[Senate Hearing 109-1089]
[From the U.S. Government Publishing Office]



                                                       S. Hrg. 109-1089
 
                             IDENTITY THEFT

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 16, 2005

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation



                  U.S. GOVERNMENT PRINTING OFFICE
61-846                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                     TED STEVENS, Alaska, Chairman
JOHN McCAIN, Arizona                 DANIEL K. INOUYE, Hawaii, Co-
CONRAD BURNS, Montana                    Chairman
TRENT LOTT, Mississippi              JOHN D. ROCKEFELLER IV, West 
KAY BAILEY HUTCHISON, Texas              Virginia
OLYMPIA J. SNOWE, Maine              JOHN F. KERRY, Massachusetts
GORDON H. SMITH, Oregon              BYRON L. DORGAN, North Dakota
JOHN ENSIGN, Nevada                  BARBARA BOXER, California
GEORGE ALLEN, Virginia               BILL NELSON, Florida
JOHN E. SUNUNU, New Hampshire        MARIA CANTWELL, Washington
JIM DeMINT, South Carolina           FRANK R. LAUTENBERG, New Jersey
DAVID VITTER, Louisiana              E. BENJAMIN NELSON, Nebraska
                                     MARK PRYOR, Arkansas
             Lisa J. Sutherland, Republican Staff Director
        Christine Drager Kurth, Republican Deputy Staff Director
                David Russell, Republican Chief Counsel
   Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
   Samuel E. Whitehorn, Democratic Deputy Staff Director and General 
                                Counsel
             Lila Harper Helms, Democratic Policy Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 16, 2005....................................     1
Statement of Senator Allen.......................................    24
Statement of Senator Burns.......................................     2
Statement of Senator Inouye......................................     2
    Prepared statement...........................................     2
Statement of Senator Ben Nelson..................................    23
Statement of Senator Bill Nelson.................................     3
Statement of Senator Pryor.......................................    23
Statement of Senator Smith.......................................     1
    Prepared statement of Hon. Hardy Myers, Attorney General of 
      Oregon.....................................................    54

                               Witnesses

Feinstein, Hon. Dianne, U.S. Senator from California.............     7
Harbour, Hon. Pamela Jones, Commissioner, Federal Trade 
  Commission.....................................................    35
Hooley, Hon. Darlene, U.S. Representative from Oregon............    10
Leary, Hon. Thomas B., Commissioner, Federal Trade Commission....    34
Leibowitz, Hon. Jon, Commissioner, Federal Trade Commission......    36
Majoras, Hon. Deborah Platt, Chairman, Federal Trade Commission..    25
    Prepared statement...........................................    27
Schumer, Hon. Charles E., U.S. Senator from New York.............     4
Sorrell, Hon. William H., Vermont Attorney General; President, 
  National Association of Attorneys General......................    12
    Prepared statement...........................................    13
Swindle, Hon. Orson, Commissioner, Federal Trade Commission......    33

                                Appendix

Boxer, Hon. Barbara, U.S. Senator from California, prepared 
  statement......................................................    58
Dorgan, Hon. Byron L., U.S. Senator from North Dakota, prepared 
  statement......................................................    57
Lautenberg, Frank R., U.S. Senator from New Jersey, prepared 
  statement......................................................    59


                             IDENTITY THEFT

                              ----------                              


                        THURSDAY, JUNE 16, 2005

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m. in room 
SR-253, Russell Senate Office Building, Hon. Gordon H. Smith, 
presiding.

          OPENING STATEMENT OF HON. GORDON H. SMITH, 
                    U.S. SENATOR FROM OREGON

    Senator Smith. Ladies and gentlemen, we welcome you to this 
hearing of the Senate Commerce Committee.
    I thank our witnesses for being here today. Today's hearing 
takes place against the backdrop of one of the most rapidly 
growing crimes in America, identify theft. We'll hear from the 
Federal Trade Commission today that over ten million Americans 
are victimized by identity thieves every year. These numbers 
translate into losses of over $55 billion per year, averaging 
over $10,000 stolen per fraudulent incident.
    In 2005 alone there were at least 43 known incidents of 
data breaches potentially affecting over 9 million individuals. 
In my own State of Oregon, we rank ninth in the Nation for 
fraud complaints and identity theft. These breaches range from 
sloppy recordkeeping and security procedures by companies to 
extremely sophisticated online thefts by computer hackers.
    Last month, this Committee held a hearing on the recent 
data breaches at ChoicePoint, Inc., and LexisNexis, and methods 
used by private industry to prevent future data breaches. At 
today's hearing, the Committee will hear testimony concerning 
the current treatment of data broker services under existing 
state and Federal privacy laws, as well as proposals of public 
solutions to mitigate future data breaches and identity theft.
    Protecting sensitive information is an issue of great 
importance for all Americans. Consumers should have confidence 
when they share their information with others that their 
information will be protected. At the same time, the ability of 
legitimate companies to access personal information certainly 
does facilitate commerce and continues to benefit consumers.
    Data broker companies perform important commercial and 
public functions through their ability to quickly and securely 
access consumer data. Following today's hearing, I will be 
introducing legislation with my colleagues of this Committee. 
The principles of our bipartisan effort will include, one, a 
national obligation for companies to have a security procedure 
in place to safeguard sensitive and personal information, and, 
two, a balanced breach notification trigger to inform consumers 
when real risks of identity theft are at stake. We need to make 
sure that this legislation strikes the right balance to ensure 
the continued existence of the critical services while ensuring 
security of personal information to prevent its misuse and 
subsequent breaches and thefts.
    I'd also like to pay a particular welcome to one of my 
fellow Oregonians, Congresswoman Darlene Hooley, who is here to 
share her thoughts with us today. She has been a great leader 
on this issue in the House of Representatives, and I 
appreciate, especially, her coming across the Hill to be with 
us today.
    Before we turn to our first panel, it's my pleasure to turn 
the mike over to the Ranking Member of this Committee, Senator 
Daniel Inouye.

              STATEMENT OF HON. DANIEL K. INOUYE, 
                    U.S. SENATOR FROM HAWAII

    Senator Inouye. Thank you very much, Mr. Chairman. I 
commend you for conducting this hearing.
    I have a statement, but you've covered it adequately. I'd 
ask unanimous consent that it be placed in the record.
    Senator Smith. Without objection.
    [The prepared statement of Senator Inouye follows:]

 Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii
    Data breach and identity theft is a serious problem that this 
Committee is committed to addressing. A 2003 Federal Trade Commission 
survey report found that during a 1-year period nearly 10 million 
Americans--or roughly 4.6 percent of the domestic adult population--
were victimized by identity thieves. Public opinion polls consistently 
find strong support among Americans for privacy rights to protect their 
personal information.
    The FTC and others have been working diligently to come up with a 
Federal legislative solution to protect America's consumers from the 
data breaches that lead to identity theft.
    Any solution must include a provision that notifies consumers of 
data breaches so that they can protect themselves from the misuse of 
their personal information. In addition, consumers deserve to have 
certain rights in their dealings with the information industry, and to 
have those rights protected by their government.
    Senator Bill Nelson has undertaken a tremendous amount of work on 
this issue, and I appreciate his interest and guidance. We are looking 
forward to working in bipartisan friendship with Chairman Stevens and 
Senator Smith to produce a bill that serves American consumers and 
allows them to take advantage of our great marketplace without fear.

    Senator Smith. Senator Burns, do you have an opening 
statement?

                STATEMENT OF HON. CONRAD BURNS, 
                   U.S. SENATOR FROM MONTANA

    Senator Burns. I do, and I shall be brief, Mr. Chairman.
    I want to thank you and Senator Stevens for setting this 
hearing up today, and I want to congratulate you for all the 
hard work you've done on this issue. I don't think there's 
anybody in the country that I don't talk to that doesn't fear 
identity theft. We've had all kinds of news articles and 
information on identity theft and how it has harmed them with 
regard to credit cards and multiple other situations. It's 
timely.
    And it is something that we've been dealing with here on 
this Committee a long time, all the way back to wherever we 
started to become really aware how big Internet commerce is and 
the dangers that were out there through the encryption debate, 
security and safety debates, and through spam and ham and 
everything else--we went through all of that--and yet we still 
have--problems keep cropping up about the shortfalls that we 
have been guilty of here in protecting people's security and, 
of course, their privacy. And privacy is utmost in the minds of 
a lot of people. They have a right to be concerned, and they're 
very angry about this situation.
    I look forward to hearing the witnesses today. I also 
would--after these witnesses we can draw some sort of a 
conclusion that there might be legislation; and, if there is, I 
will be very supportive of what Senator Smith and the rest of 
the people in this Committee do, and would hope that we have 
some sort of input.
    But we've also got to be careful on this issue, because we 
sure could throw the baby out with the bath water. There's a 
very fine line. The services that data brokers provide help 
make business more efficient, they keep costs low for all 
Americans across a wide range of services, from mortgage rates 
to online shopping and a wide range of financial services. So, 
we need to make sure that we preserve the positive uses of this 
data, as well.
    And, of course, I look forward to working with you and the 
rest--and the balance of the Members of this Committee, because 
it is timely, it is necessary, and we've got to do it right.
    Thank you.
    Senator Smith. Thank you, Senator Burns.
    Senator Nelson?

                STATEMENT OF HON. BILL NELSON, 
                   U.S. SENATOR FROM FLORIDA

    Senator Bill Nelson. Mr. Chairman, thank you for holding 
this hearing, and thank you for your personal interest.
    One of the bills that is in front of us, Mr. Chairman, is 
the bill that Senator Schumer and I have filed. The hearing is 
timely, because we just had another example of missing records, 
to the tune of 3.9 million records. We don't know if it's 
identity theft, but it's certainly subject to identity theft, 
because they are now missing. And if you add up all of the 
records that have been lost, missing, or stolen, starting back 
with ChoicePoint, which is the Georgia company that first came 
to light because of a California law that said that the people 
whose records were missing had to be notified--that was just a 
few months ago--in that short period of time, 8.8 million 
people's records are missing.
    Now, if this isn't an eye-opening threat to Americans' 
privacy, then I don't know what is. And it's not only the 
individual threats and how to go about getting your identity 
back that Senator Schumer and I address in this legislation, 
but look at the national security implications, look at what a 
terrorist can do, in trying to steal someone's identity. And, 
if that's not enough, look at the threat to electronic 
commerce. Consumers are losing trust in our system of 
electronic commerce, especially when they learn about these 
huge unsecured data warehouses, and suddenly their information 
is missing. And now you will find that identity theft is the 
number-one skyrocketing consumer fraud.
    So, I believe, Mr. Chairman, that the Congress needs to act 
now. That's the timely manner. And I want to thank you again 
for holding this hearing.
    Senator Smith. Thank you, Senator Nelson. We look forward 
to sharing ideas with you on how to make a good bill better, if 
we can.
    And, in that spirit, we welcome our colleague, Senator 
Schumer here, and we'll ask you to go first, and then my fellow 
statesman, Congresswoman Darlene Hooley.
    Senator Schumer?

             STATEMENT OF HON. CHARLES E. SCHUMER, 
                   U.S. SENATOR FROM NEW YORK

    Senator Schumer. Well, thank you, Mr. Chairman. I want to 
thank you, Chairman Stevens, and Ranking Member Inouye for 
having this hearing, and more importantly is the general 
interest that this Committee has shown in this very important 
issue.
    I'd like to commend my colleague, Senator Feinstein, who I 
believe will be coming----
    Senator Smith. She has just arrived.
    Senator Schumer.--as well. Oh.
    Senator Smith. Welcome, Senator Feinstein.
    Senator Schumer. See, I didn't even know you were in the 
room.
    Senator Smith. I'm very pleased she got the memo about--
this is Seersucker day.
    Senator Feinstein. Yes.
    Senator Smith. So, I'm not the only one looking like an ice 
cream salesman here.
    [Laughter.]
    Senator Schumer. Well, I'd like to comment on my National 
Seersucker Day Resolution that----
    [Laughter.]
    Senator Schumer. Anyway, I want to thank you, and I want to 
thank Senator Feinstein for her leadership on this issue, as 
well.
    Identity theft is just everywhere. And the number of people 
who call every one of our offices for advice, just to express 
their outrage, is growing and growing and growing. It's, of 
course, natural. Technology has allowed us to transfer 
information quickly, and, Senator Burns is right, it's an 
important part of the economy, and we don't want to stop it. 
But, at the same time, given all the new technology, it makes 
information about people, which used to be just proprietary--it 
makes it valuable. These days, information about people is as 
valuable as gold, and it ought to be treated that way. We don't 
transport gold the way we transport a crate of oranges, and we 
shouldn't transport people's identities, people's information, 
the way we transport a crate of oranges. We don't store it the 
same way. We have Fort Knox. Well, we ought to store this 
information in a different way.
    The bottom line is very simple, Mr. Chairman. What bank 
robbery was to the Depression Era, identity theft is to the 
Information Age. But, in a sense, identity thieves are even 
worse than bank robbers, because they not only steal your 
money, they steal your time, your sense of security, and your 
peace of mind. That's what the thieves, the identity thieves, 
do. And unless Congress, companies, and consumers take action, 
this is an epidemic that threatens to spiral out of control.
    Senator Nelson and I believe that Congressional action must 
be quick, but it also must be comprehensive. If you plug one 
part of the loophole, the identity thieves are going to find 
another way to do it. That's what the technology allows them to 
do, all this--all of us, in the Information Age. And I'm glad 
to say that identity theft is not a partisan issue--it's not a 
Democratic issue, a Republican issue--it's a nonpartisan 
consumer and economic crisis, and there's no excuse for 
Congress failing to act in a bipartisan way.
    The legislation that Senator Nelson and I have introduced 
offers a truly comprehensive solution. Instead of just adding 
another square to the current patchwork quilt of regulations, 
our bill provides a real security blanket for the American 
consumer. To really tackle identity theft, our bill takes an 
aggressive approach in three areas.
    One, empowering consumers. The average consumer, it's 
estimated--by the FTC--who's a victim of identify theft, spends 
175 hours restoring their credit information and their credit 
integrity. That is more than four 40-hour workweeks. So, 
people, who are busy with their jobs, with their families, with 
life's joys and life's trials, have to then take a huge amount 
of time to try and restore their good name back, even though 
they did nothing wrong. So, we empower consumers, and give them 
more rights there.
    Second, we protect our most personal information. We say, 
to people who carry this information, ``You have a new special 
responsibility. You can't just say, ``Well, it wasn't my fault; 
we were just doing what we did years ago.'' What they did 10 
years ago was not good enough 5 years ago, and what they did 5 
years ago is not good enough for today.
    And, finally, what we do is, we try to make sure that 
consumers are empowered. And let me describe that. We make 
companies, of course, tell consumers when their information has 
been breached. We also require companies to tell them if the 
company plans to sell sensitive personal information they 
collect. So, consumers can make intelligent decisions about 
whom to trust. When you buy something, if somebody's going to 
use all your information, you should have a right to say, ``I 
don't want to buy it here. I want to go somewhere else, where 
they won't sell the information about me.'' We protect the 
information.
    We believe an ounce of prevention is worth a pound of cure. 
And our bill makes prevention a centerpiece of the effort 
against identity theft. We establish procedures for the FTC to 
require companies to authenticate those who try to buy 
sensitive personal information from them, to stop situations 
where companies like ChoicePoint, for example, sell their 
personal information to identity-theft rings posing as 
legitimate businesses.
    We also insist that every company that stores sensitive 
information take reasonable steps to protect it, a simple 
minimum requirement. The Federal Trade Commission recently 
applauded this provision because of its potential, in their 
words, to reduce the risk of identity theft.
    All companies who keep sensitive personal information need 
to take responsibility. They need to guard our identities as if 
they were gold, because, in the hands of identity thieves, they 
are gold.
    We also intend--we are now adding an additional provision 
to our bill to deal with the transportation or storage of 
sensitive personal information. What we've learned from what 
happened at Citigroup is that we need standards when that 
information is transported. You can't just treat it like you're 
transporting any good, because it's too valuable, it's too 
important; and, therefore, we require standards, in terms of 
transportation, depending on how much information and how 
valuable it is, and we also encourage encryption, so that, even 
if it's stolen, this identity thief is not able to use it.
    Right now, we have a better chance of tracking down a lost 
book from Amazon than some banks have had in tracking down 
millions of sensitive records lost in transit. That has to 
stop.
    And, finally, helping victims. Our bill tries to provide 
relief to the millions of Americans each year who fall victim 
to identity theft. We create an Office of Identity Theft, 
within the FTC, which will serve as a one-stop shop. When a 
consumer's identity is stolen, they can call and say, ``Help 
me. How do I deal with all the various things that I have to 
deal with because of that?''
    So, Mr. Chairman, I encourage every company in America, and 
especially in my State of New York, to do a top-to-bottom 
review of its procedures for handling consumers' sensitive 
personal information to stave off more incidents where 
information is exposed. We can--companies can do that even 
before any legislation passes, and help their customers and 
help themselves.
    In conclusion, Mr. Chairman--I see the yellow light is on--
identity theft is a serious issue that deserves real 
comprehensive action. I hope this Committee will give the 
Schumer-Nelson bill the consideration that we believe it 
deserves.
    Thank you for your interest and the opportunity to testify. 
And I apologize, I'll have to excuse myself, because--they're 
buzzing me--we have a--I need to make a quorum in the Judiciary 
Committee.
    Senator Smith. Why don't you stick around?
    [Laughter.]
    Senator Schumer. I'll come back.
    [Laughter.]
    Senator Feinstein. Ulterior motive.
    [Laughter.]
    Senator Smith. No, we understand, Senator Schumer.
    Senator Schumer. It's to make a quorum. That's good for 
you.
    Senator Smith. Oh, OK. OK.
    [Laughter.]
    Senator Schumer. How I vote may not be, but my quorum 
presence is.
    [Laughter.]
    Senator Smith. Senator Feinstein, I had announced 
Congresswoman Hooley, but does your schedule permit----
    Senator Feinstein. If there--I, also, am on Judiciary. If 
he makes the quorum----
    Senator Smith. Is that all right----
    Senator Feinstein.--I will stay----
    Senator Smith.--with you, Congresswoman Hooley?
    Senator Feinstein.--for a while.
    Senator Smith. Thank you.
    Senator Feinstein?
    Senator Feinstein. Thank you.
    For me? All right, thank you.

