[Senate Hearing 110-62]
[From the U.S. Government Publishing Office]


                                                         S. Hrg. 110-62
 
      IDENTITY THEFT: INNOVATIVE SOLUTIONS FOR AN EVOLVING PROBLEM

=======================================================================

                                HEARING

                               before the

                       SUBCOMMITTEE ON TERRORISM,
                    TECHNOLOGY AND HOMELAND SECURITY

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 21, 2007

                               __________

                          Serial No. J-110-22

                               __________

         Printed for the use of the Committee on the Judiciary


                      U.S. GOVERNMENT PRINTING OFFICE
35-797 PDF                    WASHINGTON  :  2007
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government
Printing Office Internet:  bookstore.gpo.gov Phone:  toll free (866)
512-1800; DC area (202) 512-1800 Fax: (202)512-2250 Mail: Stop SSOP,
Washington, DC 20402-0001 

                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
EDWARD M. KENNEDY, Massachusetts     ARLEN SPECTER, Pennsylvania
JOSEPH R. BIDEN, Jr., Delaware       ORRIN G. HATCH, Utah
HERB KOHL, Wisconsin                 CHARLES E. GRASSLEY, Iowa
DIANNE FEINSTEIN, California         JON KYL, Arizona
RUSSELL D. FEINGOLD, Wisconsin       JEFF SESSIONS, Alabama
CHARLES E. SCHUMER, New York         LINDSEY O. GRAHAM, South Carolina
RICHARD J. DURBIN, Illinois          JOHN CORNYN, Texas
BENJAMIN L. CARDIN, Maryland         SAM BROWNBACK, Kansas
SHELDON WHITEHOUSE, Rhode Island     TOM COBURN, Oklahoma
            Bruce A. Cohen, Chief Counsel and Staff Director
      Michael O'Neill, Republican Chief Counsel and Staff Director
                                 ------                                

      Subcommittee on Terrorism, Technology and Homeland Security

                 DIANNE FEINSTEIN, California, Chairman
EDWARD M. KENNEDY, Massachusetts     JON KYL, Arizona
JOSEPH R. BIDEN, Jr., Delaware       ORRIN G. HATCH, Utah
HERB KOHL, Wisconsin                 JEFF SESSIONS, Alabama
CHARLES E. SCHUMER, New York         JOHN CORNYN, Texas
RICHARD J. DURBIN, Illinois          SAM BROWNBACK, Kansas
BENJAMIN L. CARDIN, Maryland         TOM COBURN, Oklahoma
                      Jennifer Duck, Chief Counsel
               Stephen Higgins, Republican Chief Counsel


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Feinstein, Hon. Dianne, a U.S. Senator from the State of 
  California.....................................................     1
Kennedy, Hon. Edward M., a U.S. Senator from the State of 
  Massachusetts, prepared statement..............................    52
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona..........     3
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, 
  prepared statement.............................................    54

                               WITNESSES

Davis, Jim, Associate Vice Chancellor, Information Technology, 
  Chief Information Officer, and Professor of Chemical 
  Engineering, University of California, Los Angeles, Los 
  Angeles, California............................................    15
Hoofnagle, Chris Jay, Senior Staff Attorney, Samuelson Law, 
  Technology & Public Policy Clinic, and Senior Fellow, Berkeley 
  Center for Law and Technology, University of California, 
  Berkeley, Boalt Hall School of Law, Berkeley, California.......    19
McNabb, Joanne, Chief, California Office of Privacy Protection, 
  Sacramento, California.........................................    17
Parnes, Lydia B., Director, Bureau of Consumer Protection, 
  Federal Trade Commission, Washington, D.C......................     7
Tenpas, Ronald J., Associate Deputy Attorney General, Department 
  of Justice, Washington, D.C....................................     5

                       SUBMISSIONS FOR THE RECORD

Davis, Jim, Associate Vice Chancellor, Information Technology, 
  Chief Information Officer, and Professor of Chemical 
  Engineering, University of California, Los Angeles, Los 
  Angeles, California, statement and attachments.................    28
McNabb, Joanne, Chief, California Office of Privacy Protection, 
  Sacramento, California, statement..............................    55
Mulligan, Deirdre K., Clinical Professor of Law; Director, 
  Samuelson Law, Technology & Public Policy Clinic, Faculty 
  Director, Berkeley Center for Law and Technology, Director, 
  Clinical Program, and Chris Jay Hoofnagle, Senior Staff 
  Attorney, Samuelson Law, Technology & Public Policy Clinic, and 
  Senior Fellow, Berkeley Center for Law and Technology, 
  University of California, Berkeley, Boalt Hall School of Law, 
  Berkeley, California, joint statement..........................    62
Parnes, Lydia B., Director, Bureau of Consumer Protection, 
  Federal Trade Commission, Washington, D.C., statement..........    87
Tenpas, Ronald J., Associate Deputy Attorney General, Department 
  of Justice, Washington, D.C., statement........................   102
Watkins, Bill, Chief Executive Officer, Seagate Technology, Inc., 
  Scott's Valley, California, statement..........................   113


      IDENTITY THEFT: INNOVATIVE SOLUTIONS FOR AN EVOLVING PROBLEM

                              ----------                              


                       WEDNESDAY, MARCH 21, 2007

                                       U.S. Senate,
        Subcommittee on Terrorism, Technology and Homeland 
                                                  Security,
                                Committee on the Judiciary,
                                                   Washington, D.C.
    The Subcommittee met, pursuant to notice, at 2:37 p.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Dianne 
Feinstein, Chairman of the Subcommittee, presiding.
    Present: Senators Feinstein and Kyl.

OPENING STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM 
                    THE STATE OF CALIFORNIA

    Chairman Feinstein. This Subcommittee will come to order. 
Senator Kyl and I have participated in this Subcommittee now 
for something like 12 years, I think.
    Senator Kyl. Going on 13.
    Chairman Feinstein. Going on 13, back and forth. He has 
been Chair more than I have, but, of course, I hope to change 
that record. But we have been able to work very well together 
over these many years, and I appreciate that so much.
    Today we are going to talk about identity theft. Identity 
theft is a crime that has many, many victims, and all of them 
innocent consumers that can be victims of a theft when a 
criminal gets hold of sensitive information like a Social 
Security number, a driver's license, then becomes them and 
builds up debt in the consumer's name.
    The victim might not even know about the problem until he 
or she applies for a mortgage or a car loan or a job that 
requires a background check or finds out their credit is really 
shot. Suddenly, that new house, the new car that is needed for 
the daily commute, or even the job opportunity is out of reach.
    It might be less obvious, but businesses are also major 
victims of identity theft. Under recent estimates, the business 
community loses as much as $48 billion a year in fraudulent 
transactions that involve stolen identities.
    And, finally, our economy as a whole suffers from the 
chilling effect of identity theft. People who are worried about 
the security of their personal data will avoid making purchases 
that might put that data at risk.
    Commerce on the Internet is stifled. And when consumers 
have fewer options for online commerce, there is less of the 
competition that fosters innovation and economic success.
    Since the beginning of 2005, which is just a short time 
ago, over 100 million data records containing individuals' most 
sensitive personal financial data, health data, other kinds of 
data, have been exposed due to data breaches. And that works 
out to about one in every three Americans. It could include the 
most personal data of many people in this room, and I will bet 
you do not even know that.
    Some people whose data has been breached do not know they 
are at risk. Some States require notice to affected individuals 
when a breach happens, and others do not.
    I believe it is really important to ensure that people know 
when their data has been exposed. The law actually allows 
people to take steps to protect themselves from identity theft, 
but that is of no use unless somebody knows they are a 
potential victim or have been a victim. So that is why I 
introduced the Notification of Risk to Personal Data Act.
    This legislation would require Federal agencies and 
businesses all across the country to give notice of data 
breaches involving sensitive personal information, unless they 
concluded--and the Secret Service agrees because they have the 
know-how--within 10 days that there is no significant risk of 
harm to the people whose data was breached.
    Today we will talk about why this legislation is needed. We 
will hear from representatives of the Department of Justice and 
the Federal Trade Commission, which are leading an Identity 
Theft Task Force that the President created last year.
    I am very proud that my home State has been a leader in 
this fight, and the Nation's first State agency devoted to 
privacy protection actually opened in California in 2001, and 
the head of that agency is here as a witness today.
    One of the steps that California took was to enact a law 
that requires businesses and Government agencies to send people 
a notice when their sensitive personal information is acquired 
in a data breach.
    Because of that notification requirement, in 2005 Senator 
Kyl and I learned that over 160,000 records with personal data 
were accessed in a data breach at a company called ChoicePoint. 
Now, many consumers never even heard of ChoicePoint in 2005, 
let alone even knew that the company was holding their personal 
data. Yet on that day over 160,000 people were, in fact, put at 
risk.
    More recently, in November of last year, the University of 
California at Los Angeles discovered that a computer hacker had 
accessed the personal records of up to 800,000 faculty, staff, 
students, and applicants. Now, UCLA fortunately did the right 
thing. They sent notices to everyone that was affected, so we 
know it can be done. The University also set up a toll-free 
hotline for the affected individuals to get more information. 
An official from UCLA is here as a witness to describe the 
University's experience and show why it is important to give 
notice of breaches.
    Last year, the Federal Trade Commission received 250,000 
complaints of identity theft. And even though California is a 
longtime leader in the fight against this crime, five of the 
ten cities with the highest number of complaints per capita 
were in California.
    The problem of identity theft is persistent, and it is not 
going to be solved without a strong effort from Congress and 
from all those who investigate and prosecute identity thieves.
    Now, my bill in the last session, Senator Kyl, was included 
as part of the Specter-Leahy bill on identity theft. It did not 
go anywhere. I wanted to break just this data breach part free 
from the bigger bill and get it passed so people could be 
notified.
    This year the bigger bill was introduced with some changes 
that are problematic, and, therefore, it is stalled. So I have 
reintroduced this bill separately with the hope that we could 
at least move this bill so that people whose information was at 
risk could at least be notified. I think it is pretty much 
basic and simple, but hopefully we will be able to move it 
shortly.
    I would like to turn it over to you now for any comment you 
would like to make, and then I will introduce the panels.

  STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF 
                            ARIZONA

    Senator Kyl. Thank you very much. Senator Feinstein, thank 
you for calling this hearing and really for years of hard work 
in helping to lead the effort to deal with identity theft. Much 
of the legislation that Congress has enacted is due to your 
initiative and work that we have done here in this 
Subcommittee. In fact, I had my staff check. We have held eight 
hearings in the last 9 years in this Subcommittee on the 
subject of identity theft and financial privacy and security 
for our citizens, and a lot of the information that has come 
from the hearings has resulted in legislative activity.
    As Senator Feinstein noted, identity theft is one of the 
fastest-growing crimes, not just in America but in the world. 
According to an article in the Baltimore Sun, identity theft-
related crime cost business and individuals--almost the same 
number you had--nearly $50 billion in 2006 and an estimated 8.4 
million Americans were victims of ID theft in 2006, about 1 in 
25 people. If you just stop and think about that, it is a lot, 
especially if you consider that the young and the elderly are 
especially targets for this crime.
    My home State has the dubious distinction of being, and I 
will quote from an FTC report from February 7th of this year, 
``an ID theft hotbed,'' posting more per capita complaints than 
any other State in the year 2006. Last year alone, there were 
8,146 victims of identity theft in Arizona, the fourth 
consecutive year Arizona led the Nation in per capita ID theft.
    I recently met with Todd Davis, who is the CEO of LifeLock, 
which is a company that offers a proactive solution for 
individuals concerned about this problem. For $10 a month, 
LifeLock will set alerts on a customer's credit reports at each 
of the major credit reporting agencies, and once the alerts are 
set, the credit reporting agencies are required to contact a 
customer personally to verify the legitimacy of any credit 
activity that is occurring. These alerts, which the company 
renews periodically, help prevent the unauthorized use of an 
individual's personal information after that person has become 
the victim of identity theft.
    I mention this just to note that the private sector is 
coming up with some innovative solutions as well, which, 
combined with what we are doing here, hopefully can reduce the 
incidence and the significance of the problem.
    According to Arizona Attorney General Terry Goddard, there 
is a high correlation between ID theft and methamphetamine use. 
Meth users typically steal identities in order to feed their 
habits, he says. An October 2006 article in the Washington Post 
also discussed this relationship and said, ``Unlike other drug 
users, those on meth stay up for days and can become absorbed 
in methodical, repetitive tasks, creating a high correlation 
between meth abuse and identity theft crimes.''
    In fact, an investigation by the Tucson Police Department 
and the U.S. Postal Service recently led to the arrest of a 
number of members of an ID theft ring that was mostly made up 
of heavy methamphetamine users.
    Another cause of identity theft in this country is illegal 
immigration. U.S. Immigration and Customs Enforcement agents 
recently arrested nearly 1,300 illegal aliens as part of an 
ongoing investigation into a large identity theft conspiracy. 
The ICE operation, known as Operation Wagon Train, targeted a 
large meat-processing company in six States and uncovered 
illegal workers from eight countries. According to the head of 
ICE, Homeland Security Assistant Secretary Julie Myers--and I 
am quoting--``The use of fraudulent documents by illegal aliens 
seeking employment has been a significant problem. In recent 
years, however, this fraud has evolved into a disturbing new 
trend. Now, instead of obtaining fraudulent documents with 
fraudulent identities, illegal aliens are buying genuine 
documents using identities of unwitting U.S. citizens.''
    Terrorism is another cause of ID theft. In 2002, Dennis 
Lormel, Chief of the FBI's Terrorist Financial Review Group, 
testified before this Subcommittee that identity theft was a 
key catalyst for terrorist groups. Also at that hearing, John 
Pistole, Acting Assistant Director for Counterterrorism at FBI, 
testified that financing of terrorism is facilitated through 
identity theft and that terrorists use identity theft to obtain 
cover employment and access to secure locations.
    So we have a multitude of problems and relationships, all 
nefarious, with this problem of ID theft, and I applaud the 
Chairman for examining further the adequacy of our ID theft 
laws today.
    I want to tell you also in advance that at 3:15 I am 
supposed to go to the floor to offer an amendment, so I hope I 
will be able to at least hear from the first panel, but I might 
miss the second panel. If I do, I apologize, and I will be 
anxious to read the transcript of the hearing later.
    Thank you again, Senator Feinstein.
    Chairman Feinstein. Thank you very much, Senator Kyl.
    I thought your comments were very interesting, and I look 
forward to working with you.
    Let me get on with the first panel. I would like to 
introduce the witnesses. I am going to ask you if you could 
confine your remarks to 5 minutes so we have an opportunity to 
go back and forth.
    Ron Tenpas is the Associate Deputy Attorney General for the 
United States Department of Justice. He was appointed in 
November of 2005. He serves as Executive Director to the 
President's Identity Theft Task Force. His other duties include 
coordinating the work of the President's Corporate Fraud Task 
Force, overseeing initiatives and work relating to health care 
fraud enforcement, and reviewing legislative and policy 
proposals to prevent and punish misconduct by corporate and 
public officials.
    Before his appointment as Associate Deputy Attorney 
General, he served as a U.S. Attorney for the Southern District 
of Illinois--so we know there is life after--and was an 
Assistant U.S. Attorney in the District of Maryland and the 
Middle District of Florida. He was a law clerk to Chief Justice 
William H. Rehnquist. He is a graduate of Michigan State 
University, the University of Virginia Law School, and earned a 
degree from Oxford University as a Rhodes scholar.
    Lydia Parnes is the Director of the Bureau of Consumer 
Protection of the Federal Trade Commission, which is one of the 
FTC's two law enforcement bureaus. The Bureau is the Nation's 
only general jurisdiction consumer protection agency. This 
Bureau enforces a wide range of laws designed to prevent fraud 
and deception in the commercial marketplace, to protect 
consumers' privacy, and to provide consumers with important 
information about the goods and services they purchase.
    Ms. Parnes joined the FTC in 1981 as Attorney Advisor to 
the Chairman. During her career, she has held a number of 
management positions, including Deputy Director of the Bureau 
of Consumer Protection from 1992 to 2004. She received her J.D. 
from the Washington College of Law at American University.
    Welcome, both of you. Mr. Tenpas, if you would begin, that 
would be excellent.

   STATEMENT OF RONALD J. TENPAS, ASSOCIATE DEPUTY ATTORNEY 
        GENERAL, DEPARTMENT OF JUSTICE, WASHINGTON, D.C.

