refine our consolidation algorithms.
Access to increased information reduces chances for errors. Should
some of these elements of differentiating data become unavailable to
the information services industry, the accuracy of the consolidation
may suffer.
Question 5. To what extent does Acxiom sell sensitive consumer
information to Federal, State, and local law enforcement agencies? Does
Acxiom have any limitations on the sale of information to law
enforcement entities?
Answer. Acxiom has only one contract with the Federal Government
which involves the sale of sensitive information. We impose similar
restrictions on the sale of sensitive information to government
agencies as we do for the fraud departments of large financial
institutions and insurance companies. Examples of such restrictions
include:
Sensitive data provided to the government may only be used
to verify the accuracy of personal information for the purposes
of preventing fraud or to locate individuals.
Driver's License data must be used by the government in
compliance with the Drivers Privacy Protection Act for the
verification of accuracy of personal information. If the
personal information is incorrect, the driver's license data
may be used to obtain the correct information, but only for the
purpose of preventing fraud.
The data provided cannot be stored in any other form or used
for any other purpose unless express written permission is
received from Acxiom.
Question 6. Please describe the procedures governing who can
purchase sensitive consumer information from Acxiom. Please tell us
about the types of holes Acxiom had in its old process and how the
company is now plugging those holes.
Answer. Acxiom sells our fraud management product exclusively to
large companies and has only several dozen clients for these products.
As described earlier, only the fraud departments of large financial
institutions and insurance companies and government agencies have
access to this investigative tool which provides sensitive information.
We do not believe we have any holes in our current process for
screening clients, as that process has never been compromised. However,
after the incidents involving ChoicePoint and Lexis-Nexis, Acxiom
undertook a review of all our client credentialing procedures,
including those procedures that apply to clients with access to only
non-sensitive data. As a result of that review, which will conclude
next month, Acxiom may implement additional credentialing procedures if
such procedures are determined to be appropriate.
While the security breach Acxiom suffered in 2003 did not involve
any of Acxiom's information products and did not result in access to
any of Acxiom's sensitive data, we did make substantial technical
changes in how files are transferred to and from Acxiom by our clients,
to prevent such an incident from reoccurring.
Question 7. Does Acxiom favor giving consumers wider access to
information that the company stores about them? This is a central
principle of the legislation I have introduced. What information should
companies like Acxiom make available to consumers?
Answer. Acxiom's fraud products and the background screening
products are the only products which contain sensitive information.
Since 1997, Acxiom has voluntarily provided consumers access to the
information Acxiom has about them in the company's fraud management and
directory products. We also provide consumer access to the company's
background screening product, pursuant to the requirements of the Fair
Credit Reporting Act.
Question 8. Does Acxiom perform any audits of its systems to ensure
accuracy of the sensitive consumer information that it compiles?
Answer. Acxiom is constantly auditing its data compilation
processes, and the quality of the files it obtains, in order to assure
maximum possible accuracy. These audits include manual reviews of the
data, comparisons to other sources, and verification of the company's
consolidation procedures. Acxiom obtains sensitive data from only a few
select sources with which Acxiom has worked for years.
Question 9. What auditing does Acxiom perform on its business and
government clients? Are clients required to type in a specific
justification for each search of personal information, or do they just
see a ``click through'' agreement? How long are audit logs maintained?
Has auditing ever revealed wrongdoing that led to a client being
prosecuted for misusing personal information?
Answer. Acxiom does not allow access to data products containing
sensitive information via a ``click through'' agreement. As described
above, the problem the client is trying to address with the data, and
the data to be provided by Acxiom, are fully vetted by Acxiom's
product, legal and compliance teams. Once the appropriate Acxiom
products for a particular solution are determined, the client enters
into a signed written agreement with terms and conditions of use of the
data.
Acxiom's practice is to maintain audit logs as described above for
our fraud management products for at least 7 years.
We have never had an audit reveal wrongdoing that led to a client
being prosecuted for misusing personal information.
Question 10. To which Federal Government agencies does Acxiom sell
sensitive consumer information?
Answer. Acxiom currently provides sensitive data to only one
Federal law enforcement agency engaged in homeland security efforts.
Question 11. Does your company compile information garnered from
warranty cards filled out by consumers? If so, what companies generally
supply you with this information and how is this information stored and
used?
Answer. Acxiom does not compile information garnered from warranty
cards, but we do license general lifestyle data from sources that do.
That information is only used for marketing purposes.
Question 12. Please give a complete listing of the types of
personal information that your company maintains in all of its product
lines, including information based on DNA and biometrics.
Answer. Acxiom possesses absolutely no information based on,
derived from, or in any way related to DNA or biometrics.
Marketing Products--Acxiom develops and maintains databases
containing information on households in the U.S. for companies to use
in their marketing and customer service programs. These databases are
developed from many different sources, including:
Public Record and Publicly Available Information--Telephone
directories, website directories and listings, real property
recorder and assessor information, historical drivers license
information and historical motor vehicle information.
Data from Other Information Providers--Demographic information,
survey information and summary buyer information.
These databases do not include credit information, medical
information, Social Security Number (or other related information) or
personally identifiable information about children.
Reference Products--Acxiom develops and maintains databases
containing information about many individuals and households in the
U.S. for directory reference and fraud management purposes and provides
online links to other information provider services for use by
qualified businesses and government agencies for lawful and ethical
purposes. These databases are developed from many different sources,
including:
Public Record and Publicly Available Information--Telephone
directories; real property recorder and assessor information;
historical drivers license information; current drivers license
information, where allowed by law; historical motor vehicle
information; current motor vehicle information, where allowed
by law; deceased information; and other suppression
information.
Data from Other Information Providers--Identifying information
only (header data) from consumer reporting agencies, where
allowed by law, and information about household characteristics
collected and permissioned by the consumer.
These databases and access to other information provider services
include financial information, Social Security Number and other related
information where permitted by law. This information is provided only
to qualified businesses primarily in the finance, insurance, mortgage,
real estate and retail industries for the purpose of risk management
including verifying information about customers, issuing mortgages,
speeding transactions, employment screening and reducing the chance of
fraud. This information is also provided to government agencies for the
purposes of risk management including verifying information, employment
screening, national security and assisting law enforcement.
In order to protect the use of this information, Acxiom does not
provide any information, whether public or non-public, to individuals.
Acxiom also does not allow our clients to make any non-public
information available to an individual. Acxiom does allow our clients
to make only public record and publicly available information available
to individuals in the form of commonly used and accepted real estate
research tools and public listing searches via the Internet.
______
Response to Written Questions Submitted by Hon. Bill Nelson to
Kurt P. Sanford
Question 1. Can you explain how LexisNexis organizes and maintains
its sensitive consumer information?
Answer. LexisNexis stores all data in electronic files. Individual
records comprise databases which are distinguished by source. The
LexisNexis system has the capability to search individual sources or
search multiple data sources simultaneously in group files, each of which
is a grouping of discrete data files from multiple sources.
At Seisint, data from multiple sources is generally combined into a
group file. Even though data is combined into a group file, Seisint
retains the ability to distinguish the source from which each record in
the group file originated.
Question 1a. Is all information--regulated or unregulated--
contained in one database?
Answer. No. In a few limited instances LexisNexis has successfully
combined data from multiple sources into a group file or report,
allowing a single search to be run on the resulting group file or
report. However, regulated data either separately or combined with non-
regulated data still requires a declaration of permissible use before
access is permitted.
Similarly, at Seisint, regulated data either separately or combined
with non-regulated data still requires a declaration of permissible use
before access is permitted.
Question 1b. If information is maintained separately, can
information from one database make its way into another database?
Answer. Information from one database (source file) cannot migrate
into another database due to system constraints, permissions, data file
and record structure. However, in a few limited instances we have
purposefully combined data into group files and reports for ease of use
by our customers, as described above.
Question 1c. If not, how does LexisNexis prevent information from
migrating from one database into others?
Answer. N/A.
Question 2. Some information brokers have cited the difficulty in
correcting consumer files, claiming that the inaccurate information is
generated from public records. But this addresses only part of the
issue. One problem is that information brokers may place information
regarding one person into another person's file. This is particularly
common with persons who have the same name. What steps does LexisNexis
take to try to avoid this problem?
Answer. To be linked, data must match on multiple data elements
such as name and Social Security number, or name, address and telephone
number, or some similar combination of multiple data elements. We
investigate reported mismatches. If we confirm an error, we take steps
to correct the error. If it is our error we correct it, otherwise we
direct the consumer to the originating source so that consumer can
pursue correction directly with the source.
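The multi-element matching that the Acxiom answer to Question 4 above and this LexisNexis answer both describe, as an added illustration that is not the companies' own code and is not part of the hearing record: records are linked only when a whole combination of elements agrees, so two people who share a name stay separate. The link rules and the sample records (names, SSNs, addresses, phone numbers) are constructed for this example.

```python
"""Consolidating records on combinations of identifying elements.

Added illustration, not code from Acxiom, LexisNexis or the hearing.
The link rules and sample records are constructed for this example;
the SSNs, addresses and phone numbers are made up.
"""
import re
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    rid: str
    name: str
    ssn: Optional[str] = None
    address: Optional[str] = None
    phone: Optional[str] = None
    dob: Optional[str] = None


# Combinations of elements that, taken together, are treated as sufficient
# to link two records.  A name alone is never a rule, so two people who
# share a name are not merged unless the other elements also agree.
LINK_RULES: Tuple[Tuple[str, ...], ...] = (
    ("name", "ssn"),
    ("name", "address", "phone"),
    ("name", "dob", "address"),
)


def norm(value: Optional[str]) -> Optional[str]:
    """Lower-case and strip punctuation/whitespace, so '555-0100' == '(555) 0100'."""
    if value is None:
        return None
    cleaned = re.sub(r"[^a-z0-9]", "", value.lower())
    return cleaned or None


def link_rule(a: Record, b: Record) -> Optional[Tuple[str, ...]]:
    """Return the first rule under which a and b match, or None.

    Every element named in a rule must be present on BOTH records and agree
    after normalisation; a missing element never counts as a match.
    """
    for rule in LINK_RULES:
        if all(
            norm(getattr(a, f)) is not None
            and norm(getattr(a, f)) == norm(getattr(b, f))
            for f in rule
        ):
            return rule
    return None


def consolidate(records: List[Record]) -> List[List[str]]:
    """Group record ids into clusters; links are transitive (union-find)."""
    parent = {r.rid: r.rid for r in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(records, 2):
        if link_rule(a, b) is not None:
            parent[find(a.rid)] = find(b.rid)

    clusters: Dict[str, List[str]] = {}
    for r in records:
        clusters.setdefault(find(r.rid), []).append(r.rid)
    return sorted(sorted(c) for c in clusters.values())


# Constructed sample: three "John Smith" records plus an unrelated person.
SAMPLE_RECORDS = [
    Record("A", "John Smith", ssn="123-45-6789", address="1 Elm St", phone="555-0100"),
    # Same person as A: no SSN on file, but address and phone agree.
    Record("B", "JOHN SMITH", address="1 Elm St.", phone="(555) 0100"),
    # A different John Smith: different SSN, address and phone.
    Record("C", "John Smith", ssn="987-65-4321", address="9 Oak Ave", phone="555-0199"),
    # Same name and address as C, but no phone, DOB or SSN: not enough to link.
    Record("D", "John Smith", address="9 Oak Ave"),
    Record("E", "Jane Doe", ssn="111-22-3333", address="4 Pine Rd", phone="555-0111"),
]

if __name__ == "__main__":
    for cluster in consolidate(SAMPLE_RECORDS):
        print(cluster)  # [['A', 'B'], ['C'], ['D'], ['E']]
```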
Question 3. To what extent does LexisNexis sell sensitive consumer
information to Federal, State, and local law enforcement agencies?
Answer. The vast majority of information available through
LexisNexis comes from public records, court decisions, statutes, and
other open source publications like newspapers, periodicals, and
directories. ``Sensitive information'' on LexisNexis is limited to full
Social Security numbers obtained from nonpublic sources such as credit
headers, in accordance with both the Fair Credit Reporting Act (FCRA)
and the privacy provisions of the Gramm-Leach-Bliley Financial Services
Modernization Act (GLBA), and drivers license numbers obtained from
State departments of motor vehicles in compliance with Federal and
state implementations of the Drivers Privacy Protection Act (DPPA).
Sensitive information, as defined above, is made available to
Federal, State, and local law enforcement agencies where such agencies
certify that their access is in compliance with and expressly permitted
under the provisions of the applicable laws.
Question 3a. Does LexisNexis have any limitations on the sale of
information to law enforcement entities?
Answer. Yes. Law enforcement use of regulated data is limited to only those
uses specifically permitted under the GLBA and DPPA.
Question 4. Please describe the procedures governing who can
purchase sensitive consumer information from LexisNexis.
Answer. Access to sensitive information is limited to those
customers with a permissible purpose under DPPA or GLBA. Prior to
entering into a contract with LexisNexis, a customer must disclose its
intended purpose for the data, which must correspond to one or more of
the permissible purposes under the GLBA and/or the DPPA. In addition,
the customer must qualify as an authorized user and must certify that
it has one of a limited number of authorized uses. LexisNexis has the
right to review and audit the customer's use to ensure compliance with
terms of the agreement.
Question 4a. Please tell us about the types of holes LexisNexis had
in its old process and how the company is now plugging those holes.
Answer. The security incidents we uncovered primarily involved
unauthorized persons misusing IDs and passwords of legitimate Seisint
customers. As a result, we have enhanced our business practices and
policies involving the issuance and administration of customer IDs and
passwords. These include:
Changing customer password security processes to require
that passwords for both system administrators and users be
changed at least every 90 days;
Suspending customer passwords of system administrators and
users that have been inactive for 90 days;
Suspending customer passwords after five unsuccessful login
attempts and requiring them to contact Customer Support to
ensure security and appropriate reactivation; and
Requiring that system administrators review the list of
employees issued IDs and passwords to ensure that access is
terminated when an employee leaves the company.
Question 5. Does LexisNexis perform any audits of its systems to
ensure accuracy of the sensitive consumer information that it compiles?
Answer. LexisNexis employs a number of procedures to test the
accuracy of sensitive information received and to test the accuracy of
this data prior to making the data available to customers. Accuracy is
measured by determining whether the data received matches the data in
the source document or record.
LexisNexis only obtains data from known, reputable sources. Credit
header data is obtained directly from the originating credit bureau,
not through brokers or other third parties.
We receive the most current data that the supplier can
provide;
Any questions arising regarding the accuracy of the content
delivered to LexisNexis are resolved quickly and effectively;
Data is delivered in the same, mutually agreed upon format,
thereby maintaining the integrity of the data conversion
process and minimizing the risk of conversion errors;
We respond to any questions regarding data accuracy brought
to our attention by consumers or others; and
Any updates, additions, or changes will be received from the
supplier.
The data conversion process is itself subject to a series of system
checks. The data is run through the conversion process where computer
systems and software check for conformance with formatting
specifications. Deviations, anomalous data, and data omissions are
noted and brought to the attention of the appropriate LexisNexis
personnel for verification, review, or remediation with the data
supplier.
Question 6. What auditing does LexisNexis perform on its business
and government clients?
Answer. LexisNexis has established systems that allow us to monitor
usage and identify abnormal usage patterns. When abnormal usage is
discovered, access is shut off and the use investigated.
Question 6a. Are clients required to type in a specific
justification for each search of personal information, or do they just
see a ``click through'' agreement?
Answer. LexisNexis does provide electronic access to applicable
terms and conditions on use for all users. These terms and conditions
keep users informed of their obligations under the written agreement.
In addition, LexisNexis employs a series of electronic notices and
responses to determine whether users have a legally permissible purpose
for accessing legally restricted, personal information such as credit
headers subject to restrictions on use under the privacy provisions of
the GLBA or driver's license records restricted under the DPPA. These
notices provide users with the permissible purposes authorized under
the applicable statutes. Unless the user indicates a specific,
enumerated permissible purpose, access is denied.
Users are given notice that records of their use of these materials
are subject to recordkeeping requirements of applicable Federal and
State laws and of data suppliers. Records are maintained of the user
ID, permissible purpose, date, and time of the search.
Question 6b. How long are audit logs maintained?
Answer. In accordance with the requirements of the DPPA, records of
the identity of the user and of the applicable permitted use must be
maintained for at least 5 years for searches involving information
covered by that statute.
Question 6c. Has auditing ever revealed wrongdoing that led to a
client being prosecuted for misusing personal information?
Answer. We have identified instances where it appeared from
searching patterns that customers could have been misusing personal
information. In those instances, system access was either suspended or
modified to avoid the possibility of improper use.
Question 7. To which Federal Government agencies does your company
sell sensitive consumer information?
Answer. LexisNexis works with virtually every agency in the Federal
Government. Some of our customers include:
Homeland Security agencies
Law enforcement agencies
Intelligence agencies
Entitlements agencies
Regulatory agencies
Revenue agencies
Question 8. Does your company compile information garnered from
warranty cards filled out by consumers?
Answer. No.
Question 8a. If so, what companies generally supply you with this
information and how is this information stored and used?
Answer. N/A.
Question 9. Please give a complete listing of the types of personal
information that your company maintains in all of its product lines,
including information based on DNA and biometrics.
Answer. The information maintained by LexisNexis falls into the
following three general classifications: public record information,
publicly available information, and non-public information.
Public record information. Public record information is information
originally obtained from government records that are available to the
public. Real estate records, court records, and professional licensing
records are examples of public record information collected and
maintained by the government for public purposes, including
dissemination to the public.
Publicly available information. Publicly available information is
information that is available to the general public from non-
governmental sources. Telephone directories are an example of publicly
available information.
Non-public information. Non-public information is information about
an individual that is not obtained directly from public record
information or publicly available information. This information comes
from proprietary or non-public sources. Non-public data maintained by
LexisNexis consists primarily of information obtained from driver's
license records, motor vehicle records or credit header data. Credit
header data is the non-financial identifying information located at the
top of a credit report, such as name, current and prior address, listed
telephone number, Social Security number, and month and year of birth.
LexisNexis does not collect or distribute personal financial
information such as credit card account information or personal medical
records. LexisNexis does not collect or maintain either DNA or
biometric data.