              STATEMENT OF HON. DIANNE FEINSTEIN, 
                  U.S. SENATOR FROM CALIFORNIA

    Senator Feinstein. I'm--can't see over the table. This is a 
first for me. I'm tall, but this chair--if you don't mind, I'll 
just move one.
    Mr. Chairman, I--and Ranking Member Inouye and Members on 
both sides--I've been working on this issue for over 3 years 
now. It has to do, really, with privacy. And I think most 
people don't understand----
    Senator Burns. Senator, could you pull that up so everybody 
can hear?
    Senator Feinstein. Sorry. I think--my low voice? Yes. I 
think most people don't understand that virtually everything 
they buy, do--when they buy from a catalog, when they buy 
insurance, when they buy a car, when they mortgage a home, when 
they get a loan--that all of that data is collated, and it has 
become big business. It's sold by banks to their affiliates. 
Citibank, I believe, sells to thousands of different 
businesses, all this data. And its database companies have 
developed programs which compile this data and then sell it 
out.
    Well, identity theft has become the largest-growing crime 
in America, with ten million victims. It's bigger than all of 
the theft and burglary in history was, in terms of loss. And 
nobody knows that their identity has been compromised.
    I've presented three bills. One is a notification bill, 
which is in Judiciary, and I'd like to have you take a look at 
it. Essentially, it says that when a database is breached, the 
data company must, within a reasonable period of time, alert 
the consumer that their data has been breached and tell them 
how to take the necessary steps to keep their credit intact.
    Notification is really important. Over the past 2 years, 
there have been 34 major data breaches. Just this morning, the 
FDIC, the second Federal agency, had its database breached, 
with people illegally, now, joining credit bureaus with data 
from that breach.
    Over the past 2 years, approximately 18,393,180 people in 
this country have been exposed or affected by identity theft. 
Last year, the total cost to individuals and businesses from 
this theft, believe it or not, was $52.6 billion. It is huge.
    Let me give you a few examples. CitiFinancial, earlier this 
month, announced that a box of computer tapes with unencrypted 
account information for 3.9 million customers had been lost in 
shipment. Look at the value of that loss. Somebody picks it up, 
they can go to Paris and sit there and assume other people's 
identities. They can be in Chicago and rip somebody off in San 
Diego. It is an insidious kind of opening.
    The Bank of America announced they lost tapes containing 
1.2 million Federal employees. ChoicePoint, 145,000. Both the 
California and Colorado Departments of Health had laptops 
stolen, which jeopardized personal information of 25,000 
residents. And the list goes on and on. DSW, LexisNexis, the 
University of California system, Boston College, HSBC, 
Ameritrade, Department of Justice, and now FDIC.
    California, in 2003, was the first state to require 
notification in the event of a data breach. Now, I believe that 
that bill is really responsible for the notice that's now being 
given throughout the United States, and that if it had not been 
for the California law, we may well not be privy to all of the 
breaches we are aware of today. So, California began a trend, 
and we're now seeing other states seeing the notification--the 
necessity of notification laws.
    At present, the states are out ahead of the Congress. 
States like Arkansas, Georgia, Indiana, Montana, North Dakota, 
and Washington State are moving. Now, this creates problems, 
because different states are going to have different laws.
    Now, earlier this year I introduced a second version of my 
earlier bill--and we're still working on it--and this would 
require the Federal Government or a business notify individuals 
when there has been a breach that involves Social Security 
numbers, driver's licenses, or state identification numbers, 
and financial account information. The bill would require that 
notice be sent out, without unreasonable delay, by mail or e-
mail. It would allow for exceptions to notice for law 
enforcement and national security purposes. It would impose 
civil penalties for failures to notify, such as $1,000 per 
individual whose personal data was compromised, or not more 
than $50,000 per day while the failure to notify continues. It 
would allow individuals to place an extended fraud alert on 
their credit report to protect themselves. And it would allow 
state attorneys general to protect the interests of residents 
in their state when the Federal Government or businesses fail 
to notify individuals of a breach.
    Now, there are some contentious issues that I've found that 
I want to make you aware of.
    The first is the issue of preemption, whether preemption 
should be a floor or a ceiling. The consumer groups believe 
that the states should have the right to enter this area, as 
well. And that comes directly into conflict with the concept of 
one uniform law all across the United States. We're trying to 
work that out.
    Second, exactly what triggers notice to be given to 
individuals, and striking a balance between over-notification 
and inadequate notice in dealing with companies--that has 
become a problem.
    And, finally, whether alternative notification procedures 
or so-called safe-harbor provisions--the California bill had a 
safe-harbor provision. Consumer groups do not like a safe-
harbor provision. Businesses will adamantly oppose anything 
without a safe-harbor provision. So, we are trying to work out 
a safe-harbor provision that protects individuals against 
identity theft in certain situations.
    We also have a bill that would do something on the privacy 
issue. Senator Schumer spoke of it. I mean, consider this. Our 
Social Security number and driver's license are the two major 
breeder documents that are there. Falling into the wrong hands, 
they allow people all kinds of access. In the wrong hands, 
that's fraudulent access; but, nonetheless, it happens. 
Personal financial data and personal health data, I think, used 
for commercial purposes without the individual's assent or even 
knowledge, I believe, is wrong.
    Now, California passed a law having to do with this. The 
banks and insurance companies supported it. Then when I tried 
to do it here, the same law, they came back and opposed it, and 
killed it.
    So, we're fighting, in this whole arena, big interests out 
there who make a lot of money on these databases and don't want 
the public to receive a notice that says, ``We sell your data, 
as indicated here. May we have your permission to do so, yes or 
no?'' They don't want to do that. So, that is a significant 
issue as identity theft reaches epic proportions.
    And the last point, and the last bill that we've worked on 
now for 5 years, and it would seem so simple--it has gone to 
Finance, it runs into trouble with Finance staff--and that is 
protection through the redaction of Social Security numbers on 
public documents. And, also, both of these documents, driver's 
license and Social Security, being sold through the Internet, 
where you can buy somebody's number for $12 or $15.
    These are huge questions that this new Internet technology, 
as well as database technology, presents to the Congress. I 
think, because of the excruciating pain caused, in terms of the 
loss of identity to so many people, the inordinate cost of 
this, that Congress really has a major issue before it.
    So, I'd like to just put into your record, if I might, my 
three bills on the subject that you could take a look at and, 
obviously, do with what you wish.
    Senator Smith. We'll receive those without objection, and 
we appreciate so much your concern about the issue, Senator 
Feinstein.
    A point of clarification for me, and perhaps my colleagues. 
In your view, why did the banks support the legislation in 
California, but oppose it nationally?
    Senator Feinstein. I've had conversations with CEOs on this 
subject. And one of the things, banks are buying more 
industries, and they want to be able to share this information 
with those industries. So, there is a question of liaison, 
there is a question of transmitting data within those 
industries. Now, what happens is, with--you have data breaches 
which is happening. This is exposing literally tens of millions 
of people. And it's all without their knowledge. So, this has 
added an additional dimension.
    The bill that I'm speaking of, that you just asked about, 
Senator Smith, actually was before we knew about these database 
breaches. The database breaches, I think, gives more momentum 
to my--we'll see, because there are powerful interests.
    Senator Smith. Well, thank you for your interest in this 
very important legislation, and we'll look forward to working 
with the ideas in your bill, and perhaps ultimately 
incorporating many, or most, into a Committee bill.
    Senator Feinstein. Thanks very much, I appreciate it.
    Senator Smith. Thank you.
    Senator Feinstein. Thank you.
    Senator Smith. Congresswoman Hooley, the mike is yours.

               STATEMENT OF HON. DARLENE HOOLEY, 
                U.S. REPRESENTATIVE FROM OREGON

    Ms. Hooley. Thank you, Chairman Smith. And I really 
appreciate the opportunity to testify in front of you. Thanks 
to all the Committee Members and Ranking Member Inouye.
    I am one of millions of former credit-card fraud victims 
and a Member of the House Financial Services Committee, and 
I've had a long interest in protecting consumers from potential 
identity theft. I'm delighted that you're working on this, that 
you're going to introduce a bill on this, and I hope it is as 
comprehensive as you can make it.
    When I started on this issue about 6 years ago, there were 
thousands of victims of identity theft. Today, there are over 
ten million victims of identity theft, and it is growing. This 
is a way to steal your money without putting a gun to your 
head. They can do it over the Internet and through computers. 
It represents a fundamental threat to our e-commerce, to our 
overall economy and, frankly, to our homeland security. We are 
no longer facing just hobby hackers; these are skilled 
criminals. ID theft is big business. It is imperative that 
Congress and the private sector work together to make certain 
that sensitive personal information is protected.
    Congress, last year, with the passage of the FACT Act, 
provided landmark consumer protections, including free annual 
access to credit reports. We know that if people know what's on 
their credit report, they will take some responsibility to make 
sure that credit report is accurate. We have to build on that 
success.
    We all know that there were recent high-profile data-
security breaches. You've heard all about them from the other 
two Members. And what that does is undermine the public 
confidence in the data-security practices of U.S. companies 
that have exposed millions of consumers to potential fraud and 
identity theft. Theft of thousands of consumer files from 
companies like ChoicePoint and LexisNexis illustrate how 
broadly our private information is collected and sold without 
our knowledge or consent, and how vulnerable these private 
databases are to both traditional and high-tech forms of theft.
    There are many consumers who think, ``Oh, I've kept tight 
control over my personal and financial information,'' but they 
can still be a victim of identity theft, because companies that 
seek to profit from their personal information may have 
inadequate security standards, or businesses may fall victims 
to criminal activities.
    With respect to data breaches, there are immediate steps. 
First of all, data brokers should be required to operate by the 
same information-sharing standards and consumer protections as 
consumer-reporting agencies. Because credit reports contain 
confidential personal information, the Fair Credit Report Act 
only allows an individual's credit report to be released to 
certain people for clearly defined purposes. FCRA requires that 
consumer-reporting agencies certify the purpose for which the 
report is being obtained, and that that report will not be used 
for any other purpose. Despite harboring similar sensitive 
personal information, data brokers currently face no such 
restrictions.
    Second, Congress should impose data-security obligations 
and standards on data brokers and consumer-reporting agencies 
as the Gramm-Leach-Bliley Act requires of regulated financial 
institutions.
    Third, Congress should establish uniform requirements for 
data brokers, consumer-reporting agencies, and financial 
institutions to notify consumers. And, again, I think, in all 
of your bills, there are notification procedures, and that has 
to be a balance. Congress should include in such a notice the 
date of the breach, specific information that was acquired, the 
actions being taken by the consumer-reporting agencies, 
financial institution, or data broker, an explanation of how a 
consumer may obtain a copy of their consumer report free of 
charge, and how they may place fraud alert on their consumer 
reports to discourage unauthorized use, and a toll-free number 
where consumers can obtain additional information about the 
security breach and their options to protect their consumer 
file.
    Finally, Congress must place greater responsibility on 
retail merchants to protect their customer payment account 
information.
    By accomplishing these initial goals, Congress will provide 
consumers with the protections they deserve, and provide the 
clarity and uniformity that industry needs in order to service 
their customers.
    In addition, there are a whole host of identity-theft 
proposals that I think warrant further examination and vigorous 
debate, and I'm just going to go through a very quick list. 
One, people have talked about--I think it needs to be 
examined--an Office of ID Theft Czar at the FTC, or elsewhere. 
You need more money in the Department of Justice and Secret 
Service to investigate and prosecute perpetrators of mass ID 
fraud. I think you need to allow consumers to protect their 
consumer file with optional credit freezes, encourage industry 
and consumer use of a second-factor authentication, effective 
Federal legislation to combat the practice of phishing and 
pharming--and that's with a ``p,'' and not an ``f ''--explore 
effective biometric technology; and, last, but not least, I 
think you have to seriously look at methamphetamine. There is 
an incredibly close alliance between meth use and ID theft. And 
if you don't go on the track of trying to stop 
methamphetamines, it will only help identity theft grow.
    Thank you again, very much, for this opportunity to testify 
in front of the Committee.
    Senator Smith. Thank you very much, Darlene. And I want to 
highlight--what you just said as your last point, and that is 
the linkage between methamphetamines and identity theft. Many 
of the crimes that are committed by methamphetamine users 
relate to identity theft because of the kinds of resources and 
information that they are able to glean from this practice. So, 
it has an implication well beyond just someone's finances. 
Sometimes they're being put in touch without their notice or 
knowledge, with some pretty shady characters peddling one of 
the worst of the drugs in our society, that is truly becoming a 
plague across our whole country.
    Thank you very much.
    Ms. Hooley. You're welcome. Thank you.
    Senator Smith. Appreciate your being here.
    I have been asked by several Members of the Committee to 
allow Mr. Sorrell, the President of the National Association of 
Attorneys General, to testify very briefly, before the FTC, 
because his statement is short and the Committee has a few 
questions for him. The normal protocol is for the FTC to 
testify first, but I'm asking for the indulgence of the 
Committee to allow this to occur.
    So, Mr. Sorrell, if you will come forward, we'll receive 
your testimony.

         STATEMENT OF HON. WILLIAM H. SORRELL, VERMONT 
ATTORNEY GENERAL; PRESIDENT, NATIONAL ASSOCIATION OF ATTORNEYS 
                            GENERAL

    Mr. Sorrell. Thank you, Senator Smith, members of the 
Committee. I appreciate your giving me the opportunity to 
appear before you today to speak on these important issues.
    I am currently the President of the National Association of 
Attorneys General, but I have not consulted with all of my 
colleagues about the substance of my testimony. I'm confident 
that most, if not all, would agree with the sentiments that I 
will express today, and have expressed in my prepared, or 
filed, testimony. But please let me testify as the Attorney 
General of Vermont today.
    Senator Smith. Thank you. You're welcome.
    Mr. Sorrell. And I assume, Senator, that my pre-filed 
testimony will be made part of the record.
    Senator Smith. We'll include it in the record, if there's 
no objection. Hearing none, so ordered.
    Mr. Sorrell. And if you'd allow me, Senator, I didn't know 
that Seersucker suits were allowed attire today, and--I have 
one, and I don't find many opportunities in Vermont to wear it, 
so I'm sorry I didn't get that information.
    [Laughter.]
    Senator Smith. We've adopted it, above the Mason-Dixon 
Line, at the urging of our southern colleagues.
    [Laughter.]
    Senator Smith. And thank you, Senator Nelson, for wearing 
yours today.
    [Laughter.]
    Senator Smith. And Senator Snowe, from Maine, absolutely.
    Mr. Sorrell. As our culture changes, the way we go about 
our commerce changes, not only for legitimate businesses, but 
those scam-artists and thieves who, maybe in the past, broke 
into our homes to steal our jewelry, our televisions, our 
computers, our stereos, or whatever. But the reality is--and 
we, as individuals, we lock our doors, we lock our cars, we 
park in well-lit areas, we try to protect ourselves--but the 
reality is that, quite apart from our cash assets and other 
valuables--is that, as our economy has changed, our truly 
valuable assets are frequently not our possessions, but our 
access to credit. And we can't lock our doors in the same way 
to protect ourselves from those who want to access our credit 
or to, in this information and electronic age, to withdraw the 
assets that we have with financial institutions. And, frankly, 
consumers need government help to allow us to figuratively lock 
our doors and protect ourselves from identity theft. We've 
heard the earlier testimony today--I'm sure we'll hear more 
from the Commission--about, you know, ten million Americans 
victimized by identity theft, the number of hours that it takes 
to try to regain your good name when you're the victim of 
identity theft. And, you know, it's like the crime that keeps 
victimizing you. As you try to access credit after someone has 
assumed your identity, and scammed either you individually or 
businesses to the tune of $50 billion a year in a crime that is 
continuing to escalate.
    And so, we do need government assistance to protect our 
personal information. And I think we all owe a debt of 
gratitude to the legislators of California for enacting their 
security-breach notification law. But for the existence of the 
law--I don't think we would be focused as much today as we are, 
but for the California law and the ChoicePoint and then the 
subsequent disclosures, which seem to be escalating in numbers 
and volume of records and individuals affected. It's almost a 
daily, certainly a weekly, occurrence of new security breaches 
coming to the fore.
    The states have followed California's lead. And a handful 
of states have passed their own security-breach laws. Many 
other state legislators are considering doing the same. We 
believe, and strongly encourage, that there be a Federal 
security-breach notification law. At the same time, we remain 
concerned that what is done federally remain a floor, and not a 
ceiling. Similar to what you did with the Gramm-Leach-Bliley 
legislation, several years back, where you adopted a national 
opt-out standard for financial institutions, banks, insurance 
companies to traffic in our personal information, you allowed 
states, if they wished, to go further. Vermont was one of the 
states that took advantage of your lack of preemption; and so, 
a more protective standard of opt-in standard is the law in 
Vermont. And for those who feel that there has to be one 
standard, we can't have these patchwork quilt--a quilt of 
regulations--the Vermont economy has not suffered. Banks, 
financial institutions, and insurance companies have continued 
to come into Vermont since the more protective opt-in standard 
has been implemented. So, we ask for a Federal law, 
notification law, a floor, not a ceiling.
    Similarly, we ask you to enact a Federal unified, one-place 
program to regulate data brokers. Again, that is a floor, and 
not a ceiling. We ask you to strengthen the so-called safeguard 
rules under Gramm-Leach-Bliley to require definitive minimum 
standards--minimum standards--for information security and 
ensure that these rules are written broadly enough to cover 
data brokers. And, finally, we just ask you to recognize the 
important role of state legislatures and state regulators and 
enforcement authorities in the development of laws in this area 
of security breaches and security freeze legislation.
    [The prepared statement of Mr. Sorrell follows:]

  Prepared Statement of William H. Sorrell, Vermont Attorney General; 
          President, National Association of Attorneys General

I. Introduction
    Chairman Stevens, Co-Chairman Inouye, and honorable Members of the 
Committee, I am William H. Sorrell, Attorney General of the State of 
Vermont and President of the National Association of Attorneys General. 
I very much appreciate the opportunity to appear before you today to 
discuss security breaches relating to personal information of consumers 
and to discuss my recommendations for addressing some of the problems 
in this area.
    The public has become aware of numerous incidences of security 
breaches in the past 2 months as a result of California's innovative 
security breach notification laws. These security breaches expose 
millions of consumers to potential identity theft, a serious and 
rapidly growing crime that now costs our Nation $50 billion per year. I 
make the following recommendations to address the problems of security 
breaches:

   Enact a Federal security breach notification law that 
        doesn't preempt more-protective state laws.

   Enact a unified Federal program for regulation of data 
        brokers that doesn't preempt more-protective state laws.

   Strengthen the Gramm-Leach-Bliley ``Safeguards Rules'' to 
        require definitive minimum standards for information security, 
        and ensure that these rules cover data brokers.

   Recognize the important role of state legislative and law 
        enforcement efforts, particularly in developing security freeze 
        laws.

II. The Growth of Security Breaches
    Over the past several months, consumers, law enforcement officials, 
and policymakers have learned about a rising incidence of security 
breaches at private companies and public institutions that have exposed 
consumers' personal information to unauthorized third parties. 
Separately, these breaches involve the personal information in tens of 
thousands, hundreds of thousands, and even millions of records about 
consumers nationwide.

A. Numerous Serious Incidences of Security Breaches Have Occurred Since 
        2002
    Nine known incidences of serious security breaches have occurred in 
the past few years. It is instructive to examine each one in some 
detail.

   Ford Motor Credit: In 2002, three individuals were arrested 
        for downloading credit reports on more than 30,000 consumers, 
        and then selling the credit reports to street criminals who 
        emptied the victims' bank accounts and opened credit cards in 
        their names. The scheme centered on an employee of Teledata, a 
        company that provides credit reports to banks and other 
        lenders. The employee stole the passwords and codes of Teledata 
        clients, such as Ford Motor Company, in order to download 
        credit reports from the three major credit reporting agencies. 
        Over a 10-month period, the password and code for Ford Motor 
        Credit alone was used to download 13,000 credit reports from 
        just one credit reporting agency, Experian. Losses were 
        originally calculated at $2.7 million, but were expected to 
        rise significantly in the weeks after the arrest.\1\

   Acxiom: In 2003, the records of an unknown number of 
        consumers were stolen from Acxiom, a commercial data broker 
        based in Little Rock, Arkansas. Hackers were able to download 
        the passwords of 300 business accounts on Acxiom's system, 
        costing the company $5.8 million in losses.\2\

   ChoicePoint: In February 2005, ChoicePoint notified 144,000 
        consumers nationwide that their personal data may have been 
        accessed by ``unauthorized third parties'' posing as small-
        business customers. ChoicePoint, an Atlanta-based data broker 
        and specialty credit reporting agency with databases that 
        contain 19 billion public records about consumers and 
        businesses, reported that identity thieves created as many as 
        50 fake companies that posed as customers and gained access to 
        consumer data.\3\ The Los Angeles, California, Sheriff's 
        Department estimates that the number of consumers whose 
        personal data has been compromised is in the millions.\4\

   Bank of America: Also in February 2005, Bank of America 
        announced that it lost computer back-up tapes containing 
        personal information, including names and Social Security 
        numbers (SSNs), relating to 1.2 million Federal workers. The 
        tapes had been lost 2 months earlier in December 2004. Bank of 
        America received permission from its Federal regulators to 
        notify consumers about the security problem in mid-February.\5\

   DSW Shoe Warehouse: On March 8, 2005, DSW Shoe Warehouse 
        announced the theft of credit card information, including 
        account numbers and customer names, relating to customers at 
        more than 100 of its 175 stores. The theft took place over a 
        three-month period beginning in early December 2004. The theft 
        was originally reported to affect ``more than 100,000'' 
        consumers. On April 18, 2005, DSW disclosed that the number of 
        affected consumers was 1.4 million, 10 times as many as 
        originally reported. DSW is a subsidiary of Retail Ventures, 
        Inc., based in Columbus, Ohio.\6\

   LexisNexis: On March 10, 2005, LexisNexis owner Reed 
        Elsevier PLC announced that records of about 32,000 consumers 
        were accessed and compromised when intruders used log-ins and 
        passwords of a few legitimate customers to obtain access to a 
        database of public records. The records included names, 
        addresses, SSNs, and driver's license numbers. The breach 
        occurred at Boca Raton, Florida-based Seisint, a data broker 
        recently purchased by Reed Elsevier and integrated into 
        LexisNexis. Seisint stores millions of personal records about 
        consumers nationwide.\7\ On April 12, 2005, LexisNexis 
        announced that an additional 280,000 consumers nationwide had 
        been affected by other security breaches of Seisint data over 
        the past 2 years.\8\

   Boston College: In late March 2005, Boston College notified 
        106,000 alumni that a hacker had gained access to a computer 
        database containing their personal information. College 
        officials stated that they had to tell the affected alumni 
        living in California about the theft due to California's 
        notification law. The officials therefore decided to tell 
        alumni who live in other states, too, to help them limit their 
        exposure to identity theft.\9\

   University of California: On April 1, 2005, University of 
        California-Berkeley officials announced that a laptop computer 
        containing information about 98,000 students and alumni had 
        been stolen a month earlier. The information, including names, 
        SSNs, and in some instances birth dates and addresses, was 
        unencrypted, although the laptop was password-protected. This 
        breach followed another incident at UC-Berkeley in September 
        2004 in which a hacker obtained the names, SSNs, and other 
        identifying information belonging to 600,000 people.\10\

   San Jose Medical Group: On April 8, 2005, the San Jose 
        (California) Medical Group notified nearly 185,000 current and 
        former patients that their financial and medical records might 
        have been exposed following the theft of computers. The theft 
        occurred after the group copied patient and financial 
        information from its secure servers to two local PCs as part of 
        a patient billing project and the group's year-end audit.\11\

   Ameritrade: On April 19, 2005, Ameritrade reported that 
        account information relating to as many as 200,000 customers 
        may have been lost when a package containing tapes with back-up 
        information on customers' accounts went missing. A shipping 
        company Ameritrade uses misplaced the tapes.\12\

   HSBC/Ralph Lauren: On April 13, 2005, the British financial 
        firm HSBC announced that criminals may have obtained access to 
        credit card information of at least 180,000 consumers who used 
        MasterCard credit cards to make purchases at Polo Ralph Lauren 
        Corp. The circumstances that led to the breach have remained 
        murky. Although the letter sent by HSBC told affected consumers 
        that the financial firm was ``unaware of any fraudulent 
        activity on your account,'' HSBC advised consumers to replace 
        their credit cards.\13\

   Time Warner: On May 3, 2005, Time Warner announced that a 
        cooler-sized container of computer tapes containing personal 
        information about 600,000 current and former employees was lost 
        by data-storage company Iron Mountain, Inc., based in Boston, 
        apparently during a truck ride to a data-storage facility. The 
        lost tapes contained the names and SSNs, as well as other data, 
        about 85,000 current and over 500,000 former employees dating 
        to 1986.\14\

   Bank of America, Commerce Bank, PNC Bank, and Wachovia: On 
        May 23, 2005, Hackensack, New Jersey, police announced that 
        bank employees may have stolen financial records of 700,000 
        customers of four banks: Charlotte, North Carolina-based Bank 
        of America and Wachovia, Cherry Hill, New Jersey-based Commerce 
        Bank, and PNC Bank of Pittsburgh. The bank employees sold the 
        financial records to collection agencies, according to the 
        police.\15\

   CitiFinancial: On June 6, 2005, CitiFinancial, the consumer 
        finance division of Citigroup, Inc., said that computer tapes 
        containing personal data relating to 3.9 million U.S. customers 
        had been lost by shipper UPS. The data included account 
        information, payment histories, and SSNs.\16\

    Several conclusions can be drawn from a review of these events. 
Hackers and identity thieves employ both high-tech means for stealing 
passwords and other log-in information to access consumers' personal 
information, as evidenced by the LexisNexis and Acxiom breaches, as 
well as low-tech techniques to breach information systems, as evidenced 
by the ChoicePoint incident. Other security breaches, such as those 
experienced by CitiFinancial, Time Warner, and HSBC, reveal gaps in 
offline handling of personal information, including trucking, air 
transport, and other traditional logistical systems. In addition, 
although the pace of disclosures about these breaches has accelerated 
over the past few months, it is safe to presume that breaches have been 
occurring regularly over the past several years. What has changed is 
not the existence of the problem, but rather the public's awareness of 
it.