    Mr. Tenpas. Thank you. Good afternoon, Madam Chairman and 
Ranking Member Kyl. I appreciate the opportunity to testify on 
the important issues that are the focus of today's hearing. 
Madam Chairman, we are grateful for the Committee's role in 
addressing the problem of identity theft and appreciate the 
legislative leadership that you personally have demonstrated in 
this area. You were a leader in the adoption of the Aggravated 
Identity Theft Penalty Enhancement Act of 2004, which gave 
Federal prosecutors important new tools in prosecuting this 
crime. We have made extensive use of that statute, and the 
Department of Justice shares your concern and interest in 
finding new ways to address this problem.
    The Department of Justice remains committed to aggressively 
combating the problem of identity theft working in concert with 
our many other Federal agency partners, such as the FTC, that 
play equally important roles. The precise scope of identity 
theft escapes uniform quantification; however, as you noted, it 
is clear that identity theft affects millions of Americans 
every year, cheats Americans of tens of billions of dollars, 
and as a result, demands continued attention across Government, 
in the private sector, and by individual citizens.
    The Department has aggressively sought to address this 
growing problem on parallel tracks. The first is our 
longstanding and continuing role as the leader of national law 
enforcement efforts. Our prosecutors continue to investigate 
and charge criminal identity theft cases every day all across 
the country, and in my written testimony, I have given a number 
of examples that range in scope of the cases that our 
prosecutors have been working on. They do so working closely 
with our agents in the FBI and with other important law 
enforcement partners, such as the Secret Service, the United 
States Postal Inspection Service, the Social Security 
Administration's Inspector General, and State and local 
authorities.
    Our Department brings cases involving identity theft under 
a variety of statutes, including mail and wire fraud, statutes 
criminalizing the misuse of Social Security numbers and of 
credit cards, and statutes relating to postal theft. And as you 
alluded to, because identity theft is so often interwoven with 
other crimes, for example, the methamphetamine problem that you 
alluded to--that is a matter I am personally familiar with 
especially in my time as U.S. Attorney in Southern Illinois. 
Even to concentrate on the fraud statutes probably 
underestimates the work that we do related to identity theft 
because so often we are using other statutes to go after people 
for whom identity theft may be a means to a bigger and even 
more--at least as important crime.
    But let me cite one particular example. We have prosecuted 
more than 700 of America's most serious offenders in the last 2 
years using the new 2-year mandatory minimum penalty that is 
provided for in the Identity Theft Penalty Enhancement Act, 
which I alluded to a moment ago and which this Committee and 
you, Senator Feinstein, led the legislative efforts to create.
    Our second role at the Department has been to work closely 
with our colleagues at the FTC to lead the work of the 
President's Identity Theft Task Force, which the Attorney 
General chairs and the FTC Chairman co-chairs. The task force 
was established in May of 2006 by the President. It is composed 
of 17 different Federal departments and agencies and is charged 
with implementing Federal policy to deter, prevent, detect, 
investigate, proceed against, and prosecute identity theft, 
focusing on three specific approaches: first is increased law 
enforcement actions to prosecute identity thieves and deprive 
them of the benefits of their crimes; second is improved public 
outreach by the Federal Government to the public and private 
sector; and third is increased safeguards within the Federal 
Government to protect the personal data that we in the 
Government hold.
    The task force was specifically charged with producing a 
strategic report with recommendations for the President for 
improving the Federal Government's work related to identity 
theft. The task force is in the final stages of what has been 
an unprecedented Federal effort to examine the identity theft 
problem and to identify comprehensive, multilayered solutions 
to address it. We have convened multi-agency working groups, 
met with representatives of various groups interested in this 
problem, invited formal public comment, and we are now in the 
very final stages and expect the report to be delivered to the 
President in mid-April. We look forward to providing the report 
to this Committee and to the public so that we can work with you 
to address areas of common concern.
    Because this area is so important, the task force released 
a group of seven interim recommendations last September. They 
focus on the following areas: proposed immediate steps that 
Federal agencies can take to improve our own practices as 
repositories of data; urging the Government to sponsor 
workshops to highlight new identification and authentication 
technologies that the marketplace is currently producing so 
that we can promote best practices; and proposing the adoption 
of new criminal provisions designed to help victims get better 
restitution and designed to help victims and law enforcement 
through the creation of universal police reports. All of these 
interim recommendations either have occurred and been executed 
at this point or are in the process of being so or doing so.
    Again, we thank you, Madam Chairman, for your continued 
interest and leadership in addressing this complex and pressing 
issue. We look forward to your questions today, and we look 
forward to working with you and the Committee going forward. 
Thank you.
    [The prepared statement of Mr. Tenpas appears as a 
submission for the record.]
    Chairman Feinstein. Thank you very much. Good work, and I 
thank you for your work.
    Ms. Parnes, please proceed.

  STATEMENT OF LYDIA B. PARNES, DIRECTOR, BUREAU OF CONSUMER 
     PROTECTION, FEDERAL TRADE COMMISSION, WASHINGTON, D.C.