B. The Public Has Learned About These Breaches As a Result of 
        California's 
        Security Breach Notification Laws
    On July 1, 2003, California's security breach notification laws 
went into effect. These laws require businesses and California public 
institutions to notify the public about any breach of the security of 
their computer information system where unencrypted personal 
information was, or is reasonably believed to have been, acquired by an 
unauthorized person.\17\ California's laws require that the notice be 
given without unreasonable delay and consistent with the legitimate 
needs of law enforcement, who can request a delay in notification if 
the notice would impede a criminal investigation of the incidence.\18\ 
``Personal Information'' is defined as an individual's first name or 
first initial and last name in combination with any one or more of the 
following data elements, when either the name or the data element is 
not encrypted:

   Social Security number.

   Driver's license number or California Identification Card 
        number.

   Account number, credit or debit card number, in combination 
        with any required security code, access code, or password that 
        would permit access to an individual's financial account.\19\

    The California law allows a business or public institution to 
satisfy the notice requirement in several ways: written notice through 
the mail; electronic notice in conformity with the Federal Electronic 
Signatures Act; \20\ substitute notice through e-mail, website 
publication, and major statewide news media if more than 500,000 
consumers are affected; or in conformity with the business's or 
institution's own notification system, if it meets the timeliness 
requirements of the California security breach notification laws.\21\
    California's unique and innovative laws in this area have ensured 
awareness of the growing problem of data leaks that are plaguing our 
Nation's businesses and public institutions.

III. The Effect of Security Breaches
    Identity theft, already a growing problem, is likely to grow even 
more rapidly as a result of security breaches. These data leaks expose 
consumers to the threat of identity theft by the criminals who gain 
access to consumers' personal information. MSNBC has noted that in the 
six-week period from mid-February through early April, the rash of data 
heists has exposed more than two million U.S. consumers to possible 
identity theft.\22\ Since that time, an additional 4.6 million U.S. 
consumers and employees have been exposed to possible identity theft, 
bringing the total number of consumers affected by data heists in 2005 
to 6.6 million U.S. consumers and employees.
    Current estimates of the incidence of identity theft in the United 
States are disturbingly high. According to a survey released in January 
2005 by Javelin Strategy & Research, about 9.3 million U.S. adults were 
victims of identity theft between October 2003 and September 2004.\23\
    Even though the vast majority of victims of identity theft do not 
report the crime to law enforcement authorities or credit bureaus,\24\ 
the reported incidence of identity theft has grown dramatically. The 
Federal Trade Commission reported in February 2005 that the number of 
identity theft complaints submitted to its Consumer Sentinel database 
has grown from 161,896 in 2002 to 246,570 in 2004,\25\ representing a 
growth rate of more than 50 percent in 2 years. Victims' information is 
misused to perpetrate financial fraud in the vast majority of cases: 
fraud involving credit cards, checking and savings accounts, and 
electronic funds transfers represented 46 percent of the complaints in 
2004.\26\ Out of the 50 Metropolitan Statistical Areas that have 
generated the greatest number of complaints relative to population, six 
are in California, four are in Texas, three each in of New York, Ohio, 
Pennsylvania, and Wisconsin, and two are in Illinois.\27\ Arizona 
victims of identity theft have filed the largest number of complaints 
relative to population, followed by Nevada, California, Texas, 
Colorado, Florida, New York, Washington, Oregon, and Illinois.\28\
    Identity theft has a deeply negative impact on our Nation's 
economy. According to a survey published by the Federal Trade 
Commission in September 2003, the total cost of identity theft 
approaches $50 billion per year, with victims bearing about $5 billion 
of the losses and businesses bearing the remaining $45 billion. \29\ 
The average loss from the misuse of a victim's personal information is 
$4,800, but for victims who had new credit card and other accounts 
opened in their name, the average loss is $10,200. \30\ Overall, 
victims spent almost 300 million hours resolving problems relating to 
identity theft in 1 year, with almost two-thirds of this time--194 
million hours--spent by victims who had new credit card and other 
accounts opened in their name. \31\

IV. Consumers' and State Officials' Concerns about Security Breaches
    The recent rash of information heists has had several important 
effects on the state and local level. Consumers have expressed concern 
about their current level of knowledge of security breaches and what 
they realistically can do if they become a victim. State Attorneys 
General and other state and local officials have taken action in a 
number of areas to resolve these concerns.

A. Consumers Across the Nation Want to Receive Notice of Security 
        Breaches
    The citizens of California have received notice of security 
breaches as a result of their state's innovative law. Consumers in the 
remaining 49 states, the District of Columbia, and the territories want 
the same right to receive notice when their personal information is 
accessed in an unauthorized manner. Unfortunately, in the absence of 
other state laws or a Federal minimum standard, consumers in the other 
states have not consistently received notices in the recent spate of 
incidences. LexisNexis sent notices on a voluntary basis to affected 
consumers nationwide. ChoicePoint originally sent notices only to 
California residents; only after receiving letters from the Attorneys 
General of numerous states did ChoicePoint expand its notification 
process to include potentially affected consumers in all states. \32\ 
The Ohio Attorney General was forced to file suit against DSW, Inc., 
because the company had not provided individual notice to half of the 
consumers--approximately 700,000 out of 1.4 million--affected by the 
security breach it experienced. \33\
    In addition to haphazard notification, the paucity of regulation in 
this area has led to another problem. The notices that were actually 
received by consumers came in envelopes from ``ChoicePoint.'' Consumers 
have no idea who ChoicePoint is because consumers typically have no 
business relationship with ChoicePoint. We learned of instances where 
consumers tossed out the notification letters without opening them, on 
the assumption that the letters were another unsolicited offer for a 
credit card or some other piece of junk mail.
    Rapid and effective notice of a security breach is an important 
first step to limiting the extent of harm that may be caused by 
identity theft. The Federal Trade Commission reports that the overall 
cost of an incident of identity theft, as well as the harm to the 
victims, is significantly smaller if the misuse of the victim's 
personal information is discovered quickly. \34\ For example, when the 
misuse was discovered within 5 months of its onset, the value of the 
damage was less than $5,000 in 82 percent of the cases. When victims 
did not discover the misuse for 6 months or more, the value of the 
damage was $5,000 or more in 44 percent of the cases. In addition, new 
accounts were opened in less than 10 percent of the cases when it took 
victims less than a month to discover that their information was being 
misused, while new accounts were opened in 45 percent of cases when 6 
months or more elapsed before the misuse was discovered. \35\
    To ensure that citizens across the Nation receive adequate notice 
about security breaches, this past spring 28 states considered 
legislation modeled on California's law. \36\ As of today, six states--
Arkansas, Georgia, Indiana, Montana, North Dakota, and Washington 
State--enacted security breach notification laws this session. \37\ 
Legislatures in two additional states--Illinois and North Carolina--
have passed security breach notification bills, but these bills have 
not yet been signed into law.

B. After Learning About a Breach of Their Personal Information, 
        Consumers Want to Review Their Credit Reports to Determine if 
        They Are Victims of Identity Theft
    The 2003 amendments to the Federal Fair Credit Reporting Act \38\ 
gave consumers the right to receive a free copy of their credit report 
once every 12 months, following the example previously set by 7 states 
that require credit reporting agencies to provide free reports to their 
citizens. \39\ However, because the FTC allowed the nationwide credit 
reporting agencies to stagger the implementation of the national free 
credit report, consumers in the Southern states--Alabama, Arkansas, 
Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South 
Carolina, Tennessee, and Texas--were not able to order their free 
reports under Federal law until June 1, 2005. And consumers in the 
Eastern states--Connecticut, Delaware, Maine, Maryland, Massachusetts, 
New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, 
Rhode Island, Vermont, Virginia, and West Virginia, as well as the 
District of Columbia, Puerto Rico, and all U.S. territories--are not 
able to order their free reports under Federal law until September 1, 
2005. \40\ As a result, many citizens have been unable to see their 
credit report for free during this time of heightened anxiety over 
possible identity theft, causing great frustration in the Eastern and 
Southern states.
    In addition, in those Eastern and Southern states--like Vermont--
that already require credit reporting agencies to provide free credit 
reports under state law, consumers have been confused and frustrated 
because the credit reporting agencies have not adequately adjusted 
their systems to enable consumers in these states to easily access 
their free report under state law. Many consumers in Vermont attempted 
to obtain their free report under Vermont law after learning about the 
ChoicePoint and other security breaches, only to be told--incorrectly--
by the credit bureaus' voice-mail systems that they were not eligible 
for a free credit report.

C. Consumers Want to Control Access to Their Credit Reports so That 
        Identity Theft does not Occur
    The 2003 amendments to the Federal Fair Credit Reporting Act also 
gave consumers the right to place a ``fraud alert'' on their credit 
reports for at least 90 days, with extended alerts lasting for up to 7 
years in cases where identity theft occurs. \41\ Yet many states are 
considering enacting stronger measures to assist consumers in combating 
the rapidly escalating outbreak of security breaches. \42\ Two states, 
California and Texas, allow consumers to place a ``security freeze'' on 
their credit report. A security freeze allows a consumer to control who 
will receive a copy of his or her credit report, thus making it nearly 
impossible for criminals to use stolen information to open an account 
in the consumer's name. \43\ Security freeze provisions will become 
effective in 2 weeks--on July 1, 2005--in two additional states, 
Louisiana and Vermont. \44\
    Although the credit bureaus argue that security freezes are 
overkill and cause consumers more harm than good, many members of the 
business community in Vermont supported implementation of our security 
freeze law enacted last year. Overall, consumer advocates and many 
State Attorneys General believe that security freeze laws are one of 
the most effective tools available to stop the harm that can result 
from data heists. Twenty states considered security freeze bills this 
past spring. \45\ As of today, three of these states enacted the 
measure: Colorado, Maine, and Washington. \46\ The legislatures in 
Connecticut and Illinois also passed security freeze bills, but these 
bills have not yet been signed into law.

V. Recommendations on Addressing the Problem of Security Breaches
    I recommend that this Committee take several actions to address the 
security breach problem, with its concomitant potential effect on the 
increased incidence of identity theft. The recommendations center on 
enactment of better Federal laws to address the problem, while allowing 
the states to continue to perform their vital functions in assisting 
consumers and creating additional innovative solutions.

        1. Enact a Federal Security Breach Notification Law: Enact a 
        Federal law requiring notice of security breaches in 
        appropriate circumstances. Allow states to enact laws that are 
        more protective of consumers, thus ensuring that states can 
        continue devising additional innovative solutions to this 
        issue.

        2. Enact a Federal Program for Regulation of Data Brokers: 
        Enact a Federal law to regulate data brokers in a manner 
        similar to regulation of credit reporting agencies. Currently, 
        the regulation of data brokers comes under a scattered mixture 
        of Federal laws, including the Federal Fair Credit Reporting 
        Act, the Gramm-Leach-Bliley Act (GLBA), \47\ and a few other 
        laws, and arguably these laws do not cover all the practices of 
        data brokers. In developing a unified Federal regulatory scheme 
        for data brokers, only preempt state laws to the extent that 
        they are less protective of consumers.

        3. Strengthen the ``Safeguards Rules'': Enact a Federal law 
        that will strengthen the GLBA Safeguards Rules issued by the 
        Federal financial regulators and the Federal Trade Commission. 
        \48\ Currently, these rules require the covered institutions to 
        develop a written information security plan that describes 
        their programs to protect customer information, and to maintain 
        reasonable security for customer information. The rules were 
        intended to provide flexibility to account for each covered 
        institution's size, complexity, scope of activities, and 
        sensitivity of information handled. However, in light of the 
        recent wave of security breaches, we believe that more 
        definitive minimum standards of information security should be 
        required, and that the Safeguards Rules should be expanded to 
        more clearly cover data brokers.

        4. Recognize the Important Role of State Legislative and 
        Investigative Efforts: States are providing key additional 
        protections for consumers. Security breach notification laws in 
        California, Arkansas, Georgia, Indiana, Montana, North Dakota, 
        and Washington State and security freeze laws in California, 
        Louisiana, Texas, Vermont, Colorado, Maine, and Washington 
        State, are important examples of the critical role the states 
        play in developing innovative solutions to the complex problems 
        presented by data breaches. In addition, State Attorneys 
        General and local law enforcement are playing critical roles in 
        the investigations surrounding security breaches that have been 
        disclosed to date. State and local law enforcement officials 
        are cooperating with their Federal counterparts to investigate 
        and prosecute the perpetrators, and to determine if there were 
        defects in security systems that may have allowed the breaches 
        to occur. Congress should recognize these vital functions 
        provided by state and local authorities, and ensure that these 
        functions are not preempted.
    Thank you for giving me the opportunity to testify on this 
important subject.

ENDNOTES
    \1\ Debaise & Dreazen, Federal Prosecutors Break Ring of Identity 
Thieves, Wall Street Journal, Nov. 26, 2002, available at http://
online.wsj.com/PA@VJBNA4R/article_print/
0,,SB1038249179137636588,,00.html.
    \2\ UDDOJ, ``Milford Man Pleads Guilty to Hacking Intrusion and 
Theft of Data Cost Company $5.8 Million,'' Dec. 18, 2003, available at 
http://www.usdoj.gov/criminal/cybercrime/baasPlea.htm.
    \3\ Sullivan, Data base Giant Gives Access to Fake Firms; 
Choicepoint Warns More Than 30,000 They May be at Risk, MSNBC.com, Feb. 
14, 2005, available at 
http://www.msnbc.msn.com/id/6969799/print/1/displaymode/1098/; 
ChoicePoint: More ID theft warnings, CNN/Money, Feb. 17, 2005, 
available at http://money.cnn.com/2005/02/17/technology/personaltech/
choicepoint/.
    \4\ Perez & Brooks, For Big Vendor of Personal Data, A Theft Lays 
Bare the Downside, Wall Street Journal, May 3, 2005, at A1.
    \5\ Carrns, Bank of America Missing Tapes with Card Data, Wall 
Street Journal, Feb. 28, 2005, at B2.
    \6\ Credit Information Stolen From DSW Stores, AP, Mar. 8, 2005, 
available at http://biz.yahoo.com/ap/050308/
dsw_credit_cards_4.html?printer=1; DSW Alerts Customers of Credit Card 
and Other Purchase Information Security Issues, DSW, Mar. 8, 2005, 
available at http://www.dswshoe.com/ccpressrelease/pr/index.html; DWS 
data theft larger than predicted, USA Today, Apr. 19, 2005.
    \7\ El-Rashidi, LexisNexis Owner Reports Breach of Customer Data, 
Wall Street Journal, Mar. 10, 2005, at A3.
    \8\ ``LexisNexis Concludes Review of Data Search Activity, 
Identifying Additional Instances of Illegal Data Access,'' Apr. 12, 
2005, available at http://www.lexis
nexis.com/about/releases/0789.asp.
    \9\ Bank & Conkey, New Safeguards For Your Privacy, Wall Street 
Journal, Mar. 24, 2005, at D1.
    \10\ Fischer & Krupnick, UC informs people of data security breach, 
Contra Costa Times, Apr. 1, 2005, available at http://
www.contracostatimes.com/mld/cctimes/newslocal/states/california/
counties/alameda_county/cities_neighborhoods/berkeley/11284658.htm.
    \11\ Kawamoto, Medical Group: Data on 185,000 People was Stolen, 
Apr. 8, 2005, available at http://www.nytimes.com/cnet/CNET_2100-
7349_3-5660514.html.
    \12\ Ameritrade loses customer account info, CNN, Apr. 19, 2005.
    \13\ Sidel & Conkey, Security Breach Hits Credit Cards; HSBC 
Notifies 180,000 People Who Shopped at Ralph Lauren; Other Banks May Be 
Affected, Wall Street Journal, Apr. 14, 2005, at D1.
    \14\ Angwin & Bank, Time Warner Alerts Staff to Lost Data; Files 
for 600,000 Workers Vanish During Truck Ride, Wall Street Journal, May 
3, 2005, at A3.
    \15\ Bank data Theft Could Hit Nearly 700,000, AP, May 23, 2005.
    \16\ Citi Notifies 3.9 Million Customers of Lost Data, MSNBC, June 
7, 2005, available at http://www.msnbc.msn.com/id/8119720.
    \17\ Cal. Civ. Code Sec. Sec. 1798.29 and 1798.82.
    \18\ Cal. Civ. Code Sec. 1798.82(a) and (c); Cal. Civ. Code 
Sec. 1798.29(a) and (c).
    \19\ Id. at 1798.82(e) and 1798.29(e).
    \20\ 15 U.S.C.A. Sec. 7001.
    \21\ Cal. Civ. Code Sec. 1798.82(g) and (h); Cal. Civ. Code 
Sec. 1798.29(g) and (h).
    \22\ Sullivan, Is Your Personal Data Next? Rash of Data Heists 
Points to Fundamental ID Theft Problem, MSNBC, Apr. 4, 2005.
    \23\ Saranow & Leiber, Freezing Out Identity Theft, Wall Street 
Journal, Mar. 15, 2005, at D1.
    \24\ Synovate, Federal Trade Commission--Identity Theft Survey 
Report, Sept. 2003, at 9, available at http://www.ftc.gov/os/2003/09/
synovatereport.pdf. Only about 25 percent of all victims report the 
crime to local police or to a credit bureau. The victims of the most 
serious form of identity theft, involving ``new accounts and other 
frauds,'' report the crime to law enforcement authorities only 43 
percent of the time, and to credit reporting agencies 37 percent of the 
time. Id.
    \25\ National and State Trends in Fraud & Identity Theft, January-
December 2004, FTC, Feb. 1, 2005, at 9, available at http://
www.consumer.gov/idtheft/stats.html.
    \26\ Id. at 10.
    \27\ Id. at 13.
    \28\ Id. at 14.
    \29\ Synovate, Federal Trade Commission--Identity Theft Survey 
Report, Sept. 2003, at 6.
    \30\ Id.
    \31\ Id.
    \32\ See, e.g., ``ChoicePoint to Notify Vermont Consumers Affected 
by Security Breach,'' Vermont Attorney General press release, Feb. 24, 
2005, available at http://www.atg.state.vt.us/
display.php?pubsec=4&curdoc=881.
    \33\ State of Ohio v. DSW, Inc., Case No. 05CVH06-6128 (Franklin 
Cty, OH, June 6, 2005).
    \34\ Synovate, Federal Trade Commission--Identity Theft Survey 
Report, Sept. 2003, at 8.
    \35\ Id.
    \36\ According to the National Conference of State Legislatures, 
the following states are considering ``breach of information'' 
legislation: Alaska, Arizona, Arkansas, Colorado, Georgia, Florida, 
Illinois, Indiana, Maryland, Michigan, Minnesota, Missouri, Montana, 
New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, 
Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, 
Washington, and West Virginia. See 2005 Breach of Information 
Legislation, National Conference of State Legislatures, Apr. 1, 2005, 
available at http://www.ncsl.org/programs/lis/CIP/priv/breach.htm. In 
addition, Massachusetts in also considering a security breach bill. 
See, e.g., Mass. S.B. 184 (2005).
    \37\ Ark. Code Ann. Sec. Sec. 4-110-102 to 108; Fla. Stat. ch. 
817.5681; Ga. Code Ann. Sec. Sec. 10-1-910 to 912; Ind. Code Sec. 4-1-
11; Mont. Code Ann. Sec. 31-3-115; N.D. Cent. Code Sec. 51-30-01 to 07; 
Wash. Rev. Code Sec. 42.17.
    \38\ Pub. L. No. 108-159 (2003).
    \39\ See 15 U.S.C.A. Sec. 1681t(b)(4), grandfathering in the state 
provisions allowing free reports in Colorado, Georgia, Maine, Maryland, 
Massachusetts, New Jersey, and Vermont.
    \40\ See ``Facts for Consumers: Your Access to Free Credit 
Reports,'' FTC, available at http://www.ftc.gov/bcp/conline/pubs/
credit/freereports.htm.
    \41\ See 15 U.S.C.A. Sec. 1681c-1.
    \42\ See Saranow & Lieber, Freezing out Identity Theft, Wall Street 
Journal, Mar. 15, 2005, at D1.
    \43\ See Cal. Civ. Code Sec. 1785.11.2 (California); V.T.C.A., Bus. 
& C. Sec. 20.034 (Texas).
    \44\ See LSA-R.S. Sec. 9:3571.1 (Louisiana); 9 V.S.A. Sec. 2480b 
(Vermont).
    \45\ According to the National Conference of State Legislatures, 
the following states are considering security freeze legislation: 
Colorado, Connecticut, Hawaii, Illinois, Indiana, Kansas, Kentucky, 
Maine, Maryland, Missouri, Nevada, New Jersey, New Mexico, New York, 
Oregon, Pennsylvania, South Carolina, Utah, and Washington. See 
Consumer Report Security Freeze Legislation 2005 Session, National 
Conference of State Legislatures, Mar. 8, 2005, available at http://
www.ncsl.org/programs/banking/SecurityFreeze_2005.htm. In addition, 
Massachusetts is considering a security freeze bill. See, e.g., Mass. 
S.B. 184 (2005).
    \46\ Colo. Rev. Stat. Sec. Sec. 12-14.3-106.6 to 106.9 (effective 
July 1, 2006); Me. Rev. Stat. Ann. tit. 10, Sec. Sec. 1313-DC to E 
(effective Feb. 1, 2006); Wash. Rev. Code Sec. 19.182 (effective July 
24, 2005).
    \47\ Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 
Sec. Sec. 6801-09, and its implementing privacy rule, Privacy of 
Consumer Financial Information, 16 C.F.R. Part 313.
    \48\ GLBA requires Federal and state regulators of financial 
institutions to issue ``safeguards rules''. See 15 U.S.C. Sec. 6801(b). 
The Federal banking agencies, state insurance authorities, and the 
Federal Trade Commission all issued comparable safeguards rules. See, 
e.g., Interagency Guidelines Establishing Standards for Safeguarding 
Customer Information, 66 Fed. Reg. 8, 616-8, 641 (Feb. 1, 2001). The 
FTC's Safeguards Rule is found at 16 C.F.R. Part 314.