    Ms. Parnes. Thank you. Chairman Feinstein, Ranking Member 
Kyl, I also appreciate the opportunity to testify today about 
identity theft, data security, and the collection, use, and 
disclosure of Social Security numbers. Although the views 
expressed in my written testimony represent those of the 
Commission, my oral presentation and responses to your 
questions are my own and not necessarily those of the 
Commission or an individual Commissioner.
    Chairman Feinstein. We understand the disclaimer.
    [Laughter.]
    Ms. Parnes. Thank you. It is--yes, thank you.
    Identity theft is a pernicious crime that afflicts millions 
of Americans and costs consumers and businesses billions of 
dollars every year. But the damage caused by identity theft, as 
you indicated, transcends these direct costs. It threatens 
consumer confidence in the marketplace, especially in 
electronic commerce, and, Chairman Feinstein, I also thank you 
for your leadership in trying to address the identity theft 
problem by introducing bills on breach notification and misuse 
of Social Security numbers.
    There are many causes of identity theft, but I would like 
to focus today on two of them: the failure to safeguard 
consumer-sensitive information and the availability and value 
of Social Security number to identity thieves.
    Although not all data breaches result in identity theft, 
some do. And for that reason it is critical that those who 
maintain sensitive consumer information adequately protect it. 
The Commission has been vigorous both in educating businesses 
about data security and in enforcing the existing Federal data 
security laws. We have business education materials on ensuring 
computer security, complying with the GLB Safeguard Rules, and 
responding to a data breach. And just this month, we issued a 
new guide for businesses providing comprehensive advice on 
developing and implementing reasonable data security 
procedures.
    On the law enforcement front, the Commission has since 2001 
brought 14 cases challenging inadequate data security 
practices. These cases have certain common elements. In each, 
the company's security vulnerabilities were multiple and 
serious. The company did not take advantage of readily 
available and often inexpensive measures to avoid or correct 
these vulnerabilities. Together, these cases stand for the 
proposition that companies must maintain reasonable and 
appropriate procedures to protect sensitive consumer data.
    We also must do more to keep Social Security numbers out of 
the hands of identity thieves, and we must do what we can to 
reduce the value of Social Security numbers to thieves who are 
able to procure them. Reducing the unnecessary collection, use, 
and disclosure of Social Security numbers is a good first step, 
and the Federal Government has already begun this effort. The 
Identity Theft Task Force issued interim recommendations in 
September. One of these recommendations was that the Federal 
Government review its policies for collecting and using Social 
Security numbers. The Office of Personnel Management is 
finalizing its review of the use of Social Security numbers in 
its collection of human resource data from agencies, with the 
goal of eliminating unnecessary use.
    It is still important to remember, though, that the Social 
Security number, which is widely used to match individuals to 
information about them, serves important and beneficial 
functions in our economy. Excessive restrictions could harm 
such important purposes as public health, criminal law 
enforcement, and anti-fraud and anti-terrorism efforts.
    Yet even with better security and appropriate restrictions 
on the unnecessary use of Social Security numbers, some 
sensitive information inevitably will find its way to identity 
thieves. For that reason, making it more difficult for 
criminals to use the information to steal an identity is an 
essential part of the solution.
    Too often, criminals with a stolen name, address, and 
Social Security number are able to open accounts in the 
victim's name. We should do what we can to improve 
authentication of identities. Next month, the Commission will 
host a workshop on this subject designed to facilitate the 
development of improved means of authentication.
    Finally, empowering consumers by educating them on identity 
theft is another important tool at our disposal. The Commission 
has been a leader in this endeavor. To date, we have 
distributed more than 22 million publications on identity 
theft. Our nationwide identity theft education program, 
entitled ``Avoid ID Theft: Deter, Detect, Defend,'' was 
launched last year. It includes direct-to-consumer brochures, 
as well as ready-made kits for organizations to use in training 
employees or constituencies, complete with presentation slides 
and a video. Our multimedia website, OnGuard Online, educates 
consumers about basic computer security. And the Commission 
maintains a hotline and online complaint form through which we 
receive between 15,000 to 20,000 contacts each week from 
identity theft victims and those who hope to avoid becoming 
victims.
    Identity theft is one of the most important consumer 
protection issues of our time. The Commission will continue to 
place a high priority on preventing this crime and helping 
victims recover from it. We look forward to continuing our work 
with you in this effort, and I would be happy to take any 
questions.
    [The prepared statement of Ms. Parnes appears as a 
submission for the record.]
    Chairman Feinstein. Thank you very much for the testimony. 
I am going to ask Senator Kyl to go first since he has to be on 
the floor. Senator?
    Senator Kyl. I really appreciate that. Thank you very much.
    First, probably to Mr. Tenpas, but either one of you are 
welcome to respond, according to the Identity Theft Resource 
Center, a national nonprofit organization based in San Diego, 
about 30 percent of identity theft victims have had fraudulent 
accounts opened in their names after placing a fraud alert. 
What is the penalty or consequence for a company that extends 
credit despite knowing of the existence of the fraud alert? And 
would a consumer have a private right of action against such a 
business?
    Chairman Feinstein. Good question.
    Mr. Tenpas. We have been working very closely together. Can 
we confer for a moment about who is better to take that?
    Senator Kyl. Sure.
    [Laughter.]
    Senator Kyl. And, incidentally, I am not trying to play 
``Stump the Witness'' here. If you get any ideas that you would 
like to present to us later, that would be fine, too.
    Mr. Tenpas. We have been pretty closely joined at the 
shoulder over the last 10 months, so if you will give us a 
moment.
    Ms. Parnes. Yes, I can--
    Mr. Tenpas. I will defer to my learned colleague.
    Senator Kyl. OK, good.
    Ms. Parnes. The 30-percent figure is a familiar one. Most 
of the surveys that have been conducted indicate that about 30 
percent of the victims have been the subject of what is called 
``new account fraud.'' But what I actually have not heard is 
that these have been accounts that have been opened after 
alerts have been placed. That is actually new information, and 
I would like to go back and look at that, if I may.
    Senator Kyl. Sure. I will provide you the--this comes from 
the Identity Theft Resource Center, a January 2007 article. I 
can give you the citation for it. So maybe what you could do is 
take a look at that and then get back with any information that 
you can.
    Ms. Parnes. OK. Thank you.
    Senator Kyl. Thanks. And this is kind of a followup. 
Various companies--and I mentioned one--offer services that--
well, actually, this is a different point, but offer services 
that provide addresses, criminal, civil, and professional 
history as well as a list of assets and bank account numbers. 
You are familiar with these.
    Also available are Social Security numbers, current phone 
numbers, names and phone numbers of neighbors and family member 
names.
    What protection is needed so that credit bureaus and 
information agencies are prohibited from selling such personal 
information?
    Ms. Parnes. Well, I certainly think that the restrictions 
on Social Security numbers that are included in this bill are a 
start in limiting the sale and disclosure of Social Security 
numbers.
    Senator Kyl. Have the credit bureaus been working closely 
with FTC to address these kinds of problems?
    Ms. Parnes. We work very closely with the credit bureaus. 
Yes, we do.
    Senator Kyl. I think that is important. The President's ID 
Theft Task Force is something else that has at least been in 
existence. Do you know what type of input the task force has 
sought from different consumer groups and private sector 
groups? It seems pretty heavily Federal Government oriented.
    Ms. Parnes. Well, the task force--we have spent a good deal 
of time talking among the 18 agencies that are members of the 
task force. But we also had a period of time when there was 
public input that was sought. Notice was given, and we 
received--
    Mr. Tenpas. We had about a 2-month public comment period. 
We set that public comment period once the task force had begun 
its work, and rather than simply inviting general comment--you 
know, ``Tell us what you think about identity theft''--we tried 
to identify eight or nine broad areas where we thought a lot of 
the task force work was being focused.
    A set of the questions essentially invited comments in the 
area you have described about what, if anything, remains to be 
done in terms of establishing regimes for businesses about 
protecting data, providing notification, and uses of that data. 
And I think within the task force there has also been a 
recognition that, as Lydia referred to, there are important 
legitimate uses of Social Security numbers, and one of the 
things that is important to do is make sure we have a good 
grasp of the legitimate--all of the ways in which Social 
Security numbers and other sensitive data are being used and 
shared, so that you can then parse out which ones really 
benefit consumers, which ones potentially make businesses 
better able to meet consumer needs, and which of those are sort 
of historic curiosities that grew up because, for example, a 
Social Security number was the easiest identifier at the time 
but where we have now got better ways to go about that.
    Senator Kyl. A very good way of distinguishing these 
different uses. Just to mention a final point, we are in very 
detailed discussions with members of the Department of Homeland 
Security and the Department of Commerce, and they have in turn 
got conversations going with the Social Security Administration 
and others about the Social Security number data base as it 
relates to enforcement of the immigration laws and potentially 
a new employee verification system that could be put in place 
as part of a comprehensive immigration reform. Clearly, we are 
going to have to have another whole conversation about that, 
and you all will be important in that.
    Senator Feinstein, I am sorry. I will have to go.
    Chairman Feinstein. I am sorry, too.
    Senator Kyl. But thank you for allowing me to go forward 
here, and I appreciate it very, very much.
    Chairman Feinstein. If you can come back, please do. Thank 
you.
    For either one of you, let me ask this question: Any data 
breach notification statute has to strike the right balance, 
and this is more difficult than people might think. If notices 
are sent even when a breach poses no risk of harm, consumers 
tune it out. Yet if notices are only sent when there is a high 
likelihood of harm, notices will not be sent often enough 
because in many cases it will be hard to predict whether the 
data will be used for identity theft.
    The data breach bill that we have introduced requires that 
notice of a data breach be given unless the breached entity 
conducts a risk assessment and concludes that there is no 
significant risk of harm to the affected individuals. So the 
burden is put on the entity that makes the money by selling 
this information.
    The entity that suffered the breach is also required to 
send that assessment to the Secret Service, which can overrule 
the assessment and require notice to be sent to the affected 
individuals.
    Do you believe that it is appropriate to require notice 
unless there is no significant risk of harm?
    Mr. Tenpas. I think the general approach that you have 
described is one that actually is already reflected in some of 
the task force's own work. One of the things that occurred as 
part of the interim recommendations that I alluded to was that 
the task force prepared guidance for Federal agencies to serve 
as, you know, something of a playbook for a Federal agency if 
it had an incident where sensitive information may have been 