    Senator Smith. Thank you very, very much for your presence 
and your testimony, and we will take into consideration, 
obviously, the things you're requesting. As a former state 
legislator, many of us, we appreciate that.
    Mr. Sorrell. Thank you, Senator.
    Senator Smith. Senator Burns have a----
    Senator Burns. Mr. Chairman?
    Senator Smith.--any of my colleagues have a question?
    Senator Burns. Thank you. I just want to ask a question. 
Like in Vermont and states, when we talk about people who 
collate--in other words, your data brokers--that used to be 
termed, I think, years ago, as their own credit bureaus. They 
were licensed, they were bonded, they took the information that 
was given to them by institutions on records, and that could 
only be accessed by permission of the person, along with the 
institution desiring the information. Are we headed in that 
direction, where all data brokers would have to be licensed and 
bonded and go through that procedure to be a legitimate broker, 
number one? And, number two, anybody that does that outside of 
that would be in an illegal business--we're trying to figure 
out how do we get a handle on this, because by the time you're 
notified, your information might be passed on to four or five 
other parties before you can do anything about it. And the 
biggest damage that we suffer is our credit. Once your credit 
is destroyed, it takes forever--if it can be restored--it's a 
very difficult thing.
    Mr. Sorrell. I think that there's a balance here. Because 
if we look at the way the economy functioned in the days of the 
credit bureaus, that was something that you could fairly 
readily get a handle on, and it was an important piece, but a 
relatively small piece of the overall functioning of commerce. 
Now, in the Information Age, with the ability to collect more 
information and to transmit more information much more 
efficiently and effectively, quickly, than was ever the case, I 
would--and, speaking for myself--want to take a hard look at 
the negative impacts on the economy if you were to have 
specific individual registration of everyone that would fit 
under the umbrella definition of a data broker. Depending on 
how broad that definition is, you'd need a huge, potentially, 
regulatory operation to register and enforce. That's why, I 
think, that creating safeguards that clearly affect and control 
all those that are in the data-broker--fit under that 
definition, with minimum standards for any companies that are 
collecting this personal information that we're talking about 
today, of what they would need to do, as a minimum, to lock 
that door to protect that consumer information, makes sense. 
The specific registration of each individual data broker, I 
don't, frankly, know, Senator, how many people would fit under 
that category, and I'm reluctant to----
    Senator Burns. Well----
    Mr. Sorrell.--say we should do it.
    Senator Burns. Well, we probably couldn't define, but I 
finally figured out, though, that the only way, on identity 
theft--and especially with the credit and credit cards--maybe 
we should take our credit cards and maintain a balance in our 
credit cards that would be almost to our limit----
    [Laughter.]
    Senator Burns. My wife does a good job of that.
    [Laughter.]
    Senator Burns. So that they--no fraud could be committed. 
In other words, they wouldn't be accepted. But it is the most 
fearful thing, I think, in my state about people, and--because 
it has happened--and you just hear horror stories with regard 
to that.
    Mr. Sorrell. One of the things that certain of the states--
California, Texas, Louisiana, Vermont, and a couple of other 
states now have enacted is to use security freeze legislation, 
which allows the individual consumer to communicate with the 
credit agencies--that all of the banks look to check your 
credit, to see whether to extend credit to you--allow you to 
put a freeze on your credit reports and--so that outside 
companies cannot access your credit unless you specifically 
give permission. You're allowed, under state statute, to so-
called ``thaw'' this, so that if you're going for a mortgage or 
a car loan, that the potential lender will be able to access 
your record.
    Senator Smith. Senator Nelson had a brief question, as 
well.
    Senator Bill Nelson. Mr. Attorney General, you have 
described your preference to approach this problem in many of 
the elements of the legislation that's been filed by several of 
the Members of this Committee. And you also recommend that the 
regulation of these data information brokers be similar to the 
way that we regulate the credit reporting agencies, without all 
the mumbo-jumbo of the licensing and all of that stuff.
    In addition to what you've already said, what--you would 
certainly embrace the concept of having one-stop shopping, 
where, identity theft, somebody has a place to go.
    Mr. Sorrell. Yes.
    Senator Bill Nelson. How about in the overall picture of 
homeland security, having an Assistant Secretary of 
Cybersecurity within the Department of Homeland Security?
    Mr. Sorrell. Well, I think I understand what you're asking. 
I think--it sounds like it makes sense to me, Senator.
    Senator Bill Nelson. And, clearly, tightening up on the 
commercial usage of Social Security numbers.
    Mr. Sorrell. Yes. I think that that's critical.
    Senator Bill Nelson. Do you embrace the concept that we 
take the model of the California law, notification, and apply 
that nationally?
    Mr. Sorrell. Yes, I do, but with the ability, if states 
wished, to go further, to be more protective of their citizens, 
to allow them to do that. Yes, sir.
    Senator Bill Nelson. Absolutely, I agree with you that this 
ought to be a floor upon which the states can build and be more 
creative.
    Mr. Sorrell. Thank you much.
    Senator Bill Nelson. How about the concept of utilizing the 
Federal Trade Commission as the place of the Office of Identity 
Theft?
    Mr. Sorrell. I don't pretend to be fully versed on all the 
nuances of the different Federal regulatory bodies, but that 
makes sense to me, from my knowledge.
    Senator Bill Nelson. It is the place that governs the 
credit reporting agencies.
    OK, thank you.
    Senator Smith. Thank you, Senator Nelson.
    Attorney General Sorrell, thank you for your presence and 
your testimony today.
    Mr. Sorrell. Thank you much.

                 STATEMENT OF HON. MARK PRYOR, 
                   U.S. SENATOR FROM ARKANSAS

    Senator Pryor. Mr. Chairman, can I say one--
    Senator Smith. Oh.
    Senator Pryor.--very briefly? And that is, I served with 
General Sorrel when I was the Attorney General in my state--
fine person, fine Attorney General, fine public servant. And I 
think this Committee would really benefit from his thoughts, 
not just on this, but a number of other subjects, because he 
has really committed his professional life to try to make his 
state, and, in some ways, the Nation, better for consumers and 
for, really, the marketplace. And so, he has been a real leader 
on this. So, I hope we'll take his words to heart and consider 
what he has to say.
    Senator Smith. We'll do that, Senator Pryor.
    Senator Ben Nelson apparently has a question, too.

             STATEMENT OF HON. E. BENJAMIN NELSON, 
                   U.S. SENATOR FROM NEBRASKA

    Senator Ben Nelson. Thank you, Mr. Chairman.
    And, Mr. Attorney General, I have a natural inclination to 
support states' rights and the right of the state to protect 
public health, welfare--in this case, the identity of its 
citizens. There was a point made by Senator Feinstein that 
there's a real question about preemption here and whether or 
not there's a conflict where, if we permit every state to do a 
patchwork quilt of regulation and/or legislation, that it will 
adversely affect commerce, that it may not facilitate simply 
identity theft protection, at the risk of harming commerce. And 
she also said to me--I think it's very optimistic on her part, 
and I hope it will be--it'll come to pass--and that is that 
they're trying to work out the whole question of preemption to 
permit the states to be able to protect at some level, but also 
recognize the interstate aspects of this.
    Could you give us maybe just a little bit more of your 
opinion about what you think that might consist of----
    Mr. Sorrell. Well, I----
    Senator Ben Nelson.--and whether it's possible. I certainly 
hope that it is.
    Mr. Sorrell. I think it is possible, Senator. I hear the 
arguments that we can't have this patchwork quilt of different 
regulations, but the reality is, as I talked about, as the 
commerce changes this really is a global economy now. And so, 
we have many, many different countries that have their own 
rules and regulations. We certainly, in the environmental 
arena, have different rules and regulations at the state level, 
that companies that do business nationally and internationally 
must abide by when they're doing business in an individual 
state. And they're--and the beauty of the information that we 
gather now is that, for many companies, they are looking to 
market to you, as an individual. They collect information about 
you, your income level. They collect data from other places 
about your buying habits. And it's a niche-niche-niche market. 
And so, the companies that are able to figure out what you, 
individually, might want, and to market to you, can certainly 
program their computers to trigger different regulation--give 
notice of different regulation provisions or standards at a 
different--certain zip code levels, or whatever.
    So, I am not one who buys the argument that we're going to 
throw a wrench into the works of commerce by allowing states 
that wish to go forward to do--go further--to do so. And I gave 
the example of what Vermont has done to better protect our 
consumers under Gramm-Leach-Bliley legislation that you've 
enacted.
    Senator Ben Nelson. Thank you.
    Thank you, Mr. Chairman.
    Senator Smith. Thank you very much.
    Senator Allen. Mr. Chairman, may I ask----
    Senator Smith. Yes.
    Senator Allen.--the Attorney General a question?
    Senator Smith. Sure.

                STATEMENT OF HON. GEORGE ALLEN, 
                   U.S. SENATOR FROM VIRGINIA

    Senator Allen. Thank you, Mr. Chairman. Thank you for 
holding this hearing.
    Attorney General, thank you for being here. And the fact 
that some states, such as you all, are acting on this shows 
there's a need for us to strengthen existing laws. In a 
somewhat analogous situation in dealing with spyware, there are 
some of us, including the Chairman of the Committee, who 
recognize this, similar to spyware, is not just in this 
country, it's national, it's international. There should be a--
and the way I'm looking at it is, have a national standard. On 
spyware, and possibly also on this issue here, of breach of 
data, or data mining, and so forth, have a national standard, 
tough standard, give assistance to the FTC to enforce it, but 
also allow the states attorneys general to also enforce that 
law. That's another level of enforcement. And could you share 
with us what your view would be? Let's assume we have a 
national standard, but allow you and others, attorneys general 
in the country, to enforce it, with proper enhanced penalties 
for those who are breaching or committing these sort of frauds. 
What would your view be of that?
    Mr. Sorrell. We, right now, have the ability to protect our 
consumers against some of these issues with data brokers. For 
example, through our state consumer-protection laws, unfair and 
deceptive practices. Giving us--having a Federal standard set, 
and giving the individual states the ability to enforce that 
standard, we would welcome that. The reality is, with the 
numbers, and the burgeoning numbers, of those perpetrating 
these crimes of identity theft, the numbers of victims--numbers 
of perpetrators, it will be very difficult for the Federal 
authorities, alone, to try to catch all the bad guys, and we 
would welcome the opportunity to have the authority to help in 
that effort.
    Senator Allen. Great, thank you. Thank you, Attorney 
General.
    Mr. Sorrell. Thank you.
    Senator Allen. Thank you, Mr. Chairman.
    Senator Smith. Thank you, Attorney General. We appreciate 
your presence.
    Mr. Sorrell. Thank you much.
    Senator Smith. We will now call to the dais the Federal 
Trade Commission. We are grateful for their patience. And the 
first panel--or, this panel will consist of the Honorable 
Deborah Majoras, Federal Trade Commission Chairman; the 
Honorable Orson Swindle, Commissioner; the Honorable Thomas B. 
Leary, Commissioner; the Honorable Pamela Jones Harbour, also a 
Commissioner; and the Honorable Jon Leibowitz, recently put on 
the Commission.
    I don't know whether my colleagues saw it, but I'll include 
it in the record, a story in the Washington Post this morning, 
which begins, ``Thousands of current and former employees at 
the Federal Deposit Insurance Corporation are being warned that 
their sensitive personal information was breached, leading to 
an unspecified number of fraud cases.'' That's our challenge--
to stop that.
    I would also like to note and thank Commissioner Swindle 
for his service to the FTC. Mr. Swindle is leaving the FTC at 
the end of the month, and this will be his last time appearing 
before the Committee. It's well known by many of us that 
Commissioner Swindle has a distinguished military career, along 
with his service to protect consumers at the FTC. And, sir, we 
thank you for your public service.
    Commissioner Swindle. Thank you, Mr. Chairman.
    Senator Smith. Madam Chairman?

  STATEMENT OF HON. DEBORAH PLATT MAJORAS, CHAIRMAN, FEDERAL 
                        TRADE COMMISSION

    Chairman Majoras. Thank you, Mr. Chairman, members of the 
Committee. I am Deborah Majoras, Chairman of the Federal Trade 
Commission.
    My fellow Commissioners and I appreciate the opportunity to 
appear before you today as we work to ensure the safety and 
security of consumers' personal information. The views 
expressed in the written testimony represent the views of the 
Commission. Our oral presentations and responses to your 
questions reflect our own views, and do not necessarily reflect 
the views of the Commission or any individual Commissioner.
    Advances in commerce, computing, and networking have 
transformed the role of consumer information. New technologies 
allow businesses to offer consumers a wide range of products 
and payment options, greater access to credit, and faster 
transactions. But with these benefits come some concerns about 
privacy and security of consumer sensitive information and, in 
particular, the threat of identity theft, which we've heard so 
much about this morning, and which my colleague, Commissioner 
Harbour, will address in more detail.
    Several current laws protect consumer sensitive 
information, depending on how that information is collected and 
how it is used. Both the Fair Credit Reporting Act and the 
Gramm-Leach-Bliley Act, for example, address access to, and the 
security of, such information in specific contexts.
    The Commission has brought five cases against companies, 
such as Microsoft and Eli Lilly, challenging the failure to 
maintain adequate data-security procedures. In each of these 
cases, the Commission alleged that the business misrepresented 
their privacy or security procedures, in violation of section 5 
of the FTC Act.
    Today, I am announcing that the Commission has brought and 
settled its sixth action in this area, this one against BJ's 
Wholesale Club, a Fortune 500 company with over $6 billion in 
annual sales. For the first time, we allege that inadequate 
data security can be an unfair business practice under section 
5. This action should provide clear notice to the business 
community that failure to maintain reasonable and appropriate 
security measures, in light of the sensitivity of the 
information, can cause substantial consumer injury and may 
violate the FTC Act.
    Our complaint alleges that BJ's stored personal information 
from customers' credit and debit cards on computers at its 
stores, even without a legitimate business reason for doing so, 
and then failed to take appropriate steps to secure this 
information. The complaint alleges that, as a result, the 
customer data that BJ's left unsecured ended up on counterfeit 
copies of cards that were used to make several million dollars 
in fraudulent purchases. Federal law limits consumers' 
liability for unauthorized use of the credit or debit card 
numbers. In this case, after the fraud was discovered, banks 
canceled and reissued thousands of credit and debit cards, and 
have turned to BJ's to cover the cost of the identity theft and 
corrective actions. According to SEC filings, as of May 2005, 
the amount of outstanding claims was approximately $13 million. 
Our settlement requires BJ's to establish a comprehensive and 
rigorous information security program, and to obtain regular 
security assessments of that program from a qualified 
independent auditor.
    Recent security breaches, such as that alleged in BJ's and 
all the others we've discussed here this morning, raise 
questions about whether companies that maintain sensitive 
personal information are taking adequate steps to protect it.
    My colleague to my right, Commissioner Swindle, will 
discuss the Commission's efforts to promote greater information 
security.
    As detailed in our written testimony, as this Committee is 
considering whether to enact new procedures for sensitive 
consumer data--protections for sensitive consumer data, several 
measures should be considered.
    First, Congress should consider whether companies that 
maintain sensitive consumer information should be required to 
implement reasonable security procedures. Any such requirement 
could be patterned after the Commission's Safeguards Rule under 
GLB. The Safeguards Rule provides a strong, but flexible, 
requirement to make sure that information is maintained 
securely. It recognizes that security is an ongoing process, 
and not a set of technical standards. Currently, the Safeguards 
Rule applies only to customer information collected by 
financial institutions. I believe the same principles embodied 
in that rule makes sense for other entities that maintain 
sensitive information.
    Second, Congress should consider whether to require firms 
to notify consumers if sensitive information about them has 
been breached in a way that creates a significant risk of 
identity theft. Obviously, many people agree that prompt notice 
in appropriate circumstances can help consumers avoid or 
mitigate identity theft. At the same time, however, requiring 
notices for security breaches that pose little or no risk may 
create confusion, even panic, and impose unnecessary costs. For 
example, consumers may cancel credit cards or place fraud 
alerts on their credit files even if such measures are not 
needed and, not to mention, may suffer from unwarranted worry 
and stress. Perhaps more importantly, if notices are sent too 
often, consumers will become numb to them and will fail to pay 
attention.
    Formulating the right balance is difficult, and there are 
different notices that could be considered. One, of course, is, 
in effect, promulgated by the Federal banking agencies, and 
another is in effect in California. And we think both of those 
deserve a close look.
    If Congress decides to enact a national breach requirement, 
it might consider authorizing the FTC to conduct a rulemaking 
to specify a standard that best meets the needs of consumers. 
Through a rulemaking, we could examine the different standards 
that have already been operating and determine how well they 
have worked.
    A third area for consideration is possible restrictions on 
the selling of Social Security numbers. My colleague, 
Commissioner Leary, will address Social Security numbers in 
greater detail.
    And, finally, given the globalization of the marketplace, 
effective law enforcement against security breaches will 
require effective cross-border efforts. Accordingly, the 
Commission recommends that Congress enact cross-border fraud 
legislation, which my colleague, Commissioner Leibowitz, will 
discuss in more detail.
    Mr. Chairman and Members of the Commission, thank you for 
your attention and for the opportunity to be here. And I 
welcome any questions you may have.
    [The prepared statement of Chairman Majoras follows:]

      Prepared Statement of Hon. Deborah Platt Majoras, Chairman, 
                        Federal Trade Commission

I. Introduction
    Mr. Chairman, I am Deborah Platt Majoras, Chairman of the Federal 
Trade Commission.\1\ My fellow Commissioners and I appreciate the 
opportunity to appear before you today as we work to ensure the safety 
and security of consumers' personal information.
    As we have testified previously, advances in commerce, computing, 
and networking have transformed the role of consumer information. 
Modern consumer information systems can collect, assemble, and analyze 
information from disparate sources, and transmit it almost 
instantaneously. Among other things, this technology allows businesses 
to offer consumers a wider range of products, services, and payment 
options; greater access to credit; and faster transactions.
    Efficient information systems--data that can be easily accessed, 
compiled, and transferred--also can lead to concerns about privacy and 
security. Recent events validate concerns about information systems' 
vulnerabilities to misuse, including identity theft.

II. Background
    One particular focus of concern has been ``data brokers,'' 
companies that specialize in the collection and distribution of 
consumer data. Data brokers epitomize the tension between the benefits 
of information flow and the risks of identity theft and other harms. 
Data brokers have emerged to meet the information needs of a broad 
spectrum of commercial and government users.\2\ The data broker 
industry is large and complex and includes companies of all sizes. Some 
collect information from original sources, both public and private; 
others resell data collected by others; and many do both. Some provide 
information only to government agencies or large companies, while 
others sell information to smaller companies or the general public as 
well. The amount and scope of the information that they collect varies 
from company to company, and many offer a range of products tailored to 
different markets and uses. These uses include fraud prevention, debt 
collection, law enforcement, legal compliance, applicant 
authentication, market research, and almost any other function that 
requires the collection and aggregation of consumer data. Because these 
databases compile sensitive information, they are especially attractive 
targets for identity thieves.
    Identity theft is a crime that harms both consumers and businesses. 
A 2003 FTC survey estimated that nearly 10 million consumers discovered 
that they were victims of some form of identity theft in the preceding 
12 months, costing American businesses an estimated $48 billion in 
losses, and costing consumers an additional $5 billion in out-of-pocket 
losses.\3\ The survey looked at the two major categories of identity 
theft: (1) the misuse of existing accounts; and (2) the creation of new 
accounts in the victim's name. Not surprisingly, the survey showed a 
direct correlation between the type of identity theft and its cost to 
victims, in both the time and money spent resolving the problems. For 
example, although people who had new accounts opened in their names 
made up only one-third of the victims, they suffered two-thirds of the 
direct financial harm. The ID theft survey also found that victims of 
the two major categories of identity theft cumulatively spent almost 
300 million hours--or an average of 30 hours per person--correcting 
their records and reclaiming their good names. Identity theft causes 
significant economic and emotional injury, and we take seriously the 
need to reduce it.
    As detailed in our recent testimony on this subject,\4\ there are a 
variety of existing Federal laws and regulations that address the 
security of, and access to, sensitive information that these companies 
maintain, depending on how that information was collected and how it is 
used. For example, the Fair Credit Reporting Act (FCRA) \5\ regulates 
credit bureaus, any entity or individual who uses credit reports, and 
the businesses that furnish information to credit bureaus.\6\ The FCRA 
requires that sensitive credit report information be used only for 
certain permitted purposes. The Gramm-Leach-Bliley Act (GLBA) \7\ 
prohibits financial institutions from disclosing consumer information 
to non-affiliated third parties without first allowing consumers to opt 
out of the disclosure. GLBA also requires these businesses to implement 
appropriate safeguards to protect the security and integrity of their 
customer information.\8\
    In addition, Section 5 of the Federal Trade Commission Act (FTC 
Act) prohibits ``unfair or deceptive acts or practices in or affecting 
commerce.'' \9\ Under the FTC Act, the Commission has broad 
jurisdiction to prohibit unfair or deceptive practices by a wide 
variety of entities and individuals operating in commerce. Prohibited 
practices include deceptive claims that companies make about privacy, 
including claims about the security they provide for consumer 
information.\10\ To date, the Commission has brought five cases against 
companies for deceptive security claims.\11\ These actions alleged that 
the companies made explicit or implicit promises to take reasonable 
steps to protect sensitive consumer information, but because they 
allegedly failed to take such steps, their claims were deceptive. The 
consent orders settling these cases have required the companies to 
implement appropriate information security programs that generally 
conform to the standards that the Commission set forth in the GLBA 
Safeguards Rule.
    In addition to deception, the FTC Act prohibits unfair practices. 
Practices are unfair if they cause or are likely to cause consumers 
substantial injury that is neither reasonably avoidable by consumers 
nor offset by countervailing benefits to consumers or competition.\12\ 
The Commission has used this authority to challenge a variety of 
injurious practices that threaten data security.\13\
    As the Commission has testified previously, an actual breach of 
security is not a prerequisite for enforcement under Section 5; 
however, evidence of such a breach may indicate that the company's 
existing policies and procedures were not adequate.\14\ It is important 
to note, however, that there is no such thing as perfect security, and 
breaches can happen even when a company has taken every reasonable 
precaution.\15\
    Despite the existence of these laws, recent security breaches have 
raised questions about whether data brokers and other companies that 
collect or maintain sensitive personal information are taking adequate 
steps to ensure that the information they possess does not fall into 
the wrong hands, as well as about what steps should be taken when such 
data is acquired by unauthorized individuals. Vigorous enforcement of 
existing laws and business education about the requirements of existing 
laws and the importance of good security can go a long way in 
addressing these concerns. Nonetheless, recent data breaches have 
prompted Congress to consider legislative proposals, and the Commission 
has been asked to comment on the need for new legal requirements.

III. Increasing Consumer Information Security
    The Commission recommends that Congress consider whether companies 
that hold sensitive consumer data, for whatever purpose, should be 
required to take reasonable measures to ensure its safety. Such a 
requirement could extend the FTC's existing GLBA Safeguards Rule to 
companies that are not financial institutions.
    Further, the Commission recommends that Congress consider requiring 
companies to notify consumers when the security of this information has 
been breached in a manner that creates a significant risk of identity 
theft.\16\ Whatever language is chosen should ensure that consumers 
receive notices when they are at risk of identity theft, but not 
require notices to consumers when they are not at risk. As discussed 
below, the goal of any notification requirement is to enable consumers 
to take steps to avoid the risk of identity theft. To be effective, any 
such requirement must provide businesses with adequate guidance as to 
when notices are required.
    In addition, many have raised concerns about misuse of Social 
Security numbers. It is critical to remember that Social Security 
numbers are vital to current information flows in the granting and use 
of credit and the provision of financial services. In addition, private 
and public entities routinely have used Social Security numbers for 
many years to access their voluminous records. Ultimately, what is 
required is to distinguish between legitimate and illegitimate 
collection, uses, and transfers of Social Security numbers.
    Finally, law enforcement activity to protect data security is 
increasingly international in nature. Given the globalization of the 
marketplace, an increasing amount of U.S. consumer information may be 
accessed illegally by third parties outside the United States or 
located in offshore databases. Accordingly, the Commission needs new 
tools to investigate whether companies are complying with U.S. legal 
requirements to maintain the security of this information, and cross-
border fraud legislation would give the Commission these tools. For 
that reason, the Commission recommends that Congress enact cross-border 
fraud legislation to overcome existing obstacles to information sharing 
and information gathering in cross-border investigations and law 
enforcement actions.\17\
    For example, if the FTC and a foreign consumer protection agency 
are investigating a foreign business for conduct that violates both 
U.S. law and the foreign country's law, current law does not authorize 
the Commission to share investigative information with the foreign 
consumer protection agency, even if such sharing would further our own 
investigation. New cross-border fraud legislation could ease these 
restrictions, permit the sharing of appropriate investigative 
information with our foreign counterparts, and give us additional 
mechanisms to help protect the security of U.S. consumers' data whether 
it is located abroad or in the United States.

A. Require Procedures To Safeguard Sensitive Information
    One important step to reduce the threat of identity theft is to 
increase the security of certain types of sensitive consumer 
information that could be used by identity thieves to misuse existing 
accounts or to open new accounts, such as Social Security numbers, 
driver's license numbers, and account numbers in combination with 
required access codes or passwords.\18\ Currently, the Commission's 
Safeguards Rule under GLBA requires financial institutions to implement 
reasonable physical, technical, and procedural safeguards to protect 
customer information. Instead of mandating specific technical 
requirements that may not be appropriate for all entities and might 
quickly become obsolete, the Safeguards Rule requires companies to 
evaluate the nature and risks of their particular information systems 
and the sensitivity of the information they maintain, and to take 
appropriate steps to counter these threats. They also must periodically 
review their data security policies and procedures and update them as 
necessary. The Safeguards Rule provides a strong but flexible framework 
for companies to take responsibility for the security of information in 
their possession, and it reflects widely accepted principles of 
information security, similar to those contained in the Organization 
for Economic Cooperation and Development's Guidelines for the Security 
of Information Systems and Networks.\19\
    Currently, the Safeguards Rule applies only to ``customer 
information'' collected by ``financial institutions.'' \20\ It does not 
cover many other entities that may also collect, maintain and transfer 
or sell sensitive consumer information. Although we believe that 
Section 5 already requires companies holding sensitive data to have in 
place procedures to secure it if the failure to do so is likely to 
cause substantial consumer injury, we believe Congress should consider 
whether new legislation incorporating the flexible standard of the 
Commission's Safeguards Rule is appropriate.

B. Notice When Sensitive Information Has Been Breached
    Unfortunately, even if the best efforts to safeguard data are made, 
security breaches can still occur. The Commission believes that if a 
security breach creates a significant risk of identity theft or other 
related harm, affected consumers should be notified. Prompt 
notification to consumers in these cases can help them mitigate the 
damage caused by identity theft. Notified consumers can request that 
fraud alerts be placed in their credit files, obtain copies of their 
credit reports, scrutinize their monthly account statements, and take 
other steps to protect themselves.
    The challenge is to require notices only when there is a likelihood 
of harm to consumers. There may be security breaches that pose little 
or no risk of harm, such as a stolen laptop that is quickly recovered 
before the thief has time to boot it up. Requiring a notice in this 
type of situation might create unnecessary consumer concern and 
confusion. Moreover, if notices are required in cases where there is no 
significant risk to consumers, notices may be more common than would be 
useful. As a result, consumers may become numb to them and fail to spot 
or act on those risks that truly are significant. In addition, notices 
can impose costs on consumers and on businesses, including businesses 
that were not responsible for the breach. For example, in response to a 
notice that the security of his or her information has been breached, a 
consumer may cancel credit cards, contact credit bureaus to place fraud 
alerts on his or her credit files, or obtain a new driver's license 
number. Each of these actions may be time-consuming for the consumer, 
and costly for the companies involved and ultimately for consumers 
generally.
    Currently there are two basic approaches in place that are used to 
determine when notices should be triggered. The first is the bank 
regulatory agency standard.\21\ Under that standard, notice to the 
Federal regulatory agency is required as soon as possible when the 
institution becomes aware of an incident involving unauthorized access 
to or use of sensitive customer information. In addition, notice to 
consumers is required when, based on a reasonable investigation of an 
incident of unauthorized access to sensitive customer information, the 
financial institution determines that misuse of its information about a 
customer has occurred or is reasonably possible.\22\
    The second approach is found in the California notice statute.\23\ 
Under that approach, all businesses are required to provide notices to 
their consumers when a defined set of sensitive data, in combination 
with information that can be used to identify the consumer, has been or 
is reasonably likely to have been acquired by an unauthorized person in 
a manner that ``compromises the security, confidentiality, or integrity 
of personal information.'' \24\
    The California ``unauthorized acquisition'' approach to requiring 
consumer notice does not compel notice in every instance of improper 
access to a database. Instead, it allows businesses some flexibility to 
determine when a notice is necessary, while also providing a fairly 
objective standard against which compliance can be measured by the 
broad range of businesses subject to the law. Under guidance issued by 
the California Office of Privacy Protection, a variety of factors can 
be considered in determining whether information has been ``acquired,'' 
such as: (1) indications that protected data is in the physical 
possession and control of an unauthorized person (such as a lost or 
stolen computer or other device); (2) indications that protected data 
has been downloaded or copied; or (3) indications that protected data 
has been used by an unauthorized person, such as to open new 
accounts.\25\ One issue that is not directly considered is what action 
to take in cases in which, prior to sending consumer notification, the 
business already has taken steps that remedy the risk. For example, one 
factor to consider in deciding whether to provide notice is whether the 
business already has canceled consumers' credit card accounts and 
reissued account numbers to the affected consumers.
    We have growing experience under both models to inform 
consideration of an appropriate national standard. Because formulating 
any standard will require balancing the need for a clear, enforceable 
standard with ensuring, to the extent possible, that notices go to 
consumers only where there is a risk of harm, we believe that if 
Congress decides to enact a notice provision, the best approach would 
be to authorize the FTC to conduct a rulemaking under general statutory 
standards. The rulemaking would set the criteria under which notice 
would be required for data breaches involving non-regulated industries. 
The rulemaking could address issues such as the circumstances under 
which notice is required, which could depend on the type of breach and 
risk of harm, and the appropriate form of notice. This approach would 
also allow the Commission to adjust the standard as it gains experience 
with its implementation.

C. Social Security Numbers
    Social Security numbers today are a vital instrument of interstate 
commerce. With 300 million American consumers, many of whom share the 
same name,\26\ the unique 9-digit Social Security number is a key 
identification tool for business. As the Commission found in last 
year's data matching study under FACTA, Social Security numbers also 
are one of the primary tools that credit bureaus use to ensure that the 
data furnished to them is placed in the right file and that they are 
providing a credit report on the right consumer.\27\ Social Security 
numbers are used in locator databases to find lost beneficiaries, 
potential witnesses, and law violators, and to collect child support 
and other judgments. Social Security number databases are used to fight 
identity fraud--for example, they can confirm that a Social Security 
number belongs to a particular loan applicant and is not stolen.\28\ 
Without the ability to use Social Security numbers as personal 
identifiers and fraud prevention tools, the granting of credit and the 
provision of other financial services would become riskier and more 
expensive and inconvenient for consumers.
    While Social Security numbers have important legitimate uses, their 
unauthorized use can facilitate identity theft. Identity thieves use 
the Social Security number as a key to access the financial benefits 
available to their victims. Currently, there are various Federal laws 
that place some restrictions on the disclosure of specific types of 
information under certain circumstances. The FCRA, for example, limits 
the provision of ``consumer report'' information to certain purposes, 
primarily those determining consumers' eligibility for certain 
transactions, such as extending credit, employment, or insurance. GLBA 
requires that ``financial institutions'' \29\ provide consumers an 
opportunity to opt out before disclosing their personal information to 
third parties, outside of specific exceptions, such as for fraud 
prevention or legal compliance.\30\ Other statutes that limit 
information disclosure include the privacy rule under the Health 
Insurance Portability and Accountability Act of 1996,\31\ which applies 
to health care providers and other medical-related entities, and the 
Drivers Privacy Protection Act,\32\ which protects consumers from 
improper disclosures of driver's license information by state motor 
vehicle departments.
    While these laws provide important privacy protections within their 
respective sectors, they do not provide comprehensive protection for 
Social Security numbers.\33\ For example, disclosure of a consumer's 
name, address, and Social Security number may be restricted under GLBA 
when the source of the information is a financial institution,\34\ but 
in many cases the same information can be purchased on the Internet 
from a non-financial institution. The problem of how to strengthen or 
expand existing protections in ways that would not interfere with the 
beneficial uses of Social Security numbers is challenging.
    Although the Commission has extensive experience with identity 
theft and the consumer credit reporting system, restrictions on 
disclosure of Social Security numbers could have a broad impact on 
areas where the Commission does not have expertise. These areas include 
public health, criminal law enforcement, and anti-terrorism efforts. 
Moreover, efforts to restrict disclosure of Social Security numbers are 
complicated by the fact that among the primary sources of Social 
Security numbers are the public records on file with many courts and 
clerks in cities and counties across the Nation. Regulation or 
restriction of Social Security numbers in public records thus poses 
substantial policy and practical concerns.
    Ultimately, what is required is to distinguish between legitimate 
and illegitimate collection, uses, and transfers of Social Security 
numbers. The Commission would appreciate the opportunity to work with 
Congress to further evaluate the costs and benefits to consumers and 
the economy of regulating the collection, transfer, and use of Social 
Security numbers.

IV. Conclusion
    New information systems have brought benefits to consumers and 
businesses alike. Never before has information been so portable, 
accessible, and flexible. Indeed, sensitive personal financial 
information has become the new currency of today's high tech payment 
systems. But with these advances come new risks, and identity thieves 
and other bad actors have begun to take advantage of new technologies 
for their own purposes. As the recent focus on information security has 
demonstrated, Americans take their privacy seriously, and we must 
ensure that the many benefits of the modern information age are not 
diminished by these threats to consumers' security. The Commission is 
committed to ensuring the continued security of consumers' personal 
information and looks forward to working with you to protect consumers.

ENDNOTES
    \1\ This written statement reflects the views of the Federal Trade 
Commission. Our oral statements and responses to any questions you may 
have represent the views of individual Commissioners and do not 
necessarily reflect the views of the Commission.
    \2\ For more information on how consumer data is collected, 
distributed, and used, see generally Government Accountability Office, 
Private Sector Entities Routinely Obtain and use SSNs, and Laws Limit 
the Disclosure of this Information (GAO-04-11) (2004); Government 
Accountability Office, Social Security Numbers: Use is Widespread and 
Protections Vary, Testimony Before the House Subcommittee on Social 
Security, Committee on Ways and Means (GAO-04-768T) (statement of 
Barbara D. Bovbjerg, June 15, 2004); Federal Trade Commission, 
Individual Reference Services: A Report to Congress (December 1997), 
available at http://www.ftc.gov/os/1997/12/irs.pdf). The Commission 
also has held two workshops on the collection and use of consumer 
information: ``Information Flows, The Costs and Benefits to Consumers 
and Businesses of the Collection and Use of Consumer Information,'' was 
held on June 18, 2003; and ``The Information Marketplace: Merging and 
Exchanging Consumer Data,'' was held on March 13, 2001. An agenda, 
participant biographies, and a transcript for these workshops are 
available at http://www.ftc.gov/bcp/workshops/infoflows/
030618agenda.html and http://www.ftc.gov/bcp/workshops/info
mktplace/index.html, respectively.
    \3\ Federal Trade Commission, Identity Theft Survey Report (Sept. 
2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
    \4\ See, e.g., Statement of the Federal Trade Commission Before the 
Subcommittee on Financial Institutions and Consumer Credit, Committee 
on Financial Services, U.S. House of Representatives, on Enhancing Data 
Security: The Regulators' Perspective (May 18, 2005), available at 
http://www.ftc.gov/opa/2005/05/data
brokertest.htm.
    \5\ 15 U.S.C. Sec. Sec.  1681-1681x.
    \6\ Credit bureaus are also known as ``consumer reporting 
agencies.''
    \7\ 15 U.S.C. Sec. Sec. 6801-09.
    \8\ The FTC's Safeguards Rule implements GLBA's security 
requirements for entities under the FTC's jurisdiction. See 16 C.F.R. 
pt. 314 (``GLBA Safeguards Rule''). The Federal banking regulators also 
have issued comparable regulations for the entities under their 
jurisdiction.
    \9\ 15 U.S.C. Sec. 45(a).
    \10\ Deceptive practices are defined as material representations or 
omissions that are likely to mislead consumers acting reasonably under 
the circumstances. Cliffdale Associates, Inc., 103 FTC 110 (1984).
    \11\ Petco Animal Supplies, Inc. (FTC Docket No. C-4133) (Mar. 4, 
2005); MTS Inc., d/b/a Tower Records/Books/Video (FTC Docket No. C-
4110) (May 28, 2004); Guess?, Inc. (FTC Docket No. C-4091) (July 30, 
2003); Microsoft Corp. (FTC Docket No. C-4069) (Dec. 20, 2002); Eli 
Lilly & Co. (FTC Docket No. C-4047) (May 8, 2002). Documents related to 
these enforcement actions are available at http://www.ftc.gov/privacy/
privacyinitiatives/promises_enf.html.
    \12\ 15 U.S.C. Sec. 45(n).
    \13\ These include, for example, unauthorized charges in connection 
with ``phishing,'' which are high-tech scams that use spam or pop-up 
messages to deceive consumers into disclosing credit card numbers, bank 
account information, Social Security numbers, passwords, or other 
sensitive information. See FTC v. Hill, Civ. No. H 03-5537 (filed S.D. 
Tex. Dec. 3, 2003), available at http://www.ftc.gov/opa/2004/03/
phishinghilljoint.htm; FTC v. C.J., Civ. No. 03-CV-5275-GHK (RZX) 
(filed C.D. Cal. July 24, 2003), available at http://www.ftc.gov/os/
2003/07/phishingcomp.pdf.
    \14\ See Statement of the Federal Trade Commission Before the House 
Subcommittee on Technology, Information Policy, Intergovernmental 
Relations, and the Census, Committee on Government Reform (Apr. 21, 
2004) at 5, available at http://www.ftc.gov/os/2004/04/
042104cybersecuritytestimony.pdf.
    \15\ Id. at 4.
    \16\ Commissioner Harbour is concerned about the use of the term 
``significant'' to characterize the level of risk of identity theft 
that should trigger a notice to consumers.
    \17\ The U.S. Senate passed cross-border fraud legislation last 
year by unanimous consent: S. 1234 (``International Consumer Protection 
Act'').
    \18\ The FTC also would seek civil penalty authority for its 
enforcement of these provisions. A civil penalty is often the most 
appropriate remedy in cases where consumer redress is impracticable and 
where it is difficult to compute an ill-gotten gain that should be 
disgorged from a defendant.
    \19\ FTC Commissioner Orson Swindle led the U.S. delegation to the 
OECD Committee that drafted the 2002 OECD Security Guidelines. See 
Organization for Economic Cooperation and Development, Guidelines for 
the Security of Information Systems and Networks: Toward a Culture of 
Security (July 25, 2002), available at http://www.oecd.org/document/42/
0,2340,en_2649_34255_15582250_1_1_1
_1,00.html.
    \20\ Under GLBA, a ``financial institution'' is defined as an 
entity that engages in one or more of the specific activities listed in 
the Bank Holding Company Act and its implementing regulations. See 15 
U.S.C. Sec. 6809(3). These activities include extending credit, 
brokering loans, financial advising, and credit reporting.
    \21\ See Interagency Guidance on Response Programs for Unauthorized 
Access to Customer Information and Customer Notice, 70 Fed. Reg. 
15,736-54 (Mar. 29, 2005).
    \22\ Under the guidance, this determination can be made by the 
financial institution in consultation with its primary Federal 
regulator.
    \23\ Cal. Civ. Code Sec. 1798.82.
    \24\ Id. at Sec. 1798.82(d).
    \25\ These factors are discussed in the California Office of 
Privacy Protection's publication, Recommended Practices on Notification 
of Security Breach Involving Personal Information, at 11 (Oct. 10, 
2003), available at http://www.privacy.ca.gov/recommendations/
secbreach.pdf.
    \26\ According to the Consumer Data Industry Association, 14 
million Americans have one of ten last names, and 58 million men have 
one of ten first names.
    \27\ See Federal Trade Commission, Report to Congress Under 
Sections 318 and 319 of the Fair and Accurate Credit Transactions Act 
of 2003 at 38-40 (Dec. 2004), available at http://www.ftc.gov/reports/
facta/041209factarpt.pdf.
    \28\ The Federal Government also uses Social Security numbers as an 
identifier. For example, HHS uses it as the Medicare identification 
number, and the IRS uses it as the Taxpayer Identification Number. It 
also is used to administer the Federal jury system, Federal welfare and 
workmen's compensation programs, and the military draft registration. 
See Social Security Administration, Report to Congress on Options for 
Enhancing the Social Security Card (Sept. 1997), available at 
www.ssa.gov/history/reports/ssnreportc2.html.
    \29\ See supra n.20 (defining financial institution).
    \30\ GLBA protects some, but not all Social Security numbers held 
by financial institutions. It does not, for example, cover Social 
Security numbers in databases of Social Security numbers furnished by 
banks to credit bureaus under the Fair Credit Reporting Act (i.e., so-
called ``credit header'' information) prior to the GLBA Privacy Rule's 
July 2001 effective date.
    \31\ 45 C.F.R. pts. 160 and 164 (implementing Sections 262 and 264 
of the Health Insurance Portability and Accountability Act of 1996, 
Pub. L. No. 104-191).
    \32\ 18 U.S.C. Sec. Sec. 2721-25.
    \33\ The Commission may, however, bring enforcement actions under 
Section 5 of the Federal Trade Commission Act against entities whose 
privacy or security practices are unfair or deceptive.
    \34\ See supra n.30 (discussing limitations of GLBA protection).

    Senator Smith. Thank you, Chairman Majoras.
    I think we'll go to Commissioner Swindle.

 STATEMENT OF HON. ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE 
                           COMMISSION

    Commissioner Swindle. Thank you, Mr. Chairman and members 
of the Committee. And I also thank you very much for your 
comments and the courtesies that have been shown to me by this 
Committee, its Members, and its staff. It has really been a 
pleasure working with you, as well as with the Federal Trade 
Commission.
    Information security is a complex and huge issue involving 
many challenges, such as database intrusions, theft of 
sensitive information, viruses, and phishing. And recent 
headlines in the news have certainly brought into dramatic 
focus the need for data security. The FTC has been actively 
involved in promoting the importance of information security. 
And, personally, information security has been a passion of 
mine for several years.
    The FTC has held workshops with representatives from 
industry, from Congress, consumer groups, government agencies, 
and international organizations in an effort to educate 
ourselves, as well as others, about the issues, and to explore 
possible solutions to securing electronic data. We also have 
taken law enforcement action against companies failing to keep 
promises that they would keep consumers' personal information 
secure. In addition, the FTC has focused on educating 
businesses and consumers about the importance of information 
security.
    Security begins with people, each individual being aware of 
the risk and the importance of doing their part to keep 
information secure. We simply must establish a culture of 
security in this country, and--as was mentioned earlier, this 
is a global economy--and, therefore, the world, where security 
awareness and the best practices become a subconscious, yet 
reliable, aspect of our daily lives.
    Despite recent security-breach revelations, it is important 
to recognize that many businesses are making progress and 
improving information security. On the other hand, it's quite 
obvious many businesses do not appear to have raised the issue 
of information security to the CEO/Board-of-Directors level. 
CEOs must make information-security and privacy-protection 
practices a priority, devoting the necessary resources to the 
issue.
    Information security and privacy must become part of the 
corporate or organizational culture. In today's world, 
information is currency. Businesses take great steps to protect 
their money. They need to treat information the same way. It is 
their responsibility, at the highest levels of authority.
    New or refined laws may be necessary. New technologies 
certainly will help. But we must remember that poorly thought-
out legislation can have unintended and, often, adverse 
consequences. Neither new laws, nor new technologies, will 
provide perfect solutions. Consumers and businesses must 
properly use the available technical tools and employ 
responsible information security practices. This, alone, could 
significantly reduce breaches.
    Information security is a complex problem. We all must 
recognize that achieving good information security is a 
journey, not a destination. This will be a challenge for all of 
us for many years to come.
    And, in the immediate future, I look forward to answering 
your questions. Thank you very much, again.
    Senator Smith. Thank you, Commissioner Swindle.
    Mr. Leary?