compromised. And one of the things that that guidance 
recommends is to conduct an analysis of the kind you have 
described, not to sort of jump to the conclusion that every 
time information may have been--``compromised'' may not be 
quite the right word--but some way there is some level of loss 
of control of it, you do not immediately jump to notification 
because, as you say, I think there is a very substantial 
concern that consumers will grow immune to notices and not be 
able to distinguish really important ones from less important 
ones.
    So I would say I think generally the approach you have 
outlined is one that the task force has already thought about 
and is one that we have sort of embraced for the Federal 
Government itself.
    Chairman Feinstein. I really appreciate that because this 
has been difficult, as you probably know, to work out. But in 
retrospect, as I look back on it, it seems to make the best 
sense as a way to do it.
    Mr. Tenpas. Senator, could I make one other just very small 
point on that?
    Chairman Feinstein. Sure.
    Mr. Tenpas. I think there are a couple of other things that 
are reflected in that that are useful. One is the notion of a 
notification to law enforcement so that they are able to 
involve themselves in a timely way in trying to figure out what 
the potential criminal opportunities might be from a particular 
incident. I think from a Department of Justice angle, we would 
also just note that the FBI is a very important investigative 
agency in parallel with the Secret Service, and so we think it 
would be useful for there to be some recognition of that in 
terms of any kind of notification or law enforcement kind of 
vetting.
    Chairman Feinstein. I would be open to any suggestion you 
might make. We chose the Secret Service because they apparently 
have the know-how to do this and can do it. But if you have a 
recommendation, I would sure welcome it.
    Mr. Tenpas. OK. Thank you.
    Chairman Feinstein. We want to make this as good as we 
possibly can.
    Mr. Tenpas. And the Secret Service does have tremendous 
expertise. That is not meant, you know, in any way to suggest 
they do not. But this is an area where a number of agencies all 
play important roles. Some have closer ties to one industry 
sector than another, and so I think we just want to be sure 
that anything we do here, we capitalize on the collective 
talents and abilities of all those agencies.
    Chairman Feinstein. I think one of the things that I have 
been interested in is, for example, I did not know that every 
time I buy something out of a catalogue or use my credit card 
or virtually do anything, it all goes into a big data grist 
mill, and the information is all compiled, and companies sell 
this information to other people. And almost nothing is private 
anymore.
    All your financial information is easily available and can 
be used. If somebody gets your driver's license and your Social 
Security number, they can go to this financial information and 
rip off people to the tune of hundreds of thousands of dollars.
    Do you have any other suggestions, either one of you, as to 
what we might do in this? Now, I know that L.A. County has set 
up an identity theft unit to service people who have had these 
problems. But it is very hard. I have talked to people where it 
has taken 18 months to recover your identity, and during that 
period of time, you were almost a non-entity. You have no 
credit. You cannot do this or that.
    See, I think that if you are going to sell somebody's 
personal data, you ought to have their permission. And that is 
the old opt-in/opt-out argument, and business resists it.
    That is the only answer I know.
    Ms. Parnes. I think, you know, a couple of things. The risk 
of lost or stolen information in our experience at the 
Commission, you know, goes beyond the situation that you were 
describing where your data is compiled, your personal financial 
information is compiled somewhere, and that it can be sold 
among entities. But what we have seen is the risk that exists 
when retailers are holding information. I mean, many of the 
cases that the Commission has brought involved data breaches at 
retailers--retailers that held information, credit card account 
information.
    Chairman Feinstein. Give an example of that, would you?
    Ms. Parnes. Well, you know, one example is the case--well, 
certainly one example was the ChoicePoint case that you 
mentioned. But another one was a case we brought involving BJ's 
Warehouse, a store, and they held information--they held credit 
card information when consumers paid for that information, and 
they were--that information was hacked by someone who was able 
to get into the system through the store scanners. It was a 
vulnerability in their system. So someone was able to get into 
their system and get all of this credit card account 
information.
    Now, a couple of problems there. First of all, retailers 
have no need to hold that account information for a 
particularly long period of time, and some do, and that is a 
problem.
    Chairman Feinstein. I think a lot do.
    Ms. Parnes. Yes.
    Chairman Feinstein. The question is: What do we do about 
that?
    Ms. Parnes. Well, you know, one of the things that we have 
been trying to do in our cases is highlight what the problems 
are and get out then consumer--excuse me, business education 
material really alerting the business sector what are the do's 
and don'ts in terms of data security. And the recent brochure 
that we released earlier this month I really think is an 
excellent example. We talk about tossing information. Don't 
keep it if you don't need it. Really look at what you need.
    Chairman Feinstein. Well, let me give you an example. I 
went into a store here not long ago, and the individual that 
waited on me--they knew I was coming in--knew everything I had 
bought on the other side of the country. I was sort of 
staggered by that.
    So I say to everybody out there, there are no secrets 
anymore. Everything is an open book, and I really have some 
concerns. I do not know what I think of that in terms of 
privacy being so violated all the time.
    Mr. Tenpas. Senator, could I add just one or two 
observations on that as well? I think we share that concern. 
One of the aspects of this problem that is, I think, so 
difficult to wrestle with is that same phenomenon that you 
describe of sort of the information being everywhere, also in 
certain cases presents opportunities to help consumers.
    As an example, one of the things we have been looking at in 
connection with the task force is thinking about, you know, in 
those unfortunate cases where a Government agency has an 
incident and some information is lost, how you respond to that. 
And one of the things that has happened during the life of that 
is a number of business enterprises have stepped forward to 
point out that they believe they have technologies or systems 
that, sort of capitalizing on the fact that a lot of 
information is out there, allows them to track whether a 
particular data breach is leading to identity theft.
    Chairman Feinstein. Right.
    Mr. Tenpas. So, you know, this is a sort of short layman's 
summary of it, but if 10,000 names or records were kind of 
lost, there are businesses now that believe they can, if you 
give that information to them, essentially go out and monitor 
what is going on in the world in terms of new accounts being 
opened, purchase activity, and detect unusual surges that would 
suggest that the information that has been compromised is 
actually being used for identity theft, because, obviously, the 
compromise is not the same as a person taking it up and 
misusing it.
    And so one of the really hard problems here is the things 
that create risk for us also create some opportunities to help 
consumers. And so getting the balance right is a difficult one.
    Chairman Feinstein. Let me ask you for your advice. Do you 
think we should pass legislation that would require Federal 
agencies to give notice of a data breach?
    Mr. Tenpas. I think our sense on that is that you should 
give us some chance, through the task force and other places, 
to get policies in place. I think one of the concerns about 
sort of legislating in this area is it is changing so quickly.
    Chairman Feinstein. Yes.
    Mr. Tenpas. For example, the ability that I described to 
you was not one that certainly I was aware of and I do not 
think was well developed even perhaps 2 years ago. And so I 
think what we want to really be encouraging in the Federal 
Government is for our agencies to be adopting the best possible 
practices available at any moment. And what those are today, 
you know, I am not a big gambler, but I would be willing to bet 
that whatever those are today, 2 years or 3 years from now we 
are going to think there is something even better and smarter 
that you can do. And sort of allowing us--
    Chairman Feinstein. That is a pretty good non-answer.
    Mr. Tenpas. Well, I think it is--
    Chairman Feinstein. I take it the answer is no, you do not 
think we should.
    Mr. Tenpas. I think we would like some time--
    Chairman Feinstein. OK. Fair enough.
    Mr. Tenpas.--to sort of try to manage our affairs and see 
if we can come up with ways to be responsive.
    Chairman Feinstein. Fair enough. That is why we tried to 
keep this bill simple, just data breach notification, and at 
least get that first step of protection out for the consumer. I 
just hope we can pass the bill. Anything both of you can do to 
be supportive would really be appreciated. I would like to get 
it passed as soon as possible, as a stand-alone bill if we have 
to, at least so there are some specifics out there with respect 
to notification in the event of a data breach, instead of 
having different States doing a different thing.
    Mr. Tenpas. Right.
    Chairman Feinstein. So let me just thank you for your 
testimony. Unless you have another comment you would like to 
make, we will move on to the next panel. You have been very 
generous, and we appreciate it.
    Ms. Parnes. Thank you.
    Mr. Tenpas. Thank you very much, Senator.
    Chairman Feinstein. Thank you.
    All right. This should be a very interesting panel, and I 
will introduce the individuals. In particular, Mr. Davis, let 
me thank you for coming such a long distance to be here today. 
I will begin by introducing you.
    James Davis is the Associate Vice Chancellor, Information 
Technology, and Chief Information Officer of UCLA. Mr. Davis 
will describe the data breach that UCLA discovered in November 
of 2006. He is a professor in the Department of Chemical and 
Biomolecular Engineering at UCLA. In his Associate Vice 
Chancellor position, he has broad responsibility for 
University-wide technology planning and implementation 
oversight. That means he is the point man there. He both 
facilitates and coordinates the campus IT planning, policy 
setting, prioritization, and decisionmaking processes, and is 
responsible for the strategic deployment of academic and 
administrative operations, services, and resources in support 
of the University, which is a big University, and its central 
and distributed technology requirements. He is responsible for 
UCLA's Office of Information Technology and coordinating IT 
deployment.
    Joanne McNabb is the Chief of the California Office of 
Privacy Protection that was created by legislation and opened 
in 2001. It is the first in the Nation, and it is a resource 
and advocate in identity theft and privacy issues. Mrs. McNabb 
is a certified information privacy professional, is co-chair of 
the International Association of Privacy Professionals' 
Government Working Group. She also serves on the Privacy 
Advisory Committee of the United States Department of Homeland 
Security. Before starting the Office of Privacy Protection, she 
had 20 years' experience in public affairs and marketing, in 
both the public and private sectors. She attended Occidental 
and holds a master's degree, of all things, in medieval 
literature from the University of California at Davis.
    Chris Jay Hoofnagle is the Senior Staff Attorney, Samuelson 
Law, Technology & Public Policy Clinic. He is a senior fellow 
at the Berkeley Center for Law and Technology, the School of 
Law, Boalt Hall, University of California. He previously served 
as director of the West Coast office and senior counsel at the 
Electronic Privacy Information Center. He is the author of many 
scholarly articles on identity theft and privacy protection and 
has served as a witness and commentator on privacy issues in 
Congressional Committees, State legislative bodies, and major 
media.
    Thank you, all of you, for being here. You have all come a 
distance, and we really appreciate that on this first day of 
spring. So let's begin with you, Mr. Davis.

STATEMENT OF JIM DAVIS, ASSOCIATE VICE CHANCELLOR, INFORMATION 
    TECHNOLOGY, CHIEF INFORMATION OFFICER, AND PROFESSOR OF 
 CHEMICAL ENGINEERING, UNIVERSITY OF CALIFORNIA, LOS ANGELES, 
                    LOS ANGELES, CALIFORNIA

    Mr. Davis. Thank you, Madam Chair. Obviously, I am here 
because UCLA, as noted, was the recent victim of a large data 
base security breach and reached the decision to notify more 
than 800,000 people that their Social Security numbers were or 
might have been illegally accessed. The scale and complexity of 
the situation served to amplify a number of difficult questions 
during deliberations, the intersections of competing goals, and 
the important elements of notification. So my objective today 
is to share some of our key experiences in light of the 
California law that I believe bear on the proposed legislation.
    I would like to start by saying we were thankful that we 
had a well-established incident response policy, process, and 
protocol in advance of the breach. Given the complex technical 
environment, the forensics picture evolved over multiple weeks, 
rapidly changing our understanding of the nature and 
sophistication of the attack, and dramatically affecting the 
number of potentially affected individuals.
    By UCLA policy, the final decision to notify rests with me 
as the Chief Information Officer. I convened what I considered 
to be the most objective, independent panel to help reach a 
final decision. The panel included the director of IT security, 
the director of IT policy, the campus network architect, legal 
counsel, and the University of California director of IT 
policy, as well as the director responsible for the particular 
data base.
    We needed to meet repeatedly, and our deliberations 
involved systematically reviewing the technical evidence, the 
projected approach of the hacker, and the intent of the attack. 
These were reviewed against the notification criteria from 
integrated technical, policy, and legal viewpoints. And I want 
to stress that the ability to analyze the situation from these 
viewpoints simultaneously was critical.
    A key lesson involved also was the tension in maintaining 
confidentiality while the investigation was in progress. We 
were keenly aware that the information going out prematurely or 
inappropriately could expose our systems to further harm or 
adversely impact notification. At the same time, we wanted to 
share information, especially technical information, quickly 
with others who could benefit. Ultimately, we were able to 
conclude with confidence that a very small percentage of the 
800,000 individuals in our data base required notification 
under California law. There was not conclusive evidence, 
however, of access for the rest. Therefore, the more difficult 
decision became whether to notify the rest of the individuals, 
the vast majority, when we knew doing so would have a large 
impact on them and on the campus.
    We used additional criteria--duration of exposure and the 
targeted nature of the attack--to help think through the 
situations where technical proofs were inconclusive. These are 
criteria articulated as guidelines by the University of 
California and drawn from Joanne's office.
    There was also a larger philosophical question about UCLA's 
position. Individual privacy is an institutional value highly 
regarded by the University of California and deeply embedded in 
our policies. There was early on a consensus that ensuring 
people are in the best possible position to protect their 
information indeed supported this value. Providing broader 
notification than was strictly required legally was part of 
this position.
    At the point of notification, it was critical to have the 
call center and website fully ready to go. We had 12,000 calls 
the first day. At its peak the call center operation included 
1,600 non-dedicated operators at 26 locations, handling as many 
as 1,000 calls per hour. Our website averaged 15,000 daily 
visitors during the first week of notification. We want to 
stress the importance of solid information, especially the 
ability to confirm a name in the data base and the specifics on 
how to protect oneself from identity theft. We were continually 
updating information in response to questions and reactions.
    We identified three groups of callers. The largest group 
felt violated and anxious and wanted the connection with a live 
person for answers and empathy. A much smaller group just 
wanted information. And about 2 percent of the callers were 
sufficiently angered or distraught that they demanded to speak 
with a higher-level UCLA official. Defining the escalation 
process was key to handling this last group of callers and 
essential to a successful notification process.
    Our experience left no doubt that notification 
effectiveness was determined by the ability to reach someone 
knowledgeable and/or to quickly find useful information for 
taking action; designs to minimize busy signals and voice 
messages, providing up-to-date information, and ensuring 
sympathetic operators were also very important. In terms of 
actual notification, all channels were important: e-mail and 
the media for the fastest way to reach individuals, and U.S. 
Mail for the more personalized notice.
    The enactment of the 2003 California law has empowered 
individuals to protect themselves against identity theft, and 
we want to also note it caused the University of California to 
accelerate and intensify institutional efforts to protect data. 
The fundamental belief is that the best protection, however, is 
not to have the protected data at all. Since 2003, UCLA has put 
significant effort into reducing the retention of Social 
Security numbers for all internal business practices. The same 
is true for the other UC campuses.
    In light of the breach, we have examined why we keep Social 
Security numbers institutionally, and we find it is because we 
must provide them to external organizations, such as the 
Internal Revenue Service and the National Student 
Clearinghouse. Though we continue to eliminate the unnecessary 
internal use of Social Security numbers, we see a threshold 
beyond which we will no longer be able to do so without 
reduction in the requirements from the external organizations. 
As the FTC's recent recommended practices and guidelines 
indicate, an incident response protocol is obligatory, no 
matter how well one protects data. However, incident response 
is the last step. We believe that an effective partner to the 
incident response and notification would be a reduction in 
these external requirements.
    Thank you very much for the opportunity to share these 
experiences.
    [The prepared statement of Mr. Davis appears as a 
submission for the record.]
    Chairman Feinstein. All 800,000 were notified?
    Mr. Davis. All 800,000 were notified.
    Chairman Feinstein. Thank you. Joanne, welcome.

STATEMENT OF JOANNE MCNABB, CHIEF, CALIFORNIA OFFICE OF PRIVACY 
               PROTECTION, SACRAMENTO, CALIFORNIA

    Ms. McNabb. Thank you very much. Thank you, Chairman 
Feinstein. I am very happy to be here. As you mentioned, the 
California Office of Privacy Protection is an education and 
advocacy office; that is, we do not enforce any of California's 
privacy laws. Our mission is, rather, to identify consumer 
privacy problems and to encourage fair information practices.
    We have four main functions: We assist consumers, and 
others, who call our hotline or e-mail us. We provide a lot of 
educational and informational tools, documents, a lot of 
workshops. For example, this year we are doing a series of 
victim assistance training programs for community-based 
organizations to help us reach groups that we do not routinely 
come across. We work with law enforcement, particularly on 
identity theft, and also on security incidents. We are just 
about to release a training manual for law enforcement on 
investigating and prosecuting identity theft. And, finally, we 
make best-practice recommendations to organizations on how to 
handle personal information in ways that reduce the exposure to 
identity theft for the people whose personal information is 
involved. One of our sets of recommended practices is related 
to breach notification, and we issued that one in 2003.
    Identity theft has been a major focus of the office from 
the beginning. In fact, about 60 percent of the calls that we 
get are about identity theft. Fortunately, only about 8 percent 
are from victims. The rest are from people who perhaps got a 
breach notice or saw a television ad or a news story that made 
them concerned about identity theft.
    California, as you mentioned, has indeed been a leader in 
privacy protection, and many of the more than 80 significant 
privacy laws introduced--enacted, actually, since 1999 have 
been imitated by other States and are receiving some 
consideration here in Washington. I want to just highlight 
three briefly, all of which were inspired by concerns about 
identity theft.
    The first one is a law relating to Social Security number 
confidentiality, which took effect in 2003, and which 
prohibits the public posting or display of Social Security 
numbers. It is because of that law that I no longer have my 
Social Security number on my Blue Shield card, nor do the other 
members of my family who used to have my Social Security number 
on their Blue Shield cards. Similarly, it is no longer on 
student ID cards, and every professor no longer has to receive 
the Social Security number of every student in his or her 
class. So that cut at dealing with Social Security numbers is 
aimed at removing them from public view, to some extent.
    The second law that I think has had a significant impact on 
identity theft is the security freeze law which allows 
individuals to have control over who gets access to their 
credit files, which are full of sensitive personal information, 
including Social Security numbers. This law has been in effect 
since 2002 and gives consumers the most effective tool 
available to them to protect themselves against new account 
identity theft, which, as Ms. Parnes mentioned, is one of the 
most difficult kinds to recover from.
    And then, finally, we come to the best known California 
privacy law, the breach notice law, which was indeed inspired 
by a concern about identity theft. A look at the legislative 
history reveals that it was described as a means of 
giving consumers sort of early warning so that they could take 
defensive action because their information was exposed in a way 
that put them at risk of identity theft. That was the way they 
talked about it as they were passing it.
    I think, however, the real impact of the law has been the 
extent to which it has served as a stimulus to organizations to 
improve their practices for handling personal information, and 
that has been the biggest impact. One way to look at it is 
that the notification process, the requirement to notify, 
revealed the cost of insecurity. Before that it just seemed 
like information security was just a cost that did not have any 
benefit. Well, now there is a cost to not securing information, 
so we can look at spending some money to protect it.
    I want to mention a couple of examples that we have learned 
of about the way in which organizations have changed their 
practices because of the breach notification requirement, and 
UCLA is an excellent example. It was not only a very good 
response on so many levels, being genuinely helpful, using 
multiple communications channels, offering people information 
about the security freeze, which is much more effective to 
protect them than credit monitoring and using the call centers 
so effectively, but principally, I want to commend their 
dedication to looking for ways to reduce the presence of Social 
Security numbers even further than they already have.
    We have seen similar actions in a couple of other 
organizations, which I do not think I will go into right now.
    So I would like to, in closing, quote another UCLA 
professor, Phil Agre, who says that personal information is 
like toxic waste, it takes skill and training to manage it, and 
to suggest that sometimes the best way to manage it is to 
detoxify the waste stream.
    Thank you.
    [The prepared statement of Ms. McNabb appears as a 
submission for the record.]
    Chairman Feinstein. Thank you very much, Ms. McNabb.
    Mr. Hoofnagle?

   STATEMENT OF CHRIS JAY HOOFNAGLE, SENIOR STAFF ATTORNEY, 
 SAMUELSON LAW, TECHNOLOGY & PUBLIC POLICY CLINIC, AND SENIOR 
 FELLOW, BERKELEY CENTER FOR LAW AND TECHNOLOGY, UNIVERSITY OF 
   CALIFORNIA, BERKELEY, BOALT HALL SCHOOL OF LAW, BERKELEY, 
                           CALIFORNIA