STATEMENT OF HON. THOMAS B. LEARY, COMMISSIONER, FEDERAL TRADE 
                           COMMISSION

    Commissioner Leary. Thank you, Mr. Chairman and Members of 
the Committee.
    I'm pleased to testify here today with my fellow 
Commissioners on these important issues. I endorse the 
collective views expressed in the Commission's written 
testimony, and will, here, add some individual views on Social 
Security numbers.
    As explained in our written testimony, Social Security 
numbers have many important legitimate uses. Instant access to 
credit, which we all rely on for both large and small 
transactions, would be compromised if Social Security numbers 
could not be used to match consumers to their financial 
information. Social-Security-number databases are also used for 
other worthwhile purposes. For example, to locate lost 
beneficiaries, potential witnesses and law violators, and to 
collect child support and other judgments.
    At the same time, we all recognize that Social Security 
numbers are sensitive. There is no question that identity 
thieves can use Social Security numbers as a key to access 
other people's financial resources. The challenge is to find 
the proper balance between the need to keep Social Security 
numbers out of the hands of identity thieves and the ability of 
businesses to have sufficient information to spot fraud and 
attribute information to the correct person.
    The Federal Trade Commission, as you know, has done 
considerable research on the overall scope of the identity 
theft problem. In all candor, however, I personally do not 
think that we will ever be able to estimate with precision the 
extent to which misuse of Social Security numbers contributes 
to this problem or the downside costs of any particular effort 
to revamp the way Social Security numbers are handled. 
Congress, itself, will have to make some tough policy 
decisions.
    I also personally believe that the most promising approach 
would be to consider an extension of the Gramm-Leach-Bliley 
Act's safeguards rule beyond financial institutions and focus 
on the way sensitive information is handled, rather than to 
pass laws that would prohibit myriad private agencies from 
collecting and preserving sensitive information in the first 
place. You still have to recognize that a principal source of 
Social Security numbers today is public records on file with 
every court and country clerk across the Nation. Restriction of 
access to this information would raise particularly difficult 
issues.
    We should, however, consider ways to discourage the routine 
collection of Social Security numbers in circumstances where it 
is not essential to have such a unique identifier. This might 
be a very difficult matter to legislate, but, at the very 
least, we might start with the more active encouragement of 
private business initiatives and prudent actions by consumers, 
themselves.
    Thank you very much.
    Senator Smith. Thank you, Commissioner Leary.
    Commissioner Harbour?

 STATEMENT OF HON. PAMELA JONES HARBOUR, COMMISSIONER, FEDERAL 
                        TRADE COMMISSION

    Commissioner Harbour. Mr. Chairman, Senators, I am pleased 
to address a topic of great importance to the American people, 
the privacy and security of their most proprietary information.
    Almost weekly, it seems, a new story emerges about a 
company or institution where files containing sensitive 
information have been compromised, lost, or stolen. These data 
breaches have been particularly frightening for consumers who 
fear identity theft. Their apprehension is justified. Our 2003 
survey showed that ten million victims had experienced some 
form of identity fraud in 2002, with an out-of-pocket cost of 
roughly $5 billion. Our survey also showed that victims of 
identity theft believed they would have been helped by greater 
consumer awareness and vigilance about how to safeguard their 
personal information. Victims also wanted more responsive local 
law enforcers and stiffer penalties for offenders.
    Under Congressional mandate, the Commission has established 
an extensive program to educate consumers and law enforcers 
about identity theft, and to assist identity-theft victims.
    Consumers may face the greatest risk from security breaches 
or poor practices by data brokers, because information kept by 
brokers can be easily used to create new accounts. Accordingly, 
I believe that data brokers should not be allowed to buy, sell, 
or transfer Social Security numbers, driver's licenses, and 
other sensitive personally identifiable information, except for 
specific permissible purposes, such as law enforcement, anti-
fraud measures, and certain legal requirements.
    As consumers gain awareness that their personal information 
is being bought and sold by data brokers, it might be useful to 
consider whether the fair information practice principles of 
notice, consent, access, security, and enforcement, could be 
considered or used to elucidate this area. It is also worth 
considering that inaccurate data, as well as data that is 
stolen or misused, can have serious consequences for consumers. 
Perhaps those who use such data can improve its accuracy by way 
of best practices.
    Finally, nationwide notification to potential victims in 
the event of a security breach is a necessity. Notification is 
not just good business guidance; it should be the law whenever 
there is a risk of harm to consumers due to a security breach. 
If consumers know as soon as possible that it is reasonably 
likely their sensitive information has been compromised, they 
can take steps immediately to mitigate any possible damage, 
such as monitoring their accounts or availing themselves of the 
benefits FACTA provides.
    And, in conclusion, our national economy increasingly 
depends on transactions that require the provision of sensitive 
data. Our challenge in this electronic era is to strike the 
right balance between the right to information and the right to 
privacy. To protect sensitive data, we must develop strong 
policies that nurture and enable the Information Age by 
encouraging good use of technology while also raising consumer 
awareness. I'm pleased to work with Members of Congress to 
address this solution.
    Thank you.
    Senator Smith. Thank you very much, Commissioner Harbour.
    Commissioner Leibowitz?

 STATEMENT OF HON. JON LEIBOWITZ, COMMISSIONER, FEDERAL TRADE 
                           COMMISSION

    Commissioner Leibowitz. Good morning, Mr. Chairman and 
members of the Committee. It's always great to be back here, 
especially when it's not my nomination hearing.
    We were all stunned to learn about Citigroup's computer 
tapes that were lost during UPS transit. Senator Nelson, you 
mentioned that earlier. Senator Feinstein did, too. But what 
struck me the most was a remark by one privacy advocate in a 
New York Times story on the breach. She said, and I'll just 
read it to you, ``Your every day dumpster diver may not know 
what to do with these tapes, but if these tapes ever find their 
way into the hands of an international crime ring, I think 
they'll figure it out.''
    Let's hope by now these tapes are either buried deeply in a 
landfill or that they're soon recovered untouched, but the 
truth is that consumers' personal information is being 
compromised every day, and that the data-security problem is 
not confined to U.S. borders. Indeed, American consumers 
routinely divulge personal information to foreign websites, 
they routinely share credit-card numbers with telemarketers 
from around the world, and they routinely receive spam from the 
distant corners of the globe.
    Let me share just a few disturbing examples with you. A 
foreign website selling to U.S. consumers states that, ``We 
take all reasonable steps to safeguard your personal 
information.'' In fact, they don't. The company posts sensitive 
consumer data in a publicly accessible manner.
    Or, thieves from Eastern Europe use spyware to track U.S. 
consumers' keystrokes as they shop over the Internet.
    Or, overseas telemarketers obtain U.S. consumers' bank-
account information under false pretenses--we call that 
pretexting--and use it to wipe out their accounts.
    Sadly, these scenarios are based on real investigations, 
many of which, unfortunately, are difficult for us to pursue, 
because of limits on our ability to exchange information with 
foreign law enforcement partners.
    Mr. Chairman, the Commission expects to issue a report 
later this summer that details the harm caused by transnational 
fraud and the serious challenges we face in investigating these 
international cases. Foreign law enforcement agencies may be 
unwilling to share information with the FTC, because we cannot 
sufficiently guarantee the confidentiality of that information. 
And we are prohibited from sharing certain information we 
obtain in investigations with our foreign counterparts, even if 
sharing information would result in helping to stop fraud 
against U.S. consumers.
    To be sure, there is no panacea for the problems of 
international data-security breaches, but legislation allowing 
us to exchange information with foreign law enforcers under 
appropriate circumstances would be a step forward.
    The bottom line is this: If you want the FTC to be more 
effective in stopping spam, spyware, and security breaches, you 
need to give us the tools to pursue data crooks across borders.
    Mr. Chairman, I won't go into detail about the legislation. 
I know that you're looking at a draft of the bill, for which we 
are enormously grateful. The draft is almost identical to the 
noncontroversial measure Senators McCain and Hollings moved 
unanimously through your Committee in the Senate in the 
previous Congress. It still includes those minor changes made 
last year to address the concerns of industry and privacy 
groups.
    Again, though, thank you for your willingness to listen to 
us today. Along with my colleagues, I'd be happy to take any 
questions.
    Senator Smith. Thank you all so very much.
    In the interest of order, we'll have questionings in the 
order arrived. And I have that list in front of me. After my 
questions, Senator Bill Nelson, Senator Burns, and Senator Ben 
Nelson. If our other colleagues come back, we will insert them 
in as they had arrived.
    To all of you, in your testimony you stated that companies 
should be required to notify consumers of a breach when the 
breach, ``creates a significant risk of identity theft.'' How 
would the Commission define ``significant risk?''
    Chairman Majoras. Thank you, Mr. Chairman.
    You raise the toughest point on this issue. We have been 
criticized at times, in fact, by those who think significant 
risk it not the right standard. The key here is completely 
definitional. What we need to do is, we need to look at 
instances in which we most certainly would want to have notice 
given to consumers, and instances in which we haven't.
    If you look, for example, at what the State of California 
has done, the standard looks broad, but then if you look at 
what the Office of Privacy in California has done, it accepts a 
long list of types of breaches that, in general, do not present 
risks of identity theft.
    So, what we would do, for example, in a rulemaking, or, 
obviously, in working with the Committee on a piece of 
legislation, is try to define those instances in which we 
believe consumers would most be at risk, or perhaps even except 
those where they would not be so--for example, if data were 
encrypted.
    Senator Smith. And would that definition, whatever we 
ultimately arrive at its meaning, would that then trigger 
notification to the consumer?
    Chairman Majoras. Yes, it would.
    Senator Smith. Some forms of security-related breaches may 
not pose a threat to having one's identity stolen, but might be 
defined as such. We need to find a sensible solution to 
determining when individuals should be notified that their 
personal information may be at risk. What do you all believe is 
the appropriate standard for determining whether to notify 
consumers that their identity has, or may have, been stolen?
    Chairman Majoras. Well, it really just goes back to what I 
was----
    Senator Smith. Back to the list.
    Chairman Majoras. I'm sorry. I think you would have to go 
back to the list. And one of the advantages, Senator, in doing 
it in a rulemaking context, as opposed to trying to do all 
specific instances in the statute, is that then we have the 
freedom to change it as we perceive changes in the marketplace 
and new threats to consumers.
    Senator Smith. To the issue of preemption of states--you've 
heard that talked a lot about--should it be a floor or a 
ceiling? Should we preempt the states? Should we have a 
national standard?
    Chairman Majoras. Well, I think--are you asking 
specifically about notice?
    Senator Smith. Yes.
    Chairman Majoras. Because there could be other parts of the 
bill where preemption--where we might answer the question 
differently.
    This is a difficult question. No one ever likes to have to 
preempt the states. What I would offer to you is that, if you 
provide a Federal standard that is defined as a floor, as 
opposed to a ceiling, I'm not sure why you would spend time 
imposing it at all, because I do think that businesses are 
going to have to respond to the very highest standard. They 
can't--I don't think they can chop up their customer lists into 
50 different standards, for example. And so, that's just a 
reality, and it's something to think about, if you want to have 
a Federal standard at all.
    Senator Smith. To the issue of Social Security numbers, you 
know Senator Burns and I were talking about how broadly we use 
them. They were created for one purpose; and that was your 
Social Security account. But now I understand they're even 
using them on dog tags in the military. We give them out 
whenever we're asked to--in various circumstances.
    In your opinion, where do you think the use in sharing of 
Social Security numbers ought to be accessible, or should we 
begin trying to limit their use for other--for non-Social-
Security purposes?
    Commissioner Leary. Well, Senator, I'll jump in on that 
one. I certainly agree with you, 100 percent, that Social 
Security numbers evolved very quickly away from their original 
purpose.
    I'll just give you a personal example. When I got my first 
Social Security number, almost 60 years ago, we were instructed 
to carry our Social Security card around with us at all times. 
If you lost your wallet, you would lose your Social Security 
card. The Internal Revenue Service asked us to put our Social 
Security number on the envelope when we were mailing in a 
check, in order to facilitate their filing of it.
    So, for people my age, the ship has sailed, as a practical 
matter. I am certain that my Social Security number is out 
there in so many places that anyone could find it in 3 minutes.
    You have however, a new generation coming in, and you also 
have I think, a very interesting interim period before we may 
be able to have even more rigorous individual identifiers, 
which will enable people to figure out who you are a lot more 
accurately even than the Social Security number will.
    So, the question is, what is worth doing during this 
interim period of time? And it is a very, very difficult issue. 
One of the things I wanted to make clear to you, is that this 
is not arithmetic, where you can figure out what the costs and 
benefits are of doing it. You're going to have to make these 
tough value judgments.
    I am encouraged by the fact that there is a growing 
awareness of the problem that you've addressed, and that we now 
have options. For example, you can now get a driver's license--
or you certainly can in the District of Columbia and, I expect, 
in most states--that no longer have your Social Security number 
on them. That's a useful first step. We are cautioned not to 
give away Social Security numbers to people who have no 
legitimate reasons for them. I would hope that universities 
would not cease the routine use of Social Security numbers to 
identify their students who are making purchases in their 
stores.
    All of these things, I think, show a growing awareness of 
this issue. But to try to put the cork in the bottle 
retroactively, I suggest to you, is a very difficult thing to 
do legislatively.
    Senator Smith. My time on that first round is up.
    Senator Bill Nelson?
    Senator Bill Nelson. Thank you, Mr. Chairman.
    I want to thank each of you for your public service. And, 
Mr. Swindle, thank you for your exceptional service to our 
country. And godspeed on your--the next chapter of your life.
    Commissioner Swindle. Thank you.
    Senator Bill Nelson. I want to ask each of you to respond 
to a series of goals which I think is in legislation that is 
before this Committee. And I think it will help the Committee 
as we develop a composite piece of legislation. And I'll go 
right down the line in the order in which you have used--first 
with Madam Chairman. And if you all could keep your answers 
short so that I can get all of this information--please respond 
whether you support the following goals.
    Requiring all businesses to take reasonable steps to 
safeguard sensitive personal information.
    Chairman Majoras. Yes.
    Senator Bill Nelson. Mr. Swindle?
    Commissioner Swindle. Yes.
    Senator Bill Nelson. Mr. Leary?
    Commissioner Leary. Yes.
    Senator Bill Nelson. Ms. Harbour?
    Commissioner Harbour. Yes.
    Senator Bill Nelson. Mr. Leibowitz?
    Commissioner Leibowitz. Yes.
    Senator Bill Nelson. OK.
    The next goal. Requiring all businesses to notify customers 
when their sensitive personal information was, or reasonably 
believed to have been, acquired by an unauthorized person?
    Madam Chairman?
    Chairman Majoras. It depends on the risk to consumers, for 
identity theft. If there's a significant risk, then yes.
    Commissioner Swindle. I agree with the Chairman.
    Commissioner Leary. I agree with the Chairman.
    Commissioner Harbour. I believe that if there is a risk 
present, yes, then they should be notified. And, again, I do 
agree with the Chairman, that it is a definitional question.
    Senator Bill Nelson. Mr. Leibowitz?
    Commissioner Leibowitz. I agree with notification if there 
is significant risk or material risk--there needs to be some 
sort of trigger.
    Senator Bill Nelson. Thank you.
    Next goal. Requiring that all data brokers register with 
the FTC so that consumers can find out who has their sensitive 
information.
    Chairman Majoras. No, not as stated.
    Commissioner Swindle. I don't think we can answer that 
question, because it involves establishing a new regulatory 
regime for something that we don't really know the details on.
    Commissioner Leary. No.
    Commissioner Harbour. I think it's a complex issue, and I 
would like to continue to discuss it with staff, but I'm really 
not ready to give you my opinion on it, at this point.
    Senator Bill Nelson. Thank you.
    Commissioner Leibowitz. Can I get back to you in a few 
days?
    [Laughter.]
    Senator Bill Nelson. OK, the next goal. Ensuring that 
consumers are given rights regarding their information held by 
the data brokers, similar to the consumers rights that now 
exist under the Fair Credit Reporting Act. For example, the 
right to correct errors in that information.
    Madam Chairman?
    Chairman Majoras. It depends on the information in the 
particular database that the data broker is maintaining. So, 
for example, today, if the data broker is maintaining a 
database that contains consumer-reporting agencies' information 
used for credit eligibility or employment, for example, then, 
even today, yes, a data broker would be required to give that 
access. If it's a fraud database, on the other hand, giving a 
fraudster access to his or her information would defeat the 
purpose of the fraud database.
    Commissioner Swindle. I could not have said it better.
    Commissioner Leary. I agree with the Chairman.
    Commissioner Harbour. Like you, Senator, I am very 
concerned about the accuracy of information provided by the 
data brokers. I think that data brokers should adhere to best 
practices, possibly for accuracy, and it would be extremely 
worthwhile for leading industry and consumer groups to suggest 
possible best practices in this area.
    Commissioner Leibowitz. I agree with my colleagues. And I 
think you should think seriously about it.
    Senator Bill Nelson. We've already discussed, I think, the 
Social Security situation. So, two more goals. Creating a blue-
ribbon panel made up of industry and consumers to help develop 
best practices for safeguarding sensitive consumer information.
    Madam Chairman?
    Chairman Majoras. I confess, Senator, that I have not spent 
a lot of time thinking that through, but, in general, I am very 
supportive of self-regulatory-type efforts, and I'm very 
supportive of having the consumer groups and the industry 
groups talking to each other.
    Commissioner Swindle. I cannot attest, with certainty, that 
they exist, but safe computing practices are everywhere. 
Devices, tools, technologies to protect data is everywhere. The 
problem is not so much the lack of it; it's the lack of 
implementation and deployment of it. As we all know, and 
several have reflected, people give away their Social Security 
number at just the drop of a hat. So, to get back to my point 
of a culture of security, we've got to change the way we think. 
It's not a lack of tools that is hurting us. It's not employing 
and thinking about those tools.
    Commissioner Leary. Senator, I think it's an ingenious 
idea, because it recognizes that what is adequate security is 
an ever-moving target, and technology is moving a lot faster 
than, at least, my ability to comprehend it. So, I think that 
having some people who are really adept at this, with various 
backgrounds, might be a very useful thing to do.
    Commissioner Harbour. Senator, I think it's an excellent 
idea. Having industry, the privacy groups, the consumer groups 
come together and talk about this very complex issue would be 
an excellent way to proceed.
    Commissioner Leibowitz. I agree with my colleagues. It 
could be very, very useful.
    Senator Bill Nelson. OK. And the final goal, fully funding 
a robust Office of Identity Theft within the FTC, with adequate 
resources to assist victims of identity theft.
    Madam Chairman?
    Chairman Majoras. Well, I've been known to say, Senator, 
that I don't think, in my 10-month tenure, I've ever turned 
down additional resources, so I thank you for that. But I will 
say, if the goal of that is--well, first of all, the FTC 
assists identity-theft victims today, and we will continue to 
do that. If what the legislation proposes, however, is that we 
would individually help each of the ten million identity-theft 
victims, that, I think, would be too much for any one agency to 
handle, particularly for ours, simply because identity theft is 
a crime, and we don't have criminal enforcement authority, so 
we're not involved in that aspect of prosecution.
    Commissioner Swindle. Senator, I agree, certainly, with the 
Chairman's point about the crime being the issue here, but if I 
may run some numbers by us here today very quickly. We received 
roughly 250,000 identity-theft complaints in our complaint 
center this past 12 months, and I think it has been a fairly 
consistent figure. If we discounted half of those and said 
that, only 120,000 were really identity-theft problems, and if 
we took Senator Schumer's numbers--and I think he was referring 
to some survey, as I recall--of 175 hours to resolve that on 
the part of any individual--so, let's say it takes a month, and 
we have 120,000 legitimate claims--it takes a month to do 
this--that's one month's work out of one employee. The FTC, 
right now--I think we have about 1,100 or 1,200 employees----
    Chairman Majoras. Eleven hundred.
    Commissioner Swindle.--we would be required to have at 
least, using those numbers, another thousand employees. The FTC 
would then start to lose--well, well beyond losing its identity 
in its involvement with antitrust. We would become a completely 
transformed agency.
    Now, I used half of the complaints to make the illustration 
here of what we're talking about when we throw this out, but 
there's a lot more to it than meets the eye. Remember, in the 
last 12 months there were approximately ten million people, 
supposedly, who were victims of identity theft. I'm talking 
about 120,000 resulting in the need to add 1,000 people in the 
agency. It's a very complex issue.
    And, again, I will repeat it until I am blue in the face, 
even when I'm not a commissioner, that the first line of 
defense for everyone is the individual, himself, using good 
thinking about how he handles his financial and personal 
information.
    Commissioner Leary. Senator, I agree with my colleagues who 
have spoken thus far, and I just want to add a couple of 
thoughts for your consideration.
    The skill set, if you will, and the capabilities to deal 
with identity theft vary tremendously. For example, a 
prosecutorial function aimed at getting the people who may have 
committed identity theft or facilitated it through negligence, 
one way or the other, is a very different function than 
counseling individual consumers as to how best to deal with 
their problem. And I think that, ultimately, this has to be 
handled on a decentralized basis, under common standards, to 
the extent possible.
    Commissioner Harbour. I agree with the comments of my 
colleagues, but I would like to add a few other things.
    The functions of the Office of Identity Theft, in my view, 
are already being fulfilled by the Federal Trade Commission. 
Currently, much of what you're seeking, as I said, I believe 
we're doing. We have victim assistance and counseling, we have 
a hotline, we have a toll-free number, we have extensive 
consumer education, we're the clearinghouse for all of the ID-
theft victims, and we report on trends. As the Chairman 
indicated, individual representation would be extremely 
difficult. As I said, the Commission currently assists 
consumers. And what we do is, we educate them and we empower 
them. So, one of the best lines of defense, as Commissioner 
Swindle indicated, is educating them so that they will not 
become a victim of identity theft. And, also, if they are, then 
they know what steps to take to rectify it.
    Commissioner Leibowitz. Yes, I agree with the collective 
wisdom of my colleagues. I think, in your bill, you have a $60 
million authorization. I think you'd probably have to put at 
least one more zero after that to make it actually work--to 
make it function and to not detract from the other missions of 
our agency.
    The one other thing I wanted to mention, which is a common 
thread in all of the bills I've seen introduced, is civil 
penalties or fines. I think we all agree, on the Commission, 
that it is very important. It's a very useful deterrent. It'll 
make companies think twice before they violate the law.
    Senator Bill Nelson. Thank you all.
    Senator Smith. Senator Burns?
    Senator Burns. When you go out and--and I would say that 
the collaboration of the industry coming together and using 
best practices for this, you--like Mr. Leary brought up--does 
bring up some of our own laws that, sort of, prevent that, 
because of antitrust and other exchange of information on the 
best practices, and all this. I'm wondering--and I'm coming 
down on the side of that anybody that collects information that 
doesn't have a license to do so is outside the law and should 
be shut down. I'm--maybe that's the only way we've got to doing 
it, but I think they have to have some reasonable license that 
gives them the guidelines to do business in this arena. And so, 
I'm coming down that----
    But let's say that you go out, and you dealt with Microsoft 
and the other companies that you mentioned a little while ago 
for inadequate security systems. In other words, advertising, I 
would imagine, a system that assured the public that their 
privacy couldn't be--their information couldn't be breached, 
but then it didn't work. Is that a correct assumption on my 
part?
    Chairman Majoras. On most of the cases we've brought, that 
is exactly what happened, yes.
    Senator Burns. OK. Now, when a person--say, you've got a 
breach here in some of these firms. Do you go out--do you 
actually ask them to explain their systems to you, and what 
actions they've taken, in order to protect the information that 
they might have stored?
    Chairman Majoras. Absolutely. When we open an investigation 
under section 5, or under our Safeguards Rule, we do--we 
absolutely get behind what it is that a company has done to 
safeguard the information, and----
    Senator Burns. Would that be like Citicorp in this last----
    Chairman Majoras. Well, we don't have jurisdiction over 
banks. That, obviously, is with the OCC and other banking 
agencies. So, we don't--we aren't--we do not investigate all of 
the breaches that you've heard about. We are investigating 
some.
    Senator Burns. Well, where I'm going here--and, Mr. 
Swindle, I think we've had this discussion before--do you have 
the people and the expertise to go out to a commercial 
organization and collect the information on the system that 
they use, and make a judgment whether it's adequate or not?
    Commissioner Swindle. Yes, sir. We have highly qualified 
investigators. I think the limitation that the Chairman was 
referring to is, we just don't have jurisdiction over the 
banking industry; it's covered under a different jurisdiction. 
But we have incredibly competent investigators that have got, 
literally, years of experience, and we know how to do this.
    Senator Burns. Are you looking at these organizations that 
were in our briefing here? And did you look at their systems 
and determine that they had adequate security systems?
    Chairman Majoras. It depends on which ones you're talking 
about. I mentioned a couple in which we actually did bring 
cases, and we did----
    Senator Burns. Well, let's go--let's go--here, we've got 
Boston College.
    Chairman Majoras. I'm sorry, Senator, I'm afraid I can't 
comment on----
    Senator Burns. OK. Well, I----
    Chairman Majoras.--non-public investigations.
    Senator Burns.--and we shouldn't----
    Chairman Majoras. So, I apologize.
    Senator Burns.--do that, either.
    Chairman Majoras. Right.
    Senator Burns. We don't do that, either. But I guess that's 
where I'm going, that--and are we looking at them before 
something happens, or after something happens? Do you have the 
authority to monitor and advise that their system might not be 
adequate for information protection?
    Chairman Majoras. We don't have regulatory authority in the 
same way, for example, that the banking agencies closely 
regulate the banks. So, we don't have an ongoing dialogue, for 
example, with various industries on what their security 
measures are that they have in place.
    Obviously, yes, we can enforce, if we learn that they don't 
have adequate security in place. And, unfortunately, sometimes 
the way we learn it is when there has been a breach. But we 
don't need a breach in order to find that reasonable security 
measures have not been taken, in violation of section 5 or GLB.
    Commissioner Swindle. Senator, if I may interject, we've 
had a couple of cases, in which we've been told by others who 
watch, perhaps, more carefully than we do, because it's their 
primary focus--we do a lot of antitrust work and other things--
but where we receive complaints, it has caused us to go make 
inquiries. We don't, as a routine matter, audit anybody, in the 
sense that the banking regulators might conduct, if that's the 
right word, an audit. But we do look at things.
    And, Mr. Chairman, I hate to leave this discussion--
because, as I said, I have a passion for all of this--but, as I 
mentioned to you, I have a plane to catch. And I would just say 
to you all, once again, it has been an absolute honor to work 
with you. And I bid you adieu, and I'll probably be around 
somewhere.
    Senator Smith. Thank you so much.
    Senator Burns. Keep your name in the phone book--we may 
need you one of these days--would you?
    Commissioner Swindle. I'm putting everything on the Do Not 
Call List, sir.
    [Laughter.]
    [Applause.]
    Senator Burns. I guess in that line of questioning, I'm 
driving toward prevention, actions that we can take. And I 
think Senator Nelson is, kind of, on target that it's going to 
take an industry--the industry has to drive this, rather than 
any kind of a regulatory regime that we could put in place. Am 
I not correct on that?
    Chairman Majoras. Well, I mean, I do think--I do think it 
would be--it's extremely helpful for industry and--to help 
drive this, Senator, because we can't be the eyes and ears 
within every----
    Senator Burns. Yes.
    Chairman Majoras.--company, in terms of what they're doing. 
And that's why we like our flexible and broad Safeguards Rule, 
because it says to companies, hey, you have to put in place 
appropriate procedures, depending on the kinds of information 
you have and the kinds of business you have, and so forth, and 
depending on what technology, for example, is available to you 
today--and fives years from now, it's different--in order to 
not run afoul of the law.
    Senator Burns. The way technology's moving, next week it's 
going to be different.
    Chairman Majoras. Absolutely. And we want companies to take 
that into account.
    Senator Burns. But it's kind of like trying to put your 
thumb on JELL-O; I mean, it just moves, but that's the 
direction I'm going, I think, is prevention more than anything 
else, and then very strict fines. I agree with Mr. Leibowitz, I 
don't think you can make a fine too high for this kind of 
activity.
    I thank the Chairman. I'm sorry I ran over my time. And 
thank you for coming today. We appreciate that very much.
    Senator Smith. Senator Ben Nelson?
    Senator Ben Nelson. Thank you, Mr. Chairman. And I, too, 
thank the witnesses for helping enlighten us as we work our way 
through this challenging issue.
    I asked Attorney General Sorrell if he thought that there 
was a way to square the challenge that you have of dealing with 
states interested in this area, together with the Federal 
interest. Is there a way to harmonize it? Recognizing that the 
states do a great job at consumer protection, dealing at the 
closest level with the residents is an important factor for us 
to all consider. The closer it gets to Washington, except for 
people in the area, the more removed it is from folks out in 
the Midwest and on the West Coast.
    Recognizing all that, in trying to--are you suggesting, Ms. 
Majoras, that it's an either/or situation? Either--as it 
relates to the standard? Either the Federal Government does it 
or the states do it; otherwise, you get the patchwork quilt 
problem, compliance, or companies will ignore whatever the 
Federal standard is, if it's a floor, and go to the highest 
level established by the states, because they don't want to 
have to deal with individual differences between and among the 
various states?
    Chairman Majoras. Thank you, Senator.
    First, I want to make sure I make absolutely clear that I 
agree with you wholeheartedly that the states are tremendous 
enforcers of consumer-protection laws, and we do--we do need 
their help, and we work effectively with them. And, in this 
space, we do believe that state AGs must be able to enforce.
    My only point was a practical one. It's not philosophical; 
it's simply practical. You could work very, very hard on a 
standard, and try to come up with the perfect standard, but if 
you say it's a floor, I'm just not sure that--and perhaps my 
colleagues would like to comment--I'm not sure that it will be 
meaningful, in the end, if other states enact higher standards. 
States will automatically have to go to the higher standard, in 
running their business. So, it just depends on how you feel 
about that.
    Commissioner Leibowitz. I'd just say that, for some things, 
like a standard for notification, preemption seems to make a 
lot of sense. On the other hand----
    Senator Ben Nelson. That's what I was thinking----
    Commissioner Leibowitz.--on the other hand, states are 
wonderful laboratories for experimentation. They have been for 
as long as--as long as there have been states. And so, for 
something like a credit freeze, which California is 
experimenting with, or Vermont's experimenting with, it may 
make sense to let them continue to do so. You wouldn't have to 
preempt in that area.
    Senator Ben Nelson. Well, that--you're anticipating where I 
was going with the laboratories of democracy. I think Jefferson 
was, in fact, right; and, in fact, we have seen great things 
come from the states. Am I right to say that the states moved 
on this before the Federal Government did?
    Chairman Majoras. On the notice requirement----
    Senator Ben Nelson. On the----
    Chairman Majoras.--they did.
    Senator Ben Nelson.--notice requirement, yes.
    Chairman Majoras. Yes.
    Senator Ben Nelson. So, there is a concern, I would have, 
that we not put into place a standard that would become, if you 
will, a fixed standard, where there's no further 
experimentation. It's one of the concerns I have when we take 
the best practices of the states, and we put them into place at 
the Federal level, and say, ``OK, we've solved that.'' But, 
when we do that, we tend to stop experimentation, and things 
remain static, rather than dynamic. I'm hopeful that there 
would be a way to work through this, to where we permit the 
states to continue to do the experimentation. We don't stop 
commerce. We don't in any way impede the ability of commerce to 
move forward on this, but yet we protect the public.
    With the former Attorney General sitting next to me, I can 
say that many of the Attorney Generals don't think that AG 
stands for Aspiring Governor. And so, they----
    [Laughter.]
    Senator Ben Nelson.--so, they take--they take great care--
as a former Governor, I used to have to be concerned about 
that.
    [Laughter.]
    Senator Ben Nelson. As they continue to work to bring about 
protections of the consumers at the local level, they continue 
to do a great job, and I would hate to see anything that would 
get in the way, block, or would in any way impede their ability 
to continue to do that. I'd like to get your thoughts about 
that.
    Commissioner Harbour. Senator, we've had this discussion 
within the Commission. And I know the Chairman says she takes a 
practical view. We've also discussed the philosophical view. 
And everyone does love the dissenting opinion of Brandeis, 
where he said one of the happy incidents of state--the Federal 
system was that states may serve as a laboratory and try novel 
social and economic experiments without risk to the rest of the 
country. But I think whatever approach is chosen by Congress, I 
believe that state attorney-general enforcement is essential.
    Senator Ben Nelson. I don't think we're--this isn't a 
challenge. It's the equivalent of squaring a circle. But it's 
going to be a very delicate area to carve out the relationship 
so that we get the best of both, so that we end up with the 
best practices; because, after all, that's what the consumers 
are expecting, and that's what they need; and they deserve it, 
as well.
    Well, thank you, Mr. Chairman, for the hearing.
    Thank you very much.
    Senator Smith. Thank you, Senator Nelson.
    Senator Pryor?
    Senator Pryor. Thank you, Mr. Chairman. Was Senator Allen 
next?
    Senator Smith. On my list, you got here before he did.
    Senator Pryor. OK. Thank you, Mr. Chairman. And I want to 
thank you, again, for this hearing. I know a number of our 
colleagues have thanked you, as well, but we really appreciate 
your leadership on this and other issues.
    Ms. Harbour, let me start with you, if I may, and that is, 
you mentioned, in your opening statement, Social Security 
numbers. And, as I understand what you said--maybe I 
misunderstood it, but as I understand what you said, you said 
that, basically, data brokers should not be allowed to share 
Social Security numbers, except within fairly narrow 
parameters. Do I have that right?
    Commissioner Harbour. Well, what I had in mind, Senator--I 
think Congress should consider imposing stricter controls on 
the sale, distribution, and use of Social Security numbers, and 
that perhaps Congress should consider breaking the habit of 
industry using Social Security numbers as authenticators. But I 
also appreciate all of the very thoughtful comments that my 
colleague, Commissioner Leary, indicated, as well. It's a very 
complex area, and it's going to take a very delicate balance 
between the right to privacy and the right to information and 
the economic factors that go into the importance of Social 
Security numbers.
    Senator Pryor. I agree, it's complicated, and it's not an 
easy fix, just a one--one simple solution isn't there, 
probably.
    Let me ask this, while I have you, on the subject of Social 
Security numbers. Is it your view that Congress needs to act to 
restrict Social Security numbers, or does the FTC have the 
authority right now to implement a regulation?
    Commissioner Leary. Well, Senator, the FTC has the 
essential authority to attack people for unfairness or 
deception if they misrepresent what they are going to do with 
information that they collect, or if they misrepresent the 
security with which they would treat it. But, in general, we do 
not have the authority to say to any particular institution 
that, ``You shall not transmit it,'' other than authority 
specifically granted to us under Gramm-Leach-Bliley or Fair 
Credit Reporting Act. We do not have a free-roving authority to 
regulate it----
    Senator Pryor. That's my sense----
    Commissioner Leary.--in that area.
    Senator Pryor.--of it, as well.
    Chairman Majoras. Right.
    Senator Pryor. Yes.
    Chairman Majoras. Right. I was just going to add that, 
under Gramm-Leach-Bliley today, if a Social Security number has 
come from a financial institution, then there are some 
restrictions on the transfer of that Social Security number. 
And to the extent that we have jurisdiction to enforce GLB, we 
do have that piece. But we don't have a general--we don't have 
general rulemaking authority in this area.
    Senator Pryor. While we're on the subject of Gramm-Leach-
Bliley, I'm curious for your thoughts--and, Ms. Majoras, maybe 
we'll start with you--on how Gramm-Leach-Bliley is working, 
from your standpoint and given the focus you have on it. How's 
it working? And, also, I know that there has been some ideas 
floated here about the Safeguard Rules in Gramm-Leach-Bliley, 
and how that interfaces with privacy, and how we should proceed 
into the future, and whether maybe we should expand a little 
bit on Gramm-Leach-Bliley, et cetera. So, I'd just like to get 
your thoughts on that.
    Chairman Majoras. Thank you.
    Gramm-Leach-Bliley, of course, is enforced by several 
different agencies in the FTC. You know, the banking agencies, 
for example, enforce against those financial institutions and 
the like, and the FTC has whatever's left when you take those 
regulatory agencies out of it. We do think that the Safeguards 
Rules under it are working appropriately. There have been 
questions raised about whether--under the privacy provisions, 
whether the notice to consumers has been working very well. We 
don't have exact numbers, but understand that consumers have 
not responded well to those notices, that most have gone into 
the trash can, as opposed to being read. And we are actually 
working now with industry to see whether there's something that 
could be done with those notices to make them more consumer-
friendly, if you will.
    Senator Pryor. Let me interrupt just right there. So, do 
you have the empirical data on that? Or is that what you're 
trying to collect?
    Chairman Majoras. We don't have empirical data today. I 
don't have exact numbers for you.
    With respect to extending the Safeguards Rule, the 
Safeguards Rule is broad and flexible enough, I think, to be 
applied beyond financial institutions, in GLB, to other 
businesses that collect and hold sensitive consumer 
information. And we think that would be--that that is a good 
extension, that rule, if Congress sees fit.
    Commissioner Leibowitz. I agree with the Chairman.
    Commissioner Leary. Senator, I agree with the Chairman. I'd 
just add, if it's not obvious, that Gramm-Leach-Bliley is a 
classic illustration of the risks that you might encounter with 
excessive notification. We're all bombarded with notices and 
documents of various kinds, and, if there are just too many, 
the message gets lost. For example, there might be some 
theoretical compromise of your data, however limited. If every 
time you automatically get a notice--eventually, it's like the 
boy who cried wolf, in the old fairytale, you stop paying 
attention.
    Senator Pryor. My sense is that there are a lot of people 
in this country that are just tuning them out. You know, maybe 
the first couple of times they got a notice they got read. And, 
you just get enough of them, you just start to tune it out, 
they start to lose----
    Commissioner Leary. Yes.
    Senator Pryor.--their impact.
    Commissioner Leary. Right.
    Senator Pryor. Mr. Chairman, that's all I have. Thank you.
    Senator Smith. Thanks, Senator Pryor.
    Senator Allen?
    Senator Allen. Thank you, Mr. Chairman.
    Let me just make some prefacing remarks before I ask for 
your insight.
    The states are laboratories. Having been Governor, I think 
the states come up with better ideas and are more responsive to 
the needs and values of the people than is the Federal 
Government. However, the states did create the Federal 
Government, and our present Constitution is one in which we 
wanted to make sure that there was a free flow of interstate 
commerce. And if the states are doing something that is harmful 
to interstate commerce, we don't want to be allowing that.
    I look at this situation as akin to other areas, where, 
actually, the states and the attorney generals are partners, 
we're not in competition. But we--it's a national security 
standard that we're concerned with. A lot--we get into privacy, 
but this is more of a security issue, of information, data, and 
identity, than it is a privacy issue. But the way it ought to 
work--like in many other areas, everything from OSHA to mining 
laws to even bank robbery--those are all tried in Federal 
court, but most of the time it's local law enforcement, or 
maybe a state police officer, who has apprehended the bank 
robber. So, I think the FTC, obviously, is preeminent, but I 
think, as the Chairman said, Chairman Majoras, this is one 
where we do want to work with the states.
    My view of this is that we should have uniform national 
security standards. We do need to make sure information of 
consumers is protected. If there's a breach, we've got to 
figure out what circumstances should a custodian notify the 
affected citizen where they reside.
    Now, since we have all of you here, if--the question 
really, for me, is, if the FTC--and you do have authority to 
bring actions against these companies that fail to adequately 
safeguard consumer information. In your testimony, you said you 
have the Federal laws. Now, as a follow-up on this, if the FTC 
has sufficient authority to bring enforcement actions against 
so many companies, can you identify any gaps--any gaps in your 
authority--where you would recommend--not just saying, ``Well, 
it's financial institutions,'' and so forth--but are there any 
gaps where you would recommend that we, as a Congress, grant 
you all, with the Federal Trade Commission, further enforcement 
authority?
    Chairman Majoras. Thank you, Senator Allen.
    One gap that could be filled is the extension of our GLB 
Safeguards Rule to other businesses. It's a fair question to 
ask why--if we can already bring these cases under section 5, 
why would we need that? But if you take, for example, the BJ's 
case, and our unfairness standard that we used in bringing this 
case, today, that requires, first and foremost, that we prove 
substantial consumer harm. And, of course, what we would prefer 
is not to have to wait until substantial consumer harm is shown 
all the time; in other words, to have companies recognizing 
that putting in place reasonable security measures is what they 
should be doing under the law, because what we most want to do 
is prevent the breaches. And then, of course, you've pointed 
out the notice provisions; and, as of today, of course, there 
is no Federal notice law, Senator.
    Senator Allen. Restate that again. Extension of what, 
specifically? I want to make this very----
    Chairman Majoras. OK.
    Senator Allen.--clear----
    Chairman Majoras. OK.
    Senator Allen.--for all of us.
    Chairman Majoras. All right. The FTC's Gramm-Leach-Bliley 
Safeguards Rule.
    Senator Allen. All right. Now, if you had had such 
additional enforcement authority--and you mentioned one 
particular case which you can't talk about--if you had this 
enforcement authority at the beginning of this year, would you 
have prevented the breaches that we've seen since January of 
this year? And, if not, are we merely talking about how much we 
can fine a company for failure to act responsibly?
    Chairman Majoras. Well, I'm not sure that, with respect to 
any specific breach, we could have prevented it. And, of 
course, we're investigating some of them; and so, we'll learn 
more information. But I do absolutely agree with Commissioner 
Swindle that what we need to do is create a culture of security 
in business. Businesses would not, of course, treat packages 
with cash in them in a way in which that cash could be stolen 
easily. And so, I think if the law is in place, and it is 
adaptable to all manner of businesses, the industry will likely 
respond to that. And there is no such thing as perfect 
security, Senator. We know that with respect to national 
security, and in all instances. But I do think that it will get 
companies, who have not brought up to date their security 
procedures, thinking, ``Gosh, now it's law, and we must do 
this.''
    Commissioner Leary. Senator, let me just expand on that a 
minute----
    Senator Allen. Yes, Commissioner Leary.
    Commissioner Leary.--because I agree with it completely. 
The mere fact that businesses are on notice, that they are now 
subject to a specific legal requirement that they were not 
specifically subject to before, will induce a level of 
compliance, because most businesses are law compliant. The 
prime enforcers of law in the United States are not people 
sitting on this side of the table, but people who are 
counselors to businesses, who say to them--to their clients--
that, ``Now we have a legal requirement, and we'd better set up 
procedures to be in compliance with this, because you might get 
sued someday down the road.''
    Senator Allen. Thank you.
    Commissioner Leibowitz. I agree with my colleagues. Let me 
just add one point, which is: a useful gap that could be 
plugged would be in the cross-border fraud area. We just don't 
have the authority, often, to receive information from our 
foreign law enforcement counterparts. And if we can get that 
ability, we'll be able to more effectively go after malefactors 
who are doing bad things to Americans from abroad. By the way, 
that's not just in the context of data security; it's also in 
the context of spam, spyware and----
    Senator Allen. Right.
    Commissioner Leibowitz.--various other problems.
    Senator Allen. Well, Mr. Chairman, we were actually working 
on that. That was one of the key components, on the spyware.
    Thank you, Mr. Leibowitz. We'll make sure any legislation 
gives whatever assistance in that regard to you all. Thank you.
    Ms. Harbour?
    Commissioner Harbour. And just to put a fine point on what 
Commissioner Leibowitz said, with the ChoicePoint data breach, 
as I recall, the information was given out to a Nigerian 
national. And had we had the cross-border legislation, that 
might have enabled us to share information with other 
countries, and perhaps have facilitated an investigation, or 
perhaps prevented something like that from happening in the 
future.
    Commissioner Leibowitz. One more thing to add, which is, 
civil penalties or fines would be useful, too, in the context 
of----
    Senator Allen. Additional civil----
    Commissioner Leibowitz.--this legislation.
    Senator Allen.--higher civil fines and penalties.
    Mr. Chairman, thank you.
    Thank you all. In the event that we craft legislation, as 
far as I'm concerned, you gave me the good framework for it, 
and I very much appreciate it. And we want to make sure that 
you all can do your job protecting our consumers in this 
country, and, obviously, working with international 
counterparts, as well. But thank you.
    And thank you, Mr. Chairman.
    Senator Smith. Any more questions?
    Senator Allen. No, I don't have anything further.
    Senator Smith. Thank you, Senator Allen.
    Commissioners, the FTC, itself, has documented the 
difficulty that peer-to-peer users have when they use software 
programs. They can unwittingly share their tax returns, bank 
account numbers, credit cards, medical records, resumes, e-mail 
in-boxes, and legal documents of all kinds, with literally 
millions of people. The question I have is, Do you have any 
suggestions on how we can better educate consumers about the 
ongoing risks of identity theft and fraud on P2P networks?
    Chairman Majoras. Well, thank you, Senator. It's an 
excellent question, and it's something that we, at the FTC, 
have been working on. We have materials designed to educate 
consumers. But what we are--what we have been doing is working 
with the peer-to-peer file-sharing industry, because we think 
that, to the extent that consumers need to be warned of risks, 
if they can be warned the minute they pull up the--download the 
software or begin working on the P2P file-sharing program, that 
really is the best place. And in--when we first started this, 
last year, after we had our peer-to-peer file-sharing 
workshop--at which we were pleased to have you as a speaker, 
Senator--really, almost none of the file-sharing companies had 
disclosures and warnings on their software. And, today, that 
has changed a great deal. I can't tell you that that's 
absolutely going to be enough, but we have been focusing a lot 
of efforts in that area.
    Senator Smith. If it isn't enough, do you need more tools 
from us?
    Chairman Majoras. We are--I think, Senator, we'd like the 
opportunity to finish what we're doing now, and then have the 
opportunity to come back to you and talk to you, if we think 
further tools are needed.
    Senator Smith. OK.
    Chairman Majoras. And, of course, the Supreme Court's 
decision in Grokster may also give us some guidance.
    Senator Allen. Yes.
    Commissioner Harbour. If I might just add to what the 
Chairman indicated, the Commission staff intends to continue to 
encourage the development of best practices with regard to the 
risk disclosures, but also the risk of inadvertent file sharing 
appears to have decreased, due to technological measures 
adopted by some of the peer-to-peer applications, although the 
risk of inadvertent file sharing may vary, depending on what 
the application is. I think there are new technological 
developments that are coming onto the market that are 
protecting consumers.
    Senator Smith. Is the European Union--or Japan or other 
nations, are they running into these issues, as well? And do 
you have any--do you do any work with them across the ocean?
    Chairman Majoras. We do, Senator. In fact, a great deal of 
work with them across the ocean. The EU has a much broader 
privacy and security scheme in place, as opposed to going after 
areas in which there's harm. It's a very broad, comprehensive--
indeed, it's so broad that, when I recently, on behalf of the 
Commission, attended the annual meeting of the International 
Competition Network, we weren't allowed to have a list of who 
was attending, because that might violate the privacy rights of 
the folks who were actually in attendance. In Japan, I've had 
folks go to conferences, where they're not--no one is given a 
name tag, because, if someone wore a name tag, that might 
violate privacy rights--so, in fact, there are broader schemes 
out there with other countries. We do work very closely, 
through several international organizations, and on a bilateral 
basis, to share what has worked and what has not worked.
    Senator Smith. Do you need any more tools in dealing with 
these other nations? Do you have what you need now?
    Chairman Majoras. Well, we have, in the cross-border fraud 
legislation that we have promoted, there is some language in 
there that would give us some more funding to be able to work 
more closely with our counterparts in this space, which is 
becoming so important to our work, as you know.
    Senator Smith. Well, it's clearly a problem that doesn't 
know borders, so I want to say that for the record. And we 
appreciate what you're doing internationally.
    I want to bring to your attention a constituent's problem 
of mine. A constituent in Eugene, Oregon, contacted the Oregon 
Department of Justice, filed a fraud report. Last year, she had 
been a victim of identity theft, after which she filed a fraud 
alert with her credit union, filed a police report, put a fraud 
alert on her credit report, yet this same individual was 
revictimized a year later. And I'm wondering, What do you say 
to consumers who do everything right to protect themselves, and 
yet still fall prey to identity theft?
    Chairman Majoras. Well, we say we're working as hard as we 
possibly can to make sure that that doesn't happen again, and 
to make sure that it doesn't happen to additional consumers.
    One of the things that we do--I commented on the fact, 
Senator, that identity theft is a crime. And that means that 
it's prosecuted, most often, except in very large national or 
international rings, at the very local level. And so, one of 
the things that we try to do is train local police officers. We 
have a very big program with the Association of Police Chiefs 
to try to train those who are on the ground dealing with these 
consumers at the time. And I'll let my colleagues weigh in 
here, as well, if they wish.
    Commissioner Leibowitz. We're a consensus-driven 
organization.
    [Laughter.]
    Senator Smith. I want to highlight a comment I made 
earlier, and I do this in conclusion to our hearing today. I 
have in front of me an article from the MSNBC.com website, and 
it highlights the connection between ID theft and 
methamphetamines. There was, in Eugene, Oregon, again, an ID-
theft ring that--their ring bosses use meth addiction to keep 
their runners in line and to get new recruits. In the case of 
Steven Massey, convicted for his role as a ringleader of an ID-
theft gang in 2000, methamphetamine was the glue that kept this 
guy's ring together. Massey knew where to find meth addicts, 
and he made them a simple proposal. Said he, ``I'll trade mail 
for meth.'' Soon, he had an army of meth addicts prowling the 
neighborhoods near Eugene, stealing mail out of hundreds of 
mailboxes, and raiding the local recycling center, for pre-
approved credit-card applications. Others in the ring broke 
into cars to steal purses and wallets, not for money, but for 
ID papers. By the time Massey was arrested, investigators say 
he had gained access to over 400 credit-card accounts and 
netted close to $400,000. He eventually pleaded guilty to 
conspiracy to commit computer fraud, and to mail theft. It's a 
typical case in Oregon. ``Ninety percent of our ID-theft cases 
deal with drugs,'' said the local policemen, ``and it's usually 
methamphetamine, which is easy and cheap to produce in mass 
quantities.''
    I highlight this, not to bring attention to my state, 
because I think it's a problem being experienced very broadly 
in this country, but I do this only to let people know just how 
dangerous this is. These are very dangerous people, and, 
obviously, one of the most unsurly of trades in illegal drugs.
    I don't know whether you would care to respond to that--
yes, Ms. Harbour?
    Commissioner Harbour. I know that crystal meth is a very 
serious and complicated problem. I do know that Senator 
Cantwell was concerned that the use of crystal meth in the 
State of Washington was fueling identity theft, as well. And I 
know that she had worked very hard to get local law enforcers 
in her state to take the issue very seriously; and, in fact, 
had involved Representative David Reichert, the former King 
County Sheriff, who, by the way, captured the Green River 
serial killer. But, anyway, local law enforcers are on the 
front lines, and I know that they're dealing with problems 
related to both drug use and identity-theft victims. At the 
Federal Trade Commission, obviously, we have no criminal law 
enforcement jurisdiction. The expertise of dedicated on-the-
ground local law enforcers is irreplaceable. So, I suppose I 
would urge all of the Senators and the Congressmen to use 
some--to convince your state and local enforcers to really take 
a look at this issue, and to take this seriously and step up to 
the plate.
    Senator Smith. Thank you very much.
    I'm going to ask unanimous consent--I guess I'm alone, so I 
agree----
    [Laughter.]
    Senator Smith.--to include in the Senate record a statement 
from Oregon's Attorney General, Hardy Myers, that it speaks to 
this whole issue and the connection of identity theft and 
drugs, specifically methamphetamine.
    [The information referred to follows:]