    Mr. Hoofnagle. Thank you, Madam Chair. Let me say that it 
is very nice to see you so well ensconced in that chair and in 
possession of the gavel.
    Chairman Feinstein. Thank you.
    Mr. Hoofnagle. Thank you for inviting me to this hearing. 
Let me mention two procedural issues. My written testimony is 
joined by Professor Deirdre Mulligan. It is not well known that 
Professor Mulligan at the University of California was one of 
the architects of security breach notification law in 
California. She provided a theoretical basis for it and helped 
then-Assemblyman Joseph Simitian introduce AB 700, which 
eventually was passed as Senate bill 1386. So we have a deep 
history in working on security breach notification at the law 
school at Berkeley.
    The second issue I wanted to mention is that our work is 
supported by the National Science Foundation, and we continue 
to be dependent on public funding for research, and it is a 
very important issue to us.
    With that, I just have a short amount of time today, so let 
me mention four of the recommendations we make in our written 
testimony. We actually make six all together.
    Our first recommendation is that Congress should consider 
the broad beneficial effects of security breach notification. 
These laws do not just shield individuals from identity theft. 
They perform a lot of other functions. And perhaps the best way 
to illustrate this is to visit environmental laws for a moment.
    Professor Mulligan borrowed the idea for security breach 
notification from environmental right-to-know laws, laws that 
required registration of dangerous chemicals and then public 
reporting once those dangerous chemicals were released. 
Security breach notification laws perform many of the same 
functions as these environmental right-to-know laws. They 
address a form of information pollution, if you will, just as 
Joanne alluded to in Phil Agre's comment. So not only do they 
warn individuals of risk, they do other things. Breach 
notification has caused a serious increase in investment in 
security. Prior to the passage of these laws, companies could 
simply not disclose security breaches and let consumers bear 
the costs of identity theft and other harms. But now those 
costs are internalized, and businesses have to do more to 
protect data.
    Second, one of the best aspects of security breach 
notification laws is that they are so-called lightweight 
regulatory mechanisms, meaning that the Government does not 
dictate how an entity should protect information. They simply 
say, ``agency or business, you figure out how to protect 
security and privacy, but if it does not work, you have to tell 
the public.'' And that is a major benefit of these laws.
    Third, just as environmental right-to-know laws reduced 
inventories of toxic chemicals, one of the things we are seeing 
is that security breach notification is reducing reliance on 
sensitive personal information. Now, as Jim noted in his 
testimony, entities cannot always get rid of all sensitive 
information. Sometimes it is external entities that are 
requiring them to hold Social Security numbers and other 
information. However, these laws are encouraging businesses to 
go through the process of determining whether or not they 
actually need Social Security numbers and removing them from 
their data bases if they can.
    Finally, security breach notification laws are very 
valuable in that they provide benchmarks for performance. One 
of the problems in investing in security is there are not good 
metrics to show that security is worthwhile, and having a 
security breach is a metric. It is a benchmark that can be 
looked at and can cause re-evaluation and greater security.
    Our second recommendation is that the Committee require 
standardized, central, and public reporting of breaches, just 
like environmental right-to-know laws. In the appendix to our 
written testimony today, we have a standardized form from the 
State of New York which the State requires when you have a 
security breach. That form sets forth basic information about 
the breach, how many people are affected, when notice is going 
to be given, et cetera. And those forms are essential for the 
public to learn more about breaches, for security researchers 
to learn about other incidences and whatnot. We really think it 
is essential that some type of public reporting be included in 
your bill.
    And then, finally, as I am running out of time here, let me 
just mention that just as security breach notification has 
given us more information about security lapses, if we had 
reporting on identity theft incidences, that is, if lending 
institutions were required to publicly report about how often 
they experience identity theft and the vectors of the crime--
that is, the types of products that are taken advantage of by 
criminals--I think we would get a clearer picture of the 
identity theft problem. And consumers could actually decide 
which bank to use based on the bank's rates of identity theft, 
and we could actually have competition.
    And with that, allow me to thank you again, Madam Chair, 
for holding this hearing.
    [The prepared statement of Mr. Hoofnagle appears as a 
submission for the record.]
    Chairman Feinstein. Thank you.
    Now, let me ask each of you a few questions, if I might. 
Let me begin with Mr. Davis.
    Mr. Davis, would a standard that requires notification of a 
breach, unless there is no significant risk of harm, be a 
useful and meaningful standard for entities that are deciding 
how to respond to a breach?
    Mr. Davis. I need to give you a mixed answer. In our 
particular case, the forensics were very complicated, and as I 
mentioned in the testimony, we had the vast majority of the 
people, you know, who were faced with the decision about 
whether to do this. So the really hard question was this risk 
analysis that you are speaking to.
    And so there is the question of how can one put the 
criteria together and in such a way that this risk analysis can 
be done in a uniform and a good way. So I raise that question. 
The principle of it makes good sense to us. How to do it in 
practice is the question I am raising.
    Chairman Feinstein. Well, this would depend upon the nature 
of the breach and the data, it would seem to me. Perhaps I am 
all wet, but can you come up with a better standard? This is 
where we get into, you know, dicey water because this is not 
something that has not been well considered and kind of vetted 
with various groups. And it is really the best we have been 
able to come up with.
    Perhaps, Ms. McNabb, would you like to get involved in this 
part of it?
    Ms. McNabb. I can speak to the issue, not any specific 
legislative proposal. I think that, in fact, Jim's discussion 
of the deliberative process they went through is very 
illustrative. In California, State agencies are subject to 
notification, so I have been involved in some deliberations 
similar to that in California, and--
    Chairman Feinstein. But we are talking about writing laws 
for everybody.
    Ms. McNabb. Exactly. I know, so I just want to say that how 
you conduct the risk analysis can be very tricky. Finally, you 
may find yourself--
    Chairman Feinstein. But that is up to the company or the 
university or--
    Ms. McNabb. You may find yourself in a position of trying 
to prove--establish a negative. His case was one example. Some 
other ones I can think of are where what the forensic evidence 
shows is that the apparent purpose of a hacking, let's say, was 
to store pirated music and there was no indication that data 
that was also on that server was touched, but there was no 
indication that it wasn't touched. So then you don't have 
forensic facts that tell you, yes, that data was accessed or 
acquired or, no, it was not. So then you have to go to a next 
level that is not part of risk--well, maybe it is part of risk 
analysis, but it is part of what are our values and principles 
and do we believe in an abundance of caution or not.
    Chairman Feinstein. What we do, by the way this is worded, 
is leave it up to the entity to make those decisions rather 
than to legislate a protocol which might work for some and not 
work for others. I do not know how we could legislate a 
protocol.
    Ms. McNabb. Yes. I do not either.
    Mr. Davis. That is, in effect, what I am saying. It seems 
very difficult to legislate a protocol.
    Just to build on what Joanne said, in our particular case 
we did have to apply additional criteria, as I said. These had 
to do with an analysis of the targeted nature of the event, the 
duration of the event, and our campus position on this. Those 
were the three ingredients that actually led us to proceed with 
the notification.
    I can certainly think of different situations, for example, 
with a stolen laptop, then the situation becomes very 
different, and you can have a very different kind of risk 
analysis. But if you are saying, you know, the principle of 
this, that does make very good sense to this, and it does put 
the burden back on us to do that kind of analysis, which I 
think that is where it needs to rest.
    Chairman Feinstein. I do not know a better way of doing 
this than saying no significant risk and that the company has 
to certify that. And that goes within 10 days to the Secret 
Service with the facts, and they then can reverse that. Let's 
say the company says there is no significant risk. Then there 
is a check that says, yes, you have to notify, and that check 
would be the Secret Service evaluation.
    Mr. Davis. If I may make one other comment, I may have been 
answering the question just a little bit differently as I 
listen to what you are saying. We would actually agree with 
what you are saying, and that is a good principle to proceed 
by. What I was really trying to say is that the definition of 
``significant risk'' is very, very difficult, and so when we do 
our own analysis, it actually is going to be very difficult to 
find a situation in which we would not notify.
    Mr. Hoofnagle. Madam Chair, if I may make two 
recommendations--
    Chairman Feinstein. Well, my staff just put a question 
before me which is interesting. Do you suggest then that the 
law include criteria for assessing the risk? Even that, I do 
not know how it could be complete because there are such 
differences.
    Mr. Davis. There are people to my left that can speak to 
this. My own perspective is that it would be very difficult to 
put criteria together, but I think some criteria based on the 
experiences across multiple breaches, much like Chris and 
Joanne have talked about, can be put together that would be 
useful for us to do our risk analysis and help us do this as an 
internal exercise.
    Chairman Feinstein. Would you be willing to make some 
suggestions?
    Mr. Davis. Well, I am trying to suggest two that did work 
very well for us, which was the targeted nature of the attack 
as well as the duration of the attack in the particular kind of 
event that we experienced. Those would be examples of these 
kinds--
    Chairman Feinstein. So you are saying, in other words, that 
there must be a protocol set up that covers such things?
    Mr. Davis. That is right.
    Chairman Feinstein. OK. Anybody else like to comment on 
that point?
    Ms. McNabb. I think Jim's testimony actually lists the 
number of criteria that they had before and that they developed 
afterwards that would be worth looking at.
    Chairman Feinstein. How about misplaced rather than stolen?
    Ms. McNabb. The California law, the triggering event is 
that data is acquired by an unauthorized person.
    Chairman Feinstein. That is a good definition.
    Ms. McNabb. Not ``accessed'' but ``acquired.'' As it moved 