   Prepared Statement of Hon. Hardy Myers, Attorney General of Oregon

    Police investigating identity theft crimes are becoming 
increasingly aware that the perpetrators are almost always users of 
methamphetamines. Oregon has an especially high rate of Identity Theft 
(9th in the Nation) and has the largest number of citizens in meth 
treatment programs of any state in the country. Both of these dubious 
distinctions lend themselves to one another. Meth users are many times 
recruited by leaders of ID theft rings to steal personal information 
from their victims. The meth users, in turn, are given drugs as payment 
by the leader of the ID-theft ring.
    IDs are especially easy to get in Oregon--in fact, Oregon ranks 
48th out of 50 states in the ease of acquiring identification. 
Currently, for example, the DMV has approximately 6 million active 
Oregon driver's licenses on file, yet there are only 3.5 million 
residents in Oregon. In once instance, the Marion County Sheriff's 
Office shared one case in which an individual secured 20 DMV issued 
licenses within a 5-hour period.
    There are many reasons that identity theft seems to be so 
inexorably tied to meth use. Meth users, by virtue of their addiction, 
go on binges in which they are awake and focused for days at a time. 
Consequently, they must spend days at a time sleeping off the 
consequences of their actions. This means that part-time jobs are 
difficult to hold. As meth is an expensive habit to maintain, sources 
of income are needed to obtain the drug. Furthermore, according to a 
professor at SJSU in San Jose, meth's ``unique psychopharmacological 
properties would assist ID theft--the whole detail-oriented aspect of 
it, the obsessive-compulsive aspect of it.''
    Identity theft lends itself well to this because it can reap large 
monetary benefits, with relatively smaller punishments. As a police 
detective in Eugene put it, ``they (meth users) can make more money in 
a fraud crime than they can sticking a gun in someone's face. If you 
bring a gun in a bank, you can face life in prison. Or you can write a 
series of bad checks and score 10 times that amount and just get 
parole.''
    There seems to be no official data that states the percentage of 
ID-theft crimes that are connected to meth. The estimations vary--but 
typically officials say between 85-95 percent of all ID theft crimes 
are in some way connected to methamphetamine. In 2003, 100 percent of 
identity theft case worked by the Fraud and Identify Theft Enforcement 
Team investigators in Washington County, Oregon had a methamphetamine 
nexus.
    There have been many documented cases in which a meth users has 
been caught with a number of identifications, financial records, and 
Social Security numbers. In one example in Tualatin Oregon, officers 
located 340 separate probable victim identities in a storage unit along 
with a boxed up meth lab that only needed a few components to start 
cooking again. Of the 1,240 separate identities, there was identify 
information in the form of full profiles of persons, checks, ID cards, 
credit applications, W2's tax information, and much more.
    Oregon, by virtue of being among the most ravaged of states by both 
identity theft and methamphetamine, can be a unique example of the 
connection between the two. ID theft affects thousands of Oregonians 
every year, and it is being perpetuated by users of methamphetamine.

    Senator Smith. Let me just say how appreciative we are of 
your presence here today, the contribution you've made. We look 
forward to working with you to make sure you have the powers 
and authorities necessary to get ahead of what is a burgeoning 
problem in our country. We've got to protect our consumers from 
this; and, clearly, new tools are called for. And your input is 
valued, and will be included. And we look forward to working 
with you as this legislation develops. And, most of all, thank 
you for your public service.
    Chairman Majoras. Thank you, Mr. Chairman.
    Senator Smith. We're adjourned.
    [Whereupon, at 12:15 p.m., the hearing was adjourned.]

                            A P P E N D I X

              Prepared Statement of Hon. Byron L. Dorgan, 
                     U.S. Senator from North Dakota

    North Dakota is first in the Nation in many good respects. But I am 
happy to say that North Dakota ranks 49th in the Nation in the number 
of ID theft cases, on a per-capita basis. There are almost five times 
as many cases of ID theft in Arizona, on a per capita basis, than in 
North Dakota.
    Still, even though we have had relatively few cases in North 
Dakota, the first-hand stories of North Dakota victims are certainly 
devastating ones. This is clearly a national epidemic. And I am 
particularly worried about the many instances in which data brokers 
have lost the sensitive financial records of hundreds of thousands of 
Americans.
    I am a co-sponsor of S. 768, the Comprehensive Identity Theft 
Prevention Act, which my colleague Senator Nelson (along with Senator 
Schumer) has introduced.
    This bill does a number of things:

   It bans unregulated commercial trading of Social Security 
        numbers, and prohibits commercial entities from asking 
        individuals for their Social Security numbers, unless no other 
        alternative identifier that can be used.

   It establishes an Office of Identity Theft within the 
        Federal Trade Commission (FTC), as a ``one stop shop'' to help 
        the millions of victims of identity theft each year restore 
        their identities. This office would also be responsible for 
        passing regulations to protect consumers' sensitive personal 
        information that is collected, maintained, sold, or transferred 
        by commercial entities. It would have the authority to bring 
        enforcement actions for violators of the regulations.

   It requires safeguard rules for all commercial entities: 
        companies must take ``reasonable steps'' to protect all 
        sensitive personal information that they store.

   It requires information brokers subject to full regulations 
        by the FTC; and consumers would be afforded the rights they 
        have under the Fair Credit Reporting Act regarding credit 
        bureaus.

   It requires breach notification: all commercial entities 
        must notify individuals when there has been a breach of the 
        individual's sensitive personal information.

    I am particularly concerned about the pervasive use of Social 
Security numbers by businesses as a means of identifying potential 
customers. I believe that the use of misappropriated Social Security 
numbers is one of the main accelerants that fuels the epidemic of ID 
theft. I know that many businesses will argue that they need Social 
Security numbers to distinguish one customer from another. But the 
Better Business Bureau estimates that there were 9.3 million victims of 
identity theft in 2004. Clearly, there are competing interests here--
and given the number of victims, I think we need to provide much more 
protection for the confidentiality of Social Security numbers.
    When a company like LexisNexis is hacked into, and thieves steal 
the personal data of 310,000 Americans--including not only their Social 
Security numbers, but even the date and location where the Social 
Security card was issued--it is clear that we have a serious problem on 
our hands.
    I have read through FTC testimony. It states that ``private and 
public entities routinely have used Social Security numbers for many 
years to access their voluminous records,'' and suggests that the 
solution is not to restrict the use of Social Security numbers, but 
rather to go after those who use Social Security numbers for criminal 
purposes. I am certainly in favor of going after the bad guys, but I 
think we also need to restrict the use of Social Security numbers far 
beyond the status quo.
    So I look forward to discussing this point with the other 
commissioners today.
    I am also interested to hear from Vermont Attorney General William 
Sorrell on whether Federal legislation on the issue of ID theft should 
create a ceiling that preempts recently enacted state laws in this 
area. North Dakota is one of the states that has recently passed 
legislation requiring notification of individuals when their personal 
data has been compromised. I am not sure that we want to be capping the 
efforts of states to protect individuals from ID theft. The bill that I 
have co-sponsored with Senator Nelson does not do that.
    With that, I thank the witnesses for attending today.
                                 ______
                                 
 Prepared Statement of Hon. Barbara Boxer, U.S. Senator from California

    Mr. Chairman, thank you for calling this hearing on the vitally 
important issue of identity theft. I commend you for making this issue 
a top priority.
    As you know, I am a strong and vocal proponent of privacy 
protection--especially with regard to the distribution of personal 
information that can lead to the physical, financial, or psychological 
harm of an individual if the information falls into the wrong hands.
    In 1994, after an actress in my state was murdered by a stalker who 
obtained personal information about her from the Department of Motor 
Vehicles, I authored the Driver's Privacy Protection Act to keep 
personal information held by a state Department of Motor Vehicles from 
being released without the consent of the individual. The Supreme Court 
upheld this law on a unanimous 9-0 vote.
    That was during the days of the Internet's infancy. While the 
Internet has done wonderful things, it--and the computerization of more 
and more data--is making it easier for identity thieves.
    The Privacy Rights Clearinghouse, a nonprofit group in San Diego, 
estimates that nearly 4 million people's identities have been 
compromised through means such as hacking, dishonest insiders, and 
computer theft since mid-February. This number does not even include 5 
million people whose sensitive information is on the back-up tapes lost 
by Bank of America and CitiFinancial.
    According to a 2003 FTC study, over a period of 1 year, nearly 10 
million Americans were victims of identity theft. Losses to business 
and financial institutions were nearly $48 billion and consumer victims 
reported an additional $5 billion in out-of-pocket expenses.
    Criminals use misappropriated and stolen consumer information to 
assume the identity of innocent individuals. They get credit cards and 
mortgages in someone else's name and even use an assumed identity if 
caught committing a crime. The identity thieves then disappear and it 
is the victim who is left answering the calls of debt collectors and 
the police.
    Data brokers are of particular concern when it comes to identity 
theft. These companies actively collect and sell information about 
individuals.
    As aggregators of sensitive information, data brokers are 
attractive targets for identity thieves. And, unfortunately, the last 
few months have shown that criminals are succeeding in stealing 
information from them.
    Since the beginning of the year, we have learned that breaches of 
security at ChoicePoint and LexisNexis have resulted in information on 
approximately 145,000 individuals in ChoicePoint's case and 300,000 
records in LexisNexis's case being exposed.
    What is worse is if this had happened a few years ago, we might not 
have even known about them. It is only since a California credit law 
went into effect in mid-2003 that companies have been forced to notify 
Californians when their confidential information has been compromised. 
That required notification to California's consumers has resulted in 
the whole country knowing about these thefts. But, outside of 
California, people do not have a right to know when their own personal 
data may be compromised.
    This must change. People have a right to know when they are at 
risk. They have a right to know before they get turned down for a loan 
because someone else ruined their credit record. They have a right to 
know before they are arrested for someone else's crime. We, however, 
should not focus solely on data brokers. Many other organizations 
routinely store sensitive personal information. In April, DSW--the shoe 
store--admitted that its computer system had been hacked allowing 
criminals access to the credit card and driver's license numbers of 
approximately 1.4 million customers.
    Identity theft also raises serious homeland security concerns. 
Terrorists, too, are able to use sensitive consumer information to 
assume false identities. Unlike criminals, however, terrorists will 
avoid the activities that normally alert a person to the fact their 
identity was stolen. So long as the terrorist pays the credit card 
bills, it could be years before the deception is revealed.
    Legislation is needed to address the consumer harm and security 
threat arising from identity theft. Therefore, I have cosponsored the 
Comprehensive Identity Theft Prevention Act (S. 768).
    The legislation would create and fund the Office of Identity Theft 
in the FTC and create an Assistant Secretary for Cyber Security in the 
Department of Homeland Security.
    Moreover, it would regulate data brokers and ensure that companies 
maintaining sensitive personal information protect that data. A notice 
provision based on California's law would require companies to inform 
affected individuals of security breaches and give those consumers 
additional rights to protect their sensitive information.
    This legislation is timely and necessary. I look forward to working 
with my colleagues on this Committee to move the bill forward.
    I thank you again, Mr. Chairman.
                                 ______
                                 
Prepared Statement of Frank R. Lautenberg, U.S. Senator from New Jersey
    Mr. Chairman,

    Thank you for holding this important second hearing on the 
compilation, storage, and sale of sensitive personal information, and 
the American public's increasing concern and susceptibility to identity 
theft.
    Whereas our focus in May was to look at the actors in the data 
brokerage industry, today we focus on what the Federal Trade Commission 
is doing to help combat identity theft and what Congress can and should 
do to combat this increasing threat.
    Recent security breaches at the Nation's largest data brokerage 
firms have left millions of Americans vulnerable to identity theft and 
scams. Overall, some 10 million Americans were victimized by identity 
thieves last year.
    And the situation is only getting worse. The year 2005 has brought 
news of one security breach after another, with no end in sight. Some 
of these breaches have been high-tech, resulting from improperly or 
illegally accessed passwords. Others have been caused by mere 
carelessness, sometimes during the transport of files or disks.
    Regardless of method, these breaches have exposed sensitive 
personal information about millions of Americans in the past year 
alone. This is simply unacceptable, and it warrants our attention.
    In the wrong hands, an individual's private data can wreak havoc on 
a victim's life--ruining their finances and credit rating, their 
ability to obtain a mortgage, and often their good name.
    Victims of identity theft often spend years and large amounts of 
money to repair the damage done by identity thieves.
    Advances in technology allow more information to be compiled faster 
and in fewer databases. The collection and storage of personal 
information is a big business, and now is the time to exercise better 
oversight of this problem and consider how we can play a role in 
protecting Americans from identity theft.
    Mr. Chairman, our laws must ensure that companies protect personal 
information with great care.
    We must work harder to protect Social Security numbers. Social 
Security numbers should be requested and given based on need. 
Furthermore, we must make sure Americans are aware of how and when 
their Social Security number is being used.
    We must also notify consumers when a breach has occurred that puts 
them at risk of identity theft.
    I'm interested to hear from the Federal Trade Commissioners on what 
efforts the FTC currently employs to protect Americans, and what their 
agency is prepared to do moving forward to help combat identity theft.
    Thank you, Mr. Chairman.

                                  