through the legislature, it started as ``accessed,'' and that 
was considered not as good an indication of risk as 
acquisition. So that can help in some situations.
    Chairman Feinstein. For example, what do you do, somebody 
is traveling--
    Ms. McNabb. Yes, and they lose their laptop.
    Chairman Feinstein. They are carrying a computer that has a 
huge data base in it, and they misplace it.
    Ms. McNabb. Well, you have to decide if you have reasonable 
belief that it has fallen into the hands of an unauthorized 
person.
    Chairman Feinstein. You would have no way of knowing.
    Ms. McNabb. Right. So you have to--
    Chairman Feinstein. So you would have to proceed, it would 
seem to me, to provide some notification.
    Ms. McNabb. That tends to be what happens.
    Chairman Feinstein. Because you cannot take the risk.
    Ms. McNabb. Something like, I think, 46 percent of the 
notification--of about 530 notifications that we have noted, 46 
percent of the time it was a lost or stolen computer or CD or 
server.
    Chairman Feinstein. That is exactly right, and it seems to 
me that companies have to recognize that their employees, if 
they carry around these data bases, that is one policy 
question. Then they have to be responsible--
    Ms. McNabb. And then they can encrypt them.
    Chairman Feinstein.--if a computer is misplaced or lost or 
stolen.
    Ms. McNabb. And the data can be encrypted. California 
government established a policy that sensitive personal 
information on portable computing or storage devices must be 
encrypted.
    Chairman Feinstein. That is a good thing to have in our 
law.
    OK. Mr. Davis, was the toll-free number a successful way 
for affected people to communicate with the University? And how 
many actually used it?
    Mr. Davis. Well, let's see. We had a total of about 36,000 
calls to the call center over the entire time, so we had quite 
a few people out of the total number using that call center.
    In terms of useful, I would use stronger words. I think it 
was essential to have the call center and to have that toll-
free number. When we look at the responses from the people--and 
we did track this very closely--people really did want to talk 
to people, as I said, and the call center was essential to 
getting information out.
    Of course, there were many people that did not have access 
to a computer or did not have other means to get information, 
and it proved to be the only way to get information through 
some of the people who were involved.
    Chairman Feinstein. Right. Do you believe that providing an 
e-mail address to which individuals could write for more 
information about a breach would be as effective as a call 
center? And, everybody, please chime in.
    Mr. Davis. I do not. I think it is a useful second layer 
mechanism, but I believe the call center--our experience would 
say--I should not even say ``I believe.'' Our experience would 
say that the call center was essential as a first line of 
communication in this kind of situation.
    Ms. McNabb. That is our experience, too. My office has 
gotten lots and lots of calls over the years from people who 
got notices, and your statistics were very similar to what ours 
have been. A lot of people get a letter, and it says something 
that sounds a little frightening, and they want to talk to 
somebody.
    Chairman Feinstein. Yes, I understand.
    Ms. McNabb. And what the people are saying on the phone is 
pretty much what it said in the letter, but they want to get it 
from a live human being.
    Chairman Feinstein. Right.
    Do you have a comment?
    Mr. Hoofnagle. It does make sense to have multiple channels 
available to victims, whether it is e-mail or telephone or the 
Internet.
    Chairman Feinstein. OK. Should notice be required when a 
breach involves a hard-copy printout of computerized data?
    Ms. McNabb. That is the policy for California State 
agencies. The policy is that when the kind of information that 
would require a notice in electronic form has been acquired by 
an unauthorized person, if it is in paper form we would notify 
the same way.
    Chairman Feinstein. Mr. Davis?
    Mr. Davis. We are treating it exactly the same way.
    Chairman Feinstein. OK. Well, we have covered the lost or 
stolen laptop. Perhaps you could give us some help on this, and 
that would be the wording to ensure that it covers not just 
hacking incidents, but also breaches that involved hard-copy 
data and lost laptops?
    Ms. McNabb. Well, the California law, when it says 
``acquisition by an unauthorized person,'' has been constantly 
interpreted to apply to lost or stolen laptops or other 
devices.
    Chairman Feinstein. So the whole thing.
    Ms. McNabb. Yes, because--
    Chairman Feinstein. The California law, the wording has--
    Ms. McNabb.--it says if the data--
    Chairman Feinstein.--been legally interpreted to--
    Ms. McNabb. It has been interpreted by behavior, that is, 
people since the beginning, those who have had breaches, 
whether it was a stolen laptop or lost hard drive, have 
considered that acquisition, apparently, because they notified. 
There have been proposals in the California Legislature several 
times since the law was first enacted to remove the word 
``computerized,'' because it says ``computerized data.'' So it 
would just say ``data,'' which would make it clearly apply to 
paper, and those have never been passed. They were objected to.
    Chairman Feinstein. Right. That is interesting. All right. 
If any of you have a comment you would like to make, we will 
conclude this, but I would like to ask that if you have not had 
a chance to look at the bill, that you perhaps do so and give 
us any comment you might care to make, how to strengthen it or 
better it in any way. Any comments?
    Mr. Hoofnagle. Madam Chair, may I make one comment? That 
is, there is an exemption for situations where there is no 
significant risk of harm that would exempt a company or an 
agency from giving notice.
    Chairman Feinstein. Right.
    Mr. Hoofnagle. I do think it makes sense to consider using 
the word ``misuse'' rather than ``harm.'' The word ``misuse'' 
is more relevant. It has better context in privacy law, and 
that ``harm'' is usually equated with financial loss or injury, 
but sometimes data are stolen, sometimes there are security 
breaches made that are mere misuses of information. So--
    Chairman Feinstein. Define ``misuse.''
    Mr. Hoofnagle. A use of the data that is not compatible 
with its collection. Now, that is a confusing way of saying 
using the data in such a way that the victim would object to, 
and a common example would be the pretexting cases where 
information was used to investigate other people but not to 
steal their identity.
    Chairman Feinstein. Oh, I see where you are going.
    Mr. Hoofnagle. Or where data are stolen to embarrass 
another person or, let's say, data are stolen to locate a 
domestic violence victim. Those type of risks are particular to 
certain people, and the entity that is experiencing the breach 
may not know about those risks.
    Chairman Feinstein. Well, take a data base like UCLA had of 
800,000. If it were misused, how would they ever get to the 
point they got to? Because you would never know. All these 
other issues enter into it with respect to misuse.
    Mr. Hoofnagle. Well, it would be ``reasonable risk of 
misuse'' instead of ``significant risk of harm.'' So there is 
going to be a risk assessment made, and I think it makes more 
sense to assess whether or not the information is going to be 
misused, not whether or not there will be harm flowing from the 
incident.
    Chairman Feinstein. Well, we have opened a whole other 
chapter. Can you comment, Mr. Davis?
    Mr. Davis. I have to think about that one.
    Chairman Feinstein. Yes, I do, too. I do not know what it 
means, really. I understand what he is saying, but in terms of 
a law--I mean, I know what harm is, but is it proper use? Is it 
misuse? And you have 800,000 people, all of whom--take the case 
of UCLA. You have applicants, you have students, you have 
alumni. What else do you have on that data base?
    Mr. Davis. And we had some people from the Office of the 
President and faculty.
    Ms. McNabb. And you?
    Mr. Davis. I did get a letter.
    [Laughter.]
    Chairman Feinstein. So you had a cross-section of people. 
Now, if you go into the private sector away from a University 
setting, you are going to have an even broader group of people. 
Let's say it is a bank that has its data breached that owns 
insurance companies, and all that stuff, it is millions of 
pieces of data. How do you determine whether misuse would 
occur? How do you determine even who the population is? It 
seems to me it is a huge delaying effort just to get to that 
point.
    Mr. Hoofnagle. You are right, Madam Chair. This is the most 
difficult issue in security breach notification. But what I am 
trying to say is that we do not want entities just looking for 
risk of identity theft. There are other risks out there.
    Chairman Feinstein. Yes, but this is aimed at identity 
theft. It is not aimed at taking care of all the world's 
problems. That is the hard part of this. I see where you are 
going, but we have enough trouble moving this bill now.
    Mr. Hoofnagle. Well, it would be important, for instance, 
if a data base were breached, if information were stolen from a 
business by someone who attempted to stalk another person, to 
locate a domestic violence victim, to embarrass that person, 
that would be--
    Chairman Feinstein. But how would the bank know? How would 
the insurance company know?
    Mr. Hoofnagle. It might become apparent in the risk 
assessment. Of course, every situation is different. What I am 
saying is that the scope--
    Chairman Feinstein. You cannot do a risk assessment for 
every single person in that data base. There are millions. You 
have to do this in a timely way, within a very limited period 
of time.
    Mr. Hoofnagle. Let's consider the pretexting scandals where 
individuals' records were accessed without authorization. Those 
were single individuals' information that was stolen. It was 
not done for identity theft. It was done to investigate those 
people and possibly to embarrass them.
    What I am saying is that the scope of harms that may occur 
to a victim are broader, and sometimes in the risk assessment 
it will be possible to determine that. Sometimes it will not.
    Chairman Feinstein. Well, it seems to me with the word 
``harm'' it is a much more general phrase that you identify 
whether this particular break is apt to result in any kind of 
harm to an individual whose name or data is in that data base. 
And if the answer is yes and it is a significant risk of harm, 
you have to do certain things. If the answer is no, then you 
submit your assessment. The Secret Service will take a look at 
it and either agree with you or disagree with you.
    Mr. Hoofnagle. That is a sensible definition of ``harm,'' 
and what I would recommend is that the Committee report 
language specify that the harms, the possible harms, can be 
broader than just physical harm or identity theft.
    Chairman Feinstein. Well, I will think about it.
    Mr. Hoofnagle. OK.
    Chairman Feinstein. How is that one?
    Mr. Hoofnagle. That is perfect.
    [Laughter.]
    Chairman Feinstein. Thank you all very, very much. I think 
it has been an interesting hearing. I very much appreciate what 
you do. Please stay the course and continue on, and we will as 
well. Thank you.
    The hearing is adjourned.
    [Whereupon, at 4:05 p.m., the Subcommittee was adjourned.]
    [Submissions for the record follow.]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 